Evidence of meeting #43 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was scisa.
A recording is available from Parliament.
5 p.m.
Liberal
Emmanuel Dubourg Liberal Bourassa, QC
Right.
Mr. Rochon, you spoke earlier about the scope of the work you do. You said you block more than 100 million malicious access attempts almost every day. In terms of other access attempts in other departments, what do you do with that information? Do you keep it or do you automatically inform the department?
5 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
No, it's impossible to keep that information.
Part B of our mandate deals with defending systems of importance to the government. Obviously, we see all kinds of situations every day. We block the malware we already know about. The goal isn't to keep all this information, but to see it pass, to block it and not to let it get through our defence systems.
5 p.m.
Liberal
Emmanuel Dubourg Liberal Bourassa, QC
I have one last question for you.
Are you concerned about the fact that the exchange of information between these institutions doesn't require legal intervention or a warrant from a judge?
5 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
Under the current system?
5 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
No, not to my knowledge.
5 p.m.
Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence
As I've mentioned a few times, it isn't that we couldn't share information before. This simply helps to better manage information sharing.
5 p.m.
Conservative
5 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Thank you very much.
I have just a few questions, first on relevance versus necessity. The legislation is, perhaps, too vague. We've had law professors come before us and say we should make it crystal clear that recipient institutions continue to operate within their own mandates. Perhaps we should also be very clear regarding a necessity test that the information accepted by recipient institutions will be necessary to their mandates, that relevance is only on the disclosing institution's side of things, and that it is being done to make it easier. These disclosing institutions aren't completely familiar with national security and your mandates, so rather than hindering the sharing of information, the relevance test would enable that information to flow.
Do you think that making it crystal clear that you are to operate within your mandates and that you are subject to a necessity test would be a hindrance to your operations in any way whatsoever?
5:05 p.m.
Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence
I would say that, for any public servant, it's already crystal clear that you operate within your mandate. That's fairly fundamental to what we do.
The issue of necessity versus relevance, I think, is a question for the committee and for the government, in terms of what the appropriate test is to enable sharing.
5:05 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
To pick up on the chair's point, I want to be clear about whether it would get in the way of your jobs in any way if we clarified that the recipient institutions were subject to a necessity test, that the information you receive had to be necessary to your mandate.
5:05 p.m.
Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence
It's hard to say. My perception is that it would raise the bar. It would be a more difficult bar to meet for sharing, but it would depend on how it was formulated. It depends on what the committee and the government would like to achieve.
5:05 p.m.
Liberal
5:05 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
I'll jump in and say that I can only use our example and our mandate. From a necessity versus a relevance perspective, in my case, if you're sharing information with me, it can't be directed at a Canadian. It has to be directed at a non-Canadian outside of Canada, number one. It has to be relevant to intelligence priorities as mandated by cabinet. It has to be for international affairs, security, or defence. Is it relevant to that or is it necessary for that?
Also, in terms of what I'm going to do with it or what my organization's going to do with it, we do foreign intelligence. You're going to give us a tip. We're going to then follow that tip down. If you think there's a threat against a Canadian embassy abroad, we're going to run down that tip. Is that tip necessary? Is it relevant? We don't know. It's the beginning of something that we're going to chase down, and then we're going to produce foreign intelligence on it. Then when we share foreign intelligence under our National Defence Act mandate, the assessors, the people who are going to fuse that intelligence, will ultimately decide whether there needs to be action upon that intelligence. It's difficult to answer your question.
5:05 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
I have one last question. Two of your organizations have not actually received information, and Mr. Burt's has just one time. When that occurred and if that were to occur for the other two, who would be responsible for overseeing whether that sharing of information was responsible and appropriate?
5:05 p.m.
Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence
Within our system, within my organization, we have a release and disclosure coordination office, whose business it is to determine what should be done with various information, whether it's being dealt with through a judicial process or being released through an access to information request, or in this case, being dealt with under SCISA. We have two points of contact under the act, two possible heads of organization: first, the minister for the department, and second, the chief of the defence staff for the armed forces. Two organizations have been delegated to receive that information and track it on their behalf. One is the release and disclosure office in my organization, and the other is the Canadian Forces integrated command centre, which is a 24/7 operation within our operational command.
5:05 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
In our case, in terms of receiving information, it's very clear how it can be done mechanically. We have a 24/7 operations centre that at any given time would receive information coming in. Then there's a strict protocol in place under which it would reach out to disclosure offices, operational policy offices that report to me, which would ultimately then vet whether or not we're in a position to receive it and whether it fits within our mandate.
As Mr. Burt just said, we have delegated authority under SCISA. It's delegated to three deputy chiefs. I am one of them, and there is the deputy chief of foreign signals intelligence and the deputy chief of IT security, who ultimately will then weigh in as to whether or not we follow through with it.
5:05 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
With CSIS or with CSE, is there no independent review?
5:05 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
Independent review by someone who would receive information that—
5:05 p.m.
Liberal
Nathaniel Erskine-Smith Liberal Beaches—East York, ON
Well, SIRC is currently reviewing the information that CSIS has received subject to SCISA, for example. There's no independent review in that way.
5:05 p.m.
Deputy Chief, Policy and Communications, Communications Security Establishment
In our case, we have an independent commissioner who could review it.
5:05 p.m.
Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence
We haven't received anything yet, but if it were to be reviewed, we would ask our chief of review services internally to undertake that.
