Transport Committee on March 24th, 2022

It's very difficult to rate from one to 10. I wouldn't be able to do that. What I will say is that they are engaged; they're competent; we know they're working on it.

We're not a regulator, so I don't know exactly how they're mitigating their risks. What I do know is that they tend to clearly understand the advice and guidance and they are engaged in terms of working with us. That's probably all I can say about that.

I can start, Mr. Chair.

We work on a voluntary basis. We certainly encourage all Canadian entities to report immediately to us. We're here to help and we're very happy to hear of them.

In terms of what has happened in the U.S., we're definitely going to be working with our colleagues and counterparts in the U.S. to learn how it's working there and then basically educate ourselves in terms of their experience.

I'd probably turn that over as more of a policy question.

Mr. Chair, maybe just to quickly go back to the previous question on whether certain sectors are prepared, further to my colleague's comments, this is top of mind for industry associations, such as the Canadian Forum for Digital Infrastructure Resilience, as well as Electricity Canada, formerly the Canadian Electricity Association. We have a lot of engagement with different industry association groups.

With respect to greater diligence and the proposal or the initiative you mentioned from the U.S., I would flag that budget 2019 did provide some funding to support new legislation aimed at protecting Canada's critical cyber-systems in four sectors: finance, telecommunications, energy and transport. This is something that continues to be developed by key departments and agencies around town. Certainly I would say that this is a top-of-mind issue both for our industry partners but also in terms of some continued policy work that we develop in-house to the federal government.

I would be happy to answer the member's question, Mr. Chair.

I thank the member for the question.

In fact, we are constantly exchanging information and listening to what is going on and what could jeopardize our presence and border fluidity because of its importance to the economy and to the security of Canada.

To answer your question directly, I don't have any information at the moment that demonstrates that, but it goes without saying that as a result of the sanctions that have been imposed, we are making sure that those cargoes, which are targeted, don't cross the border.

In terms of security, we have radiation detection portals in our seaports to make sure that containers coming in from overseas are checked for radiation and chemicals that might be in them.

We are always on guard, but I have no information at the moment that there are efforts to block the infrastructure.

Mr. Chair, I wouldn't mind chiming in, if you'll indulge me.

Looking back at the example of the recent blockades in February, I would preface this by saying that I also have no intel further to Mr. Vinette's response, but I think another area worth examining is the effects of misinformation and disinformation, which can cascade across social media platforms and be used to incite certain responses, shall we say, that have negative and disruptive consequences on Canadian critical infrastructure, notably in the context of transportation critical infrastructure.

Misinformation and disinformation is something that can have very strong destabilizing effects from a critical infrastructure stability and reliability perspective, but also in terms of social cohesion. That's something as well that I would like to flag to the committee.

Thank you for the question.

In fact, the CBSA works in partnership with Transport Canada, which is responsible for regulating security at airports, at our seaports, and elsewhere.

We always work very closely with Transport Canada to make sure that whenever there are threats or information comes to one of the partners, it's shared and then assessed to see if a response is required. In the maritime units, which monitor our coasts and are integrated teams of CBSA, RCMP, Coast Guard and our military colleagues, we work together to have an overview of what is happening in the maritime domain at all times. This is an example of our efforts to ensure the security of our ports of entry when there are ship movements. We deploy a similar effort on the airport side as well.

Thank you.

From a CSE perspective, we have [Technical difficulty—Editor] in defensive cyber-operations that we have both legislation and the capability to perform.

Thank you, Mr. Chair.

On behalf of BlackBerry, I'm delighted to speak with you and committee members today.

For over 35 years, BlackBerry has invented and built trusted security solutions to give people, governments and businesses the ability to stay secure and productive. Today, our software is used to protect all G7 governments, is embedded in more than 195 million cars and secures more than 500 million other devices, including mobiles, laptops, and transportation, aerospace and defence systems.

Drawing on our unwavering commitment to safety, security and data privacy, I would like to speak today about the gap between the cybersecurity preparedness of Canada's transport sector and the sector's growing exposure to cyber-threats.

Every organization in every industry sector runs the risk of a cyber breach; however, few carry the same real-world risk from cyber-attacks as those in the critical infrastructure sector. As was highlighted by this committee earlier this week, ransomware attacks on the transportation sector in North America increased by 186% between June 2020 and June 2021. In the past year, Canadian transit systems in Toronto, Montreal and Vancouver experienced cyber-attacks. Rightfully, Canadians are worried. According to the Edelman trust survey, falling victim to a cyber-attack now ranks second behind job loss on the things Canadians worry about most.

Currently, apart from PIPEDA-related obligations, Canada has no regulations in place to govern, much less obligate, rail, air and surface transit operators and owners to report, prepare for and prevent cybersecurity incidents. While there is a regulatory obligation for port administrations and marine and ferry facilities to report cyber incidents to law enforcement and Transport Canada, there is no specific reporting period nor guidance on the cybersecurity measures that they should put in place.

Stepping back to the larger geo-competitive picture, Canada is falling behind our G7 peers on cybersecurity. On a per capita basis, Canada invests half of what the U.S., U.K. and France invest in cybersecurity. The U.S. and European governments are also taking regulatory measures to raise the bar on critical infrastructure cybersecurity, like transportation systems. For example, in the wake of successive attacks on U.S. critical infrastructure, including the Colonial pipeline and the New York subway system last year, the U.S. government took meaningful steps to address cyber vulnerabilities.

In May 2021, President Biden issued an executive order on improving the nation's cybersecurity, which required his government to modernize its cybersecurity defences. In July 2021, President Biden directed the U.S. government to develop cybersecurity performance goals for critical infrastructure owners and operators.

In December 2021, the U.S. Department of Homeland Security's Transportation Security Administration [Technical difficulty—Editor] for all freight railroad carriers, passenger rail and rail transit operators to designate a cybersecurity coordinator, report cybersecurity incidents to the U.S. government within 24 hours, develop a cybersecurity incident response plan and conduct cybersecurity vulnerability assessments.

Just two weeks ago, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requiring covered critical infrastructure entities to report cybersecurity incidents to government within 72 hours and ransomware payments within 24 hours.

Europe has similar requirements and is currently expanding these requirements to include intelligent transport systems, such as connected cars and smart infrastructure. It also plans to levy fines of up to 10 million euros or 2% of annual revenue, whichever is greater, to those who are found non-compliant.

While Canada recently joined the U.K. and the U.S. in calling on critical infrastructure entities to “bolster their awareness of and protection against...state-sponsored cyber-threats”, we are still far behind.

BlackBerry stands ready to work with this committee to strengthen the cybersecurity of Canada's transportation systems from this growing and evolving threat.

Thank you for time today. I look forward to your questions.

Ninety per cent of cyber incidents go unreported.

Furthermore, as I mentioned, there are no mandatory requirements for critical infrastructure operators or private sector entities to report cyber incidents.

You put your finger on a critical issue. The Canadian government and many entities simply do not have full visibility on the scale of the threat or the persistent nature of the threat. That is one of the key issues, and that is one of the reasons why President Biden moved to require mandatory cyber incident reporting for critical infrastructure.