Honourable senators, I welcome the opportunity to say a few words about the report of the Standing Senate Committee on Banking, Trade and Commerce, entitled Cyber Assault: It should keep you up at night.

Quite apart from having one of the punchiest, if not indeed the scariest titles in the Senate collection of reports, it’s a timely and popular reminder of the challenges we face in this interconnected digital age.

I subscribe to virtually all of the recommendations in the report, save one with which I have some reservations, and I’ll return to this one later.

But my main purpose today is to place this report in the larger context of how we are addressing the cyber-threats posed to our country, what tools we have and what tools we lack, to respond effectively to those threats.

First, it is important, though obvious, to remind ourselves that cyber is a means to an end, it’s not an end in itself. It’s the vector by which a certain objective is pursued. The objective may be espionage, whether commercial or the spy versus spy variety — I date myself with that MAD Magazine reference. It could be economic, as in the stealing of funds or financial data, or it could be political, as in attempts to disrupt our elections or to undermine our faith in our democratic institutions. But although cyber is the means to these ends, they all share one thing in common: They represent threats to our national security. Indeed, as the current director of CSIS has stated on more than one occasion, the two biggest threats to our national security are economic espionage and foreign interference.

[Translation]

That is why it is very important to ensure that our intelligence and security agencies have the mandates and tools needed to protect us against such threats and keep us safe. Unfortunately, our current security framework is simply not up to the task.

The primary agency with the mandate and expertise to protect against cyberattacks is the Communications Security Establishment, or CSE. However, its current mandate for dealing with such threats is limited to protecting federal government institutions. While I realize that it also provides advice to other organizations, including those in the private sector, the CSE cannot play any kind of active, ongoing role in the fight against cyberattacks.

Second, its powers are entirely defensive. It can prevent hacking attempts on federal government systems — between 500 million and a billion attempts every day — but it cannot take any active measures to stop attacks before they occur or to stop them once they are under way.

[English]

These limitations on CSE’s mandates and powers put our financial institutions and the infrastructure that support them at great risk. And not only our banks and financial institutions, but all of our infrastructure, governmental and private sector that relies upon digital interconnectivity and is part of what we now call the Internet of Things.

That’s why it’s so important that we modernize our security and intelligence framework and give CSE the proper mandate and the powers to do their job. Fortunately, we in the Senate have the opportunity to do just that.

Bill C-59 would permit the government to designate any information infrastructures to be of importance to the Government of Canada. This would allow CSE to partner with an organization, whether in the private or public sector, who requests its assistance in protecting it from the cyber-threats it faces. The help can go beyond simply providing the institution with the latest anti-malware tool or the like. CSE could play a more active role to help the institution stop the attack in its tracks.

This is the operational architecture we desperately need. Until it is in place, no amount of education — none of the recommendations of this report, however, well-thought-out they are — will prove sufficient, adequate or effective.

This leads me to the one recommendation with which I have some reservations, and that is the creation of a minister of cybersecurity to be responsible for cybersecurity policy and to oversee the new Canadian Centre for Cybersecurity.

My reservation is this: As I stated earlier, cyber is the means through which actions are taken, whether in the service of espionage, economic crime or foreign interference with our democracy. Cyber engages all aspects of national security. It’s for that reason that I’m not persuaded that the category of cybersecurity should be treated as distinct and hived off from national security more generally. To be sure, one can fairly ask whether the current mandate of the Minister of Public Safety and Emergency Preparedness might be too broad, encompassing as it does public safety generally, CSIS, the RCMP, the corrections system and the Canada Border Services Agency, and that it might be preferable were there to be a minister exclusively mandated with responsibility for national security. Indeed, this has been suggested by amongst others Professor Stephanie Carvin at the Norman Patterson School of International Affairs at Carleton University. Be that as it may, I remain unpersuaded that a minister of cybersecurity is necessarily the best way to proceed.

But that reservation aside, let me conclude where I began, honourable colleagues. This is an important and timely report which highlights critical issues that we ignore at our peril. I recommend it to you most highly, and thank you for your kind attention.