Public Safety Committee on Feb. 13th, 2018

The purchase of malware doesn't necessarily come from those people who are generating the malware. There are organizations, anti-virus companies, who will allow us to purchase that information from their own legitimate analysis and work. We work very closely with that community to understand what the threats are that are being covered by a commercial software and services so that we can focus, then, on those malware threats that are not currently covered, the more sophisticated ones that are not part of the current complement.

In CSE's instance, that information, anything that has been hacked or stolen and then been made available for purchase, is not included in the definition of publicly available information.

That's correct.

There is no doubt that Canada and its allies face an increasing degree of threat from hostile state actors or hostile non-state actors out there. We work very closely with and are part of the National Defence portfolio, as you've mentioned. In the recent defence policy review, the military has declared its interest in working in the cyber domain and developing a framework and a platform for that. You'll note as well that the bill is set up in a way that would allow CSE to assist the Canadian Armed Forces under our assistance mandate, so that we would be able to work more closely with them, depending on the conditions and circumstances of activities that would need to be taken. There is a potential for us to work more closely in delivering capabilities for them on the military level.

It depends on the circumstances of the activity that is being defended against. In many cases, you will not be able to attribute that activity to a specific individual, but the more important issue is to stop that activity from happening before it becomes a crisis or before it materializes in the Canadian security space.

I would add that the capability exists with CSE now. One of the reasons National Defence and the Canadian Armed Forces have been added to our assistance mandate is that should they engage in cyber operations in support of government-approved military operations, they could leverage our capabilities in that regard. Where it's in a military context, leveraging us, when it's outside of a military context....

We have to keep in mind that some of the things we're talking about here would be, for example, if intellectual property were stolen from a Canadian company, we could perhaps go upstream and render that unreadable. This is not always in the stream of aggression and cyber-war, and that kind of thing. There are civilian uses of this and there are prohibitions built in to keep us within the swim lane of that, whether it's prohibitions against bodily harm and the like.... Having the dual key of the Minister of National Defence and the Minister of Foreign Affairs ensures that the kinds of activities we're undertaking are consistent with international priorities and international law.

Sure.

I would preface this by saying that active cyber operations are meant to achieve an objective that the government has established, and that it's a team sport. That means we each are bringing our mandates, our authorities, and our capabilities to this table. It really is a way of working together to figure out who has the right authority to address the right issue at the right time based on their skills, their mandates, and their authorities.

In the case of CSE, I mentioned some of these operations in my opening remarks, such as interrupting or disrupting ISIL communications, networks, media machines in a way that would stop attack-planning before things reached a crisis pitch. There's also interrupting the spread of ransomware that's being pushed around the world, and interrupting subversion to the democratic process. As my colleague mentioned, we have had instances in the past where sensitive information has been stolen from Canadian systems and is now on foreign systems abroad; therefore, we could find ways to corrupt that data or to make it inaccessible to others who want to take advantage of it and use it for their own benefit.

Yes, critical infrastructure is included. In the legislative proposal, CSE would receive the authority to take the skills and the technology and the capabilities that have been developed to protect Government of Canada networks and to make that advice, guidance, and those services available to critical infrastructure owners if that critical infrastructure element has been designated by the minister as eligible for CSE assistance, and if that critical infrastructure element system owner has requested our assistance.

No. The active cyber operations directed at foreign entities outside of Canada require the approval of the Minister of Defence as well as the Minister of Foreign Affairs. Necessity, reasonableness, and proportionality are all factors they have to consider. They cannot be achieved by any other means, cannot cause bodily harm or death, but also cannot subvert or obstruct democracy or the course of justice. There's an explicit prohibition there.