Thank you very much for the invitation to speak to you today. The topic you've asked me to cover is the issue of cybersecurity, and in particular how it applies to the financial sector.
I think it would be useful to start with a very quick bit of background information when it comes to cybersecurity, in terms of why the financial sector is of interest, who the actors might be who might be interested in attacking, compromising or otherwise getting into the financial system, and some of the challenges that go with trying to protect the financial system and why.
I did provide my speaking notes beforehand, and the cover is just some very, very big numbers. Essentially, we're talking about the rate of breaches per day. It's in the hundreds, if not more, and it just keeps going up. People are very interested in attacking organizations from a cyber or Internet perspective because it's easy. You can be anywhere in the world to do it. In particular, when we think about those who might be interested in the financial sector, I would bucket them into four categories.
The first category is very easy: people who like the challenge. I sometimes refer to them as thrill-seekers. Financial institutions represent probably the toughest nut to crack when it comes to cybersecurity, so the kudos that goes with successfully breaching systems is very high in the hacker community. In many cases, this sort of action may be harmless and may be more reputational, such as changing the graphical interface on a web page, but nevertheless it's a group with interests in the financial sector.
Second are the hacktivists, those who have a social or political cause and see the financial sector or some of those it supports as being part of the challenge they face. Hacking helps them to further their cause or further their message. Again, I think it's very straightforward. Everyone has heard of Anonymous, though they're not very anonymous anymore.
Third are the criminals. Again, this is very straightforward in some ways. In the financial system, there's a direct monetary return that can be gained by criminals, but it's not just the direct monetary interest that criminals have, and I think this is very important to emphasize. You could hack into a system and try to siphon out money, but it's not just money that's in the system—it's information. It's personal information and information about the dealings of companies, all of which can be monetized in other ways. When we think about criminals, it's not just about direct monetization off the attack; it's also about the indirect benefits they can gain.
Finally—and I think this is where some of the biggest challenges are coming from—there is the issue of nation-states. You might ask the question, why would another state be interested in our financial system? If you think about it for a moment, in terms of the challenges we face in today's world, economic competition is as stiff as it ever was, and understanding the financial system, because everything flows through it at one point or another, gives you a very strong indication of not only how the country is doing, but also potentially how some of the corporations within the country are doing.
When it comes to having the upper hand in the economic challenge sphere—I shouldn't say “warfare”—from nation to nation, understanding the financials of a nation becomes very useful. If you think about that further and you're talking about nation state-sponsored takeovers, that information becomes even more useful. Ultimately, if you think about modern warfare and modern threats, think about the financial system this way. At the end of the day, our financial systems are literally based on confidence. Anyone who is able to infiltrate that and affect that confidence will affect our markets.
We've seen time and time again how markets change just on the basis of what people think is going to happen. For those nation-states, in terms of a leg-up, in terms of a new hybrid warfare option, that becomes a target of tremendous interest, because the consequences can be quite significant if you manage to undermine confidence in the financial system.
If we take a look at those four actors and then look across the financial system, I think there are five key challenges we have to think about.
The first is—I think this has been mentioned time and time again—that we think about the threats we face in terms of regulation and legislation. We think that if we put in the right rules and the right standards, we'll be able to stop bad things from happening.
I don't know how many of you have the 60-day or 90-day password rule change. Just to let you know, that was invented in the days when it took between 60 and 90 days to compromise your account from when someone had your password, but this is an ISO standard, and in many cases it's a requirement for companies.
First and foremost, standards are actually struggling to keep up. By the time a standard comes into place, we've gone well beyond it. I think the first big challenge we face, particularly in the financial sector, which is heavily regulated, is that if we just depend on standards and regulation, which cannot keep up with the threat, for me they're just the table stakes to get into the game. It has to go far beyond that.
The second issue, which is certainly as pertinent in the financial sector but it cuts across everything in cybersecurity, is the issue of information sharing. If I'm company A and somebody has tried to attack me by going after a very specific piece of software and no one knows, it's a zero-day vulnerability. No one yet knows this vulnerability exists, but the rest of the financial sector, maybe 70% of it, depends on the same software. Do you know what? It's embarrassing to admit that I've been hacked, so I'm not going to tell anyone. That's the typical story we hear about cybersecurity. The information about what's happened is rarely, if ever, shared or made available. Now, this is not about embarrassing anyone. This can be made available anonymously. Some nations like Australia, for instance, are pushing for more and more disclosure when it comes to breaches or attacks. Having that intelligence and information shared actually has a crucial role to play in cybersecurity, and it's something we have not gotten right yet.
The third challenge is that whenever I say “cybersecurity”, someone brings up a smart phone and says, “Yes, it's about securing this.” Cybersecurity is not just a technology problem. In fact, if you look at the latest breach statistics from the Australian privacy commissioner and work it out in terms of the different categories they use, over 60% of it comes through humans, either malicious or non-malicious, making mistakes or being socially engineered. That's 60% or more. This is not just a technology problem; it is very much a human problem.
I would say this to you as well: If I wanted to hack your bank, I wouldn't hack your bank; I would hack you. It's far easier to engineer a person than it is to get through the protections that a financial institution or a large organization might have.
The fourth thing, which is kind of an extension of that first piece about technology, is users. I think there was a news story a few weeks ago about a user being compromised because they were taken in by a scam and they were actually paying out large amounts of money. Unfortunately, that security, as one expert once described to me, is like armoured vehicles with armed officers taking money between two cardboard boxes, and it's the cardboard box at the end that we worry about, because the user at the end may not be as well defended, or may not understand things as well as the bank or the financial institution or the provider of the services might.
My biggest nightmare was when my father got an eBay account and a PayPal account. Not everyone is familiar with the digital world, and therefore there can be attacks against them, and while you and I may look at those and laugh and say we know they are scams, not everyone will. So the user at the end of the chain is another piece that we need to think of.
Going back to the comment I made about confidence, it may not be a financial institution's fault, but if enough of those users, particularly as people age, start suffering these attacks, think about what that does for confidence. They tell their friends; their friends tell their friends, and that spreads. There's a problem with the system, but it's not the system; it's the user, at the end of the day.
The last piece, which I think is a very big challenge and certainly it's pertinent in today's headlines, is the issue of supply chains. This might sound a little odd in cybersecurity, but think about it this way. We buy equipment; we buy bits and pieces from all over the world, and we integrate those into our systems. If we look at the earpieces we're using today to the translation systems, to the audio systems, there will probably be anywhere between three and 20 countries involved in constructing all of those. There's a direct supply chain, but it's not even in the equipment we're using directly. For those of you who remember the infamous Target breach, it was the HVAC system that they went after. They went after the HVAC company, and through that breached the system, and from there got into Target.
Supply chains have become very complex. They involve not just the bits and pieces we buy, but also the organizations that provide services to us. Again, I wouldn't attack your company; I would attack whoever services your company. When we think about cybersecurity, all of these elements add up to a very dangerous picture, which is, what does that do to confidence? If enough of these incidents keep happening, will they affect confidence, which is ultimately what underpins our financial system? That's why cybersecurity in the financial sector is a major concern and continues to be a major concern today.
The submission is more than 10 minutes, so I'll just highlight a few points. I tried to make sure I circulated it beforehand so we can go into some of the other issues.
As always, it will be my pleasure to answer your questions in both official languages, but I will be making my presentation in English.
There are five different elements that I was asked to comment on in regard to the range of cyber-threats that are facing the financial sector.
Here particularly, I highlight the ones that derive from the Internet more generally, including online banking, financial transfers and whatnot, and also the threats in particular to the SWIFT network: the vulnerability of the Internet as a whole, all the electronic transfers, and then the vulnerability of banks in particular to detect money laundering—know your customer—and the large-scale financial money-laundering issues that we have. I list some of those here in my brief. There are also the dangers that emanate from the SWIFT network, with Canada obviously being tied into the SWIFT network.
There are some recommendations here supporting the cybersecurity needs particularly of small and medium-sized financial institutions, something that I think is often overlooked as we focus only on the large entities.
Also, Canada must develop a policy response for rebuilding the financial system's technological infrastructure in the case of a major failure. I think we have not quite figured out the relationship between government and private industry if the entire system did go down and we actually needed government intervention and the expertise of some of our colleagues around town in order to bring the entire system back up.
We need the ability to publish warnings of retaliatory attacks and to pursue hackers in all available avenues under domestic and international law, all of which I think we can be much more aggressive at.
Second, I'll comment briefly on the sector-specific vulnerabilities and mitigation efforts.
The banking sector in particular is vulnerable to insiders. This applies not only to physical insider threats, but also to people who provide insider threats inside the organization with regard to moving and laundering money. It's estimated that about $2.5 trillion is laundered around the world each year, much of this electronically, including—as you know from our own case in Vancouver in recent days—a substantial amount through our own country.
Banks need to take responsibility for the consumer losses, as they do, but they have significant incentives not to do as much as they can. In the trade-off between convenience and security, they'll always go with convenience, because that's what the customers want, and we're not convinced that banks are being forced by government to pay sufficient attention to that trade-off. When banks are robbed in a cyber-attack, they have currently no incentive to disclose it, which means that everyone else is vulnerable to the same sort of attack. There are also reputational risks.
With regard to recommendations, they include developing a policy framework to mitigate consumer losses from risky behaviour, both at the institutional level and at the individual level; supporting the nascent cybersecurity industry in Canada, where I think there's a lot more that government can and should be doing; developing policies to incentivize data analysis of bank data for cybersecurity purposes; and encouraging more government collaboration among law enforcement, FINTRAC and financial institutions, including bestowing an enforcement capacity on FINTRAC.
Third, there are infrastructure interdependencies. These arise through the fact that the Internet does not respect boundaries, so information held by businesses such as banks is particularly vulnerable to data outages, data breaches and interruptions to communications in other countries, which are either accidental or deliberate. The SWIFT network, for instance, has had multi-hour outages. Financial institutions are motivated to keep data about customers and transactions in national repositories, and it's difficult to ensure this with the way the infrastructure is currently set up. Because of how distributed the infrastructure is, Canadian data are vulnerable to data breaches in jurisdictions outside of Canada, where regulations are weaker.
Bank infrastructure of communication systems.... The nature of the current system, with considerable extension such as 5G, means that vulnerabilities can only be hardened but not avoided. The recommendation here is that Canada should pursue a sovereign data localization strategy, reinforced by legislative and tax incentives to require critical data to be retained only in Canadian jurisdictions; set clear standards and expectations for the resilience of Canadian communication infrastructure; monitor that resilience; and impose penalties on critical communication infrastructure players who fail to adhere to standards or fail to make adjustments without which they would be left vulnerable.
Fourth is the role of communications service providers in threat detection and threat mitigation. This is where telecoms play a particularly important role. I cite here also the example of the deep packet inspection that CSE, for instance, uses to protect government infrastructure. Two issues prevent this from being fully exploited. First, the level of detection is so expensive that there's little incentive for telecom providers to get into that business. Second, telecom providers consider that amelioration, once detected, legally problematic. One of the interesting curiosities is that telecom providers in Australia have been much more willing to be proactive, even though their legislative regime is almost the same as Canada's. These widely different outcomes between Canada and Australia, I think, warrant further examination to see what can be learned in order to achieve the outcomes that Australia, under the same legal regime, is achieving.
The recommendation is that government should clarify the opportunities and obligations of telecom providers with respect to detecting and ameliorating communications that have the potential to do harm. Government should devote more resources to cybersecurity research. We already have a number of world-class capacities, including in quantum computing and cryptography, but there's much more need. The demand for highly skilled personnel vastly outstrips the supply. Unlike Australia, there is no strategy in this country on how to generate those human resources in terms of highly qualified personnel.
Finally, there are issues relating to entities participating in the Canadian economy and telecommunications infrastructure that may be subject to extraterritorial direction from foreign governments. Two parts of the information infrastructure contain inherent unfixable vulnerabilities—the network switches that form the backbone of the Internet and the consumer devices themselves. The network switches necessarily see all the traffic that they direct. If this traffic is not encrypted or is weakly encrypted, such switches may be able to detect everything that passes through them. Even if the traffic is strongly encrypted, the patterns of communication cannot be hidden from the switch. This traffic analysis is revealing. Switches can also control how they manage communication by delaying it, by cutting it off completely, or by diverting traffic.
The hardware and software of a switch can be analyzed for built-in vulnerabilities that might have been inserted. However, it needs to be possible to update the software in a switch from time to time, so each switch possesses a mechanism to “call home” and allow it to check and to get updates from remote locations. Policing this update mechanism is extremely difficult. The routing technique of the Internet uses tables that tell each switch which outgoing link to use to reach each eventual destination. These tables themselves are a vulnerability. There were several recent incidents where large amounts of traffic were misdirected through the territory of a particular state. Such consumer devices as cellphones have an inherent vulnerability, because they must see key process and display information, even if the data is encrypted for the rest of its existence. The manufacturers of such devices are in a position to see all of the input and output even if the storage of the device and all of its communications are encrypted. Such devices are routinely used for banking transactions and capture financial details. Transactions can, in principle, be captured.
Here are the recommendations. First, the government should ban such telecommunications providers as Huawei from participating in the development of 5G network infrastructure. In our view—I stress here that I wrote this brief with a colleague in computer science and a colleague in law—the government should ban Huawei from participating in the development of Canada's 5G mobile infrastructure. As a result of a recent change in a Chinese law, China can request any domestic company, including Huawei, to assist it to support national interests, including intelligence interests.
A related concern is that China and its industries are suspected to engage in industrial espionage on a large scale as an inexpensive means of R and D transfer. Moreover, Huawei and the ruling Communist Party appear interwoven in many important fashions, including via state subsidies of reportedly $10 billion in a single year. The systematic theft of IP, along with the massive state subsidies, made it impossible for such competitors as Nortel Networks to compete, and ultimately helped precipitate the demise of Canada's premier high-tech company. Since communications are a critical infrastructure, the government should be excluding wholesale any foreign entity with suspected ties to any country where strong evidence exists of significant prior IP theft or intelligence gathering.
For the sake of Canadian security, Canadian industry and Canadian research, Canada has a strategic interest in supporting our allies and banning foreign entities that they find undermine their national security interests. In doing so, the Canadian government would join not only its Five Eyes partners, including the United States, Australia and New Zealand, but a growing list of other allies that have already taken the step to ban—or are actively looking at ways of excluding—Huawei from their 5G and communication networks, including Japan, South Korea, Germany, France, the Czech Republic and Poland.
Furthermore, the evaluation board of the Huawei Cyber Security Evaluation Centre, set up jointly between the entity in question and GCHQ in the U.K., has become even less certain about this entity and its product security implications, with U.K. and French telcos actively replacing that equipment in their critical communications infrastructure.
In this matter, Canada appears increasingly out of step with key allies, and dithering carries reputational risks for Canada's perceived reliability as an ally, as well as for Canada's integration into the North American and allied communication infrastructure. Canada already opted to exclude this foreign manufacturer from critical infrastructure years ago. It should do likewise for the national grid.
Going back to what I mentioned about the Internet of things, the way this has developed is that it's become cheaper and cheaper to literally build and place a tiny little computer into anything. That means you can have a smart fridge, which I don't want, because my wife will know how much beer I'm drinking.
Voices: Oh, oh!
Dr. Satyamoorthy Kabilan: However, what happens with this is that it is about low cost, and security comes at a cost. If you're trying to make something as cheaply as possible, that's the first thing that tends to drop off your list.
These things are pervasive. You can get them anywhere and everywhere. Now, if you think about it, when you aggregate a bunch of very small computers, they can't do much on their own, but they have no security. You can take them over very easily, and also, because they are doing things such as monitoring your home, they'll know when you're in and when you're out. If they're on a camera, they might know what you're typing in as your password. Add that to the fact that if you pool all of them together, these little computers suddenly become a gigantic supercomputer.
I believe that in the fall of 2016 there was an outage across the east coast that affected some of the major social media companies such as Twitter and some other major websites. It was essentially a large-scale denial of service attack. What one organization had done was to look at all of these poorly secured devices, pull them all together as a gigantic hammer, and literally hit what was essentially a major address provider in the Internet. That caused one of the largest outages ever, and to this day I think it's still the largest denial of service attack we've ever seen.
With cheap devices, therefore, security is compromised, but this is everywhere. It's in everything. When roped together, it can be pretty impressive and dangerous.
In the interest of clarity, I will answer in English.
I think there are a couple of key risks. One is the pyramidal structures of the switches within the Internet. The higher up you are in that pyramid, the more traffic you can extract from the Internet. Currently, our adversaries have to try to get very high up in the Internet to extract as much traffic as they can. In the absence of that, they will reroute traffic. If the technology is embedded throughout the entire Internet, you don't have to make an effort to get at those switches anymore. You can just extract the entire traffic from the infrastructure as is.
The other problem is that even though we might test the technology,
—and this technology seems entirely safe to us—but we have to be able to update it. That is the problem.
There's always the ability for the manufacturer or an adversarial government to reach into that technology and, in the update process, install vulnerabilities in the technology. As for anything in life, it's an insurance policy that we take out.
Look at the November release by the joint congressional commission for the common defence, co-chaired by Ambassador Edelman. In its report, which you can download from the United States Institute of Peace, the commission concludes that if the U.S. today got into a war with Russia, China, or both, the U.S. would likely lose. Why? Because the war would start with a massive attack on the vulnerabilities within the critical infrastructure of, let's say broadly, the national grid; I don't mean just electricity. As a result, it would create such vulnerability, chaos and instabilities within the country that the U.S. would not have an opportunity to respond. It sure was a wake-up call in the United States. Countries such as China reserve the privilege of a first strike when it comes to cyberspace. This is part of the Chinese doctrine.
How much vulnerability and risk are we willing to expose ourselves to as a country? If we find ourselves in that situation, then it's a little late to go back.
Good afternoon, Mr. Chair and members of the committee.
It's a pleasure to be here again, I think. I guess I was just scrummed, so I got a little taste of what your lives are like.
As you know, my name is Scott Jones and I'm the head of the Canadian Centre for Cyber Security, which is a change from the last time I was here. The launch of the cyber centre was imminent. I am joined today by Eric Belzile, the director general of our incident management and threat mitigation team.
Launched on October 1, 2018, the Canadian Centre for Cyber Security is a new organization but one with a rich history. The cyber centre brings together operational cybersecurity experts from across the Government of Canada under one roof.
In line with the National Cyber Security Strategy, the launch of the Canadian Centre for Cyber Security represents a shift to a more unified approach to cyber security in Canada. The Canadian Centre for Cyber Security continues the work of the Communications Security Establishment's (CSE) IT security mandate. It provides advice, guidance, and services to federal departments and agencies and other systems of importance to the Government of Canada.
The Canadian Centre for Cyber Security also keeps Canadians safe in cyberspace by providing easily accessible information on cyber security matters, as a single, clear, and trusted source of information. With the amalgamation of parts of Public Safety Canada and Shared Services Canada, the Canadian Centre for Cyber Security continues the work of these departments to encourage collaboration with other levels of government, the private sector, and academia.
Our partnerships with industry are vital. Governments everywhere are simply not able to keep pace with the rapid innovation that the private sector is able to bring to bear. The Government of Canada cannot improve cybersecurity for Canadians without collaborating with the private sector.
This brings me to the specific topic of today's discussion: cybersecurity in the financial sector as a national economic security issue.
A significant disruption to the financial sector could have effects that reverberate across Canada's entire economy. The effects of a cyber-disruption could be immediate, such as financial loss, or they could occur over the medium to long term in the form of decreased consumer confidence. The risk of a cyber-compromise increases as the financial sector continues its transition to digital services and connects more devices to the Internet.
Nevertheless, this digital transformation has the potential to create tremendous opportunities for growth. To not leverage innovations in digital technology would mean being left out of the global economy. Retrenchment is not an option.
To this end, Canada needs to remain vigilant and take action to prevent, detect and respond to cyber threats to the financial sector, and all sectors of Canada's industry.
In this effort, the Canadian Centre for Cyber Security was proud to release Canada's first National Cyber Threat Assessment in December 2018. This assessment describes our view of the current cyber threat landscape in Canada. The intent is to ensure that as cyber threat actors pursue new ways to use the Internet and connected devices for malicious purposes, Canadians are well informed of the cyber threats facing our country. The assessment includes several key judgments on the current cyber threat environment, including that facing Canada's financial sector.
First, we assess that cybercrime is the cyber-threat most likely to affect Canadians and Canadian businesses in 2019. While all businesses are at risk, the financial sector is a frequent target of cybercriminals.
In a survey on the impact of cybercrime on Canadian businesses, researchers at Statistics Canada found that nearly half of Canadian organizations in the banking sector were impacted by cybersecurity incidents in 2017. Cybercriminals can target the financial sector, such as banking institutions, for immediate financial gain, but they can also target this industry for data about its customers and partners or for proprietary information. Stolen information is often held for ransom, sold or used to gain a competitive advantage.
These incidents can result in major financial losses and can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions and recovery expenses.
More sophisticated threat actors, including nation states, could also target the financial sector for its value as one of Canada's critical infrastructure sectors. However, we assess that at this time it is very unlikely that state-sponsored cyber threat actors would intentionally seek to disrupt Canadian critical infrastructure. While the financial sector is an attractive target for cyber threat actors, it is also a relatively hard target.
Indeed, in its 2017 survey, Statistics Canada found that two-thirds of banking institutions had a policy in place to manage or report cybersecurity incidents. The Canadian Centre for Cyber Security also plays an important role in helping to protect systems of importance to the Government of Canada.
We currently have ongoing and tailored initiatives with partners in Canada's financial sector. For example, the cyber centre regularly shares reports on indicators of compromise with critical infrastructure providers, including partners in the financial sector, with the goal of promoting the integration of cyber-defence technology.
When looking at what Canadians and businesses can do to protect themselves from cyber-threats, it is important to remember that adopting even basic cybersecurity practices can help thwart cyber-threat actors. Cybersecurity is everyone's business.
Thank you. I look forward to your questions.