Speaking Notes for Greta Bossenmaier, Chief, CSE: A Canadian Perspective on the Cyber Challenge
John Tait Memorial Lecture
Canadian Association For Security and Intelligence Studies Symposium
September 23, 2016
Good morning, everyone.
Thank you very much, John, for that very kind introduction. John and I were very fortunate to be able to share a stage with other former CSE Chiefs earlier this month to celebrate the 70th Anniversary of CSE.
Together with the other former Chiefs, we recognized the tremendous work and achievements of generation after generation of dedicated CSE staff. I’ll talk more on that in a few minutes.
But let me say today, I am very honoured to have been invited to speak at CASIS, and particularly to deliver this year’s John Tait Memorial Lecture.
I have to say that it’s a particular privilege for a CSE Chief to deliver a lecture that pays tribute to John Tait. John’s distinguished career greatly impacted and influenced the entire federal public service. He was of course instrumental in shaping the government’s Security and Intelligence community in the late 80s and 90s.
And John’s contributions to the public service and the S&I community still deeply resonate at CSE today. As the Government’s Security and Intelligence Coordinator in the mid-90s, he was the Deputy Minister responsible for CSE’s policy and operations.
Through a CSE lens, perhaps his most important accomplishment in that role was establishing a strong and professional relationship between CSE and our then-recently established independent review body – the CSE Commissioner.
The Commissioner’s Office recently celebrated an anniversary of its own – 20 years of providing Canadians with independent and expert review of CSE’s activities.
But John’s impact on CSE goes further. He published his 1996 ground-breaking work in public service values and ethics: “A Strong Foundation”. That paper is as meaningful today as it was then.
It proved instrumental in CSE adopting its own values framework.
And it has influenced our current Ethics Charter – the cornerstones of which are lawfulness and integrity. Critical values that speak to what CSE is, and who our employees are.
So it’s indeed a great honour to be addressing CASIS today in recognition of Mr. John Tait.
This morning, I’m going to be discussing a Canadian perspective on the cyber challenge.
An extremely timely topic, for a number of reasons.
As you may know, the Government is currently examining the issues, evolving threats, gaps and opportunities in cyber through its Cyber Security Review. This is an important policy discussion happening at a critical time.
As well, we are all having to face the rapidly evolving nature of the cyber challenge.
So what I’d like to do this morning is to share my views on what the cyber challenge is. Or perhaps more accurately put – what the challenges are.
The challenges are serious. And it will take constant vigilance, determination and skill to address them.
But those challenges also contain tremendous opportunities for Canada to collaborate. And to drive innovation and economic prosperity and security.
I’ll then tell you how CSE is working with its government partners and other partners to respond to the challenge.
And lastly, I’ll talk about what we can do collectively to innovate and to address the challenges.
But first, I’d like to share with you a bit more about what CSE has done in the past, and what it does today.
CSE: Yesterday and Today
Off the top, I mentioned that this is the Communications Security Establishment’s 70th Anniversary. An important milestone for a vital Canadian organization. After making significant contributions to the wartime effort in World War II, in September 1946, the Canadian civilian and military signals intelligence units were brought together to form the Communications Branch of the National Research Council. That set us on the first 70 years of our journey.
It’s been 70 years of tireless efforts to protect Canada and Canadians against threats. And in leading-edge work to protect Canada’s most important systems and information.
We have a CSE badge, which was designed by the Chief Herald of Canada and given to CSE in 1994. The motto on that badge says: “Protecting and Providing Information.”
CSE’s history is rooted in decrypting foreign radio signals to provide essential war-time intelligence on the intentions of Canada’s adversaries.
But what is less known is that our 70-year history – back to the beginning – has also been about protecting government communications and information.
It has ranged from encrypting Canadian communications signals in the 40s and 50s, to our more wide-spread work today in protecting the government’s online systems and networks, and the sensitive information they contain.
So I think it’s appropriate that the word “protecting” comes first in our motto.
A celebration of history is really a celebration of people. And I can tell you that the people of CSE – both yesterday’s and today’s – are among the smartest, the most dedicated, and the most professional that I have encountered in my career.
They are among the best and brightest minds you will find anywhere. And they are dedicated Canadian public servants singularly committed to serving and protecting Canada, and doing so with integrity and lawfulness.
So what does today’s CSE do?
As you may know, we have three key roles under our mandate:
CSE provides foreign signals intelligence to the government. I’ll emphasize the word “foreign” here. It bears repeating that CSE cannot and does not direct its foreign signals intelligence activities at Canadians anywhere or at anyone in Canada.
Our foreign intelligence plays a critical role in protecting Canada, Canadians and our allies against threats. For example:
- Our intelligence has protected, and is protecting, the brave men and women of the Canadian Armed Forces. It’s supporting crucial Canadian military operations, including current missions in Iraq, and past missions in Afghanistan.
- It is helping uncover foreign-based extremists’ efforts to attract, radicalize, and train individuals to carry out terrorist attacks in Canada and abroad.
- And most relevant to today’s topic, it provides early warning to thwart foreign cyber threats to the Government of Canada, and to Canada’s critical information infrastructure and networks.
The second part of CSE’s mandate is cyber security. To provide advice, guidance and services to help ensure the protection of electronic information and information infrastructures of importance to the Government of Canada.
And third, we provide technical assistance to federal law enforcement and security organizations. When we provide that assistance, it’s only at the request of those organizations. And it’s under their legal authority.
This morning, I’ll be focusing of course on the cyber security part of our mandate.
It’s an absolutely critical part of how CSE serves and protects Canada and Canadians.
Why the focus? Because the online world plays such a critical role in how Canadians live their daily lives. It connects us together socially. It drives the economy. It is tied to our collective prosperity and security.
Lives lived on and through the internet
And, as Canadians, we are online. A lot.
Canada is among the most connected countries in the world. A few stats… As of July, 2016, Canada had an estimated 32 million internet users. A staggering number when you consider our population is around 36 million people.
And with that high level of internet usage, Canadians can access more than 200 federal government services online.
That number is growing. We can file our taxes. Veterans can apply for benefits. Aspiring new Canadians can check the status of their citizenship application. All through their computers.
Add in provincial, territorial and municipal online services, and the number of services available is in the thousands.
As well, online commerce in Canada grows every year in both value and importance to the economy.
According to a 2016 Yahoo Canada survey, more than two-thirds of internet users say they use online banking at least once a week. By contrast, only 16 percent say they visit a physical bank branch.
Online sales in Canada totaled $136 billion in 2014, the last year for which stats are available.
The curve has been rising. So it’s not a stretch to suggest that figure is much higher today.
As well, almost 4 per cent of our Gross Domestic Product is directly dependent on the internet.
In fact, almost every aspect of Canadian life – whether it’s finance, electricity, education, research and development, transportation, entertainment or social interaction – almost every aspect depends in some way, shape or form on the internet.
And our online activities have become increasingly mobile. Based on 2014 statistics, two-thirds of Canadians owned a smart phone and half owned a tablet. Again, fast-forward two years and imagine where those numbers are today.
Which is brilliant in terms of convenience. And commerce. And speed. And innovation. And mobility.
But here is where we get to the fundamental challenge.
For Canada to realize all of the benefits that internet technology can offer, it also has to offer trust and confidence.
When Canadians are interacting online, when they’re making an online purchase, when they’re accessing a government service, or when they’re taking an online course, they need to do it with trust and confidence.
But that’s not the way the internet was built.
One of the first uses of the internet was academics sharing innovative thoughts, ideas and research. Security was an afterthought.
So over the decades, those of us whose business is cyber security have been busy. Filling the security holes. And finding new solutions.
Our cyber security efforts are aimed at getting and staying ahead to ensure that Canadians can have that trust and confidence.
That’s the challenge in a nutshell.
The cost of compromise
We’ve seen evidence of that challenge in the news headlines every day.
Whether it’s Home Depot, Sony, or more recently Eddie Bauer or the World Anti-Doping Agency, or Yahoo, compromises occur. They occur quite often.
And they can be costly. They can result in significant financial costs – whether it’s loss of intellectual property, or simply the costs of stopping and cleaning up the damage.
They take up time and other valuable resources.
And they can harm a company or organization’s trust and reputation.
The bottom line is: cyber compromises impact the bottom line.
As with all organizations, the Government of Canada is not immune to such cyber incidents.
You may all recall the compromise in 2014 of the National Research Council.
It caused significant harm. And significant cost and it took significant time to remediate.
That’s an expensive lesson in the cost of successful cyber attacks.
So why do these cyber attacks keep happening?
The Threat and Risk Landscape
There are three points here I’d like to talk about.
The first is the evolving world of threat actors. Cyber threats used to be the exclusive domain of nation-states. That’s certainly not the case anymore, as malicious cyber tools become easier to obtain and the motivations for malicious actors become more diverse.
Cyber threats come at companies, governments and other organizations from any number of sources. And for any number of motivations.
Foreign state-sponsored threat actors are still a prominent source of the threats.
I am not going to discuss specific foreign threat actors today. But I will say there are over 100 countries with the ability to launch cyber attacks.
Criminals are another prominent source of cyber attacks. The reason they do it is simple. It can be lucrative.
The latest trend we’ve all heard about is ransomware, a form of malware that encrypts data until you pay money to have it unencrypted. Only to run the risk of being hit again.
There are also so-called hacktivists, who attempt cyber compromises with a desire to embarrass or make a statement.
And of course, terrorists are active in the cyber world. They do it for profit. They do it for propaganda. And like all terrorist activities, they do it to instill fear.
As the number and type of threat actors have grown, so too have the number of attempted cyber attacks.
The government’s own systems are probed on average over one hundred million times per day by threat actors searching for vulnerabilities.
Today’s threat actors are greater in number. With more reasons to attempt attacks. And with easier-to-obtain tools and knowledge.
It’s often a perceived case of low investment, and potentially high rate of return. While our colleagues in law enforcement and justice are working hard to prosecute perpetrators of cyber crimes, we at CSE are working to change the investment/reward equation by making it harder for threat actors to succeed.
The second point I want to make goes back to what I said earlier about the internet being built, and added to, without security being the main focus.
That also applies to the way hardware and software have evolved over the years.
As a former Chief Information Officer in a number of departments, I can speak to the fact that computer technology used to be self-contained, and fairly simple. And there were parts of the technology, whether it was hardware or software, that were common to all.
Over the years, new technology has been developed and built. But most often it doesn’t replace old technology. It’s actually built on top of those older common components.
Those common components are everywhere.
And they come with security vulnerabilities.
So what you end up with are these complex and layered technologies. But with vulnerabilities that can have wide-spread impacts.
A recent example is the 2014 vulnerability in OpenSSL, or Heartbleed as it became known. That single vulnerability opened half of the entire internet to a single exploit.
And the government was among the organizations impacted by this vulnerability. The Canada Revenue Agency shut down its website and suspended some of its services to Canadians, right in the middle of tax season. Another illustration of the costs of cyber compromises.
And finally, no discussion of the threat and risk landscape today is complete without at least touching on quantum computing, which brings me to my third point.
The challenge of protecting cyber systems and information is about to get a lot harder, thanks to quantum computing.
Quantum’s immense processing power will bring with it tremendous opportunities. It could result in incredible advances in engineering, medicine and science.
But it could also render today’s current methods of encryption totally ineffective. Nearly every company, every government and every organization currently employs some form of encryption.
Encryption is also part of almost every Canadian’s daily life – whether they realize it or not. Credit cards, debit cards, work and building passes – just to name a few examples – all work on some form of encryption.
And of course, encryption is at the heart of how we protect government systems and information.
So unless we collectively get ahead of the quantum challenge and rethink encryption, the systems and information of every company, every government and every organization – and potentially every Canadian – could be vulnerable.
It’s not really a question of if. But of when.
Some experts estimate quantum computing could be realized in the next ten years.
The clock has started to tick.
You’re going to hear more about quantum and cybersecurity later today from the University of Waterloo’s Ray Laflamme.
Waterloo’s Institute for Quantum Computing has been doing some incredible work in that area, so stay tuned.
So those are some of our challenges. In the face of them, how do we realize all of the benefits and potential that technology brings to our society? And how do we do it in a way that ensures trust and confidence?
I’ll give you my perspective. We do it together. All of us. And we innovate. Again…together.
Before I get into that, I want to talk about some specific ways that the CSE has been responding to this challenging cyber environment.
How CSE is responding: Partnerships
And in keeping with what I just said, partnerships are at the core of our efforts.
The CSE often has the reputation of being a “top-secret spy agency”. That implies that we simply stay within our walls and don’t work with anyone. That’s not at all a fair or accurate portrayal, as I think you’ll see.
I’ll discuss how we work with government first, and I’ll start with a key partner, Shared Services Canada, or SSC.
Before SSC was established, each and every government department had their own systems and networks.
And how CSE worked with all those government departments was not very consistent.
Most often, we would see something potentially bad happening on a department’s network. We would write a report about it.
And we would give that report to the department. And each department had different complexities and capabilities in terms of responding to the reports.
Then two important things happened.
First, SSC came along. And instead of dealing with 43 different system owners for 43 departments, we are now dealing with one.
Having SSC-operated internet gateways has enabled a key improvement in defending government networks. For CSE, that means one set of networks to defend, instead of 43.
That’s an immense benefit when your business is cyber security.
At around the same time, CSE was turning how we did cyber defence on its head.
Instead of seeing, telling someone and working on individual solutions, CSE experts developed more automated and intelligent detection and defensive tools to defend government networks.
And although I can’t get into specifics of the classified tools that we use, our strong capabilities are better able to quickly detect malicious activity, and to prevent or restrict that malicious activity from causing damage.
I saw a specific example of this part just this summer.
A sophisticated malware attack was attempted against a multitude of Government of Canada departments.
With the SSC gateway, CSE’s leading-edge cyber defence tools, and very quick action by an individual department, we were collectively able to quickly detect, diagnose, analyze, and successfully defend against that malware.
The result: the impact was limited and no Canadians’ data was at risk. A lot of damage – and a lot of costs – were avoided.
I can tell you that if this had happened five years ago, or even two years ago, the outcome could have been very different.
This is just one example of the strengths of the Government of Canada’s systems: SSC-operated internet gateways enable CSE’s security services and expertise to be applied effectively and efficiently, with real results. But we can never, ever be complacent. Departments must remain vigilant.
We also work closely together to make sure we are architecting and designing systems with security baked in. Right from the very start.
Working together, CSE and SSC are protecting Government of Canada systems. And the important Canadian information they contain.
That means fewer compromises. Less lost data. Less service disruption. Less damage clean-up. And for the taxpayer, better service, increased trust and confidence, and less cost.
How CSE supports Public Safety’s cyber role
Another one of our key partnerships within government is with Public Safety Canada. Among other roles, Public Safety shares cyber security information to help Canadians protect themselves, their families, and their small and medium businesses online.
So it’s fitting that Public Safety is well represented on today’s CASIS program, including Monik Beauregard from their National and Cyber Security Branch, who will be chairing a panel later this morning.
One of the ways CSE and Public Safety work together is through the Canadian Cyber Incident Response Centre, which is Canada’s national cyber coordination centre. Among other things, it’s responsible for reducing the cyber risks faced by Canada’s key systems and services. That includes banks and telecommunications companies.
It shares information on cyber threats and provides advice on cyber security for the benefit of all Canadians.
It also coordinates the national response to any serious cyber security incident.
The Centre functions through partnerships. With provincial, territorial governments. With industry. And with the Government of Canada.
Of course, given CSE’s expertise, we are a key partner with CCIRC. I like to think of CSE as the technical advisor to the Centre. When you see one of their cyber security bulletins or alerts, there’s a good chance that CSE’s experts provided or validated much of the technical information that you read.
Public Safety Canada also helps CSE share its expertise and partnerships beyond the federal government. And particularly with industry.
Partnerships with industry are key and CSE is working to build on and expand those partnerships, and how we work with Public Safety to share information with industry.
Last December, the Canadian Council of Chief Executives, along with several leading Canadian companies, announced the launch of the Canadian Cyber Threat Exchange, or CCTX.
Its purpose is to share information about cyber threats so that companies can better defend against them.
That’s valuable for the companies of course, but it’s equally valuable for their customers. And their shareholders.
The CSE, along with Public Safety, has important roles with the Cyber Threat Exchange.
CSE will be sharing through the CCTX unclassified cyber threat information gathered through our unique capabilities.
We will also be sharing some of our cyber defence tools to help companies better defend themselves.
The CCTX will also use its networks and contacts to share CSE’s best cyber practices. That will help raise the bar across multiple industry sectors.
The result: companies will be better able to defend against these threats. Their information will be better protected. Canadians’ information will be better protected.
Beyond the Government and private sector, CSE’s partnerships also extend into academia, and leading edge research.
Which brings me to CSE’s Tutte Institute for Mathematics and Computing. It’s not nearly as well-known and well-appreciated as it needs to be. It’s one of the first of its kind, and I’m pleased to be able to spend a few minutes now to talk about it.
The Tutte Institute for Mathematics and Computing is housed at CSE. It brings together top academics and researchers from a variety of fields. They collaborate and conduct classified leading-edge research in mathematics and computer science – with a specific research focus in cryptography.
By gathering together CSE’s best minds with those from the academic world, we can address the greatest cryptologic challenges, and discover innovative solutions.
Tutte has already established key partnerships with learning institutions, including Carleton University and the University of Calgary.
I talked about the challenge and opportunity of quantum computing earlier. I’m confident that the work of the Tutte Institute will play a strong role in meeting our future quantum challenges.
Learning and education
CSE also has a strong educational and training program. Our IT Security Learning Centre shares our expertise, knowledge and skills in a variety of formats to help IT practitioners in government and beyond to keep their systems safe.
We also publish much of our advice and guidance on our public-facing web site, and our recently launched Twitter account. For all to see. And for all to benefit from.
One product you’ll find on our site that I’m particularly proud of is our Top 10 list of security actions to protect Government of Canada Networks and Information.
Ten practical steps that departments can take to better secure their networks, systems and information.
And while they are geared to a government audience, the principles apply to anyone who runs a network. And frankly, if every network and system owner in Canada followed those ten steps, we would be light years ahead in responding to our cyber challenge.
The last partnership I’ll touch on is our international partnerships, and in particular our Five-Eyes relationship. It’s a partnership that has endured throughout CSE’s 70-year history.
This partnership has provided and continues to provide Canada and its allies with valued intelligence to protect the safety and security of our respective countries.
That includes providing valuable insight and information on the cyber threats we all face.
So that’s how CSE has been addressing the cyber challenges. Through our partnerships. Through our people. Through our knowledge. And through innovation.
This brings me to the last part of my talk this morning.
What can we all do to address the cyber challenges of today and tomorrow?
I’ll begin here with the Government’s Cyber Security Review that I mentioned earlier.
The review will be looking at many of the themes and topics that I talked about this morning, and that are on your program today.
It will examine how Canada can remain secure, resilient and economically prosperous in the face of an evolving cyber threat environment.
I urge you to participate in the online consultations. They are a critical part of the review process.
There is a tremendous amount of expertise in this room. Many great perspectives. And many innovative ideas.
Go to the consultation website before October 15. Share your ideas and your perspectives.
This is a policy discussion worth having, and worth participating in. It’s one that we have to have. And it’s one we have to have now.
People + technology + partnership = innovation
From my perspective, there are three important building blocks that have helped CSE add value in its important cyber security role.
And they are three pieces that will contribute to Canada effectively tackling the cyber challenge. To ensure Canadians have trust and confidence in the Internet. To have that trust and confidence contribute to our economic prosperity.
Number one is people. Smart people who can not only see today’s challenge. But who can look ahead and predict the challenges of the future. And people who can find the solutions we all need.
There is tremendous brain power in the cyber-field in Canada. We need to find ways to harness it and focus it on the cyber challenge.
Smart people will lead us to the 2nd thing we need: leading-edge technology.
Whether it’s quantum-safe encryption, or advanced technology to defend against sophisticated malware, or better network or system design.
Technology will be critical in helping Canada get and stay ahead in the cyber race.
The third element is partnerships.
No one organization has all the answers. Not the Government. Not industry. Not academics.
Cyber security is a team imperative.
It will take all of us working together. Sharing information. Sharing ideas. And sharing solutions.
We need to look for and develop more collaboration opportunities between government, industry and academia. To research and collaborate together for a cyber-safe future.
Added together, the three elements I mentioned really can be summed up in one word. Innovation.
Innovation will lead to a future where Canadians have well-earned trust and confidence in a safe and secure Internet.
At the CSE, we are focused on cyber excellence, coupled with integrity, trust and confidence in all that we do – leveraging our people, our technology, and our partnerships – to help meet the challenges together of protecting the government and Canadians in cyberspace.
Thank you. Merci.