Evidence of meeting #97 for Public Safety and National Security in the 42nd Parliament, 1st Session.

Also speaking

Malcolm Brown  Deputy Minister, Department of Public Safety and Emergency Preparedness
Shelly Bruce  Associate Chief, Communications Security Establishment
Commissioner Gilles Michaud  Deputy Commissioner, Federal Policing, Royal Canadian Mounted Police
Tricia Geddes  Assistant Director, Policy and Strategic Partnerships, Canadian Security Intelligence Service
Scott Millar  Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment
Merydee Duthie  Special Advisor, Canadian Security Intelligence Service
Douglas Breithaupt  Director and General Counsel, Criminal Law Policy Section, Department of Justice
John Davies  Director General, National Security Policy, Department of Public Safety and Emergency Preparedness

12:45 p.m.

Liberal

The Chair Liberal John McKay

Thank you.

Mr. Dubé, you have five minutes, and then, shockingly, I might exercise a chair prerogative and ask a question or two of my own.

12:45 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

Thank you, Chair.

This is perhaps for our representative from the Department of Justice, but in the charter compliance statement, there is mention about the expectation of privacy when it comes to publicly available information, which would be considered low for that type of information.

How is that concept changed in law in terms of the expectation that people have? I say that as someone who's not a lawyer. In other words, going back to that example, I think very few people are really aware of information that could be purchased legally, for example, that could technically fall under that definition. Is the expectation of privacy and the reasonable expectation of privacy changed in the advent of the use of things such as social media, where we can arguably state that there's a lack of knowledge on that front?

12:45 p.m.

Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment

Scott Millar

I know that Doug is here more in the policy capacity than a charter expert capacity, so I'm happy to address that.

There are a couple of things to keep in mind. One, again, is that it will be reviewed for lawfulness. With the ministerial authorizations that we will have or will seek that capture any information that comes into our possession, where there would be reasonable expectation of privacy, when we put together those authorizations, the Department of Justice is part of reviewing those authorizations, which are like affidavits, to make sure that we've sufficiently captured that space.

As the publicly available information is laid out here, the idea is that it was public, it was intended to be public, so to that degree, any information we acquire under those provisions would have to meet those kinds of tests, and those tests will be reviewed and commented on going forward.

12:45 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

If we take the example of assessing the nationality of an individual or organization, can you walk me through what that means specifically?

12:45 p.m.

Associate Chief, Communications Security Establishment

Shelly Bruce

As my colleague has already mentioned, this is not new. CSE has to take these kinds of unknown entities and elements of information and try to flesh them out to understand exactly what we're dealing with. It could be as simple as a Google search. It could be looking or working with other databases that are out there that might help us contextualize this. In the case of an IP address, there are registries that exist online that tell you where an IP address is geographically registered.

12:45 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

When you say “other databases”, that's pretty wide open. Can you give an example of something such as that? That seems troubling to me, that kind of phrasing, with all due respect.

12:45 p.m.

Associate Chief, Communications Security Establishment

Shelly Bruce

Probably the best I can do to reassure you is to say that we've had a commissioner who has reviewed CSE's activities for privacy for more than 20 years. In assessing our activities and looking for privacy concerns or lawfulness, he touches on these kinds of activities, the open source research that we do to support our activities, because a lot of our activities require this to be effective. To my knowledge, he has never found any issue with the degree of research that CSE has done, the sources that we have accessed, or how we have handled and managed that information.

12:50 p.m.

Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment

Scott Millar

No, that's correct.

I guess the other thing to underscore is that, again, these activities are in furtherance of our mandate. I think there's an important thing to underscore here, and it's something we haven't had the opportunity to talk about much yet. Keep in mind that some of those activities involve us doing cyber-security on Government of Canada networks and systems. They're the same networks that hold taxpayer information and employment insurance information—very sensitive, private Canadian information. Our sensors block up to a billion malicious cyber incidents a day. Those are cyber-threat actors looking for vulnerabilities or indeed trying to attack.

I mention that because I recognize, in the discussion about the degree to which private information is.... Are we dealing with both security and the privacy of information in a reasonable and proportionate way? I'll underscore as well that part of our mandate is actually protecting the private information of Canadians. The degree to which we do these activities is in furtherance of that kind of information protection mandate.

12:50 p.m.

NDP

Matthew Dubé NDP Beloeil—Chambly, QC

In terms of the measures you take that aren't known to the public, this is the challenge, right? You mentioned that there are some things you do with regard to protecting the privacy of information in terms of, for example, what's in proposed section 25 and that kind of thing. Is there any way in which we as parliamentarians can be made aware of what's being done? Unfortunately, from my reading of the bill, it seems that these measures are there, you're saying you take them, and beyond that we don't necessarily know.

12:50 p.m.

Associate Chief, Communications Security Establishment

Shelly Bruce

On our website we do have a fact sheet that outlines the measures we take to protect privacy at the moment. As technology evolves, as information evolves, we need to make sure we are staying current and are adopting more and more effective measures to protect privacy. So they are not captured in legislation, they are captured in ministerial authorizations. The minister can lay out his expectations and he can increase those expectations and any parameters in terms of how we work as part of those authorizations, which are required to be renewed every year.

12:50 p.m.

Director General, Strategic Policy, Planning and Partnerships, Communications Security Establishment

Scott Millar

If I may, I answered incompletely a previous question about what changes for us under this legislation. We talked about mandates and other things. The accountability and review measures build upon the existing robust measures we've had to date with the CSE commissioner, but that element of NSIRA, the review agency, with the committee of parliamentarians gives that element where folks who are cleared and can see the full aspect of what we do, whether in an unclassified or classified space, can review us for all those elements of reasonableness and proportionality.

The legislation also makes more transparent—as transparent as you can be in a piece of legislation—the activities that we undertake, under what restrictions we do them, and the prohibitions and so on. We are trying to put out more and more on our website. We are a clandestine agency that needs to act clandestinely in order to understand the threat picture and protect Canada. But we're getting out there. We're on Twitter. We're pushing out reports on democratic institutions and threats against democratic institutions. We'll always be looking for ways in which we can share more about what it is we do.

12:50 p.m.

Associate Chief, Communications Security Establishment

Shelly Bruce

I would say as well—

12:50 p.m.

Liberal

The Chair Liberal John McKay

Mr. Dubé is well past his time.

I do have a question, if you don't mind. I want to pick up on the exchange between Ms. Bruce and Mr. Fragiskatos concerning the private infrastructure, if you will.

This conversation has largely been devoted to public infrastructure. It reminded me of a conversation I had last week with a representative of the banking industry. His comment was that when we feed information into the security services, it just disappears and we never hear from them again. It seems to me that this cyber infrastructure is actually shared between the private and public sectors, and that Bill C-59 doesn't speak to—it's not obvious, at least—that private infrastructure piece. This issue has consumed the British. The British government has intervened quite actively in protecting private infrastructure.

First, on Bill C-59 as is, what contribution in terms of a framework does it make? Second, what is the next piece, if you will, in addressing that issue?

12:55 p.m.

Associate Chief, Communications Security Establishment

Shelly Bruce

The bill does not refer specifically to critical infrastructure, but I think it makes reference to non-governmental systems, which are tantamount to critical infrastructure, because as you say, our global information infrastructure is made up of public and private enterprises.

In that space, CSE, which is currently focused on defending and blocking activities on the government infrastructure, is limited right now to providing advice and guidance only to critical infrastructure owners in a way such that the information is available to the general public.

In this regard, Bill C-59 opens up CSE to take the expertise that has been developed—the tools, the capabilities.... In fact, some of that capability has been exposed to critical infrastructure owners in the form of a tool called “Assembly Line”. We've put it out there. It's a tool that was developed in-house, but we've made it available to others who can use it to help triage and understand malware that might be affecting their systems.

CSE would be able to go even further with this legislation to helping critical infrastructure owners who request our assistance and whom the minister has designated as eligible to receive assistance from CSE.

12:55 p.m.

Liberal

The Chair Liberal John McKay

How will that occur in a formal way? I can think of institutions that have massive structures, possibly as large as government structures. How will that operate in a practical way so that everyone's interest is protected?

12:55 p.m.

Associate Chief, Communications Security Establishment

Shelly Bruce

It's a good question.

As the legislation firms up and we understand what the scope is, should these authorities be granted it will be up to CSE to work with Public Safety, critical infrastructure owners, and the minister to look at where the risks are and to start designating and prioritizing, because as you point out, it will be impossible to address all of the concerns and all of the infrastructures that exist in Canada.

12:55 p.m.

Deputy Minister, Department of Public Safety and Emergency Preparedness

Malcolm Brown

Some of this falls under the ambit of the Minister of Public Safety. You're asking a framework question on the way in which the government is going to approach it. This is an important building block. It was a gap within CSE's mandates that they were constrained on the help they could provide in the existing context.

As I said before, the government is conducting a cyber-security review. The results of that will be available shortly, I hope. One of the key pieces in this—and here I would add that Public Safety manages the relationship with critical infrastructure sectors—is about knowing where to go, who to call when there's an issue. It's not about the size of the systems; it's about having the right connections. Right now, they sometimes call CSE, and they call our critical cyber-emergency response team, CCIRC, at Public Safety. We need to do a better job of coordinating that.

Much of this information is in an ecosystem where it needs to get shared really quickly, and that's a key role that CSE can play. It's about technical expertise. I will use the analogy of a fire. We send firefighters to a fire. In this instance, it might be one firefighter, because it's actually just a connection that needs to be made so that people understand that there's a fix, and this fix can be applied across the entire infrastructure.

There's an unnamed large American company that dealt with a lot of people's private data. It was one simple fix that was missed, and it had a profound impact on the entire organization.

It's important to frame this. I think we will see a further elaboration in the coming months. This is one important building block.

12:55 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Brown, for that penultimate word.

Colleagues, we have one more day on this. We have two witnesses scheduled for next Thursday, but a certain unnamed academic has suggested that we hear from the Civilian Review and Complaints Commission for the RCMP. They are available, and I propose that we add them to the list. That will do it for Thursday. I also propose that the subcommittee get together Thursday afternoon, after we have heard the witnesses, and sketch out how we'll get to clause-by-clause.

With that, I want to thank each and every one of you for your contribution to our deliberations. You've certainly been very able and responsive to all of the questions we've asked.

The meeting is adjourned.