DC ITS Opening Remarks: Standing Senate Committee on Banking, Trade and Commerce

Good afternoon, Mr. Chair and Members of the Committee. My name is Scott Jones and I am the Assistant Deputy Minister for IT Security at the Communications Security Establishment. I am accompanied by Andre Boucher, Director General of Cyber Security Partnerships. It is our pleasure to appear before you today, as you undertake your study on cyber security and cyber fraud.

This topic is both timely and extremely important. Canada, as you are well aware, is amongst the most connected countries in the world. Every day we are witness to stories of how online commerce is driving economic growth and creating opportunities in all sectors of the economy, including online banking and online sales.

But, of course, Canadians can only reap the benefits of online commerce when they can conduct their online activities with confidence and trust.

Unfortunately, we’ve all borne witness to cyber compromises that result in significant financial loss, loss to intellectual property, even loss to a company’s reputation. Today’s cyber threat actors represent different threat levels, motivations and capabilities. They include state actors, hacktivists, criminals and terrorists capable of a broad range of disruption, from ransomeware attacks to the exposure of personal information.

And I can tell you that as the head of IT security for CSE, the government’s lead technical cyber agency, we are very concerned about the vulnerabilities Canadians face online from these threat actors.

My goal today is to  answer your questions and leave  you with a better understanding of who we are, what we do, and how we work with our government partners, and, in particular, the private sector, to help protect Canada’s important information.

As this is my first time appearing before this Committee, please allow me to take a few moments to introduce CSE.

CSE is one of Canada’s key security and intelligence organizations. Our mandate and authorities are defined in the National Defence Act, and we report to the Minister of National Defence. Our mandate is comprised of three parts.

The first part of our mandate, Part A, involves the collection of foreign intelligence in accordance with Government of Canada intelligence priorities.

The second part of our mandate and the work that I lead, Part B, involves providing advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada.

And finally, the third part of our mandate, Part C, is the provision of technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

CSE is Canada’s centre of excellence for cyber operations. We use our cyber and technical expertise to monitor federal government systems in order to identify, prepare for, and respond to sophisticated cyber threats. Our work also extends beyond the federal government. Because cyber security is everyone’s responsibility, we work to support the private sector, including critical infrastructure operators, by sharing cyber threat information and mitigation advice. This helps them better protect their systems and the important information they contain.  

Partnerships are key to our success. We know that effective information sharing can help manage and mitigate the impact of cyber threats. That’s why we work closely with key partners like Public Safety, the Canadian Cyber Incident Response Centre, the Canadian Cyber Threat Exchange and the Canadian Security Telecommunications Advisory Committee, to build a stronger capacity to resist and defend against today’s diverse cyber threats.

Still, even the most secure systems can be rendered ineffective if not used properly. A core part of our work is to increase awareness and education of cyber security issues. We’ve developed the Top 10 IT Security Actions, building on years of mitigation advice to Government of Canada departments and agencies, to help dramatically reduce the threat to all types of organizations. You can find them listed on our website along with much of our advice, guidance and alerts. We also frequently post cyber security best practices to our Twitter account and website in an effort to increase public awareness.

I am especially pleased to appear before you today on this important issue because October is Cyber Security Awareness Month.  This annual event encourages Canadians and organizations of all sizes, including Government of Canada departments and agencies, to promote strong cyber security practices. I want to emphasize that cyber security is the responsibility of all of us and no single entity can do it alone. We need to adopt a cyber neighborhood watch. So it is crucial that everyone get involved in cyber security initiatives to better protect Canada’s sensitive information. Together, we can collectively make Canada stronger and more resilient against cyber threats.

As part of this effort, today CSE is releasing Assemblyline, a malware detection and analysis tool developed within CSE’s Cyber Defence program to detect and analyse malicious files as they are received.  Assemblyline will benefit businesses by allowing them to better protect their data from theft and compromise. Most software of a similar nature is proprietary to a company and not available to the software development community.

CSE is releasing Assemblyline to businesses, malware and private researchers, industry, and academia.  The release of Assemblyline benefits the country and CSE’s work to protect Canadian systems, and allows the cybersecurity community to jointly evolve this valuable open-source software.

I hope that if I have the privilege to appear in front of this committee a second time, I will be able to share with members the results of Assemblyline. In the meantime, I thank you for the opportunity to participate in this study. We will be pleased to answer any questions that you might have.