Evidence of meeting #22 for Procedure and House Affairs in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was vote.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Aleksander Essex  Associate Professor, University of Western Ontario, As an Individual
Nicole Goodman  Assistant Professor, Brock University, As an Individual
Pierre Roberge  President, Arc4dia
Michael Morden  Research Director, Samara Centre for Democracy
Ali Ghorbani  Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual
Guy-Vincent Jourdan  Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual
Chris Vickery  Director of Cyber Risk Research, UpGuard, As an Individual
Clerk of the Committee  Mr. Justin Vaive
Andre Barnes  Committee Researcher

12:25 p.m.

NDP

Rachel Blaney NDP North Island—Powell River, BC

Thank you.

I believe that's my time.

12:25 p.m.

Liberal

The Chair Liberal Ruby Sahota

Thank you, Ms. Blaney.

Thank you to all of our witnesses today. We have heard very insightful information from the professors and both of the organizations that have come before us today. We are very grateful.

I think this panel has got us down to the core of what we are trying to study, so it was extremely helpful for us in putting together the report.

We will take about five minutes or so to clear these witnesses, and then bring in our new witnesses, and do some checks for them.

12:35 p.m.

Liberal

The Chair Liberal Ruby Sahota

Welcome back. We're going to get started. I would just like to ensure that everyone is in the gallery view at the top right-hand corner. You can switch between speaker view and gallery view. We'd prefer if you stayed on gallery view so you can see all of the members in the committee meeting.

I'd like to make a few comments for the benefit of the new witnesses before us.

Before speaking, please wait until I recognize you by name. When you are ready to speak, you can click on the microphone icon to activate your mike. Please let us know if you're not familiar with the Zoom application, and we can walk you through some of the features.

I remind everyone that all comments should be addressed through the chair.

Interpretation works just as it does in a regular meeting, if you have appeared before a committee before. You'll have a choice at the bottom of your screen of floor, English or French. As you are speaking, please select the language you are speaking in.

We have simultaneous interpretation. Please make sure, in order to make the lives of the interpreters a little bit easier, that you're speaking slowly and clearly and that you have the right language selected at the bottom of your screen.

Also, please ensure that your mike is on mute when you are not speaking. For quicker interactions later on, when we get to the question-and-answer portion of the panel, you can use your space bar to unmute your mike. Pressing down on the space bar unmutes the mike temporarily. That would be for quicker interactions. However, for your opening statements, I would suggest that you unmute using the icon.

I think you've all been told about headsets. They do improve the quality of the sound, especially for the interpreters, who have to concentrate quite a bit in order to provide the interpretation, so if you have a headset, please wear it.

I'd like to welcome the witnesses before us today. We have academics, and it's really great. Even in the previous panel we got a lot of valuable information from the professors who came before us.

We have Mr. Ghorbani, professor and director at the Canadian Institute of Cybersecurity, University of New Brunswick. We have Mr. Jourdan, professor of computer science, faculty of engineering, University of Ottawa. We have Chris Vickery, director of cyber risk research at Upguard.

Welcome, everyone. Thank you so much for being here today.

We'll have seven-minute opening statements from each of the witnesses, starting with Dr. Ghorbani.

Go ahead, please.

12:40 p.m.

Ali Ghorbani Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Honourable members of the Standing Committee on Procedure and House Affairs, thank you for inviting the Canadian Institute for Cybersecurity at the University of New Brunswick to speak today about cybersecurity considerations relating to the establishment of a hybrid Parliament.

My name is Ali Ghorbani. I am a professor of computer science, a tier one Canada research chair in cybersecurity, and the founder and director of the Canadian Institute for Cybersecurity.

Cybersecurity and privacy, once issues only for technology experts, have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem; it's a business problem; it's everyone's problem. The weakest link in cybersecurity is now people, not devices. Here at the Canadian Institute for Cybersecurity, we think that the human factor is considered the biggest threat to cybersafety, and we strongly believe that cybersecurity requires multidisciplinary and human-centric solutions.

The Canadian Institute for Cybersecurity is one of the first institutions to bring together researchers from across the academic spectrum to share innovative ideas and carry out groundbreaking research into the most pressing cybersecurity challenges of our time. We have been doing research and development and entrepreneurial activities in this area non-stop for over two decades. We have developed multiple practical network security solutions, and our research has led to the establishment of several companies. Currently, the institute has a team of 60 researchers, technical staff and graduate students, and a state-of-the-art architecture and infrastructure.

The science of cybersecurity is about managing risks and avoiding surprises. There will be security risks with any online communication platform. In the “Virtual Chamber” report of May 7, 2020, it is written:

Members who wish to participate remotely will connect using a videoconferencing platform integrated into existing on-premise technologies.

Let me briefly highlight the security and privacy issues in relation to the proposed platform from two perspectives: users and organizers.

On the user side, the first issue is awareness of cybersecurity. The remote participants who use the platform for virtual sittings must be aware of the security risks associated with the use of online video conferencing platforms or, if not, must be trained for such. The goal is to avoid issues such as installing platform software from an unofficial site, which can be malware; phishing scams asking to join video conferences, which steal credentials; and overprivileged video conferencing application by using the web version, which sits in a sandbox in the browser when possible, instead of installing an application.

The second issue is technical issues for remote access. The remote participants who use the platform for virtual sittings must have satisfactory assets for remote access or, if not, must be provided with such. The goal is to avoid issues such as hardware shutdown during connection due to power outage, which can be considered as an availability issue; slow connection and breaking during meeting, which can be considered as an availability and/or integrity issue; and vulnerable webcams, which can be accessed by unauthorized users and can be considered as confidentiality and privacy issues.

On the organizer side, the first issue is trusted computing based on trusted hardware. With regard to the proposed integration of a multimedia system with video conferencing and a voting system, it is known that a system is as secure as its weakest link.

Furthermore, computing hardware has security issues, such as branch direction prediction attacked by Spectre.variant 1. Therefore, it raises the need to use trusted hardware such as trusted platform module, TPM, also known as ISO/IEC 11889, which is a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

The second issue is verifiable software. The software integrated in the virtual chamber must be verified, or if not, it must be open sourced, such as Helios for online elections system, or openly reviewed such as a Zoom proposal for end-to-end encryption for video conferencing.

The goal is to avoid software vulnerabilities, such as meeting bombing when an unauthorized person joins a meeting; client application chat issues, malicious links and arbitrary file write; and security risks related to operating systems of the video conferencing platform and user management system.

Last but not least, the third issue is secure cloud and networking technologies. The network integrated to the virtual chamber must be private, or if not, it must be secured. The goal is to avoid cloud and network vulnerabilities, such as security risks related to streaming video, such as stream grabbing and uploading; and security risks related to data routing, such as route manipulation and route hijacking, which requires that the integrated platform must offer the ability to choose through which region of the world their data would be routed.

With that, thank you again for inviting me to be with you today. I look forward to your questions.

12:45 p.m.

Liberal

The Chair Liberal Ruby Sahota

Thank you, Dr. Ghorbani.

Next we have Mr. Jourdan.

June 11th, 2020 / 12:45 p.m.

Guy-Vincent Jourdan Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual

Madam Chair, ladies and gentlemen members of the committee, thank you for inviting me to appear before you.

My name is Guy-Vincent Jourdan. I am a professor of computer science at the University of Ottawa's Faculty of Engineering. My research topics include software security and cybersecurity. Over the past few years, I have worked specifically on cybercrime and cybersecurity, in collaboration with IBM.

Is there a reasonably secure way to implement a hybrid Parliament in Canada, including a remote electronic voting system based on the report produced in May here titled “Virtual Sittings of the House of Commons”? I think so, as long as we are given the means to do so.

Of course, it is difficult to be very specific without an in-depth preliminary study whose conclusions would not fit into seven minutes anyway, but here are a few important points, in my opinion.

Concerning parliamentary discussions and debates, a number of key elements facilitate the process. First, our Parliament has an existing and effective security structure, recognized as such, and competent staff we can count on. Secure communications among members, secure infrastructure, control of devices used remotely and the software installed on those devices have all existed for a long time.

In addition, the situation we are facing is global and the needs are similar everywhere else. For example, I know that Brazil, Spain, the United Kingdom, Wales and the European Parliament have all set up forms of virtual Parliament, some with a remote electronic vote. So it is feasible, and we can, therefore, also benefit from the feedback and lessons learned around the world.

The idea of virtual sittings and remote votes may be relatively new for many parliaments and governments, but we shouldn't forget that those systems have been used for a long time in the private sector to handle daily business, organize confidential meetings and boards of directors or to vote at shareholder meetings.

Video conference software, in particular, has been the subject of security analyses for a long time. For instance, the NSA recently published and has been updating a document containing the important points on selecting and using that software, such as end-to-end encryption, multifactor authentication or the use of certified and controlled devices.

In that report, a number of solutions are positively assessed, such as the solutions provided by Microsoft or Cisco, or the Zoom software, which we are using now.

However, there is more to the issue than choosing a video conferencing software. Parliament certainly needs to be able to debate, but it also needs to be able to call for a vote, vote and have confidence in the result of the vote. It must be possible to respect the rules and adapt them as needed.

The Internet vote is an issue in itself. I think that we can generally say that the IT security community is not favourable to it, as the challenges are too great, the risks too high and the benefits dubious. That said, once again, we have to look at what we are talking about. The parliamentary vote is not the same thing as the Internet vote in general.

One of the fundamental differences, first and foremost, is that it is a public ballot, which, of course, considerably facilitates the problem resolution. The result can be widely disseminated, and everyone can know how the votes were counted.

Moreover, the electorate is very small, and every member is known. The devices used for the vote are controlled and managed by the parliamentary technical staff. Members can also be provided with tailored training and support. Finally, the benefit of such a vote seems clear, at least right now.

We can imagine that the system will be a combination of an accredited video conferencing system, a secure communication system and a voting system, possibly integrated into one of the two systems, but not necessarily.

During normal proceedings, the member will be asked to vote through a secure communications system. During the vote, a biometric authentication will take place, and a number of receipt orders will be published immediately. Procedures will have to be implemented to manage abnormal situations, such as connectivity losses and handling errors.

To maximize the likelihood of success, it must first be ensured that the devices used are managed and controlled by the technical team, as well as verified, certified, updated, secured, and so on. As far as I understand, that is already the case.

Next, it must be ensured that the software used comes from a certified supply chain, that it has been verified by independent teams and continues to be verified regularly, that it has adequate certifications—such as FIPS-140—and that it is kept up to date. Once again, my understanding is that this is also currently the case.

The system will need to be integrated into the existing parliamentary infrastructure: multifactor authentication mechanisms, a virtual private network, cloud architecture, and so on.

What is more, registries will have to be produced and maintained in a secure manner at every possible level to be able to respond to and remedy any real or perceived issues. Clear and effective procedures will have to be implemented to define the steps to follow in case of problems and to ensure that the sitting can continue.

Finally, the proposed solution will have to be reviewed and critiqued regularly by independent specialists from the private and academic sectors. Ideally, the solution will be made public.

None of this seems out of reach to me.

Thank you.

12:50 p.m.

Liberal

The Chair Liberal Ruby Sahota

Thank you.

Mr. Vickery.

12:50 p.m.

Chris Vickery Director of Cyber Risk Research, UpGuard, As an Individual

Hello, and thank you for inviting me to provide my thoughts and to answer questions on this very important and very interesting time we are in.

The solution that I have worked out, I believe, is minimal on effort required and maximal on trust. I think that with a parliament-style vote where there are only a few hundred people, it is definitely possible to be absolutely confident in the result that is shown, and here is how you do it.

I am not in favour of web-app-based solutions, video voting, or things that require a phone display, primarily because those things can be programmed to lie and display things that are not true to both sides. It's just something that is not going to be overcome any time soon. Even if the implementation is secure and safe, the fact is people who use their phones for other things are going to be continually taken advantage of in the general public, and we're going to see report after report in the general sense about phones being insecure. That will degrade the integrity of these official votes that are being done through phones, even if they're being done in a secure way. That is something that is also not going to be overcome.

What I would suggest as a solution involves a separate physical piece of hardware that is plugged in and requires no training whatsoever. I have an example of one right here. You plug it in with the regular ethernet to any member's home, whatever, and it is set with software that already exists to transmit but not receive.

The benefits of this are that an adversary would have to know the precise window of time that the vote is happening. They would have to compromise the ISP transmission. They would have to have the decryption capability already figured out and the preloaded key known in advance. They would have to be able to change or modify the packet that is sent instantaneously. That can be checked, because there are time stamps on the transmissions. You calculate how long it took for a transmission to go from a member's location to the official place of the vote being received. Through math, logic and physics, we can figure out if it was physically possible that it made it that quickly or if that transmission was unreasonably slow, which would suggest that it had been intercepted and modified, repackaged and sent. You can get an average heartbeat signal going, and as long as it arrives within that specific time frame and reasonability, you can be fairly sure of the result.

The important other factor is a secondary outside band confirmation. I would suggest that you then have the member on their telephone call a specific line to verify, validate or confirm what their vote is, so anybody trying to alter a vote or manipulate things would have to have all that previous knowledge and be able to instantaneously change something in a way that requires calculation and time. They would also have to compromise the phone carrier and impersonate the member at the exact window of voting on that confirmation call.

All of this requires zero training on the part of the voting member. It is maximally and logically verifiable, and it is minimal on cost. The technology already exists to do it.

Thank you.

12:55 p.m.

Liberal

The Chair Liberal Ruby Sahota

Thank you, Mr. Vickery.

We're going to head into the question portion of the panel.

We'll begin with Mr. Brassard for six minutes, please.

12:55 p.m.

Conservative

John Brassard Conservative Barrie—Innisfil, ON

Thank you, Madam Chair.

First of all, thank you to all the panellists today. You've given us very interesting information.

I want to get your opinion on the Zoom platform. Parliament has gone all in, as have a lot of other businesses, with this particular platform. As it relates to not just voting, but overall security of the platform, we're hearing today in a story from the Associated Press about censorship issues with China.

In the previous study we did, we were told that a lot of the data transmits through servers in Vancouver and Toronto, at least for business that's done in Canada, but there's seemingly no guarantee that that can happen. When the company was asked about what happened with respect to Hong Kong, it refused to comment on that.

Mr. Vickery, I'll start with you on the Zoom platform and your confidence. Obviously, a G7 country is a valuable target for state actors and non-state actors as well, so I'm just interested in your comments on the Zoom platform.

12:55 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

These comments are good for any similar commercial offering, not necessarily specific to Zoom but including Zoom. I would not do anything secret over Zoom or any other similar platform. You cannot be certain that there are not going to be adversaries listening or intercepting, or even changing packets and communications, because you don't know who is the third party contractor who may have access either overtly or covertly to something that widespread. It is just not trustworthy for anything of a high security nature.

1 p.m.

Conservative

John Brassard Conservative Barrie—Innisfil, ON

Mr. Ghorbani, do you have comments in regard to that?

1 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

I will say similarly that Zoom is not unique in terms of security flaws. Any video conferencing platform would have issues. Zoom became famous with the Zoom bombing, etc., that happened recently, but they at least have openly reviewed a proposal for end-to-end encryption that would be sufficient for at least the integrity of the data moving between the two ends.

In the end, I think your guess is as good as anyone else's. You could say Microsoft Teams has better security. At least they advertise it as having better security, and it appears to have good security in place, but all in all I think they are all going to be in the same group as being vulnerable to any third party type of attacks, networking, etc.

I did mention at the end of my seven-minute opening statement that the routing of the data is awfully important. Definitely Parliament should make sure how the data is routed and which part of the network the data actually ends up travelling through.

1 p.m.

Conservative

John Brassard Conservative Barrie—Innisfil, ON

Thank you, Mr. Ghorbani.

Mr. Vickery, there are a couple of points I would like to make.

I'm very interested in the separate physical piece of hardware, the component you spoke about. I'm interested in how you see that potentially working.

I also want to bring you back to 2018. You talked about the idea of phone and Internet elections, and I will quote from when you were before the ethics committee:

Stay away from that. Use paper ballots with audit trails. As long as you're using paper ballots with audit trails, you're relatively on the right track.

Do you still stand by that view? Would your concern also extend to legislative voting in Parliament as well? There are two points there I would like you to address.

1 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

I absolutely still stand by that statement. The context was in a nationwide election with millions of people involved. If you're dealing with 200 to 300 elected officials, it is feasible to have them vote, and to confirm those votes, and to do so in a secure enough way that you can be confident in the result being accurate. It is much different when you're doing it with millions of private citizens.

1 p.m.

Conservative

John Brassard Conservative Barrie—Innisfil, ON

On the issue of the separate physical piece of hardware that you referred to, what type of hardware would you be using? Would it involve an application? What's the potential cost?

I assume it's in development somewhere, but what would be the actual cost to implement that type of program? Can you expand further on that, please?

1 p.m.

Director of Cyber Risk Research, UpGuard, As an Individual

Chris Vickery

Well, this little thing right here is actually outdated. That's what I'm using as an example. It's a Packet Squirrel. It costs $30 commercially to buy one of them. I'm sure you could get a whole bunch of them at a bulk rate. It is sold online. I have no financial ties to it. I don't stand to benefit from it whatsoever.

I'm saying basically it is a network tap type of device. You just plug it in and it is connected to the network. It has software that runs on it that is configurable by you. You can set it to communicate with only one specific IP address, and set it to communicate in a way that it does not receive commands and only sends them.

1 p.m.

Conservative

John Brassard Conservative Barrie—Innisfil, ON

Okay.

The other issue you spoke about as well is the delay in a response to the actual vote. Can you provide a clearer—

1 p.m.

Liberal

The Chair Liberal Ruby Sahota

Unfortunately, that's all the time we have.

Do you want to get out the rest of your question? Maybe it could be responded to later.

1 p.m.

Conservative

John Brassard Conservative Barrie—Innisfil, ON

How could the delay be measured? What examples would our security team or IT team on the parliamentary side be looking for more specifically when it came back to them?

Thank you, Madam Chair.

1:05 p.m.

Liberal

The Chair Liberal Ruby Sahota

Maybe one of your colleagues can pick that up as well.

Mr. Turnbull.

1:05 p.m.

Liberal

Ryan Turnbull Liberal Whitby, ON

Thank you, Madam Chair.

Thanks to all the witnesses. I really appreciate the expertise you bring to this panel.

I want to start by mentioning the two doctors, Dr. Essex and Dr. Goodman, whom we had on this morning's panel. They made a very clear distinction between general election online voting and parliamentary online voting. They pointed to the fact that parliamentary online voting is a matter of public record. It relies on the federal government's cybersecurity infrastructure and the capacity our federal government has for training MPs.

Mr. Ghorbani, you mentioned in your opening remarks that people are the weakest link, and you stressed the importance of training MPs in any online or virtual proceedings so people are aware of the risks. Do you want to talk further about how we should do that moving forward, assuming we move forward with some form of online voting?

1:05 p.m.

Professor and Director, Canadian Institute for Cybersecurity, University of New Brunswick, As an Individual

Ali Ghorbani

First, I think the issue of awareness has to be a continuous agenda within Parliament to make sure that every so often the members are aware and trained about the new issues and problems that come up. It's not one-time training and you're done with it.

Second, I would disagree to some extent that it really doesn't matter when it comes to general election online voting or parliamentary online voting. The two main issues in online voting are verifiability and availability, or you don't end up having a case where people cannot vote, or you want to verify their vote. It was mentioned also that maybe a phone call afterwards should be used to verify. The size is not important here; it's more that you want to make sure that a vote is done properly and is verifiable in the end.

Again, I want to emphasize your point. I'm a big proponent of the awareness issue of programs within different departments in the government, and Parliament would be no different.

1:05 p.m.

Liberal

Ryan Turnbull Liberal Whitby, ON

Thank you.

Mr. Jourdan, you outlined quite an important list of points. I tried to write them all down, and I'm not sure if I got them all, but it sounded like you were very firmly in the camp that says this online voting is doable, based on what you know of much of the IT infrastructure, the cybersecurity infrastructure, that we have currently. Would you say that's true?

1:05 p.m.

Professor of Computer Science, Faculty of Engineering, University of Ottawa, As an Individual

Dr. Guy-Vincent Jourdan

Yes, that's correct.