NDDN Committee Report

The New Democratic Party supports the intent behind the Standing Committee on National Defence’s report on cybersecurity and the threat of cyberwarfare. Canadians are rightly concerned about the threat posed by advancing cybertechnology in the midst of escalating global tensions. Artificial Intelligence, misinformation, state-sponsored hackers, and advancements in cloud storage are creating unique threats to Canadians and our critical infrastructure. It is with these emerging threats in mind that the Standing Committee on National Defence began our study, with the aim to inform meaningful reforms that will protect Canadians.

New Democrats approach cybersecurity with the aim to protect Canadians first. We must modernize our cybersecurity laws to protect the private information of Canadians and the critical infrastructure upon which we rely. We need to ensure that Canadian’s Charter rights to privacy are protected from hostile actors and ensure our critical infrastructure are robustly defended from attacks.

Many of the recommendations we adopted should be actioned immediately, particularly the recommendations relevant to building a more adaptive and robust cybersecurity policy for the Federal government, critical infrastructure, and response to disinformation.

However, the committees report does not adequately reflect two major challenges to our cybersecurity policy: the growing role of monopolies on our critical infrastructure, and the lack of accountability for Canada’s intelligence agencies.

The Role of Monopolies in Canada’s Critical Infrastructure

Last July, more than 12 million Canadians lost access to internet and cellular networks. Interac was taken offline, multiple public transport agencies had outages, and multiple government websites were unavailable. Canadians became incredibly aware of the impact an attack on our critical infrastructure could pose.

But this threat was not posed by a foreign state actor – this was an internal breakdown of systems by the telecoms giant Rogers. If Canada is going to become serious about our cybersecurity vulnerabilities, we need to approach the growing monopolies of critical infrastructure through a national security lens. The committee would have benefited from challenging this vulnerability.

Further, throughout the committee we discussed the domain of social media for foreign disinformation extensively. We heard from Marcus Kolga from the Macdonald-Laurier Institute on the how cognitive warfare is “an extremely important tool in [the] tool kit” of our adversaries, and that this is often done through spreading disinformation through social media.

While we extensively discussed the use of social media as domain for cognitive warfare, the Committee’s report did not discuss the dangerous role of social media giants themselves. We heard from Dr. Wesley Wark from the Canadian Institute for Governance Innovation that “we clearly need better restrictions on efforts to use consent on the part of social media companies. I think there is a real role for the Government of Canada to play in that regard n terms of setting guidelines, as challenging as that might be, because the giant social media platforms will not like it”.

Social media, as a domain in which foreign disinformation occurs, is in the hands of a few billionaires that pursue surveillance capitalism. The drive to monetize Canadian’s data by these billionaires produces advanced algorithms that pose major national security threats, and the committee would have benefited from studying this issue further.

Finally, New Democrats do support the intent behind recommendations 3 and 12, which aim to bolster cybersecurity measures taken by contractors with the federal government. While our public servants work diligently to protect Canadian’s privacy everyday, too often the government outsources to private companies that do not follow the same standards. Deloitte, the major benefactor to government outsourcing, has had multiple historic breaches of consumer and citizen data.

New Democrats raised the example of an incident in 2017, when Deloitte suffered a major data breach that led to the leaking of passwords, IP addresses and identifiable data in relation to a contract with the U.S. Department of Defence, Department of Homeland Security, the State Department and the National Institute of Health. Companies like Deloitte must be held accountable when they do not follow cybersecurity best practices, and the security of Canadian data should be considered when outsourcing.

Canada’s Intelligence Community

Halfway through this study, the National Security and Intelligence Review Agency released a letter sent to the commissioner of the Canada Revenue Agency (CRA) to commence an investigation of the CRA’s Review and Analysis Division related to systemic islamophobia in the audits of Muslim charities.

This investigation was sparked by revelations from organizations like the International Civil Liberties Monitoring Group that 75% of the organizations whose charitable status were revoked following Review and Analysis Division audits were Muslim charities.

When Tim McSorley from the International Civil Liberties Monitoring Group was asked about this, he stated:

“The BC Civil Liberties Association found in their research that CSE was sharing intelligence with the CRA in order to bolster their efforts to counter terrorist financing. However, what we have found in our research is that the CRA, through its efforts to counter terrorist fundraising, has taken a prejudiced approach to Muslim charities in Canada. It has been operating from an idea that because there are terrorist threats from Muslim-linked organizations, the Muslim community must be placed under greater suspicion. That results in greater surveillance, greater information gathering and sharing and greater repercussions as compared to other communities in Canada”.

In light of this, the New Democratic Party is concerned with the recommendations put forward by the committee to greater integrate the collaboration of the Communications Security Establishment with other government agencies within meaningful oversight.

While we fully understand that a whole-of-government approach is needed to meet Canada’s cybersecurity needs, New Democrats remember Canada’s rejection of expanded intelligence agency powers under the Harper Government’s Bill C-51. We are disappointed by the Liberal government’s decision to continue or expand many of these powers under Bill C-59. As we have seen with intelligence sharing between intelligence agencies and the Canada Revenue Agency, systemic racism can manifest in the policing of marginalized communities.

As we heard from the Communication Securities Establishment’s Sami Khoury and Alia Tayyeb, the CSE has a dual mandate: Establishing and maintaining cybersecurity for the Federal government and industry partners, and signals intelligence. Their role in providing cybersecurity protections are vital to the functioning of our federal government, but we are concerned that the space between this defensive role is blurred with their signal intelligence mandate.

We heard from Tim McSorley that CSE is not “appropriately delineating between the two kinds of activities, despite each requiring a different approval process”. New Democrats firmly believe that before we expand the mandate of CSE further, we must enshrine clear barriers between signals intelligence and their cybersecurity operations.