Evidence of meeting #107 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was debate.
A recording is available from Parliament.
Liberal
The Chair Liberal John McKay
We can encourage those pointed answers.
Mr. Motz, do you have a pointed question?
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Should CSE be in a position where they are going to be testing telecommunications equipment, and let's just say that this equipment was made in China, and you're testing that equipment for backdoor software, you would need China's approval to do that, based on this amendment. Is that what I'm hearing basically? A yes or no answer would suffice.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
In that hypothetical situation, yes, that would be my reading of it.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
My understanding is that since this is about the work that CSE is doing within Canada to ensure the information infrastructure, I don't know if that would be the case, but perhaps we can seek clarity from officials.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
I guess an example of where this would be used would be testing things that are going to be deployed in government systems to make sure, from a supply chain perspective, that there aren't back doors or the like built into them. Should somebody build in those back doors and we ask them whether it's fine to test those systems and so on, it just seems from an operational perspective to be challenging and maybe it's more contrary to the purpose of why we do this kind of thing.
Matthew Dubé NDP Beloeil—Chambly, QC
I just want to say, Chair, for the record, that some of the tests that have been conducted before, we know from leaks, have been disruptive. Again, this is the reason that Citizen Lab recommended this type of amendment, to ensure we're minimizing the impact this type of research can have on Canadians. Perhaps it's a large undertaking to find the consent of everyone, but it's whose product software and systems are concerned. I think if you're testing telecom X's infrastructure here in Canada, not to name any of them, it makes sense that they would be advised. As I said, I would hope that's already something that would be taking place. I would expect that type of public-private partnership would be happening when it comes to cybersecurity. If it's not, it is problematic, as is not having an amendment such as this, in my mind.
Conservative
Blaine Calkins Conservative Red Deer—Lacombe, AB
This is a further question for Mr. Millar, given the fact that the Department of National Defence and other various organizations—Public Safety, whoever it might be—are constantly acquiring software, hardware, and outside expertise. That expertise or that equipment would generally be brought in through a contract. We buy fighter jets from Lockheed or whatever the case might be.
In virtually every one of those cases, they are not obviously contracts about making sure the proprietary technology, the NATO technology, and all these other kinds of technologies would be protected to a certain degree. How involved would CSE be in testing some of that equipment? Where do you guys do your work? Do you work in that space, or do you leave that up to the nature of the contract to govern that? Do you do an ad hoc upon request, or do you use your intelligence to figure out where you need to go? How does that work?
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
Unfortunately, I'm not personally an expert on military procurement and the like, but I would say we're basically available when called upon to do this kind of testing evaluation. Obviously, there are other measures that are built into contracts and works that perhaps PSPC and other folks would do to do that. There are experts in our organization that would help support that in terms of an advice and guidance perspective, but in terms of when we do this kind of thing, it wouldn't necessarily be in all cases where that would happen.
Conservative
Blaine Calkins Conservative Red Deer—Lacombe, AB
You would have to have a suspicion or a reason to do it. Is that correct?
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
Someone would ask us to do that, or it would depend on what element of.... Obviously core networks are things at the periphery or at the core. You basically would do a risk assessment. That is my understanding.
Conservative
Blaine Calkins Conservative Red Deer—Lacombe, AB
How would you be able to maintain your clandestine notions if you had to make it known to everybody whose products or software you would be testing and that you were going to do so?
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
That would be a challenge.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
I'm wondering if I can ask the folks from CSE who are here whether some of the activities done under proposed section 24 include the use of malware being introduced into systems or software.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
Can you repeat that, just so I make sure—
NDP
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
Would we introduce malware? No, this is the test for vulnerabilities of the system. This isn't for us. This is in the cybersecurity part of our mandate. At the end of the day, I'm not an expert on the testing evaluation of it. I should say again that the purpose is to protect cybersecurity systems, not to introduce something that will put those systems at risk.
With regard to how those things are tested and stress tested, there would be experts in our organization who could speak to that. The element of this is to capture something that we do now, something for which we're reviewed now, and to make it clear that when we're doing these kinds of things, we're not directing our activities at Canadians. That's the purpose of these provisions, to make it clear for review agencies that will be reviewing these things for reasonableness and proportionality, and to know that when we're doing this, we're not directing our activities at Canadians. It's making that specific reference there to help with legal clarity around this.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
I'm confused. Again, proposed subsection 24(1) says, “Despite subsections 23(1) and (2)”, which are the sections that specifically say no activities against Canadians and persons in Canada. I don't want to rehash what we've already had a lot of back and forth about over the course of the study of this bill. I'm just wondering if you're not exploiting vulnerabilities.
How then do you go about research and development for the purpose of testing systems or conducting cybersecurity information assurance activities on the infrastructure without inevitably creating a strain on those systems? How do you measure...? You can't measure the strength of a bridge until someone has actually driven over it.
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
I see what you're getting at. I guess there are two things to talk about here. One is that we test things within the labs as well. It's not like we're going on to Canada's networks and stress testing networks in a way that's going to interfere with something.
The other thing that's very much worth mentioning is that with LIB-30 that has just passed, anything we could do that could interfere with a reasonable expectation of privacy, again would be triggered under that ministerial authorization and would have to be captured within that.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
I'll end here, Chair. I appreciate the indulgence.
Given the potential disruptive nature of this, I'm wondering, with any of these activities under proposed paragraph 24(1)(b) that are being conducted, say on a network here, Bell or Rogers or Telus or whatever, is it the normal practice to advise them that these tests are taking place on their network—if you're even allowed to say?
Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
To tell you the truth, I don't know enough about the specifics of how that works. I just don't know.
NDP
Matthew Dubé NDP Beloeil—Chambly, QC
Thank you for that.
I'll end here by saying, for the sake of colleagues, that this is what the amendment seeks to do. In that type of situation, it's to ensure the companies or owners of software are aware when these types of tests are taking place, and they have that certainty that if there is going to be disruption, it's done in a consensual way.
Thank you.
