Evidence of meeting #49 for National Defence in the 44th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
Are you referring to technology, especially new technologies, innovation?
Liberal
Bryan May Liberal Cambridge, ON
Yes. I'm thinking in terms of things like smart vehicles, wearable tech and that sort of thing. Are there certain things we should be concerned about that might be vulnerable to cyber-attack?
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
I wouldn't be able to prioritize the issues according to their importance, but something is attracting my attention a lot, and that is the Internet of Things. There is an exponential proliferation of connected objects. For Canada, very simply, it means that the attack surface is increasing. There are more devices through which to conduct cyberattacks and cyber operations.
Actually, in many cases, connected objects are the weak link in the chain. They are small objects that have been designed to be low cost and very easy to use, among other things. Often what manufacturers will sacrifice in their design is cybersecurity.
There may be thoughts to be had about cybersecurity standards to be imposed on connected objects. We should ensure, for example, that they do not become, in the near future, a kind of privileged gateway for larger system breaches or compromises.
Liberal
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Thank you very much.
I thank both witnesses for being here today.
Mr. Rapin, I would like to know whether, in terms of cybersecurity information sharing, Canada is a credible player among its allies. I am thinking in particular of the Group of Five. How are these exchanges carried out? Is it give and take?
Is Canada able to be effective enough in collecting and producing information to be a credible ally with the Group of Five, in particular?
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
In the case of the Group of Five, it's a bit of a potluck. Everyone is supposed to bring something to eat and then we share what's there.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
That's it. Now, what we need to know is whether Canada cooks a lot.
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
I am not in a position to answer that. Unfortunately, I don't sit on the Group of Five committees and I don't have any inside information on that.
However, the secondary view I can give is that, for many researchers and many people who work on this, Canada is not seen as a player that brings much to the table. I'm not saying that's necessarily the strong opinion that all members have, but it's often the opinion that comes through.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
We understand the nuance, and it is only appropriate to mention it.
That said, I note that Canada has been very slow to make strategic and important decisions in many cases lately. The Huawei one comes to mind, but there are others. I wonder if this has damaged our credibility with our allies and negatively changed their perception of us.
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
It is true Canada did not shine particularly brightly in this regard. It may have looked like we were following the trend rather than making a firm and determined decision.
In my view, there are a lot of factors involved. What I often hear, from foreign colleagues in particular, is that Canada has an image of a country that is very “nice”, or perhaps has what you might call a national security culture...
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
No. At least, that's not the views I hear at all. However, perhaps it's a matter of maturity in terms of national security issues; we're not always quick to seize the problem and want to tackle it head on.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Let me change the subject a bit and address a current issue that I find extremely important.
You know that the McKinsey firm has done a lot of business with Canada. We are talking about hundreds of millions of dollars in contracts awarded, notably by the Department of National Defence. We know that McKinsey, a firm that is not known for its high ethical standards, does a lot of business with China. This has been part of the development of its new core market over the last 15 or 20 years.
Are Canadians and Quebeckers right to be concerned about potential information leaks? If so, do you think we need to have transparency mechanisms for these more elaborate types of contracts?
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
I am not at all able to answer this question, quite honestly.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
I understand.
Ms. Csenkey, we talked about the threat of quantum computers, among other things. My impression is that in a lot of circumstances where you have vulnerabilities, like cyberattacks, the human factor is a big part of it. In many cases, social engineering makes us vulnerable, regardless of the investments we make in our infrastructure.
In your opinion, is Canada doing enough to ensure that risk related to human factors is as minimal as possible?
Ph.D. Candidate, Balsillie School of International Affairs, Wilfrid Laurier University, As an Individual
Mr. Chair, I'd like to thank Mr. Garon for the question.
I'd like to pick up on a question that you posed earlier about Canada's role in the Five Eyes, and then I'll get to your other question.
The Five Eyes, as we know, is an important and trusted intelligence-sharing partnership, and this partnership could extend to information relating to cybersecurity.
As I mentioned in my opening statement, in a recent paper that I co-authored, we found that the specific cybersecurity threats are understood differently between these co-operating allies, especially in the Five Eyes. When it comes to working on solving these particular cybersecurity-related issues, I think one opportunity for Canada to lead on this issue area within the Five Eyes would be in addressing and understanding certain cybersecurity issues, such as the quantum threat. Perhaps this could be through a Five Eyes quantum consortium.
This is understanding that the Five Eyes is an intelligence- and information-sharing partnership. That's its primary purpose. However, we've seen in other partnerships between allies, such as AUKUS, that there can be secondary purposes that might allow us to align and co-operate on particular issues. We know that—
Liberal
The Chair Liberal John McKay
Unfortunately, we're going to have to leave the answer there. I'm sure you'll have an opportunity to elaborate further.
Mr. Boulerice, you have six minutes.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Thank you very much, Mr. Chair.
I thank our witnesses for being here for this important study.
Ms. Csenkey, in July 2021, you published an article entitled “Selling Simulations: The Seduction of Cold War Techno-Fetishism in a Postmodern Cyber World”.
Firstly, would it be possible for you to send this scientific article to the committee so that it can form part of our report?
Secondly, can you tell us how this analysis applies right now to the tensions or conflicts that we see with Russia and China?
Ph.D. Candidate, Balsillie School of International Affairs, Wilfrid Laurier University, As an Individual
Mr. Chair, I would be happy to provide that for the committee.
Incorporating some of the arguments I made in that paper referenced by the committee member, when we're thinking about technology and cyber-threats, it's often caught up in a narrative that excludes human actors, human intentions, ideas about certain technologies and certain capabilities from the lived experience and reality of what cybersecurity is, which is that complex sociotechnical system. If we see cybersecurity threats and that interconnection with humans and technologies, we can also add in services, people, private sector businesses and other connected technologies that flow between different sectors.
What I would like to emphasize is that, when we're talking about connected technologies and we're associating it, for example, with critical infrastructure, it's a more dynamic understanding of cybersecurity issues as related to critical infrastructure. It's that combination of people, services, private operators and those technologies that flow between....
Also, picking up on something that was mentioned in the earlier session, we can't really think of cybersecurity issues as a siloed issue. This goes between different prerogatives of defence, yes, but also of national security. There's also that economic component as well.
I think when we're talking about cybersecurity issues and we're linking them to technologies and people and services, etc., we need to understand that there are cybersecurity considerations for each particular sector. There are different services that are provided within each sector and different technologies, again, appreciating the linkages between them.
We can also appreciate that there are different threats, vulnerabilities and risks for each sector, but there are differences and commonalities in between. When we're talking about what cybersecurity problems are, I think we also need to think about cybersecurity solutions. It's not an across-the-board answer for all.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Thank you very much, Ms. Csenkey.
Mr. Rapin, you talked about the concrete effects of cyberattacks on people's lives.
We saw it last summer with the Rogers outage; it was not caused by a cyberattack, but by a maintenance problem. People were left extremely helpless. They were walking the streets and looking for addresses on maps.
There were no consequences, no punishment, for Rogers. Isn't being so dependent on a handful of unaccountable private telecom companies evidence of our vulnerability?
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
I don't think I'm in a position to comment on the issue or on the link that there may be between industry concentration and infrastructure vulnerability.
I feel that what is going to be more important than market dispersion is redundancy of infrastructure, as well as having backup systems and having thought about resilience upfront, no matter how many players are involved. Someone has to think at some point about what would happen if such and such an attack happened against such and such an infrastructure and so on.
I have a feeling that maybe that's where we should start.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Do you think the federal government should have the responsibility of requiring system redundancy standards, so that there is better system resilience in any situation?
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
I think we will need to think about that, yes.
People are thinking about these things in the US, particularly since the ransomware cyberattack against Colonial Pipeline. On the surface, on paper, this incident could have been like any other ransomware attack, but it ended up having huge consequences. Once pressure was applied to a specific link in the chain, the consequences became disproportionate.
I do think we need to think about this.
Liberal
The Chair Liberal John McKay
Thank you, Mr. Boulerice.
Colleagues, again, we're in the same situation. This time we have to have a hard stop at quarter to eleven, so we'll do three minutes, three minutes, one minute, one minute, three minutes and three minutes.
We'll go to Mrs. Gallant.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
On July 8 we had the Rogers outage that was mentioned, and the 911 system went down in the Maritimes last week. Two weeks ago there was the Transport Canada civil aviation NOTAM failure on the heels of the FAA outage.
Should the government be compelled to alert the public when a cyber-attack is under way on a major system? The government didn't tell us about the balloon when it was overhead, so you know, why would we believe that it would even tell us there was a cyber-attack under way?