Evidence of meeting #86 for National Defence in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was going.
A video is available from Parliament.
4:30 p.m.
Bill Matthews Deputy Minister, Department of National Defence
Thank you, Mr. Chair.
I have a couple of points on DRMIS. It is a key system. As we upgrade to DefenceX, it will broaden our capability to digitize and will actually be quite key to the transformation that we're looking to do across the system in a number of areas. We are looking to rationalize and reduce spending on contracting as part of the reductions. DRMIS's replacement is a critical project for us in terms of moving forward.
4:30 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Is it going to still be delivered within the billion-dollar cut?
4:30 p.m.
Conservative
4:30 p.m.
Deputy Minister, Department of National Defence
I can't give a yes or no, Mr. Chair, because the work to identify the final spending reductions has not yet been completed, so I can't be unequivocal. However, DefenceX is critical for our transformation.
4:30 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Okay.
For our CSE representative, welcome.
Is there a direct line of communication established when a cyber-attack occurs, whereby the CSE and the Canadian Centre for Cyber Security alert the relevant government departments targeted?
4:30 p.m.
Caroline Xavier Chief, Communications Security Establishment, Communications Security Establishment
Thank you for the question, Mr. Chair.
Yes, CSE works hand in glove with many partners across the nation, as well as internationally. Therefore, when a cyber-incident becomes known to the cyber centre, for example, we make all efforts to contact any victim that may be impacted. Whether it's a private stakeholder, critical infrastructure or a province, we are able to have that direct communication with that organization.
4:30 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Just this September, a denial-of-service attack from an Indian hacker group briefly brought down the CAF's main website and the House of Commons website for a few hours. This is with a relatively minor cyber-attack, with nothing stolen, yet it speaks volumes on how poorly our cyber system is operating.
What has CSE and the cyber centre done since then to reinforce our cybersecurity?
4:30 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
Every department is managed by Shared Services Canada, so we work hand in glove with Shared Services Canada as well as with the department CIO and Treasury Board to ensure that the necessary measures are in place to protect from denials of service.
That said, a denial of service, as you mentioned, does not automatically mean that data is stolen. However, we do continue to work with everyone to ensure that the necessary measures are in place to add robustness and rigour to the protection.
4:30 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
Just this October, a more serious ransomware attack targeted BGRS and its server, which are responsible for moving our troops. They stole personal data dating back to 1999. A cybercriminal group known as LockBit was identified. LockBit 3.0 ransomware is up at an increasing severity across the world. How is CSE's cyber centre responding to this threat that LockBit poses?
4:30 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
We are not able to comment directly on any of the incidents we manage, but what I can tell you with regard to BGRS is that we were informed by the company on September 29 of the cyber-incident, and we have offered our assistance to help them in any manner we can.
Since we were advised of the cyber-incident, we, along with Treasury Board and many other government departments, have been working collectively to ensure that we offer the necessary support to the server of BGRS. However, it is now deemed a privacy breach, and that is being led by the Treasury Board Secretariat.
4:35 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
BGRS moves our military, so it stands to reason that the military would have been notified. However, when my office started getting complaints from the people who were supposed to move from point A to point B to serve in the military at a specific point in time, the minister's office didn't know. Why was that direct link not made between the attack and notifying the minister's office?
4:35 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
I don't know if national defence officials would like to take that question. That said, we were advised by BGRS on September 29. If the company knew before that, they didn't advise us before September 29.
4:35 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
That's not what I'm asking. I'm asking when CSE advised the ministry of national defence. Also, is there a required time frame between the time when you know and when you're supposed to let the related or affected ministry know?
4:35 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
The minute we know of a cyber-incident that could be impacting a department, we advise them immediately.
4:35 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
The problem is, then, working up the department hierarchy chain to let the minister know.
4:35 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
If the cyber centre is made aware.... For example, in the case of the BGRS, the minute we would have known, we would have advised. What I'm trying to say to you is that we became aware of the incident by BGRS on September 29. The minute we all knew, we took the necessary action to ensure that everybody was made aware.
4:35 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
There are different attacks on our infrastructure all the time. At NORAD, they have the major points of critical infrastructure on their map and they can see what's happening.
Is there a similar sort of real-time, situal awareness available to the related departments, so that when we have hospital after hospital attacked, somebody is putting this together and suggesting that maybe we should find out if the problem is with the cloud they're all using? Where does the follow-up begin, or is it just a reporting system and nothing's really investigated, sorted out and enforced?
4:35 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
Just to be clear, with regard to the cyber centre and the Communications Security Establishment, in our role we are an incident responder, but we do provide technical support and technical information protection to Government of Canada systems. That means the Government of Canada systems that we manage directly. We are not the ones who protect, for example, the provincial hospitals.
4:35 p.m.
Conservative
Cheryl Gallant Conservative Renfrew—Nipissing—Pembroke, ON
But they report to you when they have a breach.
4:35 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
They may report to us.
4:35 p.m.
Conservative
4:35 p.m.
Chief, Communications Security Establishment, Communications Security Establishment
It's not required. It's not automatic. However, because of all the great relationships we have with critical infrastructure sectors, many of them do work hand in glove with us and report to us all the various incidents that may happen.
4:35 p.m.
Liberal
The Chair Liberal John McKay
I'm sure we'd like to carry on with this conversation, but we're not going to.
With that, Madam Lambropoulos has the floor for six minutes.
4:35 p.m.
Liberal
Emmanuella Lambropoulos Liberal Saint-Laurent, QC
Thank you, Chair.
Thank you to our witnesses for being here with us today.
I'm going to stick to the issue of culture and the much-needed culture change at the Canadian Armed Forces.
StatsCan released its report, based on a 2022 survey, and found that 3.5% of CAF personnel were sexually assaulted by another military member, either in the workplace or outside the workplace. This was a significant increase from 2018, when only 1.6% reported being sexually assaulted. The majority of victims said they did not report the assaults to authorities because they felt it wouldn't make a difference.
We have heard from you on several occasions, and it's been told to us that it has been addressed. I'd like to know what exactly it means to say that it's been addressed when the victims themselves feel that it won't make a difference. Has it not been told to CAF members as a whole that it's not acceptable and that there will be consequences if someone is found guilty of doing something like this?