Evidence of meeting #48 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cse.
A recording is available from Parliament.
4:30 p.m.
Conservative
The Vice-Chair Conservative James Bezan
Thank you. Your time has expired.
I'll just say that when you appear in person the screen never freezes up. Cyber-hacks can't get at you.
The final questions go to Mr. May.
4:35 p.m.
Liberal
Bryan May Liberal Cambridge, ON
Thank you kindly, Chair. Your point is taken, as we had trouble hearing me today.
First of all, I want to thank the panellists for being here with us today and getting us off on the right foot on this study. My questions are going to be around Russia and Ukraine.
With the beginning of Russia's invasion of Ukraine, particularly as we're seeing significant material support from Canada, and, of course, many NATO allies, we've heard warnings that Russia may retaliate against NATO with cyber-like attacks. In your opinion, has that threat materialized in any way?
4:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Thank you for the question.
The threat has not materialized in a direct way, but the threat has materialized through some spillover effects.
In the case that my colleague Alia brought up, Russia went after satellite communication against Viasat. As a result, for some western entities that were also users of that service, their communication got disrupted. Russia's intention was to disrupt Ukrainian communication, but the spillover effect was bigger than Ukraine. We've seen those kinds of threats materialize.
We've also seen those state-aligned hacktivist groups that have aligned themselves with Russia going after western governments, most notably through DDoS attacks in Germany and other places as a way of registering a message.
4:35 p.m.
Liberal
Bryan May Liberal Cambridge, ON
For some reason, my little fob here isn't working very well. Can you hear me now, sir?
4:35 p.m.
Liberal
Bryan May Liberal Cambridge, ON
Thank you.
Given that, can you spend a moment to share with this committee the strategies or how Russia uses cyberwarfare against Canada? Has that changed over the last year?
4:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Thank you for the question.
We've seen, as I mentioned, that Russia is a formidable cyber-player. We've seen the extent of its capabilities in Europe, or at least in Ukraine, with the deployment of cyber-capabilities that are destructive in nature. We've seen it use them against Ukraine by shutting down the power grid over there twice.
We are very concerned about that, and that's why we work with critical infrastructure providers in Canada to make sure they are taking every precaution or every measure to protect themselves and their networks from those kinds of cyber-threats. Everything we learn, everything we see in Ukraine and everything we learn from what Russia is doing around the world we try to promulgate through cyber-flashes and other information bulletins to Canadian businesses.
4:35 p.m.
Liberal
Bryan May Liberal Cambridge, ON
In that regard, how does CSE assist the work of the Canadian Armed Forces, particularly in the areas of intelligence-gathering and counter-intelligence?
4:35 p.m.
Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment
I can take that one.
We work extremely closely with the Canadian Armed Forces in terms of intelligence provision. We share with them all intelligence that we collect, whether it relates to threats to their armed forces' deployments abroad or internal threats to Canada that would affect the Department of National Defence, as we have a very close working relationship there.
In terms of other forms of co-operation, I spoke about foreign cyber-operations and how we work very closely with them on that mandate.
I would add that, under our act, we also have an assistance mandate. It is explicit that we can provide assistance to the Canadian Armed Forces and in so doing, we'll be operating under their mandate. However, we can use our technical skills, abilities and capabilities to assist them in their operations if they were to make such a request.
Thank you.
4:35 p.m.
Conservative
The Vice-Chair Conservative James Bezan
Thank you, Mr. May.
To follow up on that and exercise a bit of my prerogative as chair, when you are assisting the Canadian Armed Forces in their activities, as well as what CSE is doing under its new mandate since 2019, does that include both defensive and offensive postures?
4:40 p.m.
Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment
The nuance with the request for assistance part of the mandate is that we would act under the Canadian Armed Forces' mandate and authority, so it would be to the extent that they have the authority to do something. Whether it be active or defensive in nature, we could assist them insofar as their authorities permit.
4:40 p.m.
Conservative
The Vice-Chair Conservative James Bezan
I'll also drill down a bit more into protecting Canadian infrastructure.
How much do you work with our public sector as well as private sector partners, like financial institutions, transportation hubs, health care systems and things along that line that would definitely be considered soft targets by our adversaries?
4:40 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Thank you for the question.
We work extensively with the private sector and the public sector. We have a number of engagement fora through which we are briefing them regularly. For example, with the health care sector, we have a forum with them every two weeks to brief them on the latest threats. There are often over 500 people on a call.
We have more intimate collaboration, for example, with the banks, the electricity sector or the natural gas providers. We tailor our engagements to communities that share similar infrastructure, similar technologies or similar capabilities, but we are talking to almost all 10 critical infrastructure centres in Canada.
4:40 p.m.
Conservative
The Vice-Chair Conservative James Bezan
Thank you very much.
I want to thank both Mr. Khoury and Ms. Tayyeb for joining us today. That was very interesting, and it was a great way to kick off our study on cybersecurity.
With that, we're going to suspend.
I would ask that the next round of witnesses please come to the table and log in online, so that we can continue in an expeditious manner.
4:40 p.m.
Conservative
The Vice-Chair Conservative James Bezan
I call the meeting back to order. Here we go.
For our second hour, we have the Centre for International Governance Innovation. Joining us is Aaron Shull, managing director and general counsel, who is joining by video conference; and Dr. Wesley Wark, who is a senior fellow and is sitting with us at the table, which we really do appreciate.
Each of you has five minutes for your opening remarks. I have Mr. Shull going first.
February 7th, 2023 / 4:45 p.m.
Aaron Shull Managing Director and General Counsel, Centre for International Governance Innovation
Thank you very much, Chair.
Thank you very much to the committee for having me. I'm honoured to appear before you today to discuss the critical issue of cybersecurity and the capabilities of foreign actors.
To effectively address the issue, I believe the government should take a multipronged approach. Now, I understand the urgency of the issue, so rather than discuss the current state of cybersecurity—we already heard from the previous two witnesses about the various threats we face as a country—let me begin at the end and offer a few thoughts about what I think you can actually do about it.
I've had the benefit of reviewing the comments of my colleague, Wesley Wark, so I will focus on a different set of prescriptions, although I will say that I agree with what he's going to offer.
First, I think the government should incentivize companies to adopt the latest security measures, such as the “CyberSecure” standard established by ISED and CSE for small and medium organizations. The standard provides a high level of protection, but its adoption—this is the problem—has been limited.
Implementing a tax credit system as an incentive to help increase the overall level of cybersecurity in the country and reduce the risk of cyber-attacks on businesses would be a way forward. These attacks result in significant financial loss, damage to reputation and disruption of operations. If we were to advance this, we could attract investment and increase productivity and profitability. The standards are already there, but too few companies are doing them. There's that old saying that you cannot herd cats but you can pick where you put the food out, so incentivize those businesses through a tax credit.
Second, the government should establish a clear and concise legal framework for dealing with cyber-attacks that includes guidelines for attribution, response and liability, but the governance structure should be nimble and responsive to the fast-changing environment. The regulations should be expert-driven, focusing on sound policy and not good politics. The Governor in Council should be able to approve standards, codes of practice and certification programs to act as an integrated compliance mechanism.
Third, the government should establish an annual multistakeholder platform for collaboration and engagement on cybersecurity issues. This platform should include participants from all levels of government, private sector, indigenous communities, academia, not-for-profits, law enforcement and industry leaders. In my view, cybersecurity is a whole-of-society concern for Canada. Everyone, including think tanks, needs to do more to address this issue.
As a consequence, my organization, CIGI, plans to host the first Waterloo security dialogue in June to bring together various stakeholders and focus on discussions and simulations to better understand the impact of cyber-incidents, response and recovery measures, and the roles and responsibilities of different parties.
Let's talk about the threats. As previous speakers have mentioned, there are active persistent threats, or APTs, in coordinated and highly targeted cyber-attacks often carried out by state actors who aim to steal sensitive information or disrupt critical infrastructure over a long period of time.
You have ransomware, which we've talked about already as well. That's malicious software that encrypts the victim's files and demands payment for a decryption key. There's also now something called double extortion, where they threaten to release very sensitive information. Not only is your information locked up, but they threaten to release sensitive things to either embarrass you or push you to payment.
Then we have supply chain attacks. Supply chain attacks occur when an attacker actually compromises the software or hardware of the supplier to deliver malicious code to its customers. Probably the best known of these in recent memory is the 2020 SolarWinds incident, where that popular IT management software was used to compromise thousands of organizations.
We also have election interference and foreign actors using cyber means to hack into voter databases, spread disinformation and manipulate social media, all with the view to influence public opinion.
We also then have critical infrastructure attacks. This was already talked about in terms of the Ukrainian power grid. This is a great example of a critical infrastructure attack having a real-world effect where, in 2015, 225,000 people were without electricity.
The full capabilities of states will certainly vary, but here's my view: In light of current geopolitical trends, I believe the safest operating assumption for Canada is that we will be existing in a grey zone for the foreseeable future.
As for what I mean by “grey zone”, I'm actually going to adopt the definition from Canada's defence policy, which I thought was the best definition I'd seen.
Here, it says:
State and non-state actors are increasingly pursuing their agendas using hybrid methods in the “grey zone” that exists just below the threshold of armed conflict. Hybrid methods involve the coordinated application of diplomatic, informational, cyber, military and economic instruments to achieve strategic or operational objectives. They often rely on the deliberate spread of misinformation to sow confusion and discord in the international community, create ambiguity and maintain deniability.
In conclusion, my own view is that this is a whole-of-society concern for Canada. It's not just about government. It's actually about governance.
I believe it's our collective duty to better prepare the country for an existence in this grey zone.
Thank you, Mr. Chair.
4:50 p.m.
Conservative
The Vice-Chair Conservative James Bezan
Thank you for your opening comments.
Please proceed, Dr. Wark.
4:50 p.m.
Dr. Wesley Wark Senior Fellow, Centre for International Governance Innovation
Thank you, Chair.
Chair and members of the committee, I'm grateful for this invitation to appear and give testimony.
The terms of reference of your study touch on many facets of the cyber-threat, but I will focus on just one here in the five minutes I have for this opening statement, and that's the Russian invasion of Ukraine, which has provided important real-world insights into the ways in which cyber-weapons can and will be used in wartime in conjunction with more conventional military attacks.
This alignment was first exemplified in the Viasat hack of satellite-based Ukrainian communications on the opening morning of the Russian invasion. You've heard previous speakers from CSE mention that attack.
What do we know of events since February 24, 2022? Let me take you to two open-source studies. I've provided links to these studies to the clerk of the committee.
In June 2022, CSE's Canadian centre for cybersecurity produced a threat bulletin that catalogued significant Russian cyber-activity in conjunction with military attacks on Ukraine for the period from February 2022 through to May 2022.
Among the key judgments in that CSE bulletin were that the scope and severity of Russian cyber-operations were more sophisticated and widespread than had been reported in open sources and that, beyond the Ukraine theatre itself, Russian cyber-threat actors were engaged in widespread cyber-espionage campaigns against NATO countries and looking to develop further cyber-capabilities against such targets, including Canada.
In January 2023, the Ukrainian cybersecurity agency released a report—translated, fortunately, into English—using a methodology very similar to that employed by CSE, which documented the scale of Russian cyber-attacks and their alignment with conventional bombardments from February through to November 2022.
A key finding in the Ukrainian report concerns the ways in which Russian cyber-attacks have targeted energy infrastructure in Ukraine as part of a ramped-up Russian effort to destroy Ukrainian sources of civil power supply and undermine morale. According to the Ukrainian security service—SBU—report, Russia carried out on average more than 10 cyber-attacks on Ukrainian critical energy infrastructure per day in November of 2022.
Ukraine's cybersecurity leadership wants the world to recognize the reality of cyberwarfare as they have experienced it. They urge a common approach to cyber-aggression, the use of sanctions to undermine the cyber-capabilities of an aggressor, the need for enhanced sharing of information about cyber-threats and a clear designation of cyber-attacks on civilian critical infrastructure as a war crime, along with a determination to pursue accountability for such crimes.
How should Canada respond to this set of appeals? I would suggest the following.
First, ensure that CSE is able to provide the maximum possible aid to Ukraine in terms of signals intelligence and cybersecurity support.
Second, the Government of Canada should continue to provide financial support to ensure the resilience of Ukraine's cyber-systems.
Thirdly, along with our allies, we should be using targeted sanctions to undermine Russian state and proxy cyber-capabilities. I think we should also continue to document and publicly call out Russian cyber-aggression against Ukraine and NATO. I would urge us to take a lead role in supporting Ukraine's call to designate cyber-attacks on critical infrastructure as a war crime in international law and assist Ukraine to pursue accountability.
Finally, we should ensure that we maintain a robust capacity to monitor and learn from the use of Russian cyber-weapons against Ukraine. This should include research support for Canadian academic and NGO studies and engagement with expertise in the private sector.
We have learned three things from the Russian cyberwar against Ukraine. First, civilians are prime targets. Second, cyber-weapons are not precision munitions, and third, that cyber-aggression knows no rules or bounds.
Worse still is what might be waiting in the wings: the looming possibility of another—I'm going to refer to this operation in Russian—NotPetya malware attack, with global ramifications. NotPetya was a Russian GRU—that is the military intelligence agency—hacker operation launched in June 2017 against Ukraine. It morphed out of control, as many of these malware attacks will do, crippling global container shipping. It was described by one Homeland Security adviser to the President of the United States as “the equivalent of using nuclear bomb to achieve a small tactical victory”.
The cyber-nuke outcome is one we must strive to avoid, just as we strive to avoid escalation to nuclear war over Ukraine.
Mr. Chair, I'll conclude by saying that I hope this doesn't sound too much like Dr. Strangelove.
Thank you.
4:55 p.m.
Conservative
The Vice-Chair Conservative James Bezan
Thank you very much.
Those were very good opening comments. I appreciate both testimonies.
With that, we will go to our first round.
Ms. Kramp-Neuman, you have six minutes.
4:55 p.m.
Conservative
Shelby Kramp-Neuman Conservative Hastings—Lennox and Addington, ON
Thank you, Mr. Chair.
Dr. Wark, thank you for your testimony. I'll start my questions with you.
In what ways do the tensions in Russia increase the need for more resources and military defence supports to ensure that Canada can effectively compete on the international stage?
4:55 p.m.
Senior Fellow, Centre for International Governance Innovation
Thank you.
Through you, Chair, I didn't quite catch it. I think the question is about defensive capabilities or armed forces capabilities. I think there would be.... I'd certainly agree.
The conventional view would probably be.... We shall see what the government decides in its upcoming defence review update, but I think the view will be that the armed forces need a lot of new equipment to be able to engage effectively in any future conflict, including along with allies in support of our own sovereignty. There is a great deal we have to do in that area.
I think we all recognize that the Canadian Armed Forces lacks a range of things, from sufficient manpower through to key military capabilities. Many of these have been called to attention.
I must say, as a private citizen, the fact that we were only able to supply four Leopard 2 tanks to Ukraine struck me as a terrible symbol of the ways in which our military has been allowed to be degraded over the years.
Thank you.
4:55 p.m.
Conservative
Shelby Kramp-Neuman Conservative Hastings—Lennox and Addington, ON
Thank you. I'll continue.
There's a lack of manpower and a lack of morale. In addition to that, there are growing concerns that Canada is being left behind in the Five Eyes relationship as the U.K., U.S. and Australia continue to collaborate.
How has this worsened in the past 10 years, and how can Canada re-establish a relationship?
4:55 p.m.
Senior Fellow, Centre for International Governance Innovation
Thank you for that question.
I'll go in a slightly different direction. I'm not sure that I entirely agree. I would make a distinction between, perhaps, our military capabilities and the way that they have declined, and our intelligence capabilities, particularly on the signals intelligence side and our contribution to the Five Eyes.
I think that Canada, through the CSE, is regarded as a key actor in the Five Eyes, and it is regarded with respect. I am told by Five Eyes counterparts that we are regarded as being one of the leading countries in terms of our ability to provide cybersecurity for federal data infrastructure and communications. We're regarded, in that regard, with respect.
I think the challenge for Canada is keeping up in the face of a wide range of threats.
We are regarded as a key player in the Five Eyes. There are always things that the Five Eyes would like us to do more of. There has been consistent pressure for decades, for example, for Canada to create a foreign intelligence service and a humint agency, which we've already resisted. On the signals intelligence and cybersecurity side, I think we're a strong player.