I've actually had a little bit of de déjà vu this morning, given that I was at the defence committee and I see most of the same people here. It's nice to see everyone again.
I'd like to start by thanking all of you for the tremendous work that you have done in studying Bill . These discussions and the experts you have talked to have helped inform the development of this important legislation, so thank you for all of your efforts.
I am accompanied today by Greta Bossenmaier, the Chief of the Communications Security Establishment; Shelly Bruce, the Associate Chief of CSE; and senior officials from CSE, National Defence, and the Canadian Armed Forces. It's our pleasure to be here today as you continue your review of the National Security Act, 2017.
This legislation demonstrates our government's recognition that the pursuit of national security involves two inseparable objectives: the protection of Canadians and the defence of our rights and freedoms. This commitment is apparent in part 3 of Bill , which would establish stand-alone legislation for the Communications Security Establishment.
Last November, I had the opportunity in the House to speak to CSE's proud history of serving Canadians. For over 70 years, CSE has been Canada's foreign signals intelligence agency and the lead federal authority for information technology security in the Government of Canada. Over that long history, CSE has successfully adapted to remarkable change, including very rapid technological advancements and evolutions in the global threat landscape. However, what is needed now are modernized authorities to ensure that CSE is able to continue to adapt in this ever-changing environment both today and into the next 70 years.
In my remarks this morning, I'd like to underscore the importance of this legislation to ensuring that our security and intelligence agencies can keep pace with security threats, while at the same time enhancing accountability and transparency.
First, the CSE act would modernize the foreign intelligence aspect of CSE's mandate by allowing CSE to use new techniques to acquire intelligence through the global information infrastructure. CSE's foreign signals intelligence program is essential to keeping the government informed on matters of national security, national defence, and international affairs. These proposed changes will ensure that CSE is able to continue to collect this vital intelligence.
Second, as Canada's centre of excellence for cyber-operations, CSE operates at the forefront of changes in technology. The act would strengthen the cybersecurity and information-assurance aspect of CSE's mandate. Notably, the act would improve CSE's ability to defend important non-Government of Canada networks and to share cyber-threat information and mitigation advice. Taken altogether, the CSE act will strengthen Canada's cyber-defences by better protecting Canadians' most sensitive information and important cyber-networks from compromise.
Third, and of particular interest to National Defence, the technical and operational-assistance aspect of CSE's mandate would clarify that CSE is allowed to provide assistance to the Canadian Armed Forces and the Department of National Defence. This will enable CSE to better support Canada's military missions and the brave women and men of the Canadian Armed Forces serving in theatre.
Of course, CSE already provides important intelligence to the forces under the foreign intelligence aspects of CSE's mandate. This legislation would allow CSE to do more to help them to, among other things, conduct active cyber-operations in support of government-authorized military missions. Bill will enable CSE and the Canadian Armed Forces to better co-operate to ensure the best use of tools and capabilities to meet mission objectives.
The Department of National Defence and the Canadian Armed Forces look forward to the opportunity to work more closely with CSE to leverage its capabilities and expertise, as outlined in Canada's new defence policy “Strong, Secure, Engaged”.
I also want to discuss a crucial element of the proposed CSE act: foreign cyber-operations. I know that in her appearance before committee last month, the associate chief of CSE, Shelly Bruce, spoke to you about the active cyber-operations and exactly what they would look like in practice. Today I want to reiterate why these operations are important and why they are needed to protect the security of Canadians.
CSE's foreign cyber-operations mandate will provide Canada with the cyber-means to respond to serious foreign threats or international crises as part of a broader strategic approach.
For example, CSE would use active cyber-operations to prevent a terrorist's mobile phone from detonating a car bomb, or CSE could impede the ability of terrorists to communicate by obstructing their communications infrastructure.
CSE's active and defensive cyber-operations would be carefully targeted, by law, to the activities of foreign individuals, states, organizations, or terrorist groups that have implications for Canada's international affairs, defence, and security. Foreign cyber-operations would be subject to strict statutory prohibitions against directing these operations at Canadians, any person in Canada, or the global information infrastructure in Canada, and would require a robust approval process.
This brings me to my final point. This bill will considerably enhance oversight and review of Canada's national security and intelligence community, which includes CSE, the Department of National Defence, and the Canadian Armed Forces.
The oversight and review positions in the national security act demonstrate our government's commitment to enhancing lawfulness and transparency. I look forward to working with the proposed new bodies, including the national security and intelligence review agency and the intelligence commissioner.
By updating, clarifying, and clearly outlining in legislation what CSE is permitted to do, this legislation will empower Canadians to better understand what CSE does to protect Canada and Canadian interests. By adding new oversight and accountability measures, the national security act should also give you and all Canadians confidence that the measures are in place to ensure that CSE will continue to abide by the law and protect the privacy of Canadians.
To the members of the committee, I'm very proud of Bill . This is very important legislation that will deliver on our government's promise to protect Canadians and their rights and freedoms.
Thank you.
[English]
I will ask my questions in French for those who need the earpiece.
[Translation]
Minister, it is a pleasure to see you and your entire team again. Welcome to the committee.
I have just come from a two-hour meeting of the Standing Committee on Access to Information, Privacy and Ethics, where representatives from Estonia talked about e-governance.
Clearly, beyond what is done on land, on sea and in the air, information is becoming the new battlefield. Big data is becoming a new target and a new playing field for conflicts between countries.
How will those new powers granted by Bill serve the CSE?
Thank you, Mr. Chair and others, for being here this morning.
I think it's safe to say that Canada, allies, and countries in general are really facing a very dynamic cyber-threat environment. The technology has been changing. If you think back to when our legislation was first put in place some 17 years ago, this was before we were talking about things like cloud computing and artificial intelligence, the dynamic cyber-threat environment. Different types of actors were involved in the types of threats we're facing. I think it's safe to say that countries around the world, our allies, and Canada are all facing this very new dynamic threat environment.
As the minister said, this is really about putting the legislation in place that will allow us to have the authority to be able to operate and to protect Canada and Canadians in this new space.
To the question that was posed in particular—
Minister, welcome to the Standing Committee on Public Safety and National Security.
Bill states that you must work with the . We already know that, as , you have a close relationship with the Minister of Foreign Affairs. Probably weekly, you have to discuss a number of issues and the deployment of the Canadian Armed Forces around the world. I am wondering why the bill has to require you to contact the minister, since this co-operation is already part of your day-to-day work, I think.
There is a problem that you will surely be able to help me understand, given your close co-operation with the . It's about a security breach. I do not know how that expression will be translated, but as a former member of the military, you must know what I'm talking about. The incident took place in India, namely the invitation sent to Jaspal Atwal. We are hearing two contradictory stories. According to the , Mr. Atwal was invited by rogue elements in the Indian government. On your side, your colleague, the Minister of Foreign Affairs, confirmed that the invitation came from Canadian government officials. So we have two versions, that of the Prime Minister, to whom you are accountable, and that of the Minister of Foreign Affairs, with whom you work every day.
Which version do you believe?
:
Mr. Chair, since the minister cannot answer my question even though he was in India and is working closely with the , I would like to introduce the following motion, which I sent to the committee earlier this week:
That pursuant to Standing Order 108(2), the Committee invite the Prime Minister's National Security Advisor, Daniel Jean, to provide the committee with the same briefing he gave to journalists on Friday, February 23, 2018, and that the briefing take place in public and no later than Friday, March 30, 2018.
I'm introducing this motion because the Conservatives and the New Democrats on this committee have serious questions about the Atwal case in India.
On February 23, the Prime Minister's senior adviser on national security told reporters that the officials responsible for the invitation sent to Mr. Atwal were officials from India. This created a diplomatic incident with India. On February 27, the confirmed in the House of Commons what Mr. Jean said. Then the mentioned that the invitation was from Canada's officials. The MP for Surrey Central, , confirmed that the invitation came from him. Mr. Atwal also confirmed that the invitation was from Canada, not from India. So we have two versions of the facts now.
Parliamentarians have the right to know what happened in India. The briefing was given publicly to journalists. We should be able to receive the briefing as well. That's why I think the committee should pass this motion.
In addition, Liberal members of the committee can vote independently, with full freedom of conscience. At his last appearance, the confirmed that he was not responsible for giving direction to the committee and that its members were independent. If the Liberal members vote against the motion, we can assume that the Prime Minister's Office makes the decisions.
We need to shed some light on this. I think Liberal Party members would also like to shed light on this diplomatic incident that is serious for Canada.
:
Sure. Thank you, Minister.
When the National Defence Act was amended some 17 years ago to recognize the role of CSE, at that point CSE was actually part of the Department of National Defence. We've always had an assistance mandate, the so-called part (c) of our mandate, that allows us, upon request from another organization such as a federal law enforcement organization, to request whether CSE could be supportive of their work under their lawful mandate. Again, given that we were part the Department of National Defence, assistance to National Defence or CAF wasn't explicitly spelled out because we were part of that department.
About six years ago, to give a bit of history here, we separated from the Department of National Defence and became a stand-alone agency, the Communications Security Establishment, albeit still reporting to the Minister of National Defence. Therefore, this proposed legislation adds the Canadian Armed Forces and National Defence as an organization that could request our capability, request our support, as the minister explained, on one of their lawful missions. We would be in a support operation to the Canadian Armed Forces.
We also have representation here this morning from the Canadian Armed Forces. They may also want to speak to their operations.
I seem to always go back to history, but I think a little bit of history is important. For over 70 years, as the minister noted in his opening remarks, we have been in the business of protecting Canadians' most sensitive information.
Today, fast forward 70 years, we're now blocking on average every day over a billion malicious attempts to compromise government systems. We operate sophisticated cyber-defences on behalf of the Government of Canada on Government of Canada systems. That's our reality today.
We also provide advice and guidance and services to the public and to critical infrastructure owners about how best to defend themselves, everything from our top 10 actions that one should take to protect themselves in cyberspace to more detailed technical advice.
If a critical infrastructure owner were to request that CSE provide them with additional services to help protect them, for example when under attack, this proposed legislation would allow us to do that. The minister would have to designate the critical infrastructure owner as a system of importance to the Government of Canada. The critical system owner would have to make a written request to us. We would do it only at their request and if the minister had designated them as being critically important. It would allow us to use some of our sophisticated tools to help protect them. For example, if they were under attack from a malicious cyber-actor who was trying to steal their information or infiltrate their systems, this act would allow us to try to provide some of the sophisticated techniques and methods that we use to protect Canadians' information every day on behalf of the Government of Canada and to do that on behalf of critical infrastructure owners as well, for example.
:
When it comes to national security, this is one of the reasons why in a government we have things that are also.... For example, the is responsible for the security within Canada. That's why I, as the Minister of National Defence, look at foreign threats. This makes sure that there is a separation, but at the same time, on request, we can provide the right level of support.
For example, with forest fires, we can provide a domestic response if there's a threat, if that's needed. If there's terrorism, I need to make sure that our special forces, our capabilities, are there if needed, upon request, inside Canada.
This is something that I look at very seriously every single day, and it's a responsibility that is shared by me, , and also the . We're constantly working together. More importantly, our officials constantly work together to make sure that we keep Canadians safe, and that's something that we take extremely seriously.
:
In the overall context, we have to look at current threats, threats that are potentially emerging, and what we can predict as future threats. This is the responsibility of the government, to make sure that we have the right resources to be able to deal with threats today and tomorrow.
We've been dealing with non-state actors for some time, as well as with state actors.
Cyber is a significant concern, but I also want to say that, because we have done extremely well in Canada, CSE has the ability, the expertise, to give Canadians the assurance of tremendous safety when it comes to cyber. However, as you know, with technology, we need to stay at the cutting edge.
My bigger concern, I'll be honest with you, with nations like Russia, is how they can take cyber and what we call hybrid warfare, such as with what's happening in Ukraine, and try to manipulate and influence populations. That is a concern and not just strictly from a government perspective. We have to make sure we educate our citizens and our media. We've noticed this, and we are actively engaged in making sure that we speak with the right nations who have good experience with this, and that's the reason we're making the right investments in the right area. We're looking at the really tough threats, but at the same time, we have to be looking at the emerging threats out there as well.
In terms of active and defensive cyber-operations, which I believe was the nature of your question, this legislation, the proposed law, says that CSE will not be able to direct active or defensive cyber-operations against Canadians, against any person in Canada, or at the global information infrastructure in Canada. It's part of the legal framework we'd be operating under.
In addition, as I mentioned before, these operations would require senior-level approvals and, as the minister has mentioned, review by the new national security and intelligence review committee and also the committee of parliamentarians that has been put in place.
By law, the activities we would undertake could not be directed at Canadians or Canadian infrastructure, or anyone in Canada.
:
I'll just point to the new Canadian centre for cybersecurity that was mentioned in budget 2018 and that has been brought up a number of times around this table today.
A number of our allies who moved to this kind of model when they saw that they needed to integrate within their own cryptologic agencies—our sister organizations—to consolidate their cyber-operations' capabilities within their cryptologic agencies, see a couple of things. Number one, I think they see the need to have a unified, trusted source, and a single source of information, advice, and guidance, a place for their citizens and their businesses to be able to turn to.
Number two goes a bit to the earlier comments about expertise. I feel very fortunate for the men and women who work in CSE, truly some of the best and brightest minds in our country, whether they be mathematicians or engineers or computer scientists or linguists, who are dedicating their time and attention to work in CSE and to bring their capabilities and skills to bear. Again, one of the best practices, I think, we've seen from allies is to consolidate their cybersecurity operations within the sister organizations to CSE and to truly leverage the skills and capabilities they have to be able to better protect their own citizens.
:
The whole issue around publicly available information, I understand, has been considered around this table. I'll just try to perhaps add a couple of pieces to it.
For us, mandate is critical. Mandate matters, and it matters throughout the entire piece of legislation that is in front of you, and that includes publicly available information. We can use publicly available information only if it is related to our mandate, our foreign signals intelligence mandate or our cybersecurity mandate. We do not have within our legislation, currently or proposed, any mandate to focus our activities on Canadians, to have an investigative capability, to create dossiers on Canadians. That is not within our current or proposed legislation.
I would start with the fact that mandate matters.
The second piece I would relate is that, as I think has been raised before here, publicly available information—and it's defined in our act—would not comprise information that has been hacked or stolen. This is information that would be publicly available to any Canadians.
Also—
:
You covered a lot of territory there. Maybe I'll start with the piece about CSE being asked by the to look at this issue around democratic institutions.
I'm thinking back and I'm looking to Scott. About a year ago, in about June 2017, CSE was asked by , the Minister of Democratic Institutions, to look at cyber-threats to Canadians' democratic institutions. For the first time in our history we actually produced a report that's available to this committee, if you haven't seen it, which looked at broad cyber-threats to democratic institutions.
We really looked at three different aspects of that. We looked at the electoral process per se, so how the electoral machine works. We also looked at cyber-threats to politicians and political parties, and we also looked at cyber-threats to the media. We came out with an assessment at that time, about a year ago.
The now is asking us to review our threat assessment in light of changes that have occurred over the past year. Even when we put out the initial report, we said that this would probably be an evergreened report based on new information and new threat information.
That's the kind of work we expect to be doing over the coming weeks, to review our threat assessment based on information and activities that have occurred over the past year. This is refreshing it.
:
Thank you for the question.
[English]
I'll stay in English and try to answer by looking at this from the angle of foreign signals intelligence.
When we collect information, you're quite right that given the nature of how communications work, we may come across information related to a Canadian. Let me use a tangible example. We're looking at known bad guy X in country Y. This bad guy X is in line with an intelligence priority of the government. It stands to reason that they're a bad person wanting to do bad things that are an affront to national security. We're collecting against this person.
Now this person, unbeknownst to us, could phone you. When we collect that, we need to understand that the resulting call becomes a private communication. The Criminal Code is very clear that it is against the law to collect a private communication.
We have ministerial authorizations that cover the various activities that we use to collect information and that allow us to keep that information, if indeed it is of national security or intelligence interest. As you pointed out, we are to delete it immediately if it doesn't. If the phone call is to you and it's talking about something that is not related to national security, we are to delete it. We annotate that. We delete it immediately, and that is reviewed by our commissioner to make sure we delete these things on an annual basis.
If indeed it has a national security interest, then we keep it, but even in keeping it, we write a report that talks about the conversation you may have had, possibly about blowing up something somewhere that is of interest to Canada. We would still protect your identity in that report, by using a generic term to render your identity illegible.
Then it comes time for information sharing. Where does our report go? Obviously there are domestic agencies within the national security apparatus here in Canada—CSIS, RCMP, and others—that have an interest in reading the report. Now they may have a legal mandate to know the identity of that Canadian, so there are procedures in place to disclose that information to them.
Similarly, when we're writing reports, some of the information is obviously shared with foreign partners, and there are other things that govern that exchange of information. Again, though, if they wanted the disclosure of that information, they would have to show us why it was imperative for them to get that information.
Of course, we're bound by other things. We have a ministerial directive, for example, which was recently reissued by our minister, related to information sharing that may lead to the risk of mistreatment. We do an analysis of what our partners want that information for and what they are going to be using it for, and we do a risk analysis to make sure it isn't going to be leading to mistreatment. There's a calculus that happens before any information is shared.
:
Sure, and I will ask Scott Jones, our deputy chief of IT security, to come in.
Perhaps to answer the question, Mr. Chair, I'll go to three different pieces of the proposed legislation.
First of all, to prevent cyber-attacks, we need to have not only good capabilities and tremendous Canadian men and women working on this but also good intelligence to try to understand what those threats are before they even come to Canada. In the legislation, there is a strengthening of our ability to ensure that we can continue to collect foreign signals intelligence, including that relating to cyber-threats. That's a piece of it.
The second piece I would draw attention to is that the cybersecurity aspect of the legislation talks about us being better able to share threat information with the private sector, and it also talks about us being able to—again, at their request—help defend their systems. That's another way this legislation would strengthen our ability to help do cyber-defence for Canadians.
The third piece I would focus on is the defence of cyber-capabilities. If there was a cyber-attack, instead of us sort of standing back with a shield with which we would try to protect against these billion malicious attempts per day and waiting for them to happen, if we could go and say, “Let's try to stop that cyber-attack from even happening”—there could be a server outside which we know is now trying to infiltrate a Canadian system and steal Canadians' information—we could, through this legislation, which would be a new piece for us, try to stop that attack before it got to our shores and into our systems.
With that overview, maybe I'll ask Scott Jones, our IT security—
:
Really, when we're talking about a billion malicious actions, we're talking about the gamut, all the way from people poking at our systems, looking to see where they're vulnerable, up to people trying to compromise or install malicious software called malware, or basically exploit any vulnerability that exists. It's a wide range of activities, but what we're trying to do is counter the full range, no matter where it originates. We want to counter any malicious activity that's coming at the Government of Canada, and the number is astonishing. I think that's really where we are going into a few different areas. Number one is making it better. How do we work to make the systems that we have more defendable? That's working with the commercial sector, and that's being able to share more information, being able to share some of our tools and techniques, and pushing it forward.
We've shared some of our tools publicly. We have a system called Assemblyline which we have made open-source and publicly available to anybody who could leverage that. That's how we, for example, defend the government and look at millions of malicious files a day.
The second piece is providing that level of defence that fills the gap between the best available commercial and the state-of-the-art threat activity that we're facing today. Bill would allow us to then use that on critical systems of importance, as designated by the , but also with the informed consent of the system's owners. Informed consent is something that's particularly important in this case.
The third piece is general information sharing, whether that is providing advice and guidance or being able to share what we're seeing, what's going on, and very much clarifying our authorities to share information.
That's where we kind of layer all these things together and start to deal with those billion events.
The reality is that it is a formidable task. That's why it's something we take extremely seriously. Again, we've been in the business for 70 years, and I'm sure we have the best technology, the best people we can have to work on this task, and to work on it in partnership. We often talk about this being a team imperative. No one organization can have all the information or all the answers, so we do work closely with academia. We work closely with other partners. We work closely with our allies in terms of developing knowledge and capability to be able to defend against this very, very challenging environment.
In addition to what was already discussed around budget 2018.... Budget 2018 is proposing an increase in resources and a consolidation of Government of Canada cyber-operational capabilities within CSE, so it provides a bit of a multiplier effect and a single source of trusted advice and guidance, but this legislation would also allow us to exercise additional authorities in the cyber-protection space. Again, that goes back to ensuring we can collect foreign intelligence in a very challenging world and that we can see threats before they reach our shores, have broader threat information sharing, and deploy our cyber-tools—some of the advanced tools Mr. Jones spoke about—on private infrastructure if that is requested and if it is designated.
Also in the defence of cyber-operations, instead of trying to defend only at the periphery of our networks, if we see something that is outside—in a foreign land, on a server, for example—trying to take down Canadian infrastructure or trying to steal Canadians' information, Bill , this legislation, would authorize CSE to go out and try to protect Canada before that threat actually reaches our systems.