Evidence of meeting #77 for National Defence in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Len Bastien  Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence
Richard Feltham  Director General, Cyberspace, Department of National Defence

9:05 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Thank you for the question.

The concept of cyber being borderless is an actuality. The biggest threats that we monitor and pay attention to come from the Internet, a network that we all interoperate in because we have to.

When we create interoperable environments with our allies, we take the same prudent approach by creating firewalls and gateways that can control the traffic such that we can monitor it and manage our equities. It's not an open network that is unfettered. To give you the impression that somehow we're interconnected with our allies without any protection would be wrong. We do a lot to manage our security inside the Department of National Defence.

9:05 a.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Canadian troops have been deployed in Latvia. The purpose of that deployment is to have a physical presence on the ground with regard to Russia. At the same time, we know that there are cyber-attack and cyber-defence operations.

Are there a lot of Canadian resources allocated to defence in Latvia?

9:05 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Mr. Chair, I agree with that statement. With our allies, we have invested significantly in that part of the world.

I believe you were asking about what risks or threats we are worried about. Let me explain how we operate inside National Defence.

Cyber, although relatively new, is an established environment of military operations, like land, air, and sea, and as is done for land, air, and sea, the institution of National Defence prepares capabilities inside the department. I'm mandated to help prepare the cyber equities for eventual use in deployed operations.

That said, it's actually the commander of Joint Operations Command who utilizes those capabilities to operate and control his mission. I can't comment on how he's using those capabilities. I can tell you, however, that I am accountable and responsible to prepare them, to generate them, and to get them ready for his use, and we do a lot to make sure that the men and women of the Canadian Armed Forces deploy with the best possible chance of success. Our cyber equities being deployed are the best we can possibly produce for them.

9:05 a.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

I don't know if you can answer this question, but I'd like to know if Canada is currently conducting offensive operations.

9:05 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Thank you for the question, Mr. Chair.

Let me tell you that cyber-defence operations have been a part of our reality for many years. We've been doing this for a long time, with no real concerns. It's an area of expertise that we've developed and enhanced over that time. Recently, in the announcement of our policy of “Strong, Secure, Engaged”, there is explicit direction from the government to make even further investments in cyber, in cyber-active operations. That will involve the opportunity for us to use offensive cyber capabilities to enhance our mission success.

I'm going to hand it over to Commodore Feltham, because he can provide some more tangible information around what that might look and feel like.

9:05 a.m.

Cmdre Richard Feltham

Thank you, Mr. Chair.

In terms of what Canada writ large is doing, I can't comment on it because I'm not there, but from a DND perspective, as Mr. Bastien mentioned, the recent policy has just given us the policy to do active cyber. That's to say that this is nascent. We are learning how to conduct this business. We are working with our partners within government and with our allies around the world in order to learn how to get into this business. I have not been involved in any offensive cyber operations to this date.

9:05 a.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Fine, thank you.

9:05 a.m.

Liberal

The Chair Liberal Stephen Fuhr

Mr. Garrison is next.

9:05 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Thank you very much, Mr. Chair, to you and to the witnesses for being here today.

I want to start with some questions on procurement. We have discussed many aspects of procurement in this committee, but I think there are two concerns that I would like to talk about here.

Have we put in place restrictions on who can bid on contracts in the area of information management, given our concerns about cybersecurity? I know that we've had previous concerns raised about bids that might be launched by state-owned companies from another jurisdiction, about those dangers, and also about the abilities of people to put Trojan horses, let's say, or other kinds of things into IT systems. Are there any restrictions currently in place? Are you planning restrictions on who can bid on information management systems, given the problems of cybersecurity?

9:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Thank you for the question, Mr. Chair.

The function of procurement within the government is centralized with another department, PSPC. Within our department, it is authoritatively controlled by another assistant deputy minister in charge of materiel. I can tell you from experience that we have used the national security exemption when we're dealing with sensitive national security issues or concerns when procuring IM/IT capabilities. On the integrity of our procurement or supply chain, I would have to defer that question to my colleagues, who are the experts and the authoritative voice in that area. I don't procure my own contracts. I need to use those authorities to do that.

9:10 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Surely you're consulted on the criteria that go into the contracts by those who are actually doing the procurement, so I guess I would go back to you again and ask you if you are inserting those concerns into the contract, because I think they will be a growing concern as we press forward.

9:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I can assure you that we do set the high-level requirements for the scope of the contract for the capabilities we're seeking. I can tell you that there is a significant effort to shore up our supply chain integrity within the government in general. I'm aware of that, but it is not under my control. Naturally, when setting my high-level requirements, I would obviously seek out the best and most secure capabilities needed to get what we want.

9:10 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

I guess my question, then, is more general. When you talk about high level, it sounds as though these are exceptional circumstances. My question goes to the more basic circumstances of allowing, through procurement, portals to be created that would allow access to our information.

9:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I can see why that language would have given you that impression. I can assure you that although I mentioned high-level requirements, it's not taken for granted that...

We're significantly aware and involved in making sure that the capabilities we are procuring are compliant. There are many checks in place, not only during the procurement process but also during the design and implementation, to make sure that the integrity of the capability we're procuring does not create a risk or a threat for national defence.

9:10 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

Thanks very much.

I want to ask a second question about procurement, which came about in kind of a strange way in my riding. I met with a constituent who is having trouble, as a small business owner, with intellectual property law in Canada and the ability of companies to retain ownership and control of, in this case, information technology.

I wonder if we're running into that problem when it comes to our efforts in cybersecurity. Certain of the large corporations try to retain control and ownership in ways that restrict the use of the technology once it's purchased.

9:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

I am aware of the situation you're describing. I have been asked as an authority and have been involved in allowing the intellectual property to be released for use by industry and in future bids. In fact, the MDA contract win with NATO is an example. They worked with my organization in the past and asked for permission to use the intellectual property that was created in their bid with NATO, and they actually won the business as a result.

I can tell you that I have experience with the positive outcome of that situation. For any other details in the area of procurement and intellectual property, I have to defer to my colleague ADM in materiel in National Defence, because that is his authoritative lane.

9:10 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

I appreciate the positive example there. We have had, in other areas of defence, examples of attempts to prohibit the use of certain technology. The most famous example is between Britain and France over missile technology. The French government attempted to use its national law to prohibit use of intellectual property, as Britain chose to do so.

Do we have any examples of that kind of thing happening at this point?

9:10 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Mr. Chair, my best answer to that is that I have no awareness of any examples in my domain that I could cite to ratify anything like that.

9:15 a.m.

NDP

Randall Garrison NDP Esquimalt—Saanich—Sooke, BC

At the beginning you talked about working with NATO and Five Eyes, but in all your discussion you talked about protocols with NATO.

Do we have similar protocols in existence for our Five Eyes partners, as we like to call them?

9:15 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

The invitation to the board today was focused on NATO. However, in our introductory remarks, we did open the dialogue to—and frankly, our new defence policy is explicit in—talking about how important our partners are. We consider NORAD, the U.S. bilaterally, the Five Eyes, and NATO to all be very valuable partnerships and alliances.

We have significant investments in the Five Eyes realm. We participate actively in several governing bodies that include intelligence and defence forums, which I participate in personally. We take these relationships seriously. We've benefited from and contributed significantly to meeting with our colleagues in these other nations. Doing so allows us the opportunity not only to establish interoperability by default, as with all of our guiding principles, but also to benefit from each other's investments in certain areas, including cyber.

It's a tremendous forum for us to take advantage of, and I can assure you we participate in several levels, both on the military and on the civilian side, to make sure we keep those relationships healthy.

9:15 a.m.

Liberal

The Chair Liberal Stephen Fuhr

Thank you.

Darren Fisher is next.

9:15 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you very much, Mr. Chair.

Thank you, gentlemen, for being here today. You've provided an awful lot of detail in your remarks. Thank you also for providing those ahead of time.

We know that Canadians are not immune to data breaches. We just saw that Bell was hacked. What is NATO doing to ensure that its infrastructure is safe from data breaches?

I think about the way the cyberworld is probably changing on a daily basis. I'm also interested in whether we are supple enough. Is NATO able to respond and react quickly to new cyber-threats?

9:15 a.m.

Defence Chief Information Officer and Assistant Deputy Minister, Information Management, Department of National Defence

Len Bastien

Mr. Chair, I would again restate the fact that in the established policy among NATO nations, it's the nation itself that is accountable for its own cyber concerns, which fall back to us to manage.

Your query into the cyber-health or well-being of NATO is outside my ability to answer, simply because it falls back to the fact that the mandate of cyber for NATO rests with the agency. We do participate in the supervisory board of that agency—the board of directors, essentially—where we ensure resources and policy are in place for them to succeed. Operationally, however, they're accountable to the North Atlantic Council, so it's very much NATO business. We couldn't possibly speculate as to the threat and risk of NATO cyber.

I could ask Rich to describe our awareness of how they are set up to handle incidents or how they are set up to react, but I'm not in a position to state the relative health of NATO cyber at this time.

9:15 a.m.

Cmdre Richard Feltham

Yes, Mr. Chair, thank you again.

I would reiterate a couple of points that Mr. Bastien raised earlier: the NATO pledge clearly specifies where the responsibility for cyber lies, and that is within each nation's own constructs.

In terms of working in coalitions, I described earlier the federated mission network, the deployed networks that adhere to some protocols that we've all agreed to, but I would comment on one point when we're talking about collaboration and moving forward to ensure that NATO nations can improve their individual cyber capabilities by working together. I referred in my opening remarks to an example of a smart defence project. All that means is that we're sharing data in the multinational cyber defence capability delivery program—

9:15 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

The MN CD2.