SECD - Standing Committee

National Security, Defence and Veterans Affairs


THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS

EVIDENCE


OTTAWA, Monday, March 27, 2023

The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4 p.m. [ET] to examine and report on issues relating to national security and defence generally; and, in camera, for the consideration of a draft agenda (future business).

Senator Tony Dean (Chair) in the chair.

[English]

The Chair: Welcome to this meeting of the Standing Senate Committee on National Security, Defence and Veterans Affairs. I am Tony Dean, senator from Ontario, the chair of the committee. I now invite my colleagues to introduce themselves.

[Translation]

Senator Dagenais: Jean-Guy Dagenais, Quebec.

Senator Boisvenu: Senator Boisvenu, Quebec.

[English]

Senator M. Deacon: Good afternoon. Marty Deacon, Ontario.

Senator Richards: David Richards, New Brunswick.

Senator R. Patterson: Rebecca Patterson, Ontario.

Senator Yussuff: Hassan Yussuff, Ontario.

Senator Dasko: Donna Dasko, senator from Ontario.

[Translation]

Senator Gignac: Clément Gignac, senator from Quebec.

[English]

Senator Boehm: Peter Boehm, Ontario.

The Chair: For those watching live across Canada, we are once again focusing our attention on cyber-threats to Canada’s defence infrastructure. We are pleased to welcome to today’s session, from the National Security and Intelligence Committee of Parliamentarians, the Honourable David McGuinty, Member of Parliament for Ottawa South and chair of the committee; the Honourable Senator Frances Lankin, a member of the committee; Lisa-Marie Inman, Executive Director; and Nabil Bhatia, Review Analyst. Thank you for joining us today.

You have been invited to speak to your report from February 14, 2022, entitled Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack. We will begin by inviting you to provide your opening remarks to be followed by questions from our members. Mr. McGuinty, you may begin whenever you’re ready. Welcome.

Hon. David McGuinty, P.C., M.P., Chair, National Security and Intelligence Committee of Parliamentarians: Thank you very much, Mr. Chair, and thank you very much honourable members of the committee for your invitation to appear today as you explore the topic of cyber-threats to Canada’s defence infrastructure. As the chair has just announced, I am joined by Senator Frances Lankin, who has been a member of the National Security and Intelligence Committee of Parliamentarians, or NSICOP, since its inception. I am also joined by the executive director of the secretariat, Lisa-Marie Inman to my right, and Nabil Bhatia, a review analyst with our secretariat.

It is our pleasure to discuss the Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack. It is a 127‑page foundational report on the cyberdefence of government networks. Its time frame was between the years 2001 and 2021 — 20 years chosen deliberately by the committee to help indicate the evolution of our cyber systems and networks.

The National Security and Intelligence Committee of Parliamentarians submitted this report to the Prime Minister on August 11, 2021. It was tabled in Parliament on February 14, 2022.

[Translation]

The review examined how the government defends its systems and networks from cyber-attack. We conducted the review because of the importance of federal systems and networks, which form part of Canada’s critical infrastructure.

These networks store large amounts of personal information, and are used to deliver essentially every government service. They also store information on Canada’s military operations, defence technology and equipment, as well as information about military strategies, intelligence, and procurement plans.

The theft of information about military operations could reveal strategies, targets, and capabilities. This could jeopardize military operations, intelligence gathering, and the safety of Canadian Armed Forces personnel around the world. Government and military networks are under relentless cyber-attack by a number of states, most notably China and Russia, and may be vulnerable to malware and other forms of cybercrime.

Today, the federal government is a world leader in defending its networks. But this was not always the case. In the 2000s and early 2010s, China and Russia conducted successful cyber-intrusions against the Department of National Defence, for example. Also in the early 2010s, China carried out damaging cyber-attacks against 31 federal departments. This was a wake-up call in terms of the scale of the government’s cyber vulnerability and its poor defences.

Since then, the government has incrementally developed a strong cyber defence system, both in terms of governance and technical capability.

[English]

This brings me to our findings and recommendations. I’ll begin with two findings.

First, our report noted that over time, the government’s approach to cyberdefence evolved toward one that considers all government systems as a single enterprise. This horizontal approach has considerably improved cyberdefence, although we found it is challenged by the vertical nature of accountability in the government. Deputy heads have a lot of leeway to reject government-wide, horizontal cybersecurity policies and protections.

Second, our report noted that not all federal organizations receive the same cybersecurity protection. There are two related reasons for this.

First, the Treasury Board’s cybersecurity policies do not apply to the entire government. When they do apply, they do not always apply evenly.

Second, departments are not obligated to adopt the cyberdefence services offered by Shared Services Canada, or SSC, and the Communications Security Establishment, also known as CSE. They are not obligated to do so. This means that many federal organizations are entirely outside the government’s cyberdefence perimeter while others pick and choose services and do not subscribe to the full suite of government security services.

These gaps and inconsistencies, we concluded, undermine the strength of the government’s overall enterprise approach to cyberdefence. The interconnectedness of government systems means that the government’s cyberdefence perimeter is only as strong as its weakest link. For example, our report noted that the Department of National Defence, or DND, is responsible for monitoring its own networks. While the committee did not examine DND or any other departments’ cybersecurity specifically, we are confident that departments that receive cybersecurity services from Shared Services Canada and the Communications Security Establishment are far better protected than those that do not.

As we say in the report, CSE’s dynamic defence tools are world-class, and they are constantly evolving to keep pace with the threat. Because we did not look into DND in depth, we are very encouraged to hear that your committee is considering a study of DND’s cybersecurity.

Bringing more and more departments into the cyberdefence perimeter that has been created by Shared Services Canada and CSE creates a virtuous cycle, and this is how. As more departments subscribe to the government’s cyberdefence services, CSE obtains and analyzes more data, which allows it to better protect all the departments within the perimeter. Even though the protection offered by Shared Services Canada and CSE will never block all threats, their combined cyberdefence services offer the greatest likelihood of protecting government data and systems.

With all this in mind, the committee made two recommendations.

First, the committee recommended that the government continue to strengthen this enterprise approach to cyberdefence while keeping up with evolution in technology and the threat environment.

Second, we recommended that the government bring all federal organizations into the cyberdefence perimeter and provide them with a full range of cyberdefence tools and that the cybersecurity policy suite should apply to all federal organizations — which isn’t the case today.

The government agreed with both recommendations.

[Translation]

Indeed, we are pleased that, for the first time, the government provided an official response to our recommendations. And that it did so again when our special report on Global Affairs Canada was tabled in November 2022. The government’s responses strengthen accountability and transparency.

Having said that, the government has still not provided any updates with respect to the 23 recommendations contained in our other seven reports — all of which are listed in our 2021 annual report. This is not the only challenge that we have faced, however. As a committee, we also face three challenges in obtaining the information we are entitled to under the law and that we need to fulfil our mandate.

[English]

As a committee, we also face three challenges in obtaining the information we are entitled to under the law and that we need to fulfill our mandate.

First, several departments have cited reasons for not providing information that is outside the statutory exceptions found in the NSICOP Act, such as inappropriately refusing to provide relevant emails or a departmental study.

Second, several departments selectively refused to provide information even though the information fell within a request for information from the committee.

Third, the committee is concerned that departments are applying an overly broad interpretation of what constitutes a cabinet confidence. If departments were required to inform the committee of how many and which relevant documents are being withheld and on what basis, it would help resolve these challenges. Indeed, this year we expect Parliament to begin a comprehensive review of the NSICOP Act, which creates this committee.

While we look forward to making specific recommendations about potential reforms of the act to the designated committee at the appropriate time — drawing on seven years of practice — today I’d like to mention that the act could be amended to improve the committee’s access to government information.

In closing, I wish to say that all of our reports are the result of the incredibly dedicated work of my colleagues on the committee. The cyberdefence report is yet another example of a unanimous, non-partisan review of a crucial government activity by a committee of security-cleared senators and members of Parliament from all major parties and a number of Senate groups.

Thank you very much for your attention.

The Chair: Thank you very much, Mr. McGuinty. That’s a telling final comment. Thank you. I’m sure your presentation will provoke a lot of questions.

Before proceeding to those questions, I would remind participants in the room to please refrain from leaning in too close to the microphone or remove your earpiece when doing so. This will avoid any sound feedback that could negatively impact committee staff in the room.

Mr. McGuinty, Senator Lankin, Ms. Inman and Mr. Bhatia are with us today for one hour. To ensure that each member has time to participate, I’m going to limit each question, including the answer, to four minutes. Please keep your questions succinct and identify the person you’re addressing the question to.

I offer the first question, as in the normal course, to our deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: It’s good to see you again, Mr. McGuinty. There is no doubt that your reports are very important, although people still need to adopt them.

I’d like to briefly discuss the procedures involved when a report is produced, such as the 2019 report, which was already addressing foreign interference. I think security briefings are among the most important aspects of governing a country.

How is the Prime Minister informed of such a report? Is he briefed personally or through an intermediary? When he is informed of instances of interference, among other things, who else is in the room?

Mr. McGuinty: First of all, the committee does not make decisions lightly regarding the choice of topic. There are certain criteria used to arrive at a final choice. It involves deliberations among all members of the committee. After these deliberations, we proceed with the work. We obviously have an extremely qualified team within the secretariat; we work with departments, we work with the information.

In the case of the foreign interference report, I can’t recall the quantity of material, but I can tell you that we obtained over 2,500 documents and 37,000 pages of documentation. So we study the report, develop a plan for the review, and finalize the work. Once the work is finalized, the unredacted report is sent to the Prime Minister and the appropriate department. At this point, negotiations begin between the committee and the government. The issue is knowing where the government should remove certain information, but these tests are well established in law.

[English]

The government cannot redact our reviews on a willy-nilly basis. Upon receipt of an unredacted version, the Prime Minister does not sit with a black marker and black out passages. This is an iterative process among the committee, the secretariat and members of the government. They are bound, of course, to redact on four core grounds, which are stated in the act.

Once the review is finalized, it is presented to the Prime Minister. Once the Prime Minister has a copy of the unredacted version, I sit down with him and brief him for a period of time to walk through the details. The Prime Minister then takes the brief, will ask questions, might push back and might ask for more information.

You should know — and I think the committee and Canadians should know — that, wherever possible, the committee has always tended to be more transparent than less, pushing out for Canadians’ benefit.

That’s how the process works over time. Of course, once it is redacted, within a fixed period of time it has to be tabled on the floor of the House and the Senate.

Senator Richards: Thank you for being here today, Mr. McGuinty. These are two very quick questions. They might have been answered somewhat in your preliminary remarks.

How fast are these malware attacks evolving? How are we able to keep ahead of these attacks, or are we able to?

You mentioned cabinet confidence being interpreted, “too broadly.” I’m wondering how this might hamper security activities.

Mr. McGuinty: One of the things the committee was struck with when it came face to face with this challenge of cyberprotection by the federal government was the speed, multiplicity and different categories of actors — state, non-state, domestic, international and sometimes foreign state actors acting through criminal elements. It turns out it’s quite a sophisticated puzzle.

One of the things we came face to face with is that I think it’s fair to say that the speed of change, the speed of the challenge and the complexity are all accelerating.

With respect to cabinet confidence, the committee respects the need for cabinet confidence and understands cabinet confidence. There is a role for cabinet confidence. But there were a couple of instances where the committee came face to face with information where we had been informed that it was a matter of cabinet confidence but then we found the information through other sources. We have gently but persuasively worked with the Privy Council Office and the Prime Minister’s team to say, “No, sorry, you have to start working with us more openly and on behalf of Canadians; they need to know as much as we can inform them.”

Of course, we’re bound by the reality of dealing with highly classified information, where sources, methods and international relationships have to be protected, as well as the men and women who work in security and intelligence. I think we all accept that. I think Canadians accept that. But the cabinet confidence issue is one that is an organic, continuing dialogue.

Senator Richards: Thank you. As far as keeping up with the attacks by, say, Russia or China, we’re on par with that, or do you think we have work to do, sir?

Mr. McGuinty: I would say this on behalf of the committee: We were unanimous in concluding that Canada is a leader in and through its three main actors — the Communications Security Establishment, Shared Services Canada, and the Treasury Board Secretariat — we are very fortunate to have evolved. One of the things we did with the six case studies in this review is to illustrate the evolution and the iterative nature of where we’ve arrived at.

The committee is not in a position to say that we can deal with every and all and every sophisticated overture, but we have in front of us a very robust system, one which, for example, even the United Kingdom is now relying on from time to time. So Canada’s work through CSE is actually quite groundbreaking and I think internationally recognized.

Senator Richards: Thank you.

Mr. McGuinty: Thank you, sir.

Senator M. Deacon: Thank you, all four of you, for being here today. I welcome the question I ask to be answered across the table. That’s fine.

Again, I can still remember where I was when the report of 2019 came out, and the work of the committee with a high, as you said, degree of intelligence and competence is greatly appreciated.

You mentioned, Mr. McGuinty, when you were speaking, that the recommendations from the Treasury Board, the policies and the services be extended to all federal organizations, including Crown corporations. Last week, I asked the witnesses who were here from CSE about this and was told essentially that the work is ongoing, but the sense I got was it was almost voluntary. That’s the sense I got. It has been some time since these committee recommendations were made to the Prime Minister.

I’m wondering if you can give us a sense of why you think it’s taking so long to get Crown corporations under the TBS cybersecurity umbrella. You described a number of factors today — the responsibility that some may not recognize the urgency of protecting their cyber systems.

Mr. McGuinty: I’ll go first. Maybe Senator Lankin might want to chime in.

With respect to why the government has not moved more quickly on these recommendations, that’s a question you’d have to put to the government directly, and I encourage you to do so. Whether it’s through DND or anyone else you would like to call, whether it’s the Treasury Board Secretariat, for example, who have a lot to say about this.

What we have identified is that being in the perimeter is better than not being in the perimeter. Being entirely in the perimeter is better than being halfway in the perimeter. Being outside the perimeter is a risk not just to your own organization, Crown corporation or otherwise, but to the entire federal family of organizations. We have listed how many are in, how many are out and how many are partly in or out.

We’re of the view that Canada ought to up its game as a federal government. There’s a lot of material here at risk, a lot of Canadians’ personal data, military information, plans. This is national security writ large, so we are trying to illustrate through the study and through access to this information that we can really make improvements here. In many ways, that’s why we only made 2 recommendations, not 20.

We’re hopeful the government will move, and I would encourage you to call the Treasury Board Secretariat to ask them that question. Senator?

Hon. Senator Frances Lankin, P.C., Member, National Security and Intelligence Committee of Parliamentarians: Thank you. I think it’s relevant to remember within the structure — and I’m talking about small “p” political — within relationships between departments and central agencies, there are a lot of issues that fall into this basket in terms of compliance, non-compliance, willingness to be brought in if it’s not a compulsory direction. I think that’s why the recommendation is so important that it become compulsory.

The reality in our structures and many departments and Crown corporations, the authorities rest with the deputy and related to the minister as well. But the fiscal decisions that are taken, the allocation of resources that are taken, which is part of what we do in our framework reviews as well. We have looked at what’s the talk and what’s the walk, and how does it match up? In this report, we saw very clearly that there are gaps and those gaps are dangerous for Canadians and dangerous for our national security, personal data, as the chair said.

I think that there is a willingness to move, but there’s great reluctance and inertia at times within large departmental structures and the interdepartmental relations. So your voices on this will be important. I agree with the chair; calling Treasury Board is a very good idea.

The Chair: Thank you, both.

[Translation]

Senator Gignac: You delivered an amended report to the Canadian Prime Minister on February 8, 2022. The world has changed since February 2022. When we were in Brussels along with other parliamentarians, we were told that in the weeks leading up to the invasion of Ukraine, Russia had been very active in cyberattacks. One year later, in light of what you know about Russia’s tactics, are there things in your report that you perhaps should have expanded upon, or things that you should have focused on more, given that the world has changed in the past year?

Mr. McGuinty: That is an excellent question, senator. It’s not an issue that’s been discussed by the committee since the report was presented to the House. Certainly, it has been determined that foreign interference is ongoing. It shows no signs of slowing down; on the contrary, it shows signs of increasing, of accelerating, but with respect to Russia, I am sorry, we are not in a position to tell you more. Everything about Russia is already in the report. Obviously, Russia and China were extensively discussed in our foreign interference report.

Senator Gignac: Let’s move on to another part of the report, namely the government’s activities in defending the system, the network, from cyberattacks. In your experience — it’s not just the federal government, but also the private sector and private infrastructure — are there countries we could look to for inspiration in terms of having better coordination? There’s the federal government, the private sector, universities; it can come in many shapes and sizes. Does Canada have a forum where information is exchanged between the various stakeholders?

Mr. McGuinty: Not that we know of. I don’t think there is such a forum in Canada. The Communications Security Establishment works very closely with our universities; intellectual property and research are two issues. There is significantly more dialogue now with the provinces. The Communications Security Establishment (CSE) is also capable of detecting a problem. In the case studies presented in the report, several times it was the Communications Security Establishment that actually found a problem and notified the agency or Crown corporation to let them know they had a problem, before they even knew it. That’s exactly what happened with the Canadian Armed Forces.

So that’s why there’s such a strong push for all departments, all agencies and all federal organizations to be within that protective perimeter. It would go a long way towards standardizing an all-encompassing protection system. I know that CSE is working extensively with the private sector right now. One of the case studies involves a Crown corporation, and another involves a private company that, for the first time, used CSE’s resources, because it fell within a critical infrastructure sector; it was the first Canadian case study published in our report.

Senator Gignac: Thank you.

[English]

Senator Lankin: The chair just raised it with respect to the private sector and their own critical infrastructure in this country.

It is, to me, a critical issue that the communications are improved. CSE is doing an amazing job of reaching out. I would say CSIS does now too in a much broader way, but they’re hampered in what they can say. They can share resources and skills, but in terms of what they can share in terms of their knowledge, the national security restrictions apply to them, and most people, the head of critical infrastructure organizations in the private sector doesn’t have security clearance. That’s true of our police forces too.

There are issues that we have to come to terms with when we understand how pervasive this problem and the nature of these attacks are, and where they can come from, and where they can hit, which has equal effect on our economy, and our social well-being, as well as the structures of government and its relationship to people.

It’s an important question that you’ve asked.

The Chair: Thank you very much.

Senator Yussuff: Let me thank all of you for being here and the report.

I guess the positive is the recommendation that’s been accepted by Treasury Board, so you’re not fighting or arguing. That’s the good news. But what is more stunning, I guess, is the lack of resistance by the department to cooperate fully while you were conducting your report. I find it quite challenging to get my head around that, given that I thought the department would want to know if there are vulnerabilities and, more importantly, reveal what they might be able to tell you to help improve the system, given you’re a non-partisan committee, but given the desire to review the act and how we can bring that in concert, so we have a full review. I guess the timeliness is going to be something I see as a priority for the government. The longer we wait, the vulnerabilities are still there, so through you, chair, maybe some points you can reflect on the need for this to happen, what you see in terms of your thoughts?

Mr. McGuinty: One of the things we wanted to do through the review was to be practical and grab the reader by the eyeball in the sense of we’re going to illustrate what can happen. That’s why the six case studies — the China case study that targeted 31 departments with 8 suffering severe compromises, the Treasury Board Secretariat, also referred to as TBS, and the Department of Finance Canada were the worst affected; or study Number 2, the private company using CSE’s abilities for the first time; or case study 3, the Heartbleed attack on the Canada Revenue Agency; or Number 4, the National Research Council attack by China, which cost us $100 million to repair, and we lost 40,000 files; or Number 5, the attack on DND by a state-sponsored actor, where significant amounts were stolen from DND; or case Number 6, perhaps the most worrisome for us, where in 2020 a state compromised a network of a Crown corporation and we believe a government department but other departments as well.

All this so that the Government of Canada and those who are on the front lines of making these decisions at Treasury Board, or CIOs of individual departments or Crown corporations, could understand they could be next. They could be next. And that buying shrink-wrapped technology off the shelf and trying to deal with this unbelievably sophisticated threat may not be your best approach.

That’s why we gave lift to these six case studies, to say you might just see yourself in here as a government department or an organization. We hope that would have helped to grab their attention immediately, but as Senator Lankin said earlier, I think the fact that you’re looking at this, you have an incredible voice and a role here, an opportunity to bring TBS, the Treasury Board Secretariat, in here and Shared Services and CSE again to say, okay, well, where are we, how fast can you implement this? What is at risk?

Senator Yussuff: Security is not just in the federal domain. Private sector companies are responsible for information, and a lot of data we share. But provinces and municipalities are equally vulnerable, because they manage the infrastructure of this country. So in the absence of knowing what is going on in the country, we have no national legislation that anybody would have to reveal a cyber attack. Canadians know because it’s in the media, or your Rogers phone went out of service because the transfer of information or whatever didn’t happen.

To seek your opinion, do you think it’s desirable for us to have legislation that this information should be shared because if we’re not aware of the volatility and the challenges we’re faced with, how do we as a country come together to figure out how we’re going to better work together?

And the second one, private companies, of course, are private companies, but they have an obligation to the public to tell us things that we should have a database in place, and we should know, because that should reveal, despite their best effort, that they’re still vulnerable. Because if some of these companies shut down, it could have major impacts on what we do, and many are integral to the economy, to a large extent. If we don’t know that, how do we protect the economy?

Senator Lankin: I think the point you’ve raised, and it follows on Senator Gignac’s point, is important.

The answer of how we go about it is not something our committee has discussed, and so I won’t speak on behalf of the committee in any way with respect to that. But, we do note, not just in this report, but in our general review, framework reviews, and a couple of the activity reviews, we do note ourselves in our conversations that this is a significant problem in terms of the lack of coordination.

I sat for a while on the board of Hydro One and there I learned about the coordination of a North American grid, the kind of security concerns for critical infrastructure. This committee in 2016 or 2017 or so, did a report, that is almost quaint now, about pulse technology that could wipe out our communications systems. There are much more effective and advanced ways at this point in time, but those things are still real issues, and I think that those are questions that should be explored and to what extent we could do that.

I would just make two comments. Through legislative changes, CSE — as I said before — and CSIS were enabled to do community outreach, which they had been beginning to practise, but it was not clear what the legal foundation for this was. A bill then went through the House of Commons and the Senate, was passed and changed that — it provided an enabling process there for them. CSE has been proactive in reaching out, but all of those things are constrained by what I said in terms of the, one, resources, which is always going to be a case, but, two, the nature of some of the information.

I think that the question you raised should be given a thorough airing and debate. I won’t comment on my own personal opinions about it, but I am concerned about critical infrastructure. If we can get that one in there again.

Senator Cardozo: Thank you very much for being here. I have a general question, and you can answer to the extent that you can, understanding that you operate with a lot of confidentiality. I think it probably intrigues a lot of Canadians as to how a committee like yours works, given that you come from different partisan backgrounds, the House of Commons, and the Senate. To the extent that you can, can you give us a sense of how you operate when people come to the table with different agendas? Is it somewhat like a committee, a House of Commons committee would work or Senate committee where people put their priorities first and you try and figure out what those priorities are, and then if you have time, if you can just share with us a little more thoughts about why some of these agencies and departments are reluctant to come under the umbrella?

Mr. McGuinty: I think the highest compliment the committee has likely ever received was from officials who had appeared, and their feedback to us was, if you close your eyes and listen to the voice of the speaker, you have no idea from which political persuasion it was coming.

I think we’ve found a way to work together in a non-partisan, consensual way where we treat national security and intelligence the way we believe it ought to be treated. We remove it from the immediate cut and thrust of the arena. Those of us who have been involved in elected life know all about the cut and thrust of the arena. These issues transcend any party or government, and we’re certainly seeing that right now with some of the concerns Canadians are expressing around this discussion on foreign interference.

We work in a very consensual way. Our reports are pored over and deliberated at length — sentence by sentence, paragraph by paragraph, finding by finding and recommendation by recommendation. If we can’t get agreement, we go back and do it again.

I will say that in six years of practice, we have never once had to vote on anything. It’s important for Canadians and senators to know that the government does not have a majority on the committee. It was designed not to have one. It’s more a question of, we think, putting the purpose and importance of the issues front and centre in order to try to make recommendations for change to improve the situation.

It’s not easy. We’re trying something new. It’s never been done before in this country. We seem to be making progress. We also generally don’t enter into the fray of cut-and-thrust political debate. We communicate when we have something to communicate. Today we think we have something to communicate. When we complete our next review on foreign interference, we’ll have something to communicate. We remain disciplined. We’re dealing with highly sensitive materials, so we have to remain disciplined.

That’s sort of how we work. We choose subjects using different metrics: Has it ever been examined before? Is it of interest to Canadians? How important is it? Is it public? We can take referred matters. The Prime Minister or a minister can refer matters to us. It doesn’t mean we’re bound by it. We can take it under advisement, we can decline or we can accept.

The committee is very much independent. If it wants more information, it goes back and asks for more information. There’s never a shortage of information, by the way. There are 25,000 to 50,000 pages of documentation per review, so it’s a heavy load.

There’s no delegation. You can’t substitute an outstanding senator like Frances Lankin. You couldn’t do it anyway, but the point being that Senator Lankin can’t turn to somebody else and say, “Can you pinch-hit for me today?” There’s a reason why the members are cleared to a very high level, sign an oath and waive away the parliamentary privilege — because of the nature of the work that goes on here. It’s serious business, and we try to rise up to meet that challenge for Canadians.

Senator Lankin: I think it’s important to know that our chair went through some of the criteria. We also take a look at the way in which these issues implicate Charter rights for Canadians. We look at the issues of sovereignty and integrity of our institutions and the economic and societal impacts. We bring forward the departments — sometimes individually and sometimes we’ve had grand presentations that are across departments. We reach outside of government as well for comment, whether it’s academics or people from particular NGOs who have expertise in a subject, on what the impact is on Canadians. That’s part of our mandate as well.

Within the legislation, there are two types: a framework review and an activity review. All of that has to relate back to why we’re doing this, which is for the Canadian public. In our reports, we try to speak in a way that can communicate to the Canadian public. As the chair said, we try to be as transparent as possible, except for those areas that are actually dictated in the legislation as exceptions and that, therefore, must be redacted.

Senator Dasko: Thank you, witnesses, for being here. I want to pursue the topic of the kind of information that the committee is entitled to receive and the granularity of the information.

You receive information briefings from departments, from the CSE and other sources, but how entitled are you to ask for information that is really granular, that has to do, let’s say, with individuals or specific situations that might even go beyond the case studies that you have in your report?

Mr. McGuinty, since you used the term “foreign interference,” I’m going to pick up on that.

Mr. McGuinty: I opened the door, did I?

Senator Dasko: You opened the door, just in time for me to ask you to pursue that topic in terms of, again, the granularity of the information.

Can you ask for information about individuals who may have been targets of attacks, or situations, notwithstanding the fact that departments are blocking some of the information you’re looking for, as you said earlier? Notwithstanding that, what are you entitled to receive? How far down can you go? How extensive is the information you can request and hope to receive?

Mr. McGuinty: The first thing to remember is that we’re a review committee, not an oversight committee, so there are some restrictions with regard to the kinds of information we can request. For example, we can’t ask for details on ongoing investigations.

If I can ask Lisa-Marie Inman to answer you with regard to the granularity. She’s perhaps best placed because she’s often negotiating and following through with the information owners.

Lisa-Marie Inman, Executive Director, Secretariat of the National Security and Intelligence Committee of Parliamentarians: Thank you very much for the question. In terms of granularity, there’s no limit to the degree of granularity we can seek in our requests for information. Of course, there is certain information that we’re not entitled to — notably, information about an ongoing investigation, law enforcement investigations that may result in prosecution, human source information, Witness Protection Program information and cabinet confidence.

As to the granularity, it can be any information at all that is relevant to our review. We regularly see very granular information.

I will make the point, though, that often we will get information about individuals, but the committee doesn’t have an individual complaint mandate. Folks can’t come to the committee to complain about their particular situation, so there won’t be a lot of occasions where we would look into, say, someone’s individual case. There are other mechanisms for that.

We have raised some challenges to getting particular types of information. Cabinet confidence was the one thing that the chair highlighted. Generally speaking, and particularly over the five years that the committee has existed, we have found that departments and agencies have evolved a fair bit. There’s now a relationship of trust with the security and intelligence community. I don’t want to speak for them, but they are confident that the committee can take appropriate measures to safeguard their information. They’re generally forthcoming and cooperative in the information that they provide.

Other than the specific instances that the chair described where we have had issues, getting information is generally a fairly seamless process. As the chair said, we’ll often get information, look at it, and realize that something is referred to in this or that document that we don’t have before us, so it’s an iterative process of asking for information. We’ll often get information and then ask for more information several times up until the end of a review.

Senator Dasko: At the same time, you’re getting blocked in some of the requests you’re getting. That is what I understood from the remarks that the departments are resisting or refusing information.

Mr. McGuinty: Senator, only in certain cases. We don’t want to overstate that case. It’s generally very good. We’ve cultivated a strong relationship.

In some cases — for example, after performing the DND/Canadian Armed Forces review of their security and intelligence activities — it actually helped lead to the creation of a review office inside the department to be able to start sharing information with us in a forthcoming way in the future, or with NSIRA, the National Security and Intelligence Review Agency, or some other group.

We don’t want to overstate the case. There have been a couple of instances where we’ve been very firm about information, and we’re working our way through that. We don’t expect to face many of those; to be honest, I don’t think we expect to face that very often in the future.

Senator Boehm: I’d like to thank the witnesses for being here. It’s great to have Senator Lankin back with us, even in a witness capacity.

I have a number of questions. I think I’ll just put them all out, recognizing we have only a few minutes and that I don’t think we’re going to have much of a round two.

Mr. McGuinty, you mentioned the cyberdefence perimeter a number of times. I think that when most people think about a perimeter, they think of a fence. I know you’re referring to something that is much more elastic.

Canada has over 150 offices abroad whether embassies, consulates or offices at embassies and the like. The provinces also have some offices abroad as well. When you speak about the cyberdefence perimeter and, perhaps, its weakest link, it’s conceivable that the weakest link could be far away from our shores, and we would have to have the electronic cyber protection to ensure that. That’s one question, I would like your thoughts on that.

The other is this: I know yours is a review committee. Other parliaments among the Five Eyes have similar sorts of committees. Is there any back and forth or discussion on best practices, since the NSICOP has been operating for some time? Are the reports shared? Do you get inputs — that sort of thing?

My last question is really to you. As a parliamentarian, you know well how many meeting requests we receive from embassies and from lobbyists. As chair of this particular review committee, do you feel you’re getting attention yourself, and if so, how would you handle it?

Mr. McGuinty: I’m not sure what kind of attention you mean.

Senator Boehm: Popularity. Sponsor [Technical difficulties].

Mr. McGuinty: I’ll start with the last question first.

Maybe. I think that all members have found we’ve had to govern ourselves a bit differently now that we sit on this committee in terms of meetings and attending diplomatic settings. As a general rule, I don’t anymore. I tend to be very careful. Or if I’m travelling, I’m very careful and so on and so forth. I think most of us have been briefed and briefed yet again about those risks.

On the question of how we share information, how we conduct our practice and whether there are other groups: Yes, we have liaised with the intelligence and security committee in the U.K. Ms. Inman led a delegation there just last January and had a week of meetings. We have had the Intelligence and Security Committee of Parliament, or ISC, members from Britain here to Canada previously. We’re hoping to get to Britain at some point. They have a longer tradition in that practice and approach. We’ve learned a lot from them. We’ve met with the New Zealanders, Australia and some U.S. counterparts. We’ve also had many overtures from other countries in the world, asking how we’re doing this — Romania, Israel, South Africa. They ask us to share our know-how in terms of what we’re doing here because they’re looking for models that might be appropriate for them. So we’re finding our way forward.

On your first question, I’m going to ask Nabil Bhatia to talk about the details of the technical side of this.

Nabil Bhatia, Review Analyst, Secretariat of the National Security and Intelligence Committee of Parliamentarians: Thank you very much for your question, Senator Boehm.

When we’re speaking about the cyberdefence perimeter, we’re speaking about three tools operated by the CSE, and we outline these tools from paragraphs 188 to 202 in our report. I understand that not long ago, you spoke to Mr. Khoury and Mr. Couillard from the Canadian Centre for Cyber Security, so they can speak to this with much authority.

The three types of sensors employed by CSE are network-based sensors, host-based sensors and cloud-based sensors. These three sensors work together at the network level, at the host level — which is on actual end-point devices — and at the cloud level to complement commercially available measures such as firewalls and anti-viruses. They serve two purposes. On the one hand, they identify malicious cyber activity, and on the other hand, they proactively defend networks against cyberattack. Sensors constantly monitor for anomalous cyber activity and analyze that activity to identify new, malicious cyber behaviour. CSE then uses this information to mitigate threats in the present and plan for threats in the future.

Senator Boehm: Thank you very much.

[Translation]

Senator Boisvenu: Welcome, Senator Lankin, Mr. McGuinty and Ms. Inman. It’s a pleasure to see you again.

You know we’re doing a study on Arctic security. I discovered — I can’t speak for my colleagues — that if it weren’t for the U.S. presence through North American Aerospace Defence Command (NORAD), Canada would be poorly positioned in terms of its national security, particularly with respect to that neighbour to the north, Russia. The Americans are safeguarding a substantial portion of Canada’s security.

Preliminary findings also indicated that military equipment and personnel are in a sorry state. We’re really lagging in terms of modernization and value for money in the Canadian Armed Forces.

In your 2022 report, you talked about government cyber defence. Theft of information in military operations could lead to the unveiling of strategies, and so on. That’s an important aspect of our study.

In terms of providing input to the government on improving this situation, how do you address the lack of equipment in the military and the management of an issue as important as cyberattacks? There seems to be a contradiction between the lack of resources and equipment and the need to counter these cyberattacks. Resources and equipment are needed.

What position do you take with the government regarding the huge disconnect between the current state of the military and the global monitoring of cyberattacks?

[English]

Senator Lankin: First of all, I think I’m correct in the words I’m using. DND monitors their own cybersecurity. It’s a different organization and a different culture, and the imperatives are different. Their use of cybersecurity and monitoring has implications in the field on the front lines, so it’s quite different.

About the issue of resources: I understand that this is something your committee may be looking at deeply. We didn’t do a stand-alone review of DND with respect to cybersecurity, and we would include them in the general recommendation that all should be inside the same perimeter and that the resources of CSE should be more widely utilized. But the question you raised with respect to the resources available would entail us doing a framework review to look at the administrative, legislative, regulatory and financial administration pieces of this, which we have not done at this point in time.

Again, these are good questions. One of the things I was saying in addition to what the chair said earlier — about how we have criteria for what we review, how we make our decisions and how the committee works to come to those decisions — is that every time we do a review, by the end of it, we have thoughts about what we need to go back on in an appropriate manner of time, making sure it’s review and not oversight. It’s been seven years of learning. It’s been seven years of learning for the government and departments who have never had this kind of interaction with parliamentarians before. While it took a while, I concur with the comments that we generally have an excellent relationship — a trust-based relationship — and there has been a good exchange of information.

The question of DND and how that may be done warrants a review, whether it’s by this committee or by the National Security and Intelligence Committee of Parliamentarians some time in the future. That would be helpful because those questions are important, in particular, I would say, with respect to the foreign interference file and the Arctic at this point in time.

[Translation]

Senator Boisvenu: Mr. McGuinty, you spoke at length about exchanges with other countries, including Australia and the United Kingdom. Did your findings about our partners point to any worthwhile approaches that Canada could build on to improve its performance on cyberattacks?

Mr. McGuinty: We regularly obtain material, for instance, from the United Kingdom. Its committee has been active for decades. We share where we can, when we can. Obviously, we are unable to share confidential information. We learn from each other. There is a partnership, but we are different. Australia’s committee structure is not the same as ours; it’s not the same at all. In New Zealand, committees meet perhaps two or three times a year and the Prime Minister serves as chair.

It all depends on which country we’re talking about. I think people are becoming more aware of the whole issue of cybersecurity risk and cyberattacks. I know that internationally, the United Nations is negotiating at least one and possibly two conventions that would address this issue.

[English]

The Chair: If you will indulge me for one more minute, I have a quick question to ask you, to add to those you have received.

You mentioned, chair, CSE engaging in “proactive defensive operations,” I think is the term you used. Does that extend to measures that would degrade a known assailant’s ability to attack our critical infrastructure?

Mr. McGuinty: Mr. Chair, I’m not sure if you’re deliberately trying to be difficult or what here. I’d have to try to answer that question —

The Chair: I understand.

Mr. McGuinty: I’d have to go through this review a bit more carefully to answer it carefully for you.

The Chair: That’s fine. That’s great. Thank you.

This brings us to the end of the panel. I’d like to extend our thanks to you, Mr. McGuinty, to Senator Lankin, who we are delighted to see here with us, to Ms. Inman and Mr. Bhatia. We greatly appreciate the contributions and the time you’ve taken to share your experience with us. We thank you for your work on NSICOP. We know that is taken on in addition to your day jobs, to the other weighty responsibilities that you have. We’re grateful for the work you all do, and I thank you on behalf of the committee, of the Senate of Canada and on behalf of Canadians. We wish you well in the important work that you will do in the future, so thank you very much.

(The committee continued in camera.)
