Citizenship and Immigration Committee on Oct. 3rd, 2012

I think you could start with even local law enforcement. I have seen and know of senior law enforcement officials who have been very active in engaging diverse communities. As opposed to waiting for these communities to come and talk to us, we should be going to them and talking to them, saying, “Tell us a little bit about your part of the world.”

You could say this of government and many other sectors: we suffer from institutional silos. There are both institutional barriers and there are cultural barriers. There's plenty of information that I think you can find on this in numerous research studies, that certain departments have traditionally not worked well together because there's a cultural base.

To go back to almost the same idea from the previous response, it's dialogue. Within your own institutional silo, you could probably handle your issue. But once we start crossing into different departments and into different spectrums, person A from organization A might not work that well with person B. We need to actually start chipping down these silos and getting a more inter-agency response going on.

As a function of that, we are going to start sharing a whole lot more information between each other, and the more information we share with each other, we create a larger database. The larger database that we create is something that we need to safeguard, because like most databases, they become a target; they are a risk. Unless we start chipping down these institutional silos, which could be between departments...and I would even suggest internationally, with some of our traditional allies, we need to talk a little bit more. To take a quote from one of my other fields, in disaster and emergency management, the time to exchange business cards is not when the disaster happens, it's before.

That's a long question. I'll try to give a short response.

There's both the technological side and the human side to this. For example, you can have the absolute greatest technological solution, but if you have someone, say, from this committee walk to a computer and plug in a USB key with a piece of malicious code, you have just compromised the entire system. Not only do we have to have this technological safeguard, and you can see this on numerous reports—the most recent one would probably be the CSIS one that came out last week; we are getting attacked daily. If you want me to get you some statistics on how malicious.... Do you want statistics? Okay.

Again, you have to understand that these are estimates, because not everything is reported, and these are coming from places like McAfee and Google—

We are attacked daily by a cyber threat. We need the technological solution and we need a human solution.

To clarify, are we talking Canadian and U.S. citizens only, or are we talking at large?

That's an absolutely great question. It's a question that I think gets to the very heart of how our two nations need to address a continental, if not a regional—two thirds of the continent—problem or challenge. Yes, we have made tremendous progress over the years—certainly since 9/11—in cooperation and information sharing. ITAC and NCTC both work very closely. You are exactly right. This is that complicated interaction between terrorist information, intelligence, law enforcement information, and relationships between our largest trading partner.

How do we make that all work? I would suggest to you—I'm going to be a little bit cynical here and probably predicate it on only a marginal amount of fact. I would be surprised if we were to say our processes, while evolving, are all predicated on how we protected against rum runners coming across the border during Prohibition. I'm not sure I want to spend a lot of time on bona fide commercial traffic going across the border, so I'm with you. For the legitimate traveller and businessperson, we need to work to solve those relationships. The problem is, we have to have absolute transparency and understanding and the ability to control our borders from the exterior.

I would venture to say the typical resident of Ottawa and the typical resident of Washington, D.C., are not the threat coming across the border. What we have to do is make sure we have the right application of technology and processes that allow us to verify that truck coming from DuPont into Canada contains the materials that are on the bill of lading and that it's driven by a driver who has correct identification. Whatever we can do to make that easy, whether it be RFI technology, biometric technology, as well as sound, protected processes within our individual nations....

I personally believe we should work to the best of our ability to eliminate as many of the controls as possible across the northern border of my country and the southern border of yours, but that means we have to get a number of other things right first. I am not worried about the typical inhabitants of Ottawa. I am worried about people who come up illegally through my country, either to gain access to my country, or to potentially gain access to your country, or people coming in from the north or other points of entry into your country and then trying to come across an unprotected border to the north of mine.

We have to make sure we have the processes and correct interaction between agencies. Again, this gets back to the—intelligence always took place in another part of the world. Now it's law enforcement. I would venture to say—

—in my country, we were much better prepared to do foreign intelligence than we were when the threat came to our own shores.

That's a good point.

Do you want me to take the first crack? Okay.

No technology will be perfect. That's something the committee should understand, not only for this committee, but any study. For any technology, it's simply a function of time before it breaks down—any secure system. It could be a matter of seconds, it could be a matter of years, depending on the security infrastructure that's there.

Will mistakes happen? Yes, mistakes do happen. Of course, I'm not going to name names. I'm going to give an example of where a NEXUS cardholder, someone who has been processed by both countries, has been vetted by both countries, somehow randomly, somewhat frequently, still manages to get four S's on their boarding pass when leaving from a certain airport and not going to a particular other state. The four S's, for people who don't know, is a secondary security threat.

That's a little bit of a problem when you rely solely on the technology to be doing this.

I do not think that tossing away the benefits or the technology writ large of biometrics would be the best of ideas. It's an evolution of how we do identity, and I think the Admiral explained that quite well. We went from tombstone data to photographs to fingerprints. I think the information needs to be secured, with the understanding that it will not be perfect.

So if we're going to invest in these sorts of systems, be it information sharing between departments or biometrics, we have an inherent responsibility also to safeguard the systems, the databases, the infrastructure that they are predicated on.

Again, any sort of database—and this is a great example—becomes a target for others. So we have a responsibility, as we're collecting personal information, that while we do use it to verify and make sure that the right people are coming here, we need to protect it.

This is just my last point before I pass it over to the Admiral.

Starting a biometric file on someone or starting a file at all on someone when they just show up to our border doesn't really do much. We need to know more about the person before they actually come to us. I could just show up, for example, to the United States and give a fingerprint scan. If there's nothing to talk about—George Platsis or this fingerprint or this retina—the file starts there.