Evidence of meeting #53 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Christyn Cianfarani  President and Chief Executive Officer, Canadian Association of Defence and Security Industries
Tim Callan  Chief Experience Officer, Sectigo
Christian Leuprecht  Professor, Royal Military College of Canada, As an Individual

9:40 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you, Mr. Chair.

Thank you to our witnesses for being here today.

We've been looking at the cybersecurity risk to critical infrastructure in the context of cyberwarfare and threats to Canada's defence and security. Manufacturing is one of the 10 critical infrastructure sectors identified by Public Safety.

Mr. Callan, how does defence manufacturing represent a target for foreign state-backed cyber-intrusions?

9:45 a.m.

Chief Experience Officer, Sectigo

Tim Callan

It absolutely does. Defence manufacturing is critical to the defence infrastructure, and if you can poison those processes, you can hurt it. Furthermore, you can steal secrets. Stealing secrets is a big one. There's a lot to be gained there, and it will be gained for a long time. It has to do with plans for the future and existing provisioning capacity, and all of those things are very valuable as targets for what we call an “advanced persistent threat”—a state-sponsored actor, somebody who might want to hurt Canada. We can imagine who that would be.

To the degree to which the government is a target, it is, but also, the organizations, the private contractors that provide to the government, can be targets as well, and that's another way the state-sponsored actors can get the information they're trying to get.

9:45 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Can you give me some examples of how industry is working or planning to work towards mitigating this risk?

9:45 a.m.

Chief Experience Officer, Sectigo

Tim Callan

There is a vast raft of strategies and technologies that are needed. One of the things to understand is that you really have to build a security fortress, and any way in is a way in, so you have to look for complete comprehensive coverage, while the attacker just needs to find one gap or one hole or one vulnerability. As we mentioned, this could be things like social engineering attacks. This could be things like inadequate encryption. This could be things like firewalls and email protections that are not quite in place.

It's very complex. There are professionals who dedicate their entire lives to understanding and staying current on these activities. There are entire departments that focus on this, and there need to be.

9:45 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Ms. Cianfarani, welcome back.

You said that cybersecurity is “a team sport”. I'm a big supporter of partnerships. I'm a big supporter of working together. You touched on this a bit, but maybe you can wrap it up with a bow: What opportunities exist for Canadian cybersecurity firms, traditional defence industry partners and government to work together to better protect manufacturing and our supply chains?

9:45 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

As we talked about, 85% of the critical infrastructure in this country is actually owned and operated by the private sector, so we have a very important role in securing our own infrastructure to keep everyone safe.

Second, we have talent and expertise within our organizations and are continuously developing and innovating so that we can bring that competency to the agencies in order to keep them on the bleeding edge of what is available to protect Canada and Canadian society as well. It's that collaborative exchange where we can all be better as a nation if we're willing to open up a bit to each other.

9:45 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

You crammed a lot into your five-minute opening comments. You talked about the cybersecurity standard, the global standard or the need for a global standard—

9:45 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

Yes, that's CMMC.

9:45 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

That's right.

Madame Normandin touched on this a bit, I think. Is Canada looking at joining a global standard or following the American standard? Is that what you're suggesting we do?

9:45 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

They're studying the American standard, which is going through the process of becoming a standard. It will be imposed on us. It will be imposed on anyone who wants a piece of a DoD contract in the near future or in the future. We're looking at it from a.... We're in that supply chain, so we're going to have to use it anyway. We're going to have to make sure the industry is in line with it and has adopted it.

Second, do we want to adopt it in Canada so that National Defence, for example, would make reference to that standard for its own procurement of products and services? Does it need to be a “standard by reference”, meaning exactly what the Americans have, or is there something particular that we have to add for Canada?

9:45 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you.

9:45 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Fisher.

Before I suspend, I just want to get some clarification on your comment about declassification. I have been privileged enough to be briefed on secret stuff, and from time to time I wondered whether I had already read about it in The Globe and Mail somewhere. It does strike me that we have an excessively cautious view of what constitutes classified information. I don't know how much thinking you've done about this, but I'd be interested in 30 seconds' worth of your thoughts on this matter.

9:50 a.m.

President and Chief Executive Officer, Canadian Association of Defence and Security Industries

Christyn Cianfarani

I haven't delved deep into the subject, but I would concur with your assessment. I think classifying things initially was a way in which people with that information kept value. When they transfer that value, they have to ask “What am I bringing to the table?”

In this country, we also fear what people will do with that information and whether it will come back to harm us. I think Canadians by nature, along with our government institutions, are a bit more risk-averse than our allies are. Perhaps that comes from the fact that we don't often feel as though we are in risky situations where we need to take risk.

I think it's kind of a self-perpetuating model, and it's not getting us as far as we need to get. I think it requires reflection. Do we need to classify all the things we classify? Can more people have access to information, and can more information be declassified so as Canadians we become smarter, better and more nuanced about what's going on? It's not about making us afraid; it's about making us more educated.

9:50 a.m.

Liberal

The Chair Liberal John McKay

Well put. We have been in a very different threat environment, even in the last 12 months. I'll be interested in your thoughts in the future.

Ms. Cianfarani and Mr. Callan, I appreciate your willingness to come before the committee. Both of you have shared your thoughts with the committee, and those will inform our studies.

With that, we will suspend and set up for the next panel as soon as Professor Leuprecht is available.

10 a.m.

Liberal

The Chair Liberal John McKay

Okay, colleagues, we've solved whatever technical issues needed to be solved. Professor Leuprecht is online.

He would usually have a five-minute opening statement, but since he is the talented individual he is and given the time constraints we have, I'll ask him to be as compact in his five-minute statement as he possibly can be.

10 a.m.

Dr. Christian Leuprecht Professor, Royal Military College of Canada, As an Individual

Thank you, Mr. Chair.

I will make my statement in English. However, I will be happy to answer your questions in English or French.

The statement was distributed to you beforehand, so I will skip some parts of it.

Harvard University’s Belfer Center's cyber-power index ranks Canada in eighth place as a comprehensive global cyber-power. The CPI characterizes Canada as a high-intent, low-capacity cyber-power with notable strengths in cyber-defence, cyber-norms development initiatives and surveillance. By contrast, Canada’s intent and capability to conduct cyber-enhanced foreign intelligence and offensive cyber-operations place it in the middle of the CPI pack, lagging behind Russia and China and its Five Eyes partners—in particular, the U.S. and the U.K.—as well as the Netherlands and Israel. On the one hand, CPI’s evaluation of Canada reflects two decades of Canadian cybersecurity initiatives. On the other hand, the ranking shows that Canada has a strategic cyber-deficit.

For 20 years, cyber-diplomacy has largely failed to generate broad agreement on international norms to constrain malicious behaviour by state-based and state-tolerated actors in cyberspace. To deter and constrain bad behaviour, western states need to engage using active and offensive cyber-measures. This is what the U.S. doctrine of persistent engagement has been enabling since 2018. However, no U.S. ally comes close to matching U.S. resources and capabilities.

The 2019 passage of Bill C-59 expanded the role and impact Canada could have in cyberspace by authorizing CSE to conduct offensive cyber-operations. The addition of these capabilities to CSE’s mandate was hailed as a major step. In theory, the combination of foreign intelligence, active cyber-operations and defensive cyber-operation mandates enables the full spectrum of cyber-espionage, sabotage and subversion operations. Canada now has the capacity but lacks the political will to demonstrate independent international leadership to reduce instability and uncertainty in cyberspace.

I propose a cyber-doctrine of functional engagement to bolster tacitly accepted cyber-norms. Regularly employing cyber-capabilities is the most effective way for Canada to reduce uncertainty in cyberspace and limit threats to its national interests.

Due to Canada’s resource constraints and limited foreign policy ambitions, functional engagement prescribes that Canada employ the full range of its cyber-capabilities to establish and reinforce a limited set of clearly defined and communicated focal points to deter and constrain unacceptable behaviour.

Instead of continuously and globally employing cyber-capabilities to change the overall balance of power in the international system, functional engagement calls for Canada to employ its cyber-capabilities more narrowly, in specific instances when a malicious cyber-actor conducts activity that is antithetical to Canada’s focal points, such as by directly degrading Canadian sovereignty and the security of its people; degrading or subverting international law and the integrity of international, electoral or democratic institutions; and undermining Canada’s economic security, competitiveness and prosperity.

The proposed cyber-doctrine of functional engagement seeks to shape adversarial behaviour cumulatively by strengthening tacitly accepted cyber-norms within the limited resources and unique character of Canada’s historical leadership on foreign policy niches as a traditional middle power.

Thank you for your attention.

10:05 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Professor Leuprecht.

For six minutes, go ahead, Mrs. Gallant.

10:05 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Thank you, Mr. Chair.

CSIS has identified so-called smart cities as emerging threats, especially for the PRC diaspora. How could these ventures put our national defence at risk?

10:05 a.m.

Professor, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

The premise of smart cities is their interconnectedness and the ability to track both the content and the connections of people within that city.

This is similar to the problem that, for instance, TikTok poses on a micro level: that an adversarial actor can learn a lot about people, even if it cannot read their content. It's understanding the edges that connect different notes—that is to say, how often you, Mrs. Gallant, are communicating with someone else in your network. In addition, the ability to extract that data would allow an actor who can decrypt it, through quantum or more primitive measures, to then build a very comprehensive picture of your behaviour, Mrs. Gallant, and then potentially deploy misinformation and disinformation campaigns that are deliberately and intentionally targeted to your specific behaviour. That's in order, for instance, to influence your current behaviour, as well as to collect that data over many years to then influence your behaviour in the future.

That is the concern with TikTok. It's the ability to both influence the generation now and keep data on those individuals so that adversarial actors can attempt to influence their behaviour once they become voting populations.

10:05 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

A Defence Construction Canada contractor recently suffered a ransom attack. How, if at all, could this impact our national defence? Are there measures that we should be taking to better protect our defence and security organizations?

10:05 a.m.

Professor, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

Well, Mrs. Gallant, I don't know what car you drive. I drive a minivan. It's about a dozen years old. Think about much of what's happening in terms of our networks within the Government of Canada as driving an old car. We're driving on old infrastructure where the government has not sufficiently invested in the actual infrastructure itself.

This is the cybersecurity part of the challenge we face. The other is the cyber-domain part, which is the risky behaviour that is created by individuals who click on links—as was likely the case in this Defence Construction Canada contract—and then inadvertently end up spilling information or making networks vulnerable.

In the previous session, you had a conversation about classification. One of the things we do in Canada is constantly and vastly overclassify material: 90% of the material we classify we probably don't need to classify. The 10% of material that remains we absolutely need to protect at all costs. What we're currently doing is classifying way too broadly instead of targeting our protection, our resources, to make sure that those elements that must never reach the outside are actually protected. Recent discussions over leaks show that, indeed, we have a lot of work to do.

10:10 a.m.

Conservative

Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON

Earlier today, we heard how some encrypted technology messaging and plans could have been stolen without our knowledge already. At some point in the future, when quantum computing is available, they could be decrypted. Secret plans and technology could be revealed, especially as they apply to our missile technology, etc.

What should we be doing now, and what kinds of measures should we be taking in the meantime to protect the sensitive data? What can we do now so that when these quantum realities actually take place, the vulnerabilities aren't as exposed and we're better protected overall?

10:10 a.m.

Professor, Royal Military College of Canada, As an Individual

Dr. Christian Leuprecht

That is a very good question, Mrs. Gallant, because you can imagine that a hostile [Technical difficulty—Editor] social credit system for its 1.4 billion people would have the capabilities of building out that system for the rest of the global population. If I were a betting man, I would be saying that this particular country has already built out a fairly sophisticated profile on you, as well as your digital communications and your own data.

I think it is very critical that, precisely as you say, we think very carefully, for instance, about what sort of data we might inadvertently be sharing. Just very recently, Australia decided to pull tens of thousands of Chinese-made products out of government buildings and government networks out of concern about the sorts of surveillance capabilities they might pose.

Certainly quantum will be a significant leap. My best understanding, although this is not my area of expertise, is that it will be a bit like Big Blue. We are not going to go from one day to the next with this capability. There will be somewhat of an off-ramp, but certainly this is a future for which we need to prepare, because the encryption measures and mechanisms that we have in place today would not protect us in that future.

10:10 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mrs. Gallant.

Before I call on Ms. Lambropoulos, Professor Leuprecht, could you please move your mike? Thank you.

Go ahead, Ms. Lambropoulos.

March 10th, 2023 / 10:10 a.m.

Liberal

Emmanuella Lambropoulos Liberal Saint-Laurent, QC

Thanks, Chair.

I'd like to thank you, Professor, for being with us today to answer some of our questions.

First, what does the international cyber-governance regime currently look like in terms of international laws and norms governing state behaviour? You mentioned in your opening remarks that no other country comes anywhere near the U.S. in terms of ability when it comes to offensive cyber-measures, and you also said that Canada does have the capacity because of Bill C-59, but that we don't necessarily have the political will.

I'm wondering if you can tell us, from your perspective, what Canada can do, along with its allies, in order to strengthen this rules-based international order in the cyber-domain.