Public Safety Committee on April 18th, 2023

Thank you very much.

Thank you, Ms. Michaud.

We'll go now to Mr. Julian.

Please go ahead, sir, for six minutes.

Thank you very much, Mr. Chair.

I would also like to thank the witnesses, Ms. Lankin and Mr. McGuinty.

I'm going to pursue Ms. Michaud's line of questioning.

Mr. McGuinty, you mentioned the fact that 31 federal departments were targeted by China. Most of these cyber‑attacks were not successful. Last week, the Internet sites of Hydro‑Québec, the Port of Quebec and the Laurentian Bank were hit. In all those cases, Russia was responsible.

I would firstly like to know how we can determine if these cyber‑attacks were successful or not, or if their defence systems were up to the task or not.

Secondly, as you so eloquently said, Mr. McGuinty, these attacks are going to become increasingly complex and more and more frequent. I am looking at the recommendations, and it seems to me that the federal government has not followed up on all of them. Are we too slow to respond to the growing threat to our infrastructure?

As to knowing if Russia was successful or not or if we did indeed counter an attack, I think those questions should be addressed to the Communications Security Establishment. They would be able to answer you. Our committee has not really looked at the attacks carried out over the last two or three weeks.

The case studies that we have put forward illustrate how sophisticated foreign state actors and other actors can be. In some cases, the attacks have taken place on a federal organization. They were completely unaware of it, and were only informed of it by CSE after the fact. In some cases, under new powers the government has given some companies in our essential systems, a private sector company can now come to the Minister of National Defence and ask for authorization to deploy CSE capacity to help stop a problem with a critical infrastructure company.

We seem to have a translation issue here. Can we check that please?

The floor audio works, but English doesn't. Can we try a little bit of French?

As you wish, I will say a few words in French. Is it working?

Please proceed.

As I was saying, the six case studies, Mr. Julian, illustrate.... They were chosen deliberately by the members to allow parliamentarians, Canadians and readers to understand the practical implications of not taking steps to protect. As I say, the private company...the first time using CSE powers. That's the first time this case study has been made public.

The attack on the CRA called the Heartbleed attack is case study number 3. In case study number 4, the National Research Council was attacked by China. We talked about the loss of 40,000 files. China used its access to the NRC to infiltrate other government organizations. It was very expensive to clean that up—$100 million at least. In case study number 5, huge amounts of data were stolen from DND by a foreign actor. In case study number 6, in 2020, a state compromised the network of a Crown corporation.

Are we slow off the mark to respond to this? I don't know if the committee really examined that. I don't know if we examined it comparatively. We do know that CSE's abilities are now increasingly called upon internationally. We know for example that the government of the United Kingdom has called upon Canada's CSE to help with their cyber-defence systems.

I hope I've answered some of your questions.

Let's come back to NSICOP. You did talk about the five-year review. I hope I quoted this accurately. I put quotation marks around it. One of the concerns that you had was the overly broad interpretation of cabinet confidence. First, does that make it more difficult for NSICOP to do its work? Second, what are the other tools that you need to do your work better at a time when there are more threats around foreign interference, more threats around cyber-attacks, more threats than we've experienced perhaps previously in our history as a country?

I'm going to ask Lisa-Marie Inman to address the question of cabinet confidence, because she's on the front line often dealing with this.

One of the things that might help the committee is positive reinforcement by all parliamentarians. All parties and the Senate are represented on the committee, so respect the fact the committee has to work in closed quarters, has to proceed with enormous discipline and can't go out and comment gratuitously on subjects that are part of media reports or the cut and thrust of debate.

We really do try to focus on the evidence, focus on the classified information, and we like to think that the quality of the reviews speak for themselves, but on this question, if I could, on cabinet confidence, I think Ms. Inman is best placed to speak to it.

Thank you, Mr. Julian.

That wraps up our first round. We'll start our second round. It seems probable that we won't be able to do a full second round, but we'll start with Mr. Motz.

Mr. Motz, go ahead for five minutes.

Thank you very much, Chair.

Thank you to the committee, Chairman McGuinty, Senator Lankin and the secretariat officials. Thanks for being here.

When I look back over my years so far in this responsibility, they pale in comparison to my experience on NSICOP. It was probably the best and most enjoyable time I've had, because it felt like I was making a difference. Why? It was non-partisan, and it was legitimately non-partisan. I can say that unequivocally. Kudos to you guys for setting that up. It was well done, and I enjoyed my time there.

There's so much I'd like to say and ask, but I'll try to focus my comments.

I appreciate your comments on the same battle we had back then on the broad interpretations of cabinet confidences and the realization that people on that committee, not only those on the secretariat but also the members of the committee, Senators and MPs, have the same or higher security clearance than most cabinet ministers do. That's important to remember—and we're bound by legislation. There is frustration, and I think this committee needs to have full access to cabinet confidences, because that broad an interpretation doesn't allow full transparency. I appreciate that.

The other thing I really appreciated about NSICOP is the fact that its chair has pushed for broader transparency on the redaction process. I think that is key for public confidence in what we do and what we do as whole of government. I want to applaud those efforts. We're not there yet, but we're headed in the right direction, so thank you for that.

I want to get to a question on cyber-defence and cybersecurity, but we talked a couple of years ago—

Pardon me, Mr. Motz.

The bells are ringing. We need unanimous consent to carry on. I propose we carry on to 5:30.

Do we have unanimous consent?

Very well. Thank you all.

Carry on, Mr. Motz.

Thank you, Chair.

We talk about a legislative requirement to have the NSICOP review within five years. It has been nearly seven years. What steps do you think we need to take to push that a little harder to make sure it happens? I believe, as others around this table, that this is probably the best committee to do that review. When we do it, there should be some urgency to it, I believe. We can get into lots of things, but what would you suggest, as NSICOP, we focus on?

There are some practical challenges we do face from time to time. We're making, I think, great progress. Maybe Sean Jorgensen, our director of operations, can speak a little bit about the progress we've made on the redaction process.

Let me step back and publicly thank you, Mr. Motz, for your service at NSICOP. You were a superb member and represented not only your constituents, but also your party and the House very well. We miss you.

There are some practical challenges. For example, one of the challenges Lisa-Marie Inman faces is that we often can't get top-secret interpreters. We can't rely on interpreters, for example, who interpret for cabinet, because they're not sufficiently cleared, so we need a different category of interpreters. That's sometimes a bit of a challenge. During the pandemic we managed to hold ourselves together by having people on very secure satellite systems and meeting virtually across the country and so on. Sometimes the pace—

Sorry, Mr. McGuinty, I don't mean to cut you off, but I want to get into cybersecurity.

Oh, I'm sorry. Okay.

I have a follow-up question to Ms. Michaud and Mr. Julian's.

Now, the report on cyber-defence and preparedness states that many governing organizations, such as Crown corporations, do not fall under Treasury Board policies on cybersecurity issues. We dealt with this a number of years ago. You recommend that this needs to be fixed. That hasn't happened—as of a month ago, that has yet to occur. Can you reinforce the urgency that those agencies fall under Treasury Board policy, because cyber-attacks and cybersecurity affect them as well?

I would implore this committee to call forward here to this committee a number of federal government representatives, including the Treasury Board, and perhaps CSE, Shared Services Canada representatives, to put those questions directly to them. They know what we've called for. They've seen the recommendations.

But on the urgency, I think Mr. Jorgensen is best-placed to give you 30 seconds on why this is so important to do now.

Thank you very much. I appreciate your service.