Good morning, Mr. Chairman. It's a pleasure to be here today.
It is a pleasure to join you to discuss this very important issue. I am accompanied by two of my department heads. Louis Bard is the Chief Information Officer of the House of Commons.
He is responsible for the Information Services Directorate. The Sergeant-at-Arms, Kevin Vickers, is responsible, among many other things, for security, through the security services of the House of Commons, for providing the physical security of the parliamentary precinct and of course of members.
I don't really have an opening statement as such, but I have a few opening remarks, perhaps, to situate this discussion in terms of how we view things.
I'm very pleased that you chose to invite the Sergeant-at-Arms and the CIO, because I see very important parallels in the way each of these service heads operates in order to ensure the security of the precinct.
The first thing that I want to say is the security posture here at the House of Commons is always intelligence-led. There's a parallel between the physical security that's provided through the Sergeant-at-Arms and the House of Commons security services—and their partners—and the IT security provided through the chief information officer and the House of Commons information services team.
I'll explore that a little just to give you an idea of how we approach this. Obviously I'm not an expert in security. These are the experts I rely on, and I am really very confident that the House and members are in very good hands.
Let me first of all turn to something that's perhaps less foreign or less difficult to understand. This is what the Sergeant-at-Arms does. On a daily basis, the sergeant and his director of security are in touch with our security partners—the RCMP, the Ottawa Police, CSIS, etc.—to discuss the threat-level assessment for that day, for the precinct and for members. This goes on on a regular basis. It's a regular conversation they have.
If for whatever reason there is an elevated threat level, whether it be for the precinct because of a particular demonstration that's going on related to a summit that's happening somewhere else in the world, or something like that, or whether it's, for whatever reason, an interest in a particular member or a minister, or something like that, then the outside partners who are responsible for this continuing monitoring of the threat level will tell us what they recommend as the threat-level posture. If the threat level is such that it is elevated, for whatever these reasons might be, we then adjust our posture appropriately here in order to respond to that and to be able to do our part in the seamless protection of the precinct and of members.
Obviously, no details of those kinds of adjustments are discussed publicly. The consultations are not even discussed publicly. In the interest of good security, you keep this basically quiet, and you get on with the business of protecting the precinct and members.
In a very similar way, and on a regular basis, the chief information officer and his team are in constant contact with CSE, the Communications Security Establishment, to monitor cyber-threats. One of the things we are all trying to adjust to is the fact that the Internet, for all of the wonderful access that it provides, is nonetheless something we're all coming to grips with in various ways. The new and ever-expanding use of social media means that there are all kinds of things happening out there in cyberspace. We have to be aware of what's going on there; but at the same time, we have to make our peace with the idea that we can't control it.
It used to be that demonstrations for or against a particular issue or position, or whatever, were fairly straightforward. People had placards, they gathered on Parliament Hill, on the lawn, they shouted slogans, they heard people, they applauded, and then they went home. And that was fine. Some of that still occurs, and that's fine too. But increasingly there are now organized campaigns for and against various issues, advocating positions and so forth, that take place using the Internet and using social media. Those, of course, with the usual range of human behaviour, range from the conscientious and the serious, right through to the anarchic, and the perhaps more threatening, as in the case, for example, of this Anonymous group.
The difficulty one has there, in a way that perhaps other organizations don't entirely face—I'm thinking of businesses and the like—is that when we create a parliamentary network here, the campus network for information technology, it is built to what we believe is an appropriate security level and we monitor that constantly. But the important thing to remember is that from our point of view—and I believe from the point of view of members, since the network exists to serve members in the first instance—it has to be accessible to people who want to reach you. The communication going both ways, from here out and from out in, is the bedrock of political conversation in this country. We can't protect a situation to such an extent that access becomes so cumbersome and so difficult as to become an irritant, or worse yet, God forbid, an obstruction to this free flow of information and communication.
At the same time, I think we have to realize that regardless of how one might want to create a network, a situation that is hacker-proof is simply not possible. The WikiLeaks business that happened, which garnered headlines some months ago, is a perfect indication of that. There really is no such thing as a perfect network. If you say that, you issue a challenge, and somewhere out there there will be somebody who is bound and determined to break in just basically because that's how they pass their time. I think we have to make our peace with that.
What we have to do—and this is something I'm confident we are doing—is take very seriously the idea that we need a protected network, that we need a secure network, in order for parliamentarians to do their work. We do that by monitoring very carefully the activity on the network on an ongoing basis so that anything that seems unusual is something that immediately jumps out. We do that in various ways through the security measures that are in place. When we see some kind of unusual activity, we take appropriate action to address that activity, whether it's isolating a particular computer or whatever. All of this of course goes on with our partners at CSE and the stakeholders there.
We have various ways—and I won't get into the details of them, not least of all because I don't think I could explain them adequately—and various themes, I think, under which our operations fall. There is the idea, for instance, of protection. We have firewalls around the parliamentary network. We have filtering gateways. We have encryption software. In terms of detecting unusual activity, we have the usual types of software, the anti-spam and anti-virus software that's out there, which is constantly being upgraded and monitored as systems and technology develop.
Access control is certainly very important. I remember testifying before you on a different case in which we said that a network is only as secure as the weakest person using it. So whoever is using it,
It is very important to know who has access, who has the passwords and all of that. There are very important protocols that govern the use of the network.
The other aspect is the physical security of the different pieces of equipment we have, naturally.
So that's the physical security, whether it be laptops or whatever.
In communications between the network here and the network in your constituencies, that is possible through the creation of what's called a VPN, or a virtual private network. It allows for secure communication within the network environment.
Administratively, we have awareness campaigns in security that are run by the Sergeant-at-Arms and the CIO. We have appropriate policies, from the wearing of badges to the appropriate use of technology.
We try to sensitize people to the dangers out there, without overreacting in such a way as to give more attention than is merited to various troublemakers who ask for nothing more than a chance to make headlines.
We work very closely with CSE and with CSIS. I have here an extract, a statement from CSIS, which I think is useful. It says:
The threat of attacks on critical information systems and the infrastructures that depend on them will, in the foreseeable future, be almost impossible to eliminate entirely, owing to the fact that attack tools, networks and network control systems are constantly evolving. As new technologies develop, so too will new attack tools along with the sophistication of the perpetrators who use them.
I don't want to leave the impression that the situation the Minister of Public Security suffered was anything that we condone. It was nothing short of appalling. But at the same time, I think we have to put that in the context of what is happening in the world today. It should not engender unwarranted anxiety about the thoroughness of our security posture.
That's about all I had to say.
We're in your hands for answering questions, and my two experts are of course at your disposal.