Procedure and House Affairs Committee on June 6th, 2024

I will ask Rajiv to answer that question.

Thank you very much.

From our understanding.... You can see the chronology; the timeline is laid out.

We were reaching out for information. We don't know what happened on the other side in terms of how long it takes to get that information. As I said, it's a collaboration. We've worked well with the HOC in the past and have tons of respect for their folk.

I think that when we did get together to meet, information was shared. There was that sharing of information. You can see on the timeline when that occurred.

I would add that it's not abnormal in any cyber-incident that we deal with, especially with critical information or a private sector company, that the information is perceived as one way, because they are managing their issue. They're living it. It's not abnormal for them to take the time they need to eventually get back to us or possibly not tell us. This is how that sometimes happens.

One item I'd like to add is that this was a very sophisticated threat actor on HOC networks. We found the very early stages. The tracking links are the first stage. The next stage would be a dropper. The next stage would be actual exploitation software, which would have been very serious.

We would like to reinforce that the steps taken between HOC and ourselves prevented a compromise of HOC networks by this sophisticated threat actor.

When we're going to be doing work with an entity that is in Canada in particular, or any entity with whom data may be exchanged that we may need to collect to be able to do some analysis to identify the threat in a better way and better understand the origins, a memorandum of understanding or an instrument of some sort is often put in place to really clearly outline how and why the information will be shared.

This is linked back to the fact that our mandate works really hard to protect the privacy of Canadians and not infringe on those rights. In particular, especially as an organization may take on some of the services we offer—host-based sensors, network-based sensors and cloud-based sensors—depending on the services that an organization takes on, that is the other reason an MOU would be put in place. It's the exchange of information that is happening or possible support to a monitoring element, so that we can continue to educate, learn from it, and clearly outline how the data is being managed.

Thank you for the question.

I’m not sure which CBC article you’re referring to. However, I can tell you that, during an interview with Ms. Bureau, if memory serves, we talked about the resources and skills the Communications Security Establishment needs and is looking for.

In that interview, I said that the Canadian Centre for Cyber Security and the Communications Security Establishment were not the only ones looking for those skills. In fact, those skills are very sought after throughout Canada and the world, because everything is becoming digital.

I think it’s worth mentioning that there is immense interest in the Communications Security Establishment. That is why we feel very capable in distributing our resources, based on the budget allocated to us.

Thank you.

As I said, as an organization, we like to keep learning and do things better. During your study, you will develop some recommendations. From there, we may be able to do better. The Communications Security Establishment does not set policy. In fact, we are given actions to execute, and we do our best to do so.

Yes. As mentioned, a cyber-incident is usually a moment of crisis for an organization. As a result, our job is to be there as a support. Sometimes we're the ones contacting an organization to say to them that we are seeing something that is of concern. Sometimes they have identified the cyber-incident, and we call them and ask if there is anything we can do to help. Sometimes we do have that regular, ongoing, two-way communication.

However, sometimes a company might choose to have an external service provider provide them the support, so then we're just more in monitoring and wait and see....

It's not automatic that an organization will come to us or continue to want to engage with us. It's not because they're not wanting to. Sometimes, especially when dealing with cybercrime, we're dealing with ransomware. We don't encourage the payment of ransomware, and sometimes that's another reason a company might not want to deal with us, as a government entity. They're afraid that it could mean something.

Although we are not all law enforcement—we're not a regulator—we work hard to build trusting relationships, and I feel that we do that on a daily basis. However, I don't want to mislead anybody to think that means that we know all the elements of cyber-incidents that happen in the private sector, for example, or with critical infrastructure.

We actually do continue to follow up with the entities. We continue to call them or work with them, and I don't want to leave anybody with the impression that there aren't relationships that exist. On the contrary, we have very great relationships with critical infrastructure, especially the energy sector, the telcos and the banks, where we meet with them regularly to talk about threats and to learn from each other about the threats they're facing. There are great relationships and governance bodies that exist to be able to work through understanding.

Having said that, though, we will continue to support and offer our support, but we can't force them. This is where, as I said in my opening remarks, Bill C-26 is really important in the four critical infrastructure sectors that have been identified as part of that bill, because they're really important to Canadians in the critical infrastructure space.

Typically on our reports there is a caveat that will say that you can't share this further without the explicit authority of CSE. That would probably be the caveat. I'd have to look at the reports.

All of the information belongs to them. If it's their information, that belongs to them under whatever authority: the FAA, for example, for the rest of the departments.