Colleagues, it appears that we have quorum. We will be under some time constraints. We will likely be interrupted by votes.
I want to apologize in advance to our witnesses. We will try to conduct this in as orderly a fashion as we can and try to save time where we can.
The normal course is that we have witnesses read into the record their statements of up to 10 minutes, and then we go to questions from members.
I haven't been able to speak to all colleagues, but I am going to propose to colleagues that the statements as prepared and submitted be taken as read and put into the record. Rather than having the witnesses read their statements again, they would simply summarize their statements, and then we'd move to questions, all in an effort to save some time.
Is that acceptable to you, colleagues?
We'll deem it banged and deem those statements read.
[See appendix—Remarks by Professor Jill Slay]
[See appendix—Remarks by Professor Yuval Shavitt]
The Chair: Professor Slay, since you are the witness who would be the most vulnerable to technology, maybe I could ask you first, if you will, to summarize your statement.
Then I'll ask Professor Shavitt if he will summarize his statement, and then we'll go immediately to questions.
If that's fine with you, then we look forward to what you have to say.
I have just developed a paper that looks at some of the key cybersecurity challenges. I have extended my thinking beyond the technical to those that I think are important for both of our governments.
I've explained to you that I think there is a need for a clear understanding of cyber threat. The diagram I have provided explains to you through a little flower picture that there are different vectors of attack, so cybersecurity and cyber threat are not the traditional understanding of technology, of computer network security, but also cover issues such as law and policy and administration. Therefore, when we are looking holistically at cybersecurity, we must get all those elements aligned.
One of the issues I focused on in Australia for many years is seeing cybersecurity as part of national security. Very often, those of us who are considered experts have come from technical backgrounds where we have been applauded and awarded funds for particular niche pieces of technical research, but there has been a reluctance for academics to see their work as part of national security. Somewhere within the policy mechanism of government, of prime ministers' departments and those departments that deal with the more secret issues around cybersecurity, there has to be an alignment of the agendas of the computer scientist and that of the national security agencies.
The other issue I've raised with you, which obviously I've been working on in Australia for a couple of years, is that as there is more of a focus and more of a need to deal with cybersecurity as part of national security, it's really important for us as countries and as allies to define what a cybersecurity practitioner is. We need to be able to answer the question: Who is an expert in this field?
We, in Australia, have done some work on that over the last couple of years actually to develop a national standard, professional standards in cybersecurity, so that we can answer the question: Who is a cybersecurity professional and who is a cybersecurity technician? This makes workplace issues, HR issues and government employment issues much easier, because our discipline has grown in some ways as an art rather than a science.
I've indicated the type of work we've done in developing national professional standards.
The last point I was making was essentially, in all of our countries, we're going to have a limited amount of money for research, for training, for alignment of cybersecurity with national security. We each have cohorts of researchers who are able to do really good research in areas such as artificial intelligence, machine learning for cybersecurity and IoT security, but very often I find as an academic that the research and teaching agenda is not aligned with the national security agenda.
I can do wonderful publishable work, but in a constrained environment. It's sometimes very unclear from government what they might do with the outcomes of my research. It's very important from a policy point of view to align research funding policies and education policies with the national security policies, the national security environment, so that we actually fund work that is important to the country.
I'll stop there.
I'm a professor at Tel Aviv University. I'm also a member of the Blavatnik Interdisciplinary Cyber Research Center. In this aspect, I fully agree with Professor Slay that cybersecurity is not only about technology, but it is also an interdisciplinary problem.
There are other aspects, such as the legal and social aspects, etc., and at the centre, we do this. We do interdisciplinary research. I'm also the CTO of a company called BGProtect, which is related to what I'm going to talk about.
I've studied Internet routing for over two decades. About 15 years ago, I started an academic project called DIMES, in which, using volunteers, we followed Internet routing around the world. At the peak of the project, we had 1,500 software agents running on volunteer machines in more than 40 nations around the world, so we got a very good picture of how Internet world routing behaves.
About four years ago, we took all this expertise and started BGProtect, which is a company that wants to help government and international institutions strengthen their security by monitoring the routing towards their networks in terms of what they had a fear of. Internet routing is a distributed protocol called BGP, and it is used to tell everybody where to find the servers or the clients on the Internet. However, when it was designed several decades ago, the Internet was very small and based on a lot of trust. Nobody was thinking about security.
About 10 years ago, a new type of attack came into the world: the IP hijack attack. Basically what you do in this attack is take the traffic between two end points and force it to go through your own network. By doing this, you form what is called a man-in-the-middle attack. These attacks are really.... These are large-scale attacks and are able to do a lot of things. Of course, if you get all the traffic passing through you, you can do espionage, or you can do what we call downgrade attacks and be able to insert Trojans into networks. You can penetrate networks. There are many types of attacks. This is why it is so dangerous. We have seen these attacks increasing in number throughout the years, especially in recent years.
We are here to look at these attacks. As a university professor, I'm doing research on this and have published a paper about this. Also, I do it as a company.
Now, when we look at these attempts, we see that these are not simple ones. They cannot be done by script kiddies. We're talking about government agencies and large criminal organizations doing these attacks, and we have to understand that this is not a dichotomy. There are governments using non-governmental bodies, and sometimes even criminal bodies, to do jobs that they want to distance themselves from. Think about the financial sector. It is especially targeted both by governments and of course by criminal organizations.
What can be done? One thing, of course, is to monitor your traffic to make sure that your flows of information won't go where they shouldn't go. This is obvious. This is something that we do at the company.
Another thing you need to do—and this is what we do also in Israel—is to set up CERTs. CERTs are what the Americans call fusion centres. They are organizations where, for governance in financial sectors, banks can share, in various levels of anonymity, data about attacks they are witnessing. This data can be distributed again—there are several levels of distribution—to other financial organizations, so that when there is an attack, such as a new virus, a new hijack attack or any other attack, data can be quickly shared with all the participants of the CERT in order to let them prepare for an attack that is going to come. This is very important. We do it in Israel. We have a national CERT and now we've also set up sectorial CERTs.
Finally, I cannot ignore the debate in Canada, in the U.K. and in the rest of the western world about equipment manufacturers. We know from the Snowden report that many American companies were collaborating with the U.S. government to get information from flows that they had.
There's no reason to believe that this is limited only to the U.S., and I would dare to say that in non-democratic countries it's probably happening even more often.
Now, when you have equipment, this equipment can be designed with vectors, with mechanisms, to sometimes divert traffic against what seems to be happening according to the routing protocol, so you have to monitor this type of equipment especially. We're talking about all sorts of telecommunications equipment, but especially routers. To do this, it's not enough to just look at the routing protocol, because here the diversion is done not through the routing protocol, but through the hardware itself. You need to do active monitoring.
This is something that we are doing. We've seen an increase in such attacks in the last two years. It's important not to limit ourselves to BGP but to also look at the actual data plane and where the packets are actually going, especially if you don't trust your equipment manufacturer.
There is a problem with regulation in the U.S. and I think also in Canada. If I, as an Israeli, were to try to buy a telephone company in Canada, I'm sure that I would not be able to do it, but if I would like to buy a telecommunications supplier, an ISP, I can do it. For some reason, data communication was ignored, because traditionally it was used by hippies. Now, it's really a critical infrastructure, and regulations need to be changed in terms of who can own this type of infrastructure in your own nation.
In general, many Internet companies, many ISPs, are spread out worldwide. You have Russian companies here and you have Canadian...well, maybe not Canadian, but you have American companies in Russia. You have Telia, which is a Swedish company, all over the world. It's okay.
There's one country—China—that doesn't allow foreign players to establish communications in its own land, so I don't understand why Canada and the U.S. allow the Chinese to have a communication infrastructure presence in the U.S. and Canada that actually helps them to do these kinds of attacks.
Thanks to both of you for being with us.
Professor Slay, I appreciate the fact that you're with us notwithstanding the time differential in Melbourne.
I want to stay with the theme that I've spoken to some of your predecessor witnesses about, and that's the environment we want to create in Canada and that we are creating for small business as an environment to start up in. Many small businesses are involved in data-centric, data-intensive lines of business. Some are involved in the development of software directly, and some of them, even more directly still, are involved in the development of defence-related procurement issues, software-related issues.
To what extent are small businesses particularly vulnerable in the cyber domain? To what extent are security questions in fact a barrier to entry into the marketplace in the first place? Are there jurisdictional lessons or best practices that you could tell us about in Israel, Australia or the other areas you're studying?
Yes, I think it does. We had a government cybersecurity initiative in 2016, and there was already a big focus on the big end of town. With new Labor Party policy and a general election coming up, there is more of an emphasis on the cybersecurity needs of small businesses. With the skill shortage in the market, the expensive salaries of cybersecurity practitioners, and the fact that, I think, Australia is about 60% to 70% small to medium-sized enterprises, those small to medium-sized enterprises suffer because they usually get general IT or ICT as a service. In many cases there's a lack of understanding of even the need for cybersecurity as a service.
But if you look at it the other way round, from a financial point of view, there has been a huge investment in Australia with government Department of Industry cyber growth centres, cyber growth sorts of nodes in a network, which in part has been to boost the national cybersecurity posture by producing incentives to get the small players in the market. You will have a lot of very small players, say in Canberra, where people who have retired from government service and who have cybersecurity skills are setting up small businesses and developing niche products, niche hardware and niche software. There's a lot of government incentive to actually produce more of that.
It has actually been very successful, but there has been a large amount of federal government funding to make that happen.
Thank you, Chair, and thanks to both of you for being here.
Professor Shavitt, I want to start with you.
In looking at where Internet traffic goes, there are a few pieces that I wanted to look at.
The first is regarding which jurisdiction applies to the protection of data that's being routed lawfully to a different area, whether that's because of how a company operates or a free trade agreement. One example that comes to mind that I know of, being from the Montreal area, is that with the abundance of hydroelectricity we have in Quebec, a number of these companies—Amazon, Google, etc.—are storing servers there because the cost of energy is low.
Not to get too far away from my questions, but I was reading something interesting the other day, which is that streaming music, depending on the jurisdiction, has a larger impact on greenhouse gas emissions than people might realize. There are a lot of interesting things happening with regard to where servers are located.
My question for you is in that vein. Is there any concern that data, through the legal mechanisms that exist, might be going through areas that people aren't necessarily aware of and causing risks for privacy and other things? One example that comes to mind as well is that we all use credit cards. Many of these companies aren't Canadian, so the information is being stored elsewhere. Is that a concern you have? How does that play into some of the research you've done?
Yes, this is the primary concern of this research. We see routing that is diverted, either maliciously or accidentally, to locations where you don't want it to go.
By the way, it also hurts performance, so you don't get the network to be as fast as it could be. I can tell you, for example, that we've seen routes from Tokyo to Seoul rerouted non-maliciously through the U.S. and then, after a week, through London. This makes the connection time 10 times slower, and this is a non-malicious diversion.
You see things like this happening all the time. The real problem is how do you distinguish between bad engineering, configuration errors and attacks.
I appreciate that. Thank you.
Professor Slay, I want to speak more specifically about the Australian experience.
Last year, I believe, legislation was adopted there. This comes back to this idea of the concern often raised about these so-called back doors. I'll express it in layperson's terms. Any sort of back door that's potentially opened to decrypt for law enforcement potentially opens the same avenue for bad actors—to not use the expression “bad guys”.
I'm just wondering what your thoughts are on that legislative experience that Australia has had, or if it's too early to tell if that's what has happened. I believe that concern was raised at the time.
We enter a grey zone, if I understand that.
Prof. Yuval Shavitt: Yes.
Mr. Michel Picard: Okay.
Professor Slay, a few weeks ago there was an article stating that London has looked at Huawei and is maybe starting to change its perspective on the company with the security issue they had to deal with, and they might not be as scared or have to be as protected as they thought they should be, although in Australia you got rid of the company and that was that.
Are you aware of this change of mind in the U.K., and if so, what do you think of it?
I've been following that quite closely.
The first report from GCHQ said they felt it was far too great an effort for their lab to provide assurance about the Huawei equipment, but I believe it was only yesterday that GCHQ said maybe they could assure the equipment. I believe there are political implications in the U.K. because of the nature of their board, which were not necessarily the same for us in Australia. I believe we have already made that commitment not to use Huawei at the federal government level, but we have not always tracked the relationships Huawei has in the country with, for instance, others who are not purchasing for the federal government. For instance, the Government of Western Australia has a contract with Huawei for equipment for their train system, and the University of New South Wales, where I used to work, has bought equipment for some kind of building works.
In Australia the federal government can control federal purchasing. For instance, it was able to control or to in some way stop Optus, one of our telcos, from using Huawei for 5G, but we don't have an overarching blanket control, because we're a democracy and because we have states as well as a federal government.
My own opinion is that the British decision will not affect the decision we have made in Canberra, mostly because we see the link between cybersecurity, the ability to infiltrate our systems' back doors, cyber-espionage and foreign interference. That is the theme at the moment, rather than just the security of the equipment.
You would rather not comment? Okay. I'm going to move away from that, then.
You talked about monitoring flow, which you do in your home country. One of the most important things, of course, is to activate monitored data planes, to know what kind of equipment is there. I'm kind of curious with regard to this monitoring.
You're keeping an eye on what is being routed and where. By the time you find out that someone is undergoing unusual routing changes, has that data already been lost? Is there a way for you to stop it before it gets that far? You did talk about technology and the cost of investing in protection, so I wonder if you could give us a little on that.
If I'm open with you, I lived in Hong Kong for 10 years. I speak fluent Chinese but I also have clearance. Also, I'm very, very careful about what I put on Twitter, so you're just going to see the fact that I've been selective.
I have gotten to the stage where I am very frustrated with the way that, as a professor, I'm constantly targeted by the Chinese. I have attribution. My stuff's been stolen. They've planted Ph.D. students on me. Therefore, I've decided to be more vocal about it. That's what you're seeing.
For me, the problem as I've become more well known is that I'm much more likely to be targeted. I fear that all professors in our field, whichever country they're in—and I wouldn't think that Canada is exempt—will be targeted by, particularly, China because they're really on the hunt for IP, and they have been for many years.
I have to say that it's a sovereign issue. It's really for Canada to decide.
Obviously, I can't speak for government. I just speak for myself. I think it would be easier for the Five Eyes partnership, just thinking from a technical point of view, if we had a common view on Huawei. But I think the announcement yesterday from the British, which was a halfway announcement that perhaps we might be able to deal with this, which says perhaps, with effort, we can provide the kind of assurance...would also then complicate the system for Canada.
I'm a very black and white person and a very black and white engineer, so I'm comforted by the fact that the federal government is not going to buy Huawei. I'm also the Optus chair, and Optus funds a lot of the research at my university. Obviously, Optus was the company that had the relationship with Huawei for 5G. I felt myself in huge conflict because I was called the Optus chair, so I was highly relieved when I didn't have to deal with that issue.
From a political point of view, I think for maintaining the solidarity of the Five Eyes, I would hope that we could come to the same kinds of conclusions. But I think there will be other people having that discussion this week.
Mr. Glen Motz: Dr. Shavitt.
We should be and I think we are. There is probably a lack of under-reporting publicly, but I'm pretty sure that within international organizations, within governments, there is also a lot of sharing. My experience is that there is a lot of sharing, whether it's law enforcement or whoever. I don't think we're necessarily constrained by those things.
It might be smaller companies that don't want to acknowledge they have been breached. However, particularly in Australia, there is more of an openness now to talk about it, particularly since before Christmas, the government, Alastair MacGibbon, the deputy secretary, the prime minister's adviser, did make it very clear that many companies have been breached, and there is more openness, more willingness to accept that because there's just so much of it.
Very quickly, I want to hear from both of you. We've talked a lot about foreign state actors as a threat. There has been a certain level of reporting here in Canada about domestic actors operating, not necessarily related specifically to cybersecurity, but in the digital space.
From a cyber perspective relating to our study, has there been any concern, in both Israel and Australia, about domestic actors and malicious actions that have posed a risk for either government or private individuals? Perhaps Professor Shavitt could answer and then Professor Slay.
I have a couple of questions, with the indulgence of the committee. Even if the committee doesn't indulge me, I'm going to ask them anyway.
Professor Shavitt, I want to focus on your analysis of the router, which, as I understand it, is your specialty. You talked about the attack points, both the software and hardware attack points, and where they can be compromised and route information to where you don't want it routed. The question I have for you is that this is the current state of affairs with the 4G network, and when it comes to a 5G network, what is the significant difference, if any, in terms of how you protect those routers?