Did you bring your cot?
An hon. member: Oh, oh!
The Chair: Okay, with that, the meeting has come to order.
I'll simply call the witnesses in the order that we have on the agenda, which starts with Mr. Green from Mastercard, followed by Mr. Davies from EY, Mr. Finlay from Cybersecure Catalyst and Mr. Gordon from Canadian Cyber Threat Exchange.
With that, Mr Green, you have seven minutes, please.
Good afternoon, and thank you for the opportunity to be here today.
First, I want to praise the committee for launching this study. Cybersecurity is one of the greatest challenges governments and businesses are facing at the present time, with serious implications for national security, financial stability and consumer protection.
I also want to congratulate the Government of Canada for launching its national cybersecurity strategy and establishing the Canadian Centre for Cyber Security. I had the opportunity to meet with the leadership of the centre today, and we at Mastercard look forward to supporting their work however we can.
Cybersecurity is a top global priority for Mastercard. Safety and security are foundational principles for every part of our business and the innovative technology platforms and services we enable. We know that secure products and services are essential to the trust our customers, cardholders, merchants and other partners place in us. Let me contextualize this.
As you probably know, Mastercard does not issue credit cards or have a direct relationship with consumers. That is the purview of the banks that issue our cards.
Mastercard is a technology company. We provide the network that allows consumers to use their Mastercard virtually anywhere in the world, in more than 210 countries and territories, and have those transactions processed in seconds, connecting 2.5 billion cardholders with tens of millions of merchants.
For us to provide value to banks, merchants and consumers who use our network, we must provide safety and security. We cannot afford to have any interruptions in the operations of our network.
We are also investing in innovation: enhancing our capabilities in-house; acquiring cutting-edge technology companies; and nurturing our Start Path group of curated start-ups, including five in Canada, connecting with our issuing partners to grow their business. Just last month, Mastercard entered into an agreement to acquire Toronto-based Ethoca, a fraud solution powered by collaboration between banks and merchants.
At a very high level, that's what we're doing. Please let me now turn to our advice for government, which falls into six main areas.
First, in a networked, interconnected digital world, we need cybersecurity solutions tailored to small and medium-sized businesses. Cybercriminals will seek out the weakest point in the system to launch an attack. Therefore, we need to provide a framework for small businesses to protect their operations. Mastercard is playing a leading role in defending SMEs as we stand up our Cyber Readiness Institute, which emphasizes the practical application of tools for small and medium-sized businesses. The institute also facilitates the workforce development needed to implement these cybersecurity risk management tools.
In addition, keeping with this focus, in February, Mastercard and the Global Cyber Alliance released a new cybersecurity tool kit specifically designed for SMEs. This is a free online resource available worldwide. It offers actionable guidance and tools with clear direction to combat the increasing volume of cyber-attacks. There are operational tools, how-to materials and recognized best practices, all with an action focus. This tool kit will be updated regularly.
Second, global companies frequently confront an expanding and overlapping set of cybersecurity regulations in different jurisdictions. Those need to be harmonized using a baseline framework. We understand good trilateral progress was made here in the context of the NAFTA renegotiation, developing a common framework to align and manage cybersecurity risks, which is encouraging.
Third, there is a need to improve identity management and authentication as more devices are connected online. We need a robust identity ecosystem to enable easier and more secure digital interactions and transactions that safeguard the privacy of our cardholders.
Fourth, with the Internet of things there will soon be 30 billion connected devices. This creates enormous opportunities for the digital economy, but it also increases cyber-risk. Therefore, governments and the private sector should develop standards to improve the interoperability and cyber-threat detection and prevention while removing friction from commerce.
Fifth, as cyber-threats grow, governments and the private sector face a shortage of employees with cybersecurity skills. The world needs to start training the next generation of cybersecurity experts, and government has a role to play. If you have kids or grandkids, get them hooked on cybersecurity and they can make a lot of money in their lifetime, because right now the needs are there but the qualified security personnel are not.
Finally, collaboration, information-sharing and bringing all stakeholders to the table are required to fight cybercrime. President Obama commissioned an expert task force on cybersecurity on which our CEO sat. The task force issued a series of recommendations. The CRI, which I mentioned earlier, is a direct offshoot of the task force's emphasis on securing SMEs.
I believe this issue is so fundamental to the future of our economy and society that it needs attention from leadership at the highest levels. Mastercard is ready to lend its expertise to the Government of Canada in much the same way.
I could talk for hours on the subject but I will stop here and happily take questions on the areas that are of most interest to you. I have tried to provide a snapshot of what we are doing and what we think governments should be doing.
Thank you again to the committee for having me here, and I look forward to your questions.
Thank you for inviting us to this session to provide insights and field questions on cybersecurity in the financial sector.
My name is Thomas Davies, and I am the National Financial Services Cybersecurity Leader for EY in Canada. I'm also a special adviser for financial crime for the firm globally with a focus on insider and outsider threats. Prior to joining EY, I spent eight years as a director of Scotiabank, supporting all three lines of defence.
Cyber-attacks are on the rise and the financial services industry is considered a high value target globally. The number of individuals, organizations and nation states with access to advanced tools has grown exponentially as service offerings for hacking have been developed and optimized by criminal organizations. Attacks on financial services are not limited to cyber-breaches. They can quickly move to fraud and money-laundering activities, which then create a strain on the talent and financial resources of any organization. These concerns are exacerbated by the shortage of skilled professionals across financial crime domains. A successful breach of payment systems, transaction networks or customer data could have a material impact on the economy.
Consider for a moment the implications of not being able to use your debit or credit card for a day or even a week. Imagine over one million Canadians trying to withdraw cash to pay for groceries, gas or medicine. Many global regulators consider the resiliency of financial services against a cyber-event to be a top priority for ensured economic health, as exhibited by new security requirements in Hong Kong, the United Kingdom and New York.
As Canadians demand greater access to financial services through digital platforms such as open banking, we need to consider embedding security and privacy principles into the design phase of a solution. In doing so, we will help to build customer trust, encourage adoption and proactively reduce the likelihood of costly fixes later. Implementing preventative measures such as training and awareness, access management, system hygiene, third party risk and corporate governance will reduce both the attack surface of these platforms and the maintenance required to support them.
Canada has an opportunity to become a global leader in security and privacy while continuing to be a great innovator of fintech. Through the continued support of shared intelligence, the development of talent through early and continuous education, and by enhancing public awareness of cyber-threats leading to financial crime, we can ready ourselves against this growing threat.
Chair and members of the committee, thank you very much for the opportunity to speak with you today.
Cybersecure Catalyst is a new centre for cybersecurity activities that was established last year by Ryerson University. It is permanently located in Brampton and will open its physical footprint in Brampton later this year. The centre will collaborate closely with governments and government agencies at all levels, private sector partners and other academic institutions across Canada to drive growth and innovation in the Canadian cybersecurity ecosystem.
We will deliver programming in four pillars. We will provide cybersecurity training for existing cybersecurity professionals, and introductory cybersecurity training for newcomers to the sector. We will support scaling-up Canadian cybersecurity companies through a unique commercial accelerator program. We will support applied cybersecurity R and D partnerships between academic institutions and private sector partners. Finally, we will deliver public education in cybersecurity, focusing on private citizens and small businesses.
In developing the mandate of Cybersecure Catalyst, Ryerson University engaged in a lengthy consultation process with industry and government, including a number of financial institutions. I think the results of this consultation process are important for our discussion of cybersecurity in the financial sector as a national economic security issue. When we asked major financial institutions and other private sector entities what they needed most from a university-based cybersecurity centre, the answer wasn't some specific technological tool or identified advance in the science. The overwhelming answer was more people. You have heard this from other witnesses before the committee today. In particular, we heard from financial institutions that they need their existing personnel to be upskilled to meet emerging threats, and they need more people to come into the sector to staff entry-level positions within their organizations. Every one of the major financial institutions in Canada has many current openings for cybersecurity personnel.
The anecdotal evidence taken from our consultation process is supported by the empirical evidence. As you have already heard from other witnesses in this hearing, in July of 2018 Deloitte and the Toronto Financial Services Alliance released a report that estimated that the demand for cybersecurity personnel in Canada was increasing by 7% annually and that 8,000 cybersecurity positions need to be filled by 2021.
It is important to note that this shortage is not just a security problem; it is an economic development problem. The lack of trained cybersecurity personnel creates staffing challenges for the regular operations of these financial institutions, but it also impacts these institutions' ability to create new and safe products and services for domestic and international markets. Crucially, the lack of trained personnel seriously impacts the ability for small and medium-sized Canadian cybersecurity companies to grow.
An interesting way to see the Canadian labour market problem in cybersecurity is to travel to Israel. Israel is generally acknowledged to have the strongest cybersecurity technology ecosystem in the world. The Israeli government has established a new major centre for cybersecurity activities in a small town in the Negev Desert about an hour by car from Tel Aviv, called Beersheba. In January, I travelled Beersheba to meet not with Israeli companies but with representatives of Canadian financial institutions that have established offices at Beersheba because they can find cybersecurity talent in Israel much more readily than they can in Canada.
That is the bad news. The good news is that this problem is well understood and efforts are being made to address the issue. This federal government's investments in cybersecurity in the 2018 budget were significant, in particular with the establishment of the Canadian Centre for Cyber Security. The centre is already acting as an important partner and voice for the cybersecurity sector in Canada. In the recently released 2019 budget, this government made cybersecurity a priority, allocating $80 million to post-secondary institutions to expand the pipeline of cybersecurity talent in Canada, among other measures.
Of course there is always more to do. In our view, training programs should focus on two key cohorts: young people in K to 12 and demographic groups that are seriously under-represented in the cybersecurity sector. Young people are not necessarily inclined to view cybersecurity as an interesting or exciting field of study or future employment, but this can change with the right engagement.
We will not solve the labour market issue of cybersecurity for financial institutions or for any other institutions if we don't open the cybersecurity sector to more women, racialized groups, new Canadians, indigenous Canadians, veterans and to those who have been displaced from legacy sectors. Efforts should be made to focus specifically on opening training and industry placement opportunities to individuals from these groups, and we will focus on that at Cybersecure Catalyst.
Finally, as our economy continues to transform, we see exciting opportunities to build talent pipelines between sectors where human labour is being displaced, and the cybersecurity sector where the need for qualified personnel is growing.
Thank you very much.
I'd be pleased to take your questions.
I would like to thank the committee for giving me the opportunity to speak today about cybersecurity in the financial sector.
I'm the Executive Director of the Canadian Cyber Threat Exchange, CCTX. I'll highlight the work of the CCTX because I believe it has a direct bearing on the current focus of this committee's inquiries.
The CCTX is a not-for-profit organization established by the private sector with two broad mandates. First, we operate a cyber-threat information exchange to deliver actual intelligence to our members. Second, we provide a collaboration hub for the sharing of best practices among cybersecurity professionals. We're a relatively new organization, having commenced basic operational capacity just two years ago. I'll provide a few additional comments on our services in a minute.
The founding principles of the CCTX make it unique. First, our aim is to attract members from all sectors of the economy, not just those from critical infrastructure. We currently have members from accounting companies, law firms, the health sector, construction firms, entertainment companies, airport authorities and technology companies, among others.
Second, the large companies that founded the CCTX made it clear that the CCTX cannot be just for large organizations. We need to attract small and medium-sized organizations. In every sector of the economy, all sizes of organizations are experiencing cyber-attacks. We've grown from the initial nine founding members to just under 60 today, with additional applications being processed weekly.
In January this year, we changed our membership and fee structures to make membership more attractive to small and medium-sized organizations. Those changes have been really well received. Small organizations now represent 28% of our membership, and we're working to ensure this number grows significantly. As we increased the number of small organizations, we were developing cybersecurity reports and services specifically tailored to meet the needs of the small business owner.
I'll briefly highlight two of the service delivery areas.
We operate a cyber-threat information-sharing hub. Threat information is provided by participating member organizations. The threat intelligence received does not contain personal information, and the source of the information is anonymized.
The CCTX also receives cyber-threat information from the new cyber centre. We're pleased to be the first organization to sign a collaboration agreement with the new cyber centre. This is an important partnership for the CCTX and the government. We believe we will benefit from the full cybersecurity capability the government offers, and the government is going to benefit by our being able to extend the reach of what they're doing to small parts of the economy they no longer service, particularly those areas outside the core critical infrastructure.
The CCTX also offers its members an opportunity to provide threat-related information to the government, while keeping their identities anonymized. As we continue to grow, we'll provide the government with a broader understanding of how cyber-threats are impacting the entire Canadian economy.
This committee previously heard from witnesses on the importance of developing the cyber workforce required to defend the Canadian economy. The CCTX plays a role in assisting the private sector in developing and retaining the skills they require. Our cross-sector collaboration capability provides a variety of forms to bring together cybersecurity professionals to share best practices and ideas. Practitioners get together to discuss new topics such as the new techniques that are being used by attackers, new defence technologies and strategies, and changes in the legal landscape that companies should be aware of. We deliver this capability through monthly webinars and in-person collaboration events. The time employees devote to participating in these events contributes to their retention of their professional certifications.
Financial institutions understand the importance of collaboration, which is why all six of Canada's largest banks belong to the CCTX. The banks recognize that through collaboration they can raise their own defences and make it more expensive for the attacker. We provide a unique cross-sector sharing forum. As an example of the beneficial and unique relationship of the CCTX, work is being done through our portal between the financial institutions and telecommunications companies on a very specific cyber-threat.
Banks have built an impressive capability to defend their networks from cyber-attack, and they are now launching a new initiative through the CCTX. They would like to share their expertise with SMEs and are working with us in helping to raise the maturity of SMEs in every sector's supply chain, not just those relating to financial services. Each bank has identified an area of expertise and presentations have been developed that focus on the needs of small and medium-sized enterprises. We're currently working on the delivery mechanism for this important initiative.
Collaboration starts with building a trusted relationship. The CCTX provides an environment where the trust can flourish. We're building a community where members don't have to be operating in isolation. When a crisis occurs, they have a community to which they can reach out for assistance. Creating this organization that shares threats and best practices across sectors and all sizes of companies is a key pillar to achieving the desired level of security in order to protect Canada's economic prosperity. Collaboration means you don't have to do it all yourself because “none of us is as smart as all of us”.
I look forward to your questions.
As someone who has visited a number of small start-ups, I can say that for many of them security may not be top of mind. It needs to become part of everything we do, not just for small businesses, but just as people.
When you leave your house every day, you lock your door. You need to have a certain level of cybersecurity hygiene in your everyday life. For businesses, especially those that have data available to them, it needs to be a part of what they do now. We're at a point in time where we need to help them with that, through best-practice sharing and access to experts. That is one of the reasons we engage with Global Cyber Alliance. We are part of many groups that provide best practices and how-tos, but it's about making tools available to small businesses to actually help them do something, rather than just telling them, “These are the things you should think about.” Give them the tools and access to the expertise.
At the cyber centre, they're certainly working on ways to provide information to small businesses. They'll never have intelligence organizations like I have, but certainly, you can break down the information enough to help them on the journey to get more secure.
Mr. Green, this whole notion of not being a card issuer is something that I recently was helped to understand by folks in your company. It adds a lot of wrinkles, I think, to how this process works.
I'm just wondering if you could walk me through a few things.
Mastercard is in charge of the payments, the transactions themselves, and then you have a card or a device or a website, sort of these third party things out there if you're using Apple Pay or something like that. And then there's the bank, which would be the card issuer.
Through that triangle, if I could put it that way, how would the accountability work, let's say in terms of my information? In other words, if I'm using my phone to pay for something and there's an issue, then is it incumbent on the banks, the card issuers, is it incumbent on Mastercard, is it incumbent on Apple because they caused a problem with Apple Pay? How does that work?
My next question concerns human resources, and it's for Mr. Davies and Mr. Green.
From a consulting perspective, the focus is on recruitment, while from a client perspective, for example at Mastercard, the focus is on the risk posed by human resources.
I want to share an anecdote. A number of years ago, I filled in a credit card application form properly—I won't say which card. When I received the card, the credit limit had already been exceeded. Obviously, I contacted the security department. The problem wasn't caused by me, but by the security department when the card was issued. The problem came from the inside.
In a previous life, I attended Canadian Bankers Association meetings, where we talked about payment terminals that were impossible to break into. However, the terminals were broken into within three weeks. We think that there's still a risk of inside jobs.
How is this human resources risk, which seems to lead to a dead end, managed for both the client and the consultant?
We do a great deal of background checking on our employees before we bring them on, but we also have insider threat programs. We know what the correct or usual behaviour is, and then we look for anomalies. I had an opportunity to take my board through what we have in our insider threat program, but we have a way of sensing when people are acting abnormally.
When those triggers are set, then my team will launch an investigation to see if the employee is acting in a way that is not in the best interests of the company.
Additional to that, we have employees who have high-risk roles. The things that they do allow them the ability to make or destroy machines, or things like that.
We have an increased level of monitoring, so my guys watch what it is that they're doing. It's all in behind the scenes, but it happens to make sure they they're doing the things that they are supposed to. If they're not, then we respond to it.
I'll add that the insider threat is the number one concern of most chief risk officers, because of the magnitude of the event when it occurs. You know, the Edward Snowden discussion comes up often in terms of national security. The idea that an insider has access to privileged information is always a concern.
There is a discussion around enhanced monitoring under what we call powerful users, people who have—to Mr. Green's point—powerful privileges inside the organization, and making sure to mitigate the risks.
So one account is frauded, that's a mitigated risk, and there's a certain risk tolerance you have to have internally. You can't guarantee that nobody will do a bad thing, but you can minimize the impact and do some basic training and awareness.
When I was a member at Scotiabank the code of ethics, business conduct, know your customer, and anti-money and laundering training were mandatory. It is important to have that be a mandatory component and to at least give everybody the sense that you're here to do the right thing.
I think we actually are improving. I think one of the big steps was creating the new cyber centre to do that. It's one of the reasons why we're working so closely with them to do that linkage between what the private sector is doing and what the government's doing.
As a matter of fact, we're working with some Australian organizations to create an organization in Australia similar to the CCTX, to do that cross-sector piece. It's one of the ways of bringing together all of the companies, all regardless of size or what they're doing, and bring them forward in a way they can start to interact with the government.
The government's going to be looking after the cyber centre, a fairly narrow window into the critical infrastructure—that's what they are going to scale to—and they're looking at us to expand that out to all the those sectors and areas that aren't going to be covered by what they're doing. The government can be providing some general advice, but a lot of it is taking the general advice and saying, we need to do something in technology, but as an individual within a company, how do I actually do that?
It's a little bit of the skills development that Mr. Finlay was talking about. We're trying to bring that along, to take the knowledge the government is providing and then translate that by getting individuals who are going to execute on using that technology to sit down and figure out how you actually do some of these things.
There are a number of different things that are interesting about how the Israeli cybersecurity ecosystem trains its people. It obviously has a unique national service characteristic, with military service in Israel that is different from the Canadian context.
One of the interesting and powerful things that they do is start young—K to 12. We think that is a very powerful way to get at the root of the cybersecurity labour market issue, by making young people very interested in cybersecurity and engaging them in cybersecurity careers. Ryerson, in partnership with Royal Bank of Canada and Carnegie Mellon, one of the leading universities in the United States in cybersecurity, ran a hack-a-thon called CanHack in 2018. It's an online game where high school students engage in monitored, supervised, safe cybersecurity tasks. Our projection was doubled in terms of the number of students who engaged in that program.
We think the opportunity there is extraordinary. That's piece number one, in terms of young people. Piece number two is engaging demographic groups that are under-represented in cyber and workers who are being displaced from legacy sectors. There's an opportunity to introduce workers who are being displaced from some sectors that are losing personnel, to train them up so that they can enter the cybersecurity sector at an entry level. We think that's a very exciting proposition.
Those are two things we hope to do and those are analogous to things we have seen being done in other countries, including Israel.
I'll skip over Y2K, then.
One of the challenges for companies is getting them to actually identify the critical information in their systems that they need to protect. If you don't know what's critical, you can't protect it all, so you start to layer it down on the things that are more important, then you can start to control who gets access to it.
One of the interesting challenges for a lot of companies, particularly when you're talking about ransomware and small companies, is that they traditionally think they haven't any big trade secrets, nothing that somebody wants to steal.
The problem with ransomware is that they don't want to take anything; they just want to deny you access to whatever you have that's of value to you. For a lot of small companies, that's quite a mind shift to get around, because once they get around that, then they can start to realize why they now have to be taking an interest in ransomware, both in terms of the defence of things—there are some things that can be done—and if it happens how they actually recover from it.
Mr. Green, you'll forgive me for harping on this. I'm just trying to walk through my understanding of it. When we left off, we were clarifying my question.
You talked about the local inability to identify a threat that's not necessarily going to recognize borders. I guess the concern can be flipped as well in terms of that type of information being accessible, say, to national security agencies or law enforcement. The specific example I'm thinking of is the concern that's been raised by the Privacy Commissioner here in Canada. For example, Canadians might now legally purchase marijuana with their credit cards. As it is illegal federally in the United States, if the border patrol were so inclined, that information could potentially see a Canadian being barred from entering the U.S.
If that information is there somewhere, for good or for ill, there's always going to be a risk of it being used. I'm just not clear on the accountability that exists, both in law and otherwise, for information for me as a Canadian dealing with a Canadian bank that might be stored on a server located in the U.S., or anywhere else.
I have a couple of questions, and then I have Mr. de Burgh Graham and Mr. Paul-Hus, for three minutes, and anybody else. That should run the clock right down. No questions for Mr. Motz—ageism.
You know, part of this study is precipitated by virtue of the 5G controversy, and particularly the 5G controversy with respect to Huawei, Nokia and Ericsson. You three in particular are on the front lines of defence, and so my question is this. If this is coming down the track—and it is—how are you preparing for that, or are you preparing for that, and how would your preparations change what you've just said today, if in fact it would change what you just said today?
We'll start with Mr. Green and work to the right.
With respect to certifications, it's our goal to deliver a suite of internationally recognized certifications from established third party cybersecurity training organizations. These are well known in the marketplace. These are entities like SANS, EC-Council and Palo Alto. There are lots of different providers that offer these and we are engaged in developing partnerships quite intensively with SANS and EC-Council to deliver these courses.
This really goes to the posture of Cybersecure Catalyst, which is industry-focused. We are very much interested in supporting the Canadian cybersecurity industry through the partnerships that we've discussed with academia and, obviously, through collaboration with the government. The cybersecurity sector in Canada promises to be one of the best in the world, and it can be one of the best in the world. We're going to work extremely hard to support that. We are aiming for those kinds of industry-focused certifications.
In terms of numbers, we have a five-year model out with respect to the introductory courses, that is, bringing demographic groups that are under-represented in cyber into the sector. We're looking at approximately 500. In terms of the work that we're going to be doing with our private sector partners, that will be in the thousands. In terms of engagement with young people, that will be, we hope, in the tens of thousands. Cybersecurity is a big problem and the numbers that we need to reach in order to have a material impact on this issue are large.
That's the ambition for this centre.