Evidence of meeting #23 for Canada-China Relations in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was need.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Carolyn Bartholomew  Chairman, United States-China Economic and Security Review Commission
Clerk of the Committee  Ms. Marie-France Lafleur
Michel Juneau-Katsuya  Expert in National Security and Intelligence, As an Individual
Anne-Marie Brady  Professor, University of Canterbury, As an Individual
Steve Waterhouse  Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual
Christian Leuprecht  Professor, Department of Political Science, Royal Military College of Canada, As an Individual

9 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

9 p.m.

Liberal

The Chair Liberal Geoff Regan

Thank you very much, Mr. Lightbound.

Mr. Bergeron, you have the floor for six minutes.

9 p.m.

Bloc

Stéphane Bergeron Bloc Montarville, QC

Mr. Waterhouse, Mr. Leuprecht, thank you for joining us this evening.

Mr. Leuprecht, we had an opportunity to engage in a discussion just a few days ago.

Mr. Waterhouse, as a former Quebec minister of public security, I thought it was very interesting to hear you say that Quebec claims to be able to do things on its own. Once the situation improves and we can meet for a coffee, I would like us to discuss this.

Gentlemen, I am completely fascinated by the apprehensions expressed about a power like China in terms of cybersecurity. According to Greg Austin, who leads the Cyber, Space and Future Conflict Programme at the International Institute for Strategic Studies, China's cyber defence capacities are clearly inferior to those of most western powers, including Canada. According to him, Canada ranks ninth out of the 155 countries evaluated, while China ranks 27th.

Why is China such a threat to Canada?

In light of this very interesting information, I am wondering why Canada and other western powers are not an equivalent or higher cybersecurity threat to China.

My question is for both witnesses.

9 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

I yield the floor to you, Mr. Waterhouse.

April 19th, 2021 / 9 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

Mr. Bergeron, I accept your invitation to have a coffee. It would be nice to meet with you at any time.

I haven't seen Mr. Austin's assessment points. I don't know how he figured out where China stood and where Canada stood. However, I can tell you that a key element is the power of each country. China has a team of about 100,000 cyber soldiers, if I may use that unit of measurement. In the United States, between 5,000 and 6,000 cyber soldiers work at the National Security Agency at Fort Meade. In Canada, only 200 or 300 people are mandated to carry out cyber defence. Conducting cyber-attacks is even a recent mandate.

In terms of the balance of power, we need to know whether we have full command of the technology, in comparison with China. China can absorb losses, but we can't. This would have a greater impact on us.

I would need to study this issue further to gain a better understanding of Mr. Austin's position.

9 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

It's a matter of resource allocation. China has much more to gain by infiltrating other countries' networks than by protecting its own networks from infiltration. It's simply a matter of maximizing the available resources.

9 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

I'll add that China has an airtight network that's very difficult to penetrate. It's also very difficult for Chinese people to get out. China controls the information in every respect, which gives the country another advantage.

Canada, on the other hand, is quite democratic. People can get on and off the Internet at will.

9 p.m.

Bloc

Stéphane Bergeron Bloc Montarville, QC

Obviously, I haven't delved into Mr. Austin's data, but I gather that we have access to the technology. It's probably high-quality technology as well. However, we don't necessarily have the networks and the impunity— because China isn't accountable—that make it possible for China to do more or less what it wants, with a huge number of people involved. We don't have that here in Canada.

Have I summarized the facts correctly?

9 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

I believe that this speaks to Mr. Lightbound's comments.

Cybersecurity is a political issue. When it comes to the quality of cybersecurity and our networks, and the trade-offs between security and convenience, you must make the decisions and keep Canadians safe by improving the security of the tools and networks used in Canada and by strengthening data protection.

9:05 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

To update the ways to make this possible, we also need laws that are restrictive enough to discourage some people. We recently spoke about Bill C-11, which concerns the ability to protect individuals' personal data.

Without a definition of what constitutes a cyber conflict, on what basis can we declare the existence of a conflict with an organization that confronts us?

Even article 5 of the North Atlantic Treaty Organization, or NATO, doesn't define the term. This makes it difficult to know whether the unexplained shutdown of a power grid constitutes an act of war. Once a cyber conflict is defined, we'll be able to understand the scope.

9:05 p.m.

Bloc

Stéphane Bergeron Bloc Montarville, QC

I gather that decisions must also be made at levels other than the federal level, including at NATO.

9:05 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

Exactly. This happens at the international level.

9:05 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

We currently need clear restrictions so that our opponents know that there will be severe consequences if they fail to comply.

9:05 p.m.

Bloc

Stéphane Bergeron Bloc Montarville, QC

It's the red line.

9:05 p.m.

Professor, Department of Political Science, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

We must make it very clear to our opponents that certain behaviour is unacceptable.

9:05 p.m.

Bloc

Stéphane Bergeron Bloc Montarville, QC

Thank you, gentlemen.

9:05 p.m.

Liberal

The Chair Liberal Geoff Regan

Thank you, Mr. Bergeron.

We'll go on to Mr. Harris for six minutes.

9:05 p.m.

NDP

Jack Harris NDP St. John's East, NL

Thank you, Chair.

Mr. Waterhouse, I saw a profile on you, describing you as one of Canada's first cyber-soldiers. I didn't know what to expect, but you look quite normal to me. When I heard you speak about countries having 5,000 or 6,000 cyber-soldiers, I realized that's a term that's in use and I hadn't heard it before, so thank you for enlightening us on that.

You told us about the threat that had taken place when the Nortel information was taken. The codes for the systems that ran the pipelines and the electrical system were stolen, but how does one overcome that? Has that been overcome, and what damage does that do to industry into the future? Can that be repaired and fixed? Do you have to restart everything to do that?

9:05 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

It is very difficult to repair what has been done. If we take the case of Nortel, it is one example of technology thriving in the 2000s. It made Nortel one of the foremost technological companies in the world, and made today what is Huawei, because it transferred all the technology over to Huawei. The cherry on the sundae was finding the microphones in the Kanata HQ when DND took over the infrastructure. That's one.

Two, is the Telvent codes. What's mesmerizing is that these codes are present in manufactured valves and installed in pipelines, so they cannot be replaced overnight. They cannot be updated, so if there is a flaw found in one code, it has to be communicated over an infrastructure. The advantage is to the attackers. You have to mitigate that vulnerability so that they won't be able to attain it. If they have access to it, and we saw a few attacks in Turkey almost 10 years ago in which they were able to create overpressure and blow up the pipeline.

That's the kind of critical infrastructure security we have to think about. We have to review completely where we are vulnerable or not. Every time there is a cyber-attack and there is a leak of information, the threat risk assessment has to be done all over again, which is absent in most cases.

9:05 p.m.

NDP

Jack Harris NDP St. John's East, NL

Tell me about something else that concerns me. I was reading about Citizen Lab, for example, saying that TikTok normally follows the proper rules of industry, but that it also has dormant codes contained within its software infrastructure.

What is a dormant code? Is there something we need to be concerned about when we have no knowledge of the history and background of people we're dealing with?

9:05 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

TikTok is meant, first and foremost, as an information operation platform, meaning that it can influence and it will introduce some information between small videos. If it controls the platform, it can can control the message. Once the program is installed in a phone, a tablet or whatever technology, they can remotely activate anything they want, because they control it.

It was found in a few types of similar applications that they had the reach to possibly turn on microphones, document pictures that were in the phone, and so on. It's in a minority of these applications that are out there, but that's the reality of playing with open sources, open platforms, that exist. They can reach and take the information they need.

9:10 p.m.

NDP

Jack Harris NDP St. John's East, NL

Is that something that can occur in industrial applications as well? Can you sell equipment and include in the equipment some kind of dormant code that allows someone else to control it five years later or whatever?

9:10 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

That's what keeps me up at night, because you never know where they have access to the code. As we saw in a few attacks a few years ago, some NSA tools to get access to some systems were leaked out, so there is access to electronic tools to get access to some systems, and this is what we're saying would happen in an attack on Microsoft Exchange servers. Tomorrow morning there could be another type of zero-day attack, and “zero-day” means it's newly discovered, newly exploited. Those are the intricacies of technology. It's because there is a serious lack of quality control with the type of code that's laid out on the market.

I underlined this in another intervention four years ago, saying that medical code embedded into pacemakers or insulin pumps can be accessed remotely by someone who would like to do harm to someone.

9:10 p.m.

NDP

Jack Harris NDP St. John's East, NL

Take, for example, the electrical grid in Canada. It's complicated and complex. Our pipeline grid is as well. Is there an effective defence of that to provide resilience that can be relied upon by companies or by Canadians to know that they are safe?

9:10 p.m.

Captain (ret'd), Former Information Systems Security Officer, Department of National Defence and Cybersecurity Specialist, As an Individual

Steve Waterhouse

We are safer certainly than the U.S., because we have fewer companies in the U.S. than in Canada, so as often as they can review the code, review the defence posture, they will be safer every time, but this has to be done every time there is a new threat. They don't perform these kinds of threat evaluations often, so they have to do it over again and often to be certain they address the right threats and apply the right mitigation.