Evidence of meeting #55 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Tadej Nared, Chairman of the Board, Slovenian Certified Ethical Hackers Foundation, As an Individual
John de Boer, Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Tim McSorley, National Coordinator, International Civil Liberties Monitoring Group

9:55 a.m.

Voices

No.

9:55 a.m.

Liberal

The Chair Liberal John McKay

It will be the Conservatives, the Liberals, the Bloc and the NDP, and then we'll call it regardless. The rounds are two minutes.

9:55 a.m.

Conservative

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Mr. Chair, before you start my clock, I want to give notice of the following motion.

That the committee undertake a study of no less than eight (8) meetings to review how the readiness of the Canadian Armed Forces is impacted by Canada’s procurement processes and the capabilities of our defence industry to ensure that the Canadian military’s needs are being met. And that the Department of National Defence, Canadian Armed Forces, Public Service and Procurement Canada, Office of the Auditor General, Parliamentary Budget Officer, Treasury Board, defence industry, military procurement experts and academics be invited to testify before committee on this matter; and that the committee report its findings and recommendations to the House.

We have that in both official languages, and we'll circulate it.

I will start my lightning round of questions.

First of all, I want to thank all the witnesses for being here.

The government has proposed Bill C-26 as a way to encourage industry to have a stronger cybersecurity defence. There have been a lot of concerns raised that the fines and penalties are overly prescriptive and brutal for individuals and companies, but yet these same types of fines and penalties aren't applied to the government itself.

I'd like to get feedback from Mr. de Boer in particular, as he represents a Canadian industry here. I do miss my BlackBerry phone from back in the day.

Who's responsible for protecting critical infrastructure, including in the private sector? Is it the Canadian Armed Forces, the Department of National Defence, CSE or the Government of Canada as a whole, or is it best that it come from the individual companies? You can also touch on the issue around available people, because the Business Council of Canada says that currently we have 25,000 unfilled positions in the cybersecurity world.

9:55 a.m.

Liberal

The Chair Liberal John McKay

You have a little less than a minute of time.

9:55 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

Who is responsible? It's unclear. That was part of my testimony. We need to clarify roles and responsibilities, and that clarity doesn't exist right now. We don't have a unity of effort.

When it comes to Bill C-26, it's an important start. We are late to the game when it comes to mandatory reporting on cyber-incidents in critical infrastructure, so we welcome that initiative. However, it's limited to four sectors.

The reality is that there's a lot of policy action happening right now. The critical infrastructure strategy is being renewed. It was drafted in 2009. Cyber isn't even mentioned. Then we have the national cyber security strategy and Bill C-26. All of these need to be united.

10 a.m.

Liberal

The Chair Liberal John McKay

We're going to have to leave it there. Thank you, Mr. Bezan.

Who's speaking for the Liberals?

Mr. Fisher, you have two minutes.

10 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you, Mr. Chair.

Thanks, folks, for being here. I appreciate your testimony today.

I've asked this question previously. I'm interested in your thoughts on this: How can Canada better partner with the private sector to raise the cybersecurity bar across the country?

Yesterday I read a story in the CBC about Halifax Water. There was a test of their cybersecurity. Emails were sent to 55 people, and 45 of them responded. They clicked the link and sent all of their information.

We talk about mandatory reporting. We talk about the importance of critical infrastructure. When we think about infrastructure like Halifax Water and public utilities across our country in terms of mandatory reporting and sharpening their cybersecurity pencils, I'm interested in your thoughts.

We'll start with you, Mr. de Boer, and then maybe move to Mr. McSorley in the short time we have.

10 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

Very quickly, if AI-driven cybersecurity tools had been used on the Colonial Pipeline, our 2015 model would have stopped it. Use advanced technology. It can help with the personnel issue and also protect critical infrastructure.

10 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Go ahead, Mr. McSorley.

10 a.m.

National Coordinator, International Civil Liberties Monitoring Group

Tim McSorley

Thank you.

I'll mention another bill here.

Currently the government is looking at the artificial intelligence and data act. I agree with Mr. de Boer that we need to be looking at innovative solutions, including AI, but we also need to make sure we have regulations in place. There are wide concerns in both the private sector and civil society. There are problems with what's contained in the AI and data act right now.

10 a.m.

Liberal

Darren Fisher Liberal Dartmouth—Cole Harbour, NS

Thank you.

10 a.m.

Liberal

The Chair Liberal John McKay

Thank you.

Ms. Normandin, you have two minutes.

10 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

My questions tie in with what Mr. Bezan raised.

Mr. de Boer, you said that roles needed clarifying. You also said that the U.S. and Australia had their own versions of a cybersecurity minister. I recall one witness, Christian Leuprecht, telling us that Denmark had a cybersecurity ambassador.

You talked about uniting all the efforts under one position. What might such a position look like in our context? Do you have any recommendations for us? What features should such a role have?

10 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

The primary role of such an individual—it could be a parliamentary secretary—would, first of all, be to signal to all Canadians that cybersecurity is important. Second, it would be one individual empowered with ensuring policy coherence and program coherence across Canada. Currently, that does not exist.

I mentioned the Australian case, but the U.K. also has a parliamentary secretary responsible for cybersecurity. We used to have a parliamentary secretary for digital. That is no longer the case.

The role would be to look across the Government of Canada to ensure coherence and unity of effort and to unify our approach to defending the country.

10 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Mr. McSorley, do you have anything to add?

March 31st, 2023 / 10 a.m.

National Coordinator, International Civil Liberties Monitoring Group

Tim McSorley

Yes.

I would just share that I think we need a centralized office to engage with cybersecurity. One of the questions we have around Bill C-26 is that it's not clear whether this would fall under existing national security review bodies. Having an agency tasked with not only ensuring cybersecurity is handled properly but also that it's reviewed and accountable, and that there's transparency around it, would be important as well.

10 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Normandin.

Ms. Mathyssen, you have the final two minutes.

10 a.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

In this committee, we've heard a lot about the overclassification of information, and that 90% of what Canadians classify doesn't need to be.

Mr. McSorley, how does that overclassification of intelligence create a barrier or problems for civil rights organizations in holding the community of those intelligence agencies truly accountable? What is your solution to that?

10 a.m.

National Coordinator, International Civil Liberties Monitoring Group

Tim McSorley

Thank you very much for the question.

It isn't just a concern among civil liberties and civil society groups but across many sectors in Canada that there needs to be a trust developed. There needs to be openness and transparency to the degree that we understand what Canadian agencies, including the CSE, are engaging in when they are engaging in protecting Canada's cybersecurity, engaging in active and defensive cyber-operations and engaging in signals intelligence.

The way to ensure this is happening is to have greater mandatory reporting around the activities that they're carrying out. For example, there's a lack of mandatory reporting in Bill C-26 right now, so it would be very difficult to track not only the ways that it's used but also whether there are any failings so we can improve the system. Oversight and review are simply not only about putting organizations on the defensive and calling them out but also seeing where we can learn from our errors and improve the operations.

Right now, there are the intelligence commissioner and NSIRA, and, as I mentioned, it's not clear that they have a role in reviewing Canada's cybersecurity operations, because they touch on national security but not necessarily in the way that those bodies always review it. Therefore, we think that either there needs to be a new position or there need to be amendments made to their mandate to clarify that they do have that mandate.

10:05 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Ms. Mathyssen.

Mr. Nared, I saw that you had your hand up there. It's disadvantageous to be virtual when everyone else is physically present, so let me give you a minute or two to comment.

10:05 a.m.

Chairman of the Board, Slovenian Certified Ethical Hackers Foundation, As an Individual

Tadej Nared

Thank you very much, Mr. Chair. I'll be very quick.

An idea on how to quickly improve cybersecurity is to make the whole IT industry accountable, and that means software and hardware vendors, because right now they have quite a unique status among all other industries.

For example, if you have a car and the brakes malfunction or something like that, they would be held accountable. However, in terms of the IT industry, such scenarios just don't come into account, ever—they do not, and they should. They should not just put products that are non-market-ready and that are insecure onto the market and endanger all of us from that.

Thank you very much.

10:05 a.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Nared.

I want to thank all the witnesses. It seems to me, sitting here, that we could have carried this conversation on for the rest of the day quite easily. Personally and on behalf of the committee, I want to thank you for your presence. This is an extraordinarily difficult subject to grasp, particularly for those of us who are not in it on a daily basis and don't necessarily understand the nuances.

With that, thank you.

We'll suspend, go in camera and continue with committee business.

Mr. McSorley, if you didn't get all of your recommendations in, please coordinate with the clerk.

Mr. Nared, I think the clerk will reach out to you at a further date.

Thank you again.

The meeting is suspended.

[Proceedings continue in camera]