CSE Chief testifies before HoC Standing Committee

FRONTLINE NEWS

May 31, 2016

House of Commons Standing Committee on National Defence hears from Communications Security Establishment (19 May 2016)
(FrontLine-edited and officially-translated transcript)

Ms Greta Bossenmaier, the Chief of the Communications Security Establishment (CSE) spoke before the House of Commons Standing Committee on National Defence on 19 May 2016 to explain the CSE mandate, role and ongoing activities. She was accompanied by Mr. Dominic Rochon, Deputy Chief, Policy and Communications, and Ms. Shelly Bruce, Deputy Chief, Signals Intelligence. It is our pleasure to appear before you today to talk about the mandate, role and ongoing activities of CSE.

Twitter: CSE_CST (English), CST_CSE (French)

Ms. Greta Bossenmaier (Chief, Communications Security Establishment):

This year marks CSE's 70th anniversary. In the past 70 years, the Communications Security Establishment has adapted to enormous changes in the international security environment and in the rapidly evolving nature of communications technology. From the Cold War and telegraph to terrorist groups like ISIS, and the Internet, the nature of our work is more complex and more diverse than ever.

Allow me to start by providing some background. Just over five years ago, CSE's place in government was changed to that of a stand-alone agency within the National Defence portfolio, reporting to the Minister of National Defence. Today, CSE is one of Canada's key security and intelligence organizations.

Our mission is derived from our three-part mandate under the National Defence Act.

The first part of our mandate is the collection and analysis of foreign signals intelligence. The National Defence Act authorizes CSE to acquire and use information from the global information infrastructure to provide foreign signals intelligence based on the Government's intelligence priorities. This intelligence helps provide a comprehensive view and unique insight into the potential threats Canada faces. It's important to emphasize that CSE only targets foreign entities and communications, and is prohibited by law from targeting Canadians or anyone in Canada.

The second part of our mandate is cyber defence and protection. CSE provides advice, guidance, and services to help ensure the protection of electronic information and information infrastructures of importance to the Government of Canada. Our sophisticated cyber and technical expertise helps identify, prepare for, and respond to the most severe cyber threats and attacks against computer networks and systems, and the information they contain.

Finally, the third part of our mandate is to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties. As Canada's national cryptologic agency, CSE possesses unique capabilities and expertise. Under the assistance mandate, those capabilities may be used to assist a requesting law enforcement or security agency under their legal authority.

It's also very important to highlight that the principles of lawfulness and privacy are critical to our work. We have a responsibility to protect privacy, and we take that responsibility very seriously. Protecting Canadians' privacy is a fundamental part of our organizational culture and is embedded in our organizational structures, policies, and processes. CSE has a strong privacy framework as well as internal review and independent external review.

The external review of the Communications Security Establishment is performed by the independent CSE commissioner. The commissioner, a retired or supernumerary judge, and his expert staff have full access to CSE's employees, our records, our systems, and our data. He has the power to subpoena, if necessary. These measures contribute to ensuring that CSE's activities are conducted in a way that protects Canadians' privacy interests.

As I mentioned earlier, throughout its 70-year history, CSE has proudly served our country while adapting to enormous changes in the international security environment. As you might imagine, this dynamic environment will continue to shape our current and ongoing activities.

In terms of results, our intelligence has played a vital role in supporting Canada's military operations. It has helped uncover foreign-based extremists' efforts to attract, radicalize, and train individuals to carry out attacks in Canada and around the world. It has provided early warning to thwart foreign cyber-threats to the Government of Canada and critical infrastructure and networks. It has identified and helped to defend the country against espionage by hostile foreign intelligence agencies. It has furthered Canada's national interests in the world by providing context about global events and crises and informing Canada's government decision-making in the fields of national security, defence, and international affairs.

As part of our ongoing efforts, we will continue to ensure that we provide timely and valuable foreign intelligence to meet the priorities of the Government of Canada. In an increasingly complex international environment, the need for foreign intelligence is as critical as ever.

Specifically, CSE support for Operation Impact provides vital information and helps protect Canadian troops from threats on the ground in Iraq. The Minister of National Defence has identified intelligence as an important aspect of this mission, and I'm proud that CSE will continue this contribution as Canada's mission evolves.

We will also continue to place an emphasis on cyber security. More and more of the world's and Canada's government operations, our business, our military systems, and citizens' lives are conducted online. This increased prevalence of digital information and electronic systems represents tremendous opportunity for Canada, but it also presents risks and threats to our government systems, to Canadian industry, and ultimately to Canadians.

While protecting Canada's most sensitive communications and information has always been core to CSE's mandate throughout our 70-year history, increased reliance on digital information has necessitated a heightened focus for us on cyber security. This is a realm in which the Communications Security Establishment has proven to be an innovative leader and trusted partner, leading the CSE to be a centre of excellence in cyber security for the Government of Canada.

The number of nation-states and non-state actors that possess the ability to conduct persistent malicious cyber-operations is growing, and Canada is an attractive target. CSE's cyber-defence activities play a critical role in the whole-of-government effort in combatting cyber-threats.

For example, CSE's sophisticated cyber-defence mechanisms block over 100 million malicious cyber-actions against the Government of Canada every day. In addition, CSE's cyber-defence information sharing has helped prevent significant losses to the economy and to Canada's most sensitive information, which has helped Canadian businesses protect their systems and information.

Through CSE's educational initiatives, such as our “Top 10 IT Security Actions”, which I provided you a copy of today, we're helping to protect Government of Canada networks and information. We help ensure that government IT professionals are informed about the latest threats and mitigation measures to protect Government of Canada systems and the information they contain.

Finally, we are committed to becoming more open and transparent about how we protect Canadians' security and their privacy.

In January, CSE held its first-ever technical briefing for media and for parliamentarians. Explaining complex technical aspects of our work in unclassified settings is challenging, and this media briefing was a positive first step.

We are taking other steps to tell Canadians more about the work that we do to help protect them, from recently entering the social media world by launching a Twitter account, to posting new content to our website, to producing videos about our cyber defence work.

I'll conclude my remarks by stating that I am confident in our ability to remain resilient in the midst of significant change, to address the growing demands posed by cyber threats, to provide timely and vital foreign intelligence to the Government of Canada, and to continue to safeguard the privacy of Canadians.

My confidence stems from the professionalism and commitment of CSE's highly skilled workforce. CSE's employees play a fundamental role in shaping our organization and our capabilities, and in delivering on our objectives. They are our most important asset.

Thank you for inviting us here today. It would be our pleasure to answer any questions you might have.

QUESTIONS:

Mr. Darren Fisher (Dartmouth – Cole Harbour, Liberal):
I'm interested in the balance of protection, the privacy of Canadians versus how we make sure that we protect Canadians by getting the intelligence that we actually need. That's your job, right?

When you discovered that you did share that metadata containing the identities of Canadians, what did you do right away? What did you did to correct that? You'll see there are lessons learned here, but what types of things did you do immediately when you discovered that had happened?

Ms. Greta Bossenmaier:
I think it's really important, as the member pointed out, that when this issue occurred, CSE actually found the issue, and proactively informed the Minister of National Defence and the commissioner who reviews the Communications Security Establishment. We found the issue. We proactively informed our authorities. We also proactively suspended the sharing of the metadata in question. We also did a review in terms of the incident overall. We looked at and determined that there was a whole suite of additional privacy measures in place; hence, we assessed that the privacy impact was low.

We also took note that the commissioner did a review of the issue as well. He noted that he believed the error was unintentional. He also noted the CSE's full co-operation with his review. Basically, we found it, identified it, informed those responsible, and we undertook a review. We continue now to update our systems and our processes to ensure that we have robust processes in place and that we are able to share the important intelligence.

Mr. Darren Fisher:
Have we resumed that sharing process of the metadata again with our allies?

Ms. Greta Bossenmaier:
We have not yet resumed the sharing. We want to ensure that a solid process is in place and procedures are in place before we start sharing again. That's something the minister will make the final decision on.

Mr. Darren Fisher:
In your opinion, do you think that any changes are needed to Canadian laws or legislation as a result of the commissioner's recommendations?

Ms. Greta Bossenmaier:
It's most prudent for me to leave legislative changes in the purview of government and Parliament. I will note that over the last number of years, commissioners and previous commissioners have made a number of recommendations with regard to CSE's activities. Over 90% of those recommendations have now been implemented. Some of those recommendations did touch on potential legislative changes.

Mr. Randeep Sarai (Surrey Centre, Liberal):
I want to thank you for taking valuable time out from protecting our country on the cybersecurity side to come here. As guardians of Canada's cyber security and cybercrime, you prevent intelligence breaches and control the firewalls. Do you think Canada has adequate security measures as of now for the cyber-threats that we face globally?

Ms. Greta Bossenmaier:
The whole realm of cyber security is a very dynamic environment, because the threats are changing, the nature of technology is changing, and threat actors are changing. It's a very dynamic environment and from the CSE's perspective of working with our partners across government, we are putting a lot of focus on that.

Over the last number of years, protecting and enhancing the protection of the Government of Canada's systems has really been a core focus for our organization. I would say that we've made a lot of progress over the last number of years in terms of upping the defences around the Government of Canada's systems and also helping to protect critical infrastructure in Canada.

At the same time, I would be remiss if I didn't say that this is a constantly evolving challenge. We can never rest on our laurels saying we've done a good job, as it's just too dynamic an environment. One of our key challenges going forward and working with our partners across government will be to continue to remain diligent and try to continue to stay ahead of the threats and ahead of the demands.

While we've made, I believe, significant progress, I would never want to leave the committee with the impression that we're done and there's not more to do. This will be an environment in which we will have to continue to remain ever vigilant and continue to up our game.

Mr. Randeep Sarai:
What percentage of the government's IT budget is used to defend against cybercrime? Would you know that in terms of each department? Do you monitor that?

Ms. Greta Bossenmaier:
We monitor systems, that's for sure. We don't monitor in terms of the actual expenditure across the Government of Canada.

I'd have to say that perhaps one of the central agencies would be better able to answer that question in terms of the total amount that government spends on information technology and information technology security.

Mr. Randeep Sarai:
A little along the same lines, many countries now are budgeting separately or have a separate line item for cyber security versus just IT. Do you recommend that Canada also have that same separate line so we can monitor in each department how much we are spending for cyber security rather than just having it clumped in with IT and have it a very small percentage?

My understanding is that a lot of agencies or foreign or organized crime are trying to penetrate our systems, whether it be minutely to gather someone's personal intel to blackmail them or whether it's to get corporate espionage. Do you think it would be recommended to have it as a separate line item so that we could also see and budgets don't get all clumped into IT?

Ms. Greta Bossenmaier:
To your point that the environment is so dynamic and the nature of the threat actors, we're seeing everything from cybercriminals to the so-called hacktivists, to state actors and non-state actors, all playing a very active role in this cyber-threat realm.

In terms of creating a separate line item or showing the amount of expenditure, maybe on that I would just note that the government has committed to undertake a cybersecurity review that is led by the Minister of Public Safety and Emergency Preparedness in collaboration with a number of other ministers, including the Minister of National Defence. Perhaps that's a question that will be raised in the midst of that review.

Mrs. Cheryl Gallant (Renfrew – Nipissing – Pembroke, CPC):
How is Canada sharing threat intelligence and with whom is it sharing? How does it do the sharing of threat intelligence?

Ms. Greta Bossenmaier:
In terms of sharing threat intelligence, I'll go back to our three-part mandate. First, it's a mandate in terms of foreign signals intelligence and also a mandate in terms of cyber-protection. We share threat information from both of those domains.

I'll start on the cyber-protection mandate. I'm going to turn to my colleague, Madam Bruce, to talk a little on the foreign intelligence side.

In terms of cyber-protection, we share threat information with two key parties, if I can put it that way. First, we share within the Government of Canada family. It's often said that cyber security is a team imperative, that in order to be truly protected, all the pieces of the Government of Canada need to work together.

One of the key roles for CSE is to share the cyber-threat information that we're seeing and detecting with other Government of Canada partners. Some of those partners include Shared Services Canada, which plays a very important role in terms of providing IT infrastructure for the Government of Canada. We also share threat information with individual departments that may be coming under attack or facing particular threats. Such is that first bucket of whom we share with in terms of cyber-threats. We also share cyber-threat information via our partners in the Department of Public Safety and Emergency Preparedness. They run a cyber centre, which has an important role of providing both threat information and mitigation advice to critical infrastructure components in the private sector. So there are two big families in which we share our cyber-threat information.

Mrs. Cheryl Gallant:
Very quickly, does threat intelligence sharing occur with IT security firms in the private sector?

Ms. Greta Bossenmaier:
Via our partners in Public Safety in terms of critical infrastructure providers, one of their roles is to share cyber-threat information with critical infrastructure providers.

Mrs. Cheryl Gallant:
The USA Freedom Act has revised the USA Patriot Act, which was passed shortly after 9/11 and it required certain phone companies to give the NSA bulk records, metadata, and the number, dates, times, and duration of phone calls, but not the identity of callers or the contents of the conversations.

Would a similar amendment to Bill C-51, removing your ability to collect metadata, impact your ability to carry out your mandate?

Ms. Greta Bossenmaier:
I'll try to answer that in a couple of perspectives. I'm not an expert on the USA Freedom Act, so I won't spend too much time on that.

In terms of our sharing of metadata, I'll just talk a bit about our answer about what we've gone through there in terms of identifying the issues. We will not resume that sharing of metadata until both I and the minister are confident that the processes are in place.

Mrs. Cheryl Gallant:
If you were not allowed to collect the metadata, would that impact or impede your ability to fulfill your mandate?

Ms. Greta Bossenmaier:
Yes, I can tell you that metadata is critical to CSE's operations from three perspectives, and I'll try to be brief.

As you know, metadata is not the content of the communications; it's the context around the communications. It's routing information, how telecommunications are routed through the global information infrastructure.

There are three critical roles that metadata plays for CSE and for the Government of Canada. First, it helps us to better understand the global information infrastructure, that vast intranet of information, and how it works. Second, it helps us to identify foreign threat actors – who they are and whom we'll target our defence activities against. Third, it helps us from a cyber-defence perspective. It helps us to identify malicious cyber-actors and to protect Government of Canada systems.

So the short answer is yes, metadata is critical to our operations.

Mrs. Cheryl Gallant:
Does the U.S. share its information from Prism with Canada, with CSE?

Ms. Greta Bossenmaier:
I don't have that information off the top of my head.

Mrs. Cheryl Gallant:
Individuals in the private sector knew about the Heartbleed bug months before anyone publicly reported the vulnerability. Recognizing that the CSE does not monitor Canadian individuals, when was it that the CSE first learned about the Heartbleed bug?

Ms. Greta Bossenmaier:
I believe the Heartbleed virus incident happened before my time at CSE. It was back in 2014, I believe.

Mrs. Cheryl Gallant:
To what extent does the CSE monitor the dark web?

Ms. Greta Bossenmaier:
Our cyber-activities and cyber-defence activities are critically important to the Government of Canada. Mr. Chair, I'm sure the committee can appreciate that it wouldn't be appropriate for me to get into our capabilities, methods, and techniques here.

Mrs. Cheryl Gallant:
Does the CSE track or monitor threats emanating from the dark net?

Ms. Greta Bossenmaier:
We take our cyber security responsibilities very seriously, and we use a variety of techniques and tools, but from a national security perspective, it would be inappropriate for me to talk about our methods, capabilities, and techniques.

Mrs. Cheryl Gallant:
From the standpoint of the CSE, we're in the policy development stage of cyber security from a defence standpoint. Would it help the CSE to fulfill its mandate were Canada to adopt more than just a defensive posture on cyber security? What if we were to adopt an offensive posture? Would that be of assistance to the CSE?

Ms. Greta Bossenmaier:
CSE is here to assist the Government of Canada both in terms of foreign signals intelligence and cyber-defence. There are two reviews. One is the defence review ongoing now, led by the Minister of National Defence. The other is the cyber-review, which the Minister of Public Safety and Emergency Management will lead. It's an interesting question that perhaps those reviews will consider.

Mrs. Cheryl Gallant:
Mr. Chairman, I would like to ask our witness to provide us with the date that the CSE first detected the Heartbleed virus or knew about it.

The Chair:
Can we get that reported to us after the committee meeting? If you could take that under advisement, we'd appreciate it.

Ms. Greta Bossenmaier:
I'll take that down in my notes.

Mr. Randall Garrison:
I think we all recognize the important work that CSE does in protecting national security, but the very nature of your work also brings into question the other part of the dual responsibility of governance, and that is protecting civil liberties and privacy.

The question of metadata raises serious concerns for many Canadians, especially given the 2012 project that CSE seemed to have been running in partnership with the U.S. National Security Agency, which had to do with monitoring airport Wi-Fis and people's movements. The commissioner, as the review authority, recommended that CSE request a new ministerial directive on the use of metadata. He said that your mandate and your instructions were unclear.

Have you requested or received a new ministerial directive on metadata?

Ms. Greta Bossenmaier:
The incident, actually, that the member referenced was covered in, I want to say, last year's report by our commissioner. He looked into this incident, and he determined that CSE, number one, had the authority to conduct the activity, the study, and also did so in a lawful manner. I thought that would be important to put on the record.

In terms of addressing the commissioner's recommendations, I noted he's made over a hundred recommendations. Dom will correct me in terms of the actual number, and we have implemented over 90% of those recommendations. The recommendations that the member has cited were recommendations that he made in his most recent report, and we are still in the throes of actioning those.

Mr. Randall Garrison:
Given the problem that came up with information-sharing of metadata with the Five Eyes, and I know you were asked previously by Mr. Fisher whether that sharing is taking place, I just want to reconfirm that while we're still collecting and still analyzing that metadata, without a new ministerial directive we're not sharing that with any of our partners at this point.

Ms. Greta Bossenmaier:
We have not resumed the sharing of that type of metadata with our allies, but we do continue to collect it and to analyze it.

Mr. Randall Garrison:
There was a remark by Ms. Gallant earlier that of course CSE doesn't monitor Canadians, and I think we all understand that on your own legal authority, your mandate doesn't include monitoring Canadians here or abroad.

Ms. Greta Bossenmaier:
Correct.

Mr. Randall Garrison:
But under the third piece of your mandate, you provide assistance to Canadian law enforcement authorities. Isn't it true that in fact CSE does monitor Canadians under the legal authority of other agencies?

Ms. Greta Bossenmaier:
I think it's very important to reflect on the various parts of our mandate. I have actually given out a little summary sheet about the three-part mandate. In terms of our foreign signals intelligence and information protection mandates, the part A and part B, it's in our legislation, and we do not direct our activities at Canadians – anywhere or anyone in Canada.

We do have a part C mandate, which is an assistance mandate. Under that mandate we can provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties and under their authority. It's under their authority that these activities take place.

Mr. Randall Garrison:
To be clear, then, your agency is involved in doing this.

My question would be, do you take for granted when those requests come that they're lawful, on behalf of the other agencies, or is there an independent review of those requests in your agency as to their lawfulness before those activities are undertaken?

Ms. Greta Bossenmaier:
When we receive a request, it is a request. We review that request to ensure that the lawful authority is there.

Mr. Randall Garrison:
Do you report these activities that you undertake on behalf of other agencies as part of your annual reporting or your reporting to the commissioner, or do you depend on those agencies to report those activities to their monitoring bodies?

Ms. Greta Bossenmaier:
In terms of the commissioner of the Communications Security Establishment, I already noted earlier that he has the authority to review all of CSE's activities, and again, that includes our information, our people, our systems, etc. His review and his authority to review cover all three parts of the CSE mandate.

Mr. Randall Garrison:
There is no proactive monitoring of Canadians for other agencies to any body.

Ms. Greta Bossenmaier:
We do produce a classified annual report to the minister. I produce that to the minister, so I do report to the minister on an overview of all of CSE's activities, and again, the commissioner also produces a public report that touches all of CSE's activities.

Mr. Randall Garrison:
Do those reports contain at least a summary of your activities undertaken on behalf of other agencies which monitor Canadians?

Ms. Greta Bossenmaier:
Dom, do you want to provide an overview in terms of what the reports include?

Mr. Dominic Rochon:
The annual report to the minister, the classified annual report, absolutely does. It covers those activities.

I'll just clarify again that actually under me, we have a responsibility, whenever there is a request that comes from a security agency such as the RCMP or CSIS, to verify that they do have lawful authority, meaning they have to have a warrant or whatever it is. Then when we engage, we're operating under their lawful authority, so we're acting as their agent. We're acting as though we were a CSIS or RCMP employee, and absolutely, those are reviewed by the commissioner. The commissioner reviews those activities making sure that we actually verified that.

We have Department of Justice staff on the premises to help us, if there's any question as to whether or not the lawful authority is indeed in place. So, yes, we report annually to the minister in a classified report and those contain statistics.

Mr. Sven Spengemann (Mississauga – Lakeshore, Liberal):
I have two brief questions. If I could refer to page 2 of your testimony, the second paragraph, “It's important to emphasize that CSE only targets foreign entities and communications, and is prohibited by law from targeting Canadians or anyone in Canada”.

Bracketing the “in Canada” portion, how seamless are operations in the case of Canadians with dual nationalities? If someone is Canadian and holds a second nationality and is outside the country, are you still prohibited by law from gathering information with respect to that person? If you're not, is somebody else able to?

Ms. Shelly Bruce (Deputy Chief, Signals Intelligence, Communications Security Establishment):
We do not distinguish between dual nationality and Canadian citizenship. We use the definition under the Immigration Act of what constitutes a Canadian.

Mr. Sven Spengemann:
If you don't have authority, is there another entity in the security establishment that would have authority? I'm thinking of our police forces.

Ms. Shelly Bruce:
Absolutely. We work very closely with the security and intelligence community within Canada. Everybody has their own remit and their own mandate and they operate within those constraints. The RCMP and CSIS would be the two that are more likely.

Mr. Sven Spengemann:
It's fair to say that operationally it really is quite seamless. Even though your jurisdiction stops, the other jurisdiction kicks in right at that spot where yours stops.

The second question goes back to testimony that this committee received early on in the review of the aerial readiness of North America. Can you comment on and ideally substantiate the testimony that this committee received that domestic terrorism, defined as terrorism that would occur within Canada, is our principal security threat?

Ms. Greta Bossenmaier:
Mr. Chair, I'm not au courant of the previous testimony that occurred here. I will note that in terms of overall threats to Canada, I reflect on the remarks that were made not too long ago by the outgoing national security adviser who talked about two primary threats that he was most concerned about. He had a responsibility of looking at the overall threat environment for Canada. The two that he referred to that were utmost in his mind were counterterrorism and cyber-threats.

In terms of overall threat reporting, the national security adviser and CSIS both have an authority to look at the overall threat environment.

The Chair:
The parliamentary secretary asked if he could have a question. I'd like some latitude to give him an opportunity to speak. Mr. McKay, you have the floor.

Hon. John McKay (Scarborough – Guildwood, Liberal):
One of our NATO partners, Estonia, had a cyber-attack from what's presumed to be Russia. It was pretty serious. What are the implications for NATO, and therefore indirectly for us, and what were the lessons learned from that cyber-attack?

Ms. Greta Bossenmaier:
Many of the questions today go back to the heart of what I think we're seeing, a watershed change in the nature of the cyber environment, the types of attacks that are occurring. To the point the member made, there are a wide variety of attacks.

You're referencing attacks at a state level. We're seeing attacks on critical infrastructure in various countries, attacks against the Government of Canada systems from a variety of threat actors. From each one of these either successful or unsuccessful attacks, we all learn something. The international community learns something. One of the things we learn over and over again goes back to my earlier point that we can't be complacent, that we always have to continue to look at our methods, our tools, our techniques, the types of threat actors.

It's impossible to be complacent. You always have to try to stay ahead of this.

The other item I raised before is it has to be a team imperative. No one organization or one country can do everything alone. It very much is trying to work together and bring together the various resources to deal with these complicated cyber-attacks.

Looking forward, we'll have to continue to be very vigilant. The advice that we provide to the Government of Canada, I've given you our “Top 10 IT Security Actions”, those have evolved. We continue to learn from various actions that are taken. We also learn from when people have implemented some of our recommendations. Once those are taken care of, what are the next variety of steps we recommend that people take?

It's constantly evolving, necessary to be a team imperative, and impossible to say we're done; I don't think we're ever going to be done in this domain.

Mr. Jean Rioux:
If I am not mistaken, your $583 million envelope comes from the Department of National Defence. You are in charge of providing intelligence to all the other departments. This intelligence is useful not just to defence or foreign affairs, for example. What is the connection or what are the ramifications with the other departments?

Ms. Greta Bossenmaier:
As a point of clarification, our budget doesn't actually come from the Department of National Defence. It's appropriated to the Communications Security Establishment. As I mentioned, it was about five years ago that the Communications Security Establishment became a stand-alone agency, still under the National Defence portfolio and clearly reporting to the Minister of National Defence, but we're now a separate organization. Again, that happened about five years ago.

In terms of the funds we have and the efforts we make, the member is absolutely correct. I can talk both on the foreign signals intelligence side and on the information protection side. We work very closely with our colleagues in the Department of National Defence. We have a long-standing relationship that goes back throughout our 70-year history of working with the Canadian Armed Forces and supporting them in their operations. That continues today with our efforts with them, for example, in Operation Impact in Iraq.

At the same time, we do provide foreign signals intelligence to decision-makers across the Government of Canada, not only in terms of the Minister of National Defence and colleagues at the Department of National Defence, but through other decision-makers across the Government of Canada in line with the intelligence priorities that the government sets.

The member is also absolutely correct in terms of our cyber-defence activities. We work very closely, of course, with the Department of National Defence to help ensure that their systems are secure. At the same time, we work with the whole-of-government partners, again whether it be Shared Services Canada, or Public Safety emergency management, or the Treasury Board of Canada Secretariat, and individual departments, all of which are part of this overall effort to secure the Government of Canada systems.

Yes, our efforts across all three of our mandates are there to support Government of Canada priorities. We work not only with our colleagues in the Department of National Defence, and of course in the Canadian Armed Forces—we're very proud to work alongside them—but across the other government departments as well.

Mr. Jean Rioux:
Earlier, the parliamentary secretary was talking about cyber threats. This is an area he is quite familiar with. It is new to me. For my own knowledge and for those watching us this morning, can you provide some very simple examples of cyber threats?

Ms. Greta Bossenmaier:
In terms of specific examples of cyber-threats, I'll try to answer that in two parts. I'll talk briefly about the cyber-threat actors, because it's an important piece, and also about some of the cyber-threats we are seeing.

To speak briefly on the actors, there are sophisticated nation-states that target and try to infiltrate systems. There are non-state actors. We've seen the prevalence in recent months of reports that ISIL is developing cyber capabilities. There are state actors and non-state actors. There is cybercrime, as was raised by one of the other members of the committee a moment ago, and there is the rise of cybercriminals who look to steal information or to steal resources.

There are also examples of the so-called hacktivists. These are organizations or people who are trying to be disruptive, and who are trying to disrupt a government service or disrupt a system. There were examples in the last year. In terms of giving a concrete example of those people who are trying to be disruptive, there were a number of so-called denial-of-service attacks. Those are from people or organizations trying to flood the government systems with requests through a variety of systems that slow down or impede legitimate Canadians trying to do business with the government from being able to do so.

You can see that nuisance and threat activity, and you can see defacement of government websites. The earlier example that was raised was in terms of significant attacks that could be trying to steal intellectual property or trying to infiltrate systems to gain personal information. There was a significant cyber-attack recently with one of our partner countries, and what the cyber-attackers were trying to go after was personnel information, Government of Canada employees and other people who are working for the government.

To underline the point, it's a variety of different threat actors and a variety of different techniques that are being employed for a variety of different ends, all of which either are disrupting systems and trying to infiltrate information, or trying to steal information or shut down systems.

I hope that gives you a bit of an idea of the range of threats and actors we are seeing.

Mr. Pierre Paul-Hus:
Ms. Bossenmaier, in your handout it says that more than 100 million cyber attacks are directed at the Government of Canada's systems daily. That is huge. I suppose that of that number, there are attacks that are made continually by automated systems. There must also be some attacks being made directly by people. Do you have an idea of the source of the attacks being made against National Defence?

Ms. Greta Bossenmaier:
In terms of the nature of attacks, I'll go back to my earlier comments. They are coming from a variety of sources with everything from sophisticated cyber-actors to the hackers or hacktivists, perhaps in someone's basement or perhaps not. There is a wide variety.

In terms of those that are focused on the Department of National Defence, I would have to refer you to the Department of National Defence because it's their responsibility to have that overall view of their systems. We're there in a support role for them.

With regard to your reference to the 100 million probes we are seeing a day, the variety of different types of activity, some are just probes. They're trying to look at the Government of Canada writ large for the weak spot. There is an old phrase, “the weakest link in the chain”. They are looking for weak spots and trying to understand if there are systems that haven't been updated, or if there are weak spots they can try to infiltrate. They are trying to probe. One of CSE's responsibilities is to help thwart those probes on Government of Canada systems.

In terms of using automation, those are all things that are important for us.

Mr. Pierre Paul-Hus:
In your mandate described in subsection 273.64(1) of the National Defence Act, it mentions an assistance role in paragraph (c): “to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.”

Is Bill C-51 currently of capital importance in order for you to be able to perform those duties?

Ms. Greta Bossenmaier:
In terms of our assistance mandate, federal law enforcement security organizations may request CSE's technical assistance, an important part of our overall mandate and, aptly, that's in part C of our assistance mandate. In order for us to consider the request, the organization has to have the lawful authority to be able to ask us. If an organization has the lawful authority, and as my colleague pointed out, if we've confirmed that they have that, we can consider providing that assistance to them.

In terms of Bill C-51 in particular, that bill has not impacted CSE directly, in the sense it's not changing CSE's authorities, etc. It has altered CSIS' authorities. If they, again, had the lawful authority to ask us, we could consider assisting them in their lawful mandate. But it's not directly affecting our mandate. Our mandate stays the same under that reference to the National Defence Act that you made.

Mr. James Bezan:
I have two quick questions. First, we always talk about the Five Eyes relationship that you share, but as a branch of National Defence I assume that we're also sharing intelligence with our NATO members. Mr. McKay talked about the Russia cyber-threat, and how they attacked Estonia back in 2008. I wonder if there were lessons learned there that were shared with Canada through CSE.

Second, you talked about protecting critical infrastructure. I know that you mean energy systems and financial systems and things along those lines, but are you also engaged with protecting the cyberbsecurity for corporations that have defence contracts? I draw your attention to the issue where there was a cyber-attack on a subcontractor for the cruise missile. The schematics were stolen, then sold on the open market. That's how it's believed China got the information to develop their own cruise missiles.

I wonder if you work with defence contractors in Canada who are providing equipment to our military to ensure that they're protecting their systems.

Ms. Greta Bossenmaier:
As I noted, we do work with Public Safety and Emergency Preparedness Canada. They have a particular role with regard to the Canadian Cyber Incident Response Centre that is a link to critical infrastructure providers and a link to the private sector in terms of providing everything from threat mitigation advice to information on if we see something coming, how they can help themselves. We provide information to Public Safety and work with Public Safety dealing with those critical infrastructure providers.

In terms of defence contractors in particular, I would want to confirm in terms of their relationship with CCIRC, but I also would have to confirm in terms of their relationship and how they work with the Department of National Defence.

Mr. James Bezan:
Okay. Just the question on the NATO relationship.

Ms. Shelly Bruce:
We have very robust sharing relationships with our Five Eyes partners, and obviously we're working, as the chief mentioned, in Operation Impact in a broader coalition context. There are aspects of our work that can be shared beyond the Five Eyes, but they have to be subject to different rules.

The Chair:
Very good. Thank you so much for attending. Your work is fascinating. It's very important to all Canadians.