Evidence of meeting #31 for Procedure and House Affairs in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was threat.
A recording is available from Parliament.
April 3rd, 2012 / 11:05 a.m.
Conservative
The Chair Conservative Joe Preston
We will go ahead and start our meeting today. It's meeting number 31. We're here pursuant to an order of reference of Tuesday, March 6, the question of privilege relating to threats to the member from Provencher.
We have some guests today, and our meeting is broken into two parts. Let's go ahead and get started. I understand that you have some opening comments. Please introduce yourselves, and go ahead with your opening comments. We'll have questions from members right after.
11:05 a.m.
Toni Moffa Deputy Chief, IT Security, Communications Security Establishment Canada
Thank you, Mr. Chairman.
I am happy to be given the opportunity to appear before the committee today. My name is Toni Moffa and I am the assistant deputy minister or deputy chief of the information technology security program at Communications Security Establishment Canada, or CSEC. With me today is Scott Jones, the director general of our cyber defence branch.
I will begin with some opening remarks that summarize the mandate and activities of CSEC. The mission of CSEC, for over 65 years now, is to provide information and to protect information of importance to the Government of Canada.
As you may already know, CSEC leverages its leading-edge technology expertise and national and international partnerships to provide three key services to the government of Canada. First, we collect foreign signals intelligence in accordance with the federal government's intelligence priorities that are established annually by cabinet.
Second, we provide advice and services that help protect electronic information and information systems of importance to the government of Canada through our IT security program. This is the program that I am responsible for and representing today.
Third, while we are not a law enforcement, investigative, or regulatory agency, we do work with our federal partners in the security intelligence and law enforcement community in the form of technical and operational assistance that allows them, on their request, to leverage our unique expertise and capabilities at CSEC in the lawful pursuit of their own mandates.
All of our mandated activities are subject to numerous internal and external accountabilities and reviews, including the external and independent review by the Communications Security Establishment Commissioner, to ensure our strict adherence to applicable laws that govern our operations and to respect the privacy of Canadians.
I am the assistant deputy minister responsible for managing the IT security program. That program provides products and services that help prevent, detect, and defend against information technology security threats and vulnerabilities. In this capacity, we share a responsibility with other federal departments and agencies. We work with the Treasury Board of Canada Secretariat's chief information officer branch, with Public Works and Government Services Canada, and with the newly created Shared Services Canada to reduce vulnerabilities and diminish the success of IT security threats in federal IT systems.
For prevention purposes, we develop technical standards and guidance, which, when implemented by federal departments and agencies, help strengthen their IT systems' security and resilience. To detect and defend against IT security threats, we work closely with the Treasury Board of Canada Secretariat and Shared Services Canada, and with the additional cooperation of the Canadian Security Intelligence Service, the Royal Canadian Mounted Police, and Public Safety Canada, we track the activities and methods of IT security threats seeking to steal or do harm to federal information systems, or to systems that the federal government cares about.
The contribution of CSEC to these shared efforts is to use our unique technical expertise, capabilities, and classified information to complement the commercial security technologies already available or in use by federal IT security practitioners. Commercial security technologies used in federal systems, similar to those used by individual citizens on home computers and networks, help track millions of publicly known threats, and prevent the success of cyber-activity that could result in the theft of sensitive, classified, or personal information, or an online criminal activity.
Similarly, CSEC has developed its own methods and operations to monitor federal government communication connections to the Internet, and to detect and defend against those IT security threats that are not in the public domain. For systems that fall victims to these activities, CSEC offers assistance for a focused and quick response to mitigate the IT security incident, and prevent it from recurring. Technical information on these IT security incidents that occur in one area or department is also shared across government IT departments, including the parliamentary precinct, in an effort to avoid similar IT security threat activities from occurring there.
In order to take greater steps to enhance IT security across the country, this information is also shared with our Public Safety Canada partners, who will share the information through their partnerships outside the federal government.
The Internet has evolved into an indispensable and useful tool for government operations, businesses and their financial transactions, social networking, and information sharing for citizens. However, with two billion users on the Internet, it is also an environment that is attractive to those who seek to take advantage of its inherent vulnerabilities for criminal or other nefarious activities. Through CSEC's IT security program, our products and services try to help prevent those things from happening on government networks, and we also help them recover when they become the victim of serious IT security threats.
That is my brief overview of CSEC and its IT security program. I'd be happy to respond to any of your questions.
11:05 a.m.
Conservative
The Chair Conservative Joe Preston
Thank you very much for your opening statement. It has brought more questions than answers to me, but I'm sure the members will help take care of that for me.
Mr. Albrecht, you're up first, for seven minutes, please.
11:05 a.m.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Thank you, Mr. Chair.
I want to thank our witnesses for being here today.
As I entered the room, I assured the witnesses that we were here today to learn a bit about what we can learn about this issue. Mr. Bard appeared before us earlier in our study. I think he gave us, as a committee, a pretty clear assurance that the actual security systems on the Hill are as secure as we can possibly ask for, and there's a lot of good activity going on surrounding the security.
Your entire address this morning dealt with IT security. As you know, we're dealing with another issue today that delves into some of that, but broadens out into the Anonymous group. Could you just tell me briefly what you're aware of in terms of Anonymous, how they operate, and what kinds of threats they may pose in terms of hacking into IT systems here on the Hill?
11:10 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
What we generally know about Anonymous is available from open sources mostly.
Certainly what we're interested in, when we look at groups or individuals such as these, are the techniques they use and some of the technical techniques they could use to conduct IT security breaches of systems for their own purposes and to meet their own ends.
Some of the techniques and methods that we try to mitigate against would address things like how to address a distributed denial of service attack or a spear-phishing attack, which is a luring attack on a system, and put measures in place that strengthen security overall on that system.
It would look at things that network owners could do at the perimeter of the network in terms of monitoring and looking for signs of alerts, responding to those quickly and mitigating the damage that they could cause, as well as looking internally to the systems to provide advice and guidance on how they can better protect themselves and their information holdings as well.
Those are the types of things we would look at in relation to those types of groups and individuals.
11:10 a.m.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Thank you.
The issue that we're looking at today, and through this study, deals with a threat as regards a parliamentarian to actually carry out their duties as a legislator to introduce legislation—a threat to do whatever they can to make sure that legislation doesn't pass. I think that's a pretty serious threat.
One of the challenges we face is how to determine who actually posted this threat in terms of accessing IP addresses and that sort of thing. Certainly we know that we have challenges here locally.
Is there any mechanism or are there any international arrangements that would allow us, if someone would post a threatening video on YouTube, to access the source of that and identify the person posing a threat that, I think, is a real threat to the entire democratic process?
11:10 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
The threat that you're referring to, I assume, is referring to—
11:10 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
—the posting of the videos.
From our perspective, it's not an IT security breach that we would deal with.
11:10 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
It would be best dealt with by an investigative body or agency that would do that type of investigation and leverage their partnerships.
11:10 a.m.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Do you have working relationships with other investigative bodies, whether it's FBI, Scotland Yard, or any other agencies that would allow our authorities to be able to investigate who in fact is behind a specific threat?
11:10 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
Our international partnerships are most closely aligned with those who conduct similar activities to our own, so those are not investigative bodies.
11:10 a.m.
Conservative
Harold Albrecht Conservative Kitchener—Conestoga, ON
Okay.
I want to go back to what you said at the first, that your primary responsibility is IT security. I respect that. I understand that. Do you have any advice for the committee in terms of how we can deal with this very amorphous Anonymous group?
I mean, we don't even who know they are. Obviously no one does. What advice would you have for a committee that's trying to prevent the kind of threats to the democratic process that I think this particular situation dealing with Mr. Toews and a piece of legislation that was proposed and actually threatening to short-circuit our work?
11:10 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
Unfortunately, the best advice I can provide only relates to IT security: how they may be breached and how we can prevent those.
As to other issues surrounding this situation, I'm not very qualified to respond to that.
11:10 a.m.
Conservative
11:15 a.m.
NDP
Philip Toone NDP Gaspésie—Îles-de-la-Madeleine, QC
Thank you, Mr. Chair, and thank you for your presentation. It's certainly enlightening.
I have to say the security establishment is probably the least known of all of our security services. I only learned about it in university, when one of your colleagues explained to me that he worked for you. I was very interested to hear what he had to say.
My understanding is that the security establishment's limitation is that your mandate is to seek security breaches that may happen outside the confines of Canada. You're kind of a firewall against threats that may come into this country. Is that an accurate reflection?
11:15 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
For the purposes of protecting federal systems, yes, we look at those connections to the Internet and activities going on there for any signals of threat activity that may cause harm to our federal networks.
11:15 a.m.
NDP
Philip Toone NDP Gaspésie—Îles-de-la-Madeleine, QC
I certainly admit, you understand as well, that this is quite a task. The Internet is a network set up by the military many years ago, and specifically designed so that it could be entered into from just about any place, you could access it from just about any location. It was built so that there would be redundancies in case of failures or attacks in certain locations. It's a very difficult nut to crack. It's the beauty of the Internet. I think it's a highly democratic structure. I think the military has to be applauded for creating a democratic structure, but at the same time, any security agency is going to have a terrible time trying to detect threats and being able to deal with them appropriately.
Within the context of the threat we're looking at here, we were asked by Minister Toews—and just in passing, I'm sure we all wish him a speedy recovery. I understand he's still hospitalized, and that's never something I would wish on anyone. We're here because he was threatened specifically by a YouTube video that was posted, and my understanding is that in fact it was posted outside of Canada as well. So there was a YouTube video that was sitting on a server elsewhere. The very structure of the Internet makes it very hard to determine where it's residing. There are servers all over the place. Again, redundancies within the IP system would make it very difficult to determine where the fault lies and where the threat is coming from.
I'd just like to understand better. If your mandate is to protect us against foreign signals and intelligence, to protect the Canadian government and Canadians in general from IT security threats, threats that seek to steal or do harm to federal information systems, where does that fit in within our mandate here?
We started this with a YouTube video that was posted, so where is the threat exactly in the YouTube video? Is it possible that, if you click on the link for that YouTube video, a hack would automatically come into this country and possibly compromise your security here? Would that be a fair and accurate reason why we're worried about this particular YouTube video?
11:15 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
From our technical expertise perspective, a publicly available tool was used to post some information, in this case a video, to the Internet. So from information available to us, that is not an IT security breach in our minds, right? It's not a technical threat.
11:15 a.m.
NDP
Philip Toone NDP Gaspésie—Îles-de-la-Madeleine, QC
Have you been called upon to investigate this? Has the security establishment actually been called to look into this particular so-called threat?
11:15 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
I'm aware there's an investigation ongoing, but it would be inappropriate for me to comment on that.
11:15 a.m.
NDP
Philip Toone NDP Gaspésie—Îles-de-la-Madeleine, QC
If I understand your mandate, this wouldn't fall within your purview, would it?
11:15 a.m.
Deputy Chief, IT Security, Communications Security Establishment Canada
Part of our mandate is to offer assistance to other federal departments, should they request it, in the pursuit of their own mandate. So there is an opportunity for them to use our technical expertise, upon request.