Evidence of meeting #49 for National Defence in the 44th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
Unfortunately, I don’t have all the information I need to answer that question.
Liberal
Liberal
Jennifer O'Connell Liberal Pickering—Uxbridge, ON
Thank you, Mr. Chair.
Thanks to both of you for appearing today.
Mr. Rapin, I wanted to talk about the differences in your database that I find very interesting, the differences between an attack, for example. It's my understanding that it's pretty cheap on the dark web to purchase some sort of malware or program. That sort of blackmail-type of attack on a business might not even be linked to a foreign adversary, for example. There's that distinction. Then there's a distinction between an attack on a government agency, for example, or a department, and then there's a distinction between private entities.
In the course of this study, we would be looking for recommendations to improve our systems. One of the areas at issue is that there is no ability for CSE, CSIS or our cybercommunity to actually intervene with private entities, even if they have been attacked by a foreign actor. That also goes, in some cases, for critical infrastructure. A lot of times, municipalities would be the ones owning that infrastructure. In fact, the CSIS Act directly prevents CSIS from communicating or sharing information with municipalities, provinces, etc.
Could you maybe speak to the differences and maybe some recommendations on how we can make sure we're distinguishing between attacks from, let's say, a bad actor versus a bad foreign actor, and the various levels?
Research Fellow, Raoul-Dandurand Chair in Strategic and Diplomatic Studies, Université du Québec à Montréal, As an Individual
We have to look at different approaches. CSIS, the RCMP and even federal agencies won’t be able to fix everything. As you said, a lot of the infrastructure that could be considered critical and that is the most vulnerable is at a relatively low level, where there can be fewer resources and less expertise for cybersecurity.
There are different cases, particularly in the US, where foreign state‑sponsored hackers targeted municipal or state infrastructure, expecting them to be less protected at that level. There are therefore various approaches and levels to consider.
I believe Ms. Csenkey talked earlier about making it mandatory for organizations that manage critical infrastructure to report cyber incidents. I believe the US just did this, or is about to. It’s a best practice, and I think we should be doing that as well.
Liberal
The Chair Liberal John McKay
Thank you, Ms. O'Connell.
I want to thank both witnesses on behalf of the committee.
As you can see this is a hot topic and a very complex topic. I take note that, in this morning's news, the Elon Musk group is cutting off Ukrainian access to the information provided through that satellite. This strikes me as an immense security risk, a clear and present danger to the prosecution of that war.
In the event that you have any thoughts along those lines, I particularly would be interested.
Regardless, I do, unfortunately, have to bring this meeting to a close.
With that, colleagues, the meeting is adjourned.