---

Proceedings of the Standing Senate Committee on
National Security and Defence

Issue 2, Evidence - Meeting of March 21, 2016

---

OTTAWA, Monday, March 21, 2016

The Standing Senate Committee on National Security and Defence met this day at 1:01 p.m. to examine and report on Canada's national security and defence policies, practices, circumstances and capabilities; and to study security threats facing Canada.

Senator Daniel Lang (Chair) in the chair.

[English]

The Chair: Colleagues, welcome to the Standing Senate Committee on National Security and Defence for Monday, March 21, 2016. Before we begin, I would like to introduce the members around the table. My name is Dan Lang, senator for Yukon. On my immediate left is the clerk of the committee, Mark Palmer. I'd like to invite the senators to introduce themselves and state the region they represent, starting with Senator Wells.

Senator Wells: David Wells, Newfoundland and Labrador.

Senator Mitchell: Grant Mitchell, Alberta.

Senator Carignan: Claude Carignan, Quebec.

The Chair: Thank you, colleagues. Joining us for the first panel are representatives from the Canada Border Services Agency. Last June, this committee tabled a report on the Canada Border Services Agency entitled Vigilance, Accountability and Security at Canada's Borders. The report was unanimously adopted by the committee of the Senate and contained 10 specific recommendations which included, as follows: recommended oversight of Canada Border Services Agency; the establishment of a civilian review and complaints body; audio and video recording of interviews conducted by Border Services officers; and improved screening of visitors, immigrants and temporary visa holders, including students, temporary foreign workers, refugees and permanent residents. It urged the implementation of an entry and exit registry of all travelers, Canadians and non-Canadians. It called for more resources to be made available to the front line for the Canada Border Services Agency officers, and it recommended biometrics be collected from all foreign nationals arriving in Canada subject to existing provisions and agreements with other governments.

Joining us on our first panel today to provide an update on what has been happening with the Canada Border Services Agency are Martin Bolduc, Vice President, Programs Branch; and Caroline Xavier, Vice President, Operations Branch. Welcome. I understand that you have an opening statement, so please begin.

[Translation]

Martin Bolduc, Vice President, Programs Branch, Canada Border Services Agency: Thank you. It is a pleasure to be here, and I thank the committee for the opportunity to discuss our work at the Canada Border Services Agency. I have with me today our vice-president of operations, Caroline Xavier.

[English]

I have a short opening statement, after which we would be pleased to respond to any questions from the committee.

The Canada Border Services Agency is the second-largest federal armed law enforcement organization. Our mission is as simple as it is complex: ensure the security and prosperity of Canada by managing the access of people and goods to and from Canada. Our job has been summed up in many ways, often in terms of keeping out the bad without impeding the flow of the good.

The CBSA's responsibilities in this regard range from customs and immigration enforcement to food, plant and animal inspection. To do this we administer and enforce the Customs Act, which outlines our responsibilities to collect duties and taxes on imported goods, interdict illegal goods and administer trade legislation and agreements.

[Translation]

With Immigration, Refugees and Citizenship Canada, we share responsibility for administering the Immigration and Refugee Protection Act, which governs both the admissibility of people into Canada, and the identification, detention and removal of those deemed to be inadmissible under the act.

Finally, the agency enforces over 90 other statutes on behalf of federal departments and agencies. On an average business day, the CBSA processes more than a quarter-million people seeking to enter Canada by land, air and sea. That's close to 100 million people a year.

[English]

In the past year, we processed tens of millions of commercial shipments and collected some $29 billion in taxes and duties, or 10 per cent of all government revenue.

In the course of these activities, the CBSA made more than 8,000 drug seizures worth over $400 million, well over 7,000 seizures of weapons and firearms and 43,000 seizures of prohibited food, plants and animals. And, of course, we've been closely involved in the screening and admission of 25,000 refugees from Syria.

As an agency and in collaboration with our partners in Canada and internationally, we continue to seek out and implement new ways to enhance our capacity to carry out these crucial activities efficiently and effectively.

For example, as of last November, critical wants and warrants information is automatically queried at our primary inspection booths from the Canadian Police Information Centre database. We're now able to use this information at the point of arrival.

Just last week, an Electronic Travel Authorization requirement for visa-exempt foreign nationals flying to or transiting through Canada came into effect. These eTAs are issued by Immigration, Refugees and Citizenship Canada and add another level of pre-departure screening.

[Translation]

As announced by Prime Minister Justin Trudeau, we will move forward with the entry/exit initiative, building on our relationship with the United States to establish a coordinated and common approach to perimeter security.

As a next step, Canada and the U.S. have agreed to exchange routine biographical information — basically name, date of birth, and nationality/citizenship — for all travellers at land border ports of entry. With this exchange, a record of entry into one country would be considered a record of exit from the other.

[English]

Looking further ahead, within the next four years, with the exception of U.S. citizens, all foreign nationals applying for work or study permits, a visitor visa or permanent residency in Canada will be subject to biometric screening. This will ensure we keep pace with our partners, including the U.S., the U.K. and Europe. Partnership, as would be expected, is of fundamental importance to the CBSA.

[Translation]

It has a role in almost everything we do, including our work with domestic and international law enforcement partners to assess the risk of export shipments leaving Canada. In this regard, the CBSA agrees with the findings of the recent report from the Office of the Auditor General. We have developed action plans to respond to the recommendations of the Office of the Auditor General, and we are on track to address most of these by the end of the calendar year.

I am pleased to note that the Office of the Auditor General's report recognized the processes we have implemented to select high-risk shipments for counter-proliferation. The report also highlighted our success in blocking exports of property obtained by crime, such as stolen vehicles.

[English]

In many ways, targeting capacity is at the root of success in border management. Our targeting program allows us to perform pre-arrival risk assessments of traveler, cargo and conveyance information with the goal of facilitating movement of low-risk cargo and people and identifying those which may pose a threat to security and safety in Canada. We've been continually improving this program since 2012 and will maintain this commitment going forward. The audit's recommendations and consulting action plan will help strengthen our efforts in this regard.

Where enforcement is concerned, the agency's responsibilities also include identifying and removing from Canada foreign nationals and permanent residents who may pose a threat to our security or may be inadmissible under the Immigration and Refugee Protection Act. Last year we removed more than 11,000 people deemed inadmissible to Canada, with the priority on those with criminality.

[Translation]

I would emphasize that the decision to remove someone from Canada is not taken lightly. Anyone ordered to be removed from Canada is entitled to due process before Canadian law. All removal orders are subject to various levels of appeal. There are also administrative review procedures that assess the potential risk to the person of returning to the country of origin.

We continue to work closely with our partners, including the Canadian Red Cross and the United Nations High Commissioner for Refugees.

Along with enhancing our capacity for enforcement, we continue to grow programs that help facilitate the legitimate movement of people and goods.

[English]

The NEXUS program, for example, which speeds the border process for low-risk, pre-approved travelers between Canada and the U.S., now has more than 1.2 million members. Programs and initiatives such as eManifest and Trusted Trader are helping commercial importers by streamlining and simplifying processes at the border. Here, again, partnership and collaboration are essential to success. For example, we consult frequently with marine, airport and bridge authorities, where there is a significant interest in working with us to modernize infrastructure and the process at the border.

[Translation]

We maintain close relationships with industry stakeholders through our commercial consultative committee, which is attended by 25 trade associations, including the Canadian Chamber of Commerce, the Canadian Federation of Independent Business, Canadian Manufacturers and Exporters, the Shipping Federation of Canada, the Canadian Society of Customs Brokers, and the Canadian/American Border Trade Alliance.

The importance of our cooperation and collaboration with the United States in terms of both trade and security cannot be overstated, and we are active participants and contributors in an intelligence alliance with Australia, New Zealand, the United Kingdom and the United States.

[English]

We also have a growing relationship with Mexico, which is important for strengthening North American cooperation in areas that improve border security while supporting trade and the facilitation of travelers.

Mr. Chair, I could go on and on, but I recognize that my time is limited. I would like to add that like everyone at the Canada Border Services Agency, I am proud of the role that the people of the CBSA play in protecting our country and our economic prosperity, and of the commitment, dedication and professionalism they bring to the challenges they face every single day.

Thank you for this time, Mr. Chair. I look forward to any questions honourable senators may have.

The Chair: Thank you very much, sir.

I'd like to note for the record that Senator Day, Senator Ngo and Senator L. Smith are here as well.

Before we get into the recommendations of our report of last spring, I'd like to raise an issue that has come to our attention: the death, which was made public, in a detention centre in Ontario about a month ago. Perhaps you could clarify for the record exactly what happened. We also had a death in Vancouver, I believe two years ago. First, could you give us some background in respect of the detention by the CBSA? Second, could you also give us an indication of how many individuals have died in the custody of or in detention by CBSA over, say, the last 10 years?

Mr. Bolduc: I'll turn it over to my colleague, Ms. Xavier.

Caroline Xavier, Vice President, Operations Branch, Canada Border Services Agency: I will not be able to get into the details of the two recent deaths in the news. However, as you say, they happened at two provincial facilities, one at Maplehurst Correctional Complex and the other at the Toronto East Detention Centre. That's the extent of what I will be able to speak to with regard to those two recent deaths. We take seriously the matter of the care of individuals within our detention facilities or those within the provincial facilities on our behalf.

You asked about how many deaths have occurred over the last 10 years. Since the creation of the agency in 2003, we have had 11 deaths, two of them in the immigration holding centres of the CBSA and the remaining in provincial facilities where they were held on our behalf. Quite a bit has been done with regard to lessons learned every time an incident occurs within our facilities. The other death that you speak of happened in the British Columbia Immigration Holding Centre in Vancouver. There has been a coroner's inquest into that case and recommendations have come forth.

We have adhered to many of those recommendations, including the fact that on a national level we have looked at all of our immigration centres, policies and the way in which our programs are managed, including changes to physical infrastructure in our immigration holding centres to minimize any potential for self-harm. As well, we have ensured that programs in our detention facilities are run to the appropriate standards. We work with entities such the Canadian Red Cross and the UNHCR, who come to our centres to review programs and make recommendations to us on a regular basis.

We've also continued to put in place such policies as medical forms, which are updated every 60 days, to ensure that we take good care of individuals in our facilities with regard to both their mental health and their physical health.

I could go on a bit more, but I think that gives you an overview.

The Chair: I'll pursue this a bit, colleagues, because it is important, current and of concern, obviously, to your organization and to the general public.

Is the Canada Border Services Agency doing their own investigation, or is an outside agency doing the investigation to ensure objectivity?

Ms. Xavier: I'd say both of the above. We always do our immediate fact-finding and investigation to ensure that policies were adhered to and find out what the incident is. We also work in collaboration with the province where the incident may have occurred, with the local police in the jurisdiction of the facility and with the coroner, in particular cases such as the B.C. incident. As well, a series of reviews and investigations are done with outsiders. On an annual basis and as part of our regular regime, there is also collaborative work with our colleagues in the Canadian Red Cross and the UNHCR, who come in and give us feedback on how well our programs are being managed.

The Chair: I want to hone in on what was said specifically. You talked about collaboration. It seems that you would call in a provincial authority to do their review and come out with their findings. For example, in the case of Ontario, you would call in Ontario's Special Investigations Unit so that you're made totally aware that things were done properly. If they weren't, then you'd be told so that you could take corrective action. Is that what would happen?

Ms. Xavier: Again, it depends where the incident occurs. In the case of provincial facilities, we work with them. Whatever mechanisms of review are done by those facilities, we adhere to that and work with those investigative organizations, including, as you said, some of the bodies you mentioned and the local coroner of the province. For any death, the majority of the time a coroner's inquest will occur, and from that, an independent review is also done.

The Chair: To conclude this, are they automatically called when there is a death?

Ms. Xavier: They are automatically called. Whether they choose to do an inquest for every investigation, you'd have to confirm that with the provinces' coroners.

The Chair: I'm not talking about that. I'm talking about, for example, the Ontario Special Investigations Unit. Are they called immediately or later?

Ms. Xavier: I can't say they're called automatically because it depends on where an incident takes place and the rules within that facility.

As I said, we work within the provincial facilities and whatever review mechanisms or bodies they may have with regard to their facilities. We work with all the various organizations and authorities of jurisdiction within each province where the facilities are held.

[Translation]

Senator Carignan: I would like to come back to the answer to a question I put to a representative of the Office of the Auditor General, Nancy Cheng, who said the following:

Herein lies the problem with non-declared shipments, for example, because for those, the CBSA doesn't have authority to do random checks.

She says, at least in her statement, that you supposedly don't have the authority to do random checks for non- declared shipments. Can you tell me whether that is how you understand things, and why you cannot do random checks for shipments, considering that you do checks for individuals anyway? If random checks can be done for individuals, I feel that they should be fine for shipments. Right?

Mr. Bolduc: I don't have the context for the quote to know what she was referring to, but there are no legal provisions preventing us from doing random checks for commercial goods. Obviously, given the volumes we process, and depending on the mode of importation, it may prove to be difficult, but there are mechanisms in place. I would need some more details regarding the context of that statement.

Senator Carignan: Okay. My second question is about having an organization that would oversee the agency's activities or an inspector general. Are you comfortable with the idea of not having that kind of an organization for overseeing activities? Or do you think there should be one? If so, what are the steps you are currently taking to implement something like that?

Mr. Bolduc: The decision to provide the agency with an oversight organization will obviously belong to the government. There are a number of ways to review the decisions made by the agency. One of those has to do with our seizures, which can be appealed to the minister. We refer to it as our recourse program, and it stems from a legal obligation.

As far as detention goes, each of our decisions to detain an individual is reviewed by the Immigration and Refugee Board of Canada, after 48 hours of detention, after 7 days, and over the next 30 days. So there are some neutral organizations that review the agency's decisions. We refer to the Office of the Auditor General, the reports on plans and priorities, and so on. Now, if the government wants to provide the agency with a different framework, the agency will collaborate on its implementation.

Senator Carignan: Don't you have any suggestions you could make to the government on oversight measures that should be implemented? You are waiting for the government's decision?

Mr. Bolduc: Like you, I read that the Minister of Public Safety told the media that he was thinking about a framework that could suit the agency. Of course, we will work with the department on providing suggestions, but the decision will rest with the government.

[English]

Senator Mitchell: Chair, if I had three questions it would make a difference to how I would start, rather than just two. Would you give me two? I should have asked for four; maybe I could have got three. Thanks.

Thanks to both of you for being here. I'm interested in following up a bit on the chair's questioning about imprisonment. There are reports — I think they're quite broadly known now — that many refugee-type arrivals end up being held without charges for many years. I think one is, in fact, now for 11 years.

That doesn't seem consistent with proper human rights. It doesn't seem consistent with the rule of law. How do you propose we deal with that in a fair, more just way?

Ms. Xavier: Just to be clear, are you looking for how we propose the way forward? That would be difficult for me to speak to. What I can tell you is consistent with what you heard from my colleague, that there are dialogues I expect this government may have as a result of some of the things they're hearing and the views that this government may have.

However, I can speak to what exactly we do currently. As Martin was saying earlier, when somebody is being detained they have a series of avenues available to them immediately, within the 48 hours, and then the seven and then every 30 days. Usually when we detain somebody, it is because they're a public safety, health or national security concern, for reasons of identity confirmation or for reasons that they could potentially be a flight risk, or it was a mass arrival, as we call it.

There are various reasons, but the ongoing detention of an individual is really under the remit of the Immigration and Refugee Board because that's where we go every 30 days to confirm whether that detention should be continued.

Again, it's not taken lightly. We take detaining somebody very seriously. We do look at various options other than detention before we get there, depending on the case before us.

Senator Mitchell: Specifically now to recommendations. One of our recommendations in the report that the chair referred to in his opening comments was that all interviews with prospective immigrants or people arriving at the border, visitors, should be videotaped. Have you given that some consideration? Can you give us an update as to where you might be in the implementation of that? Questions arise, sort of he said, she said.

Ms. Xavier: With regard to when we're doing interviews, for example, in our secondary examination centres, those are recorded, less so video, perhaps, but at least audio, depending.

In terms of the IRB hearings, those are held in a manner that is more or less — I'll use the term lightly — public. There are recordings of those proceedings, and they are made public depending on what the IRB members determine, because each case can be sensitive.

The information is in the public record when it's before the IRB. For other reasons when we're interviewing some individuals, they are recorded in some manner as well, whether it's audio or audiovisual.

Senator Mitchell: I'm going right back to the recommendations. On number 9, we were quite struck to find that there was a wall between central CBSA information, intelligence operations and the information that didn't get past that wall that could have been used by front-line border workers, which would be the Integrated Customs Enforcement System database. We were also struck that there wasn't a great deal of exchange with the Canadian Police Information Centre database information at the point of primary inspection, that is, the border. How can that be? Has it been corrected? Have you worked on it?

Mr. Bolduc: In fact, it's been corrected since November of last year.

Senator Mitchell: Is that because of our recommendation?

Mr. Bolduc: I think your recommendations were the push that we needed to move, but the work with the RCMP had been started. So front-line officers now have access to warrants at primary, and we're already seeing the success of having that information available. We've been able to effect arrests and refer cases to the police who issued the arrest warrants. So it has been very successful.

As for your question vis-à-vis the intelligence, in fact, our intelligence program is there to support our front line. I would say that we have a very dynamic workforce that is spread out in all of our regions and, again, works in collaboration with other law enforcement because the day-to-day reality of our business is that you are as effective as your intelligence is good.

I think what might have been perceived as barriers are coming down. Again, as I said, often we will have intelligence officers right at the POE, the port of entry, who will then support the front line day-to-day.

Senator Wells: Thank you, Mr. Bolduc and Ms. Xavier, for appearing.

I have a question that is a follow-up from Senator Carignan's question. One of the recommendations was that the Auditor General called for the CBSA to take steps to ensure that gaps in coverage for export examinations aren't predictable.

First, why were they predictable? As you can appreciate, this kind of predictability can help those who wish to exploit our systems. And second, what actions have you taken to make them less predictable?

Mr. Bolduc: The predictability was derived where on some occasion we put a hold on a shipment to give us the ability to do an examination. When you don't act quickly on that examination, you open up your game book to the outside world. What we've been focusing on is that, as soon as there is a shipment of interest to the CBSA, we act upon that examination to either confirm or deny that there is a need for us to investigate further. So those corrective actions have been taken by the CBSA so that we're a little more action-oriented when it's time to inspect shipments for export.

As for the other recommendations that were made by the Office of the Auditor General, they speak to the timeliness of the information that we get and also that we be a little more structured in identifying what is of priority. If we do the ratio, we get about 1 million export declarations a year. If you look at the import side, we process over 15 million commercial imports. Again, a smaller team looks at exports, but I think the recommendation will help us to have a better-managed program that has demonstrated, according to the Office of the Auditor General, that it can be efficient and effective.

Senator Day: My apologies for being a wee bit late getting here. I'm caught up now.

My first question goes to the relationship at the border. Do every one of your border crossing points — I'm thinking Canada-U.S. — now have an armed CBSA person in attendance?

Ms. Xavier: That's correct. So, as part of the initiative with regard to arming the Border Services officers, one the priorities was ensuring that at the land border port of entry, our officers be armed at the primary inspection line, and that indeed is the goal of the initiative. To this day, at this point, we're pretty much there with having armed all of our officers who are at the front primary inspection line with a firearm.

Senator Day: What percentage? You're almost there — 90 per cent?

Ms. Xavier: No, I'd say we're pretty much 100 per cent there. The only reason I had that hesitation — "pretty much there'' — is that, for example, you may have the odd officer who is about to go back onto the primary inspection line who just came off of parental leave. They may have to get trained, recertified, and get back on the front line. All of the officers who are expected to be manning the front primary inspection booth are armed.

Senator Day: That's helpful for us to know that, chair.

My colleague Senator Mitchell was asking a question about the information at your primary inspection place. That's the first place that someone coming into Canada would stop at.

In the past, we have learned that you had difficulty with calling in if you felt you should call in the RCMP. They weren't always standing at the ready to come, and that posed a difficulty in the coordination to effect the action you wanted to effect.

Can I assume now that, with the armed personnel, that problem is less than it was? Do you have arrest and detention authority and facilities?

Ms. Xavier: We always had the authority to arrest and detain with regard to the CBSA mandate. The ability to have the side arm now is just an additional tool for us to use in the bailiwick of tools that we already had with regard to our posture.

We feel we have an excellent relationship with our RCMP colleagues, and they continue to be quite responsive to us on the calls that we make to them with regard to anything that goes beyond our mandate or that we're exercising on behalf of their mandate. As you know, the CBSA does a lot of work on behalf of others. Over 90 acts are managed by the CBSA on behalf of others. Although we may be that first point of intervention, if you want, we would potentially still need to call the RCMP, depending on the situation, because it's for them to take over that investigation from a particular point.

Senator Day: I have another line of questioning, but I wonder if I can go on second round.

The Chair: Fine, sir.

Senator Ngo: I would like to continue the questions asked by Senator Mitchell.

Of course, one of the mandates of the CBSA is to ensure that the free flow of export goods complies with Canada's laws. Does the CBSA have the necessary information, practices and authority to prevent the export of goods that contravene Canada's export laws?

Mr. Bolduc: Again, CBSA is sort of the guichet unique, the single window, if I can use the expression, for many departments when we're talking about exports. Our ability to get timely information to be able to make decisions relies on the cooperation we have with other government departments. I think there are 12 government departments that are involved or have a nexus when we talk about exports.

I think the Auditor General's report highlighted the fact that we are effective in addressing proliferation and that we are successful when it comes to goods acquired through criminal acts. We seize annually, on average, 450 stolen cars at the different ports we have.

As for the authorities, again, the Customs Act is built in such a fashion that a lot of focus is put on imports and a little less focus on exports. I think the Auditor General made six recommendations. We're following up on those six recommendations, and we believe that we'll be in good shape, as I said, by the end of 2016 to have addressed all of those recommendations.

Senator Ngo: The Auditor General's audit said about one third of the targets were not met because the CBSA came too late, or some other things prevented you from doing anything until after the shipment was gone, or the ship left the port, and so on. Could you explain those delays of one third of the targets not met?

Mr. Bolduc: Well, it speaks a bit to the point that I was making earlier. It's being less predictable. It's having a framework that is more rigorous about acting on those shipments that we have an interest in, but it's always the dilemma of competing priorities. As I said, it's about a ratio of 1 to 15, export versus import. We will always be challenged with priorities, but our commitment is to do a better job. The next time that the Auditor General comes and visits, it won't be one third.

Senator Ngo: What do you recommend to address the situation?

Mr. Bolduc: Again, it's having the right focus. In our day-to-day work, it's always a challenge to find the right thing to look at and to direct the right resources for those high-risk goods and high-risk people. It's a daily challenge.

I think we have a good program. I think the recommendations of the Auditor General will make our program better, and I am confident that we will meet the expectations and that we will be able to report to Canadians what is expected of us, that we deliver and protect Canada.

Senator White: I apologize for being late as well. Thanks to both of you for being here.

When I listen to the discussions around CBSA, I always end up with a fish or fowl discussion because really, in the past decade and a bit, CBSA has moved from being a revenue or taxation department to being a police agency in this country, protecting our borders, as you just said, and I do appreciate that. But really, we haven't moved to the level of being a true police agency. Firearms, from my perspective, being carried by uniformed personnel in every location, and the ability, when in pursuit, to actually pursue rather than have to hand off to another police agency — those pieces may sound like they don't matter much to some of the public. After October 22, I know Calgary airport became an issue even for us, even with our own union.

Do you see us getting to a point where you become a police agency, one of the largest in the country? If you do, then oversight is obvious. Every police agency, all 198 of them, give or take — whatever number we have — would have an oversight body. Do you see that being the end game for CBSA, becoming a large police agency protecting our borders?

Mr. Bolduc: Maybe I can start and then let my colleague weigh in. Thank you for the question.

The arming initiative for CBSA was introduced in 2006, following a decision made by the government. As Caroline mentioned, we are at the end of that 10-year period, having close to 6,400 officers armed out of close to 7,000. So the ratio is fairly significant.

The biggest change that came with the side arm was a change in the culture of the organization and, to your point, becoming a recognized law enforcement organization that is armed.

Right now we draw our authorities from the Customs Act and the Immigration and Refugee Protection Act, which stipulate that we have authorities at ports of entry, and on some occasions inland, when we're talking about our inland enforcement activities.

Do I see a future in five, six, seven years where CBSA will be recognized as having authorities at POEs but also outside of POEs? I would think that it would be the normal evolution of an organization. Again, there are certain challenges that come with that, but I'm pleased daily — and Caroline hears that from colleagues — that we hear feedback. I think we're a valued partner from the RCMP but also from other law enforcement organizations.

Maybe, Caroline, you want to add to that.

Ms. Xavier: I don't have much more to add. The bottom line is that although we may not have the series of authorities that you talked about, at this point in time we feel quite satisfied with the authorities that we have to be able to do the job that's been assigned to us by this government in terms of where we land with the Customs Act, the CBSA Act and IRPA.

We have, however, really progressed in terms of our reputation and our ability to add value with our law enforcement partners, at both the federal and the provincial levels. We are recognized as well internationally with regard to our international network and the role we play in continuing to manage the safety of our country.

Senator White: Thank you very much for that. I'm telling you that you actually have increased your credibility with police agencies as you've changed your role, for sure.

As we're moving to discussions around more pre-clearance, obviously there will need to be the ability to perform more functions or different functions in a pre-clearance perspective 500 kilometres from the border, for example, if we ever get into, at some point, sea containers or railway. Then you're not at a POE anymore. You will have to change some of those functions anyway. Would you agree, Mr. Bolduc?

Mr. Bolduc: I think we'll need to engage with the U.S. as to what will be the authorities, similar to what U.S. Customs and Border Protection has when they operate in Canada, as you know. With some of the enforcement activities that they take, they call in either CBSA or the local police jurisdiction. I see a model that could operate very similarly if one day we end up operating out of the U.S.

Senator L. Smith: Just looking at your report, could you give us a summary of what learnings you went through with the Syrian refugee program, especially in terms of your interpersonal relationships, the horizontal relationships within other departments of the government? What did you learn, if there are two or three things?

There was an earlier question to you, Ms. Xavier, about the deaths of people and what the learnings were. You never really told us any learnings. It would be helpful it you could tell us a couple of your key learning points that are not confidential to you but that are good for us to understand in terms of the government, in terms of value for money, making sure that we do the right thing, et cetera, with people who come into our country.

Ms. Xavier: As you know, the steering initiative was led by our colleagues at the Immigration Department. I would say one of the key learnings is the fact that we worked extremely well on a joint initiative in a horizontal manner and in a very collaborative manner.

Senator L. Smith: What was it? Be specific. What was your role?

Ms. Xavier: Our role was specifically ensuring that those who would be landing here as permanent residents were, first of all, cleared appropriately from the get-go overseas. We played a role there with our international network, providing support to our immigration visa officers, giving them guidance on the questions they were asking of the refugees, as well as facilitating them aboard airplanes, ensuring that those who started the process were exactly the same people who would be boarding the airplane to Canada. So from an identity management perspective, the whole multi-layered security screening apparatus was primarily managed through the CBSA, working in collaboration with our colleagues in the portfolio.

At the ports of entry, our role was ensuring their arrival and finalizing the screening process, just as we would with any other arriving passenger, and so completing the permanent residency application process at the ports of entry.

As you know, the process took place at two ports of entry, primarily: Montreal and Toronto. From that, we'll continue to have a role with any incidences with regard to post-arrival if any of those situations arise.

I'd say the primary learning is the fact that our role in being able to bring people from overseas and then managing the whole multi-layered approach of security screening was one that the CBSA did very well, and we were seen as working well with international partners and other government departments. We were seen as having a very good leadership role in that perspective.

We learned as well that there are ways in which we can continue to streamline our security screening process but in a manner to ensure that we're not compromising it. I can assure you that was not the case, and we took that role quite seriously.

Another lesson I would mention is just the fact that we were able to mobilize quickly by bringing people across the country, because we did have to add more assets in Toronto and Montreal to be able to continue to meet the day-to- day mandate we were performing in the normal business of those ports of entry, as well supplementing in order to be able to meet the magnitude of people we were bringing in. At a national level, we mobilized really quickly and worked again in collaboration with colleagues here in Canada as well as with those overseas.

Senator L. Smith: These are all your people that you moved from one part of the country to the other in order to handle this?

Ms. Xavier: Correct.

Senator L. Smith: President Obama said he felt better because Donald Trump in his speeches was saying he wouldn't allow Syrian refugees to come in. It was controversial. In the papers, the President said that he felt better with the implication of his border services people working with our people to make sure that whatever extra screening or work that was done gave confidence that the people we were allowing in were mostly good people. Could you comment on that? What was that all about?

Ms. Xavier: As part of the security screening process, one of the things we do is check against a variety of databases: immigration, law enforcement, national security screening databases. Those databases included some of our own as well as those of the U.S., for example.

If we had any questions with regard to somebody we were processing, that case was either set aside because they required additional information; or, again, if we needed to get additional information, there was the possibility of working directly with the U.S., for example, on a particular case. But in most cases, anything that required additional information, with the amount of time we were working under, was exactly set aside and not processed at that point in time.

Senator L. Smith: What's the number one issue that came up during this process of screening that was a challenge to you? Was it the volume? Was it the time frame? What was the number one problem or challenge that you faced that you were able to successfully overcome?

Ms. Xavier: I would say it's the time aspect. To your point, it wasn't that it wasn't overcome. We found a strategy, which is basically that where it needed to take more time, we needed to set it aside to take the time it needs. I think that was a very valuable lesson learned, and the manner in which you can process things quickly, but at the end of the day, you need to go back to the case and do the due diligence. I think that would be the number one challenge.

Mr. Bolduc: You asked, senator, about lessons learned. I think if you put a task to the public service and you challenge them to deliver it, the public service can do extraordinary things. I think it was a real Team Canada effort from all departments that were involved.

The Chair: Colleagues, I just want to follow up on a couple of questions. I want to get back to the recommendations we had in the report that all interviews be done with audio and recordings and that recordings be retained for a period of 10 years.

If I'm not mistaken, Ms. Xavier, you responded that there was some audio and maybe some video. Could you tell me why you have objections to this particular recommendation? Because it would seem to me that this recommendation is very common sense that in this day of technology there be a recording of events so that there's no question, as we've had in the past, that what took place actually did take place. Can you tell me if you are looking at implementing this recommendation, and if you're not, can you tell us why?

Ms. Xavier: I want to start out by saying there is no objection to the recommendation. Audiovisual cameras are actually in place across all of our ports of entries.

The Chair: I know that.

Ms. Xavier: The issue isn't that the visual aspect is not going to be there. It's sometimes that the audio aspect isn't. We only do audio primarily in interviews, as you were recommending. Audio is not on, for example, in all ports of entry. In the airports, you're not picking up private conversations of individuals. So we try to be very particular and specific as to where some of the features are turned on with regard to our audiovisual equipment.

You're absolutely right. We do use this technology to ensure as much as possible the factual instances of what's happened. It's just that in certain cases, depending on where you are, you may only have the visual and not the audio, but in the secondary interviews, audio is at the very least there, and in most cases both exist.

The Chair: I hate to get right down to this, but why isn't it mandatory to have video along with the audio for the secondary? It is in a stationary place. As I understand, it's generally an office where you have a private conversation, but at the same time it has implications for the individual and for the CBSA. It would seem to me that for your protection and their protection it should be mandatory because then you have a record. Perhaps you could come back to us at another time and let us know how you're updating and seeing if that can be done, because it's not a lot of expense.

Ms. Xavier: Just so you know, it is part of our infrastructure renewal, as we're going throughout our ports of entry, to ensure that where there is supposed to be audio and visual, there is. I don't want to leave you with the impression that it's not something that we're seriously doing. In some cases, it's part of the infrastructure renewal of those ports of entry.

The Chair: You meant seriously not doing?

Ms. Xavier: Sorry?

The Chair: You're seriously doing or seriously not doing?

Ms. Xavier: No, we are seriously doing. Did I say "not''? Sorry.

The Chair: I'm not quite sure how that was interpreted. At any rate, we can expect to see the visual aspect implemented over time; is that right?

Ms. Xavier: Correct.

Senator Day: What is your total budget annually?

Mr. Bolduc: It is $1.87 billion fiscal that will come to an end at the end of March.

Senator Day: Are you not anticipating any difference in the appropriation for fiscal 2016-17?

Mr. Bolduc: We have a few budget items that are sunsetting, and I think we will be watching tomorrow afternoon to see if we're referenced in the budget, but overall I think there's a slight decrease in the next fiscal. Unfortunately, I don't have the budget.

Senator Day: We can look that up. What about the total number of personnel at the Canada Border Services Agency?

Mr. Bolduc: We don't expect any significant changes to the personnel we have, which is roughly 14,000.

Senator Day: And you said 7,000 of those carry firearms now or will?

Ms. Xavier: Seven thousand of them are uniformed personnel, and, yes, the large majority of them will have a firearm in their possession.

Senator Day: The people who collect tariffs at the border and those who run the VACIS machine, the X-ray machine that looks into trucks and other things that you run through, are in uniform, but do they carry firearms?

Mr. Bolduc: Yes.

Senator Day: They do now. Just a general question on equipment, this committee visited a Border Services post in New Brunswick a number of years ago, and when I say the VACIS machine, I'm using terminology that you understand, but maybe our listeners don't.

Mr. Bolduc: Giant X-ray machine.

Senator Day: A big X-ray machine that you can drive around different places, and it was being shared between the police force and Border Services, I presume, because of lack of equipment in each, so they have to share it.

How are you coming with your technology now and the implementation of new technology?

Mr. Bolduc: Well, we operate our own VACIS machines, which are located strategically along ports at the land border and in marine ports, as you know. We're always looking for new technology, leveraging what other border organizations are doing, for example, the U.S., the U.K. and others.

I think we have a decent panoply of tools that we can use, but what's interesting these days is that what was the latest or the most updated machine two years ago, because of the evolution, you need to keep pace. So we have our own lab with people whose day-to-day activities are looking at the new technology and what could be useful to our front line.

Senator White: I talked about after October 22. I know there were issues at the Calgary airport as a result of the union pulling officers off the line, as I understand it. Can you confirm that, and tell us what you have actually solved so that it doesn't occur again?

Ms. Xavier: I think what you're referring to is a possible work refusal. Is that what you're referring to?

Senator White: I understand the union actually told their employees not to go on the line because they weren't carrying side arms.

Ms. Xavier: I won't speak to the specific union's direction to their officers. What I can tell you is that we continue to actively work with the union as well as our staff specifically in Calgary or all our other ports of entry to ensure that they have the necessary tools to do their jobs. We try to ensure that where there needs to be the side arm, they are properly certified and equipped to do so.

At this point in time, the side arm is not used in our terminal airports, as per the direction of the implementation, so for the time being, only those who are at other ports of entry and other modes are permitted to carry their side arm.

Senator White: Can you provide us with a list of how many refusals you've had over the past 36 months so that we can look at it and see whether we should be making recommendations?

Ms. Xavier: We can. I don't think we've had very many, actually. I think that might have been the only one.

Senator Mitchell: At the very bottom of page 5 of your presentation, Mr. Bolduc, and at the top of page 6, you mentioned that you've removed more than 11,000 people deemed inadmissible to Canada, with a priority on those with criminality. This was last year. You also mentioned earlier in the paragraph that it has to do with those who may pose a threat to our security.

Are you returning people whom you suspect of terrorist intent, or are you returning people who have criminal records? If you were returning people whom you suspect of terrorist intent, what steps would you take to make sure that they're not let loose when they return from wherever it is they came from?

Mr. Bolduc: We remove people who are deemed inadmissible to Canada. This can be for national security concerns, criminality, misrepresentation or other reasons. We essentially detain for four reasons. When we decide to effect an arrest and send the people into detention, either there's a flight risk, so we believe they will not show up for the rest of the proceedings; we don't know who they are, so we've got people showing up at a POE and we cannot confirm their identity; we believe they represent a risk for national security; or they've been deemed part of a mass arrival as designated by the Minister of Public Safety. Those are the four grounds why we detain people.

When we say that we removed 11,000, the priority is always on the criminals. That's the first tranche of people we will focus on. The rest of the people that have been removed are people who have been deemed by the Immigration and Refugee Board as being inadmissible to Canada.

The Chair: Back in 2013, just under 17,000 individuals were deemed inadmissible by CBSA. In 2014, there were 44,000 inadmissible individuals who did not comply with removal orders. As far as you know, they did not leave the country. They could still be here. We were also told it takes the CBSA an average of 85 days to remove a person found inadmissible. My notes say that CBSA's lookout system contains more than 19,000 outdated lookout records.

Could you update us with respect to the number of people who were deemed to be inadmissible, who stayed in the country, even though they were asked to leave, and whom you have now identified and then removed from the country? How successful are we in removing these people?

Mr. Bolduc: I believe we are successful. The numbers have been decreasing year over year because the inventory is becoming more and more difficult to manage. To be able to remove someone, we need a travel document issued by the country of which that person is a citizen. Sometimes there is difficulty in obtaining travel documents.

The Chair: Meaning they don't want to accept them back?

Mr. Bolduc: Meaning they don't want to issue a travel document for us to be able to remove them back.

The Chair: They don't want to accept them?

Mr. Bolduc: For some they don't accept them. For other countries, it's being able to confirm their identity and that they're citizens of country X, Y and Z. That's a major obstacle.

As for the warrants you referred to, our latest count is 46,000 warrants have been issued. These are people who have not shown up for proceedings with the CBSA. It's been announced that we will be introducing entry/exit to help us manage that number. Right now, somebody could be scheduled for an interview with a CBSA officer, not show up for the interview, and we issue an arrest warrant. We enter the arrest warrant into CPIC, and the person can voluntarily decide to leave the country without us knowing about it. Until we have proof that the person left the country, the warrants remain open. So entry/exit will help us manage that, and hopefully we'll be able to reduce that number.

I would not equate the 46,000 warrants to 46,000 people that are out there without us knowing where they are. We've seen, through our CBSA wanted program, that people do leave voluntarily from Canada without informing us.

The Chair: It's still a number that perhaps we should speak to at another time.

Mr. Bolduc: I agree.

The Chair: Twenty thousand is a lot of people, individuals we may not want to have here.

Thank you very much for coming. We certainly appreciate the information you've provided to us.

Colleagues, joining us on our second panel today is Greta Bossenmaier, Chief, Communications Security Establishment Canada, Canada's electronic or signals intelligence agency.

Your mandate is to gather, analyze and report on all electronic intelligence, both national and international, that pertain to our national security here in Canada in one manner or another.

Ms. Bossenmaier was appointed Chief of the Communications Security Establishment effective February 9, 2015. Prior to her appointment, she was the Senior Associate Deputy Minister of International Development as part of the Department of Foreign Affairs, Trade and Development. Ms. Bossenmaier holds a Master of Science degree in operational research from Stanford University in California, and a Bachelor of Commerce honours degree from the University of Manitoba.

Ms. Bossenmaier, we're pleased to welcome you to this committee. This is your second appearance before us since your appointment. The last time you were here was to be part of the evidence provided for the study of Bill C-51.

We're pleased that you're able to spend an hour with us to help Canadians better understand what Communications Security Establishment Canada does and how it functions under the National Defence Act.

I understand you have an opening statement. Please begin.

[Translation]

Greta Bossenmaier, Chief, Communications Security Establishment Canada: Good afternoon, honourable senators.

I want to thank you for the invitation to appear before you today to talk about the work of the Communications Security Establishment and the priorities we are tackling.

Since I was appointed chief of CSE last year, I have had the opportunity to see first-hand the challenging and valuable work undertaken by our organization. I have the privilege of witnessing — on a daily basis — the professionalism, skill and determination of the women and men of CSE to help protect Canada, its people and its vital information. I am very proud of the hard work that they do, and it has indeed been a privilege to lead this organization over the past year.

By way of background, I would like to begin with what CSE does and why we do it. As you know, we have a three- part mandate under the National Defence Act.

It should be pointed out that CSE is Canada's national signals intelligence agency, and is authorized to acquire and use information from the global information infrastructure to provide for intelligence, in accordance with the intelligence priorities that the Government of Canada has identified. It is important to emphasize that CSE only targets foreign entities and communications, and in fact is prohibited by law from targeting Canadians or anyone in Canada.

[English]

In terms of results, our intelligence has played a vital role in supporting Canada's military operations, including the current effort in Iraq. It has helped uncover foreign-based extremist efforts to attract, radicalize and train individuals to carry out attacks in Canada and around the world. It has provided early warning to thwart foreign cyber-threats to the Government of Canada and critical infrastructure and networks. It has identified and helped defend the country against the actions of hostile foreign intelligence agencies. It has contributed to the integrity of Canada's borders and infrastructure. Finally, it has furthered Canada's national interests in the world by providing context about global events and crises, and informed Canada's decision-making in the fields of national security, defence and international affairs.

The second part of our mandate is cyberdefence and protection. CSE provides advice, guidance and services to help ensure the protection of electronic information and information infrastructures that are of importance to the Government of Canada. Our sophisticated cyber and technical expertise helps identify, prepare for and respond to the most severe cyber-threats and attacks against computer networks and systems and the important information they contain.

We help protect Government of Canada systems from foreign states, hackers, terrorists and criminals. We track threats from around the world, and we work with government departments and agencies to strengthen and defend systems that have been compromised. We help protect information of value to the government, including personal information, from theft.

[Translation]

The third part of CSE's mandate is to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties. As Canada's national cryptologic agency, CSE possesses unique expertise and capabilities. Under the assistance mandate, those capabilities may be used to assist a Canadian law enforcement or security agency to perform tasks in accordance with their legislated mandate.

The principles of lawfulness and privacy are critical to the work of CSE. Protecting Canadians' privacy is not an afterthought. It is a fundamental part of our organizational culture and is embedded within our operational structures, policies and processes. CSE has a strong privacy framework — detailed policies and procedures, as well as internal review and independent external review, in particular that of the CSE commissioner. These measures contribute to ensuring that CSE's activities are conducted in a way that protects the privacy interests of Canadians.

[English]

This year marks CSE's seventieth anniversary, and throughout the past 70 years, CSE has helped protect Canada and Canadians while adapting to enormous changes in the international security environment and throughout the rapidly evolving nature of communications technology. From the Cold War to ISIS, from telegraph and radios to the global Internet, the current threats to Canada and its allies, and the very nature of our work, are increasingly more complex and more diverse than ever. It's this dynamic environment that is the underlying theme of three of CSE's top priorities.

The first of those priorities is to ensure that we continue to provide timely and valuable foreign intelligence to meet the intelligence priorities of the Government of Canada. In this increasingly complex international environment, the need for foreign intelligence is as critical as ever.

I will note the example I mentioned earlier: CSE's support to the government's mission in Iraq. Just as we did in Afghanistan, CSE provides vital intelligence to this mission, and we help protect Canadian troops from threats on the ground. Intelligence has been identified as an important aspect of this mission, and I'm proud that CSE will continue this contribution as the mission evolves.

Nevertheless, there are challenges that CSE must confront to remain successful. Our foreign intelligence plays an important role in countering terrorist threats to Canada; however, CSE and our allies are dealing with significant changes in recent years, not only in the operations of terrorists, but also their adoption of new and sophisticated communications technologies. For example, ISIS has demonstrated an unprecedented ability to take advantage of modern technology. In a very short period of time, they have leveraged the Internet to spread propaganda and to inspire and plan attacks. This has underlined our need to adapt our capabilities to the rapid changes in technology and our adversaries' use of them.

The next priority for CSE that I'd like to address is an increased emphasis on cybersecurity: protecting, defending and educating to deter cyber-threats. Protecting Canada's most sensitive communications and information has been a part of CSE's business throughout our 70-year history.

While this has always been core to our mandate, the fact that more and more of the world's and Canada's government operations, business, military systems and citizens' lives are conducted online has necessitated a heightened focus on cybersecurity. The growing reliance on digital information and electronic systems by government, private industry and citizens has introduced new risk, new threats and new actors, challenging the very digital infrastructure on which Canadians rely.

The number of nation states and non-state actors that possess the capability to conduct persistent, malicious cyberoperations is growing, and Canada is an attractive target.

CSE, working alongside our government partners, is at the forefront of safeguarding information. CSE's sophisticated cyberdefence mechanisms block over 100 million malicious cyberactions against the Government of Canada every day, thus playing a critical role in safeguarding Canada's national security and government operations. Through CSE's educational initiatives, such as our Top 10 IT Security Actions — which I believe you have a copy of — we protect the Government of Canada's networks and information, and we help ensure that government IT professionals are informed about the latest threats and mitigation measures.

The government has also recognized that Canada's private sector and critical infrastructure, in particular those sectors at the leading edge of innovation, are also at risk of malicious cyberattacks. For this reason, CSE and its federal partners are increasingly providing cyberdefence support beyond government networks, including cyber-threat information and mitigation advice.

The third priority is to ensure that we have organizational capacity, both today and in the future, to meet the government's requirements for world-class cyberexcellence across our three-part mandate, while always upholding the highest standards of lawfulness and privacy protection, and doing all of this in an increasingly demanding environment.

[Translation]

This requires CSE and its people to be agile, innovative, determined and principled. That is something that we have been doing successfully for 70 years, and we will continue to do so.

[English]

I will conclude my opening remarks by saying that I am confident in our ability to meet these challenges, to remain resilient in the midst of significant change, to address the growing demands posed by cyber-threats, to provide timely and vital foreign intelligence to the Government of Canada and to continue to safeguard the privacy of Canadians.

My confidence stems from the professionalism and the commitment of CSE's highly skilled workforce. CSE's employees play a fundamental role in shaping our organization and capabilities and in delivering on our objectives. They are our most important asset. Their strong teamwork, their integrity and their focus on excellence are also a reflection of their commitment to public service. They are Canadians who are committed to doing the best for their country. Their dedication and skills will be instrumental to CSE's success in helping to protect Canada's national interests and security as we look forward to our next 70 years.

Again, I thank the committee for your invitation, and I welcome your questions.

The Chair: Thank you very much, Ms. Bossenmaier. I want to say that the responsibility of your organization certainly cannot be understated with respect to the responsibility you have for all Canadians.

Ms. Bossenmaier: Thank you for that, sir.

The Chair: Especially in view of the world we live in today and the global terrorist threats that are so prevalent across the world. In a letter in February 2016 you said that you detected foreign-based extremist plots against Canada and our allies. These activities are against Canada and our national interests.

Then you went on and mentioned two or three times, with respect to your opening comments, terrorism and the responsibility that you have with respect to identifying these threats, and obviously using this information when necessary and appropriate with other agencies.

Could you give a further outline of how many foreign-based extremist plots against Canada you have identified over the last five years to give us a sense of the scope of what we're dealing with here?

Ms. Bossenmaier: Thank you for the question, Mr. Chair. You're right: Communications Security Establishment Canada's foreign intelligence priorities are set by the Government of Canada. We basically work against the intelligence priorities that the Government of Canada sets for our organization and others.

The work we're doing is often in concert with other organizations that are working on foreign threats to Canada. Our role is focused on the foreign signals intelligence, looking at whatever information we can gather on foreign threats to Canada and then putting that into the mix with other intelligence that other agencies may gather.

I don't have a particular number for you, Mr. Chair, but I can tell you, as I noted in my opening remarks, that CSE's efforts have been important in dealing with and continuing to deal with these foreign threats to Canada.

The Chair: I just want to hone down on this a bit further. We're trying to get a sense of what we're dealing with here. When you open the newspaper every day, you see what's happening in Europe, Canada and the United States. When you say you don't have a number with respect to the number of actual — I'm going to call them "plots,'' the activity that is occurring — is it increasing from what it was three years ago?

Ms. Bossenmaier: Mr. Chair, respectfully, I would have to suggest that that would be a good question to pose to CSIS. That organization has a responsibility to look at all threats to Canada and assess the threat information and threat perspective to Canada.

I can definitely talk to you about cyber-threats, because that is something particularly within our mandate. One of our mandates is to focus particularly on cyber-threats to the Government of Canada. In terms of cyber-threats and what we're seeing, absolutely, it's a much more dynamic environment, both the number of threats and the nature of how they materialize and how quickly, and also in terms of the different threat actors. There are now nation states, as we know. We have terrorist organizations. We have new types of cyber-threats emerging in cybercriminals.

From a cyber perspective, I can definitely answer your question in the sense of a much more dynamic environment, different types of threat actors and overall a higher pace. I think not a day goes by now that we don't open the newspaper, to your point, and read about different types of cyber-threats, whether they're in the private domain, the public sector or the business or private sector domain. It's a much more dynamic and challenging environment, I can tell you, from a cyber-threat perspective.

Senator White: Thanks for being here today. We really appreciate it.

A recent report from the U.K.'s Intelligence and Security Committee talked about whether a Chinese company should be allowed to participate in U.K. critical infrastructure. Have you had similar discussions with the Canadian government about Huawei, as an example, or other Chinese entities being involved in critical infrastructure bids?

Ms. Bossenmaier: Thank you for the question, senator. As you may know, in Canada we have an Investment Canada Act review process. Part of that is the national security review mechanism or process that can be implemented. From a CSE perspective, if we have information relevant to that national security review process, we can bring that information forward to be considered as part of that review process. The Minister of Public Safety looks at security, threats and risks overall, and that becomes part of that discussion in terms of the Investment Canada Act.

Senator White: Have you done that?

Ms. Bossenmaier: We have.

Senator White: How often? Once, twice or 10 times a year?

Ms. Bossenmaier: I don't have a number for how often we've done it, but we have done it on cases with relevance and information to bear.

Senator White: Can it be triggered by anyone else other than CSE in case you miss it? Could other bidders, the other agencies, for example, identify it as something you should do, or does it have to be triggered by you?

Ms. Bossenmaier: We're not a trigger. There are triggers within the national security review process that would cause a review to happen. We're not a bidder either, but if we have information to bring to bear that is relevant from our sector, we can bring that information to bear into the process.

Senator White: I'm just trying to figure out who would cause that to happen. For instance, could other bidders cause that to happen if they were concerned? Could outside agencies raise an issue if they thought there was some concern? I'm just trying to figure out how it gets to the stage where you actually do that.

Ms. Bossenmaier: I want to be sure I'm giving you the full information, senator. My understanding is it's a dollar threshold that may trigger certain actions, but because I'm not the party responsible for the actual review process but a contributor to it, what I would suggest is either we get back to you or have someone from Public Safety or Industry get back to you in terms of what would cause a national security review to happen.

We're a contributor to it, so I want to be sure I give you the right answer.

Senator White: You could get back to us. Thank you.

Senator Mitchell: I'm particularly interested in the issue of cybersecurity. You can see where government is probably pretty well taken care of. You mentioned that. You highlighted that in your report. We have CSIS and other agencies that are concerned about their own work, so they would be taking care of it. You also mentioned a great focus on the private sector.

What I worry about is that the private sector is quite dispersed. I don't worry about that, but I worry that, being dispersed, it would take a great deal of coordination to make sure there weren't gaps in the way in which we were protecting critical infrastructure against cyberattack.

Is there an agency within government that takes on that responsibility as the agency responsible?

Ms. Bossenmaier: If I may, you made the earlier comment that it looks like we're taking care of things from the government perspective. I would provide two pieces of context around that, even from the government perspective.

The government has made a lot of progress in terms of cyberdefence. There has been a lot of emphasis on everything, from how we have structured ourselves, to bringing in the requisite players forward, to having attention put on it at the highest levels. A lot of attention has been put on the government, but I would never want anyone to be left with the sense that there is nothing left to do.

This goes back to my earlier response. It's such a dynamic environment that you can never have a laissez-faire attitude by saying we're done, we're taken care of. We always have to continue to look at new threats, new actors and new vulnerabilities. Even though the government has come a long way, we need to keep that focus and attention.

On your question with regard to the private sector, a number of years ago the government established a three-part Canada cyber-strategy. The first part of that strategy is what we've talked about, namely, protecting and securing government systems; the second pillar of that strategy focuses on supporting the private sector; and the third part of the strategy is also helping Canadian citizens directly.

The overall strategy is coordinated by the Department of Public Safety. The Department of Public Safety is the lead on that second pillar in terms of working with and supporting the private sector. To answer your question, they are the lead agency. CSE is involved in that. I'll give you perhaps two examples of our involvement, if I may, the first being from cyber-threat information. Part of our job is to look at sophisticated cyber-threats to Canada. You can get a lot of cyber-threats information from various companies, but our job is to look at the most sophisticated cyber-threats facing the country. We can share some of that cyber-threat information with the private sector.

The second piece that we do is around mitigation advice. When a cyberattack happens, a number of pieces of the system must kick into place. How do you mitigate and remedy that? We've also been providing cyber mitigation advice to the private sector. I hope that answers your question.

Senator Mitchell: Maybe you can't tell us entirely, but I would be interested in knowing how you organize it. Clearly, the banks have critical infrastructure. Clearly, pipeline companies, refineries, the energy industry have critical infrastructure, all of which is highly computerized. How do you divide up the different sectors? It would seem to me that it would take different expertise. It would take different relationships, obviously. How do you even begin to organize that, and how do you pick which sectors? How do you prioritize?

Ms. Bossenmaier: That's a good question. It goes back to your question about a lot of different players, sectors and interests.

I refer back to my colleagues in Public Safety with the responsibility to look at critical infrastructure not only from a cyber perspective but overall in terms of critical infrastructure. My understanding is they have organized along with a number of key sectors. I believe they have 10 sectors, and each sector is organized around common themes and interests. They deal with those sectors, and I guess they organize themselves accordingly in terms of what are the key interests and the key players in each of those sectors.

[Translation]

Senator Carignan: I would like to come back to Senator Lang's question about the number of foreign-based extremist plots against Canada over the past five years. I understand it is difficult to provide a precise figure, but can you give us a rough estimate? Arrests are another issue. That data should nevertheless be accessible. Can you give us a clearer picture?

Ms. Bossenmaier: Thank you for your question. I will answer in English.

[English]

We are not a law enforcement organization, senator. We are a foreign signals intelligence organization and a cyberdefence organization. In terms of arrests, that was not the domain of my organization.

Again, looking at the overall threat picture to Canada, it's the responsibility of CSIS to look at the overall threat environment facing our country. Unfortunately, I won't be able to give you a precise number of arrests or that kind of outcome. I'd have to refer to my colleagues at CSIS or the RCMP.

[Translation]

Senator Carignan: Can you give us an order of magnitude when it comes to specific elements you have identified that have led to an exchange of information with CSIS?

[English]

Ms. Bossenmaier: Once again, senator, I don't have an exact number or order of magnitude that I can provide to you regarding how they've used information or, again, what the actual outcome is.

[Translation]

Senator Carignan: In the case of external agencies that are hostile toward Canada, are threats to Canada identified often? What are the main sources of those hostile external agencies? Do they come from China, from Russia? What are the main suspects or hostile agencies that pose a risk?

[English]

Ms. Bossenmaier: Senator, are you speaking particularly from a cyber-threat perspective?

[Translation]

Senator Carignan: Yes, or other elements you may have identified.

[English]

Ms. Bossenmaier: Maybe I'll speak again from a cyber-threat perspective. As I mentioned, it's a very dynamic environment now — not only in terms of the nature of the threats we're seeing but also, to your point, in terms of the various types of threat actors.

Perhaps I could try to characterize them in four major buckets. The first are sophisticated nation states that are working in the cyber domain. Without actually naming any of the particular countries — we don't name our targets, our methods or our capabilities in our organization — there are definitely sophisticated nation states that are conducting cyberoperations and cyberattacks.

We're seeing the rise of non-state actors that are now getting into looking at cyber from an offensive perspective. I gave the example in my opening remarks about how we're now seeing terrorist organizations that are looking to use the global Internet infrastructure to plan attacks, for sure to radicalize and inspire attacks. We've seen that increasing over the recent past. It's sort of a new phenomenon, terrorist organizations using the Internet for that purpose. It is a relatively inexpensive cost to entrants, but they have the ability to connect with so many people in a borderless world. The rise of non-state actors has been a new phenomenon.

There is also the rise of cybercriminals. We think of criminals in our non-cyber world, but the rise of cybercriminals is interesting and, again, presents more challenging aspects that we've been seeing in the last little while. We hear now of cyber ransom, where cybercriminals are holding companies and individuals ransom by locking them out of their own computer systems and actually asking them to pay or forcing them to pay to get back onto their computer systems. That is a new type of criminal activity that we wouldn't have seen in the recent past.

We often talk about the hackers. Well, there are different motives, perhaps, but we've seen organizations now that are bringing down websites — not necessarily to steal information or to infiltrate the websites, but to be able to stop legitimate business from happening. They could be doing that to try to raise awareness for their cause or to campaign around a particular issue.

There is a diverse and dynamic set of threat actors that we're seeing changing and evolving. What that means for an organization like ours is that we need to continue to ensure that we are adapting and being aware and trying to stay ahead of what the threat actors are and what that threat environment looks like. More to your point, that's not just a threat environment to Canada; it's a global threat environment.

Senator Wells: Thank you, Ms. Bossenmaier. Does the CSE have a public complaints channel? How can Canadians feel assured that you're not harvesting data related to personal and legal actions and that this information isn't shared with our allies?

Ms. Bossenmaier: Thank you for the question, senator. I think you had the privilege of having before you, not too long ago, the Communications Security Establishment Commissioner. I'll refer to the role of the CSE Commissioner, actually, in answering a couple of your questions, if I may.

In terms of review, I would say CSE does have a very robust independent review mechanism in place, in the form of the Communications Security Establishment Commissioner: a respected jurist who has a lot of experience and a staff that is very experienced with the nature of our work and has full access to all of our systems, our people and our information — that is, independent but with full access to our organization.

If someone has a concern or complaint, they can raise that with the commissioner; that is one of the commissioner's roles. As well, internal to our organization, we have a series of folks that our own employees can go to, including an ethics and values organization. That has a mechanism to allow someone inside of the organization to raise an issue or raise a complaint; they can go inside to our ethics and values coordinator.

Senator Ngo: Does CSE have the legal authority to monitor permanent residents in Canada or Canadian citizens who are participating as jihadist foreign fighters?

Ms. Bossenmaier: We are a foreign signals intelligence organization, and our mandate is derived directly from the National Defence Act. In terms of targeting people under our foreign signals intelligence mandate, we are not allowed, under the National Defence Act, to target Canadians anywhere, or anyone in Canada. We are a foreign signals intelligence organization.

Senator Ngo: Even though those Canadians or permanent residents are participating as jihadist foreign fighters?

Ms. Bossenmaier: From a CSE mandate, we are not allowed. It's against our authority to target Canadians regardless of where they are, or anyone in Canada.

The Chair: Where are we getting the information on these Canadians that have made the decision to become jihadist fighters over in the Middle East? Who is monitoring them? If you're not doing it, who is?

Ms. Bossenmaier: Thank you, senator. I'll make two points to address your question. First of all, we're a foreign signals intelligence organization.

The Chair: They're over in a foreign land.

Ms. Bossenmaier: We do foreign signals intelligence. There are other types of intelligence activities. For example, you had my colleague from CSIS here not long ago.

We have a three-part mandate, as I mentioned in my opening remarks. The first is foreign signals intelligence that has to be directed at people outside of Canada and not Canadians. We have a cyberdefence mandate that I have talked a lot about so far. We have a third mandate, which is an assistance mandate. Under that, a federal law enforcement or security agency can request the assistance of CSE if they have the legal mandate to do so, and we are then allowed to provide assistance to them under their legal authority. So, if an organization has the legal authority to investigate someone abroad and they need assistance, they can ask CSE to assist them in that perspective, and we do so under their authority, under their legal mandate. That's the third part of our mandate.

The Chair: Let's get this clear: CSIS can ask you to conduct foreign surveillance on a Canadian that's involved in jihadist terrorist activity. Is that correct?

Ms. Bossenmaier: They can ask us, but they have to have the legal authority to do so.

The Chair: When do they have the legal authority?

Ms. Bossenmaier: It depends on their circumstance, Mr. Chair, if I may. Depending on what their circumstance is, they would have to seek a warrant and ask in that warrant if they can conduct the activity, and whether they can ask for our assistance. If they have the legal authority to do that, then we would consider it.

The Chair: I want to ask another question if you don't mind, colleagues.

Do you think you should have the authority to do that surveillance when a Canadian or a permanent resident is identified overseas in these types of activities, so that you can do your job?

Ms. Bossenmaier: We have a three-mandate job, Mr. Chair, which comes to us from the National Defence Act. Part C of that mandate does allow us to assist federal law enforcement and security agencies in their mandates. In the other parts of our mandate, again, we deal with foreign signals intelligence.

The Chair: It sounds to me like you're somewhat prohibited.

Senator Day: I think that's a good check on your activity. In the event of Part C — and this is the assistance to other law enforcement agencies — that agency has to involve lawyers and judges in order to satisfy you that you can do the activity they're asking you to help them with.

Ms. Bossenmaier: That's correct. We have different mandates.

Senator Day: Yes. So this "prohibited by law from targeting Canadians'' is only with respect to the first part of your mandate?

Ms. Bossenmaier: With respect to the first two.

Senator Day: First two.

Ms. Bossenmaier: Yes.

Senator Day: The second mandate is what I wanted to talk to you about: cybersecurity. You're saying that you're prohibited from targeting Canadians or anyone in Canada with respect to cyberterrorism and cyberactivities.

Ms. Bossenmaier: That's correct.

Senator Day: Is there a law enforcement agency in Canada that could ask for your assistance under Part C to deal with cybersecurity issues?

Ms. Bossenmaier: You'll feel like I'm answering every question in two parts, but I'll answer this one in two parts as well.

You're absolutely correct, senator. The second part of our mandate is a protection mandate for electronic systems of importance to the Government of Canada. We look at foreign threats; we look at threats to Canada; we help provide mitigation advice; we help engineer solutions for the Government of Canada, for example; and we also, through our sophisticated cyberdefence mechanisms, defend government systems from threats. I'll give an example: If a sophisticated cyberactor is trying to penetrate into a government system, we will help identify and defend against that based on technologies and systems that we have in place.

Again, we're not a law enforcement organization. Part C of our mandate deals with providing assistance to a federal law enforcement agency that has a legal mandate to conduct that business. For example, the RCMP could also, under their legal mandate, ask us to assist them in an instance that they needed our assistance — again, under their legal authority.

Senator Day: I guess my question was going to cyber and cyberactivity, and I thought I had to go to the second part of your authority, but if we're dealing with something outside of the information system of the government, we're into the third part. For example, what role do you have in terrorism and counterterrorism on social media? Is it always only under the third part, assistance to other government agencies in developing strategies to deal with terrorism and counterterrorism on the Internet?

Ms. Bossenmaier: I'll have to talk about Part B of our mandate to begin with, because it talks about protecting and defending and providing assistance to systems of importance to the Government of Canada. Systems of importance to the Government of Canada absolutely include Government of Canada systems, but that also gets into other systems of importance. I had a question from another senator about critical infrastructure, which could be a system of importance to the Government of Canada.

Senator Day: That could be anything.

Ms. Bossenmaier: As such, we can provide support. I talked about giving mitigation advice, for example, and cyber- threat information, from a law enforcement perspective, because that would be under Part C of our mandate, providing assistance through the federal law enforcement security agency.

Senator Day: Just to finish this up, does the advice include monitoring?

Ms. Bossenmaier: For the private sector?

Senator Day: Yes.

Ms. Bossenmaier: We are not monitoring the private sector.

Senator Day: So from a social media point of view, who is doing that? If you're not doing it, who is?

Ms. Bossenmaier: We think of ourselves as individual Canadians. When we're on the Internet, we're hopefully doing things with good Internet hygiene and keeping our computers safe and following the right kinds of processes. Just as businesses protect their operations from a variety of threats, they're also protecting themselves from cyber-threats. From a CSE perspective, we're looking at, along with our colleagues particularly in Public Safety, how we can share our knowledge and expertise with them so that they can better defend themselves.

Senator White: Thanks for your replies. I have to say that your answers tend to bring more questions for some of us. I think it has to do with the job you do, not so much with the questions or the answers.

Is any proactive work being done with Canadians? When we talk about cyber-threat, I would argue that it has greater potential against individuals more often than it has against corporations and such. It is a greater amount but not the number of threats.

Does CSE do any work to try to help Canadians understand the cyber-threats so that they are better prepared? You talk about being vigilant; but not a lot of people are vigilant, to be fair. Are you doing any proactive work in Canada? Who is doing that work?

Ms. Bossenmaier: I'll try to be clear. I will refer back to the government's cyber-strategy. Briefly, a three-part cyber- strategy was put in place a number of years ago to look at three things. First is to protect Government of Canada networks, where we have a very important role from CSE's perspective in terms of defence, prevention and education. Second is to support and help to support private industry in their cyberprotection roles. The third part of the strategy, senator, is exactly to your point: to look at helping Canadian citizens living and working in this increasingly cyber world.

For example, my colleagues in Public Safety come out with information and advice to citizens in terms of cyberawareness week and things that you can do to be better cyber-prepared. I've given everyone today a copy of the CSE's top 10. Those top 10 are good advice from CSE, in our experience given what we're seeing in dealing with cyber- threats, that we're encouraging and providing guidance to all government departments to do. As well, many of those are appropriate to private industry, for example.

It's about education, getting the message out and helping to share that information. Public Safety is very much in the zone of working with private citizens and the CSE to share our advice and guidance where we can.

I may also mention two other things, senator. The government has committed to launching a cyber review in the next little while that will be under the purview of the Minister of Public Safety with support from a number of ministers, including the Minister of National Defence to look at cybersecurity and cyber issues in Canada. That important review will come forward and no doubt may touch on a lot of the conversations we've had today.

The Minister of National Defence is also undertaking a defence review, and cyber will likely be a part of that conservation as well.

In particular, the cyber review led by Public Safety with support from my minister and others no doubt will look at these important questions in terms of cybersecurity for Canada.

Senator Mitchell: I'm interested in your top 10. You mentioned that you shared Shared Services Canada Internet gateways. Recently there was a report in the media about the problems with Shared Services Canada, specifically with respect to security issues in the RCMP's system and unanticipated security issues holding that up. How do you sort of reconcile the two?

Ms. Bossenmaier: Senator, I can tell you from an overall security posture from the Government of Canada that Shared Services Canada and moving government departments onto shared services from an infrastructure perspective has been absolutely key to improving the Government of Canada's cyber preparedness and cyber readiness. Our number one recommendation, and they are in order of priority, for government departments is fully utilized Shared Services infrastructure from a cyberprotection perspective. The additional kinds of cyberprotection tools that are in place are key. That's really our number one piece of advice.

I'll mention one more piece around shared services. Shared Services Canada is building solutions and services for all government departments. CSE is working with our Shared Services colleagues to help build in and design in security from the beginning — security by design. It's a matter of building stronger systems from the beginning and not doing it across 90 or 100 different departments. Do it once for the Government of Canada. From a cybersecurity perspective, the standing up of Shared Services Canada and having departments use them for their infrastructure services and core applications has actually been a key part of the Government of Canada's cyberoperations.

I guess someone asked me the question earlier about what other governments are doing. Other governments are looking at the way we operate in Canada, from a cyber perspective in terms of the government, and are recognizing that this is such a critical component to strengthening the Government of Canada's systems.

Senator Mitchell: Is it optional? Can a department opt in or out of shared services? If you're having to put so much emphasis on it, it sounds optional.

Ms. Bossenmaier: Shared Services Canada covers a number of core departments. For some smaller, perhaps regional, departments, there was some optionality. We're saying that everybody should get on and use it fully for whatever they can because it provides a really strong cyberprotection.

[Translation]

Senator Carignan: I was looking at your chart on risk reduction. I understand that, even when the rules are followed, there is still a substantial risk of cyberattacks. When it comes to espionage or the possibility of us being victims of espionage or infiltration, do you have a training program for members of Parliament, senior officials, directors and department heads on precautionary measures to be taken to avoid being victims of espionage, such as in telephone conversations or exchanges?

We are hearing that there is a threat, that we are victims of certain things and that you protect the systems. But I have never heard about training provided to members of Parliament on what to avoid. Are there any training programs for senior officials or individuals likely to be victims of espionage?

[English]

Ms. Bossenmaier: It's an excellent question. When you first look at the chart, you see that the threat surface at the end doesn't go away. It goes back to my earlier comment that none of us can be complacent. We can never think that we're done, that it's taken care of, that it's over. The threat constantly evolves as more and more work is being done on the Internet. We need to be constantly vigilant about it.

One of our roles at the Communications Security Establishment is to help provide education and training to IT specialists within the Government of Canada. A lot of really good training is happening elsewhere in the Government of Canada in terms of broader training and even systems training. But for IT security expertise, we run special training programs for IT specialists to help them become more aware and more able to address those threats and issues when they go into their departments. You raise an excellent point. It's not enough. It's necessary, but it's not sufficient to speak only to the IT practitioners and the security practitioners. We need to speak and share that information all the way up the chain to the other managers, the highest management that we have.

One of my roles is that I speak to, for example, my deputy minister colleagues and give regular updates on everything from the types of threats that we're seeing to what they as senior managers, as leaders in the federal public service, need to do. You can't leave this to your IT professionals. They are very experienced and play critical roles, but it takes a management imperative to say, "This is important. I'm going to spend time and resources on that.''

I speak to my colleagues about the importance of following the top 10 in terms of the types of threats we're seeing. I also work with our colleagues at the Treasury Board Secretariat and at Shared Services for when a cyberattack happens. It's not if — it's when a cyberattack happens. How does one then respond as a senior leader within the organization?

To your question about the House of Commons, I'm not sure. I've been in the CSE for a year; I'm not sure if we've ever provided any type of guidance. I would presume that, within Parliament, some type of process or training would be happening. That's definitely something I can look into, to see whether there's something that CSE could help with; I could get back to you, chair, about what services are available. I'm not sure.

The Chair: If you would report back, that would be good.

Ms. Bossenmaier: It would be my pleasure.

The Chair: I notice time is marching on, colleagues. If I could ask you one question before you go, it has to do with the suspension of some of the metadata with our Five Eyes partners, with the United States, the U.K., Australia and New Zealand. Perhaps you can describe exactly what took place there? Second, did they suspend sharing metadata with us? What steps are we taking to ensure that our metadata meets our legislative requirements and, at the same time, to provide the information to our allies?

Ms. Bossenmaier: Mr. Chair, I have a short answer or a longer answer.

The Chair: Just be concise. Yes, no, yes, no.

Ms. Bossenmaier: I'll try with the short one, and if you feel that I need to go back, I'd be happy to do that.

With regard to this metadata issue, I would start by first saying that the information that we're talking about is metadata. It is information about a communication. It's not the communication itself. It's the context, not the content, of the communication. It's basically information that's used by computer systems to route or identify or manage telecommunications across the global Internet. Metadata is not the content.

I spent a bit of time talking today about our various authorities. CSE is mandated to collect metadata as part of the National Defence Act. We're authorized to acquire and use information from the global information infrastructure to produce foreign intelligence in accordance with the government priorities that I spoke to you about. In the course of a regular system upgrade, CSE itself detected that some of this metadata that we do share with our Five Eyes colleagues was not being minimized. There's another term: What's "minimized''? "Minimized'' means altering certain fields that could have a privacy interest. During a regular system upgrade, we identified that certain fields were not being properly minimized.

CSE proactively did a number of things. First of all, CSE informed the Minister of National Defence and informed the CSE Commissioner, whom you saw here not along ago. CSE also suspended the sharing of the metadata. CSE proactively undertook a review to try to understand what was happening and also undertook an assessment of the privacy impact of that. We assessed the privacy impact as low based on a whole series of privacy protection measures that we have in place.

CSE then worked closely with our commissioner, who was in the midst of a review on metadata within our organization, and he noted in his report and maybe publicly his belief that this metadata incident was unintentional — it was a systems technical deficiency — and that we cooperated fully with him to address it.

As for what we have done since, we have not resumed the sharing of metadata yet. In his statement on this issue, the minister said he needs to be assured that whatever system we put in place has to be robust and meet the privacy protection measures that are required. We are in the throes of ensuring that we are developing a system that will do both things in, help to protect Canada's national security but also, at the same time, ensure that we meet the privacy protection measures that are required. When we have such a system to propose to the minister, we will bring that to the minister for his consideration.

The Chair: Just as a follow up, what did you do with the metadata that was shared and that was found to be not within your legislative mandate to share? Where is that? Has it been destroyed?

Ms. Bossenmaier: As to the metadata that was shared, as I mentioned, we have a series of privacy protection measures in place to help to ensure the privacy protection of that metadata. Looking at that suite of privacy protection measures, we assessed the privacy impact as low. We did not have the metadata deleted from our Five Eyes systems. They have regular retention and deletion schedules that they follow that will result in that metadata being overwritten through their normal practices.

Again, based on the suite of privacy measures that we have in place, we also felt confident that the overall privacy impact was low.

The Chair: I could probably follow that up further, but, Senator Day, I'm going to give you the last question. Be very concise.

Senator Day: What minister?

Ms. Bossenmaier: The Minister of National Defence.

Senator Day: In your report, you stated that CSE's sophisticated cyberdefence mechanisms block over 100 million malicious cyberactions against the government every day.

Ms. Bossenmaier: Correct.

Senator Day: Is each of these malicious cyberactions a cyberattack, as we've discussed? Are they synonymous?

Ms. Bossenmaier: You have attack. You have infiltration. You have incident. The best way to describe this is these are probes. These are probes looking at vulnerabilities against the Government of Canada's systems. These are actions looking to map our systems, to probe, to look for vulnerabilities. As to that number, an extremely alarming number, 100 million per day, we've seen significant growth in that number, senator, over the last number of years. If I had to go back a number of years, it was probably at 60 million, 70 million and now to 100 million. So there has been a significant increase. That's just people trying to figure out the vulnerabilities, probing, trying to understand, map, sort of as the first foray into a full-blown cyberattack.

Senator Day: A pre-attack.

Ms. Bossenmaier: You could use that terminology.

The Chair: I would like to thank Ms. Bossenmaier for coming before us. We appreciate what you had to say.

In our third and fourth panels today, we'll continue our look at threats to the security of Canada, including but not limited to cyberespionage, threats to critical infrastructure, terrorist recruitment and financing, and terrorist operations and prosecutions. Our focus in the next two panels this afternoon will be the threats to Canada's critical infrastructure.

Joining us on our third panel is Stephanie Carvin, Assistant Professor of International Relations at the Norman Paterson School of International Affairs at Carleton University. Ms. Carvin earned her PhD from the London School of Economics and recently published a book entitled Science, Law, Liberalism and the American Way of Warfare: The Quest for Humanity in Conflict. She currently teaches in the areas of critical infrastructure protection, technology and warfare, and foreign policy.

Next to Ms. Carvin is Adam Chapnick, Deputy Director of Education at the Canadian Forces College and Professor of Defence Studies at the Royal Military College of Canada. Mr. Chapnick holds an M.A. in international affairs from Carleton University and a PhD in history from the University of Toronto. He has published six books and over 40 academic essays and book chapters. He currently teaches courses in Canadian government, strategic decision making and Canadian foreign policy. He is also a frequent commentator on international security issues and Canada- U.S. relations.

Welcome to the committee. I understand each of you has an opening statement. Mr. Chapnick, if you want to begin.

Adam Chapnick, Professor and Deputy Director, Education, Canadian Forces College, Department of National Defence, as an individual: Thanks very much to the committee for inviting me. The reason we thought I might go first is that Dr. Carvin is the real expert here. I have some general comments to make as someone who teaches strategic decision making at the federal level in a national security program. The views that I have for you today are my own. Although I'm technically a Department of National Defence employee, I have complete academic freedom. So the views are from me, not from DND.

The main message I hope you take away from my comments is as follows: I know Michel Coulombe spoke to you two weeks ago, and he mentioned the importance of the United States and Canada-U.S. relations to any discussion of national security. My point is that any discussion of Canadian national security cannot underestimate the critical importance of maintaining a strong, stable relationship with the United States. I'd actually go further than Mr. Coulombe and suggest that a breakdown of cooperation at the Canada-U.S. border is a greater threat to long-term Canadian prosperity than any so-called national security threat. That border is critical to our prosperity.

In that context, there are four implications that I'd suggest this committee take into consideration when we're talking about national security as it relates to critical infrastructure. I think there are four measurements of security that we should be thinking about.

The first is the physical and cyber, the traditional idea of security as it relates to Canada's critical infrastructure, the most obvious one.

The second is the security of shared North American critical infrastructure, again, in the traditional sense of cyber and physical.

The third and fourth are the ones I'd like to add. The third is the Canadian public's perception of the security of Canadian and North American critical infrastructure. And the fourth is American perceptions of Canada's commitment to secure Canadian and North American critical infrastructure. So there's Canadian, North American, the Canadian public's perception and American perceptions of what we are actually doing.

With those measurements in mind, I have four operational-level recommendations to meet and manage these implications.

First of all, Public Safety Canada must continue to push ahead on its 2014-17 Action Plan for Critical Infrastructure, with its focus on three things: one, sustaining and enhancing inter-Canadian partnerships; two, sharing and protecting information; and three, implementing an all-hazards management approach. That's the first step.

The second step is that when the new United States president arrives in 2017, I think that Public Safety Canada must ensure that the 2010 Canada-United States Action Plan for Critical Infrastructure is renewed and reinvigorated. I think that is critical.

Third, I believe that Canadians, and especially service providers, must be made better aware of how they can personally contribute to national and continental security.

Fourth, I think that Americans must be made aware of what Canadians and their government are doing to promote national and continental security.

There are a couple of risks that come with pursuing these recommendations. I'll identify two of them, and then I'll suggest some mitigation efforts that can be made.

The first risk is that if we educate Canadians about the security threats facing this country's and North America's critical infrastructure, we can inadvertently provide fodder for U.S. isolationists and economic protectionists who seek to thicken their northern border to support their own domestic industries. If we make this country look insecure, those who want to manipulate the market to support their own can more easily do that.

Second, in educating Americans about Canadian efforts to better coordinate continental security, we can inadvertently create fear among certain members of the Canadian public that the United States is already too intimately involved in the Canadian national security process. Such fear, however irrational, could limit the political capital available to the Canadian government to support increased continental integration, which I believe will likely be necessary on the security side to maintain U.S. confidence and a relatively open yet still safe Canada-U.S. border.

How do we manage these risks? First of all, keeping in mind that there is no perfect security solution, I think we need to focus on establishing a narrative that supports increased North American resilience in the face of what will inevitably be demanding security challenges in the future. This means stronger partnerships at three levels: first, between Canadians and their government; second, between Canadian federal departments, their provincial and municipal counterparts, private owners and operators of critical infrastructure, and private industry more broadly; and third, between Canada and the United States on as many levels as possible.

Second, although this committee in particular has had a lot of success in the past drawing public attention to national security risks by highlighting Canadian vulnerabilities, in the context of this challenge, I recommend that great caution be taken in using fear to spur Canadians to action. Drawing extensive attention to Canadian and North American vulnerabilities, without paying sufficient notice to progress that has and will be made in terms of mitigation efforts, risks encouraging Canada's American partners — who will continue, I believe, to privilege security over trade — to conclude that an open border with Canada is a liability that cannot be countenanced.

In sum, to reiterate, any discussion of Canadian national security cannot underestimate the critical importance of maintaining a strong, stable relationship with the United States. Breakdown of cooperation at the border is the greatest threat that we face as a country when it comes to security and prosperity. It follows that we must focus — and this committee should focus, I hope — not just on the reality of the threats to Canadian and North American critical infrastructure — and as Dr. Carvin will suggest, they're very real — but also on the commitment of the government and the people of Canada to manage those threats appropriately. I'll stop there. Thank you.

Stephanie Carvin, Assistant Professor, International Relations, Norman Paterson School of International Affairs, as an individual: Thank you for inviting me to speak to you today. By way of background, I've worked as a national security analyst with the government for three years. Now at Carleton, I teach at the Norman Paterson School of International Affairs, and specifically in our master's program in infrastructure protection and international security.

Today I will keep my remarks to what I see as the main national security threats to critical infrastructure and key challenges for policy-makers going forward.

In my view, national security threats to critical infrastructure can be characterized as diffuse, dynamic and fluid. First, these threats are diffuse in that they are spread out amongst a wide variety of actors. For example, many recent studies have demonstrated that there is no obvious profile for those who seek to engage in extremist violence. It is true that many are young and male, but there's diversity within this Canadian cohort of extremists, including young women. Additionally, whereas during the Cold War threats from states emanated from the militaries and their intelligence services, states with hostile intentions towards Canada and the West today have substantially widened their tool kits to achieve their ends. This includes economic and cyber instruments.

Second, threats to critical infrastructure are dynamic. They are constantly changing and adapting to their environment. Violent extremists and their supporters are able to capitalize on information flows enhanced by social media platforms that increasingly allow for mass communication but also targeted propagandizing and facilitations. States can also take advantage of new technologies to enhance their reach into our society and infrastructures, or monitor those they see as rivals and potential challengers to their authority within our borders.

Third, threats to critical infrastructure are fluid. They are malleable and can adapt in order to move around obstacles put in their path. This enhances their resiliency in the face of counterterrorism pressure, counterespionage strategies, and national security efforts against them.

Importantly, these three characteristics highlight a strong uniting feature of these major threats to our critical infrastructure, namely, the fact that they thrive in network form. This allows them to access areas they may not otherwise have access to, to easily engage with others around the world, and to exploit nodes that connect high-tech pathways to ancient smuggling routes still exploited today for illicit ends. Paradoxically, this means these threats require the critical infrastructure networks they threaten.

In this sense, it's important to recognize that the threat is not just nefarious elements that seek to destroy critical infrastructure, but also those that seek to exploit one critical infrastructure sector in order to achieve its aims against another.

I will highlight three major threats to critical infrastructure that exemplify the characteristics I have just spoken of.

First, extremist violence. Activities that support violent extremism include radicalization, facilitation, financing and conducting attacks. The threats from al Qaeda and Islamic State-inspired groups are the paramount threat to Canada. They manifest into three separate threats to critical infrastructure: extremist travellers using and threatening transportation; those who wish to conduct attacks within our borders, whether a lone act or attacks or those approved or even directed by the leadership of extremist groups overseas; and finally, the financing and facilitation of these individuals on Canadian soil.

However, it is essential that we recognize that the extremist attacks do not come from one source. This is especially true for critical infrastructure in Canada. It is worth remembering that every attack against critical infrastructure between 2004 and October 2014 was allegedly conducted by either left-wing groups or single-issue extremist groups. This includes the 2004 bombing of a hydro tower in Quebec, claimed by Résistance internationaliste; the May 2010 bombing of an RBC bank in Ottawa; and the July 2010 bombing of a Canadian Forces recruitment centre in Trois- Rivières, Quebec.

Second, cybersecurity. It is well known that Canada is regularly subjected to hostile cyberoperations. The majority of these are cyberexploitation attacks that seek to gain information, not only from governments but from private companies and institutions that states and private actors believe will give them tactical and strategic advantages in business, military and foreign affairs.

However, we are increasingly seeing cyberattacks that may cause physical damage to supervisory control and data acquisition, or SCADA, systems and critical infrastructure itself. The 2012 attack against Saudi Aramco and the 2013 data breach of a dam in New York are illustrative of the growing risks.

Finally, there are cyberactivities such as ransomware viruses which blackmail operators for cash, including this year a hospital in California. In fact, a recent report suggests that up to 30 per cent of ransomware attacks are targeted at hospitals. These operations may not constitute a threat to the security of Canada, but they may be funding illicit activities.

The final threat is state-owned enterprises, or SOEs. In my view, Canada needs to rethink its strategy regarding SOEs. While Canadian infrastructure requires foreign investment, the extent to which we should allow companies with direct or clandestine links to foreign governments to control the backbone of our economy and society is something that our leadership must reflect on, especially when these countries have shown hostile intentions towards Canadian interests. Aided by the resources of a state, including information gathered by cyberespionage, SOEs have an unmatched advantage in our system, based on the rule of law and the notion of free and fair competition, which may result in a skewering of the playing fields and an uncompetitive advantage.

Although Canada made changes to its Investment Canada Act following CNOOC's purchase of Nexen in 2012, challenges remain. SOEs can easily find ways to own less than 50 per cent of a company and still maintain control over it. They can also find ways to disguise their ties to states through layers of legitimate and shell companies, rendering it very difficult for Canadian authorities who may actually be calling the shots.

In my final few minute I will speak about what I see are the central challenges ahead for policy-makers. The first major challenge is the balancing of threat reduction in ways that do not inhibit the flows of the networks I discussed earlier. In enhancing our border security, we do not want to risk establishing impediments to tourism and trade. While protecting our companies from SOEs, we do not want to block them from much-needed foreign investment.

Second, the very nature of our system that makes critical infrastructure work is also what makes it vulnerable. This is true in at least three ways. First, critical infrastructure sectors are of necessity linked to one another. A collapse in one may have catastrophic effects in another. Second, redundancy in these systems is important, but it also serves to add complexity and even potentially make them more vulnerable with more components in a system. Finally, our federal system of government and Canada's capitalist system means that responsibility in our system is shared over many levels of government and among many actors. Developing a framework in which to develop standards and strengthen our infrastructure has been a challenge for years and is likely to remain so.

The irony of major attacks and disasters is that they provoke moments that a nation looks to its government for leadership at the very time it is least capable of acting, and this is the central challenge for government and this committee going forward.

Thank you for inviting me to speak.

Senator Mitchell: Thanks to both of you. These are provocative presentations. I'm very interested, Professor Chapnick, in the relationship you draw between fomenting fear and emphasizing fear in Canada and its relationship to trade with the United States. You would at least include in that fomenting of fear, fear about radical attacks and terrorism, would you not?

Mr. Chapnick: Historically, one of the ways to get Canadians' attention on the challenges that we face in national security is to draw attention to vulnerabilities that we already have. This committee has actually been extremely good at that in terms of security to airports, for example, where Canadians only learned about this largely because this committee did some work. The report was on the news, and all of a sudden Canadians were asking, "What are you doing about security at airports?''

Senator Mitchell: Do you want to say that again?

Senator White: We'd like it in writing.

Mr. Chapnick: We need to make Canadians aware, but we have a trend in the United States right now where there's a good-sized constituency that is simply looking for excuses to tighten controls at the border and looking for reasons to make it harder for Canadian goods to cross that border. If we suggest that Canada is not doing a good enough job securing its own, that is the exact information they need to justify pushing through policies that make the border thicker than it has to be.

So there's a real balance to be had between recognizing the vulnerabilities that we have but also speaking about what we're doing to deal with them, rather than just using the recognition of the vulnerabilities to get Canadians to say to their government, "What are you doing about this?'' That is the fear I have. There are all sorts of vulnerabilities, including the ones you mentioned, sir.

Senator Mitchell: Until recently, the focus on dealing with the terrorist threat in Canada has really been laws, some would argue threats to civil liberties. I voted against Bill C-51. My Liberal colleagues in the Senate also voted against Bill C-51, because they felt it went too far that way.

Could either or both of you comment on the emphasis that some say — in fact, I think I've even heard Senator White suggest — that policing organizations feel that the best days of their work are when they work within the community to prevent ever having to get to a point where laws need to be applied and civil liberties need to be threatened.

There is, is there not, much more developing evidence that working within communities and catching young people who are going down the wrong path early — that such a thing is perhaps the way to emphasize — and it would be consistent with what you're saying about minimizing this fomenting of fear?

Ms. Carvin: That's a very challenging question. Thank you for it.

Based on my experience in government and studying this from an academic perspective, there are two things. First, we have to be careful when we assign national security agencies a role in covering violent extremism. I don't necessarily think it's what they're good at or good for. This is why, generally speaking, I'm in support of an office for a coordinator for radicalization, which is one of the current proposals — someone who can coordinate efforts.

The challenge there is, what does coordination mean? Is it directing? Is it looking for best practices and sharing those best practices across cities? Again, it's actually a very similar problem to critical infrastructure in municipal, provincial and then federal programs. So I think that's one positive step.

The other step I would suggest in that direction in terms of a non-legal approach is that we need to responsibly widen our understanding of what the effects of terrorism are. I do not mean this in a scary way but in an empathetic way. We need to actually promote awareness that when extremists go into communities, regardless of what communities, they target children; they may try to siphon funds and redirect them to terrible purpose; and they create terrible situations in mosques, churches and things like this. This could potentially have very devastating effects on communities.

The two things I would promote are a lot of care and consideration toward the ways we think about CVE, countering violent extremism, in Canada, including what the role of the counter-radicalization office — I think I have the name entirely wrong, for which I apologize — will be; and the second thing is to have an empathetic widening of our understanding of how these extremists actually affect the communities. When a child goes off, the family of these individuals suffers terrible stigma. Maybe they can't go to their community centre anymore, and they hide it.

Those two approaches might hopefully prove fruitful.

Senator White: I have only one question. Thank you very much. Interesting commentary — and also some of the challenges we're seeing when you talk about borders with the U.S.

Do you see a need for us to have a national standard when it comes to infrastructure, whether it be at the municipal, provincial or federal level, that allows us to satisfy — rather than being treated differently, if it's New Brunswick and Maine compared to Saskatchewan and North Dakota — that we have a national standard that ensures that we are meeting a particular level when we are talking about trade with the United States?

Mr. Chapnick: That's a very fair question. We should have a national understanding. Given the jurisdictional challenges that we face in this federal country, having an organization like Public Safety declare to all provinces, municipalities and their relevant public sectors that "Thou shalt do things this way'' could discourage some of the information sharing that we need. In other words, if they are not meeting the arbitrarily imposed national standards, they may be more inclined to not reveal such a thing. That is as opposed to, "We have some national priorities. We have a national understanding of the language we're going to use to explain what 'secure' means, and it may be that different provinces have slightly different approaches to meeting those national ideas.''

The most important thing is to encourage cooperation. Imposing national standards in that context may actually discourage some of the openness and cooperation that we need.

Senator White: I appreciate that, but Public Safety Canada came to be as a result of post-9/11. The Department of Homeland Security happened in the south. It didn't include the FBI; it probably should have.

In Canada, Public Safety came about with promises of standards. We still don't have a national standard for a police officer in this country. We have 198 agencies, and they could be as different as A to Z.

Don't you think that maybe that's why Public Safety was put in place, to start identifying some of those? I'm not arguing standard or no standard, but we have nothing right now. It's absolutely right that the argument from the U.S. side could be that we're a threat or risk because, to be fair, the argument from me could be the same. I'm not convinced, either, in some cases.

Mr. Chapnick: Part of the reason Public Safety was put in place was to coordinate, because there was no central agency to wrap their heads around all of the different security-related institutions at every level that we have. More than to regularize and standardize, it was to figure out what was going on across the country. Whether Public Safety has done a good job of that is certainly up for discussion. Can they do better? Probably.

Senator White: We'll invite you back for that discussion.

Mr. Chapnick: However, I would say that given that 90 per cent of the critical infrastructure in Canada is privately owned, Public Safety doesn't have the same type of leverage to impose that it would if 90 per cent of the infrastructure in Canada were federally owned and controlled. It's not speaking from a position of power in quite the same way that it would be in other circumstances. So it would be challenging for Public Safety to do what you'd like it to do effectively.

Senator White: But we do it for nuclear. They're not owned by the federal Government of Canada. Whether a province owns it or it's privately owned, we do it for nuclear across this country right now.

So you're suggesting we couldn't do it for other high-level infrastructure?

Mr. Chapnick: I think that nuclear has a special way of getting into the public mindset that allows people to look at it with different rules than they would, say, hydro. People hear nuclear, they think of Hiroshima or Nagasaki, in which case their flexibility on control is different than —

Senator White: Great answer. Thank you.

Senator Beyak: Thank you for your excellent presentations. You have a great understanding of what we have to face.

I was interested in what you said about the border, because given that so many things are dependent on us cooperating and getting along — I'm thinking of the defence strategies, and the rail and highway systems — should we be moving toward some sort of bilateral agreement? Those are practices that they already do. Can we learn from them or other countries?

I liked what you said about making sure we keep it balanced — recognize the threat but also keep the border open.

Mr. Chapnick: I'll try to answer generally, and then Stephanie can answer in more detail.

This 2010 Canada-United States Action Plan for Critical Infrastructure is the beginning of that. It needs to be reinvigorated with a new American administration, but that is the place to go there. Encouraging this government to put some emphasis on that organization is not a bad thing.

Ms. Carvin: I would echo that.

The other thing I would suggest, though, is that when we're talking about the U.S. and Canada, one of the challenges — and I teach this in my class — is that we haven't actually really been able to define "critical infrastructure.'' Canada and the U.S. have sectors that we've defined, but what within those sectors is critical is really up for debate. For example, I've seen reports from the United States that suggest that tourism sites are critical infrastructure, as they're important for morale and the economy.

So that's one of the challenges we have, namely, understanding the principle of criticality in these systems.

That doesn't stop us, however, from looking at the very basic things, such as the electrical grid, for which already there's great interprovincial and state cooperation — also things like railways. Any cooperation like that can facilitate trade. Keeping an open border should definitely be supported.

Senator Beyak: Those are excellent observations, though, because we haven't really described it, have we?

Ms. Carvin: No, we haven't. It's one of the things I actually like to open my class with when I teach. What is critical infrastructure? Everyone has a general idea of what infrastructure is, but what is critical infrastructure?

One example I like to give is what about a hospital parking lot? Normally you wouldn't associate a parking lot as critical infrastructure, but in an emergency the doctors need to get to the hospital and park their cars, and we need to get people in and out. You have to widen it, but you don't want to widen it too much so that suddenly all parking lots are critical infrastructure, so it is a challenge. It has to take into consideration the local context.

The Chair: If I could just maybe have a few comments in respect to this, and maybe we can hear from Mr. Chapnick on this and Ms. Carvin. You talk about our relationship with the United States of America, and I don't think anyone would argue that we need to have good relationships with Americans, and they need to have good relationships with us. We have NORAD and an electrical system that provides a great deal of electricity for the Eastern Seaboard and on the West Coast. Our countries are intertwined.

At the same time I would like to go further, Mr. Chapnick, on what you had to say in respect to us having our own debate in Canada about our vulnerabilities. Are we taking the necessary steps to meet our responsibilities in the area of public security? If we're not, why not? That's part of a democracy, part of a public debate. That's why we have these meetings, and that's why you're here.

I would like to comment on this. The fact is that over the last 10 years we have gone into I think well over 40 free trade agreements with other countries, which gives us diversification and the ability to take our product and sell it to the highest bidder, depending on what it is.

Wouldn't that be part of our conversation with our friends south of the border, that we are becoming a much more diversified country, much more independent, yet at the same time we are your partner and we're prepared to work with you as long as you're prepared to work with us?

Mr. Chapnick: I think, senator, that some codependency is taking place: 35 American states look to Canada as their number one trading partner, and another 12 look to Canada as either their number two or three.

I think the challenge is that American trade with Canada represents about 12 per cent to 14 per cent of their GDP, and our trade with the United States is somewhere around 30 per cent of our GDP. So if the border were to close tomorrow, it would hurt us a lot faster than it would hurt them.

When it comes to the trading agreements, I agree that government has done a good job opening doors, but it remains the private sector's job to walk through them, and still today 75 per cent of our exports go to the United States. In spite of the fact that there are about 40 more countries we have agreements with — assuming CETA goes through — they're not being taken advantage of to the point that the percentage of Canadian exports is changing dramatically. We were as high as 87 at one point, but 75 per cent is pretty big.

The Chair: I wanted to raise that because that is another issue in this part of the discussion.

Senator Jaffer: Thank you for your presentations. I have questions for both of you. I'll start with you, Mr. Chapnick.

When I was listening to you, I was hearing the word "fear,'' fear in the community. Correct me if I'm wrong, but I was hearing that we have to be careful that we don't raise the fear, especially talking about Canadians. There has to be education.

I'm very interested, because I'm sure you've thought about this. What do you mean by "education,'' and how would that education be implemented?

Mr. Chapnick: That's a very good question. Thank you, senator.

I think we have to help Canadians understand what they can do to make themselves less vulnerable, for example, at the cyber level. Why is your password so important? Why is sharing your password such a bad idea? If we start at the grassroots with some basic security 101 issues that you can teach your children — in addition to crossing the street you also don't do this and you do that — I think we can change the conversation and the culture about what security means. From there we can move to how Canada is responding to the challenges instead of challenges you should be afraid of.

We end up talking about the same thing, but I would prefer to have the conversation in the context of what Canada is doing, as opposed to why you should be afraid.

Does that answer part of your question?

Senator Jaffer: I think that's very useful. When you say what Canada is doing, that would certainly raise the comfort level of Canadians. I wanted you to explain what you meant by "fear,'' and I think I understand.

I have a question for you, Ms. Carvin. I was very interested when you spoke about radicalization. I felt you spoke with a lot of passion about what it does to the family and what it does to the mosque. That is one side of the equation.

What does it do to the mosque, to the community, when the community feels threatened by the authorities, when CSIS walks into your mosque? I hear all kinds of horror stories. I'm sure you've studied this. There is a double-edged sword. There is one threat from your child, who sadly becomes radicalized, and the other is when authorities walk in. That's another fear and threat, and I would like you to explain that, please.

Ms. Carvin: Absolutely. Thank you for the question. I think the big fear is overreaction, and this is actually one of the things that extremists are often trying to promote —that they're not on your side; they can't protect you. It's awful. That just creates more fear, generally speaking.

I think it would be very important for the government to consider finding ways that communities can talk about these issues without feeling that they're going to end up in a database. What resources can we put forward around perhaps the question about non-legal remedies? We have to find ways for parents to feel comfortable going to someone who can do something.

You often see that perhaps the parent wants to take a child to an authority figure, but that authority figure may not have the resources to do something about it. Trying to connect resources to people in such a way that they don't feel that they're putting their entire family in some kind of database is important.

I'm not sure what stories you've heard. I don't think that national security authorities even have the ability to just walk into a mosque or anything like that, but the disruption — they can walk into a workplace. I believe those things are taken very much into the way they work. That's just based on my understanding of the process.

This is what I was saying about also having a more empathetic understanding of the effect on the community. I think we need better research on what happens in these processes. When you have extremists, is the result a galvanizing effect? Is that because we've actually put resources in place, or is it actually damaging social capital within these communities? It's a fascinating issue.

Senator Day: Thank you both for being here. It's a very interesting discussion.

Mr. Chapnick, you gave us two suggestions of how to manage the risks. You talk about the inevitability of demanding security challenges for the future. I guess we're all starting to recognize that.

Could you tell us what you had in mind? You talk about partnerships, but what did you have in mind in terms of increased North American resilience?

Mr. Chapnick: That is a very good question, senator.

I remember after 9/11 there was 7/7 in Great Britain. The day after 7/7 the British went back to work, and there was a great degree of national pride in the way the British said, "You can't scare us. You can disrupt us, but you can't scare us.'' I think we need that type of culture in North America.

If something bad happens, we and the Americans together, instead of hearing that the terrorists came from Canada, should say that we're going to fix this and we're going back to work. I think we need to work to build a relationship that is strong enough to withstand the problems we're going to have. I don't think you can create 100 per cent security. I think there will be breaches, and it is how we deal with them that matters. If we deal with them separately from the United States, I think we're asking for problems because they can cause trouble to our economy very quickly.

Senator Day: So it's how we will bounce back from attacks. I do quite a bit of work with NATO, and that term "resilience'' has taken on major prominence. I expect you will see it repeated several times in the meeting in Poland that is coming up this summer, in July.

The other question is for Ms. Carvin, if you could help me — as soon as I find what I was thinking about — regarding the point you made with respect to ransom at a hospital on the Internet. We're familiar with ships being hijacked and then someone asking for ransom, and we're familiar with threats that we're going to blow something up if you don't deposit some money in a mailbox somewhere. We see that kind of thing quite often.

Can you tell us about this situation, I think you said in California? Is this a growing trend? What are we doing about this one? Is it the same? We react to the ships being hijacked quite nicely as an international community. How are we reacting to ransom on the Internet?

Ms. Carvin: Thank you for your question. Yes, it is something of a growing trend. I have some excellent students who did some research on this last term, which is great.

One of the concerns is that it's not just the information systems that these ransomware viruses go to but to the actual medical equipment itself. Increasingly, we can see computer ransomware being targeted at actual medical equipment, and that's a bad situation. This is something that we have to increasingly consider. There's not a lot of attention on it.

As to what we are doing, to be honest, I can't tell you. It's beyond my knowledge. I believe we need to direct more attention to this, particularly when it comes to hospitals, but there really is no standard as far as I'm aware for the cyberprotection of medical equipment. Even if you could develop it, the rate at which these ransomware viruses develop and the many vulnerabilities to them pose such considerable challenge in trying to deal with them going forward that I do believe this is something we'll increasingly be dealing with in Canada in the next couple of years. I wish I could be more optimistic on this point, but right now I'm just not.

Senator Day: I'm a little concerned. I don't know if you were here for the last witness from Communications Security Establishment Canada, but she made the point that incidents of cyberattack or some cyberactivity that is not welcome are up to 100 million a day. To fit in with that, I can't see how we're going to deal with this very quickly.

Ms. Carvin: I believe that Canada is dealing with a cybersecurity strategy, but it seems to be a little slow in coming. I know that it was part of the last government and part of this government to have cybersecurity initiatives, but it does really get back to the heart of some of the challenges we have with critical infrastructure, with the additional problem that this is moving exponentially faster than some of the other challenges that we're having.

I believe it is something the government should absolutely be prioritizing. It comes down to the challenge when I was in government. What are the paramount threats to national security and how do you rank terrorism over cyber? In this case, I'm not sure it's useful to think of them. They rely on one another to a certain extent, but this is such a considerable problem in such a multifaceted number of ways that I absolutely would advocate much more attention and much more resources being dedicated to the cyber issues that we're facing if only because they're so interconnected to all the other problems I talked about.

The Chair: Could I just perhaps go into a different area, and Ms. Carvin, perhaps you have some knowledge on this. I'm referring to the issue that is now being addressed more in the United States than in Canada, namely, the issue of electromagnetic pulse. In your research and background, have you any comments regarding how you see it in the United States? It's just becoming an issue here in Canada, actually through our committee, for public discussion.

Ms. Carvin: It's a very glamorous issue in some ways because I think the weapon has been featured in so many films and things like that. We've seen a lot of it.

I would put two things forward first. First, you can actually produce effects similar to those of an electronic magnetic pulse without an actual electronic magnetic pulse. There are believed to be conventional weapons that could do it, such as a cobalt bomb. It is believed this may have been used by the Americans in the Balkans and in the Iraq conflicts, and they were able to produce a similar effect to an electronic magnetic pulse. It is not just an electronic magnetic pulse that is at issue here; there are other ways of doing it.

Second, to a certain extent I think there is some skepticism within the academic community as to how much of a threat these are. The more important thing is do you want to have a strong electrical grid irrespective of where these threats are. There could be a solar flare, for example. To a certain extent, I think that would be more likely than an EMP. There is no reason not to have strong, protected electrical grids.

With EMPs, the often heard line is the only way you really get one is with a nuclear weapon, and if a nuclear bomb goes off in Canada, we will probably have considerably larger problems than just the electricity not working.

That being said, the other factor here is would a terrorist group use one? In my view, terrorists or violent extremists in Canada tend to be practical in their orientation. They're instrumental and want to get things done. Rather than getting hold of one of these, they would use a pressure cooker gun or a bomb in a mall to produce chaotic effects.

Would a state use one? You have the usual suspects. China needs us to be fully operational for them to be profitable. Would North Korea use it? The extent to which they have a nuclear weapon is not entirely clear yet. I don't yet believe they have the capacity to deliver such an attack, if they did.

I'm not saying they don't exist, and I'm not saying they're there. I just think we need to take a breath. There seems to be an industry of individuals with kind of sketchy former ties to the intelligence sector that are trying to push this forward. To a certain extent, I think these succeed because the idea of an EMP is so terrifying that a lot of people get scared. However, when you sit down and think about who would use it and what would be the strategy behind it, it is a bit more sobering. There is no reason why we shouldn't have a very strong electrical grid that could protect against either solar flares or other electrical problems.

The Chair: That is a very significant financial commitment.

Ms. Carvin: Yes.

The Chair: That is, to upgrade the current system the way it exists today. Are you telling this committee that, even from the point of view of a solar possibility and also the other possibilities that are out there, Canada should be seriously looking at not only the expansion of existing grids but also the current grids, looking at reinforcing them? If they are, it is a huge financial commitment.

Ms. Carvin: The last great threat to our electrical infrastructure was a tree branch in Ohio in 2003 which caused the blackout. Maybe we should also look at trimming the trees. It's hard for me to say. I think it is a little much to go that far. It's the high-impact, low-probability event that all analysts kind of think about going forward. I do believe that the risk of such an event is fairly low. Is that the actual standard to which we want to develop our critical infrastructure? I think we have to balance the probability with things that might be better spent on, again, tree-cutting issues, general maintenance and things like that. I can't say that it would be my first recommendation to this committee.

Senator Mitchell: Mr. Chapnick, again, back to the Canada-U.S. border and the thinning of it, it seems to me that it would follow from your observations that the agreement that was captured by Mr. Trudeau and Mr. Obama with respect to the exchange of information isn't an undue threat to privacy or a concern in that regard.

Mr. Chapnick: I think that Canadians will have to accept that we are going to have to trade a little bit of privacy for the combination of security and access.

Senator Mitchell: Dr. Carvin, I think this committee is very interested in looking at a specific study on cybersecurity. An earlier witness mentioned the fact that it's really focused in Public Safety, and it's in the minister's mandate letter, in fact. If you were the Minister of Public Safety for a day or two, what would you suggest needs to be done for Public Safety to coordinate effectively, particularly for the private sector?

You can see where the federal and provincial governments are at least definable in a way that the private sector isn't. What does it take to do that?

Ms. Carvin: Thank you for the question. I believe, to a certain extent, one of the most important things we could do is information sharing, not just between federal agencies, but also between the private and the government sectors.

As it stands, private companies have virtually no incentive to go public with their giant data breaches; we've seen the horror stories that result, whether it's Target or Sony, from their data breaches.

Again, to a certain extent, it's creating strong relationships with the private sector so that they feel comfortable coming forward with their needs or saying, "We've come into an attack here,'' just so we have a better understanding of the scale of the problem. I can't speak to what the CSE representative, perhaps, said, but it's my understanding the government has a fairly good idea of the number of attacks against the government, but we don't actually necessarily have the mandate to understand the number of attacks against the private sector or against Canada as a whole.

I think one of the most important things the government could do is to promote better information sharing, in some kind of confidential way, so that companies would feel better coming forward with their breaches. We would have, perhaps, a better understanding of where they're coming from, but also what the private sector is doing in reacting to it, if they're doing anything at all, which might be another problem as well.

Senator Jaffer: I have a quick question for you, Ms. Carvin. I believe that the community would cooperate much more if it didn't think it was going to be part of a database, or if their child would be marked. I believe the mother knows when the child has more money or weapons, or is doing something out of the ordinary. But a mother is not going to go to the authorities because of what could happen to that child.

I wonder if either of you have ideas about how we can create that place of trust that families can go to without their child being marked.

Ms. Carvin: Thank you for that question. This issue is one that fascinates me very much.

What I would suggest first, however, is that one of the problems that communities have is that they do actually have challenges in identifying those indicators that their child may be moving toward violence. Perhaps they had a partying lifestyle beforehand, and suddenly they're religious, and they say, "This is a great thing. This is not a bad thing at all.'' Perhaps they're not that familiar with some of the websites they're going to, or not monitoring them. Increasingly, we're seeing that radicalization takes place online, on smartphones, and through targeted recruitment over peer-to-peer messaging. I think it's hard for parents to know.

I'm a little bit concerned that we haven't yet properly defined the role of law enforcement agencies in the CVE, or countering violent extremism, efforts. One of the things those law enforcement agencies can do is work with the communities to provide those indicators to help create trust. But then, as you say, the second problem emerges, which is how you then establish those relationships where they can come forward to a trusted partner.

We're seeing innovative stuff happening in Montreal and, to a certain extent, in Calgary, in terms of trust and commitments. Public Safety Canada had round tables where they went to the communities and shared stories and narratives, and I think it's wonderful that they did that.

Those kinds of initiatives — perhaps not at the pointy end of the stick, but much further down the stick, as it were, to go forward and explain what the roles are — are absolutely vital, but I also believe that much of this has to be community-driven, and this perhaps is where the offers of the coordinator for radicalization or CVE will come in handy because they can look at the different efforts and say, "Have you tried this? This program is working here.'' There is a lot of potential.

Senator Beyak: Thank you, Mr. Chapnick and Professor Carvin. You're both impressively knowledgeable on this issue.

I wonder if you could give me your opinion on a three-part question. We had Professor Rudner here back in 2010, and he said at the time that Canada's approach to critical infrastructure was passive and reactive.

I wonder three things: whether you have feel we have come forward since that time; if you agree with his assessment; and if either of you have found, in your research, a model that is working elsewhere — a nation that has got it right — that we could learn from instead of reinventing the wheel. Thank you.

Ms. Carvin: Thank you for that challenging question. Fortunately, the program I teach on was partially founded by Martin Rudner. He is a very interesting individual who is passionate about these issues.

I would suggest that because of some of unfortunate events we have experienced, like the October 2014 attacks and the increasing awareness of cyber issues, I no longer believe that we are passive. I believe there is general awareness of these issues and what these threats are, and that has something to do with it. If that's coming forward, I think that is one important step that we are definitely taking.

In terms of a model that is working, what I can tell you is that we, in our program, are regularly approached — this isn't an advertisement, I swear — by countries from the Middle East in particular, who see us as a model, and they don't know how to make policy in this area. We sometimes are able to provide them with advice, or they send individuals on our courses, to learn what the Canadian system is and how it's doing, and sometimes that's as simple as how you create a policy between different levels of government. We can have those conversations.

I don't want to say we're the best model, but perhaps we shouldn't always be afraid that we're the worst, either, because other countries are actually looking to us.

Mr. Chapnick: Very briefly, Martin Rudner taught me, so that connection is all over the place.

I agree that we might have been passive pre-2010, but I think that we are more active now; I believe this committee is evidence that we are more active now than we were. I think reactive is somewhat inevitable in a liberal democracy that hasn't experienced the type of catastrophic events that galvanize the combination of the public and the political level to act aggressively. I think it's unfortunate and lucky at the same time.

The place that we looked to in my class quite often when we talked about cyber resilience is Estonia, which happens to have been the victim of a brutal cyberattack. They seem to have their act quite well together when it comes to cyber, but I wouldn't want to have the incentive that Estonia had to get it right.

The Chair: Colleagues, it is 4:30. I want to thank Mr. Chapnick and Ms. Carvin for coming to the committee. We very much appreciate what you had to say.

As we continue our look at threats to Canada's critical infrastructure, we're pleased to welcome Kevin Quigley, Associate Professor and Director, MacEachen Institute for Public Policy and Governance at Dalhousie University. Mr. Quigley currently teaches strategic management in the public sector. His research interests include public sector risk, crisis management and critical infrastructure protection. He has been an investigator on several critical infrastructure protection projects, including supply chain risk analysis and management in New Brunswick; strengthening the resilience of the Canadian water sector; adapting to vulnerabilities in the transportation systems' critical infrastructure; and terrorism, security and society, among others. He holds a PhD from Queen's University Belfast.

Next to Mr. Quigley is Andrew Graham, Adjunct Professor of Public Administration, Queen's University. He is the National Editor of the Case Study Program at the Institute of Public Administration of Canada. Professor Graham has over 30 years of public service experience, including 14 years as an assistant deputy minister with different departments, such as Agriculture and Agri-Food Canada; Senior Deputy Commissioner of Correctional Service Canada; and Warden of the Kingston Penitentiary. He has written a textbook entitled Canadian Public Sector Financial Management. In 2011 he edited a publication entitled Canada's Critical Infrastructure: When is Safe Enough Safe Enough? for the Macdonald-Laurier Institute's National Security Strategy for Canada series.

Welcome. I understand you each have an opening statement. We will begin with Dr. Graham.

Andrew Graham, Adjunct Professor, School of Policy Studies, Queen's University, as an individual: Good afternoon. I appreciate this invitation to participate in this important discussion. Over the years of my career as a public servant and subsequently, I always looked forward to discussions in the other place because they tended to have much longer- term perspective than what would be the headline tomorrow. It's always a pleasure as a public servant to appear as a witness.

I understand that the base of my invitation is the publication that I did several years ago, which you just referenced and which is available in PDF form on my website. We will get it for you. This was published as part of two reports, the second part of which I would also bring to your attention, by the Macdonald-Laurier Institute. The second was a series of short pieces on solutions to some of the problems that I've identified, which may in fact be of some use to you.

I conducted this research through a thorough review of published material, including, obviously, Professor Quigley's material, which is seminal and very important to thinking in Canada today; a series of interviews with some government officials; a number of industry representatives from some sectors, most notably the electrical sector; and discussions with certain police services across the country. One of the other areas of research and activity I'm involved in is police oversight and governance. I continue to work after my many years in criminal justice with police services across the country. My observations will go to those towards the end.

While I came to this research with relatively fresh eyes in terms of both the security of infrastructure issue and its relationship to terrorist threats, I base my work on my extensive experience, which has already been referenced, and on my continuing interaction with police. I propose to briefly summarize my research findings on the first report and conclude with some brief commentary on issues senators may wish to consider in terms of the direction for policy and practice in this area following from this committee's previous work, which I think has been very important in moving the goal posts.

Perhaps the rub of my findings was that we have a massive decentralized complex of critical infrastructure, which you've heard many times, for which there are many residual forms of risk but for which we have scant evidence that there are specific risks associated specifically with terrorism that we can respond to. In other words, we could foresee all kinds of problems, but what's the evidence that we are having all kinds of problems? That has to be the first question asked.

I do not mean to say this is simply a "Don't worry, do nothing, be happy'' sort of conclusion. Rather, it was an effort to take what I see as a realistic review of risk, studying that and teaching it, as I have, to what should be done. I think it's very easy in this area to foresee all kinds of unforeseen risks. I think it's very easy in this area to create more fear and anxiety than resolve to mitigate real risk. There are so many triggers in this field, some of which have already been discussed in the short time I was here this afternoon, that can create an elevated sense of risk without evidence to back it up.

Coming to a ready conclusion that we are doing enough, even if we knew what enough actually looks like, is fraught, I think, with real danger. I can readily see that this whole issue fits into what we have come to call a wicked problem or complex issue. This complexity, in itself, can create confusion and fear with the public and is readily open to manipulation, most notably by the media.

After taking a closer look at the various forms of critical infrastructure that we have in this country, I realize we don't have a system of critical infrastructure in this country. We have a complex of infrastructures. That complexity, in and of itself, lends itself to both confusion and the potential for people feeling that we are more at risk than we are. Further, within that complex, there are certain well-defined systems, such as the electrical distribution system and oil pipelines, that function very well as systems. They function very well on their own, but mostly on their own, having developed over the years to respond to specific challenges in their own specific areas.

So I can talk to the head of security for Ontario Hydro, which I did as part of this research, and they have a very specific sense of the threats that they are facing. I really believe you have to talk to the front line in any of these organizations and not simply to the people at the head office, and they have a very specific, concrete set that don't necessarily fit into a terrorist Armageddon-type of worldview. I'm going to describe later what I think it's founded on, which is a knowledge of the local community in which they're operating and a knowledge of how the systems actually work.

Where we do face some threats is in how the systems either interact or have mutual dependencies, which is what's further growing. Critical infrastructure in Canada is complex, and it's getting more so. It's geographically dispersed and owned by many different players with different agendas and concern for those threats, real or perceived. By its very nature, much of it is vulnerable. The question that arises is if so much of it is vulnerable, why haven't a whole bunch of bad things happened? While we can cite some bad things that have happened, we are not seeing a consistent pattern that would suggest it, even though there are some of those vulnerabilities, like an electrical line crossing northern Quebec in a very isolated way, physically inspected maybe once every six weeks or two months, monitored with electronic monitoring systems that could be overridden by a cyberattack. Why haven't things gone wrong? Because there's a lot of good work being done at the front end of organizations.

Powerlines and pipelines that cross vast, sparsely inhabited areas of land are, by definition, more vulnerable than those in more populated areas due to isolation. However, the intensity of critical infrastructure in more populated areas often represents an inherent risk due to its complexity and due to its proximity to large populations. The degree to which such risk can be mitigated is defined by the interests at stake, not necessarily by the degree of the risk. For instance, the costs of mitigation for privately held critical infrastructure are very real. They're very real to their owners, and they affect the profit margin of those organizations. Are they incentivized to do something only if they feel they have to? Is their line going to be different than for someone perceiving it from a broad systems point of view, say, sitting in Ottawa, from a government point of view, doing analysis? Yes. There are going to be quite different views about what they should be doing, and getting to some common ground is really, I think, a challenge.

I have heard private sector people quite rightly assess such risks with an eye to how credible the risk is and what it would cost to fully mitigate it. Is that right? I'm simply reporting what I have heard.

Such calculations weigh heavily in this field, even when regulatory oversight comes into play. I want to speak to that later.

My broadly based conclusion was that what we really lack are the metrics or measurements to determine an adequate level of response to threats and that this is a systemic, endemic and global problem. It's a dynamic process. I give the federal government credit for trying to herd this bunch of kittens, but it is a bunch of kittens. As we all know, some kittens have claws. By that I mean that there are so many jurisdictions and sectors involved that having the ability to say that everything is under control would be fanciful fiction at best.

My overview conclusion, however, was that the actual threats to critical infrastructure, most notably from the terrorist source, are unstated but also subject to exaggeration based on what we call, in the risk-analysis field, the available heuristic. In other words, if this bomb blew up in Ankara last week, it could blow up in Burlington tomorrow. That's just taking an example and moving it into your own environment, and that's a real tendency that happens in the world of risk.

But I would also add that good and effective risk assessment does not happen on global levels; it happens in communities and at the front end of how systems operate. There are a lot of interesting things going on, but one of the things that I observed was a seeming disconnect in that conversation between those who tend to try to generalize at the national level, try to make it all one system, and the fact that we are living in a complex world with a lot of pointed ends. There are great people doing great work down there. The communication between the two isn't great.

I would just add four critical observations and then turn it over to Kevin.

I saw a real disconnect between those taking the national, macro view, with a strong focus on terrorism, and those engaged at the front end of critical incident systems and local police, with a great concern for vandalism leading to major systems breakdown. A gang of bikers taking out an electrical distribution system to steal the copper wire can shut down the system just as much as someone driven by terrorism. Local police working with their communities over time produce a level of intelligence, awareness of these systems, that the macro systems are not necessarily equipped to do.

What we are now seeing emerging as an alarming threat is the single radicalized actor working on his or her own, who has been inspired, as in this previous discussion, to do something by such groups as IS. These are the ones that only local and ongoing conversations can, in fact, deal with.

I have long believed that we need to listen to those at the front end of organizations. I'm not sure that their voices are being heard enough. That observation came out of my research basically very viscerally when you talk to people, saying, "We're identifying these things; we're talking certain danger; we're hearing another agenda at the national level.'' Interesting observation.

A couple of broader observations: I think that there's a very real human resource capacity issue at play with respect to critical infrastructure and the threats that they face. By that I mean the need to grow the skill sets for people working in the system, the need to develop, as we saw with the Carleton example from your previous witness, courses to understand and develop skills in this area. Developing areas of expertise within the various critical infrastructure systems and across them is a human resources challenge. I know that this isn't sexy, but, in fact, having the right people with the right skills in the right place is kind of important in this area. This is a new and emerging set of knowledge.

There are people with considerable skills in this area, and I'm impressed by them. They often work either in isolation or within one of the system's stovepipes. Therefore, someone in the pipeline is a pipeline person; they would never talk to someone in cyber. Yet, today, these things are becoming integrated. There's no human resource strategy in a field that demands a human eye and instinct to understand potential risk and validate it.

I would advocate for a sector human resources council, such as have been in existence, although it was unfortunately suspended in the police area for a number of decades. The police sector council was an attempt to develop police human resource capacity, and it did some amazing work over the period of its existence.

There's a knowledge capacity issue at play here, one that Canada can make a major contribution to given who the players are in the field right now. In some respects, we really do not know what we do not know in terms of the nature of the risk, what can be done, who is doing things that we can learn from, and how we can develop transferable knowledge of solutions, techniques and risk mitigation that can transcend these stovepipes.

I would suggest more research capacity. I'm sounding like an academic, but it would be really nice to talk from an evidence base on a lot of these things. Unfortunately, in this field, while there's a lot of evidence, there's also a lot of non-evidence walking around the issue. Therefore, thinking about how we develop knowledge in this area is very important going into the future.

The speed of change in the cybernetic area is of concern for two reasons. Obviously the hacker phenomenon writ large remains a growing concern. We now see a nation stage attacks and their victims responding. What can this mean for the future? The need to ensure our defence systems are up to date is a key concern. The other side of these phenomena with respect to critical infrastructure is the growth of remotely monitored control and observation systems being put in place in our critical infrastructure in the name of improving safety. These are not immune from manipulation. We have to worry about the potential for attack.

Over the past decade, I have seen our police services — nationally of course through the RCMP, but most notably in our large urban police services — engage more and more in investigations, operations and community-based interventions associated with the detection and prevention of terrorist activities. They have been compelled to skill up to respond to these and have done some amazingly good work, both at the point of investigation and on the part of trying to develop community interactions that ensure we never see a situation where a problem has arisen and it becomes a cold call between the community and the police. They have to be interacting.

The police services, in responding to these circumstances and doing this work, have incurred major costs. This has become a major cost driver in the area of policing as resources are deployed. New analytic capacity is added, and greater interoperability adopted between and among police services. These costs have not been given the recognition they deserve.

So these are some trends that my research has identified. A number of remedies are available. I've suggested some to you. I see three broad areas where we need to improve, as well as those specifics I've just mentioned. We need to improve how government and industry assess risk and communicate it; we need to grow our knowledge base through research, centres of excellence, sharing of leading practice through documented cases and forums for professionals in this field to interact; and finally, we need to develop more incentives for industry to invest in critical infrastructure resiliency and resource new players within the public sector, as well as increase the regulation by government and the setting of standards for this through the government's regulatory capacity. Thank you.

Kevin Quigley, Associate Professor and Director, MacEachen Institute for Public Policy and Governance, as an individual: I'd like to talk about risk regulation to limit the possibility of low-probability, high-consequence events, disasters, crises, so-called black swan events, to our critical infrastructure. I'm talking about natural disasters, industrial failures and terrorist attacks. I'm not going to limit myself to terrorist attacks.

My recent research is focused on two critical sectors in particular, the Canadian transportation sector and the chemical manufacturing sector. I've done a fair bit of work on the food sector as well. I study risk regulation in a broad context looking at the law, markets, media, public opinion, organized interests and organizational culture.

Markets, left to their own devices, do not always prepare for black swan events. In fact, markets can increase the probability of black swan events by rewarding risk-taking behaviours. We saw this in in the Lac-Mégantic tragedy in which regulatory standards and business practices designed to improve efficiencies and reduce costs contributed to a failure that ended in disaster. Small and medium-sized enterprises, companies like Montreal, Maine and Atlantic Railway, are increasingly important to global supply chains, but they don't often have adequate risk management staff, expertise or insurance. They respond to profit motives and don't give much attention to preventing disasters they feel are unlikely to occur. This makes perfect market sense. Markets are central to our society. They are the foundation of our economic system, but they reward behaviours and ways of thinking that don't always contribute to effective critical infrastructure protection.

In particular, while some critical infrastructure organizations have a safety culture, with the exception of larger airports and larger rail companies, few organizations have a security culture. Not having a security culture creates vulnerabilities for companies but also for supply chains and everyone who depends on critical infrastructure. This is a failure of market forces which governments must address.

Yet governments are ill-equipped to address these market failures in critical infrastructure. Since the 1980s, the dominant narrative in Canada has been that private industry with the profit motive is better at managing critical infrastructure than government. As a result, most critical infrastructure has been privatized or outsourced and, at a minimum, afforded considerable regulatory flexibility.

At the same time, governments have been hollowed out. They have been unable to keep pace with the technical sophistication of critical infrastructure. As a result, government officials now arguably lack the knowledge, skill, time, flexibility and credibility to keep an eye on the CI owners and operators who manage risks to critical infrastructure.

Government finds itself in a conundrum. Polling data suggests Canadians do not consider security a high priority, certainly not compared to health care and economic concerns. Yet the public holds government partly, if not completely, responsible for critical infrastructure failures, despite the fact that government has less and less control over it. The public expects their governments to act and will blame them if they do not. In response, governments assume a cooperative stance with industry and use euphemisms to mask unclear accountability, terms like "information sharing,'' "trust building,'' "partnership,'' "stakeholder,'' "leadership at all levels'' and "federal family.''

Meanwhile, media fails to keep a watchful eye on critical infrastructure risk regulation. Black swan events generate a lot of media coverage and a ruthless hunt for someone to blame, more so with industrial failures than natural disasters. However, disasters and crises are complex and require thoughtful and prolonged examination. Despite this, most media coverage ends the same month it starts and focuses more on personalities than on rational risk assessment. When a seemingly healthy boy in Ottawa died of H1N1 in 2009, for example, that event generated 15 times more media coverage in The Globe and Mail than the Canada Revenue Agency 2007 computer glitch that limited government's ability to collect or disseminate funds online, which, unlike the boy's death, had very serious and far-reaching economic implications.

Despite the rhetoric of markets and competition, many large CI organizations are protected from market competition. After all, to borrow and modify an American catch phrase, they are too critical to fail. This dynamic increases government's incentives to restore CI companies after CI failures. Under the guise of competition or security considerations, companies can withhold information from the public. As a result, government often doesn't know how seriously companies take it and how effectively they are managing risks. We do know, however, there are few incentives for most CI sectors to spend time or money on security.

Market failures, ill-informed media coverage, governments' diminished capacity for risk policy and management, and companies that are too big and too critical to fail — these forces converge to empower already powerful critical infrastructure institutions, which the public trust less and less.

While some careers end abruptly after critical infrastructure disasters, for the most part, organizations maintain power after black swan events, and sometimes even gain power. The governance system in place privileges stability, efficiency and political expediency. It is concerned less with transparency and accountability. Its commitment to learning over blame shifting could be improved.

It is increasingly important that we learn and adapt so that we can address risks associated with climate change, security, aging infrastructure and emerging cyber-threats. To strengthen our critical infrastructure, we must strengthen and extend independent audits, and I welcome the work of this committee in that area; report more frequently on performance, as Andy Graham just mentioned; share information more widely, including to the general public — we need an informed public on these issues; manage the risks associated with small and medium-sized enterprises; deconcentrate single points of failure; enforce appropriate standards and behaviour in a timely manner; increase mindfulness of security; and enhance fairness in our distribution of risks.

Critical infrastructure protection is not exclusively about government or security; it is about the assets that enable our civilization. We all have a stake in critical infrastructure protection.

The new government plans to spend considerable sums of money on our critical infrastructure. These investments can enable a significant step forward toward a more desirable society — smarter, greener cities, for example. Critical infrastructure investments can reflect the values and communities we wish to build. The planning we do today will take years to come to fruition. We must consider security, climate change, trade, and the economic challenges and opportunities of the future to maximize the benefits of today's CI investments.

Thank you again for the opportunity to comment on this subject.

The Chair: Thank you. We'll begin our questions.

Senator Mitchell: These were very interesting presentations. Thank you.

Dr. Graham, I'm very interested in your building-of-skills issue. You did give us some context and some you flushed out a bit, but could you give me some more? How would you do that? Are you talking about programs in university — master's degrees, technical programs, subspecialties in computer science or all of the above?

Mr. Graham: All of the above. I don't have an inventory of the current level of offerings in this area across the country, and I think it's time we took a look at what's available.

When you talk to practitioners in the field, one the questions I would ask — and I've usually become quite impressed about what they know and what they've learned — I've sort of said, "Who is going to replace you?'' And the answer is, "Well, we'll find somebody, and I'll train them.'' That's fine; that's a real knowledge-transfer way, and sometimes that's the only way you can do it.

But something struck me: I did a very cursory look around about how many degrees we have in engineering and critical infrastructure assessment. They have a degree between the engineering department at Carleton — and I don't mean to advertise for another university, but you have to give them praise where it's due — between Carleton's engineering department and the Paterson School. They're trying to bring that stuff together.

I think our community colleges and technical levels need to find ways to begin to teach certain areas systematically, at a tactical level: risk in equipment and all the cyberskills that are going to be needed in the future.

I don't have that inventory, but those are the kinds of things we'll have to build.

Senator Mitchell: Dr. Quigley, I don't know whether this was an implication of your statement, but it captured me, because I'm very interested in climate change, as are most Canadians — the threat to critical infrastructure because of climate change. We have a dam that doesn't have water any more. Is that an implication of what you're talking about?

Mr. Quigley: When we interviewed people at seaports, for instance, their number one concern was climate change. We frequently ask people: "What's your top-of-mind critical infrastructure threat? Low-probability, high-consequence sort of stuff.'' While there is this frequent reference to terrorism, and it gets a lot of media coverage, et cetera, to maybe reinforce the point that Andy was making, at the street level, that's not necessarily what people are as concerned about. At the seaports, there was a lot of concern around climate change — rising sea levels and what that meant for seaports. The Hurricane Sandy event was very troubling for people at seaports.

Senator Mitchell: There's a really important study, chair: climate change and critical infrastructure.

Mr. Quigley: If I may extend on that one point, I am almost reluctant, though, to pick a danger, because it's like casino-activity type stuff. So you need to bake it into the infrastructure, reduce the vulnerabilities around single points of failure and have some adaptive capacity.

I know the committee has talked about resilience before. There are different ways to talk about resilience. There's the organic concept where you modify the bounce back. The problem with the bounce back is that you bounce back to where you were when you were vulnerable in the first place. Why would you want to go back there?

You might actually want to bounce back better, which is a new way of talking about resilience, or use, as I say, a kind of organic process where you're kind of trying to survive, so you adapt according to your threats.

But I think it's a bit of a fool's game to zero in on the terrorism one, the natural disasters or the industrial failures — the accidents sort of thing. Rather, try to build better infrastructure that tries to take into account what the climate is going to be — not the climate change, but the threat environment, let's say, in the future.

For these critical infrastructure investments we're going to be making shortly, it will take a long time to roll that out, and then we will be living with that for the next decade or two. So we need to start thinking about what it will look like 10 or 15 years from now, and ask, how do we build strong, resilient, dependable critical infrastructure that allows us to take advantage of trade deals, be prosperous and efficient — and also manage the security environment where these trade deals will open up?

Senator Mitchell: This question probably more directed to Dr. Graham, but it might apply in both cases: Are you aware of Kanishka and the government-funded project, and is it something that could be focused on these issues?

Mr. Quigley: I've been funded through Kanishka. I wrote three papers. It was enormously beneficial for me, because I had collected quite a bit of data. I interviewed about 80 or so people on critical infrastructure in agriculture, transportation and dangerous chemicals. The Kanishka funding allowed me to get that data and flip them into three working papers, which are now on my website and have been handed in to Public Safety Canada.

So it was enormously beneficial. They built on funding I already had, and I could flip them into usable papers for everybody, mine that data and hire research assistants to do the work. It will be put into a manuscript, also. So it was enormously beneficial. I thought it was very worthwhile.

Senator White: Professor Quigley, I always go back to nuclear power, because when they look at their facilities, they look at the myriad of problems they could have rather than the one that's most likely to happen. So you're saying we should be doing that in infrastructure, looking at the myriad of problems that may happen with the dam system, whether climate change, terrorism, power outage, et cetera?

Mr. Quigley: It's worthwhile. If you're talking about what kind of scenario planning you do and what kind of exercises — I pointed out one of the limitations of some of the scenario exercises sizes that organizations sometimes do. They can sometimes pick friendly and convenient partners when they do these scenarios; they come up with these implausible scenarios, because those are the four or five departments that want to work together. But disasters don't come at you in a jurisdictional way. As Andy said, it straddles all three levels and orders of government, a lot of the private sector, and it requires a certain community response. So I think these over-orchestrated learning opportunities are highly constrained in that sense.

Then, are we actually transparent about what we genuinely learned that that exercise?

Just on that point in terms of how we learn, that's a really important one we have to be more creative about.

My sense would be that these are extremely low-probability events, and how we could focus all of our attention on — and also just the kind of the additional risks and threats we take on by overemphasizing terrorism as opposed to saying, "Do we have a genuinely institutionalized learning culture in place where we can bring forward mistakes and errors, and learn from those and build on them?''

The "lessons learned'' phrase always kills me. It's "lessons identified.'' It's not clear to me that we ever learn lessons; our organizational cultures resist it. How do we internalize genuine challenges to organizational culture and adapt? I think we need to do more work in that area.

Whether we learn from an industry failure or otherwise, it might help us to deal with a low-probability, high- consequence event. It will play out differently in the popular culture or media, but there's a lot to be said — we could concentrate a lot more minds if we can get some buy-in across a spectrum of low-probability, high-consequence events instead of saying, "Let's focus on terrorism,'' in which case you might get a certain degree of skepticism.

Senator White: Professor Graham, if I may, you talked about educational opportunities. Back about 15 years ago, concerns were raised about departmental security officers in every department in the country, primarily because they started at a different level. Often they were about administration and passes and things like this, and post-9/11 they became much bigger. But certainly from 9/11 to 2010-11 there hasn't been a dramatic change in the educational opportunities for those people. There may be some more training, but that is rote-based and not about learning new things. It's often about repeating the same thing over and over.

Are we in a better place now? You're trying to think of a place that you might be able to recommend without going outside of your university, I'm sure, but I can't think of a place. There are some programs, but they're all small.

Mr. Graham: Just to build on your comments, because I think they're right on, the security was, as you say, somebody who was looking after the administration. They have to now apply skills that they never had to apply if they're going to get into a safety culture.

Senator White: To gain skills they've never had.

Mr. Graham: They're going to have to do analysis of events. One of the things they have to get involved in is looking at patterns and advising around operations and understanding things going on. I've spoken to people in security and who may wear this moniker of the risk officer, and I hear, "What do I do?'' One thing that struck me continuously is how isolated they are from the overall process of running the organization.

Going back to your point about education, some good stuff is going on. I would suggest that there's not enough, and there's not enough that moves them into being effective at the new job of security officer. I would say a lot of these people before just got on with their experience and minimal education, and now they have to deal with analytics and a whole bunch of capacities that they never had. Degrees make a lot more sense in that regard.

Some universities and colleges are doing some things, but I don't think we're funding a lot of that sort of thing on a systemic basis. That actually drives it into the provinces, not just the federal government.

The Chair: That was the one thing that I would like to raise. Probably 80 per cent or 90 per cent of the infrastructure that we're talking about will be provincial, if not in the private sector, as to what is perhaps expected in terms of giving some care and attention to the question of critical infrastructure and what you can do to prevent it from being damaged or attacked.

I don't think we can concentrate just on the question of the terrorist attack. There are so many other elements to this that we have to understand. This is a very broad issue.

One aspect that we can take as an opportunity, I would say, and I'd like to hear Dr. Quigley's comment on this, is that from the point of view of what is happening globally and within the terrorism activity that's happening around the world and in Canada, it gives us an incentive to take a hard look at what we have and have this conversation. We can then promote a constructive look at how we're running our various systems so that we prevent ourselves from getting into a situation that we don't want to be in. That's primarily to have those individuals, companies and others, take it very seriously and take a second look, and look at how we can prevent someone or some people from damaging this particular type of infrastructure.

Perhaps you want to comment on that.

Mr. Quigley: Sure, I'm happy to. Thank you for that question.

I'll make a couple of points. First of all, I've done a fair bit of work with the U.S., the U.K. and Australia on critical infrastructure also. When I mentioned earlier that these documents are peppered with phrases like "trust building,'' "information sharing'' and whatnot without any kind of reference to standards or appropriate behaviour change, Canada is not alone in this. These phrases are in the U.K., American and Australian documents. The documents seem very similar in many respects.

However, I would say — and this is maybe a reference to an earlier comment from one of the earlier sessions — that security is a cultural issue and is deeply embedded in who we are and how we respond to it. I don't think it's all that easy to look at the British, Australian and American experiences. You just call that a best practice, let's say, and pick it up and bring it here. Even if you took the same strategies and put them here, it would be operationalized differently, because it would be operationalized in a Canadian context — maybe in terms of the Canadian identity, but also Canadian institutional arrangements. The fact that we have a strong federal system, that most of the assets are at the provincial and municipal levels and in the private sector, that might be different from the cultural and institutional arrangements in the U.K. I'm not really sure it's as easy to lift those experiences and plant them, even if you have the same language. I think it would be operationalized a little differently.

To your point about how we protect critical assets and how we prepare front-line staff, to go back to Mr. Graham's point about how we listen to front-line staff, I would really emphasize that with a lot of the critical infrastructure interviews we did, front-line staff don't take the terrorism threat that seriously. They just don't think it will happen here. "Not to me, not on my watch, not on my system.'' It seems like something for television.

That's why I would say that broadening the spectrum of possibilities and talking about low-probability, high- consequence events, sure, talk about terrorism on the menu, and the fact is that terrorism, if it happens, will have a different impact in terms of public response than a natural disaster or industrial failure; they play out differently in the media. In terms of practical application, there is benefit to thinking about these black swan events, talk about it that way, because you'll get more buy-in on the front-line level.

They're saying to us that they're worried about rising sea levels. As psychologists say, why not start with where the client or patient is? If that's what they're worried about, start there and try to introduce different kinds of scenarios that might include terrorism also. But I believe it has to be put in that broader context in order for it to be credible. It's such a low-probability event and so dramatized on television and in popular culture that I don't think people connect with it in their day-to-day living. That would be my observation.

Senator Mitchell: You make the point, Dr. Quigley, and I accept it implicitly because I'm an independent Liberal, that markets left to their own devices don't always prepare for black swan events, but I also believe that markets drive things, as you do. You're not saying that they don't.

It just dawned on me that there's a huge amount of investment risk in the potential for critical infrastructure attack and/or erosion in one form or another due to climate change. We have begun to require that public companies report on their assessment of risk due to climate change. I wonder if we need to require companies to report on their assessment of risk due to critical infrastructure vulnerabilities.

Mr. Quigley: I think we could be looking at a much more rigorous program in critical infrastructure. To give the players the benefit of the doubt, I think we've been in a maturing process, and a lot of it is about information gathering and getting the right people to the table. We're several years after 9/11 now. It's taken a bit of time, but I think we're getting there.

One the points I've tried to make before is that information gathering and sharing alone will not control the system. Not to suggest you want ultimate control over the system, but if you're trying to exert a level of control we need to talk about standards and appropriate behaviour. These are the critical assets upon which society depends, so maybe we need to have more discussions about more transparency and accountability, about how these assets are being managed, and have some confidence in the public.

Senator Mitchell: If we looked at it from the additional perspective of financial investment risk, it would draw in a whole different realm of intensity.

Mr. Quigley: I'm not sure what you mean by that. Could you clarify?

Senator Mitchell: If I'm investing in a bank, maybe I want to know which bank is taking best care of the potential for infrastructure cyberhacking.

Mr. Quigley: Indeed. I would add one nuance to it, but I agree. When I talk about fair distribution of risk in my statement, whether I invest in the bank or not, I depend on the bank, and even if I don't have money to invest in the bank I want to know the bank is safeguarding my money appropriately because these are critical assets for this whole community, not just the shareholders. I wonder if we shouldn't be thinking in those terms.

Let me make one other point.

Senator Mitchell: It would be one way to catalyze them.

Mr. Quigley: You're correct. I think that's true. One other point that I would make is do people trust the owners and operators of critical infrastructure? I was quite interested in hearing the discussion about cyber that's been occurring this afternoon. People don't trust banks generally, and government doesn't do much better, actually. Canadians tend to trust their bankers and government more than our allies trust theirs, but it's still a bit low. However, people trust the technology sector. They have incredible optimism, and they're very positive, yet there is quite a bit of vulnerability. You spent a good bit of the day talking about the vulnerabilities in the technology sector, but it doesn't resonate with Canadians. We talk about media coverage of cyber stuff, but cyber doesn't come anywhere near the other disasters I've been talking about — the industrial failures, the natural disasters, the pandemics. This blows cyber out of the water. People think highly and positively about their technology and very optimistically. They don't feel there is a danger or threat. However, when we get together as a security community, we talk about it, and we all agree that it is a big threat, a big vulnerability, but the general public does not connect with it in that way. They're very positive about that sector. An education program is required — not to scare them, but to bring them along and to say that there is a lot of vulnerability. We're in an unregulated space here, and there is risk associated with that.

Senator Mitchell: Some time ago, we did a study in the Energy Committee on transportation of petroleum safety, including pipelines. We met with Mark Fleming from Saint Mary's University, who is big on safety culture. A lot of what you're talking about, Dr. Graham, is culture. You referred to security culture.

Mr. Graham: Right.

Senator Mitchell: I don't know that I need an answer as much as I'd like to encourage that thought, because Professor Fleming makes some powerful points that what we think is safety culture really isn't. It's not just counting slips and near misses. And security culture is even more complicated. It took us years to get to the place we are now with safety culture to the extent that we got there at all.

Mr. Graham: One of the pillars of both the safety culture and the security culture is actually dealing with real problems. I would go back to Senator White's reference to the nuclear industry as one that has had a pretty good record of identifying and doing two things. First, it has identified real problems, not potential unreal or pretended problems. You mentioned near misses, but part of that culture is that you encourage and find ways in which the cracks are identified and you don't go to blame so quickly. The nuclear industry has done a really good job at that in terms of developing that kind of culture, and there is a lot to be learned from it. It is really quite shocking.

We have a rolling pipeline system called the railway. Is the safety culture as strong there? Well, I don't know what the answer is, but I don't know that we have the metrics or that it has been studied enough to know, but it needs to be.

Mr. Quigley: If I may add to that point, first, Andy's earlier reference to the risk officer could be a bureaucratization of security rather than a genuine engagement with safety culture. If you put somebody in charge, and if there is a template and a form to check off, that's an organizational culture of bureaucracy responding the way bureaucracies do. Put someone in charge and give them the forms, but that's not generally engaging in safety and security.

What I found in my research is regulatory simplicity, if I can say such a thing can exist in critical infrastructure. What I mean by that is that with telecoms, for instance, where you've got one government that largely regulates the sector, that makes it a lot easier. However, when you get into the messy business of the federal, provincial and municipal all having a stake in one sector, there is an overlap, and it becomes a lot harder to get a national standard. Telecoms make more progress; also, areas where the U.S. makes progress, Canada tends to make progress, for instance, in aviation. We found that regulatory simplicity, where customers thought the risk was real and where the owners and operators had a financial interest in it, for example with airports, you tended to get more progress. But where there was more complex federal and provincial interaction on the issue, where people didn't think the threat was real, customers didn't believe it. Seaports, for instance, are out of sight and out of mind, so no one deals with the threats at seaports regularly, whereas at airports you see it and feel it. There is a genuine emotional engagement from the customers, and they accept it because of the searing images of 9/11. But the seaports are off to the side.

The Chair: I have a general question here on your research. Perhaps you can tell us what is Canada's definition of "critical infrastructure,'' and have we also identified, as a government, the question of the key assets so that we understand what we have identified to be able to take the necessary steps to protect it? Have we got a list?

Mr. Quigley: The U.S. always had a short, sharp definition which I didn't think was too bad. I don't know if Canada picked up the same one. It was the cyber and physical assets upon which our society depends. Something like that.

The problem is that "critical,'' "infrastructure'' and "protection'' — each of those words — are totally explosive. What is critical? Who is on the list, and who is off the list? Because if you're not critical, that means you're not critical. That might even have funding implications for you if you're not critical.

The Chair: That's not always a bad thing.

Mr. Quigley: No, it's not maybe from our perspective, but sometimes you want to be on the critical infrastructure list if you —

The Chair: You don't just want to be there to get financed.

Mr. Quigley: Who wants to say you're working on something that's not critical?

The Chair: Somebody has to make a determination, don't they?

Mr. Quigley: That's right. What I heard from government departments at the provincial level is their anxieties over determining what's critical, because once you label it critical, then you will have to protect it, and you will have to take on responsibilities, and there might be liabilities associated with that. That's why there is anxiety about committing that pen to paper and saying what is critical around here.

The interdependence issue is highly complex. One small failure — we talked about the trees knocking down the power grid — where does it end? It is a highly interdependent and fragile system. My colleague mentioned earlier about which parking lots become critical when she was talking about the hospitals. Where does that discussion end? I think if you start identifying that, then you have a long inventory that is probably changing every day anyway. That is another risk: having an out-of-date list. That is, doing the list one year, and then the next year it has changed and then you have an out-of-date list.

I know with computer modellers they tried to have some complex, interdependent modelling. It is a huge undertaking, and it can pass its shelf life quickly because the systems are always changing. It's a tough one.

Senator White: Professor Quigley, you raised the seaport issue. In northern Australia there is an issue around a Chinese company — owned by China, obviously — that is trying to purchase a seaport in Darwin, I think it is. In Canada, I'm not sure that we would actually raise the same concerns if they were looking at purchasing the port at Sydney in Cape Breton, although it is a deep seaport. I know a Chinese company is actively looking at it. Do you think we need to do more around that issue and the issue from a perspective of the infrastructure of our national security — not so much natural disasters or terrorism but an infrastructure and national security perspective?

Mr. Quigley: You asked the question about foreign ownership. I've observed it, like others, in the media. I know the Americans have a lot of issues about who should own critical assets. I have written on this subject and can make the paper about seaport security available to the committee.

This is a pretty stressed-out group of people working in seaport security. When I made my own opening statement about markets, this is a group that really finds itself betwixt and between. Are they in market service, trying to get things to market as quickly possible? Or are they about security? We have done a lot of work on seaport security, and they are feeling more and more in the direction of markets and about efficiency, and they are concerned they wouldn't have the support to stop to do the checks they need to do. They don't necessarily feel like they have the support of the security apparatus in the country as well because they feel like they are a quasi-independent organization. Are they government? Are they not? It's a stressed-out group of seaport people.

Senator White: If you don't mind sending that paper, I would appreciate it.

Mr. Quigley: I don't mind at all.

The Chair: We're coming to the end of our time. I'd like very much to thank our witnesses for taking time and sharing their knowledge and experience with us. I'm sure we'll have you here another time in the future. Once again, thank you.

(The committee adjourned.)