Public Safety committee  I can't see doing this without collaborating with the private sector.

Public Safety committee  I'm not sure what actually would be the method for that. I think there are a few different things, depending on the technology you're implementing. Sometimes it would be that the provider can provide the information, or they can design it. In a lot of cases they're designing it so that they don't actually see the data that traverses the network, and they're making explicit design choices.

Public Safety committee  I think that's absolutely the case. We rely on private infrastructure that runs our critical infrastructure, which is built in the commercial space. Pretty much gone are the days of government-produced equipment. We can't keep up with the rapid innovation pace that the private sector is able to bring to bear.

Public Safety committee  When we're talking specifically about 5G, meaning fifth-generation telecommunications networks, the best security outcome for anything related to 5G is really an environment with multiple vendors where you're able to put security protocols or security appliances in at different layers.

Public Safety committee  Patching is number one. It really is. The second one, depending on what infrastructure you're using, is just not logging in as administrator, not logging in with super privileges, etc. That's a simple thing. It just slows things down. There is also backing up your data. If you have something critical, make sure you're backing it up, because if ransomware hits, then all you do is restore and you get your data back, and things like that.

Public Safety committee  In some cases, it's inconvenient. It's inconvenient to update. It's inconvenient to run the patches, etc. In other cases, people just don't see the need. They say, “It's working for me. It's good enough” or “I'm afraid I'll break it.” That's kind of an unfortunate legacy of our industry.

Public Safety committee  We actually have a program called the cryptographic module validation program, which we use to actually strengthen encryption and make sure it is done properly. That's something that we work with the commercial sector on in terms of making sure that the products we use in government but also the products that are available to all of us are secure and implemented properly.

Public Safety committee  I think if you're looking at it from the provider's point of view, there are some providers that are able to get to that data, so how do you provide that access, under what lawful authorities, etc.? You can ask, because it's not encrypted when it's, for example, on a vendor's server.

Public Safety committee  Certainly, we'd look to work with the RCMP on that to engage all law enforcement and to follow their lead on that. In terms of financial contributions, it's not really within our authority or remit to do those types of things, but we do offer training. We run our IT security learning centre right now, where we do offer training.

Public Safety committee  In terms of training and helping...?

Public Safety committee  I think there are a few things. It's in cyber-literacy. It's in demystifying IT. We've made it the domain only of experts, and yet we all use it every day. Most people are scared to actually touch it when it breaks, etc. It shouldn't be that hard. As an industry, we have to get better at that.

Public Safety committee  Sure. Assemblyline is the system we use when doing malware analysis. Let's say you're getting a malicious file. How do we break it down and basically do all the cyber-analysis? We automate it. That's how we scale for the government. It wasn't done by people; it was done by automating and taking advantage of some creative things.

Public Safety committee  In terms of what worked really well, it was aimed at cybersecurity professionals, people who do this for a living, and we did see pickup around the world for it. Also, people are contributing back in. It is a lot of work to maintain an open-source project. When we release this, we have to continually invest in it managing the open-source software, etc.

Public Safety committee  We made the tool available. We didn't make our instance of the tool available. You can download the software, install the software on your system, and run it in your own environment to protect it. It's not connected in, so you don't use our instance of the tool, and we don't collect....

Public Safety committee  That's one of the goals of the cyber centre: to be more open and transparent. In fact, we're making sure that we have a facility where people can come in and work. If you come and visit CSE now, we take all of your technology away because you're entering a top secret building. The cyber centre will not be that way.