National Defence Committee on March 31st, 2023

One of the reasons I have the access to information that I have today is the BC Civil Liberties Association lawsuit that resulted in disclosure. They then had to fight to publicly share the information they obtained, and only recently were they able to publish it publicly.

I guess what ties all of that together is that the information isn't coming from the CSE itself. It's coming from external bodies—from researchers, review committees and lawsuits—and it shouldn't have to be that way.

Yes, definitely.

One of the things we've seen in terms of both the intelligence commissioner and NSIRA is that they're not receiving the information they require in order to do their review work and, in the case of the intelligence commissioner, their oversight work. We think there need to be amendments made to the CSE Act that make authorizations for their various activities contingent on providing adequate and appropriate information to the intelligence commissioner, as well as examining the idea of providing the intelligence commissioner with a power to make binding amendments to the authorizations that the CSE is seeking—

Thank you very much for that question.

First, it's clear, as you said, that there is need for collaboration among national security agencies. Some of that does require the sharing of information.

However, as you pointed out, what we have seen is that there are deep concerns about how some of that information is shared and the impact it can have.

For example, again the BC Civil Liberties Association found in their research that CSE was sharing intelligence with the CRA in order to bolster their efforts to counter terrorist financing. However, what we have found in our research is that the CRA, through its efforts to counter terrorist financing, has taken a prejudiced approach to Muslim charities in Canada. It has been operating from an idea that because there are terrorist threats from Muslim-linked organizations, the Muslim community must be placed under greater suspicion. That results in greater surveillance, greater information gathering and sharing and greater repercussions as compared to other communities in Canada.

How this ties back to the study at hand is that the intelligence that is shared isn't known publicly to the organization that it's being used against, so they don't have the opportunity to challenge it. We see that also reflected in, for example, Bill C-26, where there's, we believe, an undue amount of secrecy and the ability to use information and to hide information from critical infrastructure companies that are providing telecommunication services to Canadians if they were, for example, to attempt to appeal or challenge an order made by the minister.

Thank you for your question.

Yes, I still share that view, because I think it's been a year since that document. I believe I wrote that the basic problem is that the threat environment was specified solely to where the Canadian Armed Forces are stationed at home in Canada and abroad. That is a failure in understanding the cybersecurity environment in general. There is no defence perimeter anymore. Not just Canadian Armed Forces and their members but also their family members are targets for a moderate attacker, a black hat hacker or especially some sort of group such as the Russian group Sandworm. They will attack not specifically hard and secure targets but rather so-called low-hanging fruit first. That means even attacking family members, for example, compromising their home networks and expanding from that point onwards. We had a similar case in Slovenia, in which our emergency response was taken down in the very same manner. It was a failure in strategic thinking.

I'm not familiar with whether that agenda has changed in the past year. If it hasn't, it should be updated and improved.

I hope that answers your question.

Thank you for the question.

To give you an example, as the Ukrainian experience has shown, a war cannot be won without the support of the native population. I think that is a term that quite sticks. It is the same in the cybersecurity sphere. Especially the western countries, the Americas, kind of rely on their ocean for defence, and on overspending for defence also, but that is not a concept that you can rely on in terms of cyberwarfare. Relying on crowdsource intelligence, utilizing everyone who can help and organizing initiatives is the way to go, in my opinion. A closed loop won't solve any problems.

If I may, I would like to take a minute to explain the cyber-damages I was talking about before, because it kind of relates to the subject.

For example, the F-35 program, which cost $1.7 trillion to develop in terms of R and D, got hacked by the Chinese, and all the plans were stolen. That's just one hack. If we combine everything together, we get a clearer picture of where the damages are coming from. That relates to the army, to the air force and to basically every part of modern society.

Thank you for that question.

Trust that the information that any company will give over to the government will be treated in a confidential way is really important there. Liability protections and all these things need to be taken into consideration. Currently, that trust has yet to be built fully.

One way to get there is through, for instance, what the U.K. or the U.S. is doing, which is to build a joint collaborative environment or a joint cyber-defence collaborative. Before an incident happens, channels of communication for information exchange and threat information exchange are shared on a voluntary basis, oftentimes, where the private sector gets a better understanding of how the information they give is actually used and flows. It becomes a true partnership between the private and public sector. Right now I think the situation is that there is some hesitancy for regulators, etc., to engage, but I think we all recognize that a closer public-private partnership is essential.

A huge driver of security, particularly in the automotive sector, has been an emphasis on safety, right? When consumers start demanding safety or security, it changes. I spoke earlier about a software bill of materials or an ingredients list. When we buy things at the grocery store, we know exactly.... There is an ingredients list there. It's listed, right?

There could be and there is discussion in multiple jurisdictions about, for instance, a cyber safety rating for IoT devices, whether that be for your fridge or elsewhere. That could be considered. More awareness about whether one product is safer than the other for public consumption could be something that's considered. I think these are important steps, not just to raise awareness, but to also entice producers to build in security up front, because that's not happening.

Agreed.