Evidence of meeting #23 for Canada-China Relations in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was need.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Carolyn Bartholomew  Chairman, United States-China Economic and Security Review Commission
Clerk of the Committee  Ms. Marie-France Lafleur
Michel Juneau-Katsuya  Expert in National Security and Intelligence, As an Individual
Anne-Marie Brady  Professor, University of Canterbury, As an Individual
Steve Waterhouse  Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual

8:45 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Okay, thank you.

Mr. Waterhouse, what do you think?

8:45 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

The current cybersecurity policy is based on what has been seen over the past 20 years. It must now be changed because the threat has adapted. The way to respond to the threat and, more importantly, the laws and regulations have not been updated, and that is why we are currently at a disadvantage.

8:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you.

Mr. Leuprecht, in 2019, Huawei Canada announced a partnership with ICE Wireless and Iristel to connect Canada's and Quebec's far north to the 4G LTE network by 2025. Michael Byers, an expert on Arctic affairs at the University of British Columbia, thinks it is alarming to see a Chinese company with a monopoly of communications infrastructure in the Arctic.

What do you think about that?

8:50 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

It is completely irresponsible. In the case of KPN, in the Netherlands, Huawei was not only able to engage in espionage within the largest mobile network in the Netherlands, but it also targeted judicial interventions involving various individuals, among other things. That enabled China to identify counter-espionage operations against Chinese spies, for instance.

8:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I like the word “irresponsible”. It's a strong word.

Mr. Waterhouse, there is a group of Chinese hackers known under the name Hafnium. It has been determined that the group is sponsored by the state and is operating outside China. This group was behind the hacking of Microsoft Exchange.

What is your assessment of the risk for Canadian and federal infrastructure?

8:50 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

Mr. Paul-Hus, the irony in this is that the FBI, in the United States, had to get involved to address the threat in some companies that were still infected. Several months after having been told that their system had been infiltrated, a number of companies had still not done anything.

The threat level is pretty high. It is surprising that, despite repeated warnings from the authorities, there was not enough media coverage to raise awareness among company executives or force them to take action. Once again, those who did not respond quickly enough had information stolen, as it is very easy for hackers to exfiltrate all the information from emails, which gives them an economic advantage. However, there will be no consequences in Canada for those who did not stop the leaks quickly.

8:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Concerning cyber-attacks, could you paint a quick picture of the recent Chinese attacks on Canada's federal and provincial infrastructure?

Do you have an idea of what happened recently?

8:50 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

More recently, there was the Cloud Hopper operation, which tried to attack what we refer to as managed service providers. Those are companies that provide user support services in businesses.

CGI, a Canadian company, was one of that operation's victims. It was infiltrated and, through that third party, China had access to very important clients the company was doing business with through that contracting.

The Canada Revenue Agency and Statistics Canada were also among the victims. Through the web code, the leak can be intercepted and plugged quickly, but there is no doubt that it was a Chinese operation, as the same problem arose at Equifax, in the United States, afterwards.

8:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

What information do Chinese hackers favour?

8:50 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

Aside from stealing patents and intellectual property, they want to gather a lot of information on anything. As Mr. Juneau-Katsuya said earlier, they get anything they can and then they sort through it.

When it comes to the collection of personal information, I can cite the Office of Personnel Management, in the United States, which had anything that constituted Americans' personal information stolen, including security clearances.

The data stolen from Marriott and Equifax means that there is an information pool that makes it possible to take interesting photos, as facial recognition also comes into play. Around the world, a network is being established to catalogue people.

8:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

There are currently shortcomings in cybersecurity at the federal level, but I suppose that various provinces must not be better equipped than the federal government.

Overall, do you feel that we have a problem?

8:50 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

We have a very big problem, as, once again, everyone is working in a silo. That leads to information compartmentalization. It's even worse in Quebec because the province thinks it can do everything itself and rarely turns to the federal government.

Over the past two years, Quebec has requested assistance and information in order to make the right decisions concerning cyber threats. That's very recent. Before that, the province's mission was to be independent in every respect.

8:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Coordination must definitely be established among all players where cybersecurity is concerned.

Canada is the only member of the Five Eyes alliance that still accepts Huawei. We have seen what that kind of a situation can lead to in the Dutch report.

Mr. Leuprecht, can you tell me in a few seconds what we should do? Should we immediately ban Huawei, yes or no?

8:55 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

Huawei should have been banned years ago.

8:55 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you.

8:55 p.m.

Liberal

The Chair Liberal Geoff Regan

Thank you very much, Mr. Paul-Hus.

Mr. Lightbound, go ahead for six minutes.

8:55 p.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

Thank you very much, Mr. Chair.

Thank you for joining us this evening, gentlemen. Your presentations were fascinating.

Mr. Leuprecht, I apologize if I am mispronouncing your name. You talked in your presentation about the importance of solidifying our relationships with our allies and focusing on our strengths. I am thinking of an article you published a month ago on the Russian and Chinese threat to Canada's sovereignty in the Arctic. In it, you discuss things like the ambitions of China, which claims to be a near–Arctic state, by I'm not sure what kind of a stretch of the imagination.

I would like to hear your comments on the importance of modernizing the North American Aerospace Defense Command, or NORAD, and on what can be done to better protect Canada's sovereignty in the Arctic.

8:55 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

My answer will be very brief. The major difference that has emerged over the past few years is that Canada itself has become a target because of the new weapons available to Russia and China and that the Arctic as such is now a geostrategic issue.

So it is not just a matter of renewing NORAD, but also of completely redesigning how data is shared within our defence system and within the Canadian Armed Forces. The command and control system must be reviewed across our entire continental defence system and our armed forces.

8:55 p.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

Okay, thank you.

Several years ago, you sounded the alarm about the importance of doing a better job of raising awareness among our university researchers and our research networks about potential infiltrations by foreign actors who, for example, have direct ties to the Chinese People's Liberation Army. Those people are on Canadian university campuses and are infiltrating research networks.

According to the “CSIS Public Report 2020”, activities have increased significantly during the COVID-19 pandemic. The report of the National Security and Intelligence Committee of Parliamentarians, or NSICOP, also mentions that Canada has been the target of sustained and increased efforts by foreign actors, including China, Russia and Iran, over the past year.

How aware do you think networks of university researchers are of that threat posed by China, for instance?

8:55 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

I would say there is almost no awareness. However, university chief information officers are becoming increasingly aware. A cultural shift is really needed.

Last year, the United States revoked the visas of some 1,000 individuals who did not meet the authorities' requirements concerning their relationship with Chinese intelligence services and military members. About 1,000 other people left suddenly.

The same thing must be done in Canada. We have the same problem. To my knowledge, Canada has not revoked any visas. This shows our lack of ability to adopt our own legislation to prevent the infiltration of our post-secondary institutions. As a result, our adversaries are benefiting from our investments in research.

8:55 p.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

I also think that an effort must be made to raise awareness. In that respect, CSIS has been more involved with the academic sector over the past few years.

Mr. Waterhouse, would you like to comment?

8:55 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

I concur with what Mr. Juneau-Katsuya said, to the effect that, over the past few years, until very recently, as you say, there has been a lack of awareness and, more specifically, of ties between educational institutions and the government. For example, there is a way to produce material, to declassify it in a particular way, to provide enough information to make very interesting products available to people who receive them. Those people can then implement policies or measures and foster a positive evolution in order to prevent the worst—in other words, intellectual property theft.

8:55 p.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

Thank you.

I would like to ask you one last question, Mr. Waterhouse.

A Citizen Lab representative recommended that we pay serious attention to China's efforts to obtain a new IP—in other words, a new Internet protocol.

Can you tell us in more detail what that initiative represents, what it consists of and what dangers it could expose us to?

8:55 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

Concerning the IP you are talking about, is it the protocol or another way to communicate? What comes to mind is a way to communicate. IP version 6, which was developed some 15 years ago, should take more space. It is based on the quantity of available IP addresses. It is another way to communicate. All devices are capable of doing it, but an adaptation is needed to increase communications security.

IP version 4, which is being used now and is the foundation of the modern Internet network, is not at all secure. In that sense, it may be possible to insist on IP version 6 being adopted as an addressing plan.

9 p.m.

Liberal

Joël Lightbound Liberal Louis-Hébert, QC

Thank you, Mr. Waterhouse.

We will have to continue this discussion at another time. The chair is signalling to me that I have less than one minute left.