Interventions in Committee
 
 
 
RSS feed based on search criteria Export search results - CSV (plain text) Export search results - XML
Add search criteria
View David Lametti Profile
Lib. (QC)
Thank you, Mr. Chair.
I will make a statement, then the Right Honourable Kim Campbell will speak, and then I will speak again. Afterwards, we will answer your questions together.
Mr. Chairman, Right Honourable Kim Campbell, members of the committee and other parliamentarians in the room, good morning. I also note the presence of the Honourable Irwin Cotler, whom I thank for being here.
First and foremost, we recognize that we are on traditional unceded Algonquin lands. It is very important to underline this fact today.
I would like to thank the chair for convening this extraordinary meeting of the committee. I also thank all honourable members for being here today. I recognize, of course, that many of them have changed their summer plans to be with us. I am very grateful to them.
As the chair has just pointed out, this is the third time our government has implemented its reformed process for appointing judges to the Supreme Court of Canada.
The modifications we introduced in 2016 are designed to ensure greater openness, transparency and accountability in the appointments process. Many of you here today are seasoned participants, having been part of the 2016 and 2017 processes that resulted in the appointments respectively of justices Rowe and Martin. Madam Campbell was the chair of those committees as well.
As you can imagine, I have followed these processes with great interest and attention. It is now a great honour and privilege for me to participate more directly in the process to fill the position that will become vacant on September 15, 2019, following the retirement of Justice Clément Gascon.
I would like to take this opportunity to once again thank Justice Gascon for his contribution and to acknowledge the courage he has shown throughout his career.
I have the pleasure of appearing today with the Right Honourable Kim Campbell, who joins us via video conference from Vancouver. Ms. Campbell previously served as the chairperson of the Independent Advisory Board for Supreme Court of Canada Judicial Appointments. Ms. Campbell also served as the chairperson of the current advisory board that was adapted to ensure the appointment of a judge properly grounded in the legal experience of Quebec and its legal tradition. Ms. Campbell's extensive experience with the selection process has been an invaluable resource in this process. We are grateful for her continued dedication to serving Canadians in this role and we say thank you.
In a few moments, I will turn things over to Ms. Campbell to describe the specific work the advisory board undertook in order to produce the short list of candidates for the Prime Minister's consideration. Before doing so, however, I would like to briefly outline the unique aspects of the current process to fill this Quebec seat on the court.
According to the Supreme Court Act, three seats on the court are reserved for lawyers from Quebec. Under sections 5 and 6 of the act, only judges of the Court of Appeal or the Superior Court of Quebec, or those who have been members in good standing of the Barreau du Québec for at least 10 years, may be appointed.
As specified by the Supreme Court of Canada in the Reference re Supreme Court Act, ss. 5 and 6, these appointment criteria are intended to ensure that Quebec's unique legal traditions are well represented on the court. These criteria make it possible not only to ensure that the court is able to handle civil law cases, but also to ensure its legitimacy in the eyes of the Quebec population.
That is why the qualifications and evaluation criteria stipulate that a "deep knowledge of the civil law tradition is essential for all candidates to the three Quebec seats".
In addition, on May 15, 2019, the Prime Minister announced a memorandum of understanding between our government and that of Quebec. This memorandum of understanding sets out the process for filling the position that will become vacant following Justice Gascon's retirement. As with the process for seats that do not belong to Quebec, this process is based primarily on the work of the independent and impartial advisory board, which is responsible for assessing nominations and developing a short list of three to five names to recommend to the Prime Minister.
The composition of the advisory board has been adjusted to accurately reflect the reality of Quebec, its legal practices and its civil law tradition.
As mentioned, the advisory board was chaired by Ms. Campbell and included another member whom, as Federal Minister of Justice, I had been asked to appoint. The other six members were selected in such a way as to ensure adequate representation with respect to Quebec and civil law. These six other members were appointed by the Quebec Minister of Justice, the Barreau du Québec, the Quebec Division of the Canadian Bar Association, the Canadian Judicial Council and the Deans of the Quebec Law Faculties and the Civil Law Section of the Faculty of Law of the University of Ottawa.
The selected members, all of whom are functionally bilingual, represented a distinguished set of individuals who undertook their important responsibilities with great care and dedication. I would like to thank them, on behalf of the Prime Minister and our government, for their exceptional service throughout this process.
They did a better job than those working the lights today.
Voices: Oh, oh!
Hon. David Lametti: The core mandate of the advisory board was to assess candidates against the published assessment criteria and to submit to the Prime Minister the names of three to five qualified and functionally bilingual candidates.
In accordance with the agreement with the Government of Quebec, after receiving the short list provided by the advisory board, I forwarded it to the Quebec Minister of Justice. We then conducted our own separate confidential consultations on the preselected applications.
For my part, I consulted with the Chief Justice of Canada, a number of my cabinet colleagues, the opposition justice critics, members of your committee and the Standing Senate Committee on Legal and Constitutional Affairs, among others. The Quebec Minister of Justice conducted her own consultations, including with the Chief Justice of Quebec, before reporting her findings to the Premier of Quebec. After the conclusion of this consultation period, the Premier of Quebec and I submitted our respective recommendations to the Prime Minister of Canada to inform his choice as to whom to appoint.
Before turning the floor over to Ms. Campbell, I would like to speak briefly about the importance of confidentiality in this process, given the concerns that have rightly been raised about improper disclosures surrounding the 2017 selection process.
As I have said previously, the disclosure of confidential information regarding candidates for judicial appointments is unacceptable. I want to stress that I took strict measures to ensure that confidentiality was respected. This process has implemented strict confidentiality measures throughout. The terms of reference for the advisory board contain provisions specifically designed to ensure that the privacy interests of all candidates are respected. This includes a requirement that advisory board members sign a confidentiality agreement prior to their appointment. In addition, the agreement with Quebec explicitly states that the sharing of, and consultations on, the short list are to be conducted in a confidential manner.
In terms of next steps in the process, in addition to the advisory board's critical contribution in developing the short list, today's hearing is another important element. It provides an opportunity for all of you, as parliamentarians, to hear from and question the government regarding the selection process and our choice of nominee. Parliamentarians, and Canadians more broadly, will have the opportunity to become acquainted with the nominee through the question and answer session that has been scheduled for this afternoon.
Having provided this context, I would now look to Ms. Campbell to describe the work that the advisory board undertook in fulfilling its mandate. I will then say a few words about the Prime Minister's nominee to the Supreme Court of Canada, the Honourable Nicholas Kasirer.
Madam Campbell.
View Lisa Raitt Profile
CPC (ON)
View Lisa Raitt Profile
2019-07-25 11:34
The retired justice of the Supreme Court of Canada Louis LeBel sat on your committee this time and commented regarding the leak from the advisory process the last time, saying it was very serious because the process is a very delicate matter.
Did he bring up any concerns about confidentiality during this process?
Kim Campbell
View Kim Campbell Profile
Right Hon. Kim Campbell
2019-07-25 11:34
Not particularly, because we were obviously so devoted to it and so very careful to maintain that confidentiality.
View Lisa Raitt Profile
CPC (ON)
View Lisa Raitt Profile
2019-07-25 11:34
Did you take any steps to determine and ensure that there was no leak of confidentiality from your advisory committee? I know you said there wasn't, but I'm just wondering if you called anybody. Did you talk to the minister? Did you talk to PCO?
Kim Campbell
View Kim Campbell Profile
Right Hon. Kim Campbell
2019-07-25 11:34
I don't think it was necessary. We worked with the commissioner for federal judicial affairs. We worked on our documents on secure tablets—very carefully controlled. We always left our documents in the meeting room and the clear commitment.... We signed an undertaking to maintaining confidentiality, so the process was well established. I just want to repeat that there has been no indication of any leak ever coming from a member of the committee.
Kim Campbell
View Kim Campbell Profile
Right Hon. Kim Campbell
2019-07-25 11:35
If anything, we were sort of tip-toeing around and were often afraid, even among ourselves. When we ate dinner together we went someplace where people wouldn't even realize who we were and what we were doing.
View Lisa Raitt Profile
CPC (ON)
View Lisa Raitt Profile
2019-07-25 11:35
That's tough for you to do, I would imagine, Ms. Campbell.
The reason I ask is that, of course, we are concerned about the leak and the way it happened. The Privacy Commissioner is concerned as well and is investigating the leak. His officials can't interview the minister's office or the Prime Minister's Office.
I'm wondering if he had a conversation with you to understand the confidentiality around the advisory committee.
Kim Campbell
View Kim Campbell Profile
Right Hon. Kim Campbell
2019-07-25 11:35
Well, no, because there's never been any suggestion that this confidentiality has been breached.
I'm delighted—this is good for your committee obviously to be concerned about, but the nature of the leak, such as it was, is that it very clearly was not from the committee process.
View John McKay Profile
Lib. (ON)
Folks, we're trying to get back on our timeline here. We are waiting for our other witness, but in the meantime, we will proceed with RCMP captain Mark Flynn.
You will make your presentation, and if the folks from the Communications Security Establishment come, we'll make arrangements for them to speak as well.
The meeting is now public, by the way.
For those who are presenters, the real issue here is that the members wish to ask questions. Therefore, shorter presentations are preferable to longer ones.
With that, Superintendent Flynn, I'll ask you to make your presentation.
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:29
You'll be happy to hear, as I understand the committee was informed, that I won't be making any opening remarks. I am present here today simply to address any questions you may have. As this, on its surface, does relate to an ongoing criminal investigative matter, it would be inappropriate for me to provide details of an investigation, particularly an investigation that is not being undertaken by the RCMP.
I welcome all questions. I am here to provide whatever assistance I can.
View David de Burgh Graham Profile
Lib. (QC)
It's a little harder to ask questions without an opening to work off.
The first question I have is this. If somebody calls the RCMP with a suspicion of data theft complaint, how does the RCMP treat that from the get-go?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:30
That will depend on the jurisdiction where it occurs. In the jurisdiction where we are, the police have jurisdiction, so they have the provincial and municipal responsibility. It would be forwarded to our intake process there, whether it be our telecoms office, the front desk of a detachment or a particular investigative unit that's identified for that.
In cases where we are not the police of jurisdiction, like in Ontario and Quebec where we are the federal police, we will become aware of these instances through our collaboration with our provincial and municipal partners. We will look at the information and determine whether or not there are any connections to other investigations that we have ongoing, and offer our assistance to the police of jurisdiction should they require it, although on many occasions this type of incident is very well handled. We have very competent provincial and municipal police forces that are able to handle these on their own.
View David de Burgh Graham Profile
Lib. (QC)
At what point does something become federal? If something is provincial jurisdiction but affects multiple provinces, does each province have to deal with it separately or is the RCMP able to step in at that point?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:31
The RCMP doesn't automatically step in solely because it crosses multiple provinces. As occurs with traditional crimes, whether a theft ring on a border between two provinces, or homicides, the police forces in those jurisdictions are used to collaborating and do so very well.
When there's an incident that occurs from a cyber perspective, if it's going to have an impact on a Government of Canada system, a critical infrastructure operator or there are national security considerations to it, or if it's connected to a transnational, serious and organized crime group that already falls within the priority areas we're investigating, then that matter will be something we will step into.
From a cyber perspective, we have ongoing relationships and regular communication with most of the provinces and municipalities that have cyber capabilities within their investigative areas. We know that many of these incidents occur in multiple jurisdictions, whether they be domestic or international, so coordination and collaboration are really important.
That's why the national cybercrime coordination unit is being stood up as a national police service to aid in that collaboration, but prior to that being implemented, one of the responsibilities of my team in our headquarters unit is to have regular engagement, whether regular telephone conference calls or formal meetings where we discuss things that are happening in multiple jurisdictions to ensure that collaboration and deconfliction occurs, or on an ad hoc basis. When a significant incident occurs, our staff in the multiple police forces will be on the phone speaking to each other and identifying and ensuring that an appropriate and non-duplicating response is provided.
View David de Burgh Graham Profile
Lib. (QC)
In the case of the incident we're here to discuss, which is obviously a major incident, is the RCMP being kept apprised of what's happening, even if it's not their investigation?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:33
I'd like to stay away from discussing this particular investigation, but I can tell you that investigations of this nature absolutely will lead to discussions occurring. That happens as a consequence of the fact that we do have those regular meetings, whether it be in cyber or other types of crime that are going on in different jurisdictions. These, obviously, on a scale of this nature, would lead to discussions.
I am not involved involved in any of those discussions at this time. It is not something I have knowledge about.
View Francis Drouin Profile
Lib. (ON)
Thank you, Mr. Chair.
Mr. Flynn, thank you for being here. I know that you will not comment on the ongoing investigation, but as a member of Parliament who represents a lot of members who have been impacted—I have been impacted as well—I am looking more at the potential impacts of fraud.
I know that many Canadians get fraudulent calls from CRA. I myself called back somebody who pretended they were you guys. They wanted to collect some money for a particular person. They were demanding. They were really adamant. They gave a callback number, and I provided that callback number to the police. Is that something you would advise Canadians to do where obviously the RCMP, or your local police force, is the first point of contact?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:35
Absolutely. We actually have a program at the Canadian Anti-Fraud Centre and a close relationship with telecommunications service providers, who have been very helpful in addressing some of the challenges we've had around telemarketing and the mass fraud committed over the telephone. As we learn about numbers that are utilized for fraud, we are validating that, and the telecoms industry is blocking those numbers to reduce the victimization. We have adapted some of our practices to ensure that this occurs at a much more timely rate than it has historically.
View Francis Drouin Profile
Lib. (ON)
Just from your experience, and learning from cases of fraud, we know that some of them may have my social insurance number. They may have my email address, as well as my civic address. It could be a very convincing case for them to pretend that they're either a government official or from some type of financial institution. What would you advise Canadians on the best way to protect themselves?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:36
With any mass fraud campaign, whether it be tied to an instance like this or just in general, people need to have a strong sense of skepticism and take action to protect themselves. There are many resources under the Government of Canada, with such organizations as the Canadian Anti-Fraud Centre and Get Cyber Safe, that provide a list of advice for Canadians. It simply comes down to protecting your information and having a good sense of doubt when somebody is calling you. If it's a bank calling, call your local branch and use your local number. Don't respond to the number they provide and don't immediately call back the number they provide. Go with your trusted sources to validate any questions that are coming in.
I have experienced calls similar to yours. I had a very convincing call from my own bank. I contacted my bank and they gave me the advice that it was not legitimate. It was interesting, because in the end it turned out to be legitimate, but we all felt very safe in the fact that the appropriate steps were taken. I would rather risk not getting a service than compromising my identity or my financial information.
View Pierre Paul-Hus Profile
CPC (QC)
Thank you, Mr. Chair.
Thank you, Mr. Flynn. I'll come back to you in a few moments.
The leader of the Conservative Party of Canada, Andrew Scheer, asked me to contact my fellow committee members to convene this meeting. He sent an open letter to the media on July 12, and I'd like to paraphrase a few paragraphs.
Like the vast majority of Quebecers and all Canadians, I am worried about the the security of our information technology systems, identity theft and privacy protection.
This is a very serious situation, and I understand the fear and anxiety of the victims, whose personal information, including their social insurance number, was stolen. They are worried about how this will affect them in the future. They will have to spend considerable time and energy dealing with this.
It is reassuring to see that the leadership at Desjardins Group is taking the matter seriously and working hard to protect and reassure members. The federal government, too, has a responsibility and duty to support all victims of identity theft by learning from the past and strengthening cybersecurity in partnership with all stakeholders across the industry.…
I want the victims of this data breach, as well as all Canadians, to know that we stand with them and that a future Conservative government would be committed to tackling the privacy challenges confronting Canadians.
View Pierre Paul-Hus Profile
CPC (QC)
We want to be very clear about what an important and serious issue this is—so important, in fact, that we felt it was necessary for the committee to meet on this sunny July 15.
Mr. Flynn, you answered the questions of my Liberal colleagues, but I find the RCMP's response to the situation rather weak. Allow me to explain. Some 2.9 million Desjardins account holders are very worried right now. About 2.5 million are Quebecers, and 300,000 are in Ontario and other parts of the country. For the past three weeks, constituents have been contacting our offices non-stop, and the government has yet to respond. The reason for today's emergency meeting is to figure out what the federal government can do to help affected Canadians.
You said the RCMP isn't really involved, but can't it do something given that it has its own cybersecurity unit, works with organizations like Interpol and has access to other resources? I don't want to interfere in a police investigation, but we heard that people's personal information was being sold abroad. Isn't there technology or techniques the RCMP can use to detect potential fraud?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:40
The RCMP's role, as I explained earlier, in many of these situations is to work with our provincial and municipal partners. It's important to recognize that our provincial and municipal partners are very skilled at responding to many of these incidents. It's not always the case that the RCMP has additional powers, authorities or capabilities to the ones they have when dealing with an incident that is singular in nature, where an individual is involved in a single event, as opposed to a broader one.
However, there's always a standing offer from the RCMP to our provincial and municipal partners, that should they require technical assistance, advice or guidance, we are available to them for that. It would be inappropriate for the RCMP to inject itself into the jurisdiction of another police force to run the investigation they are operating.
View Pierre Paul-Hus Profile
CPC (QC)
I understand what you're saying about the investigation probably being conducted by the Sûreté du Québec, but what the Conservatives and NDP want to know is this. What can the RCMP do about the personal information of 2.9 million people that was handed over to criminals? I don't want to discuss the investigation; I want to know whether you have resources. If you don't, we want to know. That's why we are here today. If personal data was sold on the international market, neither the Quebec provincial police nor Laval police is going to deal with it. I think it falls under RCMP jurisdiction.
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:42
Again, outside the scope of this particular investigation, cybercriminals do commit the majority of their crimes to gain access to personal or financial information for the purposes of gaining access to financial institutions and the money that's housed in those locations. The RCMP work continuously with the international community to identify and pursue the individuals who are committing a great number of these crimes.
The RCMP are working closely right now with those international partners, as well as many of the large financial institutions in Canada and the Canadian Bankers Association, to ensure that we are targeting the individuals who are causing the most significant harm. Our federal policing prevention and engagement team has hosted sessions with both the financial institutions and the cybersecurity industry. We have a new advisory group that's helping us target those individuals.
As far as knowledge goes, it's only in the hands of those cybersecurity and financial institutions. We're trying to ensure that as we are putting the resources we have into investigations, we are targeting those individuals who are causing the most harm.
We do that, as well, internationally. As incidents occur, we speak to our international law enforcement partners. We identify the behaviours we have in our cases or in our Canadian law enforcement partners' cases, so that if there are connections or individuals who are in those other jurisdictions, we're using the mutual legal assistance treaty, and we're using police-to-police collaborative efforts that we have to ensure that, internationally, all of those efforts are put towards a problem.
Now, I want to stay away again—and I apologize for doing that—from this exact incident. I cannot express what is or is not being done in this particular incident.
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:44
I am unable to speak about this particular incident. It would be inappropriate for me to do so.
View Matthew Dubé Profile
NDP (QC)
Thank you, Mr. Chair.
Thank you for being here today, Mr. Flynn.
It's important that we talk about this situation because, as my colleague pointed out, people are worried. It's essential that we find out more about the federal government's capacity to take action and the means we have at our disposal, especially since the committee just wrapped up a study on cybersecurity in the financial sector before Parliament rose in June. I'll touch on some of the things the committee looked at in its study because they pertain to the matter at hand.
I'd like to follow up on some of your answers. First of all, it is rumoured that personal data was sold to criminal organizations outside Quebec and Canada. I know you can't comment on this case specifically, but at what point does the RCMP step in to assist the highly competent people at such organizations as the Sûreté du Québec when a case involves a criminal organization operating outside Canada that the RCMP is already monitoring?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:46
We have formal, regular engagement with our policing partners across the country. That occurs on a monthly basis in the cyber area, as well as biweekly in some other areas. However, when there are incidents such as this, as you described, there are immediate calls that go out to ensure that collaboration is occurring and that any of our international partners' information that's relevant could be utilized to aid in those investigations.
View Matthew Dubé Profile
NDP (QC)
Thank you.
You said local police forces, the Sûreté du Québec and the Ontario Provincial Police were very competent when it came to dealing with cybersecurity issues and had significant powers. Does the RCMP have special expertise or information that could help them?
The reason I ask is that the government touted the consolidation of the cybersecurity capacity of the Communications Security Establishment, or CSE, the RCMP and all the other agencies concerned as a way to ensure information was shared and everyone was on the same page. I'll be asking Mr. Boucher, of the Canadian Centre for Cyber Security, about this as well when we hear from him.
Do you engage municipal or provincial police, as the case may be, in the same way?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:48
Yes, we do. We work very closely, as I've stated, with our provincial and municipal police agencies. In fact, I take great pride in the fact that at some of those meetings that I described, where our federal policing prevention and engagement team brought together the private sector, financial institutions and cybersecurity, one of those policing partners actually stood up at the front of the room and thanked the RCMP for the collaboration they are seeing in the area of cyber, which is far better than anything they've ever seen in their career.
I take great pride in that because that has been a priority for me, my staff and our engagement folks, to ensure that we are not being competitive but are being collaborative and, in that collaboration, we are supporting each other. We are not superseding other police forces' authorities, but we're also ensuring that we can assist the others in that.
View Matthew Dubé Profile
NDP (QC)
Thank you. I don't mean to cut you off, but I have a limited amount of time.
When the committee was studying cybersecurity in the financial sector, we talked about the fact that people tend to think of state actors as being the threat. I won't name them, but I'm sure everyone has an idea of the countries that could pose a threat to Canada's cybersecurity.
I realize you can't talk about it, but in this particular case, we are dealing with an individual—an individual who poses a threat because the stolen data can be sold and could end up in the hands of state actors. One of the things the committee heard was that individuals represent the greatest threat. Is that always the case? Does a lone criminal wanting to steal data pose a greater threat than certain countries we would tend to suspect?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:50
The threat comes from multiple directions, and I can't say which is greater, because, in our experience, we have seen a significant number of organized groups or individuals perpetrating the crimes across the Internet. The Internet is an enabler as much as it's a tool for us to use in leveraging and utilizing all the fantastic services that are out there.
View Matthew Dubé Profile
NDP (QC)
I have to cut you off because I'm almost out of time.
Has the presence of organized groups or countries with ill intentions seeking to buy personal data created some sort of marketplace? Do individuals like the alleged perpetrator in this case have an incentive, albeit a malicious one, to steal information and sell it to interested parties? Does the existence of these groups incentivize individuals who have the expertise to do things they wouldn't normally do?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:51
Yes, absolutely. We have seen a rise in what we refer to as cybercrime as a service to aid others who are less skilled at committing cyber offences, whether they are creating the malware, operating the infrastructure, or creating the processes by which somebody can monetize the information that is stolen. That is a key target area for the RCMP under our federal policing mandate, and we are targeting those key enabling services so that we can have the most significant impact on the individual crimes that are occurring, as opposed to chasing each individual crime.
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 13:52
Thank you, Mr. Chair. As requested, I'll keep my presentation on the shorter side.
Mr. Chair and honourable members of the committee, my name is André Boucher, and I am the associate deputy minister of operations at the Canadian Centre for Cyber Security.
Thank you for the opportunity to appear before you this afternoon.
Let me begin with a brief overview of who we are.
The Canadian Centre for Cyber Security was launched on October 1, 2018 as part of the Communications Security Establishment. We are Canada's national authority on cybersecurity and we lead the government's response to cybersecurity events.
As Canada's national computer security incident response team, the cyber centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response.
The cyber centre's partnerships with industry are key to this mission. Our goal is to promote the integration of cyber defence into the business model of industry partners to help strengthen Canada's overall resiliency to cyber threats. Despite these efforts and those of Canada's industry, cyber incidents do still happen.
This brings me to the topic we are here to discuss today. The cyber centre is not in a position to provide any details on this incident and does not comment on the cybersecurity practices of specific businesses or individuals. Any cyber breach, not just this specific instance, can be taken as an opportunity to revisit best practices and to refine systems, processes and safeguards.
In this case, media reporting and public statements indicate that the disclosure of personal information occurred as a result of the actions of an individual within the company—what is termed insider threat.
In our recent introduction to the cyber-threat environment, the cyber centre described the insider threat as individuals working within an organization who are particularly dangerous because of their access to internal networks that are protected by security parameters. For any malicious actor, access is key. The privileged access of insiders within an organization eliminates the need to employ other remote means and makes their job of collecting valuable information that much easier. More broadly, what this incident underscores is the human element of cybersecurity. The insider threat is only one example of this.
Cybercriminals have proven especially adept at exploiting human behaviour through social engineering to deceive targets into handing over valuable information. Fundamentally, the security of our systems depends on humans—users, administrators and security teams.
What can we do in a world of increasing cyber-threats? At the enterprise level, adopting a holistic approach to security is critical. This means starting with a culture of security and putting in place the right policies, procedures and cybersecurity practices. This ensures that when something goes wrong, as it almost inevitably will, there is a plan in place to address it.
Then we need to invest in knowing and empowering our people. Training and awareness for individuals and businesses are very important. Only with awareness can we continue to develop and instill good security practices, a fundamental step in securing Canada's cybe systems.
As well, we always need to identify and protect critical assets. Know where your key data lives; protect it; monitor the protection, and be ready to respond.
At the cyber centre, we'll continue to work with industry and to publish cybersecurity advice and guidance on our website. We regularly issue alerts and advisories on potential, imminent or actual cyber-threats, vulnerabilities or incidents affecting Canada's critical infrastructure.
Under, we hope, different circumstances, we'll continue to participate in conversations like this one, which help to keep the spotlight on these issues.
Ultimately, there is no silver bullet when it comes to cybersecurity. We cannot be complacent; there is too much at stake. While long-promised advances in technology may make the task easier, the need for skilled and trustworthy individuals will remain a constant.
Thank you, and I look forward to answering your questions.
View Michel Picard Profile
Lib. (QC)
View Michel Picard Profile
2019-07-15 13:57
I would like to preface my remarks by pointing out that the incident we are discussing today falls entirely within the parameters of the study we began in January on cybersecurity and financial crime.
As suggested by my fellow Liberal members, I put forward a motion that we study the issue. That shows how deeply concerned we are about cybersecurity in financial institutions. I'm delighted that Mr. Scheer commended our efforts in relation to the study. He fully supports my motion, and I'm glad that his party is joining the Liberal Party in its efforts to address the issue of cybersecurity in financial institutions, so thank you.
Mr. Flynn, I think it's important to speak to Canadians today to help people manage their expectations when something as serious as identity theft occurs.
The public wants the police to conduct a criminal investigation. Generally, people want something done about the loss of their personal information. They want their identity to be restored, without having to worry that five, 10 or 15 years down the road, they will once again be targeted. In terms of a criminal investigation, what are people's expectations?
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 13:59
From a policing perspective, I believe that the public expectation is that police are going to pursue the person and anyone associated with that person who is involved in either the theft or the monetization of information—whether through cyber-threat, cyber-compromise, insider threat, or so on—and hold them to account and bring them into the judicial process to ensure that there are consequences, and that steps are taken to prevent this type of incident from occurring.
View Michel Picard Profile
Lib. (QC)
View Michel Picard Profile
2019-07-15 13:59
It's very hard for people to understand just how difficult it is to prove that you are the person you say you are. How are people supposed to prove their identity? It's extremely challenging when three different people are out there using the same name and social insurance number.
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 14:00
It's not an area of expertise for me, as a police officer, to confirm identity. I would go back to my earlier statement about using your local resources, whether it be financial institutions or other types of service. If you're able to use a local service to confirm it, that is your best way to deal with those companies when there are questions about your identity.
View Michel Picard Profile
Lib. (QC)
View Michel Picard Profile
2019-07-15 14:00
To a certain extent, the criminal investigation is a way to ensure justice is served, provided that it leads to the perpetrators being nabbed, the evidence being used to successfully prosecute them and their being punished, mainly sent to prison.
That said, data on the black market represent virtual assets, ones that aren't housed in a physical location. Data can be located in many places. I'm not trying to alarm people, but it's important for them to understand that, even if the perpetrators are arrested, it doesn't necessarily mean that their data are no longer vulnerable and their identity can be restored.
Mark Flynn
View Mark Flynn Profile
Mark Flynn
2019-07-15 14:01
That is correct. It's important to point out that the only measure of success is not necessarily prosecution. In fact, in the cyber area many of those prosecutions will occur in other jurisdictions as we work collaboratively.
One of the approaches in the RCMP, and I know in some of our other police forces as well, is that we are bringing financial institutions and cybersecurity experts into our investigations. That is different from what we traditionally have done in our criminal investigative efforts. That has already borne fruit. It has already provided significant advantages. Those “partners”, as I refer to them, are able to see information that we as police officers might not know is important and we may not independently be able to identify that this could be used to provide protection for their customers. I know of at least one incident in a major investigation we've been undertaking where several financial institutions, through that collaboration, were able to identify and reduce potential harm to accounts that through that sharing were identified as compromised.
So I think the approach we are taking is providing benefits that are not solely measured by arrest and prosecutions.
View Michel Picard Profile
Lib. (QC)
View Michel Picard Profile
2019-07-15 14:02
Mr. Boucher, your centre provides advice to other organizations. How can a business protect itself from its own staff? What advice do you have for businesses in that regard?
As we saw this winter, there is every reason to believe that banks, financial institutions and financial service companies have the best possible technology to protect their data from outside threats. What concerns us are threats from the inside. I don't think any software out there can protect against that risk. How do you advise organizations to safeguard against the human element when it comes to fraud?
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:03
Thank you for your question.
That ties in with my opening statement. A few tools are available, but what works best is going back to the basics—in other words, taking a holistic approach to security.
First, that means a well-established internal security regime for staff. It is important to understand exactly where the information that needs protecting resides, to know the individuals the organization works with and to constantly update the security regime. An individual's personal situation can easily change after they've been interviewed, so an organization should have those kinds of conversations with staff members on a regular basis. For individuals, a clear training and education program should be in place, one that includes refreshers, and the underlying processes should be clear.
IT teams have access to data loss prevention tools that can help to detect fraud. By the time fraudulent activity is detected, however, it's often too late. It is therefore important that organizations invest as early as possible in measures that build trust and confidence and that they work with reliable people.
View Glen Motz Profile
CPC (AB)
Thank you, Chair.
Thank you, witnesses, for being here.
Mr. Boucher, I was intrigued by your opening comments on the Canadian Centre for Cyber Security being the national authority on cybersecurity and leading the government's response to cybersecurity events:
As Canada's national...security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses, and international partners to prepare for, respond to, mitigate, and recover from cyber incidents.
That's fantastic. It also leads to this question by me: What standards or measures do we have in place now? We consider banking in Canada to be a critical infrastructure in this country. What standards are in place at this moment to ensure that those are met? Do we have incentives? Do we have penalties? Do we have anything in the way of ensuring that we have a uniform approach across the industry to make sure that Canadians are safe? It's Canadians we are here for and are serving in that capacity. I'm curious to know if we have a mandatory baseline that everybody needs to operate at. If we don't, how come? And how can we?
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:05
Thank you for your question. It's a vast question. I think you will have testimony this afternoon from experts from that specific sector of financial institutions.
I would say that from a cybersecurity perspective, the financial sector is quite mature, where we have both regulators in place and best practices that are part of the community. As cybersecurity-focused experts, we put a lot of effort into that collaboration in those best practices. We leave it to the regulators who are sector-specific to put in those minimum standards and guidelines that need to be in place, enforced and reviewed. We in fact appeal to the best and try to tease that up as much as possible for entire sectors, in this case the financial sector. The financial sector is one that's very mature. It's one where collaboration is established. It is where reputational risks are measured at their true value. Significant investments are made in that regard.
From a Canadian perspective, I would feel quite reassured that as a sector, there are both minimum standards and applications through the regulators that are in place and teams that are working at bringing the best out of enterprises so that they perform as well as possible.
View Glen Motz Profile
CPC (AB)
Approximately 2.9 million entities, individuals and Canadian businesses, are impacted by this particular occurrence, but millions of others across this country have also been victims of having their identities and credit card information stolen. They may not find solace in that particular statement that we have a mature banking industry in this country, because they continue to be victimized. I'm curious to know whether we are as vigorous in that way as we could or should be in pursuing the financial security of those institutions and of the people who put their trust in them.
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:07
I can assure you that we're quite vigorous in taking all the measures at our disposal, whether they be best practices in collaboration or measures that are enforced and in place.
The sad or unfortunate reality that we all have to compose with is that, as was pointed out earlier, when data gets lost and gets in the wild, we never get to recover it. It is not like a tangible asset that you can go and purge and bring home. It is a new reality for clients, it is a new reality for customers and it is a new reality for enterprises.
I would go back to the comment I made earlier that it just puts more fuel into the need to invest early, with early investments in having programs, in choosing our employees better, and in making sure we have a holistic approach to security to make sure we don't find ourselves trying to recover our losses.
View Glen Motz Profile
CPC (AB)
Okay. Thank you.
Chief Superintendent Flynn, as we've learned from this circumstance and from others, data is the hottest commodity on the dark web. We know that. People's names, addresses, dates of birth, social insurance numbers, IP addresses, email addresses—all those sorts of things are commodities that are traded at will on the web. I guess a couple of things come to mind for me. Can you help the Canadian public understand, number one, how that information is used by the criminal element, and number two, how they can then be vigilant? You answered Mr. Drouin partially with a response, but as the law enforcement agency in this country, what red flags or alarms could you make the Canadian public aware of that they need to be vigilant about if they've been compromised, and even before they become compromised?
View Julie Dabrusin Profile
Lib. (ON)
Thank you.
When we did our study on financial institutions and cybersecurity, we heard that banks had extensive security measures in place—something people may be questioning now. We also heard people being talked about as though they were cardboard boxes.
What can people do to better protect themselves? Can you give us any helpful information or details? Is there a place where members of the public can turn for information on how to better protect themselves—a website or a telephone line, perhaps? Is there anything you can tell us, Mr. Boucher?
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:10
Thank you for your question.
We have an extensive program. On our website, cyber.gc.ca, people can find information on how to protect themselves. Of course, people have to be aware when they are online. That is the most basic rule of cybersecurity. People have to know not only how to use the Internet, but also what they are sharing with others online. We are constantly running campaigns to educate people on using their devices securely and being smart about who they choose to share confidential information with.
Having the best protection and keeping it up to date is the first step, but making smart choices is another. People should visit only the sites of companies they consider to be reliable and reputable. Once they've done those two things, people need to choose what information they agree to share with the company. It's a three-step approach, and it is all available in the information and guidance we provide to people.
View Julie Dabrusin Profile
Lib. (ON)
I see.
I also saw a lot of information about passwords. For instance, it mentioned people who use the same password for all of their online accounts.
Can you share some things people can do to protect themselves when it comes to their passwords? That's an important element.
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:12
Yes. I always look for opportunities to promote our website, so on our website, we talk specifically about how long and complex passwords should be. We also provide some tips. I encourage people to explore our website for themselves. It is often said that people should change their passwords regularly, but the problem with that is having to memorize a bunch of ever-changing passwords. The guideline has evolved over time. Nowadays, it is recommended that people choose at least one strong password, using certain parameters, which are available online, based on password length and/or complexity, depending on the available options. If it's possible to have a password containing up to 15 characters, people should try to choose a password that uses all 15 characters. If the password can have only eight characters, that's pretty bad, but people should at least choose a more complex password.
Constantly changing one's passwords is of minimal benefit if it means people have to write them down somewhere or use the same one for many different sites. What we want people to do is be diligent about choosing their passwords: choose something that is unique and as strong as the provider's parameters allow. People can use the same password, but if a data breach occurs, they have to act fast, changing their password and taking additional security measures. It's important to do a combination of things.
View Julie Dabrusin Profile
Lib. (ON)
The other problem is that once people have a password that works well, they use it for all their online accounts. Some sites tell users that their passwords have to be longer, more complex or what have you, but they never remind people not to use the same password all the time or to use a different password than they do for other accounts. Would you mind talking about that as well?
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:13
Now you're asking me to be very pragmatic.
Ms. Julie Dabrusin: Yes, but this is pragmatic stuff.
Mr. André Boucher: What I would advise people, other than being very pragmatic, is to base their passwords on their level of uncertainty when it comes to the various online services they are using. For instance, for online banking, people should use a number of distinct passwords that are as complex as possible. However, for their online account with their local curling club, say, people may wish to be a little less rigorous and use the same password a few times, even though that isn't what I would recommend.
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:14
I believe most, if not all, banks require a minimum level of sophistication when it comes to the passwords they accept. They already have a certain standard in place to protect themselves from clients who are less diligent than they should be in selecting a password.
View Alupa Clarke Profile
CPC (QC)
Thank you, Mr. Chair. I'm very pleased to be here today.
Thank you, gentlemen, for being here and giving up your time to reassure Canadians and answer our questions.
One of the cornerstones of the social contract that exists across this land is the protection of citizens, not just the protection they offer one another, but also the protection provided to them by the government. For the past three weeks, constituents in all of our ridings have been profoundly concerned. Two days after the data breach was made public, people started coming to my office. When I would knock on people's doors, that's all they would talk about. That tells me people are genuinely concerned and feel that the government has done nothing in response.
The question my constituents want you to answer, Mr. Boucher, is very simple. Can the Canadian Centre for Cyber Security indeed ensure the 2.9 million Canadians affected by this data breach are properly protected, yes or no?
Does your centre have the tools to respond to the situation and ensure the victims of identity theft are protected?
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:16
It's fair to say that the Canadian Centre for Cyber Security has the resources to deal with all aspects of cybersecurity. The case we are talking about today involves an insider threat and stolen information. Strictly speaking, it's not a cybersecurity issue.
View Alupa Clarke Profile
CPC (QC)
I'm not talking about what's already happened. I'm talking about what's going to happen next. That's what worries people. I want to know whether the Canadian Centre for Cyber Security has the capacity to deal with international or national fraudsters who send text messages or whatever it may be.
Does your centre have the capacity to deal with that?
Results: 1 - 60 of 7238 | Page: 1 of 121

1
2
3
4
5
6
7
8
9
10
>
>|
Refine Your Search