Minister Sajjan delivers keynote address at the 2016 SINET IT Security Entrepreneurs Forum

Speaking notes for the Honourable Harjit Singh Sajjan, Minister of National Defence

Security Innovation Network – IT Security Entrepreneurs Forum

Silicon Valley, California

20 April 2016

Good Morning. Thank you for the warm welcome. I am pleased to be here to speak with you today. Your forum this week is about innovation in cyber security… A critical topic for everyone here… And for industry, governments and academia around the world.

This morning, I hope to provide some insight on how Canada is approaching evolving challenges in the cyber security world. More importantly, I want to share the vital importance of partnerships and innovation…Of working more closely together.

Innovating to solve complex cybersecurity problems simply cannot be done alone. And that is why forums such as this are so important.

As you may know, as Canada’s Minister of National Defence, I am in the unique position of having one of Canada’s key security and intelligence agencies reporting to me… the Communications Security Establishment, or CSE.

I will discuss the important role CSE plays in Canada’s cyber security in a couple of minutes.

But first, a little about why cyber is important to me.

I came to my role as Minister of National Defence with a background in security and intelligence.

I have been a police officer in Vancouver, working on organized crime files… I have been deployed internationally to Bosnia and Afghanistan as an officer with the Canadian Armed Forces.

Throughout my police and military career, the security of my colleagues, my country and Canadians has always been top of mind… And I have learned that secure technology is critical to overall security.

I know what it means to depend on technology… To confidently rely on devices and systems that are not compromised and that keep Canadians and our allies safe. In my career, my life and the lives of the people I have served with have depended on those secure communications.

Cyber security is not just about security… It is about prosperity... It is about using technology with confidence. Canada is a perfect example.

We are among the most connected countries on earth. Over 85 percent of Canadians are online… more than in any other country in the world. Three-point-six percent of Canada’s GDP directly depends on the Internet.

Over two hundred Government of Canada services are available online. Our trade, shipping industry, border control and so many more functions depend on the Internet.

So, while it is hidden from general view, the Internet powers the work of the government as well as almost all Canadian business... The same is true here in the United States.

It is easy to see how the security of the technology you are working on affects your own citizens. The citizens of your closest neighbours… And the global community.

And that is one of the reasons I was interested in being here this morning.

As entrepreneurs… true builders… developers… and creative minds behind evolving cyber security technology, you have an insight into the fluid nature of the cyber world, as well as what it takes to stay ahead of threats.

Today, we all face a global security environment that is complex and quickly evolving. Traditional rivalries persist on the world stage... But non-state actors are also challenging the status quo.

Criminal networks are expanding and fueling bigger strategic threats… We are witnessing a dangerous interplay of ideological extremism, violence and crime, state failure, regional disorder and humanitarian struggles.

These significant changes and trends are not isolated… They are crashing into each other… They are creating new and novel security dynamics.

And one of these dynamics is that we are trying to secure something that was not originally designed for the way it is being used today.

I do not think I am telling you anything new when I say that the Internet was designed for open communication by researchers… It was designed in an environment of high trust among the users… It was not designed to be fundamentally secure.

So, the work that we are doing in Canada and many of you are doing is like fitting a square peg in a round hole. The cyber security industry has valiantly attempted to retroactively fix a system that was originally designed to be open.

And of course, there is a toll on our society and all of our citizens when cyber security is pushed aside to make things easier, faster, and cheaper.

The cyber security risk increases even more as we layer hardware and software in increasingly complicated ways.

Computer technology used to be relatively simple and self-contained.

Today, new technology is built on top of older common components.

These layered technologies are everywhere. And they power the Internet’s networks, servers, mobile devices, industrial control systems and “smart” consumer products.

They also underpin the operations of governments, enterprises, and households across the globe.

And that layering makes it more likely that at least some of the technology is out-of-date. It could be the hardware… the operating system… or software. This means potential vulnerabilities and risk.

And as we all know, a successful attack can affect not just a single computer, network, or enterprise… but huge numbers of Internet stakeholders. This of course, includes governments and industry.

A single vulnerability in one piece of software has the potential to bring down giants.

When looking at the threats and vulnerabilities together, it is a staggering illustration of the potential risk in technology.

Yet, at the same time, we see the incredible impact and benefit that technology has on society. It is changing the way we work. The way we live and play. In fact, it is even changing the way we think.

With all of this at stake, over the last few years the Government of Canada’s cyber thinking has focussed on three key pillars:

First… securing the Government’s cyber systems.

Second… partnering with industry and our provincial governments to secure the vital cyber systems outside of the federal government.

And finally… helping Canadians to be secure online, which is no small feat.

As I mentioned, I am responsible for the Communications Security Establishment. It plays an important role in all three of those pillars.

It lives the cyber security challenge every day.

For close to 70 years, CSE has worked to help protect the safety and security of Canadians and our allies. It works closely with its valued 5 eyes partners… here in the United States… and in Britain, Australia and New Zealand.

CSE has three key roles.

  • It collects foreign signals intelligence;
  • It helps protect the government’s computer networks and information, and networks of importance to the Government of Canada;
  • And it provides technical assistance to our federal law enforcement and security organizations.

For the next few minutes I am going to focus on the second point… helping protect government systems and networks of importance to the Government of Canada.

First, a little bit of history… CSE has been in the business of protecting the Government of Canada’s most important and sensitive information and communications throughout its long history.

The way it has been done has certainly changed over the years. From encrypting radio signals… To securing stand-alone main-frame computers… To keeping Canadian information safe as internet communication and technology has exploded.

That explosion revolutionized how Canadians - and the world - talked to and did business with each other.

In the 90s and 2000s, government departments in Canada built and managed their own IT and communications infrastructure… Their own email systems… Their own data centres.

That created a multitude of individual networks and systems… More than 100 different email systems… More than 300 data centres… All with various levels of security and efficiency.

In the last few years, the people, technology resources, and IT infrastructure assets of 43 federal departments and agencies were brought together under one roof.

This is an enormous transformation for our federal government. And it represents a tremendous opportunity for CSE’s cyber security work, especially when you consider the security of those networks.

We are now able to monitor and help protect the vast majority of the Government of Canada network from a handful of key gateways that CSE is guarding.

So what CSE is helping protect has changed. A handful of gateways instead of hundreds… But how it helps protect has also transformed. In fact, CSE has turned its method of cyber defence on its side. Simply put, it has innovated.

With its unique abilities, capabilities, and highly skilled staff, CSE focused on the automation of its defence systems. Host and network sensors became the backbone of that system.

Through various automated measures, our network defence systems are detecting… and blocking… millions of malicious cyber activities against Government of Canada systems.

For example, on average, CSE is blocking over 100 million network scans per day on Government of Canada systems.

So things have changed in Canada. A new Canadian government IT structure. Innovative approaches to cyber security. And intelligent real-time systems.

The results?

We can now see the edge of our networks and know exactly what we are protecting…

We are now able to block malicious activity without any impact on the users or the government. The only impact is on the threat-actor who cannot penetrate our defences.

We have gone from a passive, reactionary stance… to an active, dynamic position.

The impact of all of this cannot be understated. Nor can it allow us to be complacent.

Systems are not invulnerable. Systems are also much more than just technology.. Systems include people, processes and procedures.

No system can be perfect. But this innovative approach has put the Government of Canada in a much better position to address the threats of tomorrow.

With many nation-states… countless cyber-criminals and unknown others taking malicious cyber actions, innovation is more crucial than ever.

But, as I said off the top, innovation in cybersecurity does not… and cannot… happen alone. CSE’s innovative work and the knowledge they are building cannot be confined within its walls.

CSE works with its domestic and Five Eyes partners to share knowledge and awareness of threats with our critical Canadian infrastructure partners. This includes operators and industries, and provincial governments.

But partnership does not stop there. We are also working hard to partner with academia. First, to get their insight, and to support cyber research and development…

But also to ensure the skills we need are being taught to our cyber security experts of the future.

These partnerships are essential to providing intelligent cyber security. Whether it is issues of national security, economic prosperity, or protecting our individual privacy, the one constant is the need for collaborative, innovative cyber security. No one can do this alone.

We, as a community, are constantly encountering and addressing new threats. Threats which are innovative in their own right.

So we all need to work together to be as innovative as possible to meet… and predict… new threats before they happen.

Organizations like CSE must team up with our partners. And when I say partners, I mean international allies, the private sector, academia, and people like you.

Industry leaders, academia and other key players… All working together to constantly improve… To constantly innovate… And ultimately to ensure that our citizens can use technology with trust and confidence.

This is a commitment that we take seriously. Work in this area is well underway.

The Government of Canada has been focused on developing strong relationships with the companies that have the largest impact. For example, with Canadian telecommunications companies. It should be fairly obvious why.

There is no single industry in Canada that does not depend on telecommunications technology and systems to conduct its business. Businesses across the energy and utilities sectors… the financial world… the transportation sector… and the health and food sectors rely on secure telecommunications technology for their success.

To build on the work with the telecoms sector, CSE is increasing its sharing critical information about cyber threats with companies that will have to defend against them.

Specifically, CSE will be taking classified threat information… gathered from a variety of sources… declassifying certain aspects of it, and sharing it.

The result should be timely, useful, and relevant information that can be used to protect networks and systems from the types of increasingly sophisticated attacks we are seeing.

The transfer of technology and knowledge… to and from our industry partners… will result in a better protected, better prepared Canadian society.

There are so many players in the picture when it comes to securing our systems and keeping our countries safe. A forward-thinking strategy is essential.

And I am not just talking about Governments. We certainly have a significant role to play, but Governments cannot be the sole entity responsible for cyber security.

As we think to the future, there are many questions we need to ask… And many questions we need to answer.

How can governments, industry and academia work more closely together? Governments do not own the vital cyber systems and infrastructure on which our societies depend.

So how do we improve our ability to identify, report and share cyber threat and other information between all of the players… all in real time?

How do we focus on enhancing the cyber security of our products?

How do we manage the risks that exist within the supply chain?

These are among the questions that we need to think about… And we are thinking about them in Canada. I will be working with my colleague, the Minister of Public Safety, who will be leading a review on how we protect Canada’s critical infrastructure from cyber threats.

In addition, a couple of weeks ago I launched the largest public consultation on defence policy in my country in the past 20 years.

Cyber security is a critical part of defence policy. And it will be a significant item examined as part of this review.

Our government’s reviews of cyber security come at a critical time. Not only because of evolving threats, but because of how important the internet is to our country... Our security… And our economy.

In summary, let me reiterate a few key things.

The evolution of the cyber security world is collectively outpacing our collective ability to protect it. I have touched on the vulnerabilities that are created when new technology is built on old, out of date technology.

From a protection perspective, and given my background from a military and policing perspective, we cannot protect what we cannot define... Or predict.

With cyber threats constantly evolving and changing, defining and predicting the next generation of cyber threats is incredibly difficult.

So as the cyber security world evolves, and the tools and techniques of cyber-attacks accelerate, we collectively need to find innovative ways to secure and defend against threats.

Threats we have yet to define... Threats we cannot yet see… Vulnerabilities yet to be introduced.

The drive to make cheaper, faster technology cannot be done in isolation. It has to go hand-in-hand with cyber security. Everyone is at risk if it is not.

Cyber security is one of the biggest challenges our generation faces. But it is also an opportunity for governments… For industry… For academia.

As we have all seen, failures in the cyber security domain can have huge economic impacts. The reverse is equally true.

A robust cyber security environment, built by industry, government and academia, has the potential for economic prosperity.

It is government providing safe and secure online services to its citizens… It is companies doing business with customers with confidence and trust... And it is people benefitting from the most modern and secure technology that innovation can offer.

Through innovation and partnerships we can meet this challenge head-on.

On that note, before I close, I would like to take a moment to recognize the outstanding work that CSE employees do every day.

Without their careful protection of our cyber environment, our efforts to innovate through these important partnerships may be fruitless. They keep our cyber security environment safe… they help us prevent the crippling attacks that others many try to make on our system…

…And they often do so without much recognition at all. So I offer them my thanks today, for the critical work they do.

I want to thank you for your attention this morning. I hope you have a better sense of how Canada is approaching cyber security.

And I hope I have given you a sense of the immense opportunities for innovation between governments, industry and academia. Working together means security and prosperity for our nations… And for our citizens.

Thank you.