Public Safety Committee on Sept. 20th, 2018

That really goes to the general caretaker convention status but also to working with Elections Canada. This is something that we are talking to them about, because at the end of the day the nightmare scenario for a public servant would be to ever do anything that would interfere in the election. I can't overstate how much of a nightmare scenario that is for me right now.

Oh, oh!

That's something that we are talking about with Elections Canada, to make sure we respect that, and also for the Commissioner of Canada Elections, to make sure that we respect the independence. That might be the better route. That is something we're discussing right now in terms of how we're going to approach this.

It's a bit of a new world. Normally what we tend to do in the public service is that we kind of turtle. We retreat into the public service and we just do the normal things. Cyber has changed that.

We're working through the scenarios now.

We've been working collaboratively with Elections Canada since before the last election in 2015 in terms of augmenting cybersecurity and starting to discuss these issues. I think we're working through this as we also figure out how to engage with political parties if we find something. How do we share the information that we see if a particular political party is being targeted for activity? I think it's part of working out that protocol.

I think we look to liaise with them, but we're respecting their independence. Being outside of the government and more of a parliamentary agent, we look to partner with them and really follow a strict protocol and respect that.

We absolutely have a process for that. Our standard process is that we work with the company to try to do it in a responsible way and to not create a vulnerability that somebody could then exploit. Every company takes time to prepare software patches, etc. We want to make sure that they're able to have those patches in place before any public disclosure so we don't get the cybercriminals or any actors that—

Not yet. It's something that we've been talking about—how do we share that?

We're always looking to provide advice and guidance in terms of just helping to raise the bar initially so that it's more secure. When you're looking at infrastructure, regardless of ownership, if it's Canadian infrastructure, in Canada, we would treat it as Canadian in terms of our work with them. If they were suffering an incident, we would certainly encourage them to report to the Canadian centre for cybersecurity so that we could try to help. At the same time, it's always a business choice in terms of what technology they use, how they implement it, and the need to balance factors—cybersecurity but also affordability and other factors.

Really, it's a combination of a few things. It's advice and guidance and helping to make it more secure. We're trying to publish more and more practical advice and guides. I'd say that in the past, some of our things were—

We're designated as part of the Investment Canada Act process. We provide advice to, in this case, the Minister of Public Safety, who then works with the Minister of Innovation, Science and Economic Development.

In terms of the Canadian companies, though, we're also looking to see how we can increase their resiliency so that they're able to defend against these types of cyber-activities. That's part of this as well. But it certainly is a consideration.

The key thing for us, when we talk about suppliers, is that almost everything is manufactured around the globe. Where the final product is assembled doesn't necessarily equate to where, say, the software is written, etc. We work in a global market. That's one thing we really look at: How do we bring security into something where the product of origin, or the company that provides it, is only providing a small piece of what's actually embedded in the product?

On the telecommunications company side, it's difficult for us, because we do work under.... They provide a lot of information so that we can work very proactively in terms of what's coming in the future, so it's competitive information for them. At the same time, I've seen them make substantial investments in cybersecurity without requiring fanfare or government intervention, etc. I think they're taking security very seriously. I'm really proud of the relationship. I think we have found a good Canadian model for working between government and industry on trying to address some of the cybersecurity challenges, not from a very narrow national security threat but broader. How do we make sure we're building a very resilient telecommunications network that spans from coast to coast to coast? That's something we've really been working on.

It is a complicated issue. With cybersecurity, unfortunately, as we were saying, it's really hard to characterize this in 240 characters. That's one of the biggest challenges in the telecommunications sector. It is very complicated and it is broad.

In terms of directly dealing with it, that's one of the challenges we have with an open democracy that encourages communication. We simply don't monitor for that type of thing. We don't direct our activities at Canadians, and on the Internet it's hard to tell Canadians from everybody else.

I think the key thing is that the social media platforms themselves are trying to address this. One of the things is that certainly, for example, if I saw somebody trying to impersonate me—I don't know why they would, but if they did—I would certainly take advantage of the reporting tools they have. They have tried to address this, so it's been somewhat in public.