Consult the new user guides
For assistance, please contact us
Consult the new user guides
For assistance, please contact us
Add search criteria
Results: 1 - 15 of 21
View David McGuinty Profile
Lib. (ON)
Thank you very much.
Mr. Chair, committee members, thank you for your invitation to appear today.
In addition to Senator Frances Lankin, I am joined by two representatives of the NSICOP Secretariat: Ms. Lisa‑Marie Inman, executive director, and Mr. Sean Jorgensen, director of operations.
It is my pleasure to be here to discuss the committee's 2021 annual report. The report accomplishes two objectives. First, it fulfills the committee's legislated annual reporting requirements. Second, it summarizes the special report we completed in 2021, which was our cyber-defence review.
I'll begin with the committee's four annual reporting requirements.
First, our annual reports must include the number of times a minister determined that a review we propose cannot proceed because it would be injurious to national security. To date this has not occurred.
Second, our annual report must disclose the number of times a minister refused to provide information to the committee because the information constituted special operational information and would be injurious to national security. To date this has not occurred.
Third, we are required to report the number of issues the minister referred to us for potential review. In 2021 there was one such referral. On June 4 the Minister of Health sent a referral to the committee regarding possible security incidents at the National Microbiology Laboratory in Winnipeg.
Fourth, we are required to include our findings and recommendations. In 2021 the committee came to four findings and made two recommendations, all as part of the cyber-defence review. I will discuss that report later in my remarks.
In addition, Mr. Chair, pursuant to the Avoiding Complicity in Mistreatment by Foreign Entities Act, 12 departments are required to provide their minister with an annual mistreatment report and then to provide it to NSICOP as soon as is feasible. All 12 departments have provided us with their annual mistreatment reports.
Next, I'd like to highlight that last year, the committee marked its fifth anniversary. Since its creation in October 2017, the committee has completed nine reviews, with 29 recommendations for the government.
In 2018 the committee completed reviews related to the Prime Minister's trip to India that year, the military's intelligence activities and how the cabinet sets the government's intelligence priorities.
In 2019 the committee completed reviews related to diversity and inclusion, foreign interference, the Canada Border Services Agency and the collection and use of information on Canadians by military intelligence.
In 2020 the committee completed an overview of the threats to Canada.
In 2021 the committee completed the cyber-defence review.
In 2022 the committee completed a review of the national security and intelligence activities of Global Affairs Canada.
Presently, the committee is completing its review of the federal policing mandate of the RCMP.
In the interest of pursuing our second foreign interference review, the committee has temporarily paused its work on the review of the lawful interception of communications for security and intelligence activities.
Members might recall that NSICOP is dissolved during writ periods and is then reconstituted within 30 sitting days after the return of Parliament. Therefore, over the past five years approximately there was one year in total not available to the committee to pursue its work. It was not operating because of two elections, in 2019 and 2021.
Now I would like to turn to the “Special Report on the Government of Canada's Framework and Activities to Defend its Systems and Networks from Cyber Attack”, published in 2021.
We conducted the review because of the importance of federal systems and networks, which form part of Canada's critical infrastructure. These networks store large amounts of personal information and are used to deliver essentially every government service.
Government networks are under relentless cyber-attack by a number of states, most notably China and Russia, and may be vulnerable to malware and other forms of cybercrime. Today, the federal government is a world leader in defending its networks, but this was not always the case.
In the early 2010s, China carried out damaging cyber-attacks against 31 federal departments. This was a wake-up call in terms of the scale of the government's cyber-vulnerability and its poor defences.
Since then, the government has incrementally developed a strong cyber defence system, in terms of both governance and technical capability.
This brings me to two of our findings.
First, our report found that over time the government's approach to cyber-defence evolved towards one that considers all government systems as a single enterprise. This horizontal approach, colleagues, has considerably improved cyber-defence, although we found it is challenged by the vertical nature of accountability in the government.
Second, our report found that not all federal organizations receive the same cybersecurity protection. There are two related reasons for this. First, the Treasury Board’s cybersecurity policies do not apply to the entire government, and when they do apply, they do not always apply evenly. Second, departments are not obligated to adopt the cyber-defence services offered by Shared Services Canada and the Communications Security Establishment. This means that many federal organizations are entirely outside the government’s cyber-defence perimeter, while others pick and choose services and do not subscribe to them all. These gaps and inconsistencies undermine the enterprise approach to cyber-defence. A system is only as strong as its weakest link.
With all this in mind, the committee made two recommendations. First, the committee recommended that the government continue to strengthen the enterprise approach to cyber-defence. Second, the committee recommended that the government fully bring all federal organizations into the cyber-defence perimeter, and that the cybersecurity policy suite should apply to all federal organizations, including Crown corporations.
The government agreed with both recommendations. Indeed, we are pleased that, for the first time, the government provided an official response to our recommendations in this cyber-review. However, the government has still not provided any updates with respect to 20 other recommendations contained in six of our previous reviews.
The last point we would like to raise is that this year we expect Parliament to begin a comprehensive review of the NSICOP Act. We're aware that your committee has sought to be designated as the House committee for this review. Once a committee is designated to conduct the review, our committee would be happy to make a specific series of recommendations about potential reforms of the act.
Today, I will only emphasize the importance of the committee’s access to government information. Indeed, the committee faces several challenges to obtaining the information we are entitled to under the law and that we need to fulfill our mandate. For example, the committee is concerned that departments are applying an overly broad interpretation of what constitutes a cabinet confidence.
In closing, I wish to say that all of our reports are the result of the incredible and dedicated work of my colleagues on the committee. The cyber-defence report is yet another example of a unanimous, non-partisan review of a crucial government activity by a committee of security-cleared senators and members of Parliament from all major parties and groups.
Thank you very much, colleagues.
View David McGuinty Profile
Lib. (ON)
The committee received, I believe maybe a week ago or less, a document that is an attempt to update Canadians on recommendations to counter foreign interference in Canada's democratic institutions. I believe the assignment given to the clerk and to Minister LeBlanc by the Prime Minister was to speak directly to recommendations not only from NSICOP but also from other authors who had evaluated the protocol process. I think the assignment was to let Canadians know how far the government has come in implementing our recommendations and its recommendations.
We're encouraged with what we've seen, but we would encourage this committee to call the government again to perhaps provide more detail on how it is moving forward.
View David McGuinty Profile
Lib. (ON)
It's an issue that's live among the committee members. Trying to ensure that the work that's's very difficult, to be candid with colleagues. It's difficult and it takes a long time to arrive at these recommendations. We don't arrive at them lightly. The deliberations are long and extensive. There are some folks at this table who, I think, sat on our committee and understand what we speak about here.
We are hopeful that the government will now pay close attention, perhaps closer attention, to some of the recommendations, like what we put forward here today on cyber.
Again, I would encourage this committee to ask the government to come forward and to explain to what extent it has implemented the recommendations to bring more federal organizations inside the cybersecurity perimeter.
View David McGuinty Profile
Lib. (ON)
There may be some times when we're looking for more immediate take-up. Sometimes it's difficult to point to the effects of the work. For example, the new architecture of review in Canada has compelled many organizations that are now subject to review to actually buttress and create new units inside their departments, such as the Department of National Defence. Prior to the existence of NSICOP and NSIRA, the Department of National Defence didn't really have a formal mechanism to respond to external review and now it does. That's encouraging.
The new architecture of review is pulling the government forward as a whole. There are some things we can point to directly. For example, the government did announce in the budget the creation of a foreign interference coordinator role at Public Safety—which is also in its recent report that I pointed to a minute ago entitled “Countering an Evolving Threat”. We've seen that some of the recommendations from NSICOP ended up directly in mandate letters for ministers, like DND and Public Safety. We've seen the public safety minister act directly on a CBSA review recommendation and implement direct change.
We're always looking for more take-up and more traction, because the purpose of the committee, why we're here, is to improve the situation for Canadians.
View David McGuinty Profile
Lib. (ON)
The committee scrupulously avoids partisanship. I think the highest compliment that's been paid to the committee since we began is that a number of folks who have appeared before us have often said that if you were to close your eyes and listen to the conversation at the table, you actually wouldn't know from which political persuasion the commentary is coming.
We built what I think we like to refer to as “a nobility of purpose” around the work. We think there are some issues that transcend partisanship, that transcend any one government, and national security and intelligence is one of those issues.
It was a unique opportunity for Senator Lankin and me, in particular, who have been there since the beginning, to stand up the organization. It was like flying a fighter jet as we were building one. But the purpose of the committee really should transcend my chairmanship, our membership, the senior secretariat staff. It's an important mechanism for the future to allow for a full airing of classified information among colleagues from both Houses to treat these very important issues.
We all respect and understand that what goes on in the other arena, called the House of Commons or the Senate, is natural and is going to occur. The push and pull, the cut and thrust of that, is democracy, but when it comes to access to classified information and the treatment and the handling of that information, and the quiet, non-partisan opportunity to deliberate as colleagues, on behalf of 39 million Canadians, we think this is a really important structure for Canada, going forward, no matter who is in government, no matter who holds the seat as prime minister or minister, no matter what configuration the committee has.
There are comments sometimes about the role of the Prime Minister or of the government in the work of the committee that are, I would say, considerably off the mark. In the nine, 10 and soon 11 reviews that we have conducted, the Prime Minister of Canada has never instructed this committee to do anything. In fact, the only time we consult with the Prime Minister of Canada on our work is when we're presenting our reviews when the product is finished. The Prime Minister has an obligation to instruct the committee to redact, but on very, very transparent grounds.
The team that is here with us today—not just the members, but our senior secretariat folks—is extremely agile when it comes to entering into a discussion with officials in the government to say, let's talk more about that proposed redaction. We always tend towards being more transparent rather than less. We think that's important for Canadians to understand.
The debate that's going on now in the House, the Senate and in society is an important one; it's a really important one, but it's also a teachable moment for a lot of Canadians. For example, what is classified information? Why is classified information classified, and when can it be shared and when can it not be shared, and why isn't it being shared? Canadians get that. They can fully understand that.
We're trying to do our part in helping them understand that, and I'm sure Senator Lankin has much to add to that.
View David McGuinty Profile
Lib. (ON)
We have to submit a report to Parliament every year. At first, we combined all reviews, like this one on cyber-attacks. As you can see, it's quite lengthy. We decided that, instead of presenting everything together in the annual report, we should conduct the reviews one at a time and submit them individually. That way, we have more time to work together. It is also easier for Parliament, the Prime Minister, and senior officials to receive the reviews and follow up on them.
That is the reason why we chose to separate the reviews. Before, in a single annual report, there might have been three reviews all at once. We made this decision to better manage our work. It was easier for us to operate this way.
View David McGuinty Profile
Lib. (ON)
It is an architecture problem. The Financial Administration Act of Canada gives deputy ministers and the CEOs of Crown corporations the authority to decide if whether or not they will be part of the cyber‑defence program provided by the federal government. We believe that this is a significant weakness.
We're only as strong as our weakest link.
Our cyber‑defence system is well regarded nationally and internationally; it's a very solid system. However, if a cyber‑attack is launched on a department, agency or Crown corporation that is not protected by our defence system, that could be used as a gateway into the entire governmental system.
That's the reason we are recommending that the federal government amend The Financial Administration Act in order to require that all organizations and Crown corporations be protected by the system provided by Shared Services Canada and the Communications Security Establisment.
View David McGuinty Profile
Lib. (ON)
We are still awaiting a definitive answer, but we do encourage your committee to go ahead and communicate with the government, in this case that would be Treasury Board, to ask how things stand.
View David McGuinty Profile
Lib. (ON)
I believe that our committee would state without any hesitation whatsoever that this is just the beginning. The attacks will go on, there will be more and more of them and they will become increasingly complex.
We laid out the situation in the report using six case studies. Two of those case studies hadn't been made public before. We did this in order to present the risks that are involved when not all agencies and departments are protected by the federal defence system.
I think that the members of your committee, as well as other MPs, would find these six extremely concrete case studies most interesting. For example, the National Research Council Canada lost 40,000 documents and spent $100 million to repair its system. The Department of National Defence, another case study, was targeted at least once. Yet another case involves a Crown corporation. All these case studies show the inherent risks when information about Canadians is held by the government.
View David McGuinty Profile
Lib. (ON)
As to knowing if Russia was successful or not or if we did indeed counter an attack, I think those questions should be addressed to the Communications Security Establishment. They would be able to answer you. Our committee has not really looked at the attacks carried out over the last two or three weeks.
The case studies that we have put forward illustrate how sophisticated foreign state actors and other actors can be. In some cases, the attacks have taken place on a federal organization. They were completely unaware of it, and were only informed of it by CSE after the fact. In some cases, under new powers the government has given some companies in our essential systems, a private sector company can now come to the Minister of National Defence and ask for authorization to deploy CSE capacity to help stop a problem with a critical infrastructure company.
View David McGuinty Profile
Lib. (ON)
As you wish, I will say a few words in French. Is it working?
View David McGuinty Profile
Lib. (ON)
As I was saying, the six case studies, Mr. Julian, illustrate.... They were chosen deliberately by the members to allow parliamentarians, Canadians and readers to understand the practical implications of not taking steps to protect. As I say, the private company...the first time using CSE powers. That's the first time this case study has been made public.
The attack on the CRA called the Heartbleed attack is case study number 3. In case study number 4, the National Research Council was attacked by China. We talked about the loss of 40,000 files. China used its access to the NRC to infiltrate other government organizations. It was very expensive to clean that up—$100 million at least. In case study number 5, huge amounts of data were stolen from DND by a foreign actor. In case study number 6, in 2020, a state compromised the network of a Crown corporation.
Are we slow off the mark to respond to this? I don't know if the committee really examined that. I don't know if we examined it comparatively. We do know that CSE's abilities are now increasingly called upon internationally. We know for example that the government of the United Kingdom has called upon Canada's CSE to help with their cyber-defence systems.
I hope I've answered some of your questions.
View David McGuinty Profile
Lib. (ON)
I'm going to ask Lisa-Marie Inman to address the question of cabinet confidence, because she's on the front line often dealing with this.
One of the things that might help the committee is positive reinforcement by all parliamentarians. All parties and the Senate are represented on the committee, so respect the fact the committee has to work in closed quarters, has to proceed with enormous discipline and can't go out and comment gratuitously on subjects that are part of media reports or the cut and thrust of debate.
We really do try to focus on the evidence, focus on the classified information, and we like to think that the quality of the reviews speak for themselves, but on this question, if I could, on cabinet confidence, I think Ms. Inman is best placed to speak to it.
View David McGuinty Profile
Lib. (ON)
There are some practical challenges we do face from time to time. We're making, I think, great progress. Maybe Sean Jorgensen, our director of operations, can speak a little bit about the progress we've made on the redaction process.
Let me step back and publicly thank you, Mr. Motz, for your service at NSICOP. You were a superb member and represented not only your constituents, but also your party and the House very well. We miss you.
There are some practical challenges. For example, one of the challenges Lisa-Marie Inman faces is that we often can't get top-secret interpreters. We can't rely on interpreters, for example, who interpret for cabinet, because they're not sufficiently cleared, so we need a different category of interpreters. That's sometimes a bit of a challenge. During the pandemic we managed to hold ourselves together by having people on very secure satellite systems and meeting virtually across the country and so on. Sometimes the pace—
View David McGuinty Profile
Lib. (ON)
Oh, I'm sorry. Okay.
Results: 1 - 15 of 21 | Page: 1 of 2

Export As: XML CSV RSS

For more data options, please see Open Data