Government Operations Committee on Dec. 7th, 2020

I think that is the overall thrust of the statement that this is a strategic challenge, but the strategic challenge then also needs to understand that, inherently, out of the umbrella remarks that have been made about the geostrategic engagement by China flow definite risks.

The problem is that we often, as Professor Carvin pointed out, start the conversation on the wrong end. We start focusing on the micro risks the particular technology poses rather than the broader macro scale, the macro elements, both in terms of strategic policy orientation as well as how that then is not reflected in adequate procurement practices and in adequate national security vetting that would then forgo having to have the micro conversation about the threats.

Make no mistake. These are real threats. As Professor Burton pointed out, any software ultimately needs to be updated, so the updates in and of themselves pose a significant risk.

This is the part that people don't get about Huawei, where people ask, “How is it that there are no back doors?” Well, there's no back door to date, no compromise today, but you need the back door built in by definition so that you can actually update the software in the actual equipment. Overnight, the hostile actor can embed malicious technology. Look, there's a lot to be learned, for instance, about traffic that comes through the embassy, the types of material and when that traffic comes in at unusual hours and so forth.

I think the ability to track how often these dissidents are going, how many of them are coming in and out, is a little bit like what signals intelligence agencies do. Just being able to track the traffic pattern, that in itself can give you a significant amount of information, particularly when their traffic pattern, for instance, doesn't line up with regular business hours. You can kind of go, “Well, there's something obviously up at the embassy. Now we should probably leverage some of the other technology or some of the other compromises that we have in the technology within the embassy to understand what that might be.”

That's one possibility. My concern would be that we simply would not be able to adjust fast enough.

My issue is that we seem to be all one way and not the other. What I'm arguing for is layered security. Again, I very much respect the testimony by other colleagues, but if we take the example of the X-ray machine, you're saying that if I were a dissident, I would worry about going through an X-ray machine. Well, I would be more worried about the street cameras that were certainly surrounding me—

There are so many other ways—

In my view, I think it would just be easier to harness the expertise that we have now within the Communications Security Establishment. They are perfectly able to provide technological reviews, as well as help with risk mitigation strategies. Certainly, that seems to have been the case with the CBSA. In its testimony on November 18, it said that, yes, it had reached out to and consulted with the CSE when it procured and used these technologies.

I think it would just be easier, would it not, to.... We have the expertise in place. What I think is lacking is exactly that box that needs to be ticked. We need to completely re-evaluate our boxes.

If I recall, what followed in the wake of that was a new policy on acquisitions by state-owned enterprises, but I'm not qualified to talk about the.... I wasn't involved in the Nexen review itself. However, we saw an evolution in policy, and certainly that evolution in policy has had to take account since then of the 2017 intelligence act in China, which Professor Burton referenced, which basically made every Chinese company an agent in the work of the Chinese Communist Party.

I think the policy we have that looks at net benefit to Canada and, again, looks at our national security interests should be sufficient.

I also think.... I've said this about foreign investment, foreign investment by many sources. We've seen major multinational financial institutions engaging in wrongdoing. We should be vigilant, and investment locales, notably provinces and municipalities, should also be applying the laws, rules and regulations that they have in effect.

Foreign investment involves all three levels of government, and I think that over time we're closer, particularly post 2017 and the Chinese intelligence act, to the scrutiny we need for SOEs.

I think this was backed up by Christian Leuprecht's testimony, in the sense that the risk is fairly moderate. Of course, these devices do have to be updated, and there is the fact that perhaps Chinese individuals would be coming in to fix the equipment. All of these are serious risks, but I suppose the point I was trying to make with that remark is that just because you ban a technology doesn't mean the threat is gone.

I'm concerned in particular with, say, the 5G discussion, in that we talk about banning a technology and we think that's going to make us safer. It may in some ways, but the fact is that all security products have flaws in them. All these vendors have serious issues. Just because they're not Chinese doesn't necessarily mean they're secure.

We need to be doing these tech reviews on all technology, for the reason that we do know that states like China are trying to hack into our embassies and other places. To me, it's not even just the Chinese, even though I think that should be, for reasons of the problems related to SOEs that have been I think well discussed in this particular session.... We need basically all of our technologies reviewed consistently and thoroughly. Clearly, that's not something that's in the procurement right now.

Yes, this is my concern. By focusing on this narrow issue of the X-rays themselves and whether or not they're vulnerable, we overlook the broader issues with regard to malicious action, say by China, against our embassies abroad and against our government, probably as we speak. We're probably being hacked as we speak. This is the reality.

That's what I meant about that specific technical threat being overstated. It's missing so many of the other broader issues that I think this specific committee could be dealing with in regard to broad overarching strategies for procurement.