Evidence of meeting #22 for Procedure and House Affairs in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Aleksander Essex  Associate Professor, University of Western Ontario, As an Individual
Nicole Goodman  Assistant Professor, Brock University, As an Individual
Pierre Roberge  President, Arc4dia
Michael Morden  Research Director, Samara Centre for Democracy
Ali Ghorbani  Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual
Guy-Vincent Jourdan  Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual
Clerk of the Committee  Mr. Justin Vaive
Andre Barnes  Committee Researcher

1:15 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

Fundamentally, this probably would be the case where the person does not use the proper equipment or system and software, so a third party could get in between, and the data in transit could be altered or changed, etc. That's how I can see it from the human perspective: an error to allow a vote to be altered and changed. It also makes a good understanding from the perspective of a person to be educated about encryption and how, from her end, data can be encrypted and sent to the other end so that the data in transit will not be altered, changed or grabbed. That's how I see it from the human perspective: errors that could be made.

1:15 p.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you very much, Professor Ghorbani.

Madam Chair, it appears that my time is up.

1:15 p.m.

Liberal

The Chair Liberal Ruby Sahota

Next up is Ms. Blaney, please.

1:15 p.m.

NDP

Rachel Blaney NDP North Island—Powell River, BC

I want to thank all the panellists for being here with us today as we discuss this very important matter.

I would like to bring the first question to Mr. Jourdan. We are hearing from some of our witnesses today and heard in our last report that the security of virtual Parliament operations is not purely technological. There are human considerations that need to be accounted for.

Do you think members and staff should be involved in the development of a remote voting solution? What kinds of training and protocols need to be in place for the human element of remote electronic voting to be done safely and securely?

1:15 p.m.

Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual

Dr. Guy-Vincent Jourdan

Yes, absolutely. I come to this debate as a technologist, so I have a technological point of view, but there is absolutely no question that a good system is going to involve non-technical people and users in the first place. So yes, I absolutely agree that this is not something that should be done just by IT folks.

I was just saying that in terms of training, of course, it would be fundamental to have regular training and updates. Such a system is going to be.... We uncover problems all the time, so a system like that would have to be agile. They would have to give upgrades regularly, and that means that people would have to be retrained constantly. That has to be taken into account. That has to be part of the plan.

1:15 p.m.

NDP

Rachel Blaney NDP North Island—Powell River, BC

I couldn't agree more.

Mr. Ghorbani, do you have anything to add to that?

1:15 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

Sure. I think what is important to recognize here is that when we talk about training, it is not that IT people are always being trained or that they have to be in front of people to train them. We need to bring people with all sorts of expertise into the conversation, such as groups from business, law, education and the humanities, including sociology and psychology. They are all important elements when we talk about awareness programs in cyberspace. If there is a training program and it's going to be an ongoing kind of program, you want to involve these kinds of expertise as part of developing the contents and delivering the finished project.

1:20 p.m.

NDP

Rachel Blaney NDP North Island—Powell River, BC

One of the concerns I've had through this process is that we have a very large country, and connectivity in some of our ridings is a concern. I think addressing that issue is really important. Part of having all MPs participate, especially those of us who are in more remote ridings, is that it simply makes sense. We'll be able to identify any gaps.

I'm wondering if you have any suggestions on who we need to include and whether all MPs should be included in the process.

1:20 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

To my mind, if you're asking me, all MPs should be included in this process.

A couple of years ago, we were in front of a few MPs to show them how easily they could be attacked or hacked through their phones or their laptops. It's important that all MPs get the training, and also continuously get the training. As we know, we are continuously getting new types of attacks. There are new types of phishing and new ways of manipulating and spoofing and so on.

It's important to have everyone involved.

1:20 p.m.

NDP

Rachel Blaney NDP North Island—Powell River, BC

Thank you.

Mr. Ghorbani, and then Mr. Jourdan, comparing the digital security of different methods of recorded or roll call votes, how would you compare video voting through a video conference platform with remote electronic voting on a House of Commons-managed device? Are they both safe?

1:20 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

To me, they are as safe as they can be right now. They are safe, but as I said, the only thing I'm concerned about is the verifiability issue. There has to be a plan in place by the House in order to verify the total tally, the details of the tally, and also the availability issue. As you mentioned, for many people who are in different ridings and who may not have good connectivity, a small-scale denial-of-service attack could actually easily prevent people from voting.

Both technologies do suffer from both items that I mentioned: verifiability and availability.

1:20 p.m.

NDP

Rachel Blaney NDP North Island—Powell River, BC

Mr. Jourdan, do you have anything to add to that?

1:20 p.m.

Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual

Dr. Guy-Vincent Jourdan

Yes. I would like to go back to your point about bandwidth. I think there is one difference between those two approaches. That is, in the system we're talking about with a dedicated messaging system, a dedicated voting system and a dedicated video conference system, the one that is hungry for bandwidth is the video system. So I would be a bit worried about putting the vote part onto that. It's the one that's most likely to break if you have poor bandwidth.

I would also echo my colleague's comments regarding the availability. In terms of security, if I had to identify what would be of topmost concern to me, because of the context of these votes, I think availability would be of most concern. It would be quite difficult to change someone's vote so that no one saw that, but it would probably be easier to prevent the voting in the first place.

That probably would be a good place to focus the attention.

1:20 p.m.

Liberal

The Chair Liberal Ruby Sahota

Thank you so much, Dr. Jourdan.

Next, from the Conservatives, we have Garnett....

How do you pronounce your last name? I still hear it pronounced a couple of different ways.

June 11th, 2020 / 1:20 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

It's “Jen-us”, typically. It's an unfortunate anglicization from the original Maltese. You know, “Jen-o-eez” is the original Maltese. I hope this doesn't cut into my time, but I could explain the origin of my last name.

1:20 p.m.

Liberal

The Chair Liberal Ruby Sahota

Next time.

1:20 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Next time we have one of the longer sessions that we have from time to time in PROC, I will go into more detail on that.

1:20 p.m.

Liberal

The Chair Liberal Ruby Sahota

Absolutely.

Mr. Genuis, you have five minutes, please.

1:25 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Okay. I'll be briefer than usual.

Mr. Vickery, it was interesting to hear your discussion of a method that would work for voting that would be secure. Of course, here we're concerned about two possible kinds of vulnerability. One is the issue of foreign interference, of hacking. You explained how that risk is mitigated with the method that you've proposed.

There is another kind of risk, however, and that's MPs effectively giving up what is supposed to be their responsibility for voting. They might hand over the device you've discussed to a member of their staff or a member of the whip's staff. They might say, “I'm going on vacation for the next couple of days. Just vote the party line.” This sort of thing theoretically would involve the active co-operation of the member, but would still be something that would be very inappropriate. We'd want to make sure there was a system to prevent that from happening, because it's the responsibility of members to vote, to be seen to vote, and to vote themselves, whatever influences are taken into consideration.

Does your proposed method of a prescribed piece of technology do anything to address that possible risk of someone giving the device to somebody else to vote for them, forwarding email codes and those kinds of things?

1:25 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Absolutely. In order to have that happen, the proxy person, or whoever, would have to physically be in the residence in order to have the IP address that it is sent from and known ahead of time to be received from. That validates, at least from a physical perspective, that where that IP address is located is at their home. Then you would have them confirm via a phone call, using their own voice, within a specific window of time. You know their phone number. Their number can't theoretically be spoofed. That's illegal, I would assume, in Canada as it is in the U.S. So, you not only have voice, phone number and specific IP address, you can add in other identifiers that are specific and unique.

1:25 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Just so I understand, then, you're saying that basically the only way to go forward with this is to have those multiple levels of redundancy. You have the direct piece of technology. That has to be tied to a location as well as some kind of voice verification. All of those levels of checking would be necessary to achieve the result that you're talking about.

1:25 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I would summarize it as a second band of confirmation, some sort of non-connected secondary confirmation method that is out of the original network.

1:25 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

It's interesting because we're already doing some of this. We have supposedly in-camera meetings of PROC that have happened on the Zoom platform with nothing resembling that level of background here. It seems that, based on your testimony, the systems that we have in place are so far behind in terms of essentially assuming that we can just use Zoom and call it in camera and everything would be fine.

1:25 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

It may work. But over time, it will head south as far as integrity and belief in the system go. It will only degrade.

1:25 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Some people out there might be wondering: Is this actually really a concern that people want to interfere with these kinds of meetings? It's worth members looking at the 2019 report of the intelligence committee of parliamentarians, which shows that there are major, growing issues of foreign-state interference and that Canada is, frankly, way behind on being aware of and responding to and coordinating these issues.

Could you maybe just underline whether it is a realistic concern that there are actors, foreign states, trying to interfere in our democracy that would have an interest in identifying these security vulnerabilities and exploiting them?