National Defence Committee on Jan. 30th, 2018

We do provide updates to our allies in those meetings in that forum as a national update. At the beginning of every one of those meetings, nations are asked to speak to the goings-on of their government or nation's capital or broader perspective that would be relevant to the mandate or—

Let me clarify your scenario. I believe I said that at the request of the government, National Defence equities can be brought to bear in any of the environments, including cyber, to address a national concern or interest or national security. I didn't say there was policy or legislation to prohibit us from doing that; I said we wouldn't unilaterally make that decision. It would be a decision taken by the government and administered through the Canadian Armed Forces.

Rich, would you like to elaborate?

I think it's important to know what our mandate is and what the government wants National Defence and the Canadian Armed Forces to do. Right now, as it stands, our mandate is to protect the Canadian Armed Forces networks and provide support when we're asked.

Coming back to an earlier point, Mr. Chair, in terms of domestic infrastructure, do we report to NATO on the status of our critical cyber and domestic infrastructure? I'm not aware that's what the Department of National Defence and the Canadian Armed Forces do. Unless we're given a mandate to support civilian infrastructure, that is not within our current mandate.

Those are excellent examples.

At this stage of our cyber interoperability evolution, as Rich mentioned earlier, to our awareness there is no hot wash, so to speak, among the nations, among the allies, that would provide those lessons learned in the current construct.

We do share at the most senior levels, in the most classified environments around intelligence—top secret, for example—more open and easier communication. It's simply a smaller environment to have to manage. The broad environments of the nations of NATO and their cyber-exploits that occur, frankly, regularly, we do not necessarily manage or monitor.

We are participating in that centre of excellence. It is relatively new in its evolution. It will grow and evolve quickly. I'm sure we will get more value as time goes on.

We do learn from the exploits around the world. Globally, if a vulnerability gets exploited, the entire community reacts by addressing the vulnerability, learning from it, and patching for it. We're not complacent when these events occur. We're very aware. It may not necessarily even be through our alliances with NATO or Five Eyes that we find our way to a return to service or a state of compliance by reacting to those exploits. It's done through the normal operation and maintenance of our cyber environment.

It's a very good question.

The impact of an event is a case-by-case issue. It's measured as it would be in any other environment.

To try to answer your question, I would offer that a cyber-event would now be considered or looked at like any other kind of kinetic event from a military perspective, and it could qualify for article 5 if the impact to the nation was deemed sufficient to invoke that policy. It's really not for me to comment what it would take to get there.

I don't disagree with you that it's the industries of our nations that are vulnerable to these kinds of attacks. I just want to clarify our mandate for you here today, which is that we engage to help and provide service to Canadians through the national defence institution, so that you have a good understanding of what to expect from us should something like that happen.

Thank you for the question, Mr. Chair.

I didn't bring the details of that contract exchange with NATO with me today. It was meant to be an example of the value of return on our investment in exposing Canadian industry to the agency at NATO that spends upwards of 450 million euros a year. A lot of the work and contracting was not getting to North America. It was staying in Europe, and we were motivated to see Canadian industry have a better share in that market. It was meant to give you an example of the success, if you will, of our investment in working with the agency. If you like, we can return to you more details of the scope of what that contract will mean to MDA, but we'll have to bring that in later. I didn't bring it with me today.

Thank you, sir, Mr. Chair.

As I have stated, the details of that contract.... That contract was not with National Defence but with the agency at NATO. My awareness of that is limited to the extent I've shared with you today, namely of its success for Canadian industry and its value. Should they be available, we will gladly provide you with details of the scope and requirements of that contract. I didn't bring them with me today.