Transport Committee on March 24th, 2022

Thank you, and good afternoon to all of you.

Good afternoon Mr. Chair, and members of the Standing Committee on Transport, Infrastructure and Communities.

Thank you for inviting me to participate in the discussion today.

I am pleased to be here to answer your questions about the role of the Canada Border Services Agency, or CBSA, with respect to the arrival of Ukrainian nationals in Canada and sanctions against Russia.

The CBSA is responsible to facilitate the flow of legitimate travel and trade into Canada. Its role is to assess the security risk and admissibility of persons coming to Canada. All persons, including Canadian citizens, seeking entry to Canada must present to the CBSA and may be subject to a more indepth exam. Admissibility of all travellers is decided on a case-by-case basis and based on the information made available at the time of entry.

The CBSA is committed to protecting the health and safety of Canadians and will examine, detain or seize goods entering Canada if they pose a health, safety or security risk.

Further and beyond the screening of travellers, the CBSA also uses a number of automated advance information sources from carriers and importers to identify goods and conveyances that may pose a threat to Canada.

The Agency uses a risk-management approach to facilitate legitimate trade while focusing on higher or unknown risks. This approach involves screening goods at several points along the trade continuum: at the earliest opportunity overseas, in transit, and upon arrival at the Canadian border.

The agency's focus is on getting the right information at the right time in order to know when, where and how to target its enforcement efforts. CBSA targeting officers work in collaboration with border services officers who are trained in examination, investigative and questioning techniques. Together they are the agency's greatest assets when it comes to identifying, detecting and intercepting contraband or other goods at the border.

As it pertains to commercial sanctions, the CBSA is supporting the whole-of-government response to the Russian invasion of Ukraine and is assisting Global Affairs Canada in the administration of the Special Economic Measures Act, the United Nations Act, the Justice for Victims of Corrupt Foreign Officials Act, the Export and Import Permits Act and other associated regulations at the border.

The CBSA is also an active partner in the marine security operations centres and supports Transport Canada with relevant and timely customs information.

The CBSA works closely with the RCMP to deliver the broad range of border services with the CBSA mandate focused on delivering services at ports of entry.

Border services officers also review import and export documents, including bills of lading, invoices and certificates of origin to determine if the goods or shipments and transactions are subject to sanctions or control measures. Shipments that appear to be in contravention of the legislation, regulations or sanctions are detained and referred to Global Affairs for further assessment. Upon direction from Global Affairs, the CBSA may detain the shipment or seize it to make sure that all the applicable regulations and sanctions are applied at ports of entry.

The CBSA also conducts risk assessments on travellers and goods seeking entry to the country. We work with our partners in the intelligence sector to conduct security screening on foreign nationals seeking entry to the country. Both the screening and risk assessment processes include the collection and analysis of information from a variety of sources and partners to determine the admissibility and the risk.

The agency also regularly shares, under strict legal parameters, relevant information on border and national security issues to our partners, as well as other government departments in Canada to ensure the health, safety and security of Canadians.

All goods, conveyances and people may be subject to an in-depth exam. The CBSA risk assesses 100% of all vessels and their cargo in order to identify potentially higher-risk vessels and the goods they are carrying.

Our officers exercise their professional judgment in a highly complex environment and are well supported in their training to apply these measures. We further work closely with other partners, including Transport Canada and the RCMP, to ensure that security and sanctions are applied appropriately.

I will be happy to answer questions from committee members.

Thank you.

Good afternoon.

Thank you, Mr. Chair and members of the committee for the invitation to appear today to discuss Canada’s preparedness to respond to Russian threats to Canadian waters, ports and airspace.

My name is Rajiv Gupta and I am the associate head of the Communications Security Establishment's Canadian Centre for Cyber Security, which we more commonly refer to as the cyber centre.

CSE, reporting to the Minister of National Defence, is one of Canada's key intelligence agencies and the country's lead technical authority for cybersecurity. The cyber centre is a branch within CSE and a single point of expertise on technical and operational cybersecurity matters. We defend the Government of Canada, share best practices to prevent compromise, manage and coordinate incidents of importance and work to enable a secure digital Canada.

Canadian cyber systems inside and outside of government hold information and personal data that is critical to Canada's prosperity, security and democracy. Canadian cyber systems are also essential to critical infrastructure operations. It is critical that these systems are protected, and I can assure you that CSE and its cyber centre recognize this importance.

While I can't speak to our specific operations in this setting, I can confirm that we have been tracking cyber-threat activity associated with the current Russian invasion of Ukraine. We know that Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly. The NotPetya destructive malware of 2017 is an example of this behaviour and illustrates how a cyber-attack on Ukraine can have international consequences.

As the situation evolves, CSE continues to monitor the cyber-threat environment in Canada and globally, including cyber-threat activity directed at critical infrastructure networks and operational and information technology systems.

For Government of Canada networks, we have the tools in place to monitor, detect and investigate potential threats and to take active measures to protect and defend against them. For Canada, we have issued unclassified threat bulletins urging Canadian critical infrastructure operators to be aware of the risks and to implement mitigations against known Russian-backed cyber-threat activity.

We strongly encourage all Canadian organizations to take immediate action, increase organizational vigilance and bolster their online cyber-defences. We also encourage all Canadians to visit getcybersafe.gc.ca, and all businesses to visit cyber.gc.ca to learn more about our best practices that can be applied to protect them from cyber-threats.

Ransomware poses a significant threat to Canadian organizations. Its impacts can be severe, including business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs. We are calling on Canadian organizations to implement the best practices specified in the ransomware playbook put out by the cyber centre.

In addition to public advisories and guidance, the cyber centre continues to share valuable cyber-threat information with Canadian critical infrastructure partners via protected channels. This information includes indicators of compromise, threat mitigation advice and confidential alerts regarding new forms of malware and other tactics, techniques and procedures being used to target victims.

Within government, CSE has been sharing valuable cyber-threat intelligence with key partners supporting Ukraine. CSE continues to support the Department of National Defence and the Canadian Armed Forces on measures to support enhanced intelligence co-operation, cybersecurity and cyber-operations.

Members, as geopolitical tensions continue to rise, I want to assure you that CSE is constantly working to help address foreign and cyber threats facing Canada,

and we will continue to do so.

I'll be happy to answer any questions you may have.

Thank you.

Good afternoon, Mr. Chair and members of the committee. I'm very pleased to be here.

Thank you for the opportunity to discuss the Government of Canada's approach to critical infrastructure security and resilience.

I will start by going back in time a little bit, to 2009, when federal, provincial and territorial ministers responsible for emergency management approved the national strategy for critical infrastructure. It established a collaborative approach to CI resilience that's based on building partnerships, all-hazards risk management and sharing information.

The strategy set direction for enhancing CI resilience against current and emerging hazards. It also established the classification of CI in Canada on the basis of 10 sectors, including transportation as well as networks for each sector.

These sector networks are led by a responsible federal department. For example, Transport Canada leads the transportation sector. Public Safety Canada leads federal efforts to strengthen CI resilience. We add value to partnerships between the public and private sectors by bringing stakeholders together through the national cross-sector forum and other engagement mechanisms.

Public Safety also leads federal cybersecurity policy development, which includes the national cybersecurity strategy first published in 2010 and updated in 2018. This was followed by a December 2021 mandate letter commitment for a renewed cyber-strategy.

In this context, we work with international partners to promote the rules-based international order calling out malicious cyber-activity where warranted. Canada did just this in January in the prelude to Russia's invasion of Ukraine, condemning the cyber-attack on Ukraine's government systems and fear campaign against the Ukrainian people.

The Government of Canada, including Public Safety, has taken steps to help make sure Canadians, and especially CI owners and operators, are aware of cyber-threats, including those posed by Russian-backed actors.

Public Safety and other departments and agencies work closely with allies and partners to ensure a common understanding of the threat posed by malicious cyber actors and to ensure that we are prepared to respond if Canadian cyber-systems are targeted. This is particularly important considering the interconnectivity of today's CI.

Public Safety also leads work with federal partners on national security policy, including countering hostile activities by state actors as well as economic-based threats to national security.

In terms of specific programs and initiatives, Public Safety delivers CI resilience and impact assessments, conducts physical and cyber exercises and works with the Canadian Centre for Cyber Security to share information with industry partners on cyber-risks and mitigation measures.

Our CI impact assessments support decision-making and situational awareness on hazards and risks. They consider cascading impacts that can disrupt or degrade the distribution of goods and services via Canada's supply chains, for which ports are a key dependency across CI sectors.

The regional resilience assessment program undertakes all hazards assessments across Canada. This is a tangible way governments and industry work together to examine vulnerabilities, implement corrective measures and improve resilience. Since 2012, we have conducted hundreds of assessments at Canadian CI facilities, including electricity grids, major transit hubs and ports.

In June 2020, Public Safety, working with the Canadian Centre for Cyber Security, launched the Canadian cybersecurity tool in response to an increasing number of cyber-incidents targeting the health sector. Designed specifically for Canadian CI owners and operators, this virtual self-assessment tool is a short survey that provides a picture of an organization's operational resilience and cybersecurity posture.

Malware, particularly ransomware, has hit physical infrastructure such as pipelines, power plants, water treatment and manufacturing plants and transportation and logistics systems. As my colleague mentioned, the NotPetya malware crippled logistics companies in 2017 with ripple effects across key ports and other transportation nodes globally, leading to billions in damages.

With these types of events in mind, Public Safety has launched a cyber-physical exercise series that saw nearly 600 participants attend launch events in February and March. I would also note that we're hosting one of our quarterly industrial control systems security symposiums on March 29 and March 30, for which 900 people have registered.

I would be remiss if I didn't say that CI stakeholders also bear responsibility for protecting their assets and systems. This includes ensuring basic cybersecurity hygiene and business continuity and emergency response planning. Indeed, CI security and resilience is a shared responsibility.

Looking ahead, Public Safety is committed to working closely with provinces and territories, the federal community and the private sector to develop a new strategy and approach to CI resilience. This work is under way with the goal of developing a forward-facing strategy and approach by the end of next year.

I would conclude by noting that we are committed to working with partners to enhance and improve CI security and resilience in Canada, including addressing cyber-threats against our most vital assets and systems.

Thank you very much for your time. I'm happy to answer any questions you may have.

Absolutely.

I will make the assumption that we're talking about incidents that happened within government, but please clarify that after if you want.

Within the government, the Canadian Centre for Cyber Security does monitor government departments. We have a variety of sensors. We look at networks, hosts, the cloud. We gather all this information. We have analytics that run. We take automated actions to defend the government.

Occasionally something gets through and there is an incident. In that case, we have a shared inbox, basically, for all government departments to notify us of the incident. Otherwise, we are typically notifying the departments of incidents that have happened. We assess the severity of the incident.

If the incident is looking like it's going to expand beyond the simple control of a single department, then we escalate through a process called the GC CSEMP, which is the cybersecurity event management plan led by TBS. That involves a variety of stakeholders, mainly the tripartite, which is CCCS—the cyber centre—Treasury Board and Shared Services Canada. There's a very structured process in which we escalate through that program by calling on different levels of communications and whatnot involving different departments.

It depends on the assessment. If it's serious, it can happen within an hour of understanding it—

It's through the command system, so basically the GC CSEMP, and that will specify the levels of notification as you progress through the levels, depending on the severity of the incident.

Not that we are aware of in terms of incidents.

We don't speak to operational specifications here. That's where I'll leave it.

I'm not sure of the exact number. We total them each week and we gather them together. We receive all sorts of reports as Canada's national cyber centre—

It's probably in the hundreds or less than a hundred per week in terms of our typical intake. That's typically the scope. Then we categorize them by sector and severity.

One thing to notice is that yes, we have the front door for the country. We're always encouraging more and more organizations across Canada to reach out to us. We are here to help. We really do want them to report these incidents into this so that we get a very good picture as to what's going on. To some extent, the numbers that I would provide for you are not necessarily representative of what's actually going on, because we believe everything to be under-reported.

It's across the sectors that we've seen.