Transport Committee on March 24th, 2022

I would rely on some of the assessments that have come out of the U.S. government. The U.S. government has publicly indicated that this threat is real and persistent. President Biden issued a strategy, a maritime cybersecurity strategy, last year, which documented significant gaps in the port system, as well as in ship systems. Many of these systems, whether it be ships, trains or planes, are built to last 30 years. What that means is that they contain legacy systems, outdated IT systems that have not been patched. The vulnerability is vast; it's deep, and the threat is persistent and real.

The U.S. Justice Department in October 2020 charged six Russian intelligence officers affiliated with the NotPetya malware attack that crippled the shipping giant Maersk and also attacked TNT—now FedEx.

There is evidence out there that some of these attacks, some of the largest, most impactful attacks, are state-based.

It's a great question, and the answer is, yes, it can be prevented.

We have technologies out there in the market today that are prevention-first technologies. Essentially, they leverage AI and machine learning to predict and prevent attacks before they are executed. We have moved beyond traditional technology, which basically adopted what is called a signature-based approach, similar to how we dealt with a COVID-19 vaccine. You need a patient zero, and then you model it and trace it, but now we've moved ahead of that. We have technology that, if put in place, can prevent that.

Second, mandatory cyber incident reporting for critical infrastructure will automatically create an incentive—or a stick, if you will—for entities to put in place better defences. They don't want to have to report their cyber incidences, but if they do, and if it's time-bound, at least we can move quickly to contain it.

Another key vulnerability that can be addressed, and it's being done in the U.S., is actually to get developers of software that's embedded in critical infrastructure and government systems to produce what we call a software bill of materials or an ingredients list that will list all of the components that are in that software so that they can quickly determine the provenance or origin of that software, where it comes from, identify whether vulnerabilities exist and be able to remedy them.

The reality right now is that people who buy software have no idea what's in it. There's no way to verify whether or not that software was built using cybersecurity practices.

All of them, unfortunately, are susceptible. All of them contain legacy IT systems that are not protected and have open-source software that could contain back doors. They depend on supply chains where they are trusting those suppliers, those vendors to implement secure practices, but they perhaps do not verify them.

All of them are susceptible. That's why we need to move quickly to get these critical infrastructure operators, transit operators, to take action to report cyber incidents, to develop cyber incident response plans and to undergo cybersecurity vulnerability assessments. Finally, it's not just about having a plan on paper. We need to verify that they put that in place.

BlackBerry, together with the Canadian Chamber of Commerce and its members, has put forward a budget submission. We are calling on the government to double its investment in cybersecurity. That would bring us up to what our peers in the G7 are spending on cybersecurity. So, yes, we need to spend more, and we need to spend it smartly. There are also initiatives that won't cost money that we can do right now, as I mentioned, in terms of cyber incident reporting.

The final thing I'll mention very quickly is that we need leadership at the top. Describing that cybersecurity is a priority. President Biden is out there almost daily talking about cybersecurity. We need to take that type of leadership as well.

Mr. Chair, BlackBerry provides a range of services from our unified end point protection and unified end point management services, which protect mobile devices. We also provide secure communications to the Government of Canada, which are certified by the Canadian cybersecurity entity CSE as well. It's primarily oriented to secure communications and unified end point management, which, again, is about secure mobile technology.

It's hard to say. I don't have the precise numbers on the government. Again, our remit is focused largely on secure communications and on mobile technologies. We don't monitor the overall security posture of the Government of Canada.

I don't have visibility personally on that type of information, on the seriousness of those attacks. I can only comment on what's been in the news and what I've seen on a personal basis. I'm afraid I'm not able to provide you with a precise answer to that question.

BlackBerry regularly collaborates with the Government of Canada, the Canadian Centre for Cyber Security and others, whether it be related to vulnerability disclosures or other threat assessments.

One thing I would like to offer, though, is that a lot of the emphasis has been on information sharing. I think there's room to emulate what the United States has done again here, which is collaborative planning. This is a preventative approach to dealing with upcoming potential events. That's what I would emphasize.

It would be much more robust public and private sector collaboration with the government, where there is two-way communication and we are engaged in collaborative planning for potential events that may come our way.

They're 30 minute bells.