SECD - Standing Committee

National Security, Defence and Veterans Affairs

45-1 45th Parliament, 1st Session (May 26, 2025 - Present)
Select a different session
Download as PDF

THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS

EVIDENCE

OTTAWA, Monday, December 1, 2025

The Standing Senate Committee on National Security, Defence and Veterans Affairs met this day at 4:01 p.m. [ET] to examine and report on such issues as may arise from time to time relating to national security and defence generally, including veterans’ affairs; and, in camera, to consider a draft agenda (future business).

Senator Hassan Yussuff (Chair) in the chair.

[English]

The Chair: Honourable senators, I am Hassan Yussuff, a senator from Ontario and Chair of the Standing Senate Committee on National Security, Defence and Veterans Affairscommittee. I am joined today by my fellow committee members. I welcome them to introduce themselves.

[Translation]

Senator Carignan: Good day. Claude Carignan from Quebec.

Senator Youance: Suze Youance from Quebec.

[English]

Senator White: Judy White, Newfoundland and Labrador.

Senator Ince: Tony Ince, Nova Scotia.

Senator M. Deacon: Good afternoon and welcome. Marty Deacon, Ontario.

Senator Cardozo: Andrew Cardozo, Ontario.

Senator Dasko: Donna Dasko, Ontario.

Senator McNair: Welcome. John McNair, New Brunswick.

Senator Kutcher: Stan Kutcher, Nova Scotia. Thank you so much for the great work you do.

The Chair: Thank you, colleagues.

Today, we are stepping back from our work on defence procurement to hear from Karen Hogan, Auditor General of Canada. Ms. Hogan is with us today to speak to her recent reports related to the mandate of our committee, specifically recruiting for Canada’s military, housing of the Canadian Armed Forces members and cybersecurity of government networks and systems.

The Auditor General is accompanied today by Jean Goulet, Principal; Gabriel Lombardi, Principal; and Stuart Smith, Director.

Thank you all for joining us today. We will begin by inviting you to provide your opening remarks to be followed by questions from our members. Ms. Hogan, you may begin, and you have five minutes for your opening remarks. Thank you very much.

Karen Hogan, Auditor General of Canada, Office of the Auditor General of Canada: Thank you, Mr. Chair. I think I might take a little bit more than five minutes because I’m covering three reports, if you’d permit me. Thank you.

Good afternoon and thank you for the opportunity to appear before your committee today to discuss three of our audit reports that were tabled on October 21, 2025.

I’d like to begin by recognizing that we are meeting on the traditional, unceded territory of the Algonquin Anishinaabe people.

I will begin with our two audits of programs related to the Canadian Armed Forces. The first focused on whether the forces recruited and trained enough members to meet operational requirements.

Between 2022 and 2025, the Canadian Armed Forces fell short of their target by about 4,700 recruits. Though the forces were able to attract thousands of applicants, only 1 in 13 started basic training.

[Translation]

The Canadian Armed Forces did not always know why applicants abandoned their applications during the recruitment process. Without this knowledge, the Canadian Forces are not able to determine what needs to be done differently to increase the number of successful candidates.

The Armed Forces also did not have sufficient basic training capacity to meet demand if the recruitment targets had been met. The challenge attracting and training enough highly skilled recruits to staff many occupations, such as pilots and ammunition technicians, could affect the army, navy and air force’s ability to respond to threats, emergencies or conflicts and accomplish their missions.

[English]

Our second audit relating to Canada’s military forces focused on housing.

Overall, we found that National Defence did not manage living accommodations to meet its current operational requirements or to respond to the needs of Canadian Armed Forces members and their families. This is even more important because the forces are working to add more members in the future. National Defence did not have enough living spaces at the right locations, including furnished quarters, that met its own standard for living space per person. We also found that some buildings were in poor condition, lacking basic amenities such as safe drinking water or working toilets.

[Translation]

In addition, the Canadian Forces Housing Agency — which manages residential housing units on bases — did not plan to build enough new housing units to fill existing gaps. Work being done to update their assessment of housing needs did not incorporate plans to expand the Canadian Armed Forces to their authorized full strength.

Canadian Armed Forces members can be required to move frequently. It is important for their morale and well-being that they can access affordable housing in good condition, with sufficient living space for themselves and their families.

The last audit we are covering today examined whether the federal government had the tools in place to protect its IT networks and systems against cyber-attacks. While the government did have a comprehensive strategy, there were gaps in some areas such as cybersecurity defence services, and response during active cyber-attacks.

[English]

Fifty-eight per cent of federal organizations are not required to use the cybersecurity defence services offered by Shared Services Canada and the Communications Security Establishment Canada. Although some have opted in, this inconsistent use of services has resulted in a fragmented cybersecurity landscape that could undermine the federal government’s ability to protect critical information and manage risks.

We also found coordination among the Treasury Board of Canada Secretariat, Communications Security Establishment Canada and Shared Services Canada was too slow during active cyberattacks. Slow coordination and limited information sharing during a recent major attack delayed the government’s response, extending the time during which the attacker had access to public servants’ personal information.

Malicious actions, external events and attacks involving the Canadian government’s digital systems are becoming more sophisticated and frequent.

[Translation]

A coordinated and comprehensive approach to the government’s cybersecurity posture, better collaboration and a current inventory of IT assets are key to safeguarding Canadians’ information and their trust in government IT systems.

Mr. Chair, this concludes my opening statement. We would be pleased to answer any questions the committee may have.

Thank you.

[English]

The Chair: Thank you, Ms. Hogan. We will now proceed to questions.

Colleagues, our guests will be with us until 5 p.m. today. As always, we will do our best to allow time for each member to ask their questions. With this in mind, four minutes will be allotted for each question, including the answer. I ask that you keep your questions succinct in an effort allow as many interventions as possible.

I would like to offer the first questions to the members of our steering committee, starting with Senator Carignan.

[Translation]

Senator Carignan: Welcome. We normally see each other at another committee.

I would like to hear your thoughts on salaries. You saw that the government announced a substantial increase in the budget for salaries. I personally discussed this with the Minister of National Defence and said he should give instructions to ensure that this is done fairly quickly. Do you think this will significantly help with recruitment and retention? As we sometimes see in studies on human resources, salary is effective in retaining people over a short period of time, but normally it takes more than salary to keep people in a job.

Ms. Hogan: I think there are several contributing factors here. Salary is always a factor when it comes to attracting and retaining people.

In our audit on recruitment, we did not focus on salary levels. Thousands of people apply each year, and there is a bottleneck or delay in the process that results in only one in thirteen applicants starting basic training. In these cases, it is not really about salary. It is important for National Defence to determine why people are abandoning the process.

I think salaries will help with retention, but I also think housing plays a very important role. The housing costs for Canadian Armed Forces members are adjusted to ensure they remain affordable. Housing costs are set at a threshold of about 20% of their salary, so it’s not the housing costs. I think it is the availability of housing that helps with retention.

Obviously, in any job, a pay raise is always appreciated. However, as you mentioned, I think it is more anecdotal that this will make them stay longer. I do not know, and it was not the subject of our study, but it will play a role in retention.

Senator Carignan: One out of every thirteen applicants were hired, so twelve out of thirteen were not hired. We see they gradually abandoned the recruitment process. Did you look at those who did not complete the process, those who are referred to as “no further contact” or who did not make it to the end? We do not know whether they applied to several places, such as the Canadian Armed Forces, for example, and whether they went elsewhere, and it was a choice C, D, or E, when they got other opportunities first.

Ms. Hogan: Applying to join the Canadian Armed Forces is an intensive process. It should be to ensure that individuals who start basic training truly want to be part of our armed forces. However, the government does not follow up with applicants who drop out along the way. They do not know why, after a few months, a large number of applicants had no further contact with National Defence.

Delays are one of the contributing factors. Applications are supposed to be processed within 150 days. We found that it takes twice as long. Like any job, when you apply, you apply to several places. If you need a job, you take the first one that comes along. The Canadian Armed Forces really need to look at the reason for these delays, but also why people are dropping out. It was very difficult for us to contact them to ask why they abandoned the process. It is really the responsibility of the Canadian Armed Forces to determine the reason.

[English]

The Chair: We are joined by Senator Hay and Senator Anderson. Thank you both for joining us.

Senator Cardozo: Thank you for being here and for all the work you do.

In terms of the issue of cybersecurity, we’re obviously not doing it properly. Is there a better way of coordinating what the Government of Canada does? I see this range of organizations. You have Treasury Board, the Communications Security Establishment, the Canadian Centre for Cyber Security and the Canada Cyber Security Event Management Plan. There are a range of organizations. Is there one that would be best suited to coordinate across government? Is it not happening because people are not taking it seriously enough?

Ms. Hogan: This is a pretty loaded question. I’m going to prepare Jean in case he wants to jump on it, because I think I would have to go back to more than just this audit report. We have done other work.

If I think about the work on fighting cybercrime, I would tell you that in that space where you are expecting Canadians to report when they believe that they have been a victim of cybercrime, it is so confusing for the average Canadian to know where to go. There are so many organizations. We made a recommendation to the government that they should have one single place for Canadians to report and then let the federal public service send it to the organization that they think is best equipped, whether it be about a person or about infrastructure or an organization. Right now, we are leaving it up to every Canadian to figure that out. That’s how someone reports a crime.

When we look at this, which is about cybersecurity within the federal public service, we see the same sort of every party has their own approach. Here there was a policy choice around who would use certain tools and cyberdefences, and not everyone is required to. When you have that, you create this approach. It is not saying that other people are not doing cyberdefences. My office is not required to use these tools because I have to have all my own cyberdefences, but I have opted in to use some of these cyberdefences because they are seen as being very effective. It is an extra layer. Why wouldn’t I?

Here, it is about a policy choice on how the government wants to approach this, whether it be helping Canadians report crimes or even defending the federal systems against crimes. Do we want it to be siloed and fragmented, or do we want it to be one approach? What we are seeing is that it is leaving some gaps and potentially exposing.

I don’t know if I did a decent job there.

Senator Cardozo: It was more if there is an agency that should be pushing or coordinating everybody to do more and do what needs to be done.

Ms. Hogan: I know you have an opinion, so I’m going to let you jump in on that. I’m definitely going to give Jean some time here.

I would tell you that here it’s Treasury Board that is making the policy choice over who should use the cyber-tools that Shared Services has available. Crown corporations are sitting in at arm’s length. They have a different set of rules. These are policy choices. It would be hard for me to tell you one organization should control it all, but they are the ones that make the policy choice.

Jean Goulet, Principal, Office of the Auditor General of Canada: Just to add more to your question, both Shared Services Canada and Communications Security Establishment have a specific role to play. They are complementary from one to the other. It is when we come to coordination between them when there is a cyberattack, for example, that there are definitely some weaknesses in terms of how fast they can go, what kind of information they can share and so on. This is where Treasury Board is supposed to play a role. That role has to be complemented by the cooperation of those two entities. They are aware of that. I think all three entities are fully aware of that, but they just need to sit down and hammer it out.

Senator M. Deacon: Thank you to all of you for being here as a team. This is an important study at an important time.

I have a question around housing. I know there was the audit around housing for Canadian Armed Forces members. We in the committee on Veterans Affairs looked at housing for vets. Housing itself, right across the spectrum, is a massive concern in and amongst some islands of excellence, quite frankly.

Regarding the audit on housing for Canadian Armed Forces members, in the report, one of the findings stated that more than a quarter of the inspections were not completed within the required time frame, and therefore the reported result was not based on complete information. Could you explain why the agency report might meet a numerical target even when the underlying data quality issue suggests the results might be misleading?

Ms. Hogan: There are two sets of inspections here. There are quarters where the inspections are done by National Defence. We saw that there was a backlog of about 20% of the buildings there. Then there are inspections done by the Canadian Forces Housing Agency, which manages the unfurnished homes, residential units, and there is a backlog there, too, in inspections not being done.

The concern I was highlighting was not so much about having bad information about the units but that when you don’t do your inspections, you don’t know how much money you need for repairs and maintenance, and then you don’t know how to plan for the future. You don’t know the condition of your homes so it is difficult to plan when to replace units or when to replace quarters. There is a lot going on when you are just not doing your inspections.

We saw that National Defence was not spending all of their money on repairs and maintenance, but again, we could not split that out because they don’t break it down between quarters and units and all their other types of buildings and bases. We can just tell you that, in general, they are not spending all of their repairs and maintenance. Maybe that means they are spending none on houses. I just couldn’t break it down.

We do know that when they identify high-priority repairs, very few of them are being done. There is clearly an opportunity to spend some of the additional funding there, but in order to prioritize what you spend, you need a better picture.

Senator M. Deacon: Thank you.

We all want to be accountable and transparent to Canadians. There is a lot of information here today with housing, cybersecurity and a variety of pieces. I’m going to ask you, if you wouldn’t mind stepping back, with that in mind, the filter, accountability, layers, duplication, when you look at the reports you are looking at in Defence, are there one or two general things you draw from and could say, “If there were the top two things I could do to make this reporting or these gaps better, they would be A and B”?

Ms. Hogan: When I take a step back, I get asked many times, “How confident are you that they can spend the additional funding? How confident are you that they will do . . .” insert a statement. I am confident that the Canadian Armed Forces, when they are called on to protect our country, will step up and can do that. They are designed to respond to a crisis.

They are not good at managing administrative things. They don’t know where their quarters are. They don’t know who is using their quarters. They let every base take care of it, so they don’t have this big, global picture. I think if they want to get better at all of those administrative things, they need to take that whole approach instead of asking each base to manage, or even each area. Let the navy do its thing and let the army do its thing. You need a global picture to have better budgeting and planning. That is one of the key things I would tell them to do. While decentralized makes sense when you are in the time of a crisis, to do something like this you need a big, global picture.

Senator Kutcher: Thank you, all, for being here.

My question builds on Senator Deacon’s question. I have to say that when you look at your written comments about housing, we have such substantive problems: does not manage living accommodations to meet current operational requirements; does not have enough living spaces at the right locations; and buildings lack basic amenities such as safe drinking water, working toilets. Plus, they cannot plan ahead. I assume this is due to years of inadequate oversight and inadequate administrative management. Who was in charge?

Ms. Hogan: Well, here it could mean every head of the navy, army and air force are taking some accountability for managing all this. I think what I would point back to is probably the original needs assessment. It was done in 2019, and that’s what they are using now. It is starting to get outdated when you think about how long it is. What was concerning about that original needs assessment is that it was based on outdated information. This is something we do see in a few successive reports lately at National Defence. They were using compensation from 2019 but they were using market data from 2011. The Canadian housing market has significantly changed. When you think about needing to have places for the military in a community that might already have housing challenges, you need to work with that community. I think they should start with at least updating their needs.

Senator Kutcher: I hear exactly what you are saying, and it makes me feel even more concerned. Who is in charge? This has to be on somebody’s plate. Somebody has to have responsibility for making sure that these things are done right. In my previous occupation, I knew who was in charge of everything in the unit and who was doing what they were doing. If they weren’t doing it properly, I took measures to make sure that they were doing it properly. Frankly, it doesn’t give me great comfort to hear you say they are using data from 2011. Who is in charge?

Ms. Hogan: When I am often asked this question, I will always tell you that the deputy head of an organization is ultimately accountable for actions or lack of action. In the military’s case, you have the deputy minister, but you also have the Chief of the Defence Staff who should ensure that whomever they have delegated this to is carrying it out. I think here it is a very decentralized world where they let many bases handle things, and then you add in the complexity of having the Canadian Forces Housing Agency mixed in with this, so you move out accountabilities. But ultimately, that agency as well reports to the deputy head, even though they are somewhat autonomous within National Defence. I think ultimately the questions that the committee could ask would be to the deputy head around how they plan on dealing with this and how they haven’t addressed it up until now.

Senator Kutcher: The person in charge is also the person that needs to fix it?

Ms. Hogan: Ultimately, the deputy head is the one who has to make sure things get fixed, yes.

Senator Kutcher: Thank you.

Senator White: My questions are along the lines of both Senator Deacon’s and Senator Kutcher’s, but I will drill down to a specific part of your report as it relates to Shared Services Canada and Communications Security Establishment agreement. It is just data inventory of all the government IT assets. I’m wondering why isn’t something like this, a very first basic step of an inventory of what you have, not done?

Ms. Hogan: I feel like I’m going to repeat myself from a statement I made earlier about how every department has to have that inventory, but it is then sitting back and getting the global picture for the federal public family that’s missing. When you are trying to monitor day-to-day cyberthreats, it is good to know all of the devices and end users that could be accessing, and that piece is missing. We are not saying that we have no cyberdefences. We are saying that there are some important gaps that we should close. You do that by having a better global picture.

If I could give you a live example, if you work in an organization, you want every employee to report potential phishing attacks as they come in their emails. The more people who report different sources, the more you can bolster your defences to block these things so you don’t have potential risks. What we’re seeing here is it is only part of the federal family that is being called in to participate and report, and that just gives you a vulnerability. We could have stronger cyberdefences across the country if the whole federal family was part of it.

Senator Dasko: Thank you, witnesses, for being here today.

I am very interested in the cyberworld, the world of cyberattacks, and particularly your comments that these attacks are more frequent and sophisticated. I would like to get a sense of what the numbers are and what the sophistication is and the sources of the cyberattacks. Are they changing? What are the main sources that they have been able to determine? Have those sources of attacks changed?

We talk about defence activities and defending cyberattacks, but there must be significant prevention activities that are undertaken, and not just in terms of technology. Obviously, there would be massive technology we have in place to prevent, but there are other forms of prevention. You mentioned people reporting. There must be other prevention activities because this would have to be an important part of this process.

Ms. Hogan: The report that we just issued on cybersecurity of government networks and systems is one in a series of reports that we have been doing. If you go back, you will see one on protection of personal information in the cloud. We looked at the health of networks across the federal public service. This is another one. I think they are all part of a picture that needs to be put together.

In this one, there were many different sensors. We have some statistics. I will turn to Jean if he wants to add anything. There would have been trillions of potential attacks that are blocked. That could be someone trying to access a federal server who isn’t allowed to because they are not an authorized user device, or it could be phishing attacks. There are all kinds. Trillions of them are blocked by these sensors every single day. There are reports regarding the sources and so on, and I’ll let Mr. Goulet add to that. This was about defences. We were looking at what the security posture in the defence is, and then we turned our attention to the case in which one of them gets through and there is a live attack. How do you respond? That’s where there needs to be a much better coordination among the parties. There needs to be an understanding about what they can and can’t share, because the delays left information available to attackers longer than it should have been.

Mr. Goulet: I have a few things to add.

In terms of the sophistication, a good portion of the attacks — without going into numbers — are state-sponsored. They have access to technology and sophisticated resources that allow them to have very high rates of penetration without necessarily being discovered, which, in effect, is the best cyberattack. There is no risk when we’re talking about IT. However, as the Auditor General mentioned, every day, both Shared Services Canada and the Communications Security Establishment Canada are blocking billions of potential events that could eventually become attacks.

Last year, there were 1,170 events that triggered the need for a more detailed intervention on the part of Shared Services Canada and the Communications Security Establishment. That doesn’t mean that it actually was an attack. It doesn’t mean that it was successful. It just means that, based on specific criteria, there was a need to intervene within the specific events.

Senator Dasko: If you know it’s state sponsored, then you must know what states are sponsoring it. Can you tell us about that?

Mr. Goulet: To be honest with you, we did not ask. Even if we had asked, they would not have told us because it’s classified by Shared Services Canada and the Communications Security Establishment.

Senator Dasko: So they presumably know.

Mr. Goulet: Yes, I would assume so.

Ms. Hogan: This is a space where it’s difficult to talk publicly about the topic because we don’t want to divulge weaknesses and give a bad actor the missing piece of information. This is something that the committee can study more privately with departments if they want to, but we just have to be cautious about what we put in the public domain.

The Chair: Thanks.

[Translation]

Senator Youance: Thank you to our witnesses. I wanted to return to the issue of housing in relation to your previous report and the recommendations you made. For the current process, have any housing-related recommendations been followed?

I have a second question for you. In the 1950s, there was a housing program for the Canadian Armed Forces in Montreal and housing for veterans. Do you think a similar program could be relaunched today?

Ms. Hogan: I will ask whether Mr. Smith wants to take part in comparing our previous report with this one.

When it comes to addressing the housing shortage, the armed forces are being creative. Building new housing is not the only option. You can build an entire housing complex in a community and have the military and the community share it. They are looking into the possibility of purchasing existing housing. Since our audit, they have taken certain steps. Going back to the way things were is one option, but I think they need to think creatively. We did not go that far; we wanted to know whether they were meeting their current needs and whether their plan even took the increase in the number of military personnel they hope to recruit into consideration. Mr. Smith, would you like to add anything to the comparison?

Stuart Smith, Director, Office of the Auditor General of Canada: We compared our 2015 audit on military housing to the 2025 audit. The response to our previous recommendations to National Defence took a long time.

One of our key recommendations in 2015 was that National Defence establish an operational requirement, a policy that explains the priorities and rationale for military housing. The new policy took nine years.

Second, our other recommendation was that, upon implementation of this new operational requirement, National Defence should also put in place a sound plan to obtain the necessary resources. National Defence now has a process in place to implement this plan and follow up on our 2015 recommendation.

Ms. Hogan: They are slow.

Mr. Smith: Yes, they are very slow.

Senator Youance: In your opinion, how fast does the department need to move in order to at least meet the current needs or if —

Ms. Hogan: It takes almost ten years to draw up a plan. This is a long time when you consider that the plans are based on information that is already out of date. The longer it takes, the slower the response. At this time, we need to increase the number of military personnel, so there must also be a corresponding increase in housing. They should be addressing this issue now if they truly want to increase the number of recruits.

[English]

Senator Ince: Thank you all.

My question is about the recruitment. It’s just a light question. To what extent did the inadequacies of the CAF’s IT systems and portals affect the recruitment and training?

Ms. Hogan: I don’t know the extent because there were many people who abandoned the process. We just don’t know why they abandoned it, and neither does the Canadian Armed Forces. However, we noted that their systems are not very automated. It’s a very manual process. As they start to automate it, they still make a candidate refill the same information in many places, so there is human error in data entry which will cause further delays in handling an application.

We also saw their own delays in entering things in the housing side. For example, when they asked when people were going to start working in order to make sure their housing was available, if you put the wrong date for when they are going to start on a base, they arrive and don’t have housing.

There is a lot to be said in favour of investing in the digitization of recruitment processes and in general in the Canadian Armed Forces. That will help make things easier. Any application process for which you can take away some of the routine tasks will speed it up and then hopefully move people through the recruitment process faster.

Senator McNair: Thank you, Madam Auditor General and your staff, for being here and for all the work that you do.

I’m going to start with cybersecurity. In your report, you say:

There is a significant number of federal organizations that are not required to use cyber security services offered by Communications Security Establishment Canada and Shared Services Canada and do not use them. The inconsistent use of these cyber security services has impacted the government’s awareness of cyber security events across the federal public service and its ability to defend . . .

Of the organizations not using the cybersecurity services, did you find in your audit that there was an increase in cybersecurity incidents or attacks? Was there a notable difference in those who do use cybersecurity services?

Ms. Hogan: We didn’t actually audit the 204 federal organizations. We were auditing those who are required, the 85 that are required, and how that looks. What I can tell you about those others is that there is a group of them that are voluntarily using some of these services. A little over 60% are using some of the defence sensors — not all of them, but some of them. It’s important to note that every organization must have its own cyberdefences. You should have a cyberplan, and that’s true whether you’re a department or a Crown corporation. You must have your own thing. These are just one other layer on top of it. I couldn’t tell you whether every Crown corporation has the proper cyberdefences because we weren’t setting up to look at that here, but they do have a requirement to make sure that they have good cyberposture and cyberdefence. Many of them are voluntarily using this as well.

Senator McNair: Thank you.

I’m going to jump over to housing and the Canadian Armed Forces. As you indicated, the Canadian Forces Housing Agency requires conditional assessments or inspections to be done every three years. You found that the agency met this requirement in 74% of the cases, meaning there is 26% of units lacking in up‑to‑date assessment. Compliance rates vary by region, you indicated, from a high of 91% in the central region to a low of only 52% in the Atlantic Canada region. Do you have any sense of why the compliance was significantly lower in the Atlantic region?

Ms. Hogan: I’m going to turn to Stuart and see if he has something there. He is sort of going through his memory banks on it.

What I think is important to note is that when we looked at major repairs, about 70% of them aren’t done, and that doesn’t matter where it is in the country. When you have a major repair, like a heating system not working, and you haven’t prioritized it, that’s a concern, right? It’s the kind of conditions we wouldn’t want to live in and we shouldn’t expect our Armed Forces to live in.

Did I give you enough time, Stuart, to see if you can help?

Mr. Smith: Just enough time.

When you talk about the difference in compliance, particularly the lower rate in Atlantic Canada, certainly what we heard from National Defence on that issue was a need to reinforce training but particularly at the regional level with the requirements to conduct inspections and to keep them updated on that three-year cycle.

Senator Hay: Thank you all for being here.

I’m going to move back to cybersecurity as someone who has experienced it in an organization I worked in before. We all know it’s not if it happens, but when it happens. Defence is absolutely important, but so is an enterprise risk-management framework, and preparedness is essential for when it happens, how you mobilize quickly, what to do and scenarios practised in advance and so on. I understand the magnitude of the question and the issue. Can you speak to the enterprise risk management around cybersecurity? Is that a gap or is that well covered? I don’t know if that’s out of scope for today.

Ms. Hogan: We have our expert over here, so I am going to give him a heads-up that I’m going to turn to him and get his thoughts and views.

Here, the policy around defence is a robust policy, but it just doesn’t apply to everyone. To bolster defences would be to have everyone participate.

I think the concerning thing we found here was when it came to how they respond to attacks. When a federal department or agency puts up their hands and says, “I’ve been breached, help me out,” there shouldn’t then be the desire to determine how should we share, what should we share and when can we share? That just delays the response. What we saw here is that that was the case in a recent attack in 2024. That should be well understood and known so that the response can be very timely and you can shut that down as quickly as you can. We talked about it earlier. They just have to sit down and hammer it out, because everyone agrees that we should, as a government, respond faster.

Do you want to add?

Mr. Goulet: Everybody has a role to play — the departments, then Shared Services Canada, then Communications Security Establishment. My understanding of what I have seen in the various reports that we did on cybersecurity is that everyone is trying to do their best. There is no question with regard to that. There are integrated risk management frameworks that are in place at all of these levels. There is a cybersecurity strategy that exists for the federal government, and it’s a good cybersecurity strategy. They have got good tools. The problem right now is that there is coordination that needs to be enhanced. There is a policy gap where some entities within the federal government are not required to buy into the additional layer that is provided by Shared Services Canada and Communications Security Establishment. I know those departments are aware of it. They would like for this to change. But this is a policy gap. So the government has to move on that.

Senator Hay: Is it a risk? Do you feel there is a risk at that stage?

Ms. Hogan: There will never be a world in the cyberspace where there will not be risks, right? I think Canadians would expect the federal government can do everything it possibly can. Why wouldn’t everyone use every defence possible out there to protect not only personal information but the federal government’s information?

Senator Hay: I’m more referring to when it happens and the mobilization, but I’m comfortable, thank you.

Ms. Hogan: That’s a risk when you’re debating, “Can I share this or not share this,” with an organization in the middle of an attack. That’s a clear risk, for sure.

The Chair: Thank you. We now move to second round.

Senator Kutcher: Thanks again.

I will go back to management 101. I am going to go to basic training applications. Fewer than 7% of applicants actually get to basic training. You said something that I didn’t quite understand, 150 days or 300 days. Could you clarify that?

Then, the other question is, if they had actually recruited enough, they don’t have sufficient basic training capacity, so how does an organization try to create a recruitment strategy if they don’t have the capacity to actually hand deliver recruits that they are expecting to get?

Ms. Hogan: First, I will clarify the 100 to 150 days. That is their target recruitment timeline, from the time someone puts in an application to when they could or should be starting basic training. The goal is to do that in 100 to 150 days. It is about twice as long right now to get through that. That’s the back and forth. That’s the physical assessments and some security assessments. All of that is taking a really long time, which we believe might be part of the reason that so many people are abandoning the process and only ending up with one in thirteen being recruited. That’s a lot of energy spent to get one person to start basic training.

You did identify another concern that we raised, which is that even if they had met their recruitment targets — so part of the reason they are not meeting is because of how long it’s taking to get recruitments to the door — but if they had met their recruitment targets, they wouldn’t have had the capacity to actually put them all through basic training. There is only the last year in our audit where they exceeded slightly how many people they recruited that they could train. That is because they don’t have trainers, tools and the capacity. You have to have all that in place in order to ramp up, but I appreciate that they don’t want it in place and then not have the recruits to train. It’s a fine balance to try and find the right time. However, it’s clearly something they need to address. They tried some interim measures, and we talked about those in the audit, but they felt it was not sustainable on a go-forward basis. They did need something more sustainable for the future, but a clear concern is that if you increase recruitment, you need to also be able to train those people.

Senator Kutcher: This is not a new problem?

Senator Hay: This is not a new problem. It existed years before the three that we covered in the audit, yes.

Senator Kutcher: Thank you.

Senator McNair: I’m going to take up where my colleagues left off. I appreciate your accurate but worrisome comments when you’re talking about the state of readiness of the Canadian Armed Forces with respect to recruiting, training and housing. The housing stat, that there will be 205 units in spring of this year for 3,700 applicants, is staggering. CAF has accepted all your recommendations in both reports, but what surprises me is the time frame for their implementation of the response. Some of them go out to December of 2027. Do you get the sense they have the same sense of urgency I think your department is saying exists?

Ms. Hogan: When I take a step back and look at these reports, I would tell you that the Canadian Armed Forces isn’t recruiting enough people to meet their needs. They lack capacity to get them fully equipped and trained to be full-functioning service members, and then they have the added layer of where to house them. Not every Canadian Armed Forces member looks for housing from the military, and many own or rent on their own, but when they need the support of the Canadian Armed Forces, when they move around so much, they should be able to get it.

As I mentioned earlier, I think they are seized with the urgency when they are called to defend our country, and now they need to be seized with the urgency of building up our military. I hope that they will act in a timely way. We talked about how some of our previous recommendations took almost a decade to be acted on, but I think with the additional funding coming, that they want to recruit more, so they need to also figure out this ripple effect that will come.

There is the additional layer we haven’t talked about here, which is about specialized training, making sure we have enough pilots to fly jets and technicians to maintain them. There is specialized training when you go beyond basic training. I do think that these are fundamental things that they should be seized with trying to solve soon. I would always love faster action plans, but I recognize that, especially when it comes to building houses, it takes some time. You need leeway unless you can find a more creative solution than the traditional build from the ground up.

Senator McNair: But 3,700 on the waiting list is a staggering number for 205 units.

Ms. Hogan: It is a large number, absolutely. That has existed for some time. If your plan doesn’t have all the most up-to-date inputs, your gap doesn’t look as bad as it is. It’s about them updating their assessments and then focusing on how to meet those needs.

Senator McNair: Thank you.

Senator Cardozo: I have three quick questions which build on each other.

The first is: To what extent is it your sense that housing is relevant in the recruitment process in the Canadian Armed Forces, in the sense that Canadians will decide to join or not join based on whether there will be housing? The second is: Will this matter of being able to build more housing become easier with the additional large funds that are being put towards defence? The third is: A number of these issues you have talked about, I would assume, were because of tight budgets. Now, they have got a much more robust budget. Are they going to be able to deal with a number of these issues?

Ms. Hogan: To the extent to which housing might be relevant for recruitment, that really is an “it depends” answer. There will be some new recruits who will need housing. In fact, I believe there was a policy change recently where they were trying to prioritize housing for new recruits. What they are seeing is that long service members are now losing their housing, so it’s becoming more of a retention issue than it is a recruitment issue. I think it’s about balancing having some available for long service members and some for recruiting, but it will depend on where you end up sending recruits. It’s a tough one for us to answer, but it’s clear there are thousands on a waiting list, waiting for something now.

Should some of the money that they are receiving go to this? Well, I shouldn’t tell the deputy minister how to spend the additional funding, but I would hope that some would be put towards dealing with the housing issue so that it is not a problem for retention and recruitment. Right now, there isn’t a problem attracting people to apply. There is a problem getting them through the door and trained and eventually housed. They do have a bit of leeway, but I would hope that some of the funding will go that way. That is really up to the department to decide how to spend.

I do believe some of this was because of tight budgets. When you have a limited amount of money to spend, you make decisions on which repairs you will focus on and which you won’t. We all do that in our own homes. I would imagine that when you’re spending taxpayer money, you will make tough decisions, but part of increasing the capacity of Canadian Armed Forces is that it has to come with some investment in the things you don’t see, like IT and infrastructure, and in things that you do see, like housing and more military members.

Senator Cardozo: Thank you.

Senator M. Deacon: My question is in regard to housing. Housing is a household issue right now. You hear it across the country in every sector and location. We have had in the Senate a housing study in the Banking Committee and a housing study in the National Finance Committee. That is not focused on the CAF, absolutely. It is housing in general. We’re learning a ton from those studies on innovation, on creation and getting away from what we call traditional housing and moving to modular, small, tiny, whatever they are. I’m trying to appreciate this because it is complex. Capacity in the CAF is as complex as the day is long. We have this issue in the country, and we have this issue in the CAF. Can one be learning from the other? Can we be looking at some alternatives that make sense given what we’re learning in housing in general in Canada and really try to fast‑track and apply this with CAF?

Ms. Hogan: I’ll see if Stuart wants to add something to this. We definitely see the CAF thinking about accessibility and inclusivity, as well as greening what they are doing, and recognizing that when they go into a community, they need more creative options so that they cannot take from the community but help bolster the community’s housing and the Canadian Armed Forces. A place for them to start, though, is understanding what their needs are, for example, knowing whether they need single dwellings or family dwellings. Right now, they have a mismatch in some of their needs in that they might have a single member living in a home meant for a family, so they are not adjusting their plans even to what their needs are. What do the Canadian Armed Forces look like? Who are they recruiting? Then they need to know that they will evolve as their family situation might change. So how are they adjusting? There are a lot of moving parts. I would love to think that they are learning from the market, but we’re seeing that their plans right now use 2011 market data. I’m hoping that they are going to learn from what is happening now.

Senator M. Deacon: Just a final sentence, you said it nicely, politely and professionally and about seven different ways this afternoon, which is something, I think, that keeps us awake at night. That is: What is the vision? What does the CAF want to be, going to be, need to be, moving forward? With this great influx of possible funding, if we’re not super careful on what we stand for from the get-go, this is not going to be a good process, and I just say that for the record.

The Chair: I have one question. I don’t know if you attempted to answer this in your audit. We talked about outside cybersecurity threats, but where there is infection internally, has that been looked at? Did it affect other departments? If we had a virus that was put in the system and we didn’t have the protection internally as we were transmitting information and data, would that cause problems internally because one department didn’t take all the necessary precautions and is sharing information with other departments?

Ms. Hogan: If you want to jump in, let me know. Jean would like to jump in on this one for sure.

It is important to know that when we talk about cyberthreats, it is not just external cyberthreats. It can be someone from the inside. You can have a USB key that you receive from someone and you plug it into your computer with no malicious intent whatsoever. When we talk about cyber events, they are not all bad actors. Some of them are the oopsies that humans make, that people think this phishing email looks real legit and click on something, and you didn’t intend to cause a problem. It is a real risk, and that’s why every organization has to have their own cyberdefences up and running well, and you have to stay on top of them. That is something that is constantly evolving. But these tools we looked at, the cyberdefence ones, are tools you should have over and above that, that would add a layer of protection. That is why we say it would just bolster the defences if everyone had to use them versus letting people choose.

I will let you add, as I know you are passionate about this.

Mr. Goulet: Thank you. Communications Security Establishment Canada’s sensors are very sophisticated and they have multiple sources similar to the ones from the private sector — for example, Norton — but they have other sources with the Five Eyes allies, whether it’s the United States, Australia or the U.K., which make their sensors highly effective in finding extremely sophisticated attacks. And it is layered. It is just added on top of everything else without an impact on the performance of your systems, so it is difficult to understand why not all the departments may want this.

To answer your specific questions, there have been some instances where an attack in one department was afterwards able to go into other departments as well. CSE plays a role there, and SSC also plays a role, but each department also plays a role in terms of its defence.

Ms. Hogan: I think this is why that coordination element is really important. We should not avoid sharing information with others in the federal family so that we can all defend the federal government’s network and protect its information better.

The Chair: This brings us to the end of our time with this panel.

Ms. Hogan, I want to thank you for all you do on behalf of the nation. I know the work you do quite often shines a light on things we sometimes don’t want to look at, but I think it is absolutely necessary in the greater effort of the country in that it allows us to remind ourselves again that whatever good intentions might be, we also have to meet the goal, and too often the goal is missed. I think you are shedding light on our military and about some very basic things we could do to make it much better if we are going to recruit more and be more agile and more effective in what we hope to do in the future. I also want to thank all your colleagues for coming — Mr. Goulet, Mr. Lombardi, Mr. Smith — and all your staff for what you do. You have also broadened our work that we need to continue on, and we will have other people here to hold them and scrutinize them in regard to their responsibility. Again, thank you for taking the time tonight. The country is better off as a result of what you do.

Senators, the next items we are about to discuss in the committee will be in camera. Is it agreed that we proceed in camera for these discussions?

Hon. Senators: Agreed.

(The committee continued in camera.)