Good morning, everybody. I hope you have had a good week.
[Translation]
Welcome to meeting number 121 of the Standing Committee on Procedure and House Affairs.
[English]
Colleagues, we are continuing our study on the question of privilege related to cyber-attacks targeting members of Parliament.
I have just a friendly reminder, as always, as we begin. Please ensure that your audio devices are placed securely on the stickers to either side of you in order to protect the health and well-being of our interpreters, who do such important work for us.
Colleagues, we are joined by a number of our parliamentary colleagues today. The format remains the same.
With us today, we have James Bezan, the member of Parliament for Selkirk—Interlake—Eastman; Garnett Genuis, the member of Parliament for Sherwood Park—Fort Saskatchewan; and the Honourable John McKay, the member of Parliament for Scarborough—Guildwood.
Each witness will be given the opportunity to speak for up to five minutes, and then we will proceed to our regular opening round.
Gentlemen, I'm not sure who wants to begin. I'm not sure if you've had a conversation amongst yourselves, but do we have a volunteer in terms of who would like to go first? It's Mr. Genuis. Okay.
Mr. Genuis, with that, the floor is yours for up to five minutes for your opening remarks.
The material facts of this case have already been laid out in the House. I am happy to repeat them in response to questions, but I'll use my opening statement to instead make some specific arguments about what we can learn from this situation.
Generally speaking, we expect a high level of secrecy when it comes to national security. While, in a free democracy, people should generally have access to information about what the government is up to, information pertaining to national security is closely guarded because it could be used against us by adversaries.
On the other hand, it is a well-established principle of national security that information must be shared with citizens if they need that information to defend themselves. For example, if we were at war and a particular area faced imminent bombardment—
Thank you, Chair. I appreciate your indulgence.
On the other hand, it is a well-established principle of national security that information must be shared with citizens if they need that information to defend themselves. For example, if we were at war and a particular area faced imminent bombardment, we would expect the government to warn citizens of the attack so they could shelter themselves. We would not expect government to keep that information secret, obviously. If a terrorist planted a bomb in a building, we would expect the building to be immediately evacuated and not for the government to keep that information secret simply because it involved security.
What is obviously true of physical attacks should, based on an extension of the same principle, also apply in the more benign cases of cyber and other kinds of foreign attacks. The principle remains that the victim or potential victim has a natural right to know, so they can defend themselves.
Moreover, foreign interference is a particular case where exposure is a central part of the solution. The impact of foreign disinformation is significantly reduced when people become aware of the source. In this way, it is exposed as propaganda and loses its persuasive power. The impact of foreign takeovers of institutions can be undone simply through exposure, and politicians identified as foreign collaborators are less likely to be re-elected. When people are aware that the source of something is a hostile foreign state, that awareness may dissolve the impact of the threat.
The current government has used national security as an excuse for keeping secret information related to foreign interference that it would be in the national interest to expose, or where exposing that information would protect victims and reduce the overall impact. Three known examples of this phenomenon are the secrecy that long surrounded the Winnipeg lab documents affair, the failure to inform members of Parliament of threats against them or their families—which resulted in two separate questions of privilege recognized by the Speaker—and the current insistence of the government on keeping secret the names of parliamentarians who have intentionally collaborated with hostile foreign states. It is hard to see how the public interest is served by secrecy in any of these cases.
When it comes to foreign interference, we should be strategically declassifying certain information precisely as a tool to fight against interference. The government's defence of their failure to inform me of threats against me was that they told the House of Commons about these threats, and that they respect the role of the House of Commons as an institution separate from the executive.
In response to this, I will make five observations.
Firstly, as you know, I was targeted at my personal email. House of Commons IT were informed about attacks on parliamentary accounts. I suspect the administration here wasn't even informed of the attack on me, because that had nothing to do with their jobs.
Secondly, we have still not heard clear testimony regarding what information exactly was shared with House IT and when—whether it was merely a few technical details or the full robust picture that was shared with our intelligence services by the FBI. Without the full picture, it would have been hard for us to be briefed.
Thirdly, the government's argument seems to badly misunderstand the nature of the work expected of IT professionals. House of Commons IT are not an intelligence or communications service. They work on IT. It would seem strange, in principle, for those IT professionals to have decided of their own accord to walk around the building and talk to parliamentarians about the threats they face.
Fourthly, CSE acknowledged in their testimony that there were likely caveats associated with the information shared that prevented House of Commons employees from resharing the information without permission. I would suggest that the committee send for further and clearer information about what exactly was shared with House of Commons IT services—when and with what caveats.
Finally, the underlying logic of the government's argument for secrecy is deeply flawed, because the rights and privileges of members of Parliament are vested in them as members of Parliament. Those rights are what enable us to do our jobs for our constituents. Those rights can be given up or modified by the agreement of the House, but they are not held, controlled or modifiable by House administration. The way to respect the rights and independence of members of Parliament is to give them the tools and information they need. The government's argument here implies that the House administration is the holder of our rights, as opposed to members themselves. That is, of course, dead wrong.
Chair, that's my opening statement. I look forward to questions.
Good morning, colleagues.
I am also one of the 18 members of Parliament and senators who are members of the Inter-Parliamentary Alliance on China. APT31 targeted us way back in 2021 and 2022.
Now, what is shocking is that as parliamentarians we were never informed that we were the subject matter of a hack attempt or cyber-attack by the Communist regime in China. By letting us know, we could have then, as parliamentarians, taken protective and corrective actions, but we couldn't because we were never told. We were not informed of this by the House of Commons IT services. We were not informed of it by the RCMP. We were not briefed by CSIS, nor did CSE reach out to us, which ultimately found out through the FBI and informed the House of Commons IT services.
All of us did get briefed on May 9 by the FBI. That, I think, is embarrassing. That was the way we were finally told about how the attack occurred and how we could protect ourselves.
Now, I have to say that the Sergeant-at-Arms in the past has...and was offering a briefing to us this afternoon. It's unclassified, but it's on how we protect ourselves from cybersecurity attacks and what types of measures we take. CSE has briefed me in the past and also others who were targeted on social media by misinformation and disinformation from the PRC.
Also, of course, all of us who have travelled and have been given burner phones by the House of Commons, Global Affairs or the Department of National Defence in our parliamentary activities have received those briefings for travel. I may have a bit better understanding than others of the cybersecurity threats that are out there, but that doesn't make acceptable the actions that were taken by the House of Commons and those in charge, because this isn't an isolated incident. This is happening all the time, and we need to be better informed.
The PRC has been spying on me for a while. I have activities. I'm a patron of Hong Kong Watch. I'm a member of the parliamentary Canada-Taiwan Friendship Group, along with many of you. A number of us at this table travelled to Taiwan as recently as last year.
Iran is also named in the NSICOP report. I'm a co-founder of Canadian Parliamentarians for Human Rights and Democracy in Iran. As you know, I was very big on the charge to get the Quds Force listed as a terrorist organization in 2012. In government, I led the shutdown of the Iranian embassy and consulates here in Canada, and I've been recognized by the Persian community for my advocacy.
Of course, the Russian Federation has been targeting me on social media with trolls, not with bots, for a long time. I was one of the first group of 13 that was banned from Russia back in 2014. I'm vice-president of the Canada-Ukraine Parliamentary Friendship Group. I've been outspoken in my support of Ukraine and, of course, Russia is going to take actions against any of us who are advocates for Ukraine. I brought forward the Sergei Magnitsky Law.
Why does all that matter, all my activities that are beyond what many would say is my scope as a parliamentarian and my day-to-day activities? Modern espionage, intimidation and foreign interference tactics are violating our collective rights and our privileges, but also our privileges as individuals, and this is the new norm.
In Bosc and Gagnon, the Speaker's ruling as referenced on pages 107 and 108 says that we have to make sure that:
...Members should be able to go about their parliamentary business undisturbed. Assaulting, threatening, or insulting a Member during a proceeding of Parliament, or while the Member is circulating within the...Precinct, is a violation of the rights of Parliament.
It also says, on page 111:
A Member may also be obstructed or interfered with in the performance of his or her parliamentary functions by non-physical means.
We have to modernize our efforts to protect our privilege from cyber-attacks. It's no different from a physical obstruction or interference in performing our duties. That particularly is concerning to me. I'm the Conservative shadow minister for national defence. I'm vice-chair of the Standing Committee on National Defence, and John is the chair. We serve on these committees. We talk about information. I provide advice to our leader. We develop policy and platform ideas.
If I'm being targeted by those who try to hack into my emails and my communications, Mr. Chair—and I know I'm getting close on time—then we have to take corrective measures. The laissez-faire and “we don't care” culture coming from the PMO and PCO has infiltrated through the rest of our departments and the way we operate up here. We have to make sure that we are more aggressive in how we protect each and every one of us from these cyber-attacks. That means that we need to know when we have to reclassify how information is shared.
Thank you.
I'll just pick up where James left off, with the core issue that is in front of this committee, which is when members should be informed of these attacks. These attacks are simply a fact of life. They are massive, and they will increase.
I'm rather hoping this committee will grapple with how, when and where we are to be notified of these attacks, because, frankly, I'm given to understand that there are something like a million attacks a day on this organization, the Parliament of Canada. I don't think every member wants to be informed of every one.
In some respects, we're in a fortunate position in that the evidence at this point shows that we didn't actually suffer any damage. There was no breach and the firewalls held. Having said that, it is—and I adopt my friends' views—kind of embarrassing to learn from a foreign security service that we've had an attack. Frankly, I don't think that's quite acceptable.
The FBI tells the CSE, the CSE tells our security services, our security services are satisfied that the breach does not occur and we're in the dark. We're in the dark for two years, and we only find out about these attacks by virtue of the unsealing of an FBI document.
When we were briefed by the FBI, the FBI representative told us they felt outgunned—I think that's the word he used—50:1. These attacks are massive, and the FBI feels overwhelmed.
This committee needs, in my view, to start wrestling with our protocols. Clearly, the current protocols are not acceptable. For two years, the three of us, plus all of our other colleagues, were quite vulnerable.
I'm rather hoping this committee actually gets to the nub of it. I'm not interested in the blame game. I'm not interested in “we should have done this or done that.” Protocols need to be established, because everyone at this table, every one of our colleagues, is vulnerable. I'm rather hoping you take this example of vulnerability—which I don't think has entered into any kind of damage—and give instructions to those whom we ask to protect us.
We are all engaged—and, again, I adopt James's view—in multiple activities that create a vulnerability and are within our privileges as members of Parliament.
I support Garnett's motion, but I want this committee to focus on the protocols that would be appropriate.
Thank you.
Thank you very much, Mr. Chair.
Thank you, colleagues.
The committee received a chronology of events from the CSE. The chronology states that CSIS issued a briefing on the Beijing-directed APT31 cyber-attack to 35 Government of Canada clients as early as November 2021.
I asked the director of CSIS who received this briefing, and he has undertaken to provide this committee with a list. However, he did say that, as a general rule, “such a product would indeed be distributed to the Privy Council Office, and that would include the national security and intelligence adviser” to the Prime Minister.
What does it say to you—the fact that, as early as November 2021, 35 Government of Canada clients, likely including the 's own department, the PCO, were briefed about this cyber-attack, but you and every other member of Parliament who was a target were kept in the dark?
Whoever wishes to—
I'll just jump in on this.
You have information shared to government officials. The national security adviser, as we read in the NSICOP report, withheld information from people who should be informed. That information should have been shared with us, as individuals, as to the matter of the attack.
When you look at the culture that exists within the Government of Canada on how they classify information and how they share information, especially when it comes down to foreign intimidation—and APT31 is nothing more than foreign intimidation—we have to be taking on new protocols for how we deal with it. The national security adviser has to be a lot more aggressive in making sure that information percolates through the system and not just to the Prime Minister.
In this situation, where it's involving members of Parliament, that information should be distributed or individuals contacted directly, whether it's through caucus leaders or caucus chairs. We need to make sure we don't repeat these mistakes. I think that is paramount to our ability to do our jobs.
I agree with what my colleagues have said.
Thank you for an important question, Mr. Cooper.
I have just one point to add in terms of the dissemination of information.
In the previous hearings with previous witnesses, we have tried to get at what exact information was disseminated, in particular what information was disseminated to House of Commons administration. The government's communication on this has said that “the information”—implying all the information—was given to House of Commons administration.
I pursued this matter with Ms. Xavier, from CSE. I asked her if the House of Commons administration was informed that the source of the threat was APT31.
She chose her words very carefully. I didn't actually notice what she was doing until I read over the testimony afterwards. She said, in response to one of my questions, “As part of the various meetings and the reports we provided, we were able to share with the House of Commons IT security staff what we believed at the time to be the originating source of the threat.”
Then I followed up that she had shared with them that it was APT31 and at that point she refused to answer. She said we should go in camera and various other points.
She said she shared what they thought was the source of the threat, but she never actually said they shared that the source of the threat was APT31, so there are big questions. I think there's a little bit of sleight of hand being attempted by officials about what information was actually shared, especially with House of Commons administration.
While I completely agree with Mr. McKay that we need to look at solutions to ensure that what happened doesn't happen again, there does have to be some level of accountability. To that end, the government has essentially washed its hands clean insofar as they have tried to place the blame squarely on House of Commons administration.
Then, when we begin to probe House of Commons administration, it seems to have fallen all on House of Commons IT, yet 35 Government of Canada clients, including likely the 's department, the PCO, were briefed in November 2021. That's more than a year and a half before you were finally briefed, thanks to the FBI.
Again, the notion that it should be left to IT services, which was dealing with the technical matter of ensuring the integrity of IT systems in the House of Commons, to inform members of Parliament seems to be completely untenable. Wouldn't you agree?
Shouldn't there be some level of responsibility if, in fact, the PCO and the national security and intelligence adviser were informed in November 2021 and said nothing and did nothing for a year and a half, and would not have done anything but for the FBI?
Thank you for appearing today. It's interesting to see us in this different set-up, as opposed to in committee together.
I want to go back to what you said, Mr. McKay, in terms of the when, the if and the how.
It's difficult. As we all know, in the House of Commons, our emails are fairly semi-public at this stage. People crack the code all the time. There are millions of attacks daily upon the House of Commons. This particular APT31 attack was thwarted. Therefore, as it's been told to us, you were not informed.
How, in your opinion, should we go forward in terms of that when, if and how, when there are so many? How do you expect the House of Commons to move forward within such incredible complexity and that sheer number?
I'm expecting that AI is going to be used to amplify and expand the number of cyber-attacks we all face. I think the one side of this is what's happening collectively. We need to know when it's very targeted. APT31 was very targeted at the 18 of us.
That, I think, is where you need to start saying, okay, you guys need to start watching your personal accounts. You need to be watching what you're doing on your iPhones and in other apps and how your passwords are protected. You know, those types of pieces are what you start sharing with individuals.
If it's just a broad-based attack going after all the P9s, all A1s, all our individual staff or all staff collectively, I think then we just leave it up to IT and CSE to thwart that. When they're targeting us as individuals or going after those of us on the national defence committee, we should know.
No, I don't. I made, I think, five distinct points in my opening comments about why I don't. It was, in my case, a personal account. There are gaps in terms of what we know about what the House was even told. The government misunderstands the nature and expectations of IT professionals, the potential for caveats and the fact that members of Parliament are not creatures of the House. We have rights of our own.
Mr. Cooper, just to follow up on your previous comments, we can talk about systemic failure, systems not doing the things we would expect of them. Then we can talk about individual accountability, people not making the choice to ensure that the information got there.
I think it's important to talk about systems, but also we can't miss the accountability piece that you've pointed out, which is that people had this information and made a choice not to take the steps necessary to get that information to those who were being targeted. I don't think we should use a discussion of systems to detract from the fact that individuals in those systems made choices, and those choices led to members of Parliament being more vulnerable to foreign threats.
I want to thank my colleagues for appearing today.
Mr. Chair, I'm not a veteran of this committee. I think I've been on since the session started in October. For about two-thirds of the time we've been focused on motions of privilege related to foreign interference. There are some very common themes. There's the lack of coordination, the lack of communication and, of course, members of Parliament not being informed, which, I think we all agree, has been totally unacceptable.
The other observation I've made is that this has become a very partisan issue. I was struck by one of the things said by Mr. McKay, the longest-serving member of Parliament around this table, who has served with distinction for many years—I'm not buttering you up, don't worry—which was that we really have to get beyond partisanship on this particular issue. This is about our country. This is about the safety of members of Parliament.
Mr. McKay, you may have heard the NSICOP chair, who did a number of interviews yesterday, when he lighted on this very theme. This is about the security of our country, the security of our decision-makers. This is bigger than any MP and bigger than any party. His suggestion was that the leaders of the major parties in our Parliament have to get together in a room. They have to put their heads together. They have to down tools on the partisanship. As we've been talking about today, they have to come up with solutions and protocols, obviously taking advantage of the Hogue inquiry.
I just wonder what your reflections are. I'd be interested in my other colleagues' reflections as well.
Far be it from me to disagree with on anything. I think he makes a valid point. I would add to the point, though.
Don't just defer to the leadership. Apparently, we're all adults here. We need to take care of our own security. I would be pretty upset if the leadership didn't take it seriously, but I'd be even more upset if we didn't take it seriously. This is a serious committee.
Ms. Mathyssen asked a very difficult question. I thought that Mr. Bezan started to disaggregate the answer to that question a little bit better than Garnett or myself, and that is the hard work that needs to be done here because this is going to keep on happening.
I honestly don't know where the protocols need to be drawn. I dare say, you want to put them in pencil or something that disappears because they're going to change about a week after you actually land on them. We need to take responsibility, and 's point is absolutely right. We need to take that.
Mr. Chair, I'd just add to that. To Mr. Duguid's point, there's definitely some of this that can be talked about at the caucus level, whether it's through party leaders, House leaders or whips, on the collective action, but there's still the individual privilege here as well and how we balance that off. It ultimately comes down to how we share information and the classification of that information.
When it comes down to cyber-attacks, we're not talking about intelligence and how that intelligence is collected. We're actually talking about a kinetic cyber-attack that has been documented and is known. Some of it may have been shared through Five Eyes partners, but the other Five Eyes partners—or other NATO allies, for that matter—have often taken action a lot quicker than us.
For the APT31 attack, in particular, Sweden knew about it right away and shared it with those who were targeted almost immediately, and there's one other European country that shared that information very rapidly.
I think that is a key point. We don't have to rest on our laurels and look at what other countries are doing. We need to be aggressive now, and we need to make sure that what we're doing is proactive in making sure that each and every one of us is better prepared and protected.
No, I am automatically careful. Domestically, though, I think we get a little more relaxed. When we're at home, we think we're all right. I've had burner phones hacked when I've been in Ukraine. We take extra protocols when we travel to Europe.
Lindsay, John and I were in Estonia last summer. We all had burner phones. We left our other phones and iPads and everything at home. When we were coming up to the Russian border at Narva, I even went as far as shutting off my phone and putting it in my safety bag. I put it in airplane mode before I shut it off. When we went to the border, we were filmed the whole time we were there by Russian border guards. When I got back on the bus and we were a good 30 kilometres away from the border, I opened up the bag, and my phone was on. It was out of airplane mode, and it was hacked.
Those types of attacks happen. I think all of us have stories like that when we're travelling. I had it happen when I was parliamentary secretary of defence back in the day as well, on a good old BlackBerry, but this is different. This is happening right here at home, so we have to be even more careful.
Colleagues, we are going to resume our meeting.
We head into the second panel on the same topic.
We'd like to welcome the following members of Parliament, our colleagues who will be joining us for the second panel today. We have Mr. Kmiec of Calgary Shepard, Ms. Stephanie Kusie of Calgary Midnapore and the Honourable Judy Sgro, the member of Parliament for Humber River—Black Creek.
Colleagues, you will each have up to five minutes for an opening statement, and then we will head into a round of questioning no different from any other committee setting.
Witnesses, have you had an opportunity to discuss who may like to go first, or does someone just want to put their hand up?
I was trying to be a gentleman.
I've had the opportunity, now, to listen to the testimony given this morning in the first panel. I didn't hand speaking notes to the interpreters, so I'll speak slowly and will pause when I switch to French.
I'm going to repeat what I said in the House of Commons. I believe the Government of Canada had a moral and ethical responsibility to tell those 18 parliamentarians that we were targeted by a PRC special unit for a form of digital surveillance, including me. I'm one of them. I'm a member of IPAC. The Government of Canada failed in its moral and ethical responsibility to tell us.
I have six points I want to make based on testimony I heard. I want to refer to these.
The first part was during the CSE's testimony here about when they became aware. They said:
...from January to April 2021, more than a year earlier, the cyber centre had already shared reports with the House of Commons IT security officials, specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.
Based on this testimony, I have to assume it was APT31. I had no idea this was going on at the time. I also did not know what APT31 was until I was told on April 24—by my two co-chairs and the executive director of IPAC—that I had been one of the targets of this PRC campaign.
Since then, I have not had any type of contact directly from CSE or CSIS. I have heard, though, from the FBI. I had the same May 9 FBI briefing that other members received, detailing exactly what APT31 is.
Later, in testimony provided before the committee, the CSE's Caroline Xavier said, “I can confirm that when we became aware in 2021 of some anomalies”—it's interesting that she called them “anomalies”—“that we were seeing with regard to potential cyber-activities towards the House of Commons, we did, indeed, inform the House of Commons IT security team.”
She went on to detail this, saying:
...we did, indeed, share that list of parliamentarians with the House of Commons IT security team. We also shared it with CSIS.
When I became aware that I had been targeted, they responded to me with a citation on April 25. Here it is, as copied and pasted by the Sergeant-at-Arms: “For your records, we have been involved in investigation of this activity while it was ongoing, well before it was publicly disclosed.”
My staff followed up and asked the question, “Are you saying that the Sergeant-at-Arms office was aware and investigated this activity before, or are you referring to the House IT administration?”
The office of the Sergeant-at-Arms, or SAA, was not aware of this investigation. However, the HoC cybersecurity team, information service, IT administration, stated that they were involved in this investigation while it was ongoing.
I want to draw your attention to another piece of testimony in questioning by Mr. Genuis. In that, Ms. Caroline Xavier said, as part of those actions, “We provided 12 reports to the House of Commons.” This would have been since January 2021. Again, I am not aware of the contents of those reports. I don't have the benefit of the in camera sessions that members of this committee received, so I am at a disadvantage.
[Translation]
In response to a question asked by Marie‑Hélène Gaudreau, Ms. Xavier said:
Since 2019, we've offered parliamentarians the opportunity to get support from the Canadian Centre for Cyber Security, especially if they've had problems after a cybersecurity incident. That is also part of the services we offer, but it is important for parliamentarians to contact us if they want our help.
You can't contact the Canadian Centre for Cyber Security at the Communications Security Establishment if you don't know it exists. This is the first time I've realized that there is such a service for parliamentarians. I was elected in 2015, and this is the first time I have heard about this service, which has been in place since 2019.
In addition, it is impossible to ask the government for help from the Canadian Centre for Cyber Security if you do not know that you are being targeted by a foreign agency as a parliamentarian.
[English]
In cross-examination and following up on questions asked by Ms. Mathyssen, Mr. Genuis raised the point that the CSE made the following observation in different rounds of questions: that government institutions need to respect the parliamentarians of the House of Commons. However, it's hard to feel respected by CSIS, the CSE or the House of Commons IT cybersecurity administration when they don't bother to tell us we are the targets of foreign campaigns and they don't bother to tell us we're targeted by foreign agencies.
I do a significant amount of work with diaspora communities among Canadians. I have people often tell me that they cannot be seen in a picture of me that will be posted online, so they jump out of the picture.
In my office I also have a Ukrainian flag signed by many of our UCC interns in past years, so I am sure that Russian Federation officials don't like it.
Lastly, I have protest pictures from Hong Kong brought to me by Albertans who were there. Hong Kongers who come and visit me do not take pictures in front of that with me in it.
Thank you, Chair.
:
Good morning, colleagues.
On the morning of Thursday, April 25 of this year, I received an urgent message from my colleague indicating the necessity of a call as soon as possible. I was not alone on the thread, so the call was set for later that afternoon. The contents, once shared, were disturbing. Those present on the call had been the target of a cyber-attack by APT31, which is a hacker group set up by the PRC.
To receive this news is unsettling, to say the least. You immediately think of your most intimate transactions. It's impossible not to. Your thinking regresses backward quickly through all communications.
It's no secret that our electronic communications confer the most precious details of our lives: where we are, who we're with and what we're doing. One comes to Jesus quite quickly in these moments, which is rapidly followed by the crushing resentment of “how did this happen and why?”
I've never taken my stations for granted, as a member of Parliament or a former diplomat for Canada. I've recorded, in thorough detail with the authorities in the past, relationships where I questioned the motivation of those forming a bond with me. My triggers were always lavish gifts, suspicious backgrounds and a forced effort to create a closeness.
In 2021, after changing residences, I requested a sweep of my homes for bugs. I was informed by the authorities that these services were not available for those outside of the executive of government. I had a security assessment done in my home and the recommended security system installed, to the remark of a colleague who indicated that they could see who killed me after I was dead.
Do I desire the 24-hour protection of some of my colleagues? I'm very nervous about reaching that level of notoriety. Yes, I've been stopped in the vitamin aisle and in the deli section by those who recognize me, but this is, of course, another level.
The most disturbing aspect of this is having been informed by not even a second but third hand, so I'm very grateful to have run into Luke de Pulford at the inauguration of the Taiwanese president in Taiwan and to have thanked him personally for his intelligence and for sharing with us.
Despite our differences, I've also always had an affection for the United States, having done my master's degree there and having served as the Canadian consul to Dallas from 2010 to 2013. I'm not surprised that it was actually the Federal Bureau of Investigation that surmised this breach and informed IPAC, which then informed my colleague, who then informed me.
This does, however, not dismiss the pervasive and persistent disappointment I have in not being informed directly by the Canadian government. As a consul, I felt a keen guardianship for all Canadians in my host region. I wish the Canadian authorities reflected the same sentiment in informing me about my violators. I can only deduce that they did not.
My sense of disappointment is overwhelming. The fear that consumes you when you think about the possible effects on you and your family, you try to push it out of your head, like a tooth your dentist says needs to be pulled at a later date. As a legislator, you consider what needs to be done to protect you and those around you, as well as your colleagues. You take this path knowing that a part of your life is not your own, but this validates it in a manner far more vast than you would like to consider.
In closing, I believe in evil and not just in the biblical sense. I believe in malice in the hearts of men—those who wish to intentionally inflict harm upon others. One need only refer to Navalny or the 37 murders in the republic of Mexico in the most recent elections. I'm not talking about someone saying I'm hot or not online—I have thicker skin than that—but about the potential for real harm to me or to my loved ones.
This attack appears on the surface to have been minimal in impact, but it indicates a far greater concern that someone is watching. They want to know what I'm doing, who I'm meeting and where I will be.
Evil, when confronted, will always try to realign, but the tactics are always the same: divide, conquer, intimidate and extort. These micro-acts of aggression are the genesis of the foundation of intelligence-gathering. The reality is that what you don't know can hurt you.
Thank you very much.
:
I won't take five minutes.
Thank you very much for hosting this study. I'm grateful for your doing it because it's the first time I've talked to anybody about this issue. This is two months later, and that's unacceptable for sure.
Going back, yes, I was furious. I was livid when I got the call from IPAC. We had a joint conversation, as my colleagues have already indicated. The anger left, but then I was left with a huge disappointment, as my colleagues have said. This is not what I would have expected. More importantly, you know, it happened. The firewall held, and because of that, they felt there was no reason to tell us. Well, I want to know.
All of us on this panel do a lot of human rights work, and we take on some pretty hot topics in the House of Commons and outside the House of Commons. I think the intent of a lot of this is to intimidate all of us so that we will stop standing up on behalf of people who don't have a voice. I think that a big, important part of our job is not just to represent our local constituents but also to be a voice for those who are voiceless. It's because of members of Parliament that some of the progress we are seeing in different files is happening, whether it's the Tibet file, the Iran one or the Taiwan one, of course. It's because members of Parliament had the courage to stand up and be counted.
Yes, they did this and we didn't get notified, so let's move on. What did we learn from this? I think I always try to figure out what good comes out of a negative situation. My anger is gone, but my disappointment is still there. My hope is that we are going to use this as an opportunity to put down the when, how and where. My hope is that all of us become much more aware of the threat that we could be under and take more responsibility, ourselves, to make sure that we are protecting our systems. I'm told that turning them off once a week helps to eliminate any viruses or anyone trying to access them. That's a very simple thing. No one's ever told me that in the many years I've been here. However, we need to get serious. We need to, with your help, put a plan in place.
I mean, I didn't even know who to ask about any other damage that might have been.... I had no idea after all the years I've been here. I know the Sergeant-at-Arms is there, but I had no idea where to go, who to ask or how to better protect myself. I think those are things about which we are all or we have been, until now, extremely naive, but based on recent conversation with CSIS and others that I asked for.... There is AI that can clearly reproduce me at another meeting a half an hour from now that I'm not at, but it could look exactly like me with this AI business going on.
I think we are under much more threat now than we've ever been previously, and we need to figure out how to do that. How are we going to protect each other? What's the role and who puts what into place? It needs to be more public. I think our Liaison Committee should also report once a year at minimum, along with all the other reports, on how many cybersecurity issues there have been and that kind of issue. We need to become more knowledgeable, and you have the role of coming up with those suggestions.
I think there needs to be much more emphasis put on parliamentarians being respected, as my colleague mentioned. Thinking that we're dispensable and that, therefore, they won't bother to tell us that there has been something on social media attacking us—that if we don't know ourselves, they're not going to tell us.... Well, their job is to make sure that we are protected. When we talk about trying to get more people to run for public office, if they're going to run for public office, we have the responsibility, at least, to make sure that they have all the tools necessary to be protected so that they and we can do the jobs that we all want to be doing here.
Thank you very much.
Thank you to our witnesses for being here.
I'll build on what you've said in your intros and the first hour with our other colleagues who were here. Maybe I'll just lay the groundwork here a little bit.
In the aftermath of your becoming aware—and its becoming public knowledge—of the threat and what happened or, frankly, what didn't happen in terms of your being notified, have any of you three on this panel had any conversations or exchanges since this came to light with the PCO, the 's Office, the or the department about exactly what happened? Did they ask for your feedback or suggestions on how this situation can be avoided in the future?
I'll ask you to answer if you have been in contact with any of those aforementioned groups or departments.
Where I want to go with this is that there's a protocol problem, clearly, but I think the bigger issue here is a culture problem. There are protocols in place right now that officials thought would inform parliamentarians, and that hasn't happened. There's a bigger issue here of a culture that comes from the PCO, the PMO and different agencies that just frankly, I felt, were careless in assuming somebody else would look after it, so there was no proper follow-up.
I want to ask each of you for your comments on the culture that's out there of not doing that follow-up and not making sure that people who are actually being threatened are being informed in a timely manner, provided the proper resources and so forth. Then maybe in your response you can talk about what needs to change and who is responsible.
On the disappointment Ms. Sgro mentioned—which you still have—who's that disappointment with in terms of where the responsibility lies?
:
Chair, my response to that would be to repeat something Judy said.
I believe that the government sees us as disposable, because we're members of Parliament. We come and go, which is the way our system is supposed to work. Especially for us backbenchers, I think there is this culture in the agencies and government in general that because we're temporary, we're temps—to use a term that I sometimes read in my ATIPs from civil servants. They know we'll leave and think that we're infinitely disposable. I think the government had a moral and ethical responsibility to tell us, to go straight to the top as soon as they knew.
Just tell us—that's the answer. I can take care of myself. I can then go and ask CSE for the cybersecurity centre's help. I can then go and ask the Sergeant-at-Arms for help. I know what I can do, but if I'm not told, I can't do anything if I don't know.
:
Where I'll go with that, the culture of secrecy and I think disrespect of parliamentarians, is that since other questions of privilege and other issues started to come to light, multiple directives were issued to actually improve the process and say that parliamentarians must be informed. Even after those directives were issued, parliamentarians still weren't informed.
My point about the culture is that the protocol, that directive, was given to improve the process, and it was literally ignored with every excuse in the book as to why.
I'll just talk about the culture, Ms. Sgro. It's new and maybe we've been naive, but to me, it's the culture of taking any protocol or directive seriously and improving that. We've seen examples of that said, but not followed through on.
I'd appreciate hearing from anyone who has comments on that.
:
Obviously, the protocol is not working. The fact that you had to proactively reach out yourself is an issue.
When CSIS and CSE were here, I think there was a fundamental misunderstanding about what MPs actually do. I'm not an intelligence officer. I would not know what they do, but there really is a disconnect, I think. They don't realize, as Ms. Sgro said, that the work we do puts us more at risk in terms of interest from others, whether they be state actors or non-state actors. We never want MPs to change what they're doing. We want them to continue to do what they're doing, because it is important work, whether it be here in Canada or abroad or standing up for human rights.
What would you recommend that this committee put forward in terms of making sure that intelligence agencies and those who are asked to protect us, whether physically or in the virtual world, understand what we do and how we do it? What would you recommend that we recommend to them?
That's for any of the witnesses.
:
Chair, I'll go ahead and give that a shot.
The first thing is that these agencies need to have a positive requirement on them to inform parliamentarians. What I don't want to see is what I've now experienced, where the Sergeant-at-Arms office says that HoC cybersecurity knew but the Sergeant-at-Arms office didn't know. Then they come here and everybody says someone else was told to tell someone. It's unclear to me. Again, you have the in camera discussions that were had. I note that CSE kept saying that they could answer some of those questions in camera.
I need to know. I need to know whether I'm a target. It will change the way I do my work, because it's already had an impact on my work. When I have people reach out to me who want to meet with me, if you Google my name, this is one of the things that will come up, so some people, some dissidents and journalists in exile, will self-censor. They will not reach out to us. If I email him, if I contact him on his social media, that might be tapped. That might already be compromised by a foreign agency.
There is public information showing that these foreign agencies have an interest in me for the work that we all do here. Because of that, it's already had an impact on the work I can do.
Thank you, Chair.
:
Mr. Chair, I can honestly see that this is a very relevant meeting today. I don't sense much of the usual partisanship. We're really talking about the problem.
I would like to go back over what happened. I heard what you said about the need to take charge of this and get ahead of it.
I asked this question. One day, there will be another government. Is it normal that trust is no longer there? When we met with the representatives of the Communications Security Establishment, I raised my hand and said that, since I'm not currently their client and they do business with the government, I want to be their client.
I would like to hear your comments on that. What do you think about getting this out? It's part of our lives, being an MP, it's 24 hours a day, seven days a week. What do you think about that?
:
I was going to say that, in my case, it was on my public account that I use. I have the three emails with me today. I printed them off, because they're still in my account. I can open those emails at any time.
However, in the cybersecurity system, no one told me whether or not I could open emails. So I opened them and printed them off, all three of them. They're still in my account. No one told me I couldn't do it. As far as I know, the digital surveillance technique for these attacks works with pixel spies. Since this is a new topic for me, I did a Google search to find out, with the help of my staff. It's all described perfectly.
In my case, it affected my public email account. My staff in my constituency office and my staff in my Hill office have access to these accounts to assist me in my work. Every single one of those computers could have been affected by these attacks because of a lack of training, which should have been given to me.
I have another question. Earlier, I was explaining my annoyance with the fact that I, someone with no qualifications in espionage, found an article on the web on December 15, 2021, explaining the APT31 attack campaign. There are newspaper articles, including the one from May 12, describing what was requested during the visit from representatives of the Communications Security Establishment, who gave us nothing in the way of information. We've learned nothing.
That being said, and I'll close with this, there's an MP—it's in Le Monde—who said she intended to file a legal complaint, because she's experienced exactly what you have. On that, in your situation, where do you stand on this? Are you angry enough to get things moving?
Thank you to all three of you as well for joining us today and sharing this experience with us.
In the last round, I was talking about the fact that this institution and parliamentarians overall would get millions of hits. I'm a little concerned and I worry about how, when CSIS and CSE were here, they talked about the fact that—and I think House of Commons administration said—they regularly provide parliamentarians with general warnings and that they thought that was enough in terms of understanding what foreign interference or a cyber-attack would be. We also talked about personal responsibility and what that means to the individual MP. We just talked about the fact that we were briefed by CSIS this week at caucuses.
Ms. Sgro, you were talking about the need for those briefings. What do you want to see far beyond that in general? I know it would probably be overwhelming for members of Parliament if they were briefed on every single attack that was put forward, but what do you see those briefings looking like? Would they be quarterly, because that information changes so quickly?
Just give me an idea of what you're thinking on that.
:
I think we have to stop not talking about it, and we have to start learning more about it and how many threats there are. Again, it depends on the category of threat that is there as well.
More knowledge needs to be shared. Things are moving so quickly that, even if we had a briefing a year ago or six months ago, by the fall, things will have moved again very quickly. We have to make sure we are staying on top of it. We're all busy. I don't even look at the social media. I don't go on it. I don't care what they say. Let them do what they want, because I'm going to do what I need to do.
However, when the category of threat reaches a certain point, I rely on somebody getting in touch with me and saying, “You know, what you said last week has generated this particular threat.” Just let me know. I will handle it accordingly. I think it needs to be frequent. With the way things are moving so quickly, I don't think doing this once a year or once every three years at the beginning of a new Parliament is enough.
:
Thank you for the question.
My view is that these generic briefings or emails we receive that tell us not to open an obvious phishing scam by email, and there's that “phishing” button.... I have never used that button in 20 years of using Outlook, so I can't tell you what it does. I just know not to open the email. It's obvious to me.
I know my colleagues here. I know that Mrs. Kusie is very involved with Cuban exiles who are fighting for freedom in Cuba. I know that Ms. Sgro shares my interest in a free Iran and she leads one of the different parliamentary groups. When there are specific attacks on us by foreign governments or foreign groups, we should be told in the moment, instead of getting these generic quarterly briefs or as they happen when there's a phishing attack on Parliament Hill on our emails. That's not useful.
I will praise one group: the ParlVoyage people, who give us the burner phones and inform us on what to do and on the security-level threats. When I travelled to Iraq last year with a parliamentary delegation, they were excellent. They told us exactly what was reasonable, what was unreasonable and how to be digitally secure as you're travelling through different airports.
Outside of that, like I said, nobody from CSIS, CSE or any of the other alphabet soup agencies has come to talk to me, except for the FBI, to tell me and to explain to me what I could do to be safer and to provide actual, technical, usable things.
I want to differentiate because I think there have been attempts to conflate so many attacks with the incident that happened in this particular case. We're dealing with phishing here. This is a different thing altogether. This is not a denial-of-service attack. This is not a cyber-attack. A phishing attack is a personal attack, because the vulnerability is at the human level.
I'm fully convinced that our technical experts.... I actually did IT work in a previous life. I'm so outdated now that I wouldn't know some of the new things they're doing.
The difference here is that it involves a human being making an error. That's how they do it. We can actually thwart most of the cyber-stuff. We can thwart denial-of-service attacks. We can thwart all of these things that attack the technology. However, this is an attack whereby the vulnerability is one of us clicking on something that we ought not be clicking on.
The difference in this particular case is that it was serious enough.... It was not just somebody looking to try to scam us out of some money. It's not the Nigerian prince type of question. This was serious enough because it was from a hostile foreign state actor, or considered to be a potentially hostile foreign state actor, directly targeting a group of us—18 of our colleagues—with this attack.
The frustrating part for me is that our job and our primary responsibility.... We're not in the sausage grinding of government. We're actually very nimble people. We're much more nimble than Monday to Friday, nine to five. If we're going to be able to do our jobs, we need to know what's going on. If we're not informed....
I think it's absolutely embarrassing for a country that 18 parliamentarians basically found out because the FBI released this. It is different from a cyber-attack. It's different from all the other random stuff that our emails might get hit with. This is hostile activity meant to do something subversive or damaging to individual members of Parliament and, thereby, the entire institution and our democracy at the root level.
If we're not told about something this specific.... The FBI thought it was important enough. It seems to be able to sort out cyber-attacks, denial-of-service attacks, other infrastructure attacks and other random phishing or malware attacks. Why can't Canada do this?
How are we supposed to hold our government to account if we don't even know that something is happening?
I'm looking to you three to say something that would give this committee some direction about this. What do you think would have been, to the best of your knowledge, a more appropriate way for you to find out? What would have been a more appropriate timeline for you to find out in?
The only reason we're talking about this is because somebody else tipped us off.
:
Thank you for the question.
I'll add that the Government of Canada needs to treat our digital security like the House of Commons treats our physical security. I feel safe around the parliamentary precinct because I know there are enough PPS officers around, who are actively managing the security of the area.
On digital security, I'm sure they can shut down our emails and keep our files safe, whatever device that they're on, but when the CSE found out that this was APT31.... These aren't basement goons. These are men and women for whom there is a $10-million reward by the U.S. State Department for information leading to their arrests. This is an active foreign intelligence unit that was used.
As soon as that was found out, there should have been a positive responsibility on the part of CSIS, the CSE and all of the alphabet soup agencies. Don't send me an email. Call my office. Contact me directly. Tell me I'm a target. Tell me why I'm a target, if they know, because I would like to know.
On the phishing stuff, I entirely agree with you. People go through that in their private life and businesses, but being targeted by a foreign intelligence service is new.
Thank you for the information that we've had this morning.
NSICOP, of course, came down with a report. Evidently, as we've learned, some people are named in that report. It is based on intelligence that surfaced during a variety of work done by our agencies.
I want to pull it back to the issue of privilege. There's been a lot said about whether we should divulge the names of those people to the world. Should we perhaps think about ways of divulging the names of those people to those people? Is that a question of privilege?
I'm just asking for an opinion here. You don't have to be encyclopedic or well read on the whole issue, but what do you think?
We'll start with you, Mrs. Kusie.
There's some character running around Surrey right now who's identified as a proxy for India. He's telling everybody, including the reporter that I spoke to last weekend, that he and I are just like this. That's not the case. I wouldn't doubt that my name is in that report just based on that. I would deserve to know, even if it's just private, because I think it's a matter of privilege.
Mr. Kmiec, I have to compliment you on the work that you have done on the Canada-China committee. You've been in the thick of a lot of very interesting testimony and commentary.
We know that China is very persistent. They play the long game. APT31 is one thing, but I'm concerned about the cumulative effect of APT31 on top of what the United Front does on top of all of these other things.
Do you care to sort of gather all of that and comment on what we should be looking at here?
:
I'll try to keep it as brief as possible.
I agree in general. There are many different APTs out there, as I've discovered with my staff. When you do a search of it, there are multiple units. This is the thin wedge of the sword that the PRC wields. As you know, Chair, we expect a lot more of these types of activities in the future, entire campaigns that will be led against western democracies and against legislators. In many cases, legislators are seen as the weak point in the government because you typically don't have the help of the agencies.
I'll draw your attention to the statement made by Belgian legislators, who said that they equally were not told by their government that they had been targets of APT31. In their case, they said there was a direct attack on their democracy and on their Parliament for their government not having told them, and they expect other attacks by PRC entities and agencies.
I will say that, since 2012 when Xi Jinping took over, the United Front Work Department has basically become a state security apparatus that operates in all western democracies, and we should be paying serious attention to all of their subentities like these APT31-type groups.
:
We have to fix the system. That's a real, serious problem, if intelligence isn't evidence.
This goes back to my initial point of what I perceive to be a naïveté and the necessity to revamp the entire system. As I said, I believe it's a result of naïveté. I believe it's a result of indifference, inaction and incompetence.
It shouldn't be that way. We should be able to trust what's in the report. That's a huge problem. I really hope—whether it's this government or another government—that it can be addressed so that, when something is published, we can have confidence in it.
If not, what does that say about us as a nation, that we can't even have faith in the information within what is supposed to be the most sound and most sensitive report? I think that's a pretty sad statement. I hope one day to live in a state where we can trust a report such as that and the information within it.
Thank you.