:
Thank you very much for that, Mr. Chair.
Good afternoon, committee members.
Thank you for the invitation to appear today to discuss cybersecurity and specifically the “National Cyber Threat Assessment 2020” report released on November 18.
As the head of the Canadian Centre for Cyber Security at the Communications Security Establishment, I am very pleased to be here. CSE is Canada's foreign intelligence agency and lead technical and operational agency for cybersecurity. As was mentioned, I have appeared here a few times before.
Created in 2018, the cyber centre is a unified source of expert advice, guidance and support on cybersecurity operational matters. We work closely with other government agencies, industry partners and the public to improve cybersecurity for Canadians and to make Canada more resilient against cyber-threats.
Our goal with the national cyber-threat assessment is not to frighten Canadians or to be downers, but rather to inform all of us about the threats we will be facing in the coming years. I hope it spurs many of us to take simple actions to protect ourselves. We have seen that easy, simple actions can greatly increase our individual security.
Canada is one of the most connected countries in the world, which the NCTA highlights, and the COVID-19 pandemic has accelerated our reliance on the Internet to meet basic needs. We are increasingly leading our lives online, and at the same time threat actors continue to pursue new ways to use the Internet for malicious purposes. While this assessment does not provide specific mitigation advice, more guidance and best practices can be found on the cyber centre's website and through our “Get Cyber Safe” public awareness campaign. As I've said before, by taking even a single action, all Canadians can help shape and sustain our nation's cyber-resilience.
For those Canadians who would like to learn more, we have also published an updated “An Introduction to the Cyber Threat Environment”, which I will confess I may slip and call the “cyber primer”, in which we explain many of the terms and techniques used in cybersecurity.
The assessment analyzes cyber-trends since 2018 and draws upon the cyber centre's unique view of the cyber-threat environment to forecast those trends to around 2022. The assessment also highlights the most relevant cyber-threats to Canadian individuals and organizations.
Before I discuss those threats further, though, I would note that the assessment's findings are based on reporting from multiple classified and unclassified sources, including those related to CSE's foreign intelligence mandate. While the cyber centre must protect classified sources and methods, we have tried to provide readers with as much information as possible, including footnotes.
I'll now provide a brief breakdown of the cyber centre's key findings regarding the cyber-threat landscape. Broadly, these can be grouped into three key observations for our discussion today.
The NCTA 2020 highlights several key observations.
First, cybercrime is the threat most likely to impact Canadians now and in the years ahead, and cybercriminals often succeed because they exploit human and social behaviours.
Second, ransomware directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers.
Finally, while cybercrime is the main threat, state-sponsored cyber-programs of China, Russia, North Korea and Iran pose a strategic threat to Canada.
First, we assessed that cybercrime remains the threat most likely to impact Canadians. Now and in the years ahead Canadian individuals and organizations will continue to face online fraud and attempts to steal personal, financial and corporate information. Cybercriminals often succeed because they exploit deeply rooted human behaviours and social patterns as well as technological vulnerabilities. Unfortunately, as a result of this reality, Canadians are more at risk for cybercrime than ever. This has only increased during the COVID-19 pandemic.
Malicious cyber-actors are able to take advantage of people's heightened levels of fear to lure and encourage victims to visit fake websites, open email attachments and click on links that contain malware. These website emails and links frequently impersonate health organizations or the Government of Canada. Defending Canadians against these threats requires addressing both the technical and social elements of cyber-threat activity.
Second, the ongoing safety of Canadians depends on critical infrastructure as well as consumer and medical goods, many of which are increasingly being connected to the Internet by their manufacturers. However, once connected, these infrastructures and goods are susceptible to cyber-threats, and maintaining their security requires investments over time from manufacturers and owners that can be difficult to sustain.
We have assessed that ransomware directed at Canada will continue to target those large enterprises and critical infrastructure providers. As these entities cannot tolerate sustained disruptions, they are often willing to pay up to millions of dollars to quickly restore their operations. Many Canadian victims will likely continue to give in to ransom demands due to the severe costs of losing business and rebuilding their networks and the potential consequences of refusing payment. The protection of these organizations and networks is crucial to the productivity and competitiveness of Canadian companies, and vital for Canada's national defence.
Finally, state-sponsored actors are very likely attempting to develop cyber-capabilities to disrupt Canadian critical infrastructure to further their goals. However, we judge that it is very unlikely that cyber-threat actors will intentionally seek to disrupt critical infrastructure and cause major damage or loss of life in the absence of international hostilities. Nevertheless, cyber-threat actors may target Canadian critical organizations to collect information, pre-position for future activities, or as a form of intimidation.
While cybercrime is the most likely threat to impact the average Canadian, state-sponsored cyber-programs of China, Russia, North Korea and Iran pose the greatest strategic threat to Canada. We have assessed that state-sponsored actors will almost certainly continue to attempt to steal Canadian intellectual property, proprietary information and, in today's context, information specifically related to COVID-19.
We have also assessed that online foreign influence campaigns are no longer limited to key political events such as election periods. They are now the new normal. Adversaries now look to sustain their influence campaigns across all levels of discourse deemed to be of strategic value. While Canadians are often lower-priority targets for online foreign influence activity, our media ecosystem is closely intertwined with that of the United States and other allies, which means that when their populations are targeted, Canadians become exposed to online influence as well.
I want to reassure you that CSE and the cyber centre are working hard to mitigate many of these threats and protect Canadians and their interests through targeted advice and guidance. CSE continues to leverage all aspects of its mandate to help ensure that Canada is protected against threats. Not only is the “National Cyber Threat Assessment” meant to inform Canadians, but it is also setting the priorities for action by the cyber centre on what actions we can take, often with partners in the private sector who are willing to stand up and assist in directly addressing these threats facing each of us.
A key example of this type of partnership is the Canadian Shield initiative from the Canadian Internet Registration Authority, CIRA. CIRA Canadian Shield is a free, protected DNS service that prevents you from connecting to malicious websites that might affect your device or steal your personal information. The service is provided by the Canadian Internet Registration Authority, a not-for-profit agency that manages the “.ca” Internet domain. The service uses threat intelligence from the Canadian Centre for Cyber Security. In simple terms, if someone who is using Canadian Shield clicks on a link that is known to be malicious, they will be stopped from going to that bad site.
CIRA has seen a number of Canadians pick up the use of this tool, although we would certainly like to see it accelerated more. We are just past the six-month mark. We do recommend that all Canadians take advantage of this free service built by Canadians for Canadians and designed to protect Canadians' privacy.
Through targeted advice and guidance, the cyber centre is helping to protect Canadians' cybersecurity interests. We are dedicated to advancing cybersecurity and increasing the confidence of Canadians in the systems they rely on. We hope this report will help raise the bar in terms of awareness of today's cyber-threats. I encourage Canadians who are looking for easy-to-follow tips on cybersecurity, such as our holiday gift guide, to visit our website, GetCyberSafe.gc.ca.
For businesses and large organizations, or if you would like to read more of the publications of the cyber centre, we can be found at cyber.gc.ca.
Thank you again for the opportunity to appear before you virtually today. I'll be pleased to answer any questions you may have.
:
Thank you for that question. There's a lot in there.
We have been working since the beginning to build up the resiliency of the health care community. One of the things we have been working on, which we've done in partnership with the provinces and territories—which clearly have such an important role to play in health care, in providing advice and guidance—is targeted briefings, targeted information, specifically to that health care sector to build resiliency over time. We knew we were going to arrive at a vaccine at some point, so we have been building up resiliency and making sure that the information flows are in place, and also ensuring that they have the information they need to proactively take steps to protect themselves. We've done that through things such as publishing other threat assessments that are specifically for the health sector. We take those, and then on regular weekly calls, we go over any threat we're seeing and how it could apply to the health sector and what could be done about that. We're trying to very much build up resiliency before something happens.
In terms of the current rollout of the vaccine, we are working with, obviously, our colleagues at the Public Health Agency and the overall task force to make sure that the information is in the hands of any organization that would be part of this to make sure we're taking actions earlier. Then, of course, we do leverage our foreign intelligence mandate, so if we do see things that are happening in foreign space or in our group of allies around the world and not necessarily just the Five Eyes.... We have a lot of allies in cybersecurity, and we all look at and share information very quickly to make sure we're getting that information out. Our goal is not to observe the problem but to give somebody, anybody who's a potential victim, something they can use to protect themselves. That's really been our goal.
We continue to look for new ways that we can build up our cyber resiliency in this [Inaudible—Editor].
:
Mr. Chair, that's a really great question. I'm glad to get the opportunity to address this.
We've been working with Canada's critical infrastructure providers for quite a while. Now, we do have to concentrate on the ones that are most at risk, so when we talk about the electricity sector in this report, that's a sector where we have been working both to build the relationships that we need across the country and with energy providers such as the Canadian Electricity Association to make sure we're addressing cyber-threats proactively.
Over a year ago, one of the things I did was that I participated in the tabletop exercise to simulate what would happen in an event where there was a cybersecurity incident, just to make sure that we're prepared, that we had gone through it and there were no gaps in the process. We continuously are looking to improve here.
This is an area where the technology changes are something that the sector is very aware of. They're very much resiliency based. They understand. They're used to dealing with things like major weather events, etc. Cybersecurity can be looked at as just a different source of the same type of impact. They're organizations that understand risk resiliency, and it's a very easy conversation. We're working closely with them. We are looking to address the threats. We're looking to see how we can expand not only into proactive cybersecurity, but into the discovery of threats before they manifest on the network, and we're looking for some joint projects.
At the cyber centre, one of the areas that we really like to concentrate on is innovation. We do that collaboratively, though. We do that collaboratively by bringing in partners from the energy sector and their suppliers, and we ask them if we can we tackle these problems together. If it is the convergence of operational technology, we ask how we can work with them and other leaders in industry, and we ask how we can detect when there's a threat or when there's somebody targeting and then proactively deal with it.
One of our goals is to make sure that is shared sector-wide from coast to coast to coast with every provider and to get that information out quickly. While one might fall victim, we don't want it to be two. Information sharing is also an important piece here when something is hitting, so that others can be inoculated against the threat as well.
:
I think there are a few things I'm.... I'm a little concerned. The report is meant to inform; we're hoping not to scare. We believe that fear doesn't really motivate Canadians, in most cases, to take action. However, what we are hoping is that we can give Canadians simple things that they can do to help themselves be secure online. Get Cyber Safe is a great source for that, whether it's the Twitter account or the online account. There are some really easy things that we would like to ask Canadians to do.
One of those is passwords. We've seen that the number one password in Canada remains “password”; the number two password is “123456”. That's from a report, and that's pretty common worldwide. That just leaves it open and makes it easy for the cyber-threat actors. I know that passwords are a nightmare for all of us, but something basic like that can actually really strengthen cybersecurity.
The second easy thing that people can do is just turn on auto updates. Instead of having to install the updates manually on your phone or your computer, just set it to auto update. That also raises the bar for cybersecurity. We find that, in the last year or number of years, it is still the basic, out-of-date systems that are causing most of the cybersecurity breaches, so those two things are simple.
With regard to your point, for small and medium-sized enterprises what we have tried to do is also prepare a guide of simple, straightforward things that small and medium-sized organizations can do because they don't need to be—they shouldn't be—cybersecurity experts. That's our guidance for small and medium-sized enterprises. We designed that specifically so that 20% of the effort would result in 80% of the benefits of what we would do from, say, an enterprise-grade cybersecurity program that exists.
We are trying to do things that are practical and pragmatic, and then we do things that are fun—like the holiday gift guide, etc., at this time of year—to hopefully try to help Canadians make some good online security choices.
:
I think there are a few things.
Certainly, embarrassment and shame and fear about a potential loss of business are preventing organizations from reporting. In cybersecurity, unfortunately, we tend to punish the victim and not the perpetrator in our actions as citizens. We tend to shift away, and so there's an incentive for an organization to not admit when they're victims of a cybersecurity incident.
Then there's the second piece where there is embarrassment because the situation usually involves a mistake. Sometimes it's not because a patch has not been applied, but a lot of times it involves their having clicked on something they shouldn't have, and we have to begin to destigmatize that, and make people aware. You can get fooled. Some of the cybercriminal aspects...I believe it's only a matter of time before I'm going to click on something because some of them are so well done.
So if I know that is the case in my job, then nobody else should be feeling shame for it. I will probably be embarrassed when I click, but I'll get over it.
Lastly, I think some of the things we have seen include indications that insurance companies are telling organizations not to report, not to go to police, which makes this a very challenging thing to respond to, and also to get accurate statistics about, so we that know where to apply our resources on the specific threats. If we wanted to start to work on a particular version of cybercrime, without knowing what's hitting Canadians, where do we start?
Cybercrime is a global enterprise, unfortunately, but we should be focusing on what's targeting Canadians, and that's a challenge both for ourselves and the RCMP, because Canadian organizations just simply are not reporting for whatever reasons—ranging from embarrassment all the way to being advised not to report and pay the ransom to get back online.
:
Yes, absolutely. I'm happy to answer that.
First of all with regard to DNS, the Internet works on a series of numbers and we go to www.website.com, but the Internet doesn't understand what that is. DNS translates back into the actual address on the Internet, which is called an IP address. So it tells the Internet how to route itself and how to get to the location.
Cybercrime actors take advantage of that, so when you click on a link, if you were going to impersonate the cyber centre, for example, you might create a domain or a website that would say “cyber.gcca”. You might miss the dot and so fool Canadians; they wouldn't see it—that's called “typo-squatting”—and then they would go to something that looks like the cyber centre website, except you're downloading malware when you're there.
So a DNS firewall says, hey, that's accidentally been blocked as an illegitimate site, so when you click, you don't go there. So it stops you from having the consequence of either the mistyped address or the deliberate....
In terms of my using these, I absolutely do. I put them on my personal devices because, frankly, it gives me a level of protection. I admit it's only a matter of time before something happens and I click. I want to make sure that I'm as protected at every level as I can be.
:
That's an excellent question.
I don't want it to sound as if we're blaming Canadians for this, because it isn't easy, nor do I want to blame businesses. The problem with the technology world is that we've made it too hard for business to keep up to date, and a small business owner should not also have to be a firewall expert and a networking expert and a computer expert. There's a certain amount on business to take this on and make it easy for them to do.
But there are some simple things. Our small and medium-sized business guidance does give some simple steps that we've written to be accessible. I really did appreciate the comments about making the report accessible. We really are trying to write this for advice and guidance for all Canadians.
For individual Canadians, though, we do publish tips. We try to put them out such that it's one simple action to take to make yourself more secure. It can be, today I'm going to make a unique password for my bank. That immediately means if it's not being reused—you never use that password—you're raising the bar for your bank. Multi-factor authentication is harder. When you log in to your bank, for example, and you turn it on, it means somebody else can't log in as you. Even if they get your password, there's another step to verify. That, again, makes it hard, so the cybercriminal is going to move on. Essentially what we're talking about is putting hurdles in place. Why would a cybercriminal want to jump over them when they can move on to the next target, who doesn't have the same hurdle in place? That only works for individuals.
When we look at companies, especially large organizations, sometimes they're worth the effort, so they'll pay to invest to develop unique capabilities after them, and that's what we call “big game hunting”, which cybercriminals will target. That's where a large organization has the benefit of a larger budget and a larger cybersecurity organization so they can bring in a really qualified provider to help them.
:
One of the things we've done, which we started early in the pandemic, was to simply work with providers—partners around the world and commercial providers—to take down anybody that was impersonating the Government of Canada. I think we've all gotten the calls from someone pretending to be from a government agency. The same thing happens on the Internet, where you get emails, etc. We've taken down over 4,000 of these since March. It's something we did to try to decrease the amount of fraud that's happening.
The second thing that we've also tried to do is to raise awareness. We did some joint public awareness campaigns with the RCMP and the Canadian Anti-Fraud centre to get information out to Canadians to say, “Hey, look for this, because here's something we're seeing.” We've really tightened up the path of communications there in terms of making sure that information is being shared quickly and is getting out to Canadians so they can know what to be aware of and what is the latest scam.
The third piece, though, is that we have been working with telecommunications companies as Canadians report spam. For anything that's related to the Government of Canada, we've been able to proactively put things in place. For example, on the programs that the government has put in place in terms of the CERB or some of the other response benefits, we're ensuring that we know what those look like ahead of time so that we can pre-position fraud detection. If somebody tries to pretend to be the CERB site to try to get information, we have commercial providers that are looking for that proactively to take it down before any Canadian is victimized.
We're really trying to get ahead of the curve. It's something where we've really relied on those government departments that are responsible for delivery to get that out there.
Finally, we're also telling everybody to go to the root of the truth. If you're looking for the facts, go to the place to get the real facts. In a pandemic situation, Ottawa Public Health, Public Health Ontario and the Public Health Agency of Canada are those roots of truth for me. They'll obviously be different wherever you're—
:
We certainly don't want to blame the victims for this. It is hard, I understand, just keeping on top of all of this.
The first thing that we say to businesses, as well as individual citizens, is to just turn on auto updates—on our phones, just slide it to auto updates. However, the industry does need to make this easier. In many cases it is: Our home laptops, our home computers, etc., tend to do this now by default. You have to manually set them to not auto update so that the updates are manual.
That's good progress, but it needs to be made better.
The real challenge is for businesses where the equipment doesn't do that. The equipment requires a system administrator to download a patch or an update, to go onto the device, to install it, to test it, and it may or may not work because the device, really, is finicky. That's where the industry really does need to start stepping up on cybersecurity to make it easier for these small and medium-sized organizations to stay up to date.
However, there is some hope. The cloud does offer some benefits to these organizations where updates are automatic. With regard to the cyber centre, one of the things we did when we stood it up was to move our operations into the cloud because we wanted to work like every business in Canada either was working that day or was going to be working. We wanted to live our own advice. What we do is.... I get updates. In fact, I just saw—my computer just told me—that I just got an update for my Microsoft Teams environment that we use to say that, yes, we have the updates. You get them right away when they're issued by the vendor.
That makes it easier. That takes the pressure off those small and medium-sized organizations to do things. When you do that, that means that you don't have to do it yourself. You don't have to go in and download the patches and install them because it comes with it.
That's really where we're saying that it has to be easier for the users and not place the blame on them.
:
Thank you for that question, which I think really does go to the root of some of the things we talked about in the national cyber-threat assessment.
The amount of personal data that's out there on us now is quite extensive. One thing that's been noted is that in any cyber-attack, not only do they have things like your usernames and passwords that they've stolen from other places; in many cases, they also have the answers to your security questions—your mother's maiden name, your first pet, what school you went to and things like that. Those things that we always relied on as kind of a second barrier to security are now just the same as the password type of thing. It's critical.
To protect information, I always ask, “Why does somebody to know this? Are they asking something that's legitimate?" If I'm going on and buying an online purchase and they ask for my social insurance number, they don't need that for the purchase. I'll walk away. They need to start collecting the minimum amount of information viable. The second thing I think about is the risk I am taking on. Of course I do online shopping, not just because of the pandemic but also because it's convenient for me. Where is it going? Who's behind this service? Is it using a third party payment system? That can protect you financially. In reality, though, things like credit cards do have good protection.
It really boils down to, “Do they really need to know?” Over-collecting of information is something we certainly look at. Even when we designed the cyber centre, we made it so that there's a phone number people can call for help. We looked at the minimum information we absolutely needed to be able to respond and help the person, and then we did a privacy assessment on that to protect it. That's something I think every business should be looking at: . “Do I really need to know all of this? Do I really need to keep the history of every purchase they made?" Maybe they do. There could be a real reason for that. That's something I think the privacy commissioners have advice on.
From a cybersecurity perspective, the more information we put out there and the more information we put on our social media accounts, the more vulnerable we're making ourselves. Frankly, we're giving them the information they need to target us.
:
I'll have to be careful because the policy decision is still pending.
In general, what we're looking at when we're looking at anything approaching a 5G network is that the system needs to be secured in layers, everything from how it's maintained to who's accessing it, to the variety of equipment itself, to whether the software used is open source, publicly scrutinizable or closed, meaning it comes from a particular vendor, and then it's also how we leverage it. That's one of the things where modern telecommunications offer a significant advantage now.
We used to rely on the network itself for security and how you transmitted because encryption couldn't be used. It was too expensive. Our devices weren't fast enough to do it. It is a challenge, when you talk about the law enforcement context.
Encryption offers protection for private information that you're transmitting. It's hard to observe. Encryption is now enabled more and more on our devices by default. All of the Government of Canada websites mandate that they're encrypted. So encryption itself is protecting confidentiality and the ability to know what I'm saying or what's happening.
The second piece is the integrity, knowing that when I send a message, nobody is modifying it. That's one of the areas where we need to think about end to end. For example, if the city is facilitating an ambulance to get to the hospital and is changing the lights, you want to make sure that it's not sending green, green, where traffic will cross—things like that. That's the integrity of the message, meaning that the message you want to send is getting there exactly as determined. You use encryption for that. You don't really care if somebody sees the message; you just care that they can't change it.
Then there is availability: we need the networks to be there. That's where we really look at a robust strategy talking about vendors building better equipment and better software. How is it tested? It's international in scope to make sure that it meets minimum standards, but you also have multiple vendors in place. We want a multi-vendor strategy. We want diversity in the market. We want these things in every section regardless of the type of network or the type of equipment. We're always better off than when it's a monopoly.
We really want to leverage all of those things. That's what I think the Citizen Lab report was getting at. It said it's multi-faceted. There's not one solution to the challenge we face; you need to apply multiple different aspects of security. That's certainly what we try to layer into any security program we do. It's not unique to the next generation mobile network versus a fixed network or anything that's.... For example, we use the same security modelling for the incredibly high-speed network I have at home right now.
:
I'm going to assume that you're talking about the work of the security and intelligence threats to the elections task force that CSE chaired on behalf of the community.
We're doing a few things. We did work with Elections Canada to support them overall on cybersecurity. I could go into a lot of detail on that, but so could the Chief Electoral Officer and his team.
One of the aspects for us was also making sure that every registered political party that wanted to was getting regular cyber briefings. My team did that on an ongoing basis throughout the campaign to make sure that we shared any cyber-threats that we were seeing. We also contextualized it to say what was really important and what they could be expecting to see. That tended to be with the officials inside of the party.
We also had the hotline set up where political parties could call if they needed assistance with something, such as fake social media accounts, etc. Most of the social media providers were fairly responsive to those types of things. We would try to ensure that connections were made there.
It does remain a challenge. That's one of the areas where we are always looking for ways to connect.
On the other hand, one of the things that has been repeatedly reinforced to me is that if, for example, you are impersonated on social media, I cannot make a complaint on your behalf. You have to do that. The social media companies are quite adamant about that. It's one of the areas where, if something like that does happen, we try to facilitate and hopefully accelerate getting a resolution. We did see some incidents like that where parties asked for some support.
Then, of course, in the report itself—the first and second ones—were the threats to Canada's democratic processes, where we really try to lay the groundwork for what cyber-threats we expect to see to Canada's democratic institutions.
:
Great. Thank you for that question. There are risks, and it depends on which country we're looking at. Specifically recall that we talked about state-owned enterprises and partnering with those.
This is where, depending on the Canadian business, there's quite a lot of advice out there. It's about understanding what the goal of the partnership agreement is. Is it a technology transfer agreement where it really is looking to transfer the technology to build, or is it about manufacturing and you're outsourcing something?
Knowing what's important to you as a company is the first step. What makes my information special? Is that intellectual property, some unique manufacturing process, tool technique design, or is is my customer base and how I interact with them, how I promote, etc.? By knowing what makes you special and unique, you know what you need to protect—that's the goal that you need to protect.
Then you go in with your eyes wide open. What's of interest to me? Is this a mutually beneficial relationship? When you start to assess this, it tells you where you need to put your cyber defences, which ultimately gets to what I'm responsible for. Are you positioning your company for a takeover? In this case you could expect to see a company looking to get information on your financials. Where are you particularly vulnerable, who are your suppliers, who's your legal counsel, etc.? You could see that in terms of a takeover bid.
If you're looking at a unique piece of technology, then you need to protect that. How am I protecting it and making sure that it isn't travelling, isn't going places where it walks out the door? Really think that through. You're thinking through the threats and then leveraging the advice that's out there.
:
That's an interesting question.
I think we're faced with the challenge that an insider threat, which is really what we're talking about, is something that kind of hits different facets. One is that the person is in a position of trust and does do have access to types of data and information, especially if it's related to their position. Then what controls are put in place from an information security perspective? That's a case of understanding one of the things we say in our top ten, which is to segment and separate information.
There are things at CSE that I just don't need to know. Yes, I'm one of the senior executives there, but that doesn't mean I need to know everything. I don't have access to security files for security clearances. I don't need to know; I don't need to access them. We segment information away, and we protect it. That's for privacy reasons, but it's also for security reasons.
Even in the cyber centre, there are things where there's a limited group of people who have exposure to certain information. We do that deliberately to protect it.
Those are some of the cybersecurity elements that we would say are part of our general advice and guidance, but you first have to know what needs to be protected. That's one of the things, and also what that information could be used against. A lot of times, what I say to businesses is not to think about the harm that it can cause to you; think of the harm somebody could do with the information that you have. Who could they give it to that would harm you?
:
A bit of some of that might touch on some classified issues, but I can certainly talk about it and hope I answer your question fully.
There are a few things. Typically, what we're talking about here is that the way the Internet routes itself is that it works on what is the cheapest route, usually meaning fastest. You can pretend to be the cheapest route and fastest, which forces the Internet to direct across it. The technique for that is called “BGP hijacking”, but I won't go into all the techy grossness of it.
That's one of the things that we've been working on in partnership with telcos. I talked about innovation before, and we do look at ways to innovate and work with our telcos to detect this type of activity, and moreover, to ask what are the defensive ways we can do things to prevent this?
It isn't something that happens a lot, but it is something that can happen and it's something that we're looking for. We're looking for ways to mitigate and defend against it, but at the same time, though, not reduce the reliability of the Internet.
It is something where you're talking about big shifts, so it is a bit of a concern. Really, you're talking about being able to mass all the data that's going from one place to another, so encryption is a great defence against that.
With our apps, right now for example we are on an encrypted Zoom channel. You can't publicly just tap into this; you have to be able to sign in, and so on. There's encryption there. When I send a message over any of the messaging apps, and so on, that's encrypted.
Our websites are all encrypted now as well for the government, and hopefully, more and more commercial sites are fully encrypted. That immediately puts a barrier to actually using that information for anything, other than getting a whole bunch of encrypted data that you can't do anything with.
Those are some of the defences.