THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS
EVIDENCE
OTTAWA, Monday, March 20, 2023
The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4 p.m. [ET] to examine and report on issues relating to national security and defence generally.
Senator Jean-Guy Dagenais (Deputy Chair) in the chair.
[Translation]
The Deputy Chair: Welcome to this meeting of the Standing Senate Committee on National Security, Defence and Veterans Affairs. I am Jean-Guy Dagenais, senator from Quebec and deputy chair of the committee. Unfortunately, our chair, Senator Tony Dean, could not join us today. I invite my colleagues to introduce themselves, starting on my left.
Senator Cardozo: Andrew Cardozo, Ontario.
[English]
Senator Dasko: Donna Dasko, from Ontario.
[Translation]
Senator Boisvenu: Pierre-Hugues Boisvenu, from La Salle, Quebec.
[English]
Senator Yussuff: Hassan Yussuff, Ontario.
Senator Boehm: Peter Boehm, Ontario.
[Translation]
The Deputy Chair: Thank you, colleagues. For those of you watching live from across Canada, I would like to remind you that today we are focusing on cyber threats to Canada’s defence infrastructure. We have three distinguished panels with us today. We’ll get started immediately.
For our first panel of witnesses, we are pleased to welcome, from the Communications Security Establishment, Mr. Sami Khoury, Head, Canadian Centre for Cyber Security, and Mr. Daniel Couillard, Director General, Partnerships and Risk Mitigation, Canadian Centre for Cyber Security.
Welcome, gentlemen, and thank you for being with us today. You have been invited to speak in the context of your National Cyber Threat Assessment Report 2023-24, from the Canadian Centre for Cyber Security.
We will begin by inviting you to make your opening remarks, which will be followed by questions from our members. Mr. Khoury, you may begin whenever you are ready.
Sami Khoury, Head, Canadian Centre for Cyber Security, Communications Security Establishment: Thank you very much, deputy chair.
[English]
Good afternoon. I am the head of the Canadian Centre for Cyber Security, often referred to as the “Cyber Centre,” within the Communications Security Establishment, or CSE. I am pleased to be joined by my colleague Daniel Couillard, Director General of Partnerships and Risk Mitigation at the Cyber Centre.
[Translation]
We thank you for the invitation to appear today to discuss cybersecurity and, specifically, our National Cyber Threat Assessment 2023-24 released on October 28, 2022. You may have noticed there is a lot in the news about cybersecurity, but I am happy to say that our assessment remains as relevant — dare I say “fresh” — today as it was when we released it five months ago. I will refer to this report throughout my remarks by its acronym, the NCTA, or ECMN in French.
[English]
I’d like to begin by providing an overview of CSE’s Cyber Centre, which serves as a unified source of expert advice, guidance and support on cybersecurity operational matters.
[Translation]
We work closely with other government agencies, industry partners, and with the public to improve cybersecurity for Canadians and to make Canada more resilient against cyber threats.
[English]
At the Cyber Centre, we deliver world-class defence of Canadian government networks. We defend systems of importance, which are specifically designated by our minister, from malicious cyberactors by deploying sophisticated digital defence protections that are informed by our unique information advantage as part of CSE.
The Cyber Centre supports Canadians and Canadian businesses around the clock by posting threat alerts and advisories, undertaking cybersecurity public awareness campaigns, such as Get Cyber Safe, and even providing the cybersecurity community with free tools like Assemblyline, our malware detection and analysis tool, to ensure all Canadians have access to resources that make them feel safe online. By forming partnerships with stakeholders across the country, from government institutions to critical infrastructure service providers and academia, the Cyber Centre works tirelessly to collectivity raise Canada’s cybersecurity bar.
One of the Cyber Centre’s roles is to keep Canadians informed about cybersecurity and the possible threats they may encounter. To do this, we monitor the evolution of cyber-threats against Canada and produce assessments and reports. These reports are unclassified, publicly accessible analyses of the threats Canada is facing in the constantly evolving cyberlandscape. I strongly encourage members of this committee, and Canadians more broadly, to read these assessments, as they provide an invaluable look into the threats the Cyber Centre defends against every single day.
[Translation]
One of these reports, released every two years and based on both classified and unclassified sources, is the NCTA. Our goal with the NCTA is to inform the public about the threats we expect due to the increasing digitization of all aspects of our lives.
[English]
The assessment’s findings are based on reporting from classified and unclassified sources, including those related to CSE’s foreign intelligence mandate. While the Cyber Centre must protect classified sources and methods, we have tried to provide readers with as much information as possible.
I will now provide a brief breakdown of the Cyber Centre’s key findings from the most recent NCTA regarding the cyber‑threat landscape. We have chosen to focus on five cyber‑threat narratives that we judge are the most dynamic and impactful and that will continue to drive cyber-threat activity to 2024.
First, ransomware is a persistent threat to Canadian organizations. We reported that cybercrime continues to be the cyber-threat activity most likely to affect Canadians and Canadian organizations. Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians.
Second, critical infrastructure is increasingly at risk from cyber-threat activity. This means that cybercriminals can exploit critical infrastructure. State-sponsored actors target critical infrastructure to collect information through espionage, to pre‑position in case of future hostilities and as a form of power projection and intimidation.
Third, state-sponsored cyber-threat activity is impacting Canadians. Notably, the state-sponsored cyber programs of China, Russia, Iran and North Korea pose the greatest strategic cyber-threats to Canada.
Fourth, cyber-threat actors are attempting to influence Canadians and degrade trust in our online spaces. We have observed cyber-threat actors’ use of misinformation, disinformation and mal-information evolve over the past two years.
Finally, disruptive technologies bring new opportunities and new threats. Digital assets, such as cryptocurrencies and decentralized finance, are both targets and tools for cyber-threat actors to enable malicious cyber-threat activity. Machine learning can be exploited by cyber-threat actors, and quantum computing has the potential to threaten our current systems of maintaining trust and confidentiality online.
[Translation]
Although these trends can be worrisome, our hope is that we can help Canadians stay aware and informed of the potential threats they may encounter online. The good news is that many of the cyber risks we identify in this report can be mitigated. In fact, the vast majority of cyber incidents can be prevented by basic cybersecurity measures. That is why the Cyber Centre has released advice and guidance tailored to the five narratives identified in this report. These companion publications outline practical steps to mitigate the risks associated with each theme. The Get Cyber Safe website also offers simple and effective cybersecurity tips for individual Canadians.
[English]
As technology continues to accelerate with rapid speed, threats also continue to evolve. The Cyber Centre is working hard to bolster cybersecurity capabilities across Canada, in partnership with industry, academia and all levels of government. Although Canada has strong defences in place, our tool kit can be bolstered to better protect our country against the rapidly evolving threats posed by cybercriminals and state-sponsored threat actors.
Moving forward, and as a means to continue to adapt to the evolving threat environment, bolster defences and help better protect Canada and Canadians, we’re hopeful to see the continued progress of Bill C-26, An Act respecting cybersecurity, currently in second reading in the House of Commons. This legislation would establish a regulatory framework to strengthen cybersecurity for services and systems that are vital to national security and public safety and give the government a new tool to respond to emerging cyber-threats.
As well, the Government of Canada is currently undertaking a renewal of the National Cyber Security Strategy, which originally launched in 2018. CSE and its Canadian Centre for Cyber Security are important partners in this strategy, and we are continuously monitoring the cyber-threat landscape, evolving trends and proposing new programs and ideas.
In closing, I would underline that Canada is facing a complex and rapidly evolving cyber-threat landscape.
[Translation]
Briefings such as this are an important opportunity to discuss the risks we face and the steps we can take to better protect ourselves online.
[English]
CSE and the Cyber Centre are working hard to mitigate many of these threats and protect Canadians and their interest.
I am grateful for having had the chance to talk to you about this today. Thank you.
[Translation]
The Deputy Chair: Thank you very much for your statement, Mr. Khoury. Before we proceed, I would like to acknowledge Senator Richards, who has just joined us.
I would also like to ask participants in the room not to lean too closely to the microphone and not to remove their earpieces. This will help avoid sound feedback that could negatively impact committee staff in the room.
Mr. Khoury and Mr. Couillard are with us for approximately one hour. In order for each member of the committee to participate, I will limit the questions and answers to four minutes. I would ask that you keep your questions succinct and identify the person you wish to address.
[English]
Senator Boehm: Thank you, Mr. Khoury and Mr. Couillard, for being here and for the important work that you and your teams undertake for Canada.
In the Centre for Cyber Security’s National Cyber Threat Assessment 2023-24, it states:
Critical infrastructure is increasingly at risk from cyber threat activity . . . .
State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position in case of future hostilities, and as a form of power projection and intimidation. However, we assess that state-sponsored cyber threat actors will very likely refrain from intentionally disrupting or destroying Canadian critical infrastructure in the absence of direct hostilities.
We are in a situation where we are supporting Ukraine in the war that Russia has started. We are not in direct conflict with Russia, but we are providing military, economic and humanitarian forms of assistance in Ukraine’s defence. Do you in the centre consider that our critical and defence infrastructure is at increased risk of cyber-threat activity by Russia, given our support for Ukraine, despite the absence of direct hostilities? Is there an increased risk of cyberattacks on Canada — to name another country — by Iran, given that it is an ally of Russia and that our government and, indeed, Canadians have been very critical of Iran, particularly on human rights within the country?
Mr. Khoury: Thank you, senator, for this question.
We have been paying particular attention to the Russia-Ukraine conflict. Since the early days of the conflict, we have been warning Canadians and Canadian businesses to take every possible precaution to protect their infrastructure from cyberattack, either direct or indirect. We have published alerts and bulletins continuously since the early days of the conflict — the most recent one was in February of this year — where we continue to warn about what our concerns are. We are definitely concerned about critical infrastructure.
We have learned a lot from the Russia-Ukraine conflict. We are an organization that also has an intelligence mandate, and we learn a lot from what we are observing happening in Ukraine. We turn that information around very quickly to warn Canadians.
It is no secret that Russia is a sophisticated adversary, and they have demonstrated that they use their cyber capabilities in a very irresponsible way. Not only do they use them in Ukraine, but they use them against civilian infrastructure beyond just Ukraine — in the case of Viasat, for example. When they do that and cross cyber norms, we call them out, and there have been a number of instances where Canada has joined allies to call out the irresponsible behaviour of Russia.
From a Cyber Centre perspective, we are concerned, and definitely critical infrastructure is top of mind, but we are doing everything we can to share what we know and be on point with our colleagues in the CI space to warn them about any forms of cyberattacks.
Senator Boehm: Do you want to add anything on Iran?
Mr. Khoury: In our national cyber-threat assessment, we call out the four countries: Russia, China, Iran and North Korea. Each one has different motivations in terms of their cyber programs. When necessary, we will put out a bulletin about Iranian activities, and we did that last year jointly with the U.S. to warn against Iranian activities. We learn a lot through our intelligence mission and then turn around that information to warn Canadians about the activities of these four countries.
Senator Boehm: Thank you.
[Translation]
Senator Boisvenu: Welcome to our two witnesses. We cannot ignore a subject that is currently much in the news in Canada, namely interference in the electoral process by China or Russia. Has your centre been asked to share any information? In fact, do you have any knowledge of such interference?
Mr. Khoury: Thank you for your question. Yes, the centre has been involved, and there are different ways in which the centre gets involved in these types of issues.
First of all, in the report, we have documented publicly that we are concerned about interference in the electoral process in Canada.
During elections, we work very closely with Elections Canada to protect the electoral infrastructure and ensure that it is well secured from a cybersecurity perspective. The CSE is part of the Security and Intelligence Threats to Elections Task Force. This is a non-partisan committee of public servants who, during the election period, manage the risks that are raised; it is their responsibility to decide whether or not the threshold has been met.
In our cybersecurity role, we actually protect the electronic infrastructure of elections, but other government partners inside and outside of CSE are also involved in this committee.
Senator Boisvenu: Can this security operation lead you to make direct interventions in external interference?
Mr. Khoury: If we’re talking about technological interference, if we see something of concern on the networks, we work with Elections Canada to manage those concerns, whether they’re criminal or otherwise. If it’s non-electronic interference, I defer to other departments that have that responsibility.
[English]
Senator Dasko: Thank you for being here today. It is a very important and very interesting topic.
I read the background material, and coincidentally there is a piece in The Globe and Mail today about cybersecurity where it says the federal government is subject to between three and five billion malicious actions daily. Now, of course, this boggles the mind. I wonder if you can unpack that a little bit. Surely, if we had that many attacks — and I’m not saying that this is wrong, but it would seem that we would be destroyed through such attacks. Just give us a sense of what that looks like.
Another question I would like to throw in is about a great concern I have about your comments with respect to foreign actors attempting to degrade trust in our democratic institutions. I would really like it if you could provide some examples of who and what. What are some of the things that they have done to degrade our trust in our institutions? I have more questions, too.
[Translation]
Daniel Couillard, Director General, Partnerships and Risk Mitigation, Canadian Centre for Cyber Security, Communications Security Establishment: Hello, and thank you for your question. I will answer the first one.
One of the functions of the Canadian Centre for Cyber Security is to protect the federal government’s network, in partnership with other departments, such as Shared Services Canada. In this effort, we have deployed an infrastructure that monitors what is happening on government networks.
[English]
This infrastructure that we deploy on government networks provides us automated 24-7 monitoring of activities on our network, and we also build in an automatic response to some of these threats. Of course, we’re talking about government networks that are operating at very high speed. We are processing lots of information. That results in those huge numbers that you have seen. Not every one of these attacks or actions that we block are necessarily direct high-risk attacks against the networks. Some of these are just reconnaissance activities. Those are all technical activities that any network is subject to. Of course, working with allies, we have a large set of indicators of compromise, which could be many things, and one of them could be an IP address, that we know are nefarious or are associated with some kind of malicious actor in the government. Those are the ones we block. That’s how we get to those numbers that we are blocking, and those are daily. They are all automated and keep knocking on our door every day. That’s how we get to these numbers.
Senator Dasko: You’re just batting them away.
Mr. Couillard: Exactly.
Mr. Khoury: On the second part of your question about disinformation, in our report, we name actors like Russia and China as being active in that space. Case in point, during the conflict last year, Russia put out some information that Canadian soldiers or Canadian involvement in Ukraine was false. We knew it was false, and, as a result, the CSE took the unusual step of declassifying intelligence to make the point. They are flooding the air waves with a lot of misinformation in order to erode trust in our institutions, whether it is the Canadian Forces, the government or others. We need to be vigilant and invite Canadians to be critical of the information that they read, be aware of the sources they get the information from and, when required, we will use our intelligence and declassify it to prove the point.
Senator Dasko: What would the sources be for the examples you gave? Would it be sources on Twitter or social media? Where are they disseminating this information?
Mr. Khoury: I think it was on Twitter, but I would have to get back to my sources, if you don’t mind.
[Translation]
The Deputy Chair: Before we continue, I want to acknowledge Senator Deacon, who has just joined us.
[English]
Senator Cardozo: I have so many questions to ask, but I wonder if I could talk about the issue of electoral or political interference a little further. Could you give us some examples of the things that are happening? We know some of the stuff out there that we’re reading about, but can you give us a handful of examples of actions that foreign governments or foreign players are taking in our electoral and political systems overall?
Mr. Khoury: Thank you for the question.
In my role as the head of the Cyber Centre, our primary focus is to defend the infrastructure of Elections Canada and the infrastructure that is meant to support the conduct of an election. We work with Elections Canada, and we start working with them even before an election to ensure the security of the network and systems, which is very important. That’s our role in monitoring the cybersecurity of the infrastructure. If there are cyber-threats that we notice on these networks, we will be able to detect them. Whether they are criminal or whether they are nation states, we will be able to detect them on the networks and neutralize or remove them.
If there are any threats that are not of a cybersecurity nature, other government agencies would then be better-suited to answer your question about the kinds of other threats, whether it’s the RCMP, CSIS or other departments.
Senator Cardozo: Is some of the interference people spreading misinformation and disinformation about the electoral system or about political parties?
Mr. Khoury: There could be both. There could be misinformation out there about the election or about the political parties.
During the election, we have worked with the political parties, all of them, to inform them of threats. We’ve set up a 24‑7 hotline where people can call us. The candidates can call if they have any concern from a cybersecurity point of view. We work with Elections Canada, as I mentioned, and we work with the House of Commons to secure the infrastructure there. We’re definitely at the cybersecurity of the infrastructure, but if there are additional concerns, they might have to resort to some of our other partners across government.
Senator Cardozo: How many of those cyber-threats would you say come from within Canada or North America as opposed to China or Russia?
Mr. Khoury: Where a cyber-threat comes from does not necessarily point you toward who is behind it because foreign actors will try to cover their tracks by making it appear as if it is coming from elsewhere. Our priority at the Cyber Centre is to block all these cyber-threats to make sure we neutralize them regardless of where they come from. Attribution becomes a secondary effect. We will get there once we make sure that the system is secure and there are no more threats on it. Primarily, our job is to stop the threat or to neutralize it.
Senator Cardozo: Are there bad actors that you think are based in Canada?
Mr. Khoury: It’s possible that there are bad actors that are leveraging Canadian infrastructure to attack government systems. That is possible. Determining who is the bad actor behind the keyboard would probably be for RCMP or CSIS to investigate, but it is possible that there are cyber incidents that are originating from Canada or that appear to originate from Canada as opposed to from outside of Canada.
Senator Yussuff: Thank you, witnesses, for being here today.
Given the myriad challenges we face, obviously government infrastructure and defence infrastructure are important. In addition to that, there are the things we hear about every day — hospitals being attacked or retail outlets being hijacked with demands for ransom to be paid. Does that also involve your work in alerting businesses? You said earlier that some of the things that could be done are fairly simple. My question is, if they are simple, why are they not being done, and why are so many institutions still vulnerable to cybersecurity attacks? It seems to me, from what I have read publicly and certainly in regard to these attacks, that we have yet to catch a culprit that is initiating the attacks. Maybe you can elaborate a bit more based on your experience and knowledge.
Mr. Khoury: Thank you for your question.
We live in a world where our IT networks are getting more and more complex. To get to a state that is 100% foolproof is probably very challenging. It sometimes only takes a small vulnerability to exploit a network.
There is a lot of interest in cybercriminals to impact pain on critical infrastructure because that’s a pain point for society, whether it’s a hospital, an energy sector provider or otherwise. They go after these organizations. We know they have no scruples. They are only in it to get money. They will launch a ransomware campaign against them for whatever money they can get.
We put out a lot of publications to encourage these organizations to up their cybersecurity games. There are simple things, as you mentioned, such as passwords, backups and things like that. In late 2021, we launched an anti-ransomware campaign with a letter signed by four ministers encouraging businesses to take the threat seriously. We have also published a playbook to help organizations defend against ransomware but also recover from a ransomware incident.
There is a lot that is out there in terms of a space where organizations can help defend themselves. Obviously, in some cases, it does require an investment on behalf of these organizations to up their cybersecurity capacity. There is a lot that can be done to raise the bar and raise resilience to make it more challenging for a ransomware actor to perpetrate an act of ransomware.
Senator Yussuff: At the national level, I assume there is some coordination with the provinces and territories in regard to how they are dealing with cybersecurity. They are not simply relying on you to defend their interests; they are going to look at their own interests. How much collaboration happens between your offices and the provincial and territorial offices across the country?
Mr. Khoury: Thank you for this.
We have various levels of engagement with the different provinces. We do talk to our provincial counterparts about cybersecurity. We exchange a lot of information. Between our SOC — security operation centre — and the provinces, there is also operational information that goes back and forth.
It’s important to note that, when there is an incident, we hold the privacy of that incident very closely. We don’t talk. Whether it’s a hospital, municipality or a school board, it is between us and the victim. Unless they decide to pull in other elements within the conversation, we absolutely respect their privacy and keep it very tight to just the two of us.
Senator Richards: Thank you to the witnesses. I apologize if you have answered these questions partially, but I was late.
How complicit and cooperative are these bad actors with one another when it comes to dealing these various blows to Canadian sovereignty? How much more sophisticated, if they are more sophisticated, are the states such as Russia, and especially China, with our own cyber knowledge? Lastly, do we have our own collaborative firewalls with the U.S. and other NATO allies? I assume we do.
Mr. Khoury: Thank you very much for the question.
These cyber actors are getting more and more sophisticated. What we are seeing is that capabilities that used to be in the nation-state category are seeping into the criminal organizations. Criminal cyber capabilities are moving up in sophistication. They are seeping from the nation state down. We are also seeing that, in some case, nation states are using cybercriminal capabilities to hide their tracks so that it doesn’t point in their direction.
As far as our knowledge of these actors, we have good knowledge about them. We have good collaboration with the U.S., for sure. Our critical infrastructure is connected in many cases. We have to collaborate with our allies to the south, but also with our international partners. There is a good level of collaboration in the cybersecurity space, not just within Canada but between Canada and the U.S., between Canada, the U.S. and the U.K., our Five Eyes partner and the international community.
Senator Richards: Would you say that China, in dealing blows to us, is more sophisticated than our ability to stop them at the moment, or do you think we’re on par and we can rebuff these attacks?
Mr. Khoury: I think it is difficult to compare one actor to the other. At the Cyber Centre, our priority is to stop them all, regardless of their sophistication.
Senator Richards: Sure.
Mr. Khoury: Whether it’s China, Russia, Iran or North Korea, we work tirelessly to make sure that we stop them all.
Senator Richards: Thank you.
Senator M. Deacon: I am going to backtrack. I know there are a number of timely topics that are relevant and near and dear to us, but I’m going to go back and remind us how we felt during the Rogers outage last summer. In that area, I’m referring to the question around the resilience of our telecommunications network. We learned a lot. Certainly, it lay bare how disruptive prolonged internet outages are to our lives, spanning the spectrum from inconvenient to actual security issues, and pretty dangerous for some.
This afternoon, I’m curious to what extent you can share with this committee what that day meant for our national security network. Were government installations also affected? Perhaps there may have been some learning, stepping back and watching, saying, “We were okay but …” If you could help me with that, that would be great.
Mr. Couillard: Thank you for the question. Absolutely, that was a unique event.
First of all, immediately when that started, we were in communication with Rogers, because obviously the question of whether this was a cybersecurity-driven event was on everybody’s mind. We at the Cyber Centre have a great relationship with all of the telecom service providers in Canada. That comes in handy. I know they were talking to Sami right away. Obviously, they kept us informed of the event. Immediately, they made it clear that so far as the incident was involved — those are always dynamic. When they start, it’s never clear what happened at the first moment, but clearly, the indication was that this was a non-cyber-related event. Lucky for us, that was the case.
What it did, though, to your point, absolutely, is showed the importance of how critical, essential infrastructure is dependent on one another. Obviously, some financial institutions were affected by this. It shows that resilience is a job that is never finished.
I cannot speak for Rogers on what happened, obviously, in their activity. There have been a few places where they came forward and explained that it was really — I would say for this place — a configuration issue of their network. How did that happen? Obviously, this merits a discussion with them, for sure.
The reality is that it showed a great step up by the various telecom service providers, realizing that they needed to work together and they needed to work in partnership with other federal entities. ISED, Innovation, Science and Economic Development Canada, also worked with us to engage the telecom service providers, and Rogers, to understand what happened and then learn from that. Our friends at ISED have been leading an activity where all the telecom service providers are now actively learning from this event and implementing — Minister Champagne was clearly demanding action by a Call to Action by the telecom service providers. That has been documented, and they are now delivering this. The industry stepped up to the plate and worked with us to address these things. There is a new protocol in place calling for action, and we are part of this. Of course, again, this was not a cyber event, but it could be a cybersecurity event in the future. The Cyber Centre has been part of those discussions and is included in the protocol for future events.
Senator M. Deacon: Thank you.
My colleague, Senator Dasko, asked a question related to today’s The Globe and Mail article. With regard to cybersecurity in our Crown corporations, they noted that while the organizations are independent of government, they still operate on the same network, acting as a kind of back door to more sensitive information. It was also said that just 5 of the 50 such federal entities use Enterprise Internet Service, which incorporates the technology from the CSE to better protect against threat. Could you comment on the implication in this article that this could act as a soft underbelly in cyberdefence?
Mr. Khoury: Thank you for the question.
We live in a more connected society, so making sure that our networks are secure is key. From a Cyber Centre perspective, besides government or core departments, we work with small departments, agencies and Crown corporations. We are available to provide cybersecurity support to any Crown corporation that reaches out to us, and we have done so in the past. It’s more of a bilateral engagement on that front. The Treasury Board and CSE are trying to bring the collective of Crown corporations together, but in the interim, we are more than happy to work individually with any one of those Crown corporations.
Senator M. Deacon: Thank you.
[Translation]
The Deputy Chair: Before we get to the second round, I’m going to take the liberty of asking a very short question. Because of its proximity to the United States, could Canada be used as a computer base for cyberattacks targeting Americans?
Mr. Couillard: Thank you for your question. Obviously, Canada and the United States share a tremendous amount of critical infrastructure on the continent. We’ve mentioned before that the point of origin of an attack is not necessarily related to who is conducting that attack.
[English]
Based on that premise, it’s possible that a foreign actor would leverage some infrastructure in Canada to launch an attack against the U.S. This is where we are building those relationships with a lot of our colleagues from the U.S. government. We have also built relationships with critical infrastructure operators, such as energy and telecommunications, where there is extensive connection with the U.S. infrastructure. We’ve also built relationships with private sector associations to build resilience together. That’s a key priority for us during this time of the war in Ukraine. We gave advice to our critical infrastructure operators to proactively increase the level of awareness and security in relation to this threat and in thinking about these scenarios.
Senator Boehm: Mr. Khoury, you have answered the question in different ways. When they think of interference of this kind, most Canadians think of malign state actors. The state actors, as you have said, will cover up what they have done and perhaps push it into the direction of rogue actors. The rogue actors, in turn, might pretend that they are state actors. Through all of this, I guess you have to find the path as to what is what. Do you have a sense that the rogue actors — who may or may not be acting on behalf of state actors — are actually increasing their activities? Are there any related Canadian vulnerabilities, particularly in our defence sector, to that end?
Mr. Khoury: Thank you for the question.
I would say there are three camps. There is the purely cybercriminal camp, there is the nation-state camp, and there is the state-aligned rogue actor, so criminal organizations that are state-aligned. At the Cyber Centre, we have to defend against all of them. Whether it’s a cybercriminal motivated by money, a nation-state motivated by espionage or stealing international property, or a rogue actor motivated by ideology, we have to defend against all three of them, and possibly more. The goal of the Cyber Centre is to make sure that we inform Canadians and Canadian businesses of the threat and adjust our publications to cater to the various types of attack actors we might see.
Senator Boehm: Would you also inform our closest allies and say, “Hey, we’ve found a new one here. Do you know about this one?” And would they do the same with us?
Mr. Khoury: We work closely with our allies — the U.S., U.K. and international partners. Our deepest partnerships are with the U.S., U.K. and Five Eyes partners. A lot of sharing takes place amongst the five of us in terms of intelligence sharing and cyberdefence. When it comes to cyberdefence, for the good of the community and for the good of Canadians, we push out as much information as possible.
Senator Boehm: Thank you.
[Translation]
Senator Boisvenu: You know this committee is conducting a study on Arctic security. Canada is poised to invest heavily in protecting the Arctic, especially in technology.
Are your ties with the Americans consistent? Will the exchange of information allow you, as an autonomous entity — even though you have ties to the Americans — to have a good view of what goes on in the Arctic, after the modernization and increased presence of technologies that are much more at risk than what we have today?
Mr. Khoury: Thank you for the question.
Indeed, in all of the government’s technology projects, we try to bring in the cybersecurity component to support those developments and make them as secure as possible. We also participate in public forums with the private sector to invite companies to invest in cybersecurity. We try to make sure that cybersecurity is included in the definition of the problem, and not something that is added at the last minute. How do we make sure that cybersecurity is built into the development of a project so we don’t regret its omission later? With that in mind, we hope that any investment projects in the North or in Indigenous communities, in particular, will be projects that have a good foundation in terms of cybersecurity.
Senator Boisvenu: Thank you.
[English]
Senator Dasko: I want to keep pursuing the topic of efforts to degrade our democratic institutions with disinformation. You gave one example. Could you give a few more examples of how this has happened and in which instances?
I also want to ask you this: What is it you do with this information? Do you do a risk analysis? Do you inform, let’s say, government departments? Do you take on activities to answer the misinformation with correct information? How do you handle the information? Where does it go, and what happens to it in terms of the actions that might ultimately be taken, or not?
Mr. Khoury: Thank you, senator, for the question.
From a Cyber Centre perspective, we are definitely concerned about cybersecurity and the protection of Canadian information, government information and Canadian privacy. We work in concert with other partners, both inside CSE or with defence, with other agencies or departments within the government.
We are not a regulator, so in a sense we’re not here to regulate what goes into cyberspace in terms of information content, but the CSE and other government departments have taken the sometimes rare measures to declassify intelligence to prove that information that is out there is not correct. From a Cyber Centre perspective, we want to make sure that the Canadian government infrastructure, or that of others, is not used in a malicious way or not used to promote that sort of misinformation. We have put out advice and guidance for Canadians. We have put out advice and guidance for social media applications. We are informing Canadians of the threat that some of these environments out there, social media apps and others, can pose to their privacy and security. That’s the contribution of the Cyber Centre.
Senator Dasko: That would be at a high level that you’re warning Canadians.
Mr. Khoury: Yes.
Senator Dasko: With regard to specific information, where does that go? When you collect the information about instances, whether it be within elections or I am thinking mainly outside elections when disinformation is disseminated, where does the information you pick up go?
Mr. Khoury: We would only pick up the technical information that supports or indicates that there has been a malicious cyber event. Other types of information would be picked up by other departments. I would probably defer to other departments to bring the content element of that information together and maybe answer that question.
Senator Dasko: I see. It would be handled by other departments.
Mr. Khoury: Yes.
Senator Cardozo: I want to come back to the domestic scene. In past decades, security forces have looked at terrorism as being something that would come from the outside. In the past few years, they have begun to understand that certainly there are forces within Canada, White supremacist being probably at the top of the list. Is it your sense that forces like that are active in the cyberworld? Do you watch groups within Canada as sources from where cyber-threats might come?
Mr. Khoury: Thank you.
To answer your question directly, no, we don’t watch groups. The Cyber Centre is primarily concerned with the infrastructure layer and making sure that the infrastructure layer is secure from cyberattack. I would defer to other departments who have the mandate to monitor or to watch activities by groups. If the cyber event comes from outside of Canada, we can sometimes categorize it as cybercriminal or nation state. When nation states are behind a cyber event, if they cross those lines of cyber norms, the government might choose to call them out, but we don’t look domestically at who is behind the keyboard.
Senator Cardozo: Your first focus is the hardware of the cyber system?
Mr. Khoury: Yes.
Senator Cardozo: But you also do look at where it’s coming from?
Mr. Khoury: Our first concern is the security of the infrastructure layer, so the network and hardware that underpins, but malicious cyber activities can come from anywhere in terms of who is behind those cyber activities. In some cases, we know that Russia, China, Iran and North Korea are perpetrators of some of these cyber activities, and they each have a different signature that informs us as to this is a typical Russian attack or typical Chinese attack. That’s how we learn about how to better defend government systems and how to share that information with our partners to make sure that we stay on top of the threat that they pose.
Senator Yussuff: A very biased question to you directly: Given your responsibility, how would you say we’re performing on the broader question of cybersecurity? This is something that is obviously very much topical to Canadians these days, given the issue of election interference.
Mr. Couillard: Thank you for the question.
It’s a difficult question to answer. How do we perform? Our focus is to protect the Canadian government, Canadian infrastructure and Canada at large. That’s the focus we have. It would be difficult for me to compare us to any other nation or institution like that.
We have a group of people dedicated to do this. We work collectively with our colleagues from the federal government, the provinces and our international partners, and we’re committed to this. We are investing our time and effort to stay in line with the threat. As the threat evolves, we want to be moving forward and constantly blocking those threats and continuing our mission.
I think we’re doing a good job, obviously. The Canadian taxpayers are getting something good out of us, and we’re committed to this. Where we rank against others would be difficult for me to answer that.
Mr. Khoury: If I can add a few comments, over the years we have developed what I believe to be world-class cyberdefence capabilities that we circle the Canadian government with. These capabilities are the envy of many of our partners. They look to us on how we wrapped our hand around government departments with cyberdefence capabilities. From a GC perspective, I’m extremely proud of the work of the Cyber Centre. Everything we learn across the government or everything we learn from these 5 billion events that we see every day, we turn around and share with critical infrastructure and with small-to-medium-sized businesses as a way of taking that knowledge and putting it out there to raise the collective cyber resilience. We have some work to do, for sure, since we continue to see cyber incidents pretty much every day, but we are committed to supporting Canadians and Canadian businesses as much possible to raise their collective cybersecurity.
Senator Yussuff: Quickly, I was going to ask you a question. Canadians take the internet for granted, like riding a bicycle or drinking a glass of water, but it’s not so innocent in that regard. What level of confidence do we need to give Canadians about how we can better collectively deal with the reality? It’s not as simple as what we would like to believe anymore?
Mr. Khoury: We have put out a lot of advice about how to better protect yourself on our website, and Canadians should pay attention to some of the advice and guidance that we put out: better passwords, enable multifactor authentication, patch. All these things will make us a more secure society. That advice is out there, and I would invite everybody to visit our website and have a quick peek at it.
[Translation]
The Deputy Chair: This brings us to the end of our first panel. Mr. Khoury and Mr. Couillard, thank you for your input and for taking the time to share your expertise on cybercrime with us. We greatly appreciate it.
We now turn to our second panel. For those of you joining us live, this meeting is about cyber threats to Canada’s defence infrastructure. For this second panel, we are pleased to welcome Ms. Kristen Csenkey, Fellow, North American and Arctic Defence and Security Network, and PhD candidate, Balsillie School of International Affairs; Mr. Alex Wilner, Associate Professor of International Affairs, Norman Paterson School of International Affairs, Carleton University; and finally, via video conference, we welcome Dr. Christian Leuprecht, Professor, Department of Political Science and Economics, Royal Military College of Canada.
Thank you for joining us today. We will begin by asking you to make your opening remarks, followed by questions from the committee. I remind you that you each have five minutes for your opening statements. Ms. Csenkey, you have the floor.
[English]
Kristen Csenkey, Fellow, North American and Arctic Defence and Security Network, PhD Candidate, Balsillie School of International Affairs, as an individual: Good evening to the chair, deputy chair, committee members and other experts called to this meeting. I thank you for the invitation to address the committee, and I am honoured to participate in the important discussion on cyber-threats to Canada’s defence infrastructure.
I am a PhD candidate at the Balsillie School of International Affairs through Wilfrid Laurier University and a fellow with the North American and Arctic Defence and Security Network. My remarks are based on my academic research on cyber governance and the management of emerging technologies. It is through my research and previous publications where I situate my approach to the discussion topic for the committee.
My remarks on the topic of cyber-threats to Canada’s defence infrastructure are organized around two themes: complexity and interoperability. I will link these two themes by using the conceptual image of a chain to think about threats and solutions. These themes highlight the challenges that Canada faces today, and I hope this will aid in your examination of the issue.
To begin, when we talk about infrastructure, whether defence, critical or civilian, we are talking about complex cyber-physical systems. Broadly, these infrastructures are comprised of different technologies, devices, software, hardware and information, but also of services, people and other connected things requiring energy sources and physical locations. Each one of these things in cyber-physical systems are similar to links in a chain. They each have their place, but they are also fastened to other links in the chain. Links can connect in many ways and become weaved together to create bigger structures. Complexity comes as these interconnections comprise large infrastructures, bringing challenges especially from a defence perspective.
Defence infrastructures are complex, and their connections, or links, go beyond a single field, but they also have sector-specific challenges, for example, the defence-specific challenge of secure cloud computing for distributed command and control. These systems can enable effective communication and coordination across an operating environment, yet they require more than secure cyber systems to make them functional. Among other requirements, they need a reliable and safe power source that can function in diverse and extreme locations, such as a portable high-performance microgrid. This infrastructure is not unique to defence, as these technologies could be used in other contexts and for other purposes. In addition, each of these things may need to connect to older or legacy technologies and systems still in use today. The interoperability of these new technologies and systems is an issue not only from a functional standpoint, but also because it provides opportunity for malicious cyber-threat actors to disrupt systems that link multiple infrastructures.
With the challenges of complexity and interoperability in mind, how can Canada protect against cyber-threats to defence infrastructures? The interconnectedness of systems, technologies, people, etc., is our current reality as services and interactions are increasingly digitalized and interdependent. This also poses unique capabilities and capacity challenges from a defence perspective, especially in protecting against threats targeted at the individual links in the metaphorical chain. The chain must be flexible and strong. It must be built to adapt to the changing environment and allow for pivots. This can mean resiliency by strengthening the links through cooperation in trusted partnerships. In the cloud computing system example, cooperation through standardization can ensure secure networked integration of the connected technologies shared between partners and across sectors. This solution is akin to transforming each link in the complex defence infrastructure into a strong chainmail, thereby enhancing Canada’s ability to remain strong and safe.
I thank you for your time, and I look forward to your questions.
[Translation]
The Deputy Chair: Thank you very much, Ms. Csenkey. Now we’ll hear from Mr. Wilner. Mr. Wilner, you may begin.
[English]
Alex Wilner, Associate Professor of International Affairs, Norman Paterson School of International Affairs, Carleton University, as an individual: Honourable senators, colleagues and friends, my opening statement will provide insights along two general themes. First, I want to provide a synopsis of contemporary cyber challenges with lessons from authoritarian use of cyberspace and the conflict in Ukraine, and second, I want to briefly explore two elements of Canadian cyber deterrence, largely based on my research, which is funded by SSHRC, DND and the Government of Ontario.
Cybersecurity is our era’s defining challenge. Most national security and intelligence bodies have placed cybersecurity well ahead of other concerns, including transnational terrorism. Indeed, recently, the meaning of “cyber” itself, especially when used as a prefix, has expanded. A broadened understanding of cyber now includes humans and their societies; machines, computers, and networks; and the digital spaces and the ideas shared within them. Indeed, several emerging trends are shaping contemporary cybersecurity and, by extension, informing the future of conflict.
First, open-source data of state-sponsored cyber incidents show that since 2005, over 30 countries have launched offensive cyber operations, and yet China, Russia, Iran and North Korea are responsible for over 75 percent of these events. Cyberspace may be open to everyone, but its malicious use is reserved to a few.
Second, different authoritarian regimes prefer certain types of cyber aggression. Russia largely uses cyber to sow disinformation in the hope of shaping foreign behaviour and beliefs. It does the same domestically to impede political challenges. Conversely, China favours using cyber for espionage, data theft and intelligence-gathering purposes. Finally, North Korea, a relative cyber minnow, uses cyber aggression to generate state revenue through financial theft, ransomware and other forms of extortion. Of course, besides these regimes, democratic states also show patterns of cyber behaviour. Nearly 30 percent of known American cyber operations, for instance, are conducted with allies, something that should resonate with us.
A third series of cyber trends emanate from Russia’s war of aggression against Ukraine. It is, to my mind, the first truly modern war, pitting two hi-tech societies against one another. Four lessons stand out.
First, the war has shifted Russia’s cyber preferences. Before the war, less than a quarter of Russia’s cyberattacks might have been deemed destructive in nature, whereas today, more than two thirds are meant to be.
Second, despite this, Russia’s vaunted cyber capabilities have largely fallen flat. NATO observers have been warning of a cyber Pearl Harbor for a decade. Something like it seemed almost imminent in the weeks preceding Russia’s invasion of Ukraine, but clearly that didn’t happen. At the onset of the war, Russia’s cyber campaign didn’t come close to landing a knockout punch. Ukrainian preparations for it, following a decade of collaboration with the U.S., Canada and many others, helped to prevent it. This past winter, Russia failed again to knock Ukraine’s energy systems offline, something it did repeatedly and rather easily in the past. Instead, since October 2022, Russia has resorted to massive physical destruction rather than cyber disruption of Ukrainian energy infrastructure.
Third, the conflict has brought entire commercial industries not generally accustomed to warfare to the very frontline of a shooting war. Tech companies like Microsoft have helped Ukraine fend off hacks by providing it with security services and engineering solutions and by openly identifying, attributing and tracking Russian attacks. At one point, Microsoft opened a 24‑7 cybersecurity hotline dedicated to ridding Ukraine of Russian malware sitting on its networks. Other companies, like Starlink — a satellite internet constellation operated by SpaceX — became an integral aspect of Ukraine’s war effort. Starlink internet has proven difficult to target, hack and disrupt. The capability has sharpened Ukrainian operations and targeting. It has ensured broadband connectivity between troops and decision makers, and it enabled Ukrainian innovations in drone warfare, a startup effort that has paired homegrown software and hobby drones with satellite internet. This latter innovation has rankled SpaceX, which limited certain services over Ukraine last month, providing us all with a stark lesson on the emerging nexus between commercial internet services, statecraft and war.
The conflict illustrates with clarity that cyberwar now stretches from the device in your hand, to the satellite providing it with connectivity, to the apps informing operations, to the drones providing real-time intelligence, to the GoFundMe campaigns that supply military kit, to the ideas and to the communities celebrating each and every Ukrainian success.
Of course, take these findings with a grain of salt. I am using imperfect, open-source information to assess the murky world of cyber statecraft in which subterfuge and deception are often the name of the game.
In response to these emerging trends, let me turn briefly to a rather quick discussion of cyber deterrence. In theory, deterrence entails an absence of open conflict, but in practice it relies on a combination of threats, like the sting of retaliation, the hindrance of defence and denial and the reputational cost of delegitimization.
For Canadian cyber deterrence, two considerations stand out. First, cyber deterrence will rest on a whole-of-government application. It isn’t exclusively about hard power or threats of punishment, nor must our punitive responses rest within cyberspace alone. Instead, cyber deterrence should rely on a range of capabilities that can harm challengers in both cyber and physical space. At times, DND and CSE will be called upon to take action, so Canada must ensure that both have the technical capability to do so. Besides them, RCMP and Justice also have a role to play with prosecutions, Global Affairs with economic sanctions, and Shared Services by denying services attack. Cyber deterrence also needs to be nimbly communicated. I don’t think Canada has a deterrence posture; we have never had one. My second recommendation ultimately is that Canada needs to think about cyber deterrence, but also how to communicate it at best.
Thank you.
[Translation]
The Deputy Chair: Thank you very much for your presentation, Mr. Wilner. I now yield the floor to Mr. Christian Leuprecht.
Christian Leuprecht, Professor, Department of Political Science and Economics, Royal Military College of Canada, as an individual: Thank you for the invitation, Mr. Deputy Chair. I will speak in English, but please feel free to ask me questions in both official languages. My remarks will follow upon what you just heard.
[English]
Harvard University’s Belfer Center Cyber Power Index ranks Canada in eighth place as a comprehensive global cyber power. The CPI characterizes Canada as a high-intent, low-capacity cyber power with notable strengths in cyberdefence, cyber norms development initiatives and surveillance. By contrast, Canada’s intent and capability to conduct cyber-enabled foreign intelligence and offensive cyber operations places it in the middle of the CPI pack, lagging Russia, China, the Five Eyes partners, the Netherlands, Israel and so on. On the one hand, the CPI’s evaluation of Canada reflects two decades of Canadian cybersecurity initiatives; on the other hand, the ranking shows that Canada has a strategic cyber deficit.
For 20 years, cyber diplomacy has largely failed to generate broad agreement on international norms to constrain malicious behaviour by state-based and state-tolerated actors in cyberspace. To deter and constrain bad behaviour, Western states need to engage, using active and offensive cyber measures. This is what the U.S. doctrine of persistent engagement has been enabling since 2018. However, no U.S. ally comes close to matching U.S. resources and capabilities.
In 2019, the passage of Bill C-59 expanded the role and impact Canada could have in cyberspace by authorizing CSE to conduct offensive cyber operations. The addition of these capabilities to CSE’S mandate was hailed as a major step in aligning Canada’s cyber operations authorities with its Five Eyes allies. In theory, the combination of foreign intelligence, active cyber operations and defensive cyber operations mandates enables the full spectrum of cyber espionage, sabotage and subversion operations. Canada now has capacity but it lacks political will to demonstrate independent international leadership to reduce instability and uncertainty in cyberspace.
I propose a cyber doctrine of functional engagement to bolster tacitly accepted norms. Regularly employing cyber capabilities is the most effective way for Canada to reduce uncertainty in cyberspace and limit threats to its national interests. Due to Canada’s resource constraints and limited foreign policy ambitions, functional engagement prescribes that Canada employs the full range of its cyber capabilities to establish and reinforce a limited set of clearly defined and communicated focal points to deter and constrain unacceptable behaviour in cyberspace.
Instead of continuously and globally employing cyber capabilities to change the balance of power in the international system, functional engagement calls for Canada to employ its cyber capabilities more narrowly in specific instances when a malicious cyber actor conducts activity that is antithetical to Canada’s focal points. Those focal points of unacceptable behaviour could include malicious activities such as directly degrading Canada’s sovereignty and the security of people, degrading or subverting international law and the integrity of international, electoral or democratic institutions, and undermining Canada’s economic security, competitiveness and prosperity. The proposed cyber doctrine of functional engagement seeks to shape adversarial behaviour cumulatively by strengthening the tacitly accepted cyber norms within the limited resources and unique character of Canada’s historical leadership on foreign policy niches as a traditional middle power.
[Translation]
Thank you.
The Deputy Chair: Thank you very much, Mr. Leuprecht. We will now proceed to questions. I remind the committee that we have until 6:10 p.m. for this panel. So each question, including answers, will be limited to four minutes. We ask that you be brief and identify the person to whom you wish to direct your question. We will begin with Senator Boisvenu.
Senator Boisvenu: Welcome to our witnesses and thank you for your very informative testimony.
My question is for Mr. Leuprecht. Your description of the cybersecurity situation in Canada is worrisome.
I would like to hear your thoughts on the strategy Canada should take immediately in view of the future redeployment in the North, in the Arctic, in order to reach the same level of technology as the Americans. We have just returned from a visit to NORAD, in Colorado Springs, which showed us how far out of step Canada is with the agreement concluded for North America. That gives us an idea of the discrepancy we are facing as regards cybersecurity management.
What are your thoughts on harmonizing the cybersecurity strategy with the massive investments that have to be made in the Arctic?
Mr. Leuprecht: That is an interesting question. I sent you my latest book, Polar Cousins: Comparing Antarctic and Arctic Geostrategic Futures, which examines in detail the threatening activities that Russia and China are conducting in both polar regions.
As you pointed out, cybersecurity and kinetic approaches have to be combined because the current threats in the Arctic and Antarctic and the resulting instability will have a huge impact on overall global stability. So neglecting the Arctic and not investing in that region will have a major impact on Canada’s interests elsewhere in the global system.
Canada therefore has strategic weaknesses relating to kinetics and cybersecurity. As you indicated, the recent AUKUS security pact is not simply an alliance involving nuclear submarines; it is also a technological alliance between our closest partners. Canada chose not to be part of the most important alliance in the world for sharing advanced technology. As for National Defence, it has used constraints and dissuasion against hostile states.
Senator Boisvenu: Was it Canada that decided not to participate or was it not invited?
Mr. Leuprecht: I would say it is a two-way street, but Canada has failed to invest in national security, intelligence and defence for a number of years. As a result, Canada is increasingly excluded from the conversations, dialogues and partnerships among our closest allies. Canada is increasingly marginalized and that is a problem, because these partners provide tremendous added value for our national interests. So we are less and less able to protect our national interests because we are being marginalized by our closest partners.
Senator Boisvenu: Thank you very much, that is very interesting.
[English]
Senator Boehm: I would like to thank our witnesses. I have questions for all three.
Ms. Csenskey, my first question is for you. You recently co‑authored an article entitled “Post-quantum cryptographic assemblages and the governance of the quantum threat.” We know that gasoline-powered vehicles, because of their electronics, have been vulnerable for some time, but it’s the first time I have seen anything on how electric vehicles are moving into that vulnerability category as well. In other committees in the Senate, we have looked at the benefits of electric vehicles and the need to set up charging stations, et cetera. You specifically mentioned the threat of quantum computers basically being able to outwit systems that would be built into electric vehicles, particularly with respect to brakes. Could you elucidate on that point, whether we or industry will be ready to deal with that or whether you are aware of any specific groups that would stoop to those lows in terms of exercising malware into that domain?
Ms. Csenkey: Thank you so much for that question.
I very much appreciate your bringing up that paper. As you mentioned, it’s a co-authored paper in an academic journal. My co-author and I looked at how different cooperating states are trying to understand what the quantum threat is and what the capabilities of quantum computers are — both very generally, but in specific contexts and instances. As a technology, quantum computers can have a wide range of capabilities and things we can do with them. There can be great things that we can do with them — they are excellent as powerful computers processing large amounts of data — but they can also be used for not‑so‑good things.
Basically, in our paper we were looking at how cooperating states understand the quantum threat, and what do these intersection points of understanding or misunderstanding mean for future defence and security cooperation? We found that there was some discrepancy among different cooperating allies in, first of all, understanding the quantum threat and cooperating for solutions. We found that there were a number of pathways, both of understanding and misunderstanding.
One of them was cooperation and partnership on infrastructure. Some of that was understanding how the quantum threat can impact infrastructure and how different states, through their various departments, can work together through various associations to protect against this threat and protect their internal government infrastructure, as well as critical infrastructure, against quantum threat and quantum threat actors.
As one of those pieces of infrastructure, as you mentioned, we could talk about electric vehicles and the whole infrastructure that includes electric vehicles. It’s not just the physical vehicle, but it’s also the computers that are those vehicles. It’s also the data collected, where that data is stored and all the different technologies that have to be connected to make this work. It also includes the physical infrastructure of our roads and charging stations and individual people who will be using this type of technology as part of these larger intersecting infrastructures.
Senator Boehm: I’m sorry to interrupt you, but this would also apply to defence equipment. As we’re learning more from the war in Ukraine and want to modernize and maybe use more electric and other vehicles and systems, is there a danger that the quantum computing aspect could impact or, shall we say, outwit algorithms that might already be in existence?
Ms. Csenkey: Thank you for that question.
That’s something that I will be looking into in more detail. I just received a grant from the Department of National Defence through their Mobilizing Insights in Defence and Security Target Engagement Grants to look at this specific issue.
Senator Cardozo: I have two questions. I’ll pose them both to you, and each of you can take whichever one you like.
We talk a lot about cyber-threats being international. Do you think there are domestic cyber-threats? Are there non-state actors, bad actors within Canada, who are now beginning to get the attention of the security forces and who may be threats to our cybersecurity system?
The other is a longer-term system. I think of globalization and trade. About a decade ago, it seemed to be gone forever. Then about five years ago, we suddenly said no, we’re not going to go global, or there was a move away from globalization. Is there any world in which we will pull back from our cyber system, the internet? The online world being global, the World Wide Web, is there ever a system where we would pull back parts of it for security reasons because we just have no control over the security of the system at some point?
Mr. Wilner: To your first question, there are domestic actors that are poised and that are conducting attacks. Many of them are criminals. Some of them are organized. Some of them are small. I think the focus of this discussion and the focus of our energies has been on state-driven cyber activity. I think that’s the tip of the spear, frankly. We know that the online marketplace is being undone by cybercriminals, and many of them — or some of them, certainly — are active within this border. The same would go for some extremist groups, terrorists, far-right extremists and so forth. We need to be looking both internally and externally.
In terms of your second question, the splinternet is coming. We have this world of divided internet access, depending on your nationality, effectively. We know that Russia and China are creating islands of their own. You can imagine a future in which, for a number of reasons, you have maybe not a Canadian internet island but one that is shared and partners with traditional allies and partners. I think that’s especially likely.
Mr. Leuprecht: On the domestic versus international threats, the key, of course, is that there are state-based actors — in particular, Russia and China — that have capabilities that no one can match. The SolarWinds infiltration is probably the best example to that effect. It’s estimated that it took about 18 months and probably a thousand people for Russia to build that particular exploit. Russia and China have capabilities that pose a genuine existential threat in the way they can be deployed against our systems and in a way that I think non-state actors and domestic actors simply cannot provide. At the same time, only about 1 to 1.5% of those risks emanate from state-based actors, but those risks have a potentially high impact against which only governments can effectively deter and dissuade.
Ms. Csenkey: Picking up on your question about dealing with globalization and understanding this connectedness of technologies and people and services and ideas via the internet, and if we are approaching a moment where maybe these things would be less connected and more secluded, and I don’t think so.
We are seeing more devices, more technology and more people coming online and connected. We have seen this especially during the pandemic, and now, as a result of that, many services are available online. Many people have different connected devices in their home. We can think of that as the internet of things, the internet of devices, but also the internet of services and of people too. It’s not only thinking about how we’re connected globally through the results of globalization, but also that there are so many different products that need to connect to the internet to work, and in so many different sectors, too — not just in our home, but in hospitals or in the transportation sector.
I don’t think there is a time where we can say that we’re not going to be as connected or that there will be fewer things and people connected. I think we have seen that there has been more engagement in the online space and more critical services being offered and accessible through these spaces. I think that is an opportunity, but it also comes with risks and potential threats. Especially when those critical systems and critical services are online, that is something that we need to understand and protect.
Senator M. Deacon: Thank you for being here today.
Ms. Csenkey, I’m a very big fan of the Balsillie School, and I’ll start by asking you a question. I’m thrilled to speak to students there. You started off in your opening remarks on the importance of reliable power sources for our cybersecurity systems. You made reference to old legacy power sources and technology and part of these chains. As I was sitting here thinking about that, it made me recall the power outage we had in eastern North America that blacked out large swaths of Canada. That is coming up to 20 years ago, surprisingly, but it also highlighted to us how vulnerable our power grid is. I am wondering if we have done anything, or from your perspective, enough to reinforce this, or are we continuing to put off this essential and necessary work because it’s expensive and disruptive?
Ms. Csenkey: Thank you so much for that question.
It’s definitely an important issue, especially when we’re thinking about connecting more devices or the example that we brought up today of electric vehicles. Those things require electricity in order to function, and we can see how important it is to just have electricity to function in our daily lives. We have also seen that recently in Ottawa as well when there was a power outage due to another storm.
I think we need to be making sure that the systems already up and running are able to be securely transitioned to digital networks. When you have these legacy systems that perhaps don’t necessarily have the security that we need today connecting with devices, connecting with other services or making those internet connections with other infrastructures, we need to make sure they are speaking together, but they are speaking together securely and safely.
We can always do more. When we’re talking about this in the context of cybersecurity, it isn’t just one and done. It’s something that we always have to revisit. We always have to be adaptable to that. We need to make sure that we’re not just setting a standard or setting a framework and hoping it works for the next 5, 10 or 15 years.
Senator M. Deacon: Let’s leave that and fast forward to something else that you have mentioned and which has come up earlier today. We touched on quantum corrupting already, and most recently through our assessment to the CSE, which was just before, as mentioned. Quantum computing and the potential to disrupt the field of cyberdefence is a pretty big deal, specifically around the matters of encryption. My staff and I recently met with Professor Greg Dick from the Perimeter Institute just across the street from you. He left us with the impression that Canada is or is becoming a global leader in quantum computing, with a great number of bright young minds working on this. As you have spoken on quantum computing at great length already, I am wondering if Canada is doing enough to build homegrown talent and knowledge in this field that clearly is here now and ever so much around the corner.
Ms. Csenkey: Thank you so much for that question.
It’s another very important issue. I think Canada has the expertise base. We have many different regional hubs of experts, both in academia and in industry, who are working on developing and understanding these technologies.
With the recent release of the National Quantum Strategy, as well as the S&T strategy, it is really providing the space and framework to have more engagement with these centres and researchers to really cultivate that relationship between industry, academia and with the government in various interested government departments and government actors. Fostering that triple helix relationship between all of these parties is really important. That’s really how we can, as a country, make sure that we’re investing in the right types of technologies and in secure applications of those technologies, as well as thinking ahead and making sure that we have the continued expertise base to continue working on these technologies and continue making new advancements. That includes bringing in people who perhaps might not have engaged in this type of work. I’m thinking of women and other underrepresented groups being engaged in STEM and these types of fields.
Senator M. Deacon: Thank you.
Senator Richards: Thank you very much to everybody here for their expertise.
I’m going to Mr. Leuprecht a question. It’s a question that I don’t think can be answered, but that’s the problem. Why do you think Canada lacks the will to shape its own independent policies in the North or anywhere else? I mentioned in an article I wrote last week that if the U.S. had a reliable ally among the former colonies, it was not Canada any longer but was Australia, which in my mind is extremely unfortunate given the times we are now in and the bad actors on our shores. Could you comment on that, please?
Mr. Leuprecht: That is a fantastic question.
First, we still have a very linear and kinetic thinking, especially when it comes to issues such as cyber, national security or defence in general. It’s very outdated and outmoded. People simply can’t or don’t want to wrap their head around issues of contemporary international security. They are complex, they are difficult and, ultimately, they call for significant changes in investments.
Second, much of this conversation is controversial as a policy, and it’s controversial in terms of the investment required. In that context, governments, and I think politicians of certain stripes, would rather avoid it. At the same time, I think there is a sense that it also distracts from other policy agendas that governments prefer to drive, so let’s not draw too much attention to it.
Third, I think we really lack a sense of strategy in this country, both domestic and international. We always criticize the United States, but for better or worse, people in the United States have a very clear vision for their country. We might not agree with some of those visions, but they have a clear vision. Show me a politician in this country that has a clear vision for this country for where we want or need to be 10 or 20 years from now. What do we need today to preserve the security, the prosperity and the democracy that we so cherish?
There is an opportunity here for us to think hard. I think this comes out of a certain — I want to be charitable, but say, on the one hand, intellectual laziness. We have hitched our wagon to the United States for decades, like many allies, for that matter, and it’s just easier to draft behind the United States. Of course, the United States, both in interests and ideology is diverging from both Canada’s and other key allies’ national interests and priorities.
Having genuinely independent policies — in particular foreign policy, but also more generally defence and security — could be extremely divisive in a country such as Canada. I would remind you, senator, as you appreciate, the single-largest national unity crisis in this country was as a result of defence policy — of course, conscription. Governments realize this is going to be very difficult, so they would just rather steer clear. That means we reduce our ability to shape the international security environment because increasingly we are become an unreliable and unpredictable ally.
Senator Richards: I said something the same in my article. Thank you very much.
Senator Dasko: I would like to probe the topic of Russia’s strengths and weaknesses a little bit more. Professor Wilner, you said earlier that the Russians’ specialty is disinformation. You also said they have moved into the destructive mode but that their capabilities have proven to be flat. However, Professor Leuprecht a few minutes ago talked about the strengths of Russia and the strength they have in cyber activity, cyberwarfare, the resources and their particular strengths. Actually, your comments about Russia’s flat capabilities remind me of what we heard about the Russian military after they invaded Ukraine. We heard that, in fact, they were poorly trained and poorly resourced, so a similar kind of theme as to what you just said.
Given these perspectives, I’m not sure if we disagree with each other or if we could just probe a little bit more the strengths of Russia in cyberwarfare, and the weaknesses as well. I would like us to probe it just a little bit more so that I can understand that better. Obviously, with their activity in Ukraine and in Canada, it’s of great interest to Canadians to understand this.
Mr. Wilner: Thank you for your comments.
Christian and I work together quite a bit, so we see eye to eye on many things. I would agree probably on this point as well.
I think what has happened is Russia’s focus historically has been using cyber for disinformation, but its focus has shifted obviously because of the war in Ukraine. It was meant to try to soften the ground with cyber operations in advance of its operation last February. That didn’t go too well for Russia. I think some commentators, including myself, were a bit surprised at the lacklustre cyber showing, if you will, of Russia.
I think part of the reason they weren’t successful is that Ukraine wasn’t sitting still for the last 10 years. They have been beefing up their cyber capabilities, as I suggested, with corporate entities, with allies, including Canada and the United States, and they anticipated far worse. They were then able to respond, both from an infrastructure protection process and a communications perspective, effectively to Russia.
Now, doesn’t mean that Russia doesn’t invest heavily, as Christian suggested. They do. They are still a shark in the cyber realm. And yet, I think the lesson from Ukraine is appropriately planning and investing in cyberdefences can undo some of that investment that they are putting in offence.
Mr. Leuprecht: Dovetailing on what Alex just said, indeed, Soviet active measures are well known. They were deployed, including in this country. This is well documented. Russia is building on a strength that it has honed for decades.
At the same time, what we see in Ukraine if you look at some of the reports, such as the open-source reports by Microsoft, for instance, you see some of the CSE warnings. We do know Russia has had some success, especially combining cyber operations and kinetic operations. It is not entirely that this is the dog that didn’t bark. We have also been very effective in helping Ukraine with hunt forward teams and other capabilities to ensure that Ukraine has the support it needs, both on its own and with support, against larger Russian efforts to destabilize in particular civilian but also defence cyber infrastructure. As Alex says, this has been as a result of foresight, of real capabilities that have imposed real constraints, but also real deterrents on Russia’s ability to deploy some of its capabilities.
But certainly in light of CSE warnings, Russia’s capabilities are not to be underestimated. I have often compared our own government infrastructure to the minivan that I drive, which is over 12 years old. It runs okay, but it is certainly not the best opportunity to drive. There is a lot of heavy lifting that needs to be done to make sure that we get our networks to the point where we have the insurance pieces that we need against hostile activity.
Senator Yussuff: Thank you, witnesses, for being here.
Ms. Csenkey, I want to come back to some statements you made earlier. As you know, both Canada and the United States are involved in this renewal of NORAD, and both countries have committed a huge amount of resources. There is a sense that, with the president coming here later this week, there is a need to accelerate the time frame for the implication of NORAD and a renewal. Much has been learned in the many decades now since the NORAD relationship has existed.
Recognizing that 40% of our territories are in the North, it’s very challenging despite developments and ongoing efforts to link our communities in the North to those in the South. You have made a point in regard to the different levels of infrastructure we have and, more importantly, the links with each other. I recognize you are talking about quantum disruption that could come. Is it also in itself not a blessing, the fact that it is not linked? It may be an opportunity for us to learn that it can be disrupted. At the same time, in the context of NORAD renewal, what would you suggest that we can learn from this experience? Also at the same time, both Canada and the United States are very much aware that our major source of disruption is going to come from two countries which are extreme allies against us in the war in Ukraine, China and Russia and their friendship. Both are posing a tremendous threat to our Northern borders. Is there anything you would like to say in regard to the NORAD renewal that’s about to happen? More importantly, what would you offer in terms of advice that we can benefit from?
Ms. Csenkey: Thank you so much for that question.
NORAD modernization and renewal have come up again and again. When it comes to talking about modernization, it’s important to understand that modernization also needs to include modernization of organizations, of the infrastructure that we’re talking about and of devices and services and how those are connected.
When I think about modernization in the context of NORAD, the systems have to be compatible. They have to be interoperable, especially if we’re thinking from a defence perspective. One of the examples that I brought up was the cloud computing for command and control, so thinking about bringing technologies and developing technologies to spaces where maybe they haven’t necessarily gone before and making them work in place, in a location, but also making sure that they work with our allies and that they are talking to different technologies, and talking securely so there isn’t the space and opportunities for malicious cyber-threat actors to disrupt those secure communications and come in and exploit those threat vectors. When I think modernization, I think we need to have the interoperability of systems when we’re updating systems. We need to make sure those systems are compatible but also understanding that there is a physical place to them with an existing operating environment. If we want to update certain systems in the context of NORAD modernization, if we’re thinking about it in more remote locations, maybe in the North, in harsher operating or climate environments, how are those systems going to physically function in those spaces?
The other example that I brought up was we have the example of cloud computing for command and control systems, but then how is it powered? Will we be relying upon the electrical infrastructure that is there, or are we going to be bringing in portable high-performance micro-grids to make sure those systems work? If we are bringing in those systems, how are we making sure those systems are securely communicating with our allies? How are we working with the U.S. to protect our digital borders in addition to our physical borders in these different operating environments?
There are two things: We need to make sure that it’s compatible and interoperable, but that it can also withstand disruptions in both physical and digital environments.
[Translation]
The Deputy Chair: Thank you, Ms. Csenkey. Before we begin the second round of questions, I have a question for Mr. Leuprecht. The threats of cybersecurity attacks are multi‑faceted and the attackers’ objectives vary from country to country. Are we more vulnerable to having secrets stolen and attacks that could compromise the ongoing operations of our institutions, such as power stations and banks?
Mr. Leuprecht: There are two different worlds in this regard in Canada right now.
There is an old law that requires organizations to report to government every time there is a cybersecurity incident at a company.
The problem is that there are no clear conditions or scales right now. Consider a bank, for example, if the entire financial sector were attacked or threatened in a way that exceeded that bank’s ability to defend itself. Under what conditions could that bank appeal to the CSE or use other avenues to get help? This relates not only to defence, but potentially also to the deployment of active and offensive measures to neutralize the threat to the company or to certain critical infrastructure in the country. There is a lack of dialogue and cooperation at the operational level between the government and critical infrastructure for the defence of our systems.
The Deputy Chair: Thank you very much. We will now begin the second round, with Senator Boehm.
[English]
Senator Boehm: My questions will be for Professors Leuprecht and Wilner.
First, I’m not comfortable with the blanket notion that there is intellectual laziness in the policy development in this country, no matter who is in power. I don’t like expressions that we are an unreliable or unpredictable ally. I think we’re proving quite the contrary right now in Ukraine.
Professor Leuprecht, you talked about your cyber doctrine of functional engagement. In a realistic perspective, how would you see that going forward? Is it something that we as legislators should think about in terms of domestic legislation and push for the government to introduce something? On the other hand, is it something that could be handled in an international organization and get others to join in? I would like you to think about that.
Professor Wilner, in the last part of your presentation, you talked about a national cyber deterrence posture. What will that require in terms of political will, or will it be set off by some galvanic event we can’t predict, after which we are reacting again and pushing forward?
I would be interested in both of your comments, even though we have only about two minutes remaining.
Mr. Leuprecht: I will keep it to 60 seconds.
On your comments with regard to policy development and function, there are few votes to be gotten in foreign policy in this country — 88 might be the sole exception — so I think it’s just simply not where governments and politicians necessarily focus most of their energies, usually.
Functional engagement is a matter of determining the key areas where we find behaviour unacceptable. I made a few proposals in my opening statement. It is to get together with allies and lay out clear red lines for adversaries, with the United States as well but where we are also allies, as middle powers, and demonstrate that we will act in concert when you cross those lines and that we have the authorities and capabilities in place, and that politicians will act. The problem we have in Canada is similar to the problem of many European countries have, where we have the capabilities and the authorizations is placed in legislation but we don’t have the political will to follow through. It is less a matter of legislation than it is of drawing those red lines and what adversaries can expect —
Senator Boehm: Thank you, Professor Leuprecht. That’s a great answer to that question.
Mr. Wilner: Canada has never had to create its own deterrence posture because we’ve been part of the two greatest alliances in the world, NORAD and NATO, and they provide us with deterrence clout. Cyberspace is sufficiently different such that NORAD and NATO won’t realistically accomplish everything we need it to do. That’s why I am suggesting a cyber deterrence posture that starts with intent and resolve to respond when attacked; to draw out those red lines we have been discussing; to create credibility, which I think we have; and then to communicate the threats to our adversaries. Communication is critical to deterrence.
A posture means standing up to all three of those things. It means political leadership, but it’s also a question of smart military and strategic thinking, some from DND, Public Safety and CSE. We can start, grassroots up, but at some point, it needs to be a political decision.
[Translation]
The Deputy Chair: Before we conclude, I have a question for Mr. Wilner. In fighting cybercriminals, are we condemned to always only being on the defensive, or might there one day be arrests and charges against cybercriminals?
[English]
Mr. Wilner: Cybercrime is pervasive. Part of what Canada needs to do — and I think we are doing it — is to create the tools and mechanisms for stopping crime when it is happening and to intersect criminals when we are able to catch them. We are certainly capable when it is done domestically, but it also has to happen in partnership with our allies. Fighting crime in cyberspace is like fighting crime anywhere. There are smart lessons we can use from how we do it in physical space. It’s a great question. I don’t have a fulsome answer for you, but it’s a work-in-progress.
[Translation]
The Deputy Chair: That concludes this group of witnesses. Thank you all for being here. Your ideas and knowledge are greatly appreciated. We will suspend briefly and return at 6:20 p.m. for our third and final panel.
I would remind committee members that we now have our third witness panel. We are still examining cyberthreats to Canada’s defence infrastructure.
Once again, we have some very interesting witnesses. I would like to welcome Brandon Valeriano, distinguished senior fellow, Marine Corps University, and senior advisor, Cyberspace Solarium Commission 2.0; and Alexis Rapin, research fellow, Raoul-Dandurand Chair of Strategic and Diplomatic Studies, Université du Québec à Montréal. Finally, we welcome, by video conference, Quentin E. Hodgson, senior international defence researcher, RAND Corporation. Welcome and thank you for being here.
You will each have five minutes for your opening remarks, and then the committee members will have some questions. We will begin with Mr. Valeriano. Please go ahead.
[English]
Brandon Valeriano, Distinguished Senior Fellow, Marine Corps University and Senior Advisor, Cyberspace Solarium Commission 2.0, as an individual: Thank you. I’m glad to be here, and I hope we can have an interesting session.
To set the stage, cybersecurity and malicious cyber operations represent transformative national and domestic security threats. From weaknesses in systemically critical infrastructure to the vulnerabilities emanating from information campaigns seeking to reshape the hearts and minds of the defender, these threats are pervasive and all-encompassing. However, many purporting a revolution in military affairs brought on by cyber power and other emerging technologies are grossly wrong and misconstrue the threat in dangerous ways. Cyber tools are helpful for some goals, like dismantling confidence in the state or harassing dissidents, but they are poor tools of war and coercion.
For many, the Russo-Ukrainian war was expected to fulfill the age-old warning of a cyberwar. Some contended that this would be a dramatic cyber shock and awe campaign, with others suggesting this would be the first time that states with real cyber capabilities put it all on the line. Yet, these sweeping predictions have not materialized. Instead, the war has evolved into something entirely different than was predicted by most pundits. While there was a dramatic uptick in cyber operations during the conflict, there is no difference in the style of attacks, the targets or the effectiveness of the operations, based on data we’ve collected on this war. The numbers are stark. There is an increase in operations to 47 incidents in 2022 compared to 28 between 2014 and 2020. What is interesting is that the severity of these incidents actually declined and the targets did not shift to government or military targets. They continued to target the private civilian critical infrastructure.
The overall conclusion we have to take from this is that some of the dramatic outcomes we’ve seen predicted have dramatically failed. The question, then, is why are we seeing these outcomes? Many will purport to tell you the story of why Russia has failed in its cyber operations, but many will be wrong because these are multi-causal social events and a combination of factors has led to this outcome. We can dissect them during the question-and-answer period, but the basic point remains that cyber operations have yet to fulfill their stated purpose of battlefield effects.
It is important to remember that the fantasies about the evolution of warfare enabled by cyber operations are purely that — they are fantasies disconnected from reality. Cyber effects are imagined in popular culture, but the reality is much different. Cyber operations and modern technology will not sanitize war. The Russo-Ukrainian war has been a devastating return to old-fashioned war of human waves, tank attacks and trench warfare.
The question is, “Now what?” Evolution under the Biden administration and its National Cybersecurity Strategy has been rather slow but also likely very transformative. The recently released strategy seeks to impose costs economically but does not mention the imposition of costs in or through cyberspace. Military and offensive actions are now downplayed. There is an effort to shift the burden to software and hardware producers to protect the user rather than depending on the state to protect all targets.
For Canada, there are many lessons to be learned. The promise of military dominance in cyberspace has been a dead end and is best avoided. Working to establish strong defensive organizations that can protect critical infrastructure and organize the state for defence is the first step to thwarting the impact of dramatic cyber operations. Taking a lead in the West to protect civil society is warranted and critical. The influence of zero-click malware that can be purchased like a weapon must be moderated and eliminated. The international rules-based order is making progress in establishing norms for cyberspace, but implementation has been disjointed and regulations are lacking. Canada can take the lead here and push for a more realistic vision of cybersecurity internationally.
Overall, a state that cannot keep the lights on, the schools open and the hospitals running is a state with limited power. Preparing for the defence by identifying critical infrastructure targets, organizing for the defence, including having plans for the continuation of the government, and establishing resiliency in both the private and public sectors are critical. Don’t be swayed by the dramatic proclamations of futurists; rather, shore up the clear weaknesses evident in society. Organization, developing a workforce, establishing plans to share data between the public and private sector and coordinating the collection and analysis of data are the true roles of the state in the context of cybersecurity. These roles are less dramatic than promised but nonetheless important. Understanding that cybersecurity is truly about secrecy, defence and organization is the first step towards properly countering the threats that emanate from cyberspace.
Thank you.
[Translation]
The Deputy Chair: Thank you, Mr. Valeriano. I now invite Mr. Rapin to make his presentation.
[English]
Alexis Rapin, Research Fellow, Raoul-Dandurand Chair of Strategic and Diplomatic Studies, Université du Québec à Montréal, as an individual: Mr. Chair, members of the committee, good evening and thank you for the opportunity to be here today.
My research focuses on issues related to cyber strategy, interstate rivalries in cyberspace and more generally on the impacts of information technology on military affairs and international security.
Since 2019, our research team has maintained a database dedicated to publicly record geopolitical cyber incidents targeting Canada, whether it be its government entities, its companies, its research institutions or its civil society. As of today, throughout our open source research, we have registered a total of 96 geopolitical cyber incidents in Canada since 2010. Among those, at least eight past incidents can be considered as having been directed at defence-related IT infrastructure. These include, for instance, a cyber intrusion at Defence Research and Development Canada in 2011; a Chinese cyber espionage campaign targeting naval technology research institutions in 2019; or, more recently, a ransomware attack against Black & McDonald, a major Canadian defence contractor, in early February. These examples demonstrate that cybersecurity issues related to Canada’s defence infrastructure are not futuristic, hypothetical, distant threats for Canada. They are already with us today and, in fact, have been for several years, as some of these incidents illustrate.
These incidents also demonstrate that cyber-threats against Canada’s defence infrastructure may take various forms and target various types of entities, not just the federal government. If we consider the defence industrial base as well as the military research and development community as integral parts of the defence infrastructure, we can observe that cyber-threats are not necessarily the same for everyone and that our defence supply chain is only as strong as its weakest links.
In this context, the fast-growing threat of ransomware attacks against Canadian entities, for instance, represents a major challenge for the protection of defence infrastructure. While ransomware attacks are mostly conducted by profit-motivated criminal actors, they may nevertheless entail national security issues. For instance, criminal hacker groups that have compromised strategically important companies may try to covertly sell the data they’ve stolen to third parties such as foreign powers. This is especially plausible with regard to Russian ransomware gangs, who are strongly suspected of maintaining ties with the Russian intelligence community. In the last 12 months, we have recorded three instances of major Canadian defence contractors being targeted by ransomware attacks. At least one of these — against the aerospace company CMC Electronics — was conducted by a Russian-based group whose relations with the Russian state are not fully understood.
It is also important to mention that we are beginning to see state-sponsored cyber actors using ransomware attacks as cover for clandestine intelligence collection. In recent months, Iranian actors, for instance, have apparently tried to disguise cyber espionage campaigns as criminal cyberattacks in order to confound incident responders and maintain plausible deniability for their actions.
[Translation]
Other types of cyberattacks conducted directly by state actors could target Canada’s defence infrastructures. It is conceivable and even probable that hostile powers are seeking to infiltrate Canadian systems to map them and evaluate our defences with a view to potential confrontations in the future. Similarly, it is also possible that they will attempt to discretely pre-position malware that could be activated on short notice.
In 2019, for instance, Russian government hackers attempted to explore the digital networks of certain American and Canadian power infrastructures. Such cases show that critical Canadian infrastructures will from now on be actively scrutinized by hostile foreign actors and that much greater vigilance is therefore required.
While national security issues, including cybersecurity, are of growing concern to the Canadian public at this time, it is important that cybersecurity threats are discussed more openly, more vigorously, and with fewer silos from now on.
I think we have an excellent opportunity for that with the group you have gathered here today. I look forward to your questions. Thank you.
The Deputy Chair: Thank you for your presentation, Mr. Rapin.
Now for our last witness today, Quentin Hodgson. Mr. Hodgson, you may begin your presentation.
[English]
Quentin E. Hodgson, Senior International Defense Researcher, RAND Corporation, as an individual: Thank you for the opportunity to present and talk to you today on this very important topic. I’m a senior international defence researcher for the RAND Corporation, a nonprofit, non-partisan public-policy research organization.
I will not touch too much on the nature of the threat; you have just been given two presentations that have given slightly different takes on the nature of the threat. I will simply note that this idea of cyber-threats to critical infrastructure is not new. If you think back to the U.S. President’s Commission on Critical Infrastructure Protection in 1997, it’s one of the first times at a national level in the United States, at least, that the concept of cyberattacks against critical infrastructure was raised. Even though that committee said that there was not an impending expectation of a cyberattack, they did find there was widespread capability to exploit infrastructure vulnerabilities.
Since that time, we have seen that not just information communication technologies — the business systems that people rely upon every day, including what we’re using right now to conduct this hearing — are subject to exploitation. Increasingly, operational technology, the hardware and software that controls physical processes, is also subject to threats — from the manufacturing sector, to electricity generation and distribution, to water treatment plants. Those are just a few examples.
Dr. Valeriano talked about the nature of what is going on in the Russia-Ukraine conflict. It is an interesting case study of how an adversary could employ cyber capabilities in the context of military operations. There has been a considerable amount of debate about the extent to which Russia has deployed cyber operations, how effective they have been and to what extent we are not getting the whole picture, at least in the public space.
It’s important to note that the Russian cyber operations have continued to target many of the same critical infrastructure entities that Russia has always targeted, particularly in Ukraine: government institutions, the media and telecommunications, including, as we know from last February, a very widely reported cyberattack on the satellite communications system provided by Viasat. At the same time, the Ukrainian government noted that the attack on the Viasat system and the end points that were supporting that system had very little effect on military communications.
The Russian invasion of Ukraine is an ongoing conflict. It is one from which we should take a note of caution about how much it really will tell us about the future role that cyber operations might play in future conflicts, but that doesn’t mean we shouldn’t be concerned about the potential threat that cyber can play in future crises or emerging conflicts, particularly with near-peer state adversaries such as Russia and China. There are many ways in which they may desire to affect our critical infrastructure and understand what we are planning, how we plan to deploy and how we plan to support military operations and engage in national security episodes. This is an important area where we should be focusing, even if we’re not clear exactly on what the future of cyber conflict may end up being.
What can we do to address these threats? Governments have developed an array of tools and relationships to try to address cyber-threats. A lot of work has been done to try to agree on norms of behaviour in cyberspace, which has met with mixed success, to say the least. Leaders such as President Biden have sought to signal that cyberattacks of critical infrastructure will not be tolerated. There is also a vibrant and growing private sector that is providing cybersecurity services to critical infrastructure entities, including ones that conduct vulnerability assessments and penetration testing, referred to as “hunt operations,” to actively identify malicious cyber activity as well as provide incident response. We have seen the development of better and more actionable cyber-threat intelligence-sharing from the government through bodies such as information-sharing analysis organizations. Companies that run a lot of the critical infrastructure we rely upon are more acutely aware of the nature of the threat and how it can potentially affect their operations.
The United States government, as well as others, has often pursued a more voluntary approach to adopting cybersecurity standards rather than imposing regulations. That is increasingly being seen as an insufficient approach to the problem, so more recently in the United States, at least, we have seen some efforts to use existing regulatory and hortatory powers of government, such as the Environmental Protection Agency issuing guidance to the states regarding including cybersecurity as an element of sanitary surveys, which I will note was in the news today as being challenged by the critical infrastructure owner-operators. Also, there is the Transportation Security Administration’s work to revise cybersecurity requirements for oil and gas pipelines because of the Colonial Pipeline incident.
I’ll conclude by noting that attacks on critical infrastructure are not simple things. I agree with Dr. Valeriano that we can often be misled by what we see in the popular culture. These are extremely difficult and complex operations to undertake, so we should take a note of caution and yet also be aware of the threat.
Thank you. I look forward to your questions.
[Translation]
The Deputy Chair: Thank you for your presentation, Mr. Hodgson. We will now move on to questions from senators.
I would remind you that, as with previous panels, your time is limited to four minutes for both questions and answers. Let us begin with Senator Boisvenu.
Senator Boisvenu: Thank you to the witnesses, who were very interesting. Mr. Rapin, I am curious about something. How do you detect cyberattacks in your team?
Mr. Rapin: We rely entirely on public reports. We rely on what is reported in the media and in the reports of cybersecurity company, for instance, that have researched the incidents. We rely on statements by the federal government. So we gather information from open sources and try to be as exhaustive as possible, but we do not know any more than what is publicly reported.
Senator Boisvenu: So you do not look further into actors or system weaknesses? Your research does not dig any deeper?
Mr. Rapin: The incidents we identify can of course be used as case studies, and we also look into how the incident unfolded, its cause, what might have been done differently, and so forth. Our first step is to try to gather data as a basis for our examination.
Senator Boisvenu: You stated an opinion that did not surprise me. I was not surprised to hear you say we need discussions with fewer silos. Is that something you have noticed, that there are a lot of silos in the area of cybercrime in Canada? Those silos are often very reluctant to share information. We can see what has been happening in the past three weeks with regard to the Chinese communist government. There are bribes left and right, but no overall picture; is that how you see things in Canada?
Mr. Rapin: I cannot really say that much about what is happening in the federal government since I don’t work there and don’t have sensitive information about what has changed or not. I can say for sure, though, that we researchers — and I would say the same thing for the Canadian public in general — , we do not sense a great deal of transparency about what has been done or not been done. That is one of the obstacles we face in assessing the solutions or potential solutions that could be considered. From our perspective, we do not really know what has already been done, what has not yet been done, and what could be done.
Senator Boisvenu: I would like to take part in the second round, Mr. Deputy Chair.
[English]
Senator Yussuff: Thank you, witnesses, for being here.
Mr. Valeriano, you made some very interesting points in regard to where our focus should be as opposed to being alarmist, but I think Canadians in general are concerned about things when they are happening as opposed to when they’re not happening. Your point is in regard to advice for the government to deal with the things that are connected to people’s lives so at least there is some confidence in that. In many of the things we have seen that have happened in this country, especially around cybersecurity, malware at hospitals and other institutions, it certainly gives us reasons for being alarmed. It seems the frequency is increasing. More importantly, they are very disruptive when they happen, as we saw with Rogers Communications most recently and some hospitals in that regard.
I would also try to get all the other witnesses to partake in this. I mean, it’s not apples or oranges. It’s a combination of both. It is being vigilant, but, at the same time, this is an evolving area of responsibility of both the national government and private companies. Given what we have seen and experienced in the country, and given what Mr. Rapin has said in regard to the most recent cyberattack on some specific defence companies, what would you suggest is Canada’s effort in the evolution of this given we’re a federation? The federal government is limited in regard to what it can do nationally, but it also has to work with the provinces and territories if we want to have a comprehensive strategy in dealing more specifically with some of the things that you outlined in your remarks.
Mr. Valeriano: In the United States, we often talk about a whole-of-nation approach. The reality is that we’re not even developing whole-of-department approaches. We need to think broadly. We need to think collaboratively. Academics often speak of public-private collaboration in cyberspace. Working in policy these last 10 years, I can tell you that I have not seen much collaboration. There is contact. There is working together. But there is no sharing of information. There is no sharing of threat data. In fact, the cyber intelligence community often sees this as a business. I’m very concerned, particularly in the United States, that in making this a business, they have sold so much data to so many different silos, as my co-presenter said, that we’re not able to share and collaborate.
I think the first and the most important thing is understanding the need for data — that data can be the canary in the coal mine — and getting data up to the federal government and all the way down to the private sector will be a problem. In the United States, there are intense legal barriers. There was recently an incident reporting law that was passed, but that law will not be implemented for at least two years. We don’t know how to implement these laws. We don’t know how to analyze this data. We don’t know how to share data.
I think solving the federal problem of how you share data, how you collaborate and how you share information is really the first step to getting the defence right. We, sadly, don’t talk about this enough. I think it’s a very critical problem, but you have to ask who holds the data, who is analyzing the data, who is sharing the data and then go from there.
[Translation]
Mr. Rapin: I will answer in French, if I may.
The Deputy Chair: You still have some time left.
[English]
Senator Yussuff: If he wants to offer any advice, yes.
[Translation]
The Deputy Chair: Mr. Rapin, would you like to say something?
Mr. Rapin: To answer your question, yes.
I think you have touched on something very important. A number of critical infrastructures are not operated by federal entities, but rather by entities at lower levels of government. In the past, in the United States, for instance, foreign cyber actors have investigated, if you will, infrastructure at the regional or local level, because they assumed that the entities operating them would have fewer resources, that they might not be as well defended and that they would have less expertise to protect them. That is the reality. Municipalities, for example, do not have the same resources to protect the cybersecurity of certain infrastructure.
Consideration must be given at various levels to ensure very high security standards, and not just at the federal level. There is still a lot of complacency at the lower levels.
[English]
Senator M. Deacon: Mr. Hodgson, when you were speaking in your opening, you finished off with “Here are some of the things that are being done, and here are some of the things we can acknowledge as being done.” I just want come back to you in that thinking. If you were to carry on with what you were saying about “Here are some of the things,” and you comment on the U.S., what do you think are the misses right now that we need to react to first or act on first?
Mr. Hodgson: Thank you.
I agree that sharing of information is a key part of this. One of the things we have seen, though, is initially the sharing of information was seen as an unaltered good. Push as much information out there as can possibly be done. Of course, that just creates an overwhelming wave of information that people find very difficult to wade through. Some more recent action is taking place, where it’s the U.S. government trying to share more actionable intelligence at levels that could be shared with entities, that’s actually shown some improvement, and not just in terms of here is what the nature of the threat is, but here is what actually can be done to address it. I’m actually a little more optimistic that action has been taken to make that kind of information sharing better, but, of course, that’s on things that we can see right now.
The other area that needs to be focused on and that I didn’t touch on but is in my prepared remarks is on the resiliency aspect. How can we work to make sure that the critical infrastructure sectors are prepared for when things go wrong? They inevitably will. We have to be working on the contingency plans to make sure that we can fail gracefully as opposed to fail catastrophically.
Senator M. Deacon: If we move that from the sharing of information to action, jump in there literally on the field, you touched on the Russian actions in Ukraine. Absolutely, they have launched cyberattacks on critical infrastructure, as you said earlier, but they also relied on conventional weapons to do this as well. I am wondering, from your perspective, if we have learned anything from this conflict about how cyberwarfare will be employed in a conventional state-to-state conflict between two developed economies like that.
Mr. Hodgson: I think to a limited degree. Generally speaking, when it comes to a shooting war, the level of confidence that we might have in the employment of cyber capabilities to have an impact on critical infrastructure — to be honest, from the Russian perspective, I’m sure this is the same — is going to be less than, quite frankly, using kinetic action. In those kinds of circumstances where the target, such as critical infrastructure like an electric power grid, is reachable by kinetic means, I think most governments that are engaged in conflict will rely more on that than they would rely on cyber capabilities. Cyber capabilities will be a sideshow. It will be an important way for these adversaries to try to sow confusion, to try to understand what we’re planning and how we are planning to conduct things.
Also, if I were sitting in their shoes, they would probably want to focus more on the support infrastructure that is more amenable to these kinds of things, such as the logistic systems, the small- and medium-sized businesses that are providing key services to military operations in ways that are really important but we don’t necessarily think about. It’s sort of the equivalent of the ball‑bearing plants in World War II. What are those key critical supplies? We saw it similarly within the COVID-19 pandemic with the development of vaccines and how adversaries were going after supply chains there as well.
Senator Cardozo: I would like to ask you a question that I asked the previous witnesses. Since two of you are from the U.S., I would be interested in your thoughts. We focus a lot on the cyber-threat coming from other countries such as China, Russia, North Korea and Iran — I don’t know if anyone is thinking about the next batch of countries that will be a threat in the next few years — but we don’t think much about cyber-threat coming from within. Are you thinking about bad actors within Canada and especially within North America, some of the forces that are getting pretty angry about how our countries are run and are reaching to new extremes in terms of how they respond to that? Do you have concerns about homegrown or North American-grown cyber-threats? I would like to hear all three of you on that, if I could.
Mr. Valeriano: Yes, sure. I was particularly delighted that the new Biden National Cybersecurity Strategy mentioned criminals as the fifth major actor and that it was not just Russia, China, North Korea and Iran. We need to stop, in this community, blaming everything on the Big Four. In fact, I think it’s more important that we understand the relations of the target states and what they are doing to prepare and what they may not be doing to prepare to counter these threats.
Now, on the issue of homegrown threats and insider threats, these have always been pervasive, and they will never go away. In fact, they may be the most pernicious threat. But, really, I worry about the threat of what the state may do to the individual. What will happen in terms of repression, which we saw with Pegasus and what the Citizen Lab has uncovered? That’s going to be the most important thing moving to the future. It’s not so much what these right-wing extremists might do to the state but what may happen when other states target what they view as extremists operating within your state — dissidents and diaspora communities. These are the main targets moving forward, and this is what I’m really concerned about in the future.
[Translation]
Mr. Rapin: I have a methodology problem: I think our database is designed to focus on incidents coming from outside Canada. We do not automatically consider what might be initiated from within our borders. With regard to the information and disinformation featured in certain conspiracy theories that circulate a lot in Canada and that can be destabilizing factors, these narratives clearly come from our neighbours south of the border. These narratives are devised and democratized by political forces south of the border. The potential emulation and dissemination of “dangerous” narratives is of course something we should be thinking about.
[English]
Senator Cardozo: Mr. Hodgson, do you have thoughts on that?
Mr. Hodgson: It is also a challenge, the insider threat, as you mentioned. One of the key pieces of this, which we’ve talked about, is ransomware. You are seeing more and more of the commoditization of some of these basic tools that could be used to be very disruptive. I agree with Dr. Valeriano that we do also have to be concerned about trying to employ tools that become overly repressive or end up treating everyone like they’re a potential perpetrator of cyber incidents.
One of the things we also discovered in the cybersecurity field is that the more onerous the controls we try to place on the user, the more they are going to try to find a way to circumvent them. They may not be malicious in what they are trying to do, but it can have some negative impacts.
We have seen ransomware — which, to be honest, at its root level is not a terribly sophisticated tool and is often exploiting very basic vulnerabilities, including human vulnerabilities like the fear of missing out, clicking a link and so forth — which can lead to pretty disruptive actions. There are technological but there are also educational as well as organizational things that need to be done to try to improve the cybersecurity posture. As I mentioned previously, how do you create better resilience in these organizations so that the one click doesn’t lead to shutting down a hospital for a week?
Senator Cardozo: Thank you.
Senator Dasko: The concept of the development of norms has come up a couple of times from Mr. Valeriano and Mr. Hodgson. Both mentioned norms in their presentations, and others mentioned it earlier today. If the departments themselves cannot be organized, how can we develop norms? Who would be part of the development of norms? I’m wondering if you could comment on this. Is this something that is feasible? Is this the way to deal with some of the issues in this field? Who would the norms apply to? What would they involve? Is this development of norms something that takes the place of a regulatory framework or laws? Any of the witnesses can comment on the concept because it has come up a number of times.
Mr. Valeriano: It’s an interesting and important question, and it animates a lot of research. We do have an extensive system of norms in the international community, but as I mentioned, there are not a lot of standards and regulations to enforce these norms. That’s why standards and regulations go hand in hand with norms. That’s why international law goes hand in hand with norms. For norms to work, we need strong entrepreneurs in the system. The norms that are being developed in the UN have been progressive, but there have also been extensive attempts to dismantle the development of these norms, particularly by Russia. For states like Canada, particularly right now with Singapore being in charge of the open-ended working group, these are the important moments to step up and to articulate what sorts of norms we want the rules-based order to operate under. But as to what these norms will be and how we will enforce them, these are the open-ended questions. The first step is developing a strong regime of rules, standards and regulations to move forward.
[Translation]
The Deputy Chair: Before we begin the second round, I have a question for Mr. Valeriano. I have already asked other witnesses this question. Given our proximity to the United States, could Canada serve as a computer base for cybercriminals targeting the United States?
[English]
Mr. Valeriano: Sure, I think anyone can. We are obviously seeing this extending very deeply into Latin America right now, so everyone needs to be prepared. Everyone can be a victim. Canada has a particular challenge not just from criminals but also from China. There are clear worries in this domestic space. There are things that you need to do in order to shore up your defences.
[Translation]
The Deputy Chair: Mr. Hodgson, I can imagine that our power stations, drinking water reservoirs and data banks could become key targets. If someone wants to disrupt activities in a country, as we saw in Ukraine, they attack the power stations. Do we have any information about the interests of other countries where cybercriminals might attack those infrastructures?
[English]
Mr. Hodgson: It’s hard to understand the potential motivations. Going back to my point about the declaration or sort of deterrent value of statements, President Biden presented a statement to President Putin when they met in Geneva a while back about attacks on critical infrastructure not being tolerated. For a nation-state, even one such as Russia which is engaging in pretty horrendous acts in Ukraine, I think they understand that the stakes are much higher if they are going to be targeting critical infrastructure in a destructive manner. We have seen a lot of probing of networks, understanding what the networks look like and stealing of intellectual property. In some cases, it’s unclear what the actual intents behind those are, and that’s why it’s been important to signal why we find those inappropriate.
To tie back to the previous question about norms, it’s been really important that the international community has come together to express what it believes is inappropriate behaviour, such as happened with the Chinese exploitation of Microsoft Exchange server vulnerabilities in 2021. NATO, the European Union, the United States, Canada and the U.K. had all released statements to identify and point the finger at the people who perpetrated it. They pointed out that they thought it was not just inappropriate but indiscriminate, and that was really not acceptable behaviour. Will that stop it from happening? No, I don’t think it will, but it does show that there’s resolve. Norms are about how you act, not just about what you say.
[Translation]
Senator Boisvenu: My question is for Mr. Valeriano. Yesterday, the newspaper La Presse published an article about a thousand secrets, a thousand dangers, which also referenced the previous witness. That article indicates that the Chinese government’s fundamental strategy is to gather information. In addition, China passed legislation in 2017 that requires Chinese citizens, wherever they might be in the world, to gather information for the Chinese government in order to improve its ability to penetrate computer systems or political systems.
My colleague asked you this earlier: is Canada more vulnerable to this than the United States? Experts say that Canada is the weak link in cyber protection of North America because it can be easily penetrated. It is much easier than going to China to gather information.
For the United States, which has major systems for North American protection, among other things, this makes Canada the weak link. Is that of great concern to Americans?
[English]
Mr. Valeriano: I wouldn’t say it’s a concern; I believe it’s a reality. I believe it’s something that everyone’s aware of. I think it’s very true that China is trying to seek and collect as much data as possible. The challenge is also what they are going to do with that data. We have known for a long time that China has swept up OPM data. It has swept up Marriott passport data. It has swept up various airline data. To what end? I work with machine learning data all the time. I work with collected data by A.I. systems. I can tell you that it’s very difficult to analyze and produce any actionable intelligence from this data. I wouldn’t say we ignore this problem. I think we need to leverage data for our own ends. We need to use data proactively to defend the nation.
[Translation]
Senator Boisvenu: Knowing that it is much easier for Chinese spies to live in America, whether in Canada or the United States, and it is much more difficult for us to go to China to spy on the communist system which has pervasive control over its citizen, what strategy should be taken to address the threats from China and Russia, but especially China?
[English]
Mr. Valeriano: Yes. I think that’s a realistic challenge right now. I know that we’re not very good at adversary work and perceptions and that we worry very much about what they are attacking and not so much about what they are developing and how things are undertaken within their own state. I think it’s a blind spot. It’s a weakness. We think a lot about cyber intelligence, but we don’t think about cyber intelligence to understand the behaviour of the opposition. I think the behavioural aspect of cybersecurity is one of the most important challenges that we have right now that I think a lot of people, particularly academics, are failing at.
Senator Yussuff: The public attitude towards cybersecurity is evolving. It’s not new, but it is evolving in the sense of how people may view the seriousness of it. From my perspective, I think we have a long way to go. You made the point earlier about the sharing of information. If you don’t know, you don’t know. You can’t really get the public to be incensed or angry about something that is going on if they don’t know what’s going on. Given most of the things that are happening in terms of the cyberattacks are also happening with private companies, some of it they share when our data is exposed, but if our data is not exposed, they don’t tell us about it; there is that reality.
In the context, Mr. Valeriano, of the U.S. and the legislation that was passed about trying to collect this information and share it, how valuable do you think that would be in terms of changing public attitudes so governments and our elected people can become more ambitious in their effort to do more around cybersecurity and get the nation’s efforts to be more robust in the same vein?
Mr. Valeriano: I think it would be critically important. We have a lot of folk sayings in cybersecurity, and the most pervasive is that if you haven’t been hacked, you’re about to be hacked. There is no evidence for that. There is no evidence for most of the statistics we have in cybersecurity. There is no real evidentiary basis for a lot of things that are said in cybersecurity.
Recently, the U.S. government said they want to develop some sort of colour-coded warning system for cyberattacks, much like we did during the Department of Homeland Security and terrorism era after 9/11. I’m not so sure that was effective. But in developing more actionable ways of demonstrating to the public that we have a problem, that there is a seismic shift and thinking about how we develop earthquake warnings in the United States, I think that that is something very important. Israel moved to a hotline system. Now, you’re not going to get a lot of actionable data from a hotline system and by ordinary citizens reporting cyberattacks, but you will start to see patterns. We will start to see waves. I believe we haven’t even begun to explore what we can do with data and notifying and engaging the public moving into the future.
Mr. Hodgson: One of the things that we’re challenged by is that even when cyberattacks are reported, it doesn’t seem to materially impact most people. When your identity is stolen and you have to go through the painful process of resurrecting your identity, to close accounts and reopen them, that’s pretty powerful, but that’s an individual level. Dr. Valeriano mentioned a couple of incidents. It’s unclear, despite millions of records having been impacted, what the real consequences of those cyberattacks have been. More recently, when you see ransomware, such as was executed against Colonial Pipeline, and what the result of that was, that has raised more awareness. Again, when you’re not personally affected by it, it’s very hard to motivate people to deal with it. Quite frankly, it can be extremely esoteric and technical for most people to understand what they should do.
I see you have a phone on your desk. How many people really understand exactly how that phone works? They don’t, but they know how to use it. When they are told about the security vulnerabilities in it, I think for 99.44% of people, it really doesn’t mean anything.
[Translation]
The Deputy Chair: Before we finish, I have a question for Mr. Rapin which I also asked the other witnesses earlier.
In fighting cybercriminals, are we condemned to always being on the defensive or can we hope one day to arrest and charge the cybercriminals?
Mr. Rapin: First, I am not sure it is true that Canada is only on the defensive since, if memory serves me, in late 2021, the Communications Security Establishment said it was conducting an offensive operation against a cybercriminal group. That is the first time we heard of such an event in Canada. So Canada is also taking proactive measures.
In terms of legal action, that is something the United States is doing increasingly. We are seeing more and more extremely public charges by the FBI, sometimes with photos of the persons identified or wanted. In late 2022, the U.S. convicted a first cybercriminal with links to Chinese intelligence who was arrested in Belgium, extradited to the U.S. and prosecuted. So we see that these things — This can work in one case but not in many others, but these efforts are sometimes successful. This is something Canada should consider doing more intensively, either of its own initiative or in cooperation with the United States to bring charges jointly. I think that is something that needs to be explored.
The Deputy Chair: That concludes our meeting. My sincere thanks to Mr. Valeriano, Mr. Rapin and Mr. Hodgson, and all of our witnesses today.
These discussions are extremely important and we appreciate your input. Thank you once again.
Our next meeting will be next Monday, March 27, at the usual time of 4 p.m. (Eastern Time). Thank you and have a lovely evening.
(The meeting adjourned.)