Canada-China Relations Committee on March 22nd, 2021

In the work that the Citizen Lab has done, one of the points we have made is that there's a concern that we have in that there's a great deal of attention focused on Huawei and the vulnerabilities in Huawei equipment. While it's appropriate to be concerned about that vendor, there's an equal need to look at how other companies that may serve a 5G infrastructure operate. We believe that both Ericsson and Nokia, as well as Samsung and other parties, should similarly go through strong assessments to ensure that all equipment that goes into Canada's infrastructure is strong.

It's not sufficient to remove Huawei and then let in other vendors who may have security deficiencies.

Even in the context of critical infrastructure development, such as telecoms, Canada can't go it alone. Indeed, for most services, Canada can't go it alone. As a result, one of the things the Citizen Lab has recommended is that Canada, along with like-minded friendly nations, figure out ways of doing information assurance collectively. That may mean that in the hardware space, one country looks at Samsung, another at Huawei, another at Ericsson. When it comes to services, such as Microsoft's challenges, again, a coordinated analysis by the NSA, the CSE, the GCHQ and other intelligence alliances is important to assess and identify these vulnerabilities.

The concern that I and my colleagues have written about in the past is that there does seem to be an ongoing incoherence to the way that Canada has developed its cybersecurity strategy.

I would note that, while there is a federal policy, it is somewhat out of date, and the instrumentalization of that policy has not seen the light of day, so if it exists, it's not public to date.

I believe that was directed to me.

Thank you for your question.

Unfortunately, the Citizen Lab does not have that kind of intelligence.

I believe, and this is paralleled by the CSE, that what's required is to ensure that our networks have multiple vendors operating in them. That may mean that there's a combination of Samsung, Ericsson, Nokia and other vendors as appropriate.

In order to assess them, again, I think we would work collaboratively with our international partners to ensure that the technologies that are going in are fit for duty. Moreover, we're talking about billion-dollar purchases. We can impose some sort of expectations on interoperability.

Further, with regard to stickiness, there's a process taking place right now called Open RAN, which would, in a way, democratize some of the way telecommunications equipment is set up. It would basically let you take equipment off the shelf, as opposed to highly specialized equipment, and use that to develop parts of the 5G radio network.

I believe that the Canadian government pushing towards that would be one way of improving the network and reducing some of the stickiness at least.

Because it is an open standard, I think it's something to be mindful of that China is involved, but it makes sense economically for their carriers as well.

I think it's an area where Canada has to actively engage, and one of the ways of doing it—in addition to, of course, the Government of Canada directly participating—is finding ways of encouraging our corporations, businesses and academic units to also participate, which could involve some sort of fund set up by the Government of Canada to enable academics or non-profits to participate and possibly find other ways based on tax incentives to encourage our companies to also get involved in those discussions.

One of the aims and aspirations of the Open RAN alliance is to ensure that the technology is in fact open, a series of standards that aren't inherently captured by one organization or one company or another.

They are self-interested in getting involved in that because, right now, if you purchase equipment from any of the large vendors, it's quite expensive, and Open RAN currently promises to reduce those costs, so there is an incentive, even if they don't own the IP, to be involved in developing the standard itself.

There aren't currently any in North America that adhere to all of the recommendations we have. We are certainly trying to advocate for increasing trust writ large, so not just in Chinese social media but also companies that we're very familiar with, such as Facebook, Twitter and the rest.

There are some elements on which we're seeing movement in North America. As an example, we have more robust transparency reports that are available in other jurisdictions. Facebook and others do disclose their lawful access handbooks. They're quite useful and quite accessible. However, we don't have things like algorithmic transparency or accountability, nor do we necessarily have the degree of awareness as to how companies interpret the law, which is almost more important than anything else, because how a company interprets the law versus how the law is written can often be not one to one.

To the best of my knowledge, and based on open-source information, there has been a relatively minimal breach of Canadian organizations to date, although we are learning almost on a daily or weekly basis that the number of victims is going up. The current impact seems to be relatively minimal, but I suspect that the actual assessment of that will take a considerably longer period of time.

Encryption is one of the few things that can be relied upon to keep data safe. One of the things that the Citizen Lab has argued for repeatedly is the availability of what's called end-to-end encryption. It's encryption where a message is secured from your device, goes to someone else's device, and only the two parties can access it. That's especially important as we see more and more systems move to the Internet, because it ensures that when and if the network is compromised, whoever is compromising the network can't gain access to the communications that are transmitted across it.