Evidence of meeting #9 for Transport, Infrastructure and Communities in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
4:20 p.m.
Liberal
Angelo Iacono Liberal Alfred-Pellan, QC
Thank you.
Mr. Vinette, is it true that Russia often uses non-state actors, such as criminal networks, to carry out its attacks, so that it can better deny them?
4:25 p.m.
Vice-President, Travellers Branch, Canada Border Services Agency
This is a very good question, but I think my colleagues Mr. Schwartz and Mr. Gupta are better equipped to answer it.
4:25 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
I can answer, Mr. Chair.
In our ransomware threat assessment we did highlight the links between Russia and some criminal organizations in saying that they were able to operate with relative impunity in the countries in which they operate.
4:25 p.m.
Liberal
Angelo Iacono Liberal Alfred-Pellan, QC
Thank you.
What do you think are the vulnerable elements of our own transport networks? What do we need to protect ourselves from?
4:25 p.m.
Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness
I can attempt to answer that one, Mr. Chair.
From the perspective of public safety and critical infrastructure resilience, one of the main vulnerabilities that we see across CI sectors are what I referred to in my opening remarks as the industrial control systems or the operational technologies that run power plants, regulate water pressure in valves or even operate traffic lights. These are some legacy systems that were not necessarily intended to be connected to the Internet but now are, just given the Internet of things and the increasing connectivity across critical infrastructure sectors. A key vulnerability from our perspective is industrial control systems in general.
That wouldn't just apply to the transportation sector. I would say that applies across health, as my colleague from the cyber centre mentioned. The impact there is the interdependencies. If something happens in one sector, there will be a domino or knock-on effect in other sectors. We're concerned with cascading impacts. To that end, that's why our program, with colleagues from the cyber centre, focuses on industrial control system security exercises. Preparing and planning for such events are helpful as well.
In terms of the energy sector, in the previous question, there are a number of exercises that we undertake with the private sector. Natural Resources Canada is the lead federal department for the energy and utilities sector. There are a number of exercises with Canada and the U.S., for example, energy command and GridEx.
We are focusing on those vulnerabilities, namely industrial control systems.
4:25 p.m.
Liberal
The Chair Liberal Peter Schiefke
Thank you very much, Mr. Iacono.
Thank you very much, Mr. Schwartz.
Mr. Barsalou-Duval, you have the floor for two and a half minutes.
Have we lost Mr. Barsalou-Duval?
Mr. Barsalou-Duval, can you hear us?
Since he is not responding, I will give the floor to Mr. Bachrach.
Mr. Bachrach, if you're ready to go with your line of questioning, I can go to Mr. Barsalou-Duval afterwards.
Mr. Bachrach, the floor is yours for two and a half minutes.
4:25 p.m.
NDP
Taylor Bachrach NDP Skeena—Bulkley Valley, BC
Thank you, Mr. Chair.
I will continue with my questions for Mr. Gupta from the CSE.
In 2016, Transport Canada issued a best practices advice paper on cybersecurity for the maritime sector. I imagine you're familiar with this. I note that it hasn't been updated since 2016. Have the cyber-risks in the last six years evolved at all when it comes to the marine sector? If so, why has that best practices paper not been updated?
4:25 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
I'd note that it's not a product of the cyber centre. I'm not entirely aware of it.
I'm certainly up to speed on the products that we put out from the cyber centre. We put out our cyber-threat assessment and we update our advice and guidance regularly within the cyber centre's web pages.
Much of our advice and guidance applies across the sectors. I would recommend that people visit cyber.gc.ca to get the latest and greatest information.
4:30 p.m.
NDP
Taylor Bachrach NDP Skeena—Bulkley Valley, BC
I'll ask a question of our guest from Public Safety.
Transport Canada publicly released proposals to modernize the marine security clearance program in 2021. These proposals adjust the existing risk base requirements for individuals based on their access to critical systems. It adjusted them to include extending security vetting to anyone who is involved in the movement of marine cargo.
Do you believe that the current profile of cybersecurity threats necessitates a significant expansion of security clearance requirements?
4:30 p.m.
Acting Director General, Critical Infrastructure Directorate, National and Cyber Security Branch, Department of Public Safety and Emergency Preparedness
Unfortunately, I'm not able to answer that question. I believe that's a question that's better directed to Transport Canada. That's not an area that falls under my purview.
4:30 p.m.
Liberal
The Chair Liberal Peter Schiefke
Thank you very much, Mr. Schwartz and Mr. Bachrach.
Mr. Barsalou-Duval, you have the floor for two and a half minutes.
4:30 p.m.
Bloc
Xavier Barsalou-Duval Bloc Pierre-Boucher—Les Patriotes—Verchères, QC
Thank you, Mr. Chair.
I hope that I can be heard clearly and that there are no technical problems. Today, I had a lot of trouble connecting to the meeting. I think I was disconnected five times from the Zoom meeting.
My question is for Mr. Gupta. I hope I am not repeating what has been said, but I may have missed a few things that have been highlighted so far.
Canada's national cyber security index is 66.23 out of 100, which ranks 36th in the world in terms of cyber security. If we take Germany, which has an index of 90.91, or France, which has an index of 84.42, Canada pales in comparison, not to say that it looks like an amateur.
I'd like to know what we need to work on to raise that score. As the head of the Canadian Centre for Cyber Security, could you tell me why our score is so low compared to the benchmark countries?
4:30 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Mr. Chair, I'm unfamiliar with the index that the member is referring to, unfortunately.
4:30 p.m.
Bloc
Xavier Barsalou-Duval Bloc Pierre-Boucher—Les Patriotes—Verchères, QC
You can still talk about the elements on which we need to work more.
4:30 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Most importantly to me is that we start implementing the basics of cybersecurity right across the country. It's foundational, and it applies to every type of threat there is, whether it's Russia, ransomware, cybercrime or hacktivism. We've put out baseline advice and guidance just to make our country solid.
Obviously, yes, I would like to see our country as number one and 100% there as well, but I think working on those types of basic elements of cybersecurity is critical to making sure we're ready and resilient to respond to any type of threat.
We put out advice and guidance for a small business that I think is critical. It's 13 controls that we believe are achievable in terms of implementing, and we'd very much recommend that organizations look to these as a bar to implement as well as—
4:30 p.m.
Bloc
Xavier Barsalou-Duval Bloc Pierre-Boucher—Les Patriotes—Verchères, QC
My time is almost up, but I would like to ask you another question.
Are you working on implementing or strengthening cybersecurity for provincial or municipal governments, or are you simply focusing on the federal government?
4:30 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
We work very closely with our provincial partners. I recently met with all of the provincial CISOs, chief information security officers, across Canada. We have good, collaborative efforts, and we really see this as a collaborative effort to be able to increase the cybersecurity in Canada.
4:30 p.m.
Liberal
The Chair Liberal Peter Schiefke
Thank you very much, Mr. Gupta.
Thank you very much, Mr. Barsalou-Duval.
Next we have Mr. Dowdall.
Mr. Dowdall, the floor is yours. You have five minutes.
March 24th, 2022 / 4:30 p.m.
Conservative
Terry Dowdall Conservative Simcoe—Grey, ON
Thank you, Mr. Chair.
I want to thank Mr. Gupta and Mr. Schwartz for taking time to be here today. This question will probably go to Mr. Gupta, but Mr. Schwartz may want to comment as well.
During a media briefing on February 24, 2022, Daniel Rogers, who is the associate chief of the Communications Security Establishment, said that in light of the Russian invasion of Ukraine, the CSE “strongly encourages all Canadian organizations to take immediate action and bolster their online cyber-defences.” While Mr. Rogers said that the CSE was “not aware of any specific threats to Canadian organizations related to events in and around Ukraine,” he pointed to “a historical pattern of cyber-attacks [against] Ukraine and other countries.” In particular, Mr. Rogers said that the CSE was monitoring cyber-threats “directed at critical infrastructure networks, including those in the financial and energy sectors.”
This is particularly concerning to Canadians, as so much of our personal and financial information is now stored in the cloud, on our computers or on our phones.
I know some of these questions might have been asked before, but have we seen an uptick in attacks by either Russia or China since the invasion actually began?
4:35 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Within Canada from the cyber centre perspective, we have not seen that uptick in attacks against Canadian infrastructure.
4:35 p.m.
Conservative
Terry Dowdall Conservative Simcoe—Grey, ON
In your opinion, do you think Canadian energy and financial companies are putting in all the necessary levels of security that they should be at this time to combat cyber-attacks and to keep our personal information safe?