Evidence of meeting #13 for National Defence in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was reservists.
A recording is available from Parliament.
Liberal
The Chair Liberal Stephen Fuhr
That's the amount of time we have for today. We're going to change panels. I want to thank you both very much for coming. I wish we had more time. Thank you for your care and attention to this very important manner, and thank you for your service.
I'll suspend for two minutes so we can switch our panels.
Liberal
The Chair Liberal Stephen Fuhr
Welcome back. We don't have a ton of time. I wish we had more.
Mr. Gerretsen, you had a point of order.
Liberal
Mark Gerretsen Liberal Kingston and the Islands, ON
Mr. Chair, I think it's prudent for this committee to recognize the fact that it's Mr. Bezan's birthday today, and happy birthday to him on behalf of the committee.
Thank you very much for that opportunity, Mr. Chair.
Liberal
The Chair Liberal Stephen Fuhr
I wish we had time to sing happy birthday; however, we'll have to do that after the fact.
Welcome back. I'd like to welcome the Communications Security Establishment folks, Shelly Bruce, Greta Bossenmaier, and Dominic Rochon. Thank you very much for coming. We're on a bit of a compressed timeline, so I will give you 10 minutes for the opening statement.
During the period for questions and answers, if you see me hold up this white piece of paper, I'm not surrendering. I just need you to wrap up so I can keep the questions and answers flowing so everyone gets an opportunity.
Thank you for appearing today. You have the floor.
Greta Bossenmaier Chief, Communications Security Establishment
Thank you so much.
Good morning Mr. Chair and committee members.
My name is Greta Bossenmaier and I am the Chief of the Communications Security Establishment, known as CSE. I am accompanied by Mr. Dominic Rochon, who is the Deputy Chief, Policy and Communications, and Ms. Shelly Bruce, who is the Deputy Chief, Signals Intelligence. It is our pleasure to appear before you today to talk about the mandate, role and ongoing activities of CSE.
This year marks CSE's 70th anniversary. In the past 70 years, the Communications Security Establishment has adapted to enormous changes in the international security environment and in the rapidly evolving nature of communications technology. From the Cold War and telegraph to terrorist groups like ISIS, and the Internet, the nature of our work is more complex and more diverse than ever.
Allow me to start by providing some background. Just over five years ago, CSE's place in government was changed to that of a stand-alone agency within the National Defence portfolio, reporting to the Minister of National Defence. Today, CSE is one of Canada's key security and intelligence organizations.
Our mission is derived from our three-part mandate under the National Defence Act.
The first part of our mandate is the collection and analysis of foreign signals intelligence. The National Defence Act authorizes CSE to acquire and use information from the global information infrastructure to provide foreign signals intelligence based on the Government's intelligence priorities. This intelligence helps provide a comprehensive view and unique insight into the potential threats Canada faces. It's important to emphasize that CSE only targets foreign entities and communications, and is prohibited by law from targeting Canadians or anyone in Canada.
The second part of our mandate is cyber defence and protection. CSE provides advice, guidance, and services to help ensure the protection of electronic information and information infrastructures of importance to the Government of Canada. Our sophisticated cyber and technical expertise helps identify, prepare for, and respond to the most severe cyber threats and attacks against computer networks and systems, and the information they contain.
Finally, the third part of our mandate is to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties. As Canada's national cryptologic agency, CSE possesses unique capabilities and expertise. Under the assistance mandate, those capabilities may be used to assist a requesting law enforcement or security agency under their legal authority.
It's also very important to highlight that the principles of lawfulness and privacy are critical to our work. We have a responsibility to protect privacy, and we take that responsibility very seriously. Protecting Canadians' privacy is a fundamental part of our organizational culture and is embedded in our organizational structures, policies, and processes. CSE has a strong privacy framework as well as internal review and independent external review.
The external review of the Communications Security Establishment is performed by the independent CSE commissioner. The commissioner, a retired or supernumerary judge, and his expert staff have full access to CSE's employees, our records, our systems, and our data. He has the power to subpoena, if necessary. These measures contribute to ensuring that CSE's activities are conducted in a way that protects Canadians' privacy interests.
As I mentioned earlier, throughout its 70-year history, CSE has proudly served our country while adapting to enormous changes in the international security environment. As you might imagine, this dynamic environment will continue to shape our current and ongoing activities.
In terms of results, our intelligence has played a vital role in supporting Canada's military operations. It has helped uncover foreign-based extremists' efforts to attract, radicalize, and train individuals to carry out attacks in Canada and around the world. It has provided early warning to thwart foreign cyber-threats to the Government of Canada and critical infrastructure and networks. It has identified and helped to defend the country against espionage by hostile foreign intelligence agencies. It has furthered Canada's national interests in the world by providing context about global events and crises and informing Canada's government decision-making in the fields of national security, defence, and international affairs.
As part of our ongoing efforts, we will continue to ensure that we provide timely and valuable foreign intelligence to meet the priorities of the Government of Canada. In an increasingly complex international environment, the need for foreign intelligence is as critical as ever.
Specifically, CSE support for Operation Impact provides vital information and helps protect Canadian troops from threats on the ground in Iraq. The Minister of National Defence has identified intelligence as an important aspect of this mission, and I'm proud that CSE will continue this contribution as Canada's mission evolves.
We will also continue to place an emphasis on cybersecurity. More and more of the world's and Canada's government operations, our business, our military systems, and citizens' lives are conducted online. This increased prevalence of digital information and electronic systems represents tremendous opportunity for Canada, but it also presents risks and threats to our government systems, to Canadian industry, and ultimately to Canadians.
While protecting Canada's most sensitive communications and information has always been core to CSE's mandate throughout our 70-year history, increased reliance on digital information has necessitated a heightened focus for us on cybersecurity. This is a realm in which the Communications Security Establishment has proven itself to be an innovative leader and trusted partner, leading the CSE to be a centre of excellence in cybersecurity for the Government of Canada.
The number of nation-states and non-state actors that possess the ability to conduct persistent malicious cyber-operations is growing, and Canada is an attractive target. CSE's cyber-defence activities play a critical role in the whole-of-government effort in combatting cyber-threats.
For example, CSE's sophisticated cyber-defence mechanisms block over 100 million malicious cyber-actions against the Government of Canada every day. In addition, CSE's cyber-defence information sharing has helped prevent significant losses to the economy and to Canada's most sensitive information, which has helped Canadian businesses protect their systems and information.
Through CSE's educational initiatives, such as our “Top 10 IT Security Actions”, which I provided you a copy of today, we're helping to protect Government of Canada networks and information. We help ensure that government IT professionals are informed about the latest threats and mitigation measures to protect Government of Canada systems and the information they contain.
Finally, we are committed to becoming more open and transparent about how we protect Canadians' security and their privacy.
In January, CSE held its first ever technical briefing for media and for parliamentarians. Explaining complex technical aspects of our work in unclassified settings is challenging, and this media briefing was a positive first step.
We are taking other steps to tell Canadians more about the work that we do to help protect them, from recently entering the social media world by launching a Twitter account, to posting new content to our website, to producing videos about our cyber defence work.
I'll conclude my remarks by stating that I am confident in our ability to remain resilient in the midst of significant change, to address the growing demands posed by cyber threats, to provide timely and vital foreign intelligence to the Government of Canada, and to continue to safeguard the privacy of Canadians.
My confidence stems from the professionalism and commitment of CSE's highly skilled workforce. CSE's employees play a fundamental role in shaping our organization and our capabilities, and in delivering on our objectives. They are our most important asset.
Thank you for inviting us here today. It would be our pleasure to answer any questions you might have.
Liberal
The Chair Liberal Stephen Fuhr
Thank you very much for your testimony.
I'm going to move along quite quickly here and open the floor up to Mr. Fisher.
You have the floor for seven minutes.
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
Thank you very much, Mr. Chair.
Thank you so much, folks, for being here. What's your Twitter handle? I'm going to follow you.
Dominic Rochon Deputy Chief, Policy and Communications, Communications Security Establishment
Yes. It's CSE_CST.
Deputy Chief, Policy and Communications, Communications Security Establishment
That's the English one. The French one is the opposite, CST_CSE.
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
Of course, I'm interested in the balance of protection, the privacy of Canadians versus how we make sure that we protect Canadians by getting the intelligence that we actually need. That's your job, right?
When you discovered that you did share that metadata containing the identities of Canadians, what did you do right away? What were the things that you did to correct that right away? I'm thinking, obviously you'll see there are lessons learned here, but what types of things did you do immediately when you discovered that had happened?
Chief, Communications Security Establishment
Thank you very much for the question.
Mr. Chair, I think it's really important, as the member pointed out, that when this issue occurred, CSE actually found the issue, and we proactively informed the Minister of National Defence and the commissioner who reviews the Communications Security Establishment. We found the issue. We proactively informed our authorities. We also proactively suspended the sharing of the metadata in question. We also did a review in terms of the incident overall. We looked at and determined that there was a whole suite of additional privacy measures in place; hence, we assessed that the privacy impact was low.
We also took note that the commissioner did a review of the issue as well. He noted that he believed that the error was actually unintentional. He also noted the CSE's full co-operation with his review. Basically, we found it, identified it, informed those responsible, and we undertook a review. We continue now to update our systems and our processes to ensure that we have robust processes in place and that we are able to share the important intelligence.
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
Have we resumed that sharing process of the metadata again with our allies?
Chief, Communications Security Establishment
We have not yet resumed the sharing. We want to ensure, as I mentioned, Mr. Chair, that a solid process is in place and procedures are in place before we start sharing again. That's something the minister will make the final decision on.
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
In your opinion, do you think that any changes are needed to Canadian laws or legislation as a result of the commissioner's recommendations?
Chief, Communications Security Establishment
It's most prudent for me to leave legislative changes in the purview of government and Parliament. I will note that over the last number of years, commissioners and previous commissioners have made a number of recommendations with regard to CSE's activities. Over 90% of those recommendations have now been implemented. Some of those recommendations did touch on potential legislative changes.
Liberal
Darren Fisher Liberal Dartmouth—Cole Harbour, NS
Mr. Chair, in light of the fact that time is tight, I'd be pleased to give any remaining time to the member for Surrey Centre, if he has a question he'd like to ask.
Liberal
Randeep Sarai Liberal Surrey Centre, BC
I want to thank you for taking valuable time out from protecting our country on the cybersecurity side to come here.
As guardians of Canada's cybersecurity and cybercrime, you prevent intelligence breaches and control the firewalls. Do you think Canada has adequate security measures as of now for the cyber-threats that we face globally?
Chief, Communications Security Establishment
Thank you for the question.
Mr. Chair, as I mentioned in my opening remarks, the whole realm now of cybersecurity is a very dynamic environment, because the threats are changing, the nature of technology is changing, and threat actors are changing. It's a very dynamic environment and from the CSE's perspective of working with our partners across government, we are putting a lot of focus on that.
Over the last number of years, protecting and enhancing the protection of the Government of Canada's systems has really been a core focus for our organization. I would say that we've made a lot of progress over the last number of years in terms of upping the defences around the Government of Canada's systems and also helping to protect critical infrastructure in Canada.
At the same time, I would be remiss if I didn't say that this is a constantly evolving challenge. We can never rest on our laurels saying we've done a good job, as it's just too dynamic an environment. One of our key challenges going forward and working with our partners across government will be to continue to remain diligent and try to continue to stay ahead of the threats and ahead of the demands.
While we've made, I believe, significant progress, I would never want to leave the committee with the impression that we're done and there's not more to do. This will be an environment in which we will have to continue to remain ever vigilant and continue to up our game.
Liberal
Randeep Sarai Liberal Surrey Centre, BC
Thank you.
What percentage of the government's IT budget is used to defend against cybercrime? Would you know that in terms of each department? Do you monitor that?
Chief, Communications Security Establishment
We monitor systems, that's for sure. We don't monitor in terms of the actual expenditure across the Government of Canada.
Mr. Chair, I'd have to say that perhaps one of the central agencies would be better able to answer that question in terms of the total amount that government spends on information technology and information technology security.
Liberal
Randeep Sarai Liberal Surrey Centre, BC
A little along the same lines, many countries now are budgeting separately or have a separate line item for cybersecurity versus just IT. Do you recommend that Canada also have that same separate line so we can monitor in each department how much we are spending for cybersecurity rather than just having it clumped in with IT and have it a very small percentage?
My understanding is that a lot of agencies or foreign or organized crime are trying to penetrate our systems, whether it be minutely to gather someone's personal intel to blackmail them or whether it's to get corporate espionage. Do you think it would be recommended to have it as a separate line item so that we could also see and budgets don't get all clumped into IT?
Chief, Communications Security Establishment
To your point that the environment is so dynamic and the nature of the threat actors, we're seeing everything from cybercriminals to the so-called hacktivists, to state actors and non-state actors, all playing a very active role in this cyber-threat realm.
In terms of creating a separate line item or showing the amount of expenditure, maybe on that I would just note that the government has committed to undertake a cybersecurity review that is led by the Minister of Public Safety and Emergency Preparedness in collaboration with a number of other ministers, including the Minister of National Defence. Perhaps that's a question that will be raised in the midst of that review.