National Defence Committee on Feb. 7th, 2023

I'm sorry that Aaron can't take that question. I'll try to answer for both of us to the best of my ability.

I think the suggestion that Mr. Shull made about tax incentives is certainly one way forward. Regulation, at least of what we might determine to be critical data infrastructure and communications, is another. Bill C-26 may have an interesting impact in that regard, depending on what Parliament does with it. It's certainly worthy of study.

I think the conclusion that we've come to, which CSE has also spoken to, is that, while there are pretty high levels of cybersecurity capabilities, awareness and implementation on the part of the major private sector actors in Canada, including the financial sector and other aspects of critical infrastructure, the real problem is with small and medium-sized enterprises. They have neither the resources nor, perhaps, even the understanding of the degree to which they are vulnerable to cyber-attacks

I think the small and medium enterprises are the area of focus, as well as figuring out ways to help them up their game in cybersecurity in ways that are affordable and understandable to them. That is the challenge.

He is. He's turned off his camera.

I thank you for the question.

Mr. Kelly, we've seen a few examples of attacks on Canadian holders of data and private information over the years. We haven't seen crippling attacks at this stage, I would say. Probably the worst of the attacks that we've seen goes back a number of years now. That was the hack into the National Research Council. It took a long time to rebuild systems in response to that attack.

We're learning as we're going, so I don't have an example to offer you other than these isolated incidents, but we're learning as we go.

Mr. Chair, I'd answer that question by saying it would be interesting to hear from CFINTCOM, in particular, on that, because that's the organization within DND that is most affected by developments.

What we've seen recently—it was highlighted in the defence “Strong, Secure, Engaged” strategy in 2017, and perhaps will be reinforced in the update, whenever that appears—is that the Canadian Armed Forces decided it needed a much enhanced capacity to engage in cybersecurity and have cyber-capabilities for its own offensive and defensive operations. It has been attempting to build up an independent, stand-alone capability in that regard under its own mandate. CSE has been able to assist it.

It's not so much that there are gaps between CSE and CFINTCOM, as I would understand it. It's more the question of how well the Canadian Armed Forces and, particularly, CFINTCOM have been able to build that cadre of cyberwarriors that they need.

Thank you.

I think the answer to that question is that probably everything comes into play. I think the key challenges for CFINTCOM in particular in building its capabilities are partly technological—having access to the best kinds of systems they'll need—and also in terms of human resource capability. It's about finding that kind of talented pool of either civilian or armed forces members who can contribute to a sort of cyber cadre within the Department of National Defence. In that respect, they face the same challenges, although perhaps magnified, that CSE faces in terms of maintaining the workforce, which was the subject of questions here and that CSE responded to.

I think it's a particular difficulty for CFINTCOM. It's also the case that armed forces are not necessarily institutions that change rapidly, culturally, and we've seen this in many respects.

I couldn't really answer that question, to be honest. I'm not sure it's a huge price tag. It's just being able to identify the systems and acquire them. That is probably the key challenge.

Yes.

Thank you for the question.

I'm going to surprise you, perhaps, by saying that there is one sector that we have not typically considered being part of critical infrastructure but that we need to consider in the future, and that's space. Increasingly, we're going to rely on space-based platforms for critical infrastructure, communications, monitoring of climate change impacts and a whole range of things.

My hope is certainly that in the forthcoming critical infrastructure strategy the government is working on, they will include space as a new sector. I would say that is probably the most vulnerable area, because it is so new and because it is changing and developing so rapidly. There's a Canadian role to play there. Space is a big one.

The other thing I would say is that signals intelligence agencies, CSE and Five Eyes and other ones, have said that what we're facing are probing attacks at the moment by foreign state adversaries who are trying to figure out how our critical infrastructure systems work and where the vulnerabilities are. Will we actually see attacks on those systems, short of war? That's very hard to know. Probably, the answer is that it's not likely because it has such an escalatory impact, but there are certain aspects of it, in particular in terms of democratic practices and election infrastructure, for example, that can be vulnerable.

I would say that space and those critical infrastructure systems that feed our democratic needs around elections in particular are two key issues.

That's an interesting question. I don't really know the answer to it.

I think for those adversaries that might be paying attention, it would be a thing to look at to see how well a country can respond or recover and where the vulnerabilities might be exposed in terms of critical infrastructure, communications, services and so on. It's probably more in the field of study than anything else.