National Defence Committee on Feb. 10th, 2023

I would say both. That ad hoc policy that I referred to was very much new policy every year, or finding that our policy last year did not work, so let's do something new. There really isn't much coherency and logic through the years.

I would agree in principle, but I would caution against painting it as black and white in that sense as there are varying levels to this, just as there are varying levels to security clearance. The problem is that these silos exist without much thought to whether this needs to be silos in the first place and to what degree these silos are being detrimental to the actual productive work of the armed forces.

The specifics on the databases in question is definitely separate from the policy. The ad hoc nature is very much overall, but the policy that I would really put my finger on that needs to be clarified is CAF's position and strategy related to persistent engagement.

Persistent engagement is the U.S. strategy of how to respond to adversarial states in cyberspace.

Good morning, Mr. Chair, Vice-Chairs, members of the committee and the other witnesses on this panel. I'm honoured to be invited and thank you for the opportunity to speak to you all today.

I would like to acknowledge that I'm speaking to you from the traditional territory of the Anishinabe Algonquin nation, whose presence reaches back to time immemorial and continues today. This land acknowledgement is meaningful to me as a commitment towards reconciliation practices and recognition of our relationship to place and identity.

My name is Kristen Csenkey and I'm speaking to you as a Ph.D. candidate or “all but dissertation” at the Balsillie school of international affairs through Wilfrid Laurier University. My research focuses on cyber-governance and the management of emerging technologies in Canada.

I have the honour of being called by the committee to speak on the study topics of cybersecurity and cyberwarfare. My approach to these topics comes from my personal capacity as a researcher and academic focusing on the governance side of cybersecurity. I have written on issues of relevance to the study topics, including threats associated with cybersecurity, the roles and responsibilities of involved actors, and the intersections with conflict. It is through my research and previous publications that I approach these topics.

In my opening statement, I will focus my remarks on two main points that may benefit the committee in its study. These two main points are, first, that the threats associated with cybersecurity are dynamic and, second, that preparing to address these threats requires coordination and co-operation among diverse actors.

Let me elaborate on each of these points for the committee.

When I say “dynamic”, I mean that cybersecurity is complex, constantly changing and involves multiple actors, contexts and ideas. This is because cybersecurity is an interconnected social, political and technical endeavour, wherein humans and technologies are intertwined. We live in a cyber-physical world, where many aspects of our lives occur in digital spaces with physical linkages. Therefore, threats associated with cybersecurity should include a nuanced understanding of their technological capacity and capability, as well as the role of human actors, especially in interpreting threats and the responses to said threats.

This leads me to my second point. Preparing to address threats associated with cybersecurity requires coordination and co-operation. If we are to speak about the evolving nature of threats associated with cybersecurity, including the technological capabilities and capacities of various actors, we also must speak about how to address them. This point may seem straightforward, but it is not always this way in practice.

I will provide an example for the committee. In a recent journal article, my co-author and I looked at how different co-operating states understand the quantum threat. A quantum threat is a specific cybersecurity threat associated with the capabilities of quantum computers. Among the Five Eyes partners, we found differences in how this threat and its intentions, associated technology, users and potential threat actors were understood in policies. Discrepancies in understanding the threats associated with cybersecurity will have an impact on the roles and responsibilities of actors involved in addressing these threats.

Coordination among diverse actors involved in interconnected political, social and technical aspects of cybersecurity must occur. This could take shape by leveraging existing pathways and expertise beyond a single contextual understanding of the threat. This requires co-operation.

Co-operation is a key part of addressing cybersecurity threats and keeping Canada safe. Canada can leverage existing trusted partnerships to coordinate responses to threats that appreciate the dynamicism of cybersecurity. This could mean fostering informal or formal engagement with other like-minded, high-tech allies to holistically define threats and understand the associated technological capability and capacity, as well as the complex human and technical dimensions of cybersecurity. Prioritizing innovative partnerships may help ensure security, as well as protect and promote Canadian interests abroad.

It is through co-operation and coordination that Canada can work to ensure we remain safe and secure in an already complex cyber-physical world.

I look forward to discussing any ideas and issues raised in the course of my statement during the question period. This concludes my statement.

Thank you for your kind attention.

I can answer that.

Right now, the Government of Canada, through the various departments that are tasked with protecting Canadians and Canadian critical infrastructure, is doing the best job it can. There's always room for improvement, especially when it comes to reporting cyber-attacks. Right now it's not mandatory to report major cyber-attacks. Especially for SMEs, or companies in that category, to have a mandatory reporting for cyber-attacks would help us understand the breadth of the situation. It would also provide us with more information so that we can come up with a better threat assessment, risk assessment and framework to better protect certain industries and private sector companies.

The government is doing the best it can, but we can always do more. Part of doing more is mandatory reporting of major cyber-attacks.

I will answer in French, if I may.

As far as critical infrastructure is concerned, I think there is a risk. Critical infrastructures are indeed extremely important. They are aptly named because they are critical. Cyberattacks on critical infrastructure are a high-risk but unlikely threat.

The fact that cyberattacks on critical infrastructure are a high-risk threat means that, of course, you have to think about them, prepare for them and have plans in place in case they happen. However, they remain fairly unlikely.

In my view, there is perhaps a risk to us in paying too much attention to threats to critical infrastructure insofar as, as I say, these are things that are relatively unlikely.

Very few, if any, have actually materialized in Canada. On the other hand, many other threats that are much more subtle, less serious, but still have consequences because they are repeated and occur on a daily basis, get less attention and less thought from us.

I think that's a problem, because the critical infrastructure issue is something that is very visible; it's not necessarily very difficult to draw red lines, to be clear about what would be tolerated or not and what would elicit a vigorous response or not.

In the face of this set of smaller threats that individually are not deemed serious enough to elicit a response, but cumulatively produce damage that I think is problematic, I'm not sure we have a good strategy and ways of trying to discourage and prevent them.

In my opinion, in comparative terms, Canada is not, at this time, a priority target for Russia or for cyberactors who would put themselves at its service.

From what we observe and the information I have, the geographical factor still seems to play an important role. It is the countries that are rather close to Ukraine or Russia and the NATO members that are most targeted. I'm thinking of Poland, Slovakia, and the Baltic States in particular, which, from what I've seen publicly, have suffered far more attacks than Canada.

If Russia's goal had been to punish Canada by encouraging its criminal networks to deploy ransomware or by encouraging activists to conduct hacking and information disclosure operations against Canada, for example, we would have seen them by now, and we would have seen a very marked increase by now. But from what I can see, that's not the case.

That being...

Thank you so much for that question from Mr. May.

I would say that there are certain technologies that can have huge impacts related to cybersecurity issues. We can call them disruptive. We can call them emerging technologies. Sometimes we think of them as being a threat themselves or as being very disruptive. However, how I see this problem or this concept is that technologies also interact with humans. Humans create the technologies. We work with them. We can use them for a variety of purposes.

When we think about quantum computers, for example, quantum computers have the potential to benefit many fields. It's not just from a defence perspective that we can look at this. We also can look at the benefits in, for example, accelerating artificial intelligence and for improving simulations and a variety of other purposes, including weather predictions, etc.

When it comes to talking about investing in and developing certain technologies with the intention of developing capabilities for Canada, I think we have an expert base in this country in a variety of regional hubs that are doing excellent work, but I think what needs to happen is that there needs to be more co-operation to address the threats we associate with the use of these particular technologies, while also keeping in mind that it is not just the technology that's the threat. It's the potential for certain malicious actors to use these certain technologies in a way that could cause harm.

One of the ways in which we can help to co-operate to address those threats is through leveraging these existing partnerships. It's by leveraging existing partnerships at home, in Canada, between government, industry and academia through the various research centres that we have dedicated to these particular types of technologies, but also by leveraging existing pathways for partnership amongst our allies.