Evidence of meeting #21 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.
A recording is available from Parliament.
1 p.m.
Professor, Polytechnique Montréal, As an Individual
I don't know who the question is for.
1 p.m.
Liberal
1:05 p.m.
Professor, Polytechnique Montréal, As an Individual
When it comes to transportation, the key is to work on the supply chain, which is done using multimodal transportation. In fact, vulnerabilities tend to occur at the border of two modes of transportation, for example, from marine to rail or rail to road. It's at these stages of transition in the multimodal transport chain that vulnerabilities are found, and it's these that need to be addressed as a priority.
1:05 p.m.
Liberal
The Chair Liberal Jim Carr
Thank you very much.
Mr. McKinnon, it's over to you now for a six-minute round. Begin whenever you're ready, sir.
1:05 p.m.
Liberal
Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC
Thank you, Chair.
I'm going to start with Dr. Paquin. You made a remark about NATO and article 5 that I'd like to clarify. It seems to me—perhaps I heard you incorrectly—that you said article 5 could be used to justify a response to an attack on us. My understanding of article 5 is not that it would justify a response by us for an attack on us, but it would require us to respond to an attack on one of the other NATO members.
Are you suggesting that, by a cyber-attack on one of our NATO allies, we would be required to respond via article 5?
1:05 p.m.
Full Professor, Department of Political Science, Université Laval, As an Individual
That's a very important question.
There is growing concern within NATO about the consequences of cyber‑attacks, because we know that cyber‑attacks can be significant. Indeed, under NATO's growing position, a large‑scale cyber‑attack within a country against its facilities or critical infrastructure could be considered an attack against one of the members of the organization.
Furthermore, article 5 of the North Atlantic Treaty does not provide that all members of the alliance will automatically enter into a military confrontation against the state that has perpetrated the threat. Rather, it provides that each member will be responsible for taking whatever means are deemed appropriate to assist the state that is the victim of a cyber‑attack.
The main problem with cyber‑attacks and NATO is attribution, as my colleagues Dr. Nora Cuppens and Dr. Frédéric Cuppens mentioned. That means being able to prove beyond a shadow of a doubt that a major cyber‑attack was perpetrated by the Kremlin, for example, in Canada, by the government, and not by hackers who act autonomously or independently on Russian territory. This is not an easy thing to prove.
It could have the effect of causing member states to debate whether that's really the case, and therefore loses much of its relevance.
1:05 p.m.
Liberal
Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC
Thank you, Dr. Paquin.
I'm going to switch now to Dr. Nora Cuppens. Some of our previous witnesses have identified that one problem in Canada is the lack of a central agency to coordinate and manage, across our society, possible attacks. CSE has a very narrow role in that respect.
Is that a role that CSE should be undertaking, or do you have any comments on the fundamental premise?
1:05 p.m.
Professor, Polytechnique Montréal, As an Individual
Thank you for the question.
I come from Europe, and it's true that in France, in particular, there is the Agence nationale de la sécurité des systèmes d'information, which plays an observatory role as well as a sovereign role, as Dr. Frédéric Cuppens mentioned earlier. So we need a similar institution that would operationalize, if you will, the protection of our systems and infrastructure. It could be the Communications Security Establishment.
We have all kinds of rules on computer hygiene and rules that tell us how to protect ourselves or react to attacks, but there is no obligation to enforce these rules on protection, detection and response to intrusions. It seems to me that establishing such an institution that would play a role as a cyber‑surveillance and observatory, that would push for regulation and verify that the rules are being applied, is of paramount importance to ensure that we are moving in the right direction.
Some might say that it's complicated for small‑ and medium‑sized businesses to apply certain rules. However, they could be associated with an entity that is conducting cyber‑surveillance to help them gradually acquire that protection. We talked about the supply chain earlier. Attacks aren't directed at entities head‑on; they always come from third parties, particularly in the supply chain. So they tend to be the least secure entities.
1:10 p.m.
Liberal
Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC
You mentioned, of course, small enterprises and so forth. For the dairy farmer or the garage down the street, they are connected to the Internet and they're possibly either vulnerable themselves or perhaps a gateway to someone else's vulnerability. This kind of protection, the detection of an attack, is a very specialized and arcane skill set.
How are those kinds of companies and organizations going to protect themselves and, therefore, the network from attack?
1:10 p.m.
Professor, Polytechnique Montréal, As an Individual
I can answer the question in two ways. The first is a classic answer that everyone is familiar with—
1:10 p.m.
Professor, Polytechnique Montréal, As an Individual
It involves taking action on cyber hygiene.
The second is outsourcing. When you don't know how to do it, you ask for help from experts. The approach is to outsource that work to entities that know how to do it. The company is then an entry point.
1:10 p.m.
Liberal
1:10 p.m.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you, Mr. Chair.
I'd like to thank the witnesses for accepting our invitation to appear before the committee.
Dr. Paquin, I suspect you were my professor at Laval University in another life. You taught me a lot about American foreign policy, and I'm sure that your expertise on Canadian security, among other things, will be of great benefit to the committee.
At the beginning of the conflict in Ukraine, you mentioned that since World War II, there has been a desperate desire to avoid a conflict between two nuclear superpowers, and that's why western powers didn't want to go beyond economic sanctions, for example.
How might Russia react to these economic sanctions, and how should Canada prepare?
Do you think Canada is sufficiently prepared for any kind of attack?
1:10 p.m.
Full Professor, Department of Political Science, Université Laval, As an Individual
Thank you for the question, Ms. Michaud. It's a pleasure to see you again in a context other than academia.
To answer your question, I would say that it's very important for Canada to do everything in its power to limit the conflict in Ukraine to Ukrainian territory. As long as we focus on economic sanctions and remember that our goal is to help Ukrainians liberate their territory in the name of international law and liberal values, things will work out relatively well, in my view.
The problem I see is that in the last week or two a new Western strategy has emerged in relation to Ukraine. The goal is no longer just to help Ukrainians defend themselves, it's also to weaken Russia.
Canada's Deputy Prime Minister and Minister of Finance Chrystia Freeland said when she tabled the federal budget on April 7 that democracies, including Canada, would only be free when the Russian tyrant was defeated.
Of course, we can see this kind of rhetoric as being legitimate, but the signal it sends is that our strategy is not to liberate Ukraine, but that we really have taken a more offensive strategy focused on weakening Russia. This could lead Russia to counterattack. We know that Russia feels humiliated and that is certainly true for a number of reasons with regard to President Putin, and it has been for at least 30 years. Because of our actions in Ukraine, including the delivery of heavy artillery—and that's what Canada is doing right now with its allies—if Russia were to lose the war or if Russia were unable to win in eastern and Southern Ukraine, it's a safe bet that there will be retaliation and that, essentially, the Russians will not maintain the status quo.
I think there could be cyber-attacks, not against small or medium-sized businesses, which are not integrated, as it were, into large value chains, but rather on critical infrastructure. That's why I feel governments absolutely must increase investment not only to secure Canada's digital space, but also to increase coordination with key Canadian businesses, provinces and territories as well as our key partners, including the United States and the United Kingdom.
1:15 p.m.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you very much.
You touched on a pretty important point in your opening remarks when you spoke of Canada's role in this conflict and the perception of that role.
We know that China and India, in particular, have not denounced the Russian invasion of Ukraine.
What impact might this diffusion of Russian perception have on other world powers in terms of Canada's role? In what ways do you feel this could come to throw the world order off kilter?
Are we safe from this kind of global disinformation campaign?
1:15 p.m.
Full Professor, Department of Political Science, Université Laval, As an Individual
Thank you for the question.
Before February 24, many observers wondered whether Western countries, including Canada, were willing to go far enough to defend the values they hold. Many doubted it. President Putin and Chinese President Xi Jinping doubted it.
In my view, the situation in Ukraine shows that Western countries, Canada and other NATO members in particular, are able to be more cohesive in terms of their actions as well as their cooperation when danger is in the air, in a sense. That's important. This is a decisive moment because the message we're sending to countries like China, in relation to Taiwan, is that we're ready to do whatever it takes, that we are even ready to wage a proxy war to defend our allies, our democratic partners. The Canadian government's message is very clear. Canada's approach is quite dichotomous, if not Manichean, when it comes to good democracies versus autocracies, which are not good.
Canada has a very clear position on this situation. That's not always been the case. For a long time people wondered where Canada stood.
1:15 p.m.
Full Professor, Department of Political Science, Université Laval, As an Individual
Canada was struggling to move forward with clear and assertive positions. Now it's made its bed, and the world knows where Canada stands on these issues.
1:15 p.m.
Liberal
The Chair Liberal Jim Carr
Thank you very much.
Mr. MacGregor, the last slice of this round goes to you. You have six minutes, sir, whenever you're ready.
1:15 p.m.
NDP
Alistair MacGregor NDP Cowichan—Malahat—Langford, BC
Thank you very much, Mr. Chair.
Thank you to all of our witnesses for helping guide our committee through this study.
Dr. Nora Cuppens, I would like to start with you.
In your opening remarks, you were talking about the information war that exists and Russia's responsibility in that. Here in Canada, during the month of February, we noticed a switch at the end of that month from a lot of groups that were involved in anti-vaccine protests. Suddenly, with the war beginning in Ukraine, there was a noticeable shift to a pro-Russian stance. They started echoing Russian propaganda and really trying to promote that. It was almost overnight from the beginning of the war in Ukraine.
Dr. Nora Cuppens, what can we learn from that?
I guess it speaks to the level of Russian involvement in developing that misinformation and spreading misinformation in Canada. I think many of us rightly perceive that as a threat to our democracy, if we can't even agree on a common set of facts.
Moreover, what programs and policies can the federal government effectively enact to combat that when we have a state actor that is very hostile to Canada's interests meddling in our internal affairs and exploiting those divisions in our democracy?
1:20 p.m.
Professor, Polytechnique Montréal, As an Individual
Thank you for the question.
It's true that we keep coming back to this issue, which all three of us have brought since the beginning of this meeting: the attribution aspect.
In our cybersecurity efforts, we often correlate to try to see if there is an intrusion or an attack going on, what the target is, and what the security objective is. The reasoning is the same. It starts in cyberspace and ends up in the everyday space on the ground, therefore protests and so on.
So it's hard to say whether the motivations or reasons that led to the protests are necessarily related to the Kremlin, the Russians or other such events. There are also isolated initiatives, even pro-Russian ones, where people personally take action to help move things in Russia's direction.
It's not easy to determine whether it was a Russian initiative that led to protests like these. It's also difficult to correlate when the Russian invasion started on February 24 to some events that happened on the ground in connection with the protests or with attacks on energy sector infrastructure in Ukraine, operators or satellites, because we mustn't forget the space element.
We are looking into this issue, and we haven't yet found the answer when it comes to this attribution aspect, which allows for investigations. Once we determine attribution, that will bring in other legal aspects and responsibilities—
1:20 p.m.
NDP
Alistair MacGregor NDP Cowichan—Malahat—Langford, BC
Thank you, Dr. Cuppens.
I'm sorry to interrupt, but I only have two minutes left. I want to get to Dr. Frédéric Cuppens.
Sir, you mentioned France's cybersecurity law. I think you're referencing the critical infrastructure information protection. France has identified 12 sectors, which include food, health, water, telecom and broadcasting, space and research, industry, energy, transport, finance, civilian administration, military activities and justice. You used that as an example. Canada needs to take the lead at the federal level on establishing cybersecurity.
What kind of recommendation would you, sir, like to see this committee make to the federal government? Would you like to see us take the France model and introduce federal legislation here to really have that basic level of requirement across those sectors?
If you could elaborate on that, it would be helpful, sir.
