Government Operations Committee on May 31st, 2021

Evidence of meeting #33 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

On the agenda

Government’s Response to the COVID-19 Pandemic
Nuctech Security Equipment Contract
Committee Business

MPs speaking

Robert Gordon Kitchen
Pierre Paul-Hus
Majid Jowhari
Julie Vignola
Matthew Green
Kelly McCauley
Irek Kusmierczyk
Rachael Thomas
Francis Drouin

Also speaking

Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Sony Perron  Executive Vice-President, Shared Services Canada
Marc Brouillard  Acting Chief Information Officer of Canada, Treasury Board Secretariat

4:35 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Mr. Chair, there is a process that is called the supply chain integrity process that is managed by the Communications Security Establishment. SSC will refer procurement activities with suppliers or new products to CSE for review and advice, to look at the security aspect. It's not only the product or the service, but it's how the service is constructed and delivered that needs to be reviewed before we make a decision.

On this, maybe if you agree, Mr. Chair, we'll turn to Mr. Jones to explain what is being performed in terms of assessments.

4:35 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

I'll just interject for one second.

I'm not looking for an overall summary of the evaluation process. I'm actually looking for quite a simple answer, and that is whether Huawei technology is prohibited from being secured by the Government of Canada for any of its services.

4:35 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Okay. I will try to be a bit more clear.

We don't have any Huawei technology operating on our network at this time. If there were any provider that would be coming with that technology, it would be part of the package that would be reviewed through the supply integrity chain, and CSE would provide its advice.

At this point, we haven't procured...we are not using Huawei technology on the Government of Canada network.

4:35 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

I can appreciate that you're not doing that at this time, but is there a policy in place in order to protect us from any future procurement of Huawei technology?

4:35 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

With regard to the policies when we are acquiring services or technology, we go through the supply chain integrity process. We ask for advice from CSE before taking action. There is a built-in process to assess the integrity of the supply chain and to make sure we are making the best decisions to support government operations and the service to Canadians. This is called the supply chain integrity process.

4:40 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

What I'm hearing from you is that Shared Services Canada would be open to the possibility of securing Huawei technology. Is that correct?

4:40 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

What I'm saying is that each time we are procuring new products or new devices, we are going through the supply chain integrity process that has been put in place to assess each and every transaction.

4:40 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

That supply chain you're talking about, that integrity—there's nothing in there that would preclude Huawei technology from being set up here in Canada.

4:40 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Mr. Chair, to answer the question from the member of Parliament, this process is managed by the CSE, so in terms of describing what the steps are and how this proceeds, I think Mr. Jones would be better equipped than I would be to explain that.

4:40 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

I will allow Mr. Jones to comment on the question.

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

In the supply chain integrity checks, we check a number of things—the type of equipment, the vulnerability, foreign ownership control and influence, and many other aspects. Then we come up with a risk rating. If the risk rating is too high, the department, in this case Shared Services Canada, would make the decision on whether or not to accept or reject and look for another type of product. Because we do this on a product-by-product basis, we always look from the start so that we are always following the rules of things like trade agreements, etc., and providing the best advice to Shared Services.

The goal for us there is to make sure that we're giving a complete and comprehensive assessment of the supply chain risk so that departments can make their decisions.

4:40 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

Thank you.

To my specific question, then, with regard to Huawei, we have concrete evidence of Chinese espionage, infiltration and systematic interference in Canadian companies and the federal government. That seems like a pretty high risk in terms of doing that risk assessment that you're talking about, which includes foreign ownership, and then, of course, the risk that this type of technology would pose to Canadians and the government.

Is Huawei being discussed? I mean, the Five Eyes have all banned Huawei technology or come up with very significant protocols in terms of its use. Is Canada going in that direction? Are you giving that any consideration? Is that going to be part of the policy going forward?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

As Monsieur Perron has said, the Government of Canada does not have any Huawei technology operating on our networks. We put our equipment purchasing, any equipment purchased, through our supply chain integrity process.

4:40 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

I'm sorry. That didn't answer my question. Is there a process being put in place to protect Canadians and the government in terms of the sensitive information that is held within our data systems? Is there any initiative being put in place to make sure that Huawei technology is not used in future endeavours?

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

The supply chain integrity process is there to ensure that all decisions made are made to ensure the safety and security of Canadians' information and Canadian networks and Government of Canada networks, in this case with Shared Services Canada.

4:40 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Ms. Harder.

We'll now go to Mr. Drouin for five minutes.

May 31st, 2021 / 4:40 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Thank you, Mr. Chair.

I want to thank the witnesses who are before the committee.

I want to jump back to the supply chain integrity. Perhaps I can ask Mr. Perron how long this supply chain integrity has been in place.

4:40 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

You're asking me a historical question. I haven't been at Shared Services Canada that long. I won't be able to answer that and give you a date.

I think Mr. Jones or Mr. Brouillard could probably give us the date when this was created.

4:40 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Unless Scott knows the exact date, we would have to get back to you on the specifics. I've certainly been aware of it for many years. I've been here since 2016, but I couldn't specify an exact date.

4:40 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Okay.

Mr. Jones.

4:40 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

In terms of the formal program, it goes back to the initial stand-up of Shared Services Canada. However, there was supply chain integrity advice given well before that, in the years leading up to it and before my involvement in cybersecurity, which has been about 14 or 15 years.

The formal program really started with Shared Services Canada and the fact that there was one central place to work with in the procurement and to work on these big projects.

4:45 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Okay.

I just want to make sure that I understand this correctly. A company—and it doesn't matter whether its Huawei or whomever it is—may be able to participate in a procurement, but as soon as it goes through the supply chain integrity, that may come back and say, “Sorry, but your security just won't pass, so you can't participate.” Is that the goal here?

4:45 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Exactly. It's also to make sure that we don't only look at the surface. The process looks deep. What is behind? What is behind in terms of technology?

Sometimes we buy services. These service providers will have their own technologies and their own infrastructures. These have to be transparent. This information is supplied by the bidders through the process to SSC, and this information is provided to the CSE to perform the assessment. We are relying on the advice to make a final decision on the procurement.

4:45 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Right.

A Canadian company could appear at the forefront to be secure and whatnot, but its own suppliers may be compromised or may use technologies that are compromised. That's the point of the supply chain integrity process.

4:45 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

It's the assurance that SSC is looking for through that process. It's to make sure that those with the expertise and the knowledge will go through the process and perform that kind of assessment that our technical team may not have the expertise to do. We are lucky in Canada; we have this centre with specialized resources that focuses 100% of its energy on this question. It's providing us with the assurance that we are making the best choice from a security perspective.