National Defence Committee on Jan. 30th, 2018

Thank you for the question, Mr. Chair. I'll start and then I'll ask my colleague, given his experience in the navy, to comment on what that might look and feel like.

As I said earlier, we prepare the cyber capabilities that deploy with our navy, army, and air force. That's our mandate. We make sure that they have the best possible chance of success by making sure they have the best technology we can afford and provide to them. However, once deployed, once they have left the shores of Canada, they come under the operational control of joint operational command.

Rich can maybe explain the look and feel of what it's like to be on board a ship and what kind of force protection would be in place, and perhaps comment on the cyber-readiness that we would deploy with.

Thank you, Mr. Chair.

Just to be a bit more specific, and coming back one step, whenever we send our troops into operational missions, there is a full analysis done on threat. That's been done forever, and the new threats emerging in the last 20 years have been the cyber threats.

Part of the mandate when the chief of the defence staff deploys people on a mission is that the joint operational command ensures that those deploying troops are prepared for whatever threat they may face. Cyber is one of those threats, so it's an education process, among others, that is based on that threat analysis.

Coming back to a ship deploying in a broader context, we come back to Mr. Bastien's earlier points that ships, like many other units, communicate as a necessity through networks, so we develop secure protocols and networks to communicate among the ships that are working together.

There is a twofold answer, then, to your question: from a personal security perspective, we prepare our deploying troops, whatever the threat analysis is, and from a capability perspective, the networks are designed to be secure so they can communicate and share intelligence among the units in any given group.

What I can talk about is what we're doing. From a policy perspective, Canada has a full-time cyber officer within NATO headquarters to help inform NATO policies. That's what we're doing. As Mr. Bastien talked about earlier, in multiple governance groups, we are participating in these smart defence projects. I would say that the contribution is not small, so maybe I misspoke earlier. I would like to clarify that a little bit. In the MN CD2 construct, for example, since about 2013, we've contributed over 900,000 euros to that common defence effort. I would not say that's small. It's a sizable contribution, not only in treasury terms but also in intellectual capacity, as we send individuals from Canada, qualified experts in a domain, to participate in a multinational forum to help everybody come to a better option for all of us together. I might have misspoken that maybe our footprint was small.

I will come back to one other point if I have time. One of the constraints in any cyber operations field, whether in government or industry or whatever you have, is HR. We are searching for qualified people to come to work for us. Where we put people, we do it very judiciously, person by person, and we choose venues where we can have the greatest impact for the greatest common good.

That's a fascinating example that we all read about recently and that the U.S. is reacting to.

I would come back to our current defence security posture inside our institution. We have distinct and explicit policy around any electronic or digital devices in certain areas where we operate our business. For example, there are rooms and floors in our buildings where no digital devices are allowed, including the athletic monitoring devices you referred to. We provide lockboxes for them to be checked in, and they can be picked up after the activity. We are enforcing compliance with those policies every day. We operate with that limited tolerance when it comes to taking any kind of risk in that area.

I really can't speak to other nations or NATO on how compliant they are toward similar policies, but I can tell you we take that very seriously inside National Defence and our institutions. I would offer to you that the commander of Joint Operations Command, or CJOC, would give you the same answer about deployed environments.

This is a very exciting time. The announcement of our policy and the explicit direction to us to get on with investing in cyber operations is a direction that we take very seriously. An environmental scan of the current landscape would tell you that we're not the only ones investing in cyber. In fact, the entire federal government, and industry as well—indeed, the entire community—is looking to invest in and recruit and retain the subject matter experts in this area. The Canadian Forces has been directed to stand up a cyber force. I'll ask Commodore Feltham to explain what that's going to look like and exactly where we are today and where we've come in just a few short months since the policy was announced.

We are becoming very creative in our HR strategies when it comes to recruiting and retaining cyber expertise. We are looking to partner with academia. We are looking to work with industry. We are looking to share amongst ourselves and our allies in NATO and Five Eyes fora to find solutions to this challenge, because we all share the same objective, which is to find the right amount of capability to operate safely in cyber.

To that end, I think the story of what the Canadian Forces is doing is very important, because our mandate explicitly to defend National Defence, especially in cyber, will fall to that regime. I'll ask Rich to explain that.

I would like to come back to Mr. Bastien's earlier point, from a Canadian Armed Forces perspective, about what we are doing for a cyber workforce way ahead. The policy was very clear that we shall stand up a cyber operator trade. As Mr. Bastien also mentioned, it's very exciting. The trade was stood up this summer, and we have our first members of that trade. The follow-on efforts will try to bring the reserve forces into that trade. They have also stood up a trade in the reserves to make sure that we get all the talent we can within that domain. That's moving ahead.

The next challenge is always going to be where we get the people and how we keep them. How do we attract, recruit, and retain them into that domain? That's an ongoing challenge that we're putting a great deal of energy into. To be quite frank, we are using different levels of thinking outside our standard ways of recruiting within the Canadian Armed Forces, because this is really a specialized group that we're paying close attention to.

I will come back to your specific question. As the available talent pool is so small, when contractors work for us, they are security-cleared and vetted to the appropriate level to do the work that we need done by them. From a security perspective, I'm not concerned about that. I need manpower who are qualified and willing to work within that domain. Contractors are a source, as are reserves and the regular force. I'm working with academia and industry on the broader concepts.

That is an accurate statement that IM/IT at National Defence is delivered through service providers that are in a federated governance construct. Let me explain what that is essentially.

As the chief information officer, I'm the functional authority for all IM/IT in the department. I don't necessarily have to own it to authoritatively control it. The army, navy, air force, and chief military personnel provide IT services on wings, bases, and garrisons across the country. They do so, however, under a policy construct that my group authoritatively controls.

Although we're not centrally owned, we are centrally operated, so to speak. We are centrally governed and regionally delivered. We do a lot of centralized governance in order to make sure that our investments are prudent and of value to Canadians.

The concept of cyber introduces a reality that we all have to work in collaboration. My stakeholders, my partners, and service delivery across the department have been directed by the chief of the defence staff to line up behind Commodore Feltham and his team to make sure we provide the cyber service delivery and service assurance needed to run the business of defence. The reality is that our operations in defence are very good as is. At this time, there is no direction for me to centralize or take ownership of all IM/IT equities inside the department. In fact, we're finding that strong governance and authoritative control are providing the outcomes and outputs that we need.

Let me explain our technical environment in terms that are a little bit more simple than the engineering terms that my team might try to get me to use.

Essentially, as Commodore Feltham says, we want to communicate with our allies. It's an essential part of working in coalition. Whether we're communicating at a top secret level, a secret level, or designated protected B level, our networks are set up in a way that they can interoperate. However, as I said earlier, gates and firewalls are left in place to segment, in the case of an incident, the different allies from those networks. Although we haven't had any major incidents of the kind you describe, the ability for us to protect our equities nationally is always built into the design and engineering of those networks.

We meet often as allies, as Five Eyes, or as NATO to discuss that interoperability and that engineering and that design function to that end.

Again, Mr. Chair, thank you for that question.

As was said earlier, the cyber environment is without borders. It's not quite as easy to put your hands around a terrestrial or geographical distinction of where the lines are. What you described is a concern for the government, I would offer. At National Defence, we are part of “cyber Team Canada”, if you will, and we are but one member. The Team Canada approach to cyber is led by Public Safety. Although we participate on committee with them to build a better cyber policy for the government and for Canadians, the answers you're looking for would be better brought forward by the lead department for the cyber hygiene of Canada.

I can tell you that there is a cyber policy being worked on. We are a member of the committee that is trying to get the cyber policy forward, so I have an awareness, but I'm not an authoritative voice on the objectives and outcomes of that policy.

I need to address several areas of your statement just to hopefully provide some clarity and some context for what I will ask Rich to deal with, which is the concept of measuring our strength and reporting it into the alliance as one forum that we work with.

When you look at the Government of Canada and our IM/IT fabric and you look at the cyber for that, you see that National Defence has a mandate in the National Defence Act that clearly states we are to defend Defence, and we can do that with our abilities and current constructs.

When it comes to deployed operations, we take direction from the government. The government has to ask us whether it's land, sea, air, or cyber or space. We react to a request from the government, whether it's domestic or abroad, and that becomes a mission. It becomes an operation, and it's guided by, as I said earlier, the commander of Joint Operations Command. I would offer that the mandate to protect the government and the equities of the government's data is actually a mandate that is provided to the Canadian Communications Security Establishment, and they work closely with Shared Services Canada to do that. They help us manage the parts of our network that are involved in the government back office, so to speak, with Shared Services, but we are still authoritatively in control of defending Defence.

I just wanted you to understand that National Defence really doesn't have a mandate to protect the government or defend the government unless the government asks us to, and they have. In issues like the National Research Council or other exploits that the government had been managing, at times National Defence was asked to come in as a domestic operation and provide services to the government in that area. I just wanted to explain the command and control—