Evidence of meeting #22 for Procedure and House Affairs in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was vote.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Aleksander Essex  Associate Professor, University of Western Ontario, As an Individual
Nicole Goodman  Assistant Professor, Brock University, As an Individual
Pierre Roberge  President, Arc4dia
Michael Morden  Research Director, Samara Centre for Democracy
Ali Ghorbani  Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual
Guy-Vincent Jourdan  Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual
Clerk of the Committee  Mr. Justin Vaive
Andre Barnes  Committee Researcher

1:25 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Absolutely. I steadfastly believe there is an undeclared world war, practically occurring as we speak, against democracy and everything that it stands for. So yes, there are lots of people, both for profit and for political ideology purposes, around the world actively, 24 hours a day, trying to cause harm to Canada, as well as to others.

1:25 p.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

You talked about how those vulnerabilities exist on multiple different platforms. Is it a particular concern that we're using right now a platform that is under the potential influence of the Chinese government, with what we've seen in terms of back doors for technology with Huawei? There was a situation where the Chinese government built a building for the African Union that was found to be full of listening devices. There are so many different cases of influence. Is this a particular concern for you that you think we should be sensitive to?

1:30 p.m.

Liberal

The Chair Liberal Ruby Sahota

We're over time.

Next up, we have Madam Petitpas Taylor.

June 11th, 2020 / 1:30 p.m.

Liberal

Ginette Petitpas Taylor Liberal Moncton—Riverview—Dieppe, NB

Thank you so much, Madam Chair.

I also would like to take an opportunity to thank our witnesses who are with us today, with a special greeting and shout-out to Dr. Ghorbani, who is a fellow New Brunswicker as well.

First of all, this morning we heard from an esteemed panel group as well, and the representatives spoke to us about the importance of developing a cyber-incident response plan in the event that we had a threat that had been identified in an attempt to disrupt or compromise our systems. I am not an IT expert at all. I'm wondering whether all three of you could provide us with the elements that should be included in a cyber-incident response plan to ensure that we can better understand what that would entail.

Maybe I'll start with Dr. Ghorbani.

1:30 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

Thank you very much, and hello to you from New Brunswick.

Yes, the cyber-incident response plan is an integral part of any plan you must have in your organization when it comes to cyberspace and cybersecurity, that's for sure, but we also have to recognize that we have a fairly advanced group of people and infrastructure within the Communications Security Establishment that provide these kinds of services, and they're also in charge of CyberSecure Canada. So, yes, a collaboration between Parliament and CSE would make sure Parliament does have a cyber-incident response plan in place for things that might happen as a result of a breach in cyberspace.

1:30 p.m.

Liberal

Ginette Petitpas Taylor Liberal Moncton—Riverview—Dieppe, NB

Thank you.

Monsieur Jourdan.

1:30 p.m.

Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual

Dr. Guy-Vincent Jourdan

Yes, I will second what Mr. Ghorbani just said. We obviously need that. In Canada we have the kind of knowledge to gather this kind of plan and have it in place to end all that.

I would simply state the obvious, which is that it's not related to what we are talking about right now. It has to be in place right now, because you are already using technology to do all kinds of things. I think we want to look at the proposal on the table today in the context of what we have. We are not changing or introducing something crazy here, compared to what is already happening. I expect that plan to be in place right now, and I think we should maintain it and have it address this new situation.

1:30 p.m.

Liberal

Ginette Petitpas Taylor Liberal Moncton—Riverview—Dieppe, NB

Thank you, Mr. Jourdan.

Mr. Vickery.

1:30 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

The plan I would have in place, and if you do not, you need to get it in place, is one to immediately mitigate the compromise. Don't necessarily turn everything off, because you can lose valuable forensics that way, but segment and mitigate it. Have defined roles ahead of time so people know their job in an incident response situation, and they're not left guessing or checking with somebody else to see if they need to do this, that or the other.

If critical infrastructure is involved, communicate with federal-level authorities early on, very quickly, to see if you need to do anything to help their investigation. If they are investigating an advanced, persistent state actor, and you were to turn off systems immediately and lose some valuable forensics, it would be a tragedy.

I would do those things.

1:35 p.m.

Liberal

Ginette Petitpas Taylor Liberal Moncton—Riverview—Dieppe, NB

Thank you.

I have a very quick question. I know I only have about 30 seconds, so perhaps I'll get a yes or no answer from all three panellists.

We're not looking at creating anything very complicated. We're looking at moving forward with a voting system with respect to legislative votes that have already been done in public, that are being done publicly, and also looking at a hybrid system when we're debating in Parliament. Again, everything is public, nothing is confidential. Do you feel we have the technology available to do that securely?

Mr. Ghorbani.

1:35 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

Verify it in the end, but, yes, we do.

1:35 p.m.

Liberal

Ginette Petitpas Taylor Liberal Moncton—Riverview—Dieppe, NB

Mr. Vickery.

1:35 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Absolutely. It just has to be done correctly.

1:35 p.m.

Liberal

Ginette Petitpas Taylor Liberal Moncton—Riverview—Dieppe, NB

Mr. Jourdan.

1:35 p.m.

Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual

Dr. Guy-Vincent Jourdan

Yes, and it's inherent that it has to be done correctly.

1:35 p.m.

Liberal

The Chair Liberal Ruby Sahota

Thank you. That's all the time we have.

Mr. Richards, please go ahead for five minutes.

1:35 p.m.

Conservative

Blake Richards Conservative Banff—Airdrie, AB

Thank you.

Mr. Vickery, Mr. Genuis asked you a question and, unfortunately, time ran out. I'd like to give you an opportunity to respond to that question. Do you need me to restate it?

1:35 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Could you summarize it?

1:35 p.m.

Conservative

Blake Richards Conservative Banff—Airdrie, AB

Sure, I can do my best, and, Mr. Genuis, feel free to pipe up if you think I've mischaracterized it.

Essentially, what he was asking you about was the fact that we are using a platform right now where obviously there is a significant amount of control by state-owned Chinese involvement.

1:35 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I recall that.

1:35 p.m.

Conservative

Blake Richards Conservative Banff—Airdrie, AB

I'm wondering if you had any thoughts on whether that's something we should be cautious about and whether you would have concerns about that.

1:35 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I would not be talking about anything secret on this type of communication, because it's a public, open knowledge type of forum. It's probably okay, but I would not translate anything that needs to be kept confidential over this platform or any other commercial generic offering out there.

The Chinese side of things is a state-level concern, so it is elevated. I wouldn't say that they are the highest level of concern out there, but it is an elevated concern.

1:35 p.m.

Conservative

Blake Richards Conservative Banff—Airdrie, AB

Thank you. I appreciate that.

Given some of the testimony that we've heard here, some of the responses we've heard today—Mr. Brassard, I think, pointed to a report that we're seeing about some rather interesting things that have happened with Zoom—and the fact that some of the members of this committee have tried to get answers to this from the administration previously as well as from Zoom, I want to move a motion.

I'll read it slowly because then translation can keep up, so that it is in both languages.

I move:

That the committee order the House of Commons Administration to produce, no later than Monday, June 15, 2020, all contracts, master service agreements, licensing agreements and terms and conditions, including and in respect of data collection, use and disclosure of personal information and third party contractual arrangements that it has entered into with Zoom Video Communications, Inc. and any of its subsidiaries, affiliates or agents.

1:35 p.m.

Liberal

The Chair Liberal Ruby Sahota

All right.

You still have time on your questioning.

1:35 p.m.

Conservative

Blake Richards Conservative Banff—Airdrie, AB

I'm recognizing the fact that we don't have a lot of time with these witnesses and I don't want to use a lot of the time. I would like to see a vote on this motion, so perhaps we could proceed if there is any debate or proceed with the motion, because I would like to make sure that we don't steal any more time from witnesses.