Evidence of meeting #14 for Government Operations and Estimates in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Paul Glover  President, Shared Services Canada
Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Marc Brouillard  Acting Chief Information Officer of Canada, Treasury Board Secretariat

6:20 p.m.

Conservative

The Chair Conservative Tom Lukiwski

Thank you very much.

We'll now go to Mr. Green for six minutes.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Thank you.

It's certainly not every day that you get to put questions to the Communications Security Establishment, so I'm going to go ahead and take that opportunity today, Mr. Chair, through you to Mr. Jones.

In 2018, the federal government launched the cyber centre as a part of the CSE by consolidating cybersecurity expertise from the CSE, Public Safety and the SSC. How many employees work for the cyber centre?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you for the question.

At this time we have about 800 employees spread across the traditional mandate of CSE—which was the cryptographic expertise that we brought—the Government of Canada security operations centre, plus the national CERT as well.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

How many of them came from Public Safety and SSC respectively?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Approximately 150 positions were transferred.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

How were they selected?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

They were the people doing the functions that existed in those departments. Both departments transferred folks. We integrated them and designed a brand new cyber centre.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Thank you.

According to a media report, the CSE is working in coordination with its partners to ensure that COVID-19-related phishing sites mimicking the Government of Canada are removed. Who are those partners?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We work with partners around the world in the international cybersecurity community. When we see malicious activity hitting our country, for example, we can make a request to a national computer emergency response team in any other country. We also have contracted to commercial partners. We typically don't give the name of the partners because we don't endorse companies. We have a contractual relationship, but because we also can give them a reputational boost, it tends to be something we're very careful about.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

That's very well stated. Thank you.

Could you provide some further examples of how the CSE's cybersecurity work is related to COVID-19?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Absolutely.

I've already talked about the example of taking down fraudulent websites and working with partners there. In another case, we've also issued many alerts directly to the health care sector. We have cross-sector tables where we've worked with Canadian industry on COVID-19 and the response. These include communications and technology, the health sectors and our provincial and territorial partners, to make sure that we're sharing as much information as possible.

In fact, we've hit all the major critical infrastructure sectors. At the height of this crisis, when this was first starting and everybody was getting on their feet, we had multiple calls a week and directed information to them constantly.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

This might seem like a frivolous question, but I'm going to ask it anyway because fraud is a concern of mine. It might not be in your portfolio. Are new technologies in place that enable us to better target the old-school phishing scams through telephones, i.e., even as a member of Parliament, I continue to get CRA calls on my government phone that I'm about to go to jail unless I send them money right away.

Are there ways we can fight back against that type of traditional phone scam?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I get those same calls as well.

6:20 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

That must be interesting. Do you let them know where you work?

6:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Sometimes, if I have a lot of time, I'll try to keep them occupied so at least if they spend time with me they don't spend time on another Canadian. In general, this is where I would look to the work that the CRTC and some of our telecommunication partners have been doing to try to deal with this. The problem is that the international telephone system is working off standards written in 1975 in some cases. It's not designed to have security in mind. It was designed for a very few monopolistic telephone operators who were all trusted, so they're trying to adapt to this. That's a challenge we're facing.

We are trying to support them and work with them through some of our collaboration tables, but it is a pretty significant challenge because of the environment, unfortunately.

6:25 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Thank you.

That concludes my questions. I won't take up time for the sake of taking up time, Mr. Chair.

6:25 p.m.

Conservative

The Chair Conservative Tom Lukiwski

Thank you very much, Mr. Green.

Now we'll go to five-minute rounds, and we'll start with Madam Block.

6:25 p.m.

Conservative

Kelly Block Conservative Carlton Trail—Eagle Creek, SK

Thank you very much, Mr. Chair.

Thank you also to our witnesses for joining us today.

As you noted in your opening remarks, Mr. Jones, these are extraordinary times, which have required us to change the way we work and communicate. While we have risen to the challenge, I believe it is more important than ever that we secure critical infrastructure as we shift government operations to digital and telework.

Also in your opening remarks, Mr. Jones, you noted that the Government of Canada has a strong and valuable relationship with our international cyber partners, and that we regularly share information, which has a significant impact on protecting “our respective countries’ safety and security”. Maybe this segues just a bit into the answer that you just provided to my colleague Mr. Green.

According to an article in The Telegraph on Saturday, the Prime Minister of the United Kingdom announced that he will reduce Huawei's role in Britain's 5G network in the wake of the coronavirus outbreak. If Huawei is a part of Canada's 5G network, will it pose a security risk to Canadians?

6:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

It's important to note that right now there's an ongoing security review led by the Minister of Public Safety. We're certainly supporting the cybersecurity elements of that, and we take all the information we have into account. Certainly, something we face is how to secure any network. One of the really important concepts is that we should have zero trust in any equipment we're using. That's the same structure we've taken with the Government of Canada, where we've tried to build in multiple layers of defence. You always assume that a layer is not going to be able to protect it and you add another layer of defence, so that there's always a belt and suspenders or a check and balance, depending on how you want to describe it, so that we can layer security in place.

Then ultimately, some of the other decisions will need to be taken as part of the policy.

6:25 p.m.

Conservative

Kelly Block Conservative Carlton Trail—Eagle Creek, SK

Thank you.

Other Five Eyes partners have already made a decision on Huawei and their 5G networks. Is there something different about Canada that dictates why we have not made a decision yet?

6:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

We've been working to look at this to provide the cybersecurity advice as part of the broader, ongoing review. One of the key aspects for us is leveraging our experience since 2013 of running a cybersecurity review program, which was about building better security with our telecommunications partners from the start. We've been trying to leverage that experience, but provide a definitive and strong source of information to the government to make a decision.

6:25 p.m.

Conservative

Kelly Block Conservative Carlton Trail—Eagle Creek, SK

From your perspective, would it even be possible for Canada to make a decision right now on Huawei's involvement with our 5G networks?

6:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

The 5G standards are evolving. One of the key things for us is making sure that regardless of vendors—no matter where those vendors come from in the world—we're building in security that is agnostic of origin. It's a complicated supply chain for all vendors, and one of the key things for us is ensuring that we're positioning Canada to be protected, regardless of the vendor, wherever Canadians are located, making sure we're building those relationships and security elements in from the start.

6:25 p.m.

Conservative

Kelly Block Conservative Carlton Trail—Eagle Creek, SK

I appreciate what you said about always considering that a network is vulnerable.

Is Huawei considered a higher risk vendor when it comes to a 5G network?

6:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

One of the things we always look for is how products are being built, where they're being built, how they're being assembled, the origin of their components, the ownership of their companies, etc., and that's for any product.

We apply that expertise as part of something you heard talked about earlier today: supply chain integrity. We apply that expertise there, as well. We add on extra mitigation, extra risk-reduction activities, depending on those different factors, to try to bring the level of risk down to an acceptable level.

One of the key things in my job is that you can never fully sleep well at night, because there's always risk that remains. The only way to really reduce your risk down to zero on the Internet and communications is to shut it all off. That's obviously just not viable.