Evidence of meeting #28 for Procedure and House Affairs in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

11:15 a.m.

Conservative

The Chair Joe Preston

We will go ahead and start our meeting.

I'd like to thank our guests for coming this morning. I apologize for the delay. We needed to move rooms so that we could televise.

We are starting our study on the order of reference regarding the motion of privilege for the member for Provencher.

I will caution our guests today and committee members that we'll start in public and do as well as we can to talk about the issues of the breach of privilege and items that relate to that. As chair, I do feel that there may be a time when we'll get to points or issues that may require us to go in camera for security reasons.

I ask members from all sides as well as the witnesses, if you feel we're getting near there, to warn us. We'll try to delay as much of that as we can until the end of the meeting so that we can bunch it all together, instead of going in camera and back into public. So we'll do that.

Members, we were also given another motion of privilege today by the Speaker, and as a committee we will need to discuss that and where it fits in our schedule. I recognize you're all using midnight to six just for sleep right now, and we can probably use some of that.

Madam Clerk, it's great to have you here today. I would like you to lead off and introduce your guests, and then we'll go into rounds of questions.

11:15 a.m.

Audrey O'Brien Clerk of the House of Commons

Great.

Good morning, Mr. Chairman. It's a pleasure to be here today.

It is a pleasure to join you to discuss this very important issue. I am accompanied by two of my department heads. Louis Bard is the Chief Information Officer of the House of Commons.

He is responsible for the Information Services Directorate. The Sergeant-at-Arms, Kevin Vickers, is responsible, among many other things, for security, through the security services of the House of Commons, for providing the physical security of the parliamentary precinct and of course of members.

I don't really have an opening statement as such, but I have a few opening remarks, perhaps, to situate this discussion in terms of how we view things.

I'm very pleased that you chose to invite the Sergeant-at-Arms and the CIO, because I see very important parallels in the way each of these service heads operates in order to ensure the security of the precinct.

The first thing that I want to say is the security posture here at the House of Commons is always intelligence-led. There's a parallel between the physical security that's provided through the Sergeant-at-Arms and the House of Commons security services—and their partners—and the IT security provided through the chief information officer and the House of Commons information services team.

I'll explore that a little just to give you an idea of how we approach this. Obviously I'm not an expert in security. These are the experts I rely on, and I am really very confident that the House and members are in very good hands.

Let me first of all turn to something that's perhaps less foreign or less difficult to understand. This is what the Sergeant-at-Arms does. On a daily basis, the sergeant and his director of security are in touch with our security partners—the RCMP, the Ottawa Police, CSIS, etc.—to discuss the threat-level assessment for that day, for the precinct and for members. This goes on on a regular basis. It's a regular conversation they have.

If for whatever reason there is an elevated threat level, whether it be for the precinct because of a particular demonstration that's going on related to a summit that's happening somewhere else in the world, or something like that, or whether it's, for whatever reason, an interest in a particular member or a minister, or something like that, then the outside partners who are responsible for this continuing monitoring of the threat level will tell us what they recommend as the threat-level posture. If the threat level is such that it is elevated, for whatever these reasons might be, we then adjust our posture appropriately here in order to respond to that and to be able to do our part in the seamless protection of the precinct and of members.

Obviously, no details of those kinds of adjustments are discussed publicly. The consultations are not even discussed publicly. In the interest of good security, you keep this basically quiet, and you get on with the business of protecting the precinct and members.

In a very similar way, and on a regular basis, the chief information officer and his team are in constant contact with CSE, the Communications Security Establishment, to monitor cyber-threats. One of the things we are all trying to adjust to is the fact that the Internet, for all of the wonderful access that it provides, is nonetheless something we're all coming to grips with in various ways. The new and ever-expanding use of social media means that there are all kinds of things happening out there in cyberspace. We have to be aware of what's going on there; but at the same time, we have to make our peace with the idea that we can't control it.

It used to be that demonstrations for or against a particular issue or position, or whatever, were fairly straightforward. People had placards, they gathered on Parliament Hill, on the lawn, they shouted slogans, they heard people, they applauded, and then they went home. And that was fine. Some of that still occurs, and that's fine too. But increasingly there are now organized campaigns for and against various issues, advocating positions and so forth, that take place using the Internet and using social media. Those, of course, with the usual range of human behaviour, range from the conscientious and the serious, right through to the anarchic, and the perhaps more threatening, as in the case, for example, of this Anonymous group.

The difficulty one has there, in a way that perhaps other organizations don't entirely face—I'm thinking of businesses and the like—is that when we create a parliamentary network here, the campus network for information technology, it is built to what we believe is an appropriate security level and we monitor that constantly. But the important thing to remember is that from our point of view—and I believe from the point of view of members, since the network exists to serve members in the first instance—it has to be accessible to people who want to reach you. The communication going both ways, from here out and from out in, is the bedrock of political conversation in this country. We can't protect a situation to such an extent that access becomes so cumbersome and so difficult as to become an irritant, or worse yet, God forbid, an obstruction to this free flow of information and communication.

At the same time, I think we have to realize that regardless of how one might want to create a network, a situation that is hacker-proof is simply not possible. The WikiLeaks business that happened, which garnered headlines some months ago, is a perfect indication of that. There really is no such thing as a perfect network. If you say that, you issue a challenge, and somewhere out there there will be somebody who is bound and determined to break in just basically because that's how they pass their time. I think we have to make our peace with that.

What we have to do—and this is something I'm confident we are doing—is take very seriously the idea that we need a protected network, that we need a secure network, in order for parliamentarians to do their work. We do that by monitoring very carefully the activity on the network on an ongoing basis so that anything that seems unusual is something that immediately jumps out. We do that in various ways through the security measures that are in place. When we see some kind of unusual activity, we take appropriate action to address that activity, whether it's isolating a particular computer or whatever. All of this of course goes on with our partners at CSE and the stakeholders there.

We have various ways—and I won't get into the details of them, not least of all because I don't think I could explain them adequately—and various themes, I think, under which our operations fall. There is the idea, for instance, of protection. We have firewalls around the parliamentary network. We have filtering gateways. We have encryption software. In terms of detecting unusual activity, we have the usual types of software, the anti-spam and anti-virus software that's out there, which is constantly being upgraded and monitored as systems and technology develop.

Access control is certainly very important. I remember testifying before you on a different case in which we said that a network is only as secure at the weakest person using it. So whoever is using it,

It is very important to know who has access, who has the passwords and all of that. There are very important protocols that govern the use of the network.

The other aspect is the physical security of the different pieces of equipment we have, naturally.

So that's the physical security, whether it be laptops or whatever.

In communications between the network here and the network in your constituencies, that is possible through the creation of what's called a VPN, or a virtual private network. It allows for secure communication within the network environment.

Administratively, we have awareness campaigns in security that are run by the Sergeant-at-Arms and the CIO. We have appropriate policies, from the wearing of badges to the appropriate use of technology.

We try to sensitize people to the dangers out there, without overreacting in such a way as to give more attention than is merited to various troublemakers who ask for nothing more than a chance to make headlines.

We work very closely with CSE and with CSIS. I have here an extract, a statement from CSIS, which I think is useful. It says:

The threat of attacks on critical information systems and the infrastructures that depend on them will, in the foreseeable future, be almost impossible to eliminate entirely, owing to the fact that attack tools, networks and network control systems are constantly evolving. As new technologies develop, so too will new attack tools along with the sophistication of the perpetrators who use them.

I don't want to leave the impression that the situation the Minister of Public Security suffered was anything that we condone. It was nothing short of appalling. But at the same time, I think we have to put that in the context of what is happening in the world today. It should not engender unwarranted anxiety about the thoroughness of our security posture.

That's about all I had to say.

We're in your hands for answering questions, and my two experts are of course at your disposal.

11:25 a.m.

Conservative

The Chair Joe Preston

Thank you, and thank you for bringing your experts.

We'll go to Mr. Lukiwski.

11:25 a.m.

Conservative

Tom Lukiwski Regina—Lumsden—Lake Centre, SK

Thank you, Chair.

My thanks to Madam O'Brien, Monsieur Bard, and Mr. Vickers for being here.

What most of us will be concentrating on, I think, is information you can provide on cyber-threats to the computer side of things. We're going to be talking to some law enforcement agencies over the course of the next few meetings to assess the threat Anonymous might pose beyond the precinct here in Parliament. So most of my comments will be directed to Monsieur Bard, although I would invite commentary from all of you.

Thank you, Madam O'Brien, for answering some of the questions I had in your opening statements.

First, given that no one can put security protocols or provisions in place that would render a system completely bullet-proof, I'd like to know right now, in your considered opinion, how vulnerable are we? How vulnerable are we if Anonymous wants to hack in? Secondly, do you have any plans to increase security provisions beyond what we currently have in the parliamentary precinct? Lastly, would you have any recommendations for our systems beyond the parliamentary precinct? I'm thinking specifically about our constituency offices.

One at a time, please, give us your assessment of how vulnerable we are right now, and then tell us what security provisions might be put in place.

11:25 a.m.

Clerk of the House of Commons

Audrey O'Brien

Before I ask CIO Louis Bard to reply to Mr. Lukiwski's question, I want to say that the threats from the group Anonymous really had nothing to do with the network. This was something posted on YouTube, so it's completely outside our control or our environment.

With regard to the hacking situation and what measures are in place, Louis can speak to this matter.

11:25 a.m.

Louis Bard Chief Information Officer, House of Commons

Thank you.

Those are very good questions. There's no doubt that the House of Commons as a symbol of Parliament is regularly identified in potential security threats. Every threat you can find out there, Parliament is noted somewhere because of the symbol of Parliament.

We are, as mentioned by Madam O'Brien, working very closely with all kinds of partners, such as CSE. We're working with RCMP. We are working also with the industry. We've highlighted a number of scenarios, technologies, and layers that we have to protect the environment, and we rely on the industry in terms of also bringing a third dimension to the threats, what's going on, and what we should be preparing ourselves for. Therefore, as Kevin does on physical security, every day we assess those threats, every day we evaluate the situation.

Around three or four years ago the board approved the creation of an IT security team, which we have implemented. We have put in place a lot of new technologies and mechanisms to secure the environment.

For us, when something happens like it did two or three weeks ago, there's no doubt that at that point we strengthen our monitoring activities based on the threats. We have a lot of alarms. We follow up on alarms. We follow up on notices. We make sure that we reinforce our security measures. We make sure that we make adjustments to our protocols of the day. A good example of that is the major spoofing that happened to the Treasury Board last year. Immediately, we were ahead of the game to analyze this, and there was actually no incident to Parliament Hill following that incident.

We also adjusted our BCM strategies, such as how to deal with international threats, as an example. If need be, I can export my website somewhere else to protect the campus. There are all kinds of strategies behind the scenes that are possible, and we can act very rapidly. There's no doubt we always maintain a very close meeting with our other officials, with CSE and others, to make sure we can inspire ourselves on everything that is possible to minimize the impact.

The bottom line for me, however, is the way we make decisions. My job is to provide access to services to all members of Parliament, to provide transparency, and to make sure I eliminate all those stresses. We reject 70%, I would say, of all e-mails sent to Parliament before they enter Parliament Hill. And beyond that, we provide members with tools to identify spam, to try to filter that, and to put rules in place. At the end of the day, I still believe I need to leave the members with the flexibility that they need to operate.

Concerning the riding offices, there's no doubt that in Ottawa it's a secure environment. It's well protected. We provide all kinds of tools to members in their ridings. However, in your ridings, you've made the decision. You've set up your environment and how you want to work. Therefore, I can only be there to help, to advise, to suggest that you use a secure tool we provide you with. I have not a lot of control when you are in your constituency, but we always remain available to help you this way.

In term of the recommendation, there's no doubt that the acceptable use policy gives you a good framework in the ways you operate. There's no doubt about it in terms of how to better use the IT resource on Parliament Hill. But the same things can apply with your staff in your riding and how you behave yourself in your riding. They're good guidelines. At the same time, as we always say, it's so essential to separate your job as a member from your personal life. Very often we try as much to keep that totally separate—how you set up your house, your families, how you decide to create other Internet access, having your own private e-mail accessibilities, outside of the environment of the House of Commons. It's also a strong recommendation. It's exactly what I do for myself.

However, security is evolving every day. It's a question of every day we need to make.... It's like peeling an onion. There's always something new to discover. The strength that we have is the ability to react. I think we have proved that several times. And there's the board has supported us and this committee on all of the investments we've made in security technology over the last ten years.

11:35 a.m.

Conservative

The Chair Joe Preston

Thank you. You are well past.

Madam Charlton, for seven minutes.

11:35 a.m.

NDP

Chris Charlton Hamilton Mountain, ON

Thank you very much, Chair.

Thank you so much for your presentation this morning.

I want to start at perhaps a more general level. As you know, when the Speaker makes a prima facie finding of privilege, that is what is referred to our committee. We have three responsibilities in that regard. Our first one, of course, is to confirm whether there is in fact a finding of privilege. And then it's incumbent on us to identify the culprit. Then our third task is to explore possible remedies to the breach.

I'm looking for some guidance here. It seems to me, although I don't want to prejudge the work of the committee, that all of us feel very strongly about the principle that all of us need to be free from threats or any kinds of attempts to intimidate us in our work as members of Parliament. I think we will likely be able to come to agreement on that fairly quickly.

It's not as clear to me how we go about identifying a culprit in this case. I recognize that this is also not unusual, and that in lots of other points of privilege we've been in that situation where culprits haven't in fact been identified. But I wonder whether you could give us some guidance in terms of how you think we ought to be framing our investigation here as committee members to actually take our responsibility with respect to the second and third referrals to us seriously, and how to do our work effectively, both with respect to identifying the culprit and then, in that context, how we pursue remedies.

11:35 a.m.

Clerk of the House of Commons

Audrey O'Brien

Thank you.

The question that you ask really goes to the heart of the work of the committee on this issue. It's certainly not an easy task, partly because, as Ms. Charlton has said, this is an unprecedented situation, in that the attacks in question come from an unknown entity. The name Anonymous is there. As I understand it, that particular title or brand is out there; the various loose grouping of people who operate under its banner encourage the use of that title for people who are protesting in various ways.

If I may be very blunt, I don't see much to be gained by trying to identify the culprit as such. I think that this exercise—and in this sense I'm very happy that this isn't an in camera meeting and that we can talk this way—is a very useful educational opportunity for everyone to realize that for all of the advantages and for all of the extraordinary.... I remember reading somewhere somebody comparing the Internet to having at your disposal the library at Alexandria.

For all that this is the case, there's also a sort of darker side to it, an ability for people who want to make mischief or who want in fact to engage in activities, as the Anonymous group do in the threats they have uttered.... That's also a possibility there.

The Sergeant-at-Arms and I were discussing this question this morning when the three of us were meeting prior to coming before you, and he was reminding me that it's a criminal offence to threaten a public official. One can assume that the Minister of Public Security has talked to the authorities with regard to whatever appropriate inquiry is to be made at a policing level.

With regard to this committee, frankly I'm not sure that seeking out a culprit as such wouldn't be a giant waste of time, because I think that the nature of these attacks, as I understand it and from the reading that I've done, is that they're extremely fluid. It is not even that you have—as you might have, for example in the Wikileaks situation, wherein you have Julian Assange saying he's the head of this and wherein he has taken ownership of a particular approach to information and so forth.... This is really a set of people whose way of protesting, I gather, is basically to cause difficulties for various institutions. It has a whole anarchic side that is very dark indeed.

At the same time, I think that what is important for this committee to recognize and to applaud is the many ways in which informed citizens are using the Internet and using social media to have conversations about political issues and to take sides and to advocate in one way or another. The engagement—and the engagement over space and time—that the Internet permits is something that is to be applauded. We shouldn't let the people who want to use this for evil, for lack of a less simplistic way of putting it, carry the day. That's one thing.

In terms of remedies, I think really awareness is the most important thing, awareness that if you're using Wi-Fi in a cafe somewhere and are on the Internet, you're more likely to be open to attacks than if you're just sort of looking at new sites and so forth.

I don't know that this answers your question fully, but that would be my take on it.

11:40 a.m.

NDP

Chris Charlton Hamilton Mountain, ON

Respectfully, with regard to remedies, this isn't about the minister having used Wi-Fi in an inappropriate way. This was an uploading of a YouTube video that would have happened regardless of whether any of us use Wi-Fi.

11:40 a.m.

Clerk of the House of Commons

Audrey O'Brien

Oh, absolutely. I guess I was linking this to the hacker conversation earlier.

11:40 a.m.

NDP

Chris Charlton Hamilton Mountain, ON

As I said, I feel really strongly about being able to do my work free from threats and intimidation, but I also feel equally strongly about freedom of speech. As you suggested, there's a vibrant conversation to be had.

So with respect to remedies, I don't think it is so much saying to us “don't go into Internet cafés”. I think if the remedies exist, they are in an entirely different direction.

I don't think I have any time left, and I regret that. Perhaps we can continue this—

11:40 a.m.

Clerk of the House of Commons

Audrey O'Brien

Forgive me. I think I may have gone on too long, which is a tendency of mine.

You are absolutely right, and I didn't mean to trivialize this as a matter of staying away from Wi-Fi. But as soon as you look at the possibility of limiting what goes up on YouTube, you get into a conversation about freedom of speech. That's a whole thing that I leave to you to sort out.

11:40 a.m.

Conservative

The Chair Joe Preston

Thank you.

Thank you, Ms. Charlton.

Monsieur Garneau, you have seven minutes.

11:40 a.m.

Liberal

Marc Garneau Westmount—Ville-Marie, QC

Thank you, Mr. Chair.

I would also like to thank the guests who are with us today.

In short, the Speaker recognized that there was, on the surface, a question of privilege. I am certainly not calling into question the decision that was made. It led to the following motion:

That the matter of threats to, interference with, and attempted intimidation of, the honourable Member for Provencher be referred to the Standing Committee on Procedure and House Affairs.

Frankly, I have been scratching my head since March 6, since the decision. I most certainly respect it. When I spoke, I said that it was important for the RCMP to be involved immediately because there had clearly been a threat. We all recognize that it is criminal and despicable. I've been wondering what else we can do.

You may have summarized the situation well by saying that being threatened from time to time is inherent to our profession. The Prime Minister, for example, is always physically surrounded for his protection.

We also know that on occasion ministers have had to be provided with protection because of a particular bill. It's in the nature of our business, and I believe I tried to make that point when I intervened before the decision was made. It goes with the job, in a sense, and it's something that we, and particularly cabinet ministers who bring forward laws, have to be aware of and accept.

So what can we do in these circumstances? You suggested awareness that these things can happen to us, and protecting access to our Internet materials, and that kind of thing.

By the way, I was hacked yesterday on my Twitter account. I must have been tired, but I was pulled in by probably a very old trick and realized that people are out there doing this kind of thing. That is something we should be more aware of; there's no question about it.

It seems to me that you are also saying we can react to individual cases and see what we can do and what the appropriate measures are. But at the same time, to some extent this goes with the job; while we want to protect members of Parliament as much as possible, we cannot provide a magic bullet here.

If Anonymous, for some miraculous reason—and I doubt that this will be the occasion—were to be caught and disbanded, there will be others. There are the OpenMedias and the Leadnows that make you aware that they are not in agreement with what a government decides, but they do so democratically; then there are the Anonymouses. But there will be lots of them, and that's the 21st century.

So what can we do—I'm asking the same question everybody else has asked—other than educate ourselves and be very careful?