Good afternoon, Mr. Chair and members of the committee.
My name is Scott Jones. It's a pleasure to be back again. I'm the deputy chief of IT security at the Communications Security Establishment and the head-designate of the soon-to-be established Canadian centre for cybersecurity.
I am joined today by Rajiv Gupta, the director of standards architecture and risk mitigation. Thank you for inviting us to discuss this very important topic.
The Communications Security Establishment is the lead technical and operational agency for cyber security in the Government of Canada. We are mandated to protect information and information infrastructures of importance to the Government of Canada.
This expertise in protecting and providing information is over 70 years in the making. The protection of government communications has been a part of CSE's mission since it was first established in 1946 as the Communications Branch of the National Research Council.
It goes without saying that the world of 1946 was much different from the world of today. What has not changed, however, is the need for innovative and skilled leadership to meet the challenges of an evolving world.
Canada's new national cybersecurity strategy, announced in June of 2018, recognizes this and sets out Canada's vision for security and prosperity in the digital age. Among the new measures in this strategy is the creation of the Canadian centre for cybersecurity, to be housed at the Communications Security Establishment.
Combined with the investments made in budget 2018, these efforts will enable us to remain resilient against cyber-threats and to continue to protect the safety and security of Canadians—and there's a great deal worth protecting.
Recent innovations in technology have created incredible opportunities for economic growth in Canada. The benefits of an increasingly digital society are many and should not be understated.
The Internet has brought enormous benefits to the lives of Canadians. Many federal government services are online. Budget 2018's investments in strengthening digital services demonstrate that the government is embracing new and innovative technology.
But of course, Canadians can only reap the benefits of online commerce when they can conduct their online activities with confidence and trust. These risks should not dissuade us from adopting new technologies, but they should be acknowledged and mitigated.
Unfortunately, we have all seen how cyber-compromises can result in significant financial loss, the loss of intellectual property and reputational damage to a company, an individual, or a government. For example, recent cases involving ransomware demonstrate the increasing threat of cybercrime and the effects of a cyber-compromise.
Today's cyber-threat actors have a variety of motivations and capabilities. They include state actors, hacktivists, criminals and terrorists capable of a broad range of disruption, from denial of service attacks to the exposure of personal information.
CSE plays an important role in stopping threat actors from achieving their goals. Our expertise helps identify, prepare for, and defend against the most severe and persistent threats to Canada's systems and networks.
There are three keys to success: partnerships, appropriate authorities and talent.
Let's begin with partnerships.
Cyber security is everyone's business. Our relationships with industry are critical to defending Canada and Canadians from cyber threats.
Equally important are our relationships with other government departments, including Public Safety Canada, Shared Services Canada, the RCMP and the Canadian Security Intelligence Service.
Beyond the government and the private sector, CSE's partnerships also extend to academia and leading-edge research groups.
The Canadian centre for cybersecurity will greatly improve our ability to work with industry, other government departments, other government partners and academia. The cyber centre will consolidate the key cybersecurity operational units of the Government of Canada under a single roof. In doing so, the cyber centre will establish a unified source of expert advice, guidance, services and support on cybersecurity operational matters, providing Canadians with a clear and trusted place to turn for cybersecurity advice.
An important part of this is ensuring continuity in the functions of the Canadian Cyber Incident Response Centre—also known as CCIRC—at Public Safety, once it becomes part of the cyber centre. Specifically, a crucial element of CCIRC's work is the notification of victims in the event of a cyber-compromise. This is an important role and one that will need to continue under the cyber centre.
Second, I would like to talk about CSE's authorities.
As you all know from debates on Bill , under the proposed legislation, CSE would retain its current cyber security and information assurance mandate and would be given a new authority to defend important networks outside the Government of Canada.
The proposed Communications Security Establishment Act would also explicitly allow CSE to share cyber threat information with owners of systems outside the Government of Canada, so they can better protect their networks and information. For example, CSE could more extensively share information about specific cyber threats with the owners of critical infrastructure such as communications companies or the banking sector.
Finally, the CSE act would give CSE the ability to take action online to defend important Canadian networks and proactively deter cyber-threats before they reach important Canadian systems. These new authorities will better protect Canadians' most sensitive information and important cyber-networks from compromise and strengthen Canada's cyber-defences.
Third, and most key for me, is people. Among the new measures introduced as part of the national cybersecurity strategy is funding to develop Canadian cyber-talent. We are fortunate at CSE to have incredibly bright and talented Canadians working to address these tough cyber-challenges. However, to continue the success, we need to build on this talent and harness the tremendous brain power in the cyber field that exists here in Canada.
With strong partnerships, appropriate authorities and skilled people, CSE is working to address cyber threats facing Canada. However, cyber security is everyone's responsibility, and it will take all of our expertise and innovation to remain resilient.
Thank you for your invitation. We look forward to answering your questions.
Thank you for your question.
The first step is to establish the centre. As you said, that is something of a bureaucratic job.
What I think the key aspects of the cyber centre are going to be are building the trust and credibility to work with the private sector. We need to be very vocal about increasing all of our expectations—the private sector, the government—as we look at the security challenges we all face and start to have some of the more open discussions about the threats. All too often we concentrate on the threat after and not on the threat activity and how to raise that bar.
The first thing is increasing resilience. Canadian resilience, in general, is low. We don't talk about doing the simple things, and we're looking at defending against the most sophisticated threat. In reality, a few simple things can raise that bar for all of us and make us more immune and more resilient against basic things like cybercrime, so it's something as simple as patching our systems. Getting the message out, getting simple, straightforward advice that every Canadian can take and use is one of the first goals.
The second one is obviously establishing a centre where, if there is an incident, we are able to manage. We have done a number of exercises over the summertime to make sure we're ready to manage any incident, be it large or small, international in scope or national in scope, within the federal government or in the private sector, to make sure that we are ready to do our part so that on day one we'll be able to provide the federal lead, working with either the victim or other jurisdictions to make sure we're ready to manage an incident.
I think those are the two key things.
We talk about it. We make the decision is in the best interests of Canadian security. We look at the holistic piece. We want to make sure that Canada has secure, resilient networks that are able to operate in a way that provides confidence for our networks. At the same time, we realize that there are the tools that are needed for intelligence gathering and that there are the techniques that are required. We do have to strike a balance between understanding both sides of those coins.
At the end of the day, though, our system is designed to.... We will default to defence, meaning protecting Canada and making the decision. In reality, the decisions are much more clear-cut than that. We very rarely get something close to the edge. The decisions are very evident. If it's Canadian security, meaning releasing things for defence for purposes—protecting cybersecurity, updates, etc.—we're going to do that.
If it's something that lets us protect Canada from counterterrorism and gain proper foreign intelligence, we're going to make that decision, but we always know that, no matter what, it's going to be reviewed. We're going to respond to, right now, the CSE commissioner and, at the end of the day, the court of public opinion, if we make the wrong decision. We take in a number of factors that way.
Patching is number one. It really is.
The second one, depending on what infrastructure you're using, is just not logging in as administrator, not logging in with super privileges, etc. That's a simple thing. It just slows things down.
There is also backing up your data. If you have something critical, make sure you're backing it up, because if ransomware hits, then all you do is restore and you get your data back, and things like that. I'm kind of making it a little simpler than it really is in practice, but these are some basic resiliency things that we'd really look at doing.
We've put out our top 10. Those are more oriented towards larger organizations, but I can translate those into personal actions. It's also knowing what's important to you and making sure you're protecting it, such as keeping backups. For me, I care about family photos and things like that. I honestly don't care about the email I'll never read again that I get on my personal email.