Evidence of meeting #9 for Transport, Infrastructure and Communities in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

Also speaking

Denis Vinette  Vice-President, Travellers Branch, Canada Border Services Agency
Rajiv Gupta  Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Ryan Schwartz  Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness
John de Boer  Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Clerk of the Committee  Mr. Michael MacPherson

4:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

Sure.

Going back to the 2020 cyber-threat assessment as well, we mentioned that nation-states had been developing capabilities to disrupt critical infrastructure. We knew they had been doing reconnaissance in countries like Canada. We did say in that 2020 cyber-threat assessment that, in the absence of hostilities or conflict, the threat would be low.

Given the escalating tensions in Ukraine and Europe, we had started warning Canada back on January 19. That's when we posted our first escalated tensions bulletin urging critical infrastructure operators to be vigilant, to move to heightened tensions and to actually implement some of the recommendations we had put forth, in terms of preparation. We reinforced that further in February with yet another bulletin.

We had put out other sorts of threat bulletins with respect to destructive malware in Ukraine and others to continue to warn Canadians and inform them of exactly what was going on. Just recently in the U.S., as you've referred to, Biden upped the urgency once again. On our website on Tuesday we reinforced that, saying we were in agreement with the statement that organizations in Canada need to be on a heightened vigilance and that the threat landscape for Canada is certainly one of heightened vigilance and awareness.

4:10 p.m.

NDP

Taylor Bachrach NDP Skeena—Bulkley Valley, BC

I think this has been dealt with to some degree in the previous questions, but based on the available information, would you say there's been an increase in the number of attempted cyber-attacks targeting critical infrastructure, including transportation infrastructure, in the U.S. or in western allied countries since Russia's invasion?

4:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

At this point we have not seen an increase. We have knowledge of the cyber-threats happening, but they are threats we would have already forecasted.

4:10 p.m.

NDP

Taylor Bachrach NDP Skeena—Bulkley Valley, BC

Moving along here, you mentioned the 2017 NotPetya cyber-attack earlier. I think that we heard from Public Safety about some of the steps they've taken since then to protect Canadian marine and shipping infrastructure.

My question is for you, Mr. Gupta. How vulnerable is marine shipping, in Canada specifically, to an attack similar to the 2017 NotPetya attack?

4:10 p.m.

Liberal

The Chair Liberal Peter Schiefke

You have time for a very quick response, Mr. Gupta, please.

4:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

NotPetya was attributed to Russia. That answers an earlier question as well in case we're aware of these.

In terms of the vulnerability, I would turn that over to my Public Safety counterpart. We helped them develop the tool, but really the assessments, knowledge and information that's sent back from that would not be in our hands within the cyber centre.

4:10 p.m.

Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness

Ryan Schwartz

Mr. Chair, I can elaborate on that to some extent.

We've done work on ports with respect to some of the resilience assessment tools that we have. We've done physical security assessments at 14 facilities in Canada. We've only done cyber-assessments at four facilities. If you're wondering if that's low, I would say it is. I think part of the reason for that is that the programs we offer are not mandatory. They are voluntary programs whereby Public Safety administers these on a free-of-charge basis. We basically rely on CI stakeholders coming to us to actually undertake these services.

In this case, it is a low sample size and we can't really draw any specific comparisons from that based on the overall vulnerability.

Of course, we don't share that information broadly, except with the owner and operator under confidentiality agreements that we sign with them. We do have non-disclosure agreements that we sign with CI owners and operators and—

4:15 p.m.

Liberal

The Chair Liberal Peter Schiefke

Thank you very much.

I'm sorry, Mr. Schwartz. I just want to make sure we're giving approximately equal time to all members.

Colleagues, for those of you who are having challenges with the connection, I apologize. It seems to be happening at numerous committees across the parliamentary precinct right now. I encourage you to keep trying to log back in.

Next we have Mr. Muys.

Mr. Muys, you have five minutes. The floor is yours.

March 24th, 2022 / 4:15 p.m.

Conservative

Dan Muys Conservative Flamborough—Glanbrook, ON

Thank you, Mr. Chair, and thank you to all the witnesses for taking time out.

Given the increase in serious cyber-threats, and certainly within the context of the overall deficiencies in defence spending by this government, would you say there is a shortfall in what we should be spending on cybersecurity, particularly given the context of what's going on in the world right now?

4:15 p.m.

Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness

Ryan Schwartz

I'm sorry, Mr. Chair. Is that a question for Public Safety or the cyber centre?

4:15 p.m.

Conservative

Dan Muys Conservative Flamborough—Glanbrook, ON

It's for whoever wishes to take it. Maybe we'll start with Mr. Gupta.

4:15 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

In terms of resources, I think that might be more of a policy question. At the same point in time, one thing I would highlight is that cybersecurity is an all-of-society consideration.

As mentioned earlier, there are obligations on the providers themselves, as well as on government, to provide certain elements of cybersecurity. It's a balance. Government needs to provide the advice and guidance and the tools and information to help organizations equip themselves. At the same point in time, organizations need to invest in implementing the foundational cybersecurity and cyber-resilience elements they need to defend themselves.

4:15 p.m.

Conservative

Dan Muys Conservative Flamborough—Glanbrook, ON

Does anyone from CBSA or Public Safety want to comment on that?

4:15 p.m.

Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness

Ryan Schwartz

Sure.

Mr. Chair, I would add that budget 2019 allocated about $508 million, I think, for efforts to advance the updated or renewed cybersecurity strategy, which was shared among a number of departments and agencies for their respective cybersecurity efforts. I would also say that there would be—I don't have a number for this—other resources that are applied there. I would use the example of my own group here, where efforts are undertaken to deliver programs that aren't counted or lumped in as part of that $508 million.

I'll leave the question at that. Thank you.

4:15 p.m.

Conservative

Dan Muys Conservative Flamborough—Glanbrook, ON

Sure.

Would you say you have the resources you need now, or do you need more?

4:15 p.m.

Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness

Ryan Schwartz

I guess the answer would be that this is a growth industry. I say that facetiously in the sense that the scope of the challenge is growing. Significant investments have been made.

As my colleague at the cyber centre said, cybersecurity and critical infrastructure security and resilience is definitely a shared responsibility. I am encouraged by the fact that a number of stakeholders in both the public and private sectors are working together, sharing resources and pooling information to address this.

I think the nature of the commitments that have been signalled in most recently the mandate letter for the Minister of Public Safety to renew a strategy signals the intent to do more work here, but I can't speak to whether we need more money or not at this point in time.

4:15 p.m.

Conservative

Dan Muys Conservative Flamborough—Glanbrook, ON

All right.

Moving to energy infrastructure, as we look at critical infrastructure that needs to be protected, we know in May of last year the Colonial pipeline in Texas, which provides half of the gasoline for the eastern United States, was shut down for nearly a week due to a ransomware attack. You talked about how the ransomware threat is certainly the one that has the biggest impact on Canadians. In terms of our critical transportation infrastructure but also our energy infrastructure, are we prepared if we are subjected to a potential future attack?

4:20 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

I can start, Mr. Chair.

Absolutely, as you've pointed out, highlighting that Colonial pipeline is important. We certainly took that incredibly seriously as well, and it was aligned with what we had predicted in our cyber-threat assessment.

In December we went on a ransomware campaign to educate Canadians and to push out the information, and tools and resources that would be necessary for Canadian organizations to help equip themselves.

It started with an open letter from four different ministers [Technical difficulty—Editor].

4:20 p.m.

Liberal

The Chair Liberal Peter Schiefke

I'm sorry, Mr. Gupta. We're having a little bit of trouble hearing you. Could you perhaps repeat the last two or three sentences?

4:20 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

Okay.

In terms of countering ransomware, we did put forth a ransomware campaign in December, which was started by a joint open letter from four different ministers, as well as a ransomware playbook and a ransomware threat bulletin to help equip critical infrastructure and Canadians with the tools [Technical difficulty—Editor].

In addition to that, we continually share threat information related to ransomware with the various sectors. You mentioned energy, which is very important and certainly dependent for transportation. We work closely with the energy sector and we have established two programs, one called Lighthouse and one called Blue Flame, with the Canadian Gas Association and the gas industry across Canada, to exchange cyber-threat information in near real time and to help protect them.

These are two pilots we think are very important to protecting the energy sector, not just for ransomware, but for cyber-threats in general.

4:20 p.m.

Liberal

The Chair Liberal Peter Schiefke

Thank you very much, Mr. Gupta.

Mr. Muys, are you satisfied with the response that was provided? There were a couple of words that were cut out there.

4:20 p.m.

Conservative

Dan Muys Conservative Flamborough—Glanbrook, ON

Yes, I think he circled back between the gaps in technology.

4:20 p.m.

Liberal

The Chair Liberal Peter Schiefke

Perfect. Thank you.

Next we have Mr. Iacono.

Mr. Iacono, the floor is yours. You have five minutes.

4:20 p.m.

Liberal

Angelo Iacono Liberal Alfred-Pellan, QC

Thank you, Mr. Chair.

I thank our guests for being here.

My questions are for anyone who wants to answer them.

What is the nature of these attacks? Are they denial-of-service attacks or are they ransomware attacks?

4:20 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

I will start, Mr. Chair.

In terms of the nature of attacks, we were describing ransomware. Ransomware is a threat where a threat actor will gain access to your network and then encrypt your valuable data and hold it hostage until a ransom is paid. This threat has evolved to the point where the ransomware threat actors will actually take your data as well as encrypt it sometimes, and actually threaten to extort you in terms of threatening leakage of the information to cause further pain and to further incite you to pay the ransom.

Obviously, they're financially motivated. They will do whatever it takes to get that money. As we've seen, with targeting against various sectors, including health care and others, there is definitely a significant impact on lives and whatnot. These threat actors are interested in money and that's pretty much it.

There are different types of threats, obviously. There are DDoS attacks that do happen and sometimes those are linked to ransomware as well. Someone will basically try to overwhelm an organization with traffic and say that they won't turn it off until you pay a ransom. Those are less common than the traditional ransomware that I described.

Then of course there is traditional espionage and theft of intellectual property or sensitive company data as well, which results in data breaches because this is also worth money on the dark web in terms of selling health information, tax information or credit information and financial information, which can all be sold on these markets for money, and of course—