Canada 4.0: Cybercrime and Cybersecurity Digital Conference

Catalogue number: Catalogue number: 11-629-x

Issue number: 2020001

Release date: February 14, 2020

Canada 4.0: Cybercrime and Cybersecurity Digital Conference - Transcript

Lynn Barr-Telford: Good afternoon everyone. French. My name is Lynn Barr-Telford and I am the Assistant Chief Statistician responsible for the Social Statistics Field here at Statistics Canada. I am very pleased to welcome everyone, both in person and online to the second of a series of expert panels co-hosted by Statistics Canada and Innovation, Science and Economic Development Canada as part of a larger initiative called Canada 4.0: Canadian Society, the Economy and Digital Transformation. Statistics Canada's helping Canadians be better placed through data to understand the impact of digitization. This initiative, in partnership with innovation, Science and Economic Development Canada, is intended to gather the views of Canadians, businesses, governments, and international experts on their emerging data needs in the era of digitalization. Given we are aiming to better measure digitalization, we've organized a series of digitally-delivered expert panel discussions to be held over the next six months. Each panel discussion aims to explore a different digital topic, such as measuring the digital economy, gig employment, or health and wellbeing. The value and role of data are a central focus throughout. The panel discussions are being streamed live as well as recorded and posted on the Statistics Canada website. And this brings us to why we are here today, the second expert panel as part of the series on a key element of digital transformation in Canadian society. That is cybercrime, cybersecurity and public safety in the digital age. Today we will hear from four expert panelists for about an hour and then we'll take questions from online participants via WebEx and Facebook Live, and for those joining us online, a couple of housekeeping items. Please ensure that your microphone is muted and that your camera is turned off to minimize any technical difficulties on the WebEx line. To get things started I am very pleased to introduce your moderator for today, Yvan Clermont, Director of the Canadian Centre for Justice Statistics here at Statistics Canada.

Yvan Clermont: Today compose of four very experienced and knowledgeable individuals, each bringing a somewhat different and unique perspective to these, this discussion we're going to be having today. So, joining our panel today is, online we have Dr. Benoit Dupont. Dr. Benoit Dupont is a professor at, of criminology at the University of Montréal where he holds the Canada Research Chair in Cybersecurity and Research in the Prevention of Cybercrime. We also have joining with us today, on my right, Barry MacKillop who's the Deputy Director of Operations at the Financial Transactions and Reports Analysis Centre of Canada, which is called FINTRAC. And next we have Signy Arnason who is the Associate Executive Director of the Canadian Centre for Child Protection and , which is a national charity dedicated to personal safety of children. And finally, last but certainly not the least, we have Jeff Adams here, Assistant Commissioner of the Technical Operations for the Royal Canadian Mounted Police where he oversees, the National Cybercrime Coordination Unit. So please join me in a round of applause to welcome all these expert panelists. Thank you very much for joining us today. So, now before we start with Benoit's presentation I'd like to ask each panelist to take two minutes, only two minutes if you can, and tell us a little bit about your particular interest in today's conference, and your interest in cybercriminality and talk to us a bit more in depth about, how you, you are working in this area of cybercriminality and cybercrime and security, so, I would like to start with Barry on my right here. So if you can tell us about your particular interest in this Barry, please.

Barry MacKillop: Actually really, at FINTRAC, I mean, we don't, we're not into , the cybersecurity per se in terms of protecting , cyber elements, for us it's more the cyber-enabled crime and I think that's what we're seeing more of. We deal with financial intelligence, and it's the cyber area of financial intelligence where we're looking into new methods of payment, , the Fintec, the block chain, the dark Web, the virtual currencies, it's all those kinds of things. It's all those kinds of challenges that I think,  are coming to the forefront more and more at, at FINTRAC and around the world as we deal with our FIU partners, our financial intelligence unit partners. I'll try to keep the acronyms to a minim , or just raise your hand and go I didn't understand that and I will , I'll tell you what it is.  but I think that's really more where we're interested right now and , when we get into the presentation I'll talk a little bit about  our , public-private partnerships, how we're working with industry and others, , to advance particular elements, , be it human trafficking, be it opioids, fentanyl, those kinds of things, and, and, , very specific crimes, predicate offenses to money laundering and terrorist financing of course, which is also , more and more cyber-enabled. So I think that's two minutes, I'll be quiet now and come back later.

Yvan Clermont: Thank you very much Barry. So I'd like to pursue with you Jeff, if you don't mind.

Jeff Adam: Thank you and, good afternoon. I've been, in charge of, cybercrime for several years, even before the RCMP actually got into it. I'm, was at one point quite fatigued from attending international meetings with law enforcement partners from around the world and having them ask me so where is Canada in relation to cybercrime and , they called us a silent movie. So  part of what the NC3 is going to stand up is hopefully going to be a single port reporting for Canadians and businesses to report cybercriminality and I'll get into that in the talk later. But it, right now we have only in, a rough idea of how much cybercrime is impacting Canadians. We're, more than eighty percent of our small-medium businesses are dealing online, and they're the weak link in the chain right now, for both critical infrastructure and for our digital economy that's online. Parliamentary committees, Senate committees, they all want to know how much cybercrime, crime is out there and has the RCMP ever arrested anybody for cybercrime, and thankfully they send me because I can say yes I did that once. So, anyways, yeah, and money laundering too but that's yeah that's another time, another place. , so obviously the police in, in relation to our, one of our primary mandates of public safety is very, very concerned about how Canadians are being victimized by criminals from basically around the world. And that's why I'm here today.

Yvan Clermont: Thank you very much Jeff. And Benoit, would you tell us about what is your particular interest and the type of work you're doing in this area please?

Benoit Dupont: So as an academic, I'm mainly interested in how society adapts to technology, and as a criminologist how offenders innovate and develop their modus operandi to take advantage of new technological developments, and hence also how we can prevent the uses the malicious uses of technology and how we can design prevention and mitigation programs and policies that are actually effective. Also I'm, I like to be involved in designing and implementing collaborative initiatives that bring together academia, and when I say academia it's both computer sciences and the social sciences. I think cybercrime and cybersecurity is not only a technical problem it's also a social problem, a policy problem and I, I'm trying to develop initiatives that bring together academia, government, and industry. A lot of people talk about it but it's really actually very hard to implement and we're trying to, to achieve that through a number of platforms such as the Smart Cybersecurity Network.

Yvan Clermont: (French) Merci infiniment Benoit. Signy, if you want to tell us what is your particular interest in to this topic today and what type of work you're doing before we start the presentation please.

Signy Arnason: Yeah, sure, thank you very much for having us. I'm at the Canadian Centre for Child Protection, so we play an interesting role in this space. We're an NGO, we're a charitable organization as you had mentioned, dedicated to the personal safety of children. For the last seventeen years we have been operating, Canada's national tip line to report the online sexual exploitation of children. We are the on the frontlines of dealing with, how technology and the Internet has significantly impacted the lives of children and, we're on the dark side of that line. Certainly there are positive aspects but we're inundated with the harm facing children and how offenders take advantage of the Internet to commit crimes against children. So as an organization we see the role of technology as imperative in fighting this social epidemic. There are a variety of ways at, at, by which we tackle this problem. Certainly police have a significant role to play but any police officer would tell you the problem is so pervasive, we are not solving this problem by arresting our way out of it. There's the role of NGOs and hotlines like ours in the international space with notice takedown and removing content. There's the role of industry and being way more proactive in preventing this material from ending up on their services. And then if they choose not to act, what is the role of the upstream providers and how we start to reduce the significant availability of child sexual abuse material. So in my portion of the presentation I'll run through all the ways in which we're leveraging these things to reduce the harm to children.

Yvan Clermont: Thank you very much , Signy, this , we can't wait to hear from your presentation, already seeing the video so far this is great, so I think,  looking forward to hear you talk about the great work you're doing. So, before we start with the formal presentation maybe just a few words, from our part as an intro as the interest is on our side regarding the cybercrime and cybersecurity and how we wish to play a role so we all go about our daily life in this increasing digital era, we're texting, we're emailing to communicate with family, friends, business partners and everybody. And we're doing it more online, we work online, we do it in a very mobile way, and we also transfer funds to pay our bills, to send money to our friends, our children and everywhere, and we buy and sell goods online, and we also use our credit card and debit card to pay everywhere we're going, so if we engage in this cyberworld in this way we can expect that criminals do as well. And they're exploiting our vulnerabilities as we live in these digital times. We're all more and more exposed, which is not to say more vulnerable, and offenders are being more and more inventive and the ways in which we need to protect ourselves becoming, is becoming more and more complex. So we can think of a slew of already established, not so new crimes, and new crimes, for example identity theft like we've seen in the newspaper recently, malware attacks, cyber intimidation, fraud, extortion, sexual exploitation of children, hacking, data theft, firearm trafficking, terrorism, online hate crime, intellectual property theft. These are all activities and transaction happening on the Internet and on the dark Web as we speak now. So if we take this into account, one might question be is, is an increasing quantity of crime these days or incidents not only some sorts of cyber component, but do they get more and more not reported to the police, for example? In 2005 Stats Can began measuring if criminal incidents were cyber-related, we included some flags into the Uniform Crime Reporting Survey, and also there were more recent initiative with the , Survey of Businesses Cyber Security and Cybercrime in Businesses in 2017. So, this kind of survey is one of the first in the world. It examined the economic impacts of cybercrime in businesses and there's a lot of lessons learned in this initiative that are being recorded and being held as lessons learned for other organizations in the world to be conducting their own survey. But just to give you a few findings on this study that was done. , Canadian businesses spent a total or fourteen billion dollar to prevent, detect and recover from cybersecurity incidents, and one fifth of Canadian businesses indicated that they had been impacted by a cybersecurity incident. And about only ten percent of impacted businesses reported these incidents to a police service, which is very low. So, the survey's going to be conducted again in 2019. But beyond businesses, also Canadians are being vulnerable in terms of human trafficking and I've already mentioned a few items, or aspects in which Canadians are vulnerable every day, , beside businesses. So eventually, we certainly see new cybercrimes emerge and, and we need to find ways of measuring these so we can monitor these. So despite what is believed to be a proliferation of new and not-so-new crimes because of the cyber, there was about 28,000 criminal incidents that were reported to the police last year that were cyber-related. That's only a small proportion if you account for the more than two million criminal incidents that came to the attention of police. So you can see that there's a gap here. This is slightly over 1%. So Benoit, if you're still connected and with us now, I'd like to engage you, and, and have you to provide us with a presentation on some of your work on the ecology of cybercrime and cybersecurity, which will be setting up very nicely to hear from, the other panelists. And I'd like to come back to the other panelists after so they can have reaction and impression about your presentation which is a very nice overarching presentation about the cybercrime ecosystem, which I think is a very good way to be looking at this problem. So please, go on Benoit.

Benoit Dupont: Thank you Yvan. So cybersecurity and cybercrime remain a policy puzzle, we wouldn't be here otherwise to try to understand it a bit better. While human societies are in the midst of a digital revolution that is proving as, proving as disruptive and transformative as the 2 preceding Industrial Revolution. The complex problem of how to safeguard the new technological systems that we depend so much upon, against a broad range of online, online risks and harms proves extremely challenging to say the least.

(Power point slide appears on screen. Image of the City of skyline and title of presentation.)

Alarming headlines such as the one we saw last week in Québec where Desjardins experienced a major data breach with about two point nine million people, whose personal information was compromised remind us that the personal and financial data that we entrust our banks, our insurers, our employers, our retailers, or even online service providers, are being plundered,

(Screen returns to speaker)

on a systematic basis by hackers who have become very skilled at exploiting technical vulnerabilities and human errors. And to be clear, the Desjardins was not an external hack, it was an insider incident, but still the same. You know, the data is going to end up, if it hasn't already, on the, on the dark web or on criminal underground markets. As we'll hear today as well, sexual offenders leverage online platforms to develop illicit communities that facilitate the sexual exploitation of children. Meanwhile, police organizations are facing severe constraints that make it very challenging for them to hire, to train, and to retain specialized investigators and the forensic experts required to prosecute local and international cybercrimes. But security is not only a liability, it can also become a source of economic development and job creation when companies are able to design and to market products and services that offer consumers and citizens enhanced security features. Cybersecurity is a market that is global and is estimated to be worth about 206 billion Canadian dollars in 2019 and countries such as Israel have demonstrated how it can become an engine of economic prosperity for a nation. So, to understand and make sense of cybersecurity, one, and cybercrime of course, one must consider at the same time this unique mix of three trends. First, rapidly transforming technologies that are often developed and adopted so quickly that convenience takes precedence over safety considerations. Second, we have very innovative criminal groups that are able to identify and to exploit technical and human vulnerabilities. And finally, we have security stakeholders that blend public and private expertise and resources to prevent and to mitigate cyber harms. So in order to make sense of this complexity, I have found that using the ecological analogy is very helpful and maybe if we move to the second slide we can see what I, I mean a bit better by that.

(Power point slide appears showing the cybercrime ecosystem's 3 communities)

Using the ecological analogy enables us to better map and to grasp the constant interactions between the companies that build unsafe technologies, the cyber criminals who profit from these vulnerabilities, and the security professionals who attempt to minimize negative impact of these cyber harms. Cybersecurity can be modelled as an ecosystem where three communities coexist and interact in the digital environment. The first community is industry, which generates immense positive outcomes for society through innovation and economic development, but the competitive pressures on this industry and the lack of regulation compared to other sectors also mean that industries rarely, rarely,  sorry, that security is rarely baked into the design of products and services when they are rolled to market. The second community is the criminal community, which has leveraged the de-centralized structure of the Internet and the relative and unlimited grants its users to build international networks of very skilled offenders who are able to collaborate without prior knowledge of each other to generate very significant profits on an unprecedented size of organizations. We've heard about police organizations that are often constrained by national boundaries to combat a global problem, even if international cooperation efforts are improving and the government of Canada has invested heavily to upgrade the RCMP's capacity to intervene and to, and to coordinate national and international capacity. Access to more resources, more expertise and more data, but represent very narrow corporate interests and we also have hybrid organizations such as NGOs and professional associations that attempt to increase the collective capacity to solve these problems through public-private partnerships. The members of these three communities are in constant interactions, within and between communities, and these interdependent ties are definitely, are defined sorry, by three main modes that influence the beneficial or the harmful nature of these relationships. The first mode of interaction is competition, which fosters innovation but can also skew incentives away from security practices if they are viewed as obstacles to gain new market shares and to increase profitability, competition between cybercrime groups and unfortunately sometimes between security organizations. The second mode of interaction is predation, more prevalent between groups of actors from different communities when one group attacks another claiming resources or to neutralize it. And like the natural world however, the features of cybersecurity and the cybersecurity ecosystem means that very small and individual can sometimes launch predatory actions against massive amounts of victims and even sometimes against security organizations. And the speed of adaptation between preys and predators is also much faster than in the natural world and means that various actors need to innovate constantly and to be ready for very unpredictable changes. And finally, we have cooperation. My belief that cybersecurity ecosystem but it also relies to a large extent on cooperation between security and industry to mitigate the impact of cybercrime. And this is I think, in the strengthening of this cooperation efforts, that our policy options seem the most enticing. So by this point you might surely ask yourself what is application of ecological concept to security and cybercrime, has to do with statistics. Well, if we are to design and implement effective policies that take into account this complexity and manage to leverage the positive ties I have alighted while reducing the negative externalities we need reliable data for each of the three communities that make up the ecosystem. We also need to be able to track the impact on cybercrime of competitive, predatory and cooperative relationship. Next slide please.

Yvan Clermont: Thank you Benoit. We have one minute left, I believe. So thank you very much.

(Power point slide appears on screen. It consist of a table listing the communities, types of data and data sources.)

Benoit Dupont: I'm almost finished, so what I was going to say is that we need to start thinking about the diversity of metrics we need to track and we need to understand what kind of unconventional sources of data can contribute to this broader understanding and I'm thinking about cybercrime forums or Internet service providers who can be very interesting sources of very helpful statistics. I have listed in the slide, I'm not going to go through the slide but I have listed some examples that illustrate how an effective national cybersecurity policy will need to consolidate very disparate sources of data to measure cybersecurity outcomes from different angles. Including Stats Can Victimization Surveys, police statistics, but also private sector and insurers' statistics and we could also try to measure the illicit profits that are being generated in the process. I think, in conclusion, there has never been so much data available so the main message of my presentation is a message of hope and I think the main constraint at this stage is probably our imagination and there is a lot we can do to improve the metrics we need to provide better preventative and mitigative policies to limit the negative impact of cybercrime.

Yvan Clermont: (French: Merci beaucoup Benoit, c'est extrement intéressant.) Before we continue I would like to ask the participants on WebEx to please mute your mics, as we're experiencing a number of people who have not muted, causing sound quality issues at the moment.

(French: J'aimerai continuer sur cette lancé Benoit)

We find in any ecosystem is, we find that there are very often if they want them to work well, central to that, a data integration, system as well, which is central to that to help with at least, evaluate where we are, how the problem is evolving, the impact our interventions are having and as well to guide us into how we should be fostering innovation in that area so we make sure that what we're doing is not in vain. So, maybe quickly I would like Benoit, after your presentation here, hear a bit from the people who we have with us today. So, I would like to ask if the panelists here would like to react to your presentation and maybe bring a little bit more information. I'd like to start with Jeff, Jeff if you would like to start and provide us with your quick impression and reflections on Benoit's presentation and then we're going to follow up with Signy and Barry.

Jeff Adam: Thank you. Thanks Benoit, pleasure to getting that perspective again from the outside.  I'm wondering if the ecosystems might be widened a bit to include the general public, or the user group. They're the ones that we're finding are getting the highest degree of victimization and yet have that market force drivers on industry and security, i.e. security by design, on security forces to respond to criminality events and it's, those three pieces work very well together in that ecosystem drawing but I think the underlaying and around it will be the user group that is both victimized and the drivers of changes to, to technology and regulation and legislation. That's, the only, the only comment I had. That was very well done. Thank you.

Yvan Clermont: Very good, question posited, Jeff, I would like to hear from Signy if you have some reflection about Benoit's presentation.

Signy Arnason: Yeah, sure, thank you Benoit. , in terms of the ecosystems and what we're seeing in our space again, I'm going to speak specifically to child sexual abuse material and what's happening to children online. In terms of industry, they are not regulated, at least the content providers are not and we're seeing varied responses. Some providers will remove material about, without any question, others will enter into lengthy debates, and some will ignore notices.  There's a complete lack of transparency around how this is implemented, so even, even the idea of taking hash lists and  trying to detect that proactively on services. There's no way of knowing whether in fact, companies are in fact doing this. So the lack of transparency is a huge problem on our side with children and then you get into the criminal aspects knowing that police are inundated with you know, little children, toddlers, babies being sexually violated. That being recorded, shared online, and the urgency of identifying who those children are. So much of what we're dealing with online is the historical contents, so a lot of these children are now adults and they're living with the reality that their material is trading in perpetuity and the tremendous traumatic experiences as a result of that is something we never properly planned for or could have even anticipated. So there's no question children are an after-thought in this entire model and ecological system. Their rights and their protection is not placed as a priority, and as an organization we think it certainly should be. And some of the information I'll share in a moment, in a little bit, hopefully will provide that important context.

Yvan Clermont: Thank you very much, Signy for this comment. I would like to ask Benoit to maybe provide us with an answer about the place of victims in this ecosystem after when we're at the question period. But first I would like to proceed, mindful of the time we have at our disposal this afternoon, and the bit of the delay we have beginning, the panel here. So, maybe after our three panelists do their presentation, if it's possible, maybe to narrow it down to maybe eight minutes or so. So I'd like to start with Barry, and, to make your presentation about the work you're doing and share with us what FINTRAC is doing in this area and the role it plays in cybercrime and cybersecurity, please.

Barry MacKillop:

(French: Merci Benoit, c'est très intéressant.)

Users, general public, but also the users, like the big banks and others that actually use these tools, and I agree with Signy that we, we need to bring in the victims and I think the concept of prevention when we're talking predation, we're talking collaboration, and on the criminal side I think we need to talk about prevention, education, and going right to early education on that. So I will skip that because I'm no longer working in public safety and I won't talk about early childhood intervention or anything.  For preventative purposes I'll talk about FINTRAC. I'm guessing the vast majority of people don't actually know what FINTRAC is. My FINTRAC 101 when I talk about everything we do is about an hour long so get comfortable, no I'm kidding. I won't. I'll skip very quickly.  A couple of things, one is we are Canada's financial intelligence unit which means we receive reports from a number of reporting entities. There's nine sectors, about thirty one thousand reporting entities, but our big banks and our big money service businesses really provide about 90 to 95% of all our reports, so we do focus a whole lot of our efforts on our big banks. 

(Power point slide showing the PPP Model appears on screen.)

If we look at a public-private, partnership model, what we've done is we've evolved over the years. We've always worked very, very closely with our law enforcement national security partners, our international FIUs we've worked very closely with. But up until maybe about three, four years ago the reporting entities were essentially reporting entities and our regulatory role that we have at FINTRAC to go out and ensure that they're reporting under the PCMLTFA, Proceeds of Crime Money Laundering Terrorist Financing Act,

(French: J'essaie de parler vite, parce que j'ai juste 8 minutes apparemment.)

Lots of time for questions after hopefully.  But what we started to do is we started to look at is there a better way of working together. Is there a better way of looking at some of our large reporting entities as partners rather than just entities that we regulate? And is there a way to balance, as I'm the Deputy Director of Operations and I have both the regulatory and the intelligence component, is there a way to balance our intelligence needs and our regulatory role so that they participate in providing better and better intelligence without necessarily sticking their necks out and feeling like they're going to be hit on the regulatory side?  It was an interesting balance, I think it is one that we have struck well. If we look at our PPP model we have government agencies involved, financial institutions, NGOs in some cases, depending on what the topic is because the public-private partnership model tends to be topic driven.  And we work with all of these folks as well as across government in Canada, and our role really is to work with our reporting entities, in this case some of the big banks, and to develop with our law enforcement partners and to develop financial indicators that are as unique as possible to predicate crimes to money laundering, so that they can then plug these into their systems and develop the patterns and the tools necessary to highlight suspicious transactions. We get a lot of reports that are threshold reports, large cash electronic funds in and out of Canada, our most important report that we get are the suspicious transaction reports that we get from all our entities. There's no threshold on those and they can look, and those are the ones that we try to help them design their own tools for, so that they can identify suspicious patterns that are related to whatever the public-private partnership topic is. We're now up to three, four right now and it's likely the way of the future is to continue to develop these for predicate offences. The finer, the more finely tuned their systems are for identifying suspicious transactions, the less likely they have false positives and the better quality and the better quantity of suspicious transactions reports we get at FINTRAC.

(Power point slide on Project Protect appears on screen.)

So if you look at Project Protect, that's, the first one that we've done, it was led by the Bank of Montréal, FINTRAC doesn't actually lead the public-private partnerships. We participate and we usually get one of our big banks to lead it. In this particular case it's related to human trafficking. This started at an ACAMS conference. We were in attendance, Bank of Montréal was there. (inaudible) who was a survivor of human trafficking was speaking and she basically challenged the financial institutions in the room to do something to help reduce the amount of human trafficking in Canada. Bank of Montréal put up their hand, volunteered as long as FINTRAC participated with them. We agreed immediately, worked with them, law enforcement and others and NGOs, both domestically and internationally, to develop indicators for the specific to human trafficking, for sexual exploitation. This will likely evolve to slavery or organ transfers as well. We've developed others on fentanyl use as well as romance scams and the use of casinos for money laundering. So if we look at Project Protect there is a, an alert, an operations alert with the indicators on our website if anyone's interested. But if you look at just the impact that it had, in 2015 we had 450 STRs, the suspicious transaction reports that came in. We had only done about nineteen disclosures to then. We're now, last year we've done 201 disclosures on human trafficking domestically or internationally and we've received well over 3600 STRs last year alone related to human trafficking. Which is both a good thing and a bad thing. The reporting's increased, and unfortunately human trafficking is still a significant problem in Canada. And this is the sexual exploitation component, which is human slavery, mostly young women. And as you can see, as the reporting has increased, both the quality and quantity, our ability at FINTRAC to do proactive disclosures, which are basically me telling Jeff here's a crime, here's a criminal that's committing crimes that Jeff does not know about yet. So it's a proactive ability to help , address some of these and attack some of these networks before in fact, they're too far down the road in terms of what they were doing. And that compared to 2015 where we were about fifty-fifty on the reactive, where we react to the police telling us they're after someone, versus what we can identify ourselves.

(New Power Point slide on the 4 stages of human trafficking appears on screen.)

These, it's hard to see, basically the four stages of, that we see in human trafficking. We have the luring, recruitment area, we have the grooming. We have coercion, manipulation, and exploitation. The use of financial intelligence there and what we can do, what some of the indicators are that we've developed for each stage of this. This is provided to all our reporting entities. Our big banks, for the most part do a lot of the reporting on this and we see some very, very good suspicious transactions that come in. We've had a lot of domestic as well as international success. We've helped take down rings, that spread to Portugal for example and that was I believe a Toronto police case. So what happens, happens in Canada, it also often has international components as does most cyber-enabled crime.

(Power point slide on Financial Networks: Discovering the Story appears on screen.)

And that is basically what we come up with, when we put together a financial disclosure, we will put together an IQ chart that will show the connections, whether it's through email addresses, financial transactions, phone numbers, whatever we have in our databank, we will do it. We are an administrative FIU. We don't do any covert work; we don't do any dark Web work. We do open source and we rely on the financial transactions that we've received. And the curious thing on this one, or the nice thing on this one is that those green dots. The blue ones were basically all the ones that the police knew. Red ones were people that we identified through our transactions, and the green ones were actually missing women that were identified through the financial transactions that the police had not yet found. They had been gone missing, reported missing, and we were able to point the police in the direction of a couple of women, missing women, so that was extremely satisfying for our work and for my analysts who were able to do that. And to show that the work that we do and the work that our reporting entities do at the frontline really does have an impact on saving lives of Canadians.

(French: So, je pense que je suis dans le temps.)

Yvan Clermont: Here after, if we have time about what are the barriers here facing and making this work even more fruitful or more productive. So we also have another very interesting presentation. This time it by Signy Arnason, from the Canadian Centre for Child Protection, and that's another example of how technology can enable detection and helping the victims as well. So, Signy, if you hear us, you can start, we would like to hear you on the work you're doing at the Canadian Centre for Child Protection in this area, please.

Signy Arnason: Wonderful. So I'll start with, we can jump to the slide on just describing the tip line, the first slide.

(Power point slide describing the tip line appears on screen)

If we could do that.  So as I had mentioned, we have a unique role in this space. We've been operating the national tip line now for seventeen years. We are built into the government of Canada's national strategy and have been built into that since May of 2004. You can see progressively over the years what we have had to manage in terms of public reporting. However when you get into 2017-18, and then 2018-19, those numbers start to change significantly. And that is predominantly due to our work with Project Arachnid, which I'll be talking about in a moment. So, essentially the tip line has two sides to its mandate, which is to accept reports from Canadians, process that information, pass along stuff to law enforcement and/or child welfare to investigate. And then we deal with the whole educational side as well. So, back in, if we could go to the next slide, don't play the video, sorry, the next slide that talks about survivors.

(Power point slide about International Survivors' Survey appears)

I'll give you a little context leading up into how we've been dealing with this from a technology standpoint. But back in 2016, we took on a, first of its kind really in the world, International Survivors' Survey. We ended, you know, we started off, we thought if we got, you know, 20 respondents, that would be quite extraordinary. Because keep in mind this is a population you only see in content, you never hear from them. So, we ventured to connect with survivor groups around the world and in fact, got 150 respondents in when we assessed the results. And a lot of the information that came back certainly is intuitive but it was still , incredibly significant for us to certainly recognize that there's no question, the recording of sexual abuse has a significant lifelong impact on the victim. So there, they may be safe, the offender may be in jail, but the one thing they've been told consistently is there's nothing we can do about the ongoing sharing of your material on the Internet. I won't get into the other aspects of some of our findings but for the purpose of this presentation, we also heard from survivors related to the recording, that nearly 70% of them constantly worried about being recognized. So this would be them as teenagers, then leading into adults, and in fact 30% of them were identified by a person who had viewed their child sexual abuse material. So this an incredibly significant issue.

So then moving into the next slide, you know, we decided certainly police are inundated, they can't keep up with what's on their desks, we have to have a multitude of approaches by which we tackle this problem and an organization like ours and how we invest in technology and our ability to send notices is something that can significantly help victims in the survivor population. So, we created Project Arachnid. So I'll give you a short little video just so you can understand, essentially what it's about.

(Project Arachnid video appears on screen)

Project Arachnid video: Every time I see someone looking at me, I wonder if they know. If they've seen the pictures. Sometimes it feels like I'm being abused over and over again. In the dark throes of the Web, every day under the cover of anonymity, technology is being misused to share images of child sexual abuse across the world. And with every single share, victims are forced to relive their abuse over and over again. To fight fire with fire, the Canadian Centre for Child Protection has created Project Arachnid. Virtual crawlers that scour the Internet to find and remove images of child sexual abuse. To identify these images, Arachnid uses a ground-breaking combination of Microsoft's photo DNA technology along with digital fingerprints received from institutions like the RCMP and Interpol. Now even if the image has been cropped, reformatted or augmented in any way, the crawlers find the matching images and help take them down. Arachnid is a giant step forward in helping victims of child sexual abuse reclaim their lives. But the battleground shifts every day, as technology evolves and offenders find new ways to victimize and evade. And while we vow to relentlessly fight on the frontlines every day, we need your support. So please share this video and help break the cycle of abuse.

Signy Arnason: So in terms of the next slide, essentially what is Project Arachnid. It's a platform to reduce the availability of child sexual abuse material. It is victim-focused, it is not offender-focused.

(Power point slide about Project Arachnid appears on screen)

So our goal is to get material down as quickly as possible so that survivors don't have to live with the horrible reality of becoming a popularly traded series online, which a number of our first generation of survivors are living with today. And you'll see that when I show you the dashboard of Project Arachnid. So we find child sexual abuse material based on photo DNA matches and that's because again, the images get altered or cropped and we want to be able to pick, you know, the needles in the haystack out when we're crawling on the Internet. But there's also human intelligence that feeds into Arachnid as well. And our organization then when we detect this material, it is child sexual abuse material, we send the notice to the content providers requesting its removal. So in terms of the work flow, I won't spend a lot of time here, it gets pretty complicated but we're on the open web as well as on the dark web. We incorporate not only crawlers but we scrape, so analysts, if you move to the next slide.

(Power point slide with Workflow chart appears on screen)

So if analysts identify a particular forum or chatroom that is specifically seems to be specifically, dedicated to child, those with sexual interest in children. Let's say it's titled Daddy daughter incest, all of the images, and videos, in that forum will be scraped and put into Arachnid for analyst assessment.

(Power point slide about Public Availability of Child Sexual Abuse Material appears on screen)

There's an industry API where they can come and report to us, so there are a number of different aspects to it, the result and notice going out. So if you actually just play this it will look like a real time crawler. This was kind of recorded as a video but essentially what you're looking at there is the, we have, through Project Arachnid, analyzed close to 77 billion images, again looking for potential child sexual abuse material. We've detected, in two and a half years, close to 9.5 million suspected images. We have sent over 3 million notices out to content providers requesting removal. And then finally you can see from a victim's standpoint, this is how often, Arachnid is detecting particular series. So the idea that survivors are living with the traumatic impact of wondering who was looking at their material and when, whether it's being used to groom other children. Children, excuse me, is obviously a significant issue. So we're sending approximately 22,000 notices per day.

(Power point slide titled Global Response – Unified Tiplines appears on screen)

In terms of the next slide, our, the global response, technology is certainly imperative but we can't solve it with technology alone. We needed to increase the analyst pool that are contributing to assessing the backlog of images. So we're working with hotlines around the world. We can no longer approach child sexual abuse material from a geo-centric assessment. We've got varying laws around the world, content moves. Offenders take advantage of that and it's basically resulting in a tonne of this material being available on the Internet, so we have to be pooling our resources together and working within the same system to be sending these notices for removal.  There's a predictable workflow that comes from this and also educating other analysts around the world on whether that's an identified victim they're seeing in the image, what series it belongs to, if the age has been identified, then you know whether you can send a notice or not. If it's a seventeen year old, it's illegal. If they're an eighteen year old, obviously it's not. So in terms of the industry response to this issue, we have over 300 providers that we're sending notices to within Project Arachnid. We're seeing a variety…to the next slide.

(Power point slide titled Current Industry Response appears on screen)

We're seeing a variety of responses. As I had mentioned earlier, there's proactive responses, the large companies are pretty good at this. Reactive responses, smaller companies are generally faster at removal, large companies slower. Top 50% remove material in a day; bottom 10% take thirty or more days. As long as it stays up it allows other offenders to grab the material, it continues to trade. You can see the inevitable problem with this model. So finally, I'll finish quickly with the importance of data.

(Power point slide titled Importance of Data tied to Current Challenges appears on screen)

So, Arachnid has really changed the rules of the game. It's painting a picture. It's telling the story, of what's happening global, globally as it relates to child sexual abuse material, which Canadians have access to it. Doesn't matter if it's sitting on a server in the Netherlands, as Canadians that's seamless. We don't know that, and we're able to access that material if it's, if it's up and available. So we're seeing, these varying responses, we know that with removal we're too dependent on criminal law definitions, it's not helping us. So only, no, only 42% of the images related to known victims are actually actionable. So typically where there's smoke there's fire. If there's illegal image of a known child victim who's been sexually abused then why is that material up and it begs the question of what's going on. There's the inconsistent approach we need to be addressing the long-term risks for survivors, which we're not adequately doing. There's an arbitrary application of terms of service and a willingness to utilize bulletproof posts that's making the removal of CSAM much more complex than our ability to tackle that. So, Arachnid provides this critical intelligence that tells a story so that we start to better understand how we need to adjust, essentially how we're tackling this very serious problem online.

Yvan Clermont: Thank you Signy, this is fantastic work you're doing, plus you seem to be producing very interesting metrics with your web crawler and everything in a very innovative way. So if we have time at the question period, I would very much like to hear about the impact that you're having on the victims afterwards. So, I'd like, so far we've heard about the business side. We've heard about the security community's side. We've heard about the criminals, and how they interact and mostly, more importantly about the victims. Now I'd really like to hear about the policing side in the security community and, and Jeff, I would like to pass the word on you for telling us about the wonderful work you're doing in this area as well.

Jeff Adam: Thank you. Good work done by the C3P for certain. One of my areas is the Canadian Police Centre for Missing and Exploited Children and they've been a good partner all along in what I would call the scourge of the Internet. That's the CSAM material that's out there.  Just to take us back a tiny bit, one of the key points that police grapple with is what is the expectations of Canadians with respect to cybercrime? And I throw this slide up on the screen to make a point here. And in, back in 1829, the Peel Principles of Policing, Mister Robert Peel, took over policing in London and he started, and he came up with three foundational  principles upon which policing was built: public order, public safety, and law enforcement. Now, that's good when those three apexes of the triangle are in the same geo-political region. Back in the old days, they used to be in the same town. And then it became the same city, province, and off we go to the borders of the, of the countries, and then in a little bit the telephone came along.

(Power point slide titled Traditional Policing Model: From 1829 appears on screen)

The telephone changed that because you could pick up a phone and call somebody long-distance and threaten them. Where did the offence take place? So now you have what's interesting is our complete notion of policing is based on the jurisdiction that pays for policing services has the victims in it and has the court in it, but the offender is nowhere to be seen. Could be anywhere. So it has really shattered this paradigm. So we go back to what do Canadians want, Canadians want cyber criminals pursued. Yes, but they're in their mother's basement in Bolivia. How do we deal with those changing expectations? I have the ticker, I was going to click.

(Power point slide titled Defining 'cybercrime'?  appears on screen)

The next piece, maybe, good, is just to make sure that we're all fundamentally on the same page of the definition of what constitutes cybercrime and what does not. So if I pick up my smartphone and I were to hit Barry on the head with it, would that be a cybercrime? So then it becomes a question of what is and what is not. And I have a very simple analogy for this, or, whatever it is, if there was a giant switch here that I could turn off the Internet, what crimes would continue and which would not? And so if you look at that diagram, those on the right hand side of that oval would cease to exist. Those are cybercrimes. All the rest of them are just old crimes done in new ways with new ways to have multiple impacts and new ways to hide from prosecution. So when we are counting cybercrime on various surveys and asking the public and asking everybody else, do they know what cybercrime is? When they say yes, I was a victim of a cybercrime. Was that a phishing email? Was it a port scanning? That's when somebody basically checks to see if all the windows of your house are open or closed. Like, that is frankly an attempted offence, perhaps, is that reported? I hope not 'cos that happens every day by the billions. There's no way we could keep up to it. So again, survey information that comes forward has to know what it's asking and what it's looking for with clear definitions of what constitutes a cybersecurity event versus a cybercrime. So I'm glad you brought up the Desjardins case, 'cos that is not a cybercrime, it is digital data that was exfiltrated the same mistaking of filing cabinet full of papers, but the impact is so much greater because you can drop it on GitHub and a million bad guys can get access to that. So that simple act of taking the data out just alone is not a cybercrime, but the activation and the impact and the scope of that crime is where it really starts to bring the cyber playing field into play. And I guess that's why I mentioned to Benoit at the you know, after his presentation, that the user group would constitute, in my vision, a very, very direct and pertinent part of the cyber ecology that is out there now. If we look at it from only those three perspectives we're going to miss the big picture. So how many people in here, or are online, I can't see your hands, but in here I can ask a simple question, how many people have an iPhone? Okay, so you've paid a premium for improved security. That is not the business model of today's economy. First the market, first the market share, security by design, no, we're just going to throw a patch out there later on. And then when that doesn't work, another patch. And if that doesn't work, get out of the business. So, our whole model is predicated on the user group understanding the fundamentals of security. Now sadly I'll bring my mother into this. Because she can buy a laptop tomorrow and go driving down the super highway without a license. Without a clue. And sadly, there's a lot of people that are completely safe of my age and older in the kitchens of their houses. In their little fuzzy slippers and housecoat with their cup of coffee and they're reading the paper online. They're completely safe. But if you were to go downtown Detroit or Chicago or somewhere in an unsavoury area all of your senses are attuned, all of the ones that are feeding you in, are telling you this isn't good. Is it the smell, the sights, the sounds, what is it that makes you do that? Well my mom's in her kitchen, like I said, in her terrycloth housecoat, with a coffee and has no sense at all about what she's looking at. And I dare say that would be everybody in this room. So, sadly it's not just my mother, I could cure that. And the last part I'd like to talk about is why cybercrime happens, Cybersecurity instances happen.

(Power point slide titled Motivation appears on screen)

And it is basically can be grouped into these clusters of what motivates the bad guys. And I could talk her for about two hours about the organization of organized crime with relation to cybercrime. Used to be, all of the grade twelve computer science kids would get out for a week at Christmas and the cybercrime reporting would spike. Because all the kids were trying the stuff they'd just learned in the previous three semesters from their mom's house. That's how it worked at the end of the school year, same thing happened. We saw that trend happen, we did a little of proactive work with the universities and high schools and it started to diminish. What we see now is organized crime get organized about this. And Barry knows this one because he handles the other side, the financial get the money back to the organized criminals. Which is a whole separate part of an organized crime group. So they've got the hackers, they got the hosters, they got the programmers, they got the money mules, and they've got the staffing people, the HR department of organized crime and they're all separate. They have industrialized cybercrime. That's just one of the groups, that's the financial game group, excuse me. There's the disgruntled employee, another arrest that I had where the bad guy didn't get his vacation when he wanted it, basically wiped out the web server and quit. That's like frankly, that's an insider much like the Desjardins. The notoriety is the ones where they spray-paint something on the web page and off they go and they can brag to their friends, they send out the picture and they, they send it out now they're using the forums on the dark net to send that out to say yay, that was me 'cos I was first to publish this. You get the political, or the ideological motivated people, nobody has heard about China in relation to cyber espionage I'm sure. That's not just nation-states, it's industrial groups, and as Benoit alluded to, predatory industry against one another. Trying to get the one-up on somebody else. Ah, self-gratification of course, the cybercrime that's what, CP3 is,  collecting data on. And of course, why this is lucrative is because they get money out of it and they are virtually untouched and untouchable. So some of the things that we're trying to do with the National Cybercrime Coordination Unit is as I said be that front page for public to report cybercrime. Now we know we're going to get everything, we're going to get death threat by email all the way through to somebody got beat up and it's posted on YouTube somewhere. Which is incidentally not a cybercrime. We know we're going to get those. But we're going to be able to disaggregate out those to see if we can then start to partition. We're going to be able to dump that data back into the police forces across Canada so that they can do something with. Child sexual exploitation started out very similar where the centre opened up and took complaints. The complaints came in, we started farming them out, farming, to the municipal and provincial police partners that we have. They had to develop integrated child exploitation units to deal with it, and now there's sixty units across Canada where before there was zero. Cybercrime will be very much like that when we start saying here this happened in your area. And where cybercrime is different, is that one guy can hit everybody in this room regardless of where they live. And maybe 25,000 other people across Canada. So which municipality, or which police jurisdiction is going to be handling the file? We need to have coordination, there's not enough police to investigate each one of those so we'll have one unit coordinate for the benefit of all. That's basically where we are with cybercrime in Canada so far. I encourage everyone to drive safely on the information highway and wear your seatbelt. Thank you.

Yvan Clermont: Thank you Jeff. Maybe we should get our driver's license so. Thanks for the very interesting insight about the definition, the different groups, here, very interesting. What I'd like to do now, I think we have some time remaining for questions coming from the web. Or the participants who are on the web, how much time do we have? I think, maybe fifteen, twenty minutes. And while we're collecting the questions I think we… what I collected through the conversation we had is, in the cybercrime ecosystem that we have currently, I think we, we could expand a little bit more about the role of, the data to be central to this ecosystem and helping us about the monitor and, measure the impact of our interventions. But also what is the place of victims in this framework? So I would probably would like to start the conversation on these two aspects and what you see the role of national statistical office or agencies into this role, especially when it comes to data, but maybe before we can hear about Signy, about , what is that she thinks, should be the impact on the victims , how the work she's doing and, and see how she measures the impact on the victims and maybe after we can ask Benoit about what is his response about the place of victims in his framework. And then we can have the conversation and see what are the other questions coming from the web. So Signy, would you like to start?

Signy Arnason: Yes, sure. So what we know is that survivors have historically been pretty absent from this conversation and they actually need to be front and center in what we're talking about relative to this space. There's an enormous impact. I mean in courts we often talk about you know, is it is it too far reaching to remove Internet access from someone who has been charged and then is going to be convicted of these types of crimes against children. You know, they have to apply for a job. There's the idea of online banking, is this too restrictive? We never talk about the fact that survivors actually don't even have the ability necessarily to re-enter into the online world because they're incredibly fearful of being contacted, of which a number of them have been. How do they protect themselves? How do they protect their families, offenders' ongoing interest in them, as well as, as adults if they have their own children, the dialogue that exists online relative to offenders' sexual interest in survivors' children? So it gets pretty dark and disturbing in terms of the activity online. What I can say in terms of hope, is that when we first started to talk to survivors, particularly the Phoenix 11, so a group of women who are part of popularly traded series online that are basically putting their voices out there and taking back control. When we started to talk to them about Arachnid and its' ability to go out and detect historical content, at a pace you can't find through public reporting, and then triggering notices. You know, one of the survivors was brought to tears because of course, yeah, the offender may have been brought to justice but they are always told there is nothing that could be done about the ongoing sharing of their material. And frankly our organization thinks that's entirely unacceptable so we're positioning survivors front and centre and it's about time that that takes place.

Yvan Clermont: Thank you very much for this, Signy, very interesting. And I'd like to hear about Benoit and what, what do you think Benoit, where the victims should hold into this framework you have for the cybercrime ecosystem. You must have thought of this I'm pretty sure.

Benoit Dupont: Yeah, I think, Jeff is absolutely right, the victims and general users are central to the framework, because cybersecurity is a common good. It shouldn't be a club good where only the best resourced companies can afford systems and technologies that are cyber-safe and the rest of us have to do with second-hand technologies that have been thrown into the market without any consideration for security. So who can speak on behalf of victims? I think it's the government agencies that need to regulate a lot more this ecosystem, and that's why I use this kind of industry, criminal and security communities to try to explain how it works because then it helps us understand where we can apply regulatory pressure to make sure that certain companies exercise a bit more caution that we define and we design systems that enable victims to report cybercrimes very quickly and very easily online for example, I understand that the RCMP and the Canadian Digital Service are preparing a new platform inspired by the Acorn platform in Australia to facilitate that.  So I thought, so I think the ecological framework, its ultimate objective is to try to understand how can we better deliver services for victims because now you know, the reality is that cybercrime is the number one property crime in developed societies and it's also ranking very high in sexual offending as we've heard.  So we need to design better systems, better ways of intervention, and I think that the ecosystem framework helps us understand where to start from and how to assess the effectiveness of what we're doing.

Yvan Clermont: Absolutely Benoit, and I think of victim preparedness, victims' digital literacy and pattern of victimization outside the digital space, and how it interacts with victimization on the web as well. So these are I think, there's a huge area for research and consideration in that area of victims. Now we have a question coming from the web and the question would be for Jeff here. So what is the role of the RCMP National Cybersecurity Crime Coordination Centre, Jeff?

Jeff Adam: So the role of, for that, which is being stood up as a result of a buzz, budget funding initiative from 2018, is it'll be roughly, say a hundred people that has a couple components to it. The first one will be the public facing reporting system for people to report online crime. That's cybercrime.There's another step, which will be the data warehousing analytical part of that. , we'll take in all the complaints, we'll be able to map them, we'll be able to see hotspots, we'll be able to see if there's trends, indicators. Part of the analysis there will work with the Cybersecurity Centre which will then say oh yes, this is floating around as well when they're monitoring the networks. That's CSC.  The next phase for us will be the aggregation of that information to be packaged, to be able to send out to another police force. And with that, we'll go some experience about how to investigate, or how to coordinate an investigation of these issues with some technical background with it. The fourth one of course will be then the international liaison with partners, so we'll have one person in the Europol and another person down at NCFTA. It'll be liaising there to bring that international perspective in 'cos as I said cyber's not a Canadian thing, cyber's an international thing and we need to be able to either share information out, law enforcement information, police to police, or bring it in to say that Canada has a bulletproof holster in Montréal and we want to do something about that. So it's multifaceted, it's a fairly dynamic and complex endeavour for the RCMP to take on. It is not just the RCMP. This is the national police service, it is to the benefit and funded for all policing in Canada.

Yvan Clermont: Thank you very much Jeff. Maybe one other question as well is, what would you think, and this is for all the panelists here in, in a minute, for an example or two, what are the most important gaps in measuring cybercrime and, and efforts to increase cybersecurity and how would you go about, what would be the major challenges associated to fulfilling this information gap? And, and maybe if I can try with, you Barry, if it, for an answer, and maybe Jeff if you want to substantiate then I would also like to invite Benoit to speak about this as well.

Barry MacKillop: Over to you, Jeff. No. Well I think one of the challenges, probably still remains the ability or the desire of people or companies to actually be honest, at being victims, if you take a victim focus.  Certainly it'd be nice to canvas the criminals and find out what they're doing but they likely won't respond so given that it will be essentially a victimology type survey, it's always challenging to get the truth.  But I think it's important that we do that.  It's the same thing, I think when we're looking at virtual currencies for example. And everybody's coming up with BitCoin and all these other virtual currencies. I couldn't say right now even though I'm in the financial intelligence world, how much this is being used by business and how much it's actually being taken up by individuals across Canada. Is virtual currency really becoming a household day-to-day use or is it something that's still in large part being used by the criminals? Is it becoming current for Canadians and if so, that may lead to how we want to address it and what we need to do in order to address those kinds of things, if in fact it's something that's being taken up the same as cash was or electronic banking or something like that. So I think those are areas where we have gaps in knowledge.

Yvan Clermont: So do you think new legislation could help in that regard? Or for reporting to the police for example about companies?

Barry MacKillop: I'm not sure it's always legislation, I think an understanding of it first of all and then perhaps legislation if we need to legislate something. The worst thing we can do is create legislation based on a hunch, which will usually lead to bad legislation.

Yvan Clermont: Thank you very much and Jeff, what about you?

Jeff Adam: So there's been a great deal of conversation going on in relation to this, so Acorn in Australia had a requirement that when you reported a crime you got a number and that number had to be then reported to either the bank or the insurance in order to get your money back so to speak, to be compensated for the loss in a cybercrime.  What we found was that the reporting started off very high and then diminished because, notwithstanding the disclaimer, it said do not expect police action as result of your report, we're using this for data reason, for stats. They stopped reporting cos they wanted their pound of flesh. So that goes back to "What do Canadians expect in this new model", where the offender, the crime victim and the courts and the police are not in the same jurisdiction. Ah, the other one that we're looking at is, or we're discussing at the very least, would be some kind of industry-led set of requirements that would then feed into the insurance business. So if you are not protecting your data of your clients to a set standard then anything that happens to you will not be covered by an insurance policy for data loss. Now, that has got a lot of people going holy smokes Batman, that's going to cause, yes, it's going to cause activity, but it might be timely for that to happen, and the RCMP has been, and myself in particular, talking to insurance underwriters of Canada about that very issue. Even now, it is not a requirement for somebody with a loss to report it to police, in the cyber environment. That needs to change.

Yvan Clermont: Thank you very much Jeff, and I'd like to hear from Benoit about this. How we can build in the, using the interaction between the different elements of the ecosystem, how we can maybe have an integrated data system that helps the ecosystem to function well in fighting cybercrime? So, Benoit I'd like to get your view on that, on the gaps and how we can make this happen.

Benoit Dupont: So to answer your two questions at once, I think there are victims who know they have been victimized because they've lost money but you also have in cyber, a number of victims that have been infected by malware, their machine is infected by a bot and is being used to do some nasty, nasty stuff to other people all around the world. And they have no idea that they're participate in that kind of malicious activity. So, they can't even report that because they're not even aware of that. And one interesting source of data on that are the Internet service providers who provide access to all of us, to the Internet, that track this kind of malicious activity. And it would be interesting as is the case in other countries, to have those Internet service providers work in collaboration with their industry regulator, which is the CRTC, to try to , provide more reliable statistics on the level of infection in Canada, across provinces, of general users, companies, how many machines are being infected by bot nets, what kind of traffic we're seeing in Canada, and how we could be designing mitigation strategies to help people get rid of those nasty malicious software on their machines to produce a cleaner and less harmful digital ecosystem. So that's one example that where countries have used their internet service providers, and telecommunications regulator to work together with statistical agencies and law enforcement to help people to clean up their machines and , in the end benefit from a cleaner ecosystem.

Yvan Clermont: Thank you, that, that's very good input Benoit. To end this conference I'd like to maybe give the last word to Signy. And hear from you, what you believe to be the most important gap in information that if you had the information it would help much more your business and what you're doing to protect victims.

Signy Arnason: Well, there's two sides to that. I guess from an industry standpoint we need much greater accountability and transparency. You take Project Arachnid for example, which is a global tool and solution. You know, it's only crawling certain services, so Facebook sits behind a walled garden, we have no idea in fact what Facebook detects, they do have mandatory reporting schemas that does get reported in. But you know, there are significant challenges in our space because there are varying laws around the world but at the same time as I was referencing earlier, you know, even if the site is sitting on a server in the Netherlands, you know, thousands of Canadians in Canada still have access to that material. So we've sadly approached child sexual abuse material and I think all online crimes in fact, more from a geo-centric standpoint and certainly in our space that has not helped us because material moves and we have to get better at working together to in fact remove content that is harmful and not exclusively focusing on criminal law. So there are a number of gaps that exist and we wouldn't be able to point to those gaps though, without having a system like Project Arachnid to tell that story. So I think that's the first essential part of what we need to do to change this narrative for children, so that we can start to attack this issue not just from criminal law but what's harmful to children and have providers act in a more responsible way in relation to their protection and safety, which again we're seeing through Arachnid is not happening. It's certainly not happening consistently, and if we don't have consistency across the board then the material remains available and it is able to propagate. So there's tremendous problems with that, so that's certainly what we're going to be pushing for as an organization, some significant changes in that regard.

Yvan Clermont: Thank you very much Signy, this is very true as well, education. Barry and I were whispering here. So I think this was a very interesting panel. I'd like to conclude with this. I think we would need full conference just for that, there's too much information. It's very interesting. I'd like to conclude this panel by thanking, first of all the four panelists we had with us today. Starting with Benoit, Signy in Winnipeg, Barry and Jeff on my side here. So thank you very much for participating and also the people who came in the room here today, and the people who are on the web, sending questions and listening in. This was very great. So I hope that you consider joining us for the next panel in the series, which is going to be held in September and the theme is going to jig, gigs, superstars, the post-job economy, and the skills we need in Canada in the digital era. So please join me in a round of applause for today's panelists, so thank you very much. Thank you Benoit and thank you Signy. And hope to be contacting you soon. Thank you.

Date modified: