Public Safety Committee on March 22nd, 2018

Mr. Chair, as the chief of CSE, I can answer that the way the legislation is laid out, we report to the Minister of National Defence. He is the responsible minister for the Communications Security Establishment.

For Bill C-59 and the CSE act in particular, CSE is responsible to the Minister of National Defence.

I want to ensure I'm understanding the question correctly, Mr. Chair. I'm taking that this is with respect to our cyber-defence mandate, under which we have a responsibility to protect Government of Canada systems and to provide advice and guidance for systems of importance to the Government of Canada. As I noted in my earlier remarks, this legislation would allow CSE, upon the request of the owner of a network outside of the Government of Canada and for a system that the minister has designated to be of importance, to work with that system owner to help protect their systems from cyber-attacks. We're not focusing on Canadian information—it's not part of our mandate—but we could be asked to help protect a system of importance from a cyber-attack, which could include something outside of the Government of Canada.

Sorry, I'm not sure I understand the question.

Dom, do you want to pick that up based on your earlier conversation?

In that particular example, CSIS would be interested in you as a Canadian. They have a legal mandate to do that. They could leverage us under our assistance mandate. We always talk about part (a) as foreign signals intelligence, part (b) as cybersecurity, and part (c) as our assistance mandate. Today, as with this new legislation, if CSIS is interested in you, they have to have a legal mandate to go after you, meaning they have to get a warrant. If they show us that they have a warrant, at that point in time they wouldn't have access to our systems. They would ask us to act on their behalf. We would then use our capabilities to help them collect information. Any information that we collect is segregated and is given back to them and is their information. Effectively, we're acting on behalf of CSIS.

Yes.

Sure, and I will ask Scott Jones, our deputy chief of IT security, to come in.

Perhaps to answer the question, Mr. Chair, I'll go to three different pieces of the proposed legislation.

First of all, to prevent cyber-attacks, we need to have not only good capabilities and tremendous Canadian men and women working on this but also good intelligence to try to understand what those threats are before they even come to Canada. In the legislation, there is a strengthening of our ability to ensure that we can continue to collect foreign signals intelligence, including that relating to cyber-threats. That's a piece of it.

The second piece I would draw attention to is that the cybersecurity aspect of the legislation talks about us being better able to share threat information with the private sector, and it also talks about us being able to—again, at their request—help defend their systems. That's another way this legislation would strengthen our ability to help do cyber-defence for Canadians.

The third piece I would focus on is the defence of cyber-capabilities. If there was a cyber-attack, instead of us sort of standing back with a shield with which we would try to protect against these billion malicious attempts per day and waiting for them to happen, if we could go and say, “Let's try to stop that cyber-attack from even happening”—there could be a server outside which we know is now trying to infiltrate a Canadian system and steal Canadians' information—we could, through this legislation, which would be a new piece for us, try to stop that attack before it got to our shores and into our systems.

With that overview, maybe I'll ask Scott Jones, our IT security—

Of course.

Scott.

Really, when we're talking about a billion malicious actions, we're talking about the gamut, all the way from people poking at our systems, looking to see where they're vulnerable, up to people trying to compromise or install malicious software called malware, or basically exploit any vulnerability that exists. It's a wide range of activities, but what we're trying to do is counter the full range, no matter where it originates. We want to counter any malicious activity that's coming at the Government of Canada, and the number is astonishing. I think that's really where we are going into a few different areas. Number one is making it better. How do we work to make the systems that we have more defendable? That's working with the commercial sector, and that's being able to share more information, being able to share some of our tools and techniques, and pushing it forward.

We've shared some of our tools publicly. We have a system called Assemblyline which we have made open-source and publicly available to anybody who could leverage that. That's how we, for example, defend the government and look at millions of malicious files a day.

The second piece is providing that level of defence that fills the gap between the best available commercial and the state-of-the-art threat activity that we're facing today. Bill C-59 would allow us to then use that on critical systems of importance, as designated by the minister, but also with the informed consent of the system's owners. Informed consent is something that's particularly important in this case.

The third piece is general information sharing, whether that is providing advice and guidance or being able to share what we're seeing, what's going on, and very much clarifying our authorities to share information.

That's where we kind of layer all these things together and start to deal with those billion events.