Evidence of meeting #77 for National Defence in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Len Bastien  Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence
Richard Feltham  Director General, Cyberspace, Department of National Defence

10:05 a.m.

Cmdre Richard Feltham

I'm actually in exactly the same space, unfortunately, in terms of the impact of that. In a broad context, when we have more people discussing and sharing information on the cyber-threat, it's usually better. If there are shared equities that get pulled from one to the other, that might be a complication, but I'm not aware of any to this day, Mr. Chair.

10:05 a.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Thank you.

10:05 a.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

I find today's discussion very enlightening, but also somewhat worrisome. Regarding defence and cyber-security, your role is to protect Canadian Forces and the defence infrastructure. Insofar as operations are concerned, that involves the CSE.

My question concerns NATO. Some of our troops are currently deployed; the Canadian Forces protect us. If we decided to attack Kaliningrad, for instance, and to shut down its power station, who would lead that attack? The Canadian Forces or CSE?

10:05 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Thank you for the question.

I will answer in English simply because this industry is really a lot easier to describe.

Let me just be clear. Any military operations are governed by the Canadian Armed Forces. Bringing CSE into an operational environment is under the authority of the Canadian Armed Forces. Their ability to bring their capabilities to bear for us right now is somewhat inhibited by legislation, because we're not defined as an agency they're allowed to use and operate with. We're looking to fix that with some of these legislative changes.

The scenario you described would be a military-led, integrated team approach using our equities and CSE's equities in concert. That would be in the future, once the legislative—

10:10 a.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

After this meeting, I am going to go to a meeting of the Standing Committee on Public Safety and National Security where we will discuss Bill C-59. We'll be meeting with the CSE Commissioner, as it happens.

That bill involves transferring CSE national defence-related powers to the Minister of Public Safety and Emergency Preparedness. The bill also contains provisions that will require the authorization of the Minister of Foreign Affairs to conduct an operation.

How do you see that?

10:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

The impact of the proposed CSE Act is more relevant in its broad terms to their operations than to ours. We have dependencies on them to move into cyber operations and be able to work with them in a more integrated fashion than we can today in operations.

I want to leave you the perspective that we've done the work, we've done the exercises, and we've done simulated operations with them. We've been heavily integrated and invested with that agency to work together in cyber operations going forward, but that will be defined by the government, and I can't speak to the other areas of that.

10:10 a.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Do similar concepts exist in most NATO countries? In other words, does their defence include cyber-security elements in addition to emergency preparedness elements? Do they all work together in an integrated fashion?

10:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

As I said, we have terrific relationships with our allies. I can tell you that those I work with regularly don't all share the same construct of governance, of design of our governance, when it comes to where cyber capabilities rest inside of government. I can tell you how Canada is engaging, and I'm hoping to do that, but I can't speak—

10:10 a.m.

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

As compared to the models in other countries, is Canada's model effective? Are there better models in the United Kingdom or the United States, for instance?

10:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

The concept of whether we're good, better, or best among our allies is an opinion. It is what we have established in Canada. For us, our abilities and our current design and portfolios are deemed to be very effective in cyber-defence. It has worked very well in signals intelligence and in other areas and capabilities we've brought to bear for the Canadian Armed Forces. It's the construct we've chosen to propose to government that we will move out on cyber operations.

Commodore Feltham may have a better perspective globally of other militaries. Simply put, he has been deployed and is an operator, versus a civilian member of the defence team. I don't have that perspective.

Do you have anything, Commodore Feltham?

10:10 a.m.

The Chair Liberal Stephen Fuhr

I'm going to have to leave it there. You might be able to circle back, but I'm going to have to give the floor to Mr. Garrison.

The floor is yours.

10:10 a.m.

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Thanks very much, Mr. Chair.

I really appreciate the testimony we've had on cyber defence today, and I am reassured that we're doing our best in cyber-defence, but your testimony today identified that the legislation in Bill C-59 is really going to bring CSE in line with the authority to do active cyber that DND already sees itself as having.

In the legislation, section 31 says essentially that active cyber, after being authorized, can be carried out despite any act of Parliament or any act of a foreign state. This is a very broad grant of authority.

I'm wondering whether you consider that DND is already authorized to conduct active cyber-activities without regard to any act of Parliament or the act of any other state.

10:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Let me clarify the perception of our relationship with the Canadian Communications Security Establishment that I would like to leave you with.

We have abilities in technology that we have needed to operate in the past. They are of great value to us, but somewhat limited. Before we would invest to grow that arsenal, if you will, of cyber ordnance, we recognize that a lot of that capability exists inside CSE. Getting access to it and giving them the legislative mandate to come to our side and use those capabilities as part of the military construct is the gap. That's the incremental difference that we're looking for, and it's a very small part of that bill.

As for what the rest of the bill addresses and the changes, they are very relevant to the Canadian Communications Security Establishment and, I would offer, are not in my jurisdiction to comment on.

Rich, is there any part of that question you would like to...?

10:15 a.m.

Cmdre Richard Feltham

Yes. Mr. Chair, I would just add one point.

Like many other government partners, we will work with the Communications Security Establishment to increase the capabilities of the Canadian Armed Forces, but I want to be perfectly clear. Any military operation that the Canadian Armed Forces engages in, whether in traditional military structures of naval, air forces, army, or in cyber, are government-mandated military operations conducted in accord with the law of armed conflict and the rules of engagement specifically authorized by the chief of the defence staff through the Government of Canada.

The answer to your question is that we would not operate cyber any differently from any other kinetic military structures outside of the government mandate. What CSE would do within their mandate is beyond my scope to comment on, sir.

10:15 a.m.

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

It seems to me that some of the common practices that are referred to as “active” cyber operations are modern-day equivalents of things such as wearing the enemy's uniform, the kinds of things that we've tried to prohibit specifically in international conventions. I know that misuse of uniforms was prohibited in The Hague convention of 1907.

Within our NATO partnerships, have there been any activities you're aware of—and I know that it's not necessarily in your mandate—to try to draw some very specific lines around what would be acceptable in the use of active cyber operations?

10:15 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Let me open, and then I will ask Commodore Feltham to comment on potential policy gaps internationally in cyber engagement or the rules of engagement, if you will, for cyber.

I can tell you that in my experience we've realized the reality that every nation has a different set of legislative and policy constructs for their respective militaries to engage in cyber activities. Some nations fully endorse offensive cyber, while others are completely prohibitive. There's a real variation as you wander around the globe and look at different constructs. I think Canada is looking at its options. Our policy of “Strong, Secure, Engaged” has proposed a scope for cyber—an arc of fire, if you will—that is reasonable, and we've been given explicit direction to implement that.

Commodore Feltham, if there are any activities within NATO or other fora with regard to establishing policy around rules of engagement for cyber, I'd ask you to explain.

10:15 a.m.

Cmdre Richard Feltham

If I have time, Mr. Chair, I'll continue.

10:15 a.m.

The Chair Liberal Stephen Fuhr

Yes, very briefly.

10:15 a.m.

Cmdre Richard Feltham

Just to clarify one term, Mr. Chair, “active cyber” is a mixture of what we would consider active defence and what we would consider offence. It's the difference between standing on your castle wall waiting till the guys are coming in through your wall and then attacking them or seeing the guys come to your wall and attacking them there. That's active defence. The other is going to the other person's place to actively attack.

What's the intent? If my intent is to defend myself, I can still be active, but it's to defend my own equities. If my intent is to attack another person's networks, that's offensive. “Active” is a component of both. The NATO community and the broader communities at large are working to understand where those lines lie. If you read the output from the Tallinn Manual, for example, you'll see that there are ongoing efforts from the legal community and military forces within our alliance to understand that better.

Are there agreed-upon rules across all of the alliance and all allied nations? I don't think there are, but it's a growing and emerging conversation that is very rich.

10:15 a.m.

The Chair Liberal Stephen Fuhr

Thank you.

I know that one person wants to have a couple of minutes to ask a question, but given the time I have left and a couple of housekeeping items that I have to take care of, I can't really go there unless everybody else agrees. I don't have time to give a couple of minutes to everybody.

Did you have anything else, Mr. Garrison, that you wanted to add?

Mr. Bezan? No?

I'd like to give Ms. Alleslev just a couple of minutes to finish off, and then we'll move to our motions.

Go ahead, Ms. Alleslev, for a couple of minutes.

10:15 a.m.

Leona Alleslev Liberal Aurora—Oak Ridges—Richmond Hill, ON

Thank you very much, team, and Mr. Chair.

I wanted to close out on the conversation around whether you felt comfortable having an unclassified conversation. There are many of us around this table who've had and have security clearances and therefore did not ask questions that we knew you wouldn't be able to answer. You commented that you're comfortable with the answers you gave; I think the level of conversation was therefore based on the questions we asked and that there perhaps are more classified levels of conversation that we have obviously not had today.

It's particularly in this space that we look at the overlap between our health and well-being domestically, in terms of both civilian and military infrastructures, and then that of our allies, in terms of what information we communicate between those two. I wonder if you could comment on that.

10:20 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I wouldn't want to have misrepresented the fact that in a classified environment with the right situation, with all the conditions met, a classified conversation in certain key areas would not be a richer dialogue between committee and us as witnesses. What I would simply offer is that in the line of questioning we received today, there were great questions that allowed me to talk about our business and to talk about our situation in the world and our relationships with our partners without compromising national security or safety.

10:20 a.m.

Leona Alleslev Liberal Aurora—Oak Ridges—Richmond Hill, ON

Thank you.

10:20 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

You're right. Should the questions—

10:20 a.m.

Leona Alleslev Liberal Aurora—Oak Ridges—Richmond Hill, ON

Thank you. We didn't ask the questions that would have put you in a position of not being able to answer.