
October 3, 2024 43 mins

We're picking up where we left off in our last episode to take a hard look at Canada's national security strategy for cybersecurity. Guest Aaron Shull, managing director and general counsel at the Centre for International Governance Innovation, returns to discuss whether Canada is well equipped to deal with current and future online threats. Sami Khoury, senior cybersecurity official at the Communications Security Establishment Canada, shares insights about pre-ransomware notifications, threat alerts and public access to open-source tools. David Shipley, CEO of Beauceron Security, also returns with his take on how Canada compares against its peers when it comes to cybersecurity.

We also dissect the controversial Bill C-26 and its implications for Canada's cybersecurity landscape with guest Matt Malone, Waterloo University, and sit down with Kate Robertson from Citizen Lab to discuss Canada's involvement with the UN Cybercrime Treaty.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Takara Small (00:03):
So we've been talking a lot over the last few
weeks about the many cybersecurity threats we're facing,
but how are we fighting back?
We trust the state to keep us safe, but are they doing a good
job?

Aaron Shull (00:17):
If we're going to get our kind of act together in
Canada, it's going to have to be about this national approach.

Takara Small (00:24):
Trying to stay ahead of the criminals and bad
actors is a tough gig, and one that governments all over the
world are struggling with.
So this week, on What's Up With the Internet, we're looking at
what the Canadian government's response to our current
cybersecurity threats has been.
As always, I'm your host, Takara Small, and this podcast

(00:45):
is brought to you by CIRA, the Canadian Internet Registration
Authority, which is a non-profit building a trusted internet for
Canadians.
So then, what is the government doing about the issues we've
been talking about in our previous episodes?
First, let's hear from one of the government bodies leading
the fight.
We spoke to Sami Khoury a couple of weeks ago in episode

(01:09):
three.
Sami has now taken up a role as the Canadian government's
senior official for cybersecurity, but until very
recently he was the head of the Canadian Center for
Cybersecurity, and that's when we interviewed him.
He told us what the government is doing to help combat cyber
attacks.

Sami Khoury (01:29):
So we are actually we're doing a lot, and at the
cyber center and with our partners across government.
So, from the pre-ransomware notification so a lot of it, we
do a lot behind the scene that isn't often known because it's a
sort of capabilities that we are developing that generate
things like pre-ransomware notification.

(01:51):
We are putting a lot of advice and guidance out there.
I'm speaking like I'm doing right now to bring attention to
the fact that this is a big issue and we need to, as a
society, we need to take it seriously.
We make a lot of our capabilities available in open
source.
So on GitHub we've published some of the tools that we use,

(02:13):
some of the tools that we developed here at the Cyber
Center, that if somebody wants to use them, they can go and
download them and make use of them.
When we see something, we share it.
So we see a lot of things.
We see a lot of activity against the Canadian government,
people trying to hack into it, trying to scan it for
vulnerability.

(02:34):
Everything we learn from that.
We publish it through some of our threat feeds and people can
subscribe companies mostly can subscribe to our threat feeds
and be up to date with threats that we know of, and then we
issue alerts.
If there's something happening we will issue an alert or we

(02:55):
will issue a cyber flash to let people know.
And lastly, we've partnered with the private sector, with
companies, so we partnered with CIRA to make available Canadian
Shield.
Canadian Shield is a capability that anybody can download on

(03:18):
your phone, on your home computer, and it essentially
makes sure that you don't go to website that we know are
malicious.
So, effectively, when you type something in your bar of your
web browser, if where you are trying to go, or whether you

(03:40):
click on a link, the minute that computers try to go out there,
Canadian Shield will stop you from going if we know that this
site is malicious.
So that's a free service that we've partnered with CIRA on to
make sure that Canadians have access to that capability called
Canadian Shield.
There's a commercial version for businesses, but the free one

(04:04):
anybody can use it and download it and make use of it.
It's a one-way feed, so we tell CIRA what we know is malicious,
so there's nothing that comes back to us.
So, from a privacy perspective, I think your listeners can rest
assured that we don't get anything in return in terms of
your browsing history or what website you go to.

(04:26):
We just tell CIRA these are all the websites or all of the
domains out there that we know are malicious.
If you get an SMS we've partnered with the telecom
companies you just have to send forward that malicious SMS to
7726.
And behind the scene, magic happens and we encourage people

(04:48):
to send their SMS.
And if that SMS is malicious because there's a link in it
that we know ends up being malicious, then it will be
blocked, and it will be blocked by all of them and it will be
blocked also.
It will be added to our feed that is then shared with CIRA
through Canadian Shield and blocked there too.
So you are making a difference and you're contributing to doing

(05:13):
your part in ensuring that cybersecurity, that Canada is
more resilient in that space.
So those are examples of things that we do.

Takara Small (05:21):
And you know, another government initiative is
also Bill C-26.
For people who aren't familiar with that provision, can you
tell me a little bit more about what it is and how it addresses
the problem of cybersecurity?

Sami Khoury (05:34):
Yes, absolutely so.
Bill C-26 is still going before Parliament, so we hope that it
will come out at the other end and it will receive royal assent.
But that's a bill that is going to raise cyber resilience in
Canada for four sectors.

(05:55):
So telecommunication, finance, energy and transportation these
are four sectors that have been identified in Bill C-26.
And through that bill, there will be an obligation on the
companies that fall within those designated sectors.
Not everybody will be subject to Bill C-26.

(06:16):
That is something that still is yet to be decided.
But companies that are operating within those sectors,
primarily the big companies, will have an obligation to have
a cybersecurity plan.
So, if something happens, what's your readiness?
But also that will have an obligation to report cyber
incidents to the cyber center, to our organization, to the

(06:39):
organization I lead, and that's very important because it will,
by reporting incidents, which is one of the key messages I'd
like to leave people with.
It's important to report incidents to us.
We connect, we then understand how it happened, what happened.
We can connect a few dots, maybe by connecting dots between
two or three incidents and starting to see a pattern there.

(07:01):
So Bill C-26 will essentially mandate that those companies
that will be designated at the end of the process have a
cybersecurity plan and report cyber incidents to the cyber
center.

Takara Small (07:18):
So that's some of what the government is doing,
but it's not enough to impress everyone.
Back in June, a report from the Auditor General, Karen Hogan,
said that the RCMP and other Canadian security agencies do
not have the capacity or capability to effectively police
cybercrime, and a new, updated national cybersecurity strategy

(07:42):
still hasn't been introduced.

David Shipley (07:45):
We are sadly lagging our G7 peers in level of
investment.

Takara Small (07:50):
That's David Shipley.
He's the CEO of Beauceron Security Inc.

David Shipley (07:55):
We are lagging our peers in legislative tools,
frameworks, requirements, standards and more.
We're making some progress, and I would be remiss if I didn't
acknowledge that we're heading to third reading on finally
updated laws to protect critical infrastructure that's federally
regulated in Canada, like the banking sector,

(08:17):
telecommunications, energy transmission and transportation.
Yay.
But the reality is as I wrote in an op-ed recently for the
Hill Times is we still have a federal government where we are
castle and moat, and so they are concerned with protecting the
castle, without realizing that the castle lives off the
proceeds of the village, that they will starve to death

(08:38):
without the rest of us, and we are getting pillaged by the
cyber vikings left, right and center, and so we need to have a
couple of really key conversations in Canada.
The first is our policing models don't work in the 21st
century when it comes to cybercrime.
The idea that your locally funded municipal police force in
many parts of Canada is your jurisdiction to report crimes to,

(09:03):
to resource to deal with, is absolutely insane when faced
with these international multi-hundreds of millions of
dollars cyber criminal organizations.
We need a single national police force, resourced to deal
with cyber crime and able to deliver an equal response across
the country, whether you're urban or rural, rich province or

(09:24):
poor.
We need a new national cybersecurity strategy that
looks at policing, like I just mentioned, that looks at
preventative investments in defense, so a dedicated cyber
fund for municipalities and for healthcare, who are not
federally regulated, so they are not getting the legislative
support they need and certainly don't have the money on their

(09:44):
own to do this, and the areas of Canadian life when they're hit
are the most disruptive either to safety or overall well-being.
So we need to put some money into national cyber defense
preparedness, invest in offensive cyber when we can't go
after criminals, so that we can raise the cost of cyber crime

(10:07):
by ruining their infrastructure, hacking them back.
And that needs to be an explicit mandate of the Canadian
forces.
Right now the Canadian spy agency, CSE, has a mandate for
active cyber.
I would prefer and I've had this debate with national
security folks back and forth that they stick to their
espionage mandate because that's normal and expected in global

(10:29):
affairs.
But I think when it comes to hacking back and working outside
of law enforcement regimes, I think that's a role for the
Canadian forces.

Takara Small (10:38):
Why do you think we've lapsed in this area
compared to some of our peers?
Why do you think Canada isn't at the forefront when it comes
to cybersecurity, whether it's nationally, provincially,
locally?
Why is it some of our EU counterparts are so far ahead?

David Shipley (10:55):
We have slept under the blanket of American
security since the end of the Second World War and we have
cashed in the dividends from being able to rely on American
investment in this to fund all kinds of really important things
for Canada social programs, etc.
You know, universal health care, other things.

(11:17):
We have slept ourselves into complacency and we struggle in
this country to take national security seriously on a numerous
front.
So I'm obviously you know, I'm a proud Canadian Forces veteran.
So I have strong feelings about the need and necessity for us
to show up and be a valued member of NATO, to actually
contribute our 2% GDP spending to that, so that we can continue

(11:39):
to benefit from that collective investment in defense in a
world that's a lot more hostile.
We for some reason cannot seem to rouse ourselves to the fact
that we are in an active conflict of ideologies with
China, that the idea that we had in the 1990s that we could
normalize relations with China and China would become like the

(11:59):
West through trade has failed miserably, and that we are
living through the consequences, whether that's, you know,
election interference, whether it's, you know, actual impacts
on diaspora communities in Canada.
That's just one country's foreign policy being pursued
without a lack of response.
Here in Canada we have others India, you know, we had a

(12:21):
Canadian citizen murdered on our territory.
So the reason I mentioned all of these issues in the national
security context is if we can't even take national defense
seriously, if we can't take foreign interference seriously,
cyber does not even make it to the top of the list for most of
our most important conversations at the most senior political

(12:41):
level in Canada.
It just isn't there.
I have been to Parliament Hill twice.
I have testified in front of the National Security and Public
Safety Committee twice.
I have watched one of my testimonies was delayed while a
filibuster on the Emergencies Act for political performative
reasons was performed rather than listening to expert
testimony on the issue at hand.

(13:01):
So we're not a serious country.

Takara Small (13:04):
Okay, well, Aaron Shull, who we heard from in our
last episode, is a little bit more positive about how
well-equipped we are.
He thinks the provinces and city councils need to be more
involved, though.
Aaron is the managing director and general counsel at CIGI, and
his work is helping influence government policy.

(13:26):
I want to talk about policy, then, a little bit.
We've discussed so much when it comes to the impact of
cybersecurity, cyber warfare, and I'm wondering if Canada is
well equipped to deal with these threats now and in the future.

Aaron Shull (13:42):
Yeah, so maybe as a starting point, Canada's part
of something called the Five Eyes Alliance, so that's the UK,
United States, Australia, Canada, and so we're in this
intelligence sharing arrangement with our closest allies.
So that's good.

(14:06):
Within that, Canada contributes through something called the
Communications Security Establishment.
That's our national cryptological agency, kind of
Canada's code makers, code breakers, and that's where all
of our premier cyber capabilities reside.
The CSE is some of the best in the world, and you don't have to

(14:27):
take my word for it.
This is what I've heard from allies, and so we are very well
equipped for a nation of our size by virtue of having this
institution.
But that's one piece of a big puzzle, right, like the problem
is that the government doesn't own most of the critical
infrastructure in the country.
Right, it's privately owned.
And also we've got a constitutional division of

(14:50):
powers. Right, we've got a federated system, and so
hospitals and schools are under provincial jurisdiction, right,
and so so we've got to take that into account.
Plus, we've also got municipalities, and it's a bit
weird because it's actually at the municipal level where people
have their closest relationship with democratic institutions.

(15:13):
Right, this is where they've got their closest relationship
with government.
Like I said earlier, if your power turns off or your water
doesn't come out of your tap or your garbage doesn't get picked
or your hospital goes down or your kid's school gets hacked,
you'll notice right, and where we do most of that work is
actually at the municipal level, but that's where our
capabilities are the lowest.

(15:34):
And so if we're gonna get our kind of act together in Canada,
it's gonna have to be about this, a national approach and I'm
using the word national here advisedly, as opposed to federal.
It's going to have to be a national approach where we bring
together the feds, the provinces, territories,
municipalities, indigenous government groups, along with

(15:57):
critical infrastructure providers, in a bit of a
holistic way, like it can't just be a one and done type of thing,
and we also have to be prepared to continue to update
our approach to this as we continue to hook more stuff to
the internet and as the threats get more and more sophisticated.

Takara Small (16:16):
You've actually talked a lot about this and you
know what other-.

Aaron Shull (16:20):
I'll talk to anybody who'll listen to me
about this.

Takara Small (16:22):
I mean you've talked in parliament about this.
You've also done extensive work when it comes to government
policy.
I'm going to just plug your work reimagining a Canadian
national security strategy.
Can you tell us about your project and what your hopes are
for your advocacy on this issue?

Aaron Shull (16:40):
Yeah, sure, sure.
Well, maybe I'll back up a step and so say I work at a think
tank, we do public policy research right, and we always
talk about wanting to have a policy impact from our work.
So it's a little bit different than like a typical university
where you know a lot of the work can be, you know, curiosity

(17:01):
driven or whatever this is meant to.
Our work is meant to have a point and to have a kind of
impact in the, in the real policy world, and so.
But for me it's not just about impact.
I actually break impact into two constituent elements.
The first is, if you want to have an impact, you want to be
helpful to policymakers, and the second is you want to be

(17:25):
relevant to policymakers, and so the easiest way to be helpful
and relevant is to work on stuff that policymakers would think
would be helpful and think would be relevant, and so our last
national security strategy was done in 2004.
So 20 years ago.
And so to say that that is outdated would be the
understatement of this conversation, right, like, think

(17:45):
about your computer 20 years ago, anyways.
So I thought this is an area where we could help, and so we
put together a team of about 250 experts and, along with current
government officials, to think through some of this.
We wrote a whole bunch of reports.

(18:06):
But the nice thing is, in our, our kind of capstone report that
my colleague Wesley Wark and I wrote, we had a bunch of
recommendations in there.
The first was you got to do a national security strategy, but
come on and the government agreed, in something called the
defense policy update, which was, I'm saying, maybe released a
month ago.
They agree.

(18:27):
So there's going to be a new national security strategy
that's going to be updated every four years.
So we can tick that one off the list.
The second we argued for the creation of a national security
council chaired by the prime minister, and they agree.
Now there is a national security council chaired by the
prime minister, and so, kind of one by one, we're ticking things
off of our list.

(18:48):
But the point here is that when we're looking at our work, we
are always doing it with a view to being helpful and with a view
to being relevant and to using our good offices to try and
advance a national conversation, and so I'm thankful that we
were successful at it.

Takara Small (19:08):
So you know, do you think Canadians are now more concerned with
cybersecurity than in years past?
And I say that because we have seen quite a list of
institutions, both public and private, that have been hacked
and have been taken down in this year and last year alone.
So one of the big ones, obviously Toronto Public Library.
That's Canada's largest library system.

(19:30):
Um, the LCBO and medical hospital, like the list goes on
and on.
Do you think now voters and politicians, as an extension of
that, are much more aware?

Aaron Shull (19:42):
Yeah, oh, for sure, for sure, and that's what I was
saying, kind of at the top of the interview.
What this will now require is, you know, uh, depending on whose,
whose notes you're looking at, we're, we're going to be in an
election in the next, you know, 12 months, or whatever.
I think that this, like every party, should have to say
something about this and what their, their vision is for the
future, because you're absolutely right, like it's

(20:04):
impossible to have a local school hacked or a hospital
taken down and to not notice, right, like this is, this is
genuinely affecting people's real lives now, and so, while it
might not be the topic of conversation around most dinner
tables, I think this is one of those areas where politicians

(20:27):
and the political parties need to lead, they need to shape the
discourse in the country, and we've got to get serious about
it because, like we've been saying throughout the duration
of this conversation, the trend lines do not look good.
Like if you think this is going to get better on its own, like
I got news for you, it's not, and so this is one of those
areas where, while it might not be the top of mind when people

(20:51):
are thinking about who they want to vote for.
This is one of those areas that requires political leadership
and vision.

Takara Small (20:58):
And then there's Bill C-26.
If you're not familiar with it, that's the new cybersecurity
bill aimed at protecting Canadians.
It's been called one of the most important pieces of safety
regulations for a generation and it's been in the pipeline for
years.
The bill has already gone through the House of Commons and

(21:23):
is waiting to be rubber stamped by the Senate.
Bill C-26 is supposed to be our cybersecurity hero, but there
are concerns around privacy and transparency.
We got Matt Malone on the line from Waterloo to discuss it.

Matt Malone (21:46):
Matt is an expert in all sorts of law around
cybersecurity and privacy, and he's a Balsillie scholar at the
Balsillie School of International Affairs.
So Bill C-26 was a bill that was introduced in the summer of
2022 by then Minister of Public Safety, Marco Mendicino.
The bill has two main components to it.
It makes a series of amendments, principally to the

(22:07):
Telecommunications Act and a few other acts, and then it passes
a new act entirely, which is called the Critical Cyber
Systems Protection Act.
So if you zoom out and you look at this bill, it can be situated
with a series of legislative efforts that have been taken in

(22:27):
recent years across peer states of Canada, like Australia, the
United States, across the EU, where you've seen an interest by
governments to use regulation to nudge or to require certain
postures when it comes to cybersecurity.
And that's really rooted in something that became clear when

(22:51):
our last national cybersecurity strategy came out, where it
became very clear that there was a recognition of the role of
regulation in changing and improving our cybersecurity
posture as a country.
So more or less, we settled on that view in 2016.
But it took us until about 2022 to come up with this law and we

(23:14):
have not by any means expedited the law.
It's more than two years later.
Now we're in September 2024 having this conversation and the
bill still hasn't become a law.
It's currently in the Senate on second reading as I'm talking
to you, but we'll see the stage it gets to later on.
So just to answer your question about what the bill is, these

(23:36):
two main parts of the bill, the amendments to the
Telecommunications Act really recognize the role of security
as a key objective of Canadian telecommunications policy.
So we have a Telecommunications Act that recognizes various
policy rationales that guide our policy, you know, through

(23:59):
entities like the CRTC and so forth.
But what it does is it adds security to those rationale and
it endows the government, technically the governor and
council and the minister of industry, which has
responsibility over telecommunications, to direct
TSPs or telecommunication service providers to take or

(24:21):
refrain from taking actions that might be necessary to ensure
security.
So that's sort of the main part of the bill that concerns the
Canadian Telecommunications Act.
But there's a second part, and I apologize if this is boring
because it is a little bit boring.

Takara Small (24:37):
What are you talking about?

Matt Malone (24:39):
Right, that's the attitude.

Takara Small (24:41):
Maybe scary is the actual right word, but continue.

Matt Malone (24:43):
Well, you know, I think we'll talk about scary in
a second, and that's for me when it comes to transparency.
So the second part is really.
The second part of Bill C-26 is the Critical Cyber Systems
Protection Act, and this got a lot less attention, but it's
equally important because it allows the government again
technically the governor and council to designate certain

(25:08):
services as vital systems, so systems that would be under the
federal jurisdiction, systems like and there's already a few
that are recognized in the law, like telecommunications,
pipelines, energy, nuclear energy, banking, various
transportation systems and so forth.
So what this bill does is it allows the government to

(25:30):
recognize these systems as vital services, vital systems, and
then it authorizes the government to designate certain
operators of those systems as parties whom the government can
direct to do all different kinds of things.
And perhaps the most important is, once a designated operator

(25:52):
of a vital system is recognized, there's an obligation to create
a cybersecurity program where you have to identify risks,
protect the system and so forth.
But there's other requirements, and this is where the bill gets
really interesting, where the bill endows the government with
the ability to take all different kinds of actions,

(26:12):
including so it's not just about these entities engaging in
certain conduct, like reporting a cybersecurity incident to the
government or establishing a cybersecurity program.
But the bill also allows the government to issue what are
called cybersecurity directions, which are totally secret
directives that the government can issue to these entities to

(26:35):
take, or refrain from taking, a certain action to bolster the
cybersecurity of their services.
So it's really interesting because there's not a lot of
transparency over those directives, and so I think this
continues a trend that we're seeing with cybersecurity
generally in Canada, where we're endowing the government with a

(26:59):
lot of power that is not accompanied with a lot of
transparency around that power, and I don't think that that's
necessarily a good recipe for bolstering trust in federal
institutions.

Takara Small (27:10):
Personally, so there is a history of Canada
following in the footsteps of our closest neighbor, the US,
when it comes to legislation, when it comes to initiatives and
funding, but I'm wondering what government initiatives you
would suggest need to be put in place, divorced from what's
happening south of the border.

(27:30):
What would you think the government needs to focus on or
needs to enact?

Matt Malone (27:38):
Well, I think, as much criticism as I have of Bill C-26,
I think it's, you know, to borrow a phrase from Christopher
Parsons, who was a senior researcher at the Citizen Lab,
who's now at the Ontario Information and Privacy
Commissioner I think Bill C-26 is incredibly well-intentioned.
This is definitely a bill that we need, but I think a few

(28:01):
things need to happen.
I think the first is that we need to get back into this
show-don't-tell approach.
It's important to remember that Bill C-26 only regulates the
private sector.
It doesn't actually regulate government itself and the
government.
Cybersecurity is characterized by a lot of fragmentation and
approaches that are sometimes illogical, and this

(28:24):
fragmentation is apparent from Bill C-26 itself.
Right, the bill was introduced by the public safety minister,
but what it really does is give a lot of powers to CSE, which
reports to the national defense minister and sort of.
Who is responsible for cybersecurity overall in the
Canadian government is an interesting question.
I mean, you recently had Sami Khoury on, you know, an

(28:47):
incredible individual who's done a lot of service for Canada,
and he's actually just been appointed or elevated into a new
role, and I'm not entirely sure where that resides in
government, but there's you know, there's folks who sit in the
Privy Council who have some responsibility with
cybersecurity policy and Shared Services Canada with respect to
devices that are issued to government, and then Global
Affairs Canada has its own say in certain conduct that CSE will
(29:11):
take, in particular, when it takes active or offensive cyber
operations against other states.
So there's a lot of fragmentation here, and I think
one of the main things that needs to change in Canada is an
approach that really operates by show, don't tell.
CSE's annual report came out this summer and it highlighted a

(29:34):
lot of the incredible work that they do.
I mean, this is a super talented group of people,
probably one of the most competent entities in government
and highlighting things like leading multilateral efforts to
take down a ransomware gang and liaising with sensitive
industries like oil and gas, and so forth.

(29:56):
So a lot of good stuff coming out of that.
But one of the things that caught my attention was that CSE
is very well known for sensors that it places on networks to
identify and anticipate and mitigate cybersecurity risks,
and something I found very interesting in their report was
that some 50 federal institutions still don't have

(30:20):
any of those sensors installed on their networks, and these
sensors are famous.
I mean the UK has actually installed more than 100,000 of
them on their networks, these Canadian sensors.
So you know it's brought in CSE a lot of,
you know, praise, and rightly so, but the government itself

(30:58):
hasn't responded to shortarians, NSICOP or NCCOP.
So I think show not tell is an important part of it.
If I were to critique the bill itself, I have a few overriding
critiques.
I mean one of them is that the bill is titled the Critical
Cyber Systems Protection Act, but what is critical?

(31:20):
And the government has a very sort of limited remit for what
is defined as critical.
As I said, it only applies to private sector entities, so it
doesn't apply to the federal government's own conduct.
And it also fails to mention sectors that are very clearly of

(31:43):
tremendous importance and you can imagine space is going to
continue to become a major sector in Canada over the next
few years. Water and wastewater infrastructure.
I mean the European Union's main cybersecurity law
identifies that as one of its critical sectors.
It doesn't mention food and so forth.

(32:04):
So I think there's some interesting questions around
what is being brought in or identified as critical and what
is not.
It makes sense when you think about the cybersecurity threats
that we have faced.
I mean, the Colonial Pipeline was a very notable disruption

(32:25):
caused by a threat actor and you know it makes sense that we
might want to focus on pipelines and energy and nuclear within
this bill, but we shouldn't limit it there.
The other problem I have with the bill is that it's based on
an approach where the government needs to register a designated

(32:47):
operator for the bill to apply to them, and I think there's a
lot of problems with this approach because it basically
requires us to count on the government being vigilant and
identifying everyone who could possibly be critical, taking the
right action and putting them on.
Forget what it stands for NIS1 and NIS2, the cybersecurity, the

(33:20):
big cybersecurity legislations.
They have these long EU names the Directive on Network and
Information Security, something, something specifically
identifying and adding designated operators by
government entities and made it so that there were certain
requirements that automatically triggered the application of the

(33:40):
law.
So entities that were above a certain size in certain
industries would automatically have requirements to follow
NIS2's obligations with respect to taking certain measures, and
I think that's a much more organic and sustainable approach,
because it doesn't require someone in government to

(34:01):
constantly be out there scanning the threat environment and
adding specific entities to the list.
Rather, it automatically adds them as they grow or as they
gain in importance.
So I think that's a big part of it and, of course, with that, I
would probably say the penalties, the administrative monetary

(34:21):
penalties in the law.
Although they're tiered for individuals and corporations, I
think they actually need to be matched to follow the EU example,
where we basically, just in the EU EU use a percentage-based
approach, so failure to act can cause a penalty that is X

(34:42):
percent of your total revenue in the last year, as opposed to
the Canadian approach, which is just $1 million, $10 million,
whatever it is.
So I think those are the main critiques that I would have.
I think the overarching critique, however, is a
transparency critique.
The bill endows the government to issue these directives

(35:05):
shrouded in complete secrecy, and that's a major problem
because, as much as CSE is, you know, an entity that deserves a
lot of praise, it also is still getting its sea legs when it
comes to showing its work and being transparent about its work.
It's been called out by review agencies for failing to submit

(35:29):
its own records that it needs to provide to those review
agencies.
For years, it has one of the worst rates in responding to
access to information requests.
It refuses to answer sort of basic questions around its
practices, including whether it's using third-party spyware

(35:50):
like NSO Group's Pegasus software, and the BC Civil
Liberties Association has called out CSE saying that it's in
dire need of oversight, and I would share that view.
They've done great work cooperating with various sectors,
issuing pre-ransomware notifications having a tangible
impact on the private sector, but transparency is lacking and

(36:16):
that's a major concern.

Takara Small (36:19):
And that was Matt Malone.
Now, that issue of finding balance with government power is
a bit of a trend.
Fighting cybercrime shouldn't mean creating limitless
government powers.
Kate Robertson spoke to us about Canada's involvement with
the UN Cybercrime Treaty.
It's an agreement that wants to harmonize laws around

(36:40):
cybersecurity across its member states.

Kate Robertson (36:44):
Well, this is a good example of where Canada has
been playing an important role in demonstrating leadership and
calling for the need for human rights standards to inform how
we approach cyber threats, including the threat of cyber
crime, and the agreement you're referencing is an international

(37:07):
treaty that has been put forward in draft form for the United
Nations General Assembly to ultimately consider and vote on,
and it remains to be seen what countries like Canada and others
around the world will do about it, because there have been many
experts in both cybersecurity and civil society and digital

(37:33):
rights who have pointed to how some of the powers that are
being discussed, including cooperation powers around
cybercrime, will actually pose really significant risks when
conceived at an international level, given these same powers
might be used by authoritarian governments against human rights

(37:53):
activists, journalists or political opponents, and so it's
again one of the important balances that policymakers need
to strike when you're responding to a problem like cybercrime,
so the need to react to those types of problems rather than
operating from a place of fear, but instead to bring forward a

(38:16):
really right-centric approach to cybersecurity, which says that,
yes, we do need to respond to some of the new and or even
growing threats that we're seeing on an online environment,
but taking a really long view that protects the security of
our networks, which is really about protecting the security of
us as people, making sure that we're not exposing individuals

(38:43):
unnecessarily to other types or even more dangerous types of
security threats in the process, particularly when it's not
necessary to do so.

Takara Small (38:49):
If I can be frank, you know, governments really
are only likely to take action when there's public demand for
it, and it creates this kind of catch-22 because you need the
general public to care about something in order for the
government then to acknowledge and take the next steps.
So I'm curious, you know, how do you go about increasing public

(39:11):
awareness around this topic and increasing, I guess, education
for the general public about what can be perceived as a very
complex issue?

Kate Robertson (39:23):
I think that is a really fair comment and an
important comment, and touches on some of the broader themes
that you've been speaking about on this podcast and in recent
weeks with other guests as well, and I think it's helpful
perhaps to return to the analogy of thinking about cybersecurity
as a team sport.

(39:43):
Yes, we do think of it as a really technical area, but it's
also a highly interdisciplinary area as well.
Effective cybersecurity integrates expertise from a
whole range of sources, including independent regulators
and government, industry, civil society, academic researchers,
security researchers, data journalists like yourself, who

(40:07):
hosts really informative and translatable messages around how
technology impacts us in our day-to-day lives, and so I do
think it is true that it can often feel overwhelming for
certain individuals to hear about some of the
vulnerabilities that do exist, and sort of a powerlessness

(40:30):
feeling can surface at times, but I also think it's important
to look at it in light of what amazing dynamics are already
unfolding, when you have many who are working with the public
at large to help translate and shine a light on some of the
ways that governments and companies can be doing much more

(40:51):
to protect us at a human level and a policy level, and so I
would actually even think of the question a little bit
differently is that there are many, many in the public who are
participating in really important public debates about
cybersecurity and, in fact, when you look at how the
parliamentary process around Bill C-26 has been unfolding,

(41:15):
there are many pointing to how the secrecy that's embedded in
many of these new government powers are actually running up
against a desire from the public to have much more transparency
about what's going on, and that's really a reflection of
the really rich part of society that has and has historically

(41:37):
played a really important role in protecting us at an
individual level.
And one of my colleagues has actually done some research
about this and he's talked about how surveillance powers that

(41:57):
government has traditionally turned to have sometimes had a
really detrimental effect on cybersecurity.
And he pointed to some really interesting research that talked
about how, when the public perceives or believes that the
government has had a really large role in terms of
surveillance, that can lead to a sort of disempowering reality

(42:17):
where the less control we perceive to have over our data,
the research actually has shown that the less likely we are to
take steps to protect our own personal security.
In one study, they showed that individuals were actually less
likely to implement strong passwords when they perceive the
government to have a larger surveillance role, or were less

(42:39):
likely to take other types of measures like two-factor
authentication.
And so I think it does speak to really competing dynamics that
have been unfolding, but part of a larger shift towards
recognizing that the public, while they may not be looking at
the very innermost nuts and bolts of our networks, they can
and do have a really important role to play.

Takara Small (43:01):
That was Kate Robertson, who is a senior
research associate at the University of Toronto Citizen
Lab.
OK, so next week is the final episode in our series and we
want to look forward.

Sami Khoury (43:15):
The thing that we can count on is that there's
going to continue to be more innovation and change, and we're
going to need to be agile and adapt.

Takara Small (43:24):
Yes, we'll be looking at future trends in
cybersecurity and how emerging technologies are going to impact
this space.
Remember, you can email the show at podcast at CIRAca, and
you can find me on social media at Takara Small.
You can also check out CIRAca slash cybersecurity if you want

(43:44):
to learn more about cybersecurity in Canada.
Thanks for listening and we'll see you again next week.