Past Session:

Proceedings of the Standing Senate Committee on
National Security and Defence

Issue 9 - Evidence - Meeting of October 29, 2012

OTTAWA, Monday, October 29, 2012

The Standing Senate Committee on National Security and Defence met this day at 5 p.m. to examine and report on Canada's national security and defence policies, practices, circumstances and capabilities.

Senator Pamela Wallin (Chair) in the chair.

[English]

The Chair: Ladies and gentlemen, welcome to the National Security and Defence Committee for Monday, October 29. I have a couple of apologies. One is that I have a bad cold so the voice does not sound good, but it of course will not stop me from interrupting from time to time.

One of the guests that we had booked was unable to join us today; he is in Washington. Hurricane Sandy put that adventure to an end today. He was unable to get to the building to be hooked up with us, so we began our meeting a little late.

We will carry on and deal with two of the topics we originally had booked. We will be talking about cybersecurity a little later, but we will begin on a topic that we have touched on most recently when we were on the West Coast and were briefed on the whole Asia-Pacific tilt or pivot that we see on the part of Western nations. The region has become hugely important in world affairs; the U.S. military is rapidly rebalancing its forces there, as they say, largely because of the rise of China.

As of October 9, Canada has joined the Trans-Pacific Partnership and is pursuing other regional trade arrangements in that area. While the trade imperatives are pretty obvious, and the need to pursue those, the question of what is Canada's defence interest in the area has engaged us, including what are the defence and security implications for the region and for Canada as part of this, as a Pacific nation.

Joining us today from Vancouver is Brian Job. Mr. Job teaches at the University of British Columbia and is an associate at the Liu Institute for Global Issues, focusing on Asia-Pacific.

With us here in Ottawa is Paul Chapin, formerly with the Department of Foreign Affairs and International Trade Department. He is an expert in security and defence matters, a co-author of The Strategic Outlook for Canada published this year by the Conference of Defence Associations Institute, where he is the vice-president.

We will start with Mr. Chapin. First, though, I need a motion to be put forward. We have an opening statement from Mr. Chapin, but it is in English only, including some graphs that might explain this. May we permit that the documentation be distributed? Thank you Senator Dawson.

We will proceed. Welcome, and please begin with your opening statement.

Paul Chapin, Vice President, Conference of Defence Associations Institute, as an individual: Honourable senators, thank you for inviting me to appear before you today to discuss a subject that I fear I may be a little out of my depth on in respect of certain of the dimensions. I will take a global perspective and hope that that suffices for purposes of your study.

In my opening remarks I propose to make three points. Point one is that Canada has had a long security and defence relationship and interests in the Asia-Pacific region. Regrettably it seems to be a Canadian affliction to regularly rediscover our security interests in the region and then some time later on forget them. If we go back just 50 or 60 years, we had 8,000 Canadians fighting in Asia in World War II. They were fighting for the purposes of defeating the Empire of Japan. A little later we had 25,000 Canadians fighting in Korea to arrest aggression and contain communism in Asia. More recently in Afghanistan we have had 40,000 Canadians pursuing yet a different security objective, namely, to defeat terrorism, restore the integrity of the Afghan government and help it secure its territory, thereby bringing a greater measure of stability to the region as a whole. We should not also overlook the cases in which Canadians, civilian and military, have served in peacekeeping missions and observer missions in places like Kashmir, Cambodia and Vietnam.

The second point is that our security interests today have evolved from those that I have cited earlier, but they are hardly less consequential. Let me explain what I think are the three gravest security interests we have, starting with what I think is the least important, although very consequential and going up the scale.

The first is to secure the sea lines of communication in Asia. This is a very long stretch of water going from the Persian Gulf and the Indian Ocean, right through the Strait of Malacca into the South China Sea, across the littoral of China into the East China Sea in Japan, and hence onwards to North America. Through that route travel something like 50,000 ships a year. It accounts for the five busiest ports in the world, and something like one third of all global merchandise trade passes along those routes, including — and this is very substantial — 80 per cent of China's and Japan's energy imports.

Interrupting that flow of commerce is not a matter to be taken lightly and in some cases one can understand particular states might consider it a casus belli.

What does it mean for Canada? Canada has a direct and immediate stake in securing these sea lines of communication. Approximately 5 per cent of all our exports go to Japan, China and South Korea, and 15 per cent of our imports come from those three countries.

The second major security interest we have in the region is the freedom and independence of the states there. Nothing promotes peace like democracy. We do not have nearly enough of it in the world. Fewer than half of the countries are judged to be free. In the most recent report of Freedom House, the trends are in the negative. That said, there is one positive trend in its analysis, and that is the growth of respect for human rights and political freedoms in the Asia-Pacific region, believe it or not.

We clearly have an interest in helping to solidify that trend. It is at risk, however, because as China's economic and military power grows, it intimidates its neighbours, its own longer-term objectives remain somewhat murky, and there is a distinct possibility that when faced with an enormous Chinese economic and military presence the smallest states in the region will consider themselves under some kind of pressure. In earlier times we described that phenomenon as the "Finlandization'' of a country. Canada obviously shares with other democratic states a powerful motivation to ensure that that does not happen.

The third is the plain and simple requirement to see if we can do what we can to avoid war. China has been investing in naval power, air power and ballistic missile forces. While its long-term intentions are obscure, its immediate objectives appear to be twofold: first, to avoid in future being coerced, as it felt in the past, by the United States and to a lesser extent Japan, when confronted with military force; and, second, to back up its maritime claims to the South China Sea, which are enormous. Eventually, if it continues on its present track, it will have a blue water navy, and that navy's intent is obviously to secure its own long-term supplies of natural resources to fuel its economy. Canadian interests there are to ensure that hostilities do not break out in the region and potentially spread through other parts of the world.

What is Canada's security agenda here? It is a little controversial, but let me point out that I think we have a need for a security agenda to match our economic agenda for the region, which is quite well developed. I believe we need both if we are to be successful there.

I propose that that agenda have three basic elements. The first, which we called for in the past, is for the government to articulate a national security strategy globally, and in that context explain the security interests and the security objectives it seeks to pursue in the Asia-Pacific region. That would necessarily require some rebalancing of resources. You either find a whole lot of new resources for this new region or rebalance from elsewhere. The elsewhere has to be Europe, the Mediterranean and Africa. My own view is the Europeans are more than capable of looking after the security interests of the democratic states in that region.

As a practical matter, this rebalancing probably requires working on the three "D'' tracks, the first being greater political involvement, by which I mean ministers and senior officials. They have to become engaged in regional issues. They have to show the regions that Canada is as interested in their security issues as they are in order to have any kind of credible role there. We also need to enhance our diplomatic presence.

Second, we need to redirect a great chunk of CIDA's budget, not into the region but into the problems of the region. CIDA has a $5 billion budget. It spends only a fraction of that in what I would call dealing with the problems of the front-line states — the ones that are vulnerable — and the failing states that we end up having to fight over down the road.

Third, we need to shift the focus of our naval effort from the Atlantic to the Pacific. We have to reconfigure the navy to do this kind of work. The Pacific is much larger than the Atlantic; getting across the Pacific is an enormous undertaking and then sustaining your capability there is a huge challenge.

Having called for a national security strategy and a rebalancing of resources, I think we need to take the first step in a leadership function in the region by proposing something like an alliance of democratic states in the region. I think it can start modestly in the same way NATO started modestly, of which I can explain more later, but I think some time down the road the democratic states of the region have to get together.

The Chair: On page 2 in your reference to the number of casualties, are you referring to Afghanistan there? It is the third paragraph, fifth line down. I think that number is too large.

Mr. Chapin: Sorry. Yes, it is.

The Chair: We will correct that.

Mr. Chapin: It is 158.

The Chair: Thank you. That is what I was going to change it to.

Senator Mitchell: I thought that in Korea —

The Chair: It is not Korea; it is Afghanistan.

Senator Mitchell: No, I am going to the second paragraph. To follow up your point, I thought 516 Canadians were killed in action in Korea, not 309.

Mr. Chapin: It is possible. I take my notes from the book that Professor Denis Stairs wrote on the Korean War.

The Chair: Mr. Job, do you have any opening remarks following those of Mr. Chapin?

Brian Job, Professor, Political Science, University of British Columbia, Senior Fellow, Asia Pacific Foundation of Canada, as an individual: Good afternoon, senators. I appreciate the opportunity to appear, especially by video conference, and I certainly appreciate your continued interest in the Asia-Pacific region in Canada.

Rather than rehearse prepared remarks, I will attempt to tap dance around Mr. Chapin's comments. It is good to be on a panel again with him; we have worked together often in the past, very productively. I will counterpoint, not at all in opposition to the things that Mr. Chapin has said, and make a couple of comments.

His first point was regarding our long relationships and interests in the Asia-Pacific. What I would add to that are two things. One is that we have been engaged in traditional security matters but increasingly in what would be called non- traditional security matters. This would be a response to natural disasters with the Canadian Forces or in peace operations, as in East Timor.

Second, the footprint of Asia in security terms has expanded substantially. We now consider, relatively often, South Asia as being a part of this. We consider Central Asia, with the states in Southwest Asia, with Afghanistan. We are looking at a larger perspective, or we need a larger perspective on Asia-Pacific than we have had in the past.

As Mr. Chapin has said, we are beginning to pay attention to our interests in the Asia-Pacific, but it simply cannot just be an economic agenda. Our partner states in the Asia-Pacific will see us in that context, but they will not necessarily see us as relevant players in the region unless we pick up the political and security sides of this.

On security interests, his second point, I would make one or two additions there. For Asian states, the first priority for most of them is regime security, however you want to cut it. It certainly is for the Chinese leadership, but when you look at what the domestic politics are in countries like Japan, South Korea and Taiwan, much of their external policies, even their security policies, appear to be dictated by manoeuvring within the domestic political context, and certainly you see that with regard to China at the moment.

Moving to China, we have to see China as aspiring to the role of a global power. That is legitimate, given China's size in the world economy and given where it is going. The consequences of that are that China will extend its security capacities to protect its natural resources and the sea lanes that Mr. Chapin pointed out. I think I sent a graph that indicates that 80 per cent of China's imported oil goes through the Strait of Malacca and 40 per cent through the Strait of Hormuz. Their interests will expand far out of the Asian oceans as we know them into the Indian Ocean and beyond.

Another point about China is the presence of Chinese citizens around the world. China was involved in the Libya mission to get 35,000 Chinese citizens out of Libya. As China's economic reach expands, they will expand their security capacities accordingly.

Finally, as Mr. Chapin noted, the issue here is force projection, certainly in a maritime context, but also in certain technical areas. China is expending enormous resources on cybertechnology. We consider cyberwarfare a concern but also in space, so you have a high-tech dimension there.

As far as Canadian interests are concerned, I have little to add to where Mr. Chapin left us. I am sure you will have concerns there, and I will chip in if I see any information I have that would be distinctive to add.

The Chair: Do I take it that you agree with this notion of a NATO-like alliance, that we have to propose it to show we are serious? Do you think that is realistic?

Mr. Job: I am not sure it is realistic. I am not sure there is much appetite for it on the part of Asian countries, even the democracies, to be blunt, which would take us to Japan, Korea and a couple of others. I think that the concern of even the Asian democracies is that anything that appears to be isolating of China is not seen in the long term to be a positive step towards overall security.

The Chair: Okay. We will pursue that later.

Senator Plett: Thank you, gentlemen, for coming out. I appreciate your testimony.

You have spoken quite a bit about China but not a lot about North Korea. Where do you think our biggest and most serious threat to security is? How does North Korea compare with a nation like China? Clearly they are increasing their military strength. Where would North Korea fall?

Mr. Chapin: Let me start by saying that North Korea is an enormous problem, and it is probably a larger problem now than it was before the most recent regime change. One had the sense that after the North Korean invasion of the South in 1950 under Kim Il-sung, that they settled into a tense but understandable ceasefire arrangement. His successor, Kim Jong-il, was prone to the occasional adventure, very good at tweaking people's noses, unnerving the South, the Americans and the Japanese, but knowing when to pull back. The trouble with the 29- or 30-year-old military genius — so described — now running the country is that you have no assurance that he will be as astute as his ancestors were. Moreover, the head of the military was removed apparently in a gun battle that killed 20 people, including him. There is a power behind the throne in the form of his aunt, who is the daughter of the founder, and her husband, who appears to be the one of the principal interlocutors with the Chinese.

Where the Chinese stand on all this is a curiosity. I think Mr. Job is far better at assessing that picture, but it seems to me that the Chinese are playing a rather dangerous game, as well, in allowing events to proceed in North Korea. I would have imagined that they had their opportunity to put a stop to the nonsense at the last regime change and they did not do so, so they must see some measure of advantage in allowing the situation to proceed, presumably hoping they can control it, but if it falls out of control it is prime for an interstate war of some character.

The North Koreans have 1 million troops on the border and another 4 million all told. They have ambitions to have a nuclear weapon. They have some missile delivery capacity. In a first assault on the South, there would not be much left of the city of Seoul after the first salvo.

Mr. Job: I have very little to add. The Chinese perspective is that their current interests and their long-term interests are satisfied with the divided peninsula. They do not look positively on a Korean Peninsula that is united in some form under a South Korean administration. They find themselves, I think, in an incredibly difficult spot because much of what North Korea's adventures have done is drive other states closer to the United States, yet at the same time they argue they have little influence.

I tend to doubt the little influence part, especially with the current leader. As Mr. Chapin said, we are at a very precarious time internally. I do not see the North Koreans at this moment trying to upset the apple cart for external relations in the near future, but longer term the real concern is either an accidental or purposeful attack, which would be suicidal for the regime in North Korea, but who knows; and second is a collapse of the state, which neither China nor South Korea can comfortably contemplate.

Senator Plett: Mr. Chapin, when you talked about us having a national security strategy, you also mentioned that we needed to enhance our diplomatic presence. I thought we had been working diligently on that. Would you expand a little on that?

Mr. Chapin: We have been working on it. My suspicion is that the diplomatic presence that we are most focused on is in fact a commercial and trade presence. We have quite an interesting range of consulates within China. My sense is, though, that on the front of our diplomatic and political relations and our security relations with the regions, we are pretty thin on the ground. Canadian embassies in most of those countries, with obviously the exceptions of Beijing and Tokyo and one or two others, are comprised of one or two political officers, maybe three. Many do not have military attachés — there ought to be a great many more of them — and that has inhibited our ability to engage, to converse, to stay involved, to report back and to have ideas back here in Ottawa about interesting initiatives we can take to demonstrate our interest in their issues and contribute to solutions. The basic diplomatic infrastructure is there, but it needs to be enriched significantly.

Senator Mitchell: Thank you both for your interesting remarks. On the one hand, Mr. Chapin, you are suggesting that China constitutes a threat at some military level, potential or otherwise. On the other hand, we are looking to sell a chunk of our oil industry to it. There may be certain advantages to that because you have also alluded to the idea that good economic and diplomatic relations could reduce the threat. Could you comment on the Nexen issue and the sale of our resources in that regard?

Mr. Chapin: China is a challenge of a different kind. It does not compare in any degree to, for instance, the Soviet Union, with which I am intimately familiar, having spent many years of my life on that issue. I think it would be wrong, and Mr. Job will probably agree with this, to consider China a military threat today. There is not much history of Chinese aggression in the region. I think much of their military buildup is explained by a sense of insecurity, a sense of defensiveness, but once you acquire a formidable military capacity to deal as a potential equal with the United States, your attitudes will likely change. If in the meantime your economy is struggling, there is competition for scarce resources and you have to get them from the Gulf or from Africa or elsewhere, at a certain point you will use your military muscle subtly or otherwise to do so.

We do have to work two tracks with the Chinese. One of the hopes in the future, and it is not a particularly edifying situation to contemplate, is that the Chinese economy will slow down, and in due course that will modify their military ambitions as well.

The Chair: Mr. Job, did you have a comment?

Mr. Job: No, I think I will stay away from that one. Thank you.

Senator Mitchell: Speaking of Russia, the U.S. actually invited Russia to the most recent RIMPAC exercises and it accepted. First, are there security issues in that regard? I think General Beare assured us, and I have no reason to expect there are not, and I would like your opinion on that. Second, would it be totally and utterly unreasonable to include China is such an exercise, given that we are including Russia?

Mr. Chapin: On your second question, there is potential for that sort of thing. Indeed, I think I read recently that there is a scheme for the Americans and the Chinese to jointly exercise some military capability related to disaster relief and so on.

You can have less than amicable relations with adversaries and still find lots of practical ways of cooperation in the mutual interest. In Russia, for instance, there is lots of cooperation on piracy and on counterterrorism. They are helping us to a modest degree in Afghanistan with logistics. One can see the same kind of practical agenda being worked out with the Chinese to the benefit of both sides. That will not materially change the large facts that dominate, but it will certainly help to acclimatize the various sides to the character and intentions of the others and that will help down the road.

Senator Boisvenu: I invite you to have the interpretation.

Do you understand?

Mr. Job: I do not have interpretation.

The Chair: He does not have interpretation.

Senator Boisvenu: I will try my best in English.

First, it is my second appearance on this committee, and it is a great pleasure to be here. I would like to salute your presentation. It was great.

Mr. Chapin, your presentation was about some kind of shifting in the strategy. Do we have examples of allies or friendly countries that have made the same change in their strategy, such as the U.S.A. or other countries?

[Translation]

Mr. Chapin: Interesting question. I suppose that if I went back to my history books, I would find some examples.

[English]

I suspect that if I went back to my history books, I could find some examples.

[Translation]

Senator Boisvenu: Did the Americans make this strategic change?

[English]

Mr. Chapin: Let me give you the example of Australia. Until about 30 years ago, Australia saw itself largely as a strong partner with Britain and with the United States. The focus of its foreign and defence policy was therefore cooperation with the British and the Americans. They were very much involved, therefore, in what the British and Americans were involved with — the Middle East and other areas.

About 30 years ago, the Australians came to the conclusion that they were a middle power, like Canada, and that they should be a little bit more careful about what their priorities ought to be. The conclusion they drew was: "Australia is in Asia. We need to start recognizing that, and we need to become an Asian country in the sense that that is where our priorities are. We need to spend time on Indonesia, Malaysia, the Philippines and Singapore, deal with the Japanese and the Koreans, and spend far less time on the Middle East and Africa.''

I am suggesting in some respects a modest reappraisal of our priorities of the same general character, not because Europe is no longer of importance to us — it will remain very important — but because our security interests in Europe have largely been satisfied with the end of the Cold War and the growth of the European economies. Europe has 500 million people, among the wealthiest in the world. They frankly do not need the Canadians or the Americans to defend them, nor do they necessarily need either of those two countries, although there are some technical issues, to help them with the Balkans or the Mediterranean or North Africa, which are their neighbourhood.

I am saying that while we do not forget about other parts of the world, we recognize the limitations of our resources and we get more effectiveness out of directing them at places that really matter and where we can expect to have some results.

Mr. Job: I apologize to the senator. I understood the question in French, but any response that I made in French would be painful, so I will proceed in English.

I would direct the committee's attention to what just came out yesterday, which is a white paper from Australia called "Australia in the Asia Century.'' This document is about 200 pages long and represents a year or more work on the part of Australia's government, all sectors of its government, to define its interests and strategies in Asia. As I said, I would strongly recommend it to your attention and elsewhere, actually, in the Canadian government.

With regard to the United States, to build on Mr. Chapin's comments, they are in a position of desperate reorientation of their defence sector in light of the drawdown in Iraq and Afghanistan and especially the concern over the national debt. With the Obama administration, you saw greater attention to Asia, and now we see this so-called pivot, which I think is misnamed. It is really a repositioning of U.S. attention and assets farther south in the Asia- Pacific to Guam, Australia, Singapore and the Philippines, which, as you think about it, is clearly a strategic positioning vis-à-vis China.

Senator Johnson: Following up on the question of Senator Boisvenu about the United States and this strategic rebalancing that it is doing in the Asia-Pacific region, what should Canada and the world take from this? I agree with Mr. Job about the reasons it is happening and why they are going farther south.

Mr. Job: You are asking me what the implications are for Canada.

Senator Johnson: How should we view this in terms of the world, taking what they are doing and how they are rebalancing strategically? Is there anything further than what you said?

Mr. Job: I think that this gets caught up in a lot of the rhetoric and the think-tank industry in the United States that wants to hype what they would see, or certain individuals see, as an impending inevitable conflict with China. I think the Obama administration has been careful to attempt to avoid that, and Hillary Clinton spends a lot of time on that. The notion of moving away from Northeast Asia in a context where the assumption is that Japan and South Korea will increasingly be able to attend to their own interests, especially maritime interests in their region, puts U.S. farther south and also positions the U.S. vis-à-vis the Indian Ocean, which is, for many analysts, the next strategic maritime area of concern.

Senator Johnson: Another question would be about Canada promoting the establishment. Should we promote the establishment of a formal military alliance with like-minded countries in the Asia-Pacific region? If so, what type of alliance should be sought? Would it be a multilateral, NATO-like alliance, bilateral military relations with individual countries, or something else?

Mr. Chapin: What you have in the region at the moment is a plethora of regional organizations, some of which are strictly regional and others with extra-regional countries attached to them — Russia, the United States, Canada and so on. Most of those organizations, with one or two exceptions, have a largely economic and commercial character to them. The one exception is the ASEAN Regional Forum, which has the nucleus of the ASEAN countries but has a large contingent of other countries coming together for a day or two and, in between their annual meetings, engaging in good works to help collectively improve the security of the region. That is a very modest start, and it includes everyone from the Burmese to the Australians. It is not in any sense an organization of like-minded states.

Where I think our thinking should be going is towards a multi-lateralization of the "bilateralization'' that has been happening. The United States has bilateral treaties with Japan, Korea and I believe Australia. It is working out new relationships with the Philippines. It was pushed out of the Philippines some time ago. It is in discussions with Vietnam and Singapore. The intent there is clearly to position the United States with those countries to help those countries, first of all, feel more secure in the relation they have with the United States, and also to benefit from the contacts and the work that will go into an alliance of that kind.

I think we should be looking at some of the players in that association. The Americans have alliances, or treaties or agreements or close understandings, with Japan, Korea, Australia, New Zealand, the Philippines, Malaysia, Singapore, Vietnam and maybe one or two others. They have a relationship with us as well. Maybe the time has come to ask what there is in common here that could serve as the fundamentals, not of a NATO organization, but of a North Atlantic type treaty created in 1949, 14 little articles, unlike the very large UN charter, where people pledged to support certain kinds of principles and purposes, and just about left it at that.

They did provide for a council that would meet and they did provide for a committee of military chiefs of staff and said — this is 1949 still — that if we need more subsidiary bodies down the road we will go that route.

It seems to me NATO started modestly as a kind of pledge of mutual support, which was not directed against anybody. The Soviet Union was not mentioned anywhere in the North Atlantic Treaty. One could imagine something like that being concocted for Asia-Pacific. It does not mention China. It simply says that this is not about you, this is about us. We have certain things in common and are beginning to realize we need to work in common together on those issues and see where it goes from there.

The Chair: I do not want to be pejorative, but let me see what Mr. Job has to say about this in terms of the relative usefulness of talk shops. Do we need another one of those? If not, do you have any specific things in which Canada might engage?

Mr. Job: I will have to disagree with Mr. Chapin about a NATO-like alliance. You could say it did not mention the U.S.S.R., but the elephant was in the room and it was the entire focus of the purpose of the organization. In fact that was the only time the organization actually functioned well, which was when they had a pronounced and articulated threat.

I do not think that is the answer in the Asia-Pacific. I do think there is a good point in thinking that we should look to promote our interests and the interests of open societies in key countries. One that has not been mentioned thus far is Indonesia. However, Indonesia, the Philippines, Thailand and Vietnam should all be targets of our attentions.

What else should we be doing? Going back to where we were a moment ago, there are ways in which we do want to keep our presence seen as relevant in the region. Frankly, we dropped off the radar screen about half a decade ago, or further. We picked it up on the economic front. We are beginning to pay attention to some of the security oriented institutions. The oddly named Shangri-La Dialogue, for instance, is one of the key ones. Our Minister of Defence has shown up only twice in 10 years, and in that context we are simply being seen as not interested. Therefore, we do not get invited to the ASEAN defence ministers' meeting. We have now not been invited to the East Asia Summit, which I think is on the directions that Mr. Chapin is actually talking about.

The model is not NATO; the model is the OSCE, which had a specific confidence-building and inclusive intentionality rather than an exclusive one.

The Chair: That is an interesting point.

Senator Dawson: As you know, there is a parliamentary association meeting. Senator Day was there last week, with 130 countries represented by 900 people. In two years, the next conference will be in Mongolia. They are lobbying harder in these international conferences than they used to in the past and they have "solidity.'' The Asia-Pacific group made some common requests, which was not known in that forum in the past. Perhaps they are not going towards NATO, but they have a lot more "solidity.'' The complex chart of the organizations that exist makes it difficult for them to arrive at easy solutions.

I could go on and on about what was said there, but informally you could sense that some of the comments were such that if China cannot buy Canadian companies, how will we get guarantees for resources that we need? They basically go back to the past wars and say that every time there was a war was because some of the countries felt they did not have access to resources. That is their biggest issue right now. They are all battling for the same level of resources regionally. If they do not get them through peaceful ways, they might become more aggressive.

Do you have any comments about how to look at trade, democracy, and conflict and ask what would be the best solution to these economic difficulties they are having?

Mr. Chapin: I do not think there is a best solution. I think you muddle through on a lot of these issues. Clearly, it is a very dangerous game to anticipate or telegraph the notion that you will deny a country the resources it needs to survive and sustain its economy. That has produced wars in the past. Just the anticipation of the deficiency can produce conflict.

Beyond that, I am not sure there is very much I can add to the picture other than to say that you deal with the situations one at a time. I am not sure that we need to pledge our resources to China to demonstrate our bona fides and our interests in national peace and security. That is not the price we need to be contemplating and that is not the price they should expect us to pay. However, the fight over resources has probably historically been the single greatest spur to war of which I am aware.

The Chair: We have looked, as you well know, at the Arctic, which is one of the underlying issues in that whole discussion.

Mr. Job, did you want to make any other comments?

Mr. Job: Not particularly on that point, thank you.

Mr. Chapin: Can I ask for the next tough question to go to Mr. Job rather than to me?

The Chair: We will work on that.

Senator Day: I am siding more with Mr. Job than with Mr. Chapin in relation to the issue that Senator Johnson raised in terms of NATO.

Mr. Chapin, you did not mention Article 5, which seems to me to be the critical part of the NATO formation. The North Atlantic Treaty is coming to the defence of any nation that is in distress from another nation, but NATO has evolved a lot from that to try to create another type of organization in the Asia-Pacific region rather than following where NATO has been going. NATO has been working with China, as you mentioned with Libya, off the West Coast of Africa with respect to pirates, and partnership in the Indian Ocean with Indians and with the Indonesians, the Australians, Singapore, and that is all through partnerships and an expansion of an existing mechanism rather than trying to create another one. Can you comment more on that aspect of the partnership, as opposed to the Article 5 type security that some nations might be looking for?

The Chair: Did you want me to ask Mr. Job that question? Mr. Job, do you want to take the first shot at it?

Mr. Job: I will go back to it, yes. I think I made my initial point fairly clear, but at the same time I think that Mr. Chapin has a legitimate and important point to make, which is greater engagement by Canada in these sorts of issues. The dilemma I would have is that I think our interests are in a more inclusive or most inclusive sort of institution.

The notion of a military alliance in Asia is simply not going to work. You already have extraordinary tensions on the part of the Japanese and the South Koreans vis-à-vis how their relationship could develop in any kind of, shall we say, military crisis. I think the prospect of getting any kind of immediate agreement on response is almost zero.

One of the dilemmas is that if you look at the Libyan mission, you cannot say that NATO is functioning effectively in that regard, either. As you get diffuse security interests among nations, you will find it harder and harder to develop military alliance logic for their cooperation.

As I said at the beginning, going back to Mr. Chapin's point, I think you do want to see our engagement and some institutional innovation in the Asia-Pacific.

Mr. Chapin: As Mr. Job says, there is the alternative model to the one I have proposed, which would be a treaty or an alliance among democratic states in the region, or something more akin to the OSCE, where you have one group of democratic states, at least when the whole thing started out. Then you had the Warsaw Pact members, and then you had a number of European neutrals. That process was very successful. It was not the only initiative that brought about the end of the Cold War, but it was very successful in reducing tensions and expanding understandings. There is probably a role for some institution like that in Asia.

I will put it to you, however, that one way or the other, something similar to that probably exists in bits and pieces in the institutions that are already there.

To Senator Day's point about NATO's partnerships being another avenue, if NATO's partnerships were ever to seriously contemplate the membership and the full involvement in decision making of some of the major countries that have helped us out in the past in Afghanistan — countries like Japan with its money, South Korea with their police, and Australia and New Zealand with their troops — if NATO would ever contemplate that, I would say that is your main chance and you go with that. I have to confess that I see almost no possibility that NATO would be willing to contemplate that route.

In the meantime, because we are members of NATO and we signed on to Article 5 — in theory, anyway — we are supposed to be ready to come to the defence of Bulgaria or Romania and other countries were they to be attacked by Russia or some other entity. That is an unbelievable scenario.

You may say to yourself that there is some struggling in NATO at the moment. It has served a variety of purposes very well, up to and including the peaceful termination of the Cold War, the reintegration of societies, the democratization of the military forces of Eastern Europe and the socialization of Eastern Europeans back into the mainstream of European life. NATO has been the single most important instrument for achieving these wonderful results. The question now is whether the next step is to have Georgia and the Ukraine join, and how will the Russians react to that?

I think the time has come to re-conceive the international security architecture, which we have had up until now, inter alia to take account of the growing interests that many of us have in the security of the Asia-Pacific region and our tight relationships with democratic states in that region.

Senator Dallaire: In 1992, Boutros Boutros-Ghali produced a seminal document in which he argued the requirement for regional capabilities and in which he felt the UN should be nurturing regional capabilities through its membership, like the African Union, the Organization of American States, the European Union and, of course, the Far East and what they would have as regional capability. He also argued that we should be striving to build capacity in those regions in order to respond to nascent crises and catastrophes, and under Chapter 8 we might reinforce them in that context.

I am wondering whether there is a more specific role we could play, as we are doing in helping the African Union build capacity with their African standby force, to consider using the mantra of the UN to actually go in and try to assist that region in building its capacity.

Mr. Job: Senator, I think you are onto something. In particular, if you are looking to regional capacity-building in the sense of peace operations broadly constituted as you described them, there is a positive and a negative here.

First, the negative is that the likely counterpart to the African Union in Asia is ASEAN, the Association of Southeast Asian Nations. They have been particularly reluctant to engage in conflict resolution. There were tentative steps in the last year or two with regard to a couple of incidents.

On the positive side, they have shown substantial interest in developing peacekeeping centres and early warning and preventative diplomacy capacities, and that is where, if you are looking for a specific Canadian uptake, I believe it could be most effectively focused. I think Indonesia has already set up a centre in that regard. I am not sure about a couple of the others, but I think there is some possibility of traction there.

Mr. Chapin: I think it is an idea worth exploring, but the pre-condition is that the UN needs to enhance its own capacity to build capacity. It is struggling in a lot of places. One of the agencies to build capacity in Third World and conflict situations that has been really successful has been NATO rather than the UN. I do not think we should give up on the UN just yet, but the UN does not seem to have much of a track record in the last little while.

Senator Dallaire: I will not defend NATO, that is for sure, certainly out-of-area NATO.

My other point is that we just had RIMPAC. What command and control is above RIMPAC? What sort of guidance is there? What are the strategic focus and the aim of RIMPAC above building standing operating procedures between 20-odd countries on how to do certain specific tasks in the ocean?

Should there not be a body above it that is actually providing that guidance and command and control? Should we not be looking at that sort of entity, where Canada could be far more engaged in building with some of those friends versus simply letting Americans produce an exercise every couple of years?

Mr. Chapin: If that is not a rhetorical question, my answer would be that we should. If we find something that works, we should reinforce it in any conceivable way we can.

The Chair: Mr. Job, do you have a final word on that?

Mr. Job: I would not add to that. I think the issue for Canada is finding roles that are within our capabilities in which we can make a relevant contribution. The notion that we would cede to some position of larger authority in the Asia-Pacific in a military command sense is not on.

However, I think there are specific niche roles in there that we should be looking for much more actively than we are at present. One of those is response to disasters. There is an area where naval capacities and our talents can translate very nicely from domestic to international.

The Chair: Thank you both very much. There have been some very interesting ideas put on the table for us to consider.

Our thanks to Brian Job, Professor, Political Science, University of British Columbia, and Senior Fellow, Asia Pacific Foundation of Canada; and to Paul Chapin, Vice President, Conference of Defence Associations Institute here in Ottawa.

We will have our Library of Parliament staff do the fact-checking and alter that document, with your permission.

Honourable senators, we had hoped to have with us this week as well James Lewis, Senior Fellow at CSIS in Washington, but the storm has delayed him and he cannot get to a studio to connect with us. We will continue on in looking at this issue.

We have heard in the last month some pretty dramatic statements. The American Secretary of Defense gave a rather stark speech to a business community in New York and talked about cyberthreats, that we were facing cyber-Pearl Harbors and that we were at a kind of pre-9/11 moment on this issue, just as we had been when it came to the terrorist threat just prior to the events that we know so well in 2001.

We have been looking at this issue in Canada. There has been a fair amount of activity over the last 10 years, in particular. Last week, the Auditor General reported on how the federal government is doing in protecting critical infrastructure against cyberthreats. He noted progress since 2010 but also found some shortcomings.

Public Safety Canada has agreed to many of the recommendations that were put forward. We will discuss some of them today.

With us is Graham Flack, Acting Deputy Minister for Public Safety Canada.

Welcome, and thank you for being here again. We see a lot of you at this committee.

Robert Gordon is also with us, Special Advisor, Cyber Security, and Windy Anderson, Director of the Canadian Cyber Incident Response Centre, which has its acronym as well, CCIRC.

Mr. Flack, I gather you have opening comments.

[Translation]

Graham Flack, Acting Deputy Minister, Public Safety Canada: Thank you, Madam Chair. With your permission, I would like to raise three points by way of introduction.

The first point, as you have mentioned, is that the threats to cybersecurity facing Canada and other countries have increased significantly in recent years.

The Canadian government has made considerable progress with regard to the identification of evolving threats and the strengthening of our ability to better protect our essential infrastructure.

Still, we need to adjust our systems continually so as to deal with the various and growing sources of cyberthreats.

[English]

Second, just to situate some of the acronyms you talked about in the report, we have Ms. Anderson here, who runs the Canadian Cyber Incident Response Centre. In some of your questions, you may want to ask her how it operates because I think there is misunderstanding as to the role we play with a response centre like that.

The primary role of the CCIRC, which is Ms. Anderson's organization, is to monitor the cyberthreat environment and provide technical and strategic advice on cyberthreats, as well as to coordinate the national response against cyberattacks on systems outside the federal government. For instance, CCIRC has an ongoing project to evaluate weaknesses in industrial control systems used by many critical infrastructure providers. This work helps companies to then protect their own networks.

I want to stress that CCIRC is not responsible for monitoring or protecting federal government networks. That is the responsibility of individual federal departments, which have their own IT systems to protect sensitive information. As the committee may be aware, Shared Services Canada was recently created to streamline our federal IT systems and make them more secure and reliable. They are ultimately assisted by the Communications Security Establishment, which the committee will be familiar with, which plays a role in detecting, analyzing and mitigating the impact of high- level cybersecurity incidents that affect the integrity and availability of our federal networks.

The Communications Security Establishment and CCIRC do collaborate on risks that cross over between the public and private spheres, but I wanted to clarify in simple terms that CCIRC is an outward-looking organization dealing with critical infrastructure partners and the private sector and other levels of government, whereas the Communications Security Establishment would be the ultimate technical adviser for the government on their systems, given the more sophisticated nature of the attacks on government.

A final point that received some attention in the Auditor General's report that I want to highlight is that CCIRC's hours of operation are expanding so that they will have staff on site 15 hours a day, seven days a week. This is to permit them to cover the full core business operating hours of all their clients from coast to coast.

I did want to highlight, though, that CCIRC has always provided 24-hour coverage to clients to deal with emergency situations. This is done through an on-call system similar to that used in equivalent cyberincident response organizations such as that in the United Kingdom, and to date that approach has been very effective in addressing Ms. Anderson's clients' demands in a cost-effective way.

The Chair: With regard to the relationship you have with the Auditor General, in reading the report, it looked like there was a lot of back and forth in terms of concerns and issues. Are they discussing these issues with you on a continual basis? I know the study has been going on for a decade and went up to and included I think the summer months.

Mr. Flack: Certainly for the duration of the report when the Auditor General was studying it, there were many discussions back and forth, but if you read the Auditor General's press conference, he recognizes how this is a dynamic threat environment. One of the lines he used, which is one of the realities we live with, is that the only 100 per cent secure cybersystem is one that has no users, which defeats the purpose of the system.

As this committee will know, we are in the business of managing risk. Just like our transportation system, if my children ask me if it is safe, I say it is safe, but there are risks and there are steps we can take to mitigate the risks.

What we found helpful in the dialogue with the Auditor General was the recognition that to be effective, these cybersystems need to be interconnected. We need to get the benefits to society that we are getting from this fast lane or connected system, but the interconnections have grown exponentially over time and with that have grown the vulnerabilities, because there is an ability to exploit those systems in ways that were not true before.

In the dialogue with the Auditor General, it was well recognized that this is a question of how we manage this risk. We cannot eliminate the risk. In managing that risk, we have to take a pragmatic risk management approach, one that I think the Auditor General also recognized will be dynamic. There will never be a point at which we say we are done. Ms. Anderson is dealing with a constantly involving threat environment, and so we are going to have to continually adapt to address that.

The Chair: Thank you for those remarks. That is where everyone is when you look at all the speeches, regardless of where they come from on this. It is the risk of doing business.

Senator Dallaire: I am not sure whether there is a strong enough strategic concern in regard to cyber. When we went nuclear, it did not take us long to realize the extraordinary threat that that had, and we did some interesting things to try to prevent nuclear blasts from affecting our IMP capabilities and so on.

The concept of total war, where you engage the total population, came about massively in the 20th century. I read articles by David Gewirtz, Distinguished Lecturer of CBS Interactive, also Director of the U.S. Strategic Perspective Institute, Cyberwarfare Adviser to the International Association of Counterterrorism and Security Professionals. He says there is an ever-present part of the industrial, military, government and consumer worlds that is now vulnerable, to the extent that we have now entered a digital arms race.

This is a lot more than just worrying about very capable smartphones. We are talking about whole nations becoming vulnerable in all the dimensions. Why do we not look at it like that, in a more deliberate strategic fashion, and look at it as if it is like a nuclear threat, like the threat we had during the Cold War? A number of experts are saying that is the level we are at right now.

Mr. Flack: Senator, it is in part because of how the threat grew over time. Unlike strategic nuclear weapons, which were designed for the purpose of engaging in warfare or preventing warfare and were by their very nature a strategic military application and the implication of them was well understood, the Internet was not developed with that potential in mind. In fact, initially, the early funding was through DARPA, which is an American organization that funds these applications. The first applications, as you will be aware, were on the academic side. It was to connect people in terms of information. What we have seen over time is an evolution of a technology whose primary purpose has been to connect people and allow more effective interaction between individuals. It has succeeded spectacularly in that regard.

The technology was not seen at the front end as a threatening technology; rather, it was seen as an enabling technology. Many of the applications and risks that the technology posed were not immediately apparent. For example, if you invited Commissioner Paulson from the RCMP here, he would talk about how child sexual exploitation has been transformed as a threat by the nature of the Internet. It has allowed communities of individuals with these motives to connect across the world in ways they never could before, to find communities of interest such that acts that may have once just taken place in an individual community and been confined to that community are now globalized instantaneously.

If we look at critical infrastructure systems for power plants or other areas, it is true that for some time we have had control systems in those plants that were computer controlled, but you would have to break into the plant in order to get to the computer control system. If you wanted to do damage to the plant, frankly, if you could break into the plant, there were easier ways to do damage to the plant.

Companies found that by interconnecting these control systems together, they could more efficiently manage their systems and reduce costs, which was positive. However, it did not become immediately apparent the degree to which that exposed the very vulnerabilities you are talking about, which is you now have the ability from outside the country to penetrate networks that were previously only penetrable through physical attack. Certainly on the cyberwar side, this is something that would be highlighted by my colleagues at the Department of Defense. You now have capabilities, and asymmetric capabilities, many would argue, for individuals to affect the homelands of countries in ways they never could have before.

Again, the core reason for this is that the origins of the technology were not military. The application was positive. Many of these vulnerabilities only emerged as they came on line, which is why I think you are right that there is a shift going on now. When we did the national security policy in 2004, cybersecurity was relatively low on the risk assessment at the time. If you had Dick Fadden here from CSIS, for example, he would argue, as would many of his colleagues, that cybersecurity has probably come up to about as high as terrorism in terms of national security threats to Canada. It reflects the very environment you are describing. That is why we need to approach it from a strategic basis in a more integrated way. It is the asymmetrical nature of it and the pervasiveness of the system, for very positive reasons, that is creating the very vulnerabilities you are talking about.

Senator Dallaire: You are sounding nearly like the start of the Cold War here with your statement that it sort of snuck up on us. I am trying to extract from you the fact that this is not a purely military dimension, but it is a national security dimension. It is hard to say that it is the Chinese, the Russians and a couple other guys who are really into fiddling with this capability that are the threat, and we cannot articulate it that way. There is, however, recognition in a number of venues that the cyber-instrument of good is also an extraordinary instrument of vulnerability. We have leapt from Google to everything else, yet that vulnerability has not come to the fore and saying this whole thing can crash if someone really wanted to be nasty about it.

Do you not feel that there should be a structure totally and completely dedicated to this, integrated and whole-of- government, a command within DND, a significant operational capability and oversight within government to take a much higher anticipatory look at this threat than simply putting it on a priority list and hoping that Treasury Board or whoever might consider it really significant?

Mr. Flack: I would suggest we need to break down the dimensions of the problem. The dimension, as you would expect, that I am least capable of commenting on is the military dimension.

Senator Dallaire: I am not worried about that one right now.

Mr. Flack: On the non-military application, in terms of how we protect government systems and how we protect critical infrastructure in Canada, I think we are taking the approach that you describe. In 2010, Canada released its first cybersecurity strategy. As you know, it is a team sport, because virtually every player in government has a role in cybersecurity.

No government that I am aware of has centralized all of the activities in one place because of the very pervasiveness of what you describe, which is that cyber is present in all of our systems, and so we need a collective approach to this. Public Safety Canada leads in coordinating the cybersecurity strategy, but it is a strategy that involves virtually every player in government.

Cyber Command is a different issue in the military context in the United States. For example, with respect to our American colleagues, President Obama appointed a cyber-czar, Howard Schmidt, who we work with very closely and in some ways is our counterpart on this. We had many conversations about the challenges Howard faced, which were identical to the challenges we faced. Even from the White House, he could not control a system that was as pervasive as this. He had to set strategic objects and try to bring partners along, so we very much play that similar role and it is one of the challenges of an issue that is so pervasive. I do not think we can structurally deal with it by just combining organizations together under one approach. I am not sure if that is what you are suggesting that, but it is so pervasive we will have to deal with it in an integrated way and in a way that recognizes that virtually every player is involved.

One of the real challenges, whether it is online banking or virtually every aspect of our lives and how we are dealing with it, is that at the same time all organizations are enhancing their cyberdefences against vulnerabilities that are present there. The vulnerabilities that you highlighted are constantly evolving. There is not even a strategic approach where you can say that when we get there we will be done.

The way we have done it is through a cybersecurity strategy with public safety as the lead integrator around it, but the list of departments involved is very long.

The Chair: Next week we do have the DND representative here, the man who is in charge there, so we will be talking about that.

Senator Plett: In your presentation you referred to the hours of operation. I want to talk a little more about that. You used to be staffed eight hours a day. We are spending some $13 million over five years to go to 15 hours a day. You say that CCIRC has always provided 24-hour service to its clients. I got the impression that you felt this had been a good thing they had been doing. Was that satisfactory? What has improved by going from eight hours a day to 15 hours a day? If that is important, why would we not go to 24 hours a day? If people know we are only going to staff it until nine o'clock in the evening they will wait until ten o'clock. Obviously these hours are broadcast. I want you to talk more about that, please.

Mr. Flack: I will give Ms. Anderson an opportunity to respond because she runs the organization.

There is sometimes a misconception about what the centre does. It is not that you have individuals looking at screens, watching in real time for attacks, and then defending against those attacks in real time. Much of that is done through automated software, for example. Much of the work of Ms. Anderson's organization is not tactical, it is more strategic, where they are seeing systemic vulnerabilities in the system and then working with private sector and other government clients to address those systemic vulnerabilities.

The reason we moved to 15 hours a day is a function of the geography of the country. We wanted to be present when Ms. Anderson's clients were present. Given that we stretch from Newfoundland to British Columbia the Ottawa hours were not cutting it, which is why we have moved to the wider hours.

We have always had 24/7 capabilities in the event that private sector or other government operators encounter an emergency where they immediately have access to on-call people from CCIRC who have available to deal with their responses. In fact, I asked Ms. Anderson how many after hours calls we had, so she pulled the records from the last six months. I believe there were six in the last six months.

With the new money we have, there is enough money if we wanted to, instead of doing the 15-hour shifts, we could go 24/7 with people actually at the office in the seats. Ms. Anderson's assessment was if we did that we would be doing that for optics reasons. It would not improve capability, in fact it would decrease it because having people present where on average they are receiving one call a month during those hours because their counterparts are not present to take the information back if we have it, would not work.

Ms. Anderson may want to describe how the operation works and why in her professional assessment, even if we provided additional resources, she would not recommend moving to 24/7 people in the office.

Windy Anderson, Director, Canadian Cyber Incident Response Centre, Public Safety Canada: That is correct. At this point in time I personally would not recommend going to 24/7. I will explain further why we went to 15/7.

This decision was made approximately a year and four months ago. The reason for that was in June of 2011 we changed our mandate. That is when CSE took over the new clientele of the federal government and we took over new clientele, which were provincial, municipal, and territorial. We took over the client critical infrastructure private companies and we took over the international clients. It was determined at that point in time, when we got our new clientele, that we would have to do a longer day simply because we had folks from Newfoundland. That is why we are starting at 6:00 in the morning to hopefully help them when they start their working hours at 7:30, and then we are closing at 9:00, which is 6:00 in Vancouver.

The decision to go to 15/7 was made about a year and a half ago. The reason it has taken so long to get there is simply because I have hired 20 people in the past 10 months. It is very difficult to find the expertise that I need to do this job. It is not something that a lot of people have.

As well, we have a very high security clearance for the folks working in this field and you probably all know why. It takes a while to get their clearance. I have probably done five or six different competitions, both internal to the government and external to the government, just to find enough people to increase the number of people to allow us to go 15/7.

Mr. Flack is right; we could take those employees and go 24/7, but right now our clients, our partners, work during the day. They do not work in the evening and they do not working 24/7. In reality, they have the same office hours that we do when we go 15/7. They do not have someone there 24 hours a day, so they have someone on call like we do. When something does happen after hours and one of their automated systems have gone beep, beep, beep, someone on call will pick it up. They then need time to go in and figure out what is going on and that all takes time. By the time they do their assessment and get back to work, they can call CCIRC. Usually they do not call us until the next day.

If they do call us during the evening, I have someone on call who can phone our number. They press zero if it is an emergency and they are directly connected to one of my staff. My staff is able to bring extra people back into work if need be. If it was an incident that we felt was difficult or very serious, the cyber-duty officer has the authority to say that we need five more people in there to work on this problem.

We do feel the coverage is there and I do not feel it is worth taxpayers' money at this point in time to work 24/7.

Senator Plett: Thank you. We appreciate you taking care of taxpayers' dollars.

Recently there were some attacks that are believed to have come from Iran, using unsophisticated software, which destroyed data on some 30,000 computers at the Saudi Arabian company, wiping out the hard drives. You are disturbed by this, I am sure. How disturbed are you and how concerned should we be, considering our warm relations with Iran?

Mr. Flack: It would not be appropriate for us to comment on specific incidents and specific attacks, but maybe I could link your question to Senator Dallaire's question.

From a systems perspective, the capability of state actors and non-state actors to cause harm to other countries' critical infrastructure or businesses, in the case you were citing from the media reports, is greatly heightened because you do not need a physical presence in that country in order to cause the damage. It is a little bit in the way we saw the asymmetric impact of terrorism, where small groups of devoted individuals could create great harm in a system without having armies. In the cyber-area, we similarly see individuals from offshore have the ability to penetrate systems and cause harm to them without actually entering the territory that they are impacting.

It is of considerable concern and it is of growing concern because, for very positive reasons, that infrastructure is becoming more and more connected to the digital web for the same reason we have all become more connected. We see the upsides to those connections in terms of efficiency, in terms of greater ability to share information and coordinate information. With that, as the Auditor General recognized, short of eliminating all the users comes vulnerabilities. We will need to continually adapt to address those vulnerabilities that are emerging.

In the case you cited, as is true in Canada, the vast majority of critical infrastructure is owned and operated by the private sector or administered by provincial levels of government. That is why we set up about two years ago the National Strategy for Critical Infrastructure, which is about getting all those people in sector groups around the table to talk about and share practices around the risks they are facing and highlighting.

Without responding to the specific incident, the systemic threat you are talking about of individuals being able to impact on critical sectors like banking or transportation is growing by virtue of the interconnection of our cybersystems and, by definition, their vulnerability, then, to individuals penetrating systems and impacting them.

Collectively, we will have to continually improve our ability to defend those systems so that we can not only get the benefits of that interconnection but also limit the risks associated with the interconnection.

The Chair: That is one of the concerns, whether you are government or private sector. One can eliminate a lot of the risk in our own network system internally, but the shared point of connection is the Internet, over which one does not have control. Internally we can talk to ourselves; it is when we try to talk to somebody else, which is all of the time, that we risk exposure. It is two different streams. Whatever we do internally in government or inside a corporation, provided we do not need to talk to anyone else, we could solve that.

Mr. Flack: What you are seeing in the critical infrastructure sector is a good example. You might think of an electricity company or a pipeline company as an individual company that has their own internal systems. The control systems they have had for sound business reasons are increasingly interconnecting so they can operate them remotely with fewer individuals and be able to pick things up quickly and deal with them. The vehicle through which they are interconnecting them on their internal corporate network is usually over the Internet.

By definition, those exposures are there. The question is how to address them.

[Translation]

Senator Boisvenu: I am going to speak in French and give you time to hear the translation.

Thank you very much for being with us today to talk about a very interesting subject. Mr. Flack, thank you for your submission.

Cyberattacks highlight the differences arising from old rivalries, particularly between democracies and so-called totalitarian countries such as China and Korea. Does the real threat not come from the fact that these countries are relatively secretive in terms of protecting some things? I am sure that, if I go to China's site tomorrow morning, I will not have access to the site for the President of China the way Americans or other citizens can so readily have access to our systems in Canada, even contact the Prime Minister if they want.

Does the real threat not stem from the fact that we have such open systems and that those countries have completely closed systems? Last week, one of the American media outlets posted the assets of the Chinese leaders on the Internet. Automatically and immediately, China shut down its Internet to all types of information. Is that not a real threat, namely that of having unequal access to information?

Mr. Flack: Bob and I took part in an event in Russia, presided over by their senior national security advisor. And one of the main paints discussed was cybersecurity. I must say that, with some 50 countries there, both democracies and non-democracies, including China, Iran and Russia, of course, it was obvious that there were significant differences in terms of approach, how they saw cybersecurity. For us, it was obvious that we wanted to protect the possibility of having interconnections on the Internet. It had to do with thwarting criminal, terrorist and other elements that might crop up. But the ultimate goal for us was to make sure that citizens could connect in order to take advantage of the Internet. It was obvious for some of the countries attending the conference that cybersecurity was a risk in that Internet access might give some democratic opposition groups an opportunity to speak out against the government. That was something those countries were not very comfortable with.

I think you are right. We have different systems in terms of our openness to the Internet and even in terms of the possibilities that we see for citizens, and Canada's position at the event was that governments could not and should not try to control the Internet. That was not necessarily the position held by some of the world's other countries.

If we take China, for example, I believe it is the world leader in terms of the number of people connected to the Internet. It has surpassed the United States, and that will have impacts in the medium term even though, as you mentioned, they take a different approach to regulating the sharing of information. The fact that people are connected will have an impact on their system. That is why we really believe in the openness of the system and in openness for all citizens throughout the world: it will be beneficial for all citizens and the world in general.

Senator Boisvenu: In relation to our American and European partners who have open systems, how would you say Canada ranks with regard to the level of security of our system, without revealing any state secrets?

Mr. Flack: We created our first policy on cybersecurity in 2010. There were half a dozen countries among the first to do so, and Canada was among the first to present its cybersecurity strategy. If you read the American strategy, or that of the United Kingdom or Australia, you see there are major similarities, showing that the risks are the same for all of us and that the approach we should take requires that we do so as partners. This is the reason why a very important component of our cybersecurity strategy is cooperation with our allies; faced with the same risks, we can share the approaches we take. It may mean improving the knowledge of the general public about protecting themselves at home. There might be videos or tools, or something at the opposite end of the spectrum: very close cooperation among Australia, New Zealand, the United Kingdom, the United States and Canada in cybersecurity where very high risks of attack are concerned.

John Forster of the Communications Security Establishment Canada will appear before you next week. John is an example of someone who works in very close cooperation with his colleagues. We are more or less at the same stage as the others and we are all going to say that a lot of work remains to be done and that this is an environment in constant evolution. So we have to continue evolving. We are at just about the same level as the others, but we acknowledge that the risks are great and constantly evolving.

Senator Boisvenu: Are judicial proceedings an area where it is hard to go after those who launch cyberattacks?

Mr. Flack: Absolutely. One aspect I mentioned earlier is crime against children.

Everything has changed since the arrival of the Internet because of the possibility of creating, across borders, a community of individuals who share these same problems in terms of what they are seeking. They have the means to share photos, for example, and it is hard for police to manage this type of situation because it may not physically exist in a country. That is why you are increasingly going to see a global approach being taken, rather than the police coming up with one or two people from within a community. When there are police announcements, they involve about 1,000 people around the world with different legal systems in every country.

You are right; we are just beginning legal reform around the world so that we can manage the sort of thing that may have begun in another country, but ends up occurring electronically, in digital form, in our country.

[English]

Senator Mitchell: It is very interesting. As I understand it, CCIRC deals with things outside the federal government, from province down to municipal, to industry, and the CSE does the federal government.

There was a report that implied or suggested that Nortel was hacked by the Chinese. Whether or not that is true, certainly there is a potential for major corporations to be gutted or bankrupted in some senses by those who would steal their intellectual property.

Is there any mechanism under CCIRC — because you could not work with every company — or standards of major companies or trainings or best practices or some coordinated way in which we could establish with some confidence that companies like Nortel, RIM, major oil companies and banks are up to scratch to some level of acceptability in their approach to cyberthreats?

Mr. Flack: That is what the two strategies — the cybersecurity strategy and the critical infrastructure strategy — are designed to do. We have 10 sector networks — for example, the financial sector network that the Department of Finance chairs. An increasing percentage of their meeting time is looking at cyberthreats because an increasing percentage of the risks they are facing as a sector are from these cyberthreats. The working group is designed to do some of the very things you describe — that is, sharing information about the threats, benchmarking, including doing exercises around the vulnerabilities that may present themselves.

You spoke about a case where there was a high level threat. Is there an ability to use the resources at the Communications Security Establishment to assist private actors? After Ms. Anderson has done the work she can in a general way, if we become aware of a very high-level attack, can we do that?

One of the advantages of having Mr. Gordon here, although he is at Public Safety Canada now, is that his career has included time at CSIS and at the Communications Security Establishment. Maybe I could turn to Mr. Gordon on this.

Robert Gordon, Special Advisor, Cyber Security, Public Safety Canada: The response would actually be a whole-of- government approach. Without talking about a specific case, you would look at a number of aspects to it. First would be the mitigation piece; how you are dealing with the incident itself. That could involve either CCIRC or CSE, working in collaboration, sharing information back. You would then shift it over to the Royal Canadian Mounted Police, as an example, or a law enforcement agency in the jurisdiction, if there are criminal aspects to it. CSIS would also be involved if there was an international threat to the security of Canada, say a nation state doing it.

We have a committee structure in place that sits down and brings all those together. We chair that in Public Safety. We bring all the players together. We say here is the situation and we all play specific roles, but we do it as a whole-of- government coordinated approach.

The cyber does not neatly stop at one company, so we will want to look at it and say that it has affected this company, but are there lessons we want to share with other companies in the same working area? How do we mitigate it across the sector and just outside the company?

The same could apply if you are responding to an intelligence threat to the security of Canada, a law enforcement perspective or a threat, or dealing with it as a group coming in.

At the outset, you may not know who is actually doing it, so you may need all those players together to find out who is undertaking the activity in order to respond accordingly to it — or the military.

Senator Mitchell: That would be coordinated by CCIRC. What is the budget of CCIRC? How do you assess whether you have enough or not? Do you think you have enough?

Mr. Flack: In terms of the Communications Security Establishment, which is the organization responsible, which is our highest level of capability in terms of understanding cyberthreats, the most sophisticated cyberthreats and cybercapabilities, John Forster is coming to speak next week and he can speak about his budget.

Ms. Anderson, do you want to walk through your budget in CCIRC, the outward facing part dealing with the private sector? Maybe I can then speak to some of the other things.

Ms. Anderson: I have currently 30 staff on board and the budget I have is $3.1 million a year. That pays for all of their salaries and any O&M money I need to purchase new equipment, new automated software tools and to fight against cyberattacks.

Mr. Flack: As the Auditor General's report recognizes, and as committee members here would know, having been around national security issues for a while, if you go back to 2006, cybersecurity was not at the top of our agendas in terms of the national security risks we were facing, and the resource allocations reflected that. We were more focused on physical risks to infrastructure because that is where we saw the vulnerabilities.

There has clearly been, as the Auditor General has recognized, an evolution in this. To your point about resources and when they are enough, we need to go through a constant reassessment. The government recently announced another $155 million largely focused on government systems that reflect the dynamic environment in which we are operating, in which different vulnerabilities are emerging, and we need to make purchases to address those vulnerabilities.

It is a dynamic environment in which we will have to constantly adjust. In terms of CCIRC and its client base, which is largely the private sector, the critical infrastructure that is outside of government, it is an ongoing dialogue with them. They are having that dialogue within their sector and their own company. What are their IT budgets? How high a percentage of that will be focused on security and addressing vulnerabilities?

An example of it is the critical infrastructure control systems I mentioned in my opening remarks. These systems are often computer controlled. When they were designed, they were not designed with the vulnerabilities inside because that control system was in the middle of a power plant, let us say, that would have had all kinds of physical security around it; you did not think about the risk of someone getting in because the system was never designed to be connected to other systems. Since they have become connected, that is when the vulnerabilities are created. As a result, we need to dynamically work to address those.

Ms. Anderson has to work with Defence Research and Development Canada, I believe, looking at these control systems and how to enhance their protection that will be applicable across the critical infrastructure sector.

We will see what the demand is from the sector for these things and how collectively we are apportioning the assets against that demand.

To your larger point, this will be a very dynamic environment in which we will never hit a point where we will say we have the balance exactly right, because the balance will be continually changing.

The Chair: That you for that fulsome answer.

Senator Plett: Ms. Anderson, you said your budget was about $3.1 million a year.

Ms. Anderson: That is correct.

Senator Plett: The Auditor General says that you have been given an additional $13 million over five years; that is about $2.5 million a year just with that. Where does that come into play in your budget?

Ms. Anderson: Prior to this new MC money, CCIRC did not have near as many staff as it has now. As I previously indicated, I have hired approximately 21 new staff members in the last 10 or 11 months. A lot of the money we received in this MC was for the additional staff. That is part of that $3.1 million.

Senator Day: I think I am feeling better. I was ill at ease when I heard Mr. Flack's presentation; he kept saying "just outside of the government.''

I had read the Auditor General's report that said that you were created seven years ago to collect, analyze and share cyberthreat information among federal departments, provincial and territorial governments and then outside businesses. You are now telling us that your primary focus is outside and the Communications Security Establishment looks after the internal.

Mr. Flack: Mr. Gordon negotiated the agreement on how this works, so I will maybe turn to him. It was thought, in this dynamic environment we were working in, that we needed the organization with the highest overall technical capability, given that the highest level threats are actually threats coming at the government, to have core responsibility as the ultimate backstop against those government systems, but then to have Ms. Anderson's organization focused exclusively on that outward phase, provincial governments and other levels of governments, the private sector, et cetera, to ensure that we had a good focus there.

Mr. Gordon: When we started into the discussion, what had changed over the last few years is the nature of the attacks coming in and the way we were defending against them. It required extremely sophisticated equipment and people dedicated to that.

It would require two things. First, CSE still had some of that responsibility, and so did CCIRC, and it would be duplicating. Second, we were starting to get an increased demand from the private sector for assistance, and we talked about the some of the things we are now providing. We came to an agreement where it would make more sense in terms of not having to duplicate equipment and resources that the CSE would focus inside the government, using sophisticated equipment to deal with the types of attacks that would typically come from nation state to nation state, and CCIRC would focus on the private sector.

One of the things that the private sector had looked for when we went through the discussions in putting together the cyberstrategy is they wanted one place they could come in to the government, rather than trying to sort it all out, where do we come to and who could give us a hand. We said Public Safety would be that place, and we created CCIRC to actually do that.

The advantage to that is that there is one focal point in to the government, and information actually coming from the private sector on the nature of attacks could be shared in the government, because sometimes we have the same problem. At the same time, we could use the collective capacity of all of the government departments, in terms of the intelligence information that we have and the technology and the people expertise, and funnel that back through to CCIRC and provide that out to the private sector. The private sector was happy that we were doing that. It worked better. It was clearer inside the government as to who would actually be responsible for dealing with the attacks.

Then we had to be sure that we were putting structures in place internally to make sure we were sharing that information back and forth. We have now done that. There is a person from Public Safety who goes out and is on secondment into CSE to ensure that if there is information in there that would be of use, we can get that information flowing back and forth. We developed standard operating procedures to ensure that information flows between those two organizations both to and from CSE and CCSIRC.

Senator Day: That is helpful.

This committee was familiar a number of years ago with OCIPEP, the Office for Critical Infrastructure Protection and Emergency Preparedness, and that was taken over by Public Safety Canada. Can I assume that this cybergroup has sprouted out of that larger group that is also concerned with physical challenges?

Mr. Gordon: That is correct.

Senator Day: In terms of international cooperation and the dividing up in that gray area, let us talk about the Canadian gray area first. The RCMP is considered federal and fire departments are not federal. How did you divide up those various groups that are very important as first responders in critical infrastructure situations?

Mr. Gordon: They actually are one of the ten critical infrastructure sectors. We actively participate with them through the cross-sector forum. They are a full participant in that. We provide briefings to them both on a classified and unclassified basis and make available to them all products within the government in terms of technically how to deal with the issues but also then sitting down and looking at the policy issues that come along, because we actually have that function as well, so assisting them on multiple fronts.

Senator Day: Internationally, Estonia is doing a lot of work in this area because of an attack that closed down the country. Is it the CSE or is it Public Safety Canada that deals internationally with these various bodies so that we do not have to reinvent what has already been worked on?

Mr. Gordon: Again, it is a shared activity across the government. Public Safety Canada chairs that or does that coordination. In that particular case, we bring together the Department of Foreign Affairs and Industry Canada, because when you look at the international standards aspect, international and telecommunications standards are part of that, and ourselves. We also bring in CSE as a technical expert and sit down and look at that. We have a robust sharing agreement across the spectrum internationally. We attend many international conferences, and we are actively engaged in multiple forums. That is at a broad strategic level.

At the tactical level, our cyberincident response centre belongs to a series of organizations. We cover it off at the two levels. Strategically, we cover that horizontally across the departments with us chairing it, and at the tactical level we belong to a number of international bodies that share tactical information that we can then provide out to the private sector.

Senator Day: Public Safety takes the lead as opposed to CCIRC?

Mr. Gordon: That is correct.

The Chair: Could you explain how a private sector company feeds in? They may not want to publicly acknowledge that they have been hacked or cracked, but they may want to share that information for future consideration. Is there some way for those things to be done discreetly and to preserve proprietary information?

Ms. Anderson: We are careful with ensuring that we protect our clients' information. To be perfectly honest, that is one aspect that if we do not do well, they will not come back to us, so one of our major concerns is to ensure that whoever does provide the information, that we "anonymize'' it so that when we pass it out to the rest of the community we are giving them mitigation advice and what may be happening in the world, but we are not saying which company was hit. We have a 1-800 number for our clients, a normal number for our clients, an email account, and two or three months ago we set up a secure portal with our clients. There are many ways they can contact us, and they do have all of our information.

Senator Johnson: In terms of the critical infrastructure networks, what remains to be established that will facilitate partnerships with other levels of government and critical infrastructure owners and operators?

Mr. Flack: The networks were formally established after the critical infrastructure plan was released in 2010, but the networks often built on things that have been in place for a long time. For example, one of the sectors was the water sector, but a Canadian water and wastewater association had an annual workshop on security issues, and that was the nucleus of what ultimately became the working group that has done that.

The working groups are up and running. They continue to evolve in terms of the representation on them. We can get you the information on the 10 working groups that exist, which include transportation, manufacturing, water, and information and communications technologies. There are 10 in total.

One of the innovations we have had in the last year is partly in recognition of the discussion we have been having today. It is difficult to compartmentalize any of these issues, so we have created a cross-sector working group that links together all 10. On issues like cybersecurity or even electricity, many of those other sectors are completely dependent on reliable electricity supply. If you look at the transportation sector, increasingly cyberconnectivity is critical to its business line, so we added this cross-sector forum to try to enhance the cooperation.

What do those sectors do? Threat information sharing is one of the pieces we have, right up to tabletop exercises where we game what is happening there.

I would still say they are dynamic and evolving organizations, given the fact that the infrastructure is largely owned by the private sector and other levels of government. We are in a partnership to try to learn how to improve the operations as we go along.

Drawing on the international question earlier, we do look at the practices our other international partners have used to enhance this. My observation would be that there is an equal amount of complexity in every other jurisdiction I am aware of in terms of trying to deal with this.

We are still early days, I would say, in the evolution of these critical infrastructure sectors from the days when we started in OCIPEP. There is still a lot of work left to be done in terms of getting all those partners fully engaged.

Senator Johnson: Do you have a time frame on that?

Mr. Flack: Again, this is something where I do not think we will have a time. All sectors have been established, and the Auditor General recognized in his report that since 2010 there has been considerable progress against the sectors. They are moving in the right direction, but I do not think we are ever, frankly, going to hit a point where we can say we have got it exactly right, because the dynamic nature of the threat environment is such that it is not like a check list where once it is all done you will be able to stick with it.

The threat environment is evolving. As Senator Dallaire raised early on in the first questions, these systems did not contemplate the risks associated with them or the cyber-dimension. The risks were not fully contemplated when adopted. We fully expect that as the world becomes more and more interconnected and as these systems become more interconnected, new risks will emerge. We will need these critical infrastructure working groups as permanent entities to deal with what will be a very dynamic threat environment.

I do not think there will ever be a date. There will be a date where we will say we have a high level of dynamism and flexibility in the organization that can deal with new threats, but they will never run out of work because the threats will keep evolving.

The Chair: I really appreciate you being very forthcoming today. Thank you for that, Mr. Flack.

Mr. Gordon, with your background, it was very helpful to have you here.

Thank you, Ms. Anderson. You were very specific, even on the budget questions.

We will continue to look at this issue, amongst others, next week.

(The committee adjourned.)

National Security, Defence and Veterans Affairs

Proceedings of the Standing Senate Committee on National Security and Defence

Issue 9 - Evidence - Meeting of October 29, 2012

Proceedings of the Standing Senate Committee on
National Security and Defence