February 15, 2019

Cybersecurity Risk and National Security Planning: Testimony Before the Canadian House of Commons

Jonathan Reiber

Last week I testified in front of the Canadian House of Commons Committee on Public Safety and National Security about cybersecurity risk and national security planning. I was invited to testify by The Honorable Pierre Paul-Hus, Member of Parliament representing the riding of Charlesbourg—Haute-Saint-Charles in Quebec and Vice-Chairman of the Committee. My written submission to the committee, "Defend Forward and Assume Breach: Preparing Canada for a Cyberresilient Future," is available here.

Below are four questions from members of parliament that kept me on my toes, along with video of my responses. 


1. What should countries do about data manipulation, particularly for the internet of things?

You may be concerned about disruption, manipulation, or theft, but to overly focus on the end result is to take your eye off the most important thing you should do to protect yourself: companies should focus on controlling as much of their own terrain as they can. That begins with the data center – for all types of intrusions. "If an intruder can break into a data center, everything is on the table." 


2. How can we defend ourselves against the most advanced adversaries, and will we stand up against the most able among them?

While the private sector cannot respond to a powerful nation-state in the event of a significant cyberattack (that’s the job of a government), companies can invest to drive down risk for themselves. The trick is to make the right investments and partner with the government for actions that require a government response. Here are some thoughts in the video. I would also add that it is a country’s duty to invest in the military forces, security teams, and policy response options to deter a potential attacker – a fact which I highlighted in the oral statement, the written statement, and in another part of this testimony, but didn’t say enough about here. 


3. One member opined that it can be hard to defend ourselves against an adversary when we don't know what they want or how they are going to attack us.

It helps to try to think like an adversary might in relation to your data and networks. What data do you have that will matter most to a potential attacker? If you don’t know the answer to that question, think about your most important missions (flying planes, sending money, underwriting insurance) and the applications and data that underpin those missions. Those applications and data are probably what an adversary will go after first. Once you’ve thought about that data, then you can think about the steps you can take to protect your assets.   


4. What can we do to protect small businesses? 

Regulation can help nudge them to invest. Since there are so many businesses that could be at risk, regulation can help spur everyone to invest in services.   


