Speaking Notes for Scott Jones, Deputy Chief of IT Security, Cyber Security Day at GTEC - November 1, 2016
Good morning. Thank you Jamie for that kind introduction. (Jamie O’Hare from Telus).
I appreciate the invitation to speak with you this morning on the opening day of GTEC, especially on this first day focusing on cyber security. This is an important conference as it brings together public and private sectors to discuss technology, its impact, and its potential for all Canadians.
These discussions are particularly important now in the cyber security realm. As the head of IT Security for the government’s lead technical cyber agency, I’ll be the first to tell you that cyber security is everyone’s business.
This morning, my goal is to leave you with a better understanding of who the Communications Security Establishment is, what it does, and how it works with its government partners, and, in particular, the private sector, to help protect Canada’s important information. I also have an announcement to make about critical cyber research in Canada.
Who is CSE?
So, over the last few years there has been a lot said and written about the Communications Security Establishment, or CSE. But it hasn’t necessarily translated into a solid understanding of who we are and what we do.
If you ask people on the street about CSE, you’re more than likely going to hear that we are “that super-secret spy agency”. But I’m not sure that’s a fair or accurate representation. First of all, it completely ignores the critical cyber security work we lead to protect the information that Canadians entrust to the government and to important private sector entities.
Secondly, after the last three years, I’m not sure it’s fair to call us “super-secret.”
So what, or who, is CSE? Well, we report to the Minister of National Defence and have a three-part mandate under the National Defence Act.
We provide foreign signals intelligence to the government, which has a critical role in protecting Canada, Canadians, and our allies against threats.
We provide advice, guidance and services to help ensure the protection of electronic information and information infrastructure of importance to the Government of Canada. That’s the work I lead at CSE.
And we provide technical assistance to federal law enforcement and security agencies in support of their lawful mandate.
But I prefer to think of CSE in terms beyond our mandate. First of all, we are Canada’s cryptologic agency. That means we’re code makers and code breakers. And we’ve been doing it for 70 years.
Given my role, I’m on the code making side. In other words: Encryption and how encryption is deployed and used.
Encryption plays an integral role in our cyber protection function, in the protection of the Government of Canada’s information and of Canadians’ information.
And we’re good at it. We are the centre of technical expertise in all aspects of cyber security. On the protection side, we are Canada’s Communications Security (or COMSEC) authority.
Our expertise and technical support ensures secure classified communications for the Government. We work closely with Shared Services Canada to make sure that security for Government of Canada email, data centres and internet gateways are baked in from the start.
And we are the Canadian authority for the international Common Criteria program. What that means is that we set and certify cyber security standards. We also run the Canadian Crypto Module Validation Program in collaboration with NIST to validate that encryption is implemented properly in commercial products. When the Government of Canada is purchasing IT products, it knows that the products they are buying meet the standards and are best suited to protect the information Canadians entrust to government.
We are also the lead in defending Government of Canada systems against threats. CSE develops, builds and applies sophisticated, tailored and wide-ranging measures to defend Government networks. We do that dynamically and in near-real time.
Across the government, we are protecting 700 million connections daily from a user population of about 377,000 people. Every day, we block over 100 million malicious attempts to identify vulnerabilities and penetrate or compromise Government of Canada networks. And I can tell you that volume is not shrinking.
Like many other sectors, government systems are only as strong as the weakest link. So CSE is working to educate government staff about cyber security.
With Shared Service Canada and the Treasury Board Secretariat, through GC-CIRT we inform government departments about emerging and existing threats, strong mitigation actions to take, and appropriate responses to attacks.
We have developed the Top 10 IT Security Actions, 10 practical actions that, if followed, dramatically reduce the threat surface and vulnerabilities for the government. And by the way they also apply beyond government. They are listed on our website along with much of our advice, guidance and alerts – everything from hardening networks to mobile device security.
CSE also has a strong educational and training program. Our IT Security Learning Centre shares our expertise, knowledge and skills in a variety of formats to help IT practitioners in government and beyond to keep their systems safe. On average we’re training over 1400 government IT professionals every year.
SIGINT Helps Make The Cyber Security Difference
As I mentioned off the top, CSE is also a foreign signals intelligence agency. Emphasis on foreign, not domestic. From a cyber security perspective, SIGINT, as it’s known, is part of CSE’s competitive advantage. The foreign signals intelligence side helps inform the government about cyber threats. It can give us advance warning by showing the intentions and plans of foreign threat actors and the methods they intend to use. So, it’s another tool in our arsenal to help detect, prevent and defend against cyber threats.
And I can’t overstate when I say that our people are key to our success. We have bright and talented people working for us, and we have a critical mass of skills in our engineers, mathematicians, computer scientists, analysts, technicians and linguists, all working to defend Canada against cyber threats. With our SIGINT, and our people, combined with our tools, technology and capabilities, we are a world-class defender of the Government of Canada. And, if you will permit me a moment of uncharacteristic Canadian pride, I have yet to find any other government that has defences as sophisticated as those of the GC.
So, while I mentioned our technologies, I can’t get into a lot of detail about our capabilities. However, I can say that CSE has capabilities that don’t exist anywhere, including from commercial vendors. Our automated detection and blocking tools are state-of-the-art using advanced machine-learning capabilities.
What does that mean? It means that when our tools observe a new or evolving cyber threat signature or pattern, they can adapt their defences to protect against that new or evolving threat – all without human intervention.
And there is no shortage of cyber threats to defend against.
I already talked about those 100 million plus probes and active attempts we block each and every day in their attempt to compromise government networks each and every day.
I’ve spoken at GTEC before about the types of threat actors commonly understood to be operating in cyber space: State Actors, Criminals, Hacktivists, and Terrorists. They still remain, but to some extent we’re seeing a change in their methods. Some of the biggest threats have not necessarily been sophisticated, but cheap, even free, tools that are easy to obtain. Why would a threat actor develop something themselves, when they can find a useful tool online for free? The economics of cyber-attacks is increasingly unbalanced. Breaches are costly to the victims, in terms of mitigation, clean-up, reputation and their bottom line. And the reward for the attacker can be high, because of the low-to-no cost, and the potentially high reward.
Leveraging our defence to protect Canada
One of the approaches CSE has taken to this dichotomy is to change the economic formula, by making it harder and increasingly frustrating for attackers to succeed.
So that should give you a broad sense of what we’re defending against. But as I said off the top, cyber security is everyone’s business. Not just the government’s. You don’t have to search too far or long to come up with a list of companies that have dealt with the fall-out of cyber breaches: Home Depot. Sony. The World Anti-Doping Agency.
It’s for this reason that CSE’s work extends beyond our federal government. We also work with industry to protect critical infrastructure.
So, what is critical infrastructure? Think of all the things that would be catastrophic if they went down due to a cyber-attack. No, not your football fantasy league. I’m talking about banks, telecommunications companies, power companies.
Because the protection of our critical infrastructure is so important – to our country and to Canadians – CSE shares information widely so current commercial tools can implement blocks on their systems.
We work closely with Public Safety and the Canadian Cyber Incident Response Centre, the CEO Council of the Business Council of Canada, the Canadian Cyber Threat Exchange, and the Canadian Security Telecommunications Advisory Committee, to build a stronger capacity to resist and defend against the increasing threats to our systems.
The Long Game
But information sharing of indicators of compromise, no matter how quick, will always be behind the threat actor. We need to start thinking longer term. We need products that come secured by default. Where a threat actor can’t easily exploit a poorly implemented system. And this will become increasingly acute in the next few years as an increasing number of cheap devices become connected in the so-called Internet of Things. We won’t be discussing securing servers, desktops and mobile phones, we’ll be talking about the latest DDoS attack launched from those Internet-enabled refrigerators, lightbulbs and thermostats. The ones we all installed because they were cool. In fact, newspaper reports have attributed the DDoS attack on Dyn to vulnerable web cams. This will only become more acute and more impactful as our networks converge, more and more of our activities go into the so-called cloud and, increasingly, our daily lives become more dependent on our connectivity.
We need to start thinking long-term about security and it can no longer be an afterthought.
So what lies ahead? Canada’s success in the world of cyber security will be heavily dependent on partnerships between the government, academia and industry. As we look into the not-so-distant cyber horizon one glaring unknown is the development and use of quantum computing. The challenge of protecting cyber systems and information is about to get a lot harder.
Quantum’s immense processing power will bring with it tremendous opportunities. It could result in incredible advances in engineering, medicine and science.
But it will render today’s current methods of encryption ineffective. Nearly every company, every government and every organization currently employs some form of encryption. And of course, encryption is at the heart of how we protect government systems and information.
We see the world economy being driven by emergent global trends in communication, security, sensing, and computing. But as performance limits are reached in existing technologies, quantum enhanced technologies will increasingly disrupt and replace current approaches.
So we have a two-part challenge ahead of us. We need to collectively get ahead of the threat that quantum computing could pose and rethink encryption. We need new quantum-safe encryption methods. Otherwise, the systems and information of every company, every government and every organization – and potentially every Canadian could be vulnerable. But as a country we also need to capitalize on the economic opportunity that quantum computing presents to our Canadian industry.
It’s not really a question of if quantum will be a reality, but of when. Some experts estimate quantum computing could be realized in the next ten years. The clock has started to tick.
I realize this may sound like gloom and doom, perhaps befitting of a Halloween theme. However I have some significant news this morning about quantum research in Canada.
The Government of Canada is committed to facilitating a vibrant Canadian quantum ecosystem with world-leading R&D and globally-competitive Canadian companies exporting quantum technology. Through the Quantum Canada initiative, a national quantum strategy is being developed to ensure that Canada’s present day advantage in quantum is maintained and expanded.
Canadian Quantum Security research Centre
As a sign of that commitment, this morning I am announcing the establishment of the Canadian Quantum Security Research Centre, as a joint effort between CSE, the National Research Council of Canada and other government departments, to be housed at the NRC campus on Montreal Road here in Ottawa. Depending on the project and type of research, the Canadian Quantum Security Research Centre will also work with select industrial and academic institutions.
Work at the centre will focus on providing partners and clients with access to technical experts and research infrastructure to advance and de-risk quantum security and defence technologies, without capital-intensive investments. Researchers will also receive technical guidance on the viability of future quantum security and defence technologies, such as chemical detection sensors, perimeter sensors, high sensitivity imaging, quantum networks, quantum key distribution, and quantum resistant algorithms. All of which may influence the future landscape of security, defense and communications.
This can’t help but lead to an increased understanding of potential threats and opportunities for quantum security and defence technologies in Canada. In conjunction with partners, researchers in the quantum field will monitor and track progress of next generation technologies, and will prototype next generation quantum security and defence technologies.
Canada is well positioned to leverage its strength in quantum R&D and its industrial base to become a global leader in the future quantum industry. Through our partnerships and our skilled researchers, Canada has an opportunity to develop and deliver critical security and defense technologies that will protect the digital infrastructure and communications systems on which our safety and security so heavily rely. This is an exciting time to be working in quantum computing, and Canadian research, brain-power and technology will be a critical part of this field.
As I wrap up, here’s my pitch for our presence at GTEC. Our CSE staff will be in booth 307 in the Exhibition Hall throughout GTEC. Please come by to meet our subject matter experts during our “Ask the expert” sessions. We are also hosting a panel discussion tomorrow about the Quantum Safe Strategy for Canada I mentioned earlier. On Thursday one of our experts will be talking about Government Services on the Blockchain, which is another area of research we’re examining.
So, I hope I’ve left you with a better understanding of CSE, an appreciation of the threats we’re facing, and the future we’re working towards with our partners.
I hope you come also away from today knowing that CSE is more than the lead cyber technical agency that protects Government networks, systems and information – although that is certainly important. CSE’s unique technology, highly skilled people and advanced cyber capabilities are also vital tools in helping Canadian industry protect their own networks.
But most importantly, the takeaway from this morning is that a cyber-safe future for Canada and for Canadians is a responsibility we all bear. Because no single entity can do it alone. It will take all of our expertise and innovation.
Ultimately for all of us, it’s about protecting Canada. Our information. Our infrastructure. Our economy. And our security.