National Defence Committee on Feb. 10th, 2023

I would say both. That ad hoc policy that I referred to was very much new policy every year, or finding that our policy last year did not work, so let's do something new. There really isn't much coherency and logic through the years.

I would agree in principle, but I would caution against painting it as black and white in that sense as there are varying levels to this, just as there are varying levels to security clearance. The problem is that these silos exist without much thought to whether this needs to be silos in the first place and to what degree these silos are being detrimental to the actual productive work of the armed forces.

The specifics on the databases in question is definitely separate from the policy. The ad hoc nature is very much overall, but the policy that I would really put my finger on that needs to be clarified is CAF's position and strategy related to persistent engagement.

Persistent engagement is the U.S. strategy of how to respond to adversarial states in cyberspace.

Good morning, Mr. Chair, Vice-Chairs, members of the committee and the other witnesses on this panel. I'm honoured to be invited and thank you for the opportunity to speak to you all today.

I would like to acknowledge that I'm speaking to you from the traditional territory of the Anishinabe Algonquin nation, whose presence reaches back to time immemorial and continues today. This land acknowledgement is meaningful to me as a commitment towards reconciliation practices and recognition of our relationship to place and identity.

My name is Kristen Csenkey and I'm speaking to you as a Ph.D. candidate or “all but dissertation” at the Balsillie school of international affairs through Wilfrid Laurier University. My research focuses on cyber-governance and the management of emerging technologies in Canada.

I have the honour of being called by the committee to speak on the study topics of cybersecurity and cyberwarfare. My approach to these topics comes from my personal capacity as a researcher and academic focusing on the governance side of cybersecurity. I have written on issues of relevance to the study topics, including threats associated with cybersecurity, the roles and responsibilities of involved actors, and the intersections with conflict. It is through my research and previous publications that I approach these topics.

In my opening statement, I will focus my remarks on two main points that may benefit the committee in its study. These two main points are, first, that the threats associated with cybersecurity are dynamic and, second, that preparing to address these threats requires coordination and co-operation among diverse actors.

Let me elaborate on each of these points for the committee.

When I say “dynamic”, I mean that cybersecurity is complex, constantly changing and involves multiple actors, contexts and ideas. This is because cybersecurity is an interconnected social, political and technical endeavour, wherein humans and technologies are intertwined. We live in a cyber-physical world, where many aspects of our lives occur in digital spaces with physical linkages. Therefore, threats associated with cybersecurity should include a nuanced understanding of their technological capacity and capability, as well as the role of human actors, especially in interpreting threats and the responses to said threats.

This leads me to my second point. Preparing to address threats associated with cybersecurity requires coordination and co-operation. If we are to speak about the evolving nature of threats associated with cybersecurity, including the technological capabilities and capacities of various actors, we also must speak about how to address them. This point may seem straightforward, but it is not always this way in practice.

I will provide an example for the committee. In a recent journal article, my co-author and I looked at how different co-operating states understand the quantum threat. A quantum threat is a specific cybersecurity threat associated with the capabilities of quantum computers. Among the Five Eyes partners, we found differences in how this threat and its intentions, associated technology, users and potential threat actors were understood in policies. Discrepancies in understanding the threats associated with cybersecurity will have an impact on the roles and responsibilities of actors involved in addressing these threats.

Coordination among diverse actors involved in interconnected political, social and technical aspects of cybersecurity must occur. This could take shape by leveraging existing pathways and expertise beyond a single contextual understanding of the threat. This requires co-operation.

Co-operation is a key part of addressing cybersecurity threats and keeping Canada safe. Canada can leverage existing trusted partnerships to coordinate responses to threats that appreciate the dynamicism of cybersecurity. This could mean fostering informal or formal engagement with other like-minded, high-tech allies to holistically define threats and understand the associated technological capability and capacity, as well as the complex human and technical dimensions of cybersecurity. Prioritizing innovative partnerships may help ensure security, as well as protect and promote Canadian interests abroad.

It is through co-operation and coordination that Canada can work to ensure we remain safe and secure in an already complex cyber-physical world.

I look forward to discussing any ideas and issues raised in the course of my statement during the question period. This concludes my statement.

Thank you for your kind attention.

Mr. Chair and members of the committee, good morning. Thank you for the opportunity to be here today.

I am a research fellow at the Raoul-Dandurand Chair in Strategic and Diplomatic Studies at the Université du Québec à Montréal. My research focuses on issues related to cyber-strategy, cyber-defence and more generally on the impacts of information technology on international security.

In 2020 the research team that I'm part of launched a database dedicated to publicly recording geopolitical cyber-incidents targeting Canada, whether it be its government entities, its companies, its research institutions or its civil society. Our feeling at the time was that geopolitical cyber-incidents in Canada were quick to make headlines but were even quicker to be forgotten. We felt that the Canadian public was not fully equipped to grasp the full, cumulative and pervasive character of foreign cyber-operations targeting Canada. Thus, we set up an online and freely accessible directory of geopolitical cyber-incidents aimed at documenting publicly recorded incidents—their nature, their targets and, when possible, their initiators. The aim of the database was also to keep score of foreign cyber-activities targeting Canada so as to provide the public with a barometer of this phenomenon.

Three years later, as of today, our database has recorded 93 geopolitical cyber-incidents in Canada since 2010. Among those, 14 incidents took place in 2022 alone. In fact, we've observed that the frequency of such incidents is clearly increasing. As I mentioned, our work is based on only publicly recorded incidents, which means that many more incidents remain unreported to this day.

These 93 incidents include various types of malicious activity: economic espionage against Canadian businesses and universities; covert electronic surveillance of Canadian-based activists and non-governmental organizations; and intelligence gathering targeting Canadian government organizations, among others.

Our data further indicates that the overwhelming majority of these incidents originate from just four countries: China, Russia, Iran and North Korea. While it is not always clear that the governments of these countries are responsible for each of these attacks, there is little doubt that these four states pose major cybersecurity challenges for Canada.

In 2021 and 2022, our team also published annual reports summarizing our key observations of the most recent cyberincidents. These reports were also intended to highlight certain current trends that we felt were critical to Canada's national security.

Our last assessment, published in 2022, focused on the following trends: the growing threat of ransomware cyber-attacks against Canadian entities, sometimes state-sponsored, which may disrupt critical infrastructure or serve as cover for clandestine intelligence collection; the increasingly aggressive targeting of Canadian-based activists, exiles and dissenters by foreign powers for purposes of espionage, intimidation and harassment; and the rise of the cyber-mercenaries industry, which is starting to target Canadian entities, most probably at the request of foreign powers.

Needless to say, these three trends do not represent the whole picture of cyber-threats that Canada is currently facing. The conflict in Ukraine or the constant economic espionage against Canadian research and development, for instance, should also get our close attention.

What I have tried to demonstrate with these facts, however, is that cybersecurity issues are not a futuristic, hypothetical, distant threat for Canada. Cyber-threats are already here with us. While they may appear discreet or intangible, they directly impact the lives of many people in Canada every day.

Hence, I think it is urgent to address these issues more vigorously and also to discuss them more publicly and more frankly. Today's hearing is an excellent opportunity to do so.

I look forward to answering your questions.

I can answer that.

Right now, the Government of Canada, through the various departments that are tasked with protecting Canadians and Canadian critical infrastructure, is doing the best job it can. There's always room for improvement, especially when it comes to reporting cyber-attacks. Right now it's not mandatory to report major cyber-attacks. Especially for SMEs, or companies in that category, to have a mandatory reporting for cyber-attacks would help us understand the breadth of the situation. It would also provide us with more information so that we can come up with a better threat assessment, risk assessment and framework to better protect certain industries and private sector companies.

The government is doing the best it can, but we can always do more. Part of doing more is mandatory reporting of major cyber-attacks.

I will answer in French, if I may.

As far as critical infrastructure is concerned, I think there is a risk. Critical infrastructures are indeed extremely important. They are aptly named because they are critical. Cyberattacks on critical infrastructure are a high-risk but unlikely threat.

The fact that cyberattacks on critical infrastructure are a high-risk threat means that, of course, you have to think about them, prepare for them and have plans in place in case they happen. However, they remain fairly unlikely.

In my view, there is perhaps a risk to us in paying too much attention to threats to critical infrastructure insofar as, as I say, these are things that are relatively unlikely.

Very few, if any, have actually materialized in Canada. On the other hand, many other threats that are much more subtle, less serious, but still have consequences because they are repeated and occur on a daily basis, get less attention and less thought from us.

I think that's a problem, because the critical infrastructure issue is something that is very visible; it's not necessarily very difficult to draw red lines, to be clear about what would be tolerated or not and what would elicit a vigorous response or not.

In the face of this set of smaller threats that individually are not deemed serious enough to elicit a response, but cumulatively produce damage that I think is problematic, I'm not sure we have a good strategy and ways of trying to discourage and prevent them.

In my opinion, in comparative terms, Canada is not, at this time, a priority target for Russia or for cyberactors who would put themselves at its service.

From what we observe and the information I have, the geographical factor still seems to play an important role. It is the countries that are rather close to Ukraine or Russia and the NATO members that are most targeted. I'm thinking of Poland, Slovakia, and the Baltic States in particular, which, from what I've seen publicly, have suffered far more attacks than Canada.

If Russia's goal had been to punish Canada by encouraging its criminal networks to deploy ransomware or by encouraging activists to conduct hacking and information disclosure operations against Canada, for example, we would have seen them by now, and we would have seen a very marked increase by now. But from what I can see, that's not the case.

That being...

Thank you so much for that question from Mr. May.

I would say that there are certain technologies that can have huge impacts related to cybersecurity issues. We can call them disruptive. We can call them emerging technologies. Sometimes we think of them as being a threat themselves or as being very disruptive. However, how I see this problem or this concept is that technologies also interact with humans. Humans create the technologies. We work with them. We can use them for a variety of purposes.

When we think about quantum computers, for example, quantum computers have the potential to benefit many fields. It's not just from a defence perspective that we can look at this. We also can look at the benefits in, for example, accelerating artificial intelligence and for improving simulations and a variety of other purposes, including weather predictions, etc.

When it comes to talking about investing in and developing certain technologies with the intention of developing capabilities for Canada, I think we have an expert base in this country in a variety of regional hubs that are doing excellent work, but I think what needs to happen is that there needs to be more co-operation to address the threats we associate with the use of these particular technologies, while also keeping in mind that it is not just the technology that's the threat. It's the potential for certain malicious actors to use these certain technologies in a way that could cause harm.

One of the ways in which we can help to co-operate to address those threats is through leveraging these existing partnerships. It's by leveraging existing partnerships at home, in Canada, between government, industry and academia through the various research centres that we have dedicated to these particular types of technologies, but also by leveraging existing pathways for partnership amongst our allies.