Public Accounts Committee on April 23rd, 2013

Oh, oh!

Indeed. I'll say a few words, and then I'll turn to Madame Clairmont.

The first point is that essentially we have a 10-sector table—for instance, transportation, finance, energy, water production. There are 10 of them.

Second, we have a cross-sectoral table, where we essentially extract and meet together these various sector tables so that we have a common agenda.

The three basic functions that these tables, either the cross-sectoral one or the sector ones, deal with are critical infrastructure overall: multi-hazard-type risks that we may be facing. So it's cyber but it's not only cyber. To the point I was making earlier, cyber-threats now have taken more space and time, and we are focusing on that very point.

We deal with partnerships and relationships through those tables, with information sharing so that we bring people up to speed on various issues that they may be facing or that they are facing. We share that, and generally speaking we deal with risk management issues.

I'll turn to Madame Clairmont to add to this.

Actually, Bob was going to lead on this one.

Thank you.

There are actually some very specific actions we've been able to take in addition to the broad ones that Mr. Guimont was speaking to. We've established, on the risk management perspective, a number of guides and planning guides that are useful to a cross-range of critical infrastructure sectors.

We've also engaged in a United States action plan for critical infrastructure. We've engaged with the Americans on a regional resilience assessment program where we're actually doing cross-border assessments. For example, in New Brunswick this past year we completed six assessments. The first round was looking at the physical issues relating to it. This would be things like the cross-border sections or the border crossings at Woodstock and Edmundston, the port of Saint John, the Irving Oil plants, and the LNG plant, where we've actually undertaken those assessments and provided the advice back to the owners and operators of those systems on how they can improve the security of those.

We are now moving those out across Canada. We are doing another pilot in Ontario, and another one in Saskatchewan. We'll be adding into those a cyber component.

We've also established a number of information-sharing...both a framework to guide the sharing of information within critical infrastructure sectors, and information-sharing gateways to facilitate some of that sharing as well.

It's the third pillar. We've had a campaign website, and Canadians can ask questions and get some information. But as I said earlier on, while we provide this information, at the end of the day they have to assume some responsibility, and I think they are. People are more sensitive to cyber-realities than they were five years ago, let's say, or three years ago. Frankly, it's also because of the media stories that have existed out there.

I'll turn to Lynda, or to....

I can start it off.

In addition to our Get Cyber Safe website and Stop. Think. Connect., which I mentioned earlier, we're also working with the U.S. and other allies around the world to have a cyber-awareness month, which is in October. We're doing all kinds of activities with the private sector and with citizens to enhance cyber-security awareness.

One example is working with stores that sell a lot in terms of telecommunication—iPods and other stuff that kids would use. There is safety information inside, but we're having pamphlets that.... We would give them out so that parents would see them more, as opposed to children.

So there are number of things we're working through and coordinating, inside of Canada with the provinces and territories, but also externally with international partners.

It's an interesting question because certain threats in the environment we live in may be a bit more static in time.

Mr. Gordon was explaining to me, Madame Clairmont, and other specialists, that the cyber-world evolves very quickly. When you think about it, it's a world where you don't need much. You need minimal, technical apparatus, servers or computers, brain power, and time on your hands, if I can use that terminology.

It is an evolving threat in that sense. I think we are as active. We have a strategy, players are involved, and we have resources. I don't think one can put his or her guard down. The cyber-world evolves quickly and we have to keep up with that reality.

In terms of the budget what we lay out in the chapter is the fact that when many of these budgets were allocated cyber-security was considered to be part of a bigger security apparatus, early on. As has been discussed, the cyber-world is something that has evolved. Early on, it was just considered to be one of a number of threats.

Really, what we identified here was.... Because it was folded in with funding for other types of threats, it wasn't possible for us to separate how much money was just for cyber-security. Also, what we were looking for, in general, were overall plans, so that we could see what activities were supported to be conducted and then measure progress against it.

I will turn, if I may, Mr. Chair, to my colleague from CSEC.

Detail on the spending?

To answer that question certainly would reveal our level of capability in these areas, which we would consider classified information. It would not be prudent to disclose to those who seek to do us harm.

I will try to provide you an outline of the various activities, but the actual level of investment in those areas, particularly on our technological capabilities, is something we consider classified information for national security reasons.