Good afternoon to all committee members.
My name is Luc Jarry and I'm a senior cybersecurity advisor for Cascades Inc. I'm also a lecturer and I teach industrial cybersecurity at the Polytechnique Montréal, which is affiliated with the University of Montreal.
This is my first time appearing as a witness. I spent some time reading the evidence from other witnesses and I noted that several topics were discussed. Today, I'll talk about a subject that affects virtually every domain, from financial affairs to the industrial, business and personal worlds. I'm talking about the Internet of Things, better known as IoT, which is of course associated with artificial intelligence.
What is IoT? I think the best definition is also the shortest: IoT is a direct integration between the physical world and computer systems. In the past few years, there has been an extraordinary revolution in the way objects connect to TCP-IP networks. I'm talking about the Internet. It has been estimated that by 2020, between 40 billion and 50 billion devices will be connected to the Internet. We will have to ask ourselves wether the "Internet of Things" will become the "Internet of All."
Together with artificial intelligence, the Internet of Things makes possible what was only imaginable a few years ago. Think for example of self-driving cars. They are still in the testing stage. We have all heard about them. Currently, if your car is even halfway modern, it will probably have a monitoring system that measures the pressure in your tires. If a tire's pressure is low, the monitoring system will send a message to the car's computer to warn the driver that one of the tires is low on air. The driver will then have to deal with the problem.
The same thing will happen with the Internet of Things, but in addition to informing the driver, the car itself will make an appointment at the dealership or the garage responsible for maintenance. The car will then drive itself to the dealership so the problem can be fixed, and it will then return to its point of origin. You can start seeing the potential involved. This will open up extraordinary opportunities in all areas.
Unfortunately, all these new technologies make us susceptible to new threats and vulnerabilities. However, computers, which have microprocessors and are controlled by operating systems, are virtually the only devices connected to the Internet. This makes it possible for us to implement basic cybersecurity defences. For example, I can see there are open laptops in this room. I'm sure that those computers have basic cybersecurity protections. This would involve a personal firewall turned on and probably an antivirus program—which I hope has the latest virus updates—as well as a malware scanner. There is something important to note here. These computers have a processor and are able to encrypt and decrypt data. I'm talking about encryption, a widely used strategy in cybersecurity.
The problem with the Internet of Things is that the objects have no operating system or processors. It is therefore impossible to give them basic protections, as we can do with computers. These makes them extremely vulnerable.
Over the last 15 or 20 years industries have invested heavily in mechanization and automation technologies. Today, modern factories use industrial control systems such as programmable automatons and SCADA, which communicate with each other via their own telecommunications protocols on private networks within factories. These networks are invisible to the Internet. We often refer to them as an intranet. For industries to ensure they can use and benefit from the advantages of artificial intelligence, they must connect these automatons or industrial control devices to the Internet in order to communicate with AI service providers. This makes these devices very vulnerable.
Another thing is that, based on my own observations, most industrial controls in factories are maintained and supported by electrical engineers, most of whom have no training in cybersecurity.
There are currently many factories connecting things to the Internet in a way that creates gaps in their internal networks, opening them up to possible intrusions. I'm talking about theft of information and industrial espionage, in short, unauthorized access.
There are now things worse than that. With the Internet of Things, we can imagine a hacker or even a terrorist group taking remote control of critical infrastructure such as a hydroelectric dam, a water processing or oil industry plant, a hospital and so on. Imagine all the ensuing damage and danger to public and financial security and safety.
We must also keep the privacy issue in mind. As you know, an increasing number of users are connecting devices to their own networks at home or via cellular networks. You can for example buy a smart refrigerator equipped with a tablet-like screen that takes inventory of all the food and drinks it contains, monitors their expiry dates and even suggests recipes for the food inside, thanks to artificial intelligence. It's a wonderful thing. However, from a privacy perspective, we might ask whether life insurance companies would be interested in knowing what is in their customers' fridges. The answer is yes.
In Canada, citizens are protected by privacy laws, but there is a problem. Many studies have shown that nearly 95% of users agree to terms and conditions of confidentiality without reading them. Often, people don't really know what they are agreeing to.
Still on the subject of privacy, there are now assistants that connect to the Internet and are activated by a specific sentence or word spoken by a user. You can dialogue with the assistant to obtain various kinds of information available online, such as weather forecasts or the news. If these types of devices are connected to an unsecured home network with easy access, a hacker could use a computer worm to record you. If the device has a camera, the hacker could take pictures of you. This would obviously be a breach of privacy.
I could give you several examples. The document I submitted contains a series of recommendations, but unfortunately I won't have the time to go over them all.
With your permission, Mr. Chair, I will now answer questions.
[Witness spoke in Cree]
In my language, I thank you for hearing us out and giving us an opportunity to share with you a little in terms of opportunities we're looking at for our nation—the Cree nation—and our community, more specifically, Wemindji.
On my left are my advisers who are working on this file with us, our corporation. This is Sam Gull, an adviser; this is Jean Schiettekatte, another one of our advisers; and this is Robert Milo. They are three advisers and somewhat experts too in this field in terms of what we're trying to accomplish.
I guess the message here today from us, as you can see, is that it's a northern international fibre telecommunication highway to link Canada, Asia and Europe. It's key to assuring Canadian financial Internet cybersecurity.
For us, in terms of the corporation itself, it's wholly owned by the community of Wemindji, which is about 1,400 people. Right now the corporation, just to give you an idea, is called Tawich. Tawich means “far out”. It's a far out development corporation—that's the translation.
Just to give you perspective, right now Tawich employs over 1,000 people across Quebec, in the region of Abitibi and in certain other areas within the province. We have various companies. This is just another exciting opportunity we're looking into to basically reach the goal of convincing certain people to get into this project together.
As you know, it's basically keskun, which means clouds. When you're talking about cyber, Internet and talking about clouds, it's keskun, as it is pronounced in our dialect. Basically, it's the data centre project that we will be building on the Cree territory of our community. Keskun is essentially an industrial storage park and major Nordic data centres that we're looking at.
The project will initially require a power supply of about 200 megawatts. The most reliable green energy source in North America, as we all know, is the big Robert-Bourassa power station that is just a couple of hours' drive away from home. The Quebec energy board authorized the allocation of a certain amount of megawatts to calculation centres on April 29, 2019.
Right now we feel that Canada is basically limited to the U.S. for its international Internet connectivity. About 11% of Canadian international Internet traffic doesn't pass through the U.S.
We talk a lot in terms of what this gentleman just spoke about. The way I look at it is that it's a superhighway that we're trying to connect to and bring into our area. Canadian cybersecurity, including financial transactions, is dependent on the U.S.A. This is part of what we feel is kind of a weak link.
With that being said, I'll let my advisers and colleagues touch more on the project.
[Witness spoke in Cree]
I want to thank you for inviting me to make this presentation.
As you see on the screen here, the biggest problem that we have here in Canada is that all of our links are in the United States. We only have 11%, which are on the Newfoundland side, to Greenland. That's our only escape route. The rest are all in the United States. This is a major issue for us.
As you see on the screen here, we have a project that we're looking at. It's called the Quintillion link. It is already serviced in Alaska—the first phase. The second phase will be service from Alaska to Japan, and the third phase will go from Alaska through the Hudson Strait to Europe. This is where we want to connect our pipeline to Wemindji because once that pipeline comes through we only have one opportunity to connect, and we don't want to miss that opportunity.
The northern link is a high-fibre.... It has six big fibre links that are connected, and two of them stay in international waters. Those are the two that we want to connect, and we believe that the security, safety and sovereignty of the Arctic are key for us as a first nation. This southern spur that's going to go to James Bay will also be linked to Montreal, Toronto and the southern network.
A Canadian northern international connectivity project must be developed to assure Canadian international connectivity and cybersecurity.
As you see on the map here, it would go through the Northwest Passage, from Alaska through the Hudson Strait. This is where we want to connect, through James Bay to the Wemindji-Tawich Development community, and from there we connect to the south, to Montreal and Toronto.
On this map you can see that 89% of Canadian data passes through the United States. The USA PATRIOT Act governs this data and governs Canadian data, and this is where we believe security is an issue. Canada's new northern fibre can change this paradigm. Data centres with access to northern international fibre connectivity and ultra-low latency connectivity, in the long haul, in milliseconds, are important. The geographic position related to financial hubs with London, New York, Tokyo, Shanghai, Montreal and Toronto is key. The inexhaustible renewable energy and ultra-reliable power in the north at a low cost, at an approximate price of 4 cents U.S. per kilowatt, is a strength on our part, and low operation costs for data centres with cooling would be a competitive advantage because the computers need a lot of cooling.
A northern link would assure the independence of international connectivity and security from the United States. As an example, one of the big advantages is that from Montreal to Tokyo, we're looking at 18 milliseconds of speed that we can gain just between those two cities. There's no real advantage into the United States. The big advantage is from Montreal and Toronto to England and Asia.
The other advantage is that Hydro-Québec has announced in their strategic plan that they would give an estimated 4 cents per kilowatt. This is a huge advantage for us in terms of power usage. Another advantage is that we're on the Canadian Shield, and there are no earthquakes. You probably know what happened in Japan and Alaska. Earthquakes are a big issue, so this could be a good location for data centres of the north.
I'll pass it to Jean Schiettekatte to make concluding remarks.
Thanks, everybody, for receiving us today.
As you saw in the presentation, because of the ultra-low latency, all Canadian financial transactions will go through this link. This is an opportunity for us to offer Canadians a security solution that is not just software, but also hardware. The idea is to build an independent and international northern fibre, whose main benefit would be to enable Canadians, with the First Nations, to assert their sovereignty over this territory. This is a very important aspect that we want to see in this project.
I think that today is the last day you're meeting on this subject. We would like the Committee to consider this option. There is the Quintillion link—which is still under development, although its first segment is already in service—but there could be another Canadian project that would link to the network. As Mr. Gull said, parts of this line would stay in international waters. This could provide an international cybersecurity solution and would ensure that Canadians would have access to other markets with ultra-low latency. This would give us an advantage in our international financial transactions, and, most importantly, would enable us to assert our sovereignty over the Northwest Passage.
It would be a good idea to combine this with the connectivity of northern communities, but that should not be our primary goal. The primary goal is to ensure our security. There are of course all sorts of other benefits, such as worker training and job creation in the North, which are good for the economy.
Thank you, Mr. Chair.
I have just one comment before Jean responds to it a little more technically.
For me, it's about economic development—that's why I'm here. My mandate is economic development, and I believe the federal government's responsibility—and some of our responsibility—is economic development, as well. I think it will provide a lot of opportunities economically, but also, and more importantly.... Whether it's cybersecurity, or being sovereign with our own line, data is so important. It's crucial to have, and to keep.
For me, that's the impact—it's all about the economic development, because that's my mandate. This is what I do, and this is why I'm presenting here today.
Go ahead, Jean.
I'd like to thank all the witnesses for being with us today.
Mr. Jarry, I have a question for you.
I'm sure you heard about the CRTC participating in an RCMP investigation of an individual who was using software known as “bots” for cryptocurrency. Everyone heard about it because it was the first time those powers, which were granted under the anti-spam legislation, were used.
That got me thinking, and it raised a question I'd like your thoughts on. If legislative and regulatory changes were to be made to address all the issues raised during this study, such as the Internet of things, would the CRTC be responsible for dealing with problems? For example, would it be better to create a new organization to enforce standards for devices? Is that something that would be looked at from both a legislative and a regulatory standpoint?
That happened at École Polytechnique Montréal and at Ryerson University. My colleague invited a representative from there, but we don't have a lot of institutions or resources in Canada with the expertise to manage our cybersecurity problems. Resources are limited, even rare. We are concerned that, as good as the expertise may be, it's not enough.
If we compare that to expertise developing elsewhere, especially the quality and scope of outside attacks, how would you compare the level of expertise and training available in Canada to those external threats?
I don't want any publicity or marketing here, but frankly, if we want to improve the situation, we need to know where we're at.
One of the main problems with the Internet of Things is cybersecurity. Cybersecurity is not a consideration when designing and manufacturing most of the things that we want to connect to the Internet. One of my recommendations to the committee is to deal with this aspect once and for all. We now have to consider cybersecurity when connecting a device.
Let us not forget that automated systems are not new. As I mentioned, we have been investing in this area for 15 to 20 years. However, these systems were on closed networks. Now we will be able to prevent equipment breakdowns in plants with artificial intelligence.
Earlier, we talked about the availability of systems at Cascades. We will be able to operate systems 24 hours a day, seven days a week, 365 days a year. We can use artificial intelligence to anticipate equipment breakdowns. To take advantage of that we have to connect all the equipment.
We must not forget that the majority of cyber attacks that have taken place in Canada and around the world involve information and denial of service. When we connect these things, it becomes physical. In terms of security, we must now ask ourselves if this will be part of the country's military arsenal.