:
Oh, come on, Luc. Give me that one, man.
Whether it was a good joke or not, we started the morning with a laugh, and that's what's important.
[Translation]
I'd like to welcome you all.
[English]
As you know, we have a couple of witnesses with us here this morning.
[Translation]
We welcome Stéphane Perrault, chief electoral officer.
Welcome, Mr. Perrault.
Also with us is Karine Morin, senior director, integrity, regulatory policy and Parliamentary affairs.
[English]
I noticed that we have Ms. Idlout with us this morning. Welcome. It's nice to see you. We sit together on the indigenous and northern affairs committee, but it's nice to see you in this context.
Ms. O'Connell, welcome to PROC, as well, this morning.
Colleagues, we will follow the usual format: six minutes in the first round, followed by five minutes, with a couple of two-and-a-half-minute slots.
Mr. Chief Electoral Officer, between you and Madame Morin, there will be 10 minutes for opening remarks. You don't need to use those 10 minutes, but they're yours should you feel you need them.
I'm sorry. I forgot to mention this: Before we begin, colleagues and witnesses who may not be in front of committee often, I have a reminder about the headsets. In order to avoid damaging audio feedback and other challenges that can pose a health issue for our interpreters—who work very hard on our behalf—please make sure that when they're not in use, they are placed on the sticker in front of you. Try to keep your phones away from the microphone when you are speaking. Of course, if it's in your ear, witnesses, that's fine.
With that, Monsieur Perrault, I will give you the floor.
:
Thank you, Mr. Chair, for the opportunity to speak with the committee this morning about Elections Canada's pilot project to include the Inuit language on federal election ballots in the electoral district of Nunavut.
I am accompanied by Karine Morin, who is responsible for the project at Elections Canada.
As it involves variations to several rules prescribed by the Canada Elections Act, this pilot requires approval under section 18.1 of the act, which provides for the Chief Electoral Officer to devise and test alternative voting processes with the prior approval of the committees of the House and Senate that normally consider electoral matters. I am therefore seeking approval from the committee today.
There are a few unique realities in Nunavut that support this pilot project. First, Inuktut is recognized as one of the official languages across the territory, which also constitutes one electoral district. Most of its population are Inuit, at 84% or a little more, and speak Inuktut as their mother tongue.
If approved by the committee, this project would help identify improvements to make the electoral process more inclusive and accessible to Inuktut speakers, while also identifying operational and legislative issues that would need to be addressed in order to implement this as a permanent service offering.
In addition, this pilot would complement Elections Canada's efforts to gradually offer more communication products in Inuktut in the electoral district of Nunavut. Committee members will recall that during the 2021 general election, new communication products included a ballot facsimile and a poster-sized version of the ballot that were provided in Inuktut at polling places.
When I appeared before this committee in March 2022 during its study of the inclusion of indigenous languages on federal election ballots, I provided different options for the committee's consideration for the inclusion of indigenous languages on federal ballots and explained some of the challenges for each.
In its report, the committee recommended that Elections Canada undertake a pilot project to include Inuktut on federal election ballots in the electoral district of Nunavut. Following your report, my office began developing a proposal for this pilot, informed by discussions with several Inuit representatives and organizations and aligned with the experience of Elections Nunavut. I would like to underline today that all those consulted have welcomed the initiative.
[English]
I would like to remind members that this is a pilot initiative that is unique to the electoral district of Nunavut. It is a new and exploratory initiative that forms part of Elections Canada's efforts to pursue gradual approaches to better reflect the linguistic reality of electors in Nunavut.
In brief, the pilot would allow candidates and political parties running in Nunavut to submit their names in Inuktut, whether in Inuktitut using syllabic symbols or in Inuinnaqtun using the Latin alphabet, as well as in English and in French, and to have those names appear on the regular ballot. This would also allow electors in Nunavut to write the name of a candidate in Inuktut on a special ballot when voting by mail or at the local Elections Canada office when using write-in ballots.
Candidates and political parties would be invited to provide their names in Inuktut. Elections Canada would not translate or transliterate candidate or party names and would not require identification documents to verify candidate names in Inuktut. This is the same approach currently used by Elections Nunavut.
As we plan for the implementation of this pilot, there are a number of challenges and limitations that we are aware of. One of those challenges is ensuring quality control of the regular ballot in Inuktut, within the very short time frame between the close of nominations and the printing and shipping of the ballots so that they arrive in time for advance voting in the different communities in Nunavut. We have retained the services of readers of Inuktut to assist us with this task.
Another challenge arises from the fact that we are not planning any IT system changes as part of the pilot. This means that while Inuktut names will be reflected on the ballots, it will not be possible to fully incorporate Inuktut into all electoral information products, such as election results on our website on election night.
To ensure the integrity of the counting process for special or write-in ballots, the pilot will also rely on hiring readers of Inuktut at the local Elections Canada office in Iqaluit and at the counting facility here in Ottawa. Election workers who read Inuktut would assist in recording the intentions of voters who used Inuktut when filling out special ballots. It's important to be aware that Inuktitut is not a fixed language and that different symbols can be used to express a similar sound, so the name may vary. We need people who read the language, to be able to make sure that they are not unduly rejected if they're written in a different manner. Political parties would also be invited to send observers who can read Inuktut to maintain the integrity of the counting process during the pilot.
With respect to next steps, I have also written to the Senate committee and hope to meet with them later this fall. If we receive approval for the pilot project from both committees, we will invite the political parties to submit their proposed party names in Inuktut as part of our first implementation phase.
I plan to write to both committees after the pilot to report on operational and legislative issues that would need to be considered should Parliament wish to make this a permanent service offering, as I think is certainly the objective.
[Translation]
Before I conclude, I will point out to members that I have provided a table of the variations to the Canada Elections Act. There are not many, but they are required to carry out the pilot project. If it's approved, I hope they will be included in the committee's report.
I appreciate the committee's invitation and interest in this project. I would be pleased to answer your questions.
:
Thank you very much, Mr. Chair.
It's always a great pleasure to have you here, Mr. Perrault. It is important to have a good grasp of the situation. I, for one, am constantly learning about these things.
To be honest, I have to say that I had a few questions, but my colleagues have already asked them all. However, I have taken note of the request that the decision be made quickly, given the circumstances. Our concern, at least mine, is that you have everything you need to carry out this initiative given what might happen anytime.
Are there any challenges that have not been raised and that could give us the opportunity to help you if that situation were to materialize soon, and should we support the project?
:
Qujannamiik, Iksivautaq.
Thank you, Stéphane and Karine. It's nice to see you both again. I caught one of your focus groups in Iqaluit, so it's nice to see some of the results of what you've been trying to do in helping to make sure Inuktitut-speaking and -reading people can be more engaged in the federal election process. I appreciate all of the efforts you've made.
I want to ask some questions that would help give some context to what my experience has been, so more parliamentarians can understand some of the challenges you're talking about—and opportunities, even. Having been a territory since 1999, Nunavut has been holding elections for some years now. Having been from NWT before Nunavut became a territory, with the NWT electoral system as well, I understand that providing ballots in more than four languages is also a possibility.
I wonder if you could explain to the committee whether you've consulted with NWT on what they're doing. They have 11 official languages.
:
I would answer in two ways.
I have the power, under the act, to make certain adaptations. For a stopgap measure, we always typically allow for the possibility of printing copies of the ballot locally, without the stub and counterfoil, irrespective of what we're talking about here today in terms of languages. That's simply because there's a risk—weather or other circumstances—that we cannot get the ballot into some fly-in communities in time. There's always a stopgap measure. In that case, with adaptation of the legislation, the vote can proceed with, essentially, copied ballots, which are hand-numbered. We haven't had to use it, but it's always very close.
For a more fulsome solution, the alternative is to remove the counterfoil requirement. This is something unique at the federal level, to my knowledge. Provinces and territories do not have that element in their ballot format. That's something that brings a broader series of considerations to the table.
:
Thank you for that. I find that very interesting, because October 27, 2025, happens to be the same day that the Liberal government's Bill proposes to push the date of the next federal election back to.
The fact that Bill would set the date of the next federal election to the very same day as the Nunavut territorial election demonstrates that the story the Liberals have told Canadians about the need to move back the fixed election date by one week, namely to avoid a conflict with a holiday and with the Alberta municipal election, is completely disingenuous. It is about as dishonest as it gets.
They have moved it back for one reason and one reason only, and that is so that soon-to-be-defeated Liberal MPs who would not qualify for their pensions if the election was held on the current fixed election date would suddenly qualify for their pensions. It is a pension bill disguised as an election bill, and if the Liberals were honest, they would name the bill what it is, and that is “the loser Liberal pension protection act.”
With that, I will cede the balance of my time to Mr. Calkins.
:
Thanks very much, Chair.
Thank you, Mr. Perrault and Ms. Morin, for being here today. It's great to see you.
I'm really happy to hear about the work we did on PROC. I'm looking at Lori Idlout for her advocacy in this area and for the incredible contributions she has made. Lori, it's really great to see you back here.
I'm glad to be back on PROC. I'm glad to see this pilot moving forward. I think we can all agree that it's a real step in the right direction. Thank you for your commitment and your work on this. I do have a few questions, but I wanted to show my solidarity for your hard work to make this happen.
I read your opening remarks. I think there might be some differences, perhaps, in what you said and what you wrote ahead of time. I note that at some point towards the end of your remarks, you said that you envisioned coming back to the committee, or coming back to Parliament, with “operational and legislative issues” that might need to be remedied in order to make this pilot “a permanent service offering”. I think this is the way you said it, which is great.
What do you anticipate those might be? It sounds like you already have an idea that there will be some challenges that need to be overcome, or some legislative changes that may be necessary, in order to do this more permanently. What do you anticipate some of those to be?
:
Thank you very much, Mr. Chair.
Once again, I found it very interesting how the relevance of the pilot project will be measured and the results it will produce.
I like pilot projects, in that they are tests that also allow us to have long discussions afterwards. Maybe that's why I don't have a lot of questions for you, but I do have one.
In Quebec, we put candidates' faces on ballots.
Is that also the case currently in Nunavut, or is the situation somewhat the same as in the rest of Canada?
Have you thought about that situation?
:
I think that's a great question, and I thank you for asking it.
Yes, I have. I have to say that it raises challenges.
The Canada Elections Act, as it currently stands, doesn't allow for faces to be added to ballots. However, I think that option should be explored in the longer term.
In that case, I would also try the pilot project formula, but that project would not necessarily result in amendments to the act. We would suggest adding faces to the signs at the polling stations to see how that works.
Operational considerations should also be taken into account, including the production of candidates' images within a fairly strict time frame. We also have to think about the quality of those images. Some candidates may have reservations.
So that would be something we would want to experiment with. It won't be for the next election, but I would certainly do a pilot first, again, using faces on signs rather than on the ballot. We could see if there are lessons to be learned and go from there.
:
Thank you so much.
Qujannamiik.
I'm going to build on my line of questioning with regard to electors who happen to not be home in their communities on election day, because a lot of the time they have been away for weeks or months at a time, especially if it's medical travel.
As well, Nunavut, being such a huge territory, has three urban hubs—or four, maybe. In the west, we have Yellowknife and Edmonton. For the central part, we have Winnipeg, and then for the eastern part, we have Ottawa. As Mona pointed out, we have an increasing population of Inuit as well.
I wonder if Elections Canada has considered maybe doing special one-day polls in these urban centres to make sure that, for example, the medical patients' votes are counted.
:
It is a significant challenge for us to do that. I think we're taking an important step forward with this pilot to see what challenges we face and whether we can expand further.
At this point in time, people who are voting by special ballot in Nunavut will have the ability to use.... If, for example, they're in a hospital in Nunavut, out of their home, they will be served with a special ballot that includes Inuktut on it. If they are detained in Nunavut, they will be served with that offering. However, if they are detained outside of Nunavut, for example, we will not have different kits for different prisons across the country. Those electors would not have access to the special ballot. There are limitations to what we are doing now. I think we have to recognize that.
All electors from Nunavut can apply by mail, especially those who are outside of the district. If they are outside of the district for a significant amount of time, we would like to communicate as much information as we can so they can plan their vote and obtain a special ballot in Inuktut to cast their vote, but that would require an application online. We will not be distributing those kits directly across the country or even in the three hubs that you mentioned.
I think I just have a little bit more time.
Just to keep broaching the idea of the opportunity that elections can have with having special polls outside of Nunavut.... I just lost my train of thought. Damn it, I had such a good idea.
Having special polls is such a good opportunity to really make sure that some of the barriers that are experienced in the different communities within one riding, with having to fly out from different communities and with the challenges of weather.... By the way, I am excited to have the same election day as the Nunavut election day. I think that's a great opportunity to make sure that there's increased voter turnout. I think electors would prefer to vote on the same day rather than one week apart. I do hope that with the approval of this pilot project, we do consider how elections.... I don't know the terminology they use about how people would be less likely to go to vote if they are one week apart.
I'm glad to hear that you would make special provisions so that people in hospitals, at least in Nunavut, are visited by election officials to make sure they can vote as well. Hopefully that also goes for elders who might not be mobile.
:
Mr. Chair, with your permission, I would seize the opportunity to talk about the challenge.
I understand the enthusiasm for having a single day of voting in terms of having people drawn on the same day. However, there's the availability of locations and, more importantly, poll workers. We cannot have poll workers administering two sets of rules with different identification requirements at the same time.
Recruiting poll workers for a federal election is a huge challenge. We spoke about the challenges of having enough who speak the language. Having to compete for recruitment with any provincial or territorial management body would have an extreme impact on the availability of services.
I would caution the committee. Hopefully, if it does come to study Bill , I can speak to it, but I do not recommend overlapping provincial and territorial elections with a federal election.
:
Thank you, Mr. Chair. It's no problem. I have a thick skin, so I've gotten over it quite quickly.
Mr. Perrault, thank you for being here today.
I want to build on exactly that topic of the overlapping election date as proposed in Bill . It would present some massive logistical challenges in terms of polling locations and the human resources side of things for poll workers in a federal election and a territorial election. You've alluded to that.
I also want to get your comments on this. When we talked about this pilot project and the supports, you mentioned in your comments and throughout this morning about Elections Nunavut helping with those language requirements and verifications. Are you confident, or less confident, that on election day—if the counts are on the same evening and the same night—you're going to have the human resources in Nunavut, and you mentioned in Ottawa as well, to be able to prepare the ballots?
Will you, under the special voting rules and special ballots, for example, be able to interpret those that need to be deciphered?
:
My last question is on the report that you will do back to our committee on this pilot, and our support to do so.
In reviewing all of this, when we look at the poll-by-poll results or how individuals voted, it shows them by poll, and then group one or group two of special voting rules. Just looking at the last election in Nunavut, in 2021, there were 614 votes under the special voting rules, with only 12 rejected ballots as part of that, but it was about 8.4% of the votes cast. Are you able to break down further, just for numbers' purposes, whenever somebody would complete a special ballot, what percentage of individuals chose to write their special ballot in Inuktitut?
Then, if there were challenges—you mentioned that the spelling and the symbols could be a bit different—would you be able, in this circumstance, to break that down further, just to understand the scope, and if there is a challenge with that, the volume or magnitude of that, or lack thereof, if that would be the case?
Colleagues, that concludes our discussion with Monsieur Perrault and Madame Morin.
I want to thank you both very much for being here.
Just briefly, for the benefit of both committee members and the public who may be watching, in terms of the next steps here, I have asked our analysts to draft a report on this subject. That will come to the committee for consideration. At that point, we will determine whether or not we want to send that report, as is or amended, back to the House. That will be our contribution to this part of the procedure. Then, as has been mentioned, our colleagues over at the Senate, in the legal committee, will also have to render their own judgment.
In terms of the next steps for this, we will await the report from our analysts, and we will have an internal discussion. Mr. Perrault, we hope to be able to get back to you in the not-too-distant future with our findings and our analysis on that.
In the meantime, colleagues, that was a great meeting and very interesting discussion.
Thank you, Ms. Idlout, for joining us and providing your contributions here as a guest member.
We're going to suspend briefly, colleagues.
[Translation]
When we come back, we will continue the meeting with a completely different matter. We'll see you in a few minutes.
[Translation]
We will now begin the second part of the meeting.
[English]
We are transitioning into a different conversation now, colleagues.
Welcome to Mr. Genuis.
Ms. Mathyssen, welcome back.
Colleagues, we are here to discuss the question of privilege related to cyber-attacks targeting members of Parliament. We had several meetings in relation to this discussion in the last session, and we have some meetings dedicated to continuing the discussion as we move forward in this session.
We have a number of witnesses with us today. We do have some technical audio difficulties with the witness who's appearing online, but I would like to get us moving, and I hope we will be able to troubleshoot that in the very near future.
Appearing today we have with us Michel Juneau-Katsuya, former chief of the Asia-Pacific desk at the Canadian Security Intelligence Service. From the Centre for International Governance Innovation, we have Aaron Shull, managing director and general counsel; as well as Wesley Wark, senior fellow. From the Inter-Parliamentary Alliance on China, joining us online is Luke de Pulford, who is the executive director.
Colleagues, we are going to get under way.
Witnesses, you will have five minutes each. Mr. Shull and Mr. Wark, I understand you may be splitting your time, but it will be five minutes in total for your testimony in the introductory component here.
With that, I'm going to go to Mr. Juneau-Katsuya to begin.
The floor is yours, sir.
Members of the committee, thank you for giving me another opportunity to share my observations and concerns about the future of our nation.
[English]
I was asked to comment on the question of privilege related to the cyber-attack targeting members of Parliament. In short, expect a sharp increase of cyber-attacks in the next years targeting not only members of Parliament but many elected officials of all government levels: federal, provincial and municipal.
Cyber-attacks have been and will remain the weapon of choice for many threat agents. This implies direct and substantive attacks against elected officials, institutions and our democratic systems. The intelligence community identifies basically five threat agents: state-sponsored attacks, radicalized citizens, organized crime/hackers, political activists and insider threats.
In terms of state-sponsored threats, in the last two years, very dark revelations have come to be known publicly about how the current and previous governments have neglected or avoided—sometimes intentionally—acting against foreign interference threats. Since the cat is now out of the bag, foreign agents will be forced, for a while, to work a little bit more covertly, so cyber-attacks will be chosen. Today, we hope the public's and elected officials' awareness has been raised, but it's not enough, sadly. When it comes to cybersecurity, Canada is last in investment compared to others in the G7 and the Five Eyes.
As the work of the committee demonstrates, you are still working on the issue, and many of you must feel like you are pounding your head against a wall. Unfortunately, petty political gains prevent Canadians from receiving the necessary protection. Not enough has been done on the legal side, like bringing modifications to the Criminal Code. A bad course of action has been selected, I must say, despite the fact that many experts advised going in different ways. From the public's perspective, this has only increased the bitterness and the loss of confidence in our institutions.
[Translation]
I repeat: We inevitably expect a sharp increase in cyber-attacks against elected officials in the coming years.
Offensive powers such as China, India, Russia, Iran, Israel, Pakistan, Saudi Arabia and many others will have to change and adapt their strategies. They will also have to reduce their presence on the ground, at least for a while, and be more subtle and sneaky.
[English]
Thus, when launching more cyber-attacks against officials, various forms will be deployed: continuous negative and supportive campaigns against people opposed to them or in favour of them, hacking various systems to gain sensitive information, and neutralizing communications and compromising data by targeting specific individuals.
The nature of the work of elected officials is to travel to meet their constituents and to sometimes work at home—everything needed to weaken our cybersecurity. Therefore, more discipline, more awareness, more verification, more ongoing education and more vigilance are needed.
You must have noticed that I've used the words “elected officials”. I stress that we need to work with the federal, provincial and municipal levels. Currently, cities like Toronto, Vancouver and Ottawa, and even smaller cities like Brossard, Markham and many others, are under the influence of agents of China, as we speak, at the highest level. This is not fiction; this is fact. Do you want names? I have names. National security without the participation of the provinces is just wishful thinking.
[Translation]
The House of Commons Sergeant-at-Arms reports that there have been 800% more cyber-attacks against elected officials since 2018. The Royal Canadian Mounted Police, or RCMP, has noted that since 2023, it has received 65 times more requests for protection and doesn't have enough staff to protect all members of the House of Commons. In Quebec, since the last municipal election, more than 10% of municipal elected officials, more than 800 people, have resigned because threats were made against them or their families. In the last provincial election in Quebec, they had to give candidates bulletproof vests and bodyguards.
[English]
I will stop at this point, and I will be glad to take questions to develop a bit further the points that I have presented.
Aaron and I can be a dog-and-pony show, but I'm not sure how much value I can give you in 2.5 minutes. I'll do my best, but we are really appearing here as individuals.
The story of the APT31 cyber-attack—CSE calls it a cyber-incident—is a complex one, and I hope it might be of some assistance to the committee to provide my perspective on it.
The Canadian public and the members of Parliament first became aware of a cyber-attack, or cyber-incident, by a PRC entity known as APT31 in March 2024 when the United States Department of Justice unsealed an indictment against seven APT operatives. The indictment revealed that the efforts of this PRC group spanned some 14 years and targeted U.S. and foreign critics, businesses and political officials. One of its many targets was the Inter-Parliamentary Alliance on China, IPAC, which experienced an attack in January 2021 that was technical in nature and that was designed to elicit details of a target's IP addresses, browser types and operating systems through spearphishing. Caught up in this reconnaissance attack were a number of Canadian parliamentarians. The attack was understood as being unsuccessful.
CSE and its cyber centre were at the forefront of efforts to identify this cyber-incident—in fact, CSE was first tipped off by a trusted foreign partner—and to work with the House of Commons administration. Collaboration between CSE and the House of Commons administration is regulated, as I think you know, by an MOU first signed in 2016. Testimony at PIFI on September 24 indicated that a new version of the MOU has recently been signed, stimulated by lessons learned from the APT31 case.
Documentation provided to PIFI, including a chronology of events, indicated that information sharing among CSE, the cyber centre and the House of Commons IT security team about the APT31 reconnaissance was neither seamless nor sufficient in 2021.
CSE's mandate and capabilities need to be understood. It has a sophisticated sensor intrusion warning capacity that it deploys on networks and in the cloud to protect federal institutions and other levels of government. Here, I must disagree with my colleague, Mr. Juneau-Katsuya, in terms of understanding Canada's cybersecurity capabilities. The sensor capacity that CSE has developed has won praise from Canada's Five Eyes partners as best in class. It was first deployed to protect Parliament, starting in 2018, and has since been expanded.
According to the most recent annual CSE report, the organization blocks on average 6.6 billion intrusions a day. When CSE becomes aware of a cyber-operation targeting Parliament, it passes technical information about that attack to the IT security staff of the parliamentary administration for further action. CSE does not engage directly with parliamentarians in terms of providing threat warnings, in contrast to the process set in place for CSIS according to a ministerial directive issued in May 2023. CSE is not a domestic security service. However, it does have an assistance mandate under the CSE Act, and it can provide supportive intelligence and technical means to CSIS.
A directive issued by the chief of CSE in September 2023, and provided in an institutional report to PIFI, emphasizes the significance of its assistance mandate, as well as the need to—and I'll quote from that directive—“Ensure the timely dissemination of its products to the appropriate consumers of intelligence", including the House of Commons administration. That important principle must be upheld and continually tested in practice.
Going forward, and I will end on this point, I believe it will be particularly important—
:
Thank you, Mr. Chair and members of the committee, and thank you to the staff of your committee for facilitating my participation.
As has been described, I'm the executive director of the Inter-Parliamentary Alliance on China, or IPAC. Around March 23, 2024, I learned that the U.K. government was preparing to make an announcement regarding a PRC state-sponsored cyber-attack against certain U.K. politicians. I was involved in some of the journalism leading up to it.
On the morning of the 25th of that month, the announcement was given from the dispatch box by then deputy prime minister Oliver Dowden, who did not mention the Inter-Parliamentary Alliance on China, IPAC.
Later that day, the United States Department of Justice unsealed an indictment that said the following: “the Conspirators registered and used ten Conspirator-created accounts on an identified mass email and mail merge system to send more than 1,000 emails to more than 400 unique accounts of individuals associated with IPAC.” According to the U.S. government, then, this was clearly an attack. It was targeting IPAC.
For this and other reasons, on April 4, 2024, 42 IPAC members from around the world wrote to Secretary Blinken, saying, “We were very concerned to learn that the APT31 pixel-reconnaissance effort had focused principally on the IPAC membership.... We were further alarmed that no IPAC legislators appear to have been warned by their own security or intelligence services.” The letter precipitated some correspondence with the U.S. State Department.
During this time, the FBI, through the State Department, kindly offered to take our distribution list and cross-reference it with their list of 400 emails associated with IPAC. They agreed to inform us of emails appearing on both lists.
On April 19, we got back a list of hits—121 hits, to be exact. On April 22, I sent a second list to see whether more emails were attacked than we had sent from our list, as 121 is nowhere near the 400 that were claimed to have been targeted by the FBI. Later, I got four more hits on May 3.
As a result, I was able to confirm via the FBI that members of IPAC from 18 Parliaments had been attacked: 120 parliamentarian members, 116 of these using parliamentary emails, and four using non-parliamentary emails. One of those four, by the way, was Canadian, and I believe he is in the committee today. In total, there were 18 Canadian politicians. That number included five staff around the world.
I sought then to brief every person targeted on what had happened, as I did not consider it ethical to refuse to disclose such information to those targeted. As a very gentle corrective to Mr. Wark, who has just spoken, Canadian MPs did not learn from the United States Department of Justice that they had been targeted. They learned principally from me and from IPAC.
I have very little time, so here are a few issues to highlight that may provoke discussion.
First, we have high confidence that the attackers had obtained IPAC's distribution list, which included personal email addresses of politicians, including one Canadian.
Two, we have confirmed that two targeted countries were informed in 2021, before the FBI had contacted governments in 2022.
Three, in 2022, the FBI communicated to host governments that this was intended to be part of a progressive attack.
Four, two IPAC members, a French senator and one other whom I can't name as an investigation is ongoing, were successfully compromised in or around March 2021, two months subsequent to being attacked by APT31.
Five, there will be many more email addresses targeted than those I've confirmed. All I have is the correspondence between my list and the FBI's list.
Six, the response of various parliamentary security services was highly variable around the world.
For the committee's consideration, my arguments would be as follows, and I'm very happy to discuss these.
First, we believe that failing to inform parliamentarians meant that they could not protect themselves or the sensitive information to which they had access from a progressive cyber-attack, including high-risk transnational repression cases, which many of our parliamentarians handle.
Second, telling parliamentarians that this attack was not successful or not serious is questionable at best and misleading at worst. There is a marked disparity between briefings given on this by the FBI and other government agencies, especially regarding the severity of these attacks.
Regarding other recommendations, hopefully I'll have time to cover those in questions.
Thank you very much, Chair.
:
Thank you. I think that's a very important question.
The reason we have high confidence that they obtained our distribution list is that the list of hits that came back from the FBI included exactly the same personal email addresses that we used to contact various MPs. Most of the other email addresses on that list were just parliamentary email addresses, which are public domain. But the very ones that we used to contact people on personal addresses, sometimes Gmail addresses or Proton Mail addresses—which, as you know, Mr. Genuis, included yours—were exactly the ones that the attackers had also used.
I do not know how they obtained that, but I do have one possible theory.
Unfortunately, somebody who used to volunteer for us, a man named Andy Li, was arrested in China under the national security law. He is in prison in Hong Kong, and he awaits sentencing for national security law crimes, some of which are associated with IPAC. We know that they breached his system, and they may have gotten our distribution list from him. Very disturbingly, when he was apprehended, he was taken to Shenzhen prison in China and reportedly tortured. This is something the UN rapporteur on torture has actually raised formally, so this isn't just idle speculation. Very unfortunately, in fact very tragically, we believe that that might have been the way they obtained our list.
I want to thank all of our witnesses for painting a stark and concerning picture of the cybersecurity threats that our nation and other nations face, and that threat is increasing.
One thing that concerned me most was that our private devices were being targeted. We do have protections for our parliamentary systems, our parliamentary emails and some of the resources we have access to as parliamentarians. I'm a politician and I'm a parliamentarian, and there's lots of interplay. Sometimes the area is grey between the political and the parliamentary, as you know.
I'm wondering how you learn about attacks on private devices and how we can better protect ourselves as parliamentarians. Is there a gold standard out there somewhere? Is there a nation we could emulate? Mr. Juneau-Katsuya mentioned that we may be in the latter half of the pile with respect to G7 countries. Is there a nation on earth with the best training and the best cybersecurity hygiene that we could emulate?
I'll open that up to any one of our speakers.
I'd just like to say that the fact that Mr. Genuis's personal email was compromised is horrible. It was because of his job as a parliamentarian, so I thought I'd offer some concrete advice to this committee that I hope will be helpful.
First, allocate a parliamentary budget for personal cybersecurity protection. I'll tell you how I protect myself. I'll bet you that I'm probably better positioned than everyone in this room, and I'm just some guy. I'm not in the public eye and I'm not being targeted the same way you are. I use an encrypted multi-hop VPN for my data. I use biometric and cryptographically locked password managers. Each of my passwords is over 20 characters long and reads like gobbledygook. If you tried to brute-force my passwords, you'd have to really, really want to. I use the most sophisticated malware protection on the commercial market. I use a hardware multi-factor authentication for my most sensitive accounts. If you wanted to hack me, it would require a state-level actor who really wanted to get in. Then, for my most sensitive stuff, you'd have to get the keys out of my pocket.
For all of that we're talking hundreds of dollars, not thousands of dollars. Let's allocate some budget for that. Let's make sure that members of Parliament can be part of their own defence. If they're going after your personal accounts, it's not because of your personality; it's because of your day job.
:
There are several models, but they're not all infallible. I repeat that, at present, there is certainly a lack of collaboration between parliamentarians and intelligence agencies.
For a very long time, the Canadian Security Intelligence Service, or CSIS, and the Communications Security Establishment, or CSE, weren't even allowed to inform anyone except the prime minister or the Minister of Public Safety. Bill looks set to change all that. It remains to be seen how this will play out in practice.
One thing is certain: prevention is needed. Equipment can't do everything, and it can't stop everything. We need to develop a new business culture. I'm not talking about spyware or James Bond, but a business culture. We need to acquire new reflexes, because we're still very vulnerable. If we create a breach, we're literally letting everyone into the house.
The TikTok app has been cited as an example. Why is TikTok problematic? If someone blindly signs the terms and conditions and gives access to his or her phone, contact list, camera and microphone, which can be activated remotely, it becomes nothing less than clandestine wiretapping equipment.
Let's say I'm a teenager going to CEGEP or school. I'm not necessarily the target of cyber-attacks, but my contact list may contain information about my uncle, who works for the Department of National Defence, my mother, who works for the government, or my sister, who works for a very important strategic company. So we've just given a foreign power, like China, access to all this information.
:
The consequences are that we are losing our strategic position on the international stage. We're losing the confidence of our allies, who are now looking at us and saying that Canada isn't serious. From this perspective, there's a whole section of our population that is poorly protected, that is vulnerable and that will be used.
According to experts, Canada has literally millions of zombie computers. These are computers that hackers have managed to get into, which are used to bounce from one computer to another. We lose track of them.
We're very ill-informed at the moment. In my statement, I said that Canada was lagging behind the G7 countries. We're not investing enough in the fight against cyber-attacks, and we're not doing enough to raise awareness among the population, particularly parliamentarians, who are the primary target.
As the effectiveness of foreign interference has been reduced on the ground, in the years to come, many more covert means will be used. Computer attacks are a case in point.
Thank you to the witnesses for appearing today.
I certainly want to say how seriously we absolutely need to take this. You've made this very clear. I know we all take it seriously.
What I took from past conversations with our own security personnel and people in charge of this is that they were saying they didn't inform at the same rate. Eventually, they did, but they didn't inform because this was something that was stopped. It didn't get through the net. The idea was that there are so many attacks that if they were to let us know about all of them, that's all they would do.
What are your comments on that, per se? Do we have to change that mentality? Do we just say, let us know about all of them?
Could you comment on that a bit?
:
What will be targeted are the people of strategic importance. Parliamentarians are definitely people of strategic importance. Critical infrastructure is definitely of strategic importance.
There is a very easy technical term that everybody knows, called a “ping”. Every day they try. They ping. They knock at the door and see if the door is open. They try the handle. We don't necessarily need to know that because, yes, indeed, there are hundreds of thousands, if not millions, of attacks every day. From that perspective, we cannot....
When somebody is particularly targeted repeatedly because of what they do in their work, what they promote, what they challenge or what they denounce—like transnational oppression and things like that—they should be warned. They should receive better attention. They should also be receiving training to a certain extent, like I said, to develop a new business culture and a new way of being aware, because awareness is the only true defence that we have. The technical can only do so much.
:
In preparation for this, I went through all of the other witnesses' testimony. If I were to offer advice to remedy what I saw in the previous evidence, I'd offer you three pieces of advice.
The first is, get your information-sharing house in order. It was one of those kinds of things where everyone didn't really know who was sharing what with whom, when, and why. There was a recognition that this was a problem. As my colleague Mr. Wark has indicated, the MOU has been updated. If you haven't seen that, I would encourage you to take a hard look at that and just make sure that it's tight. Also, treat this like a dress rehearsal. This is going to happen again and again. Just make sure you know who's on first with respect to the sharing of information, what happens and what that threshold is.
The second, as I had already indicated, is to have some personal money to protect yourselves. While the evidence indicated that the threat was stopped, we don't know—I'm sorry, Mr. Genuis—about your personal account, because that wouldn't have fallen within the IT department of Parliament.
The third is training, but not just cyber training. It's general awareness so that you can be your own best partner in your defence.
:
Yes, absolutely. I would like to say, very quickly, that people from all parties in Canada were attacked in this attack. The attackers didn't care which parties they were from.
However, I do not believe it is correct to say that the attack was unsuccessful. In fact, we've already heard from one of the other witnesses today that because they do not know what happened with Mr. Genuis's personal account, they cannot assure us that the attack was unsuccessful. It is simply not possible to say that.
Not only that, but, technically speaking, it's very difficult to ensure that anyway, for the following reasons: Many parliamentarians around the world were told these were low-level, unsuccessful attacks, like marketing emails. That in itself is not incorrect. Pixel embedding or pixel tracking is very common. However, in the hands of a state-sponsored hacking group like APT31, it's very different.
Very briefly—I know I don't have much time—what they can do is triangulate where that person is from. They can find a vulnerable router, and then easily hack that on the basis of the information they gathered from pixel reconnaissance emails, or much worse. We have a member whose emails were compromised and given to a political opponent for kompromat, so this is rather serious. It ought not to be described as a low-level, unsuccessful attack.
:
Thank you very much, Mr. Chair, and I'd like to thank the witnesses for being here today.
I want to pick up on something that Mr. Juneau-Katsuya mentioned in a previous example of an incident that happened with the Treasury Board in 2010, and it was through a law firm.
Mr. Shull, you also mentioned how there are the physical tools that we can use, and there's also the training in personal responsibility and being careful about how we do the business that we do and get the training that's required. But in this case of APT31, we heard from the previous witness that it was through their organization that the email distribution list or email addresses were accessed. In the case in 2010, it was through a law firm.
There's educating parliamentarians in terms of us making sure that we're careful about what we're doing and that we're using every tool in the tool kit, as Mr. Shull said—and I would love to show him my phone as well after, to secure. There's the behaviour, and then there are the tools as well. But what would you advise organizations that we're involved with? For instance, many of us give our email addresses out when we're talking with people who want to meet with us, organizations and so on. They're creating distribution lists as well that we have no control over. We are public officials. We share our information so that people can get in touch with us.
How can we make sure that if a third party has these distribution lists, they're also being mindful of the fact that they are susceptible, especially if they're working with a lot of parliamentarians, to keep our information safe? What would you recommend to them as well?
:
To control and to be capable of raising awareness with a third party is a very difficult task, because you don't necessarily have control over what they do, how they do it, whom they train and stuff like that.
Again, it returns to general public awareness and being informed, but there's another element as well that should be taken. Sometimes you don't have control. As you pointed out, your email address is publicly known. People might take it and simply use it for their own purpose, and only at the end are you going to see that they used your address. However, when you do business with people, you should be able to ask them for certain standards. The Canadian government should be capable of imposing those standards as well, just like Public Works imposes certain standards when people contract with the government.
Somewhere, somehow, there's this kind of new business culture that I'm talking about. It still needs to be defined in its details, but somewhere, somehow, there's a general awareness and education that needs to start to percolate more to the general public.
:
That reassures me. I was told that it could take 100 years to find a good password.
What I wanted to talk to you about today is the CSE, which appeared before the committee.
I'll spare you the details, since you're well acquainted with the matter. However, as someone who isn't at all in the field, I found information on the APT28 attack campaigns since 2021 on the website of France's national cybersecurity agency.
In the end, I didn't need to ask you any questions because I found the entire procedure in a summary. That information is public on that site. In any case, you aren't answering questions, and you don't want to inform us.
My understanding is that we have a lot of work to do.
Mr. Juneau‑Katsuya, why hide?