National Defence committee  I think the issue is more the ecosystem itself. If you take a look at it, consumer protection laws that exist for the building of a device—for example, a car—compel the manufacturers to look at safety and security as the basic design of what they're building, whether it's seatbelts, airbags, or whatever.

National Defence committee  I think that is certainly one issue that needs to be considered, among others. I would say that the issue of dealing with basic insecurity and vulnerability of networks at its highest concentration point, which is the operation of networks themselves, is probably more important than the consumer level at this point, in terms of the effect that it would generate.

National Defence committee  I'm not sure if I understand the question. Perhaps you can rephrase it in a different way.

National Defence committee  Perhaps I'd answer differently. Certainly, if we take a look at the model that's been adopted for security in the U.S., which is emerging right now, we see there's certainly a sectoral approach in terms of the degree to which security has to be ensured for the survival or the needs of the sector itself.

National Defence committee  I would argue that any network that's designed for interoperability will always have a vulnerability. Whether it's designed to be isolated or not isolated, ultimately it's going to have the same basis of vulnerability. I think Stuxnet proved that rather effectively in Iran, where a completely isolated system still managed to be compromised through a vector.

National Defence committee  Excellent question, and I'll predicate my answer by saying that I'm testifying in front of a Senate committee on the issue of cyberterrorism on Monday. We have been involved in working with Public Safety Canada under the Kanishka program, specifically looking at social media, the Internet and radicalization, and what measures can be taken, both within the public sector as well as at the community level, in order to be able to detect and provide early intervention to individuals at risk of radicalization.

National Defence committee  Sure. I'll give the short-form answer to it. Effectively, the standards that currently define the interoperability between hardware using the Internet protocol came out of a governance structure that was initially put in place when the Internet globalized in 1995. That included both the creation of an entity, ICANN, that effectively regulated the address space, but it also included subcommittees that dealt with security, and for example, the engineering aspects of cyberspace itself.

National Defence committee  On the issue of vulnerability, I think the reality is that our systems are very vulnerable. The reality is that they're vulnerable for two reasons: first, because security was never at the heart of how these systems were engineered to begin with, and second, we haven't put in those kinds of regulatory demands to ensure that operators of critical infrastructure take security not just as a responsibility to their shareholders, as businesses, but also as part of their responsibility to Canada, quite frankly, or to national security.

National Defence committee  Again, I think part of the problem is that currently the heart of the capabilities that the government has for doing attribution-type work lies in an institution that was never designed to do so—the CSE—hence my comment earlier on that I think there are capabilities that currently are, for all the right reasons, centralized within CSE, but that actually have to be migrated out.

National Defence committee  Yes and no. I would separate two things. Yes, there has been, not just amongst the Five Eyes, but across, if I'm not mistaken.... We did a study for the strategic balance for the IISS, and about 90 countries are starting to develop the equivalent of what would be a cyber command, which means a military organization that effectively looks at cyberspace as a domain for operations and that trains, equips, and develops a doctrine for being able to conduct operations therein.

National Defence committee  I can't comment on the capabilities of CSEC, seeing as I'm not really speaking on its behalf nor am I an employee nor do I have privilege to be able to access it at that level. However, if I talk about it from an institutional point of view, I think CSEC has definitely taken a leading role in cybersecurity in Canada because, quite frankly, that's the institution where government has been able to bring together the expertise and know-how to do so.

National Defence committee  Sure. Thank you very much for the questions. With respect to your first question, yes, I think we have to recognize the fact that one of the costs of openness is the fact that the environment itself will always provide a degree of insecurity. That's absolutely right. The problem, however, is that the nature of the kinds of threats that exist in malware code can be aggregated and seen when you look at them at scale.

National Defence committee  Thank you very much. Thank you to the members of the committee. It is truly a privilege to address you today on the topic of cybersecurity. By way of background I am not just a principal of the SecDev Group, which is a Canadian company that works at the intersection of technology and security and has actively worked in an operational capacity in the cyber domain on behalf of the U.S. and U.K. governments in particular.