Proceedings of the Standing Senate Committee on
National Security and Defence
Issue 3, Evidence - Meeting of April 11, 2016
OTTAWA, Monday, April 11, 2016
The Standing Senate Committee on National Security and Defence met this day at 1 p.m. to examine and report on Canada's national security and defence policies, practices, circumstances and capabilities; and to study security threats facing Canada, including but not limited to: (a) cyber espionage; (b) threats to critical infrastructure; (c) terrorist recruitment and financing; and (d) terrorist operations and prosecutions.
Senator Daniel Lang (Chair) in the chair.
[English]
The Chair: Welcome to this meeting of the Standing Senate Committee on National Security and Defence.
Before we begin, I'd like to have the people around the table introduce themselves. I will start. My name is Daniel Lang, senator for Yukon. On my immediate left is the clerk of the committee, Adam Thompson.
Senator Day: My name is Joseph Day. I'm a senator from New Brunswick.
Senator Kenny: Colin Kenny, Ontario.
Senator Mitchell: Grant Mitchell, Alberta.
[Translation]
Senator Dagenais: Jean-Guy Dagenais from Quebec.
[English]
Senator Beyak: Lynn Beyak from Ontario.
Senator White: Vern White from Ontario, as well.
The Chair: Colleagues, thank you.
Today, we'll be meeting for four hours. Joining us in our first panel are two representatives from the Canada Revenue Agency's Charities Directorate, Ms. Cathy Hawara and Mr. Alastair Bland. They are here as a follow-up to our hearings on June 1, 2015, and March 7, 2016. Ms. Hawara and Mr. Bland, welcome back to the committee.
Today, we are following up on the evidence they sent to the committee regarding the six of eight charities that have been linked to terrorism, according to your audits. It's important to note that over $17 million has been identified by the Canada Revenue Agency in these audits as being directly linked to terrorism financing. These numbers date, according to your agency, from around 2012 to 2013, and it's going to be important to know what has been done since then when it comes to charities and terrorism financing.
Mr. Bland and Ms. Hawara, I understand that you each have an opening statement, so please begin.
[Translation]
Cathy Hawara, Director General, Charities Directorate, Legislative Policy and Regulatory Affairs Branch, Canada Revenue Agency: I would like to thank you for welcoming us back before the committee. We are pleased to be here once again and appreciate the opportunity to continue our discussion on the CRA's role in protecting the charity registration system from the threat of terrorism. I will be sharing my time with Mr. Bland; I have asked him to speak briefly about the CRA's preventive role in the fight against terrorist financing and discuss, in further detail, the work of the Review and Analysis Division.
As the chair mentioned, during our most recent appearance before the committee on March 7, 2016, we were asked about the status of information that we had agreed to provide to the committee during a previous appearance. I understand the information package has since been provided to the committee.
[English]
As you're aware, the information package contains revocation letters that were sent to six organizations about which concerns relating to terrorism were raised. The letters explain the reasons for revocation under the Income Tax Act. I should note that the Income Tax Act permits the CRA to make public only certain information about a registered charity, including information relating to the grounds of revocation, as contained in the letters we have provided to the committee. Apart from this, however, the confidentiality provisions of the act prevent us from providing further details about individual charities.
These letters are intended to give the committee a sense of the complexity of our work and how we apply administrative measures when terrorism concerns exist. However, that is only a small sample of the work carried out by the Review and Analysis Division.
[Translation]
To provide further details about the work of the division, I would now like to ask Mr. Bland to continue with our opening remarks.
[English]
Alastair Bland, Director, Review and Analysis Division, Charities Directorate, Legislative Policy and Regulatory Affairs Branch, Canada Revenue Agency: Good afternoon, Mr. Chair and committee members. I believe a full copy of my remarks was shared with the clerk, so in the interests of time, I will just be covering the more salient points.
I wanted to take this opportunity to provide some context with respect to the work of the Review and Analysis Division as situated within the broader scope of the government's fight against terrorism financing. There is a recognized threat against the Canadian charitable sector from those that seek to abuse the sector to support terrorism.
The threat in Canada is consistent with the threat globally. In June 2014, the Financial Action Task Force, an intergovernmental body aimed at developing and promoting policies to combat money laundering and terrorism financing, published a typologies report.
That report identified five methods of abuse or risk raised by the sector from terrorism: a diversion of funds, affiliation with terrorist entities, abuse of programming, support for recruitment, and false representation or sham charities. Of these, the most common risk of abuse observed in the six cases provided to you involved the diversion of funds; that is to say, funds raised by the charities for humanitarian programs were identified as being at risk of being diverted to known or suspected terrorist entities.
Charities play a vital role in the world economy and in many national economies and social systems. In protecting the sector from the abuse of terrorism, we must ensure that the measures we adopt don't disrupt or discourage legitimate charitable activity. As the regulator of charities, CRA's role is to ensure that only organizations set up exclusively for legitimate charitable purposes obtain and maintain registration as charities under the Income Tax Act.
The Review and Analysis Division's role in fighting terrorism financing is one of prevention. To demonstrate how the CRA fulfills this preventative role, we have prepared a graphical demonstration entitled "Protecting the Charitable Sector from Terrorist Abuse." This continuum depicts a path that may be followed by organizations, knowingly or unknowingly, and may lead directly or indirectly to supporting a terrorist act. The continuum reflects the severity of the impact, from moderate to extreme, and the level of involvement, from passive to active.
In order to interrupt progression along this path, disruption techniques can be employed at different points along the continuum by various stakeholders. The left-hand side of the diagram encourages effective self-regulation by charities, as well as various administrative measures enforced by the CRA. These are significant methods of decreasing the risk of abuse by terrorist entities.
At some point along the continuum, a criminal line can be crossed. At that point, law enforcement and the courts become the primary competent authorities responsible for addressing such activities.
As the charities regulator, where risks related to terrorism abuse are identified, the division chooses the most appropriate course of administrative action, taking into consideration the circumstances of each case. This includes refusing to register an organization as a charity, issuing education letters, entering into compliance agreements, imposing sanctions and penalties, or revoking charitable status.
Where in the course of our administrative responsibilities we identify information that would be relevant to criminal offences related to terrorism or information relevant to threats to the security of Canada, we have the legal authority to share that information with other government agencies to support their mandated responsibility vis-à-vis national security.
While terrorism concerns guide the division's work, it is important to note that we do not investigate terrorism as a criminal activity. Our role is administrative in nature, and the decision to refuse to register an organization or revoke a registered charity's status is based on an organization's failure to meet the requirements under the Income Tax Act. Where there are concerns regarding the risk of terrorist abuse, there are likely also issues with an organization's ability to meet the requirements of the Income Tax Act. As a result, in our interactions with organizations, we do not always indicate to them that we have concerns related to terrorism.
The complexity of our files requires that we adopt a nuanced approach. For instance, in the course of an audit, we may come across information that suggests that a registered charity is providing funds to a foreign organization that has been identified as having links to a terrorist entity. Our concern would be that the funds raised by the Canadian organization in Canada are at risk of being diverted by the foreign organization to support their terrorist activity.
Our focus would therefore be on the Income Tax Act requirement that organizations must carry out their own charitable activity. Funding non-qualified donees — that is, providing funds to an unqualified recipient — constitutes a breach of the Income Tax Act and could form the basis for revoking an organization's registered status.
In conclusion, the Review and Analysis Division is focused on preventing organizations with links to terrorism from being registered, and we are focused on disrupting the ability of terrorist entities to abuse the Canadian charitable sector. We hope that the package provided to you, as well as our presentation here today, helped to clarify how the CRA, through its protection of the charitable registration system, contributes to Canada's whole-of-government efforts to combat terrorist financing.
We would be pleased to answer any questions members of the committee may have.
The Chair: Thank you very much.
At the outset, I want to say we appreciate the package that was sent to the committee. For listeners and anybody who is interested, this information is available from our committee because it does give the in-depth look at the audits that were done on the six charities that were identified.
Colleagues, I'll start with one question, and I think it's important for listeners, as well as us, to understand.
These audits date back to 2013 and earlier; therefore, a time frame of three years has gone past since then in respect to how the world has changed. I would like to know, are any charities presently under audit for the purposes of review on a suspicion of terrorism financing in the last three years? If so, how many are under audit, and when can we expect those audits to be completed?
Mr. Bland: Our audit processes are ongoing, so yes, we are conducting audits. I would caution the committee, however, to infer that our audits are audits of terrorist financing. We audit organizations where there are indicators or a risk that terrorist financing could occur from their activities. We then apply the measures, as I indicated in my opening remarks, of the provisions under the Income Tax Act to disrupt that possibility.
As I mentioned before, there are a range of compliance tools available to us, such as educating an organization of where they may be running afoul and identifying the reasons for those concerns, all the way to revocation, where education isn't going to work.
The Chair: If I could interrupt for a second, if you don't mind, I just want to get it clarified on the record. We've had three years since the last audit was done, as far as I know, for the purposes of revocation of a charitable organization linked to terrorism activities. The question that I put to you was, in these past three years, are there currently audits under way because there is suspicion of terrorism financing being utilized through these organizations? If so, how many are under way? I think it's a fair question. The public would like to know.
Ms. Hawara: Thank you, senator, for the question.
The difficulty is that not all audits end in revocation. The Income Tax Act only allows us to reveal information, as we've done with the committee, where there's been a sanction, a suspension or a revocation.
The answer is yes, there are other audits and there have been other audits in that time frame, but not all audits end in revocation, so not all audits will lead to a result where we can share information publicly with the committee or Canadians because of the restrictions that are contained in the Income Tax Act around protecting taxpayer information.
The answer is yes, there are other audits. I think Mr. Bland, in our previous appearance, did indicate that at any given time we have an inventory of about 10 or so audits on the go. The work has continued.
The other point I would make is that the work is not just audit work. The work also happens from a prevention perspective at the application stage. It's important to look not only at the organizations that are currently registered but also at organizations that want to be registered and that want to have access to the privileges of registration. That is also part of the function of the Review and Analysis Division. They review all of the applications that come in, screen them all, and hold back a certain number where they look at them more closely. Again, that is not information that would be made available to the public.
The Chair: I take it, then, you're not going to give us a specific number, but there still is terrorism financing going through charitable organizations in one manner or another — we don't know to what extent — and you have some audits under way; is that correct?
Ms. Hawara: We continue to identify risks and we take the appropriate action, whether it's at the application stage or in relation to our monitoring and auditing of organizations that are already registered.
The Chair: I'll pursue this a little later.
[Translation]
Senator Dagenais: Thank you to our witnesses for being here today.
In 2001, there were security rules for the registration of charities. Those rules were included in Canada's anti- terrorism measures.
Have you ever used these provisions to revoke the status of organizations? If so, how often? If not, why have you not applied those measures yet?
Ms. Hawara: You are probably referring to the Charities Registration (Security Information) Act. We have certain powers under that act, especially in cases where we want to reject an organization's request for registration on the basis of security information.
We have not yet used the powers we have under this act, mainly because we have used other tools to process open files that were still in our inventory. We prefer that approach, in particular, because it is more transparent; it allows us to process the information we use to determine whether an organization should be registered or not in a much more transparent way.
Those powers exist; they are significant reserve powers, but so far we have not had to use them.
Senator Dagenais: I would like to come back to the eight charitable organizations that are believed to have links with terrorist groups.
Have you given CSIS and the RCMP information on these eight organizations? If yes, do you continue to exchange information with the security services?
Ms. Hawara: Sharing information with the Canadian Security Intelligence Service and the RCMP is part of our current practice.
[English]
Senator Mitchell: Thanks to both of you for being back again. I was saying earlier that you're practically becoming members of the committee. Maybe we'll let you off the hook after this time.
I'm interested in following up on Senator Dagenais's question. It is a very important question, because even if they lose their charitable status, they can still exist and raise money without a tax credit to the donor, and they could still fund whatever they wanted to fund, one would presume.
Is that it? You write a letter to the RCMP, write a letter to CSIS, and who knows what happens? Do they come back to you and ask you for more information, or do you get involved in the further investigation in any way, shape or form, given that you have fundamental research that you've already done?
Mr. Bland: We wouldn't be involved in their work, but yes, we have regular information-sharing activity back and forth. We also have a program where our analysts are working on-site in those locations, as well as their people working out of our shop. There is good information sharing between departments.
As I said, this is a whole-of-government approach. Our role is the administrative role, given the information and the risks that we identify. If it's a criminal matter, then the police would look at whether or not there's evidence of criminal activity here and mens rea, whereas we deal purely with the administrative side of things.
Senator Mitchell: I think you probably answered it. It's just a question of things not falling between the cracks. You send it off to the RCMP, but there's got to be some structure to how that's done so that they don't get a letter and put it in the in-basket and it's forgotten forever.
Mr. Bland: Certainly. The information sharing that we do, obviously given the concerns around — our authority is under the Income Tax Act. They are formalized in written disclosure of exactly what it is that we have. I can assure you things don't fall through the cracks because of that liaison relationship between departments. They are well aware of what we have, and it's documented.
Senator Mitchell: You don't always mention the possible terrorism link, for whatever reason. Yet, when I read the excerpts from the six letters that you've pointed out to us, several of them explicitly mention terrorism links. How do you decide when to mention and when not to mention terrorism? Why did you emphasize that point in the way you did?
Mr. Bland: Again, the letters that we shared with the committee were those where we had raised with the organization our concerns around linkages to terrorism. There are many other cases where we don't raise those concerns. Reference was made to the Charities Registration (Security Information) Act. We would rather deal with an organization as transparently as possible and share under the Income Tax Act our concerns around whether it's carrying on their own charitable activity or these things, so they can fully understand why we're having concerns with them, but at the same time, sort of balancing the need to disclose national security intelligence. It's not a criminal test. It helps to triage our work and identify those organizations that are of concern. If we can address those concerns in an administrative manner so that the organization can understand why we're interacting with them, that's more transparent, and maybe they can fix the problems.
There are a range of compliance tools available to us. At the left-hand side of the diagram we shared with you are all the disruption activities that will help an organization make sure they're not on a track that would lead to terrorist activity. Often it's a matter of education or a matter of just ensuring that there is good governance in place so that they don't unwittingly become victims of terrorism abuse.
Senator Beyak: Thank you very much for the update and the additional information you gave. Could you tell me if any of the six charities that had their status revoked were required to pay taxes? If so, how much did it help to cover the cost of the investigation? If not, did you consider charging taxes?
Ms. Hawara: When an organization is revoked, it has a year to wind up its affairs. At the end of that year, whatever is left in the organization is owed as a tax to the government. It's called the Part V revocation tax. In most instances, we would prefer for the assets to stay in the sector because they were allowed to grow in the sector through tax assistance. So there are mechanisms for charities to be able to gift their assets or spend their assets on their programs so long as, if they are making gifts, they have to be making gifts to other registered charities that are in good standing with the CRA and that are at arm's length from them. So there's no opportunity for us to levy any other taxes, and there's no cost-recovery process in relation to the work of the Charities Directorate from an audit or monitoring perspective.
The Chair: So the answer is no; is that correct?
Ms. Hawara: There is a tax. It's a revocation tax.
The Chair: Yes, but do you charge it?
Ms. Hawara: If there are assets remaining in the organization, we raise an assessment, yes, and taxes are owed to the government.
The Chair: So in these six charities, did you collect taxes?
Ms. Hawara: First of all, that information would be confidential taxpayer information in terms of their particular assessments with the agency. In any event, I don't have the information here to share with the committee.
I believe it would be protected taxpayer information. There's a list in the Income Tax Act of very specific items we can share publicly about registered charities. I do not believe that we are allowed to share information about their Part V tax requirements or assessments.
The Chair: Can you come back to the committee and let us know if taxes have been levied? If you do have the legal authority, can you let us know what those taxes were, and if so, how much was levied? We talked about transparency and accountability. I've never heard of a tax that was ever administered that wasn't made public. Could you undertake to do that?
Ms. Hawara: We will certainly check to see what we are allowed to share under the Income Tax Act in that regard.
Senator Beyak: The members of the boards of directors of those revoked-status charities, are they allowed to sit on other boards of directors of current charities?
Ms. Hawara: There are relatively new provisions in the Income Tax Act in regard to what we call ineligible individuals. An individual who was involved with a charity that has been revoked for a significant or a serious breach of the Income Tax Act is an ineligible individual for five years. If we find an ineligible individual on another charity that's currently registered, or who is involved with an applicant organization that would like to be registered, we have the discretion to refuse to register or to revoke the registration. So there are provisions in place to address that issue.
[Translation]
Senator Carignan: The website of the Canada Revenue Agency indicates that Syed Imtiaz Ahmad is a member of the Islamic Society of North America's board of directors. The Islamic Society of North America is one of the charities whose registration you revoked because it allegedly transferred $300,000 to the Kashmiri-Canadian Council for the purposes of terrorism. We note that the Canada Revenue Agency also indicates that this individual is president of the Islamic Society of North America, which — according to the Canada Revenue Agency — still has the status of a charitable organization. My question is quite simple: why do you allow the other organization of which the same individual is a member to continue as a charity? Are you taking measures to prevent a certain person from sitting on the board of directors of other organizations and risking such transfers?
Ms. Hawara: Unfortunately, under the provisions of the Income Tax Act, I am not permitted to discuss the individual cases of charitable organizations. However, as I said, there are provisions under which we can take measures against organizations whose directors are linked to other organizations that have had their registration revoked as a result of an audit. Unfortunately, I cannot share information on a specific taxpayer with you.
Senator Carignan: Have measures been taken with regard to the Islamic Society of North America?
Ms. Hawara: Such information is also considered confidential when it pertains to a charity, and unfortunately, under the act, I do not have the right to share it.
Senator Carignan: If I understand correctly, your audits make these connections, you know what these links are, and you study them.
Ms. Hawara: Yes. We have sophisticated instruments that help us find the links between the various organizations and the individuals involved in them.
Senator Carignan: My second question has to do with FINTRAC. FINTRAC detected terrorism-linked transactions; I believe there were 683 financial transactions with links to terrorism. How many files amongst those 683 transactions would have been sent to you? Can you give us some sense, on an annual basis, of how many entities are subject to review following FINTRAC's recommendations?
[English]
Mr. Bland: I can't give you a precise number, but when FINTRAC identifies a transaction that is suspected of being related to terrorist financing and that transaction involves an organization that is either a registered charity or likely to apply or could apply to be a registered charity, then they have the authority to disclose that transaction to us for follow-up.
We routinely receive information from FINTRAC in that regard, and we follow up on all of it.
[Translation]
Senator Carignan: Without providing us with a specific number, can you give us a sense of the scope?
[English]
Mr. Bland: We would receive in the neighbourhood of 25 to 35 disclosures from FINTRAC in any given year.
Senator Day: Thank you, Mr. Chair. I have a lot of small questions and clarifications.
We are very pleased that you were able to be in attendance here last year before the election, and we discussed eight cases between 2008 and 2013. Now you've given us six. Were the other two not complete? Were they after 2013? Did we use the wrong figure in our report when we talked about eight cases during that time frame?
Ms. Hawara: Eight cases was the right number. What we explained to the committee and what Mr. Bland was referring to earlier is that on occasion, if there's a revocation, or in our audit activities, because our first consideration and our first priority is ensuring that the organization is respecting its obligations under the Income Tax Act — there are a series of rules under the Income Tax Act — we may have concerns in relation to terrorist financing, but if we identify significant concerns on the Income Tax Act side, it is open to us to simply proceed on that basis and not raise other concerns with the charity. Therefore, the official grounds for revocation are strictly in relation to the Income Tax Act.
When we were talking about eight cases the first time we were here, we corrected the record by noting that in two of the eight cases we actually hadn't raised the issues around terrorist financing. So it would be inappropriate to now identify those charities as having those links, when we didn't put those to the charity through the course of the audit.
It's more a question of fairness in relation to the charities in question.
Senator Mitchell: I am very concerned about that in the sense that let's say for this organization, you do have suspicions of terrorism links but you don't identify those in your relationship with them; you deregister them for some other reason.
Do you then refer them to the RCMP or to CSIS, so that they are not off the hook from that next step? You just don't go there, but rather than point that out to them you are happy to refer them to the RCMP?
Mr. Bland: I want to be clear about one thing. Yes, we do. When we identify concerns around terrorist financing, which is a criminal offence, we will make those disclosures to the RCMP in full.
Senator Mitchell: Even if you don't tell them.
Mr. Bland: Even if we don't tell them. We will raise our concerns with our partners so that they can take that information and fulfill their mandates. I think what we have to be careful about here is that we don't examine mens rea or whether the organization knew. It's very difficult for us to go through our examinations and determine whether the organization is doing this knowingly or is purely a victim of someone else. Plus the other thing we're doing is identifying what I would call "unacceptable risk" and stopping the activity when unacceptable risk has been identified, and we'll use our administrative tools to do that.
It's unfair, in a public forum, to sort of identify these organizations as being involved in terrorist financing, when we haven't said that, and they may not have any clue that that is the risk that we're concerned about.
We are trying to stop the activity before it becomes a criminal activity.
Senator Mitchell: That's fair.
The Chair: I just don't quite understand that. If an organization has been financing terrorism, knowingly or unknowingly, isn't that a criminal act? I don't think the excuse that I didn't know, at the end of the day, holds any water. The fact is, as a board of directors, I'm responsible for the authorization of these funds, and I would say that if terrorism financing has been identified, it's your responsibility to follow it up, identify it and let the public know. There's a consequence to these things, and it seems to me there are really no consequences at the end of the day. We're just going through a paper exercise, other than the fact that we give our assets away and the next year we start another organization.
Am I missing something here?
Ms. Hawara: I think our intervention is happening before. We need our intervention to happen before that criminal line has been crossed. Going back to the chart, we are identifying risks earlier in that process. So we haven't necessarily identified that money has gone to a terrorist organization. There is a risk that that's going to happen. There is a risk that because money has gone to a foreign organization that may be part of a network, that may be connected to a terrorist organization or a terrorist entity, that in and of itself is sufficient for us, and we have to take whatever steps are available to us to disrupt that from happening.
So our intervention is actually earlier in the process than what you're describing; what you're describing, that is for the RCMP. That is for law enforcement to investigate and determine whether that criminal line has been crossed.
Our intervention is happening much earlier in that we don't want the charity to be in the position where that might happen. That's the distinction that we're trying to convey, and hopefully this is helpful.
Senator Day: Ms. Hawara and Mr. Bland, you have been very patient with us in helping us understand the process that you are involved with, which is different from what we would normally see. We were thinking of a line that's crossed, which, I guess in your continuum is the line fairly far along between administrative and criminal. Once it's into the criminal, that's the line that we're normally talking about.
Ms. Hawara: Yes.
Senator Day: You have a number of other areas here that you call "disruption techniques," which I thought was an interesting term, and you just used it again.
If I understand this correctly, you don't want a charity to be in a position where it might possibly fall into the criminal activity, so you're doing disruptive activities along the line, whether or not those behaviours ever would have led to a criminal activity. Is that correct?
Ms. Hawara: That's exactly right. And we are well placed to do that, to take that preventive role, just looking at the provisions of the Income Tax Act. Under the Income Tax Act, all charities have to direct and control their assets. They have to carry out their own charitable activities. They can't simply gift their money or their resources to whomever they wish. By virtue of applying those rules, we can address the risks that we know are there. You're absolutely right. We're on the left-hand side of the diagram, and we are trying to avoid moving towards the right-hand side of the diagram.
Our role is about preventing or disrupting, and we do that by looking at the applications for registration, who wants to become a registered charity, and looking at the organizations who are already registered, and third and most importantly, sharing information with our partners, because we only have a piece of this continuum. There are others who have the mandate to be occupying other areas of this continuum.
Senator Day: Under the Income Tax Act, the legislation that you prefer and primarily follow, is there a possibility that you would be involved with the revocation of a charity that is registered — so deregistration — by virtue of either one of the directors being involved in a criminal or terrorist activity or the entity being found to have been involved in a criminal or terrorist activity without you having done your process of investigation beforehand?
Ms. Hawara: I was referring to the ineligible individuals provisions earlier. If someone has been convicted of a criminal offence, that would make them an ineligible individual. If an individual had been found guilty of terrorist financing, for example, that would make them an ineligible individual, and we could take very quick action in that regard.
The Chair: For only five years.
Ms. Hawara: I believe that for a criminal conviction, the status would last until such time as a pardon was granted. There is a five-year limitation for individuals who were involved with revoked charities, but for a criminal conviction, I'm fairly confident there is no time limit.
Senator Day: Just to finish up, you are dealing primarily with the Income Tax Act, and the administrative actions that you've talked about and the ultimate revocation, which would take place after a criminal investigation, is done by another entity? You don't do the criminal side of things?
Ms. Hawara: That's correct.
Senator Day: Last year, new legislation was passed that made it possible for you or obligated you to share information that you previously hadn't shared. There are 17 federal government entities now that can get information from you for their activities if it's relevant to their particular mandate.
Have you finished with a memorandum of understanding with those 17 entities? Can you share one of those with us so that we can see the type of protection you're putting in there to protect individuals against public disclosure that we would not normally see and would want to see?
Mr. Bland: Previous to that, we always had the authority to share with the RCMP, CSIS and FINTRAC taxpayer information related to charities, where we had concerns that there was a criminal offence under Part II of the Criminal Code, which is about terrorism offences, or threat security to Canada as defined under the CSIS Act.
Our authority to disclose under those two authorities hasn't changed. What has changed is the number of organizations that we can disclose to. It's not a prescribed list anymore. It's any taxpayer information that would be relevant. It doesn't necessarily have to be related to a charity.
So we have in existence two memoranda of understanding. We didn't need one with FINTRAC. It's purely based on our legal authorities and their legal authorities. They are very legalistic documents. They don't get into scenarios under which we would share. It's more about our understanding of the legal authorities and the need to protect that information.
SCISA, the new Security of Canada Information Sharing Act, doesn't dictate the need for memoranda of understanding; it encourages them where there is routine and regular sharing, but it's not a legal requirement to have a memorandum of understanding.
We do have the legal authority to share with the 17 entities. As I mentioned before, we had existing protocols in place where we identify the specific taxpayer information that we want to share, and we get into the grounds of what our authority is to share and why we're sharing that specific information with the RCMP, CSIS or whomever. Those processes really haven't changed; it's just who we're allowed to share with that has changed.
Senator Day: It's the other agencies that I'm interested in because of the change in legislation. You've expanded considerably the number of agencies that can now see taxpayers' information, and they can then share that with other agencies. It's that area that I'd like you to provide us with a copy, if you could, of the type of MOU that you're intending to enter into with these agencies before you start sharing it. Or maybe you already have that MOU and you're already starting to share information.
Mr. Bland: We haven't as yet finalized updating our memoranda of understanding with the RCMP and CSIS. Given that those are the two agencies that we most routinely share information with, those are the priorities to deal with first. Of course, we use those as models for others.
Senator Day: But Mr. Bland, isn't the concern that the agencies you don't have a comfortable feeling with we should be the most uncomfortable about? These are agencies that are going to receive taxpayers' information, and there's no oversight that we're aware of until you tell us what that might be; it might be a legal oversight. We want to be reassured some protection is built in for the taxpayer.
Mr. Bland: Certainly the packages, if you will, that we're sharing with other organizations outline why and under what authority they can use that information.
The Chair: Can you provide us with a copy of the template of a letter that would be sent? Secondly, could you tell us if the Privacy Commissioner has been involved in reviewing the way you share this information with other organizations? I believe that commitment was made.
Senator Day: The audit that's done by the Auditor General periodically, every five to 10 years, that's the only oversight that you have.
Ms. Hawara: My understanding is that the Privacy Commissioner is going to be looking at the new authorities to share that were implemented as a result of the Security of Canada Information Sharing Act, and we expect that we would be part of that review.
I don't know that there's an actual template for sharing of information. Each case is quite different, but certainly we could indicate to the committee the kinds of information that would be found in those disclosures.
What is of utmost importance to us is being able to demonstrate that the legal thresholds for sharing have been met. There are two such thresholds, as Mr. Bland was mentioning, under our authority to share. Under the Income Tax Act there is a threshold. Then there is a second threshold under the Security of Canada Information Sharing Act. It has to be relevant to the receiving organization's mandate, and we are under no obligation to share.
We take the confidentiality of taxpayer information very seriously at the Canada Revenue Agency, and we've put in place a number of processes and procedures to make sure that protocols are clear. All of that sharing under these new authorities happens through Mr. Bland and his division, so it's not spread out throughout the organization. There is one central point so that we can have the kinds of controls that we need to ensure that we are meeting the legal threshold to share.
Senator Day: I have a point of clarification on that. You are under no obligation to share. Do you mean to say that you are under no obligation to initiate the sharing of the information?
Ms. Hawara: That's right.
Senator Day: Because you are under an obligation to share if the agency asks for it, and you apply your test that it's relevant to their mandate. Then you have an obligation to share.
Ms. Hawara: The new piece of legislation imposes no obligation, so if there were reasons why we didn't believe that we could share, we retain that authority.
Senator Day: And the reason why is the threshold test?
Ms. Hawara: The threshold must be met in order for us to share.
Senator Day: There could be other reasons?
Ms. Hawara: There could be other reasons. I can't think of any off the top of my head. The act imposes no obligation on any of the organizations to share.
[Translation]
Senator Carignan: If you do not mind, I have a few more questions for you. Recently, the government and the Minister of National Revenue announced a $440-million envelope, and this morning, the minister provided further information.
Within that funding, did you receive further resources to help you attain your goals? Will there be an internal transfer of resources to increase the number of employees within the Charities Directorate, specifically for anti- terrorism efforts? If so, how many?
Ms. Hawara: Following last June's announcement, we are expecting more resources to increase our surveillance and awareness capacity with respect to organizations and also to enhance our tools' effectiveness. Those resources are not included in today's announcement, nor in the budget at the end of March.
As for tax evasion, that is a completely separate area from ours; we have colleagues in the agency who are responsible for that component, and that money will go to them. Thus, the measures and amounts announced today by the minister are not related to the program we are discussing today.
Senator Carignan: So, from what I understand, last June's announcements did not translate into money or supplementary resources for your unit. Do you think they will be applied over the coming weeks?
Ms. Hawara: Yes. We have already begun to implement the measures announced last June and we expect to receive funding for that work. So, that announcement pertained to the agency's work and Mr. Bland's division, and we expect to receive those amounts.
Senator Carignan: How much do you expect to receive?
Ms. Hawara: They announced $10 million over 5 years, and we have already begun implementing the measures mentioned in that announcement.
Senator Carignan: Even though you have not yet received the funds, you have begun the work using your current resources?
Ms. Hawara: Precisely.
[English]
Senator Mitchell: You mentioned that you have a series of escalating initiatives that you can use to prevent, or bring an organization on side, or reprimand it in one way or another. You said education.
If you educate, do you then follow up to make sure that they have learned the lesson?
Ms. Hawara: We have an education letter. When we conclude the audit, if there are some issues of non-compliance but we're satisfied that it doesn't require a written undertaking on the part of the charity, we send them an education letter that will outline the areas of non-compliance and the corrective measures they should put in place.
There would be some follow-up depending on the nature of the non-compliance. Generally speaking, in our general charities audit program we don't necessarily review all education letters. We do quite a few of them every year.
Then there's the compliance agreement. That's where the charity gives a written undertaking of the corrective measures it will put in place. Those ones absolutely are reviewed to ensure that the measures have been put in place within a certain time frame.
Senator Mitchell: This may be naive to consider, but it is a follow up to the chair's question with respect to taxation of deregistered organizations. Is there any way to reclaim the tax refund that the donors receive because they gave money to an organization that was then deregistered but had used their money inappropriately?
Ms. Hawara: If the agency has concerns that it wasn't a proper gift or the receipt wasn't issued properly by the charity, we have the authority to reassess the donor. This wouldn't necessarily be done in every case of revocation because perhaps the donor didn't know that this was happening. If we have concerns about the receipt and the gift, though, we have the authority to reassess the donors as well.
The Chair: Have you ever done that? In these six cases that you brought forward, did you do a reassessment of any of the donors?
Ms. Hawara: I don't believe so.
The Chair: It would seem to me that these would be one of the most important areas to review if you were going to do a reassessment of any individual. This is criminal activity.
Ms. Hawara: Again, it's not necessarily criminal activity because we're at the point of disruption. Each case will be different. In some instances the donors may have thought they were donating to legitimate causes, and so reassessing the donor doesn't cure the issues that we've uncovered. For example, in the cases of false receipting or in tax shelter cases, as a matter of course we would reassess the donor. It really depends on the situation we are confronted with.
The Chair: Did you want to follow up on that, Senator Mitchell?
Senator Mitchell: I don't mean to be tricky in this at all.
You mentioned earlier that you don't consider mens rea, that is, that they knew what they were doing. Therefore, that's one of the reasons why you tend to look at it as an Income Tax Act issue before a terrorism issue.
Yet, Ms. Hawara, you just mentioned that you would make an assessment as to what the motivation of the donor might be, which would be mens rea. I'm not a lawyer, but in the one case, you're saying you don't assess it; in the other case, you are saying you do assess it. Maybe it's just the use of words, and we're asking you a lot of the same questions. How do you make that distinction? Secondly, if you do have suspicions about the motivation of the person who made the contribution, would you refer that to the RCMP?
Ms. Hawara: I think I was referring to cases where there is a problem with the gift. It wasn't actually a gift because the individual was going to be getting something in return, or the individual received an inflated tax receipt. I was thinking more in terms of those kinds of situations where the donor might actually be very well aware that they should not be receiving a charitable donation tax receipt for the donation they are making. In those cases, we take the necessary steps.
The Chair: We're coming to a conclusion here fairly soon. I want to go through this so that I clearly understand this and we get it clearly on the record.
Looking at this document that you sent us, I would recommend those who are interested in this issue take the opportunity to go on our website through the clerk's office and access this information. They clearly outline beyond, in my judgment, a shadow of a doubt, that significant millions of dollars have gone through these charitable organizations for the purpose of financing terrorism activity. It's clearly identified. I fully support the revocation of their organizations.
This is a policy decision that would have to be taken, but, first, when that identification has been made — and this is very thorough work obviously that's been done, and the auditor's should be given full credit for the work they have done — we should be looking at changing the policy of letting that organization distribute their assets basically to anyone they want as long as they are charitable organizations.
It would seem to me that the government, the taxpayer, should be seizing those assets and distributing them, as opposed to this organization with a board of directors, who have, obviously, not always complied with the law.
My question would be this — and this is exactly what we allow them to do at this time — would you not agree that perhaps maybe the government in the future should be looking at changing that particular policy? When there is clearly a breach of the responsibilities by a board of directors in how they allocate these dollars, the policy should be that the government goes in and seizes those assets as opposed to leaving it the way it is, which is basically, as I can see, that there is no consequence for anybody on the board of directors for doing what they do here. I'd like your comments.
Ms. Hawara: I would add one additional piece of information that came to me as you were asking your question. In all cases, not just in relation to these files but more generally, where we have revoked a charity or are proposing to revoke a charity and we have concerns that someone may abscond with the resources, the CRA does have the authority to raise an assessment immediately and proceed to seize the assets. Normally, we would use that authority where we thought the assets were at risk. More broadly, though, in terms of the policy question you've posed, that likely goes beyond our mandate as officials of the CRA. Our task is to administer the act as it currently exists, and I think you have posed a policy question as to whether, in these kinds of circumstances, something else should be done with the assets.
The Chair: If I just follow this through, do you have the authority, in this case, if you so choose, as opposed to the members of that board of directors doing what they want to do with the assets? Do you have the ability now under the legislation, if you so wish to?
Ms. Hawara: The legislation provides charities with the opportunity over that year to disperse their assets, as we've discussed. If we thought that they were not going to do that and that the assets were going to fall into the wrong hands, we would have the authority to intervene, but it would be in that circumstance. Otherwise, the provisions of the act do allow the charity.
The Chair: Thank you. I'd like to thank the witnesses, Ms. Hawara and Mr. Bland, for appearing. Thank you for taking our questions. You seem to be regular attendees at our committee hearings. We always appreciate seeing you.
On our second panel we have Major-General Christian Rousseau, Executive Director of the Integrated Terrorism Assessment Centre. The Integrated Terrorism Assessment Centre's primary objective is to produce integrated, comprehensive and timely assessments of terrorist threats, both domestically and internationally. I understand your agency's threat assessments are distributed within the intelligence community, to law enforcement and to other first responders and critical infrastructure stakeholders in the private sector. According to your website, your agency reports to the Director of CSIS and the National Security Advisor and also the deputy minister's committee on security and intelligence. It is accountable under the Security Intelligence Review Committee's mandate.
Mr. Rousseau, welcome to the committee. I understand you have an opening statement.
Christian Rousseau, Executive Director, Integrated Terrorism Assessment Centre: Members of the committee, thank you for taking the time to study such an important topic as the security threats facing Canada, and thank you for the invitation to meet with you today. It's my distinct pleasure to offer this committee my insights on the current terrorism threat that faces Canada.
Before I do so, I'd like to offer some comments on the organization I lead, the Integrated Terrorism Assessment Centre, or ITAC, and our role as the Government of Canada's independent centre for terrorist threat analysis. ITAC's mandate, as was just mentioned, is to produce integrated, comprehensive, relevant and timely assessments on terrorism and the terrorism threat to Canada and Canadian interests at home and abroad and to ensure their dissemination so that measures can be taken to prevent or mitigate these threats.
[Translation]
ITAC was established in the complex threat environment that followed 9/11 through the national security policy of 2004. It was designed as a community-wide resource to better coordinate and integrate intelligence on potential terrorist threats, and ensure the timely distribution of its analysis to senior decision makers within government.
Administratively, ITAC functions as a component of CSIS and is subject to the CSIS Act; however, it operates independently of the service and is accountable to the National Security Advisor to the Prime Minister.
[English]
ITAC does not have a collection mandate. We produce and write intelligence assessments based on information and intelligence gathered by others and focused exclusively on the terrorism threat. ITAC's unique integrated model draws its expertise from several federal organizations within the security and intelligence community.
Our contributing partners include the Canadian Security Intelligence Service, the Communications Security Establishment, the Royal Canadian Mounted Police, the Canadian Armed Forces and the Department of National Defence, Transport Canada, the Canada Border Services Agency, Global Affairs Canada, the Canada Revenue Agency, the Department of Public Safety and the Ontario Provincial Police.
Objectivity is critical when it comes to writing our assessments, which remain independent of any one department's perspective, or consideration of policy, economics or politics. I would also like to point out that ITAC does not determine the responses to the threat of terrorism that we assess, nor do we talk about the resulting risk or vulnerabilities. Each department, agency and organization is responsible to evaluate how to respond to the threat explained by ITAC. In Canada, the lead federal department for coordination of overall counter-terrorism planning, preparedness and response is the Department of Public Safety and Emergency Preparedness.
[Translation]
To meet its mandate, ITAC has three lines of operations, and our series of products support these. Our first line of operation is to assess and report on the terrorism threats to Canada and Canadian interests throughout the world, a sort of horizon scan to make sense of what is happening on the terrorism front that threatens Canada and Canadian Interests. This way, decision makers within the government remain up to speed on all terrorist threats to Canada, Canadians, and our country's interests overseas.
[English]
Our second line of operation is to assess and recommend the terrorism threat level to Canada, what we call the national terrorism threat level, and the terrorism threat level to Canadian interests in other parts of the world. The threat level varies from very low — an attack is highly unlikely — to critical — an attack is highly likely and could occur imminently. This assessment informs the Canadian security and intelligence community of the general terrorist threat to Canada. Importantly, it is a tool used by government officials, including law enforcement, to determine and plan responses needed to prevent and respond to terrorism.
Our third line of operation is to assess and set the terrorism threat level for special events in Canada and abroad, like the Pan American Games last summer in Toronto or the Rio Olympics coming this summer.
Now let me turn to the terrorism threat Canada faces. Much of the world continues to experience the effects of a persistent terrorist threat, and Canada is not immune. In particular, the assent of the Islamic State of Iraq and the Levant, or ISIL, has been a significant factor in the rise of terrorist attacks around the world. ISIL is not the only terrorist threat to Canada, but it is the most pressing at the moment. ISIL has demonstrated an ability not only to plot and direct attacks from afar — think Paris or Brussels — the way other terrorist organizations have done in the past, but also to inspire attacks from lone actors or small groups without explicit direction or even prior knowledge of the attack plans before they are carried out. Think Saint-Jean-sur-Richelieu or Ottawa in October of 2014.
While most Canadians have now accepted that Canada is not immune from terrorism, the question on everybody's mind is the likelihood of a Brussels- or Paris-style attack occurring in Canada. There are several factors that reduce the likelihood. First, compared to Canada, there are many more extremists who have travelled from Belgium and France to fight with ISIL in conflict zones. Second, it is relatively easier for extremists to travel from Syria to Western Europe undetected than it is to travel to Canada. This does not mean that there is no chance for such an attack to take place. It means, however, that the added difficulty allows more chance of detection by our intelligence or law enforcement agencies.
The more likely scenario we see in Canada includes violent extremists inspired to carry out attacks. At present, this remains the main terrorist threat to Canada, with extremist ideologies espoused by terrorist groups like ISIL and al Qaeda finding appeal among certain individuals within our country. This is especially true of those who have failed to leave Canada for overseas conflict zones and instead would choose to resort to supporting or committing acts of domestic terror.
[Translation]
Inspired attacks often employ rudimentary methods such as bladed weapons. Others use small arms and improvised explosives. Targets can include areas with limited or no security like crowded venues and public transportation.
In closing, as ITAC continues to monitor the threat environment here at home and in other areas of the world such as Africa, the Middle East and Western Europe, we are always searching for any clues that might point to attack plotting in Canada.
[English]
At this time, I can inform the committee that ITAC has assessed Canada's national terrorist threat level to be at medium, meaning that a violent act of terrorism could occur and that the most likely scenario is one where violent extremists are inspired to carry out an attack and employ rudimentary methods such as bladed weapons, small arms or improvised explosives to carry out the attack.
Canadian national security professionals and law enforcement partners are well aware of this threat, take it very seriously and work diligently to stop or mitigate it.
Thank you again for the opportunity to discuss this situation with the committee, Mr. Chair. I would be pleased to respond to any questions that senators may have.
Can I add that I have distributed, along with my notes here, a copy of our 2016 agenda, which doubles as a repository of facts on the terrorism threat that we follow? You may find it interesting in your deliberation today or as you continue to look at this.
The Chair: Thank you very much, Mr. Rousseau. I will start with the question of the notification to the general public regarding the threat and the nature of the threat that we face at any given time. You referred to it in your opening comments, and you've said today that Canada has a terrorism threat level designated as medium.
In our report, which was released last July and which I'm sure you're familiar with, one of our recommendations was that we had asked that the various organizations be more transparent and more forthcoming in respect to the terrorism threat that faces Canada so that Canadians are aware on an ongoing basis. An observation I would make is that the way we designate the threat levels here in Canada really doesn't mean much to anybody outside the various organizations that are responsible.
Are you familiar with the Australian national terrorism threat advisory system, which designates the threat in five possible scenarios, going from not expected to possible to probable, expected and certain? Have you considered looking at how we notify the public and maybe taking scrutiny of the Australian method of informing the public?
Mr. Rousseau: Thank you, Mr. Chair. Definitely, assessing the terrorism threat is only part of the story. The really important part is disseminating that information so that people can do something about it.
The initial mandate of ITAC and the continuing mandate of ITAC is to make sure that decision makers within the federal family first, and then first responders second, get that information. With that in mind, the idea of having low, medium, and high fitted the bill. If as the decision makers, policy-makers, government in Canada decides to move to a more communicative stance on this, the words that we use to describe it might need to be changed.
That reminds me, if I can bring to your attention, in the agenda that I gave you, tab 2 actually gives the corresponding chart among our allies. As you just mentioned, you'll see where the Australian possible, probable and expected fit compared to Canada.
We each understand what level they mean, but I take your point that making it more understandable for average Canadians would be of value. If the government decides that this is going to be something to share with the Canadian public, we'll have to review the terminology we use.
Senator Kenny: Welcome, general. I had an opportunity to hear your presentation to the Edmonton Police Service conference earlier this year. I must say that even my second time through I'm not really clear about what you do, how you do it, and why you do it.
Could you start off by describing to the committee your budget and the size of your staff and what they do? Then, would you carry forward in terms of how you actually communicate your assessments, and you referred to key government people, and who those key government people might be? I'll go from there, if I could.
Mr. Rousseau: ITAC is a whole-of-government organization. We are housed within CSIS, but the members of ITAC come from the whole community. As you may know, because you called me "general," I come originally from National Defence. There are about 50 positions in ITAC, a relatively small organization, and those people come from across the organization. Most of our budget goes to salary. We have very few other expenses because we do not do collection; we only do assessment. Partners in the community who deal with terrorism would be doing collection for their own investigative purposes. The first reaction of those who investigate is not necessarily to disseminate that information because they concentrate on investigating while making sure that those connections are made with decision makers. The role of ITAC is to take those disparate pieces of information — a bit of a clearing house — and put them together, assess what that means, and tell the story on terrorism. That's how we do our business.
Our primary customers are decision makers within the federal family. The work being done there is then disseminated to other partners. Depending on the event or the circumstances, it will go down to first responders, such as police at the police chief level across Canada for specific things. When we do a national terrorism threat level, we do an unclassified version that can be distributed. It's the same when we do a terrorism threat level for the Rio Olympics or the Pan Am games. Those will be distributed. We'll do an unclassified version, which will be distributed to first responders. Hopefully that answers your question, sir.
Senator Kenny: No, but it leads up to it. The point I'm trying to make is that decision makers in government have access to all sorts of information coming up about the risks and challenges facing the country. CSIS has its way of briefing people. The RCMP has theirs, and so on. It sounds a little bit like what you're doing is redundant. What do you add to the party that the National Security Advisor didn't already hear about from Bob Paulson or somebody else?
Mr. Rousseau: In the wake of the 9/11 attacks in the United States, it was clear in the U.S. system that some of that information existed in different organizations. But connecting those investigative organizations and then telling the story so that policy-makers could make sense of it was lost. As the government looked at its counterterrorism strategy in the early 2000s, or following that in 2004, it was felt that we missed that opportunity of somebody in the government that looked at all threat streams and made sense of it so that nothing would be overlooked.
If I may, you're not the first one to ask this question. We've been reviewed twice in our short 12-year history. Both times it was seen that the value added we put was actually recognized. In the most recent one last year, the study looked specifically at information coming out of CSIS counterterrorism and ITAC's products. The view from the clients receiving our reports who had an operational mandate, doing investigation, found that the CSIS reports helped them most. If you're CBSA and you want to arrest somebody at the border, you need the name and date of birth of the person you would be looking for. The people who found ITAC products most interesting were the policy-makers, the decision makers that had to do the counterterrorism policy for Canada, to deal more generally with response and things like that.
Those clients are not served by individual investigative organizations. It's somebody that can do that clearing-house model. The work that ITAC does used to be done in each of those departments. We didn't create an extra 50 positions 10 years ago. We took three out of there, four out of there and so on and put them together to be able to tell the bigger story than just one specific investigation.
Senator Kenny: That's a helpful explanation, general. What about the warnings that the chair brought up earlier? Does anybody really give a damn whether it's medium, medium rare or well done in terms of the threat?
Mr. Rousseau: ITAC is specifically responsible to set the threat level. The response to the threat level and deciding vulnerabilities and risk are the responsibility of the deputy head of each department. They have certain responses at different levels. Going from low to medium, there is not much of a difference, only a bit of a difference. The real difference would be going from medium, an attack could occur, to high, an attack is likely. I could get into the details, but there's a series of changes in posture that kicks in — both first responders and the security of other departments.
Senator Kenny: Would the committee like to hear what happens at the different levels, chair?
The Chair: Yes, why don't you proceed with that? Give us a short dissertation on the difference. What does happen?
Mr. Rousseau: I can tell you, sir, the levels we have and how we come to those levels. The response to those levels is synchronized and organized by the Department of Public Safety. They would be a much better interlocutor to help you talk about this. This is very much the response of the federal government.
The Chair: Before we go to Senator Carignan and then Senator Mitchell, I'll ask a question. You referred to two assessments that were done of your particular agency. Could you give us a copy of the latest one so that we have a clear understanding of what Senator Kenny asked?
Mr. Rousseau: Yes. When I go back, I will look at this. I think some of it might be classified, but we can certainly —
Senator Kenny: Redact?
Mr. Rousseau: Redact in a way that you'll understand what the story is. Yes, absolutely.
[Translation]
Senator Carignan: I have a follow-up question to Senator Kenny's comments. I understand your organization is responding to the need to avoid having different departments working in silos. It ensures the information gets shared. Your role is somewhat centralizing to avoid the silo effect.
Are you receiving enough sensitive information from each department to provide you with a complete picture? In other words, is enough information being shared amongst various departments, or could the situation be improved? In listening to you today, I get the impression that sensitive information is not being shared between departments.
Mr. Rousseau: When it comes to sharing information, there are clear rules under the law about what information may be shared.
Senator Carignan: Are you talking about the Anti-terrorism Act, 2015?
Mr. Rousseau: The Anti-terrorism Act, 2015, is one aspect, but each act governing the agencies and departments lays out procedures on information sharing.
ITAC existed well before Bill C-51 was passed. When it comes to information management, ITAC has representatives from those departments and agencies, and representatives from the Canada Border Services Agency or National Defence have access to information from their own departments. So the information does not come to us. That person does not disclose information, but may inform us when incidents occur.
For example, when we draft a report detailing airport threats in Canada, there may be information that the CBSA cannot disclose to us under the law. However, the CBSA representative is a member of the team drafting the report. We will therefore ensure that the information contained in the report is consistent with information that may be privileged. This allows us to ensure that the substance of the information is included, while properly protecting personal details.
That is why we are now an integrated centre with representatives from each department who have access to information from their respective department.
Senator Carignan: So you are saying that, if one of those representatives did not properly weigh the importance of sharing such information, there might be some kind of a gap. I find this troublesome. We are talking about information that is provided to the Prime Minister's National Security Advisor and that is used to assess the level of risk. This seems fundamental to me.
I understand what you are saying, but seemingly, it is a superficial mechanism and, we are not being informed of sensitive information that could help shed light on other things. I do understand that the information sharing has not reached the upper echelons yet and that we are talking about information exchange at a fairly low level.
Mr. Rousseau: The basic information comes from CSIS. As we were saying earlier, ITAC is a component of CSIS. The people who work for us are subject to the Canadian Security Intelligence Service Act and, as such, have access to that information. That is the backdrop against which we operate. All departments and agencies that have the right to exchange information with CSIS have access to this information.
At times, the situation was complicated by the fact that, before Bill C-21 was passed, certain information could not be directly shared with the service. Now, if someone within our organization is aware of information, we make sure the report takes it into account. If, for example, a report on a threat to the aviation system is being drafted, the author can perform a search within Transport Canada or CBSA data banks to ensure nothing has been left out.
I think my perspective is the opposite of yours. We already have a very good perspective overall, and within that perspective, we ensure that any piece of information that may go unnoticed in the CSIS background does not slip through the cracks.
Senator Carignan: To bring this discussion to a close, I want to point out that, yesterday, there was a story on the French news about three young people who wanted to leave Canada to go fight abroad. Apparently, they were not detained owing to a lack of information. They were not prevented from leaving at the airport. There still seem to be gaps in the information being exchanged. Whatever the case may be, they were not prevented from leaving.
Mr. Rousseau: The decision to arrest people is made by police forces, not ITAC. As I was explaining to Senator Kenny a little earlier, our real clients are political decision makers; investigations are conducted by CSIS and the police. Therefore, if the RCMP claims it did not have access to that information, perhaps it existed elsewhere, but they did not receive it. Furthermore, ITAC would not have had a specific role to play in that situation, which is operational.
Senator Carignan: Therefore, there are still silos.
[English]
The Chair: Just to clarify for the record, three Canadians were detained in Frankfurt? Is that what you just said?
[Translation]
Senator Carignan: I was saying that there was a story on TVA yesterday about three young people heading overseas; they were intercepted and questioned, but the information on them was not sufficient to prevent them from getting on the plane. It would seem that they wanted to join ISIL. All three young people pretended not to know each other, even though they knew each other very well; they were caught on camera, but they were still able to leave the country. It looks like there were, again, gaps in the information shared.
[English]
The Chair: They were Canadians?
Senator Carignan: Yes.
The Chair: Do you have any comments?
[Translation]
Mr. Rousseau: ITAC was not included in that conversation. A threat is based on three things: intent, capability and opportunity. In the specific case of these three young people who were leaving, police intervention would have been required. It would be necessary to ask them where they lacked information. We were not involved in that file.
[English]
Senator Mitchell: My first question is quite specific. You listed in your presentation the contributing partners, and there were two police forces: the RCMP and the Ontario Provincial Police. The Ontario Provincial Police kind of sticks out when there is no other police force, provincial or municipal, and yet they would be significant. How do you relate to them?
Mr. Rousseau: The way ITAC was built was as an integrated set open to — I wouldn't say open to anybody, but people in the business of dealing with terrorism are invited.
In the past the Sûreté du Québec had officers with us. The OPP was mentioned because it so happens there is somebody from the OPP. Usually, the provincial organization that comes with us helps us to translate what we do for federal government clients to make it actually more relevant to provincial and first responders. That OPP person with us is specializing in turning some of the great work we do that is classified and to say that as an OPP person, "This would make sense to me, and I would like to receive this," so let's spend some time and effort to make that unclassified and publish it.
As I mentioned, it happens to be OPP now. In the past we've had other police organizations come.
Senator Mitchell: I guess this is an esoteric question. I'm trying to get at the difference between risk and threat. You alluded to a list of five or six criteria that you consider, one of which was opportunity, which sounds like risk rather than threat, in terms of the likelihood that there is somebody that is going to take that opportunity.
I am interested specifically in cyber-threat, particularly in the private sector, which is more and more difficult to assess, monitor and protect, perhaps.
How do you assess the balance between vulnerability and the likelihood that there's somebody out there — some specific individual or group — who is going to take advantage of that vulnerability? Is it really that you are emphasizing the latter and not the former so much?
Mr. Rousseau: ITAC specializes, if you will, in the threat: what the intentions of the bad people are, and what their capabilities are. And the opportunity is based on when they have done attacks in the past. Do they wait for a big show in a football stadium and then attack, or do they go in any restaurant when it's crowded? This is so that we understand their modus operandi, and then we can write to that threat.
The people who receive our information then have to look at what vulnerabilities they have. If in preparation for the Pan Am Games, let's say, we come up with an explanation of a medium threat level that somebody could be interested in perpetuating, then the organization that does security there has to see how easy it would be for people to come in if they really wanted to attack and consider how that could be mitigated.
So the threat is "this is what you have to face," the vulnerabilities are "what do I have where I can be infiltrated?" and the risk is the calculation of whether that will connect to the vulnerabilities.
Senator Mitchell: The law now in Canada was recently changed within the last year or so to allow authorities to revoke a Canadian citizenship for a convicted terrorist and then send them back to a country where they have a second citizenship.
It seems to me that you'd want to keep them in jail, rather than send them back to a country that might not keep them in jail and might not secure them at all. On the other hand, you might send them back to a country where they are going to get tortured.
How would you assess the risk of revoking somebody's citizenship and sending them to Iran, Syria or somewhere where they have a second citizenship? Wouldn't that pose a greater risk?
Mr. Rousseau: In ITAC, we look specifically at the threats. I take it you are asking what the threat of the person would be.
Senator Mitchell: Yes.
Mr. Rousseau: When we look at the threats for Canada or Canadian interests abroad, we look at all the actors: whether the actors are people who are currently fighting in Syria or Iraq, or whether they are originally from there; if they have travelled from here to there and have come back; and if that's somebody who has perpetrated a terrorism act before.
Those are all part of the fabric that we look at for the threat. I can't talk specifically on one or another. Whoever is out there — part of the bad guys — we take that into consideration when we come up with a threat against Canada or Canadian interests.
Senator White: Thanks for being here. I think about these reports and where they're going. Do you do any work with the agencies and the organizations receiving them to see whether they require or are requesting more information from a survey perspective, so that value is actually understood?
Mr. Rousseau: We do. I mentioned before that there had been a review of ITAC's value into the counterterrorism domain. We are right now, as we speak, going through a dissemination review, where we go to each of our clients and try to find out who in the organization reads, and "do you pass it on to somebody else?" and "how does that information come back?"
We're actually in the middle of that. It's usually difficult to get feedback if you don't go there. People are just too busy; they read it, it enters their consciousness, but they forget to tell us if this was a good or bad report. So we actually have to go and ask them.
Senator White: Thanks for that. I appreciate it.
The second question is more of a point, and I'm trying to get concurrence. I appreciate your commentary about what happened in Brussels and the reality that more could happen in Europe than could happen here. We have something between us and some of the risk called an ocean, thankfully. But I don't want the public to think that we provide a higher level of security, for example, at our airports than we see in Brussels, because in reality we don't have airport security, we have airplane security, and our transportation areas are just as high a risk; if there is an individual wanting to do something, we are at just as high a risk as what we saw in Brussels and elsewhere.
Wouldn't you agree with that?
Mr. Rousseau: Certainly, the idea that carrying out an attack in an airport wouldn't be more difficult in Canada than elsewhere —
Where it is more difficult is for the extremist traveller to make their way to Canada, whereas the Europeans have been overwhelmed with migration, so people who have terrorist interests managed to get through that.
Senator White: We are going to be having discussions around critical infrastructure, and I didn't want thoughts out there that we are in better shape.
The Chair: I'd like to follow up on that area, because that occurred to me, as well. A number of us have been at the airport in Brussels at one time or another. The airport didn't seem to be any different than what we have here in Canada, quite frankly, except that it was a little bit older.
In view of what took place there, are you asking for a review of that type of infrastructure to see what we should be doing further in respect of ensuring that we can get whatever protection in place that could negate that type situation happening here in Canada, from a security point of view? Because if Brussels and Europe are going to change their modus operandi at the airports, are we going to look at ours?
Mr. Rousseau: This comes to the point I was trying to make with Senator Kenny. ITAC's role is to explain what the threat is, as opposed to following up on the specific investigation. So whereas the service or RCMP would be following up on who the actors were who did the attack, we look at what the possibilities of such an attack happening in Canada are.
The Chair: It's called prevention.
Mr. Rousseau: Yes, sir.
So we look at all the factors that were at play in the Paris and Brussels attacks and try to see whether those factors are transferable to Canada. Then we come up with what we see the threat being to Canadian transportation nodes and things like that.
The request for review of the security posture would be the responsibility of the policy decision makers who receive our assessments to decide, "Now, that I understand the threat, could the facilities that I manage withstand that threat?" Then that decision would have to come from them as to whether they would need to review how they deal with their facility.
The service we provide is to explain to them what happened in Brussels, could it happen in Canada, and these are the circumstances or the threats here in Canada and how they compare to Brussels. That's the value we add to this.
Senator Kenny: That's precisely what I was trying to get at. The concern I have is whether the dots are connected. It's interesting to have you say that you send around your assessments, and the next thought anybody has is, who cares? Who is going to listen? Are they listening? How do we know that they're responding to what you say?
I don't doubt that your assessments are interesting, accurate and whatever else you want to call them, but the question for some of us around the table is, okay, who is listening to ITAC? When have we seen a response, a policy change or a reaction to what ITAC is doing, and what should give us confidence that we have a system that works?
The Chair: Other than the ocean.
Mr. Rousseau: Without repeating my comment earlier, the organization that synchronizes the response is really the Minister of Public Safety, or the deputy minister. They would be in the best place to help you with this.
I can tell you that our readership is very keen on having our opinion on when things happen.
Senator Kenny: Do you charge for your reports? Do they pay for them?
Mr. Rousseau: They pay by providing seconded personnel.
Senator Mitchell: So Sûreté du Québec thought they were useful for a while, and then they decided they weren't that useful when they pulled their guy out.
Mr. Rousseau: Or they thought that the service could be given by the OPP supporting them.
We don't need five people all the time from outside; we need a bit of a rotation. With SQ, it worked for a while, and now it's OPP. Sûreté du Québec might come back.
The way you pay for the ITAC report is by contributing people.
Senator Kenny: That was a good answer.
Senator Beyak: Thank you for that, general. I have the same line of questioning in that I am wondering what you would be advising right now. You talked about the extremists and how they only use bladed weapons and improvised explosives, maybe on public transportation.
In your opinion, what today is the threat of these homegrown terrorists to our critical infrastructure, and what level? What nature? Should we be concerned? Because our airports are so similar to the Brussels airport.
Mr. Rousseau: As we look at the threat, the difference between looking at critical infrastructure and looking at the threat as ITAC does is that instead of looking at 10 categories of critical infrastructure and what's the threat to each, we look at what the threat wants to do and then which critical infrastructure would they be interested in.
We know that terrorists, in general, are interested in public transportation because we've heard them say it. The ministry of communications says that. We know that they are interested in nuclear sites. We know that they are also interested in areas where people gather.
That's very much how we look at it. If somebody from within government or outside government asks us what is the threat against the power grid, then we can reflect on what we've seen bad guys talk about. Usually the power grid does not come up as an item that captures their imagination, whereas airports and trains capture their imagination. When we write our threat reports, we write on those parts of critical infrastructure that are of most interest.
My point earlier when I talked about bladed weapons, small arms and improvised explosives was that these are rudimentary because that's all they can actually put together, being lone actors or small groups, not that sophisticated. So that's why we think that that's the most likely form of attack that would place take here.
Senator Day: Mr. Rousseau, you were asked earlier about your budget, and you said most of it was salary. You are housed with CSIS, but you operate independently, as I understood, but I didn't hear any figure.
Are most of the salaries paid by the departments and agencies from which your 50 personnel are seconded?
Mr. Rousseau: Yes. Our budget is a bit complicated. It's a bit complicated because the salaries of Defence happen to be paid by Defence, but the salaries of people that are seconded to us by Public Safety happen to be paid by us.
I'll have to dig it out send it to you separately because I don't know off the top of my head. I know how much I spend internally, but if I wanted to add all the ones from the salaries of the people that are from other departments, I can put that together and send it to your organization. I'll have to check, sir.
Senator Day: I think we'd be interested in knowing not only salaries — you focused on the salaries — but your overall operation budget, or is that hidden in the operation budget for CSIS, even though you operate separately?
Mr. Rousseau: I'd say it's mainly salaries, sir, because we don't do collections. We don't have cars, microphones or anything like that.
What we do is we have analysts with their computers, with access to their department system. Most of the money we spend is on the salaries of those analysts. That's why I would suggest that salaries are probably 80 per cent of the cost, but I will dig it out and give it to your committee specifically.
Senator Day: Computers can be quite expensive, to have the information technology. Do you use Shared Services Canada, or are you separate from Shared Services Canada?
Mr. Rousseau: Most of our computers are provided by the agencies that support us. Defence would provide the computer that goes with their analyst. The computers that we use most of the day are CSIS computers because they are the ones that provide the backbone of the service for us.
Senator Day: To whom do you report?
Mr. Rousseau: I have a dual reporting chain. For administrative purposes, my boss is the Director of CSIS, but for the type of reports that we write, my operational boss, if you will, is the National Security Advisor to the Prime Minister.
There is a committee called the Deputy Minister Committee on National Security, which happens to be all the deputy ministers of the organizations that provide analysts to us. That committee, once a year, meets as my board of directors to decide whether we should spend more money, less money, or if we should change our approach or things like that. The chair of that committee is the National Security Advisor. He would be my operational boss, if you will.
Senator Day: That is interesting. Thank you.
[Translation]
Senator Dagenais: Before asking you my questions, I would like to make a comment on airport security after the incidents in Brussels. I recently flew from Montréal-Pierre-Elliott-Trudeau International Airport, and I was looking at the number of people waiting at the various airline counters. I have to tell you that I was eager to get into the secure zone, because I was telling myself that, if ever something were to happen, it would be here, where people arrive, in taxis with their suitcases. That is where the incident in Brussels happened. I was eager to get into the secure zone. And yet, it is complex, because we cannot predict everything.
It is known that the terrorist threat is complex; the fight against terrorism is, too. You know as well as I do that the situation is constantly changing and that we do not know where they will strike. Is the threat greater or lesser here, in Canada, as compared with the United States, Great Britain or Australia? How would you describe the situation today and the changes that should be expected? Terrorists are intelligent people who change with the times, and I understand that it is very difficult to predict how they will do so.
Mr. Rousseau: Thank you. If we come back to the intentions of ISIL members, it is clear that all of the countries you mentioned are on the list of countries that they would like to attack. The difference is that, in Europe, they have already successfully organized a support network to launch attacks, as we unfortunately saw. In Canada, the United States and even Australia, they do not seem to have been able to build such a network. Attack capability in Canada, the United States and Australia is different from that in Europe. The biggest difference between the two is the support network that the group was able to build. In ITAC's view, the threat is greater in Europe than in North America.
Senator Dagenais: My second question is difficult from a political point of view, but I will ask it anyway. During your expert meetings, perhaps you talk about it. Does our exposure to terrorist attacks increase as we open our door to immigration? France opened its door to immigration, and it would seem that that did not lead to more terrorism. By completely opening our door to immigration, are we further opening the door to terrorism?
Mr. Rousseau: The way in which Canada organizes and conducts immigration security checks is different than how it is done in Europe. For immigration into Canada — and I believe that the director of CSIS spoke to you about it a few weeks ago — the process is conducted while people are still outside the country. That does not mean that there are no risks, but the risk is significantly mitigated for people coming here. In Europe, it is different. With the migrations that occurred, people arrived at their doorstep, so they could not do those checks and they lost some control. That's how ISIL terrorists were able to hide in the stream of refugees, which would be extremely difficult to do here.
Senator Carignan: We mentioned earlier different types of transportation-related threats. Over the last few years, terrorist networks have managed to surprise us by striking where we did not necessarily expect. On that topic, I would like you to provide us with information on the risks of electromagnetic pulses. Has the risk been evaluated? Have you sent documents or information on it to your clients? How do you evaluate this risk? If you have documents available, would it be possible to share them with the members of the committee through our clerk?
Mr. Rousseau: When we look at the threat coming from terrorist groups, we look at absolutely everything. We do not concentrate only on explosives; we look at what interests them, what their intentions are and how capable they are of actually doing what they intend. You know, sometimes, they have wild ideas, and it is clear that they do not have the capability to actually carry out their intentions. Explosive risks, nuclear risks, cybernetic risks, electromagnetic pulse risks and chemical risks are all closely examined. We analyze their intentions and the feasibility of those intentions.
I cannot talk specifically about any of these risks at an unclassified level, but we do look at each of them, and we could prepare something in writing on the subject.
Senator Carignan: I understand, then, that you have no specific documents on this particular risk to give us?
Mr. Rousseau: No, not in this particular case, not at the classification level that we are at, unfortunately.
Senator Carignan: Therefore, I gather that you have evaluations, but they are classified, and that you do not have an unclassified product that you could send us.
Mr. Rousseau: Exactly. I do not have an unclassified product that deals with each of those threats, unfortunately.
[English]
The Chair: Really? Well, then who would have information on such a threat as electromagnetic pulse, EMP, so that Canadians would be made aware of the seriousness of it?
Mr. Rousseau: When ITAC looks at the threat, we look at all threats, including nuclear, chemical, EMP, as a possibility. We look at who has the intentions to do it, who would have the capability, and what would you need to be able to produce that capability. Then we do the assessment on whether that is now a threat that would come from al Qaeda or ISIL or another terrorist groups. Such reports, particularly on EMP, would be classified at a higher level than I can discuss here. That was the point I was trying to make. It would be classified at least secret if we wrote such a report, so I wouldn't be able to share it with you.
Senator Beyak: Sir, could you tell me what the major challenges are associated with Canada's approach to protecting our critical infrastructure, and if you've identified those major vulnerabilities to the sectors that are concerned?
Mr. Rousseau: We look at this not from the side of the critical infrastructure looking out, but we look at the threat into critical infrastructure. So from what we can even read in their own propaganda, groups like ISIL or al Qaeda are quite interested in public transportation. They're quite interested in nuclear sites, more to be able to steal nuclear material to make a nuclear bomb than to attack them. Those would be the two main things about critical infrastructure the current wave of terrorists would be interested in. I can't tell you what the challenges are to protecting them, because I'm looking just at the threat. The people that own or manage these critical infrastructures would have to look at how they can face that threat.
The Chair: Mr. Rousseau, thank you very much on behalf of all members of the committee. We appreciate your candour.
I would like to take a moment here to recognize our next witness, Mr. Paul Stockton. We are continuing with our mandate, discussing the security threats facing Canada, included but not limited to cyberespionage, threats to critical infrastructure, terrorist recruitment and financing, terrorist operations and prosecutions. As part of bringing a focus to this mandate, we have asked Mr. Paul Stockton to come before us.
Paul Stockton is the managing director of a private company, Sonecon LLC. Before joining Sonecon, Mr. Stockton served as the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs from June 2009 until January 2013. In that position, he helped lead the department's response to Hurricane Sandy and other disasters, guided Defense critical infrastructure protection and oversaw the U.S. Department of Defense continuum of operations programs and policies. Mr. Stockton was also responsible for the U.S. Department of Defense initiatives to strengthen security in the western hemisphere. He also holds a PhD from Harvard University.
Mr. Stockton, I understand you have some opening remarks. Please proceed.
Paul Stockton, Managing Director, Sonecon LLC, as an individual: I do, Mr. Chair. First of all, thanks to you, and thanks to the distinguished members of the committee. Merci beaucoup. I'm not going to torture you with my French anymore. No one deserves that kind of punishment.
Let me emphasize I'm here today as a private citizen not representing any government agency or any private sector firm. I'm especially pleased to be here because the United States has no stronger security partner than Canada. The North American Aerospace Defence Command is unique and uniquely effective in defending our shared airspace, and Americans will never forget the sacrifices that Canada made in Kandahar, RC-South and Afghanistan as a whole. Thank you for that.
We're a partner not only in traditional realms of security but also in critical infrastructure. The U.S. and Canadian power grids are deeply interconnected. The same could be said of energy infrastructure as a whole, especially natural gas, communications, transportation; a whole array of sectors of critical infrastructure are deeply integrated. That creates both shared challenges to our infrastructure and shared opportunities for progress.
Let me give you my bottom line up front, and that is that the owners and operators of critical infrastructure in Canada and the United States, I believe, are making significant progress in strengthening the resilience of their systems, but the threat is intensifying. That presents challenges for the public health and safety of U.S. and Canadian systems that depend on critical infrastructure, but it's also a national security challenge. That's why I'm so grateful that this committee is focusing on the question of critical infrastructure resilience. It's going to be the focus of my remarks today.
U.S. and Canadian Armed Forces, our installations here in Canada and in the United States, are utterly dependent on the flow of electricity and other critical infrastructure resources in order to be able to operate and defend our respective nations. The adversary knows this. The risk exists. The adversary will adopt a deeply asymmetric strategy to take down the ability of Canadian and U.S. Armed Forces to defend our respective countries by attacking the infrastructure on which our defence installations depend. That will be the focus of my remarks today.
Let me give you a road map of what I intend to cover today very briefly before turning to your insights and questions. I want to focus on the cyber-threat to critical infrastructure today, although I'd welcome the opportunity also to discuss electromagnetic pulse weapons, other threats to critical infrastructure.
I want to talk about the progress that the owners and operators of critical infrastructure are making in our respective countries but then also gaps that I see in our preparedness and opportunities to make progress for all of you to consider as you pursue this important line of inquiry.
Let me turn now to the first topic, which is the cyber-threat to critical infrastructure. Admiral Mike Rogers, the head of U.S. Cyber Command, offered testimony to your counterparts in the United States Senate last week. Last Tuesday he appeared before the Senate Armed Services Committee. I'd like to offer you a brief quote that he provided:
We remain vigilant in preparing for future threats, as cyberattacks could cause catastrophic damage to portions of our power grid, communications networks and vital services.
Now, this is obviously a threat not only to the U.S. economy, if adversaries were able to cause catastrophic effects on the power grid and other critical infrastructure, but it's also a national security challenge because, as Admiral Rogers emphasized to the Senate Armed Services Committee, the Department of Defense, its installations and its forces based at home that are prepared to support operations abroad are utterly dependent on the flow of electricity and other critical infrastructure services. The loss of those services, the disruption of that critical infrastructure, could have very severe effects on the ability of the U.S. Armed Forces to defend the United States. Above all, the United States needs to be able to ensure, no matter what, that its armed forces can conduct the critical operations necessary to defend the nation. "Mission assurance" is the term of art that members of the United States military, members of the Department of Defense, use when they talk about the importance of ensuring that critical infrastructure can survive state or non-state actor attacks.
What are the implications for Canada, for all Canadian citizens whom you help represent? Let's think about any significant Canadian military base that you'd like to consider — Esquimalt, what have you. These facilities, just like major bases in the United States, depend on electricity provided by the Canadian power grid. What would happen if there were a loss of power supporting Esquimalt or any other significant Canadian military base? First of all, the operations at that base, the cranes, everything else in the shipyard would be severely disrupted, the computers, the HVAC systems, everything else on which electricity depends. Also, you would have a cascading failure of other critical infrastructure. Water and waste water systems, as you all know, are utterly dependent on electricity in order to be able to function. If the adversary can take down the electricity, then water and waste water service goes away. It is the same for communications, the same for hospitals that serve the community where the workers in these military bases live.
My bottom line to you is resilience of critical infrastructure is a national security issue, and that's why it's so valuable that this committee is taking the question forward.
Now let me very briefly turn to areas of significant progress and then gaps and opportunities for progress in Canada. Now, I'm going to be very humble and preliminary in my recommendations on how to strengthen resilience. The United States and Canada have very different forms of government. Canadian sovereignty leaves you with special roles now in the infrastructure realm. For example, in the United States, we think it's a great idea for every governor in the United States to own her own armed forces, her own army and air force, in the form of the National Guard. I leave it to you whether your premiers ought to have their own armed forces.
I'm not going to pretend that an American can advise you on how best to strengthen critical infrastructure, but let me offer a couple of very brief remarks which we can then pursue in greater detail.
First of all, the electric industry, in Canada and in other infrastructure sectors, is making great progress in building their own resilience against cyber-threats. So the North American Electric Reliability Corporation, NERC, as you know, exercises regulatory authority over both Canadian and U.S. utilities and has imposed mandatory standards for cybersecurity that are becoming increasingly stringent. That's an excellent foundation on which to build. But let me suggest that more work needs to be done. We've got great progress under way in protecting electric utilities against attack. I believe, Mr. Chair, that we need to make additional progress on being able to get the lights back on if a successful attack occurs. I've provided the committee staff with a study I've recently written on how to restore power in the aftermath of a sophisticated, highly capable cyberattack. I think it's important to think about not only protection but also response and restoration.
Second, a big area of progress is collaboration between owners and operators of critical infrastructure and the government. The Electricity Subsector Coordinating Council, the ESCC, has membership from the Canadian government — Public Safety Canada, Natural Resources Canada — as well as our counterparts in the United States and the Canadian and U.S. power industries. That's an excellent thing, but one thing is missing on the Canadian side. In the United States, the Department of Defense participates in these meetings because they understand, as we were talking about before, that it's a national security issue to make the grid resilient. I'd urge you to consider the possibility that the Department of National Defence ought to begin treating these issues as an area of primary importance as an issue of national security.
Finally, cyber information sharing: The Electricity Subsector Coordinating Council is one opportunity for progress, but so is the Electricity Information Sharing and Analysis Center, the E-ISAC. That provides the basis for sharing sensitive information back and forth between Canadian utilities, U.S. utilities, and government entities that are watching the cyber-threat. We need to ensure that this kind of information sharing is accelerated, is deepened, so that Canadian utilities, when they find malware on their systems, can quickly provide it to the government, and the government can analyze that malware and get remediation efforts back to the private sector so that they can scrub that malware and maintain the resilience of the Canadian and U.S. power grids.
Mr. Chair, thank you very much for the opportunity to support you today. I look forward to your insights and the questions that you'll be able to offer.
The Chair: Thank you very much, Mr. Stockton. I'll start with Senator Dagenais.
[Translation]
Senator Dagenais: First of all, thank you very much for your visit. You're still able to enjoy a bit of the Canadian winter today.
From your point of view, can you identify essential Canadian infrastructure that would be most vulnerable? If so, what are the weaknesses that we should tackle?
[English]
Mr. Stockton: Thank you for that question. I always start with the electric sector as an area of special focus from a national security perspective because so many other critical infrastructure sectors — communications, the financial sector, the water sector — depend on electricity to be able to function. But the interconnection of critical infrastructure also needs to be borne in mind because, without communications, it's very difficult for utility workers to be able to restore power if there should be a successful attack on the electric power grid. Perhaps you're familiar with Lake Wobegon. All the children are above average. I believe all infrastructure sectors are especially important, although I tend to start with the electric sector because it's foundational.
[Translation]
Senator Dagenais: Compared with the United States, how much could Canada's security be affected? Our countries are similar. We know that infrastructure and its importance is very different from one country to the next. Could you give us an idea of the significance that an attack on our infrastructure could have? Of course, they would not all trigger the same degree of seriousness, but I would like to hear your opinion on the matter.
[English]
Mr. Stockton: First of all, the electric power grid in both the United States and Canada must comply with the same critical infrastructure protection requirements levied upon the sector by the North American Electric Reliability Corporation. That's the good news. Other sectors have voluntarily standards. Other sectors don't have this foundation on which to build. It's an area for further thinking.
In terms of special problems for vulnerability, I believe that the attack on the power grid in Ukraine recently was illustrative of the kind of challenges that we'll face going forward. No one knows — at least I don't know — who the attacker was. It's possible it was either a major nation-state — we'll go nameless today — hackers or perhaps hackers supported by that nation-state. As you go forward with the analysis that will contribute to your report and future legislation, I'd urge you to think about a spectrum of threats, starting, potentially, at the least dangerous end for national security — criminals, hackers, traditional extortionists — all the way to nation-states, the biggest, most capable nation-states who might potentially end up in a crisis with NATO members, including Canada. Then, in the middle, that grey area, there are state-supported terrorists, state-supported hackers, who may be able to do significant damage unless progress continues in strengthening the resilience of Canadian and U.S. systems and, above all, ensuring that these systems cannot suffer physical damage when an attack occurs.
In the Ukraine attack, Ukrainians were able to turn power back on in six hours. That's a bad day, but it's not a terrible day. If adversaries can inflict physical damage on dams, on water systems, on critical components of the electric power grid, that's an area for special concern.
Senator Mitchell: Thank you very much, Mr. Stockton. It's really good to have you with us. When you talk about electricity, it reminds me of a statement by a witness recently who said — I'll get to why it reminds me of this — that when he goes to ports and says, "What is your biggest concern with respect to critical infrastructure," which ports are, they don't say terrorists or terrorist attack. They say climate change because the seas are rising. It can also be an issue with respect to drought and, all of a sudden, dams that don't have water behind them because the water situation has changed. Have the powers that be in the United States, the people with whom you've worked, considered climate change? Do they consider it as an infrastructural threat, and should we be doing that in Canada? How do you handle that?
Mr. Stockton: Climate change is a very important challenge to port operations, both for civilian port operations and for the United States Navy, for the Coast Guard. That's a shared challenge for the United States and for Canada. I would also say that, for natural hazards in general, associated not only with rising sea levels and drought conditions in some portions of North America, but earthquakes and all the other severe natural hazards that our nations could confront, we need to think of those as potential national security challenges again because of the consequences of the Cascadia fault zone having a severe earthquake and tsunami, the effects then on military installations in that region or severe storms in the East Coast portions of Canada and the United States. It is very, very important that we take an all- hazards approach to building the resilience of infrastructure so that the U.S. and Canadian Armed Forces can do their jobs to keep our people safe.
Senator Mitchell: Absolutely. It's interesting to hear you say that. I think we do need to begin to emphasize that.
With respect to cyberattack, in Canada, and in the U.S. as well, we have government, federal and provincial, and that's somewhat manageable in the sense of ability to coordinate. It's at least defined. But then you have the private sector, where there's almost infinite numbers of actors who are private sector owners or have responsibilities for critical infrastructure.
How do you manage the protection, the protocols and the development of protection of private sector critical infrastructure in the U.S.? What role does government play, does the Department of Homeland Security play, for example, in coordinating cybersecurity threats in the private sector?
Mr. Stockton: The Department of Homeland Security and, in the case of electricity, the Department of Energy, play a very important role in supporting information sharing on emerging threats and also in supporting the development of models and frameworks that provide guidelines for industry to meet emerging cyber-threats, best practices and what kinds of technological innovations can be accomplished. But I want to go back again, Senator Mitchell, to the importance of information sharing in a real-time basis, so that as soon as malware is discovered by a utility on their networks that can be provided back to Public Safety Canada and can be provided back to whoever is going to be responsible — in fact, in Canada, the Canadian Cyber Incident Response Centre.
These kinds of capabilities need to be developed, and then the response centre, or whoever else is going to be in charge of this in Canada, needs to be able to rapidly analyze that malware and explain to private sector utilities how to remediate that malware, because we can't expect all of the individual companies in Canada who own and operate critical infrastructure to have that analytic capability themselves. It will never happen.
Some kind of more centralized, coordinated mechanism for support of the private sector owners and operators of critical infrastructure, and the public sector owners in the case of water and waste water systems, is something that I urge you to consider going forward in terms of your recommendations.
Senator White: Thanks for being here today.
As we walk through any effort we make to try to improve our infrastructure between Canada and the U.S., we can look back at the nuclear industry as being a success story. Canada and the U.S. went through a wave, but they similarly have managed the security around their nuclear industries. In fact, I would argue that neither of us is afraid of what's happening north or south of the border, as much as you cannot be with nuclear energy.
Why is it we're not taking something like that that's been successful and saying, look, in the case of other infrastructure like our power grid, we're actually even more inclusive when it comes to that border crossing, things that are moving back and forth and using that as a success story and building upon it instead of walking their own way on all the other areas, whether it's transportation infrastructure, power infrastructure or other areas as well?
Mr. Stockton: I believe that's a powerful argument. That is, borrowing from the success of the nuclear power industry and building resilience is an important thing to consider how that model might be applied to other infrastructure sectors. Clearly, every sector is going to have its own unique characteristics. We can't take a cookie cutter approach. INPO, the industry-based association that's been leading safety and security improvements, is important to look at as a model.
In the United States we have over 160,000 independent water and waste water systems and a relatively small number of nuclear power facilities. Clearly, the kind of coordinating mechanisms that are useful for one won't directly apply to another. Every sector needs a modified approach.
Senator White: I don't disagree with that, but we've done this in the past with setting benchmarks. If you look at the fact of the $2 billion we move back and forth across the border every day between Canada and the U.S., we've been very successful in managing that border right across this country because we set benchmarks. Everybody meets the benchmark. If they wish to be — I hate to use ISO standardized — they have to meet the benchmarks. Really, it's only about benchmarks. I don't care if there's 5 million; if they meet the benchmark I don't care how many there are really. So it's really about benchmarks, wouldn't you agree?
Mr. Stockton: I take your point. I think it's an excellent way of going forward. But when we go back to Senator Mitchell's point about what the coordinating mechanisms look like, it will look very different between sectors. But a benchmarking approach, best practices approach and voluntary standards, as well as mandatory, all of these tools will be valuable.
Senator White: Thanks for finding the time to be here.
Senator Kenny: Welcome, Mr. Stockton. Were you present when General Rousseau testified before you? He was the previous witness.
Mr. Stockton: I heard the tail end of it. It was excellent testimony. However, I didn't hear the first half.
Senator Kenny: Okay. Well, perhaps it was in the first half that he offered a different view than you have. He suggested that things like dams and water systems and electricity and natural gas weren't very popular with terrorists in North America and that the threats to our critical infrastructure came principally to transportation facilities like airports, trains, public gathering places and nuclear facilities. That was the one common area.
I think there's a difference between the two pieces of testimony we've heard, but can you comment on it, please?
Mr. Stockton: I'm sure that his testimony was compelling. Let me offer you my perspectives based on the United States. We know that potential adversaries have been mapping U.S. critical infrastructures, including the electric power grid. I call it preparation of the battlefield: very careful reconnaissance to try to understand how our networks are structured. In the case of black energy and other malware, establishing persistent presence on our networks. This includes other portions of the energy sector, including natural gas. Potential adversaries are mapping our systems in order to understand how they might be most effectively attacked should the motivation appear to do so.
I want to emphasize that although the owners and operators of critical infrastructure are rapidly improving their protections and their defences against attack, the threat is getting more severe. The threat goes far beyond transportation sectors, goes to all critical infrastructure sectors, including health care, and we need to be prepared to continue to strengthen resilience not just to match improvements in adversarial capabilities but to stay ahead of them.
Senator Kenny: Are you disagreeing with him?
Mr. Stockton: Not having heard his testimony, let me emphasize that the threat is severe, it's getting more intense, and it cuts across multiple infrastructure sectors.
Senator Kenny: Thank you.
I'm not sure if I heard you correctly, but you talked about something that sounded like NERC. I'm familiar with the FERC. I've been involved in hearings they've held for natural gas imports, and I presume they also handle electrical transmissions to the United States. Did I hear you right? Was it NERC with an N?
Mr. Stockton: Yes, sir; NERC, as in North America.
Senator Kenny: How would they have jurisdiction over Canada?
Mr. Stockton: North American Electric Reliability Corporation is designated as the industry lead for the establishment of the specific standards that in the United States FERC requires them to establish. So FERC says we need standards in cybersecurity, and then NERC proposes those standards, and FERC ultimately approves them.
I'm not familiar with how the Canadian government side of this works, but I do know that NERC applies to set standards for Canadian, U.S. and a small sliver of Mexican electric utilities.
Senator Kenny: Then surely it's a voluntary process for people who want to export to the United States and it's not a question of jurisdiction; somebody has voluntarily agreed to accept an industry standard.
Mr. Stockton: I'd urge you to contact NERC in order to get an exactly accurate assessment. But I do know that the reliability standards for cyber that NERC has imposed apply both to Canadian and U.S. utilities, with one important limitation, and that is the standards apply to what we call the bulk electric system, generation and high voltage transmission. The standards don't apply to the distribution systems that send the power to defence institutions, the City of Ottawa and other customers.
Senator Kenny: I only take exception to your word "imposed" and maybe also to the word "jurisdiction" because I don't think that either of those pertains. Perhaps one of the researchers could chase it down.
Mr. Stockton: I'll be happy to supplement my response for the record because I may not have used the accurate terms.
Senator Beyak: Thank you very much, Mr. Stockton, for your book, which is very timely; for your kind words about our shared national security strong partnership; and for taking a leading role on this critical issue. You spoke before our House of Commons committee in 2014. Your words were timely but chilling to me. You said it is inevitable that a successful cyberattack will occur on the electric, natural gas or other energy infrastructure on which both our nations depend. The offence is developing weapons much more quickly than we can defend against them.
I wonder if you could elaborate on those comments for me: who the offensive actors are in the scenario, what type of weapons they are developing that we're not ahead of, and if anything is improving. You did talk about the gaps and how we're filling them, but I'd like more information.
Mr. Stockton: The attack on the power grid in Ukraine is a tectonic shift. Now we know that it's not just a theoretical risk that power grids will be disrupted by cyberattack as we have an actual example. The degree of sophistication of that attack is interesting not only in the way in which the distribution system was disrupted but also in the fact that there was a simultaneous attack on a Ukrainian communication system, in particular the phone system. Not only did the power grid go down in these three big distribution companies, but also customers were unable to report that they had lost power because there was a simultaneous attack on a second sector.
As you go forward, senator, in your analysis, I'd urge you to think about the risk that adversaries will attack not only a single sector but also multiple sectors in Canada or in the United States simultaneously in order to magnify the risk of cascading failure across those sectors. That's not an issue I addressed when I had the honour of speaking before the house committee, but it is something now that we've seen evidence that adversaries are able to inflict. It's a straw in the wind that we need to prepare for multi-sector attacks, not just an attack on a single sector.
The Chair: I understand you recently published a book on the electromagnetic pulse and its implications. This is an area about which there's been very little public conversation in Canada. I know there's been a great deal more public conversation in one manner or another in the United States.
Perhaps you could just expand on that particular threat, how you see it possibly being initiated, what the implications could or would be, and what we should be doing in respect of taking the necessary steps for prevention.
Mr. Stockton: Mr. Chair, as editor in chief of a book looking at electromagnetic threats a year and a half ago, I'd be happy to provide a copy for the record.
The Chair: It would be very much appreciated.
Mr. Stockton: It would be my pleasure.
When we think about electromagnetic threats to the power grid and other electronic heavy infrastructure, there are two flavours of special significance: There is the risk of severe solar storms that create geomagnetic disturbances. In the realm of natural hazards, very long wave disruptions to the power grid could affect transformers and other equipment. Also, a very different threat can come from nuclear weapons: the nanosecond burst, the E1 burst, which is a very quick, intense burst of electromagnetic radiation that can essentially fry microelectronics and create physical damage to critical grid components that would be very time-consuming to replace. There's a risk of multi-week or even longer power outages over extensive areas.
As I said, the most likely way that an adversary might be able to create extensive electromagnetic pulse effects is with a high altitude burst of a nuclear device. Increasingly, however, there's also the risk of tactical electromagnetic pulse devices, perhaps carried by drones or other means to create disturbances over much smaller areas. Of course, these could fall into the hands of a much larger array of potential adversaries, including terrorists. I believe that preparedness against both types of EMP threats — nuclear power and these tactical improvised electromagnetic interference devices — bears further analysis.
The important thing going forward is to understand that this is just another hazard against which prudent investments can be made to buy down the risk that these hazards pose to the electric power grid. There's nothing especially horrifying about these hazards — nothing that makes them especially problematic. Shielding techniques and prioritized investments can be made to begin to protect, piece by piece, the most critical components of the electric power grid.
Just as we want to be concerned with the effects of the Cascadia fault zone having a catastrophic earthquake and cyberattacks of great severity, EMP falls into the category of a potentially very severe threat against which we need to begin to make prudent investments so that the power grid can be protected in ways that are most valuable for the Canadian economy, public health and safety, and national security, just as in the United States.
The Chair: Perhaps, if you don't mind, I'll follow up a little on this.
We know that this particular threat has been discussed for quite a number of years in one manner or another in the United States. As I said earlier, we've had very little public conversation in Canada. Perhaps you could outline what steps the federal United States government is taking to this point in being prudent and moving ahead in respect of putting the necessary infrastructure in place that would help to prevent that catastrophic type of threat becoming reality. What work is the U.S. government doing with state governments, who have a lot of that responsibility, and with the private sector?
Mr. Stockton: I can't speak to current U.S. government policy or initiatives to protect government systems against attack. Clearly, the Department of Defense and other entities will have been doing so since the Cold War era. Now increasingly private sector utilities are beginning to make investments in the resilience and survivability of their own systems against EMP effects. The progress that they're making, in some cases with the support of state public utility commissioners that enable them to recover their costs for these investments, is accelerating and needs to accelerate.
In this area, there are no mandatory standards, neither by NERC nor any other entity. Voluntary progress is going forward, and continued progress is going to be extremely important.
The Chair: Do you believe mandatory requirements should be put in place so that we get a time frame in respect of where we can meet those objectives?
Mr. Stockton: I'm a believer in voluntary initiatives at least as the starting point for building resilience. Sometimes those voluntary efforts prove sufficient.
What's under way today, Mr. Chair, needs to be accelerated because the threat, although it's one of many, deserves targeted investments to build resilience, with the equivalent of Faraday cages and the other technical fixes that can be made in order to protect critical grid components against E1 — that is, a nanosecond pulse of energy.
Senator Beyak: Dr. Stockton, given our interconnectivity as nations and the recent concerns of the U.K.'s security and intelligence committee over Huawei's participation in their critical infrastructure, should we be cooperating more and coordinating our efforts when it comes to foreign investments in our critical infrastructure?
Mr. Stockton: I think closer coordination is always going to be valuable. We have existing bodies that provide for that coordination. I would emphasize that as these efforts go forward, not only must they keep pace with an increasingly severe threat risk of supply chain corruption, insider threats and everything else that can pose a challenge to critical infrastructure, but also we must keep in mind the national security dimension of these challenges from both state and non-state actors: not only terrorists, but a full spectrum of potential adversaries with states having, by far, the greatest capability, certainly, in the cyber realm.
Senator White: Just a follow-up to that, if I may. Thank you very much for that response.
I know in Australia right now a discussion is ongoing in relation to a port purchase proposal put forward by a Chinese government-owned corporation to purchase the port, I think, of Darwin.
Do you believe also that North America should have a similar strategy around not allowing non-national organizations, in particular those that are supported by a government, to purchase ports in North America?
Mr. Stockton: Senator, that's not an area in which I have sufficient expertise to offer a comment.
Senator White: I appreciate that response, actually. Thank you very much.
The Chair: I'd like to follow up on another area and just refer back to your time, Mr. Stockton, as Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs. I understand you were responsible for the Defense Critical Infrastructure Protection Program, and perhaps you could just elaborate on your definition and what qualifies for defence critical infrastructure.
During the course of that review and the implementation of that policy, was there any coordination with Canada to identify what our critical infrastructure would be, as it relates to the infrastructure in the United States?
Mr. Stockton: Mr. Chair, let me start with the second part of your question first. The answer is yes: The Permanent Joint Board on Defence, an absolutely vital venue for collaboration between Canada and the United States, did address this question of critical infrastructure protection. I hope it will continue to do so.
In terms of defence critical infrastructure, the world looks like a pyramid, so there are a very small number of absolutely vital infrastructure components without which the United States military could not possibly function. That's a small number of systems, and their ability to survive cyberattack, natural hazards and any other threat is of paramount importance.
Then as you go down the pyramid, there are larger numbers of critical infrastructure components, communication systems, and what have you, that are important for particular missions. But maybe there are work-around solutions so that in case one goes down, there is a redundant system that could be used, and so on down the pyramid where, eventually, there are lots of critical infrastructure components, but they don't deserve the same investment in terms of protection that the most critical systems would have.
That's the way we categorize things in the United States. Let me add one more item for you that the committee may want to consider. The Department of Defense officials look very carefully at — no fooling — what it takes to execute a specific mission for the Department of Defense, in terms of the supporting civilian infrastructure: Which particular installations and which particular missions depend on the flow of power from particular utilities? That's an opportunity to think about mission assurance and the national security implications of infrastructure resilience in a way that proved very helpful in the Department of Defense.
Senator Kenny: The Permanent Joint Board on Defence is well-known and well established as a vehicle to have the Canadian Armed Forces deal with the American Armed Forces. Could you give us more detail about the areas that they studied?
Mr. Stockton: I'd be happy to but only for the period in which I had the honour of participating.
One of the first initiatives that we took in collaboration with the Department of National Defence was to bring Public Safety Canada and the Department of Homeland Security deeper into participation with the Permanent Joint Board on Defence. That was because so many of the security challenges confronting the United States and Canada involve issues that are led, in many cases, by Public Safety Canada and the U.S. Department of Homeland Security: disaster response, critical infrastructure protection and many cybersecurity issues.
To be able to have all parties together was an important innovation, and we took on those inter-agency challenges, if you will, as a special area of concern, in addition to the more traditional core areas of defence: looking at opportunities of mutual support in catastrophic events, where each nation would be able to support the other; for immediate life- saving and life sustaining operations; beginning a dialogue on critical infrastructure resilience; and really understanding the importance of the shared power grid, including having the CEO of NERC make a presentation to U.S. and Canadian participants on the power grid in North America and the way it is structured.
Senator Kenny: Can you give us other examples of where there might have been a geographic impact? Or was it a broad, more general discussion?
Mr. Stockton: Very concrete. For example, both Canada and the United States had capacity-building initiatives across the western hemisphere, especially Central America, and some South America initiatives. Prior to the PJBD taking on this issue of capacity building and the Americas, there was too much of the United States going forward with its programs, without first talking to the Canadians about which initiatives Canada had under way, in Guatemala, for example. There wasn't an effort yet to have these programs be a mutual support, so the overall investment by the two nations could be made more efficient and effective. An important, very concrete industry strategic initiative went forward to begin to understand how our respective sovereign investment programs in capacity building could be brought into closer coordination.
There is also important work on Mexico, which I would be happy to discuss at some future time.
The Chair: Could I follow up a little further on that, if you don't mind, colleagues, to try to understand the coordination between the United States and Canada?
I'm more of a pragmatist, so I have to use a real example. Have we actually identified the critical infrastructure vis- à-vis the electrical grid? What portions of the grid, between Canada and the United States, need more upgrading and protection, in order to be able to ensure that we can continue to operate if there is a solar-induced magnetic pulse or otherwise? Have we actually identified that? That goes to the provinces, and in some cases to the municipalities.
Mr. Stockton: There is an effort under way by the utilities in both nations to identify the most critical components of the power grid, and of the bulk electric system, that then need to be protected. There's also a growing focus on building resilience of the bulk electric system against physical attacks — that is, high explosive attacks — a very important area of NERC standards that again is providing a focus for progress, by both Canadian and U.S. utilities.
[Translation]
Senator Dagenais: A witness told us that there were no less than 100 million attempted cyberattacks per day on our critical sectors. I would say that that is an extremely high number. I wonder how there can be so many attacks. Where do they come from, and is it possible to identify the enemies that can attack our critical sectors? It is not always a case of public or government infrastructure. How can the private sector build its defences and resilience in the face of these attacks, which I would describe as malicious?
[English]
Mr. Stockton: The first opportunity for progress is to strengthen information sharing. As we discussed before, we need to ensure that the government is helping industry have the threat signatures and that they understand the malware they need to be looking for, and industry needs to be capturing this malware and providing it to government for analysis.
I'm not sure of the number of attacks that occur every day against a Canadian infrastructure, but I will say that the word "attack" is something to be very careful of. In many cases, as I mentioned before, these penetrations of U.S. and Canadian networks are mapping exercises: Potential adversaries seek to understand how the grid and other infrastructure sectors are organized and how they are controlled; they are attempting to steal passwords and attempting to move laterally within networks. All of this activity is under way in contrast to a Ukrainian-type attack that's actually disrupting the ability of utilities to deliver electricity.
We haven't been there yet, but going back to the testimony that I offered to the house, I believe such an attack is inevitable. I believe that if the Islamic State gained the ability to launch such an attack, we can anticipate they would do so for maximum effect.
Again, however, state-supported terrorists and potentially, someday, nation-states — we can't rule out the risk that, in a severe regional crisis, there could be escalation to cyberattacks on Canadian or U.S. critical infrastructure.
Senator Beyak: We as a committee had the privilege of going down to Cheyenne Mountain near Colorado Springs a couple of years ago. Given the success of NORAD, do you see any advantage to Canada and the United States cooperating on something like that with our infrastructure programs?
Mr. Stockton: I'm not sure which organization would provide for the best opportunities for collaboration. Clearly, NORAD is a unique model of defence collaboration. It's wonderful and wonderfully effective.
But Public Safety Canada and the U.S. Department of Homeland Security have got very important responsibilities in the infrastructure protection realm for cyber-threats.
The current U.S. policy-makers in the White House and also in the Department of Defense are still feeling their way forward as to what, exactly, the role of the military should be in supporting cyber resilience of privately owned and operated critical infrastructure. So I would urge that NORAD continue to grow and that it continue to meet the challenges that exist in its traditional realm, and explore where it could have added value for emerging security threats, as well.
This is overwhelmingly a challenge to the civilian sector and needs to be treated as such.
Incidentally, it's beautiful there, isn't it? I had the opportunity of climbing Cheyenne Mountain with my son two weeks ago. It's just stunning.
The Chair: Let me just to go to a different area, which is critical infrastructure, which is our airports and air travel. With an earlier witness, we had some questions in respect to whether we were reviewing our security requirements at our airports in view of what we witnessed in Brussels.
Do you have any thoughts on that in respect to the fact — and I think it was maybe Senator Kenny who stated it — that we basically have our security at the airports, and it's actually for the airplanes, not the airport itself. Do you have any thoughts about whether that scenario should be reassessed and reevaluated, in view of what we witnessed?
Mr. Stockton: I do. And I'd like to reference some comments made recently by the head of the Transportation Security Agency, Peter Neffenger, who said that in the past there has been too much of a focus on perimeter security in airports, that is, we'll build a secure line — the equivalent of a wall, if you will — and everything inside that wall is safe, but on the outside, maybe not so much.
We need to get away from a perimeter security and be able to treat airport security and transportation security in a much more holistic way and in a much more intelligence-driven way, so that we extend the monitoring of potential threats and provide greater outer layers of security, including more extensive use of trained dogs in American airports, and use other approaches to make sure that rather than having an inner sanctum that's carefully secure while everything outside of that is at risk, we extend out security in intelligent and intelligence-led ways.
The Chair: Colleagues, as we are coming to the end of our time here, I'd like to thank Mr. Paul Stockton for coming and providing his expertise. I know that you flew in this morning and are flying out tonight, I believe.
Mr. Stockton: Your fine weather is tempting me to stay.
The Chair: Yes, I'm sure. He's going back to the airport as soon as he can.
I really appreciate the time and effort that you have taken out of your schedule to come here and provide us your advice. On behalf of my colleagues, thank you. You are hereby excused. We will now go in camera.
(The committee continued in camera.)