Evidence of meeting #77 for National Defence in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was policy.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Len Bastien  Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence
Richard Feltham  Director General, Cyberspace, Department of National Defence

9:50 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Again, thank you for the question, Mr. Chair.

Cryptography is the essence of our ability to communicate and share information in a secure way. To do that amongst allies requires cryptography architecture that is not only extensive and complex but that can also be responsive to our needs.

The Department of National Defence has invested a lot in the interoperability of cryptography among our allied nations. The evolution of cryptology is in response to the threat vector becoming more challenging, so the evolution of cryptography is very serious. It's mandated for us to stay compliant amongst the alliances, and it is a significant area of investment. It's laid out in our policy that we will not only maintain it but evolve it to compliancy level so we can continue to operate and interoperate with our allies and communicate securely.

9:50 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

That's all good, and it tells me what you want to accomplish, but how do you evolve it? What types of things can you do to improve it?

9:50 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I'm not technically equipped to speak to our cryptographic engineering in great detail, but let me explain.

The concept of cryptography is a concept of exchanging keys. In other words, you need two halves of the key in order to open the compartment of the document, or the “crypt”. The ability for threat vectors to misrepresent the keys or break the keys is constantly evolving, so we have to build better keys, but we can't do that unilaterally or we wouldn't be able to speak to our allies. In working together, we establish the criteria for these evolved keys, and then we go across the global network—the fabric, if you will—and upgrade and update all the hardware and software that generate the keys. It's a very sensitive and complex environment, but it's one we're actually doing really well in, and I would say we're in good shape with respect to our compliancy among our nations.

9:50 a.m.

Liberal

The Chair Liberal Stephen Fuhr

You're about out of time, Mr. Fisher.

I'm going to give the last formal question to Mr. Garrison, to make it fair for everyone.

9:50 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Thank you, Mr. Chair.

I want to take the conversation in a bit of a different direction here. I think we're running into a phenomenon here of cyberwarfare not really fitting under the normal protocols of war and the rules of warfare. It operates at the edges of those. International protocols prohibit targeting civilian targets, and those kinds of principles we're used to. I know that neither of you represents CSE, but the legislation that's before Parliament in Bill C-59 proposes to allow active use of cyber-attacks in sabotage. It's a concern for me that we, as Canadians, are stepping into an area of international conflict that's not well regulated internationally.

My question, I guess, would be directed largely to Mr. Feltham. What's your relationship with CSE in terms of their, I would say, requests for moving into active cyber-attacks?

The second part of the question is this: do you feel that you are already authorized in DND to use active cyber-attacks against both foreign states and individuals for CSE? Are you already authorized to do those things? What's your relationship with CSE on those aspects?

9:55 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I will open and then ask my colleague to follow up.

The relationship with CSE is not that complex, actually. They were a part of our department not so very long ago. When their act was originally created, they were mandated in their act to support other government security agencies with their capabilities, let's say. I can expand on their capabilities; that gets us into a different conversation. I can tell you that those capabilities would be very valuable to us in cyber. I don't think the government wants National Defence to create the equivalent capabilities inside of its institution, so we've been directed to work with CSE so that we come together as a team. We would deploy and operate in cyber as a team, because they have the capabilities.

However, when their act was created, National Defence was not named as an agency they could support, ironically. They were us, so there was no need to put defence in that legislation. I think some of the amendments happening in that bill will help remediate the legislative policy layer, if you will, to allow us to work together more actively. That's one part of your question. I really wanted to explain that we will move forward in cyber as a team as soon as we're able to.

To the other part of your question, as of the current day, in terms of day zero capabilities in cyber, we have limited cyber capabilities in the active cyberspace today that we could, without CSE, engage and use to support mission. I wouldn't want to give you the impression that we could provide extensive cyber capabilities that would be of concern to Canadians, but the ability for us to jam a radio, block a telephone, take an Internet site down, or block a service provider are things we are evolving quickly in order to support mission.

9:55 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Are you authorized to do that now?

9:55 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Under the defence act, we would be authorized to bring those equities to bear. We are working with our colleagues in CSE to make sure that what we do develop and work with inside the government construct is transparent to the government.

This is new territory. For the government to give us a mandate to move into active cyber operations—offensive cyber, as you described it—was not taken lightly, and we're not reacting lightly inside our organization.

We will brief and we will be held to account for the constructs we put in place to engage in any kind of active cyber operations.

As I said earlier, we cannot unilaterally engage in those kinds of activities in the way we can engage in any kind of military activity without the oversight and request of the government. There's ultimately a command and control structure that is connected to the administration of the government before we could actively get going in that kind of activity. I hope that answers your question.

9:55 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

If you feel you're already authorized, what are the constraints that you're operating under? How have constraints been established to make sure that any potential offensive cyber-organization would not come into conflict with international law and would adhere to some of those basic principles of distinguishing between military and civilian targets and those kinds of principles?

9:55 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Thank you, sir.

Mr. Chair, for that answer I will defer to my colleague, Commodore Feltham, since he is a military officer and an operator who has experience and can speak better to that question.

9:55 a.m.

Cmdre Richard Feltham

Thank you, Mr. Chair, for the opportunity to speak on this question.

As was mentioned earlier, the policy to conduct active cyber operations for the Canadian Armed Forces just came out in their recent defence policy. We're working with our international and government partners to develop this capability.

You asked the question, Mr. Chair, on how we ensure that the cyber operations active offensive as a component of active cyber adheres to the law of armed conflict. I can tell you that, just as in any military operation, kinetic or in cyberspace, we only conduct operations in the Canadian Armed Forces based on the government's mandate and in accordance with the law of armed conflict. This is what regulates us day in and day out, and there are no exceptions to that.

In terms of ongoing operations within the cyber realm, this is not my field, and I can't comment on that in any great detail, but I can assure you that from our perspective—and I've developed this capability with our partners—we stick to the mandates. We go on government missions and we operate within the law of armed conflict.

9:55 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Are there any special reporting mechanisms to government that have been put in place because of the nature of cyber operations being covert?

10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

In our reporting structure, when we're employing the Canadian Armed Forces, it is through the chief of the defence staff. He does a report back to government on Canadian Forces operations. I would offer that it is better for his office to address exactly the semantics of how that feels and looks from a government perspective, but I can assure you that we report in to him. We'll leave it there.

10 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Thank you, Mr. Chair.

10 a.m.

Liberal

The Chair Liberal Stephen Fuhr

Okay. That ends the formal questions. We still have time left, so I'm going to predictably go around the track one more time. It will be five minutes, so it will be Liberals, then back to Conservatives, and then back to Mr. Garrison.

I will need to leave a little bit of time at the end. There are a couple of motions that I need to deal with, but we'll dispatch those when we get there.

I am going to turn the floor over to Mr. Rioux. You have the floor for up to five minutes. Share your time if you'd like.

10 a.m.

Liberal

Jean Rioux Liberal Saint-Jean, QC

Thank you, Mr. Chair.

Mr. Bastien, I have a basic question for you. What are the major cyber-threats facing Canada? Are they in the main the same ones as other NATO countries are facing?

10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Thank you for the question.

The threat vector vulnerabilities that we monitor change every day. Every day there are new vulnerabilities that are brought to bear, whether through industry or other governments, and those vulnerabilities are assessed.

A vulnerability is not a threat until it becomes exploited, so we are constantly reacting to what I would call “vulnerabilities”. With that, the same would exist for industry, for Canadians, and for NATO when those vulnerabilities come to our awareness. We work usually as a government, as a collection of government agencies, to bring the right get-well-plan and to shore up those vulnerabilities through patching and the evolution of technology to avoid the moment in time when a vulnerability becomes an exploit.

The way it works is that the good guys are out there trying to learn about vulnerabilities and protect themselves from the exploits. The bad guys are out there trying to figure out how to use a vulnerability to exploit, so it's a race. Our ability to stay in front of that comes back to our security posture and our compliancy with our own standards, whether within government or within National Defence. I would offer that NATO's agency responsible for their cyber would have the same perspective, as they're constantly reacting to the potential vulnerabilities that have come to our attention that we need to react to.

I hope it explains the environment a little bit to know that it's not a single event that happens. It's typically a series of vulnerabilities that have been exploited that you hear about in the news. Our ability to stay in front of those vulnerabilities and stay protected comes back to our ability to interoperate with our allies, to work closely with industry, even academia, as well as with our colleagues in the government. We're constantly reacting to new vulnerabilities.

10 a.m.

Liberal

Jean Rioux Liberal Saint-Jean, QC

I'm going to follow up on Mr. Garrison's questions and talk about CSIS.

We know that the Department of National Defence and CSIS are two distinct entities. I believe I understood from your answer earlier that you do not have a mandate to work with CSIS and that the law does not require that you work together. Did I misunderstand you?

10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I'd like to clarify the nature of the relationship between these two entities.

The Communications Security Establishment has a very different mandate from CSIS. We work with both agencies. What I described was a relationship with CSE specific to cyber and cyber-active operations. That doesn't negate that we work with both those agencies in many other areas of intelligence. In terms of the cyber role, the cyber mandate I described, the relationship was with CSE. We have a very strong interoperating relationship with CSIS as well, but for different reasons.

10 a.m.

Liberal

The Chair Liberal Stephen Fuhr

We have some time left, so I'm going to hand it over to Mr. Spengemann.

You have the floor.

10 a.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thank you, Mr. Chair.

I have a general question that loops back to your exchange with my colleague Ms. Alleslev. You mentioned to her several tiers of information that were communicated under top secret and secret clearance. It's a policy decision whether this committee should have elevated levels of security clearance to get a full view of the material that's in front of it.

I'm wondering if you could tell the committee, from your perspective and specific to the area of cybersecurity and its rapidly evolving dynamics, what this committee would see if there were an elevated classification in security. In other words, how much more of a fine-grained conversation could we have?

I appreciate that this is a public meeting, but were we to be in a meeting that would allow an elevated security clearance for this body, how would our understanding improve?

10:05 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Some of the answer to that question will fall back into my own personal opinion, so I'll avoid that. However, I would offer to you in all sincerity today that I felt quite comfortable with the information I shared with you, in that a change in classification would not have significantly changed my testimony. I think you're getting a good perspective from today's interview. I hope you are.

Typically classification is more about timing than it is about the content of the information. We use classification to protect national interests—national security and national safety—and we do it because the information at any given time would be incredibly valuable or risky should it fall into the wrong hands. However, given time, that same information is no longer a threat and therefore should no longer be classified.

I think there's a tremendous amount of information available in an unclassified discussion about lessons learned and about our reaction to certain situations that will give you a very good perspective on how we operate day to day. When we start talking about active operations and about things we're going to do tomorrow, that level of classification is there for a reason. It is to protect equities that are important to Canadians, and that's where you may be running into a challenge.

In my realm, in today's discussion we didn't go there, so I'm hoping you're getting rich content that will help advise you in your decisions that are forthcoming.

10:05 a.m.

Liberal

The Chair Liberal Stephen Fuhr

Thank you.

Go ahead, Mr. Bezan.

10:05 a.m.

Conservative

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Thank you. I'm going to split my time with Mr. Paul-Hus.

In the opening testimony, we talked a little bit about smart defence within NATO and how you're doing that through cyber. The European Union recently stood up the permanent structured cooperation on security and defence, PESCO. How is that going to impact smart defence, especially in a cyber context? Does it make it stronger or better, or is it a competing factor?

10:05 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I'm going to open by saying that I'm not entirely familiar with the details of PESCO, so I may not be able to offer you a full, comprehensive answer to that question. I'll ask Commodore Feltham if he has anything to add. We may have to get back to you regarding the impacts that PESCO will have on the cyber-equities of NATO. I just don't have that today.