Procedure and House Affairs Committee on March 15th, 2012

Great.

Good morning, Mr. Chairman. It's a pleasure to be here today.

It is a pleasure to join you to discuss this very important issue. I am accompanied by two of my department heads. Louis Bard is the Chief Information Officer of the House of Commons.

He is responsible for the Information Services Directorate. The Sergeant-at-Arms, Kevin Vickers, is responsible, among many other things, for security, through the security services of the House of Commons, for providing the physical security of the parliamentary precinct and of course of members.

I don't really have an opening statement as such, but I have a few opening remarks, perhaps, to situate this discussion in terms of how we view things.

I'm very pleased that you chose to invite the Sergeant-at-Arms and the CIO, because I see very important parallels in the way each of these service heads operates in order to ensure the security of the precinct.

The first thing that I want to say is the security posture here at the House of Commons is always intelligence-led. There's a parallel between the physical security that's provided through the Sergeant-at-Arms and the House of Commons security services—and their partners—and the IT security provided through the chief information officer and the House of Commons information services team.

I'll explore that a little just to give you an idea of how we approach this. Obviously I'm not an expert in security. These are the experts I rely on, and I am really very confident that the House and members are in very good hands.

Let me first of all turn to something that's perhaps less foreign or less difficult to understand. This is what the Sergeant-at-Arms does. On a daily basis, the sergeant and his director of security are in touch with our security partners—the RCMP, the Ottawa Police, CSIS, etc.—to discuss the threat-level assessment for that day, for the precinct and for members. This goes on on a regular basis. It's a regular conversation they have.

If for whatever reason there is an elevated threat level, whether it be for the precinct because of a particular demonstration that's going on related to a summit that's happening somewhere else in the world, or something like that, or whether it's, for whatever reason, an interest in a particular member or a minister, or something like that, then the outside partners who are responsible for this continuing monitoring of the threat level will tell us what they recommend as the threat-level posture. If the threat level is such that it is elevated, for whatever these reasons might be, we then adjust our posture appropriately here in order to respond to that and to be able to do our part in the seamless protection of the precinct and of members.

Obviously, no details of those kinds of adjustments are discussed publicly. The consultations are not even discussed publicly. In the interest of good security, you keep this basically quiet, and you get on with the business of protecting the precinct and members.

In a very similar way, and on a regular basis, the chief information officer and his team are in constant contact with CSE, the Communications Security Establishment, to monitor cyber-threats. One of the things we are all trying to adjust to is the fact that the Internet, for all of the wonderful access that it provides, is nonetheless something we're all coming to grips with in various ways. The new and ever-expanding use of social media means that there are all kinds of things happening out there in cyberspace. We have to be aware of what's going on there; but at the same time, we have to make our peace with the idea that we can't control it.

It used to be that demonstrations for or against a particular issue or position, or whatever, were fairly straightforward. People had placards, they gathered on Parliament Hill, on the lawn, they shouted slogans, they heard people, they applauded, and then they went home. And that was fine. Some of that still occurs, and that's fine too. But increasingly there are now organized campaigns for and against various issues, advocating positions and so forth, that take place using the Internet and using social media. Those, of course, with the usual range of human behaviour, range from the conscientious and the serious, right through to the anarchic, and the perhaps more threatening, as in the case, for example, of this Anonymous group.

The difficulty one has there, in a way that perhaps other organizations don't entirely face—I'm thinking of businesses and the like—is that when we create a parliamentary network here, the campus network for information technology, it is built to what we believe is an appropriate security level and we monitor that constantly. But the important thing to remember is that from our point of view—and I believe from the point of view of members, since the network exists to serve members in the first instance—it has to be accessible to people who want to reach you. The communication going both ways, from here out and from out in, is the bedrock of political conversation in this country. We can't protect a situation to such an extent that access becomes so cumbersome and so difficult as to become an irritant, or worse yet, God forbid, an obstruction to this free flow of information and communication.

At the same time, I think we have to realize that regardless of how one might want to create a network, a situation that is hacker-proof is simply not possible. The WikiLeaks business that happened, which garnered headlines some months ago, is a perfect indication of that. There really is no such thing as a perfect network. If you say that, you issue a challenge, and somewhere out there there will be somebody who is bound and determined to break in just basically because that's how they pass their time. I think we have to make our peace with that.

What we have to do—and this is something I'm confident we are doing—is take very seriously the idea that we need a protected network, that we need a secure network, in order for parliamentarians to do their work. We do that by monitoring very carefully the activity on the network on an ongoing basis so that anything that seems unusual is something that immediately jumps out. We do that in various ways through the security measures that are in place. When we see some kind of unusual activity, we take appropriate action to address that activity, whether it's isolating a particular computer or whatever. All of this of course goes on with our partners at CSE and the stakeholders there.

We have various ways—and I won't get into the details of them, not least of all because I don't think I could explain them adequately—and various themes, I think, under which our operations fall. There is the idea, for instance, of protection. We have firewalls around the parliamentary network. We have filtering gateways. We have encryption software. In terms of detecting unusual activity, we have the usual types of software, the anti-spam and anti-virus software that's out there, which is constantly being upgraded and monitored as systems and technology develop.

Access control is certainly very important. I remember testifying before you on a different case in which we said that a network is only as secure at the weakest person using it. So whoever is using it,

It is very important to know who has access, who has the passwords and all of that. There are very important protocols that govern the use of the network.

The other aspect is the physical security of the different pieces of equipment we have, naturally.

So that's the physical security, whether it be laptops or whatever.

In communications between the network here and the network in your constituencies, that is possible through the creation of what's called a VPN, or a virtual private network. It allows for secure communication within the network environment.

Administratively, we have awareness campaigns in security that are run by the Sergeant-at-Arms and the CIO. We have appropriate policies, from the wearing of badges to the appropriate use of technology.

We try to sensitize people to the dangers out there, without overreacting in such a way as to give more attention than is merited to various troublemakers who ask for nothing more than a chance to make headlines.

We work very closely with CSE and with CSIS. I have here an extract, a statement from CSIS, which I think is useful. It says:

The threat of attacks on critical information systems and the infrastructures that depend on them will, in the foreseeable future, be almost impossible to eliminate entirely, owing to the fact that attack tools, networks and network control systems are constantly evolving. As new technologies develop, so too will new attack tools along with the sophistication of the perpetrators who use them.

I don't want to leave the impression that the situation the Minister of Public Security suffered was anything that we condone. It was nothing short of appalling. But at the same time, I think we have to put that in the context of what is happening in the world today. It should not engender unwarranted anxiety about the thoroughness of our security posture.

That's about all I had to say.

We're in your hands for answering questions, and my two experts are of course at your disposal.

Before I ask CIO Louis Bard to reply to Mr. Lukiwski's question, I want to say that the threats from the group Anonymous really had nothing to do with the network. This was something posted on YouTube, so it's completely outside our control or our environment.

With regard to the hacking situation and what measures are in place, Louis can speak to this matter.

Thank you.

Those are very good questions. There's no doubt that the House of Commons as a symbol of Parliament is regularly identified in potential security threats. Every threat you can find out there, Parliament is noted somewhere because of the symbol of Parliament.

We are, as mentioned by Madam O'Brien, working very closely with all kinds of partners, such as CSE. We're working with RCMP. We are working also with the industry. We've highlighted a number of scenarios, technologies, and layers that we have to protect the environment, and we rely on the industry in terms of also bringing a third dimension to the threats, what's going on, and what we should be preparing ourselves for. Therefore, as Kevin does on physical security, every day we assess those threats, every day we evaluate the situation.

Around three or four years ago the board approved the creation of an IT security team, which we have implemented. We have put in place a lot of new technologies and mechanisms to secure the environment.

For us, when something happens like it did two or three weeks ago, there's no doubt that at that point we strengthen our monitoring activities based on the threats. We have a lot of alarms. We follow up on alarms. We follow up on notices. We make sure that we reinforce our security measures. We make sure that we make adjustments to our protocols of the day. A good example of that is the major spoofing that happened to the Treasury Board last year. Immediately, we were ahead of the game to analyze this, and there was actually no incident to Parliament Hill following that incident.

We also adjusted our BCM strategies, such as how to deal with international threats, as an example. If need be, I can export my website somewhere else to protect the campus. There are all kinds of strategies behind the scenes that are possible, and we can act very rapidly. There's no doubt we always maintain a very close meeting with our other officials, with CSE and others, to make sure we can inspire ourselves on everything that is possible to minimize the impact.

The bottom line for me, however, is the way we make decisions. My job is to provide access to services to all members of Parliament, to provide transparency, and to make sure I eliminate all those stresses. We reject 70%, I would say, of all e-mails sent to Parliament before they enter Parliament Hill. And beyond that, we provide members with tools to identify spam, to try to filter that, and to put rules in place. At the end of the day, I still believe I need to leave the members with the flexibility that they need to operate.

Concerning the riding offices, there's no doubt that in Ottawa it's a secure environment. It's well protected. We provide all kinds of tools to members in their ridings. However, in your ridings, you've made the decision. You've set up your environment and how you want to work. Therefore, I can only be there to help, to advise, to suggest that you use a secure tool we provide you with. I have not a lot of control when you are in your constituency, but we always remain available to help you this way.

In term of the recommendation, there's no doubt that the acceptable use policy gives you a good framework in the ways you operate. There's no doubt about it in terms of how to better use the IT resource on Parliament Hill. But the same things can apply with your staff in your riding and how you behave yourself in your riding. They're good guidelines. At the same time, as we always say, it's so essential to separate your job as a member from your personal life. Very often we try as much to keep that totally separate—how you set up your house, your families, how you decide to create other Internet access, having your own private e-mail accessibilities, outside of the environment of the House of Commons. It's also a strong recommendation. It's exactly what I do for myself.

However, security is evolving every day. It's a question of every day we need to make.... It's like peeling an onion. There's always something new to discover. The strength that we have is the ability to react. I think we have proved that several times. And there's the board has supported us and this committee on all of the investments we've made in security technology over the last ten years.

Thank you.

The question that you ask really goes to the heart of the work of the committee on this issue. It's certainly not an easy task, partly because, as Ms. Charlton has said, this is an unprecedented situation, in that the attacks in question come from an unknown entity. The name Anonymous is there. As I understand it, that particular title or brand is out there; the various loose grouping of people who operate under its banner encourage the use of that title for people who are protesting in various ways.

If I may be very blunt, I don't see much to be gained by trying to identify the culprit as such. I think that this exercise—and in this sense I'm very happy that this isn't an in camera meeting and that we can talk this way—is a very useful educational opportunity for everyone to realize that for all of the advantages and for all of the extraordinary.... I remember reading somewhere somebody comparing the Internet to having at your disposal the library at Alexandria.

For all that this is the case, there's also a sort of darker side to it, an ability for people who want to make mischief or who want in fact to engage in activities, as the Anonymous group do in the threats they have uttered.... That's also a possibility there.

The Sergeant-at-Arms and I were discussing this question this morning when the three of us were meeting prior to coming before you, and he was reminding me that it's a criminal offence to threaten a public official. One can assume that the Minister of Public Security has talked to the authorities with regard to whatever appropriate inquiry is to be made at a policing level.

With regard to this committee, frankly I'm not sure that seeking out a culprit as such wouldn't be a giant waste of time, because I think that the nature of these attacks, as I understand it and from the reading that I've done, is that they're extremely fluid. It is not even that you have—as you might have, for example in the Wikileaks situation, wherein you have Julian Assange saying he's the head of this and wherein he has taken ownership of a particular approach to information and so forth.... This is really a set of people whose way of protesting, I gather, is basically to cause difficulties for various institutions. It has a whole anarchic side that is very dark indeed.

At the same time, I think that what is important for this committee to recognize and to applaud is the many ways in which informed citizens are using the Internet and using social media to have conversations about political issues and to take sides and to advocate in one way or another. The engagement—and the engagement over space and time—that the Internet permits is something that is to be applauded. We shouldn't let the people who want to use this for evil, for lack of a less simplistic way of putting it, carry the day. That's one thing.

In terms of remedies, I think really awareness is the most important thing, awareness that if you're using Wi-Fi in a cafe somewhere and are on the Internet, you're more likely to be open to attacks than if you're just sort of looking at new sites and so forth.

I don't know that this answers your question fully, but that would be my take on it.

Oh, absolutely. I guess I was linking this to the hacker conversation earlier.

Forgive me. I think I may have gone on too long, which is a tendency of mine.

You are absolutely right, and I didn't mean to trivialize this as a matter of staying away from Wi-Fi. But as soon as you look at the possibility of limiting what goes up on YouTube, you get into a conversation about freedom of speech. That's a whole thing that I leave to you to sort out.

Mr. Chair, Mr. Garneau's description of the situation is, in my opinion, very appropriate.

You were speaking about being hacked on your Twitter account. The important thing to know is that because you are on Twitter you are outside any kind of protective network, so basically anything goes. That's the whole other side of the social media thing.

Regarding the question of privilege referred to the committee, based on my understanding of what was said, everyone, no matter the political party, agrees that by issuing these threats, the Anonymous crossed certain lines. As members, you lead a public life, and in these conditions, you are ready to have your political positions attacked, but threats against a person are unacceptable. I know this statement may seem to lead to nothing, but it is important, in my opinion, that everyone unite to say that

there are lines that ought not to be crossed.

Oh, oh!

It could be spam. There are a lot of rules. The e-mail has to be valid, it has to be addressed properly, it has to have a proper sender. You cannot send an e-mail just to “Parliament”; it has to be addressed to a member of Parliament. Also, you cannot replace who the sender is. It cannot be a group sending.

We have a long list of rules that over the years, following industry best practices, we have applied to make sure we do not corrupt or fill your mailbox with unwanted e-mails that have no meaning.

Yes. We offer that service—not sending somebody to your local office, but we can arrange to provide consultation and work with your office and advise you accordingly.

Well, it's really the member's privilege to ask for this. I will advise that if you have not developed for your office this kind of plan, business continuity strategies, how do you secure your environment? How do you allow your volunteers to work on your network? How do you know it's the right person you're calling on a conference call? There's so much that is under your control.

I always say that my best clients are the members and my biggest risks are the members and their staff and the employees of the House.