Information & Ethics Committee on Feb. 6th, 2024

I'm actually the one, Mr. Chair.

Mr. Chair and members of the committee, on behalf of the Department of National Defence and the Canadian Armed Forces, thank you for inviting us to the Standing Committee on Access to Information, Privacy and Ethics.

My name is Sophie Martel, and I am the acting chief information officer. I am the functional authority responsible for the department's entire information and communication technology program. I ensure that National Defence and the Canadian Armed Forces have a reliable, secure and integrated digital environment that meets operational needs.

My team delivers information and communication technology to support the core functions of defence, which are intelligence, surveillance, reconnaissance, communications, cyber-warfare, command, management and cybersecurity. The defence chief information officer is also responsible for the development and operational availability of the cyber-force within the Canadian Armed Forces cyber-command.

I'm joined today by the director general of cyber and command and control information systems operations, Brigadier-General Yarker.

Brigadier-General Yarker is responsible for the organization and execution of cyber operations and exercises within the Canadian Armed Forces, including the digital forensic function and the maintenance of key national command and control infrastructure.

I would like to emphasize that the protection of personal information is a top priority, and the Department of National Defence is committed to doing everything possible to protect that information. However, there has to be a balance. There's only a limited expectation of privacy when using our IT systems and mobile devices because they are subject to monitoring for the purposes of system administration, maintenance and security, and to ensure policy compliance.

Our monitoring is compliant with applicable government policies and standards.

In conclusion, I wish to reiterate that the Department of National Defence and the Canadian Armed Forces will continue to deliver on their mandate while protecting personal information.

My colleague and I would be pleased to address any questions you may have. As a matter of policy and to ensure operational security, we cannot disclose details on the use of specific equipment or on systems used operationally.

Thank you.

Good morning, and thank you very much.

Thank you for this opportunity to speak about Natural Resources Canada's use of technological tools to safeguard our technological and data assets and ensure the consistent evolution and growth of our scientific endeavours.

I would like to recognize that I am speaking to you from the traditional unceded territory of the Algonquin Anishinaabe people. We recognize Indigenous peoples as the customary keepers and defenders of the Ottawa River watershed and its tributaries. We honour their long history of welcoming many nations to this beautiful territory and uphold and uplift the voice and values of our host nations.

As noted, I am Francis Brisson, the chief financial officer and assistant deputy minister responsible for corporate management services at Natural Resources Canada. My primary responsibilities include corporate services, human resources, information technology and security. Our department's chief information officer and CIO, Pierre Pelletier, who is here with me today, is responsible for the management, implementation and usability of information and computer technology at NRCan.

NRCan is both a science-based and a policy and economic organization. It is critical for NRCan to ensure its core functions remain resilient and responsive to internal and external threats. Threats affect not only our digital data but also our physical systems and devices. As the complexity of our digital environment grows, so does the risk of compromising our systems and assets. These risks include data breaches, intellectual property theft, service disruptions, financial setbacks and security threats.

Protecting against and responding to risks requires regular and sustained effort. Our department, like others, has many different systems, policies and tools to manage and respond to risks. Addressing and responding to threats can require forensic software tools. NRCan purchased a licence for magnetic forensics to have this tool in our tool kit, but we have never used it.

I would also underline that should the department have business requirements to use this software or similar software, NRCan will follow protocols and requirements for appropriate use and privacy impact assessments.

Thank you for your attention. Pierre Pelletier and I are pleased to answer your questions about our work.

Thanks for the question.

We have a number of privacy impact assessments on the go right now. From a CIO point of view, as we are responsible for the security of our network, we follow the FAA, the standards of Treasury Board and all the laws. Outside that, if there's a need for a PIA, we actually work on it. For example, at this point in time we're looking at Microsoft 365, because we're starting to record information and do transcripts, and we're starting to look at what this will imply from a PIA point of view.

Currently, a number of them in the department are ongoing.

Good morning.

From our perspective, like we said at the beginning in our opening remarks, we did purchase the tool. It was a tool we've purchased to have in our tool kit, and we have not used it from our perspective. One thing I wanted to reiterate and assure the committee of is that, should we plan on using the tool, that would be done only through a security mandate and clear protocols would be followed. Should we be using the tool, we will be doing a PIA from our perspective should that be the case.

At this point, we haven't used it. Should it be used further to an approved mandate from our chief security officer, we'd look at doing a PIA as we moved forward.

From an NRCan perspective, we have tools and we have to monitor our system and so forth from that perspective. We ensure we are respectful and we support the policies around all of that. From our perspective, there are tools we are using to ensure we gather information, but it's done in the context of TBS policies and so forth.

The tool we've talked about, the forensic, has never been used, and should it be used, it would only be used internally. All the monitoring systems we have from our perspective in that space are used for internal purposes for within the organization and for administrative purposes in line with security requirements following a clear security mandate as we move forward.

Yes. In 30 seconds, we investigate networks, not people. In order to investigate networks, we do need to use tools to ensure the confidentiality, the integrity and the availability of data. That's following the FAA, the Treasury Board standard and the Privacy Act.

It's used to monitor our network, only our network.

The purpose of the privacy impact assessment is to make sure that we protect the information of citizens.