Public Accounts Committee on April 23rd, 2013

Thank you very much.

That exhausts our rotation of speakers. What we have to do before we go, however, is deal with some information that was requested.

Just before I do that, I wanted to call your attention to the Auditor General's comment in his ninth paragraph, where he ended it by saying that officials raised concerns that the cyber-threat environment might be evolving faster than the government's ability to keep up with the changes. If that's true, it's inevitable that at some point we're going to lose the race and be in serious trouble.

Mr. Guimont, give us your thoughts.

Thank you. I appreciate that.

Colleagues, a number of you have asked for some information. This has become a bit of an issue within the committee as to how we proceed in this regard. We have an informal committee struck to deal with that, which has not yet started to meet. I noted six items that we need to get some understanding on. I'm going to ask for the extraordinary cooperation of members. Please bear in mind that we haven't yet worked out what the rules we will be in terms of doing this.

We're going to try to do this one at a time, ad hoc, and see if we can come to an agreement. Where we can't, let's get a quick process in place. Then, at least on an ad hoc basis, we will have dealt with these individual requests that are coming up. I'm going to start with what I think are the easy ones—although one never knows—and work my way to the more difficult ones.

Early on Mr. Allen requested an org chart, and I believe that I saw a nod from the deputy that this can be provided. When would that be possible, Mr. Guimont?

All right, committee? Two weeks. Can we all live with two weeks?

Okay. That's good. Fine, thank you. That's one.

Second, there were progress updates asked for by Madame Blanchette-Lamothe. It was kind of quick, but I did make a note of it, and I think I saw a nod there, too, for those progress updates. The nod was yes, but I didn't hear how that was going to happen.

Could I get some indication as to how you will honour the commitment you made in terms of giving us that information?

Let me clarify with the member who asked the question.

Madam?

Thank you.

Given all the very interesting action plans presented today, it would be good to have follow-up on the progress of these action plans in general.

Since I had only five minutes, I asked questions about one specific aspect of an action plan. However, I would like to know about the progress of these action plans in general, if possible.

We do that; I think we do that. That's done, isn't it?

Usually that's in our committee report, and then it goes into our matrix, and then we follow up on it. So that should be captured by virtue of the draft report, and if not, you can make a note or have your staff make a note that you want to raise it during draft writing.

Alex is here, and I'm getting a sense from him that there will be something in there that addresses that because it's a matter of routine. We do get the action plans, but the other half is our obligation to follow up and make sure these things are being done, and if they aren't, haul in the folks that are responsible and ask them why.

Does that work for you, madam?

Yes.

Thank you. That's two down.

The third one I'll come back to later.

Four, Mr. Byrne asked a question of Mr. Guimont vis-à-vis the $780 million and the $570 million. Were you seeking where the full $780 million went, Mr. Byrne? I come back to you now for clarification.

Thanks, Mr. Chair.

I asked Mr. Guimont a question, and to answer on behalf of the government. The Auditor General identified 13 departments and agencies that could have been ascribed up to $780 million related to security activities for critical infrastructure and government systems. It appeared to us, readers of the Auditor General's report, that there was an attempt or a desire to identify what, if any, of that $780 million could be ascribed to cyber-security specifically.

I did not ask for a catalogue of projects or expenditures, but if each of the 13 departments that were recipient of some of the $780 million could account to Parliament, through us, what specifically was provided for cyber-security activities and capital purchases, that would be very helpful. I would include with that the $200 million subsequently identified as well.

Mr. Chair, it is clear that $570 million was identified for the Communications Security Establishment Canada. Obviously, some of that would be for electronic eavesdropping; some of it would be used for cyber-security. Not all of it, however, would be used for either one. I would ask in the provision of this data from these 13 departments that they be very specific what money was provided for cyber-security. Where there is an identifiable cross purpose that some of the money could be used for cyber-security as well as, for example, electronic eavesdropping, it should be clearly identified what percentage or what basis, so that we can determine what has been established by the Government of Canada for expenditure on cyber-security.

Is that clear, Mr. Chair?

I'm going to have two parts to this. I'm going to ask the deputy, number one, is it clear to him? Does he know what's being asked, and secondly, what is his response to that actual request?

So, two parts, do you understand the question and, if so, are you able to provide the information, Deputy?

I'm sorry. Pardon me?

I'm sorry, Mr. Chair. That was me.

We could ask the AG as well, Mr. Chair, if that would meet his—

Well, let's start with the deputy minister and see where we are.

Sorry to interrupt. Go ahead, please.

Okay, I think it's fair.

Mr. Ferguson, do you have any thoughts on this?

Let me try one thing and then I'll come back.

Can you take an attempt at this, Deputy? One of the things that we're looking at in terms of making requests—and I can't get too far ahead of my own committee—one of the things that we're factoring in is that it's one thing to ask for information in order to do our job, to hold you and the rest of government to account, but it has to be within reason. We can't just trigger a question that suddenly generates a million dollars' worth of expenses without being able to justify that this million dollars was well spent.

I sense from your comments we're into that realm of explanation. In the absence of our again having our definitive rules as to how we're going to approach these—I'm asking my colleagues to listen as much as I'm proposing this to you— could you take an initial run at this with the assistance of the Auditor General, who has said that he will provide some information that might help to provide some framework? Provide us with what you can, and as much as you can, as quickly as you can, and then we'll have to make a determination from there as to whether we consider the information received to be complete and acceptable or not.

Can that work? Can we try it that way, Deputy?