Evidence of meeting #7 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Lorenzo Ieraci  Acting Assistant Deputy Minister, Procurement Branch, Department of Public Works and Government Services
Dan Danagher  Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development
Michele Mullen  Director General, Partnerships and Risk Mitigation, Communications Security Establishment
Clerk of the Committee  Mr. Paul Cardegna
Catherine Poulin  Director General, Integrity and Forensic Accounting Services, Department of Public Works and Government Services
Claude Kateb  Acting Director General, Industrial Security Sector, Department of Public Works and Government Services
Scott Harris  Vice-President, Intelligence and Enforcement Branch, Canada Border Services Agency

4:55 p.m.

Director General, Partnerships and Risk Mitigation, Communications Security Establishment

Michele Mullen

Thank you for the question, Mr. Chair.

Normally a supply chain integrity assessment, which is what CSE would perform in support of a department making a risk-based decision on a procurement for a piece of technology like this—

4:55 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

Sorry, maybe I didn't ask the right question.

Your threat assessment report came out today, specifically naming China for the first time and state-sponsored actors attempting cyber-threats. What kind of information could such state-sponsored actors gather from our embassies from this equipment? Do you share the lack of concern that seems to be coming from Global Affairs and PSPC?

4:55 p.m.

Director General, Partnerships and Risk Mitigation, Communications Security Establishment

Michele Mullen

To be honest, sir, I think the nature of the X-ray machines over time has evolved such that they are becoming more of interest.

4:55 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

But this is not about the nature or the past. This is about the exact machines that the Government of Canada decided we were going to okay for our embassies.

4:55 p.m.

Director General, Partnerships and Risk Mitigation, Communications Security Establishment

Michele Mullen

Understood, sir, and this is exactly why we're working together now to identify this and other types of equipment that perhaps should be flagged in future under procurement activities, because the nature of the technology has evolved such that it could gather information that could be of risk to Canada, even though—

4:55 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

If the media hadn't highlighted this issue, would the CSE have been concerned?

4:55 p.m.

Director General, Partnerships and Risk Mitigation, Communications Security Establishment

Michele Mullen

Again, we only perform these assessments when we're approached by a department that's making the acquisition, because it is the risk-based decision of the department making the acquisition.

4:55 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

How do we stop this from happening again? Does it start with Global Affairs asking you if they can bring state-owned Chinese equipment into our embassies?

4:55 p.m.

Director General, Partnerships and Risk Mitigation, Communications Security Establishment

Michele Mullen

The way this changes in the future is for them to ask us whether the types of equipment they're looking at should be assessed for supply chain integrity, in which case we would look at ownership as one of the three prongs of things that are assessed.

4:55 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. McCauley.

4:55 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

Mr. Chair, how much time? Oh, I think you've answered my question.

4:55 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Mr. Drouin, you have five minutes.

4:55 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Thank you, Mr. Chair.

Thanks to all the witnesses for taking the time on this important issue.

I want to get back to Global Affairs, but I'd love to hear from CBSA because I know they're also big purchasers of scanners as well. I'm not sure if I have the right folks to answer this—Mr. Harris or Ms. Zafar—but does CBSA invoke the national security exemption clause or have higher security requirements when they buy similar technology?

5 p.m.

Vice-President, Intelligence and Enforcement Branch, Canada Border Services Agency

Scott Harris

Thank you. I'll just check the sound. I was having technical issues, so I will try to speak slowly for the benefit of the interpreters.

To date, in our X-ray detection procurement, we have not invoked the national security exemption for that purpose. As has been noted by my colleagues at GAC and Public Services and Procurement Canada, we do a review of the security requirements under the contract security policy.

As X-ray equipment does not handle sensitive or technical information in our context, it hasn't to date risen to the bar that would trigger enhanced security in that space, and as a result we do procure X-ray technology from a number of different companies, including from Nuctech.

5 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Again, depending on where this similar technology would be installed, would the person installing that technology require a security clearance to install this at the border or anywhere else? I'm not sure if you deal with the company itself or with a subcontractor.

5 p.m.

Vice-President, Intelligence and Enforcement Branch, Canada Border Services Agency

Scott Harris

Yes, absolutely, we have a number of mitigating interventions that we put in place around this technology. As I said, one of the first ones is obviously to keep it disconnected from our networks and from any Government of Canada networks. This retains its integrity as a tool that can support our border officers' work in terms of secondary examinations.

As you mentioned, the second is the fact that anyone affiliated with any of our suppliers would be screened through security processes and would be escorted on site if they were present in our facilities.

5 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

I'd love to get back to Global Affairs on this.

Again, if we take Nuctech for example, if the company had been successful and were to install in the embassies, does GAC require those who would install that particular technology in our embassies to have security clearance? I know X-ray is not exactly top-notch technology. There are some out there, and we can find them in some places where civilians often operate, but I'm just wondering, for general purposes, for this committee.

5 p.m.

Assistant Deputy Minister, International Platform, Department of Foreign Affairs, Trade and Development

Dan Danagher

In the past, no, we haven't required that, partly because any service personnel would be accompanied by security personnel at Global Affairs Canada watching everything they do. That is changing, moving forward. Understanding that we have 178 locations around the world, servicing can get very expensive, but it's an expense that we will be incurring as we move forward.

5 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Okay.

To PSPC, I know that normally there would be...when security requirements are triggered, but is there a second process where PSPC would advise the client department that, for example, we've seen other departments procure similar technology, and perhaps you may want to invoke the NSE? Does that sort of interaction happen with the client departments?

5 p.m.

Acting Assistant Deputy Minister, Procurement Branch, Department of Public Works and Government Services

Lorenzo Ieraci

Yes, that interaction happens with the client departments. That interaction happens primarily at the beginning of the process. The decision to invoke a national security exemption is taken early on in the procurement process. If a national security exemption is triggered, what that means is that we set aside all or part of that procurement from our obligation in a trade agreement. That needs to be determined early on.

When our client departments raise requisitions with us in terms of what they need from a good or service perspective, our procurement officers have conversations with them in terms of potentially the best way forward, while recognizing that in most instances our client departments obviously know their operating environment much better than we would.

5:05 p.m.

Liberal

Francis Drouin Liberal Glengarry—Prescott—Russell, ON

Thank you.

5:05 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Drouin.

We now go to Ms. Vignola for two and a half minutes.

5:05 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Thank you very much.

VOTI Detection, a company set up in Montreal, bid unsuccessfully in the standing offer process. Here is what its president and CEO told the media:

Even though the contract did not stipulate the walkthrough X-ray machines be connected to embassy networks...hard drives will be accessible, and data downloadable when the machines are serviced.

How accurate is that statement?

My question is for Ms. Mullen from the Communications Security Establishment.

5:05 p.m.

Director General, Partnerships and Risk Mitigation, Communications Security Establishment

Michele Mullen

I will do my best to answer that. Normally, we have to take all of the surrounding details of a particular deployment into account when we explain something like this.

Typically speaking, in the more recent versions of equipment like this, they are starting to emerge now with embedded hard drives and USB ports that can be used for maintenance purposes for uploading and downloading data and software updates and that sort of thing. In the truest sense of the word, those would indeed give vectors for something like that to be done with malicious intent.

5:05 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Okay.

So it is in fact possible to access embassies' hard drives while the machines are being serviced.

Did I understand correctly?