Committee
Majid Jowhari
Lib. (ON)
Okay. Let me move to CSE.
Mr. Jones, I was reviewing the Library of Parliament notes, which indicate that the “effectiveness of CIRA's technology relies on intelligence provided by the Communications Security Establishment's CCCS”. Can you shed some light on the technology you're referring to?
Scott Jones
2020-05-20 15:51
From our perspective, we're one intelligence thread that is fed into CIRA. I'll let our colleagues at CIRA talk about the broader approaches, but our feed comes from our defence of the Government of Canada. As we see attacks or compromises happening, such as, for example, spam emails being sent to us or attempts to defraud the government, etc., we share those indicators regularly with our partners, including CIRA.
In CIRA's case, then, with Canadian Shield, they're able to take those and put those to block, so that even if a Canadian were to click on the link they wouldn't be able to get to the bad or malicious site. That's an advantage. We do that same level of defence on the Government of Canada as well, but that's where we get the information from. It's really from our defence of a coast to coast to coast and global network. We try to feed that into our partners at CIRA to make sure Canadians are protected.
Simon Marchand
2020-05-20 15:53
Thank you, Mr. Lemire.
To start, I'll provide some clarity around the 600%. It refers to the increase in the number of attacks involving COVID-19 during this very specific period of time, not necessarily to the increase tied to economic factors. Naturally, during times of economic crisis, the number of scams goes up. The percentages vary.
That said, the lack of accountability in federally regulated companies is problematic in that all the current legislation—think of the Personal Information Protection and Electronic Documents Act, for example—forces companies to disclose that they were hacked and data was compromised. In Canada, however, we don't have an overall sense of how many people fall victim to identity theft once their information is stolen. Since banks and telecommunications carriers are federally regulated, they are making crimes involving one another easier to commit. In other words, much of the credibility for an identity is based on the fact that the individual has a cell phone account or bank account. These companies have tremendous amounts of sensitive information at their disposal, so once a hacker gets in, they can commit more and more fraud.
I have over a decade of experience in prevention, and I work with the fraud prevention teams in those companies. I can tell you that a bank's or telecommunications carrier's prevention team is under no obligation to disclose how many fraudulent accounts were opened daily or annually. They don't even have to contact or identify identity theft victims. That means you may have been the victim of identity theft, that your identity may have been used to open an account with a telecommunications carrier, for instance. The team in charge of fraud was able to detect the fraudulent use of a person's identity and reverse the transaction, but it doesn't have to notify the individual, in other words, the consumer. Consumers are completely clueless. No one has any idea when their identity has been used. The person can't take further steps to protect themselves in the future. That lack of accountability prevents the government from taking clear action to regulate the process of identifying or authenticating people who open bank or cell phone accounts.
Tako Van Popta
CPC (BC)
Thank you very much.
My first question will be for Mr. Marchand.
Thank you for your testimony. Thank you for educating us on some of these important statistics.
You told us about increased identity theft associated with so many Canadians who are teleworking, as we are today. I think you mentioned a 600% increase in phishing. Again, thank you for that information. What do we, as legislators, do with that? Do you have any specific advice for what we as legislators can do to help you help Canadians better protect themselves?
Simon Marchand
2020-05-20 16:16
Thank you for the question.
Perhaps we could look at two tools in the short term. The goal is to provide tools to companies that face these risks. Now that the fraudsters have access to the information, how can we equip banks and telecommunications companies with tools to prevent the fraudsters from successfully attacking them?
The STIR/SHAKEN standards are included in these tools. Of course, in my view, because the Americans will implement these standards quickly, we can expect fraudsters to come north of the border and to take advantage of a gap in Canada's legislation and regulations.
In my opinion, the STIR/SHAKEN standards are an essential tool because fraudsters use scooping to carry out certain types of identity fraud. This isn't just a matter of robocalls, but also a matter of identity theft.
As for the other tool, I think that the rules for identifying customers should be strengthened. Right now, a social insurance number, a driver's licence or a health insurance card is enough to open a bank account or a telephone account. These pieces of identification are outdated. We must start looking at the issue of digital identity and biometric identity.
Several countries have already transitioned to these higher levels of identification. To protect Canadians, we must consider whether some form of more advanced biometric identification should be required to open accounts.
Ali Ehsassi
Lib. (ON)
2020-05-20 16:25
Thank you.
Given all the advisory work you do and the counsel you provide to various organizations on a general basis, would it be fair to say that the guidance you are providing essentially establishes the standard of care from a legal standpoint as to whether organizations are actually adhering to best practices and insulating themselves from losses?
Scott Jones
2020-05-20 16:26
Well, I'm an engineer and not a lawyer, so I'm not sure that I'm qualified to demonstrate the standard of care.
One of the things we have worked on with our colleagues in Innovation, Science and Economic Development is the cybersecure Canada program to provide baseline cybersecurity controls to help small and medium-sized organizations do things that are actually within reach. I think one of the failings of the commercial cybersecurity industry is that we talk about things that a multi-million dollar or a billion-dollar company can afford. We need things that Canadian small businesses can afford, and that's what this is really trying to achieve.
Nathaniel Erskine-Smith
Lib. (ON)
I understand.
This question is for CSE and the RCMP.
We hear from constituents all the time about scams. The RCMP has tallied up that it costs individuals about $100 million a year overall for these scams, at least those that are reported. I would say they are under-reported, because people are embarrassed when they are taken advantage of. We hear about this all the time, and it's not just from seniors, although I've heard predominantly from seniors.
We've made significant investments in cybersecurity over the last number of years. You are the experts. Are there measures that other countries take that we do not? Are there measures, in your experience and estimation, the government could take to better strengthen our society against such fraud?
Scott Jones
2020-05-20 16:42
I'll start and then turn it over to my colleagues in the RCMP.
The first thing we've done is we've really tried to give practical things that every Canadian can do that are within reach. That's something all countries are doing. We've tried to make this as accessible as possible through, say, Get Cyber Safe.
The second thing we've tried to do is to find partners who can give capability. CIRA is a great example of that. That's something every Canadian can look into that immediately raises the cybersecurity bar. The one thing with cybercriminals especially is that they go after the lowest bar. If it's not economically feasible, they're going to move on to the next target, so by doing—