National Defence Committee on Jan. 30th, 2018

Thank you, Mr. Chair.

I am very pleased to be here with you this morning.

As assistant deputy minister for information management and defence chief information officer, I am responsible for ensuring that defence has a reliable, secure, and integrated defence information environment to support business and military operations. I am accountable to the deputy minister for administration and financial and human resources, and I am accountable to the chief of the defence staff for force development and readiness, including cyber.

The director general for cyber is embedded within my organization, and Commodore Feltham, who is with me today, will address you on this subject in more detail in a few minutes.

As you know, Canada's new defence policy represents a new vision: to be strong at home, secure in North America, and engaged in the world. As a G7 country and a founding member of NATO, Canada has a strong interest in global stability. To that end, we will pursue leadership roles and interoperability in our planning and capability development to ensure seamless co-operation with all our allies and partners, particularly NATO.

As DND's representative at the NATO consultation, command, and control board and the NATO agency supervisory board, I am here today to discuss Canada's involvement in NATO as it pertains to information management and information technology, IM/IT. I am supported by experts from across the Department of National Defence who participate in several multinational capability panels. Canada is a significant contributor to the programs that drive IM/IT policy and technical development activities overseen by the board.

Interoperability across the alliance depends in large measure on consistent application of, and compliance with, NATO IM/IT policies. There are three main compliance organizations.

The first is the North Atlantic Council, where Canada is represented by our ambassador to NATO. The council approves the consultation, command, and control policy compliance framework and mandates the NATO enterprise organizations to implement the policies and inform the council on waivers, policy changes, or new policy.

The second is NATO's consultation, command, and control board. It is the senior multinational policy body reporting to the North Atlantic Council and the defence planning committee on policy matters, including the interoperability of NATO networks and national systems. Its focus is on information sharing and interoperability, which includes cyber-defence, information assurance, joint intelligence, and surveillance and reconnaissance. Consultation, command, and control board strategy signals a commitment to deliver these capabilities and emphasizes the need for the modernization and interoperability of the force contributions of NATO nations and partners.

The third is the agency's supervisory board. It is the organizational governance body of the NATO communications and information agency and is responsive to the North Atlantic Council. The agency supervisory board ensures that the communications and information agency is set up to succeed by governing its resources and its performance. Canada has assumed the chairmanship of the board of this agency for the next two years.

The NATO communications and information agency was established in 2012 to provide NATO-wide IM/IT services, procurement, and support in areas such as command and control systems, tactical and strategic communications, and cyber-defence systems.

In April 2017, my group here in Ottawa hosted a three-day NATO industry conference where 750 experts from across NATO, nations, industry, and academia took a close-up look at NATO business opportunities and procurement specialists. It marked the first time this event was hosted in North America and it set records for its level of participation, all in an effort to give better exposure of Canadian-based industry to NATO business opportunities in our area.

In December 2017 the communications and information agency awarded the Canadian-based MDA, a business unit of Maxar Technologies, a $14.9-million contract to deliver NATO's project Triton, a maritime and control information systems project.

If I were to summarize Canada's focus in its role in IM/IT in NATO, I would prioritize information sharing and interoperability. Canada's new defence policy puts forward 111 initiatives, many of which detail positive steps to enhancing defence intelligence capabilities both at home and in the world. One of the initiatives, initiative 65, is our commitment to improve cryptographic capabilities, information operations capabilities, and cyber capabilities. We will focus on cybersecurity and situational awareness, cyber-threat identification and response, and the development of military-specific cyber and information operations.

At this time, I would like to turn over the floor for opening remarks to Commodore Richard Feltham, who will speak to cybersecurity and our contribution to NATO's cybersecurity efforts.

Good morning. Thank you for allowing me the opportunity to speak before this committee today. I am Commodore Richard Feltham, and I am the director general for cyberspace. In this role, I'm responsible for force development of military cyber capabilities that enable cyber operations, as well as strategic and operational command, control, communications, computing, and information.

Force development identifies the necessary changes to existing capability and articulates new capability requirements for the Canadian Armed Forces. For example, our current cyber force development efforts include scoping what requirements need to be fulfilled to successfully conduct cyber operations, designing the potential solutions to meet those requirements, and then helping to build and validate capability once a solution is chosen and implemented, respectively.

To date, Canada's international cyber-defence engagement has been focused on our Five Eyes partners and NATO's cyber-defence activities. The foundational work for a future concept of overall NATO cyber-defence is being developed by the allies now. As part of this, in 2016 the allies, including Canada, made a cyber-defence pledge to enhance their national cyber-defences as a matter of priority. The cyber-defence pledge reflects our international commitment, spelling out the priorities of developing strong individual cyber-defence through facilitating co-operation in the areas of education, training, exercises, and information exchange.

Further, we have taken an active role in numerous ongoing neighbour cyber-projects and policy bodies. While a final configuration of NATO cyber-defence has not yet been built, Canada has been taking an active role in its formulation to ensure not only its effectiveness but also our ability to contribute and function effectively in its eventual formation.

While the scale of Canada's commitment has not been large, we have selected areas of activity that fit well with our strengths and lead to mutual benefits both for NATO and for our own interests. In particular, one area of Canada's contribution is through the multinational cyber defence capability delivery, or MN CD2 for short. This is a smart defence project whereby allies have co-operated to develop, acquire, and maintain military capabilities to meet current security problems, in accordance with the NATO strategic concept.

Canada has been active since 2013 in contributing representatives and financial support. In addition to the value provided to NATO, our participation directly supports our own goals, furthering the direction and outputs we have pursued under the “Strong, Secure, Engaged” initiative 65, which was referred to earlier by Mr. Bastien.

Examples of mutually beneficial projects under this initiative include the cyber-information and cyber-incident coordination system and the malware information-sharing platform, which were developed for NATO cyber-defence. Both have proven valuable for Canada.

Other areas of Canada's contribution to NATO cyber-defence are through exercises in which Canada has engaged in NATO cyberwarfare exercises primarily as an observer. Thanks to our success in building our cyber-defence personnel, however, we'll be able to send participant teams this year.

In Exercise Locked Shields, for example, we will work with teams from two dozen nations to test our abilities to detect, defend against, and investigate cyber-attacks while exercising decision-making and command-and-control procedures. The Cyber Coalition exercise will see our team challenged not only with cyber-attacks through malware but also with social media and other hybrid challenges. This will test our operational and legal procedures, information exchange, and our work with industry and defence partners.

We have further combined cyber-defence experimentation with our targeting development, using the experience and facilities offered by the NATO cyber centre of excellence cyber range in Estonia. The upcoming NATO coalition warrior interoperability exercise, or CWIX for short, will directly benefit our command and control, as well as NATO interoperability.

Finally, Canada has been actively involved in the NATO cryptographic capability team and allied cryptographic task force since 2005. We have been able to provide leadership and expertise, as well as obtaining valuable insight that has guided our own cryptographic development efforts. We have been able to build communications and networks that address our own needs and are aligned with secure and reliable communication systems operated by our NATO allies in a cost- and time-effective way.

I will conclude by reiterating that Canada's defence policy outlines a new framework for how we will implement the vision of “strong at home, secure in North America, and engaged in the world”. We will continue to be a trusted partner to our allies as we work to develop our own cyber capabilities by anticipating, adapting, and acting.

Thank you for the question, Mr. Chair.

We do participate actively in NATO. Let me explain the constructs of how and where we participate.

You may have heard of the term “within the NATO construct”, and I'll define our contributions within that construct. There are also entities that contribute to NATO that are not within the NATO construct. For example, the NCI Agency I referred to is actually outside of the NATO construct. It was created in 2012 and was put outside the NATO construct deliberately so it could behave with a little bit more agility and more like an industry service provider. That came with hand-offs and exchanges around how our contribution gets calculated, because it is actually outside the NATO construct when it comes to looking at credits like flags to posts and our ability to work within the NATO construct.

Let me give you some numbers. Within the NATO construct, currently National Defence is contributing over 200 positions at a fill rate of about 96.6%. We are very active and very committed to filling our positions within the NATO construct.

Outside the NATO construct, our contributions are measured in approximately 120 to 130 positions that participate in activities in direct support of NATO operations or NATO support services, just by way of example.

Financially, the contributions are again spread across the different constructs of NATO. Let me see if I can give you some more detailed examples.

By way of example, in 2016 Canada's cost share of NATO was about 6.6% overall. In terms of funding for something like the agency, Canada was contributing about $20 million, and another $20 million was being contributed to the military budget. There were two contributions, in terms of the way you would add them up, but one would be inside the NATO construct and the other would be outside.

In terms of CIS support, which was part of the agency in 2018, the budget allocation was about $48 million. Canada's portion of that amount in 2018 is approximately $3 million. The agency needed, across the partner nations, about the first amount, and Canada's contribution is anticipated to be about $3.1 million, by way of example.

Thank you again for the question, Mr. Chair.

NATO compliance with policy, governed by the command and control NC3 board—one of the boards I described—is governed by the board itself. I think the best example of compliance would be the cyber pledge that my colleague referred to. It's a cyber pledge committed to by the partner nations, through which, basically, nations have signed up to commit to a certain level of cyber-hygiene that will allow us to interoperate together with the confidence we need to work and—

Richard, I'll defer to you.

Thank you, Mr. Chair.

To add some data to that point, here's a concrete example of how Canada is involved in NATO policy and structures.

The FMN, the federated mission network, is not necessarily within NATO but is supported by NATO in its overall structure. We deployed a network to Latvia recently that is consistent with those standards and protocols. I think Canada is leading in that respect by demonstrating the deployment of a deployable network in adherence to NATO standards. That's a good, positive example.

I cannot comment on the progress of other allies within that domain. My apologies.

No matter what operations we look at, whether military or non-military, the key to any successful operation is communication. More and more of our communication is done via network and data. If we can't interoperate with our allies, it gets harder and harder to communicate with and control our military forces. Our ability to operate with our allies, both within the Five Eyes community and the NATO community, is of the utmost importance to us. We've put a lot of emphasis and time into ensuring that we're able to do that. That's one of the primary goals of all of the working groups that Mr. Bastien referred to: ensuring interoperability. I cannot overstate the importance of that.

Yes. It's critical.

Thank you for your question.

If I understood correctly, you're interested in learning more about the kinds of attacks or cyber-threats that we manage, whether nationally or within our alliance with NATO.

I understand your question.

Let me start by explaining some of the conditions that are set out in the cyber pledge. One of the things that has been established is that nations are responsible for their own cyber, respectively. When a coalition comes together under the authority of NATO, its cyber is delivered by the agency. Therefore, I really can't speak to the integrity or vulnerabilities that may exist inside that cyber-environment.

I can speak to our National Defence cyber-environment. To that end, I can assure you that we take that very seriously and that we monitor and manage our networks with the utmost integrity when it comes to cyber-threats.