Evidence of meeting #48 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Alia Tayyeb  Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment
Aaron Shull  Managing Director and General Counsel, Centre for International Governance Innovation
Wesley Wark  Senior Fellow, Centre for International Governance Innovation
Clerk of the Committee  Mr. Andrew Wilson

4:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

I'd like to add a couple of things.

We belong to a number of communities that share information for the purposes of cybersecurity. The Five Eyes partners share a lot of information.

At a more global level, we share information with computer emergency response teams all over the world. When we receive information about malicious activity, we send them a note so that they can take steps domestically to neutralize the threat.

4:25 p.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Does information sharing within the Five Eyes alliance involve all the partners, or do discussions happen on a more one-to-one level?

4:25 p.m.

Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment

Alia Tayyeb

Broadly speaking, I would say both scenarios are possible. It depends on the type of threat affecting the partners. Mr. Khoury may have something different to say about that.

4:25 p.m.

Conservative

The Vice-Chair Conservative James Bezan

We're out of time. We have to move on to our next two and a half minute question. I'm sorry about that.

Go ahead, Ms. Mathyssen.

4:25 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you.

Ms. Tayyeb, you mentioned in your opening statement the expanded powers that you have. A lot of folks were, of course, concerned about that expansion and the fact that your department can collect information on Canadians for research purposes, and then there's no requirement to release that information. It's there forever.

Of course, a lot of human rights and civil rights organizations were concerned about the use of that data and about it being used against folks when they're exercising their rights. There were also other concerns in terms of the oversight of that and the accountability of that, and how you're monitored continuously now that these laws have been in effect for several years.

Could you comment on that?

4:25 p.m.

Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment

Alia Tayyeb

Thanks very much for that.

Allow me the opportunity to just clarify a point, if I misspoke earlier. To be clear, CSE is not permitted in any way, shape or form to target Canadians or any individuals in Canada. That's a basic prohibition. That extends to our foreign intelligence mandate and our cyber-operations mandate.

What I believe I was referring to was that, in that space, the interest would be on the foreign actor. If the foreign actor is targeting Canadians, we'd be interested in what that foreign actor is doing that would be harmful to Canada. That's a very specific prohibition.

In terms of review, absolutely we are reviewed. We have two review bodies, the NSIRA, the National Security and Intelligence Review Agency, and the NSICOP. We also have an intelligence commissioner who approves our ministerial authorizations to ensure that they're in keeping, on the foreign intelligence side, with our charter obligations, and to maintain and ensure the privacy of Canadians should any information on Canadians be collected incidentally.

We have both oversight and consistent review in all aspects of our mandate.

4:25 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Within the CSE Act, you are allowed to research the activity of Canadians nationally and domestically—are you not?

4:25 p.m.

Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment

Alia Tayyeb

No, we are not.

4:25 p.m.

Conservative

The Vice-Chair Conservative James Bezan

Thank you very much.

Mr. Kelly, you have five minutes.

February 7th, 2023 / 4:25 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Thank you.

Mr. Khoury, less than a year ago at committee, you said, “the state-sponsored cyber programs of China, Russia, North Korea and Iran pose the greatest strategic threat to Canada.”

First of all, is that still the case? Do you have any comments on non-state actors?

4:25 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

Thank you for the question.

The assessment that we've reiterated in our most recent national cyber-threat assessment is that those four countries—Russia, China, North Korea and Iran—continue to pose the greatest strategic threat to Canada.

As far as non-state actors are concerned, obviously cybercriminals are a threat that we have to address. As well, as a result of the Russia-Ukraine conflict, we've seen a number of state-aligned hacktivist groups. These are cybercriminals who have sort of flown the flag or taken sides. A number of ransomware affiliates have decided to align themselves with Russia in the conflict and taken sides. These are always things of concern.

4:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Are you saying that these state actors avail themselves of mercenary-type services from international criminals?

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

In some cases, there's a close relationship between the state apparatus and some of these cybercriminal organizations.

4:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Okay.

Also in the report there was a recommendation number 10, which followed from your last appearance. It recommended:

That the Government of Canada invest in defensive and active cyber operations capabilities. As well, the Government should increase its recruitment and training of cyber specialists for the Canadian Armed Forces and the Communications Security Establishment, and ensure that all federal systems are adequately protected against cyber threats.

What action has been taken within your department on recommendation number 10 of the report?

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

Maybe Alia can take the first part of that.

4:30 p.m.

Deputy Chief of Signals Intelligence (SIGINT), Communications Security Establishment

Alia Tayyeb

I don't have that report in front of me, but indeed, on the first recommendation, in terms of investing in active and defensive cyber-operations, as I indicated, in the budget announced in 2022, we did [Technical difficulty—Editor].

4:30 p.m.

Conservative

The Vice-Chair Conservative James Bezan

We have a cyber-hack here.

4:30 p.m.

Voices

Oh, oh!

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

In the meantime, I can address the second part of that recommendation, which was defending government systems.

4:30 p.m.

Conservative

The Vice-Chair Conservative James Bezan

Go ahead, Mr. Khoury.

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

We are constantly monitoring government systems. We are updating them with the latest threat indicators. We work closely with SSC and with Treasury Board on making sure that government IT is very well protected.

Also, as a result of the NSICOP recommendation, we are working with the small departments, agencies and Crown corporations, to bring them into the fold of the defensive capability of the cyber centre.

4:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

Okay. Thank you.

What about the Office of the Privacy Commissioner? In response to an earlier question, you mentioned that there is not a requirement for businesses to report ransomware, hacks or loss of data, but they are required to report that to the Privacy Commissioner. Do you take cues from or do you work with that office to determine threats in the furtherance of your work in your agency?

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

Thank you for the question.

No, we don't get tipped off by the Privacy Commissioner. Businesses have an obligation to report to a number of bodies. Sometimes it's the Privacy Commissioner. Sometimes it's regulatory bodies. We reach out as soon as we hear of an incident. We always reach out to the victims and offer our assistance.

4:30 p.m.

Conservative

Pat Kelly Conservative Calgary Rocky Ridge, AB

You, on your own, just monitor the media. It seems like there must be a better way to ensure you are aware of hacks or ransomware attacks and these kinds of things as they happen.

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Sami Khoury

We are made aware of incidents through a variety of means, media being one of them, but we also have partners who tip us off. Sometimes the victims themselves reach out to us to inform us that they've been a victim of a cyber-incident. We are aware of victims through a number of ways, but the coverage is not 100%, of course.