Evidence of meeting #7 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was equipment.
A recording is available from Parliament.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
I believe our colleague from Global Affairs said that their practice is to have any maintenance workers escorted by embassy staff, in which case that would be observable behaviour. I will leave it to him to weigh in on that.
Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
That's exactly correct. Yes, we would see if that was happening and whether or not it would pose a risk. We are obviously going to look at that, moving forward. Our new approach will correct and minimize that risk.
Conservative
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
Aside from having an escort during the servicing, how possible is it to manage those kinds of disks remotely?
Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
I can't speculate as to how possible that would be. We don't want that to happen, so our procedures moving forward will prevent that from happening.
Conservative
The Chair Conservative Robert Gordon Kitchen
Thank you, Mr. Danagher.
Now we'll go to Mr. Green for two and a half minutes.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you very much.
I'm going to ask a very pointed question, and please forgive me if this comes off as terse.
In 2018, there was an Auditor General's report on the physical security of Canadian missions abroad. The AG report concluded that overall Global Affairs Canada had not taken all measures needed to keep pace with the evolving security threats at its missions abroad. The department had identified security deficiencies that needed immediate attention at many of its missions. Many of these deficiencies were significant, and several had been identified years ago, yet not all of the recommended measures to address these security deficiencies were in place. These measures included improved video surveillance, alarms, and the installation of vehicle barriers at entrances.
The report found that most of the department's capital projects to upgrade security were at least three years behind schedule, usually because of the weakness in the department's project management and oversight. The physical security measures at any mission did not always match the levels of threat it was under. For example, one mission in a high-threat environment had no X-ray machine for visitor screening.
Two years ago, the AG reported that Global Affairs was already at least three years behind schedule. Now we're at the five-year mark and counting, and we still don't have a contract to purchase this necessary equipment. This lack of adequate or appropriate security equipment means that the safety of Canadian diplomats abroad, and of the local country staff, is still at risk.
How can you justify these delays? What do you have to say to the diplomats and their families who still don't have the equipment they need?
Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
Thank you for the question.
Conservative
The Chair Conservative Robert Gordon Kitchen
Excuse me just for a second, Mr. Danagher.
Maybe we could get you to unplug your mike and maybe just lean forward and talk into your computer a little bit closer, and we'll see if that works a little bit better. There are still some issues with the interpretation, so we'll just check it. If that doesn't work, we'll have you go back to the way you've been doing it.
Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
Unfortunately, it defaults to this thing when I take that off.
Is this any better?
Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
I will do so right now.
Conservative
The Chair Conservative Robert Gordon Kitchen
We'll try it and see.
Thank you very much.
Mr. Green, I did stop the clock for you, so we'll give you time to answer.
Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
We do take very seriously the security of our personnel around the world. Obviously it's a major challenge keeping 178 missions around the world with the latest equipment. I can assure you that where we need X-ray equipment right now, the missions have it. For the one mission at which the auditors found that there wasn't an X-ray machine working, that was because on that day it was unplugged and being serviced, but a manual bag search was in place to keep our people safe. Every time equipment is being serviced or it fails, we have a manual process in place to keep our people safe. It is absolutely my top priority. We have taken very seriously the Auditor General's recommendations, and we've made enormous strides.
Thank you.
Conservative
The Chair Conservative Robert Gordon Kitchen
Thank you, Mr. Danagher. I appreciate that.
Mr. Paul-Hus, go ahead, please, for five minutes.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Thank you, Mr. Chair.
Since the beginning of our meeting, we have been watching a baseball match: everyone is throwing each other the ball.
I want to be very clear with all the participants. First, we have a report from the Library of Parliament that confirms that Nuctech is controlled by the Chinese communist regime.
Second, I don't know how the equipment assessment was carried out by Deloitte, but I can confirm that the machine does not meet the requirements of ISO/IEC 27001:2013 or of the NIST Cybersecurity Framework. In addition, the machine's operating system is not even supported anymore. So it is very vulnerable in terms of security.
Third, before we talk about the contract that was soon to be awarded for that equipment for our embassies, let's mention that the Canada Border Services Agency has acquired five pieces of equipment. During testimony, we heard that the situation concerning embassy equipment was not very serious, as there was no connection and we could rely on equipment purchased from Nuctech this year. The Border Services Agency is talking about communication equipment with images, video, cabling and components.
I served in the Canadian Armed Forces for 22 years, and I have sat on the House of Commons Standing Committee on Public Safety and National Security. I have never seen this kind of a security breach situation. This is not about politics; this is really about the public. Our government is dealing with a company that is problematic in terms of national security despite our security agencies' reports confirming that China and Russia are countries that are dangerous for computer security.
Could I get a clear, straightforward and precise answer, as well as confirmation that the Government of Canada will immediately stop dealing with Nuctech?
Acting Assistant Deputy Minister, Procurement Branch, Department of Public Works and Government Services
Thank you for the question.
If your question is about whether we will stop doing business with that specific company, I would like to tell you that the answer is yes. Currently, based on the standards, rules and approaches we use or the legislation, I cannot guarantee or tell you that will be the case.
Conservative
Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC
Okay.
We'll conduct verifications. However, according to all the information, it's quite clear. If the Canadian legislation currently contains shortcomings, I urge my Liberal friends to work together to change the legislation. Canada's national interests must be protected. Sometimes, I get into petty politics, but I'm not doing this right now. This is an important security issue.
I also understand that the organizations have their own work to do. At some point, it gets so complicated that the right hand no longer knows what the left hand is doing. We're experiencing this situation to some extent.
The Global Affairs Canada assessment went to Public Services and Procurement Canada. The security issue wasn't raised. As a result, there was no security investigation. This isn't working. Let's take note of this at the committee.
I'll now give the floor to Mr. Lloyd or Mr. McCauley.
November 18th, 2020 / 5:15 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
I think I'm taking it, Mr. Paul-Hus.
Ms. Mullen, it sounds like some of these security issues are going ahead without CSE's knowledge. How do we change that so that the CSE has input into this, because it's obviously valuable input?
You've identified Russia and China, for example, as state-sponsored threats to Canada in the report that came out today. Should we ever be allowing their tech, their state-owned tech, to be in any Government of Canada operations?
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
That's a difficult question to answer rapidly, but I'll do my best.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
No, it's okay.
The CSE is not a regulatory agency, so it does not endorse or ban specific technologies or specific companies. However, I think, more importantly, the first part of your question gets to the heart of the matter: How do we ensure that departments and agencies know when to come to the CSE to have it do its assessment, one part of which, in this case, is looking at the ownership and the business practices of the entity in question?
I think that's exactly what I was getting at earlier when I said that, because technology is evolving, things we didn't use to look at we now should start looking at because capabilities with embedded operating systems and USB ports that didn't use to exist in X-ray machines now do.
I think that's really the biggest step that those of us here as witnesses today are working on together: to add into the procurement process flags that come up when equipment that falls into these particular categories is being acquired so that the departments making the acquisitions know to reach out to the CSE.
Conservative
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Thank you, Mr. Chair.
Thank you to the witnesses.
I'd actually like to continue on the same thought process.
A lot of my colleagues have covered various aspects of the process and the way it was granted, the lack of review or the limited scope of the review that was done. I was really intrigued by the response that PSPC provided when asked if it would work with Nuctech again. The answer was that you don't know about the future, but that given what the rules and regulations are today, you have to—if my understanding is correct because I'm quoting you.
What changes to the rules and regulations do we need to put in place? I think Madame Mullen already talked about some of the elements of the process that could be enhanced, regardless and independent of the rules and legislation. I found that very interesting.
I'm going to go back to PSPC. Can you talk about where we have to strengthen the rules and where we have to strengthen legislation to make sure that we don't run into a situation like this again?
Acting Assistant Deputy Minister, Procurement Branch, Department of Public Works and Government Services
Thank you, Mr. Chair, for the question.
As quick background, the question that I was responding to was whether I could guarantee that we will never do business with Nuctech moving forward. In my brief response to that, I indicated that I can't provide the guarantee that that will never occur.
As I indicated before, when we undertake a procurement process, we don't know in advance who is going to be the winning bidder, the winning company, so there's always the potential that a company, state-owned or otherwise, may be successful in undertaking the procurement.
As was indicated by Ms. Mullen, there is work being done to be able to identify commodities that may be at higher risk of vulnerabilities moving forward, where we need to ensure that we have the appropriate security approaches or mechanisms to decrease the potential risk.
If the question is whether we want to limit or exclude a specific company or exclude, for example, a country or geographic region, I don't know what that would mean in terms of having to make changes to the current procurement process. I can't point to a specific rule, but chances are that that would be something that would be fairly broad in terms of an approach.