Thank you, Mr. Chair. I appreciate the opportunity to share FireEye's perspective with you on threats to the Canadian financial services sector and to provide an overview of how we as a company and the private sector in general work in partnership with the government to help defend that sector.
As the Chair said, my name is Christopher Porter. I'm the chief intelligence strategist for cybersecurity company FireEye. We have more than 4,000 customers in 67 countries. My testimony today will reflect the lessons we learned from responding to incidents around the world, but also intelligence we gather on threats that are specific to Canada.
In addition to working at FireEye, I am also a non-resident senior fellow at the Atlantic Council and until 2016 I served for nearly nine years at the U.S. Central Intelligence Agency, which included an assignment as the cyber-threat intelligence briefer to the White House National Security Council staff, several years in counterterrorism operations and brief war zone service.
In addition to the 300-plus security professionals responding to computer intrusions worldwide, FireEye also has over 200 cyber-threat analysts on staff in 18 different countries. They speak over 30 languages. They help us predict and better understand the adversary, often by considering the political and cultural environment of the threat actor. We were born as a technology company, but we have these capabilities, as well. We have an enormous catalogue of threat intelligence and it continues to grow every day alongside the continually increasing attacks on organizations around the world.
We also have deep ties to Canada. FireEye appliances defend Government of Canada email inboxes every day, and we work closely with Canada's public safety institutions to keep Canadians safe by defending their networks and also by supporting investigations.
For today's discussions I will focus not only on the cyber-threats that Canada's banks, investment firms and government financial regulators face today but also the threats that they are likely to face in the near future. We live in a time of rapid change in how cyber operations are deployed, especially by nation-states. What were once spying tools used to carefully, quietly and illicitly acquire information are increasingly in the hands of military officers poised to go on the offensive and do serious damage and disruption.
This is especially true in Canada, which is often one of the first nations targeted for new types of cyber operations. Canada is a country with a high per capita GDP which makes it an attractive target for financially motivated criminal activity. It is a world leader in high-tech development, including in some niche areas of military applicable dual-use technology, so it's going to be a perennial target for foreign intelligence services. As a member of NATO with a large diplomatic and investment presence worldwide, Canada is a natural target for politically motivated retaliation from a number of actors worldwide.
Companies and individuals in Canada are also targeted by a spectrum of threat activity that ranges from deliberate, sophisticated criminal intrusions to commodity malware that spreads worldwide and only incidentally affects Canadians.
For example, in February 2017, multiple major Canadian financial institutions were exposed to risk of state-sponsored cyber-theft from North Korea. At that time, the Polish financial supervision authority took its systems offline after discovering malicious code had been placed on its web server and it was being used to redirect select targets to malicious downloads that gained control of their computer. Notably, those attackers used a white list of IP addresses to designate which individuals would receive the designated payload and multiple Canadian financial institutions appeared prominently on the targeted list. Even though the threat was in Poland, it still came home here in Canada.
Commodity campaigns, such as ransomware, cryptojacking and especially credential theft malware constitute a significant threat to Canadians. Card-related fraud is a serious concern. FireEye routinely uncovers major underground fora that sell thousands of stolen credit cards at a time, sometimes from major financial institutions, but just as often targeting customer accounts at smaller banks and credit unions.
Canada is also often one of the first targets for new malware campaigns. A Canadian bank was one of the first five financial institutions worldwide to be targeted by TrickBot malware, and since then we've observed additional financial institutions that have a presence in or are based in Canada added to TrickBot's configuration files. Notably, Canadian URLs appeared in all TrickBot campaign IDs, and several of those organizations were either credit unions or smaller banks. In August 2017 we also observed a PandaBot configuration file that revealed targeting specifically of 15 major Canadian financial institutions.
At least a half dozen organized crime groups also conduct financial crime operations targeting companies and people in Canada, and their sophistication is on par with what previously we would have said was reserved only for nation-states. One group in particular, which FireEye calls FIN10, has been focused specifically on Canada since 2013, carrying out numerous intrusions against gambling and mining organizations, exfiltrating business data and extorting victims.
With ongoing intrusion operations, active underground threat activity, substantial targeting by commodity malware campaigns and homegrown threat actors, Canada will likely continue to face a complex and challenging criminal threat landscape in the short- to medium-term future.
The cyber espionage threat to Canada is moderate, but could be on the rise. We have observed 10 separate cyber espionage groups from China, Russia and Iran targeting Canada in recent years. Organizations in the government, defence, high-tech, non-profit, transportation, energy, telecommunications, education, and media sectors, among others, have all been impacted, much like they have been in many western countries.
Many Chinese cyber-threat groups have renewed their attention to the theft of military applicable technologies since mid-2017 and are likely to intensify those efforts as trade-related conflicts with Canada and its allies emerge. This greatly increases the risk to Canadian commercial firms in all industries, but especially those that develop cutting-edge technologies or that directly compete with Chinese companies internationally.
Aside from intellectual property theft, Chinese-origin operations continue to heavily target competitive business intelligence from Canadian companies, especially those making foreign direct investments globally.
Looking forward, I am gravely concerned about the militarization of cyber operations. As NATO members continue to share capability in training, the major cyber powers outside the alliance are likely to do the same. This proliferation of cutting-edge offensive cyber power, combined with an increasing willingness to use it, with minimal blowback and spiralling distrust, has set the stage for more disruptive and destabilizing cyber events possibly in the near future.
In the past, some countries would have responded to western sanctions with increases in denial of service attacks on finance sector websites, but in the future, they may just as well respond with destructive attacks that are aimed at permanently disabling financial services or altering data in ways that undermine trust in the global financial system. For example, they could delay or impair the trustworthy settlement of collateralized government debt.
For countries sufficiently sanctioned, and therefore increasingly outside the financial system anyway, there is little incentive not to do so during a confrontation. Efforts to undermine foreign governments may increasingly be met with disruptive cyber campaigns, such as those that target elections infrastructure and individual candidates, where Canada is especially vulnerable.
I urge the Government of Canada to work with its allies in the United States and Europe to find peaceful, diplomatic arrangements with potential rivals and adversaries in cyberspace. Attribution, while difficult, has not proven to be the barrier that many predicted to enforcing such diplomatic arrangements, and many of Canada's likely antagonists share similar concerns about cyber-threats to their own financial sector, government stability and a desire to protect their people.
Diplomatic agreements that focus on ensuring the sovereignty of signatories and that avoid destabilizing operations while protecting human dignity can be reached. They can be enforced, and they would be mutually beneficial. But they may require the west to curtail some of its own cyber activities. While not sufficient on their own to protect Canadians, diplomatic agreements restricting certain classes of cyber operations will prove necessary alongside private sector technology and services to protect Canadian citizens and businesses in the long term.
Thank you, Mr. Chair, for the opportunity to participate in today's discussions. I look forward to answering any questions you may have.
Mr. Chairman and Vice-Chairman, thank you for the invitation to testify before your committee today. It is an honour to represent my company, Illumio, and to offer my thinking about the future of cybersecurity and national security policy planning.
I'm the head of cybersecurity strategy at Illumio, which provides microsegmentation capabilities for cyber-resilience, and the former head of cyber-strategy in the Pentagon, where I was speech writer to the deputy secretary of defense during the Obama administration.
If I may first beg your indulgence, I'd like to open my statement by honouring the memory of a great Canadian national security leader with whom I worked in the Obama administration and who died last year. We worked on cybersecurity together. I'd like to inform you about him briefly and register his name into the Canadian record.
Shawn Brimley's life has been celebrated across his adoptive home in the United States, including through a letter from former president Barack Obama and moving eulogies in our national press, but for his family and for our two countries, I'd like to enter this statement into the permanent record of the House of Commons.
Shawn Brimley was born in Mississauga, Ontario, served in the Canadian army and was educated at Queen's University. He later settled in Washington, D.C. with his wife, Marjorie Clark Brimley, and achieved more in his 40 years than most do in a lifetime of service. He went from serving in the Pentagon to the White House to running one of Washington's premier think tanks, the Center for a New American Security. He wrote the 2010 Quadrennial Defense Review, helped shape the U.S. pivot to Asia, ran crisis response and strategic planning initiatives out of the White House and was a leading thinker behind the third offset strategy for long-term U.S. defence innovation.
A loving husband and father, a great friend and a mentor, Shawn Brimley made all of us safer and more secure. For that, this House and this country, as well as mine, can be proud.
As he testified before the U.S. Congress in 2015, it is an honour to testify in front of this House today, especially on an issue that he and I started working on nine years ago.
In the years since I first entered the Pentagon, the cyber-threats have become a top-tier challenge to international security. Three trends make it so: the vulnerability of the networks and data of cyberspace; the overarching digital transformation of society; and, a lack of sufficient investment by organizations in the people, processes and technologies required to deter, defend against and recover from cyber-attacks. Governments and organizations have taken steps to improve their cybersecurity posture by building teams, developing options and adopting technologies, but progress has been too slow to keep pace with the threat.
Nation-states and non-state attackers steal, destroy and manipulate data in and through cyberspace. Adversaries flourish in what could be called the “grey space” below the level of outright conflict, and they appear undeterred in pursuing their goals in that way. To name just a few, consider China's continuing campaign to steal U.S. intellectual property, including the data of the joint strike fighter; North Korea's 2015 theft of $81 million from the Bangladesh central bank and the U.S. Federal Reserve; China's theft of 21.5 million personnel records from the U.S. Office of Personnel Management; and, Russia's disruptive attacks on the Ukrainian electric grid in 2015 and 2016.
Nation-states present the greatest threat because they have the resources to put hackers on salary. These people can go to the gym; they can work diligently over time to try to penetrate a target. In recent years, they have shifted their focus from theft and destruction to the data manipulation of political and media targets.
The Russian attack on the 2016 U.S. presidential election is the most notable example. As you're familiar with, on the express direction of Russian President Vladimir Putin, Russian military intelligence hacked into the networks of U.S. political organizations and political leaders and exploited vulnerabilities in social media business practices to spread propaganda and foment mistrust in the American population.
The Russian operation hit at three parts of the American “centre of gravity” during a period of acute political transition: the American people, the political leadership and the key technology companies. Other countries have since taken similar steps, including China's reported penetration of Cambodia's electoral system in 2018, which affords it the opportunity to manipulate the outcome of those elections.
Why is this problem so severe right now? There are three points, I would say. The first is increased urbanization. The second is the proliferation of dual-use technologies. The third is the interconnected nature of the world economy. This means that smaller groups of individuals can have an impact significantly disproportionate to their size. This is the high-consequence risk nature of modernity, as Anthony Giddens called it.
Examples include the 9/11 attacks by al Qaeda, the actions of the subprime lenders and their impact on the mortgage market and, most recently, Russia's cyberspace operation against the U.S. election. Just like the September 11 attacks when 19 men slipped past the security establishment and turned airplanes into missiles, a small group of Russian operatives found a seam in American security to conduct a high-risk asymmetric attack.
The Internet grew from zero to just under four billion users in the 35-plus years since its founding and access increased without a commensurate understanding of risk. Whether from the vulnerabilities of code or the impact of social media on political identity formation, network status and cloud environments are vulnerable to breach, and society is vulnerable to manipulation.
As a matter of priority, countries should focus on deterring nation-state attacks. Deterrence is a function of perception, and it works by convincing a potential adversary that the costs of conducting an attack will outweigh the benefit. Effective deterrence requires the ability to impose costs on an attacker through sanctions or military means; defensive tools to repel an incoming attack, like firewalls; and, in the event that a hacker gets through the perimeter defence, resiliency capabilities to limit impact, like microsegmentation.
Two propositions arise from recent history to inform your inquiry. First, adversaries have escalated in cyberspace, despite the U.S. government's efforts at deterrence. The United States and other countries must therefore take a more aggressive stance to deter aggression. In 2018, the U.S. government embraced this position, notably through the defense department's doctrine of defending forward in cyberspace.
As my colleague pointed out, adversaries have escalated, and the United States chose to indict or sanction as punitive measures. These actions, while reasonable, did not set a precedent or effectively deter escalation. For example, even after sanctioning Russia for its actions in the 2016 election, Russia reportedly continued to implant malware on the U.S. electric grid through 2018.
What does it mean to defend forward in cyberspace? If it has indications and warning of an impending attack, the United States must be able to push back against an adversary. This means penetrating the cyberspace infrastructure to conduct counter-offence hacking to blunt an incoming attack. Nation-states have the right to defend themselves in cyberspace, just as they do in other domains. To maintain peace and stability, however, any operation must be conducted under the law of armed conflict.
The need for a more forceful deterrence posture is the first takeaway from the last 10 years of cybersecurity policy development in the United States. The second is the need to assume breach and plan for adversaries to penetrate your internal defences and gain access to your most vulnerable data.
What does it mean to assume breach? Most organizations focus on the perimeter defence, and they lack an internal security system to prevent servers from communicating with one another once an attacker has broken in. Once an attacker has penetrated a network, they can spend up to an average of six months inside a data centre or cloud environment, moving around unencumbered, implanting malware for whatever purpose they choose. An organization's crown jewel applications, like its key databases, are open game in that instance.
In the Chinese attack on OPM, for example, no rules existed to govern how applications and servers would interact internally. Thus, when the Chinese made their way inside, they could easily make their way to the database that held 21.5 million records.
Microsegmentation prevents breaches from spreading. At its most basic level, it puts walls around vital applications to segment them away from the rest of the cloud environment and data centres. An intruder may be able to get three servers, but not 3,000. In this way it's a deep foundation for cyber resilience and the last line of defence. For critical infrastructure sectors like the financial sector, if you have this kind of capability installed, it provides an element of resilience not just for the sector itself, but for the nation as a whole.
It is not a question of if but when a breach will occur. Countries need to proactively defend themselves against aggressors to achieve deterrence, but they also need to assume breach and implement defence in-depth strategies to withstand cyber-attacks. Leadership enables success against all parts of the cybersecurity project.
In his seminal essay, “The Challenge of Change”, historian Arthur M. Schlesinger said, “Science and technology revolutionize our lives, but memory, tradition and myth frame our response”. That is true. Our ability to manage technological change depends ultimately on the success of the leader and his or her ability to tell a story to make change. We have a crop of strong security leaders who have come up in Canada and the United States in the last 10 years. Technology's momentum and evolution may never end, but good leaders help society adapt and manage change, from the rise of aviation to the dawn of the nuclear age. Cybersecurity is simply the latest chapter in our story.
Ultimately, leadership is underpinned by analysis, and that's what makes this committee's work so important.
Thank you for having me. I welcome your questions.
I think it helps to start by thinking like an adversary, right? Whether you're a government or an organization that is thinking about threats overall, you need to go through: What is an adversary? How are they going to try to hold me at risk? What are they going to try to do to me? What am I willing to lose? Once you have a sense of what your core interests are, what you're willing to lose and what you need to protect, then you can start building a strategy for investment. That doesn't quite get you there to answer your question, however.
In the United States, we passed an executive order about cybersecurity that called out something called the section 9 list. The Department of Homeland Security conducted an assessment of all the companies and organizations in the country that were most cyber-vulnerable, and the impact of which, if disrupted, would cause the most significant damage. That analysis led to a list, which is classified. It's not a very large number of companies; you could probably guess a number of them right off the bat. That also helped the government focus on its collaboration with those key companies. That way, you can say that we're going to ensure the cyber-defences of these companies are going to be hardened.
That does not mean that those are the only companies the country would focus on. The military, for example, has to look at the adversaries, Russia, Iran and North Korea in particular, and ask: What are they investing in? What are they going to go after? What are they going to try to do? You have to try to blunt and block them if they do something quite significant.
That also doesn't quite get us there, and this is where regulation has to come in. If you've hardened the most valuable companies in a country, if the military is watching the most valuable adversaries, it's the Internet. It's massive. Someone is going to try to hack somewhere else and they're always going to look for the weakest underbelly—wherever they can go.
A great example here is Iran in 2012. The United States was prepared for Iran to do all sorts of things during the nuclear negotiations. What Iran did, which we were able to prognosticate that they would do, was to go after the infrastructure in the Persian Gulf of Saudi Aramco. They hacked Saudi Aramco, as has been publicly reported. That's where regulation absolutely has to come in and say that there have to be breach management requirements; there have to be penalties if companies don't meet these breach management requirements, and companies have to be able to meet certain resiliency investments to defend against breach.
Yes, absolutely. Thank you for the question, Mr. Chair.
The good news and bad news is that because cyber-policy is still so nascent, and your allies are still grasping at something that will actually work, Canada has a de facto opportunity to be a leader in this field by finding a solution that works. I think that's absolutely achievable.
I'll start by reorienting the question just a little bit. Within the NATO alliance there's a general attitude that governments will learn secret things and they will take some action to defend mostly their own networks, and then maybe companies and individuals as well. Maybe occasionally they will declassify that and share that with companies. That process is typically very slow and very long term. In the private sector, if we don't turn around actionable threat intelligence in 48 hours, we really have let our clients down. I think governments typically operate on timelines of several months. In some cases this is for good reason. I'm not going to pretend like there aren't good reasons for doing that. There often are.
I would encourage you to think that everything I just said about cyber-intelligence sharing was once true of counterterrorism, for example, until...threats to aviation and with 9/11. There was a much greater emphasis on pushing that information out to local governments, to individual actors and to companies in the U.S., and much greater information sharing and declassification.
I think we need the same thing in cyber-threat intelligence, where the allies are willing to tolerate more risk and push that defensive information out to the private sector more rapidly. It's unrealistic to think that a small business, for example—large enterprises, maybe—would be able to keep up with changes in major threats in a competent way. Between the large private sector cybersecurity companies and better information sharing from the government to those key partners, I think that would go a long way. You would have to tolerate some risk, of course.
The current situation where governments tend to view themselves as the central repository for information and will collect everything and then tell you what to do about it is just not how things work in cyberspace. Governments are still the largest actors, but they're not the only ones.
It really depends on what you're trying to achieve. I would defer to my team for specific pricing models.
It's really done on a case-by-case basis. I would recommend organizations to start.... One thing we discovered in our businesses is that most organizations may have some sense of what their crown jewel applications are, what their most valuable applications are within their universe. For example, as I mentioned once before, if you're the Office of Personnel Management, a database that stores all the data for all the personnel would be a key application.
Once you've identified your most important applications, you want to map out your data centre, all your applications, and workloads, which are not quite applications, but they provide the connective tissue within your data centre for your applications and servers. You want to map them out. Most organizations haven't done that. If you think about maps as a key element of geostrategy, in order to control your terrain you have to have this map of your interior. That then shows you how all the applications interact.
If Chris is in the marketing department and I'm the guy who handles the key servers for whatever my organization is, a payment system or otherwise, and he gets hacked through an email, there's no reason why his server should ever be interacting with mine. He's not concerned. He's not an engineer. I'm the engineer. In that way, you draw a map of how your applications work and then you set rules for how they interact with one another.
The degree to which an organization wants to set rules for specific crown jewel applications across their enterprise affects the pricing model to some degree. That's why I'm not going to offer you a specific cost. If you want to map your enterprise and begin to set rules internally, that's when you really harden your interior. One of the benefits of setting rules is it provides alarms. If somebody breaks into one server and you know that server shouldn't be interacting.... Again, if he's hacked in the marketing department and I'm an engineer, we know these servers shouldn't be interacting. If you see an intruder doing it, it will set off an alarm so then the security operations team can know somebody's inside.
I also don't endorse the view that China would simply win a cyberwar, instantly. I think that, certainly, multiple countries have developed the capability to conduct destructive attacks on critical infrastructure, globally.
Of Russia, China, Iran and North Korea, the one that I'm by far the most worried about is Russia. The reason is that they've implanted malware across elements of the U.S. electric grid, and it wasn't clear why.
I don't think, if any one of these adversaries initiated a conflict in cyberspace, that it would terminate in a manner favourable to their terms so quickly, because we've invested in the cyber mission force. That's a large capability of 6,200 elite trained hackers and operators who are watching those countries quite closely.
If you go through an escalation ladder and consider China and Russia in particular, China even more so, they're deeply intertwined with our economy. They know that any element of escalation in cyberspace that goes beyond a certain level is going to begin to have significant economic consequences for them, if it leads to any kind of military confrontation.
I recently wrote a piece about why I think China is the greatest long-term threat in cyberspace. Really, it's because of their advanced weapons development in other domains, like railguns. It's for that reason that the U.S. invested in the third offset strategy that Shawn Brimley led. If we look over the 20-year span of what could happen between these two countries, we'd see an element of keeping parity in terms of technological development.
To my colleague's point, this is an outcome that you want to obviously avoid. It's not something that's in either country's long-term interest. It's in both of our interests, from the United States' and China's standpoint—also for Canada, I imagine—to maintain productive, peaceful relations that over time will lead to the economic flourishing of everybody in the Pacific and beyond. That ultimately comes down to issues of diplomacy and speaking to them about what escalation means and what it doesn't.
In our back pocket, however, we do have to preserve these technological options for the potential for conflict, unfortunately.
I think a number of nations have passed stringent regulations to help protect critical infrastructure. The French example for ANSSI, and the directives that have been developed, I think are a very good example. My sense is that they have greater amounts of control over their critical infrastructure from a mandate standpoint than the United States.
Our example, as I mentioned earlier, stems from the section 9 list. We went through and asked what the most important critical infrastructure in the U.S. is from a protection standpoint.
We do not yet have a national data and privacy protection law in the United States. For breach management, we have our states, and each state has a different role. California and Colorado have passed this more aggressive version. GDPR is very aggressive from that standpoint. It mandates a very short period of time to prove that you have a breach under control and levies a penalty if you haven't.
I think the French example, GDPR, and the California and Colorado state regulations are the most progressive and have fairly strong teeth. That doesn't mean they've won friends. A lot of sectors feel now that they have to have a compliance officer to handle all of these requirements, and it can be a lot of work. I think the nature of cyberspace says, “Look. That's too bad; you're just going to have to do it.”
The interesting thing about the financial sector is that it has been under attack probably since it moved over to the Internet. There are a number of major breaches that have caught the attention of the national security community as well as the banking sector, and it has led the banking sector to invest quite a lot in cybersecurity capabilities. It's for that reason that they're so far ahead.
I may have already commented on this, but they're much further advanced than a lot of the other sectors in the U.S. You could opine that part of the reason is that they're able to attract the best talent to their workforce. They're able to pay good salaries to attract people who want to work hard.
My general belief, and this is putting on my historian's hat and looking at all of these sectors, the cyber mission force and the evolution of cybersecurity strategy.... When I first started working on this in 2010—I mentioned the time of Shawn Brimley—you couldn't attract people to work in the cyber-policy office in the Pentagon. It was a bunch of nerds; everybody thought they were just computer geeks.
Now it's a problem that affects all of us. My view is that we now attract such talented people across sectors that we're going to be able to solve this problem. I really think we're going to be able to solve it and people will be able to implement good technologies. The banking sector will have led the way, and someday somebody will write a history of the banking sector where people on the inside talk about what it was actually like.