National Defence Committee on May 19th, 2016

Mr. Chair, I'm not au courant of the previous testimony that occurred here.

I will note that in terms of overall threats to Canada, I reflect on the remarks that were made not too long ago by the outgoing national security adviser who talked about two primary threats that he was most concerned about. He had a responsibility of looking at the overall threat environment for Canada. The two that he referred to that were utmost in his mind were counterterrorism and cyber-threats.

In terms of overall threat reporting, the national security adviser and CSIS both have an authority to look at the overall threat environment.

Agreed.

Thank you for the question.

Many of the questions today go back to the heart of what I think we're seeing, a watershed change in the nature of the cyber environment, the types of attacks that are occurring. To the point the member made, there are a wide variety of attacks.

You're referencing attacks at a state level. We're seeing attacks on critical infrastructure in various countries, attacks against the Government of Canada systems from a variety of threat actors. From each one of these either successful or unsuccessful attacks, we all learn something. The international community learns something. One of the things we learn over and over again goes back to my earlier point that we can't be complacent, that we always have to continue to look at our methods, our tools, our techniques, the types of threat actors.

It's impossible to be complacent. You always have to try to stay ahead of this.

The other item I raised before is it has to be a team imperative. No one organization or one country can do everything alone. It very much is trying to work together and bring together the various resources to deal with these complicated cyber-attacks.

Looking forward, we'll have to continue to be very vigilant. The advice that we provide to the Government of Canada, I've given you our “Top 10 IT Security Actions”, those have evolved. We continue to learn from various actions that are taken. We also learn from when people have implemented some of our recommendations. Once those are taken care of, what are the next variety of steps we recommend that people take?

It's constantly evolving, necessary to be a team imperative, and impossible to say we're done; I don't think we're ever going to be done in this domain.

Thank you for the question.

I am more comfortable speaking English. I will answer your question in English.

As a point of clarification, our budget doesn't actually come from the Department of National Defence. It's appropriated to the Communications Security Establishment. As I mentioned, it was about five years ago that the Communications Security Establishment became a stand-alone agency, still under the National Defence portfolio and clearly reporting to the Minister of National Defence, but we're now a separate organization. Again, that happened about five years ago.

In terms of the funds we have and the efforts we make, the member is absolutely correct. I can talk both on the foreign signals intelligence side and on the information protection side. We work very closely with our colleagues in the Department of National Defence. We have a long-standing relationship that goes back throughout our 70-year history of working with the Canadian Armed Forces and supporting them in their operations. That continues today with our efforts with them, for example, in Operation Impact in Iraq.

At the same time, we do provide foreign signals intelligence to decision-makers across the Government of Canada, not only in terms of the Minister of National Defence and colleagues at the Department of National Defence, but through other decision-makers across the Government of Canada in line with the intelligence priorities that the government sets.

The member is also absolutely correct in terms of our cyber-defence activities. We work very closely, of course, with the Department of National Defence to help ensure that their systems are secure. At the same time, we work with the whole-of-government partners, again whether it be Shared Services Canada, or Public Safety emergency management, or the Treasury Board of Canada Secretariat, and individual departments, all of which are part of this overall effort to secure the Government of Canada systems.

Yes, our efforts across all three of our mandates are there to support Government of Canada priorities. We work not only with our colleagues in the Department of National Defence, and of course in the Canadian Armed Forces—we're very proud to work alongside them—but across the other government departments as well.

Thank you for the question.

In terms of specific examples of cyber-threats, I'll try to answer that in two parts. I'll talk briefly about the cyber-threat actors, because it's an important piece, and also about some of the cyber-threats we are seeing.

To speak briefly on the actors, there are sophisticated nation-states that target and try to infiltrate systems. There are non-state actors. We've seen the prevalence in recent months of reports that ISIL is developing cyber capabilities. There are state actors and non-state actors. There is cybercrime, as was raised by one of the other members of the committee a moment ago, and there is the rise of cybercriminals who look to steal information or to steal resources.

There are also examples of the so-called hacktivists. These are organizations or people who are trying to be disruptive, and who are trying to disrupt a government service or disrupt a system. There were examples in the last year. In terms of giving a concrete example of those people who are trying to be disruptive, there were a number of so-called denial-of-service attacks. Those are from people or organizations trying to flood the government systems with requests through a variety of systems that slow down or impede legitimate Canadians trying to do business with the government from being able to do so.

You can see that nuisance and threat activity, and you can see defacement of government websites. The earlier example that was raised was in terms of significant attacks that could be trying to steal intellectual property or trying to infiltrate systems to gain personal information. There was a significant cyber-attack recently with one of our partner countries, and what the cyber-attackers were trying to go after was personnel information, Government of Canada employees and other people who are working for the government.

To underline the point, it's a variety of different threat actors and a variety of different techniques that are being employed for a variety of different ends, all of which either are disrupting systems and trying to infiltrate information, or trying to steal information or shut down systems.

I hope that gives you a bit of an idea of the range of threats and actors we are seeing.

Thank you for the question.

In terms of the nature of attacks, I'll go back to my earlier comments. They are coming from a variety of sources with everything from sophisticated cyber-actors to the hackers or hacktivists, perhaps in someone's basement or perhaps not. There is a wide variety.

In terms of those that are focused on the Department of National Defence, I would have to refer you to the Department of National Defence because it's their responsibility to have that overall view of their systems. We're there in a support role for them.

With regard to your reference to the 100 million probes we are seeing a day, the variety of different types of activity, some are just probes. They're trying to look at the Government of Canada writ large for the weak spot. There is an old phrase, “the weakest link in the chain”. They are looking for weak spots and trying to understand if there are systems that haven't been updated, or if there are weak spots they can try to infiltrate. They are trying to probe. One of CSE's responsibilities is to help thwart those probes on Government of Canada systems.

In terms of using automation, those are all things that are important for us.

Thank you for the question.

In terms of our assistance mandate, federal law enforcement security organizations may request CSE's technical assistance, an important part of our overall mandate and, aptly, that's in part C of our assistance mandate. In order for us to consider the request, the organization has to have the lawful authority to be able to ask us. If an organization has the lawful authority, and as my colleague pointed out, if we've confirmed that they have that, we can consider providing that assistance to them.

In terms of Bill C-51 in particular, that bill has not impacted CSE directly, in the sense it's not changing CSE's authorities, etc. It has altered CSIS' authorities. If they, again, had the lawful authority to ask us, we could consider assisting them in their lawful mandate. But it's not directly affecting our mandate. Our mandate stays the same under that reference to the National Defence Act that you made.

Thank you for the question.

As I noted, we do work with Public Safety and Emergency Preparedness Canada. They have a particular role with regard to—let me see if I can get my acronyms right—CCIRC, the Canadian Cyber Incident Response Centre, that is a link to critical infrastructure providers and a link to the private sector in terms of providing everything from threat mitigation advice to information on if we see something coming, how they can help themselves. We provide information to Public Safety and work with Public Safety dealing with those critical infrastructure providers.

In terms of defence contractors in particular, I would want to confirm in terms of their relationship with CCIRC, but I also would have to confirm in terms of their relationship and how they work with the Department of National Defence.

Sure.

Madam Bruce, do you want to talk about NATO?