Public Safety Committee on March 22nd, 2018

CSE overall has about 2,300 employees right now. We have Canada's best and brightest mathematicians and computer scientists, and we are hiring, in case you still are interested, in the IT field.

In case there's anyone else out there....

We're about 2,300 people overall. If you look at Mr. Jones's organization, he's in particular focused on the IT security component of the organization.

I think, Scott, you've provided numbers in the past about the magnitude of your organization.

It's around 500 right now and growing slightly.

Thank you, Mr. Chair.

The reality is that it is a formidable task. That's why it's something we take extremely seriously. Again, we've been in the business for 70 years, and I'm sure we have the best technology, the best people we can have to work on this task, and to work on it in partnership. We often talk about this being a team imperative. No one organization can have all the information or all the answers, so we do work closely with academia. We work closely with other partners. We work closely with our allies in terms of developing knowledge and capability to be able to defend against this very, very challenging environment.

In addition to what was already discussed around budget 2018.... Budget 2018 is proposing an increase in resources and a consolidation of Government of Canada cyber-operational capabilities within CSE, so it provides a bit of a multiplier effect and a single source of trusted advice and guidance, but this legislation would also allow us to exercise additional authorities in the cyber-protection space. Again, that goes back to ensuring we can collect foreign intelligence in a very challenging world and that we can see threats before they reach our shores, have broader threat information sharing, and deploy our cyber-tools—some of the advanced tools Mr. Jones spoke about—on private infrastructure if that is requested and if it is designated.

Also in the defence of cyber-operations, instead of trying to defend only at the periphery of our networks, if we see something that is outside—in a foreign land, on a server, for example—trying to take down Canadian infrastructure or trying to steal Canadians' information, Bill C-59, this legislation, would authorize CSE to go out and try to protect Canada before that threat actually reaches our systems.

Thank you, Mr. Chair.

I can't give you the specific numbers of state and non-state actors we see trying to penetrate the networks both within our structure and outside of it on a daily basis, but I can tell you that both state and non-state actors are trying to penetrate networks, and that number is rising every week—every day, almost.

I can't give you the specific breakdown. I don't have those numbers with me today, but state and non-state actors are involved in that domain, and the numbers are rising.

We are seeing increased numbers of people trying to gain access to our networks, which suggests increased investment. I don't know for a fact, but we are seeing large numbers of different entities trying to get into our networks.

I think you have a comment, Mr. Burt.

Mr. Chair, I can qualify that cyber as a domain of operations has now been certified as—much like air, land, sea, and space—its own domain.

We saw in the recent defence policy the increased mandate to incorporate an act of cyber. We've been defending military networks for a long, long time, so I wouldn't want to imply that we haven't been doing that.

The very fact that we are embarking upon an active cyber component to our cyber-operations is indicative of how we're taking this threat, and the accompanying investment within that domain. The short answer to your question is that we are looking at this domain very carefully. We are growing our forces and our ability to work in that domain every day, sir.

It's a very important question, Mr. Chair, because, again, it is such a dynamic environment.

Whether it's quantum or artificial intelligence or the Internet of things or cloud computing, or whatever the new technology is going to be in the future, our sense is that this legislation will allow us to be able to respond and be proactive in looking at what those threats of the future are.

It's sort of technology-agnostic in the sense that it talks about various threats that could occur and, again, provides us with the authority to be able to work with whatever those undefined threats of the future may be.

Scott, you may have something to add on that as well.

I think the key aspects are that the pace of change in technology is accelerating right now, so I think what we're going through.... For example, on quantum, we're working on this on a number of fronts. First of all, we do have a duty to protect the Government of Canada's most sensitive information, and so we're preparing for that future as well.

Also, as Canada's national cryptologic agency, we are the experts in cryptography, so we are working with partners across the private sector, National Research Council, etc. That's something we've been doing for 70 years.

A lot of these technology changes are things that fit well within our advice and guidance mandate in terms of preparing for the future, and also with the information-sharing mandate in terms of how we work as partners. The Internet is interconnected. We need to have a new way of approaching this, and that's very much about partnership and working together with companies, with academia, with other levels of government, and internationally as well.

I think we addressed this question before. I won't give you the same answer again, which doesn't seem to be completely answering the question, but I will ask Dom to speak a bit about publicly available information and how it has to fit within our mandate.

Yes, information on the GII, the global information infrastructure, would include all sorts of things. However, our mandate is very specific that we cannot collect information about Canadians under foreign intelligence.