Evidence of meeting #65 for National Defence in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was russia.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Stuart Wright  Chief Information Security Officer, Aegis Technologies, As an Individual
Alan W. Bell  President, Globe Risk International Inc.
Viktor Siromakha  Defense, Naval and Air Attaché, Embassy of Ukraine

4:15 p.m.

Liberal

The Chair Liberal Stephen Fuhr

You have about 20 seconds, so you can respond.

4:15 p.m.

President, Globe Risk International Inc.

Alan W. Bell

Do you want to answer that question?

4:15 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

I'll answer that question.

We need to develop a framework, come up with a common knowledge and approach, and start training resources now, because the threat is escalating. It's evolving every day, and new tools are coming out. If we don't have a common framework to protect all critical infrastructure, then we are basically operating from a dark position.

4:15 p.m.

Conservative

Randy Hoback Conservative Prince Albert, SK

Thanks, guys.

4:15 p.m.

Liberal

The Chair Liberal Stephen Fuhr

Ms. Hardcastle, welcome. You have the floor.

4:15 p.m.

NDP

Cheryl Hardcastle NDP Windsor—Tecumseh, ON

Thank you, Mr. Chair. It's good to be here.

I am really intrigued by everything that you gentlemen have offered.

Mr. Wright, I want to go back to you. From what you've been talking about, the question of Canada and our next steps.... Do you believe that, in order for us to harden our systems, whether it's a province or a municipality with water supply or a power grid, the onus for the framework you were talking about, developing a strategy, should be on some national entity, maybe in the Department of Defence, which would be approving or screening these new infrastructure grids?

From what I am hearing and from what I've understood from my reading, we are beyond using the metaphor of the firewall. It's almost like we need to be using some kind of metaphor that's similar to the way we construct buildings in earthquake-prone areas. We have to have these self-contained structures.

How do we have a master strategy? I just wanted to hear more. I think you were cut off a bit, so I'll use up the rest of my time with that and let you freestyle.

4:15 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

There are a number of different measures and mechanisms we can take. The framework.... Again, I have to tread very carefully here. I am speaking as an individual, and I'll caveat my statements.

It would behoove Parliament to consider a federated model to adopt a framework not just for the Department of Defence but for all critical infrastructure providers uniformly across this country, whether it's transport automation, waste-water management, or the financial service sectors. There are precedents here: in Australia, Italy, and other jurisdictions. I know the United Kingdom and Germany looked at this.

My guidance would be to take the core elements that we've seen out there, like NIST and the Department of Energy's C2M2, with the mil-spec, and incorporate two additional elements. One would be security by design; for every item and mechanism we are putting into place, fundamentally incorporate that into the actual development as part of our infrastructure build-out and our measures build-out. The second one, respecting the fact that we live in a democratic society, would be privacy by design. I think of Ann Cavoukian here. We should be espousing that with leaps and bounds. This wouldn't be specific just to the energy sector. It would be specific to all our sectors.

We need to look at this holistically. We need to work with our provincial partners inter-jurisdictionally, both here in North America and abroad, to respond collectively as a sector. Collectively, we are stronger. Individually, we are weak. We need to think federally, and we need to think beyond our borders. We need to engage with our partners abroad, with NATO and our counterparts in Ukraine, to basically come up with a mechanism such that we can speak the same language, respond in the same time and fashion, and have the same types of resources and training, so that if we need to deploy to a certain theatre of operations, we have the resources available, both in industry and in defence, to actually respond.

I won't speak about quantum computing right now, because I don't want to terrify anybody.

4:20 p.m.

NDP

Cheryl Hardcastle NDP Windsor—Tecumseh, ON

I have a little more time.

You had an example earlier. You were kind of cut off in your presentation. Do you want to go back and talk to us a bit about some of the examples that prompted you to tell us that we need a federal plan that goes beyond our borders?

4:20 p.m.

Chief Information Security Officer, Aegis Technologies, As an Individual

Stuart Wright

We were cut off around the Baltic attack. Around the same time was the 2015 Ukraine attack. One of the three Baltic states—Estonia, Latvia, and Lithuania—saw its power grid attacked, but it wasn't taken down. The exact country that was attacked had not been announced publicly. The attack on the Baltics followed a similar methodology as in Ukraine.

What we are seeing here is that they are using the same playbook to disrupt different jurisdictions, but we need to respond not just individually but collectively: a federated model, a federated framework based on industry practices. I know that Google, Apple, the Department of Defence, and Homeland Security are all standardizing on NIST as a solid framework. We've had a lot of conversations along those lines. Separately, I can share with you what we are doing here in Ontario.

Overall, that attack was largely unsuccessful, but it did expose one thing: the actors' presence in the Baltic power grid. They may already be in the power grid systems, and they may have already deployed that malware. What we need to do is take the appropriate measures to validate that these systems haven't already been compromised.

For us to do so, we need to have the resources and the training, and we need to start hardening those systems. If we want to replicate it—whether it's in Estonia, Ukraine, or here in Canada—we need to speak a common language. That framework would be the foundational element that is required. My recommendation to this panel is to start considering that, and adopting it as a measure.

4:20 p.m.

NDP

Cheryl Hardcastle NDP Windsor—Tecumseh, ON

Thank you.

4:20 p.m.

Liberal

The Chair Liberal Stephen Fuhr

Mr. Robillard.

4:20 p.m.

Liberal

Yves Robillard Liberal Marc-Aurèle-Fortin, QC

Thank you, Mr. Chairman.

Good afternoon gentlemen.

Thank you for your input today.

Mr. Bell, I'm going to quote from your bio.

Mr. Bell has trained close protection teams for two kings, two presidents, and has been involved in countering terrorism operations and training throughout the world.

4:20 p.m.

President, Globe Risk International Inc.

Alan W. Bell

Yes. I have done that.

4:20 p.m.

Liberal

Yves Robillard Liberal Marc-Aurèle-Fortin, QC

Given your expertise, what can you tell us about the security risks the current leaders of the Ukrainian government face?

4:25 p.m.

President, Globe Risk International Inc.

Alan W. Bell

The main risk is Russia going one step further. In other words, what the Ukraine is worried about, as well as the other former Soviet Union bloc countries, is the fact that Russia is going to take back more areas within those countries, to enable it to have a bigger operating battle space if NATO decides to attack.

There is very little chance that NATO will attack, obviously, the way things are at the moment, but NATO did agree—I can't remember how many years ago—that they would not increase the size of NATO using other countries in Europe, but in fact, they've gone to 29 countries that are now involved with NATO.

Obviously, as I stated in my presentation, Russia is getting very paranoiac. They're not only worried about Europe. They're also worried about the Turks. That's another issue, because the Turks have indicated that whilst they are a member of NATO they also want to try to become the leader of the Muslim world, and those two ideas aren't computing.

Also the Black Sea fleet.... If NATO decides to stop the fleet from coming through the Bosporus and Dardanelles, that fleet is no longer able to operate in a warm water. The only port they now have is Tartus, in Syria. That's the reason why they're engaged in Syria.

4:25 p.m.

Liberal

Yves Robillard Liberal Marc-Aurèle-Fortin, QC

Are private security forces increasingly playing a role in the conflict in Ukraine? Is that a trend you're seeing?

More broadly speaking, how involved is the private sector in the conflict in Ukraine and its most dangerous areas?

4:25 p.m.

President, Globe Risk International Inc.

Alan W. Bell

There have been a lot of private military corporations, mainly U.S. private corporations, that have gone in. They are assisting the Ukrainians with various different training and how to operate, especially in urban areas where a lot of these battles are taking place.

In terms of how many companies and what their strengths are, we do not know at this particular moment, but they are starting to move in there. That's why PMCs were actually put together to go in and assist these countries when these countries didn't have a lot of help from outside their country.

4:25 p.m.

Liberal

Yves Robillard Liberal Marc-Aurèle-Fortin, QC

Given what you know and what you've seen, what condition is the border between Ukraine and Russia in? Is it porous, and, if so, in what way? How great are the security risks in that area?

4:25 p.m.

President, Globe Risk International Inc.

Alan W. Bell

Ukraine is facing a very fast, mobile, highly equipped and trained army. While Russia has not gone any further than Donbas at this particular time, who knows what's going to happen?

The cyber-attacks are getting more and more intense, and that's for one or two reasons. They're either trying to ensure they have it right the first time, or they're just seeing what happens, what the response is. The responses from the west, and NATO in particular, have been negligible at this time and this has emboldened them to do more and more. Consequently, until some type of peacekeeping force is put into place, Ukraine is going to be in constant fear of there being a total invasion or an annexation again, as happened in Crimea.

4:25 p.m.

Liberal

Yves Robillard Liberal Marc-Aurèle-Fortin, QC

What do you make of the tactics being used by pro-Russian separatist groups against Ukrainian armed forces in the Donbas? How has Russia's support for separatist groups in the Donbas changed since the conflict began? What type of support has Russia provided?

4:25 p.m.

President, Globe Risk International Inc.

Alan W. Bell

Russia is providing assistance right across the board. A lot of the pro-Russian side is actually Russian special forces. The media call them the green men. They are all over the place. They have a huge special forces capability in Russia, and that is now filtering over the border at various times to assist, train, and actually operate on behalf of the separatists within the Ukraine. This is something that's very difficult for the Ukrainian governments, and in particular the Ukrainian military, to be able to deal with because of the simple fact that they don't know who these people are because they all speak the same language. If you take a uniform off of a special forces soldier, he can be anybody.

4:25 p.m.

Liberal

The Chair Liberal Stephen Fuhr

We're going to move to five-minute questions now.

The first five-minute question will go to Ms. Young.

4:25 p.m.

Liberal

Kate Young Liberal London West, ON

Thank you very much.

Thank you, gentlemen, for being here today.

I want to pick up a bit of the conversation with talking about Russia pushing the envelope and watching our response. I'm trying to get a sense of what the west needs to do or what we need to do to make sure they back off. What is it specifically? Working together is one thing, but what do we need to do to show them that they can't continue with these cyber-attacks?

4:30 p.m.

President, Globe Risk International Inc.

Alan W. Bell

We have to be committed. The country that's been attacked is Ukraine. We have to show commitment from the outside that we're willing to protect and go to the next level with Ukraine. If we don't, Russia will start looking at all the Baltic states, and then that becomes a bigger issue. All they're trying to do, from a Russian perspective, is to buy themselves some time, and in between that time is a country. They have to either have a foothold in that country or they have to annex that country.

That's what all the other countries are worried about. If you speak to anybody all through to the west of the Ukraine, they all think the same thing. All these countries have had their own meetings, and they've had collective meetings, and they are saying, “We're worried. What are we going to do?” Until NATO or the west or the U.S. decide on what they're going to do, they don't really know what to expect.

The problem they also have is that the leader of the free world, President Trump, has his eyes on other parts of the world and not particularly on Europe at this moment in time. They're worried about that. If there had been another president in the White House, maybe they wouldn't be as worried, but at the moment they are worried about what is going to transpire in the weeks and months ahead.

4:30 p.m.

Liberal

Kate Young Liberal London West, ON

Go ahead, Mr. Wright.