Public Safety Committee on May 3rd, 2022

The answer is yes. Particularly Australia, the U.K., the U.S. and also Scandinavian countries have a lot to teach us in terms of drawing the appropriate line between not revealing information that would be threatening to Canada's national security and where the security agency is not, in effect, protecting its own inadequacies in the performance of its duties as described in the mandates to the ministers that oversee them.

In Canada, I think we have far too much polite agreement with security agencies that say that they can't tell you this or that. I think it's a cultural issue. To some extent, frankly, I feel that they disdain parliamentary committees and do their best to tell you as little as possible for fear that if you find out something, it might reflect negatively on them or on past assessments that may not have been accurate.

I do think there needs to be more trust of parliamentarians to maintain secrecy. We need to be looking at the kinds of parliamentary or congressional committees that exist in other countries. We need to try our best to see if we can make Canadian committees more able to inform decisions about what legislation needs to be made based on a full understanding of what is going on.

I really don't think that in any other country the Cameron Ortis matter would be suppressed for so long, or that Quentin Huang, who was alleged to have transferred military technologies to the Chinese state—

I would suggest that we start with the safe harbour legislation. Make it easier for organizations that have been attacked, through any of the methods, to not just report that they were attacked but to tell the world what happened. That creates transparency on the threat and helps other organizations. Echoing what Michael was saying, it's a team sport. If we are telling each other what has happened and how people got into our systems, it will prevent further attacks.

I think that is the easiest thing to do, the safe harbour legislation.

On the cryptocurrency side, you would have to really speak with the banks to find out. There is no transparency on cryptocurrency. That's the nature of it. Who has been paid what, by whom and when is very difficult to speak to.

Thank you for the questions.

On the amount of money that has been provided to CSE, I would look for specific outcomes in cybersecurity and in Canada—specific outcomes in the fields in which they play, which is just about everywhere in Canada.

I think we want to be very outcomes-based on the spend. I also think we want to be very careful to build our organization for today's and tomorrow's threats, not last year's threats.

Thank you.

I'm of the opinion that it would be better if these matters were addressed through a committee of Parliament—people with security clearances—with perhaps some sessions held in camera, not publicly. I would rather see it as part of the regular parliamentary process. I'm not aware of any other country in the world that has anything comparable to our process, and I am concerned about whether it can be as effective as the committees of other parliaments in terms of ensuring that our public safety and national security agencies are being fully accountable to Parliament and that they are providing parliamentarians with the information they need to draft or change legislation to better meet the threats.

One example I can offer is our legislation on the transfer of classified technologies to agents of a foreign state. I have had the honour of working for the RCMP in preparing some cases on these. When the cases were sent to the Department of Justice—the two I know about—they were not acted on because our legislation is too weak and it was felt that the people alleged to have been traitors to our country by transferring classified technologies to agents of a foreign state would not be made accountable for it.

Our legislation does not compare favourably to that of other nations more successful in this. The British and the Americans are doing dozens of cases a year. When was the last time you heard of anybody prosecuted for this in Canada? To the best of my knowledge, never. This is a problem. It means we are considered a good sort of place for people who want to tap into our high tech through various legitimate or illegitimate means, and that just shouldn't be the Canada that we are.

Absolutely, and thank you. I was afraid you were going to ask me that question. I may give a bit of a different perspective on this, having spent most of my federal career within that community.

With all due respect, I wouldn't necessarily accuse the community of stonewalling. However, I would potentially accuse them of overclassifying information. I think this comes down to the culture and the culture of those organizations.

When I joined CSE on April 2, 1988, I wasn't allowed to tell my family how many people worked there. There were so many things that you.... You were behind that iron curtain. We had this...call it a cloak of secrecy or “need to know”. Call it what you want. The community needs to mature on that front.

If we are going to really engage critical infrastructure, critical infrastructure players can get security clearances. We can provide them with classified information. The government can do that. That is available. We need to declassify when we need to declassify. Having valuable threat information but not being able to act on it is not a good place to be. Those are my thoughts on that.

As it relates to the national security committee of parliamentarians, I can tell you that I personally did a happy dance when it was formed. I thought that was a tremendous step forward. It was good on us and good on Canada for doing that. Does it require some tweaking as it matures? Potentially, but it is a very good construct for Parliament.

I think we have done one good thing. I was very pleased with the government's budget with regard to critical minerals. As the situation develops, and as I believe that Russia will move more into alliance with China, it will be challenging for us to engage in secondary sanctions against China if China does with Russia what it's been doing with North Korea: facilitating the breaking of the sanctions that we are imposing on Russia to try to induce Russia to come into compliance with the norms of the international, rules-based order. It will be harder.

If the world is going to split into two camps of the autocracies and the countries that Russia and China are able to bring into alliance in various ways.... China has quite a successful ability to rally support in the UN from nations that have received benefits under their belt and road infrastructure program. If we're going to be in that kind of situation, it's important that we ensure our supply chains as a matter of national security, so that we cannot be subject to coercion by countries that will say, “We will give you the element that you need, but if you're not nice to us in complying with our political agenda in your country, we'll cut you off.” We saw that with the Chinese sanctions against canola seeds and meat at the time of the fiasco with Meng Wanzhou and the completely unjustified and brutal incarceration of Michael Kovrig and Michael Spavor.

We have to look at the situation seriously. We have to look at the CSIS assessments, which are critical for you to understand what Canada has to do. It's not going to be without cost. There's no point in our pretending that this is not happening, because it is, and we have to make the hard choices necessary to protect our nation and the other nations of our like-minded allies as a consequence.

Sure. I would certainly support mandatory reporting for select critical infrastructure players, and what I mean by that is when you look at the 10 sectors within critical infrastructure, they're very large, agriculture being one of them. Are we going to ask for mandatory reporting from a dairy farmer with 60 head of cattle? We need to approach that with caution.

That being said, if we are moving to a regime of mandatory reporting, we need to absolutely ensure that the reporting is safeguarded, that the source of that reporting is safeguarded, that the after actions on that reporting are safeguarded, and so on and so forth, and that we find a way to share that knowledge nationally, because the last thing we want to do is have organizations report on breaches and have that disseminated where we don't want it disseminated. When you aggregate all that information, that's a lot of information.

Absolutely. Mandatory reporting is a good concept. It certainly assists the government to understand the size of the threat, but if the information that we learn from that mandatory reporting is not disseminated to the greater economy to help it defend against the same threat, then really we're just going to be seeing the same thing happen over and over again. There's no point in—

The first recommendation would be to the government, as a player within critical infrastructure, to get it right, to take the series of reports on this subject and to tiger team those reports and look at how we're going to better protect the government infrastructure.

As I mentioned earlier, there was a report by the committee that was accepted very broadly. It covers 169 federal organizations. I think the first step would be to understand the threats that are prevalent in each one of those 169 organizations to ensure that they are reporting on those threats, identifying gaps and identifying how they're going to lower those gaps.

I think it's very difficult to go out to providers of critical infrastructure and tell them what they must do, if you're not doing it yourself. I think the funding, the teams and the people are there to accomplish this. Teaming across government departments is not always easy. They come with different cultures. They have different mandates, but I believe we really have to ensure that we can do so.

Number one would be for the government to get it right.

Then, of course, we need to look at how we are providing, how the government is providing, advice and guidance to critical infrastructure providers and others. I would really want to look at the number of organizations out there that are supporting cyber-environments, such as CCTX and others, and how can we harmonize that level of support to Canadians and Canadian infrastructure.

The reason I say that is there is a wealth of organizations. Some security officers are really looking at who they should talk to, amongst this wealth of organizations. Where will they get that valued information and who can be that trusted partner? Those are some of my recommendations.