Skip to main content

NDVA Committee Meeting

Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.

For an advanced search, use Publication Search tool.

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

Previous day publication Next day publication

STANDING COMMITTEE ON NATIONAL DEFENCE AND VETERANS AFFAIRS

COMITÉ PERMANENT DE LA DÉFENSE NATIONALE ET DES ANCIENS COMBATTANTS

EVIDENCE

[Recorded by Electronic Apparatus]

Tuesday, May 29, 2001

• 1601

[English]

The Vice-Chair (Mr. Peter Goldring (Edmonton Centre-East, Canadian Alliance)): Thank you all for your attendance today.

Today we wish to welcome the Associate Deputy Minister of National Defence, Ms. Purdy, and Mr. Harlick.

Ms. Purdy, as I mentioned to you before, we have a vote in the House. The bells are expected to ring at 5:15. So if we could try to keep the presentation within the realm of about 10 minutes, it would be much appreciated.

Mr. Stoffer.

Mr. Peter Stoffer (Sackville—Musquodoboit Valley—Eastern Shore, NDP): Mr. Chairman, weren't those votes changed?

The Vice-Chair (Mr. Peter Goldring): Not to my knowledge.

An hon. member: Just your party.

An hon. member: I have to make a phone call.

The Vice-Chair (Mr. Goldring): Order, please. If the votes have been changed, the intention is to run the questioning up to when the bells start.

Ms. Purdy, please.

Ms. Margaret Purdy (Associate Deputy Minister, Department of National Defence): Thank you very much. It is a real pleasure to be here today.

I think you have before you, or available to you, a full text, which runs to a good 25 pages. I don't plan to use that full text as my introductory remarks. I'm going to scale it back. I'll try to keep it to 10 minutes, and then we can move to questions. Is that acceptable?

The Vice-Chair (Mr. Peter Goldring): Yes.

Ms. Margaret Purdy: Good.

The new Office of Critical Infrastructure, Protection and Emergency Preparedness, which is my primary responsibility in the Department of National Defence, is a civilian organization. It has no direct role in military operational readiness, which I know is the focus of your deliberations and analysis. Rather its mandate is a national one, and it's focused on Canada's critical infrastructure.

Having said that, there are many linkages between the work we're planning and that of the department and the Canadian Forces, and I think there's much we can learn from each other and can do together that will make this country and indeed the world safer and more secure.

Let me take a minute to explain exactly what I mean by the term “critical infrastructure”. It's part of our title, and I think it's important to define things first. We define critical infrastructure as the systems, facilities, and networks on which the health, safety, security, and economic well-being of Canadians depend and that are critical to the effective functioning of government in this country.

We break the critical infrastructure into six highly interdependent sectors: first, energy and utilities—gas, oil, and electricity; second, transportation in all its forms; third, communications, including telecommunications; fourth, the safety sector—nuclear safety, 911 services, and search and rescue; fifth, three key service areas—financial services, food services, and health services; and, finally, the essential services of government.

These sectors I have described, which have both physical and cyber dimensions, face an increased risk in the 21st century. I want to take a few minutes to describe what I call the “threat” environment.

• 1605

First, there are the serious accidents and natural disasters that are going to continue to occur in this country. They're going to affect our physical infrastructure, with significant consequences in many cases for Canadians. We conclude that there have been 30 what we call major disasters in the past five years in this country. In the years to come, hazardous spills, fires, and other industrial accidents will persist, as will severe weather events, which we've had our share of in recent years—the ice storm, the Saguenay River flood, the Red River flood, which together resulted in costs of more than $5 billion, including $1.5 billion that was paid out by the Government of Canada alone.

At the same time as we'll continue to have these physical disasters, natural disasters—and they will continue to challenge us—they've been joined by a whole new set of threats to our critical infrastructure, those that have a cyber dimension, in that they exploit information technology and our country's dependence on information technology. All the vital services I listed depend on information technology, and that brings new vulnerabilities.

First of all, the Internet, the backbone of global communications today, is immature. It's unsecure and it's unstable. Secondly, those who develop and sell commercial off-the-shelf software are often more concerned about getting to market first than they are about checking their products thoroughly for glitches and faults that may make them vulnerable.

Criminals and terrorists and spies and unfriendly foreign governments can take full advantage of these vulnerabilities and others to economic advantage, to bilk individuals and national economies of millions of dollars a day, or to advance their political, religious, and ethnic causes. Another possible way they may do damage is to be a tax on the critical infrastructure.

While attackers with clear motives, like terrorists, are a clear and present danger, so too is the hacker, the individual who uses his or her computer skills to attempt to attack or corrupt or manipulate computers and networks of others. Hackers often have no motivation beyond just seeing how far into a network they can penetrate, how much damage they can do. Most of the most serious cyber attacks in the past three years have been perpetrated by hackers acting alone, not affiliated with any organized group.

In total, these threats are, in my view, real. And they're serious. Let me just give you a couple of examples—quite different kinds of examples. A computer hacker in Australia altered the control mechanisms in 100 pumping stations, causing one million litres of raw sewage to overflow. Here in Canada, a 15-year-old Montreal boy, working from his parents' home in a Montreal suburb and using the cyber name of mafiaboy, attacked e-Bay, Yahoo, Amazon, and several other major Internet-based businesses. His handiwork is estimated to have resulted in lost revenue of up to $1.2 billion U.S. That was the work of a fairly amateur youth in Canada. The impact was in the United States and globally.

In this year, 2001, we've seen the emergence of what I call a new kind of cyber event, one involving individuals and groups on opposing sides of a political struggle but not necessarily operating under state control or direction, although one never knows. The first widespread event involved the opposite sides of the Israeli-Palestinian conflict. We saw more than 200 attacks that were launched within four months, including website defacements; denial of service attacks, which are very serious; and the launching of computer viruses, which are also serious. The attacked entities were the government, businesses, and infrastructure, and they spilled well beyond the Middle East. Then more recently, following the crash of the U.S. military plane on Chinese territory, U.S. and Chinese computer users engaged in a similar kind of cyber confrontation, so to speak, using similar tactics.

To summarize the threat environment, I would say that threats to our critical, physical, and cyber infrastructure in this country will put Canadians, Canadian communities, and Canadian businesses at risk in the 21st century.

To better equip Canada to prepare for these challenges, the Prime Minister created, in February of this year, the office I now lead. I think you have a copy of his announcement before you. Let me say that this office is a uniquely Canadian approach. As far as we know, no other machinery of this kind exists. It's unique in that it combines the national leadership and emergency preparedness, preparing for those natural disasters I mentioned, with a new leadership role with respect to protection of this country's critical infrastructure, regardless of the vulnerability and regardless of the kind of threat.

• 1610

So we're an all-hazards kind of agency. And significantly, we encompass the mandate of the former Emergency Preparedness Canada, which some of you may know.

We believe the work we're going to do will not only help reinforce our infrastructure, but it will also help our efforts on e-commerce, e-government, and public safety.

I think in the submission, starting at page 16, we have outlined the main components of the framework we're going to work under. We're going to give a high priority in our own house, getting the Government of Canada's infrastructure house in order, particularly the cyber elements. Partnerships are going to be critical—partnerships with provinces, with the private sector, and with the United States in particular. We're going to implement programs particularly in the operational area. We already have a 24-hour, seven-day-a-week operations centre to monitor approaching tornadoes, earthquakes, floods, and so on. We have supplemented that already with information technology expertise, so we are now in the process of issuing advisories and alerts on cyber attacks and cyber threats to the Government of Canada.

We're also obviously looking at policy and legal implications. Do we have the right mechanisms to share information with our partners in this new area and to protect information that they may provide to us? There is a lot of work to be done in this area. We do not have in this country at this time a complete or accurate map of our critical infrastructure, particularly on the cyber side. We don't know where the most serious knowledge gaps exist and we don't know where the critical nodes are in that infrastructure. We also need to improve our understanding of the interdependencies between sectors. We need to understand the vulnerabilities better.

So we're going to give a high priority to partnerships, as I mentioned, to programs, to enhancing not only our operational capabilities in the Government of Canada but also extending that cooperation to our partners in the provinces, the territories, and in the private sector.

Let me just finish by talking a bit about what it means to have this office in the Department of National Defence and how we will work with the department, how we will work with the Canadian Forces.

Let me start with my own views on why DND is a good fit for this new endeavour. I say it's a good fit for a number of reasons. First of all, as you know well, the Canadian Forces have a strong and I think positive reputation for helping Canadians in times of need, in times of distress. We saw that in the Manitoba flood; we saw it during the ice storm. Secondly, the Minister of National Defence is the lead minister for emergency preparedness and for providing leadership in areas outlined in the governing statute, the Emergency Preparedness Act. Emergency Preparedness Canada was already well established in the department at the time this new office was created. And finally, both the department and the Canadian Forces take computer security very seriously, as well as contingency planning for all kinds of threats.

I certainly am, in the early days, according a very high priority to defining exactly what it means to have this new office within the department. What are the internal so-called synergies and partnerships? We certainly are working very closely with colleagues in the department who are looking at the security of defence and military systems and assets. We're also working very closely with the intelligence component of the department and others who are exploring this whole new area of asymmetric or unconventional threats, because they are of concern to the military but they're also a concern to other members of the critical infrastructure community.

We're also working very closely with the research component within the department and the Canadian Forces, those who are looking at cyber security problems, making sure we don't overlap or duplicate any work that's underway anywhere else in the government, trying to bring some coherence to research in this area. CSE, the Communications Security Establishment, another part of the department, is an important partner on the research agenda as well.

And finally, we work very closely with colleagues on the bilateral relationship with the United States where homeland defence, as you know, has been, under the previous administration and under this administration, a very high priority. The United States has also put critical infrastructure protection at a high point on their list of priorities. President Bush has confirmed that it remains a priority for him.

So we work very closely, for those reasons, but in addition because the critical infrastructure on which we depend is in many cases a North American infrastructure. The electricity grids, for example, are North American electricity grids, so threats to the American component of the grid will have an impact on Canada potentially, and vice versa.

• 1615

For those parts of the infrastructure that cross the border invisibly, such as telecommunications and electricity, it is critically important that we work together. That's not to say we will do things exactly the way our American colleagues do, but we will work in tandem with them, where working together makes sense.

I'm sometimes asked—and I'll conclude here—what role the forces might play in the event of a really serious national-scale cyber attack, or if we had a series of attacks concurrently—something of the order that would really affect public confidence or public safety. Would we expect the Canadian Forces to do the same sort of thing they do during ice storms and floods, helping people in distress and helping businesses that are affected? Or would it be expanded to include some kind of specialized cyber response team that could move in to help communities, governments, or businesses reconstitute their computer systems using the IT expertise within the Canadian Forces?

The short answer is that I think it's too early; it's certainly too early for me to say. We need to do more analysis and consultation with some of our partners on exactly what Canada and Canadians need. What's the full spectrum of services, and what's the right role for the Canadian Forces, the department, and indeed the Government of Canada to play in all of this?

The important thing to remember is that 90% of this critical infrastructure I talk about is not owned, in the custody of, or managed by the Government of Canada. It is in private sector hands, or managed and controlled by provincial and other levels of government. So our part of the infrastructure is quite small, since the role of national leadership we're going to play will be quite large.

Let me conclude by saying that Canada must respond to these new infrastructure and emergency management challenges I've described. I believe we can meet those challenges, but it will require what I call an unprecedented peacetime level of horizontal cooperation, not just within government but also outside of government and with our international partners.

We thank you for inviting us. We know we're a little bit out of the scope, perhaps, of your review, but we appreciate this opportunity to have a dialogue with you.

The Vice-Chair (Mr. Peter Goldring): Thank you very much, Ms. Purdy.

We'll begin our round of questioning of seven minutes, starting with Mr. Anders.

Mr. Rob Anders (Calgary West, Canadian Alliance): Thank you very much, Mr. Chairman.

You mentioned in your speech that during the conflict between the United States and China over the downed jet there were cyber attacks on U.S. installations. My understanding is that they were not just United States installations but NORAD installations, which means, of course, Canada's intimately involved. I was very surprised that we didn't hear more about the whole issue of China's attacks on NORAD sites, which are also Canadian sites.

Maybe you can comment on the fact this isn't just an American problem. The RCMP, with their Sidewinder report, also went through some of these issues of Canada being vulnerable. Canada, being part of the ANZUS network of nations with the Pacific countries—for example, Australia and New Zealand—and Canada and Britain having territories... near the United States. We have been identified as the weak link in the chain. As a result, we're the ones who are facing the brunt of some of these penetrations, aside from any downed jets.

• 1620

Ms. Margaret Purdy: In terms of attacks on cyber installations of NORAD, I can't confirm that. My understanding is that the analysis of what took place around the time the plane was downed is still being done. Most of the attacks, as I understand it, that took place in that confrontation were mainly website defacements and attempts to penetrate. I certainly don't know of any penetration into the NORAD system, in that scenario or any other scenario.

It's certainly true that attacks these days often follow very circuitous routes and their impacts are instantaneous and often global. So if attacks are being launched in any part of the world, they can hit Canada, the U.S., and many other countries simultaneously.

In terms of Canada being a weak link or a soft link in the cyber security field, I don't know of anything to confirm that, and I don't know of any concrete and reliable criticism to that effect. Indeed, I think we are seen as one of the leaders in this area, partly because we have such a vibrant and excellent telecommunications network in this country. We generally take matters of security, public safety, terrorism, organized crime and others very seriously, because we have specialized units in the RCMP and elsewhere to deal with these matters. If you recall, I told you the story of mafiaboy. Good RCMP forensic and other work, in cooperation with other countries and other police forces, led to his fairly prompt arrest and conviction.

So I think we have shown, in this modern world of cyber threats and cyber crimes, that we have the capacity to respond. Just as attacks that are started in Canada, as in the case of mafiaboy, can have an impact on the United States, the reverse can also be true. So there's all the more need to cooperate, particularly with the United States, to make sure we have our defences up and get early warning from them of activity in their country that may have an impact here.

This is a very complicated landscape we're working in now, even in terms of jurisdiction, in some of these instances. Where does the offence really occur? Where does the event occur? Who has jurisdiction? Whose laws apply, when the events are happening in cyberspace and the attack may pass through routers and switchers and interfaces in five, six, or a dozen countries on the way to their target?

It's a very complicated landscape. The only way we're going to get ahead of the wave is by not working just in our own national interests but working internationally and cooperatively.

Mr. Rob Anders: Just to add a final comment, that cyber attack was actually brought to my attention by our top man at NORAD, General George Macdonald, who I understand was in top consideration—I see some heads nodding across the way, because they were there—when some of my colleagues and I were down at NORAD just recently. So it was a Canadian source that gave me this information.

Ms. Margaret Purdy: Was it a website defacement, or that type of attack?

Mr. Rob Anders: I believe it was a successful website defacement, and the Internet connections themselves were also being tampered with.

Ms. Margaret Purdy: Unfortunately, this is commonplace now. It's not that you shouldn't take website defacement seriously, but as soon as you put your public face out there on the Internet, this is an immature, unstable, unsecure environment. So with a website, you can put some defences up but you're very vulnerable. You have to constantly monitor it to make sure it hasn't been corrupted or manipulated.

As to whether that was Chinese, I'll accept General Macdonald's conclusion on that.

Mr. Rob Anders: Say, for example, we had a scenario where Vancouver—I used to live there so I have some concerns—had an earthquake. We no longer have an army base in Chilliwack. We have troops stationed as far away as Comox on Vancouver Island or Esquimalt, but those are navy.

What type of response could we get, in terms of actual physical troops on the ground, within one hour, six hours, 24 hours, in the event of a serious earthquake?

• 1625

Ms. Margaret Purdy: I haven't worked with this plan, but I know there's a national earthquake support plan that comes into play, no matter where the earthquake occurs. Obviously, British Columbia is in a vulnerable zone.

With respect to the possibility of this happening on the lower mainland of British Columbia, my understanding is the plan calls for the land forces western area commander, who is based in Edmonton, to provide logistic support, assistance to the civil authorities, if that is requested—and you know there are means to do that—as well as assistance to other departments, such as Health Canada, the Solicitor General, and others that may need help at that time.

As I understand it, Canadian Forces also has a very detailed plan that covers giving immediate assistance to British Columbians in the case of a catastrophic earthquake. Command, control, communications capabilities, people, equipment—all could arrive. As I understand it, the timeframe for getting people there—and they may not all come from the western part of the country even—would be 12 to 24 hours.

So the plan calls for immediate enforcement from the western region, but depending on the extent of it, Canadian Forces resources from coast to coast could well be dispatched there.

The Vice-Chair (Mr. Peter Goldring): Thank you very much, Ms. Purdy.

We'll move on to Mr. Plamondon.

[Translation]

Mr. Louis Plamondon (Bas-Richelieu—Nicolet—Bécancour, BQ): Thank you, Mr. Chairman.

I'm almost tempted to ask you a somewhat indirect question. We're in the process of drawing up a plan for your security office, one that would anticipate different attack scenarios. As I see it, even if we draw up a perfect plan for the vast Western region, we'll always be dictated to, so to speak, by U.S. security concerns. When the United States decided to conduct nuclear missile tests here in Canada, we didn't have any say in the matter. Regardless of which government is in office, we always say yes to the U.S.

This is true of a number of areas and since Canada covers more territory than the U.S., it seems a little silly to me to speak of protecting our territory. I recall a scheme to build a special ice-breaker to protect border areas. It wasn't much more than a pipe dream.

You can put in place any kind of program you want, but if the Americans suddenly decide that they don't like what we've done and want a more comprehensive plan in place, all the money spent will have served to do nothing more than advance a philosophical position or to provide training exercise for people on our side of the border.

Instead of spending all this money drawing up plans, I'm wondering if maybe we wouldn't be better off waiting until the Americans have drawn up their own plan and then make the necessary adjustments. In matters of defence, we excel in international humanitarian missions and in direct aid missions when disaster strikes, as was the case during the Manitoba floods or the Quebec ice storm.

Ms. Margaret Purdy: In my opinion, it is a matter of national interest. The United States are preoccupied with their own problems, their critical infrastructure and national planning issues. As I see it, it's virtually impossible for the U.S. to arrange to protect Canada's critical infrastructures. We have the knowledge and the information to understand the vulnerable areas of our infrastructure. We need to work with the provinces and territories and with the private sector to determine an appropriate response for Canada. It is a matter of national interest, in my view. It is a matter of ensuring our national security and the smooth running of our national economy. This is a Government of Canada responsibility.

Mr. Louis Plamondon: However, given our modest budget and our population of only 30 million, and given that Canada covers a much larger area than the U.S. and our resources are more limited, aren't we being a little philosophical when we talk about protecting our territory, considering that we will never be able to invest enough in this area. Basically, we're wasting money to appease our conscience.

• 1630

Ms. Margaret Purdy: Let me reiterate that we are talking about our country's critical infrastructure which must be protected. It's not a question of geography or land. We're talking about our infrastructures, namely communications and transportation systems, utilities and so forth. These are vitally important to Canadians. In my view, it's Canada's role to protect the nation's critical infrastructure.

Mr. Louis Plamondon: Thank you.

[English]

The Vice-Chair (Mr. Peter Goldring): Thank you, Mr. Plamondon.

We'll now go to Mr. Provenzano.

Mr. Carmen Provenzano (Sault Ste. Marie, Lib.): I think you make a basic point that it's necessary to build partnerships with the private sector for the reason that much of the critical infrastructure in the country, in Canada and in the United States, is owned by the private sector. Any attempt to destabilize whether it's economic infrastructure or communications infrastructure would be a very serious threat to the country.

I listened carefully to see whether you might expand on the role that the private sector needs to play in order to achieve the objectives of the agency. There was a statement made that partnerships will be built. The committee might be interested to know, and there's a whole host of questions here, certainly to what extent the private sector is committing to the objectives. I would think the various components of the private sector that relate to the economy and our communications have their own protection systems.

There's a question as to what extent they are willing to share that information with anybody. I think the committee might be interested to know what you're doing with the private sector in terms of forging the partnerships you're talking about in meeting those objectives. Then I have a couple of follow-up questions.

Ms. Margaret Purdy: Sure. I did skip that part of my text. Let me go back and talk a bit about how we have worked with the private sector, what they are doing, what they want to do with us, and the way ahead as we see it.

Let me go back to the preparations for Y2K as a start, because I think that did display an unprecedented cooperative effort on the part of private and public sector entities in this country, with the electricity sector, and the telecommunications sector and so on, working with the provinces and with us to overcome that problem.

Some would say that was easy because it was a time-specific period. You could cooperate and then go away. But we collectively didn't go away. We kept up that dialogue. We realized because of Y2K—and we knew it before but it was confirmed by Y2K—how interdependent these sectors are. Yes, it's true that banks, and electricity companies, and energy companies do take security seriously, and they do have plans and preparations in their own sectors. But what they realized, and the kind of dialogue we have with them, is that you can't do this alone. You can't have the best security program unless you have good partnerships between the banks and the electricity sector, between the banks and the energy sector, because one is dependent on the other.

So a couple of the sectors, the banking sector and the electricity sector—and I'll have Mr. Harlick add to this—have already organized themselves on the cyber security front. They have set up among the banks, for example, a way of sharing information about attacks, attempted penetrations, threats they've seen, trends that bother them. But as they say to us, it's great for us to have that among the banks, but first of all we need help in understanding it. We need help from you, the Government of Canada, in analysing these trends and helping us understand them. But also we want to share what we know with other sectors in an anonymous, sanitized way, so we can get the information flowing nationally.

• 1635

Mr. Harlick had a letter from the chief executive of the Canadian Electricity Association last week asking us to take a leadership role and to bring together the sectors at one table at a very senior level to talk about how the sectors can work together and how we can help facilitate that discussion, but also how we can help develop national awareness programs, national approaches to research and development, national approaches to getting educational programs in our schools to discourage hacking. We don't want each sector and each government to be undertaking those things one at a time. So it is a national effort, and my sense is that there is a positive appetite out there to work together on this from the key sectors we've spoken to, every single one of them.

I'm an optimist by nature, and I'm quite positive as I look ahead to the level of cooperation, but I'm not naive. I know the information-sharing bit is going to take a lot of work. Companies are going to be cautious with regard to liability and competition. They're not going to want to share something that may affect their stockholders' confidence in them. And on our part, in the government, we have to get over some of our tendency to keep intelligence secret and not share it with those who can use it. So getting this two-way flow of information going and building trust is going to be difficult.

Before I go on to your supplement, do you want to add anything?

Mr. Carmen Provenzano: It's related, and perhaps we could save some time if I ask it now. When we look at this whole topic of readiness of the Canadian Forces, the question comes up, readiness for what? We can engage in long dialogues on what we're supposed to be ready for.

I guess the same question comes up with respect to this newly created office. Now, I understand there's certainly some feeling of the way at this point, but I would be particularly interested to know whether the role of the private sector has been defined, whether you've got to that stage where you can define a role, whether the private sector is buying into it.

Ms. Margaret Purdy: Several people have suggested to me that the only way ahead on this is if we go out there and demand, regulate, and legislate, and tell the private sector, you must report this to us, and that's the way ahead. I don't think that's the way ahead at all. I think it has to be much more of a consensus-building and voluntary effort. So we're not going to go to the private sector and be directive in that way. We would rather start and reach a consensus with them, and I think we're doing that. The way they are moving is exactly the way I would like to see them moving. They are setting up information-sharing and analysis centres in their own sectors, and they're interested in looking for ways to report out information on vulnerabilities and threats with others and with us. So that certainly is one way.

Getting them to invest more in research on cyber security, getting them to sponsor some programs at universities, so we actually graduate more people in this country who have a specialty in computer security, to help us prepare for the future—there are all kinds of ways the private sector can help, and I think they'll be prepared to help.

The Vice-Chair (Mr. Peter Goldring): Thank you very much, Ms. Purdy.

We'll go to Mr. Stoffer.

Mr. Peter Stoffer: Thank you very much, Mr. Chairman.

Madam, I must say I'm quite impressed by your background here. I noticed you spent a couple of years in the good old province of Nova Scotia.

Ms. Margaret Purdy: I grew up there.

Mr. Peter Stoffer: Well done.

Ms. Margaret Purdy: Paradise, Nova Scotia.

Mr. Peter Stoffer: You can't be all bad, then.

You used to be with CSIS, and I'm wondering what the relationship is between your new role in your new department and that of CSIS.

Ms. Margaret Purdy: CSIS is one of those partners—they're in that list. CSIS, as you know, is a domestic security intelligence collection and reporting agency. It is the most knowledgeable agency in this country with respect to terrorism and espionage, for example. As I said in my opening remarks, I think it is inevitable that terrorist groups, organized crime groups, and in some cases foreign espionage services are going to use cyberspace as one of their areas of endeavour in the future. So it's critical that we know from CSIS who are the terrorist groups, which terrorist groups are engaged in developing the capacity and are showing an inclination to launch cyber attacks, and what form they are going to take.

I care less about who is going to do it than what it's going to look like and what advice we should be giving collectively to the infrastructure owners about what defences they should put up against those attacks. So CSIS and the RCMP are key partners.

• 1640

It's been reported in the media that our office is going to somehow oversee or coordinate some work of RCMP and CSIS. That's not correct at all. We're not taking over anybody else's responsibilities. We're going to work with them. We're not going to duplicate what they do. We're not an intelligence agency. We're not a police agency. We're going to depend on CSIS to give us good intelligence and to help us, as I was saying to the previous question, where it's appropriate, to sanitize or get that information into an unclassified form, so we can share it with others, get out alerts and early warnings, to avoid some of these economic impacts of cyber attacks.

Mr. Peter Stoffer: Much of the dialogue this afternoon has been focused on the cybernet and concerns about hackers, but one thing we've heard about in regard to the Department of Fisheries and Oceans and the national defence is the cutbacks in our infrastructure. My colleague Mr. Anders indicated that Chilliwack was shut down. There are other bases throughout the country that have shut down.

The aspect of getting military troops to an earthquake zone in Vancouver is not what it should be, and everyone knows that. Is there not a fear that as we rush along—and rightly so—regarding what the Internet and what cyber attacks can do to our infrastructure, we're overlooking the traditional sources of prevention, Aurora craft over the water to detect illegal immigrants, oil spills, illegal fishing, drug smuggling, etc.? Because a lot of that still happens.

As you know, in Nova Scotia, when those ships come in now, we don't have port police any more, we have the regular Halifax police, and I believe they're down to two out of every 100 containers they actually check. With that minimal amount of checking on those containers coming in, what assurances can you give the Canadian public that those traditional methods of police work, for lack of a better word, will be able to enhance our security?

Ms. Margaret Purdy: It's a tough question, and deciding where to put resources and how to spend public money is difficult—and it is a matter of choice. I think the creation of our new office reflects that the government believes it has to prepare for the future threats, and indeed threats that are already with us, in addition to taking care of the traditional threats, as you call them.

In my view, the future threat landscape is going to be more varied than it was in the past. My prediction is that cyber security threats, threats to the infrastructures, threats that move through cyberspace, that exploit information technology, that actually begin to cripple, corrupt, and have a direct impact on countries, businesses, and individuals in their homes are increasingly going to have an IT element to them.

I think preparing for the future means that you have to prepare for this whole range of threats and vulnerabilities. Unfortunately, even for a safe and secure country like Canada, you have to cover more bases—I guess that is what it comes to with threats. Similarly, organized crime, which has always been the element in the criminal justice system that has to be taken care of, is, as RCMP and police witnesses would tell you, a growing enterprise.

So how do you take care of policing on the streets of communities of Canada and, in addition, handle organized crime? How do you handle terrorism? How do you handle illegal migration? You have to do your best. It's a matter of choices. It's a matter of assessing the risks and putting the money where the risks are most likely to affect Canadians. In the case of cyber security and preparing for emergencies, the government has made this choice to enhance its capability, and to do it at a time when incidents are on the rise.

Mr. Peter Stoffer: Wouldn't you agree that prevention is actually an investment? For example, you talked about electrical companies and the concerns they have about hackers. I'm very concerned about the east coast fishermen and those companies with regard to a large spill, illegal spills, or people who break into the country illegally or smuggle drugs into, as you know, Nova Scotia. And there is what it costs the Canadian people after those drugs get in or the destruction of the fish. Yet you're indicating, or at least perceiving, that the government is making its choices. It's going to put it into cyber concerns and maybe not pay as much attention to those so-called manual methods of prevention.

• 1645

Ms. Margaret Purdy: No, it's not taking from one to the other, necessarily. I agree with you, and I'm sorry if I left a wrong impression about our focus in this new organization. We are absolutely focused on prevention. With the whole spectrum of disasters we have to prepare for and deal with, including things like hail and earthquakes, the natural disasters, we want to do as much as we can to create a culture of prevention, to try to do things to reduce the impact of those disasters when they do occur. Natural disasters you usually can't prevent absolutely, they're going to happen. But you can do a lot to mitigate the impact.

There's a program in Manitoba or Alberta—I forget which—that actually involves, at very low expense, I think, shooting something—and I don't pretend to know what it is—into the clouds when a hailstorm is being predicted to reduce the size of the hailstones to a point where they're not as damaging. That's a good mitigative, preventive action, I think. The Winnipeg floodway is another example of spending some money up front to reduce the impact at the back end with natural disasters. And all of our focus in cyber is on prevention as well.

Mr. Peter Stoffer: Thank you.

The Vice-Chair (Mr. Peter Goldring): Thank you.

And now we'll start the second round of questions, five minutes.

Mr. Bailey.

Mr. Roy Bailey (Souris—Moose Mountain, Canadian Alliance): Thank you, Mr. Chairman.

I was interested, Ms. Purdy, in your defence, you might say, of the new agency. Having read this and looked at the criteria, I agree with you that this agency should come under DND, I'm not arguing with that.

You've already alluded to the specialized units of the RCMP, most of our people who work with the infrastructure, including the firemen, have specialized units to deal with chemical spills, and the list goes on and on. So with this new agency, I'm wondering if within the military we are going to have some specialized training, some specialized people to deal with such things. Let's suppose we had somebody blow up the transmission line and power went out in the city. I was in the States when this happened, and the military were there to back up the local police right away, and they were specialized people trained in that regard. Is there going to be any specialized training within the forces of people who could move very quickly to deal with these various situations?

I thought the other day at the Quebec summit about our neighbours to the south. They don't hesitate. They call in this specialized unit of the armed forces. Maybe that would be a good thing for our armed forces, to bolster their public relations at the present time, to let people see them at work. They don't hesitate in the U.S. to protect the private infrastructure with specialized units, and I don't think that occurs in Canada. I wonder what your thoughts would be on that.

Ms. Margaret Purdy: I'm quite new to DND and the Canadian Forces, but I do know they have some specialized teams that are completely applicable to the kinds of scenarios we've been talking about today. I know there's a joint biological-chemical response team. I believe it's based at Borden and they operate in conjunction with the RCMP. It is, I think, quite unique in Canada. I believe it was initially established, obviously, to help protect the Canadian Forces when they're deployed into areas where biological or chemical agents may be used, but clearly they would have a role in a major national disaster in Canada as well.

So that's one specialized team, and the establishment in Suffield, I believe, has run some specialized courses for not only military, but also civilian officials, to prepare them for responding to an incident where a biological or chemical agent might be dispersed into the atmosphere. And certainly you know about Joint Task Force II, which is a specialized counterterrorism team that is usually dispatched at major events like the Quebec City summit.

So I think in these niche areas, where there really is a need, the Canadian Forces have filled the need or been asked by the government to fill the need.

• 1650

I think you know there is quite an apparatus and procedure involved when disasters happen in Canada. The general rule is that the local authorities take care of it as long as the local authorities can take care of it, then it goes up to the province, and then the province requests assistance. There are many instances where the Canadian Forces do provide assistance, perhaps to another government department. They were deployed in large numbers in Quebec City in support of the Solicitor General and others who were responsible for security for that event. They are often deployed, as you know, at the request of provincial authorities during major weather events and other events.

So I think they have proven themselves, as I said in my opening remarks, in times of distress, not necessarily filling a specialized niche, but they do have specialized skills, let's not forget, that no other part of the Government of Canada apparatus has in respect of equipment and training, particularly in being able to take control and command during a serious crisis. I think they will always be a factor with regard to disaster response in this country.

Mr. Roy Bailey: What if some Canadian were to ask you, right now—how long would it take to have a unit deployed in a riot in Regina? They did have one in the thirties. How long would it take to have a unit there?

Ms. Margaret Purdy: I can't say with certainty, and I don't want to speculate on that. You should ask some of my Canadian Forces colleagues about that. But I do know they have plans that cover the eventuality of having to deploy to any part of this country, and the timing is different depending on whether it's Nunavut or Regina. A lot depends on what resources are required, what kinds of equipment you need, and where that equipment is. I don't have the answer.

The Vice-Chair (Mr. Peter Goldring): Thank you, Mr. Bailey, and thank you, Ms. Purdy.

[Translation]

Mr. Plamondon.

Mr. Louis Plamondon: In your presentation, you spoke at length about espionage, electronic or otherwise. How do you go about targeting your actions, given that the face of espionage has changed considerably from what it was in years past. Previously, we had the Communist bloc and our efforts were focused on these countries. Now , we deal with religious terrorist groups that either visit us or draw up plans.

Much of this type of espionage can be linked to a single individual with no political or economic ties. Such was the case with mafia boy, who set out to spy electronically on large multinationals. No doubt there are still people engaged in more traditional forms of espionage.

How do you go about targeting individual cases? Have you rejected religious cases and are you still contending with more traditional forms of espionage? How do you proceed?

Ms. Margaret Purdy: I've never been closely involved in the field of espionage, but it's a fact that today's spies increasingly seem to be focusing on economic secrets. I have a mandate to focus on the impact of espionage, terrorism and organized crime. If these adversely impact our nation's critical infrastructure, then it is the Office's responsibility to ensure the safety of the nation's critical infrastructure. We are not so much concerned about the source of the cyberspace attacks, but more about the impact such activities may have on Canada's infrastructure and government and on the private sector. These attacks can take various forms. Do they affect services such as telecommunications? Our focus is the impact of these activities, not their source.

• 1655

[English]

So it's not so much who does it, it's what happens and what you can do about it.

[Translation]

Mr. Louis Plamondon: I have a problem with attacks on the private sector and large corporations. The latter spend millions of dollars to protect their secrets and to develop anti-terrorism and anti-espionage system. Each corporation devises a different system. You arrive on the scene and announce that you will coordinate these efforts. The implication is that these large corporations or electrical or water utilities have a great deal of confidence in your abilities because as a rule, they already have virtually foolproof systems in place. Will you in fact be duplicating their efforts?

Ms. Margaret Purdy: There is no such thing as foolproof protection. That's impossible with today's computer technology. It's virtually impossible to guarantee this. However, we have discussed with businesses and with the broad sectors of our national infrastructure opportunities to share information on threats, vulnerable areas and ways of protecting infrastructure. In my opinion, it's extremely useful for the government to engage in an ongoing dialogue with the private sector, the provinces and territories and to share information. This approach benefits not only corporations, but Canadian interests as well. The ties between the various sectors in Canada as well as between large corporations and the Government of Canada are numerous. For this reason, we need to promote an ongoing dialogue with the private sector.

[English]

The Vice-Chair (Mr. Peter Goldring): Thank you, Ms. Purdy.

Now we'll have Mr. Wilfert.

Mr. Bryon Wilfert (Oak Ridges, Lib.): Thank you, Mr. Chairman.

With regard to the OCIPEP, I presume municipal leaders would be one of the major stakeholders, given that municipal governments have local disaster relief plans and that we are more urbanized than the United States on a per capita basis—about 80% of Canadians live in cities. I have, again, just returned from the Federation of Canadian Municipalities, and many of my colleagues there indicated great concern about the fact that we have these layers that are the first line and it's easy to tamper with or to contaminate a water filtration system or sewage. You mentioned the Australian example—100 million litres or something, I believe. What mechanism is there for cities to be brought into the discussions, and what kind of sharing of information goes on in that regard?

Ms. Margaret Purdy: Let me start with the work the former Emergency Preparedness Canada undertook over the last many years and the relationships they established with provincial governments and, through the provincial governments, with municipal governments, mainly with respect to natural disasters and planning for natural disasters. Some of you may know that we have an Emergency Preparedness College just outside of Arnprior, and if I remember correctly, we offer training to approximately 1,500 people a year, many of them, if not most of them, from municipal governments, fire chiefs, mayors, those kinds of first responders who you mention, including people from the large urban areas. We give them training in specialized areas, particularly, for instance, how to set up an operations centre during a disaster and how to deal with communications with citizens. We run through simulated disasters with them. I think this kind of specialized training is very much appreciated by the municipalities.

• 1700

I don't know if you saw the OCIPEP kiosk.

Mr. Bryon Wilfert: Yes, I did.

Ms. Margaret Purdy: We were actually out in Banff at that particular federation meeting.

At this stage our main relationship with municipalities is in the natural disaster planning area, through training. As well, we have regional offices across the country in each of the provinces. We work day in, day out with the emergency measures organizations in those provinces and have a great deal of communication and liaison with municipalities.

But I think you're right, we also do specialized things. Someone mentioned earthquakes. Vancouver is one of I think four cities in Canada working toward developing heavy urban search and rescue capabilities to give them the capacity, when there is a disaster where buildings fall, not unlike the situation in Israel last week, to move equipment in and hopefully search for and retrieve victims and survivors.

So there is that type of specialized support. We certainly support those teams that could be deployed in either the cities in which they exist or elsewhere in Canada, or eventually perhaps internationally. So we do, in specialized areas, work directly with municipalities.

We also have the Joint Emergency Preparedness Program, or JEPP, where we make available a small fund of money to provinces and territories for specialized emergency preparedness programs. Much of that money flows to municipalities.

I'll be frank with you, though, that in terms of the new area, the cyber area, on our to-do list is how to work with the provinces and territories. It probably, in most provinces, will not be through the emergency measures, or the EMOs as they're known. It may be in some cases, but generally they specialize in natural disasters. We need to find allies at the provincial level to deal with computer security. Where they will be, whether they exist, and how long it will take us to develop is something for the future. We have been in touch with each and every province and territory and asked for that kind of dialogue.

Mr. Bryon Wilfert: I would, through you, Mr. Chairman, make a comment and a suggestion.

With regard to, by the way, the presence, the booth was very well attended. In fact, that prompted a lot of questions. The difficulty—and I make this as a general observation—is that as a government we are tremendous at producing excellent literature that nobody gets their hands on. I have to tell you, as a member of Parliament I came home with umpteen things from different departments that I'd never seen before. There were things there I could use but had never seen, including this information. It's rather fortuitous, I guess, that you're here today. I looked at this and said “Why didn't we get this? This is great material.” People admitted... and obviously behind the booth it was the same situation. They don't get it out enough.

I used to be the president of that organization, and I would suggest to you that, from my conversations, one of the things they might like would be a presentation at some point to either the national board of directors, which represents every territory and province in this country, and/or one of their standing committees. I'm not sure now which standing committee, because there have been a few changes. But certainly as a key stakeholder, because of the vulnerability of many municipal services in this country, they would like that.

Again, some of them said “I've never seen this kind of information. This is wonderful. How do we plug in?” I would just make that observation.

The Vice-Chair (Mr. Peter Goldring): Thank you very much, Mr. Wilfert.

Mr. Stoffer.

Mr. Peter Stoffer: Thank you, Mr. Chairman.

Ms. Purdy, were you in Quebec City during the summit of the Americas?

Ms. Margaret Purdy: No, I was in Ottawa.

Mr. Peter Stoffer: I was there and I didn't see you, so I was thinking maybe you'd been on the other side of the fence.

I worked 18 years with the airline industry and have watched airports become private authorities, organizations like CANUTEC and the Transportation Safety Board, and now the private authorities to the airports themselves. I know you're a new department and you have many other departments you have to connect the dots with as an overall concern, but if you look what happened with Swissair, although that was a terrible tragedy, the aftermath of Swissair, when Nova Scotia and the federal government were able to coordinate their efforts, was fabulous. That's the litmus test in terms of how you do it, right?

• 1705

Is your organization working very closely with airport authorities and organizations like CANUTEC and the Transportation Safety Board under the assumption that wherever these types of incidents happen the Nova Scotia example would be exactly how you'd deal with them?

Ms. Margaret Purdy: We do work closely with Transport Canada and with transportation authorities. We have what is known as the National Support Plan, the master plan to deal with an emergency. Flowing from that are some specialized plans that deal with specialized kinds of emergencies, such as ones in the nuclear area, ones in the health area, and ones in other specialized areas. For example, there's a specialized plan for dealing with earthquakes.

We certainly participate in exercises. As you know, at international airports in this country they have simulated exercises, and often they're not tabletop exercises but the real thing. They bring actors in and run through a terrible disaster at an airport. We certainly participate in those exercises along with provincial and municipal authorities.

At the college in Arnprior, of course, we walk through, with a variety of municipal authorities and provincial and private sector representatives as well, some of these disaster scenarios.

So we do participate. I think we're very active with the provincial and territorial organizations that do the planning and prevention and training exercises. The running of exercises is extensive, and you have to choose the kind of scenario that really needs to be tested and that will really pay off when the incident happens.

Mr. Peter Stoffer: Okay.

A while back in the media it was reported that a woman, I believe from Africa, was suspected to have the Ebola disease. As well, a recent couple of federal buildings received envelopes with suspicious powder in them.

Before you answer the question I want to ask you—you're going to be leaving soon—if you're talking to the people at DND, if you would tell them to protect Shearwater at all costs that would be fabulous.

I just had to throw that in there.

Ms. Margaret Purdy: Does anyone else have anything?

Mr. Peter Stoffer: In terms of that powdery substance and the woman with the Ebola, when you hear something of that nature how does your department react, and what does it do to assure Canadians that it's under control?

Ms. Margaret Purdy: I wasn't in my job when either of those occurred—I was in the Privy Council Office—so I can't take you through step by step. As I said earlier, the way we manage emergencies in this country is that local authorities take care of it when local authorities can, and then they ask for specialized help. In the case of the so-called anthrax scare at the immigration headquarters here, and then, I think, at the legislative building in Toronto, or the Ontario government buildings, my understanding is that local police, local fire departments—local authorities—took care of most of the activities in terms of the shutting off of the building, in conjunction with the owners and managers of those buildings.

To my knowledge, the specialized federal help that was called into play, in the case of the anthrax scare, was the new level 4 laboratory in Winnipeg, where the samples were shipped for analysis and confirmation that, in the end, it wasn't anthrax. I'm not sure what happened in the case of the Ebola, where that was tested, whether it was in Ontario or in Winnipeg. Of course, the RCMP and the Solicitor General... because when those things occur, you never know whether it's terrorism or not. You have to be ready and be prepared to launch a counterterrorism-type investigation and examination.

So we were monitoring and sharing information. As I understand it, we acted as a bit of a communications conduit for information, but local authorities managed most of the activities around those incidents, with some specialized help.

The Vice-Chair (Mr. Peter Goldring): Thank you very much, Ms. Purdy.

Now to you, Mr. Bailey.

Mr. Roy Bailey: I have a real interest in something you mentioned on page 7 of your presentation, “services—financial, food, health”.

• 1710

One of the things that has bothered me a great deal is that for two years in a row we have had excessive flooding. This flooding, Ms. Purdy, was not because of a river. It wasn't because of a creek. Rather, it was because of a huge rainfall, plus melting snow, taking out roads, fences, and in some cases buildings and so on.

Now, under the Department of National Defence, only the minister can declare an area a disaster area from flooding—only the minister—and my interpretation of the act was that flooding must be only from a moving body of water. Two years in a row, much of a portion of Saskatchewan and Alberta was denied any assistance under the disaster plan simply because it didn't meet that criterion.

I bring that to your attention because the loss to Saskatchewan and Manitoba from two years of flooding greatly exceeded the total loss from Red River flooding. And yet we sat there and couldn't collect a cent. I've asked the minister again to take a look at that, and to date he's said that's all covered by other insurance. But it is not.

Millions of dollars were lost, and yet there was no financial compensation in any way.

Ms. Margaret Purdy: I don't know the specifics, but my understanding is that you're talking about the Disaster Financial Assistance Arrangements, correct?

Mr. Roy Bailey: Right.

Ms. Margaret Purdy: That's not legislation. Those are administrative guidelines that we operate under in terms of giving money to provinces or territories after a major disaster.

And it's not the minister who declares the disaster. My understanding is that the Governor in Council has to declare that the disaster is out of proportion, that it affects the national interest. I think that's the wording in the guidelines. There has to be a specific request in from the province that this disaster has exceeded their ability to deal with it.

I don't know in this case—

Mr. Roy Bailey: When that request comes in from a province, is there expectation that the province has to contribute a certain portion toward that?

Ms. Margaret Purdy: Yes. The Disaster Financial Assistance Arrangements have a sliding scale. The minimum scale, if I recall correctly, is that the cost of the disaster has to exceed $1 per capita of the population. As soon as that happens there is the possibility of submitting a request for assistance under this plan. The scale of assistance goes all the way up to 90%, as you know.

But not everything is eligible. There are things that are eligible, but on the not-eligible list are any costs covered under other assistance programs—for example, under normal insurance, or where insurance would have been expected to have been in place.

So it has been, I think, fairly generous with respect to the floods we've talked about, and the ice storm, for example, and a whole series of other kinds of disasters that qualify. But I don't know the situation you describe.

Mr. Roy Bailey: The province has to make the call first.

Ms. Margaret Purdy: That's right. The province has to—

Mr. Roy Bailey: Make the request.

Ms. Margaret Purdy: Yes.

Mr. Roy Bailey: Thank you.

The Vice-Chair (Mr. Peter Goldring): Thank you, Ms. Purdy.

An hon. member: The mayor can't make the call?

Ms. Margaret Purdy: No, only the province can. That's a different thing. That's not the same plan. That was a different kind of assistance. You're right, municipalities can...

The Vice-Chair (Mr. Peter Goldring): Thank you, Ms. Purdy.

As there are no other questions, possibly I could get a question or two in here.

I would like to know, Ms. Purdy, if you have an idea of the overall budget of your department. I know you said before it's in the planning stages, but there must be some idea of an overall cost.

As well, would you have some idea of the plan on the number of staff or personnel who would be particularly dedicated to this department, not who just come from another department and share information but who are actually dedicated?

Ms. Margaret Purdy: I'm going to have to say no to that, and I'll tell you why. First of all, the office is now operating on the basis of resources that were already existing at the time the office was created. There were approximately 78 positions in the old Emergency Preparedness Canada, and they're still here. I inherited them. I'm using them to build the plan ahead with our new, expanded mandate.

The minister has put forward specific proposals in terms of how much he believes we should grow in terms of both staff and overall operating budget. But that is still being discussed with the central agency, so I just can't at this time say more on that.

• 1715

What I can say to you is that, in our view, the way ahead in terms of the cyber security and critical infrastructure protection matters we've discussed is that resources will be required not just for the new office. Our submission also covers some increases for other departments, some of whom we've discussed today, who we believe need to be part of this partnership and need to have some increase in their ability to work with us.

The Vice-Chair (Mr. Peter Goldring): But would we be looking at an increase of a hundred people, a thousand people? Surely we must have some idea of how far this department is expanding, and some parameters.

Ms. Margaret Purdy: I'm sorry, but because of where we are in this submission, I really hesitate to do that today. As soon as I can tell you that I'll share it with you.

The Vice-Chair (Mr. Peter Goldring): All right.

Thank you very much for appearing here today, Ms. Purdy.

Ms. Margaret Purdy: Thank you.

The Vice-Chair (Mr. Peter Goldring): Thank you, ladies and gentlemen. We're right on the wire, with the bell for the vote coming in a second or two.

We are adjourned.

Top of document