Thank you very much.
Mr. Chair, committee members, thank you for your invitation to appear today.
In addition to Senator Frances Lankin, I am joined by two representatives of the NSICOP Secretariat: Ms. Lisa‑Marie Inman, executive director, and Mr. Sean Jorgensen, director of operations.
It is my pleasure to be here to discuss the committee's 2021 annual report. The report accomplishes two objectives. First, it fulfills the committee's legislated annual reporting requirements. Second, it summarizes the special report we completed in 2021, which was our cyber-defence review.
I'll begin with the committee's four annual reporting requirements.
First, our annual reports must include the number of times a minister determined that a review we propose cannot proceed because it would be injurious to national security. To date this has not occurred.
Second, our annual report must disclose the number of times a minister refused to provide information to the committee because the information constituted special operational information and would be injurious to national security. To date this has not occurred.
Third, we are required to report the number of issues the minister referred to us for potential review. In 2021 there was one such referral. On June 4 the Minister of Health sent a referral to the committee regarding possible security incidents at the National Microbiology Laboratory in Winnipeg.
Fourth, we are required to include our findings and recommendations. In 2021 the committee came to four findings and made two recommendations, all as part of the cyber-defence review. I will discuss that report later in my remarks.
In addition, Mr. Chair, pursuant to the Avoiding Complicity in Mistreatment by Foreign Entities Act, 12 departments are required to provide their minister with an annual mistreatment report and then to provide it to NSICOP as soon as is feasible. All 12 departments have provided us with their annual mistreatment reports.
Next, I'd like to highlight that last year, the committee marked its fifth anniversary. Since its creation in October 2017, the committee has completed nine reviews, with 29 recommendations for the government.
In 2018 the committee completed reviews related to the Prime Minister's trip to India that year, the military's intelligence activities and how the cabinet sets the government's intelligence priorities.
In 2019 the committee completed reviews related to diversity and inclusion, foreign interference, the Canada Border Services Agency and the collection and use of information on Canadians by military intelligence.
In 2020 the committee completed an overview of the threats to Canada.
In 2021 the committee completed the cyber-defence review.
In 2022 the committee completed a review of the national security and intelligence activities of Global Affairs Canada.
Presently, the committee is completing its review of the federal policing mandate of the RCMP.
In the interest of pursuing our second foreign interference review, the committee has temporarily paused its work on the review of the lawful interception of communications for security and intelligence activities.
Members might recall that NSICOP is dissolved during writ periods and is then reconstituted within 30 sitting days after the return of Parliament. Therefore, over the past five years approximately there was one year in total not available to the committee to pursue its work. It was not operating because of two elections, in 2019 and 2021.
Now I would like to turn to the “Special Report on the Government of Canada's Framework and Activities to Defend its Systems and Networks from Cyber Attack”, published in 2021.
We conducted the review because of the importance of federal systems and networks, which form part of Canada's critical infrastructure. These networks store large amounts of personal information and are used to deliver essentially every government service.
Government networks are under relentless cyber-attack by a number of states, most notably China and Russia, and may be vulnerable to malware and other forms of cybercrime. Today, the federal government is a world leader in defending its networks, but this was not always the case.
In the early 2010s, China carried out damaging cyber-attacks against 31 federal departments. This was a wake-up call in terms of the scale of the government's cyber-vulnerability and its poor defences.
Since then, the government has incrementally developed a strong cyber-defence system, in terms of both governance and technical capability.
This brings me to two of our findings.
First, our report found that over time the government's approach to cyber-defence evolved towards one that considers all government systems as a single enterprise. This horizontal approach, colleagues, has considerably improved cyber-defence, although we found it is challenged by the vertical nature of accountability in the government.
Second, our report found that not all federal organizations receive the same cybersecurity protection. There are two related reasons for this. First, the Treasury Board’s cybersecurity policies do not apply to the entire government, and when they do apply, they do not always apply evenly. Second, departments are not obligated to adopt the cyber-defence services offered by Shared Services Canada and the Communications Security Establishment. This means that many federal organizations are entirely outside the government’s cyber-defence perimeter, while others pick and choose services and do not subscribe to them all. These gaps and inconsistencies undermine the enterprise approach to cyber-defence. A system is only as strong as its weakest link.
With all this in mind, the committee made two recommendations. First, the committee recommended that the government continue to strengthen the enterprise approach to cyber-defence. Second, the committee recommended that the government fully bring all federal organizations into the cyber-defence perimeter, and that the cybersecurity policy suite should apply to all federal organizations, including Crown corporations.
The government agreed with both recommendations. Indeed, we are pleased that, for the first time, the government provided an official response to our recommendations in this cyber-review. However, the government has still not provided any updates with respect to 20 other recommendations contained in six of our previous reviews.
The last point we would like to raise is that this year we expect Parliament to begin a comprehensive review of the NSICOP Act. We're aware that your committee has sought to be designated as the House committee for this review. Once a committee is designated to conduct the review, our committee would be happy to make a specific series of recommendations about potential reforms of the act.
Today, I will only emphasize the importance of the committee’s access to government information. Indeed, the committee faces several challenges to obtaining the information we are entitled to under the law and that we need to fulfill our mandate. For example, the committee is concerned that departments are applying an overly broad interpretation of what constitutes a cabinet confidence.
In closing, I wish to say that all of our reports are the result of the incredible and dedicated work of my colleagues on the committee. The cyber-defence report is yet another example of a unanimous, non-partisan review of a crucial government activity by a committee of security-cleared senators and members of Parliament from all major parties and groups.
Thank you very much, colleagues.