National Defence Committee on Jan. 30th, 2018

I'm not technically equipped to speak to our cryptographic engineering in great detail, but let me explain.

The concept of cryptography is a concept of exchanging keys. In other words, you need two halves of the key in order to open the compartment of the document, or the “crypt”. The ability for threat vectors to misrepresent the keys or break the keys is constantly evolving, so we have to build better keys, but we can't do that unilaterally or we wouldn't be able to speak to our allies. In working together, we establish the criteria for these evolved keys, and then we go across the global network—the fabric, if you will—and upgrade and update all the hardware and software that generate the keys. It's a very sensitive and complex environment, but it's one we're actually doing really well in, and I would say we're in good shape with respect to our compliancy among our nations.

I will open and then ask my colleague to follow up.

The relationship with CSE is not that complex, actually. They were a part of our department not so very long ago. When their act was originally created, they were mandated in their act to support other government security agencies with their capabilities, let's say. I can expand on their capabilities; that gets us into a different conversation. I can tell you that those capabilities would be very valuable to us in cyber. I don't think the government wants National Defence to create the equivalent capabilities inside of its institution, so we've been directed to work with CSE so that we come together as a team. We would deploy and operate in cyber as a team, because they have the capabilities.

However, when their act was created, National Defence was not named as an agency they could support, ironically. They were us, so there was no need to put defence in that legislation. I think some of the amendments happening in that bill will help remediate the legislative policy layer, if you will, to allow us to work together more actively. That's one part of your question. I really wanted to explain that we will move forward in cyber as a team as soon as we're able to.

To the other part of your question, as of the current day, in terms of day zero capabilities in cyber, we have limited cyber capabilities in the active cyberspace today that we could, without CSE, engage and use to support mission. I wouldn't want to give you the impression that we could provide extensive cyber capabilities that would be of concern to Canadians, but the ability for us to jam a radio, block a telephone, take an Internet site down, or block a service provider are things we are evolving quickly in order to support mission.

Under the defence act, we would be authorized to bring those equities to bear. We are working with our colleagues in CSE to make sure that what we do develop and work with inside the government construct is transparent to the government.

This is new territory. For the government to give us a mandate to move into active cyber operations—offensive cyber, as you described it—was not taken lightly, and we're not reacting lightly inside our organization.

We will brief and we will be held to account for the constructs we put in place to engage in any kind of active cyber operations.

As I said earlier, we cannot unilaterally engage in those kinds of activities in the way we can engage in any kind of military activity without the oversight and request of the government. There's ultimately a command and control structure that is connected to the administration of the government before we could actively get going in that kind of activity. I hope that answers your question.

Thank you, sir.

Mr. Chair, for that answer I will defer to my colleague, Commodore Feltham, since he is a military officer and an operator who has experience and can speak better to that question.

Thank you, Mr. Chair, for the opportunity to speak on this question.

As was mentioned earlier, the policy to conduct active cyber operations for the Canadian Armed Forces just came out in their recent defence policy. We're working with our international and government partners to develop this capability.

You asked the question, Mr. Chair, on how we ensure that the cyber operations active offensive as a component of active cyber adheres to the law of armed conflict. I can tell you that, just as in any military operation, kinetic or in cyberspace, we only conduct operations in the Canadian Armed Forces based on the government's mandate and in accordance with the law of armed conflict. This is what regulates us day in and day out, and there are no exceptions to that.

In terms of ongoing operations within the cyber realm, this is not my field, and I can't comment on that in any great detail, but I can assure you that from our perspective—and I've developed this capability with our partners—we stick to the mandates. We go on government missions and we operate within the law of armed conflict.

In our reporting structure, when we're employing the Canadian Armed Forces, it is through the chief of the defence staff. He does a report back to government on Canadian Forces operations. I would offer that it is better for his office to address exactly the semantics of how that feels and looks from a government perspective, but I can assure you that we report in to him. We'll leave it there.

Thank you for the question.

The threat vector vulnerabilities that we monitor change every day. Every day there are new vulnerabilities that are brought to bear, whether through industry or other governments, and those vulnerabilities are assessed.

A vulnerability is not a threat until it becomes exploited, so we are constantly reacting to what I would call “vulnerabilities”. With that, the same would exist for industry, for Canadians, and for NATO when those vulnerabilities come to our awareness. We work usually as a government, as a collection of government agencies, to bring the right get-well-plan and to shore up those vulnerabilities through patching and the evolution of technology to avoid the moment in time when a vulnerability becomes an exploit.

The way it works is that the good guys are out there trying to learn about vulnerabilities and protect themselves from the exploits. The bad guys are out there trying to figure out how to use a vulnerability to exploit, so it's a race. Our ability to stay in front of that comes back to our security posture and our compliancy with our own standards, whether within government or within National Defence. I would offer that NATO's agency responsible for their cyber would have the same perspective, as they're constantly reacting to the potential vulnerabilities that have come to our attention that we need to react to.

I hope it explains the environment a little bit to know that it's not a single event that happens. It's typically a series of vulnerabilities that have been exploited that you hear about in the news. Our ability to stay in front of those vulnerabilities and stay protected comes back to our ability to interoperate with our allies, to work closely with industry, even academia, as well as with our colleagues in the government. We're constantly reacting to new vulnerabilities.

I'd like to clarify the nature of the relationship between these two entities.

The Communications Security Establishment has a very different mandate from CSIS. We work with both agencies. What I described was a relationship with CSE specific to cyber and cyber-active operations. That doesn't negate that we work with both those agencies in many other areas of intelligence. In terms of the cyber role, the cyber mandate I described, the relationship was with CSE. We have a very strong interoperating relationship with CSIS as well, but for different reasons.

Some of the answer to that question will fall back into my own personal opinion, so I'll avoid that. However, I would offer to you in all sincerity today that I felt quite comfortable with the information I shared with you, in that a change in classification would not have significantly changed my testimony. I think you're getting a good perspective from today's interview. I hope you are.

Typically classification is more about timing than it is about the content of the information. We use classification to protect national interests—national security and national safety—and we do it because the information at any given time would be incredibly valuable or risky should it fall into the wrong hands. However, given time, that same information is no longer a threat and therefore should no longer be classified.

I think there's a tremendous amount of information available in an unclassified discussion about lessons learned and about our reaction to certain situations that will give you a very good perspective on how we operate day to day. When we start talking about active operations and about things we're going to do tomorrow, that level of classification is there for a reason. It is to protect equities that are important to Canadians, and that's where you may be running into a challenge.

In my realm, in today's discussion we didn't go there, so I'm hoping you're getting rich content that will help advise you in your decisions that are forthcoming.

I'm going to open by saying that I'm not entirely familiar with the details of PESCO, so I may not be able to offer you a full, comprehensive answer to that question. I'll ask Commodore Feltham if he has anything to add. We may have to get back to you regarding the impacts that PESCO will have on the cyber-equities of NATO. I just don't have that today.