Procedure and House Affairs Committee on Oct. 3rd, 2024

Good morning, Chair and members of the committee. It's an honour to join you today and to have the opportunity to discuss Bill C-377.

We hope to provide some insight to this committee on government security screening processes and policies, as well as on access to classified information and the importance of protecting it.

In the interest of time, as the chair mentioned, I have the honour of providing opening remarks on behalf of the entire panel of witnesses.

Security screening is a fundamental practice that makes it possible to establish and maintain a relationship of trust within the government, between the government and Canadians, and between Canada and foreign countries.

Security screening involves the collection of personal information from individuals with their informed consent, as well as information from law enforcement, intelligence sources and other sources, using methods to assess their reliability and loyalty to Canada. My colleagues here from TBS and PCO will be very pleased to expand upon these issues.

A security clearance is sometimes misunderstood or portrayed as a special designation, a set of privileges or an earned qualification like a rank. It is none of these. Simply put, in the Government of Canada, it is an administrative decision taken by the deputy head of an organization that an individual is an acceptable security risk when accessing government information, assets and facilities, and when working with others in government.

The deputy head makes their decision based on the information and advice provided by the police and intelligence services, including the RCMP and CSIS. A security clearance may be granted, denied or revoked by the deputy head at any time.

Since clearance holders work in every part of government, a security clearance does not automatically grant the holder access to all information or assets at that level of clearance.

Safeguarding sensitive information is critical to the Government of Canada's ability to function and to keep Canada and Canadians safe. There are rigorous measures in place to prevent the release of classified information to anyone who does not strictly require it.

These measures are imposed with very good reason. The inadvertent release of sensitive information can result—and, very sadly, has resulted—in serious harm to individuals, even costing lives, Canada's national interest and our international relations. Mitigating this risk underpins everything that members of the security and intelligence community do. The release of information could mean risking the safety of human sources, exposing the tradecraft and other methodologies used to conduct investigations, and threatening the stability of indispensable allied relationships upon which Canada depends so heavily for intelligence. Put simply, if partners cannot trust Canada with their information, they will no longer provide it to us.

Similarly, if human sources do not trust that CSIS can protect them by safeguarding the information that they provide to us, our ability to recruit sources and collect information vital to Canadian security will be seriously impeded. We could also lose access to a valuable technical collection source that took years and expensive investments to develop.

What may appear in the first instance as information that's not especially sensitive or harmful, when viewed in conjunction with other publicly released information, can be used by adversaries to make inferences with very serious consequences. This is called the mosaic effect. Our adversaries carefully watch and track every word we say and release publicly, and we're very confident that they are watching now. They put together many pieces of information to identify our sources, our methodologies, our tradecraft and intelligence gaps. Many adversaries are very good at their jobs.

There are important principles that reinforce this system and that lie at the foundation of safeguarding all sensitive information. This is the need-to-know principle. An individual's specific duties and functions and the files they were working on at that particular moment in time are what establish their need to know for relevant sensitive information. Even the most senior officials at CSIS, who have the highest possible clearance levels, do not receive sensitive information that is not relevant to the current job and files that they're working on. In other words, there is no deemed need to know.

We need to ensure that sufficient information is disclosed to hold the government to account while also ensuring that classified information is protected. There are several critical avenues for review and oversight of classified information, including the National Security and Intelligence Committee of Parliamentarians, the National Security Intelligence Review Agency, the intelligence commissioner and the Federal Court, among others.

The people who work for these organizations have the necessary security clearances; they will receive the information classified as secret that they need for performing their specific jobs.

There are safeguards in place to ensure that no national security injury occurs as a result of disclosure of that information. These individuals are bound to secrecy under the foreign interference and security of information act, formerly known as the Security of Information Act, SOIA, and they must not knowingly disclose any information they obtained or to which they had access in the course of their duties and that a department is taking measures to protect.

At the same time, CSIS is making efforts to enhance its transparency, including in its public annual reports, which now say more than ever about its operations and the threat overview, and in its discussions with the media and the information it communicates to the public proactively.

We have taken extensive efforts to “write for release” information, for example in the proactive provision of chronologies of events to parliamentary committees. We've done that in the last couple of months.

Recent amendments to the CSIS Act through Bill C-70 further enhance CSIS's ability to share information, and we look forward to working more closely with parliamentarians as we up the national security conversation in this country.

We will be happy to answer your questions.

Mr. Chair, I think those are excellent observations, and I have perhaps two comments to offer.

First of all, one of the changes that was made to section 19 of the CSIS Act as part of Bill C-70 really removed what essentially was a prohibition from CSIS sharing any information or analysis outside the federal government, including unclassified information. Those amendments enable us to also provide a lot more unclassified information, advice and expertise in a way that we couldn't before.

That's enabling us, for example, to participate with allies in multibranded security advisories in a way that perhaps we couldn't before. It's also to enable sharing unclassified information that we previously couldn't provide. As the member mentioned, this gives us a great opportunity to have a far more sophisticated national security conversation.

Now, in some particular cases there will be specific pieces of information that are classified that we would like to be able to share outside the federal government to those who have the appropriate clearance. For example, there could be a situation where a parliamentarian is representing a particular constituency where we know a foreign interference actor might be interested, given the natural resources in the area or a particular ethnic or minority community that makes up the riding.

What we would like to be able to do is provide that specific and perhaps classified information to the parliamentarian to enable the parliamentarian to build their resiliency by being able to recognize and then, as a result of that, manage the threat.

That's the purpose of the changes to the CSIS Act. It is to allow us to do those resiliency disclosures.

Sometimes it will be unclassified information. Sometimes it would be classified, but classified information would be provided to only those who do have the requisite clearance.

In each of those cases there would need to be a determination by the owner of the information as to whether there was a specific need to know for that particular specific piece of information.

Thank you very much.

Through the chair, I'm not sure that I would go and criticize Mr. Wark for his opinion. Obviously, that's his opinion.

I would say that what he's getting at, if I were to interpret his remarks, is the issue around safeguards. In fact, Parliament has discussed safeguards in the context of NSICOP before. You'll recall, Mr. Ruff, that you went through a clearance, which is what we're discussing here.

There is more to security in the Government of Canada than just a clearance, as you well know. If you look at NSICOP, for example, every member there is permanently bound to secrecy. They have given up their parliamentary privilege. In fact, if they divulge something in Parliament, that information can be used against them in a court of law. They've taken an oath.

The other thing I would emphasize, though, is that Parliament allowed the Governor General to pass regulations. Those regulations set in place all the very safeguards that I think Ms. Giles covered very well. That is around who can do what, when they can share the information, how they can process it and what they need to use. All of those safeguards are what I think make up—and I hate this word—the ecosystem of security in the Government of Canada, of which security clearance is one part.

I'm not sure I'd agree that it's fatal. We already give clearances in certain circumstances to MPs. The NML issue is one and NSICOP is another. I think that all of those were buttressed with the safeguards that we're talking about.

I can't say that this has been the case.

I would also just remind everyone here that they also took an oath not to do so.

As officials we're never in a position to provide policy advice on specific pieces of legislation, but there is often some confusion around language and vocabulary. The term “need to know” is understood differently in different contexts.

When we talk about need to know, that applies to each and every individual specific piece of information. Therefore, in our work, there is no deemed need to know on any piece of information. It's the originator and owner of the information that determines who gets access to it. To give you an example, when we get information from an international partner and we want to provide it to the RCMP for a law enforcement investigation, we at CSIS have to go back to the international partner, ask if we can use these exact words, and give this exact information to the RCMP for the purposes of a criminal investigation. It's very regimented.

From our perspective, there's always value in being very precise about the language that's used. In our business, in our world, there is no deemed need to know on pieces of information. It's determined on the basis of that very specific circumstance.

Every day, for example, there are a number of meetings that I'm not allowed to attend, because, despite my position, I don't have a need to know for that specific operation.