Public Safety Committee on April 18th, 2023

Thank you very much.

Mr. Chair, committee members, thank you for your invitation to appear today.

In addition to Senator Frances Lankin, I am joined by two representatives of the NSICOP Secretariat: Ms. Lisa‑Marie Inman, executive director, and Mr. Sean Jorgensen, director of operations.

It is my pleasure to be here to discuss the committee's 2021 annual report. The report accomplishes two objectives. First, it fulfills the committee's legislated annual reporting requirements. Second, it summarizes the special report we completed in 2021, which was our cyber-defence review.

I'll begin with the committee's four annual reporting requirements.

First, our annual reports must include the number of times a minister determined that a review we propose cannot proceed because it would be injurious to national security. To date this has not occurred.

Second, our annual report must disclose the number of times a minister refused to provide information to the committee because the information constituted special operational information and would be injurious to national security. To date this has not occurred.

Third, we are required to report the number of issues the minister referred to us for potential review. In 2021 there was one such referral. On June 4 the Minister of Health sent a referral to the committee regarding possible security incidents at the National Microbiology Laboratory in Winnipeg.

Fourth, we are required to include our findings and recommendations. In 2021 the committee came to four findings and made two recommendations, all as part of the cyber-defence review. I will discuss that report later in my remarks.

In addition, Mr. Chair, pursuant to the Avoiding Complicity in Mistreatment by Foreign Entities Act, 12 departments are required to provide their minister with an annual mistreatment report and then to provide it to NSICOP as soon as is feasible. All 12 departments have provided us with their annual mistreatment reports.

Next, I'd like to highlight that last year, the committee marked its fifth anniversary. Since its creation in October 2017, the committee has completed nine reviews, with 29 recommendations for the government.

In 2018 the committee completed reviews related to the Prime Minister's trip to India that year, the military's intelligence activities and how the cabinet sets the government's intelligence priorities.

In 2019 the committee completed reviews related to diversity and inclusion, foreign interference, the Canada Border Services Agency and the collection and use of information on Canadians by military intelligence.

In 2020 the committee completed an overview of the threats to Canada.

In 2021 the committee completed the cyber-defence review.

In 2022 the committee completed a review of the national security and intelligence activities of Global Affairs Canada.

Presently, the committee is completing its review of the federal policing mandate of the RCMP.

In the interest of pursuing our second foreign interference review, the committee has temporarily paused its work on the review of the lawful interception of communications for security and intelligence activities.

Members might recall that NSICOP is dissolved during writ periods and is then reconstituted within 30 sitting days after the return of Parliament. Therefore, over the past five years approximately there was one year in total not available to the committee to pursue its work. It was not operating because of two elections, in 2019 and 2021.

Now I would like to turn to the “Special Report on the Government of Canada's Framework and Activities to Defend its Systems and Networks from Cyber Attack”, published in 2021.

We conducted the review because of the importance of federal systems and networks, which form part of Canada's critical infrastructure. These networks store large amounts of personal information and are used to deliver essentially every government service.

Government networks are under relentless cyber-attack by a number of states, most notably China and Russia, and may be vulnerable to malware and other forms of cybercrime. Today, the federal government is a world leader in defending its networks, but this was not always the case.

In the early 2010s, China carried out damaging cyber-attacks against 31 federal departments. This was a wake-up call in terms of the scale of the government's cyber-vulnerability and its poor defences.

Since then, the government has incrementally developed a strong cyber defence system, in terms of both governance and technical capability.

This brings me to two of our findings.

First, our report found that over time the government's approach to cyber-defence evolved towards one that considers all government systems as a single enterprise. This horizontal approach, colleagues, has considerably improved cyber-defence, although we found it is challenged by the vertical nature of accountability in the government.

Second, our report found that not all federal organizations receive the same cybersecurity protection. There are two related reasons for this. First, the Treasury Board’s cybersecurity policies do not apply to the entire government, and when they do apply, they do not always apply evenly. Second, departments are not obligated to adopt the cyber-defence services offered by Shared Services Canada and the Communications Security Establishment. This means that many federal organizations are entirely outside the government’s cyber-defence perimeter, while others pick and choose services and do not subscribe to them all. These gaps and inconsistencies undermine the enterprise approach to cyber-defence. A system is only as strong as its weakest link.

With all this in mind, the committee made two recommendations. First, the committee recommended that the government continue to strengthen the enterprise approach to cyber-defence. Second, the committee recommended that the government fully bring all federal organizations into the cyber-defence perimeter, and that the cybersecurity policy suite should apply to all federal organizations, including Crown corporations.

The government agreed with both recommendations. Indeed, we are pleased that, for the first time, the government provided an official response to our recommendations in this cyber-review. However, the government has still not provided any updates with respect to 20 other recommendations contained in six of our previous reviews.

The last point we would like to raise is that this year we expect Parliament to begin a comprehensive review of the NSICOP Act. We're aware that your committee has sought to be designated as the House committee for this review. Once a committee is designated to conduct the review, our committee would be happy to make a specific series of recommendations about potential reforms of the act.

Today, I will only emphasize the importance of the committee’s access to government information. Indeed, the committee faces several challenges to obtaining the information we are entitled to under the law and that we need to fulfill our mandate. For example, the committee is concerned that departments are applying an overly broad interpretation of what constitutes a cabinet confidence.

In closing, I wish to say that all of our reports are the result of the incredible and dedicated work of my colleagues on the committee. The cyber-defence report is yet another example of a unanimous, non-partisan review of a crucial government activity by a committee of security-cleared senators and members of Parliament from all major parties and groups.

Thank you very much, colleagues.

Thank you, Mr. McGuinty, and thank you all for all your work over these many years to work to keep us safe.

We'll start now with our first round of questions. We'll start with Mr. Shipley for six minutes, please.

Thank you, Chair, and thank you to the members for being here today and for sharing your time.

I'd like to start off by directing my first question to Mr. McGuinty, and if he has to pass it along, that's fine.

Mr. McGuinty, at the beginning of March, the Prime Minister's Office asked the Clerk of the Privy Council and the Minister of Intergovernmental Affairs to bring forward a plan to implement the five years of outstanding recommendations from your committee.

Given that it is now mid April, are you aware of any outstanding recommendations having been implemented since that announcement?

The committee received, I believe maybe a week ago or less, a document that is an attempt to update Canadians on recommendations to counter foreign interference in Canada's democratic institutions. I believe the assignment given to the clerk and to Minister LeBlanc by the Prime Minister was to speak directly to recommendations not only from NSICOP but also from other authors who had evaluated the protocol process. I think the assignment was to let Canadians know how far the government has come in implementing our recommendations and its recommendations.

We're encouraged with what we've seen, but we would encourage this committee to call the government again to perhaps provide more detail on how it is moving forward.

Thank you for that. It's a nice segue to my next question.

I was a little shocked to find out that the government has only responded to one report in the five years of NSICOP's existence. Do you think a set time period in which the government must respond to your report should be implemented?

It's an issue that's live among the committee members. Trying to ensure that the work that's done...it's very difficult, to be candid with colleagues. It's difficult and it takes a long time to arrive at these recommendations. We don't arrive at them lightly. The deliberations are long and extensive. There are some folks at this table who, I think, sat on our committee and understand what we speak about here.

We are hopeful that the government will now pay close attention, perhaps closer attention, to some of the recommendations, like what we put forward here today on cyber.

Again, I would encourage this committee to ask the government to come forward and to explain to what extent it has implemented the recommendations to bring more federal organizations inside the cybersecurity perimeter.

Thank you for that. Maybe I'll delve into that a little further.

We are all, obviously, sitting on committees, and it's great work that your committee is doing. We all work hard in these committees. Sometimes I wonder about these reports and what happens to them. Do they just go and sit on a shelf somewhere?

From what I mentioned in my last question, is your committee sometimes feeling that perhaps it's just not being acted on enough?

There may be some times when we're looking for more immediate take-up. Sometimes it's difficult to point to the effects of the work. For example, the new architecture of review in Canada has compelled many organizations that are now subject to review to actually buttress and create new units inside their departments, such as the Department of National Defence. Prior to the existence of NSICOP and NSIRA, the Department of National Defence didn't really have a formal mechanism to respond to external review and now it does. That's encouraging.

The new architecture of review is pulling the government forward as a whole. There are some things we can point to directly. For example, the government did announce in the budget the creation of a foreign interference coordinator role at Public Safety—which is also in its recent report that I pointed to a minute ago entitled “Countering an Evolving Threat”. We've seen that some of the recommendations from NSICOP ended up directly in mandate letters for ministers, like DND and Public Safety. We've seen the public safety minister act directly on a CBSA review recommendation and implement direct change.

We're always looking for more take-up and more traction, because the purpose of the committee, why we're here, is to improve the situation for Canadians.

Thank you for that.

Mr. McGuinty, you touched on something in your opening remarks, namely, that we will soon be implementing or starting a five-year review of NSICOP.

I know this might be a little premature, but just to get our minds centred around some things, are there any major themes you would see for changes that we should be looking towards and implementing from that review?

Thank you, Mr. Shipley.

I'm out of time, so thank you, all of you, for the work you do and for being here today.

We will go now to Mr. Noormohamed.

Go ahead, please, sir. You have six minutes.

Thank you, Mr. Chair.

Thanks to all of you for your appearance here and being with us today.

I'd like to dig a bit into the importance of this committee.

Mr. McGuinty, you, your team and your colleagues have done a remarkable job of making sure that the work your committee does has been in the main non-partisan, with a tremendous amount of collaboration, and with what I hope are recommendations that all of us take seriously.

One of the concerns I've had over the course of the last few weeks particularly has been the attempt to politicize the nature of the work you do. I want to quote a specific comment that was made by the Leader of the Opposition in which he says, “NSICOP has been used in the past...and is being used here...to avoid accountability. It takes place in secret and is controlled by Justin Trudeau.”

I think it's important for Canadians to hear first-hand from you, as the chair, (a) whether or not that is true, (b) how you believe the role of NSICOP should be seen and, most importantly, how Canadians should view the committee and the important work your committee does.

Perhaps, Senator Lankin, you might also like to weigh in on this.

The committee scrupulously avoids partisanship. I think the highest compliment that's been paid to the committee since we began is that a number of folks who have appeared before us have often said that if you were to close your eyes and listen to the conversation at the table, you actually wouldn't know from which political persuasion the commentary is coming.

We built what I think we like to refer to as “a nobility of purpose” around the work. We think there are some issues that transcend partisanship, that transcend any one government, and national security and intelligence is one of those issues.

It was a unique opportunity for Senator Lankin and me, in particular, who have been there since the beginning, to stand up the organization. It was like flying a fighter jet as we were building one. But the purpose of the committee really should transcend my chairmanship, our membership, the senior secretariat staff. It's an important mechanism for the future to allow for a full airing of classified information among colleagues from both Houses to treat these very important issues.

We all respect and understand that what goes on in the other arena, called the House of Commons or the Senate, is natural and is going to occur. The push and pull, the cut and thrust of that, is democracy, but when it comes to access to classified information and the treatment and the handling of that information, and the quiet, non-partisan opportunity to deliberate as colleagues, on behalf of 39 million Canadians, we think this is a really important structure for Canada, going forward, no matter who is in government, no matter who holds the seat as prime minister or minister, no matter what configuration the committee has.

There are comments sometimes about the role of the Prime Minister or of the government in the work of the committee that are, I would say, considerably off the mark. In the nine, 10 and soon 11 reviews that we have conducted, the Prime Minister of Canada has never instructed this committee to do anything. In fact, the only time we consult with the Prime Minister of Canada on our work is when we're presenting our reviews when the product is finished. The Prime Minister has an obligation to instruct the committee to redact, but on very, very transparent grounds.

The team that is here with us today—not just the members, but our senior secretariat folks—is extremely agile when it comes to entering into a discussion with officials in the government to say, let's talk more about that proposed redaction. We always tend towards being more transparent rather than less. We think that's important for Canadians to understand.

The debate that's going on now in the House, the Senate and in society is an important one; it's a really important one, but it's also a teachable moment for a lot of Canadians. For example, what is classified information? Why is classified information classified, and when can it be shared and when can it not be shared, and why isn't it being shared? Canadians get that. They can fully understand that.

We're trying to do our part in helping them understand that, and I'm sure Senator Lankin has much to add to that.

Thank you, Senator.

Thank you, Mr. Noormohamed.

I will now give the floor to Ms. Michaud for six minutes.

Thank you, Mr. Chair.

Mr. McGuinty, thank you very much to you and your team for coming here today. Thank you as well for the work that you do.

Before diving deeper into the annual report and the reviews you have carried out, I have a question. You mentioned that starting now, instead of publishing the summaries of your reviews in the annual report, you will publish them in special reports. I could not tell whether there was a reason for that decision. If there was, could you please explain it?

We have to submit a report to Parliament every year. At first, we combined all reviews, like this one on cyber-attacks. As you can see, it's quite lengthy. We decided that, instead of presenting everything together in the annual report, we should conduct the reviews one at a time and submit them individually. That way, we have more time to work together. It is also easier for Parliament, the Prime Minister, and senior officials to receive the reviews and follow up on them.

That is the reason why we chose to separate the reviews. Before, in a single annual report, there might have been three reviews all at once. We made this decision to better manage our work. It was easier for us to operate this way.

Thank you. This approach might also enable people to look into each detail of the reviews. Otherwise, when everything is lumped together, it's time-consuming to read and difficult to keep track of all the information.

As you probably know, our committee has studied Canada's posture in relation to Russia. In particular, we looked into the issue of cybersecurity, to determine if Canada was prepared to respond to threats of this kind. I take it that your committee has also looked at this matter in depth.

You say the government adopted a horizontal framework to protect itself against cyber-attacks. When we questioned witnesses who appeared before the committee, what we gathered was that non-government organizations are not always required to rely on the government or the various government services that are there to help them deal with threats or cyber-attacks. While it's understandable, I was nevertheless surprised to see that some government organizations did not possess exactly the same resources and tools, or if they do have them, they don't necessarily want to use them.

Can you tell us more about that and come back to the recommendations you made to the government?

It is an architecture problem. The Financial Administration Act of Canada gives deputy ministers and the CEOs of Crown corporations the authority to decide if whether or not they will be part of the cyber‑defence program provided by the federal government. We believe that this is a significant weakness.

We're only as strong as our weakest link.

Our cyber‑defence system is well regarded nationally and internationally; it's a very solid system. However, if a cyber‑attack is launched on a department, agency or Crown corporation that is not protected by our defence system, that could be used as a gateway into the entire governmental system.

That's the reason we are recommending that the federal government amend The Financial Administration Act in order to require that all organizations and Crown corporations be protected by the system provided by Shared Services Canada and the Communications Security Establisment.

Has the government answered in the affirmative? Actually, has it answered at all? I don't remember if there was an answer.

We are still awaiting a definitive answer, but we do encourage your committee to go ahead and communicate with the government, in this case that would be Treasury Board, to ask how things stand.

As you explained, departments and agencies that have chosen the cyber‑defence system could be indirectly infiltrated through others that haven't made that choice and have become the targets of a cyber‑attack. That's why it's so important to use the system.

Do you have any other recommendations that you would like to make today or is there anything else you'd like to highlight from your cybersecurity review?

We know that cyber‑attacks are a sign of the times. There are more and more of them. Just last week, there were all sorts of reports in the media. The websites of the Prime Minister, Hydro‑Québec and many other organizations were hit by cyber‑attacks. I am guessing that recommendations will be made and that the system is unfortunately not quite 100% bulletproof right now.