Evidence of meeting #101 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cse.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Greta Bossenmaier  Chief, Communications Security Establishment
Shelly Bruce  Associate Chief, Communications Security Establishment
Scott Jones  Deputy Chief, Information Technology Security, Communications Security Establishment
Dominic Rochon  Deputy Chief, Policy and Communications, Communications Security Establishment
Richard Feltham  Director General, Cyberspace, Department of National Defence
Stephen Burt  Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence

12:45 p.m.

Chief, Communications Security Establishment

Greta Bossenmaier

Maybe I can talk about the composition of the organization overall. Sometimes it's hard to parse a person who perhaps, for example, is working on cyber-policy within our group, looking at cyber-policies, versus the person who is out there building the defensive tool versus the person who is collecting foreign signals intelligence that might identify a foreign threat. It's sort of hard to divide people into particular—

12:45 p.m.

Conservative

Blaine Calkins Conservative Red Deer—Lacombe, AB

I'm looking for some anyway, so...

12:45 p.m.

Chief, Communications Security Establishment

Greta Bossenmaier

CSE overall has about 2,300 employees right now. We have Canada's best and brightest mathematicians and computer scientists, and we are hiring, in case you still are interested, in the IT field.

12:45 p.m.

Conservative

Blaine Calkins Conservative Red Deer—Lacombe, AB

I'd like to think I'll be gainfully employed in this as long as I like.

12:45 p.m.

Chief, Communications Security Establishment

Greta Bossenmaier

In case there's anyone else out there....

We're about 2,300 people overall. If you look at Mr. Jones's organization, he's in particular focused on the IT security component of the organization.

I think, Scott, you've provided numbers in the past about the magnitude of your organization.

12:45 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

It's around 500 right now and growing slightly.

12:45 p.m.

Conservative

Blaine Calkins Conservative Red Deer—Lacombe, AB

Here's my question, and it's not meant to be in any way a slight against the fantastic people we have. I'm sure we have the best and the brightest and I'm appreciative of that, but we know that China has an army of about 200,000 people. We know this from reports we've heard, so it's 200,000 against 500. I'm basically looking to you to tell me why Bill C-59 makes those 500 better off, in defence against what those 200,000 might be doing.

We've seen what's happening right now in the United States with sanctions against China under the guise of security, espionage, and all these kinds of.... It's no secret that the Chinese government has been doing this for years. We've had the current government actually very much engaged with China. We sold some assets to Chinese interests recently, and we've been doing so for years and years. This is not meant to be a partisan comment in any way, shape, or form. How is Bill C-59 helping our 500 against the 200,000? It seems like a formidable task.

12:45 p.m.

Chief, Communications Security Establishment

Greta Bossenmaier

Thank you, Mr. Chair.

The reality is that it is a formidable task. That's why it's something we take extremely seriously. Again, we've been in the business for 70 years, and I'm sure we have the best technology, the best people we can have to work on this task, and to work on it in partnership. We often talk about this being a team imperative. No one organization can have all the information or all the answers, so we do work closely with academia. We work closely with other partners. We work closely with our allies in terms of developing knowledge and capability to be able to defend against this very, very challenging environment.

In addition to what was already discussed around budget 2018.... Budget 2018 is proposing an increase in resources and a consolidation of Government of Canada cyber-operational capabilities within CSE, so it provides a bit of a multiplier effect and a single source of trusted advice and guidance, but this legislation would also allow us to exercise additional authorities in the cyber-protection space. Again, that goes back to ensuring we can collect foreign intelligence in a very challenging world and that we can see threats before they reach our shores, have broader threat information sharing, and deploy our cyber-tools—some of the advanced tools Mr. Jones spoke about—on private infrastructure if that is requested and if it is designated.

Also in the defence of cyber-operations, instead of trying to defend only at the periphery of our networks, if we see something that is outside—in a foreign land, on a server, for example—trying to take down Canadian infrastructure or trying to steal Canadians' information, Bill C-59, this legislation, would authorize CSE to go out and try to protect Canada before that threat actually reaches our systems.

12:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Calkins.

Mr. Spengemann, go ahead for five minutes, please.

12:45 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thank you very much, Chair.

My first question is for Commodore Feltham. We spoke a lot about non-state actors and private-sector threats, as both initiators and recipients of activities. What about military-to-military cyber-attacks? What do you see as current trends? Russia is one problem. Who are the other problems? What trend lines and what observations can we make at the moment? Is there going to be an increase in military-on-military cyber-activity? If so, how does it break down from what you see so far?

12:45 p.m.

Commodore Richard Feltham Director General, Cyberspace, Department of National Defence

Thank you, Mr. Chair.

I can't give you the specific numbers of state and non-state actors we see trying to penetrate the networks both within our structure and outside of it on a daily basis, but I can tell you that both state and non-state actors are trying to penetrate networks, and that number is rising every week—every day, almost.

I can't give you the specific breakdown. I don't have those numbers with me today, but state and non-state actors are involved in that domain, and the numbers are rising.

12:50 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Is it fair to say that there is investment in cyber-capacity and offensive cyber-capacity by potentially hostile or openly hostile militaries?

12:50 p.m.

Cmdre Richard Feltham

We are seeing increased numbers of people trying to gain access to our networks, which suggests increased investment. I don't know for a fact, but we are seeing large numbers of different entities trying to get into our networks.

I think you have a comment, Mr. Burt.

March 22nd, 2018 / 12:50 p.m.

Stephen Burt Assistant Chief of Defence Intelligence, Canadian Forces Intelligence Command, Department of National Defence

From the defence intelligence standpoint, the simple answer to your question is yes. It is a rising threat across nation-state actors within their militaries, and it is a crosscutting threat. We're interested in it the same way we're interested in growth, for example, in submarine fleets, because it is increasingly used across the board by large and small states.

12:50 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Can you qualify in any meaningful way the priority that this issue of potential hostile miliary on miliary is being given within DND?

12:50 p.m.

Cmdre Richard Feltham

Mr. Chair, I can qualify that cyber as a domain of operations has now been certified as—much like air, land, sea, and space—its own domain.

We saw in the recent defence policy the increased mandate to incorporate an act of cyber. We've been defending military networks for a long, long time, so I wouldn't want to imply that we haven't been doing that.

The very fact that we are embarking upon an active cyber component to our cyber-operations is indicative of how we're taking this threat, and the accompanying investment within that domain. The short answer to your question is that we are looking at this domain very carefully. We are growing our forces and our ability to work in that domain every day, sir.

12:50 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thank you very much.

My second question is for Ms. Bossenmaier and Mr. Jones.

You spoke about the dynamic cyber-threats environment earlier in your conversations and gave some precision on what that means for Canadians. I'm wondering about your assessment of Bill C-59 as an instrument that is sufficiently agile, adaptable, and flexible for a look beyond the horizon and into the future.

Ms. Bossenmaier, I think you mentioned AI, and I think quantum is another unknown unknown. We don't really know how these two dimensions are going to play out.

Is the instrument that we're contemplating and about to put on our books flexible enough to address future challenges as they may arise?

12:50 p.m.

Chief, Communications Security Establishment

Greta Bossenmaier

It's a very important question, Mr. Chair, because, again, it is such a dynamic environment.

Whether it's quantum or artificial intelligence or the Internet of things or cloud computing, or whatever the new technology is going to be in the future, our sense is that this legislation will allow us to be able to respond and be proactive in looking at what those threats of the future are.

It's sort of technology-agnostic in the sense that it talks about various threats that could occur and, again, provides us with the authority to be able to work with whatever those undefined threats of the future may be.

Scott, you may have something to add on that as well.

12:50 p.m.

Deputy Chief, Information Technology Security, Communications Security Establishment

Scott Jones

I think the key aspects are that the pace of change in technology is accelerating right now, so I think what we're going through.... For example, on quantum, we're working on this on a number of fronts. First of all, we do have a duty to protect the Government of Canada's most sensitive information, and so we're preparing for that future as well.

Also, as Canada's national cryptologic agency, we are the experts in cryptography, so we are working with partners across the private sector, National Research Council, etc. That's something we've been doing for 70 years.

A lot of these technology changes are things that fit well within our advice and guidance mandate in terms of preparing for the future, and also with the information-sharing mandate in terms of how we work as partners. The Internet is interconnected. We need to have a new way of approaching this, and that's very much about partnership and working together with companies, with academia, with other levels of government, and internationally as well.

12:50 p.m.

Liberal

Sven Spengemann Liberal Mississauga—Lakeshore, ON

Thanks.

I think that's my time, Mr. Chair.

12:50 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Dubé, it's a good day for you today. Please finish up for the final three minutes.

12:50 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you. I appreciate it, Chair.

I want to come back to the line of questioning I was on before.

Would interactions taking place on Facebook or information that's put out on any social media, quite frankly, fall under this bill's definition of global information infrastructure?

12:50 p.m.

Chief, Communications Security Establishment

Greta Bossenmaier

I think we addressed this question before. I won't give you the same answer again, which doesn't seem to be completely answering the question, but I will ask Dom to speak a bit about publicly available information and how it has to fit within our mandate.

12:50 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

I don't have very much time, so I'm wondering if I can get a yes or no.

12:50 p.m.

Deputy Chief, Policy and Communications, Communications Security Establishment

Dominic Rochon

Yes, information on the GII, the global information infrastructure, would include all sorts of things. However, our mandate is very specific that we cannot collect information about Canadians under foreign intelligence.