The head-designate of the newly created Canadian Centre for Cybersecurity told members of the House of Commons Public Safety and National Security committee (SECU) that a holistic approach is necessary to defend the country’s digital infrastructure.
Asked about Canada’s decision to continue supporting Huawei, in spite of intense criticism launched against the company by the U.S. government and former Canadian spymasters, Scott Jones — who currently serves as the deputy chief of IT security at the Communications Security Establishment (CSE) — said that his group looks at an entire system and defends against “all forms of cyber risk.”
“Number one would be how do we make sure that we’re increasing the resilience regardless of where the product comes from,” said Jones, at a September 20th, 2018 SECU committee meeting.
“We wanna build in security measures no matter what, so how do you protect against making sure that the supply chain is adequately protected, for example, making sure that you are bringing in products that have good security practices that are built-in as they’re building the product themselves.”
“We wanna build in security measures no matter what…”
Jones said that his organization has established relationships with all of Canada’s major telecommunications service providers in order to ensure that the country is protected against threats.
“We have a very well-established relationship with all the major telecommunications providers in Canada to really work on raising that resiliency bar, regardless of vendor, regardless of where the equipment is coming from, and to work collaboratively to make sure that happens,” said Jones.
Jones added that he believes that Canada has a “really effective” program in place that’s able to deal with the cybersecurity risks faced by the country.
“…collaboratively building solutions to cybersecurity challenges is not something that all countries enjoy.”
“One of the things we’re working on sharing with our Five Eyes [allies] is making sure that they’re aware of our program and our approach, which is very comprehensive in terms of dealing with the full risks across the telecommunications spectrum, said Jones, referring to the ‘Five Eyes’ intelligence-sharing alliance between Canada, Australia, New Zealand, the U.K. and the U.S.
“In terms of sharing information, sharing risks, collaboratively building solutions to cybersecurity challenges is not something that all countries enjoy. That’s something that is a very good Canadian strength, something that I’m really quite proud of the work that the team has done.”
Jones’ comments come in the wake of a Globe and Mail report that revealed that the CSE has had a formal program since 2013 aimed at verifying all telecommunications networking equipment sold in Canada.
“I think it’s important that we look and for us, we look at risk across all vendors, but also all products as well, in terms of how do we layer cybersecurity and make sure it’s being addressed as a systemic issue,” said Jones.
“Because at the end of the day, I believe we actually have very secure telecommunications networks because of those relationships that we’ve had.”
“We can’t keep up with the rapid innovation pace that the private sector’s able to bring to bare.”
In addition to questions about Huawei and national security, Jones also received inquiries about a potential dependency created between the private sector and the public as a result of the Canadian Centre for Cybersecurity.
Jones defended his organization by arguing that it’s no longer possible for government to develop its own independent solutions to technological problems.
“We can’t keep up with the rapid innovation pace that the private sector’s able to bring to bare,” said Jones.
“That’s actually one of the biggest challenges in the cybersecurity sector right now…that innovation is outpacing security.”
“…innovation is outpacing security.”
Jones concluded his committee appearance by commenting on the state of cybersecurity as it pertains to the upcoming debut of 5G networks.
“I think the biggest thing for us is you don’t want one vendor and only vendor, because that makes you vulnerable across your entire spectrum and across all of your telecommunications companies to the exact same vulnerability,” said Jones.
“You want to build different vendors in, you want different vendors at different layers, and that bakes in a large amount of security just because you can’t easily traverse up and down the so-called telecommunications stack.”