Evidence of meeting #101 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cse.
A recording is available from Parliament.
Noon
NDP
Noon
Voices
Oh, oh!
Noon
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Really quickly, I have just one question. I want to get back to the details I asked about on the Cambridge Analytica situation with Facebook.
There's clearly not a situation here of the information having been obtained illegally. It's nebulous, and perhaps dubious and immoral, but it's not quite clear that it's illegal. Information like this that is being obtained and being used by political parties in a variety of countries around the world arguably could fall under the definition of publicly available information. How do you see that, Minister, and how does CSE see that?
Noon
Liberal
Harjit S. Sajjan Liberal Vancouver South, BC
For CSE, the credibility of the great work they do and the credibility of any government to be able to function in a rules-based order is based on working within the law. That's exactly how CSE has been functioning.
More importantly, we're actually putting even more robust measures in place to make sure that CSE's activities and the activities of all our security agencies are done and that we have a mechanism in place for everything from the intelligence commissioner authorizing ministerial authorization to the national security and intelligence review agency and now actually having parliamentarians from all parties.
My answer to you is that CSE will always function within the law.
Noon
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
I appreciate that, Minister. If we're talking about operating legally, and this information is obtained legally—although arguably the laws should be changed in that context—doesn't that mean that CSE could obtain that information under publicly available information?
Noon
Liberal
Harjit S. Sajjan Liberal Vancouver South, BC
As I stated, not only from a legal perspective, CSE's activities are designed to make sure that we are protecting Canadians and Canadian interests, and we will continue to do so.
Noon
NDP
Noon
Liberal
The Chair Liberal John McKay
Thank you, Mr. Dubé.
Minister, on behalf of the committee, I thank you for your appearance here. With that, we will suspend to let you leave.
Everybody else, please stay, and we'll continue, because the time is precious.
Again, thank you.
12:04 p.m.
Liberal
The Chair Liberal John McKay
I will ask members to return to their seats.
I'm going to work on the assumption, Ms. Bossenmaier, that there are no further statements to be made and we can simply proceed to questions.
12:04 p.m.
Chief, Communications Security Establishment
That's correct, Mr. Chair.
12:04 p.m.
Liberal
12:04 p.m.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Thank you very much, Chair.
The first question builds from the conversation I just had with the minister, on the place of cybersecurity conversations with our allies. Certainly this is happening on a minister-to-minister level, but in terms of officials collaborating and having conversations, certainly that's taking place, I imagine. Where are we in terms of a priority on that? There are so many threats to national security.
12:05 p.m.
Chief, Communications Security Establishment
Absolutely cybersecurity is more and more a topic of conversation with our allies, with our partners. I don't think a meeting with our colleagues and with our allies goes by when we're not talking about cybersecurity now. Again, IT security has been part of our mission for 70 years, with the new demands and the frequency and the new kinds of challenges. For sure the nature of the discussion and the importance of this issue across the various issues that we deal with within CSE has risen.
To your point, there's definitely a high level of priority and a lot of conversation and a lot of sharing of best practices as well. I think one of the things we all appreciate is that in this domain no one has all the answers. The more we can share best practices, look at lessons learned, and bring various capabilities to the table the more those really enrich the conversation.
Where cybersecurity fits within other types of threats, I think, is a question this committee and other committees have asked, and I know some of my colleagues in other organizations have also answered that. We focus on the intelligence priorities the government sets. Cyber for sure is one of those key issues we deal with, but it's part of a broader landscape of intelligence priorities we work against, based on what the government sees as the priorities of the day.
12:05 p.m.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Could you point to a best practice? Obviously, these are sensitive security measures, but have you gained something from the conversations that you could point to to say that it is the result of collaboration with our allies and that this is why having conversations on these matters is really important?
12:05 p.m.
Chief, Communications Security Establishment
I'll just point to the new Canadian centre for cybersecurity that was mentioned in budget 2018 and that has been brought up a number of times around this table today.
A number of our allies who moved to this kind of model when they saw that they needed to integrate within their own cryptologic agencies—our sister organizations—to consolidate their cyber-operations' capabilities within their cryptologic agencies, see a couple of things. Number one, I think they see the need to have a unified, trusted source, and a single source of information, advice, and guidance, a place for their citizens and their businesses to be able to turn to.
Number two goes a bit to the minister's earlier comments about expertise. I feel very fortunate for the men and women who work in CSE, truly some of the best and brightest minds in our country, whether they be mathematicians or engineers or computer scientists or linguists, who are dedicating their time and attention to work in CSE and to bring their capabilities and skills to bear. Again, one of the best practices, I think, we've seen from allies is to consolidate their cybersecurity operations within the sister organizations to CSE and to truly leverage the skills and capabilities they have to be able to better protect their own citizens.
12:05 p.m.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Thank you very much.
We heard the minister speak about threats to our security, from a cybersecurity perspective, emanating from state actors, rogue states in particular, and non-state movements such as terrorist organizations. I wonder if you could speak to whether or not cyber-attacks take a different form, depending on whether they're launched by a state actor or by a terrorist organization. I think there could be a perception that terrorist organizations are not capable of carrying out very sophisticated sorts of attacks. That is changing. The fact is they can mount sophisticated attacks. It wasn't the case before, but now we're seeing that. Could you speak to that?
12:05 p.m.
Chief, Communications Security Establishment
Sure.
I'm going to ask Scott Jones, our deputy chief of IT security, to come in on this as well. Without stealing all his thunder, before I offer him that opportunity to speak, I'll just say that one of the things Scott often talks about is that now we're seeing a wide variety of cyber-threat actors. Yes, we've been worried about nation states for a long time and non-state actors, as you mentioned. We're worried about hacktivists, cybercriminals. In Scott's portfolio, in defending the Government of Canada's systems and providing advice and guidance to Canadians and Canadian critical infrastructure, he often says we have to protect and defend against this whole variety of threat actors. They are diverse, but our responsibility is to be able to protect Canadians' information and Canadians' most private information from this variety of threat actors.
With that, I'll ask Scott to speak a little about the threat environment he sees.
12:10 p.m.
Scott Jones Deputy Chief, Information Technology Security, Communications Security Establishment
Just building on that, I think some of the key points are that the cyber-techniques are within the reach of anybody, and that's more a result of the resilience level that we all face. There are simple actions we've been trying to promote that we can all take to make ourselves more resilient against any sort of actor, because to your point, no matter who they are, cyber-techniques are within their reach. These are our top 10, some simple things we can all do to increase our resilience.
The second piece of that is how we are able to purchase things that are better and more secure from the start. That's some of the work we do internationally. To your previous question about working internationally, there are things like asking for products to have better security features, things that are secure by default, things we don't have to worry about. One example of that is the common criteria program we have with 27 different nations.
How do we then share information quickly to let people take action on our behalf? We can't necessarily rely on ourselves. Some of these techniques are really sophisticated, but we can look at critical infrastructure to help us raise that bar.
12:10 p.m.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
You said something there, and I'm going to stop now, because the chair has said I've run out of time, but thank you very much for the....
12:10 p.m.
Liberal
12:10 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you, Mr. Chair, and I can assure the chair that I might be more focused on my questions in this round.
12:10 p.m.
Liberal
12:10 p.m.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
In part 3 with regard to clause 76
Activities carried out by [CSE] in furtherance of the foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate must not be directed at a Canadian or at any person in Canada.
As we know, the Internet is full of encryption; it's full of IP modifiers; it's full of virtual private networks, and on and on and on.
How will you be sure you aren't targeting a Canadian? How do you go about doing that? And here's a follow-up question, if I may, so you can answer them both. If you come across propaganda in the case of a known ISIS terrorist, and the person is spreading mass propaganda to Canadian citizens from a foreign country, would you then have to refrain from using cyber-operations and let that information get out to Canadians? How do you interpret the bill to manage that nuance?
12:10 p.m.
Chief, Communications Security Establishment
I'm going to start with the first answer, and I'll likely also look to Shelly Bruce, the associate chief, to chime in on this one. Then I think I'll have to come back to your second question just to be sure I've captured it.
In terms of your first question, you're absolutely correct that the legislation as it is proposed—and actually our current legislation as well—prohibits us in law from directing our activities at a Canadian or at anyone in Canada. We're focused on foreign targets in foreign lands, hence the foreign intelligence aspect of our mandate. Having that focus on foreign intelligence is something we've been doing for over 70 years.
This is a bit of the discussion that Shelly has already started in terms of how we actually ensure that we are focusing our efforts on parts of the information infrastructure that are outside of Canada. Ensuring that Canadians are not involved is a process that the foreign intelligence analysts go through.
With that, Shelly, I'll turn it over to you to provide a bit more information regarding how we ensure that.
12:10 p.m.
Associate Chief, Communications Security Establishment
Sure. You've referred to both the foreign intelligence mandate and the active cyber-operations aspect of the proposed authorities. I can maybe start by speaking about the foreign intelligence side.
Before any activities are undertaken, there is a really robust process in place around policies and training and testing. Every analyst does an online test and is not allowed access to any systems until they are very cognizant of all of the restrictions and the requirements to ensure that they are directing their activities against foreign entities outside of Canada and in a way that is consistent or directly related to an intelligence priority that the government has. There are three tests—