Evidence of meeting #28 for Procedure and House Affairs in the 41st Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.

A recording is available from Parliament.

Also speaking

Audrey O'Brien  Clerk of the House of Commons
Louis Bard  Chief Information Officer, House of Commons
Kevin Vickers  Sergeant-at-Arms of the House of Commons

Noon

Conservative

Harold Albrecht Conservative Kitchener—Conestoga, ON

I don't know how frequently that would happen, but if on a “regular basis” we would get updates and recommendations from your office and possibly an offer to even remotely review what we're doing and what we're not doing, I would find that helpful.

Thank you, Mr. Chair.

Noon

Conservative

The Chair Conservative Joe Preston

Thank you very much.

Mr. Lukiwski.

Noon

Conservative

Tom Lukiwski Conservative Regina—Lumsden—Lake Centre, SK

Thank you.

I just want to go back for a moment to the vulnerability issue. I appreciate all that you do and continue to do while we're in the parliamentary precinct, but my question is what happens when we leave the precinct? Obviously cabinet ministers travel extensively on an international basis, but individual members also do. We have parliamentary associations that are constantly going abroad. How vulnerable are members when they're outside the precinct? We still have to be in contact. In the case of cabinet ministers, there's a lot of parliamentary work that goes on whether they're in Ottawa or in China or some other location. How vulnerable are those members who are travelling internationally?

Noon

Chief Information Officer, House of Commons

Louis Bard

I think there's a high level of vulnerability, especially if you travel to foreign countries, because they probably know you are coming and somehow they will be watching you or observing who is out there and will follow you through the process. This is where your choice of technologies and what you use when you're travelling is so critical. As an example, if you are bringing confidential documents, secret documents, on your laptop, you are very vulnerable if you lose that laptop, if you have not secured the documents, encrypted the documents, encoded the documents, waterproofed the documents: there are so many things you can do to secure a document. At the same time, I will not bring secret documents while I'm travelling. I will find other ways to move these documents around.

12:05 p.m.

Conservative

Tom Lukiwski Conservative Regina—Lumsden—Lake Centre, SK

Are there any specific protocols you would suggest for those members who may be travelling internationally, or are they just vulnerable no matter what they do? A lot of this is common sense, and we understand that. But are there any specific protocols or provisions that you might suggest or that you're looking into based on the fact that we may be targeted by Anonymous or other groups now?

12:05 p.m.

Chief Information Officer, House of Commons

Louis Bard

I will give the same comments I gave last year when we were looking at developing committee reports. Often the problem with security is that people don't assess what they intend to do while they're travelling. You should really assess those risks before you travel, and then we can put in place proper measures to help you during your travel through some specific packages, specific tools, or specific telephones or BlackBerrys. There are all kinds of things we can do to help you: don't use your cellular phone, use a land line.... As a preventive measure, before you go we need to understand the purpose of the trip and what you intend to do, and from there, based on the risk, we can really identify the solutions.

12:05 p.m.

Conservative

The Chair Conservative Joe Preston

You have a minute left.

12:05 p.m.

Conservative

Tom Lukiwski Conservative Regina—Lumsden—Lake Centre, SK

Thank you very much.

Is there any history of any member's computer system being hacked? If so, what process do you follow there?

12:05 p.m.

Chief Information Officer, House of Commons

Louis Bard

We follow the same thing as the IT acceptable use policies on a regular basis.

It's happened at the caucus level, on your caucus web server. We've helped many of you with your caucus servers when there has been infiltration, corruption, spam, and things like that. This has happened with members' laptops that have been infected with viruses.

When we detect something, the first thing we do is inform the member and then request permission to remove that PC or that laptop to help restore the situation very rapidly. We do this on an individual private basis with every member of Parliament. If we notice a situation, we try to find a compromise and identify the threats. If I cannot at one point solve the issue with the member, I will go to the whip. That's the protocol.

There have been a lot of instances over the last 19 years I've been here, but I have to say that each time we've been able to correct the situation to the member's satisfaction. Never in the last 19 years have we lost access to our network, been paralyzed for days, or had to shut down the network. Touch wood—we have been able to keep things running.

12:05 p.m.

Conservative

The Chair Conservative Joe Preston

Thank you.

Now to Madame Charlton. And I understand you're sharing your time with Madame Latendresse.

March 15th, 2012 / 12:05 p.m.

NDP

Alexandrine Latendresse NDP Louis-Saint-Laurent, QC

Thank you, Mr. Chair.

First of all, thank you for the very useful information.

I have a question specifically for Ms. O'Brien about breaches of privilege, as was the case here.

I read in your excellent document that in a case in which—and this has happened in the past—it is recognized that there was a breach of privilege, but there's no way of identifying the source, nothing more can be done. A breach of privilege is recognized, and that's all.

In this case, it is quite clear that there was a breach of privilege, given that the minister received threats specifically related to his work. In fact, he was being asked to withdraw the bill. That being said, I think that Anonymous, as was said earlier, is something intangible. We can't even say it is an organization, because anyone can claim to be Anonymous and put that label on their actions. It is not an organized group taking concerted actions or something like that.

In this case, are we not in a situation where, because we won't be able to find the source, it will be impossible to take action?

12:10 p.m.

Clerk of the House of Commons

Audrey O'Brien

Mr. Chair, I think Ms. Latendresse is entirely correct. I can't see how you could identify a person or persons responsible for the threats against the minister.

As you say so well, because it is not even an organized group, anyone can use the name Anonymous, which is even encouraged by the people marketing it. In my opinion, there isn't much we can do about that.

However, I am dedicated to the institution of Parliament. Based on this morning's discussion, everyone seems to believe, as I was saying earlier to Mr. Garneau, that a line was crossed by Anonymous. Threats were used, which is unacceptable.

One of the things I learned this morning is that the group apparently sponsors certain malicious websites. If you oppose a bill, you are given instructions to express your opposition. In fact, they don't really help you send an email to the minister to express your disagreement; instead, they have you send something else that, suddenly, triggers a malicious process. Some people who are opposed to a bill, who may be of good faith and who would like to voice their opposition, may unfortunately find themselves on such sites.

I will say again that there needs to be education. It would be important for a report by the committee to indicate to citizens that we want them to be engaged and to participate in the political debate, but that they mustn't be fooled by things they may not understand. You have to be careful. Signing petitions and sending emails is fine. However, it is not always that simple.

I would like to clarify the following point. Mr. Bard said that 70% of emails are not sent to parliamentarians. It is important to specify what an email campaign is; they are done in certain ridings or regions and are perfectly legitimate. I'm talking about emails that have an address: that is acceptable. However, when an address is not identifiable, we have a case that is part of the 70%. I wouldn't want people to think that many emails on a given subject will not arrive because someone decided to clean up.

12:10 p.m.

NDP

Alexandrine Latendresse NDP Louis-Saint-Laurent, QC

In fact, all members receive a lot of these emails, which are legitimate.

12:15 p.m.

Clerk of the House of Commons

Audrey O'Brien

Absolutely.

12:15 p.m.

NDP

Alexandrine Latendresse NDP Louis-Saint-Laurent, QC

Thank you.

12:15 p.m.

Conservative

The Chair Conservative Joe Preston

Thank you.

Mr. Zimmer.

12:15 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

Thank you, Chair.

Thank you for coming today. I appreciate your being here.

For the public's benefit, I think there are really two issues here: cyber-bullying, as I call it, and security.

I'll talk specifically about the cyber-bullying. I think there's a perception in the public that to some extent we politicians are unaccessible. I certainly have a Twitter account. I have a Facebook account. I think there is a perception, especially with Anonymous—and I haven't had a dialogue with Anonymous before—that it appears that things are escalating. I guess I would challenge the public and say: “Dialogue with us. We're approachable. Start off with a dialogue, as opposed to jumping to that higher level immediately.” I just would challenge them to do that.

I have a question about security, though. We're Canadians and we have good security systems as well, but do we consult with other entities—the CIA, the FBI, and Scotland Yard—to see what they're doing? Do we have that interaction?

12:15 p.m.

Clerk of the House of Commons

Audrey O'Brien

I'll turn it over to the CIO in a moment, but first of all let me say that I couldn't agree with you more. The idea of entering into a conversation and a dialogue with our political representatives, whether it be for or against a particular measure, is one that I think is entirely laudable.

Mr. Hawn I think said it very well about the people who engage in this kind of threatening situation, like Anonymous: it's a cowardly thing to do.

12:15 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

Right.

12:15 p.m.

Clerk of the House of Commons

Audrey O'Brien

It has nothing to do with real political engagement.

With regard to the cyber-bullying and the question of security, I mentioned earlier that CSE, the Communications Security Establishment, is basically the authority here in Canada that is set up to look specifically at cyberthreats. They obviously have a network internationally with the Americans and with the United Kingdom.

We are, through our contact specifically with CSE, privy to the kinds of best practices that are being developed, and really all around the world, because I think every parliament is wrestling with this business of accessibility and openness versus the kind of bad situation that's faced with groups like Anonymous.

Perhaps, Louis, you have something to add.

12:15 p.m.

Chief Information Officer, House of Commons

Louis Bard

As indicated in what Madame O'Brien is saying, there is no doubt that CSE is the prime vehicle we are working with, because of their role. CSE has been very good in helping us in the choice of technologies, how to do monitoring, and all of that, and also they give us a heads-up on things that are happening. There's the RCMP, and also other vehicles within the federal government, such as ITSB and all of the shared services and all of those elements, that are good.

At the same time, my main focus is more on the tools, on the means and things like that, and we deal with all kinds of industries around the world to understand what's going on. Also, we have been visiting other parliaments and other institutions. As well, I went with Mr. Vickers to visit some security organizations in the States to also understand what they are doing. We're doing everything we can. Every piece of information and literature that we can put our hands on is part of what we do every day.

12:15 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

Thanks.

I have one last question from a colleague. We're curious to know if it is possible for a particular hacker to put something onto a computer. Is that possible? It could be a false piece of information or a false document or something like that. I guess it would be similar to a virus. Is it possible to do that?

12:15 p.m.

Chief Information Officer, House of Commons

Louis Bard

There is no doubt that through attachments and through all kinds of things everything is possible. We have identified some very complex infection structures. As an example, they will connect to your PC and will try to make other connections, or import other material, or copy what is on your desktop. We've seen all kinds of shapes and forms of this and that. In every instance, we've been the first ones detecting this on Parliament Hill and have been able to inform our peers.

What I'm trying to be careful about is not to become a fishing expedition for other partners; that is not my job here. But yes, there are all kinds of possibilities. I can guarantee you that we are doing very extensive monitoring. When we see anomalies, we are very, very quick to call the members of Parliament. In each instance, I would say that members have been 99.9% very cooperative. Members, ministers' offices, whips' offices, caucuses, and caucus research—everybody is very, very cooperative.

12:15 p.m.

Conservative

The Chair Conservative Joe Preston

Thank you.

12:15 p.m.

Conservative

Bob Zimmer Conservative Prince George—Peace River, BC

Do I have more time?