Evidence of meeting #31 for Procedure and House Affairs in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

  • Toni Moffa  Deputy Chief, IT Security, Communications Security Establishment Canada
  • Robert Gordon  Special Advisor, Cyber Security, Canadian Cyber Incident Response Centre, Department of Public Safety and Emergency Preparedness
  • Commissioner James Malizia  Assistant Commissioner Protective Policing, Protective Policing Branch, Royal Canadian Mounted Police
  • Tony Pickett  Officer In Charge, Technological Crime Branch, Royal Canadian Mounted Police

11:05 a.m.

Conservative

The Chair Joe Preston

We will go ahead and start our meeting today. It's meeting number 31. We're here pursuant to an order of reference of Tuesday, March 6, the question of privilege relating to threats to the member from Provencher.

We have some guests today, and our meeting is broken into two parts. Let's go ahead and get started. I understand that you have some opening comments. Please introduce yourselves, and go ahead with your opening comments. We'll have questions from members right after.

11:05 a.m.

Toni Moffa Deputy Chief, IT Security, Communications Security Establishment Canada

Thank you, Mr. Chairman.

I am happy to be given the opportunity to appear before the committee today. My name is Toni Moffa and I am the assistant deputy minister or deputy chief of the information technology security program at Communications Security Establishment Canada, or CSEC. With me today is Scott Jones, the director general of our cyber defence branch.

I will begin with some opening remarks that summarize the mandate and activities of CSEC. The mission of CSEC, for over 65 years now, is to provide information and to protect information of importance to the Government of Canada.

As you may already know, CSEC leverages its leading-edge technology expertise and national and international partnerships to provide three key services to the government of Canada. First, we collect foreign signals intelligence in accordance with the federal government's intelligence priorities that are established annually by cabinet.

Second, we provide advice and services that help protect electronic information and information systems of importance to the government of Canada through our IT security program. This is the program that I am responsible for and representing today.

Third, while we are not a law enforcement, investigative, or regulatory agency, we do work with our federal partners in the security intelligence and law enforcement community in the form of technical and operational assistance that allows them, on their request, to leverage our unique expertise and capabilities at CSEC in the lawful pursuit of their own mandates.

All of our mandated activities are subject to numerous internal and external accountabilities and reviews, including the external and independent review by the Communications Security Establishment Commissioner, to ensure our strict adherence to applicable laws that govern our operations and to respect the privacy of Canadians.

I am the assistant deputy minister responsible for managing the IT security program. That program provides products and services that help prevent, detect, and defend against information technology security threats and vulnerabilities. In this capacity, we share a responsibility with other federal departments and agencies. We work with the Treasury Board of Canada Secretariat's chief information officer branch, with Public Works and Government Services Canada, and with the newly created Shared Services Canada to reduce vulnerabilities and diminish the success of IT security threats in federal IT systems.

For prevention purposes, we develop technical standards and guidance, which, when implemented by federal departments and agencies, help strengthen their IT systems' security and resilience. To detect and defend against IT security threats, we work closely with the Treasury Board of Canada Secretariat and Shared Services Canada, and with the additional cooperation of the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, and Public Safety Canada, we track the activities and methods of IT security threats seeking to steal or do harm to federal information systems, or to systems that the federal government cares about.

The contribution of CSEC to these shared efforts is to use our unique technical expertise, capabilities, and classified information to complement the commercial security technologies already available or in use by federal IT security practitioners. Commercial security technologies used in federal systems, similar to those used by individual citizens on home computers and networks, help track millions of publicly known threats, and prevent the success of cyber-activity that could result in the theft of sensitive, classified, or personal information, or an online criminal activity.

Similarly, CSEC has developed its own methods and operations to monitor federal government communication connections to the Internet, and to detect and defend against those IT security threats that are not in the public domain. For systems that fall victim to these activities, CSEC offers assistance for a focused and quick response to mitigate the IT security incident, and prevent it from recurring. Technical information on these IT security incidents that occur in one area or department is also shared across government IT departments, including the parliamentary precinct, in an effort to avoid similar IT security threat activities from occurring there.

In order to take greater steps to enhance IT security across the country, this information is also shared with our Public Safety Canada partners, who will share the information through their partnerships outside the federal government.

The Internet has evolved into an indispensable and useful tool for government operations, businesses and their financial transactions, social networking, and information sharing for citizens. However, with two billion users on the Internet, it is also an environment that is attractive to those who seek to take advantage of its inherent vulnerabilities for criminal or other nefarious activities. Through CSEC's IT security program, our products and services try to help prevent those things from happening on government networks, and we also help them recover when they become the victim of serious IT security threats.

That is my brief overview of CSEC and its IT security program. I'd be happy to respond to any of your questions.

11:05 a.m.

Conservative

The Chair Joe Preston

Thank you very much for your opening statement. It has brought more questions than answers to me, but I'm sure the members will help take care of that for me.

Mr. Albrecht, you're up first, for seven minutes, please.

11:05 a.m.

Conservative

Harold Albrecht Kitchener—Conestoga, ON

Thank you, Mr. Chair.

I want to thank our witnesses for being here today.

As I entered the room, I assured the witnesses that we were here today to learn a bit about what we can learn about this issue. Mr. Bard appeared before us earlier in our study. I think he gave us, as a committee, a pretty clear assurance that the actual security systems on the Hill are as secure as we can possibly ask for, and there's a lot of good activity going on surrounding the security.

Your entire address this morning dealt with IT security. As you know, we're dealing with another issue today that delves into some of that, but broadens out into the Anonymous group. Could you just tell me briefly what you're aware of in terms of Anonymous, how they operate, and what kinds of threats they may pose in terms of hacking into IT systems here on the Hill?

11:10 a.m.

Deputy Chief, IT Security, Communications Security Establishment Canada

Toni Moffa

What we generally know about Anonymous is available from open sources mostly.

Certainly what we're interested in, when we look at groups or individuals such as these, are the techniques they use and some of the technical techniques they could use to conduct IT security breaches of systems for their own purposes and to meet their own ends.

Some of the techniques and methods that we try to mitigate against would address things like how to address a distributed denial of service attack or a spear-phishing attack, which is a luring attack on a system, and put measures in place that strengthen security overall on that system.

It would look at things that network owners could do at the perimeter of the network in terms of monitoring and looking for signs of alerts, responding to those quickly and mitigating the damage that they could cause, as well as looking internally to the systems to provide advice and guidance on how they can better protect themselves and their information holdings as well.

Those are the types of things we would look at in relation to those types of groups and individuals.

11:10 a.m.

Conservative

Harold Albrecht Kitchener—Conestoga, ON

Thank you.

The issue that we're looking at today, and through this study, deals with a threat as regards a parliamentarian to actually carry out their duties as a legislator to introduce legislation—a threat to do whatever they can to make sure that legislation doesn't pass. I think that's a pretty serious threat.

One of the challenges we face is how to determine who actually posted this threat in terms of accessing IP addresses and that sort of thing. Certainly we know that we have challenges here locally.

Is there any mechanism or are there any international arrangements that would allow us, if someone would post a threatening video on YouTube, to access the source of that and identify the person posing a threat that, I think, is a real threat to the entire democratic process?

11:10 a.m.

Deputy Chief, IT Security, Communications Security Establishment Canada

Toni Moffa

The threat that you're referring to, I assume, is referring to—

11:10 a.m.

Conservative

Harold Albrecht Kitchener—Conestoga, ON

Mr. Toews.

11:10 a.m.

Deputy Chief, IT Security, Communications Security Establishment Canada

Toni Moffa

—the posting of the videos.

From our perspective, it's not an IT security breach that we would deal with.

11:10 a.m.

Conservative

Harold Albrecht Kitchener—Conestoga, ON

No, exactly.

11:10 a.m.

Deputy Chief, IT Security, Communications Security Establishment Canada

Toni Moffa

It would be best dealt with by an investigative body or agency that would do that type of investigation and leverage their partnerships.

11:10 a.m.

Conservative

Harold Albrecht Kitchener—Conestoga, ON

Do you have working relationships with other investigative bodies, whether it's FBI, Scotland Yard, or any other agencies that would allow our authorities to be able to investigate who in fact is behind a specific threat?

11:10 a.m.

Deputy Chief, IT Security, Communications Security Establishment Canada

Toni Moffa

Our international partnerships are most closely aligned with those who conduct similar activities to our own, so those are not investigative bodies.

11:10 a.m.

Conservative

Harold Albrecht Kitchener—Conestoga, ON

Okay.

I want to go back to what you said at the first, that your primary responsibility is IT security. I respect that. I understand that. Do you have any advice for the committee in terms of how we can deal with this very amorphous Anonymous group?

I mean, we don't even know who they are. Obviously no one does. What advice would you have for a committee that's trying to prevent the kind of threats to the democratic process that I think this particular situation dealing with Mr. Toews and a piece of legislation that was proposed and actually threatening to short-circuit our work?

11:10 a.m.

Deputy Chief, IT Security, Communications Security Establishment Canada

Toni Moffa

Unfortunately, the best advice I can provide only relates to IT security: how they may be breached and how we can prevent those.

As to other issues surrounding this situation, I'm not very qualified to respond to that.