Evidence of meeting #7 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was equipment.
A recording is available from Parliament.
6 p.m.
Liberal
Steven MacKinnon Liberal Gatineau, QC
Okay. Considerable effort is being made.
Thank you for your diligence, Mr. Ieraci.
6 p.m.
Conservative
6 p.m.
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
Thank you.
My question is for the Communications Security Establishment representative.
I spoke to you earlier about the communications possibilities during the maintenance of the walkthrough X-ray machines, for example, where very small things can lead to a great deal of information being transmitted.
In your opinion, how likely is it that Nuctech or a company with the same goals will have access to the data?
What would be the risk to Canada if this type of company, and China indirectly, had access to embassy data and our telecommunications data?
6 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Thank you for the question, Mr. Chair.
I think the answer to your question really depends upon the sensitivity of the information that's going to be flowing through that machine. It will depend largely on where it's deployed, which is why typically when we do our assessment we have to do it in the context of an actual deployment, as opposed to a very general contract like this one, where it's not actually in the context of a deployment, but rather potentially for future acquisitions.
I think that's really where the crux of the matter is: where it's deployed, what the surrounding circumstances are, and specifically what type of information is going to transverse that product. That's going to determine the degree to which the risk is—
6 p.m.
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
If this took place in an embassy, for example, what would happen?
6 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Clearly, what they are putting these pieces of equipment in place for, at embassies—and obviously Global Affairs is better to answer—is to screen people who are entering the embassy to make sure they're not bringing in anything they shouldn't be.
Really, the type of information that this machine itself would carry isn't going to be the problem. Where the problem lies is whether there are any additional capabilities embedded within the machinery that are of concern. That is where a supply chain integrity assessment, such as the one we do, comes into play.
6 p.m.
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
Thank you for your response.
Should the government review its procurement policy to ensure that Chinese technology companies no longer have access to Canadian infrastructure?
Nuctech was awarded a $4-million contract for image and video communications equipment with the Canada Border Services Agency.
Should the entire policy be reviewed to ensure that this type of situation doesn't happen? The contract is dated November 2019.
6 p.m.
Conservative
6 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Is that question directed at me, or is it directed at PSPC? My apologies.
6 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
In my opinion, the work we're doing right now to identify additional types of equipment that should be flagged within the procurement policy for review of this type will get us to where we need to be to be more aware of what sorts of things should come to CSE for evaluation.
6 p.m.
Conservative
The Chair Conservative Robert Gordon Kitchen
Thank you very much, Ms. Mullen.
Mr. Green, you have two and a half minutes.
6:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I want to go back to the original question to PSPC, just to be crystal clear that at no step along the way through this process did somebody flag that this could potentially be an issue.
6:05 p.m.
Acting Assistant Deputy Minister, Procurement Branch, Department of Public Works and Government Services
Thank you for the question, Mr. Chair.
During the procurement process, when we received the initial request from Global Affairs, we did go back and double-check with them to see whether or not the “no security clearance” was a potential issue or concern. My understanding is that prior to the award of the standing offer, we double- checked that there were still no security issues at the time.
I hope that answers the question.
6:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
It does, and I appreciate that. We're trying to get to a place here where, hopefully, people can have the ability to express any kind of dissenting opinions on policy that might protect people.
I have a question for Ms. Mullen that's a bit of a shot in the dark.
In 2014, there was a presentation called “IP Profiling Analytics & Mission Impacts”, which tracked the cellphones of travellers passing through Toronto Pearson Airport. Was anything learned from that that we might apply to potential risks that could have come through malicious technologies that could have been placed in our own equipment, in our own missions?
6:05 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Thank you for the question, Mr. Chair.
Although I'm not specifically familiar with that particular study, I can say that the cyber centre does issue quite a lot of advice and guidance in terms of specific mitigation measures that individuals who are travelling should take to protect themselves. This is in terms of the types of vulnerabilities that their communications equipment, their cellphones, etc., inherently have, which is informed by that report and others like it. I would say that there is quite a bit of advice and guidance available to travellers for exactly that reason.
6:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Not so much travellers.... I'm just suggesting that if you were able to do that to travellers, I can only imagine that Nuctech, if it was malicious in its equipment, could have done that within our missions as a form of a national security threat.
I'm wondering whether, through a reverse engineering thought process, you have learned anything from the work you're doing in the Communications Security Establishment to better check the profiles of our future procurements, to ensure that no malicious technologies are hidden or stowed away within equipment that we're procuring?
6:05 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Yes and no.
Yes, we are using the things we know about the techniques we employ within our lines of business to better design protections to those types of techniques; and no, in that we are not being asked to weigh in on specific changes to procurement activities, other than, as I said, urging departments making technical procurements to come to us for advice and guidance.
6:05 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
I hope that's a takeaway from today's meeting.
Thank you very much, Mr. Chair.
6:05 p.m.
Conservative
The Chair Conservative Robert Gordon Kitchen
Thank you, Mr. Green.
Thank you, Ms. Mullen.
We're going to our last grouping, and we'll go to four minutes.
We'll start with Mr. McCauley.
6:05 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Thanks, Mr. Chair.
Ms. Mullen, thanks for your comments.
You mention urging departments to come to you. In your opinion, then, should this committee ask PSPC and TBS to change the policy so that all such tech purchases have to go through a process such as that?
6:05 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Thank you for your question.
All tech purchases.... I couldn't even begin to know how my team could keep up with that level of demand. I think it's about choosing the right types of equipment in the right deployment scenarios that warrant our attention.
6:05 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
For security reasons, should we then have an outright ban on buying tech equipment that is controlled by state-owned operators in an adversarial position to our country?
November 18th, 2020 / 6:05 p.m.
Director General, Partnerships and Risk Mitigation, Communications Security Establishment
While I can see how you might feel that way, CSE, of course, is not a regulatory agency at all, so we don't weigh in on—
6:05 p.m.
Conservative