Evidence of meeting #49 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
9:30 a.m.
PhD Candidate, Carleton University, As an Individual
I can elaborate as far as I'm aware that it is a plan. That's really the most knowledge I have on that.
From the information that I've heard from officials, it seems the existing relationship is very much ad hoc. They potentially have CSE individuals embedded with the CAF or vice versa. I don't know too much on that, because it just doesn't really exist in open sources.
9:30 a.m.
Conservative
Shelby Kramp-Neuman Conservative Hastings—Lennox and Addington, ON
With regard to the urgency of solving the aging and failing digital services, why do you think the government has been slow to address the failing system?
9:30 a.m.
PhD Candidate, Carleton University, As an Individual
It's been a long problem that....
Are you referring to just the CAF or broadly in the government?
9:30 a.m.
Conservative
Shelby Kramp-Neuman Conservative Hastings—Lennox and Addington, ON
I mean more specifically in the CAF.
9:30 a.m.
PhD Candidate, Carleton University, As an Individual
Part of that is the ad hoc process that I referred to. The creation of Shared Services Canada basically gutted the armed forces of their cybersecurity and cyber-talent. The idea of just centralizing it in SSC was a good idea, but it overlooks the central importance of national defence and the digital capabilities for that.
They had—
9:30 a.m.
Liberal
The Chair Liberal John McKay
Unfortunately, we're going to have to leave that answer there. I apologize again—insincerely, but I still do it.
Ms. Lambropoulos, you have four minutes, please.
9:30 a.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
Thank you.
I would like to start by thanking Mr. Rudolph and Mr. Keenan for being here with us to answer some of our questions and for giving us their interesting testimony.
I'm going to start with Mr. Rudolph.
You spoke about the fact that currently there is no specific way to address cyber-conflict. Given that the National Security Act could undergo a statutory review in 2023, do you believe there are any changes that should be considered in the course of this review?
How can we strengthen legislation or create legislation? What should we include in that, so that we can prepare Canada for potential cyber-threats or cyberwarfare?
9:30 a.m.
PhD Candidate, Carleton University, As an Individual
Thank you for the question.
I would say the number one thing that Canada needs to do is to state its position on persistent engagement. This is the U.S. strategy of constantly engaging adversarial elements in cyberspace. When you hear about U.S. Cyber Command or NSA conducting offensive attacks in order to arrest or target ransomware operators, this is the type of action that is under persistent engagement.
Canada has voiced certain ways of supporting this, but it's very unclear. The supports to such actions have been very inconsistent.
9:30 a.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
Okay, it's to be very clear and more consistent in the way that we deal with those threats.
Mr. Keenan, what I'm hearing you say is that we are very vulnerable due to our reliance on technology. There isn't too much we can do about that. I'm wondering if there are any suggestions you would make to that same review—the National Security Act. Are there any changes?
9:30 a.m.
Prof. Thomas Keenan
There's explicitly addressing what we call “hack back” or active measures.
I did question the Canadian Armed Forces. They directed me to the document “Strong, Secure, Engaged”. Alex probably knows more about this too. There's a spot in there where it does say that with the right level of authorization we can hack back. The reality is that we're going to have to hack back. It's not really negotiable anymore.
Of course, it becomes a definitional question. I was told at one point that the United States government was looking at physical facilities in Russia that might possibly be victims of an attack. We do know the U.S. government put a virus in printers that went into Iraq and so on. It's going on out there.
I don't think we have a clear policy on it. I think we need to know. I've realized for security reasons that they may not want to be forthcoming about when they actually do it. It seems to me, from what I've been able to find as a civilian, that they are not clear on when they can use active measures.
9:35 a.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
All right. Thank you.
Mr. Rudolph, my next question is for you again.
I'm wondering if you can give us a bit more of an explanation about the difference between cybersecurity and cyberwarfare. At what point does it become cyberwarfare? What are the overlaps between the two?
9:35 a.m.
PhD Candidate, Carleton University, As an Individual
I'll try to be quick then, which is difficult for an academic.
Cybersecurity is very much holistic, whereas cyber-defence and cyberwarfare are very targeted on the threats, and for the most part include states and not non-state actors. In cybersecurity you're dealing with low-level criminals as well as states, while cyber-defence is targeted, just like national defence.
9:35 a.m.
Bloc
Jean-Denis Garon Bloc Mirabel, QC
Professor Keenan, we've been talking about critical infrastructure. I have in mind electrical grids and hospitals, for example, which are obviously a provincial responsibility.
I wonder if, in Canada, the provinces and Quebec are sufficiently included in the discussions and protocols that would eventually aim to protect our critical infrastructure.
If not, what specifically should be done?
9:35 a.m.
Prof. Thomas Keenan
We need to consult the provinces and the private sector as well. So many of those things are in the hands of private companies. I know there are meetings. I know there is collaboration.
I don't want to bring up the balloon again, but the reality is that people have asked, “What if there was an electromagnetic pulse weapon in that thing?” It certainly is possible that somebody will do a high-level attack on our critical infrastructure. That would require all hands on deck.
I agree that there should be wider consultation. There should be contingency plans. We wouldn't last very long without our power grid, and that's a fact.
9:35 a.m.
NDP
Alexandre Boulerice NDP Rosemont—La Petite-Patrie, QC
Oh, I have one minute!
My question is for Mr. Rudolph.
Your comments about our inability to cope with cyberattacks are quite worrying. We are very dependent on private sector consulting firms, large telecom companies and web giants, who have a lot of control over our lives and personal information.
Are you not somewhat worried by our dependence on all these private companies and our lack of ability to cope at the public level?
9:35 a.m.
PhD Candidate, Carleton University, As an Individual
I'm not at all. I think cybersecurity professionals are just as important as members of the military and of a police force. Sure, they can be viewed as a risk in certain senses, but cybersecurity professionals are integral to the functioning of our society. It would be undue to say that it's entirely at risk, but it's a risk that we have to take into account, as with any organization for that matter.
9:35 a.m.
Liberal
9:35 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Just taking you back, Mr. Rudolph, to your opening statement in which you said that CAF is in no way prepared for cyberwarfare, you were limited by time to explain the different ways. I think that information is important for the committee and the report we're going to make, so you could take whatever time I have to itemize the recommendations that you would have for CAF to become prepared.
Go ahead.
9:35 a.m.
PhD Candidate, Carleton University, As an Individual
Thank you for that opportunity.
Fortunately, on many of the questions, I've been allowed to expand on many of the points.
The one I don't think I've touched on too much yet is a general lack of cyber-infrastructure in the forces. One part is the slow procurement process, as many of you will be well aware, but it's also not incorporating and understanding the unique challenges and differences that cyber has from a traditional defence sector.
I will preface that I'm still very much a novice in defence procurement, but I'm very much aware that current ITP policies, in many cases, fail to capture investments by large, potentially prime contractors in cybersecurity and cyber-defence. In addition, the slow process is even more damaging to SMEs working in cyber, because they don't have time to waste, 12 or 16 months for an ITQ, when they have funding for maybe a year at the most, if they're lucky, especially when you're dealing with AI and a lot of these advanced offensive capabilities. These SMEs need all the support they can get, and when your only customer is potentially the government, and it is going as slow as can be, Canada isn't necessarily going to be a customer.
9:40 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Is it fair to say then that PSPC or the Government of Canada's procurement processes are prohibitive for a small or medium-sized enterprise? You can't even deal with the bureaucracy, and you can't deal with the process. Is that correct?
9:40 a.m.
PhD Candidate, Carleton University, As an Individual
I won't say across the board, but specifically with cyber-oriented SMEs, I would say yes.
9:40 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Let's give you a minute to talk about CSE, because you said that neither CAF nor CSE.... You didn't have as much time to elaborate on CSE, so go ahead with what steps CSE needs to take to get prepared.