Good afternoon, Mr. Chair and members of the committee.
Thank you for the invitation to speak to you today. I'm grateful for the opportunity given your study touches on issues with which Canadians and the Office of the Privacy Commissioner, or OPC, are seized.
I will reiterate the concerns I voiced when I appeared before the Standing Senate Committee on Banking, Trade and Commerce on its study of open banking: the financial sector must be built upon a foundation that includes respect for privacy and other fundamental rights at its core. Banks and other financial institutions must have robust standards for both cybersecurity and privacy.
It is important to clarify the difference between a privacy breach and a security breach as the two terms are often used interchangeably.
A security breach is any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. A privacy breach is the loss of, unauthorized access to, or disclosure of, personal information, regardless of the means. A privacy breach is broader and can occur without any compromise of security systems.
And this is the challenge: cybersecurity and privacy have some overlap in that the former can help protect the latter, but in some cases, cybersecurity can create risks for privacy. For example, it is vital to ensure that cybersecurity strategies and activities do not lead to the development of massive surveillance regimes for unlimited and unending monitoring and analysis of the personal information of individuals.
Both the public and private sectors have obligations to report breaches. Under the public sector Privacy Act, that obligation resides in Treasury Board policy, which requires that OPC officials be notified of material privacy breaches. A breach is “material” if it involves sensitive personal information, could reasonably be expected to cause harm or involves a large number of individuals.
On the private sector side, the Personal Information Protection and Electronic Documents Act, or PIPEDA, requires organizations to report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. Organizations must notify affected individuals about those breaches and keep records of all breaches.
An example of a high-profile privacy breach is the World Anti-Doping Agency—otherwise known as WADA—case. As a result of a phishing attack in 2016, WADA's database containing extremely sensitive personal information of athletes was compromised by Russian military intelligence operators, who subsequently released some of this data into the public domain, with the threat of releasing more.
In the OPC's WADA investigation, we concluded that cybersecurity measures should be proportionate both to the sensitivity of the personal information being protected and to the attractiveness of the information to malign actors. This reasoning also applies to cybersecurity in the financial sector. The Supreme Court of Canada has ruled that financial information is indeed sensitive. Other major breaches in recent memory have been those concerning Equifax, Ashley Madison and the Phoenix pay system.
Privacy breach reporting in the private sector has been mandatory since November 1, 2018. Since then, we have seen an approximately fourfold increase in breach reports from the private sector. With six months of private sector data breach reporting under our belt, and considerably more experience on the public sector side of the house, we have made a number of observations. These include that institutions are not always aware of the personal information they hold, where it goes or who has access to it. Oftentimes in the rush to protect against hackers, the internal threat is overlooked, yet privacy breaches involve not only loss of personal information to external forces, but also inappropriate access by internal actors. Mandatory breach reporting requirements can be a tool to enable institutions to confront the adequacy, or lack thereof, of cybersecurity plans and preparations. Furthermore, the OPC uses this information to inform our guidance to organizations.
The challenge for our office and for Canadians is to keep pace with technology. Understanding how personal data will be used, by whom and for what purpose, is equally difficult. While it's the case that privacy policies are seldom read, we may be approaching a time where how data is used is equally ill-understood. The office has done work in the area of examining notions of consent in this space, and has recently launched guidelines for organizations subject to PIPEDA on how best to obtain meaningful consent for the use of personal information.
As others have indicated before this committee, we believe that these issues are best addressed with a collaborative approach. To that end, we work together with other data protection and privacy offices on joint investigations. We participate in Global Privacy Enforcement Network sweeps, and have found that this enables sharing of best practices. The OPC also participates in the cyber security analysts network group, chaired by Public Safety, with the participation of other federal government departments. Our government advisory directorate also provides advice to federal government stakeholders in this area. Other solutions involve education and outreach for companies, particularly small and medium-sized enterprises, which are often hard pressed to ensure their information, including personal information, is adequately safeguarded.
In conclusion, privacy regulators and advocates have a role to play to ensure that cybersecurity strategies, principles, action plans and implementation activities promote privacy protection both as a guiding principle and an enduring standard. We also need to reform our privacy legislation to make it fit for purpose to ensure that the privacy of Canadians is protected as technologies and economies change, including those in the financial sector.
I welcome your questions.
I'd like to thank all the witnesses for being here today.
To our witnesses, with respect, just quickly before I get to my questions, I did have an opportunity to send my colleagues a notice of motion. I understand that I'm not within the 48-hour delay, but I did want to take an opportunity with my time to read the motion and explain in 30 seconds or less its rationale. It reads:
That, pursuant to Standing Order 108(2), the Committee invite the Minister of Public Safety and Emergency Preparedness to appear, no later than Friday, June 21, 2019, to respond to and take questions on the 2018 Public Report on the Terrorism Threat to Canada tabled in Parliament on Tuesday, December 11, 2018.
Quickly, for the benefit of colleagues, the rationale is that we've heard from communities named in this report that there is a concern about what impact that can have. I think that when we see some of the terrorist activities being committed here and abroad against faith groups and other communities, it's become pretty clear that there needs to be a rethinking of how these groups are identified in these reports and a better understanding of the thought process behind them.
I understand that it's based on information from our national security services, but at the same time, the government is the one responsible for tabling it in the House. We're looking to have a dialogue with the on that issue given the concerns that have been raised. Among others, they include the Sikh community. At the appropriate time, I will move the motion forward for debate and, hopefully, for approval.
That said, thank you for indulging me. I was just taking advantage of the opportunity.
I have a few questions for you.
We often hear about the Internet of things. You mentioned that, oftentimes, businesses aren't aware of all the data they hold or that, conversely, they are aware but keep it anyway even when the data aren't pertinent.
My question ties in with some of the questions that were asked earlier.
When people download apps on their phone and give their consent, rarely do they realize how much access to the data on their phones they are agreeing to share in exchange for the app. In terms of repercussions, how does that tie in with the issue we are studying? When people use banking applications or fingerprint identification to access their account from their phone, for example, what is the impact of using their phone in that way?
It's not directly related to you, but I want to use this opportunity to clear up some questions that keep coming up.
Black hat hackers and white hat hackers are long-held terms in the technology community. I just want to put that out there since there's confusion about it. There are also grey hats, and we can get into a whole discussion about that.
Another point I want to make sure everyone is aware of is cracking versus hacking. If you put duct tape on a bottle of WD-40 to make it go to space, that's a hack. If you use that to break into a bank, that's a crack. I want to make sure we have that distinction very clear out there.
My name is Glenn Foster. I'm the senior vice-president and chief information security officer of TD Bank Group. I'm responsible for TD's cybersecurity program across all of TD's activities globally.
TD is the sixth-largest bank in North America by branches and serves more than 25 million customers. We rank among the world's leading online financial services firms.
I'm here to talk to you about cybersecurity and its impact on financial services, Canadian consumers and national security. Traditional banking services have continued to become more digital. A recent CBA poll found that 76% of Canadians are using digital channels, both online and mobile, to conduct most of their banking transactions.
More than half of those polled say this is their most common banking method. This is true for TD customers as well. We have more than 12.5 million active digital customers and 7.5 million total active mobile customers. We complete 1.1 billion digital transactions per year in North America, and we have the highest digital penetration of any bank in Canada, the U.S., the U.K., and other parts of Europe.
Meanwhile, cyber-threats continue to become more sophisticated, driven by the commoditization of crime in the underground economy; the loss of top secret nation state intelligence technologies, when made available to bad actors; innovative technologies that spur advances in automation; geopolitical tensions and increased activity against global financial service participants and payment systems.
Recent economic sanctions have further increased tensions and have motivated retaliatory actions, cyberespionage campaigns, and attacks on financial services and critical infrastructure globally by nation state actors.
The proliferation of data breaches has significantly exposed consumer data and places pressure on banks' ability to authenticate customers.
This exposure of consumer data has also led to new automated attacks in which criminals leverage stolen account credentials and test them against online banking sites at a significant rate, an attack that's known as credential stuffing.
At TD, we have invested heavily in cybersecurity as one of our top priorities to ensure that we can protect our customers and live up to the high expectations of trust they place in us. We have a strong history of information sharing and collaboration with other Canadian banks through the Canadian Bankers Association, and across sectors of the Canadian economy through the newly formed Canadian Cyber Threat Exchange. We understand how critical it is to share intelligence on threat actors, and we consider it a best practice to combine our defences, as our ability to prevent, detect and contain cyber-attacks increases significantly when we work together as opposed to individually.
The effectiveness of our information sharing is limited based on current privacy laws and legal barriers. Legislative reforms allowing for safe harbour provisions for proactive protection could benefit our efforts. We support the government's creation of the Canadian Centre for Cyber Security under the Communications Security Establishment. We've been a long-time proponent of centralized authority for collaboration with the private sector.
Working with the Canadian Cyber Threat Exchange, we have established a solid structure for public-private partnerships and sharing. The critical part of the centre's mission should be not only information sharing and intelligence but also developing and implementing national strategies for cyber resiliency, preparedness and response.
The centre should be effectively resourced to engage with the private sector in establishing and measuring minimum security baselines for critical infrastructure sectors. The public and private sector would also benefit from coordinated resiliency tests and response capabilities versus systemic cyber events for critical infrastructure, which will prepare the centre to be the central point of coordination with the private sector in response to a national security threat.
It is important to note that cyber protection and safety are the responsibilities of not only financial institutions and government but also Canadian consumers.
Security practices fail when individuals do not understand their personal accountabilities and do not practise due care in their digital lives. Therefore the new national strategy is focused on educating Canadian citizens on cyber safe practices, which is vitally important to increasing their literacy with regard to risks and expectations.
The ever-increasing cybersecurity demands require a robust and highly skilled workforce. Various external benchmarks suggest an unmet demand of over one million open positions for cyber talent in North America alone.
At TD, a premier employer in Canada, our focus on talent is a top strategic pillar of our cyber program. We face increasing competition for cyber talent in Canada, and we are collaborating with academic institutions to create strategic partnerships such as the one mentioned in our announcement last year of our partnership with the cybersecurity institute of the University of New Brunswick.
We have also expanded our geographic footprint to the United States and Israel to meet talent demands. We are committed to growing the next generation of cyber talent here in Canada and encourage the federal government to accelerate the development of robust educational programs at Canadian universities to provide for the cyber workforce of tomorrow.
I am pleased to be here to discuss Canada's approach to cybersecurity, and I look forward to our discussion.
Mr. Foster, thank you for being here.
I want to talk about artificial intelligence. It has been raised a few times. In particular, it's being used by bad actors to learn how to attack weaknesses in systems. My understanding is that more and more we're seeing it being used also as a protective measure, learning how to protect.
I think TD acquired an AI start-up last year. I'll start with the security perspective and I'll get to other aspects of it.
From a security perspective, for both defending and your perception of those who are attacking, what's your sense of the current state of affairs?
I'll start with the attackers.
Although we're highly concerned about adversaries leveraging artificial intelligence to attack us, we haven't seen many examples of that in practice. Given that it's an evolving space, it's one that our threat intelligence team monitors very closely.
On the defence side, it's a significant asset and tool for us. Traditional security products were very good at a period of time where attacks were very repeatable. You could define signatures; you could block them.
Current attacks are very sophisticated. They're evolving on an almost daily basis. From the time of zero day out in the public to the time the commercial vendor can patch, to the time that large institutions can patch those vulnerabilities, the window, although getting so much shorter, is still significantly greater than the speed at which adversaries can develop scripting and start scanning everyone on the Internet. Part of that automation, in some cases using AI to be more rapid in how it identifies these vulnerabilities, is becoming a much more significant problem for us.
How we detect the more sophisticated actors in some of those regards, where they know how to get around our traditional security equipment, is through AI and machine learning and big data.
Thank you for that. That's the security side.
From a business or marketing side, AI can also be used to advance the needs of a business, to identify customer needs, and so forth. Layer 6, which you acquired, actually even says in their mission statement that they use machine learning technologies to help businesses better anticipate their customers' needs, which is a laudable goal. Those of us who use banking apps see these things being incorporated, where they're trying to predict spending trends or things such as that.
How does that get used? I know it's a broad question, but I want to understand. If data is being collected inevitably, how does your organization, your business or your bank, go about culling that information and making sure you're not gleaning things that maybe shouldn't be gleaned or that haven't been consented to, at least not explicitly?
The other aspect I wanted to go to is with regard to apps. Earlier, I was asking the Office of the Privacy Commissioner about this notion that when you install an app on your phone you're sort of giving broad permission. Some of the time it's explicit and other times it's less so in terms of such-and-such app wanting to access your microphone, your camera, and this, that and the other thing.
When your organization is developing the app, I'm wondering how you reconcile what's going on within the application for the banking activity of the client and the fact that there might be a variety of flaws that exist within, whether it's the firmware or other flaws that are being exploited within the mobile device itself. How does that work? What do you see as recommendations going forward?
All I can tell you is how we approach the security with the TD Bank for our applications.
You're right. Our application has to live in an ecosystem. No different from your computer, it's dependent upon the underlying operating system and the firmware. We build those applications with a couple of principles in mind. One is least privilege. Of the data that's in there, we try not to persist any data on the device itself. That way, if there are any inherent weaknesses, there's no data there for it to actually access.
We make sure the application is hardened. I mentioned the ethical hacking team that we have, in addition to the red team. Their role within the bank is that prior to the launch of any of these products, they perform very robust security testing, to make sure the application adequately insulates the application from the other things that are going on within the device itself.
Thank you, Chair, and thank you, Mr. Eglinski.
Thanks very much, Mr. Foster. As a former employee of TD, it's a pleasure to welcome you.
I'll roll my questions into one. We have the privilege of having you here as the chief information security officer of a major bank. Can you give us some insights into how your role is structured, what your responsibilities are and how you intersect with other major parts of the bank?
In the same breath, can you give us an appreciation of how much room there is for a major bank to be creative to develop its own security platforms? To what extent are you really constrained by the realities of the use of digital technology in limiting, first of all, the percentage of expense on security, but also the options that exist in terms of what you do to protect daily operations?
Where I sit organizationally, I report to the head of enterprise operational excellence, who reports to our group head, who reports directly to our CEO. My group has a head of innovation technology and shared services at TD Bank.
We felt that for strong governance, it was important to separate the CISO role from the technology organization, both for objectivity and as a reflection that cyber is really a business risk, not a technology risk.
We find that business engagement, in terms of process and products and how we engage our customers, is paramount to the success of our cybersecurity program.
As far as your other question is concerned, I had a bit of difficulty understanding whether you were talking about a percentage of spending or caps on spending.
I think there is variability among banks, partly because we're not necessarily all organized exactly the same way. If you look at any information security organizations, it's the 80-20 rule: 80% of us have the same things in our organization, and 20% may be federated or decentralized in other areas. It's very difficult to track apples to oranges.
At TD Bank, cyber is the top risk. Getting budgets is not a problem for me. We have top executive support, we have board support, for the program. Any constraint I face would probably be in the form of two things.
First is the amount of change the organization can go through in a given year. This is a fast evolving space. My spend has been growing at a compound annual growth rate of about 35% to 40% year over year. That's a lot of change to try to push into the organization.
Second is the availability of commercial products. The explosion, as I would call it, of security products within the industry is a lot to weed through to decide what's more hype than legitimate protection. I would find that for the most advanced organizations—we talked about big data and AI—the most uplift in the coming years would be in investments in our own skills and our people with data science and to be able to solve the problems of our bespoke applications as opposed to the general use vendors.