Thank you again for the opportunity to speak to you.
As I start, I want to note that in discussions with the clerk and the staff of the committee, I told them that I wasn't an expert on the financial sector, and it was suggested to me that I could make some general comments on national security and cyber, so that's what I'm proposing to do. I hope that will be helpful to the committee.
I want to comment in an odd sort of way on your order of reference, which talks about national economic security. I'm sure that careful thought was given to that, but I'd like to suggest to you—and I'm doing a bit of marketing here—that the issues you're talking about are national security issues, period. They're not a subunit of national security.
This goes to the definition of national security. I hope and think that you use a fairly broad one, but to my mind, it's anything that materially affects a nation's sovereignty. The things that the committee is talking about now can potentially very much affect a nation's sovereignty, just like money laundering conducted by a foreign state, or a devastating national security issue. That's just a small marketing effort on my part.
While I'm not an expert in financial systems, I hope and think that I can offer you a couple of useful context points. One is that context in the environment in which cyber-attacks occur, be they against the financial institutions or anywhere else, is important. These things don't occur in isolation. I would argue that you cannot deal with cyber-threats in the financial sector without an understanding of cyber-threats generally, and you can't understand cyber-threats without understanding threats generally directed against Canada and the west. We all live in a globalized world, and that certainly applies to national security threats.
I say this for a couple of reasons. Some of you may be old enough to remember the Cold War where it was fairly simple: those who were causing trouble and those who were receiving trouble were basically states. I'm oversimplifying, but it was the Warsaw Pact against the west. Some companies were affected.
I think one of the contextual points that are important is that our adversaries or instigators today are states, terrorist groups, criminal organizations—and I'll come back to that—corporations, civil society groups and individuals. I think that any of these could be causing difficulties in the financial systems that you're concerned about.
The targets, on the other hand, used to be basically states. I'd argue that they're now states, corporations, civil society, political parties, non-profits and individuals. The world is fairly complicated, and if either the financial institutions themselves or the government is going to deal with cyber-attacks against them, my suggestion to you is that they have to know and understand the context in which all of that is occurring. They just can't build walls abstractly.
I think the question of who or what might initiate cyber-attacks against our financial sector is very relevant. I don't try very hard to do sound bites, but I have one: National security is not national. It's not national in the sense that no single state can deal with these issues—certainly not a relatively small middle power like Canada—and you need international co-operation.
Second, I would argue that no federal state or nation state can deal with these sorts of things without the help of provincial or regional governments, and corporations and society generally. I would argue with you that it is a significant mistake for financial institutions to argue that they can do it all themselves, just as it is a mistake for the government to accept that hypothesis.
I talked a little bit about context and environment, so I would just like to lay out very quickly the kinds of threats to national security that Canada's facing. I think of the revisionist states, Russia and China; extremisms and extremism generally, including terrorists; the issue of cyber; the dysfunctional west; and the rogue states and issues—Iran and North Korea come to mind.
I'm emphasizing this a little bit because I think all of these are interrelated far more than they might have been 15 or 20 years ago. They leverage against each other, and they amplify their effects. For example, Russia and China use cyber systems and benefit from a dysfunctional west because we're not fighting them together. Terrorist groups benefit from the discord caused by revisionist states, and they use cyber systems. All of them interact with one another, and I think that we need to keep that in mind when we do that.
One of the other issues I want to emphasize and suggest to you is that Canada is very much threatened by cyber-attacks generally and against our financial institutions. I say this, because when I used to be working, one of the things that used to drive me to distraction was the view of many Canadians that Canada wasn't threatened because we had three oceans and the United States. That view made it very difficult for governments and others to deal with a lot of national security threats. The average Canadian, absent an event, didn't think there was a great issue.
I think Canada is very much threatened by a variety of the institutions and entities that I just talked about, but why is this the case? We have an advanced economy, advanced science and technology; we're part of the Five Eyes and NATO, and we're next to the U.S.
To be honest, we're not thought internationally to have the strongest defences on the cyber side, and any institution will go to the weakest link in the chain. Sometimes we are thought to be that, although I don't think we're doing all that badly. Also, we're threatened, sometimes simply because we're hit at random.
I think it's especially important for the committee to make the point that our financial sector is indeed threatened by cyber-attacks, because I don't think a lot of people believe that.
One of the other things I'd like to talk about is who I think are the main instigators of potential attacks. I think they're nation states and international criminal groups.
What are they going to try to do? They're going to try to deny service, old-fashioned theft—and I'll come back to that—information and intelligence acquisition, intellectual property theft, and identification theft, for both the purposes of acquiring money and espionage.
Let me give you a couple of examples about states that play with countries' financial systems.
North Korea finances a lot of their operations, gets a lot of their hard currency by using their cyber-capabilities to access the financial systems of various and sundry countries. For example, they had a program some time ago that allowed them to steal money systematically from ATMs around the world. They also had a program that allowed them to claim ransoms using ransomware. More generally, they are the country that was thought to have frozen the United Kingdom's national health service a few years ago.
My point is that you can find out as much about this as I can just by Googling them. The United States has indicted a number of people from North Korea who have tried to do this, and this is just one example of a state that tries to get into western countries' financial systems.
Another one is Iran. You will have seen in the newspapers over the last five or ten years, a couple of examples of how Iran has tried to do this, in particular against the United States and banks. There are indictments against seven or eight Iranians.
I have a couple of words about Russia and China and how I don't think you can ignore them when you talk about this topic. I think their main objective is twofold: one is denial of service, and another is to simply reduce western confidence in our institutions. They do this systematically.
Criminal groups I think are becoming much more prominent in this area, and it's something we don't talk enough about. I hope you've had an opportunity to talk to the RCMP about this. If you look at either RCMP or Statistics Canada figures, the extent to which international criminal groups are playing with our financial institutions has gone through the roof over the last little while.
In summary, cyber-attacks on our financial system are a national security issue in my view. These attacks must be viewed in broad context if we're going to deal with them effectively. There's no silver bullet to any of this. It will only work, and we will only reduce the risk, if governments, corporations and civil society co-operate.
I think government needs to share more information with the private sector. It's something that we do far less of than the United Kingdom and United States. You can't expect private corporations to be an effective partner if they're not aware of what's going on.
The financial sector needs to report these attacks and breaches far more systematically than they do.
These issues are evergreen, and we need to talk about them more than we do.
Thank you, Chairman.
Good afternoon, Chairman and members of the committee. My name is Mark Ryland. I'm the director of security engineering with Amazon Web Services. I work in the office of the CISO, so I work directly for the chief information security officer. Thank you for giving us the opportunity to speak with you today.
I suspect you all know a bit about Amazon.com, generally speaking, but allow me to add some Canadian details.
Amazon.ca has been serving our Canadian customers since 2002, and we have maintained a physical presence in the country since 2010. Amazon now employs more than 10,000 full-time employees in Canada, and in 2018 we announced an additional 6,300 jobs. We have two tech hubs, which are important software development centres with multiple office sites in Vancouver and Toronto. We employ hundreds of software designers and engineers who are working on some of our most advanced projects for our global platforms. We also have offices in Victoria with AbeBooks.com and in Winnipeg with a division called Thinkbox.
We also operate seven fulfillment centres in Canada—four in the greater Toronto area, two in the Vancouver area, and one in Calgary. Four more have been announced. Those will be coming online in 2019 in Edmonton and Ottawa.
But why am I here? What is this cloud thing? You might be wondering why we're here discussing the cybersecurity of the financial sector at all. Well, roll back the clock. About 12 years ago, we launched a division of our company we call Amazon Web Services, or AWS for short.
AWS started when the company realized that we had developed our core competency in operating very large-scale technology infrastructure and data centres. With that competency, we embarked on a broader mission of taking that technological understanding and serving an entirely new customer segment—developers and businesses—with an information technology service they can use to build their own very sophisticated, scalable applications.
The term “cloud computing” refers to the on-demand delivery of IT resources over the Internet or over private networks, with pay-as-you-go pricing, so that you pay only for what you use. Instead of buying, owning and maintaining a lot of technology equipment, such as computers, storage, networks, databases and so forth, you simply call an API and get access to these services on an on-demand basis. Sometimes it's called “utility computing”. It's similar to how consumers flip on a light switch and access electricity in their homes. The power company sort of takes care of all the background.
All this infrastructure is created and built. There is of course physical equipment and infrastructure behind all of this, but from the user perspective, you simply call an API. You call a software interface or click a button with a mouse, get access to all this capability and are then charged for its usage.
It's all fully controlled by software, which means that it's all automatable. That's a really important point that I'll make several times, because the ability to automate things is a big advantage in the security realm. Instead of doing things manually and using.... We don't have enough experts, believe me, to do all the command typing that needs to be done, so you need the right software to automate.
As of today, we provide highly reliable, secure, resilient services to over a million customers in 190 countries. Actually, you can think of our cloud platform as a federation of separate cloud regions. There are 20 of those around the world and 61 availability zones. Each region is made up of separate physical locations to create greater resiliency.
Montreal is home to our AWS Canada region, which has two availability zones. Each availability zone is in one or more distinct geographic areas and is designed with redundancy, for power, for networking, for connectivity and so forth, to minimize the chance they could both fail. With this capability, with these multiple physical locations, our customers can build highly available and very fault-tolerant applications. Even the failure of an entire data centre need not result in an outage for our customers and their applications.
The companies that leverage AWS range from large enterprises such as Porter Airlines, the National Bank of Canada, the Montréal Exchange, TMX Group, Capital One and BlackBerry, to lots of start-ups, such as Airbnb and Pinterest, as well as companies like Netflix, which many of you have heard of, all of which are running on the AWS cloud.
We also work a lot with public sector organizations around the globe, including the Government of Ontario, the Ministry of Justice and the Home Office in the U.K., Singapore, Australia, the U.S.A. and many customers globally in the public sector area.
What are the advantages of moving to the cloud? There are three primary benefits that I want to highlight.
The first is agility and elasticity. Agility allows you to quickly spin up resources, use them, and shut them down when you don't need them. This really means that for the first time, customers can treat information technology in a more experimental fashion because experiments are cheap. You can actually try things, and if they don't work, you spend very little money. Instead of this large capital expenditure with large software licensing costs, you can do this in a much more dynamic model. Experimentation is very helpful when it comes to innovation, so that leads to greater innovation.
In terms of elasticity, customers often had to over-provision for their systems. They had to buy too much capacity, because only once a year or once a month was there a need for a great deal of capacity.
Most of the time, the systems are relatively idle. You have a lot of waste in this over-provisioning model. In the cloud, you can provision what you need. You can scale up and add more capacity or subtract capacity dynamically as you go.
Another advantage is cost savings. Part of what I just described also leads to cost savings. You're using only the amount of capacity you need at any one time. You can also treat your expenditures in terms of moving from capital expenses to operational expenses, which many people find very helpful.
In short, our customers are able to maintain very high levels of infrastructure at a price that is very difficult to do when you buy and manage all your own infrastructure.
The third reason, and the one that I really want to emphasize here in my testimony, is actually the benefit of security. The AWS infrastructure puts very strong safeguards in place to protect customer security and privacy. All the data is stored in highly secured data centres. We provide full encryption very easily; you just literally check a box or call an API. All your data is encrypted, which acts as controls in logging, to see what's going on and to monitor and control who has access. Also, our global network provides built-in inherent capabilities for protecting customers from DDoS and other network-type attacks.
Before the cloud, organizations had to spend a lot of time and money managing their own data centres and worrying about all the security of everything inside, and that meant time not focused specifically on their core mission. With the cloud, organizations can function more like start-ups, moving at the speed of ideas, without upfront costs and the worry of defending the full range of security threats.
Previously, organizations had to either adopt this big capital investment program or enter into long-term contracts with vendors. Really, the most difficult part was that the companies and organizations were responsible for the entire stack. Everything from the concrete to the locks on the doors and all the way to the software was completely the responsibility of the customer. With cloud, we take care of a number of those responsibilities.
What about cloud security? More and more, organizations are realizing that there's a link between IT modernization and using the cloud and improving their security posture. Security depends on the ability to stay a step ahead of rapidly and continuously evolving threat landscapes and requires both operational agility and access to the latest technologies. As the legacy infrastructure that many of our customers use approaches obsolescence or needs replacing, organizations move to the cloud to take advantage of our advanced capabilities.
Increased automation is key, as I mentioned before, and the cloud provides the highest level of automation. The possibility of automation is maximized using the cloud platform. Cloud security is our number one priority. In fact, we say that security is job zero, even before job one, and organizations across all sectors will highlight how commercial cloud can offer improved security across their IT infrastructure.
Therefore, many organizations, such as financial institutions, are modernizing their capabilities to use cloud platforms. We've been architected for the security of organizations, and for some of the most security-sensitive organizations, such as financial services.
Now, there is a shared responsibility. Customers are still responsible for maintaining the security of their environments, but the surface area, the amount of things they need to worry about, is greatly reduced, because we take care of a lot of those things and they can focus their attention on what remains. From major banks to federal governments, customers have repeatedly told us—and we have quotes that we can supply to the committee—that they feel more secure in their cloud-based deployments of their applications than they do in their on-premise physical infrastructure in their own data centres.
In sum, cloud should not be seen as a barrier to security, but as a technology that helps security and is therefore very helpful in the financial services realm as a part of a general solution for modernization and improving security.
We also have a few policy recommendations, which we'll provide in our written testimony.
One of the things is that we think there's an overemphasis on the physical location of data. Very often, people think, “I've got to have data physically here in order to protect it.” Actually, if you look at the history of cyber-incidents, everything is done remotely. If you're connected to a network and the network has outside access, that's where all the bad things happen.
Physical location of data, especially when you can encrypt everything, such as physical access to storage drives or whatever, literally is not a threat vector. Really, there should be some flexibility for banks and other institutions as to where they physically place their data, and they should be able to run their workloads around the globe, reaching their global customers with low latency and storing data potentially outside of Canada.
There are another couple of recommendations, including data residency. We believe also that centralizing security assessment makes a lot of sense. Instead of having every agency or every regulatory body separately evaluating cloud security, centralize that in an organization like the CCCS, where they can do a central evaluation and determine whether clouds are meeting the requirements. Then, that authority to operate can be inherited by other organizations throughout the government and under industries that are regulated.
Thank you very much for your time.
I should admit up front that I'm probably prejudiced, having spent a goodly number of years working in this area, but I think there has been a lot of progress over the last little while and there's much more co-operation and collaboration.
But I would argue two things. One is that the world is becoming much, much more complex, and I think it could be argued that we need more resourcing. When I used to work for the government, the last thing you wanted to do was embarrass your minister by saying you wanted more money. I'm not really saying that now, but if you consider the Cold War to terrorism and the current cyber issues and great power conflict generally, yes, all of these institutions have had more resources, but the resources may not be enough today, so I would ask that.
I guess the other issue I would note is this. I was told over the years by several politicians from both sides that there aren't very many votes on national security, and that's one of the reasons why governments are sometimes hesitant to take some of the steps you've implied. However much politicians may get frustrated with officials, officials do take the lead from the political side of things, and I think we need to be a little bit more proactive sometimes than we are, because technology is moving, the threat is moving, and we seem to be playing catch-up.
I don't direct this at any government or any official. It just seems to be the way we do it, largely because, if you're the Minister of Finance or the President of the Treasury Board, the last thing you want to do is to say every two years, “Here's another quarter of a billion dollars.” I'm just picking a number, but you know, there are technological changes, some of which Mr. Ryland talked about, and there are a whole raft of others. It's very hard for government to keep up with these things without a constant ongoing effort, and at the same time, you're worrying about Russia and China and North Korea and Iran. You're worrying about international criminal groups. I think we're beginning to underestimate the problem with terrorists just because we've whacked a few of them.
So, as a long answer to a short question, I think generally speaking people are doing as well as they can, but it's very difficult to galvanize everybody who works on this—political officials and the private sector—unless there's some consensus on how serious the threat is.
I would say, with great respect, there's no such consensus in Canada.
Thank you. I am Steve Drennan and I'm pleased to be here today representing myself and ADGA in the cybersecurity domain and financial sector in Canada. Thank you for the invitation to provide testimony to the public safety committee at the House of Commons today and for all of your time.
For a bit of background, ADGA is a one hundred per cent Canadian company that has delivered strategic consulting, professional services and world-class technology in defence, security and enterprise computing for over 50 years. It provides high-end solutions, engineering and staffing in the government and commercial spaces. ADGA has a lot of insight, given all of this, and expertise into domains such as cybersecurity. ADGA also has strong views, as do I, on coast-to-coast security requirements and evolution and on our being abreast of the landscape and strategic partners. ADGA has a strong converged security capability with lots of cyber assessment design and compliance background. That's just to give you a feel of where I'm coming from today.
From reviewing previous testimony online, I saw a theme that the committee already had a lot of feedback on cyber-attacks, challenges, ranges and faults in the domain. Given all of that, I thought I'd focus today on cybersecurity solutions. There isn't a silver bullet to it, but there is a lot of capability that can be deployed on scale and a lot of other parts that can be developed to really increase what we do and strengthen the Canadian financial sector.
I like to think of it as critical infrastructure. You probably think of power stations and dams and classified systems as critical infrastructure, but the financial sector certainly is critical infrastructure. It's one large interdependent system that ranges across lots of different entities, like the Bank of Canada, Payments Canada, Interac—who I know were presenting—the Receiver General, merchants, small and large commercial entities and also consumers. Those are a lot of end points. There are a lot of things that can go wrong there. It's all the data, too, that is in transit and in storage. If you've been hearing and thinking about one network, one piece or one solution, it's not the whole story.
There's a shift occurring in cyber. It's shifting to socio-political attacks and brand manipulation, along with small and large volume financial attacks. Given what's at stake and the ability of cyber criminals to hide, obfuscate, and launch attacks on a non-stop basis, Canada needs to have an updated approach to cyber defence in the financial sector. The days of hiding behind walls, actual walls or firewalls, are past. It's a very interconnected space out there.
It's important to understand the adversary too. I think you've been well briefed on that, but cybercriminals and nation states have massive sets of resources. They'd be a very large country by GDP if all the cybercriminals put their wealth together. They are often physically unreachable because of where they come from.
One stat, a brief example, and I won't get into too many, from a recent Mandiant report—Mandiant is the cyber arm of FireEye, one of our strategic partners—is that the global median dwell time is 101 days. Dwell means the time that malware lives in a network until it's found and stopped. Just think about that for a second. That's an incredible amount of time for something to be sitting there exfiltrating and taking data before it's even found. Sometimes it goes up to 2,000 days before it's found. While the cyber problem is complex, it can be tackled in a way that is simplified for users, merchants, businesses and banking organizations. That's what I want to focus on today, that is, on some of the ways we can address this.
I'll focus on cyber solution themes that can address large-scale cyber-threats to the Canadian financial sector. Theme one that I'd like to go over is what I call “convergence of cyber data and protection capability”. Think of this as next generation solutions that could be deployed on scale for everyone to use and take advantage of. The concept is that one organization could actually lead this effort and put this capability in a central location so that it would be turned on for all of the entities I was just speaking about—everything we've been thinking about.
There's really fantastic new technology. One of them is linking ideas around centralized artificial intelligence, machine learning, advanced analytics, threat hunting—if you haven't heard about that, you can ask me questions about it later—and security orchestration. You can actually create semi-automatic cybersecurity detection and response. It can be fairly automated. Sometimes you do want somebody to be able to make decisions on key points and react when you sense a cyber-threat, especially if you're shutting down part of a network.
Smart buildings and networks can also be a part of this. It's not just green. Green is good, but when you introduce all kinds of Internet of things sensors, you're introducing a whole bunch of data, and that data can then be compromised. If we have an ability to sense across the physical data—operational data, sometimes called OT data, and the IoT data—we can have solutions that can better sense when there's a problem. For instance, if there's an environmental problem or an attack against a building or data centre, you'd probably want to know about that in the cyber-world and be able to respond to it. Today it's not very merged, but it can be.
There's the notion of moving forward on cyber-active defence or even offence, and that is linked to legislation and what the rules are. When you know you're being probed and attacked, the ability to respond to it, to determine where it is and to shut it down to at least protect yourself, is a very important capability.
The securing of domain name service, which is at the heart of the Internet, has standards around it called DNSSEC and others. That's really important because, if you can't trust your address resolution and where you're going to for data, that's really important.
Cyber-threat intelligence, which we touched on earlier, is really interesting because it can be done vertically. You could have just Canadian data and banking information, so you would see trends in attacks in the Canadian market space, and you'd be seeing them before they hit most of your end points, and then you'd be able to react to it in advance. You'd be able to make decisions and do updates before it became a widespread attack. That could be zero-day attacks or APT attacks, but the ability to see and respond before they become a problem is very important.
On the last point about capability, something that could be introduced on scale, as we were talking about in this theme, could be supply-chain and life-cycle management. CSE, the Communications Security Establishment, which also has the cyber centre, used to run a program called the “evaluated products list”.
When we talk about Huawei, people have issues and we talk about them. We have to think about everything that gets introduced, all the software that's built—it's often virtualized and put in the cloud—the hardware and the chips. Where do the chips get manufactured? Where do they come from? You can have a complete cradle-to-grave program so that you evaluate that equipment and that software so that you know you can trust it. The government is the right entity to be able to manage that program.
The second theme I'd like to go over is leveraging a secure public cloud. I think the speaker before me was from AWS, so I'm sure you heard plenty on it. I'm here to say, too, that it's a good idea. When you're trying to bring all of these different groups together, one of the best ways to do that is with a secure Canadian public cloud, and I think we need to start thinking more about that. I know a number of banking entities that are looking at moving that way.
When you have networks inside, that's a private cloud, or a hybrid cloud as you move out to the public cloud, but leveraging a secure public cloud on scale is really important because that would be a great way for the whole community and all of those consumers to speak to each other. If you set up the right security, and policies and filters, everybody will have the same security. There are operators who have true failover within Canada, so if you have a failure, which you have to expect and count on, then, when you have disaster recovery, it stays within Canada. That's really important for the residency and custodianship of the data itself.
Cyber-agility is a piece that's really important here. It lets you move and launch new applications.