What are the legal/regulatory/fiduciary responsibilities for Toronto City Council as it relates to Cyber/protection of privacy and are there any gaps related to Cyber?

Based on the City’s divisions and A&C’s, what are and how many regulations/acts/etc. exist (municipal, provincial, federal, north American (electricity, water), and international) that Council is directly accountable for (e.g. like a Board of Directors). Of these, which ones relate to Council having a duty to ensure that Cyber posture and controls are adequate. Which ones highlight liability for the city due to cyber negligence and/or personal liability. Any of them result in fines, etc.?

https://www.toronto.ca/wp-content/uploads/2017/11/91e9-city-toronto-organizational-chart.pdf

https://www.toronto.ca/wp-content/uploads/2020/06/9766-Agency-Chart-May-2020.pdf

How can quantum computers and AI be leveraged to defend the City of Toronto and go on the offensive when attacked?

What are the use cases that can be deployed in 2021, 22, 23 by leveraging the combination of quantum computing and AI to not only monitor and defend but go on the offensive against bad actors? What type of funding is available and who can we partner with in Canada, abroad? How do make this turn into a reality?

What are effective ways to extend cyber digital government services to underprivileged/vulnerable communities/population?

All around the world, governments are establishing online presences, launching digital services, and embracing e-government as part of the digital transformation of everyday life. As per latest statistics, only 63% of people use e-governance services across Americas. Despite some investments and developmental gains, many people are unable to benefit from this transformations because of poor connectivity, high cost of access and lack of necessary skills. Discuss practical ways to increase the reach and adoption of digital government cyber services.

Methods to automatically aggregate previously unseen cybersecurity data from open source and/or commercial products for downstream analysis

Accurate cybersecurity situational awareness requires a combination of data sources to achieve. While the storage and analysis of large quantities of data is achievable using existing commercial products such as Splunk, the process of configuring these platforms requires the existence or creation of data parsers to wrangle data into usable forms for downstream analysis. As new products and sensors are introduced or updated, each data parser must subsequently be updated creating a Sisyphean task for vendors to keep products up to date. While vendors are updating their products, cybersecurity operators’ situational awareness suffers blindspots. CybernetIQ has existing machine learning and analytics tools that work on structured data and is seeking a partner to help solve the data wrangling problem.

How to identify key policy and regulatory enablers and barriers to digital identity growth?

Particularly within government service delivery, there is a need for policy development around the acceptance of cross-sector digital identity and data sharing. Examples of existing challenges include in-person requirements for service delivery, physical document review (e.g. via fax), restrictions on interjurisdictional data sharing and user consent, and the potential for opening up government data sources for use by the private sector. Policies need to be considered for ongoing legal review and compatibility with digital identity initiatives. Further analysis needs to be conducted to ensure comprehensive alignment across member organizations.

How does the Digital Identity Community engage Canada’s Academia community for the development and expansion of the Canadian IT ecosystem for digital identity?

DIACC is interested in exploring ways to engage universities and students to educate on the potential opportunities in the Digital ID industry. As an example, supporting the development of a Digital Identity shared curriculum. Academic institutions are uniquely positioned to innovate new solution pathways and offer ideal multidisciplinary settings in which to develop identity curriculum. DIACC can help to coordinate the activities among academic institutions across jurisdictions and disciplines, and identify timely and relevant identity issues and topics for consideration for inclusion in shared curriculum resources. Would welcome any ideas to support this type of engagement.

How can agentless monitoring, immutable servers and infrastructure as code. eliminate or reduce our dependency on the supply chain and therefore our attack surface to both computing infrastructure and software systems?

As we are all aware, the recent SolarWinds attack involved hackers adding malicious code to a software system which was in turn, sent out to customers as software updates/patches. Could this supply chain attack have been avoided using an approach where systems are not “open” to 3rd party vendors?

We can obtain insights from Big Data to detect cybersecurity threats which can tell us whether we are being attacked and where our systems are vulnerable. However, how can we use Big Data to foresee what types of threats are on the horizon using trend analysis, event correlation, predictive modelling and machine learning to not only provide information to act upon but also a recommendation system identifying ways to address the security gaps – all in near real-time?

The SolarWinds cyber-attack is just one example of many where the breach was not detected for a number of months. The Big Data movement is creating the mindset to collect as much data as you can “get your hands on”, however, what is more important is determining what data is relevant, both structured and unstructured, what detectable events led up to attack and what the predictive indicators of cybersecurity threats are.

What is your opinion of using software defined networking as a cyber-defence tool?

.

What challenges do you see with protecting disruptive, intermittent and latent networks as most cyber defense tools depend on highly reliable and connected networks?

The 8 fallacies of distributed systems.

How could the combination of software defined networking with zero trust concepts work together as a possible means for remediating cyber attacks

.

What are the biggest challenges for our technology and organizations in securing effective cyber defence and/or cyber resilience programs today?

There is a growing concern that after years of investments in cyber security, it is not clear that we are keeping up in defending our cyber domains against the ever more sophisticates threats.

What are the needed and anticipated breakthroughs in Security (technology, process and people) that will eventually enable the effective cyber defence and/or resilience programs?

There is a growing concern that after years of investments in cyber security, it is not clear that we are keeping up in defending our cyber domains against the ever more sophisticates threats.

What is the current state of voice authentication and liveness detection innovation and where should this research goes next for security agencies?

.

How can organizations run data classification on their encrypted data and obtain the same results as running the classification on unencrypted data?

Data classification is a critical step in any data security strategy. It enables an organization to discover the location and type of sensitive data in structured and unstructured data repositories. The insight gained is then used to quantify risk so that the deployment of security controls such as database activity monitoring and encryption can be prioritized. Unfortunately, running data classification today requires gaining access to the data in an unencrypted state which may violate data privacy. Being able to run data classification on encrypted data would address this problem. But also poses interesting research challenges to do this in a manner that is accurate, scalable and performant. 

How can organizations predict security impacts to their business based on geo-political dynamics?

Topic is based on current situations, state actors are impacting businesses due to political dymamics between countries. Can a predictable model be developed based business type , geo presence etc.   

Is it the individual or company’s responsibility to defend and proactively offend against cyber attacks, or should the Government play a more active role in defending individuals and companies against nation-state threat actors?

One of the main roles of government is the protection of citizenry. Should the government’s role in digital protection of the citizenry be expanded? The Canadian Government has strong capabilities in cyber defence, and their ability to engage in offensive cyber has been expanded in recent year. But their scope is limited to protecting government and critical infrastructure. Individuals and companies of the country do not directly benefit from those capabilities as it relates to personal or corporate data (other than efforts to protect government and critical infrastructure).

Recent federal and local policy in Canada has promised equitable and affordable access to high speed internet to rural and underserved populations. Should security literacy (or centralized security controls) be considered as part of broader access to high speed internet? Is this a missed opportunity to connect wide swaths of the population without equipping them to be safe online?

.

How do we ensure that multi-factor authentication solutions are designed and developed to be inclusive of globally diverse user groups while maintaining highly secure environments?

Our businesses are global but our local teams may not always reflect the vast diversity of our user groups. As a result, products sometimes don’t work for all users. For example, the UK government released passport facial recognition software that wasn’t compatible with dark skin. The pandemic has also highlighted many areas where products weren’t built for users, for example complex device log-in requirements that may be difficult for the children now relying on them for education. As more and more applications move to multi-factor authentication, how do we ensure we’re considering all of our users in our design and development?

With regards to the development of digital identities, how can we collaborate across jurisdictions to build widely recognized, robust solutions that are available to globally diverse user groups?

More and more organizations are looking to solve the digital identity issue- often collaborating across jurisdictions within countries to ensure compatibility. How do we expand this collaboration to ensure that solutions are globally accepted?

How companies can train machine learning models and run statistical analysis on their encrypted data and get the same results as training models on unencrypted data? The solution should be saleable.

Keeping Data private becoming more and more important for companies during these era. One of the most proven way of keeping data private is to save them encrypted. Although, encryption is good for keeping data safe, it is hard to draw any meaningful insight from encrypted data.

We are looking at a comprehensive scalable solution that does ML on encrypted data. Encrypted data ensures privacy, but it makes ML extremely difficult in terms of extracting relevant information and building relationships between data points.

It is important for companies to find the vulnerability in their system before fraudsters do. How to do we implement reinforcement learning to detect vulnerabilities in companies public pages?

Software and websites can contain exploits or loopholes that hackers/fraudsters can take advantage of. This can have a variety of consequences, ranging from disruption of services to theft of information. Software & websites are often tested using heuristics via a process called fuzz testing. Can we use AI for fuzz testing? E.g. with generative algorithms or reinforcement learning

To what extent could large enterprises face these same risks, and most importantly, how can such an enterprise defend against this type of attack?

The last few years have witnessed a significant rise in the use of disinformation in the political realm, driven by hack/leak operations (both real and fake) and decentralised distribution and propagation via social media.

While cloud technology moves towards edge computing, and knowing edge computing prone to few attack surface how to proactively identify and eliminate those attacks?

Edge computing is a distributed computing paradigm that brings computation and data storage closer to the location where it is needed, to improve response times and save bandwidth.

What is the best way to predict a person’s vulnerability to cybersecurity threats? How can this information be applied to protect the global RBC family?

RBC is everyone’s Bank. We want to keep our clients, third party-partners, and employees safe from the ever-evolving system of cyber threats they face on a daily basis. That said, research suggests that human susceptibility to specific cyber-attacks can vary. What is the best way to map & mitigate individual exposure to cyber-attacks?


Reference [copy/paste if hyperlink fails]: https://academic.oup.com/policing/article/14/2/479/4970000

What is the most effective way to identify malicious correspondence (email, SMS, telephone, etc.)? How can AI be applied to make it easier for humans to manage this threat?

Every day, 100,000 RBCers receive myriad emails from seemingly infinite sources. Although we employ cutting edge filtration technology, RBCers remain exposed to phishing, vishing, and other thematically similar forms of cyber-attacks, each of which – when successful – compel significant post-incident management & can drain other resources. We are exploring imaginative ways to strengthen our resilience against all forms of malicious correspondence. Example: You’re invited.

What is the best way to customize global enterprise cybersecurity Awareness & Education activities? How might personality data be applied to optimize learning & retention?

RBC delivers cybersecurity awareness & education activities across the globe. With 100,000 employees from 33 countries calling RBC their workplace, one size rarely fits all. Research suggests that personality traits can be applied to optimize the delivery of learning activities. We plan to apply these ideas (and more) to optimize awareness & education activities across the globe.

Blockchain’s promise of an immutable, append-only repository was hamstrung by its reliance on high-latency low-throughput consensus algorithms. But what are the formal definitions of digital immutability, and what thresholds must be met to achieve it? Is replication and consensus amongst disinterested parties a theoretical prerequisite, or are there other ways of bestowing immutability and non-repudiation to digital records?

With the exponential spread of decision automation into ever more critical application domains, the input data is rapidly becoming one of the largest attack surfaces in the cyber ecosystem. Unauthorized manipulation of such inputs, if undetected, can bias decision algorithms and subvert whatever systems depend on them. For this and other reasons, it seems the scalable detection/prevention of such digital forgery is a pressing cybersecurity issue.

What AI/ML techniques exist for effective cybersecurity analytics on unlabeled data streams

When it comes to cybersecurity and using real world datasets from enterprises for training machine learning models for intrusion and threat detection, the datasets that enterprises carry are unlabeled (e.g. network communication). Additionally the malware behaviour evolves with time and malwares changes its attack patterns and becomes more sophisticated in hiding its tracks.

Given the above, we would like to address following research goals:
• What will be an effective architecture for intrusion detection systems given that malware and attackers become more sophisticated over time and behaviour evolves
• What would be the best way of evaluating intrusion detection systems give majority of the dataset is labelled
• What would be some of the ways of creating realistic synthetic data sets
• Once deployed in production, what would be an effective architecture and approaches to keep the IDS up-to-date. Can this be done in an automated way without human feedback

How can technologies like Federated Machine Learning, Mobile Edge Computing in 5G and Blockchain be used for intrusion and threat detection in CAVs.

What would be the most effective way of detecting rogue objects (vehicles, road side units etc.). Since vehicles are on the move what would be an effective architecture for intrusion and threat detection system in this case to effectively detect if a vehicle is exhibiting malicious and abnormal behaviour. Also when it comes to prediction past behaviour is relevant. In this case where a vehicle is on the move, what will be an effective system architecture to share vehicles past behaviour so IDS can use that along with vehicle’s current behaviour to decide if a vehicle is exhibiting malicious behaviour in sub second time

What aspects of a remote work arrangement represent the most vulnerability from an organizational data security perspective (IoT devices, routers, laptops, human vulnerability, insider threat etc.), and what systems, tools, governance approaches are best suited to detecting and preventing these data security risks?

Organizations have come to the realization that remote working arrangements are not only the “new normal” but are here to stay – even after the pandemic. In light of this, our clients have increasingly been focused on ensuring they are proactively addressing both short and long-term cyber issues related to remote working. As privacy and cybersecurity lawyers we routinely advice our clients on breach prevention and preparedness, and in that capacity we want to ensure we have a holistic view of the various the cyber-risks (systemic and otherwise) associated with remote work and the organizational and technological approaches and tools being currently contemplated and deployed to address those risks.

How can home-workers safely share paper-based documents without putting corporate data security or regulatory compliance at risk? What processes, governance, or hardware/software technologies can be leveraged? So safe company intellectual assets and personal information until such time as employees safely return to the office?

Most organizations have at least some of their knowledge workers working from home these days; however many business are still reliant on paper-based workflows.