Podcast: Innovate on Demand, Episode 24: Trust

Description

In this episode, Aaron Shull, Managing Director and General Counsel at the Centre for International Governance Innovation, focuses on the element of trust in relation to cyber security.

Duration: 00:21:52
Published: October 7, 2021
Code: DDN2-P24



Transcript


Todd Lyons & Nathalie Crandall

Nice to meet you.

Aaron Shull

Nice to meet you as well.

Nathalie Crandall

We probably are going to work on a 25-minute timeframe instead of a 30-minute one.

Aaron Shull

Believe me, you don't want to have a lawyer talking to you for any longer.

Nathalie Crandall

Well, we can cut it down to four since you've just said you're a lawyer.

Todd Lyons

I'm Todd Lyons.

Nathalie Crandall

I'm Nathalie Crandall.

Aaron Shull 

And I'm Aaron Shull.

Todd Lyons

And this is the Innovate on Demand podcast.

Aaron Shull

It's great to be here. Thanks for having me, guys.

Nathalie Crandall

Welcome. Aaron, thank you very much. Why don't you tell us a little bit about yourself.

Aaron Shull

I work for the Centre for International Governance Innovation, based in Waterloo, Ontario. And what we are is a Public Policy Research Institute. People call us a think tank. And so what we do is hire the smartest people that we can to work on some of the world's most pressing public policy challenges at the international level. And my topic today at the conference was on cyber, cyberspace, cybersecurity and data governance. And so you couldn't get a more complicated set of issues that's more important than these. And so this is an area in which my organization is working.

So when I think about cybersecurity, or cyberspace, there's a couple of immediately apparent observations. The first is that we're seeing a breakdown in trust - breakdown in trust in the system. What I mean by that is there's two different levels where we see this stuff. One is at the individual level. And this is immense, because you can't pick up a newspaper without there being some story on the front page about a great hack that just happened. In fact, one of the stats that I used in my presentation today was the number of Canadians that have had their data exposed in one year. So there's a report that the Privacy Commissioner did, and between November 2018 and October 2019 - so just a little less than one year - over 28 million Canadians were affected by a data breach. Wow, that's almost everybody. So that just gives you a sense of the scope of the problem.

Now, I'd mentioned that we do research. One of the things that we did is we partnered with a company called Ipsos, which is probably one of the largest polling firms in the world, to do a global survey of what this meant for people's trust in the internet and trust in the platform. And surprise, surprise, over 50% of people are more concerned now than they ever have been about their data and about their privacy. So we're also seeing this shift. People are waking up to this stuff. And so you see an erosion of trust at the individual level. That's point number one.

Point number two is that there's an erosion of trust between states. And this one's actually a little bit more dangerous, because you're starting to see countries behave in really aggressive ways in cyberspace. And there's a waning of trust between states, which is actually quite dangerous. The example that I use, probably the clearest example in Canada, is the ongoing discussions about banning Huawei from the 5G backbone. And I don't need to belabor the point for this audience because I'm sure most people have heard of it. But the broader issue that I raised is Senator Marco Rubio, a Republican, and Senator Mark Warner, a Democrat, sent Justin Trudeau, Prime Minister Trudeau, a letter imploring him not to let Huawei into the 5G network in Canada. That's the first time I've seen a Republican and a Democrat agree on anything in a little while. But the broader issue is that this stuff is deeply geopolitical between states. We're seeing that erosion of trust as well. And so I talked a little bit about that - as my opening point - to say that this stuff is not academic. It's happening right now. And it's real.

Nathalie Crandall

There must be a lot of changes happening in this field as we have this sort of unbelievable explosion of data everywhere right now. And, I feel like some time ago, we were really concerned about how do we collect data? And now it's, how do we use it? How do we observe it? How do we make sense of all of this, these gobs of data that we have? How is that impacting all of these issues around cybersecurity?

Aaron Shull

Well, I mean, so you're right. There's a lot more data and a lot more exposure. So an example that came to mind most recently is LifeLabs, they got hacked - 15 million Canadians were exposed and (lost) sensitive medical data. I mean, try and think of something more sensitive or more important to you than your medical test results? Something more intimate? We'd have a real hard time coming up with something, right? And then you have Capital One. You got 6 million Canadians exposed; Desjardins, 2.9 million Canadians exposed. Well, that's all their financial records. And again, try and think of something more pertinent, more deeply personal, than your personal finances. And then imagine for a second that you were a victim of both, right? That your personal health records are floating around out there and your financial records - you can't know more about a person!

So the broader point that I made is, we're hooking everything we can up to the internet. And we're doing that because it creates wealth, it creates efficiency, and it creates streamlined service delivery - so it makes good sense. But on the flip side, we're also creating vulnerability. And if you believe what we're saying about this being a data driven economy, and (that) the principal value that accrues in many companies is about intangible assets. So things like intellectual property is more valuable now than ever before. Things like data are more valuable now than ever before. If you believe all that, then it makes you wonder about a paradox - we're hooking everything we can up to the internet, because it creates wealth and all that good stuff that I talked about. But it also creates a huge threat vector. And so we're effectively building vulnerability into the core of our economic model. And that's okay, as long as you've got a strategy for how to deal with it. And so the problem that I raised in my discussions with your colleagues from around the Government of Canada today was that the way we're structured actually makes it difficult for us to get our heads around this in a coherent way. Because in Ottawa, there's probably 12 or 15 departments that have some responsibility for this. Right. So if you think about cybersecurity, I mean, is it an issue for public safety? Is it for CSIS? Is it, because we're talking about the innovation economy, is it ISED? Is it about procurement and public works? Is it a national resource, or Research Council or is it for the RCMP? Is it solely for CSE and the Canadian Centre for Cyber Security? Or, because it's foreign affairs, (should) GAC be there? Well, of course, the answer is all of the above and then some.

And so we've got this nuanced set of actors in this space, that all have departmental mandates. Cybersecurity, the innovation economy, and the data driven economy cuts across all of them. And so, as an outsider looking in, one of the things I wanted to chat a little bit about is how we're working together? How we're collaborating across these Westminster type of departmental silos. Because the fact is that this problem doesn't respect disciplinary mandates. It doesn't respect departmental boundaries. And it doesn't care what was in the minister's mandate letter. It cuts across all of those. And I wondered how we're dealing with that across government. But then I also wonder, there's an international layer, there's a federal layer, a provincial layer, a municipal layer – then private sector needs to be involved - and there's also a bit of an issue around how we set technical standards, and how are we working across government. How are we working up and down that stack, starting at the international level, federal, provincial, municipal and the private sector? And do we have a coherent framework in this country to address this stuff? Because make no mistake, there's adversarial states out there, there's bad actors, and they are super cagey, extremely well-coordinated, and very smart. And I just wondered out loud whether or not we've got the right structures in place to be able to effectively deal with this issue. So I don't know if you guys got the answer for that. But I'm sure your listeners would love to hear it.

Nathalie Crandall

Sure. What would you say are some of the things that senior leaders in government should have top of mind around this right now? Like, what are some of the forward thinking ways that government can start to try and address some of this? How can we participate?

Aaron Shull

Yeah, well, it's a good question. And look, I don't pretend to have all the answers to this type of stuff. And my opening observation is that this is incredibly complicated. So you do need specialists. And I mean, I appreciate in the civil service we do a lot of rotational stuff, and we have a lot of generalists. But one might want to think about how you build specialized capacity in these areas. It's not something that is very easy to dabble in.  You really do need to be expert in them, because there's a lot of pieces moving around, that you're going to have to keep your eye on. So that's maybe kind of observation number one.

Observation number two is that this is not a problem of government, or governments. It's a problem of governance, right? It's a multi stakeholder thing. Usually when we think of cybersecurity, there's a national security stack that deals with those issues. But how does one engage with the private sector - that are the most vulnerable to these attacks? And are the principal recipients of the attacks? I've got a lot of time for the folks at CSE. And they do good work there. But how do we build a culture of engagement of multi stakeholder engagement and stuff happening? Traditionally considered NATSEC, it's national security stuff. So there's an interplay that we need to think about there as well.

Nathalie Crandall

It's interesting, whenever we have these shows, and we start talking outside of just the box, or the bigger box around innovation, which is our main theme for this podcast series, and come down to some of the real meatier topics - and the common theme has always been, how do we identify the skill sets and competencies that we need and bring them in and retain them? (This) seems to be (the) sort of thing is how do we find the folks that can help us through this?

Aaron Shull

For sure. And I mean, it's hard because there's an interplay between what we've traditionally thought of as discrete areas. Like, there was a department of industry and they did industry stuff, and then there's a national security apparatus, and they deal with the National Security stuff. And then you've got your warfighters that deal with stuff overseas and that type of conflict. And the problem, of course, is all this stuff has collapsed on itself now. There's no distinction between national security and economic prosperity anymore. They run hand in hand. Don't take my word for it.

So I quoted the director of CSIS, in his public remarks during my conversation today. And he said that economic espionage represents a long term threat to Canada's economy, and to our prosperity. And when he made that set of remarks, he based his assessment on, and this is a quote, 'a trend of state sponsored espionage in fields that are crucial to Canada's ability to build and sustain a prosperous knowledge based economy, including areas such as AI, quantum technology, 5G, biopharma and clean tech'.

So if you think about that, and then what we're really talking about is the core building blocks of a knowledge economy, we're talking about Canadian National prosperity, how we're going to pay our taxes, build our roads, send our kids to school and fund our hospitals. That's the nature of the conversation that we're having. And he goes on, and he says that, 'owing to the highly sophisticated nature of these efforts, the reality is that adversarial nations are targeting and this is a quote, the very foundation of Canada's future economic growth'. So if you believe that, then the question immediately becomes how are we responding as a country. And if you don't have a coherent framework for how you're responding in a very strategic and very smart way, I'd want to hear a really good reason why (not). That's really kind of where the goalposts have shifted - to that security stuff, and economics, and trade and foreign affairs and innovation policy, they're all now in one layer. It's all mixed together, because of the way that the data driven economy and the knowledge based economy works. And for what it's worth, the way that our adversaries are behaving.

Todd Lyons

Where do you start trying to solve such a huge problem? Because you talked about there's a lot of questions, you don't have a lot of answers, you know, is there an answer? All this data being put online, it's, it's, it is about making money, but it's also about convenience. And I can't imagine that anyone, any Canadian would be satisfied thinking - Well, you know, - I'll just have to do without online banking from now on because I can't have the possibility that someone will figure out some way to circumvent the security; because I don't know their server patches are behind or there's some undiscovered flaw in some open stack, open source stack that they're using to run their website with! And, you know, they've gotten in, they've downloaded a big tarball of, you know, every account that was on the system. Where do you start to try to mount a defence when the world has changed? You know, software is always in a constant state of movement. So there are always new bugs and things being introduced into any sort of a code push...

Aaron Shull

There's two observations that I'd make. One is we've got this system where we're rushing buggy stuff to the market. And maybe we need to think about that a little bit. Because putting problematic code, or unpatched systems, or whatever that story is out, is just increasing our vulnerability. But I don't think you can discount the importance of technical standards. And every time I talk about technical standard setting, I can literally watch people's eyes glaze over. So for your listeners, if they listen to this podcast in the evenings, this will probably put them to sleep. But you know, it's not just about ones and zeros, but rather setting technical standards is the stuff of deep geopolitics. And what I mean by that is, countries are moving to try and sway standard setting bodies to adopt their own standards around stuff like facial recognition. And so one can very clearly see that there's going to be some privacy concerns around that some transparency issue. And basically bedrock kind of human rights about how this technology is going to be utilized and what it's going to be used for. There's also a push to create technical standards around cybersecurity. A friend of mine, he runs something called the CIO Strategy Council. And they were trying to build a technical standard for small and medium sized enterprises, around cybersecurity so that they can be certified cyber safe. If you got in an elevator today, you would look and there'll be a stamp from something. I think it's CSA, standard Canadian Standards Authority. And there's a standard around how big the cables need to be on an elevator and how much weight they can handle. And everyone's seen the no more than 12 people sign. There is a technical standard around the safety of that elevator. Let me ask you guys, have you ever been worried that the elevator is going to drop from the top floor to the bottom and the cables aren't going to work?

Todd Lyons

No, and you never hear what happened?

Aaron Shull

You never hear of it happening? There's a technical standard, there's a reason behind that, there's a third party validation to make sure this stuff's safe. Now, go back to what I said about the importance of the digital economy. Right? If we're going to make sure that our elevators are safe, why wouldn't we want to make sure that the stuff that we're hooking up to the internet is safe? We don't do that, but we probably should. There should be a standard process around this type of stuff.

Now, there's another point it's probably worth mentioning here, as well. So standards are not technically neutral, right? They reflect the wills and interests of various parties, and it happens at the highest level and it is deeply geopolitical. So countries are trying to push their own tech into the standards. Why? Well, influence and power. All the regular stuff that countries like to do. But there's something a little bit deeper. And I don't know if you guys have ever heard of something called a standard essential patent before. But it's what happens when you can get your intellectual property into a technical standard that then needs to be adopted by others - it becomes cash for life because they need to adhere to the standard. And in order to adhere to the standard, they got to pay you a royalty. So people aren't dumb. This is what's happening right now in this space. And so we need to think coherently about how we engage in a strategic way as well, because that's what's happening around the world.

Todd Lyons

Do you think that the sort of intellectual property, proprietary software being introduced into something is actually making it more difficult to make sure that these products are safe - as opposed to an open source device, or an open source development model where everything's out there, anyone in the world can be looking at it? You know, many different corporations that feel like they have a stake in it could be putting some of their employees on actually looking for vulnerabilities here? Whereas if a corporation realizes that our cash cow is going to disappear, if they find out that there's this number of critical vulnerabilities in this essential software we've injected into the system, where's their motivation to be really transparent?

Aaron Shull

No, that's a big one for sure. Obviously, proprietary technology, within companies, to your stuff and how they do data management, what they do with data is something that's closely held. That's the secret sauce. And it's not going to people are going to give it up lately. And so I agree with you, 100%. And let me add one additional flavour to this discussion, which is what happens when AI becomes more ubiquitous? So you've got a data stack, then you've got a proprietary algorithm chewing on the data stack to come up with some decision. And my supposition is that the decisions that we're going to allow artificial intelligence, and a human to use that term loosely here, but the decisions that we're going to be powered by algorithms and machine learning and deep learning, are going to become more important in our world, not less important.

So you've heard of trial uses in bail court to determine if someone's eligible for bail. You've heard of uses where people are determined for eligibility for credit based on an algorithmic access assessment. What happens when those important decisions are being made? And we don't know about the black box. We don't know about how the data was used. I don't know about the decision making vector of the algorithm. And we've got no ability to verify the veracity. And let's just pause there for a moment and think of a real world example.

So we'll use bail court because that's the one so you know. For example, Todd, I'm not accusing you of anything here, but let's say you were going to the parking lot, and there was a car that had a smashed window. You were walking by and the police came and arrested you because somebody fitting your description had been described smashing the window in the car. You go to bail court and then all of a sudden, there's a decision being made to determine whether or not you are free pending trial because you're effectively innocent until proven guilty - or whether you're remanded to custody – i.e. you go to jail until your trial comes. So you could be sitting there for a year, if you're lucky, right? This is a big deal! So don't make light of that circumstance. I know, we're joshing around here, but this is a big decision. An algorithm cranks it out and says, 'Well NO. I mean you wear glasses - and my algorithm assessment says that people who wear glasses are more likely to, for purposes of recidivism, are more likely to offend and therefore you're denied.'

So we don't necessarily know how that decision would be made.  There's no transparency around it. There's no one there so there is no way to verify the decision vector. In the real world, what will happen is that a judge will make that call. There'll be a record of the decision and the reasons behind why the decision was made. And then you can appeal it. And this is the part that we're missing in this conversation is how are we going to appeal those decisions that are being made by algorithms if they're proprietary, if you can't see in the black box? And if you believe with what I'm saying that the decision is going to be more important, not less important - we're going to have to get our heads around that pretty soon.

Nathalie Crandall

Thank you very much. And this has been really fascinating. Yeah. Cool. I think my favorite takeaway from this whole conversation is going to be it's not a government problem. It's a governance. Yes. Yeah. That's really powerful statement. Wonderful.

Thank you.

Unknown Speaker

You've been listening to Innovate on Demand, brought to you by the Canada School of Public Service. Our music is by grapes. I'm Todd Lyons, producer of this series. Thank you for listening.

Credits

Todd Lyons
Producer
Canada School of Public Service

Natalie Crandall
Project Lead, Human Resources Business Intelligence
Canada School of Public Service

Aaron Shull
Managing Director and General Counsel
Centre for International Governance Innovation
