House Standing Committee on Public Accounts (PACP) Appearance, Associate Head, Canadian Centre for Cyber Security - March 31, 2023

Table of contents

• Appearance details
  • Opening remarks
• Committee information
  • Backgrounder on the Standing Committee on Public Accounts (PACP)
  • Committee Members' CSE-related interests
• CSE issue notes
  • OAG Report
  • Top cybersecurity points
  • Cyber security and recent cyber incidents
  • Foreign interference and cyber threats to democratic process
  • Russian invasion of Ukraine and Russian cyber threats to Canada
  • Accountability, review and oversight of CSE’s activities
• Potential questions and answers
  • Recent questions CSE has been asked at various committee appearances (2022-23)
  • Potential questions and answers
• Reference documents
  • OAG Report 7—Cybersecurity of Personal Information in the Cloud
  • Summary of OAG report

Appearance details

Date: Thursday, March 31, 2023

Location: Room 225-A, West Block

Time: 3:30 pm – 5:30 pm

Appearing:

• Rajiv Gupta, Associate Head of the Canadian Centre for Cyber Security, CSE
• Catherine Luelo, Chief Information Officer of Canada, Treasury Board Secretariat
• Paul Thompson, Deputy Minister, Department of Public Works and Government Services
• Catherine Poulin, Assistant Deputy Minister, Departmental Oversight Branch, Department of Public Works and Government Services
• Sony Perron, President, Shared Services Canada
• Costas Theophilos, Director General, Cloud Product Management and Services, Shared Services Canada
• Andrew Hayes, Deputy Auditor General, Office of the Auditor General
• Jean Goulet, Principal, Office of the Auditor General
• Gabriel Lombardi, Principal, Office of the Auditor General

Details: Invited to appear to discuss Report 7, Cybersecurity of Personal Information in the Cloud, of the 2022 Reports 5 to 8 of the Auditor General of Canada.

Opening remarks

Introduction

• Hello/Bonjour.
• Thank you, Mr. Chair, and members of the Committee, for the invitation to appear on the study of the Auditor General of Canada Report to Parliament on Cybersecurity of Personal Information in the Cloud.
• My name is Rajiv Gupta, my pronouns are he/his/il, and I am the Associate Head of the Canadian Centre for Cyber Security at the Communications Security Establishment, also known as the Cyber Centre.

Cyber Centre overview

• The Cyber Centre is Canada’s technical authority for cyber security, safeguarding Canada with our advanced cyber security capabilities and providing a unified source of expert advice and support on cyber security operational matters.
• I am happy to be joined by my colleagues from the Treasury Board Secretariat, Shared Services Canada, and Public Services and Procurement Canada, with whom we work closely on cyber security matters.
• As part of the Cyber Centre’s operational role, we share cyber alerts and threat assessments across the GC to ensure our information systems remain secure, responsive, and well defended.
• As part of our education role, we work to increase cyber security awareness across the government through initiatives like the Learning Hub.
• The Learning Hub is based at the Cyber Centre and provides training to improve the cyber security of Canada’s government and critical infrastructure organizations.
• During the 2021-22 fiscal year, the Learning Hub renewed its collaboration with the Canada School of Public Service, CSPS, to provide a standardized cyber security curriculum for all federal public servants.
• The Learning Hub and CSPS co-developed an e-learning course to introduce public servants from non-technical backgrounds to the basics of cloud computing. This is a priority topic for the public service as departments continue to migrate their IT infrastructure to the cloud.

Cloud

• Government of Canada organizations are increasingly leveraging cloud computing, which has the potential to deliver agile, flexible, and cost-effective IT services.
• As noted in our 2021-2022 Annual Report, CSE continues to function as a pathfinder for the GC in migrating to the cloud.
• CSE was an early adopter of cloud technology, and we ensured that we were the initial adopters of our own internal advice and guidance.
• We were the first department to securely implement several commercial cloud applications, securing them with our cloud-based sensors. We demonstrated leadership by sharing the lessons learned, and the relevant advice and guidance with other departments.

Working together

• As I mentioned earlier, the Cyber Centre is the operational lead for protecting the GC from cyber threats, such as ransomware and cyber espionage.
• We work with federal partners to defend the government’s networks and sensitive information of federal institutions.
• We’ve worked in close coordination with our partners to issue guidance on the classification of personal information in the cloud and the designation of some IT systems as High Value Assets, as the CIO mentioned in her opening remarks.
• While there is no such thing as zero risk when it comes to cyber threats, we are ensuring that the highest levels of protection are in place.
• The Cyber Centre uses autonomous sensors to detect malicious cyber activity on government networks, systems, and cloud infrastructure. We use three types of sensors:
  • network-based sensors, cloud-based sensors, and host-based sensors.
• These sensors allow the Cyber Centre to detect cyber threats happening in real-time. Our classified knowledge of threat actor behaviour allows us to defend against and block these threats.
• We work with our federal partners to ensure the appropriate safeguards have been applied to ensure security and privacy of their information that is hosted in the cloud.
• As cloud environment continues to evolve, we are ensuring we continue to evolve our tools to ensure the government’s systems are well defended and secure.

Report

• I would like to thank the Office of the Auditor General of Canada for their report and to the committee for bringing us together to discuss this important topic.
• Although none of these recommendations outlined in the report are specific to CSE – we welcome them.
• CSE and the Cyber Centre take information security very seriously, and this includes the government’s data in the cloud. We will continue to collaborate with our federal partners to move forward on these recommendations.

Conclusion

• Members of the committee, I can assure you that CSE will continue to work with partners to bolster Canada’s cyber security while at the same time ensuring the necessary protections are in place to respect Canadians’ privacy.
• Thank you for the opportunity to contribute to this important study, and I’m looking forward to answering any additional questions you may have.

Committee information

Backgrounder on the Standing Committee on Public Accounts (PACP)

44th Parliament, 1st Session

The Public Accounts Committee is Parliament’s standing audit committee. Under its mandate, the Committee…

• reviews and reports on the Public Accounts of Canada and all reports of the Auditor General of Canada
• studies and reports on all matters relating to the mandate, management and operation of the government department(s) that are assigned to them. In the case of the Committee, the department is the Office of the Auditor General of Canada.
• enquires into any other matter that the House of Commons may refer to it.
• reviews the work of the federal government’s external auditor, the Auditor General of Canada.
  • When the Speaker tables a report by the Auditor General in the House of Commons, it is automatically referred to the Public Accounts Committee. The Committee selects the chapters of the report it wants to study and calls the Auditor General and senior public servants from the audited organizations to appear before it to respond to the Office of the Auditor General’s findings.
• reviews the federal government’s consolidated financial statements – the Public Accounts of Canada – and examines financial and/or accounting shortcomings raised by the Auditor General.
  • At the conclusion of a study, the Committee may present a report to the House of Commons that includes recommendations to the government for improvements in administrative and financial practices and controls of federal departments and agencies.

No recent appearances

Upcoming Appearances

Thursday, March 30th, 2023: Report 7, Cybersecurity of Personal Information in the Cloud, of the 2022 Reports 5 to 8 of the Auditor General of Canada

• Rajiv Gupta, Associate Head of the Canadian Centre for Cyber Security
• Catherine Luelo, Chief Information Officer of Canada, Treasury Board Secretariat
• Paul Thompson, Deputy Minister, Department of Public Works and Government Services
• Catherine Poulin, Assistant Deputy Minister, Departmental Oversight Branch, Department of Public Works and Government Services
• Sony Perron, President, Shared Services Canada
• Costas Theophilos, Director General, Cloud Product Management and Services, Office of the Auditor General
• Andrew Hayes, Deputy Auditor General, Office of the Auditor General
• Jean Goulet, Principal, Office of the Auditor General
• Gabriel Lombardi, Principal, Office of the Auditor General

Key studies

• Report 7, Cybersecurity of Personal Information in the Cloud, of the 2022 Reports 5 to 8 of the Auditor General of Canada
• Report 6, Arctic Waters Surveillance, of the 2022 Reports 5 to 8 of the Auditor General of Canada
• McKinsey & Company

Previous meetings (current session)

Monday, February 13, 2023: Report 6, Arctic Waters Surveillance and Committee Business. Witnesses included:

• Annette Gibbons, Deputy Minister, Department of Fisheries and Oceans
• Mario Pelletier, Commissioner, Canadian Coast Guard, Department of Fisheries and Oceans
• Paul Thompson, Deputy Minister, Department of Public Works and Government Services
• Simon Page, Assistant Deputy Minister, Defence and Marine Procurement, Department of Public Works and Government Services
• Andrew Hayes, Deputy Auditor General, Office of the Auditor General
• Nicholas Swales, Principal, Office of the Auditor General
• Chantal Thibaudeau, Director, Office of the Auditor General

Thursday, February 9, 2023: Report 4, Systemic Barriers—Correctional Service Canada, of the 2022 Reports 1 to 4 of the Auditor General of Canada. Witnesses included:

• Anne Kelly, Commissioner, Correctional Service of Canada
• Alain Tousignant, Senior Deputy Commissioner, Correctional Service of Canada
• Larry Motiuk, Assistant Commissioner, Policy, Correctional Service of Canada
• Karen Hogan, Auditor General, Office of the Auditor General
• Carol McCalla, Principal, Office of the Auditor General
• Steven Mariani, Director, Office of the Auditor General

Monday, February 6, 2023: Report 9, COVID-19 Vaccines, of the 2022 Reports 9 and 10 of the Auditor General of Canada. Witnesses included:

• Stephen Lucas, Deputy Minister, Department of Health
• Celia Lourenco, Acting Associate Assistant Deputy Minister , Health Products and Food Branch, Department of Health
• Supriya Sharma, Chief Medical Advisor and Senior Medical Advisor, Health Products and Food Branch, Department of Health
• Arianne Reza, Associate Deputy Minister, Department of Public Works and Government Services
• Michael Mills, Assistant Deputy Minister, Procurement Branch, Department of Public Works and Government Services
• Karen Hogan, Auditor General, Office of the Auditor General
• Susan Gomez, Principal, Office of the Auditor General
• Nadine Cormier, Director, Office of the Auditor General
• Luc Gagnon, Assistant Deputy Minister and Chief Digital Transformation Officer, Digital Transformation Branch, Public Health Agency of Canada
• Dr. Harpreet S. Kochhar, President, Public Health Agency of Canada
• Stephen Bent, Vice-President, COVID-19 Vaccine Rollout Task Force, Public Health Agency of Canada

Thursday, February 2, 2023: Report 10, Specific COVID-19 Benefits, of the 2022 Reports 9 and 10 of the Auditor General of Canada. Witnesses included:

• Bob Hamilton, Commissioner of Revenue, Canada Revenue Agency
• Marc Lemieux, Assistant Commissioner, Collections and Verification Branch, Canada Revenue Agency
• Gillian Pranke, Assistant Commissioner, Assessment, Benefit and Service Branch, Canada Revenue Agency
• Adrianna McGillivray, Director General, Compliance Programs Branch, Canada Revenue Agency
• Jean-François Tremblay, Deputy Minister, Department of Employment and Social Development
• Tammy Bélanger, Senior Assistant Deputy Minister, Benefits and Integrated Services Branch, Department of Employment and Social Development
• Catherine Demers, Associate Assistant Deputy Minister, Skills and Employment Branch, Department of Employment and Social Development
• Mary Crescenzi, Assistant Deputy Minister, Integrity Services Branch, Service Canada, Department of Employment and Social Development
• Cliff C. Groen, Business Lead, Benefits Delivery Modernization, Department of Employment and Social Development
• Nathalie Manseau, Acting Chief Financial Officer and Director General, Financial Management Advisory Services, Department of Employment and Social Development
• Karen Hogan, Auditor General, Office of the Auditor General
• Mélanie Cabana, Principal, Office of the Auditor General
• Lucie Després, Director, Office of the Auditor General

Monday, January 30, 2023: Committee Business, Report 2, Greening Government Strategy, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development, Report 2, Processing Disability Benefits for Veterans, of the 2022 Reports 1 to 4 of the Auditor General of Canada. Witnesses included:

• Consideration of draft reports

Thursday, January 26, 2023: Report 10, Specific COVID-19 Benefits, of the 2022 Reports 9 and 10 of the Auditor General of Canada

• Bob Hamilton, Commissioner of Revenue and Chief Executive Officer, Canada Revenue Agency
• Cathy Hawara, Assistant Commissioner, Compliance Programs Branch, Canada Revenue Agency
• Marc Lemieux, Assistant Commissioner, Collections and Verification Branch, Canada Revenue Agency
• Gillian Pranke, Assistant Commissioner, Assessment, Benefit and Service Branch, Canada Revenue Agency
• Karen Hogan, Auditor General, Office of the Auditor General
• Mélanie Cabana, Principal, Office of the Auditor General
• Josée Surprenant, Director, Office of the Auditor General

Tuesday, December 13, 2022: Report 1, Access to Benefits for Hard-to-Reach Populations, of the 2022 Reports 1 to 4 of the Auditor General of Canada

• Consideration of draft reports

Tuesday, December 6, 2022: Reports of the Auditor General of Canada - December 2022

• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Andrew Hayes, Deputy Auditor General, Office of the Auditor General

Friday, December 2, 2022: Report 3, Hydrogen’s Potential to Reduce Greenhouse Gas Emissions, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development

• John Hannaford, Deputy Minister, Department of Natural Resources
• Sébastien Labelle, Director General, Clean Fuels Branch, Department of Natural Resources
• Christine Hogan, Deputy Minister, Department of the Environment
• Douglas Nevison, Assistant Deputy Minister, Climate Change Branch, Department of the Environment
• Derek Hermanutz, Director General, Economic Analysis Directorate, Strategic Policy Branch, Department of the Environment
• Martin Dompierre, Assistant Auditor General, Office of the Auditor General
• Philippe Le Goff, Principal, Office of the Auditor General

Tuesday, November 29, 2022: Report 5, Chronic Homelessness, of the 2022 Reports 5 to 8 of the Auditor General of Canada

• Romy Bowers, President and Chief Executive Officer, Canada Mortgage and Housing Corporation
• Nadine Leblanc, Senior Vice-President, Policy, Canada Mortgage and Housing Corporation
• Jean-François Tremblay, Deputy Minister, Department of Employment and Social Development
• Nisa Tummon, Assistant Deputy Minister, Program Operations Branch, Department of Employment and Social Development
• Kelly Gillis, Deputy Minister, Office of Infrastructure of Canada
• Janet Goulding, Assistant Deputy Minister, Community Policy and Programs Branch, Office of Infrastructure of Canada
• Kris Johnson, Director General, Homelessness Policy Directorate, Office of Infrastructure of Canada
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Sean MacLennan, Director, Office of the Auditor General

Friday, November 25, 2022: Report 8, Emergency Management in First Nations Communities – Indigenous Services Canada, of the 2022 Reports 5 to 8 of the Auditor General of Canada

• Gina Wilson, Deputy Minister, Department of Indigenous Services
• Valerie Gideon, Associate Deputy Minister, Department of Indigenous Services
• Joanne Wilkinson, Senior Assistant Deputy Minister, Regional Operations Sector, Department of Indigenous Services
• Kenza El Bied, Director General, Sector Operations Branch, Regional Operations Sector, Department of Indigenous Services
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Glenn Wheeler, Principal, Office of the Auditor General
• Doreen Deveen, Director, Office of the Auditor General

Tuesday, November 22, 2022: Public Accounts of Canada 2022

• Michael J. Sabia, Deputy Minister, Department of Finance
• Evelyn Dancey, Assistant Deputy Minister, Fiscal Policy Branch, Department of Finance
• Nicholas Leswick, Associate Deputy Minister, Department of Finance
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Etienne Matte, Principal, Office of the Auditor General
• Chantale Perreault, Principal, Office of the Auditor General
• Roch Huppé, Comptroller General of Canada, Treasury Board Secretariat
• Monia Lahaie, Assistant Comptroller General, Financial Management Sector, Treasury Board Secretariat
• Diane Peressini, Executive Director, Government Accounting Policy and Reporting, Treasury Board Secretariat

Friday, November 18, 2022: Public Accounts of Canada 2022

• Evelyn Dancey, Assistant Deputy Minister, Economic Policy Branch, Department of Finance
• Nicholas Leswick, Associate Deputy Minister, Department of Finance
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Etienne Matte, Principal, Office of the Auditor General
• Chantale Perreault, Principal, Office of the Auditor General
• Roch Huppé, Comptroller General of Canada, Treasury Board Secretariat
• Monia Lahaie, Assistant Comptroller General, Financial Management Sector, Treasury Board Secretariat
• Diane Peressini, Executive Director, Government Accounting Policy and Reporting, Treasury Board Secretariat

Tuesday, November 15, 2022: 2022 Reports 5 to 8 of the Auditor General of Canada

• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Andrew Hayes, Deputy Auditor General, Office of the Auditor General
• Carol Bellringer, President and Chief Executive Officer, Canadian Audit and Accountability Foundation
• Lesley Burns, Vice-President, Oversight, Canadian Audit and Accountability Foundation
• Michèle Galipeau, Vice-Chair, Board of Directors and Auditor General for the city of Montreal, Canadian Audit and Accountability Foundation

Tuesday, November 1, 2022: Briefing on the Office of the Auditor General

• Nicholas Leswick, Associate Deputy Minister, Department of Finance
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Andrew Hayes, Deputy Auditor General, Office of the Auditor General
• Stephen Diotte, Executive Director, Employment Relations and Total Compensation, Strategic Compensation Management, Office of the Chief Human Resources Officer, Treasury Board Secretariat

Friday, October 28, 2022: Report 2, Greening Government Strategy, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development

• Bill Matthews, Deputy Minister, Department of National Defence
• Nancy Tremblay, Associate Assistant Deputy Minister, Material, Department of National Defence
• Saleem Sattar, Director General, Environment and Sustainable Management, Department of National Defence
• Michael Keenan, Deputy Minister, Department of Transport
• Ross Ezzeddin, Director General, Air, Marine and Environmental Programs, Department of Transport
• Jerry V. DeMarco, Commissioner of the Environment and Sustainable Development, Office of the Auditor General
• Milan Duvnjak, Principal, Office of the Auditor General
• Graham Flack, Secretary of the Treasury Board of Canada, Treasury Board Secretariat
• Malcolm Edwards, Senior Engineer, Centre for Greening Government, Treasury Board Secretariat

Tuesday, October 25, 2022: Report 1, Access to Benefits for Hard-to-Reach Populations, of the 2022 Reports 1 to 4 of the Auditor General of Canada

• Bob Hamilton, Commissioner of Revenue and Chief Executive Officer, Canada Revenue Agency
• Maxime Guénette, Assistant Commissioner, Service, Innovation and Integration Branch, Canada Revenue Agency
• Gillian Pranke, Assistant Commissioner, Assessment, Benefit and Service Branch, Canada Revenue Agency
• Lori MacDonald, Senior Associate Deputy Minister, Employment and Social Development and Chief Operating Officer for Service Canada, Department of Employment and Social Development
• Tammy Bélanger, Senior Assistant Deputy Minister, Benefits and Integrated Services Branch (BISB), Department of Employment and Social Development
• Atiq Rahman, Assistant Deputy Minister, Learning Branch, Department of Employment and Social Development
• Hugues Vaillancourt, Director General, Strategic and Service Policy Branch Department of Employment and Social Development
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Nicholas Swales, Principal, Office of the Auditor General
• Josée Bégin, Director General, Labour Market, Education and Socio-Economic Well-Being, Statistics Canada
• Andrew Heisz, Director, Centre for Income and Socioeconomic Well-being Statistics, Statistics Canada

Friday, October 21, 2022: Report 2, Processing Disability Benefits for Veterans, of the 2022 Reports 1 to 4 of the Auditor General of Canada

• Paul Ledwell, Deputy Minister, Department of Veterans Affairs
• Jonathan Adams, Acting Director General, Finance, Department of Veterans Affairs
• Trudie MacKinnon, Acting Director General, Centralized Operations Division, Department of Veterans Affairs
• Karen Hogan, Auditor General of Canada, Office of the Auditor General
• Nicholas Swales, Principal, Office of the Auditor General
• Nadine Huggins, Chief Human Resources Officer, Royal Canadian Mounted Police

Tuesday, October 18, 2022: Report 2, Greening Government Strategy, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development

• Bill Matthews, Deputy Minister, Department of National Defence
• Nancy Tremblay, Associate Assistant Deputy Minister, Material, Department of National Defence
• Saleem Sattar, Director General, Environment and Sustainable Management, Department of National Defence
• Michael Keenan, Deputy Minister, Department of Transport
• Ross Ezzeddin, Director General, Air, Marine and Environmental Programs, Department of Transport
• Jerry V. DeMarco, Commissioner of the Environment and Sustainable Development, Office of the Auditor General
• Milan Duvnjak, Principal, Office of the Auditor General
• Graham Flack, Secretary of the Treasury Board of Canada, Treasury Board Secretariat
• Jane Keenan, Acting Executive Director, Centre for Greening Government, Treasury Board Secretariat
• Malcolm Edwards, Senior Engineer, Centre for Greening Government, Treasury Board Secretariat

Friday, October 7, 2022: Report 1, Just Transition to a Low-Carbon Economy, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development and Committee Business

• Consideration of draft report
• Review of Government Responses to Committee Recommendations due before 1 September 2022

Tuesday, October 4, 2022: Report 1, Just Transition to a Low-Carbon Economy, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development and Committee Business

• Consideration of draft report

Committee members' CSE-related interests

Chair– John Williamson (CPC) - New Brunswick Southwest

CSE-related interests

• Served as a member on the Special Committee on Canada-China Relations and Standing Committee on National Defence.
• What about the Canadian success story of Nortel Networks? In 2004, over 70% of the world's Internet traffic ran on Canadian fibre optic technology produced by Nortel. It is believed that the Chinese military launched concentrated cyber-attacks for 10 years against Nortel's headquarters in Canada, stealing thousands of sensitive documents and other company secrets. Nortel simply could not compete against Huawei, and ultimately ended up in bankruptcy. To quote Global News, “it would be similar to a foreign army constructing a hidden tunnel into Canada’s treasury vault, and marching out unimpeded with gold bars.” Were Canadian pensions, life savings and technology stolen? Again, another question for this committee. (Opposition Motion—A Special Committee on the Canada-People's Republic of China Relationship, May 12, 2022)
• When it comes to cyber-threat or cyber-attack, I'm not clear on the remedy or the response to that. Putting aside prevention, where, obviously, you want to be focusing your efforts, once it's actually occurred, is it a question of rebooting the system? How do you recover from something like that? (Standing Committee on National Defence, 2014)

Vice-chair– Jean Yip (LPC) - Scarborough—Agincourt

CSE-related interests

• Served as a member on the Special Committee on Canada-China Relations
• My next question is for CSE. On March 24, CBC News reported Facebook's announcement that members of Canada's Uighur community were being targeted in a cyber-espionage campaign. Facebook has managed to trace it to two companies in China reportedly attempting to infect devices with malware to permit surveillance. Has there been an increase in cyber-attacks traceable to Chinese entities since the House voted to qualify China's action in Xinjiang as a genocide? (Special Committee on the Canada-People's Republic of China Relationship, April, 2021)
• What measures is the IRCC taking to ensure that the information systems it uses to process the immigration applications aren't vulnerable to compromise, including insider threats and cyber security in general? Is it robust? (November, 2020)

Vice-chair– Nathalie Sinclair-Desgagné (BQ) - Terrebonne

CSE-related interests

• “The Bloc Québécois is in favour of Bill C-288, because it will allow consumers to make more informed choices about Internet packages. Consumers need to be able to see the actual download speeds they will be getting, rather than the theoretical highest speed. Since speeds are lower at peak hours, it is important that consumers get accurate information about the service they will receive at those times. In short, the bill is a step in the right direction, but it clearly does not go far enough. As my leader likes to say, the Bloc Québécois is never against apple pie. However, I know that apple pie alone does not make a nutritious dinner. We need more.” On Bill C-288, An Act to amend the Telecommunications Act (transparent and accurate broadband services information)

Blake Desjarlais (NDP) - Edmonton Griesbach

CSE-related interests

• “One of them, of course, is the innovation challenge. We've heard from multiple ministry officials today about how the innovation challenge is present, so when we're contemplating or even imagining what 2025, 2030 or 2050 will look like, I'm concerned that we do not have a strong enough or robust enough system to give Canadians the credit they deserve in terms of stability for this plan. I just want to make that thought very present, especially as it relates to the Ministry of National Defence.” At Public Accounts Committee 2022 on Greening Government Strategy

Valerie Bradford (LPC) - Kitchener South—Hespeler

CSE-related interests

• “Canada has a range of military applications and faces pressure to be involved on multiple fronts, including in Europe, the Indo-Pacific and the north. Can Canada significantly contribute to security in all of these regions? How should it balance its efforts?” NDDN on November 24th, 2022
• “Many countries, including Canada, have recently announced strategies and significant investments in emerging technologies such as artificial intelligence, quantum and genomics. What can we do to ensure that we empower institutions leading in this research so that they compete in these emerging areas?” At Science and Research Committee on Feb. 8th, 2022

Maninder Sidhu (LPC) - Brampton-East

CSE-related interests

• Served as a member on the Special Committee on Canada-China Relations
• Mr. Speaker, the Minister of Foreign Affairs has acted and she has declined a visa to a foreign operative from a country like China. We will always be there, with eyes wide open, to defend our democracy, to protect our sovereignty. We continue to stand up for Canadian values (March, 2023).
• Mr. Speaker, we are following the unfolding events in China very closely. We remain in close contact with our embassy and consulate. We believe in freedom of expression at home and abroad, including in China, and that protesters should be able to peacefully protest and share their views without fearing for their safety. We will continue to follow the events very closely (November, 2022).

Garnett Genuis (CPC) - Sherwood Park—Fort Saskatchewan

CSE-related interests

• “The issue of foreign interference, which is part of the context of the cyber-threats we face, is also not a new issue. Again, we have been calling for action from the government, but we have not seen other action from it… We are behind when it comes to defending our security. We are behind what we should have known much earlier. We are behind our allies. We were the last of the Five Eyes and very late to step up on recognizing the risks associated with Huawei” Debates of Dec. 1st, 2022 On Bill C-288, An Act to amend the Telecommunications Act
• “We have a bill in front of us today that deals with one avenue where we need to be engaged with and responding to the problem of foreign state-backed interference, and that is the issue of cybersecurity. I will be supporting this legislation at this stage to see it go to committee, mainly because we clearly need a new cybersecurity bill. We clearly need a new framework. The committee study will identify some of the significant gaps we see in the legislation right now, the ways the legislation needs to be improved and possibly the many additional steps required.” Debates of Dec. 1st, 2022 On Bill C-288, An Act to amend the Telecommunications Act

Peter Fragiskatos (LPC) - London North Centre

CSE-related interests

• Member of the Special Committee on Canada-China Relations
• “I do want to ask you a general question about three specific things, which are espionage, foreign interference and cyber attacks. To what extent is Canada actively working in concert with other countries—middle powers in particular—to counter any impact of those on our democracy? What can you share with us on that?” Canada-China Relations Committee on May 31st, 2021
• On CSE’s cyber operations authorities/Bill C-59: “We heard from the British Columbia Civil Liberties Association a few days ago, who told us of a number of concerns. In a subsequent article that was written since their testimony there was concern expressed about Bill C-59 on cyber-operations that could be conducted by the Communications Security Establishment. Since you focused today a great deal on the technological aspects of terror and how that can jeopardize Canadian security, I want to ask you about that…Their view is that Bill C-59, by empowering the CSE to conduct cyber-operations against foreign actors, constitutes a danger. Specifically, it would normalize state-sponsored hacking. Can you speak again to the importance of cyber-operations from a security perspective? How critical is this? The nature of security is changing. Canadians deserve to be protected. We have to make sure that our approaches are keeping up with changes that are under way.” Public Safety Committee on Feb. 1st, 2018
• “I think it's quite important to demystify some of the ideas around what actually constitutes an offensive cyber capability. This is obviously a new means of ensuring national security and I think there are some myths built up around it.”
• “I wonder if you could speak to whether or not cyber-attacks take a different form, depending on whether they're launched by a state actor or by a terrorist organization. I think there could be a perception that terrorist organizations are not capable of carrying out very sophisticated sorts of attacks. That is changing. The fact is they can mount sophisticated attacks. It wasn't the case before, but now we're seeing that. Could you speak to that?” Public Safety Committee on March 22nd, 2018

Brenda Shanahan (LPC) - Châteauguay—Lacolle

CSE-related interests

• “In the commentary from the OAG, the OAG notes that five organizations were subject to a cyber-attack in 2021. Which organizations were targeted? What personal information was stolen? What measures had been put in place to prevent cyber-attacks?” Public Accounts Committee on May 3rd, 2022
• I am very pleased to see that we will be able to do further work in this area, particularly with regard to democratic and electoral institutions, because I think we are seeing that the technology, the ways of practice, the industry of data collection, and particularly personal data collection, is an industry in its own right.
• “I think that the motion before us is commendable in that we are talking about the protection of democratic and electoral institutions from something that is very new on the horizon. Well, it's new in that we heard about it in detail in 2016, but even prior to that with various national referendums that were occurring. I don't know if the jury is still out on what happened with the Brexit vote, but it certainly would be a case study in what that kind of cyber-interference could look like. I appreciate that Mr. Dong has included non-cyber-interference, because it's like there's new school and there's old school, but the bottom line is that there is interference.” Information & Ethics Committee on Nov. 16th, 2020

Michael Kram (CPC) - Regina—Wascana

CSE-related interests

• “I believe I also heard you say that Canada will have, for lack of a better word, “perfected” quantum computing technology in the next 10 to 20 years… Do you have a best guess as to how far away the Russians and North Koreans are from developing these technologies?” Industry Committee on March 29th, 2022
• “You also mentioned that once you came back to Canada, you had to work with CSIS and CSEC to increase security measures around our quantum computing research. Can you expand a bit as to whether those security measures are adequate, in your opinion?” Industry Committee on March 29th, 2022
• “Let's pick up on that. If you were the special adviser to the Minister of National Defence and your objective was to just make sure that the army, the navy and the air force could communicate securely, what recommendations would you make?” Industry Committee on April 5th, 2022

Kelly McCauley (CPC) - Edmonton West

CSE-related interests

• “ How much IT equipment and software is purchased for the whole of government through Shared Services?... What I'm getting at is just the security. How do we ensure that the equipment coming in is secure? I know it's in your departmental plan for collaborating with TBS, the Centre for Cyber Security and CSE to maximize security, but how are we ensuring the security for those 20% outside of purchasing through Shared Services?” Government Operations Committee on Nov. 25th, 2020
• “The CSE just came out with their cyber-threat assessment report—I think it was today—highlighting a lot of issues with state-owned actors, naming China and Russia for the first time. How could the information that would have been gained from this equipment been gathered from our embassies and the CSE not have a concern about this?” Government Operations Committee on Nov. 18th, 2020
• “This goes back to Huawei. We're the only one of the Five Eyes that has not banned Huawei from our 5G or the major role. How will this affect us? Do we risk being excluded from the sharing of vital information if we move ahead with something like Huawei?” Government Operations Committee on May 25th, 2020

CSE issue notes

OAG Report 7 - Cyber security of personal information in the cloud

Top cyber security points

Cyber security and recent cyber incidents

Foreign interference and the democractic process

Russian invasion of Ukraine and Russian cyber threats to Canada

Accountability, review and oversight of CSE

Potential questions and answers

Recent questions CSE has been asked at various committee appearances (2022-23)

Foreign interference (Elections)

1. How much influence do foreign actors have in an election is it a few votes or a few seats?
2. What limitations are there on disclosing information with voters?
3. Are voters informed/aware of the issues related to foreign interference?
4. What threats do you see in terms of the IT infrastructure for Elections Canada?
5. One glaring example of foreign interference, was in the case of Kenny Chiu, was he informed of foreign interference risks? And pursuant to the protocol, if a certain threshold is met, the public is to be informed but the public wasn’t informed. Why not?
6. What would you classify as a political party (in relation to classified briefings given to political parties)/ would volunteers on campaigns be included in these briefings?
7. Do foreign state actors, which pose a different threat than third party funding coming from other countries, can foreign actors move the needle, 20,000-30,000 votes during an election campaign?
8. Reports indicate that CSIS told your government this past fall that China’s consulate in Toronto had targeted 11 candidates in the 2019 election. CSIS also indicated in its briefing notes released to committee that this foreign interference is a serious threat to the security of Canada. It advised the government, in its briefing note that “Canada can make use of a policy that is grounded in transparency and sunlight,” in order to highlight the point that foreign interference should be exposed to the public... We have been asking about who the 11 candidates are, who were targeted in the 2019 election, we’ve been asking for specific briefings from intelligence before and during elections and all we get are briefings of general application. Our national campaign team, in the last election, asked for specific names of candidates that were targeted and we didn’t get that.
9. The problem of the SITE task force is that it does not tell political actors, parties or candidates if there is a threat going on during an election. Clearly SITE was monitoring interference that was targeting MP. Chu, highlighted in the documents that were released months later, but the candidate Chu had no idea that it was taking place. Again, there is a lack of transparency in informing political parties, candidates, MPs about the threats were facing.
10. Could you name some foreign actors attempting to degrade trust in our democratic institution and what are some of the things they have done to that effect?
11. Are those who are interfering spreading misinformation and disinformation about the electoral system or about political parties?

Foreign interference (General)

12. What are the differences between Russia and China in relation to foreign interference?
13. Do you ever intervene directly on the topic of foreign interference?

Social media

14. What is SITE’s relationship with social media platforms?
15. What role do social media companies have in being responsible actors during and leading up to elections?

Mis/Dis/Mal information

16. Many social companies have signed what is called a declaration on electoral integrity, which commits among other things, for them to address MDM and we know that algorithmic transparency is an issue. It’s been talked about quite often and the algorithms that they use predominantly originate from the US. What impacts do you think this has in terms of foreign influence on an election?
17. Would you say that the majority of MDM out there is propagated through social media?
18. How efforts to degrade our democratic institutions with disinformation happen and in which instances, what is it you do with this information? Do you do a risk analysis of it? Do you inform government departments? Do you take on activities to answer the misinformation with correct information?

China/Russia

19. The Communist Party of China passed the national intelligence law in 2017 which requires organizations and citizens anywhere in the world to assist with communist party’s state intelligence work. Would you agree with that?
20. Could you briefly describe what the other countries are doing? Is it similar to what China is doing, is it different, is there any nuance between the activities of these four countries?
21. How many reports of cyber incidents has your agency received since Russia invaded Ukraine?
    • Of these, what industries are you most commonly receiving these reports from?
    • What types of places are reporting these? Can you give me examples?
    • Is this higher than in the last 3 years? Or is this consistent with what you’ve seen?
22. In terms of cyber threat, how would you rate these State actors in their attack capabilities? China, Russia, North Korea, and Iran?
23. We know that a lot of the cyber threats we have coming are from Russia, and I wanted to know how they are able to deny that they are committing such acts. Who do they use in order to get to Canadians and influence Canadians to think a certain way?
24. Do you consider that our critical and defense infrastructure are at increased risk of cyber threat activity by Russia, or its allies, given our support for Ukraine, despite the absence of direct hostilities?
25. How much more sophisticated are the national states such as Russia and especially China with cyber knowledge?
26. Would you say that China is more sophisticated than our ability to stop them at the moment, or do you think we are on par, and we can rebuff these attacks?

Cyber attacks

27. To your knowledge, where do most of the cyber attacks or attempted attacks against Canada, originate from?
28. What are the most challenging state actors to Canadian national security on the cyber front?
29. What sectors of Canada’s economy are most vulnerable to cyber attacks?
30. A piece in the Globe and Mail about cybersecurity says the federal government is subjected to between three and 5 billion malicious actions daily, can you elaborate on that?
31. How many cyber threats would you say come from within Canada, or within North America, as opposed to China or Russia?
32. How come so many institutions are still vulnerable to cybersecurity attacks, and what is CSE doing to alert businesses?
33. Seeing how close we are to the United States, could Canada be the object of cyber-attacks that are actually targeting the Americans?
34. Have there been an increase in rogue actors who may or may not be acting on behalf of state actors?
35. Do you watch groups within Canada, source from where cyber threats might come?

Resource/capabilities

36. Are we equipped to deal with cyber-attacks? Are we missing the boat when it comes to these interference groups? How do we compare with other countries and what do they do?
37. In regard to the increase level of foreign state interference, and you talked about the tools that you have available to you, are there any new tools or any other authorities that either of you think you would need in order to continue to protect Canada’s democratic institutions?
38. What are the legislative policy and funding gaps that parliamentarians should pay particular attention to, to enable your collection of agencies to be able to meet this ever-changing threat environment? What should parliamentarians, maybe those on the Public Safety Committee and maybe this committee, be paying attention to so that you have the tools required to do your job and protect our democratic system?
39. What would CSE need to help it fulfill its mandate?
40. Given the increase in serious cyber threats and certainly in the context of the overall deficiencies and defence spending by this government, would you say that there is a shortfall in what we should be spending on cyber security, particularly given the context of what’s going on in the world right now?
41. How would you say we are performing in the broader question of cybersecurity?

Collaboration

42. Is there enough collaboration between CSE, CSIS, the CAF and other government departments?
43. As part of the Canadian Armed Forces Operation UNIFIER, CSE is sharing threat intelligence with Ukraine and helping Ukraine defend itself against cyber attacks. Are CSE and/or the CAF engaging in act of cyber operations as part of Operation UNIFIER?
44. How much of a collaboration happens between your offices and the provincial and territorial offices across the country?
45. Do we have our own collaborative firewall with the US and other NATO allies
46. Would you also inform our closest allies if a new threat would emerge, and would they do the same with us?

Rogers outage

47. What did that day mean for our national security network? And were government installations also affected?

Potential questions and answers

Cyber security

1. How does CSE contribute to a secure Government of Canada cloud infrastructure?

• As noted in our 2021-2022 Annual Report, CSE continues to act as a pathfinder for the Government of Canada in migrating to the cloud.
• We were the first department to securely implement several commercial cloud applications, securing them with our cloud-based sensors and sharing the lessons learned with other departments.
• Over the past year, CSE has continued to shift workloads, services, tools, and applications to the cloud.
• This shift allows CSE to deploy new cyber defence tools more quickly and allows our employees to work and collaborate more easily.
• The Cyber Centre uses autonomous sensors to detect malicious cyber activity on government networks, systems, and cloud infrastructure. We use three types of sensors:
  • network-based sensors, cloud-based sensors and host-based sensors
• These sensors securely gather system data and feed it back to the Cyber Centre for analysis. Some critical infrastructure partners, including provinces and territories, also send us technical data from system security logs. This helps us protect them and improves our analytics for the Government of Canada and other partners.

2. Is CSE spying on Canadians’ information contained in the Cloud?

• To be clear, CSE is not permitted to target Canadians or persons in Canada in our intelligence gathering.
• CSE strives to be as transparent as possible so that Canadians can be confident that we respect the law and protect their privacy.
• CSE and the Cyber Centre’s defensive tools are working continuously with strict privacy controls in place.
• We work with our federal partners to ensure the appropriate safeguards have been applied to ensure security and privacy of their information that are hosted in the cloud.

3. Why is the Cloud infrastructure important for the Government of Canada?

• Government of Canada organizations are increasingly leveraging cloud computing which has the potential to deliver agile, flexible, and cost-effective IT services.

4. What are GC Cloud Guardrails and how are they validated?

• The GC Cloud guardrails set the minimum requirements that organizations need to meet for security and privacy in their cloud environments. As of May 2021, the cloud guardrails were formalized as a policy requirement under the Directive on Service and Digital.
• Departments are expected to implement these guardrails within 30 days of receiving access to a cloud account. Shared Services Canada (SSC) validates that these controls are in place, and a process for establishing an automated approach for monitoring cloud environments is underway, to ensure security is effective and consistent.

5. How do we know that Canadians personal information is safe in the GC Cloud environment?

• The GC depends on vendors for many aspects of security and privacy. The Government of Canada Cloud Security Risk Management Approach and Procedures document outlines https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/cloud-security-risk-management-approach-procedures.html the key points for managing security risks when services are hosted on a cloud environment provided by a Cloud service provider (CSP).
• One of the ways the government manages this risk is by requiring, CSPs to clearly document the security controls and features implemented within their cloud services so government can ensure that the environment is secure.
• The Government’s security approach and procedures document also outlines the requirement for departments to conduct a privacy impact assessment (PIA), in accordance with the Directive on Privacy Impact Assessment, when they are planning to implement a cloud-based service that involves personal information which will help to ensure that privacy concerns and risks are appropriately mitigated.

6. The Auditor General indicated that there was a risk to personal information in the cloud. Was Canadians’ personal information compromised?

• It is important to note that the Auditor General’s report did not find that personal information of Canadians had been compromised or that security breaches to personal information had occurred.

7. How does the Government of Canada ensure cloud service providers meet Government of Canada security requirements?

• In order for a cloud service provider to work with the Government of Canada, they must first agree to meet the Governments security policy requirements through the contracting process. The contract contains terms and conditions which bind the vendor to its obligations to implement the said security policies.
• Once a cloud service provider has been awarded a contract, the Department conducts a security assessment and authorization process to ensure the appropriate security controls are in place. This process is signed off by the Chief Information Officer and/or Department Security Official.
• The GC develops and maintains cloud security controls as idenfitied in the Government of Canada Security Control Profile for Cloud-based GC Services. This information specifies the security controls that must be met by CSPs and departments and agencies to host GC programs and services in the cloud and summarizes the context in which these security controls are expected to be implemented. These security controls are based on internationally recognized security certifications.

8. What support has CSE provided in response to cyber threats to Canada’s elections or democratic institutions?

• The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.
• In the lead up to and during the 2021 Federal Election, the Communications Security Establishment, the Canadian Security Intelligence Service, Global Affairs Canada, and the Royal Canadian Mounted Police worked together closely as part of the Security and Intelligence Threats to Elections Task Force (SITE).
• In advance of the 2019 General Election, CSE and the Cyber Centre made the decision to offer cabinet ministers a 24/7 cyber hotline service, providing centralized support in the event they suspected their ministerial, parliamentary, or personal communications, e-mail or social media accounts were compromised.
• The hotline provided a 24/7 priority service in the case of a cyber incident and is still operational today.
• In addition to this service, CSE and its Cyber Centre provided a point of contact to all 16 federal registered political parties for further discussion on the cyber security challenges related to Canada’s democratic process.
• If any political parties and/or candidates encountered any suspicious cyber activity, we had also designated a quick response point of contact for them, which was coordinated through each political party’s headquarters.
• SITE Task Force partners continue to work within their respective mandates to detect and counter possible foreign threats to Canada and its democratic institutions.
• While Canada’s democratic institutions and processes are strong and resilient, CSE will continue to actively work to ensure their continued protection.

9. Do we need more resources?

• We know that the global cyber security threat landscape is rapidly evolving. Cyber incidents, including significant critical infrastructure incidents, are increasing in number and sophistication.
• With adequate resources, CSE and its security and intelligence partners can help reduce the threat, strengthen our cyber defences by raising the bar, and responding to and recovering from (fewer) incidents.
• In spring 2022, the government announced $852.7M over 5 years, and $218.3M ongoing starting in 2027-28, in its federal budget for CSE.
  As the threats we face continue to evolve it is critical that we have the resources needed to protect Canadians.

10. What lessons have been learned about state-sponsored cyber threat actors' cyber tactics, such as election interference, and how to counter them?

• State-sponsored threats actors, such as Russia, have sophisticated cyber capabilities and has demonstrated a willingness to use them.
• Some trends noted in CSE’s most recent Cyber Threats to Canada’s Democratic Process Report, include:
  • The vast majority of cyber threat activity affecting democratic processes can be attributed to state-sponsored cyber threat actors, namely Russia, China, and Iran;
  • Cyber threat actors most often target some combination of voters, political parties, and election infrastructure;
  • This kind of activity included online foreign influence activity as well as more traditional cyber threat activities, like information theft or denying access to important websites; and
  • The world response to COVID-19, such as incorporating new technology into the voting process, almost certainly increased the cyber threat surface of democratic processes.
• In the lead up to and during the 2021 Federal Election, the Communications Security Establishment, the Canadian Security Intelligence Service, Global Affairs Canada, and the Royal Canadian Mounted Police worked together closely as part of the Security and Intelligence Threats to Elections Task Force (SITE).
• The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.

11. Does CSE have any concerns about the spread of misinformation or disinformation by threat actors on social media apps, specifically with an aim to interfere in Canada’s election process?

• It is important to note how pervasive falsehoods on social media and in the domestic information ecosystem create opportunities that foreign cyber threat actors can exploit to covertly disseminate information.
• Some governments and political parties employ disinformation or manipulate the online information ecosystem to influence voters.
• Threat actors can also spread disinformation after an election to undermine trust in the results or attempt to stop the elected government from taking office.
• More recently, CSE shared information on social media as part of the Government of Canada’s efforts to help inform Canadians on how to help stop the spread and protect themselves from disinformation.
• CSE continues to provide the Government of Canada with the most comprehensive information available related to Canada’s intelligence priorities, directly furthering Canadian safety, security, and prosperity.
• It is important for Canadians to adopt good cyber security practices – which CSE shares on the cyber.gc.ca website.

The National Cyber Threat Assessment report

12. What is the National Cyber Threat Assessment report? What information does it include?

• The Cyber Centre produces a report every two years outlining the greatest threats Canada faces.
• The key judgements in this report are based on reporting from multiple sources, including classified and unclassified information. The judgements are based on the Cyber Centre’s knowledge and expertise in cyber security and informed by CSE’s foreign intelligence mandate, which provides us with valuable insights on cyber threat activity around the world.

13. What are the primary concerns and observations made in the report?

• In the Fall, Friday, October 28, CSE released its National Cyber Threat Assessment 2023-2024, which provides an overview of five key cyber threat trends that are the most dynamic and impactful and that will continue to drive cyber threat activity to 2024:
  • First, ransomware is a persistent threat to Canadian organizations;
  • Second, critical infrastructure is increasingly at risk from cyber threat activity;
  • Third, State-sponsored cyber threat activity is impacting Canadians;
  • Fourth, cyber threat actors are attempting to influence Canadians and degrade trust in online spaces; and
  • Finally, disruptive technologies bring new opportunities and new threats.

Foreign based social media applications

14. Is CSE aware of the recent privacy concerns with regards to social media applications?

• We are aware of the cyber security and privacy considerations with many social media platforms and apps, which is why we’ve presented general advice and guidance to Canadians. It is important for Canadians to take the time to assess the risks associated with using social media platforms and apps, especially foreign based ones.
• We strongly recommend Canadians think about the information they share on-line, how it is likely to be protected, managed and used/shared by others, which nation’s laws will apply to their information and activity on a specific platform.
• There is a substantial amount of open source information available to Canadians on various social media applications and platforms, detailing the benefits and the risks. Canadians should proceed cautiously regarding their online presence and conduct their own research before joining new social media platforms.
• However, CSE’s Cyber Centre is not a regulatory agency and as such, we do not endorse or ban social media applications.

15. Does CSE have an opinion on the recent accusation that TikTok is leaking user data to the Chinese Government?

• The Government takes the security and privacy of Canadians’ data seriously.
• The government, including the Canadian Centre for Cyber Security, continues to work in close collaboration with partners and leaders in the technology sector to ensure Canadians and our systems are protected.
• Canada remains a target for malicious cyber activity, including cyber-enabled espionage and foreign interference. Cyber actors conduct these malicious activities to advance their political, economic, military, security, and ideological interests, by manipulating users and exploiting security vulnerabilities.
• It is therefore important for Canadians to adopt good cyber security practices, including assessing possible risks of using social media platforms and apps. The Cyber Centre has published updated advice and guidance to help Canadians with how they connect online and use of personal social media in the workplace.
• The Government is closely monitoring developments in the U.S. regarding TikTok and will not hesitate to take action to protect Canadian interests.

16. Did the Government of Canada ban TikTok because it’s a security risk?

• As announced by the President of the Treasury Board effective February 28, TikTok has been removed from government-issued devices and the application will be blocked from downloading in the future.
• This follows the determination by the Chief Information Officer of the Government of Canada that the application poses an unacceptable level of risk to the privacy and security of Canadians.
• The decision to remove and block TikTok from government mobile devices is being taken as a precaution, particularly given concerns about the legal regime that governs the information collected from mobile devices and is in line with the approach of our international partners. On a mobile device, TikTok’s data collection methods provide considerable access to the contents of the phone.
• As the President indicated in her statement, while the risks of using this application are clear, we have no evidence at this point that government information has been compromised.

Foreign interference

17. Can you confirm there was foreign interference in the 2019 election?

• We are aware of the persistent threat of foreign interference.
• Throughout the federal election, the Security and Intelligence Threats to Elections (SITE) Task Force actively monitored the situation for signs of foreign interference.
• A Panel of non-partisan senior civil servants administered the Critical Election Incident Public Protocol, which includes a mandate during the caretaker period to inform the public if an incident or series of events occurred that threatened Canada’s ability to hold a free and fair election.
• The Government of Canada did not detect foreign interference that threatened Canada’s ability to have a free and fair election, and that warranted public communication, as determined by the Panel under the Critical Election Incident Public Protocol.
• In the lead up to Canada’s 2021 federal election, CSE had defensive cyber operations authorities in place to protect the electronic infrastructure used by Elections Canada.
• Had there been malicious cyber activity targeting the election process, CSE would have been ready to act on it right away.

18. Why didn’t CSE and the Canadian Centre for Cyber Security help political parties during the 2019 and 2021 election?

• The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference and disinformation, regardless of the source.
• CSE’s Cyber Centre works with the House of Commons (HoC) to protect HoC devices, systems and information, including those of MPs.
• In advance of the 2019 General Election, CSE and the Cyber Centre made the decision to offer cabinet ministers a 24/7 cyber hotline service, providing centralized support in the event they suspected their ministerial, parliamentary, or personal communications, e-mail or social media accounts were compromised.
• The hotline provided a 24/7 priority service in the case of a cyber incident and is still operational today.
• The Cyber Centre reached out to all registered federal political parties to determine their top-of-mind cyber security concerns. Based on that feedback, we offered guidance and threat briefings to meet those priorities.
• CSE will continue to actively work to ensure the protection of all Canadians, including MP’s.

19. Why were Canadians not informed of this Chinese foreign interference? Did it not meet the threshold?

• We had advised the critical election incident protocol panel of the information, and it is their decision in terms of whether or not information meets the threshold make a public statement.

20. What lessons have been learned about state-sponsored cyber threat actors' cyber tactics, such as election interference, and how to counter them?

• CSE has provided an unclassified assessment of cyber threats to Canada’s democratic process in 2017, 2019, and 2021. Within each assessment, foreign interference is included as a key threat to Canada’s elections.
• In the lead up to and during the 2021 Federal Election, CSE worked with partners at the Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), and the RCMP as the Security and Intelligence Threats to Elections Task Force (SITE).
• CSE’s role in SITE was to monitor for foreign threats and interference with electoral processes in Canada.
• If CSE were to become aware of a cyber threat, including those directed at a provincial electoral process, we would take appropriate action to address the threat.

21. CSE received funding in Budget 2022 for Protecting Democracy- how are you utilizing this funding?

• The Government of Canada is investing resources to acquire greater insights on strategic priorities related to hostile threat actors. Hostile threat actors affect global events contrary to Canada's interests, making them priority enduring intelligence targets for Canada.
• The critical foreign intelligence acquired by CSE, in accordance with GC priorities, enables the Government to promote Canada’s economic prosperity, protect Canada’s digital infrastructure from malicious cyber activity, and defend Canada’s national security from threats such as foreign espionage.

22. What can Canadians do to protect themselves online from threat of foreign interference?

• There are a few things Canadians can do to help protect themselves online:
  • Always practice good cyber hygiene.
  • Use unique passphrases or complex passwords and two-factor authentication, wherever possible.
  • Be suspicious of unsolicited or unusual emails, and do not click on any links that may be contained in them.
  • Use as many security options (settings) as you can for each social media platform.
  • Remove unused or outdated apps, and update those you do use regularly to ensure the latest security measures are in place.
  • Visit www.cyber.gc.ca for more information about best cyber security practices.
  • If you think you are witnessing questionable activity online, you can report any suspected violations to the social media platform’s security centre.

23. Are you aware of foreign cyber threat activities targeting Canadian democratic institutions or processes?

• In CSE’s most recent report on Cyber Threats to Canada’s Democratic Process, we have assessed that state-sponsored actors with ties to Russia, China, and Iran are responsible for the majority of cyber threat activity against democratic processes worldwide.
• For example, state-sponsored actors have promoted content and messaging related to QAnon for the purpose of reaching voters in the US.
• These reports are intended to raise awareness and draw further attention to known state-sponsored cyber threat activity, including the tactics, techniques and procedures used to target Canada’s democratic processes.

24. Are Chinese or Russian state-sponsored actors attempting to disrupt Canadian democratic institutions or processes?

• CSE has assessed that both China and Russia, along with Iran, are responsible for the majority of cyber threat activity against democratic processes worldwide.
• Since 2015, over 90 percent of the cyber threat activity against democratic processes we observed by Russia, China and Iran targeted states and regions of strategic significance to them.
• State-sponsored actors such as these, have taken advantage of domestic groups and movements in other countries and used the messages and reach of these domestic groups to better influence voters.
• Adopting cybersecurity best practices goes a long way to offsetting risks of exploitation by any cyber threat actor.

25. The National Cyber Threat Assessment points to state-sponsored activities of China and Russia, as well as a few other countries, specifically. What is CSE doing to protect Government of Canada networks from these threats?

• CSE is the primary centralized voice and resource for senior leadership in Government on cyber security operational matters, including incident management, situational awareness, and technical advice and guidance.
• CSE defends Government of Canada cyber systems and respond to significant cyber security threats and incidents to reduce and mitigate harm to the Federal Government.
• CSE is a central resource for Government of Canada departments in support of their roles within their sectors.

26. What can we as Members of Parliament (MPs) do to protect ourselves online?

• Create strong passwords and use two step verification
• Utilize Virtual Private Networks (VPNs)
• Social Media: Review the privacy settings in your apps. Look for security features the app includes such as encryption and two step.
• Secure data storage and backup: Data encryption. Backup your data and know how to recover it (e.g. ransomware).
• Apply updates: Apply updates to your devices, operating systems and applications as they come out. This includes mobile phones. Use security software and keep it updated.

Russian invasion of Ukraine and cyber threats

27. Has CSE seen an increase in cyber threats to Canada’s democratic institutions or processes since the Russian invasion of Ukraine?

• There have been high volumes of cyber activity in the lead up to and during the Russian war.
• Cyber threats are constant and ever-present in Canada.
• Canada is one of the most targeted countries in the world and Canadian organizations remain attractive targets for cybercriminals and state-sponsored cyber threat actors.
• Our security and intelligence agencies coordinated integrated government efforts by raising awareness, monitoring, and reporting on threats, and providing advice to protect our democracy.
• While Canada’s democratic institutions and processes are strong and resilient, CSE will continue to actively work to ensure their continued protection.

28. The invasion of Ukraine by Russia and the destabilizing Russian presence in cyberspace have highlighted the need to reinforce our cyber defence. Could you tell us a bit more about the work that the Communications Security Establishment has undertaken to protect Canada’s democratic institutions and processes?

• The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.
• In the lead up to and during the 2021 Federal Election, the Communications Security Establishment (CSE), the Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), and the Royal Canadian Mounted Police (RCMP) worked together closely as part of the Security and Intelligence Threats to Elections Task Force (SITE).
• CSE’s Cyber Centre also worked with Elections Canada to help secure election systems and infrastructure.
• Our security and intelligence agencies coordinated integrated government efforts by raising awareness, monitoring, and reporting on threats, and providing advice to protect our democracy.
• SITE Task Force partners will continue to work within their respective mandates to detect and counter possible foreign threats to Canada and its democratic institutions.
• While Canada’s democratic institutions and processes are strong and resilient, CSE will continue to actively work to ensure their continued protection.

29. What lessons have been learned about state-sponsored cyber threat actors' cyber tactics, such as election interference, and how to counter them?

• State-sponsored threats actors, such as Russia, have sophisticated cyber capabilities and has demonstrated a willingness to use them.
• Some trends noted in CSE’s most recent Cyber Threats to Canada’s Democratic Process Report, include:
• The vast majority of cyber threat activity affecting democratic processes can be attributed to state-sponsored cyber threat actors, namely Russia, China, and Iran;
• Cyber threat actors most often target some combination of voters, political parties, and election infrastructure;
• This kind of activity included online foreign influence activity as well as more traditional cyber threat activities, like information theft or denying access to important websites; and
• The world response to COVID-19, such as incorporating new technology into the voting process, almost certainly increased the cyber threat surface of democratic processes.
• In the lead up to and during the 2021 Federal Election, the Communications Security Establishment, the Canadian Security Intelligence Service, Global Affairs Canada, and the Royal Canadian Mounted Police worked together closely as part of the Security and Intelligence Threats to Elections Task Force (SITE).
• The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.

If pressed on high altitude balloon:

• This is outside my area of remit, so would have to refer you to comments made by my colleague at the House defence committee earlier this week
• CSE has a mandate to provide the Government of Canada with intelligence on foreign threats, including the activities of state and non-state actors.
• Canada’s intelligence agencies, including CSE, are in constant contact with our American partners, working to safeguard Canada from foreign threats, safeguard our borders and protect our collective interests.
• [Redacted].
• Canadian national security officials have been working with, and remain closely engaged with, our U.S. counterparts on this issue.
• While we understand the interest in this issue, we are unable to comment any further on CSE’s operational activities.
• CSE continues to monitor for foreign threats and is working in close coordination with our Canadian Armed Forces colleagues to ensure Canada and Canadians remain safe.

Media lines

CSE key messages

• As Canada’s national cyber security and foreign signals intelligence agency, CSE has unique technical and operational capabilities.
• The Communications Security Establishment Act (the CSE Act) sets out five aspects of our mandate: cyber security and information assurance; foreign intelligence; defensive cyber operations; active cyber operations; and technical and operation assistance. We use our technical expertise in all five aspects of our mandate. We do so to keep Canadians safe and secure.
• CSE’s foreign signals intelligence program provides Canada’s senior decision-makers with insights into the activities, motivations, capabilities, and intentions of foreign adversaries, and the international readiness and foreign reactions to a variety of diverse global events.
• CSE’s intelligence reporting also identifies hostile state activities, and the CSE Act authorizes us to assist the Department of National Defence and the Canadian Armed Forces.
• We support Canadian military operations and protect forces deployed abroad through advanced cyber techniques. For example, CSE could protect Canadian forces by disrupting an adversary’s ability to communicate or providing intelligence regarding an imminent threat.
• The CSE Act gives CSE the legal authority to conduct cyber operations to disrupt foreign-based threats to Canada. This includes active cyber operations to degrade, disrupt, respond to, or interfere with the capabilities, intentions or activities of foreign individuals, states, and organizations.
• If there are reasonable grounds to believe that a foreign state or actor constitutes a threat to the security of Canada and/or Canadian military forces, we are prepared to take appropriate action to address the threat.
• We continue to provide the Government of Canada with the most comprehensive information available related to Canada’s intelligence priorities, directly furthering Canadian safety, security, and prosperity.

CSE’s support to the Canadian Armed Forces and Operation UNIFIER

• As Canada’s national cyber security and foreign intelligence agency, CSE has unique technical and operational capabilities. The CSE Act includes authorities that allow us to provide technical and operational assistance to the Department of National Defence and the Canadian Armed Forces (CAF).
• CSE is authorized to assist the CAF in support of government-authorized military missions, such as Operation UNIFIER. This support includes intelligence sharing and cyber security.
• CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine. We also continue to work with the Canadian Armed Forces (CAF) in support of Ukraine, including intelligence sharing, cyber security, and cyber operations.
• The Communications Security Establishment (CSE), the Department of National Defence (DND), and Shared Services Canada (SSC), worked together with Telesat, a Canadian satellite communications company, to come to an agreement on providing satellite services to key Ukrainian government and non-government partners, including critical infrastructure.
• [Redacted]
• This increased support will help Ukraine strengthen its security and ability to defend itself against a range of threats. We continue to stand united with the people of Ukraine during this unlawful invasion by Russia.

CSE’s messaging on cyber security in response to Ukraine and geopolitical events

• The Government of Canada’s cyber defence team, including CSE, is constantly reviewing measures to ensure our systems and information networks remain secure. We have tools in place to monitor, detect, and investigate potential threats, and to take active measures to address them.
• While we can’t speak about specific events or tactics that we’ve monitored through our foreign intelligence mandate, we can confirm that CSE has been tracking cyber threat activity associated with the current crisis. CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine and continues to work with the Canadian Armed Forces (CAF) in support of Ukraine.
• As the situation has deteriorated, CSE’s Cyber Centre continues to monitor the cyber threat environment in Canada and globally, including cyber threat activity directed at critical infrastructure networks, operational and information technology (OT/IT). We recently issued a statement urging the Canadian cyber security community to adopt a heightened state of vigilance and bolster awareness and protection against malicious cyber threats.
• CSE is aware of an increase in Russian state-aligned hacktivist groups seeking to target Ukraine and its allies.
• We remind Canadian critical infrastructure operators and defenders to be aware of the risks and take mitigations against known Russian-backed cyber threat activity. Now is the time to take defensive action and be proactive in network monitoring and applying appropriate mitigations.
• In addition to public advisories, the Cyber Centre continues to share valuable cyber threat information with Canadian critical infrastructure partners via protected channels. This information includes indicators of compromise, threat mitigation advice, and confidential alerts regarding new forms of malware, and other tactics, techniques, and procedures being used to target victims.

Foreign based social media applications

• We are aware of the cyber security and privacy considerations with many social media platforms and apps, which is why we’ve presented general advice and guidance to Canadians. It is important for Canadians to take the time to assess the risks associated with using social media platforms and apps, especially foreign based ones.
• We strongly recommend Canadians think about the information they share on-line, how it is likely to be protected, managed and used/shared by others, which nation’s laws will apply to their information and activity on a specific platform.
• There is a substantial amount of open-source information available to Canadians on various social media applications and platforms, detailing the benefits and the risks. Canadians should proceed cautiously regarding their online presence and conduct their own research before joining new social media platforms.
• However, CSE’s Cyber Centre is not a regulatory agency and as such, we do not endorse or ban social media applications.

TikTok-specific

• The Government takes the security and privacy of Canadians’ data seriously. We continue to work in close collaboration with partners and leaders in the technology sector to ensure Canadians and our systems are protected.
• Canada remains a target for malicious cyber activity, including cyber-enabled espionage and foreign interference. Cyber actors conduct these malicious activities to advance their political, economic, military, security, and ideological interests, by manipulating users and exploiting security vulnerabilities.
• It is therefore important for Canadians to adopt good cyber security practices, including assessing possible risks of using social media platforms and apps. The Cyber Centre has published updated advice and guidance to help Canadians with how they connect online and use of personal social media in the workplace.
• The Government is closely monitoring developments in the U.S. regarding TikTok and will not hesitate to take action to protect Canadian interests. As announced by the President of the Treasury Board effective February 28, TikTok has been removed from government-issued devices and the application will be blocked from downloading in the future.
• This follows the determination by the Chief Information Officer of the Government of Canada that the application poses an unacceptable level of risk to the privacy and security of Canadians.
• The decision to remove and block TikTok from government mobile devices is being taken as a precaution, particularly given concerns about the legal regime that governs the information collected from mobile devices and is in line with the approach of our international partners. On a mobile device, TikTok’s data collection methods provide considerable access to the contents of the phone.
• As the President indicated in her statement, while the risks of using this application are clear, we have no evidence at this point that government information has been compromised.
• The Cyber Centre continues to work closely with Government of Canada partners to ensure our network and information systems remain secure.

Foreign elections interference

• Throughout the 2019 and 2021 federal elections, the Security and Intelligence Threats to Elections (SITE) Task Force actively monitored the electoral situation for signs of foreign interference. A Panel of non-partisan senior civil servants administered the Critical Election Incident Public Protocol (CEIPP), which includes a mandate during the caretaker period to inform the public if an incident or series of events occurred that threatened Canada’s ability to hold a free and fair election.
• During the 2019 and 2021 federal elections, the Government of Canada did not detect foreign interference that threatened Canada’s ability to have a free and fair election, and that warranted public communication, as determined by the Panel under the CEIPP.
• As part of SITE’s operational mandate, the Task Force did regularly meet with secret-cleared representatives from political parties, to build awareness of foreign threats to Canada’s electoral process and exchange any relevant foreign-interference information.
• CSE cannot speak to what types of classified information (or the details) that was shared with the political parties, the Privy Council Office, or the Panel for security reasons. This same restriction applies to those members of the political parties cleared to receive information/briefings from SITE.
• Canadians should be aware about covert and deceptive activities conducted by foreign states, including the People’s Republic of China and its ruling Chinese Communist Party, with the intent to influence the results of democratic elections at all levels of government in Canada. Although Canada’s electoral system is strong, foreign interference can erode trust and threaten the integrity of our democratic institutions, political system, fundamental rights and freedoms, and ultimately, our sovereignty.
• To raise awareness amongst Canadians about this serious threat to the security of our country, CSE published its Cyber Threats to Canada’s Democratic Process July 2021 update, which assessed that although Canada’s democratic process remains a lower-priority target for state-sponsored cyber actors, they judged it very likely that Canadian voters would encounter some form of foreign cyber interference in the 2021 federal election.
• From a CSE perspective, in coordination with the Canadian Centre for Cyber Security (Cyber Centre), we have offered to provide cyber security advice and guidance to all major political parties, in part through a brochure on Cyber Security for Campaign Teams.
• In addition, throughout the General Election period CSE and the Cyber Centre provided points of contact to all 16 federal registered political parties for further discussion on the cyber security challenges related to Canada’s democratic process. If any political parties and/or candidates encountered any suspicious cyber activity, we had also designated a quick response point of contact for them, which was coordinated through each political party’s headquarters.
• CSE is working in close coordination with several independent review bodies as part of the series of measures announced by the Prime Minister on March 6, 2023, to take further action on foreign interference and strengthen Canadians’ confidence in our democracy.
  • This includes supporting the reviews by the Independent Special Rapporteur, the National Security and Intelligence Committee of Parliamentarians (NSICOP), and the National Security and Intelligence Review Agency (NSIRA).

Cyber threats to Canadian critical infrastructure

• CSE and its Cyber Centre released an updated National Cyber Threat Assessment 2023-24 (NCTA 23-24) which outlines the new and evolving cyber threats faced by Canadian individuals, organizations, and critical infrastructure providers.
• In the NCTA 23-24 we highlight the growing threat of ransomware to critical infrastructure, state sponsored cyber threat activity impacting Canadians and disruptive technology that is bring new threats.
• CSE and the Cyber Centre are continuously monitoring the threats from state sponsored threat actors, especially China, Russia, North Korea and Iran. It is likely that over the next two years, these states will continue to target sectors of importance for their own domestic economic development.
• The Government of Canada, through CSE’s Canadian Centre for Cyber Security (Cyber Centre), has been in contact with critical infrastructure operators to ensure they are aware of cyber threats related to geopolitical tensions. CSE continues to monitor Russia-backed cyber actors and share threat-related information with Canadians and Canadian organizations in a timely basis.
• Cyber threat actors are aware of the impact targeting critical infrastructure can have, exploiting their sensitivity to service interruptions to extort them for ransom. Financially motivated cyber threat actors, predominantly cybercriminals, exploit critical infrastructure because downtime can be harmful to their industrial processes and the customers they serve.
• CSE and the Cyber Centre are dedicated to advancing cyber security and increasing the confidence of Canadians in the systems they rely on by offering support to critical infrastructure networks.
• As outlined in the NCTA 23-24 report, the three technological trends that we foresee disrupting their respective fields: digital assets and decentralized finance, machine learning and quantum computing.
• As noted in the July 2022 cyber threat bulletin, our intelligence indicates that Russian cyber threat actors are exploring options for potential cyber operations against Ukraine’s supporters, including Canada. This would include activities like cyberespionage, pre-positioning and potentially disruptive cyber operations against critical infrastructure targets.
• Notwithstanding current geopolitical events, the Cyber Centre shares valuable cyber threat information with Canada’s critical infrastructure partners via protected channels on a regular basis.
• This information includes indicators of compromise, threat mitigation advice, and confidential alerts regarding new forms of malware, and other tactics, techniques, and procedures being used to target victims.
• Canada has a strong and valuable relationship with its Five Eyes alliance partners, including our intelligence, cyber defence, and law enforcement counterparts in the United States. We regularly share information with our partners that has a significant impact on protecting our respective countries’ safety and security. While we can’t confirm or deny, or offer specific details on the intelligence shared, threat information to help defend against critical infrastructure threats is regularly shared and acted upon as appropriate.

Specific cyber threats (incidents) on Canadian critical infrastructure

• As we noted in the 2023-24 National Cyber Threat Assessment, we are concerned about the opportunities for critical infrastructure disruption, particularly with regard to the operational technology (OT) underpinning industrial processes to the Internet. Internet-connected OT increases the threat surface of the organizations that employ it and increases the opportunity for cyber threat activity to have effects in the physical world.
• Cyber threat actors are aware of the impact targeting critical infrastructure can have, exploiting their sensitivity to service interruptions to extort them for ransom. State-sponsored cyber threat actors target critical infrastructure to collect information through espionage, pre-position in case of future hostilities, and as a form of power projection and intimidation.

We remain deeply concerned about this threat and urge critical infrastructure owners and operators to get in touch with us to work together to protect their systems.

Reference documents

OAG Report 7—Cybersecurity of Personal Information in the Cloud

https://www.oag-bvg.gc.ca/internet/English/parl_oag_202211_07_e_44153.html

Summary of Auditor-General Report on Cybersecurity of Personal Information in the Cloud

Background:

The Treasury Board of Canada Secretariat released the Government of Canada Cloud Adoption Strategy in 2016 and updated it in 2018. The strategy directed departments to consider the cloud as the preferred option for delivering information technology services.

• “The cloud” refers to computer servers that people access over the Internet and the software applications and databases that run on them. The organizations that use them, including the Government of Canada, do not need to own, run, or maintain their own physical servers or software application

Because federal organizations have started moving software applications and databases to the cloud, some Canadians’ personal information is stored there. To secure this information and protect it from cyberattacks, the government has implemented a shared responsibility model that relies on several parties to work together, including the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, the Communications Security Establishment, and the individual departments themselves.

Focus: This audit focused on whether the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, Communications Security Establishment Canada, and selected federal departments had adequate, effective governance, guidance, and tools in place to prevent, detect, and respond to cybersecurity events that could compromise Canadians’ personal information in the cloud.

Key findings and recommendations:

The report found that the requirements the government had in place to reduce the security risks of storing information in the cloud were not always followed by the departments audited. In addition, these requirements and their corresponding roles and responsibilities were not always clear, resulting in inconsistent implementation and increased risks.

• For example, all cloud servers must reside in Canada. Ensuring this is the responsibility of each department. However, several departments believed this was CSE’s responsibility.

The report states that the government must take immediate action to strengthen how it prevents, detects, and responds to cyberattacks. It should do this now, while departments are still in the early stages of moving personal information to the cloud.

• This action includes strengthening key security controls to prevent, detect, and respond to security breaches. It also includes clarifying shared roles and responsibilities for cybersecurity—which are highly complex in a cloud environment—so that all departments know exactly what they should be doing.

The report highlights funding as a key issue, as the Treasury Board of Canada Secretariat has not provided a long-term funding approach for cloud adoption.

The report also found that the federal government did not include environmental criteria in its procurement of cloud services, even though it was required to reduce greenhouse gas emissions.