Public Safety committee  Ransomware typically doesn't work in that way. It's typically used to target, and then it's holding something for hostage, whether it's holding your data for hostage by taking it out of your system and then using that to say that if you don't pay them they're going to release the information, or by encrypting your data and making it unavailable to you.

Public Safety committee  Yes, absolutely. I'm happy to answer that. First of all with regard to DNS, the Internet works on a series of numbers and we go to www.website.com, but the Internet doesn't understand what that is. DNS translates back into the actual address on the Internet, which is called an IP address.

Public Safety committee  I think there are a few things we talk about in the security realm. We talk about confidentiality—protecting the information itself—then the availability and then integrity of what's being transmitted so that you can't change it en route. You're really talking about availability, and I think that's such an important question.

Public Safety committee  Yes.

Public Safety committee  I think there are a few things I'm.... I'm a little concerned. The report is meant to inform; we're hoping not to scare. We believe that fear doesn't really motivate Canadians, in most cases, to take action. However, what we are hoping is that we can give Canadians simple things that they can do to help themselves be secure online.

Public Safety committee  I think there are a few things. Certainly, embarrassment and shame and fear about a potential loss of business are preventing organizations from reporting. In cybersecurity, unfortunately, we tend to punish the victim and not the perpetrator in our actions as citizens. We tend to shift away, and so there's an incentive for an organization to not admit when they're victims of a cybersecurity incident.

Public Safety committee  I can. It's really the Canadian Internet Registration Authority's project, and I'm hoping that I'm not scooping them, but they did advise us that earlier this week we now have 100,000 Canadians using the service. That's a good number—although not as much as I would like, honestly, because it does offer a significant boost to the privacy of information.

Public Safety committee  That's actually a great question that I was really hoping someone would ask me. It wasn't an easy decision to name countries because it immediately draws the attention from all the other aspects of the report to the four countries named. However, in reality, we, the Government Canada, had called out....

Public Safety committee  Thank you for that question. There's a lot in there. We have been working since the beginning to build up the resiliency of the health care community. One of the things we have been working on, which we've done in partnership with the provinces and territories—which clearly have such an important role to play in health care, in providing advice and guidance—is targeted briefings, targeted information, specifically to that health care sector to build resiliency over time.

Public Safety committee  Mr. Chair, that's a really great question. I'm glad to get the opportunity to address this. We've been working with Canada's critical infrastructure providers for quite a while. Now, we do have to concentrate on the ones that are most at risk, so when we talk about the electricity sector in this report, that's a sector where we have been working both to build the relationships that we need across the country and with energy providers such as the Canadian Electricity Association to make sure we're addressing cyber-threats proactively.

Public Safety committee  Thank you for the question, Mr. Chair, and your comments on the report. I think there are a few things. If we look at cybercriminals, they very much reply upon an extremely developed ecosystem that relies on things like anonymous financial transactions—Bitcoin and the like. Having online digital currencies really does facilitate that.

Public Safety committee  The value of attribution is pretty variable. The primary value of being a cyber defender and somebody who is worried about cybersecurity is that it spurs action. When we do an attribution, it tends to get organizations to take seriously the alerts we put out. When we say, “You need to apply this patch; it's important,” people will respond.

Public Safety committee  Thank you very much for that, Mr. Chair. Good afternoon, committee members. Thank you for the invitation to appear today to discuss cybersecurity and specifically the “National Cyber Threat Assessment 2020” report released on November 18. As the head of the Canadian Centre for Cyber Security at the Communications Security Establishment, I am very pleased to be here.

Health committee  Yes, we have had successful breaches. We've been looking to continue to reinforce other research institutions, including through proactive advice and guidance. One of the challenges, I think, that's mostly unknown is that research institutions tend to be what we would call more of a small or medium-sized organization, so we'd also refer them to not only the specific health sector guidance but also the pragmatic steps and advice on guidance that we've given for small and medium-sized organizations to look at.

Health committee  Typically, if there is an attempt to compromise a health organization, we would respond from the cyber centre. We've done a few different things. The first is alerts. When we see anything that a health organization needs to take action on, we issue those alerts, and they're timely.