Past Session:

Proceedings of the Standing Senate Committee on
National Security and Defence

Issue 10 - Evidence - Meeting of November 5, 2012

OTTAWA, Monday, November 5, 2012

The Standing Senate Committee on National Security and Defence met this day at 4 p.m. to examine and report on Canada's national security and defence policies, practices, circumstances and capabilities.

Senator Pamela Wallin (Chair) in the chair.

[English]

The Chair: Ladies and gentlemen, welcome to the meeting of the Standing Senate Committee on National Security and Defence.

We will continue our look at the issue of cyber security as we did last week at the committee. A little later on we will hear from the chief of the Communications Security Establishment Canada, but we begin today by looking at the cyber safety and security issue inside the Department of National Defence. Public Safety, as we are trying to explain, is Canada's lead department for cyber security, and officials told us last week that about $155 million in new cyber spending has now been agreed to. Their role is also to coordinate cyber security within the government and with the private sector.

However, National Defence also plays a cyber role, and last spring a new cyber directorate was set up in that department. So far our main ally, the United States, has taken a slightly different approach. In the military, they have declared cyberspace to be a new military domain — along with land, sea, aerospace — with its own cyber command. We will look at different approaches to this today.

From the Department of National Defence, I would like to welcome Brigadier-General Greg Loos, Director General Cyber, Chief of Force Development; and Brigadier-General Roberto Mazzolin, Director General, Information Management Operations.

Welcome, gentlemen. We are glad to have you here at committee. I understand Brigadier-General Loos has an opening statement.

[Translation]

Brigadier-General Greg Loos, Director General Cyber, Chief of Force Development, National Defence: Thank you, Madam Chair. Hello, I am the Director General Cyberspace responsible for the force development of the Canadian Forces cyber capabilities. I am pleased to be given the opportunity to provide this committee with an overview of my organization, including its establishment, role and future plans.

[English]

Joining me at the table is Brigadier-General Roberto Mazzolin, who is responsible for most of our current cyber capabilities, our network operators and defenders, strategic military signals intelligence and the CF electronic warfare support unit.

[Translation]

I would like to begin by situating our efforts within the context of the whole-of-government approach to cyber security.

As you will be aware, Public Safety Canada is the Government of Canada lead on cyber security. Public Safety Canada developed and leads the implementation of Canada's first national Cyber Security Strategy, issued about two years ago.

The three pillars of the Strategy are: securing government systems, partnering to secure vital systems outside government, and helping Canadians to be safe online.

[English]

The strategy calls on the Department of National Defence and Canadian Forces to strengthen our capacity to defend our own networks, work with other government departments to identify threats and possible responses, and work with allies to exchange best practices and develop policy and frameworks for the military aspects of cyber security. Maintaining and strengthening the defence of DND/CF networks is a top priority for my organization in collaboration with the Communications Security Establishment Canada and Shared Services Canada. However, it is also my responsibility to develop the capability for the CF to operate more effectively in the cyber environment writ large. The Canada First Defence Strategy stipulated in June 2008 that the Canadian Forces requires core capabilities and flexibility to successfully address both conventional and asymmetric threats, including cyber attacks. As I will explain in a moment, the Canadian Forces must be able to operate as effectively in the cyber environment as it does on land, on and under the water, and in air and space.

[Translation]

Before describing what I mean by this, allow me take a step back and explain the origins and specific mandate of my organization.

In September 2010, the Canadian Forces established an ad hoc Cyber Task Force to determine the military's cyber requirements. Its mandate was to optimize current cyber-related capabilities while setting the conditions for the force development, force generation and force employment of future cyber capabilities, with capabilities being defined as people, processes and equipment or tools.

One of its first tasks was to develop a coherent definition of the cyber environment and to conceptualize what it means for the military to operate within that environment.

[English]

In April 2011, the Chief of the Defence Staff established a permanent DG cyberspace organization belonging to the Vice Chief of the Defence Staff and reporting directly to the Chief of Force Development, Rear-Admiral Lloyd, who spoke here last month. As that DG, I am responsible for the Director Cyber Force Development. This directorate is tasked primarily with identifying and developing future cyber capabilities, including continuing critical conceptual work and designing and building cyber capabilities. It incorporates the Canadian Forces Cyber Task Force with ongoing support from Level 1 organizations across DND/CF. These organizations are branches headed by assistant deputy ministers or their military equivalents.

Let me skip to my organization's work plan. It is organized along four lines of effort. First is a policy line. Along with our ADM(Pol) team, we provide input to Public Safety Canada on the implementation of the Canada's Cyber Security Strategy as well as informing policy development regarding the role of the military in the cyber environment. Second is command and control, including designing an authority, responsibility and accountability regime for cyber capabilities to be led by operational commanders. Much like the national Cyber Security Strategy, our approach is to avoid treating anything cyber as fundamentally new and instead seek to integrate our cyber activities into existing planning and operational frameworks as fully as possible.

The third line is capability building, including ensuring that resources are appropriately focused on core functions and helping to synchronize the force's various cyber-related programs. A top priority for strengthening our cyber capability within the Canadian Forces is to provide commanders with a common operating picture and improved situational awareness of their cyber environment to enable more timely and informed decision making. Finally and most importantly is human resources and training through the definition of training requirements, development of a program for building the specialized competencies required to operate effectively in the cyber environment, and putting in place measures to sustain the competencies by avoiding skill fade and ensuring appropriate retention levels.

[Translation]

As I noted earlier, the top priority of DND and the CF is to defend its own systems. Our needs are quite different from those of most other government departments, particularly in that commanders must remain accountable for command and control and sensor systems upon which our military operations entirely rely.

We work closely with Shared Services Canada and CSEC to help secure and defend some of our networks, but we must also maintain a capability of our own. Current DND/CF cyber capabilities related to computer network operations are focused primarily on defensive cyber operations and information technology security measures. The core defensive capabilities reside within the Canadian Forces Information Operations Group, housed in the Canadian Forces Network Operations Centre.

The mission of the unit is to conduct cyber defence operations and to conduct network operations.

[English]

A common thread through all of our work is the need to continue the shift from treating cyber as a series of discreet, and often technical, management activities towards a more coherent operational command-driven approach. This will require new processes and procedures, new training at all levels and a different way of thinking. I would be happy to elaborate, but we will leave it at that for now.

Recognizing that operating effectively in the cyber environment requires close coordination and cooperation with other government departments and with our closest allies, building and strengthening partnerships is another ongoing priority. In particular, DND and CF have enjoyed a long partnership with CSEC that will only become more important in the years to come.

We of course also place great value on our partnerships with the U.S, the U.K., Australia and New Zealand. The trust amongst this group is a great strength as we each grapple with similar challenges. NATO will be another key forum for cooperation.

[Translation]

In summary, DND/CF is taking the cyber threat seriously. It is real and present, so we have to be vigilant and effective in combating threats and reducing vulnerabilities in the cyber environment. More broadly, a modem military must be able to understand and operate effectively in the cyber environment. My organization is still in its early stages, but we have begun to make a difference and are actively working with key interdepartmental partners in the context of Government of Canada policy direction to deliver credible and comprehensive options for further development.

[English]

That concludes my overview of the CF cyber force development efforts and my organization's responsibilities. Brigadier-General Mazzolin and I would be happy to respond to your questions.

The Chair: As we begin, let us see how you frame it. In our discussions last week we talked about a recent speech from Leon Panetta, Secretary of Defense, talking about the responsibility of a cyber Pearl Harbour. He talks about cyberwarriors; the U.S. military is looking at new rules of engagement. Are you using the military terminology as you discuss this and look at it from your vantage point?

Brig.-Gen. Loos: We are trying to look at it through a normal military operational lens. We do look at it as another environment that has been institutionalized and normalized. We will have to undertake operations in the cyber environment. We look at it as a domain and it is something that we have to understand from an enabling perspective of providing capabilities to enable command and control, to enable operations in other domains but as well emerging as its own domain where you can undertake operations or others can undertake operations against us, to take away from our ability to command and control or connect up our sensors to decision makers, to military units that will have to deliver effects.

The Chair: Thank you very much. That is helpful.

[Translation]

Senator Dallaire: I want to be sure I understand correctly. We operate on land, sea and in the air. We have ventured into space a bit. Cyber space, by nature, makes us perceive this environment as new, somewhat as a fourth dimension of possibilities for conflict. Is that the basis of your analysis?

Brig.-Gen. Loos: That is exactly what we believe.

Senator Dallaire: The magnitude of this is significant, which leads me to the following point.

[English]

Your shop, working for the vice, versus let us say General Beare's outfit, means you are working at the strategic level for establishing the doctrines that will be required, the structures that will be needed, the rules of engagement, as the chair has mentioned, beyond our borders, because there are no more borders with your environment. Your offensive operations and active defence, all that stuff, are you saying nothing has been put together yet in sort of an environmental construct like we see within the army with its doctrine and training and so on, that you are actually trying to create that from scratch with this new directorate?

Brig.-Gen. Loos: That is a very interesting question, and I will try to step through it and answer it in a way that is helpful.

From first principles, we already have a structure in place that allows us to carry out a number of the functions that we are talking about. Some of what we are doing is a little bit of old wine into new bottles. The cyber environment has been around for a long time. We have had to defend our networks for a long time. What we are looking at now is a first principles analysis of what we have and what we need, and then we will let form follow function to decide what we need to do to build beyond that.

I work for the vice, but I work for the Chief of Force Development, who is responsible for all joint capabilities. This is, if anything, a joint capability that will touch all the other environments. It is explicitly a process of going from conceive and design to then build, but we will build on what we already have. In relative and comparative terms, we have a strong starting point in terms of what we have on the shelf today, what we have in terms of capabilities. What is emerging is how that environment is being leveraged by our allies and adversaries. We have to look at it first conceptually to see what is in the range of possibility, what will be confronting us, and then look at the capabilities we need to deal with that, to make sure we can operate, to make sure we can defend and protect, to make sure we have freedom of manoeuvre, but ultimately, depending on what that analysis yields, it may speak to new structures.

One of the areas we are working on in my force development organization is command and control: How does that have to be shaped? We are already building on the structures we have. We are putting pieces in place at the start to inform our effort. We have folks working inside the new joint operational command to make sure we can synchronize what we are trying to do in the cyber environment and make it just another range of capabilities that has to be organized, planned, synchronized and laid out for joint commanders.

Senator Dallaire: You are scaling significantly, and we are talking a new environment, and we are not talking about ADMIM, making sure we have firewalls and tempest rooms and that kind of stuff. We are not just talking garrison here; we are talking garrison but also in the field, and both of them are continuously interwoven because they are linked in. Does ADMIM become a three-star position and we take a different perspective to cyber versus what has often dominated, which is the environments do the operational stuff and you do most of the garrison stuff?

Brig.-Gen. Loos: At this point, it is too early to come up with final. You have touched on one of the key issues. When we get to the end of analysis and look at what we have versus what we think we need, there is a question about presenting that operational value case to the senior leadership in a department and beyond. We can afford something but we cannot afford everything in terms of what we can build. We will be on a different scope and scale than some of our allies — that much is clear at the outset — but we do have a view to significantly enhancing our capability to operate.

There are a number of options for how that structure will pan out. Regardless of what the structure is, we have it clearly in our sights to ensure that the command and control relationships will allow commanders and staffs to properly integrate this into their set of tools as necessary to make sure they have a proper appreciation for what is going on in the cyber environment because it will affect all of their operational environments, but as well, to make sure we have the right governance and oversight.

We intend to treat this like other operations — rules of engagement, strategic targeting oversight when and where appropriate to make it normalized and institutionalized in a way that makes it not something new and different but just part of the mix.

The Chair: Thank you. That was a very good answer.

Senator Johnson: You state in your opening remarks that Public Safety is the lead department under which cyber security falls. You have also said there is a role for National Defence in protecting Canadians against cyber attacks. Can you expand on and explain what role National Defence and the Canadian Forces play currently and what role they will play in the future as the cyber threat develops further?

Brig.-Gen. Loos: The Cyber Security Strategy is fairly clear about DND's role. We have a responsibility to protect our own information and networks; that is clearly within our remit. We have a role to contribute to the whole-of-government effort in characterizing the threat and sharing information on what is going on in the cyber environment. Beyond that, it is the normal extension of the department's remit to provide assistance to other government departments when the security situation reaches a point where the scope, scale and consequences take it from being an isolated incident to something of greater importance, or it becomes a security event at a national level.

That is pretty much the current limitation on how we are directing our efforts. I think there is more to be looked at as we go forward. We will not lead in that space; that is not our role. However, I do believe we will have a seat at the whole-of-government table. When the threats are coming in, we see events at network speed, and it is necessarily difficult in the early stages to figure out what is going on. If that is the case, then we have to be at the whole-of-government table early to be informed and to have visibility to what is going on.

Normally, events affecting the Government of Canada will be handled by Public Safety and the Communications Security Establishment Canada, CSEC, but when it trips beyond an isolated event and looks like it is something that is either state-sponsored or something with wider repercussions, then clearly National Defence would be brought in if not to assist then at least to be at the table to provide advice to government.

Senator Johnson: This is such a new area for most Canadians. I am a replacement on this committee and this is my third week here, unlike some of my colleagues. I am asking from the ordinary-Canadian point of view of public safety.

You mentioned a bit about NATO. What about our allies and working with CF to combat this growing threat? Do you think NATO will play a more prominent role in cyber security?

Brig.-Gen. Loos: NATO has much on the go in terms of their conceptual and policy work and in terms of smart defence. They will be part of our way ahead.

The problem space, in my estimation, is much larger than any one nation or any one government department. Therefore, we look at it as a team sport in that the only way to get a leg up on those who would cause us harm or take malicious actions is to share information in every venue and every forum we can. When we do that, we will be better off. NATO and our key allies in the Fives Eyes offer us those opportunities. We attempt to move at the speed of trust. The more we can share and safeguard the information we share the better off we will be.

The Chair: I guess one of the distinctions we are trying to get at here is that you are a department unlike others in some respects. A breach or a hack at DND has larger implications than at some other departments, so you have to focus on that primarily; is that fair to say?

Brig.-Gen. Loos: That is absolutely so. In fact, Brigadier-General Mazzolin has most of our current forces under his control today. His folks are waging the daily battle.

The Chair: Will you speak to that for a moment Brigadier-General Mazzolin?

Brigadier-General Roberto Mazzolin, Director General, Information Management Operations, National Defence: Fundamentally, it becomes an issue. This is what we consider cyber or the network environment — the Internet as most Canadians would recognize it. The technology embeds itself into the very fabric of everything that Canadians do. By extension, that applies to militaries.

The challenge that we face is one we share with our partners in defence around the world. The doctrine, tactics, techniques and procedures that normally apply to any global commons such as the air, land and maritime environments have been established for millennia and the organizational constructs and the doctrine for that period is long-standing. Air power has been in place for 100 years. Cyber is intrinsically new from that perspective.

Conceptually framing this is the challenge that many militaries are dealing with. When we look at the role of defence in this context as the means of asserting national will or national political intent as part of a broader strategic security construct, the challenge is how we fit into this environment. Cyber permeates every facet of everything we do. Where do we fit into these broader areas? These are some of the challenges we seek to embrace.

Senator Lang: I just want to go back and refer to Secretary of Defense Panetta's statement two months ago on September 11. As you well know, he had a significant statement to make on cyber security. I want to quote this, because I want to follow on to what Senator Johnson said in terms of most Canadians not being aware of how serious the situation we face is. I want to ask you to elaborate further on the significance of Mr. Panetta's statement and what we actually do face and the reason why we are doing what we have to do.

For the record, in talking about breach of cyber security, he said:

The collective result of these kinds of attacks could be a cyber Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.

Statements like this made by the Secretary of Defense for the United States have to be taken seriously. Can you comment on that? I think it is important that Canadians understand the significance of what this is.

Brig.-Gen. Loos: Absolutely. I will share the mic with Brig.-Gen. Mazzolin on this one. I do not think I am in a position to either affirm or discount Secretary Panetta. I think there are many commentators out there who will offer up what are technically valid representations of what is possible. I am not in a position to comment on what is probable.

There is a bit more of a calculus that goes into determining those actors, and there is a range of threat actors out there from hacktivists, to criminal organizations, through to terrorist organizations that are perhaps enabled down to state-sponsored, where we see the most sophisticated capabilities. However, when you get to the most sophisticated capabilities, there is a cognizance that, if it is state-sponsored, there are other factors that go into the determination of whether they will use those capabilities in some of the ways described there.

I do not necessarily have an opinion. I think there are some possibilities there. I certainly would be loath to predict whether we see that rising up to us tomorrow.

However, back to the question, the point was about that scenario, this department and the Canadian Forces. Clearly, when it becomes a broader security issue, then we will be involved. We have to be aware of it, if only from the simple perspective that we have to assure the military mission. If the power is out, telecommunications are down or transportation is affected, that affects the military's ability to carry out its mission. To go back to my earlier point, that is why we have to be at the whole-of-government table and be aware of what is going on at the same time as other partners in government are carrying out their functions and roles.

I would suggest that if the repercussions of the event have either online or off-line implications, then we would be part of dealing with that. However, in terms of tying that back to my effort to build what is right for the Canadian Forces today, it is not a big driver. I do not think the apocalyptic predictions are what will fundamentally bound and describe what we will build, certainly within DND and the CF.

I do not know if Brigadier-General Mazzolin wanted to speak to the threat.

Brig.-Gen. Mazzolin: Thank you. Again, it is very difficult to predict the likelihood of any scenario in terms of characterizing the threat. There is a tendency to focus on foreign state actors and the high end of the threat continuum. That is represented and understood by many in the intelligence community, and it would be inappropriate to speak to that specifically here.

A significant effort is devoted to protecting our own defence infrastructure, command and control networks to allow us to operate.

Perhaps the more challenging question is that of the asymmetric threats we end up having to face. That is of particular interest to the Canadian Forces, where we are a general-purpose military. We have a long tradition of responding to a wide range of operational exigencies, from disaster relief, humanitarian operations, to high-intensity conflict. Part of that responsibility includes supporting our federal first responders and security agencies when called upon to do so.

The challenge with an asymmetric threat is that the threat has very little investment: The initiative is always with the attacker, and this requires a nation or military to devote significant effort to defending against a threat that can be initiated with nominal resources.

To that end, the big challenge for us is how we embrace cyber in the context of facilitating operations.

Senator Lang: To follow that through, the reason I raise this is that the way I see, in part, your responsibility is to do whatever we can to prevent that particular event taking place.

General Loos, in your statement you said this will require new processes, procedures, new training at all levels and a different way of thinking, not unlike the body of the statement made by the Secretary of Defense for the United States two months ago.

What time frame are we looking at here? We are changing the way we look at cyberspace threat. Some resources have been made available. What time frame are you looking at from the point of view of bringing in these new procedures, new training, different way of thinking and the question of whether you have the trained personnel to do that, which again was referred to in Secretary of Defense Panetta's public statement?

Brig.-Gen. Loos: In terms of time frame, you are absolutely right that time is pressing on us. I would characterize it as a ramped-up effort to move up on those lines of operations I mentioned, looking at capabilities, looking at command and control, looking at the policy and governance issues that need to be normalized so we can carry on and look at the HR.

Realistically, the HR piece of it is likely to be the most challenging. How do we, in the short term, use our existing system of trades and classifications in our HR system to deliver some of the right answers in the short term while we go through a very methodical force development process to analyze what we need and then put in place the program and the pieces that we need to get there? This will likely involve structural change, some new approaches to HR and doctrinal changes in how we bring this in, not just for a specialist cadre but across the rank and file of everyone in the Canadian Forces.

Everyone who sits at a keyboard is part of that environment and represents both an actor for good but also vulnerability when we do not attend to information assurance and protection of information.

As for realistic time frames, we are looking at a number of years, initially, to better organize and apply the resources that we have and introduce some of the initial cadres for some new capabilities. We are looking at a number of years beyond that before the full program will start to deliver.

A bit further down the road is an architectural piece as well. We have what we have today in terms of our network space and infrastructure, but it is not necessarily completely designed and architected with network protection and defence in mind. In some cases, that gets added on as we go along. In an enabling vein, trying to make our operations better and more swept up, we get involved with connecting things up to help commanders and staff understand their environment and prosecute operations.

Knowing what we know now and designing for our infrastructure of the future, we will make it stronger at the outset in our design, but also instrument it so we can make it more defendable in the future in terms of specific capabilities for the defence.

There is a lot that goes into the program. You are entirely right that there are a number of challenging areas that we have to move out on.

Senator Day: There are many things spinning around in my head here in terms of the discussion we have had. Thank you for being here to help us gather a little bit of understanding. In my reading, I am looking at the various relationships that exist.

First, can you clarify for me, are Shared Services Canada in DND, or are all the people in information technology in DND separate from Shared Services Canada?

Brig.-Gen. Loos: I will share the microphone with General Mazzolin on this, because he is in the organization that has Shared Services Canada as part of its integrated approach.

Part of the statement that I did not go into detail on is that we do not look at the cyber environment as just our network space from a military perspective. It necessarily involves, beyond network space, anything that goes over radio frequency, anything that connects up between our sensors and sensor systems, back to decision makers and then out to units or platforms that have to take action. All of that we consider to be part of our cyber domain or cyber environment. That is definitely beyond the remit of Shared Services Canada.

We also look at our command and control systems at ``secret'' and higher as weapons systems, as a means we need for effecting command and control and for carrying out operations. That is necessarily something that we have to ensure and have controls over. That is currently a dividing line in the effort.

The other thing I would say is that Shared Services Canada has a remit to deliver us a certain range of services and capability for commodity IT, email and data centres, but it is still our job to integrate that into a whole, fused picture. We use those systems as well to support operations, to support the function of command. It is still important to us what is going on with the services that are delivered by Shared Services Canada, or if there are other defensive services provided by Communications Security Establishment Canada. We need to fuse that together and present a coherent picture so that commanders understand what is up, what is down, where we are being attacked today, if we are, what we can do to mitigate that and how we can work around that.

I know it is a swept-up effort within the information management group to deal with the transition of Shared Services Canada being stood up and taking over responsibility for some of those services..

Brig.-Gen. Mazzolin: Brigadier-General Loos has covered it very well. What I would offer is that the Shared Services Canada initiative, to which we have devoted a significant amount of effort in terms of partitioning out the respective resources that are transferred over to us to ensure those we retain within the National Defence, actually presents an opportunity for us.

The commodity-based information management and information technology, which SSC is responsible to manage, still captures a significant portion of what we consider to be command and control infrastructure networks. Virtually everything we do within National Defence impacts on our ability to conduct operations.

I guess the partition line that we have tried to respect is one that we retain within the department, and it allows us to focus on those networks in the classified environment that are integral to supporting our deployed communications, command, control, computing, intelligence, surveillance and reconnaissance operations. To that end, we have undertaken a significant effort to try to understand the delineation point. We recognize that even in the corporate environment, which facilitates military operations, the application environment, which is specific to DND, the data and the information that resides in the networks that are provided by SSC and that we use are what we are trying to focus on and ensuring and developing our specific network environment to be able to protect the information and facilitate operations in cyberspace.

Senator Day: You have a larger role than just DND in terms of protecting information and cyberspace, and that is for Canada. Canada's defence requires you to play that broader role; does it not?

Brig.-Gen. Loos: I would say that at this point, no, sir, that has not been laid out for us as a broader role. Certainly, we see ourselves as part of the whole-of-government team to respond to security instances that reach a scope and scale, but in terms of protecting government systems, that is CSEC's role. In terms of reaching out and down to provinces, territories and critical industries, that is Public Safety's role to lead and coordinate.

We are certainly interested in all of that. There is military nexus there, as I have said, in terms of mission assurance and understanding what is going on for if and when it becomes a national security issue for which the military should have a voice in providing advice and contributing to the fight.

Senator Day: I would like to get a feeling for the role of the electronic warfare group, your relationship with them and your relationship with the communications and electronics establishment in Kingston within the military. You have discussed Australia, New Zealand, the U.K. and the U.S. and how you cooperate with them. What about the countries from NATO that have gone into the Estonian research establishment for cyber and the lessons we have learned from that Estonian cyber attack? Can you talk about that? I want to get a feeling for your role within those various parameters.

Brig.-Gen. Loos: I will let you take the electronic warfare part.

Brig.-Gen. Mazzolin: There are a number of questions there in terms of trying to characterize the extent capability. The principle operational entity within the CF at this point is the Canadian Forces Information Operations Group, part of which involves the Canadian Forces Electronic Warfare Centre, which provides support from an electronic warfare perspective in terms of supporting our tactical platforms. The CFIOG looks after our military-specific signals intelligence, network defence operations and electronic warfare capabilities, which basically comprise what we look at operating in the cyber environment and in the terms I think you are referring to.

We work in close collaboration with our international partners, again, in terms of a lot of the doctrine, the tactics, techniques and procedures and also in terms of interoperability with our partners. When the Canadian Forces deploy internationally as part of coalition operations, our deployed platforms have to work in close proximity and in conjunction with our allies. To that end, it is very important that our systems are interoperable.

You mentioned the school in Kingston. I believe you are referring to the School of Communications and Electronics. Again, fundamental in terms of being able to develop a military capability, education, training, professional development and doctrine are absolutely integral to that. A significant amount of effort is being devoted towards developing the school's capacity to be able to do that, to provide that capability.

The Chair: Thank you very much. Senator Nolin, you are next.

[Translation]

Senator Nolin: A number of my concerns have been addressed. General Loos, correct me if I am wrong, but is your field of work already being practiced in a theatre of operations? Given the reaction speed needed to deal with the enemy in this case, the normal reactions of a defence system, even though we are talking about an abnormal world, will not work. You will have to react very quickly. If we take the example of Estonia, the systems stopped working in a matter of hours.

My question is the following: how are your services integrated into the joint forces? What level of efficiency is there in the chain of command to ensure that reaction speed is at the heart of your superior's concerns?

Brig.-Gen. Loos: If I may, I will respond in English in order to express myself better.

Senator Nolin: Of course.

[English]

Brig.-Gen. Loos: There are a couple of ideas there. You are absolutely correct regarding the daily activity — if you want to characterize it as a battle — dealing with events in terms of probes and malicious activity. It is here, absolutely.

In terms of trying to deal with what is coming at us, it is absolutely correct that, from a technological perspective, the intent is to try to deal with it at network speed. It is why one of our fundamental areas of examination is how we can do better with situational awareness. It comes back to instrumenting networks and talking a bit about how we do better at that. It is how you build in up-front the security and the defensive systems so that you can get a better appreciation of what is going on faster with information technology infrastructure information, what is up, what is down, security event information, so the sensors you have instrumented your networks with tell you what is going maliciously, as well as operational information, operations and exercises that are using those systems to carry out operations. That is part of it.

Other partners in government are working in capabilities to get us closer to being able to deal with threats in real-time. That is part of it.

Organization and structure are absolutely factors that will come into our analysis to say what is good, better and best in terms of how we are organized.

Senator Nolin: I must tell you that the answer you gave to my colleague is a bit troubling because it is a work-in-progress, and you are counting in years to get a result. That is where my concerns are.

Brig.-Gen. Loos: Yes, but today we have an organization that is charged with the defence of our networks and carrying out network operations. It works under General Mazzolin's command and control. The information operations group, our network operations centre, carries out that responsibility today. They have a chain of command, but they are responsive to and work directly with our strategic joint staff as well as our joint operational commander to share that information that is deemed critical in real time. We have invested already cadres of personnel to start normalizing that and bringing that into those operational headquarters and into our strategic joint staff. That exists today. Is it what we will have at the end of this process? It is probably not. We have work to do, but we have some of those things in place.

Part of normalizing this is allowing operational commanders to understand the environment and then to pose their questions, what we call commander's critical information requirements. What does a commander wish to know about, in this case, the cyber environment? The folks who are working on network operations and defence will then have that list and be able to respond to it, to ensure that the commander and his staff have what is available to help them shape operations.

[Translation]

Senator Nolin: As far as defence of the continent is concerned, Canada and the United States developed NORAD a number of years ago. Do you foresee—as soon as possible I hope—given the importance of a quick response when it comes to cyber defence, developing an approach with the Americans that is similar to the one used for NORAD? In other words, one that goes beyond the chain of command and implements a command unit that is agile and capable of reacting quickly?

[English]

Brig.-Gen. Loos: I think we are probably treading a little bit into policy questions beyond my current remit.

Senator Nolin: That is fine.

Brig.-Gen. Loos: I do believe we have gained much benefit from our approach in defence of the continent in NORAD, for those reasons and for those areas that are considered strategic in nature, to make sure the right questions get escalated to the right levels for decision.

Do I believe that will be part of our future? I think it will be part of our future, but I cannot tell you right now what that constellation will be. Is it just defence? I think it is a whole-of-government answer.

The Chair: That is fair. We have seen indications that both the President and the Prime Minister have identified that as an area of joint concern under perimeter security and under the question of shared borders. You are right; it is for others to answer.

Senator Mitchell: This is really interesting, and you are explaining it very well. As I am listening to your presentations, it is clear that what you are always talking about — and I do not mean this in any pejorative sense — is defence, so we are defending against these attacks. By definition, it means that some other country, some other entity, is viewing cyber elements as a weapon. Are we looking at weaponizing from the other side, in a sense, or are we simply looking at it as defence; or are we in a new era of warfare, attack and retaliation, where you actually have to look at these cyber considerations not in defensive capability or posture but in attacking posture, that new wars will be fought on those grounds?

Senator Day: Sort of like a good defence is an offence.

Senator Mitchell: It is a weapon in the arsenal that others are using, but do we have it, and should we, or can you say?

Brig.-Gen. Loos: I can say a little bit, but perhaps not as much as you would like.

What I would say is that it is true that there are many nations around the world that are looking at the cyber domain as a domain for military operations and looking at what is in the art of possible for offensive capabilities or, rather, whether you consider it to be offensive or just to deliver effects. If you can accomplish something in your military mission without using kinetic means, which causes less collateral damage but delivers the same end result from a military perspective, then I think many countries are looking at that. Certainly there are many potential adversaries out there that have demonstrated they are prepared to use capabilities to further their own national ends, and that is available in the open press.

Regarding our own ambition, we see that this domain is absolutely one within which we have to be able to operate competently. While our priority is on defence and situation awareness, we have to ensure that we retain the ability to continue to use the cyber environment for purposes to support operations, at a minimum. We have to be able to command and control. We have to be able to connect with sensors and shooters. We talk about being able to assure our own mission, to be able to continue to operate and manoeuvre freely in the cyber environment, but I cannot really speak much beyond that.

Senator Mitchell: You start to imagine a new cold war era where you have mutual virtual deterrents, because they are afraid of what we could do to their cyber configuration as much as we are afraid of what they could do to ours.

Brig.-Gen. Mazzolin: The only adjunct I would mention is that, given the topical nature of cyber, there is a tendency to look upon it as a separate, discrete form. We are indicating that in the context of a contemporary progressive military that is responsible for being able to assert will across the various global commons — air, land and sea, and now cyber — one aspires to being able to provide a range of options to operational commanders and, by extension, our national will to be able to provide a calibrated response to any attack, incursion or activity by a hostile entity.

Senator Mitchell: This raises an interesting question. If another country came and bombed the factory and created a good deal of damage by doing that, it is clearly an act of war. However, now another country could come and meddle with the technology of that factory, do every bit as much damage, send trains off tracks, ending up in huge economic implications, and maybe killing people. Would we view that as an act of war? If so, it speaks to your point about what is a proportionate response to that and whether we have the mechanisms to do a proportionate response to that, which might not be flying over and bombing them. It is an interesting question, how the world is changing and how our perceptions will change, or you could change.

Brig.-Gen. Loos: I am not sure whether that was a question, but let me respond.

I believe it is entirely possible to view cyber activities that yield effects as an act of war. You will find a growing consensus, certainly among Western, like-minded nations. They are looking at this from an effects perspective. The growing legal interpretation, under the law of armed conflict, is whether the effects are such that you cause significant damage — there is always a range of interpretation for ``significant'' — or injury or loss of life. Ultimately the question of whether it is an armed attack that necessitates a response will always be a political question, whether it is NATO Article 5 or any other response. It will ultimately come back to a political appreciation of whether that was severe enough to merit a response.

Certainly there is a growing consensus among the legal folks who are looking at this. Back to an earlier question on Tallinn, one of the great benefits of the efforts at the NATO Cooperative Cyber Defence Centre of Excellence is their work in exposing these ideas and drawing in consensus on how we could and should view these activities. The belief is that international law is actually good enough to consider some of these things if you look at it from an effects perspective and what effect was delivered and whether it was severe enough.

The Chair: The issue, of course, is authorship, figuring out who did it.

Senator Dawson: I was in Tallinn, and we did a study. I will not repeat the fact that we do not have a digital plan for Canada. We do not have one for the whole country. Therefore, it is quite obvious that we have problems with digital literacy. Not only are we ignorant about cyber attacks, but we are basically ignorant of cyberspace. We are not educating our young people. Technology is overtaking us.

The question would basically be, as far as Tallinn is concerned, that they could react because they had the digital strategy. They knew what they were doing in the digital world. They invented Skype.

How can you play your role if the rest of the country, the provinces and the private enterprises, are not intertwined with you to be sensitive to not only the text but also the whole literacy part of the Internet, how it should be better planned by governments, plural, because it does concern the provinces as much as the central government? Is the rest of the government playing a role to support you in your efforts? Yes or no?

Brig.-Gen. Loos: If I can paraphrase, I think you are asking me whether the government is doing a good enough job on the cyber file.

Senator Dawson: All governments, the provinces, et cetera.

Brig.-Gen. Loos: Honestly, I do not think I am in the best vantage point to offer an opinion on that. Certainly, I do know that Public Safety has the explicit lead for coordinating with other levels of government and with critical infrastructure.

As I mentioned before, you are absolutely right: There is a military nexus there; there is an interest because they have to understand their role. When it is time for operations — even if it is domestic response aid to civil power operations — if the power is out, it affects military operations. If the transportation system is down, then it will effect military operations. We have an interest, and we have to have a seat at the right whole-of-government tables. For what it is worth, we have something to offer at those whole-of-government tables because we are versed in dealing with security situations of a scope and scale that are multivariate, with many different activities going on, and we can bring planning expertise to the table, if and when it is required, to deal with something coming out.

Do we need industries to be better aware of what is going on? Absolutely. Public Safety has that remit. From what I know and from recent reports from the Auditor General, progress is being made.

The Chair: We had testimony on that last week. There are industry groups feeding in and vice versa. The point that we have all seen written about a lot is that we all have to take more responsibility for this and ensure that we are taking some precautions when we use these things and when we go to the bank because every piece of this puzzle counts.

I want to thank you both very much for giving your testimony today and for being careful. We know when you had to because there are some large issues at stake here. Our thanks to Brigadier-General Greg Loos and Brigadier-General Roberto Mazzolin. I am sure that we will talk to you again in the future.

Ladies and gentlemen, we continue with this session of the Standing Senate Committee on National Security and Defence. Last week at our meeting, Public Safety department officials told us a bit about the cyber security role of the Communications Security Establishment Canada. Today, we will learn more about CSEC and all of the acronyms that we are coming to learn and love on this committee. CSEC is a stand-alone agency that reports to the Minister of National Defence. CSEC is our ultra-secret foreign signals intelligence agency. It protects the federal government's electronic information and communications system and provides specialized advice within the federal government. It is a huge job, getting larger all the time. To shed a little more light on this today, we are joined by John Forster, Chief of CSEC, and Toni Moffa, Deputy Chief, IT Security.

John Forster, Chief, Communications Security Establishment Canada: Thank you, Madam Chair. I have distributed a copy of my remarks, but, in the interests of time, I may skip parts of it and try to leave as much time as possible for questions. Thank you for the invitation to be here today. It is a pleasure for me as the chief of the Communications Security Establishment Canada, or CSEC, your favourite acronym. In the short time I have been chief — I was appointed in February — I have to say that I am tremendously amazed and pleased to be the leader of an organization with such tremendous capabilities and dedicated people.

[Translation]

Today, I would like to briefly go over who we are, what we do, and how we contribute to the security and safety of Canada. After which, I would be happy to take your questions.

[English]

CSEC has a three-part mandate: first, to collect foreign signals intelligence in accordance with the government's intelligence priorities; second, to provide advice, guidance and services to help protect the electronic information and information infrastructure of importance to the government, which is sort of the key part of our mandate that interests you in terms of your work on cyber security; third, to provide technical and operational assistance to our federal law enforcement and security partners.

I would like to start off by saying explicitly that our legislation prohibits CSEC from directing our activities at anyone in Canada or at Canadians anywhere in the world.

[Translation]

We have strict policies, procedures, and review mechanisms that ensure that the privacy of Canadians is protected and that the activities of CSEC are lawful.

[English]

The most notable of our mechanisms is the external, independent CSE Commissioner, the Honourable Robert Décary, a retired federal court judge, whose office has full authority and complete access to review any aspect of our operations for lawfulness. In every public report on the activities that he and previous commissioners have reviewed over 16 years, CSEC has always been found to be lawful. Last December, we became a separate agency. We were formerly part of National Defence, and we are very much still a part of the National Defence portfolio and family. We work closely with National Defence and the forces, and we report to the Minister of National Defence.

In terms of our organization, our operations, let me explain briefly what it is we do. I trust that the committee understands there will be limits on what I can say in a public forum due to the sensitive nature of our work.

The Chair: Indeed we do.

Senator Dallaire: We are most disappointed about that.

Mr. Forster: So noted. The first part of our mandate is for signals intelligence. We collect foreign signals intelligence, which often can include decrypting information, today's equivalent of code breaking. We produce intelligence that responds to the annual priorities of the government. The government sets the priorities and we work within those. We work with our allies in counterterrorism and other threats and with the forces in their missions abroad, such as in Afghanistan, and provide information to the Government of Canada for policy development, decision making, advance warning, counter measures and forensics on cyber threats.

[Translation]

These activities have helped to identify threats to Canada and Canadians beyond our borders, protect the lives of our brave men and women of the Canadian Forces serving abroad, and ensure that senior government decision-makers operate with the best available information.

[English]

The second part of our mandate, and of interest to this committee, is the information protection aspect. I should point out how challenging and increasingly vital this part of our work has become in the last several years. The growth of the Internet and associated computer and communications technology has been quite astonishing in the past decade. Today over 2 billion people use the Internet, visiting 500 million websites. In 2011 the monthly amount of global traffic was 327 times what it was 10 years earlier in 2000. By 2020 the number of devices used on the Internet will exceed 16 billion, so there will be more mobile devices than people.

Canadians have embraced this technology and are very active and keen users of it, with 81 per cent of Canadians online. The average Canadian spends 45 hours a month surfing the net — probably your kids and grandchildren do considerably more; the rest of us bring the average down, I am sure — generating $15 billion of sales online. Globally, the Internet provides a staggering $570 billion in commerce.

While this explosive growth in communications technology has been revolutionary, it provides a new conduit for malicious activities that can threaten Canadians and their government. Threat actors targeting Canada are increasingly using the Internet as a medium of choice, and threat actors online range in sophistication from the amateur and the curious, to organized criminals, to foreign states that can and do use the Internet for a wide variety of malicious purposes.

Our role is to protect against sophisticated cyber threats that target the government's systems and information. Specifically, we identify potential cyber threats to the government's systems, help departments harden networks, monitor systems for cyber threats, block threats when we can, and help mitigate any potential impact.

Like many defence versus offence situations, our adversaries are constantly changing and improving their methods and technology. Our challenge at CSEC is to remain on the cutting edge of technology to stay ahead of them.

The third element in our mandate is to support federal law enforcement and security agencies in the lawful pursuit of their mandates. We may provide technological advice and assistance to them under their authority, often when they have a warrant or a court order to do so.

[Translation]

I should stress that all the activities I just described rely on our partnerships, both domestic and international. Partnerships are essential to what we do.

[English]

Domestically, among the most important partners of CSEC are the Department of National Defence and the Canadian Forces, CSIS, RCMP, Foreign Affairs, the Privy Council Office, Public Safety Canada and CBSA. As I mentioned, we work closely with National Defence and the forces to ensure that their systems are protected and that their information needs are met.

We also work closely on cyber-defence responsibilities under the leadership of Public Safety Canada. With the implementation of the Cyber Security Strategy announced in 2010, there is a whole-of-government approach to cyber. As my colleague Graham Flack explained last week, Public Safety is the overall policy lead, as well as serving as the primary interface with other governments, the private sector and the public.

Our role is focused on the first objective of the strategy, which is to protect government systems. We use our unique mandate and our knowledge to discover, detect and respond to cyber threats against the government.

Since 2011, the Cyber Threat Evaluation Centre, or CTEC, has been responsible for receiving reports of suspected cyber activity within the Government of Canada. We are the operational nexus for cyber defence for government systems.

I should note that all government departments and agencies, as you heard from Brigadier General Loos, have a responsibility to protect their systems as well as Shared Services Canada, which is now providing services to a number of departments to ensure their IT systems are protected and robust. We provide advice and support to those efforts.

Internationally, CSEC relies heavily on our cryptological counterparts in the Five Eyes: the United Kingdom, the United States, Australia and New Zealand.

[Translation]

We work very closely with our Five Eyes partners to share intelligence, track common threats and tackle technological challenges. These international relationships are vital to the everyday operations and success of CSEC in providing value to the Government of Canada. These relationships give us access to intelligence and technology that would otherwise not be available to us, as it would not be financially feasible for Canada to develop such capabilities alone. We estimate that the government's $387 million annual investment in CSEC provides access to a $15 billion global partnership represented by the Five Eyes.

[English]

The demand for information in the government is growing, both getting it and protecting it, and it is our mission to do both. Information is our business. We continue to gather intelligence to help decision makers safeguard Canadians and promote Canadian interests, while at the same time protecting information entrusted to government from cyber threats.

[Translation]

That is why CSEC must constantly continue to develop our own capabilities to ensure that we are properly positioned to combat these threats and protect Canada and Canadians.

[English]

Thank you for your attention. Ms. Moffa and I look forward to your questions.

The Chair: I will give you a test case here and see what you feel free to talk about. Say there is a 17-year-old radical hacktivist in a Western country who has been able to hack into the Department of Finance Canada. You become aware of this because of your domestic and international sources. What happens?

Mr. Forster: Our role in CTEC is to monitor government networks. You have to think of it in two sets. We work with international partners to collect intelligence and share information about threats. We then use that and monitor government networks. When we detect incidents, then we work with Treasury Board, which puts out guidelines and standards for government systems; Shared Services Canada, because they now have consolidated the core computer operations for about 45 departments, so it is easy for us to work with them to help; and other departments. We will advise other departments about threats. We will advise them on how to help mitigate the impact and how to get the systems back up and running as soon as possible.

The Chair: You might be the first line, the actual detector?

Mr. Forster: We may be but not always.

[Translation]

Senator Dallaire: You said that the government establishes your priorities annually. Can you tell me which government entities give you these priorities? Are they the same entities that fund your operations?

[English]

Mr. Forster: The priorities are established by cabinet, so they decide what the government's intelligence priorities are. They do not fund us. We are funded through appropriations like any other department in the Government of Canada.

Senator Dallaire: When you mentioned government, you meant cabinet gives you your priorities. What happens if Google goes rogue? It can digitize everything that is out of print and there is no structure, so the information can be manipulated. Would that fall into your realm or someone else's?

Mr. Forster: I will speak to my realm, which is to protect the Government of Canada's systems and information regardless of where the threat would come from, whether it is from a state actor, hacker group or whomever. Our mandate in law is to help the government protect its information and the systems that are important to the government.

Senator Dallaire: Senator Wallin raised the fact that we just passed a law on anti-terrorism where a Canadian who goes to a country to train to be a terrorist is susceptible to Canadian law and goes through our whole process. You said you do not monitor Canadians beyond our borders. However, if a Canadian is involved in subversive operations, would you be getting that information through your colleagues that would be coming in as one of intelligence sources available?

Mr. Forster: I am not allowed, by law, to direct my activities to Canadians anywhere in the world. I target foreigners, not Canadians. There is a protocol between us and our Five Eyes partners. We do not target each other's citizens regardless. I would no more target an American than they would a Canadian.

Senator Dallaire: Thank you very much.

[Translation]

Senator Nolin: In his recent report, the Auditor General of Canada addressed your information sharing mechanisms with your Canadian partners.

First, I would like to know what mechanisms are in place for sharing this information. Then, I will come back to the Auditor General. My question is on the nature of the mechanisms. I do not want to get into the details. I just want to know how it works.

Mr. Forster: Certainly.

[English]

I will speak briefly and perhaps Ms. Moffa can add in some of the details. Looking at an incident that happened early in 2010 or 2011, the Auditor General found that we needed to share information more quickly. They found it took us a week or so. Since that time we have made progress. One of our concerns must always be the security of the information we provide because it is highly classified, highly sensitive top secret information. We have obligations to our partners who provide it to protect it.

Certainly since that incident we share information with CCIRC, which is the public safety office that works with the private sector and provinces. They have an employee that sits inside our government CTEC centre so we are able to share information more quickly. We have a network between Treasury Board, Shared Services Canada and ourselves to distribute information to government departments extremely quickly through bulletins and emails, et cetera.

Toni Moffa, Deputy Chief, IT Security, Communications Security Establishment Canada: When we have a department that has become a victim, first and foremost we get on the phone quickly with them and deal with their particular situation. As the situation involves other government departments, we pay them visits and explain what they can do to mitigate against what we are seeing. First and foremost is the victim themselves.

Senator Nolin: Have you informed the Auditor General of the steps you have taken, and is he satisfied with that?

Mr. Forster: Yes, we explained our role and development since then. He was commenting on how that particular event unfolded.

Senator Nolin: Was it only one event?

Mr. Forster: His observation was related to that event and we explained how we work now and are trying to share information.

Senator Nolin: Is he satisfied with that?

Mr. Forster: He has never personally told me he is satisfied.

The Chair: I think that was stated in these reports.

Mr. Forster: I do not want to paraphrase him incorrectly, but he made an observation that there that been recent improvements in that vein.

Senator Nolin: Now it is on the record.

The Chair: I think he commented on the clarity and distinction between your responsibilities and CSEC.

Senator Lang: I want to compliment Mr. Forster. Prior to coming to your position now, you were involved in the design and delivery of many government infrastructure stimulus programs under the Economic Action Plan. From where I come from, I can say it was very well done. If you can take any of that credit, you should.

An area of concern is the technology, where we purchase the technology, where it is manufactured and the implications thereof when we buy it.

I notice that we are now saying you must be Canadian for principal jobs for building the new federal email system; you have to have Canadian citizenship. Are we looking at a situation down the road where, in order to ensure that all our technology is fully understood but cannot be interfered with by other international states, we are looking at manufacturing that type of equipment here in North America as opposed to going beyond?

Mr. Forster: Not necessarily as a requirement. I will ask Ms. Moffa to speak to this.

One of our roles is to evaluate equipment and systems and provide advice to Shared Services Canada, which is procuring it across the government, about how to best protect it.

Ms. Moffa: We have several evaluation programs for commercial products that the government procures for their own systems, and particularly in the security aspects of those products. We have programs that look at the security claims and evaluate products to ensure they live up to the claims before being deployed into the government systems. Certainly with Shared Services Canada and the consolidation of government IT enterprise, security becomes even more important. We are putting all our eggs in one basket and we want to ensure we build security in from the outset. All of the components of infrastructure that we are moving toward with Shared Services Canada require extra looks at security. It has become more important to us, yes.

Senator Lang: If we get a chip made outside the country and it comes in and goes through the process you have outlined, what comfort can I take as a Canadian that the information that eventually goes into that chip cannot easily go back to the country that built it? Is there a mechanism built in so that cannot happen from a security point of view?

Mr. Forster: At the moment we focus on equipment that the government will buy for its systems. That is our primary focus. Our goal is not to ensure that your home computer is okay; our role is to help the government to ensure that its equipment and networks are safe and secure.

Senator Lang: I understand that. I am trying to understand this ``star wars'' that we are now involved with on a day-to-day basis. Looking ahead, when we do buy that chip, that is basically a question of security and whether it will maintain its security. If we are not building it here in North America, it is built somewhere else. I will not say ``anywhere else.'' They will have some information of what that chip is, what is in that chip and how to access that chip. Am I correct in thinking that?

In other words, how do we ensure once it arrives here if we buy it offshore that full security is there and access is not available to other countries because of the technology they have?

Mr. Forster: When we work with Shared Services Canada for procurement, such as the systems put out for tender, our responsibility is to give them advice and to ensure in that process that they buy equipment and systems that we feel we can absolutely trust in terms of security. That is the advice we provide them.

We help them in that procurement. We have worked with them in the one they are doing now, and we will provide that advice to them with regard to their options and equipment they will purchase for government systems.

Ms. Moffa: Perhaps it might help to add that when we do an evaluation of products, we examine them closely. All commercial products have some vulnerability in them, whether deliberately or inadvertently, as part of the product. As we find those vulnerabilities in those products, we look at ways to deal with them, whether they require changes to the products or changes to network configurations and architectures to mitigate some of those vulnerabilities. There are many ways to deal with the vulnerabilities we may find in any particular product — whether that be hardware or software — that the government uses.

It is a difficult question to answer because there are many ways of assessing vulnerabilities and mitigating them. Depending where they fit in the overall architecture of a system, we would provide tailored advice in that regard.

The Chair: Thank you. I realize that is a difficult one to be specific about when the technology is neutral in some cases; it is how you put all the pieces together.

Senator Day: You indicated in your remarks that your annual budget is $387 million per year. Is that correct?

Mr. Forster: Yes.

Senator Day: How many employees do you have?

Mr. Forster: We have around 2,000.

Senator Day: Would most of those be on site? You do not have people throughout government departments, like Shared Services?

Mr. Forster: No, we are located on one campus.

Senator Day: Okay. With respect to your comment earlier about targeting, you do not target Canadians externally, and all of your work is offshore. However, if it turns out that your target was communicating with or that part of the communications involved a Canadian but that is not what your target was, you would not cease having that target by reason of a Canadian being involved, would you?

Mr. Forster: Maybe I can describe a bit how that works. In the amendments passed in the 2001 Canadian Anti-terrorism Act that you were looking at, there was an amendment to the National Defence Act, which included changes to our mandate. It recognized a shift from the previous days where you might have a single Cold War target and you were monitoring a communication between a person and a person. Now it is into the world of the Internet where you have large volumes of information.

The act allowed that, in pursuit of a foreign target and foreign intelligence, if we inadvertently collected a communication with a Canadian, we had to do it under a ministerial authorization, and we still have to protect the privacy of that individual. It must meet four conditions: It must be directed at a foreign source; it had to be unable to be reasonably obtained otherwise; it had to have value as foreign intelligence; and we had to take steps to protect privacy. We have detailed procedures that protect the privacy of the information that is reviewed by the commissioner when he looks at our operations.

Senator Day: Thank you. The use of the term ``intelligence'' implies some analysis of the information and the communications that you have picked up. Is there any situation where you would have a direct feed of information without any analysis to either our foreign partners or to other government departments, or is all of the work that you communicate all intelligence-analyzed communication?

Mr. Forster: We collect and then provide information to federal departments and they then use that in their decision making and policy setting. The government has two areas where it does assessment of intelligence: Within the Privy Council Office, there is the Intelligence Assessment Secretariat, and there is ITAC located at CSIS, which looks at intelligence that could come from a variety of sources, human intelligence or electronic, in our case.

Senator Day: Would there ever be a situation where you would communicate intelligence or communication that you have developed directly to a Canadian company? For instance, you might learn about intellectual property being hijacked and stolen, or you might develop some information with respect to a takeover bid that would be of value to the Canadian company.

Mr. Forster: We generally provide intelligence to government departments. If there was a threat to a Canadian company, we would work with CSIS and the RCMP.

Senator Day: Should I play on the word ``generally''?

Mr. Forster: No, no intention was implied. We would work with our domestic agencies — RCMP and CSIS — who have that responsibility for domestic.

Senator Day: Thank you.

Mr. Forster: Having said that, just to clarify, in terms of general threat information and advice to industry in the private sector, again, we work through the sector councils that Mr. Flack explained to you last week to help them understand cyber threats and the things they need to do.

Senator Day: This might be information that a particular company would not want shared with all of its competitors in the council, but very important information all the same — intelligence for its own purposes.

Mr. Forster: We would provide information, as I said, to the RCMP if there was criminal activity or to CSIS if there was a threat to national security.

Senator Day: Thank you.

The Chair: Is that again how you would deal with a Canadian bad guy somewhere? Are your rules preventing you from dealing with that directly? Would you just supply others with that information?

Mr. Forster: We would share the intelligence. We would protect the privacy of the Canadian. If the agencies come to us under their lawful mandates to get access to that, then we can provide it under their lawful authority.

The Chair: Thank you. That is clear.

Senator Johnson: Thank you for your presentation. I think there was a lot in there, especially about Canadians spending two days a week surfing the Internet.

You stated specifically three things about your mandate. I am interested in the foreign signals intelligence you collect in accordance with government intelligence priorities. First, can you tell us what you are looking for when you are scanning foreign signals and what you do with what you find? Second, is your scope as broad as that of the American National Security Agency?

Mr. Forster: In terms of how we operate, as I said, the government sets its priorities for our mandate. If it is counterterrorism or cyber security, our role is to try to provide intelligence and information to the government to assist with that issue. Again, we collect it and we provide it to other departments to help them with their decision making, their actions and so on.

Each of the Five Eyes partners has a different mandate, but we work closely together. We have different structures. Some of us are in different agencies, so I would not want to draw comparisons between them.

Our mandate is as it is defined here, as I have explained.

Senator Johnson: There is a great deal of discussion among our allies, especially the United States, about the need to move from passive to active computer network defence. Can you discuss that, your interpretation of ``active network defence'' and some of the issues it raises for CSEC?

Mr. Forster: Again, at this point, if you look at our legislation and our mandate, I am an intelligence agency, I have a mandate to collect foreign information and I have a mandate to protect the Government of Canada's networks from people trying to infiltrate it. I do not look at my mandate in terms of defence and offence. My job is to protect those networks and how to protect them, either through verifying the equipment and so on that goes into them, monitoring those networks for threats from a range of actors and then helping the government departments mitigate, correct and repair those systems. I do not have an offensive mandate, if you will.

Senator Johnson: How do you think we stand in the world in this field? Where would you position us comparatively? Are we number one?

Mr. Forster: Canada and CSEC, like others of our agencies, are smaller in size than the U.S. and the U.K. I would like to think our people are second to none and that we have certain capabilities that are world-class, world-leading technology. It is hard to evaluate our agency against some of our much larger partners.

Senator Johnson: I understand. Where do we excel?

Mr. Forster: I have to tell you as a newcomer to this organization for nine months, these people blow my socks off. They are some of the smartest people, not just in the government but also in the country. The technologies they use are leaders in the government. They are amazing people, and it is an amazing organization.

Senator Johnson: That is good to know. Thank you.

The Chair: We heard last week from the CCIRC people that this is a difficult world in which to recruit. It is still new. You want top of the line, the folks who will blow your socks off, but we are still in the process of creating them, if you will. Do you have enough people to recruit from in the pool?

Mr. Forster: Generally speaking, overall, I would say we are in good shape. It is certainly a challenge for all of the agencies, whether it is in the U.K., the U.S., Australia or Canada. You are looking for some of the brightest people with the best technological skills possible. You are competing against the Googles and the Facebooks of the world who may be able to offer slightly more than the Government of Canada.

The Chair: Do you think?

Mr. Forster: Maybe a few better perks, but we also offer some pretty unique things. When you talk to people who work at CSEC, they come and a lot of them stay. You will not find more interesting work anywhere in the country than what these people do.

The Chair: With respect to Senator Johnson's question, you folks have chief responsibility for developing the mitigation strategies, not out there waging cyber war but figuring out what to do as opposed to within each department. You are the brain trust for the mitigation piece.

Mr. Forster: I think Brigadier-General Loos spoke to this in his remarks. You have to think about cyber as a team sport; each of us has responsibilities. Public Safety has the overall policy lead. We play a leadership role in protecting government systems. That does not mean each department is let off the hook — absolutely not. Each and every one of them has a responsibility to protect their networks. If you look at our website, we put up 35 basic steps. If we, Canadians and businesses did just 5 or 10 of those, you would deal with 80 per cent of what is coming at you. We have a responsibility and the private sector and provinces do as well to protect their information and protect their systems.

The government strategy tries to recognize that this is not a Government of Canada issue; this is a Canada issue. You need to provide leadership and coordination in getting everyone on that.

Senator Day: My question relates to your comment earlier about your role on the team. You were part of National Defence and you still report up through National Defence, but you are an agency. What was the reason for creating you as a separate, stand-alone agency? How did that relate to your relationship with the rest of the departments within the Canadian government?

Mr. Forster: With respect to the history of the organization, it was started in 1946. It was a small, dark corner at the National Research Council, and in the 1970s it moved to National Defence. It has always played an integral role with the forces, helping them protect their communications and information.

The decision recognized two things: First, the agency has a broader mandate with the government as a whole, but it still has a close mandate with the Canadian Forces and the Department of National Defence; second, with cyber becoming more important, it made sense to establish it as a separate, stand-alone agency. We have to work with a range of departments: Treasury Board, Shared Services, and CSIS. We do a lot of work with the service. We have quite a job to do with a number of departments.

Senator Day: Does being an agency make it easier to deal with those other departments?

Mr. Forster: I think it is just recognition of that broader mandate and that the size of the agency has grown to a point where it made sense.

Senator Manning: You mentioned the Five Eyes partners, and the countries are definitely our allies: the United Kingdom, the United States, Australia and New Zealand. You made a comment in your opening remarks about the importance of the partnership because it would be financially unfeasible for Canada to develop such capabilities alone. How did the Five Eyes partners come about? Is any effort being made to include others in the partnership, so that you deal with it from the financial aspect of the information and intelligence that is gathered? Maybe you can explain to us how that works.

Mr. Forster: The origin of the Five Eyes partnership came out of the Second World War. There was very close collaboration, particularly between the United Kingdom and the U.S. in that space. It evolved after the war into a partnership with Australia, New Zealand and Canada being part of that Commonwealth effort.

The partnership there is extremely close. It is not to say that we do not work with other countries or nations or that others do not as well. It is just that the Five Eyes in particular collaborate very closely in sharing both intelligence and information on threats. When you are looking at cyber, part of the value we can bring is that we are sharing information with these other countries on threats and what we are all seeing in the global information infrastructure. That is not to say that we do not work with other countries when and where we need to.

Senator Manning: That segues into my second question. When you go outside the partnership of the Five Eyes, how do you decide or figure out whom to trust when you are sharing information and intelligence? Is it criteria-based? How do you decide that?

Mr. Forster: It is a decision made about what the government's intelligence priorities are and how we can best fulfill those priorities. If it makes sense to collaborate with another country on a particular aspect to help meet the government's priorities, then you may do that, but it is not exactly a formula and it must be a mutual interest.

Senator Manning: When you are gathering information on threats to our own networks, for example, sometimes you will hear of how many hits were made against the security network today. Is that information public? How many attempts are made on a daily basis to the networks in Canada?

Mr. Forster: We do not make that information public. We are measuring the government's systems, not the country's systems.

Senator Lang: If I could ask a supplementary. Why do we not make it public so that people are aware that this is going on and so that Canadians are aware of how serious this is? We should be following the 35 steps you outlined earlier.

Mr. Forster: The 35 steps are certainly public. We promote them, as does Public Safety.

We are measuring the Government of Canada's systems; we are not measuring what happens in the country. We are not able to do that. It is not part of our mandate.

Senator Lang: Who measures that?

Ms. Moffa: There are companies that put out annual reports about global statistics, such as Symantec, McAfee and others. They have good information resources about what they learn about publicly known threats.

The Chair: Senator Lang's question goes to a point. I guess it is always an issue in the defence department, and certainly the security issue, which is that there is some responsibility to educate and maybe even to shock people into some kind of action, when you lay these statistics out about usage and how much time in a day we use these pieces of equipment, how vulnerable we might be, and the need to not tell them what we know or, maybe more important, tell them what we do not know. That is constantly the juggle, and which one of those things is more problematic?

Mr. Forster: As Ms. Moffa mentioned, a number of the security companies do publish estimates of this sort of activity. For example, McAfee estimates there are 75 million unique pieces of malware floating out in the global Internet, or that botnets create about 89.5 billion unsolicited emails every day. There are estimates out there by private firms for that. We are not monitoring the Internet in Canada; we are monitoring the Government of Canada's systems.

Senator Manning: From your perspective, what is the greatest challenge for this space and for CSEC today?

Mr. Forster: I think the greatest challenge for all of us in this space is to continue to keep up our skills and abilities and to invest in the technology we need to always stay ahead of adversaries that are trying to infiltrate our government's systems. That is what our people do constantly.

You also have to understand that it is not a static space. The things you see today you would not have seen five years ago. People's capabilities are getting better. The technology is always getting better. You always have to be working and developing your capabilities and technology to stay ahead of that.

Senator Dallaire: You collate intelligence and distribute it to agencies inside the country for their action. As an example, approximately how many military are working in CSEC now?

Mr. Forster: Brigadier-General Mazzolin just said there are about 28 military integrees embedded inside CSEC, but then we work very closely with the CFIOG, for example.

Senator Dallaire: You are still under the National Defence Act; am I correct?

Mr. Forster: Yes.

Senator Dallaire: Why not then move you to the Canadian Security Intelligence Service Act, as a branch of them versus a branch of DND, if I can use the term ``branch''?

Mr. Forster: The government decided that the agency would not be a branch of the Department of National Defence; it would be a stand-alone agency, similar to CSIS. Our mandate is foreign, and one of our primary partnerships continues to be with the military, as well as other departments.

Senator Dallaire: It is because cyber is total war, so it covers all spectrums now, more and more. I was wondering whether you feel yourself being limited or whether you are covering the whole spectrum of possible threats that are coming against a nation.

Mr. Forster: We are not a military agency; we are an intelligence agency. We will work with Brigadier-General Mazzolin and Brigadier-General Loos and support them as they look at the military capabilities in cyberspace. Do I feel constrained by being in the defence portfolio? Not at all.

Senator Lang: I would like to turn our attention away from the defence department and towards the responsibility to the private sector and their responsibilities vis-à-vis the technology they have been using. Where do these organizations come in? I am primarily thinking about the area of financial institutions and the vulnerability there with respect to the changes they are looking at to protect our financial systems so that we do not get into a situation that obviously could happen if they do not do what the government is doing. I notice the government says they are consolidating, cutting back on data systems and on the overlapping of computer networks. Are these recommendations being put forward in the private sector as well? Are you involved in that?

Mr. Forster: I will ask Ms. Moffa to speak to that. Again, we work through Public Safety, and there is a committee in the financial services industry that they work with to provide that information. Ms. Moffa could maybe talk a bit about that.

The consolidation of systems under Shared Services Canada is actually making our lives and jobs a whole lot easier and better.

Senator Lang: As well as less vulnerable.

Mr. Forster: Yes. I will steal Ms. Moffa's analogy, so I will give her credit for it up front. Which is easier to protect, a house with six windows in it, or 60 houses, some with bars and some without, some with locks and some without? It will be easier for us. When we see something and we need to move quickly to protect systems, we can deal with Shared Services. It covers 45 departments, so it is an efficient and effective means of securing our systems.

Ms. Moffa: As far as the private sector goes, certainly we share with them. Through Public Safety, we share cyber-threat information with them so they can be as informed as we are. We may have some unique information in that regard so that they can better protect themselves. Hopefully that will influence their decisions over how they implement security in their own systems.

Also, all the advice and guidance we provide government on IT security in general is available on our website as well. We have extensive guides and technical standards out there that are available for all to use.

Senator Lang: I just want to go into one other area, and that is the provinces. Are the provinces able to buy into the federal system, with your IT system, and consolidate what they have with respect to basically the direction you are going in the federal government?

Mr. Forster: Obviously they manage their own systems, and, again, Public Safety has that responsibility to work with them. I know a number of provinces are moving in that direction. It is something everybody is doing, not only to lower costs but also to make your systems more efficient. One of the benefits of it is that it will make our job that much easier.

The Chair: Thank you. We did hear testimony on a lot of that last week.

Thank you again to John Forster, Chief, Communications Security Establishment Canada, and to Toni Moffa, Deputy Chief, IT Security.

That brings an end to our session today here at the Standing Senate Committee on National Security and Defence. We will see you all again next week.

(The committee adjourned.)

National Security, Defence and Veterans Affairs

Proceedings of the Standing Senate Committee on National Security and Defence

Issue 10 - Evidence - Meeting of November 5, 2012

Proceedings of the Standing Senate Committee on
National Security and Defence