National Defence Committee on March 10th, 2023

It is a fantastic question, and it hits the nail on the head.

The problem with current political decision-making processes—not with respect to any particular government in this country—for years has been that we dither too long in making key decisions where we need to provide political authority, authorization and direction. The longer we wait, the narrower our margin to manoeuver gets and the fewer options we have in our tool box. We need decision-making processes that are more agile, and we need political decision-making processes that are faster in order to maximize the options available politically to the government and the instruments in terms of operations to achieve the effect that the government intends.

That's an excellent question, madam, because it has to do with the political culture and the strategic culture of each of these countries.

For example, Iran primarily has strategic purposes in the Middle East region. Iran is not primarily targeting Canada, the United States or European allies. One of North Korea's primary goals is to steal vast sums of money to fund its nefarious activities. Russia has global capabilities. What differentiates China and Russia from other countries is the scale of the capabilities and a strategic patience to develop those capabilities to optimize certain objectives.

For example, you may remember the computer infiltration of the SolarWinds company systems, about 18 months or two years ago. It was an attempted cyber-attack that probably took 12 to 18 months to plan. It probably took a thousand people to put all the pieces together. These actors have very different capabilities from other states. Therefore, active and offensive measures must be taken to deter them from taking actions that are against our interests.

There is always co‑operation for tactical reasons, i.e., to challenge the international political order, which Russia and China believe does not serve their interests.

Authoritarian regimes do not trust each other that much. That's why I'm not too worried about this long-term collaboration, especially on the Chinese side, because they have the capacity to act on their own and further their own nefarious interests.

Ms. Normandin, it's not a risk, it's a reality. That's what's happening.

Today, Canada lacks the capacity in several areas to be taken seriously by the other G5 partners, particularly the United States, the United Kingdom and Australia. As a result, Canada is excluded from certain collaborative measures in the kinetic field and in the area of cybersecurity. This reduces Canada's ability to look after its interests globally.

There is therefore an urgent need to make investments to develop and expand our country's capabilities in the area of cybersecurity.

I have had the pleasure of having some interactions with the Quebec team, and I find the province's efforts in these areas very interesting. The federal government could learn a number of things from Quebec.

The federal government certainly has more capacity than any province. I think there could be a lot more intergovernmental collaboration, as there is in Australia, where the Australian Signals Directorate, the equivalent of the Communications Security Establishment in Canada, or CSE, has offices in each of the Australian states.

It also seems to me that Canada could be more active. Several countries have cybersecurity ambassadors. Denmark was the first to create such a position, but the United States has as well. We don't have a cybersecurity ambassador, which shows that the way we think about the field of cybersecurity could be updated.

Ms. Mathyssen, I wrote a book on this called Intelligence as Democratic Statecraft. It's a great question.

There are considerable differences here. I had for years warned Canadians, when they were very concerned about surveillance by the Canadian state, that they might want to be more concerned about surveillance by private sector companies than the Canadian state. There are considerable safeguards, accountability and transparency processes in place for state surveillance that are not in place for the private sector.

In the case of TikTok, of course, we are talking about a country that not only has no safeguards for either state surveillance or private sector surveillance, but has actively, even just very recently, reinforced its laws requiring private sector companies to share data without any sort of legal or judicial authorization, simply at the behest of the government. Moreover, it has reinforced the presence of the Communist Party of China in all Chinese enterprises.

You cannot, in China, distinguish between the private sector and the public sector the way you would, for instance, in North America. To say that the risk is the same across the private sector would be a fundamental misunderstanding of the ecosystem in which private sector companies operate in China and their relationship with the Chinese regime.

Facebook is a great example, Ms. Mathyssen. Look at the joint investigation by the Office of the Information and Privacy Commissioner for British Columbia and the federal Privacy Commissioner. The problem is that there are currently very limited tools for the federal government to enforce measures against companies that do not follow Canadian rules.

The question I think the committee might want to ask itself is this: What opportunities exist, and what must be done in terms of government enforcement measures? Also, what incentives, through tax incentives, regulations and so forth, may provide opportunities for the government to act?

Within very short order, you will see a report by the Council of Canadian Academies on public safety in the digital age, which will provide very concrete measures on some of this conversation.

I suppose there's always a concern about state intervention in this domain, particularly when it comes to content.

There's probably an opportunity to lay out clearer swim lanes and provide more transparency for the private sector, and perhaps—as I've proposed in the past—for government to lay out voluntary certification measures by which companies behave. They can then get that certification from the government. In return, users know that a company engages in certain cyber-protection or cybersecurity measures, for instance, meets certain standards and, at the same time, will not use data other than for purposes the government intends.

I think a voluntary certification mechanism would give the consumer much greater confidence and provide an opportunity for government to intervene without being [Technical difficulty—Editor].