37-1
37th Parliament,
1st Session
(January 29, 2001 - September 16, 2002)
Select a different session
Proceedings of the Standing Senate Committee on
Defence and Security
Issue 2 - Evidence (afternoon session)
OTTAWA, Thursday, July 19, 2001 The Standing Senate Committee on Defence and Security met this day at 2:15 p.m. to conduct an introductory survey of the major security and defence issues facing Canada with a view to preparing a detailed work plan for future comprehensive studies. Senator Colin Kenny (Chairman) in the Chair. [English] The Chairman: Good afternoon, ladies and gentlemen. If I may take just a moment on this, I understand that some people who have been watching the broadcast on television or on the Internet have been phoning in with questions for members of the committee. We are not structured to deal with that. It is simply a contact point for further information, and the Web site is a contact point for further meetings of the committee and for information that the committee puts up from time to time, such as a record of the testimony. We would welcome those who are interested in the work of the committee to communicate with us by mail, and we would be happy to get back in touch with you. If I may, I will turn now to our witnesses today. Our panel includes Mr. James Harlick. Mr. Harlick is Assistant Deputy Minister, Office of Critical Infrastructure Protection and Emergency Preparedness in the Department of National Defence. In this capacity, he provides advice and support to the Associate Deputy Minister on policy and operational matters affecting the government's responsibilities for critical infrastructure protection and emergency management. His recent assignments have included Executive Director, Critical Infrastructure Protection Task Force in the Department of National Defence, and Executive Director, Year 2000, Planning and Coordination Group Activity in the Privy Council Office. Mr. Harlick will speak about the role of the Office of Critical Infrastructure Protection and Emergency Preparedness. He is accompanied by Mr. Gary O'Bright. Mr. O'Bright joined the Communications Security Establishment in 1975 and has held a wide number of positions at this institution. In 1991 he attended the National Defence College in Kingston. Upon completion of this program he became the Communications Security Establishment Director of Strategic Planning, and in 1995, Director, Corporate Management. In August of 1997, Mr. O'Bright was appointed to the position of Director of the Information Technology Security Strategic Services Group. In April of 2000, he joined the government's critical infrastructure task force, and in 2001 he assumed his current position as Director, General Operations for the Office of Critical Infrastructure Protection and Emergency Preparedness. We also have with us Mr. Alan Bartley. Mr. Bartley is the Director General, Policy, Planning and Readiness of the Office of Critical Infrastructure Protection and Emergency Preparedness. He was previously director of security policy with the Solicitor General of Canada. He was a member of the Canadian Security Intelligence Service prior to joining the Department of the Solicitor General. A former journalist, Mr. Bartley has a Ph.D. in political science from McGill University. Mr. James Harlick, Assistant Deputy Minister, Office of Critical Infrastructure Protection and Emergency Preparedness, National Defence Department: Mr. Chairman, I will read my statement to the senators and then take questions. Mr. Chairman, ladies and gentlemen and members of the committee, I welcome this opportunity to appear before you today. As Senator Kenny, the chairman, has noted, my colleagues Mr. Bartley and Mr. O'Bright accompany me. I thought these individuals could best bring contribution to the hearing today given their respective responsibilities in the office. I would like to use my opening remarks today to first provide background on the origins of the new office. Second, I would like to talk about the way ahead for Canada on critical infrastructure protection and emergency preparedness. Third, I would like to describe the office's link to the Department of National Defence and to the department and agencies of the portfolio of the Solicitor General. I cite these two departments because you heard yesterday from the Department of National Defence, of which we are a part, and this morning from the portfolio of the Solicitor General. The new office is a civilian organization located within the Department of National Defence with a mandate to provide national leadership on critical infrastructure protection and effective emergency management. The office reports to the Associate Deputy Minister in the department, Ms Margaret Purdy. I will address first the origins of the new office and the early work on the critical infrastructure protection. The origins of the government's work can be traced to 1996 when officials in the Canadian security and intelligence community conducted a preliminary review of the implications for Canada of the information technology revolution. This review was prompted by the emergence of serious concerns about the threat of information warfare, or electronic warfare as it was then known. One of the principle conclusions of that review was that the Government of Canada had to modernize its program of identifying and protecting the most significant facilities in the country; that is, those facility on which the most vital services depended. This review concluded that information technology had transformed the nature and configuration of those facilities, and Canada's protection efforts had not kept pace. The United States government was reaching similar conclusions at about the same time. A presidential commission on information protection reported in 1997 that urgent action was needed to protect U.S. vital interest from cyber threats and vulnerabilities. In Canada, we were ready in 1998 to take forward specific proposals on how to approach the challenge. We postponed that work in favour of doing a first-class job on the Y2K computer bug challenge. We could not have pursued both efforts with success given the level of resources both would have required and the involvement of many of the same players.On balance, we believe it was the right decision. The rollover occurred with no significant problems, and we benefited greatly from the sequencing after Y2K. We now have a clearer picture of the nature of our national critical infrastructure. Y2K showed our dependence on the structure and taught us - that is, private sector, the government, and indeed the public - much about the associated interdependencies and vulnerabilities of our infrastructure. We also forged groundbreaking relationships with the private sector, particularly the energy, telecommunications, banking and transportation sectors. As well, we formed stronger relationships with the provinces and territories and with our most important foreign partners. Early in the year 2000, soon after the Y2K file was closed, the government created a one-year task force to prepare detailed proposals on critical infrastructure protection. The work of the task force was to advise ministers on what ongoing role, if any, the Government of Canada should take in terms of protecting the country's critical infrastructure. The task force adopted a broad approach to its work, broader than that taken by the United States, which had focused on the threat of malicious cyber-based attacks. The tasks force adopted a Y2K-based definition of a critical infrastructure. Critical infrastructure is those systems facilities and networks whose failure or disruption would have a serious impact on the health, safety, security and economic well-being of Canadians and on the effective functioning of government in this country. Canada's critical infrastructure exists in six highly interdependent sectors. The first is energy and utilities. The second is transportation in all four modes - air, water, rail and land. Communications, which includes telecommunications and the Internet, is the third sector. The fourth sector is safety, including nuclear safety and search and rescue services. The fifth sector is services including financial, food services, and health. The sixth grouping is the government sector in respect of its essential services that all levels of government provide to citizens. The task force conducted extensive research and consultation in Canada and with international contacts. It concluded that Canada's critical infrastructure, in both its physical and cyber dimensions faced a state of increased risk in the 21st century. I will now address the threat environment to critical infrastructure. Physical accidents and natural disasters will continue to occur. They will affect our infrastructure with significant consequences for Canadians. Canada has experienced at least 30 major disasters in the past five years. In the years to come, hazardous spills, fires and other accidents will persist, as will severe weather events. Between 1996 and 1998, three weather-related events, the Saguenay River flood in Quebec in 1996, the Red River flood in Manitoba in 1997 and the Ontario-Quebec ice storm in 1998, resulted in costs of more than $5 billion for repair and recovery. The Government of Canada alone provided $1.5 billion to provinces in terms of disaster commitments. At the same time that physical disasters continue to challenge emergency planners in Canada, they have been joined by a new set of threats to our critical infrastructure. These new threats have a cyber dimension in that they exploit or impact information technology and telecommunications and our dependence on them. All of our vital services depend on information technology, which brings brand new vulnerabilities. The Internet is immature, unsecured and unstable. Those who develop commercial, off-the-shelf software are more concerned about getting their product to market than they are with checking the products thoroughly for glitches or faults that might make them vulnerable. Because we tend to migrate towards the same popular software suites, those faults and glitches can spread quickly, and with significant negative consequences. A range of cyber tools can exploit these vulnerabilities. Viruses, worms and Trojan back doors have become part of our everyday vocabulary. If you use a computer at home or at work, you will recognize the significance of Melissa and the Love Bug as serious cyber attacks that have affected computer users around the world since 1999. There is little relief in sight. Hacking tools are widely available. They are cheap or, worse, free and easy to use. Their use is becoming increasingly sophisticated. Old threats are also taking on a new face. Technology is revolutionizing the worlds of crime, espionage and terrorism. Computers, the Internet, data encryption and a full range of communication devices, whether wire line or wireless, are as prevalent in these worlds as in ordinary business. Criminals and terrorists in unfriendly foreign governments can take advantage of these technology-based vulnerabilities and attack tools to defraud individuals, businesses and national economies. They could advance their political, ethnic or religious causes through these tools. While attackers with clear motives are a clear danger, so too is the so-called recreational hacker. They use their computer skills to attempt to attack, corrupt or manipulate the computers and networks of others. They often have no motivation beyond seeing how far into a network they can penetrate, and how much damage they can do. Recreational hackers operating alone and not affiliated with any organized group have perpetrated most of the serious cyber attacks in the past three years. According to CanCERT, which is a private sector-based computer emergency response organization, malicious attacks on computer systems are increasing at an alarming rate. Canadian statistics on scanning and attempted attacks against systems and networks suggest a 430 per cent increase in the level of activity from 1999 to 2000, with a projected level of increase beyond that of an additional 525 per cent in the year 2001. The threats are real and serious. For example, a hacker in Australia altered the control mechanisms in 100 pumping stations, causing one million litres of raw sewage to overflow. In February 2000, as we will all remember, there was the distributed denial-of-service attacks against eBay, Yahoo, Amazon and several other Internet-based businesses. That attack is estimated to have resulted in lost revenue of up to U.S. $1.2 billion. This attack was the work of a 15-year old Montreal boy who used the cyber name Mafia Boy. Even Microsoft has been victimized. Last October, its high level internal network was hacked for a 7 to 12-day period. Microsoft officials admit that the hacker gained access to the source code of one product in the early stages of development. In 2001 we have seen the emergence of a new type of cyber event that involves individuals and groups on opposite sides of a political struggle, but not necessarily operating under state control or direction. The first widespread event involved opposite sides in the Israeli-Palestinian conflict. More than 200 cyber attacks were launched, including Web site defacement, denial-of-service attacks and viruses, over a four-month period. The attacks targeted government business and infrastructure, and they spilled over beyond the Middle East. Another example occurred in December, 1999, when the Electrohippies Collective, a group of five U.K. activists, organized a virtual sit-in of the World Trade Organization's Web site. In a denial-of-service attack, over 450,000 people swamped the site with multiple e-mails, disrupting its online presence. The same group attempted, with lesser effect, to do the same during the recent Summit of the Americas held in Quebec City this spring. In summary, the threats to our critical physical and cyber infrastructure will put Canadian communities and Canadian businesses at risk in the 21st century. These risks will be magnified by four factors. First, Canada's population infrastructure and wealth are increasingly concentrated in a small number of highly vulnerable areas. Many such communities are at risk from multiple hazards. Second, climate change is expected to increase the frequency and severity of some extreme weather events. Third, Canada's infrastructure is aging, and thus more susceptible to damage, whether from a tornado or a terrorist bombing. Fourth, communities are increasingly more reliant on advanced technologies that are more vulnerable for the reasons that I noted earlier. To better equip Canada to respond to these challenges, the Prime Minister created the Office of Critical Infrastructure Protection and Emergency Preparedness on February 5, 2001. In his announcement, he told us why action on critical infrastructure is needed. He stated, "The protection of Canada's critical infrastructure from the risks of failure or disruption is essential to assuring the health, safety, security and economic well-being of Canadians." Mr. Chrétien identified the role of the Government of Canada in this matter. He said, "I am confident that these new measures will enable the Government of Canada to provide national leadership on this important issue and ensure our preparedness to deal with emergencies." Mr. Chrétien further noted that the government cannot accomplish this task alone. He said, "We will also be able to build strong partnerships to ensure the protection of our shared North American infrastructure." The office is a uniquely Canadian approach - one that several other countries are considering. It embodies a unique "all hazards" approach to protecting both the cyber and physical dimensions of our critical infrastructure, regardless of the source of the vulnerability and threat. Significantly, the office encompasses the mandate and programs of the former agency, Emergency Preparedness Canada. The work undertaken by the office will directly support three other important national priorities. The first is e-commerce, which depends for its success on public users having sufficient trust in the security and privacy of personal and proprietary information that is provided during commercial transactions. The second is e-government, or government online, as we would term it. E-government is dependent on developing and maintaining client confidence in the security and privacy of its underlying systems and networks. The third is the government commitment to safer communities, which requires the capacity to fight computer crime, maintain essential services and deal effectively with all types of disasters. The new office has developed a national framework for critical infrastructure protection and effective emergency management that focuses on five elements. I will outline them for you. The first is to contribute to putting the Government of Canada's own infrastructure house in order. If the government is to provide credible national leadership on critical infrastructure protection and emergency preparedness, it must first ensure an adequate level of protection for its own portion of the national critical infrastructure. This includes physical assets, such as the class 4 Winnipeg laboratory, buildings that house IT systems and networks, bridges and dams; systems and networks such as those that support weather forecasting, search and rescue operations, Employment Insurance and Old Age Security programs. The Government of Canada does not have, but will need, a complete "map" of its critical infrastructure, particularly on the cyber side where the most serious knowledge gaps exist. It will need a full understanding of its IT interdependency, vulnerabilities and its overall state of IT security posture. We need to update and expand the excellent work done in this area for the Y2K rollover, so that we are well-positioned to address the possible cascading effects of infrastructure disruptions or failure. The office is developing a robust, 24-hour-seven-day monitoring and coordinating capability to support the Government of Canada in responding to threats and incidents affecting its own essential systems. Close cooperation with centres in other government departments is essential. Examples of the office's operational services and activities will include: information sharing on threats and vulnerabilities, the issuance of timely advisories and alerts, the compilation and dissemination of best IT security practices, the promotion and adoption of common security solutions and the coordination of the response to cyber incidents. These services will be delivered in close collaboration with other key federal security advisory organizations, particularly those in the portfolio of the Solicitor General. We will enhance and build creative and sustainable partnerships. The new office will give high priority to enhancing existing emergency preparedness partnerships and building new critical infrastructure protection partnerships that include: those with federal departments and agencies; provincial, territorial and municipal governments; public and private infrastructure owners and operators in business organizations, for example, the Canadian Chamber of Commerce and the Canadian Bankers' Association; non-governmental organizations such as the Canadian Red Cross; foreign government organizations such as the Federal Emergency Management Agency and the Critical Infrastructure Assurance Office in the United States, and international organizations such as NATO, G8 and OECD. The new office will build on the solid work and achievements of the former EPC, particularly in the areas of education and awareness, as it develops its programs. It will also enhance research and development work in relation to emergency preparedness and critical infrastructure protection. We will look into the most serious of the cyber security problems and try to improve our protection from these risks. National operational capabilities will be enhanced. We must strengthen these capabilities to take into account the new risk environment. Through its monitoring and coordination centre, the new office will work with key partners at all levels of government, the private sector and internationally, to enhance information and intelligence analysis and sharing, incident response, and investigation and prosecution efforts. We would enhance the existing policy framework for our mandate. The particular challenge in making sound decisions about risk mitigation and adequate levels of response during actual incidents is the timely exchange of threat and vulnerability information. The new office will need to examine whether, in the Canadian context, information sharing arrangements, perhaps modelled on the Information Sharing and Analysis Centre, a concept now under development in the United States, might be a useful way to promote private sector information-sharing. The office has already had an encouraging dialogue with some key infrastructure sectors on information-sharing. For example, the Canadian banking sector is now considering the creation of such an information-sharing mechanism. I will discuss now the office's link to the Department of National Defence and the Solicitor General's portfolio. The office fits well in National Defence for several reasons: First, the Canadian Forces, as you know, have a strong and positive reputation for helping Canadians in times of distress as evidenced during the Manitoba flood and the ice storm. The Minister of National Defence is also the lead minister for emergency preparedness and for providing leadership in the areas outlined in the Emergency Preparedness Act. Emergency Preparedness Canada was already well-established in DND at the time of the creation of the office, and both the department and the Canadian Forces put a high priority on cyber-security and contingency planning for emerging threats. We are working actively to identify and flesh out the possible synergies and partnerships with those in the department and the Canadians Forces who are responsible for a number of the following areas: identifying and understanding vulnerabilities associated with critical physical assets and computer network systems and devices; understanding the threat environment, such as the threats posed by hacking and information warfare to military personnel, operations and facilities; conducting research aimed at dealing more effectively with cyber-security problems; and managing the bilateral military relationship with the United States where homeland defence, critical infrastructure protection and cyber-security are high national priorities. In a similar fashion, the office will have close cooperative dealings with the Department of the Solicitor General, the Royal Canadian Mounted Police, and the Canadian Security Intelligence Service. These links could encompass the following activity areas where the department and agencies have existing roles and responsibilities, such as: operational response, including threats and incident analysis, vulnerability assessment and threat and incident response, including criminal and security intelligence investigations, which are, of course, conducted by the RCMP and CSIS; awareness and outreach to potential partners in the province and territories and private sector; research on and development of solutions to our technological vulnerabilities and risks; and training and education to teach and equip people and organizations to achieve a higher level of cyber-security awareness. Canada must respond to the new infrastructure and emergency management challenges I have described today. To do so successfully will require an unprecedented level of cooperation within and outside of government. Senator Stratton: Mr. Harlick, I had the distinct pleasure earlier last month of meeting with Associate Deputy Minister Margaret Purdy. She was kind enough to come to my office and give me an overview of the new security structure. I applaud the government for establishing such a structure because security is a real and serious problem that we have, and as you have described. I guess it is tiring to hear me repeat this so often, but I am most concerned about our response to natural disasters, particularly flooding. I live in Manitoba along the Red River where, three times in the last six years, we have seen significant problems with flooding. It seems to be occurring more and more often. I refer specifically to page 5 of your presentation, where you talk about these disasters. I understand that the Saguenay River flood in 1996 was an avoidable occurrence. Correct me if I am wrong, but I understand that that flood was caused by the operation of the water control structures along the river. The Ontario-Quebec ice storm power failures will be overcome in future by increasing the capability of individual power lines.Are you monitoring those two situations? I am also concerned that a solution to the Red River problem, despite ongoing studies, is likely to be 12 to 13 years down the road. Are you monitoring that? Can you assure people who live along Manitoba's Red River that they are not likely to re-live another flood like that of 1997? Can you push the province to make up its mind and move on that problem? Please give us an overview on the prevention issues of the Saguenay region, the ice storm, and the Red River flooding. What steps have been taken to prevent recurrence of those events? Mr. Harlick: I will couch the reply in a fairly broad context. Members of the committee here may well be aware, as is Senator Stratton as an expert in the emergency preparedness world, that unforeseen natural disasters - tornadoes, ice storms, floods - offer some difficult challenges to governments and other response organizations. We need to be prepared to respond when they occur, and to assist in recovery. The senator referred to the Province of Manitoba. In the emergency preparedness world, provincial and municipal jurisdictions have the primary responsibilities to prepare for and respond to disasters that occur in their jurisdictions. The federal government's role, under the Emergency Preparedness Act, is to ensure that, where we can, we help them to be well prepared for that purpose. We can achieve, through our efforts, a degree of national preparedness for these kinds of disasters. Let us turn more specifically to this issue: How do we get ahead of the inevitable problems that will occur? Yes, the Red River will flood again. The International Joint Commission report on Red River flooding referred to the fact that the people who live in that area are perpetually at a risk. One thing that I did not mention in preparedness response and recovery was mitigation. Knowing that the problems will occur, how can we get ahead of them to minimize the inevitable impacts? Senator Stratton did not mention this but he provided the keynote address at the World Disaster Management Conference in Hamilton recently. That was followed a day later by an announcement from Minister of Defence Art Eggleton on a National Disaster Mitigation Strategy. He said he was launching consultations by the federal government with the provinces and territories and non-governmental stakeholders to examine whether a national Canadian disaster-mitigation strategy can be developed to allow us to get ahead of the curve. We want to bring to bear the best practices, some good science and technology and as well, we hope, some resources to minimize the impact of the inevitable. Mr. Bartley is in fact the official who will be leading those consultations for the National Disaster Mitigation Strategy. With the permission of the chair, I would ask him to supplement my response. The Chairman: There is a supplementary question from Senator Atkins. Senator Atkins: Is any consideration being given to developing a disaster relief fund that would be in place and ready for use in equipping the Armed Forces or whatever? Mr. Harlick: We will look at that in the course of these consultations. People interested in the issue have floated that idea in the recent past. I will ask Mr. Bartley to respond, but this matter will come up in the consultations. Mr. Alan Bartley, Director General, Policy Planning and Readiness, Office of Critical Infrastructure Protection and Emergency Preparedness: The question of a national disaster mitigation strategy has been around for some time. As some honourable senators may be aware, there were a series of consultations on a regional basis involving the former Emergency Preparedness Canada as well as a number of provinces, territories, non-governmental organizations and stakeholders including the private sector, which started to lay bare some of the issues that needed to be considered in a more detailed way around mitigation. Flood plain mapping, water management issues and flood control matters were areas that were floated during those discussions. This is an area that has been under some discussion for some time. The experiences of the floods of 1996-97 and some smaller incidents since those times and the issue of compensation for disaster recovery have brought home to us how much mitigation is a factor in helping us to avoid some recovery expenses which are borne by citizens, provinces, territories and the Government of Canada generally in the recovery effort. This is a broad-ranging area that has real economic consequences. In the discussions that occurred in 1998 - and we anticipate that they will come up again during the current consultation exercise - there has been some suggestion of a disaster fund. We are looking at that as part of the overall review. We are conscious of the impact that recovery costs have on the public treasury and the existing mechanisms under the disaster financial assistance arrangements for assisting the provinces and territories to help their citizens get back on their feet. There may be other, better ways of dealing with these issues, and that is something that we would want to look at in that context. More generally, with respect to flooding issues, that is again something that is under consideration in the consultation. We anticipate hearing from the Province of Manitoba, specifically, on some of the concerns that they have in this area. At the end of the consultation exercise, I hope we will be able to provide you and others with more specific comments on the way forward with respect to mitigation issues. Senator Stratton: It is the gentle persuasion part of it that I would appreciate from your side, to keep the pressure on the provinces, to ensure that action is taken as quickly as possible. After the Red River flood of 1950, it took 18 years before the floodway was in operation, from the study, the debates and then the final construction of the system. My worry is that we are already into completing the fourth year after the 1997 flood. If we must spin it out another 14 years, that is a worrisome issue. When you look at the flood of 1997, it has a recurrence factor of about once every 100 years. They are now talking about trying to protect against one flood every 500 years, minimum, or one flood every 1,000 years. It is a real concern because it just does not seem to be getting better. The situation is dramatically worsening to the degree that when you talk about flooding once every three out of the last six years, that is significant flooding. It is not just flooding to the level where we can implement protections, but the worrisome part is that we will be hit with a 250-year flood or a 500-year flood within the next 14 years. If you go back to the 19th century, there were three floods in a period of 35 years that were equal to or greater than the flood of 1997; there were two floods within nine years that were equal to or greater than the flood of 1997. As you know, and you are experts in this field, as well, floods can come in clumps. My worry is that we are in that situation and we will need to move as quickly as possible. Your support in that area, and in pushing for a rapid conclusion for what we are trying to do in Manitoba, would be appreciated. Senator Banks: Mr. Bartley, am I correct in understanding that you have taken over from Emergency Preparedness Canada? Mr. Harlick: The Office of Critical Infrastructure Protection and Emergency Preparedness is composed of three organizations, the largest of which was Emergency Preparedness Canada. The second element that was rolled in was the Critical Infrastructure Protection Task Force that I referred to in my remarks.The third small entity was called the Government Information Protection Coordination Centre that was located at the RCMP headquarters in the east end of Ottawa. That body provided threat and incident analysis and coordination with the federal government with respect to computer problems or attacks. Those three elements were rolled together to form this office. Senator Banks: In Alberta we have a public radio network called the CKUA ratio network that is comprised of 17 radio stations throughout the province. CKUA has been in engaged by the Province of Alberta and the Government of Canada as the means by which the warning of an impending crisis, natural disasters or otherwise, will be made known to Albertans, and at the flip of a switch will take over all the radio stations in Alberta. That plan is largely in place. I assume that comes under the aegis of the new agency, or the federal contribution to it does. We are very happy about that in Alberta, because almost all Albertans can be reached almost instantly in that way, in the event, for example, of a tornado. Is there a plan in place to make that kind of early warning system, if I can call it that, available to other provinces? Mr. Bartley: The Alberta system is unique to the Province of Alberta. The jurisdictional responsibility for those kinds of services resides with the provinces. We support all forms of public warning for emergency situations in principle. We think the Alberta system is a good one. There was an announcement earlier this week that will see that system expanded to cover the entire area of Alberta. That is, from our perspective, a good thing. Given that this is a provincial jurisdiction, at our level we have no plans to support or encourage other provinces to do similarly. I understand that other provinces have been given access to the technology and the principle of how this particular system operates. However, it is their decision as to whether they wish to go forward with it. Senator Banks: I certainly hope they will. At present, the Energy Committee of the Senate is conducting a study into the subject of nuclear safety. As with many areas of concern, there are many different views about what is right and what is not right. How much attention have you had a chance to pay to the question of nuclear safety in a couple of areas? You may want to answer these questions later by contacting the clerk. First, the reopening of the nuclear plant in Ontario that is in process, against which there are some arguments, as there always are with things like that. Subsequent to the building of the plant now operated by OPG, which I believe is the Bruce plant, there have been fault lines discovered in the lake very close to that plant. I wonder if that has been made known to you? The second is a larger question. We heard a disquieting piece of evidence with respect to nuclear safety and radiation in general. There is radiation all over the place and we are getting it all the time. There are people who determine the acceptable level of radiation by which everyone in the world measures themselves, and according to which nuclear regulatory agencies in Canada and other countries are able to say that they are way below the accepted level of radiation. It turns out that an international commission, all members of which are appointed by the nuclear industry, determines the acceptable level of radiation. As far as we can determine, there are no medical doctors on the commission, although we will investigate that further. We have been told that that has been the case since the late 1940s or early 1950s. Are you paying attention to the refiring up of the OPG nuclear plant? Are you comfortable with it and in favour of it? I am sure that you are or you would have let us know by now. Second, have you any concern about what is the "acceptable level of radiation," which is arrived at on the basis of a cost-benefit analysis? An acceptable number of deaths per 100,000 is acceptable because of the benefits derived therefrom. That is the basis of the standard by which the world governs itself. I am not saying that the sky is falling, but in your concerns about nuclear safety, have you considered either of those things? Mr. Harlick: I am afraid that I cannot respond directly to those two very pertinent questions because we are not in the nuclear safety business. When I referred to nuclear in my opening remarks, I spoke of critical infrastructure protection and critical infrastructures, one of which might be the nuclear sector. We are certainly interested in how well the nuclear sector manages its risk because if the risks are not managed well, the impact on the populace could be significant. We come at it from a slightly different perspective than a regulatory one. Senator Banks: I am not talking about regulatory. Examination of the lakebed underneath the Bruce plant has found fault lines the existence of which were not known of when the plant was built. Some trenching has been done by which geologists are able to determine how old and how serious the fault lines are. We are in the process of determining whether that study has been completed and what the results are. If we have them, I do not know about it. I am talking precisely about what could be a catastrophic event. I cannot imagine anything more catastrophic. Again, I am not raising an alarm because I have no doubt that the chances of such an event are one in a million, or perhaps a billion. However, a question about a large earth movement beneath a nuclear plant is not a regulatory one; it concerns an event that could have catastrophic effects, and that is the context of the question. Mr. Harlick: I certainly appreciate your level of concern. From the point of view of nuclear safety, our responsibility would be to handle the consequences of a nuclear radiological accident or deliberate event. There is a federal nuclear emergency plan under the leadership of Health Canada for responding to that. We would work very closely with them on that issue in preparing for and responding to a nuclear radiological event that posed a threat to the population. It is from that point of view that we would be responding, as opposed to an oversight of the nuclear industry's standards of safety and that kind of thing. Senator Banks: I am asking about the reaction: into whose bailiwick would it fall? In the last two days, we have asked a lot of people a lot of questions about a lot of situations that overlap a great deal. I am beginning to be concerned about who is in charge. When this happens, who will run it? Who calls the shots? Who gives the orders? Is it you? Mr. Harlick: No, it is not. Obviously the provincial government is very strongly involved in nuclear - Senator Banks: Not in nuclear regulation. Mr. Harlick: In terms of Ontario Hydro, it is. There are also the federal nuclear arrangements, the National Energy Board and that kind of thing. Senator Banks: Nuclear generation is not regulated by any province. It is the only kind of energy generation that is not. It is regulated by a federal agency only. Mr. Harlick: Yes, by the Atomic Energy Commission and that kind of thing. It belongs to the Natural Resources Canada portfolio of agencies and departments here under that minister. Senator Banks: In the event of a nuclear accident, there or elsewhere, is your agency in charge? Mr. Harlick: No, it is not. As I mentioned, the lead agency for the federal nuclear emergency plan is Health Canada. We do liaise with them very closely as part of our coordination and support role. Given the uniqueness of that particular instance, it has been decided in government that they have the lead. We would generally have the lead in other, non-nuclear accidents. Senator Wiebe: I certainly applaud the government on this initiative. I must say, however, that you gentlemen have a tremendous job on your hands. I understand that the purpose of this office will be, in large part, to set up preparedness for an event similar to Y2K, if such a disaster again threatened this country. How long do you anticipate that the program will be in place such that you will be able to tell Canadians to rest assured in the event of a disaster? Second, we do not know whether what we did with regard to Y2K was successful. Either we did too good a job of ensuring that it did not happen, or it was never going to happen in the first place. We had up to 10 years to prepare for that. The next disaster could happen 10 minutes from now, or it could be a year from now. We will not have the time frame to prepare that we did in the Y2K situation. That is why I am asking about the time frame in which you believe that this office will be operating. Mr. Harlick: As I noted in my opening remarks, the Y2K event was a pretty seminal event in the field of critical infrastructure protection. We learned a lot about the criticality and interdependency of infrastructures. Y2K was driven by a unique kind of failure - the failure of code, that is, inability to read the date correctly at a very particular point in time. The world of critical infrastructure protection and cyberfailure attack is much more diverse than that. In fact, it has been with us for some time and will continue with us until an unforeseeable time in the future. There is no beginning or end. It is a constant situation of managing risk. In that sense, we do not want to tie ourselves unduly to the Y2K example. The second part is that it is a very diverse problem. Although the federal government put a lot of effort into Y2K, so did every other governmental jurisdiction, as well as companies and associations themselves. No one person or entity or level of government could fix the problem. That is quite similar to critical infrastructure protection. The Americans say that 90 per cent of their nation's critical infrastructure - and I would imagine it would be the same for us - is not owned or controlled by the U.S. federal government, and thus neither is it owned by the Canadian federal government in our case. It is out there, owned, controlled and operated by the provinces, and particularly by the private sector. As one knows, there is the principle of accountability. They are accountable and responsible for making sure that it works. It is all part of the business, whether we refer to electricity production, banking or telecommunications. The need is, in fact, very difficult. What is the problem? It could be any number of things, not just the failure of one kind of code at one point in time, never to be repeated for several hundreds of years. It is a very diverse, distributive problem. What the government has decided to do, and as the Prime Minister has articulated in his press release, is to try to create this office of CIP and Emergency Preparedness in order to provide a locus for national leadership on this issue. However, it is not a "silver bullet" fix; it is a focal point for the federal government to get its act together vis-à-vis its own systems security, and to dialogue with other levels of government and the private sector and to engage in a cooperative venture to help them protect themselves through the sharing of knowledge and information, through the coordinated analysis of threats, to a coordinated response to problems when they occur. Now that this office has been created, we are actively putting in place our capability, starting first with getting the government's own house in order, and at the same time dialoguing with key critical infrastructure sectors in Canada, to partner with them on very substantive, concrete, analytical and response functions. Senator Wiebe: You are telling me, then, that this is really, in effect, not a program or an agency that will protect Canadians from a national disaster? Provincial governments will get involved if it is a regional disaster, with some cooperation from the national agency. If it is large disaster, such as an ice storm or flood, we may try to bring in some reservists or army people to help. Basically, we will not be coordinating the effort or have a plan or program in place? Mr. Harlick: I may have misled you. National leadership coordination is the whole purpose. That is what the office's role is. However, there is no magic wand for the office to go out and say, "fixed, fixed, fixed." We must coordinate our efforts, as we did with the telecommunications sector with Y2K, so that they are apprised of problems and are coordinating with us to fix them. They must fix their systems. We want to work with them to ensure that that is done, and to contribute what we know about threats and vulnerabilities to assist them to do it. Senator Wiebe: You are unable to give me a time frame as to when you feel this will be up and running? Mr. Harlick: No, I can do that. Is the office up and running today? Yes, it is. Does it have a program for dealing with the banking sector? Yes, it does. Does it have a program for dealing with the electrical sector? Yes, it does. Will there ever be a solution to the problem? Will the problem go away? No. That is the nature of this particular problem of cyber-defence. Senator Wiebe: That is not very comforting. Senator Forrestall: That is scary. Mr. Harlick: It is not comforting, but it does recognize what the problem is. Senator Wiebe: Recognizing the problem and doing something about it, and giving assurances to the general public that we are doing something about it, is very key. I can recognize the problem until I am 400 years old, but I must do something within that 400 years to demonstrate that we are cognizant of the problem and indicate that this is how we will address it. Mr. Harlick: That is right. I have laid out for you the fivefold national framework that shows the components of how this office, partnering with other government departments and other levels of government, and particularly the private sector, will bring national leadership to that issue to tackle the problem and to try to get results. Senator Stratton: I have a very quick supplemental in defence of these folks. I believe this new office will do a remarkable job. If you look at the past, Emergency Preparedness Canada has done a remarkable job with respect to floods in Manitoba, as have the Armed Forces. I have great confidence in what they are setting out to do and I feel they will do a good job if past history speaks, and I think it does. Senator Wiebe: Past history is such that we can be very proud of what our reservists and our regular army people have done in the past. However, what frightens me, from a westerner's point of view, is that National Defence is starting to centralize a tremendous amount of its command positions. The west now has one command position, which is in Edmonton. That is where the men and the equipment are. Will we thin ourselves out more and more? We have two Hercules aircraft to fly men and equipment into an area, providing there is not a snowstorm. This causes me great concern, especially when I see that the key player in all of this will be the office of the Department of National Defence. Our reservists and our regular army people did a tremendous job in all three, particularly our reservists. I see us spreading ourselves too thin, and that is where my concern comes in. Senator Atkins: With global warming and weather patterns these days, there is one area we have not talked about that is a potential flooding area almost every year. That is the Lower Saint John River Valley. Since 1973 it has not happened, but I point that out because every spring we are concerned about whether we will have serious floods. The 1973 flood was a disaster. In dealing with the provinces, I assume each province has an emergency preparedness organization or set-up. Does it come under the Solicitor General or does it come under some minister designated by the premier in each individual province? Do you work with them? Do you feel comfortable with that relationship? Mr. Harlick: Just on your first note about the Saint John River, I will say that, in the past, our office has been proud to be able to organize the financial contribution of the federal government to the Province of New Brunswick to compensate it for some of its expenditures to return to the status quo in the Saint John River flooding area. With respect to the provinces, each province and territory does have its own emergency measures or preparedness organization. They report to a variety of ministers. It is at the choice of the province. In Ontario, for example, it is the Solicitor General. It could be the Minister of Housing or Community Affairs. Regardless of where they report to, our office, through our regional directors in our regional offices, deals closely with the provinces and their emergency management organizations. We have an office in each province and territory, and they are in daily contact with each other. It is our regional offices, through the regional director, that are the principal point of contact with the federal level from the provincial level in terms of both preparedness and the handling of an actual incident. It has been very tight historically and there has been very good cooperation. Senator Stratton's earlier point reflected that very good cooperation at the local level. Senator Atkins: Senator Banks made a point: I assume that if there were a nuclear problem in Ontario, the Ontario government would be called to move in as quickly as you would. Mr. Harlick: The liaison would be between the Ontario Emergency Management Organization, via our regional office in Toronto, directly to us in fast time. [Translation] Senator Pépin: My question deals with information technology services, as well as hacking tools that are currently available. This morning, I put a question to a representative of the RCMP, who told me you could probably give me a better answer. Like other industrialized countries, our country is increasingly dependent on computer systems. Having heard your presentation, should we be more concerned about these viruses that are circulating and the kinds of cyber-attacks that can occur? Without going into detail, can you tell us whether Canadians should feel reassured given what is currently in place? Have you already taken concrete action to counter such attacks? Also, if we passed tougher laws and increased the penalties, do you believe that would deter young computer hacks from attacking Internet sites? Mr. Harlick: I believe Canadians have every reason to feel reassured given the efforts currently being made by the federal government. We are in the process of implementing a plan of action. In terms of protection of our own computer systems, even our personal computers, we all have to take our responsibilities in this regard. I am sure you remember the Love Bug virus that affected users around the world. As soon as a user opened up the message attachment, his or her computer became infected. And yet in the months that followed, other viruses did not have the same impact, because we learned how to deal with the problem. We learned that you should never open up e-mail attachments if you are unsure of their origin. We are now learning how to deal with this type of problem and how to protect ourselves better. Senator Pépin: It is a learning/training process for everyone. M. Harlick: Yes, exactly. People have to be aware of the problem and know how to respond. Within the federal government, we are currently helping departments and agencies resolve issues associated with their computer network. Mr. O'Bright, the Director General of Operations, and his colleagues respond on a daily basis to questions and requests for assistance and support from other federal organizations with respect to threats to, or attacks on, their systems. Also, with a view to protecting our critical national infrastructure outside of the federal government, we are currently in discussions with critical areas to determine what we can do together to protect their systems. We had one meeting with the electricity sector a week ago to exchange information and advice with a view to gaining a better understanding of the problem. We will also be addressing questions that have to do with the kind of training that is needed, so that we can better protect ourselves against such attacks and find appropriate technological solutions. You also asked a question about criminal legislation here in Canada. According to my colleagues from the Department of Justice, the current provisions of the Criminal Code dealing with this sort of activity are relatively adequate for the time being. Parliament passed amendments to the Criminal Code four or five years ago. As you know, we can institute criminal proceedings against "Mafia Boy" here in Canada, whereas authorities in the Philippines were unable to proceed with charges against the person behind "Love Bug" virus. However, officials with the Justice Department are also aware that it is important to closely follow developments in computer technology, to ensure that our employees are able to deal with problems effectively. We can provide them with information based on our experiences. [English] Senator Forrestall: Could we deal with your structure, size, cost and the fact that you operate outside legislation as a line item of your own? Nevertheless, we want to know who you are and what you are doing. We must go to DND to search around for information. How big is your budget for critical infrastructure? Mr. Harlick: The budget for the office has not yet been fixed; it is in the process of being considered at senior levels of government. As I mentioned before, we were initially Emergency Preparedness Canada, and now, in two small entities, we are operating off the A base of Emergency Preparedness Canada and supplemented by resources provided to us on an interim basis by the Department of National Defence, pending a final decision on our A base. That final number will be available when the department approaches Parliament for the Supplementary Estimates. Senator Forrestall: Will we not see the numbers before then? You are as secretive as the rest of the bunch. Mr. Harlick: I cannot predict what the figures will be. Senator Forrestall: How many people do you envision for your staff when you are fully up and running one year from now? How large do you expect the organization to be? Mr. Harlick: Again, that is a function of the amount of money we will receive. I would envisage that we will be in the range of 180 to 200 persons, maybe a bit higher. Senator Forrestall: Do you anticipate being governed by legislation that supports the office? Or do you envision that you will remain under the legislation that generally supports the National Defence Act? Mr. Harlick: We will want to look at that question. In our current legislative base, we look to the Emergency Preparedness Act which sets out responsibilities of the minister responsible for emergency preparedness, which, for the last number of years, has been the Minister of National Defence. The former EPC, as a branch of the Department of National Defence, derived its authorities and power and mandate from that source. With the addition of critical infrastructure protection to the mandate of the government in this office, we will want to look at whether or not a legislative base would be desired or appropriate or necessary for the office. With the office being a part of DND and not a stand-alone agency, as I understand it, the usual practice in government may not be for it to require legislation, because it is part of another organization as opposed to a separate entity. We would want to look at that in the medium term. Now we are concentrating our efforts on getting staffed up to meet the challenges that we have today. Senator Forrestall: How many do you have now? Mr. Harlick: At the moment we would have about 110, 120. We are growing every day. Senator Forrestall: Do you have a competent, professional cyber staff? Mr. Harlick: We do, in fact. If the committee is interested, I can ask Mr. O'Bright to lay out the general components of his directorate, because that is where the threat analysis and incident response capability are located. Senator Forrestall: I would like to hear that but, first, I have a question. A critical event in the Port of Halifax would not be disruption of the rail line because that can be fixed in 72 hours. Rather, if someone were to confuse the bills of lading for 8,000 or 10,000 containers, to the point where none of the contents or destinations are identified, that would be mischief of a major proportion. It would disrupt banking and irritate the directors and chief executives of many companies across the country. It would not endanger anyone, but it demonstrates how simple it would be to turn away critical business from the Port of Halifax. Mr. Gary O'Bright, Director General, Operations, Office of Critical Infrastructure and Emergency Preparedness, Department of National Defence: The operations component of the new office will have five major parts. We are hoping that they will all work synergistically together.One part will deal with threat and incident analysis. We will not be front-line collectors of intelligence, for example, but we will hope to have close working relationships with the security service and others to receive their information. We will look at that information particularly in light of the impact on a particular sector, for example, the rail sector. What is the threat? Where does it come from and what is its potential impact on that particular sector? The second division within operations will deal with something we call the "mapping" of the national critical infrastructure. Mapping may be a slightly incorrect term but it is the best we could think of at the moment to imply that we will try to depict the infrastructures. What do they look like? In a physical world, a dam or a bridge does not usually move, so that is not so bad. As you move into the world of cyber, it is a significant challenge to map out infrastructure because networks are changed and reconstituted regularly by the owners or operators. The third division of operations directorate will deal with vulnerabilities and dependencies. In this particular area, we will look at how the infrastructures interact with each other. The ice storm was an interesting example. The hydro was taken out but there were many other ripple effects across a variety of infrastructures. We are looking at how the infrastructures are connected and where they are at risk. That will all be in close cooperation, we expect, with the people who own and operate these systems. The fourth division is essentially a planning division. We did some early work in the lead-up to the Summit of the Americas in April. A group of individuals, some from our organization and under the leadership of the RCMP, went to Quebec City to assess the information technology systems to be used by the participants. We were able to offer advice in terms of safeguarding those systems. The final division within operations is the organization to which Mr. Harlick referred - a 24-hour, 7-days-a-week, 365-days-a-year coordination centre that will monitor events as they occur, be they physical or cyber. It will handle any issue that requires Canadians to be alerted to potential problems, issue advisories on evolving issues, and then coordinate federal responses to those particular problems as they occur, particularly the serious ones. Senator Forrestall: Where are you physically located? Mr. Harlick: At the present time, we are at Bank and Slater Streets in the Jackson building. That is where Emergency Preparedness Canada was located. Senator Forrestall: If you had your `druthers,' would you prefer the route you are taking now or to have your own legislation? Mr. Harlick: At present, the implicit authorities and powers that we have as a part of DND are quite adequate. As I mentioned, we will review whether it is desirable or prudent, for a variety of reasons, to incorporate this responsibility and any of its associated requirements into a piece of legislation, a self-standing National Defence Act or whatever. For the moment we see no problems in doing what we must do within the current legislative context. Senator Forrestall: If you can do something about cyber problems, I frankly do not care what it costs - just do it. Good luck. Mr. Harlick: Your example about bills of lading in Halifax is a very good one. Many people in the surface transport world or even in air transport think of it as nothing more than an information transportation world. The actual, physical goods themselves are so often tracked by networks and systems that the information system is, in fact, a very significant area of vulnerability, as would be supervisory control and acquisition systems for pipelines. What makes a pipeline run but the electricity and the telecommunications riding on it? People in that industry are well aware of that, too. The question was examined in Y2K and we will be looking at it further in our examination of the transportation sector in Canada. The Chairman: Mr. Harlick, could you tell the committee what the payment formula arrangement is with the provinces in the event of a natural disaster? Mr. Harlick: I may turn to Mr. Bartley for the fine details but the government has put into place disaster financial assistance arrangements which are federal government arrangements to compensate provinces and municipalities for expenditures they make to restore property, businesses, homes, to the condition they were in previous to a disaster like a flood, an ice storm or a tornado.There is a formula in the DFAA, or Disaster Financial Assistance Arrangements, to get at that. The formula starts by saying that it is the responsibility of a province to pick up the tab up to a cost of $1 per capita of the population of the given province. If the province is 4 million strong, then it picks up the first $4 million. There is a scale on which the feds pick up an increasing proportion of the cost. In the large disasters, the figure is 90 cents of every dollar of eligible expenditures. There is a 90/10 split at that point. The Chairman: Following on Senator Wiebe's comments, when people first hear the name of your organization, do they think of you as being in charge of any emergency; would that be fair to say? Mr. Harlick: No, it would not. However, the office could well be in charge of handling a national emergency on behalf of the federal government. The Chairman: Are you able to give us an example of what you would be in charge of? Mr. Harlick: This derives from ministerial accountability and responsibility. If the Minister of National Defence were responsible for leading the federal government's response to a given emergency, then he would be able to rely on the office as well as on the rest of DND and the Canadian Forces to do so. For example, during an ice storm or a flood, the office would be looking at trying to coordinate the provision of federal assistance to the impacted province. The Chairman: Coordinate, not direct; is that correct? Mr. Harlick: That is correct. Especially in the emergency preparedness world, the jurisdiction primarily responsible for responding to public emergencies is the province. When their capacity is overloaded, or they need specialized assistance which the federal government can give, that request for assistance and flow comes from them through the regional offices to this office, which coordinates measures and assures delivery, to the extent that the federal government has that capability of assistance, to the region. The Chairman: As I understand your role, it is an important one. To a large extent your role is one of discussion, consultation, persuasion and planning. That sort of effort is very useful. There is a tendency for one to say, "Here are the folks in charge and they will make everything happen." However, that is not really how you see your role, is it? Mr. Harlick: I do not exclude that, sir. The office has the ability to act. For example, with respect to a cyber problem. In the last couple of weeks, we have been giving very good, direct advice to departments who have had a cyber attack on their systems: do this, fix that, see this as a source of information. That is not just saying, "Oh, we will hold your hand." The Chairman: I get terrific advice from my office, but I am the one who decides. Are you saying that you decide what the department should do? Mr. Harlick: No. That is important for purposes of accountability. To echo Senator Wiebe's earlier concern, it is impossible, either in the emergency preparedness world or the critical infrastructure world, for an office like ours to ride to the rescue on every issue at every time. Particularly in the cyber world, the people who know their systems and what the problems are and have the responsibility to fix them are those who own them and are responsible for them. The challenge is when they do not know what to do; otherwise they would not phone us, they would fix the problem if they could, or call their supplier. When they come to us, they are getting close to the end of their tether; it is spilling over, it is causing problems for them. They want advice beyond the box. That is what we are organized to do. We can pull on and from within the Canadian government, as well as within the private sector, expert advice to deal with this new variant of worm or virus in respect to this kind of system and give them advice on how they might fix it. The Chairman: You are advice providers, then? Mr. Harlick: Pretty much. The Chairman: Do you plan to do an evaluation of the top 100 events that might happen to critical infrastructure and the impacts that could flow from those events? Mr. Harlick: We have no explicit plan to do that, as of today, but it is quite likely we will do something like that. That was what was done in a very crude way during Y2K. A number of experts under the auspices of a national contingency planning group sat down and developed a matrix on what are the critical infrastructures, what is the criticality of each of those, and what is their degree of interdependency with each other. In other words, if something happened here, what would be the impact over there? That is what Mr. O'Bright was talking about when he spoke about vulnerability and dependency analysis. When you put that in the context of a geographic area of the country, or a system or network, that is what you map. Where is that infrastructure, what is its criticality and interdependency? If you have good hardware and software, you can game out what might happen if there is a failure here, what would be the consequences on a region, a people, a sector or an industry. That is important to do. We will do that and, in a way, we will end up doing 30 or 50 scenarios about what would happen. That informs the infrastructure owners and us as to what could happen. They then apply a risk analysis to that based on what might be happening in their area. That engages them in putting up appropriate protective measures. We will be working in that area. You are bang on there. The Chairman: Mr. Harlick, I would like to thank you and your colleagues for an interesting presentation today. It gave the committee a good insight into the work that you are doing. This portion of the meeting is now adjourned and the committee will now move to an in camera session. The committee continued in camera.