Evidence of meeting #53 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
10:30 a.m.
Liberal
10:30 a.m.
Some hon. members
Agreed.
10:30 a.m.
Liberal
The Chair Liberal John McKay
Colleagues, I'm going to have to be pretty harsh. Even at three minutes, I'm going to run this very hard.
With that, Mr. Kelly, you have a very short three minutes.
10:35 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
We've heard that our allies and adversaries can deploy new capabilities within weeks or months, whereas we take years or decades. How does that impact Canada's ability to use, as you urged in earlier testimony, the existing powers and offensive capabilities in cyber-defence?
10:35 a.m.
Professor, Royal Military College of Canada, As an Individual
This is what happens when you don't have a strategy, especially not a forward-looking strategy. In 2017, people like me argued that “Strong, Secure, Engaged” was already outdated the day it was released. I think this was a premonition that has proven to be true.
What we need is a bipartisan 15-year strategy to rebuild our national defence, security and, arguably, our intelligence capabilities. I think it would be helpful to stop playing politics and do as Australia and France did, where all parties get together, have a common strategy and stick with that strategy. Then, we wouldn't be constantly falling behind and trying to play catch-up on too many fronts.
10:35 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
How do our procurement bottlenecks impact our ability to be on top of this issue?
10:35 a.m.
Professor, Royal Military College of Canada, As an Individual
Procurement is a problem. The greater challenge is people. People are the most important asset the government has, especially in this domain. It takes a very long time to build these skill sets. They are in very high demand, and they regularly get raided by the private sector.
I think the committee would do well to think long and hard about what government can do to ensure it maintains capabilities and the people my colleagues at RMC and I, for instance, spend many years building up with very exceptional skill sets.
10:35 a.m.
Conservative
Pat Kelly Conservative Calgary Rocky Ridge, AB
Your characterization of Canada driving the equivalent of a 12-year-old car, in this area, is a matter of both personnel and procurement. It's across the board.
10:35 a.m.
Professor, Royal Military College of Canada, As an Individual
The capabilities we have are very good, but they are very limited, because of personnel challenges, structural network equipment and procurement challenges, as well as challenges in updating policy and regulation. As you can imagine, a national defence organization that is struggling with the shortfalls it has doesn't have the time to update policy and regulation.
We have a host of challenges across a broad spectrum that cannot be resolved in a matter of weeks or months, or even within a couple of years.
10:35 a.m.
Liberal
10:35 a.m.
Liberal
Bryan May Liberal Cambridge, ON
Thank you, Mr. Chair.
Thank you, Dr. Leuprecht. It's a pleasure to have you here today.
If we can go back in time, about a year ago, to the outset of Russia's invasion of Ukraine, there was a lot of conversation and concern that those who supported Ukraine, and Ukraine as well, would be targeted by Russia with an onslaught of cyber-attacks, yet we have seen that this hasn't really materialized in the volume that was predicted, either for Canada or for Ukraine.
How do you explain this apparent lack of large-scale cyberwarfare in the war between Russia and Ukraine?
10:35 a.m.
Professor, Royal Military College of Canada, As an Individual
I would say that if you look at open-source reporting by Microsoft, Russia has actually been more effective at deploying cyber-capabilities than it has been given credit for, and at integrating those capabilities with kinetic offensive measures on the battlefield. What Russia has learned in Ukraine is that you cannot achieve political objectives on the battlefield through cyberspace. You need to be able to act kinetically. That is where is Russia is concentrating its resources.
However, as you know from repeated warnings from the Communications Security Establishment, Canada is at considerable risk of hostile...not just state-based actors, but in the Russian case, particularly, state-tolerated actors. Ransomware has been mentioned. This has been a major source of revenue for militia state-tolerated actors primarily concentrated in Russia.
10:40 a.m.
Liberal
10:40 a.m.
Professor, Royal Military College of Canada, As an Individual
I would say Russia is not to be underestimated, because there isn't much of a private sector for the many highly technically skilled individuals in this domain that Russia produces. They are disproportionately drawn toward malicious state-tolerated actors, as well as intelligence, military agencies and the like. Some of them have left the country, but Russia has considerable capabilities that are not to be underestimated and that we would do well to continue to pay close attention to.
10:40 a.m.
Liberal
10:40 a.m.
Bloc
Christine Normandin Bloc Saint-Jean, QC
Mr. Leuprecht, you have piqued my curiosity. Let me ask you a brief question about the position of cybersecurity ambassador.
What would be the functions of this ambassador, and what would be the benefits of creating such a position?
10:40 a.m.
Professor, Royal Military College of Canada, As an Individual
We need to build links with the private sector and different stakeholders around the world, who may not be in a country per se. The field of cybersecurity is very widely distributed geographically, and establishing direct contacts requires effort.
The purpose of embassies and ambassadors is to provide the government with open information. I would say that the Canadian government currently does not have enough open information about the different stakeholders and private actors in this field.
A cybersecurity ambassador would allow us to build relationships with these important players who, in several cases, are more powerful than many of our mid-power partners.
10:40 a.m.
Liberal
10:40 a.m.
NDP
Lindsay Mathyssen NDP London—Fanshawe, ON
Thank you.
Mr. Leuprecht, you talked about the dangers of China, its relationship with TikTok and the release of information. I want you to comment on the Americans, who have the Foreign Intelligence Surveillance Act and section 702, which they're actually discussing right now in terms of being able to get information from Google, Microsoft, Apple and those companies, as we discussed before.
Can you talk about that, and whether it poses a danger in Canada? What should we be looking out for in that regard?
10:40 a.m.
Professor, Royal Military College of Canada, As an Individual
That is warranted activity that is being discussed, so it still requires an authorization through the rule of law. There are also safeguards in place with regard to how that information is subsequently used.
People will have different views on whether those authorizations and the laws in place are acceptable to them or not, and whether the oversight, review, accountability and governance mechanisms are sufficient. Certainly, though, that is an important distinction from the way any hostile authoritarian actor operates, where none of those safeguards are in place.
We need to remember that the Americans are at the top of the international security pyramid. They also have objectives that are different from ours in terms of the balance of power. As I often say, the Americans are our best friends, whether we like it or not.
10:40 a.m.
Conservative
James Bezan Conservative Selkirk—Interlake—Eastman, MB
I didn't think we were going to get a round out of this.
First of all, I want to thank Professor Leuprecht for joining us today. I know that his expertise in this field has helped a lot.
We did talk a lot about the regime in Beijing being a risk for our social media and for the broader spectrum of services we have in telecoms here in Canada, but can you also speak about how other nefarious transnational criminal organizations and/or other countries, such as the regime in the Kremlin, have attacked or can attack us here at home? How can we quickly be compromised, and how can we go about securing our own vulnerabilities so that it doesn't happen?
10:45 a.m.
Professor, Royal Military College of Canada, As an Individual
Mr. Bezan, that's a very good question.
I think the fundamental challenge we face is that we have focused on playing defence, and as long as you play defence, by definition, you will never be able to score. That is to say, you cannot win the game. At the very best, you can play to a draw. When you're dealing with determined, malicious, hostile actors such as China and Russia, chances are they will score on you.
This is an opportunity for the Government of Canada to be more robust and muscular in demonstrating to those adversaries that certain types of behaviour will not be tolerated in cyberspace and will draw repercussions, whether those repercussions are in cyberspace or kinetic.
10:45 a.m.
Conservative
James Bezan Conservative Selkirk—Interlake—Eastman, MB
Professor Leuprecht, what we're really talking about here is that we have to be able to shoot the archer rather than deflect the arrows. You talk about the Government of Canada, but often they're attacking civilian infrastructure, such as financial institutions and electricity grids, as we witnessed especially with what the Russians have done in Ukraine and in eastern Europe in their cyber-attacks.
Is it solely the responsibility of the Government of Canada to have the ability to attack, or do we also empower civilian organizations to be able to do it to protect their own infrastructure and Canadians at the same time?