Public Safety Committee on May 3rd, 2022

Thank you, Chair.

The threat posed by Russia to Canada's public safety and national security has increased significantly since the western democracies responded to Russia's invasion of Ukraine with measures designed to cripple Russia's economy and with weapons support for the Ukrainian resistance. Whatever the outcome of the suffering in Ukraine, Russia will remain shunned by the west and blocked from financial transactions and trade with lucrative European markets. Putin, I think it's fair to say, is seethingly angry, tormented and resentful, with dangerous capabilities to lash out at Canada in response. He is likely to make common cause with China, which will magnify the threat to us.

Canada is inadequately prepared for the range of threats posed by Russia, including threats to Canada's critical infrastructure, espionage and sabotage. We are less prepared than our allies.

A considerable concern in this regard is whether the RCMP, CSIS and CSE have been sufficiently accountable to the public safety and national security concerns of Parliament as represented by this Commons committee. We know that the RCMP, CSIS, CSE and DND gather a lot of information on Russian malign activities, but when Parliament asks for a briefing to inform the parliamentary development of legislation to protect public safety and national security, those agencies too often stonewall you, suggesting that the information is too sensitive or that disclosing it would reveal operational details that would be helpful to our enemies.

It would be reasonable to assume that Five Eyes, including Canada, were aware of Mr. Putin's megalomaniac ambitions regarding Ukraine. Nothing has changed in Russia. It's simply our perception of it that has become heightened. They know what he has in store for future invasions and what he has in store for threats to Canada, but how can Canada prepare if the RCMP, CSIS and CSE will not hand over their intelligence assessments on what we should prepare for? Too often, Canadian police and security agencies see their primary function as to simply curate information, which they can trade with the counterpart agencies. Again, this issue is more pronounced in Canada than for our allies.

For example, how badly does Canada need a foreign agents registry act, or something like the Australian Foreign Influence Transparency Scheme Act, as a national security measure? I judge this as very urgent for Canada, especially now, but CSIS would know better which Canadians influential in Canada's policy process have received benefits from a foreign state that put them in a conflict of interest that threatens Canadian security and sovereignty. How many of these are there? How high does it go? If CSIS has this data, they should give it to you.

What about the RCMP's Cameron Ortis? What should we be learning from his arrest? What about the Winnipeg labs matter? Was there a failing in protection of Canadian national security that should be addressed by Parliament? Then there's the Quentin Huang matter. Why is it that, unlike our allies, Canada does not successfully prosecute and send to prison people who transfer military technologies from Canada to agents of a foreign state?

Let me add one last point. As the Commons Special Committee on Canada-China Relations has examined, the Chinese-language media in Canada is strongly dominated by elements that support the Chinese Community Party's agenda in Canada. Since the outbreak of hostilities in Ukraine, Chinese domestic media and its proxies in Canada have been repeating the Russian conspiracy theories and associated disinformation day after day, week after week and more or less word for word. This Russian disinformation has the effect of discrediting the integrity of Canadian democratic and judicial institutions and debasing the loyalty to Canada of a significant fraction of Chinese Canadians.

Canada needs to take all of this much more seriously, in my view, and allocate the resources and the restructuring of our public safety and national security agencies to address it much more effectively than we have up to now.

Thank you, Mr. Chair.

Thank you, Mr. Chair.

My name is Jennifer Quaid. I'm the executive director of the Canadian Cyber Threat Exchange, the CCTX.

The CCTX is a pan-Canadian, member-based, not-for-profit organization focused on enabling Canadian companies to build cyber-resilience through collaboration. We represent 170 members across 15 sectors. We were founded by some of Canada's largest companies, but our mission is to enable organizations of all sizes to reduce financial and operational risk through access to relevant and timely threat intelligence. Members choose to participate, because they recognize that being aware of the cyber-threat environment and its ever-changing landscape is the first step to ensuring the cyber-resilience of their organizations.

As Canada's Minister of National Defence recently said, “Cyber security is one of the most serious economic and national security challenges we face.” As you know, cyber-threats are becoming more sophisticated and are increasingly pervasive. Driven by the growth and global adoption of innovative technologies, cybercrime pays. Who does it pay? Cyber-threat actors can be grouped into roughly a couple of categories: nation-states who are conducting espionage and statecraft through the Internet, and criminals who are engaging in cybercrime for financial gain.

It's this criminal element that has commercialized cybercrime. It's now an industry unto itself. It's an industry where the barriers to entry are lower than ever. Technical expertise is no longer a requirement. Cryptocurrency makes collecting your fee easier, and the chances of getting caught are low. Several countries allow cybercriminal groups to operate within their borders, but we also have hacktivists, cyber-attackers designed to target social injustice, and the ever-present insider threat.

The ongoing geopolitical tension in Russia and Ukraine has created an opportunity for an increase in hacktivism and criminal activity. The threat actors are targeting critical infrastructure on both sides, taking down banking websites and disrupting government service. The Conti criminal organization is acting in support of Russia. Anonymous claims to be waging a cyberwar on Putin. Network Battalion 65 stole and used Conti's code to lock up files inside government-connected Russian companies.

Canadian organizations have been following events unfolding in Ukraine and are operating under a heightened sense of alert. CCTX members, in collaboration with the Canadian centre for cybersecurity, are working to ensure that Canadian businesses can better defend themselves from these attackers.

This is a good example of public-private partnership in action. Through the CCTX, the cyber centre has the opportunity to disseminate information to businesses of all sizes in all sectors. We can then enable our members to collaborate, leverage and use that information in a meaningful way, but collaboration is more than sharing threat information. It's professionals sharing best practices and working together on cyber-problems that are impossible to undertake within a single organization or sector.

It's engaging with others to improve your cyber-resilience—the resilience of your supply chain, your customers and the Canadian economy. It's an effective way to expand your team's capacity, which is increasingly important in an economy where there are 25,000 open positions. According to CIRA, 25% of organizations have reported a data breach, and the attacks aren't stopping.

What more can be done? The government can make sharing easier for many organizations by the simple act of creating “safe harbour” legislation, laws designed to encourage businesses and organizations to voluntarily share information by protecting them from legal repercussions, sharing beyond statutory requirements. You can also enable more companies to join a collaboration organization by making membership as an ITB—anything to encourage sharing information.

Collaborating on cyber-threats and building our collective resilience are critical to prevent, detect and contain cyber-attacks in the private sector. Our success increases significantly when we work together.

Thank you.

Thank you very much.

Good morning. I'm honoured to be here this morning speaking on behalf of my organization, Optiv.

Our level of preparedness to the wide range of threats posed by Russia deserves this dialogue, our collective engagement and our commitment to focus on hardening our systems, preparedness and response. Optiv is pleased to be part of this dialogue.

As a practitioner who has contributed to national security in various roles in government for 30 years and now with the pure-play cybersecurity integrator for close to four years, I'm keenly interested in our approach to understanding and countering the cyber-threats facing us from Russia and other nation-states that wish to do us harm. This threat knows no national, provincial, territorial or municipal boundary.

Cybersecurity is a team sport that requires mature governance, focused attention, measurement and exercising. Continued diligence must be the standard.

I'll say a few words about Optiv.

Optiv is a world-class leading cybersecurity integrator. We work alongside clients and public, private and not-for-profit sectors to manage cyber-risks and equip organizations with perspectives and programs to accelerate business for program progress. We cover the wide range of cyber-products and services including but not limited to threat intelligence, threat hunting, incident response, managed services, and identity and data management.

In my role at Optiv as executive director of the office of the chief information security officer, I have pan-Canadian responsibility to engage all sectors and verticals in understanding, quantifying, exercising and enhancing their cyber-posture. Typically this is performed on a risk-based approach.

What do I mean when I talk about a risk-based approach? You begin by understanding your cyber-program. You then measure your cyber-program and identify gaps that must be closed to reduce risks to the organization. This is done on the backdrop of a changing environment requiring diligence and constant improvement. In the world of cybersecurity, your job is never complete. Organizations cannot take a day off. Digital transformations in cybersecurity are fast-paced, mission critical and increasing in complexity. It is incumbent upon all stakeholders and citizens to positively impact our digital environment.

Let's move to the weighty question of our level of preparedness on the threats posed by Russia, with a focus on continuity of government and critical infrastructure. Of course, government is part of critical infrastructure, but I'll speak specifically to the federal government.

At a high level, what is the threat posed by Russia? Let's take a look at the initial threat.

Prior to the ground offensive, Optiv's global threat intelligence centre widely distributed an advisory summarizing cyber-incidents related to ongoing tensions in Ukraine, as well as previous cyber-activity attributed to the Russian government and supported military operations in eastern Europe. Cyber-activity and Russian influence operations against Ukraine and NATO supporting Russian military shaping operations include denial of service attacks, psychological operations and disinformation campaigns as pretexting for military operations.

Let's move on to the question of preparedness. How do we measure our level of preparedness? We strive for a horizontal approach to cyber when threats and needs vary by critical infrastructure vertical. Cyber-programs should be right-sized to the organization; however, they can still be reported in a consistent manner. Every organization should know the health and status of their cyber-program. I can't put too fine of a point on that: every organization. You need to measure this. Then you need to determine the end state of your cyber-program. If there's a gap between those two, you need to endeavour to close that gap.

Practically, what does this mean? It means assessing your cyber-program, metrics, assessing gaps and developing a cybersecurity strategy. From the strategy, build programs and plans to address the gaps. You must evolve an incident response plan and business continuity plans to ensure continuity of operations. With this, you can support it by metrics and a dashboard. You need to exercise those plans to ensure that you are ready to respond to an incident. Then you need to continuously measure and improve the program.

I'd be happy to provide the committee with concrete recommendations during our discussions.

I will leave my opening comments at that, and I'll be pleased to take questions during the further discussion.

Thank you very much.

I think it is a cause of great concern. Essentially, because of Mr. Putin's badly advised or probably not advised invasion of Ukraine, Russia will be considerably weakened, both militarily because they're losing a lot of stuff—they lost the Moskva in the Black Sea—and they're also going to have their economy crippled. This will force Russia to have to rely more on China for export of the commodities that sustain Russia's prosperity, oil and minerals, and also to rely on China for bucking the sanctions that we've imposed. China has facilitated North Korea in effectively avoiding the sanctions that we attempted to impose on that regime.

We'll be in a situation where China I think will certainly extract a price for this, which will be that they will expect Russia to collaborate with China in China's overall global agenda, and that could include seeking Russian military support for action taken against Taiwan in the future, and combining with Russia with regard to claims in the Arctic.

Russia, as you know, claims pretty much everything under the Canadian continental shelf, and China has the resources and ability to actually start to exploit those Arctic resources. China referred to itself recently as “a near-Arctic state”. I think it's about as near to the Arctic as Yemen, but in any event, they want access to our northern resources for strategic purposes, ports and so on, and to our natural resources.

With the strategic positioning of Russia, if they go together, this is really very bad news for Canada. As I've argued elsewhere, unlike some of the other witnesses to this committee, I really feel that we need to start thinking about what sort of protection we can have for our northern regions. It's not really about do we give 2% or less or more. It's really about how much is it going to cost to overcome decades of neglect of our Arctic, particularly as Russia and China combine together and actually start to pose an effective threat in the light of global warming opening up those waters to navigation by Chinese and Russian vessels of various kinds.

I wouldn't want to politicize it in terms of a political party, but I do think that if we do not make diplomats in Canada accountable for activities that are not consistent with their diplomatic status, whether this is menacing and harassment of people in Canada, or attempting to influence discourse in Canadian newspapers, particularly Chinese-language media, by coercing advertisers and the persons who may have relatives back in China to not report on things or to report them in a certain way.... I think those diplomats should be made accountable and we should PNG them, declare them persona non grata, and bear the consequences of reciprocal expulsions.

Our passive attitude towards this simply emboldens these regimes to do more. I think we have to put a stop to it. I anticipate that we'll see more of this in collaboration with our allies, particularly in Europe, in the months ahead.

Thank you again for the question, Ms. Dancho.

You're absolutely correct. The small and medium-sized enterprises make up 98% of our economy, so in fact they're not just the supply chain for the large corporations but for the entire economy. They undoubtedly represent our weakest link, although I hate to use that term, and they represent that because, according to recent stats, 44% of them do not have any defences in place against a possible cyber-attack.

Many of our smaller organizations don't have the data. They don't feel that they're under attack or that they're a target for an attack. What they're not realizing is that data of any kind makes you a target.

You're quite correct. Forty-four per cent don't have any form of cyber-defence and 60% have no insurance, and we need to do more.

Thank you for your question. There are quite a few elements to that question.

Number one, historically—or when I began my career in government—when we looked at these threats, we certainly looked to nation-states, to the Russian threat and so on. It was handled in government, but it was not as pervasive in the private sector. Today, that threat against Canadians is not only a national security concern for governments themselves, but also a national security concern for critical infrastructure. We know that most critical infrastructure is not owned by government and, in a lot of cases, not necessarily regulated by government.

The weakest link is sitting back and thinking you're okay by not having a program, by not measuring risk, whether you're a small, medium or large enterprise.

I enjoyed Jennifer's comments on small and medium-sized enterprises, but I'd also like to highlight that larger enterprises are potentially a more lucrative target for our attackers. Therefore, an advanced persistent threat, such as Russia's, or other state-sponsored threats, is really tough. We have to be 100% vigilant, not only internally to the organization but across our suppliers when we're thinking of third party threats as we're moving to different platforms and so on. It's very important.

Now, the million-dollar or potentially billion-dollar question is, really, what do we do about this? I'd like to highlight some work the National Security and Intelligence Committee of Parliamentarians put together and was tabled not very long ago. They had a framework and activities to defend systems and networks of government. It was tabled in February. It's an extensive report. It's worth reading. By the way, all of the recommendations were accepted.

It raises a couple of issues, one being—and this is a direct quote from the report—“Who is protected depends upon who you ask”. We need to fix that, quite frankly. We need to fix that from both a responsibility and an accountability perspective, but we also need to fix “who do you ask?” That's really important to us.

Another quote is, “The threat posed by...gaps is clear.” We know we have gaps. This is not an effort to blame people or organizations for gaps, but we know we have them and we must be diligent in closing them. We must be doing so in a programmatic way, where we're hitting the high-threat items.

Cybersecurity, in my opinion, is not about dollars spent, because you can spend immeasurable amounts of money on this; there's no question. Cybersecurity is, once again, about team sport and spending your dollars in the right areas that are going to have the best effect on government systems, on critical infrastructure systems or on shared systems.

Sir, does that help?

We can talk about the responsibility for regulation.

My preference is not to overly regulate. Once again going to small and medium-sized businesses, do they have the resources to respond to regulation? It is potentially more of a supportive environment, communication environment. Whether you're a small or large organization, or a home owner with a network in your house, which we all have, there are immeasurable resources out there, from Public Safety Canada, RCMP and others, to help us secure our systems. For a small business, those can be very useful.

On closing the gaps, quite frankly, the gaps can be closed, but you need to understand them. You need to understand the gaps, the impacts of those gaps, and you need to understand who wants to do you harm.

I'll give you an example. If you look at the financial sector versus the agricultural sector, there may be different threat actors going after each one of those. The disruptive actors who just want to create disruption will go after anybody. You need to identify your gaps and you need to close them.

The bad news there is that the world is changing around you. The environment is changing around you as you're doing all of these things. If I assess a system today, or a system of systems, and I'm down a two-year road to close those gaps, which is not unreasonable, what other gaps are presenting themselves during that period of time, and how can I be relevant and move the program forward at all times?

Compared to other countries, Canada has been less proactive in prosecuting or outing elements that have engaged in cyber-espionage. The United States has identified a number of agents of the Chinese People's Liberation Army who have been involved in this kind of activity.

We tend to be reluctant to engage, particularly with the Chinese, with regard to activities like cyber-espionage, suppression of Chinese language media or indeed harassment of people who might wish to speak out. They are harassed either by Chinese agents directly or through various kinds of harassments over the Internet.

This has been because our government has given priority to the promotion of prosperity in our relations with China and is prepared to tolerate these sorts of activities, because the cost to Canadian business and Canadian prosperity would be high.

The Chinese government has made it clear that if Canada does crack down on these sorts of activities of agents of the Chinese state in Canada or cyber-disruptions, we will lose business. You may recall the hack of NRC aerospace data or the earlier hack of the Treasury Board and other related government departments. From what I've heard, they were attributable to the Chinese state, but there have been no consequences to China for doing these sorts of activities.

It really is a question of political will, and it would be great if your committee could start to compare the policies of other like-minded countries, particularly the United States, the U.K. and Australia, with regard to this sort of activity. Our cyber situation is really so grave that, arguably, it looks like the Five Eyes is being reduced to three eyes.

When you look at the Quad, it doesn't include Canada. When you look at the Australia, U.K., and U.S. activity in the Indo-Pacific, to the best of my knowledge, the United Kingdom is not an Asia-Pacific country. Canada is, so why have the United States and Britain decided not to include us in the recent consultations between the United States and the U.K. on Taiwan, along with Japan? Part of our country is geographically closer to China than Australia. Why are we being excluded?

I think it's because we have not been pulling our weight in terms of addressing threats to public safety and national security, and our allies just don't see us as reliable partners anymore, along with New Zealand, which is for different reasons. I feel very sorry about this, but I do feel it is not too late. This is the Parliament of Canada. We can turn this around.

Yes, if you look at the United Kingdom last year, it expelled three spies posing as journalists working in the U.K. It revealed that there was an agent of the Chinese state, Christine Lee, who was giving generous donations to certain politicians who then, one presumes in response, would be representing the interests of China over the interests of their own country.

We've seen in the United States much more concern about the leak of high-tech technologies that would facilitate a dual-use military technology or technologies that would facilitate cyber-espionage out of universities. Canada has not responded to things like the Australian Strategic Policy Institute's report that revealed that there were researchers of the People's Liberation Army working in sensitive areas of high tech at Canadian universities. They had entered Canada under false pretences by not revealing their status as military officers, and it goes on.

Why didn't we do more about the Michael Chan matter in Ontario? CSIS said he had frequent contacts with the Chinese consul general, but we don't know what they were talking about. It's important for Parliament to know.