Public Safety Committee on Oct. 5th, 2006

Mr. Chair, we'll follow up as to what exactly was sent, if that's acceptable.

You're right, that's a tougher question.

With respect to the definition of critical infrastructure, you're absolutely right, it's not in the legislation. In terms of whether we are referring to a specific definition, we intentionally did not describe it because how each province and how each sector looks at what is critical is different from province to province. For our purposes, to respect jurisdictional responsibilities, it's important that the provinces themselves decide what is critical within their own jurisdiction. As to the federal government, from our perspective we will be identifying critical infrastructure within the federal government as well.

Perhaps I can make an initial comment. It includes some of the coordination work that we talked about in terms of working with and bringing jurisdictions together while at the same time totally respecting provincial jurisdiction and their responsibilities and integrating what needs to be done. So it's a coordinating role at the federal level, clearly, and it's a facilitating role in terms of bringing jurisdictions together. At the most basic level, that's the way I would characterize it.

Ms. Wong may have further comments based on the proposed legislation.

Paragraph (h) is very specific to non-financial assistance because there are other provisions in the legislation specifically for financial assistance that triggers the DFAA. So in terms of this section, it's very much to coordinate non-financial assistance, in term of federal resources, federal expertise, as well as to make sure that our DFAA, or our non-financial assistance program, doesn't overlap with other government programs. It's to distinguish between our minister's role and other ministers' roles.

Could it be something as simple, Ms. Wong, as, if there were three or four federal departments providing assistance in a given instance, coordinating the work of the federal departments and agencies in that regard?

Just to restate what I was saying, we do need to obtain information. There's no obligation for the private sector to provide the information. That being said, we are developing relationships and looking to develop relationships to get the information we need in order to carry out the emergency management functions appropriately.

With respect to the Access to Information Act, the proposed amendment would make a mandatory exemption from disclosure for this kind of information. That is the purpose: to provide that safeguard, that security in terms of private sector information.

Right now the Access to Information Act does not specifically reference information that you just spoke about in terms of vulnerabilities to an electrical grid or a nuclear facility specifically, so it doesn't actually say that information shared with the Government of Canada on specific vulnerabilities on a networking system will be explicitly protected. Having this provision does provide each minister with clarity in terms of what protection could be afforded to the private sector when this information is shared with us.

Maybe I'll respond from the cyber point of view. It's probably the best example, because within the Government Operations Centre is also the Canadian Cyber Incident Response Centre. It's a CCIRC, similar to those in four or five other countries.

We are now, particularly over the last few months, seeing a very large growth in information that companies are sharing with us. They talk about their vulnerabilities, though not with Microsoft. As a result of Microsoft, there are other vulnerabilities out there. They are sharing a lot of information with us, so for one thing, if you look on our website under the CCIRC page, Canadian Shield, or CShield, we list the ten biggest threats and how you describe them. That comes from the information we get from the private sector. It also talks about ten or so origin countries. I think China is number one. That just means that the original attack comes from that country, and it could be connected to many other countries in behind that.

Certainly from the cyber point of view, and with the telephone companies, we're seeing a lot of information. We have to be very careful, though, to receive it in a way that's generic so that we don't compromise until we can get this kind of protection in. We're able to provide some kinds of services and give them a general overview of the threats, and tell them what they need to take a look at and what may be coming down their way from other countries. That has started very well, and it's been successful.

Do you want to answer on the CIP?

Yes.

In terms of this legislation and the amendment to the Access to Information Act, the amendment is not just for the Minister of Public Safety. It extends to all ministers, so information shared with the Minister of Natural Resources in terms of what you just raised--pipelines or oil patches--would be protected as well. Protecting their information would I think create a trusting environment in which they would feel more confident in sharing that information.