Procedure and House Affairs Committee on June 11th, 2020

Good morning and thank you, Chair.

Thank you for this opportunity to speak to the committee.

As I was preparing for this statement, my son reminded me that a group of owls is called a parliament, so let me say what a hoot it is to be here this morning.

My name is Aleksander Essex. I'm an associate professor of software engineering at Western University. My research is in cybersecurity and cryptography, but my expertise is in the cybersecurity of elections.

I've studied cybersecurity issues of online voting extensively in Canada and abroad. I frequently share these findings with election agencies and commissions, municipal councils and associations. I co-authored the 2013 cybersecurity analysis of vendor proposals for the City of Toronto regarding their online voting RFP. I led a cybersecurity study of online voting use in the 2018 Ontario municipal election. In February I spoke at the New South Wales parliamentary committee on electoral matters about their online voting system. Next month I'll be speaking to a Northwest Territories legislative committee about their new online voting system.

More recently, I've been working with Dr. Goodman—who's speaking next—to try to advance the cause of cybersecurity standards for online voting in Canada. Our country actually has one of the highest rates of online voting use in the world, but somehow we have no standards for any of it. As you can imagine, this has led to a number of troubling incidents and, in my opinion, a very intolerably high cyber-risk exposure.

I've seen a lot of bad voting technology in my time, so back in March, when Dr. Goodman and I heard that Parliament was studying the issue of remote legislative voting, we wanted to get out in front of any potentially dubious proposals, such as the EU Parliament’s idea to use email for voting. We wrote an article in Policy Options to try to provide some food for thought. It was interesting, because although the article was about how to do remote legislative voting in a safe, cyber-conscious way, all the feedback we received revolved around the importance of parliamentary tradition.

I agree that parliamentary tradition is really important, but our present circumstance isn't exactly traditional. The Globe reported this week that there have been 38 regular sittings of the House in the past 12 months. That's not tradition. There were 30 members voting on historic spending measures. That's not tradition. All the members were meeting in a kind of supercommittee but not actually voting. That's not tradition either.

Here we are. What are we going to do?

The good news is that remote legislative voting happens to be a way easier technical problem than online voting for general elections. There are a couple of good reasons for that. One is that unlike a general election, Parliament can support MPs with secure technology and training. Most importantly, legislative votes are not secret. They're a matter of public record. That means you can go back and check what was recorded. It means you can actually detect when things go wrong.

Here's where we have to be careful: It's not enough to be able to check. You need to actually do it, and you need to have procedures in place so that you know what to do when things go wrong.

This might seem like a totally obvious statement, but it's actually not. I mean, it should be, but our experience has demonstrated, time and again, a kind of bias in the election world to, frankly, only prepare for disasters after they've already happened. We're saying let's not wait. Let's anticipate. Let's build it right from the beginning.

Let me give you an example. Six months before the 2018 Ontario municipal election, I did a story with CBC about how I was worried that the cities that were doing online voting didn't seem to have a cyber-incident response plan. Imagine the Internet goes down on election night; what are you going to do? What's your game plan? CBC then went and interviewed a number of city clerks. Several of them admitted that they actually didn't have a plan. One even literally said that they were hoping nothing happened.

What do you think happened? One of the online voting vendors accidentally didn't provide enough bandwidth. The online voting websites of 43 different cities, accounting for almost a million voters, went down on election night, and 35 of those cities used emergency measures to extend the voting period by 24 hours. It wasn't just that these cities didn't have a plan in place. It's that they didn't think it was enough of a risk to even have a plan for it.

You might think that this was just a fluke, but a similar situation happened in New South Wales last year, which is why I was testifying there. I was telling them about what happened in Ontario because it was related. Their registration went down on the eve of the election. You might think that this is all good, that this all applies to general elections, that legislative voting is different. However, just last week in Sarnia, Ontario, a city council vote actually passed by mistake. It turns out that the world “disagree” sounds exactly like the word “agree” if the first syllable drops out in a glitchy Zoom connection.

Fortunately, the staff was on the ball, and they caught it this time, but what about next time? Obviously, we need procedures to make this kind of checking repeatable and, by the way, part of the ultimate eventual tradition.

We have only touched on accidents and mistakes, but we're also worried about deliberate efforts from advanced persistent threat actors like nation states. We have seen these kinds of advanced threat actors living in the IT infrastructure of our cities. If they're willing to spend months mapping out a system for a few thousand dollars of potential ransom money, imagine what they could do to an election. Then, why even hack an election when you could just hack the law itself?

Let me conclude by summarizing a few takeaways. Secure, remote online voting for non-secret parliamentary divisions is doable, but it has to be done right. There have to be procedures for detecting errors, whether they are due to hacking or accidents or disasters. Someone has to be responsible for checking that an MP's vote was correctly recorded. There have to be procedures for granting opportunity to recover from that error, and we have to confront our temptation to think that nothing is going to happen.

I heard that people were talking about tornadoes last night and windows blowing open, and these sorts of things don't happen until one day they do.

Madam Chair, thank you for letting me share these thoughts with you. It would be an honour to answer any questions the committee may have.

Thank you.

Good morning. I’d like to begin by thanking the chair and members of the committee for the invitation and the opportunity to speak today and share my research and thoughts.

I've spent the past 11 years working in the area of electronic voting, both within Canada and internationally. This work has involved leading and coleading projects to examine the effects of remote online voting in the context of municipal elections, indigenous elections and a range of political party votes. Beyond social and political effects, I have been looking at the cybersecurity of digital voting from a policy perspective and exploring regulatory possibilities. Much of this work has involved collaboration with my colleague Dr. Essex.

Today I’d like to make four specific points: one, why online voting works for legislative voting; two, the types of remote electronic voting that could work in a legislative context and which one is best for Canada’s House of Commons at this time; three, how this work could make the legislature more flexible and accessible in the future; and four, some opportunities for thought leadership.

To begin, I’d like to provide the committee with some context about the core debate surrounding voting remotely over the Internet.

There are two primary sides of the debate, which usually focus on deployment in public elections. On the one hand, there are arguments for the benefits of online voting, such as enhanced accessibility, convenience and increased turnout. These benefits have been documented in municipalities and first nations in Canada. On the other hand, however, there are concerns about the cybersecurity and privacy of the vote. In some instances, online voting trials supporting public elections have been halted or cancelled due to security concerns or the detection of vulnerabilities. Two examples include a system in Switzerland and one in New South Wales, Australia.

This debate is relevant for the committee’s consideration because remote online voting can support Parliament to continue during the pandemic without sacrificing representation and the inclusion of members. At the same time, there are unique characteristics about legislative voting that make remote online voting possible and the cybersecurity more solvable than in public elections. As my colleague mentioned, the reasons for this are outlined in our brief to PROC: An MP’s vote is a matter of public record, and the federal government has the resources and capacity to support the cybersecurity infrastructure and implement necessary policy and procedures.

Based on our review, there are four main types of electronic voting that could enable remote voting for MPs. There's email voting, where members receive a ballot form electronically via email and submit their votes via email. This approach is being used in the EU Parliament. There's web-based voting, which is used in public elections and party votes in Canada. This involves ballots being accessed and cast via a website. An example of this is the U.K. House of Commons' MemberHub system. There's application-based voting, where members download an application to access and cast ballots. The Chamber of Deputies in Brazil has taken this approach. There's also video voting, where members vote via video by a show of hands or by voice. This is being used by local councils across Canada. Belgium, for example, is also using this for its committee votes.

All of these approaches have benefits and challenges, with email voting being the least secure and posing the greatest risk. In a legislative context, video voting presents probably the best or most usable solution for regular non-anonymous parliamentary votes. There are some benefits to this approach: It poses less risk, although there are still risks that need to be managed; it is the easiest to deploy and requires less technology; and it interfaces more closely with the parliamentary tradition of standing in the House.

Implementing video-based voting would require establishing some procedures. Here are some examples.

One is establishing whose responsibility it is to watch and record a vote. This could include staff members, MPs, party whip offices or perhaps a special segment of staff who support digital House matters. One consideration here is to think about putting a process in place where votes are double verified either by two individuals or across two different areas.

Another example would be mandating neutral backgrounds in video conferences to ensure that there are no images in the background that could send messages or carry a partisan tone that couldn’t be visually signalled in the legislature.

A third example would be allowing the Speaker to call for a revote in the case of technical errors. This was a procedural change introduced in the U.K., for example.

This does not mean video voting is without challenges or would work in all contexts. Anonymous votes, for example, would not replicate well on Zoom.

My third point has to do with making the legislature more flexible and accessible. Enabling a system for remote online voting could have future benefits in keeping legislative business moving in times of crisis, such as with COVID-19, climate change and future viruses, and in the context of accessibility for individual MPs.

The option of remote online voting could provide MPs with improved access to voting under special circumstances, such as in situations of maternity leave or parental leave following the birth of a child; in times when an MP's constituency is faced with a specific crisis, and they are torn between being in their community or advocating for their constituents' interests in Ottawa; or in cases of sickness where a member is not able to physically attend the legislature.

This committee considered proxy voting and electronic voting in 2016 as part of a study on how to make the legislature more family-friendly. However, no recommendations were made at that time. Other legislatures, like the U.K. House of Commons and Australia's House of Representatives allow for proxy voting for new parents, while Canada's House of Commons currently requires a member to be present in the chamber to have their vote recorded.

I understand that witnesses have been unanimous that the committee consider these changes for the pandemic only. However, thinking about how such a system could enhance the participation, representation and inclusion of members in certain circumstances is part of modernizing the legislature.

In closing, while the committee does not have to engage in a typical online voting debate, we see with regard to public elections, it does have to engage in its own debate about maintaining parliamentary tradition versus modernizing to become agile in uncertain times.

Finally, there are two opportunities for thought leadership. The committee's work in this area on policies and procedures for remote voting could not only benefit the House of Commons in the future but also other legislatures across Canada and abroad.

There is currently no regulation of remote online voting in Canada, so as we think about the adoption of voting technologies in the legislature, we might also reflect on how this conversation could later benefit electoral integrity in the context of public elections.

Thank you.

Thank you very much, Madam Chair and members of the committee, for inviting me to participate.

I will start with a bit about me. I have worked in cybersecurity, facing the most advanced cyber-attacks in the world for the past 20 years, both within government and as an entrepreneur. I am currently leading Arc4dia, where we are providing services, acting as the last line of defence to detect intrusions by leveraging our proprietary software. We have been operating remotely and decentralized since I founded Arc4dia 10 years ago. I also participate within the Bitcoin community, both publicly and within invitation-only fora, as a think tank in security and game theory in the ecosystem.

I came with a few points to share with this committee from listening to the previous meetings. Although I only listened to a few, I do have some observations.

I observed a resistance to change that is driven by a desire to keep what works well, and that, due to past errors, hurts collegiality. It is true that change is a threat vector that can be exploited by others. However, being static is also a weakness that can be exploited to prevent us from fixing what we have broken in the past or what needs to change in order for us to adapt. With the world changing around us, and very fast, with the rise of artificial intelligence combined with cyber-domain attacks and social engineering driven by artificial intelligence, I believe we need to change and adapt and, even better, be ahead of the curve.

To do so, and to dwarf non-genuine influences, we need to strengthen collegiality. It is by knowing each other more intimately that we will detect and see attacks against us and have the agility and the speed necessary to react before damage is done. For example, limiting or reducing face-to-face interaction has been brought up by many during the hearings as a change that will have negative outcomes for the effectiveness of our democracy. These are the kinds of changes where we need to be agile and be able to bring back collegiality. I heard that some get-together dinners were removed from the tradition of the House of Commons, where opposing parties had held discussions in a more relaxed and convivial atmosphere. I would advise you that such sittings are very important in our defence against cyber-domain attacks.

Understanding the nuances of our interpersonal and professional communications is essential in detecting subtle attacks against us. Our adversaries will look for ways to interfere with all forms of communication, and not just the written kind in email, texts and online postings. For example, during video-based presentations they will or could disrupt images and the tone of voice in an effort to inject or alter messages of body language, facial expressions and the intentions of our elected officials. Without our collective understanding of what right looks like, we will fail to see the subtle attacks that will eventually lead to more brazen and flagrant attacks.

I also observed concern with e-voting. E-voting and the use of technology should complement and reinforce one vote. Make sure your voice can be heard and make sure it is accurate. The way I see technology and software is that they augment our reliability and agility in our voting process, and perhaps even make it antifragile. We need to move away from using a single platform to vote, in favour of adding technological compatibilities to strengthen the reliability and the resiliency of voting. Perhaps we should vote on video, as well as signing our votes with dedicated, secure hardware. We can then audit that our votes are correct. Perhaps we could time-stamp our votes with a Bitcoin blockchain, making them forever verifiable.

In short, diversity—one might say multifactor authentication—in our methods of conducting business face to face, by voice and electronically will make it more difficult for our adversaries to achieve their desired outcomes and improves our opportunities to detect their attacks. These ideas and improvements should come gradually, holistically and in an agile process. If not already in place, I would recommend that the House of Commons put in place such processes, supported with permanently ongoing threat and risk assessment, versus the typical static evaluation that ends up on the shelves collecting dust to check some accreditation marks.

In closing, the three observations I have described are woven together by a common thread; that is to say, defending ourselves is more than simply a technology issue. To protect the integrity of the House of Commons and the parliamentary process so that legislation, policies and directives of the Government of Canada truly represent the intentions of the electorate, we need to provide the electorate with the highest level of confidence that the actions of the House of Commons are truly what they are supposed to be.

Regardless of the method of operation, whether it is in person or virtual, the importance of this cannot be overstated.

We require defensive measures, assessed and developed in a holistic and continuous threat-risk managed manner that address all forms of attacks, such as political attacks on infrastructure and people, attacks that attempt to compromise the integrity and loyalty of our people, attacks that attempt to compromise or disrupt the integrity of our supply chains, attacks aimed at disrupting our ability to determine truth from fiction, and of course, attacks that attempt to disrupt or compromise our IT systems. There is no higher calling than to protect our democratic institutions and our country.

I thank you, and I look forward to your questions.

Thank you, Madam Chair, and thanks so much to the members of the committee for this opportunity to address you.

My name is Michael Morden. I'm the research director of the Samara Centre for Democracy. The Samara Centre is an independent, non-partisan charity that is dedicated to strengthening Canadian democracy through research and programming.

We want to thank the committee for undertaking this study. Given the scope of the crisis, the scale of the government's response and the enormous uncertainty that exists, Parliament is not optional at this time. The only question to address ourselves to is how to make it work. Arriving at a solution that commands some measure of cross-partisan support is a solemn responsibility that falls to you.

I understand that our presentation comes perhaps somewhat late in your deliberation. Nevertheless, I think it's useful to consider questions of politics and principle at the same time as technical ones, to remember why we're pursuing this, and not to miss the forest for the trees.

The Samara Centre supports a move in the immediate term to hybrid virtual and in-person sittings of the House of Commons, with remote voting for those who are unable to attend in person. We think the hybrid virtual model is the best among imperfect options.

To be clear, the best of all versions of the House of Commons is the one in which 338 individuals share a room, and there are a lot of reasons for that. We've been a consistent voice in calling for members to spend more time together in Ottawa, to facilitate collegiality and to build informal relationships between members, parties and chambers. However, given the limits imposed through physical distancing, and credible concerns about travel, in our assessment, that option just isn't on the table. We need a full-service Parliament now and, in our view, through the summer.

I hope the option of a full, in-person convening of the Commons will return soon, but we're clearly in a state of deep uncertainty. As the second-largest country on earth, we may find that we're uniquely challenged to get back to full physical national sittings of Parliament. It's a necessary step in the immediate term and a prudent step for the middle term to institute the capacity to resume full parliamentary business with remote participation.

I want to foreground the values that lead us to that conclusion. In times of uncertainty, it's often worthwhile to return to first principles. Parliament exists for scrutiny, to enable the passage of legislation and also for democratic representation. The most desirable pandemic Parliament is one that strikes an appropriate balance between all of those functions. We feel that the current approach, employing a handful of day-long sittings in addition to committee work, is not sufficient to deliver the level of scrutiny, productivity and representation that's required.

We also take issue with any approach that would convene the Commons but exclude most of its members, for example, by operating on the basis of a skeleton crew of 40 or 50 MPs. That approach facilitates some scrutiny and enables the passage of legislation, but in our view, it comes at the expense of democratic representation. Some 18 million Canadians voted last fall to send individual representatives from each of their communities to Ottawa, and it's no small thing to render the vast majority of those communities unrepresented in the Commons while these momentous decisions are being taken.

For that reason, we think the best balance between scrutiny, productivity and representation is struck with a hybrid Parliament permitting remote participation, including remote voting. The technical challenges posed by such an approach are not insurmountable. Many other jurisdictions have walked this road. There are different models available to us, as Dr. Goodman described, and the House of Commons administration deserves particular praise, in our view, for adapting and adding capacity with alacrity.

In our view, there's no question that remote voting is feasible. It's feasible to do it securely, and it only awaits a decision by parliamentarians.

In the early stages of the pandemic, we supported the notion of incremental adaptation. Moving to a hybrid virtual Parliament was never going to be as simple as flipping a switch. We now have proof of concept, both in the experience of other jurisdictions and also in Parliament's own experience of authorizing the virtual conduct of some business activity. At this point, we hope that the committee will provide the Commons with a strong prompt to move as quickly as is feasible to resume full parliamentary business with remote participation.

We believe that legislative business should not be limited to the pandemic response alone. We welcome the granting of committees the opportunity to discuss other issues. We would like to see that reflected in legislative work as well. There are a range of issues that were urgent in January and February of this year that are no less urgent now. Just as doctors warn about the possibility of secondary health crises that are a consequence of delaying treatment for non-COVID-19-related illness, Canada may also become vulnerable to multiple crises during and after the pandemic if we can't attend to the policy needs that existed before it.

We also believe that the hybrid virtual Parliament's business should include opposition days and private members' business. No one has all the answers right now, so this is a really good time for multiple inputs.

In closing, I want to mention briefly that the Samara Centre periodically surveys MPs, and we're doing so now precisely on the question of how the pandemic has affected and should affect parliamentary work. We're always keen to develop an accurate picture of members' views on this issue and develop a body of evidence, and we encourage all members to make use of this anonymous platform to share your expertise.

Thank you very much.

Obviously, the ability to engage in parliamentary debate is central. It speaks to the scrutiny function that Mr. Morden spoke to about presenting motions.

My testimony focused more on the voting aspects, like you said, but that's not to negate the importance of those functions. I don't think they can be replicated in an online setting the way that they take place in the legislature, and I certainly wasn't advocating for that, but I think we need to be able to find a workaround in the interim to keep representation moving and ensure that we're not having these modified sittings with a few MPs where representation is compromised.

I definitely think this is a solution for emergency situations, definitely times of crisis. My point was that we have a crisis now, unfortunately, which presents challenges but also presents opportunities. That's not to say we won't have a crisis in the future.

Government too often is reactive instead of proactive, so let's use this time to develop a thorough, robust solution for emergency situations, because there could be another virus, there could be a revisitation of the COVID rates increasing and there could be an issue of climate change.

My only point about considering modernizing the legislature was specifically enabling remote voting or considering enabling remote voting for specific circumstances that individual MPs may be in, but I definitely am part of the camp that believes that Parliament functions best when members are in the House actively debating and engaging.

What I have received from these deliberations is near-universal consensus that these should be temporary measures. I think it's important that members bear in mind the potential negative consequences. We don't want to diminish the costs, which we think are real, but this isn't, in my view, about modernization. It's really more a radical adaptation for a radical time, which we hope won't persist.

I think we can feel relatively comfortable. I reject the notion of a slippery slope in that I'm fairly confident, based on the deliberation I have heard from members, that they are able to distinguish these times from normal times and would prefer to return to a normal Parliament as soon as possible. I think we have to do what we've done in so many sectors, which is to embrace choices that wouldn't be acceptable in a normal time.

Right. Without going into that we cannot really replace the beer time and get-together time, the social angle of the debate, technically I think it will be possible.

I don't know that it is at the moment, but at the speed that artificial intelligence is going, if we're not careful, it would be possible, eventually, to do deepfakes during video conferencing, potentially.

There was a bit of editing that went on after the fact, but what I am simply here to say is that, compared to the cybersecurity risks of online voting for general elections, online voting for legislative or parliamentary divisions doesn't pose the same sort of basket of threats. It is possible to do with careful design.

Yes. I would echo what my colleague, Mr. Essex, articulated, which is that there are obviously challenges that cybersecurity experts and the cybersecurity community raise with respect to secret ballots in public elections. Because it is an open public vote, we're able to overcome some of those in a legislative context.

When we said that, we were speaking as members of the public looking inside at what is ultimately a mostly opaque infrastructure—the intelligence community, the CSE. We don't really know exactly what they do, but we do know that they're there and we do know that they have a mandate to provide security services for government.

I don't think, if you were a municipal council, you would have access to that level of assistance—

I never say something is secure until I have an opportunity to examine it. I don't really know what Parliament does, but my expectation is that as a Five Eyes member, we would have top world-class cybersecurity. I've spoken to the CSE before. They are very capable, but again, as a member of the public...you know.

Absolutely. I believe when we wrote the article, we were framing it in the context of perhaps web-based or application voting, where you would go on a website and click. Maybe the intent is signalled a little bit more easily there, but upon reflection, I do think that video voting would work better for Parliament, for the reasons outlined.

That is an excellent, excellent question. Just really briefly, with respect to procedures, for any remote online voting system that Parliament were to adopt, we would require procedures.

With respect to the article, we were really talking about cognitive biases and ensuring that the proper procedures were in place so that MPs could check their vote and ensure that that was how they intended to vote. As you heard from Alex, even in the case of Sarnia, where there's video voting, there was a glitch that flipped the vote the other way.

I'd like to see a voting system in place even before then. I think there's a strong argument for a summer sitting.

I understand there are technical steps to be taken, but I've taken confidence from the comments of the Speaker and others. It seems as though the House administration has adapted very quickly. I would expect those actors to sound a strong note of caution if they didn't feel confident they could deliver remote divisions, because if it all went haywire, they'd be the ones blamed.

So I would like to see even faster progress than that. I think it's important that Parliament make up for lost time and start to move a broad agenda of parliamentary business forward in order to keep up with history, which is moving very quickly right now, and to resume the issues that were important.

Yes, Ms. Normandin, that sounds good to me. As I was saying in my opening remarks, redundancy is likely the most important aspect of vote reliability, as is the flexibility you have in voting.

What is more, I think you have applications that use authentication mechanisms. The House of Commons technical team is very competent, and I have faith in it. When given a problem to solve, it generally has the resources it needs to achieve good results.

Yes. As Mr. Morden was saying, it is a matter of flexibility. We have to act quickly to remain efficient and hold parliamentary meetings. What is important is that nothing prevents us from making adjustments after the initial implementation.

Thank you. I'll try to tackle this question.

There is strength in simplicity, especially when we're talking about cybersecurity and technology.

One of the reasons Dr. Goodman and I have gravitated more towards video voting as an approach is that it does have a certain simplicity to it. It's a lot easier to match a person's face and a voice—deepfakes notwithstanding—whereas when you are voting through an app, what the system is recording is not that you voted, but rather that somebody with your credentials voted. This is exactly what we saw in the Ontario municipal election. People were receiving PINs for their children who were in university, spouses were voting on behalf of each other, and so forth.

Video voting does provide a nice way to see the authenticity of the person there, subject to a number of other questions involving some of the issues discussed, but whatever you gravitate towards, I would encourage you to look for an elegant and simple option.

If I could borrow a line from the chair, whom I have been watching during these committee proceedings, I suppose that would be for the members to decide for themselves.

I can tell you that in the Ontario municipal election we saw this sort of hybrid model in many Ontario cities. Some people would go to an in-person place to cast a paper ballot, some people would vote online and some people would vote via the telephone.

A voice vote? You mean online.

I have some hesitations about the hybrid model based on what I've seen. I think we want to be careful. I definitely see the value in it and I know that other jurisdictions around the world are adopting it. I'd like to watch how that plays out.

I think we have to be careful to make sure that we're not creating two tiers here, where some MPs have better access, for example, if it's not just a vote but also debate, including some in-person debate in the legislature and some debate online. We need to be sure we're not creating two tiers of classes here, but that all MPs have equal access to speak and to ensure representation.

With respect to the voice vote specifically, I think it depends on the nature of the vote, but as I understand it, when you call a vote, there would be the yeas and the nays.

You could have a system where you could go through the yeas first, then the nays. Everyone who is voting yea would raise their hands and you would go through them and count them; and then you could have the nays and go through and count them. This is really where I think it speaks to the importance of also double-checking and having more than one actor verifying the vote.

I think that's important. In fact, I think that's also a discussion for the in-person Parliament when it resumes. It's incumbent on government to adapt its approach to how it wants to manage parliamentary business in order not to exploit this adaptation to alter the power balance or to acquire greater control over parliamentary business.

I don't have a technical fix for that. It's something that deserves scrutiny and certainly something that should be provided to the limited extent we're able to, but I think it's an important caution and something that this committee could reasonably seek assurances from the government on.

I will approach this question from my experience in general elections. Predictability is right at the core of the democratic principles that you might have for an election, and the predictability would feed into the notion of fairness and that everyone has an opportunity to vote.

Unpredictability has, of course, very detrimental consequences to the democratic process. One example from the other day was the curfew in Washington, D.C. at the same time as people were voting, so there was interference there between the police curfew and the actual voting. There was some exemption given to voters, but then law enforcement wasn't quite adhering to that, so it created a very unpredictable environment. Of course, that's deeply concerning.

Yes, predictability in votes, whether they're in a general or legislative context, is an absolute must.

Having been running a decentralized business for 10 years, I know that we need to meet as often as possible as a whole team to build up that collegiality.

In the case of Parliament, what I see you needing to do to avoid future big problems.... I don't think it's a problem at the moment, but there are subtle attacks that could be made. For example, someone could lower the quality of video and connectivity of people temporarily when they're actively debating until it frustrates them and they disconnect. There are very subtle and different levels of attacks that we will be facing in the future.

Thank you very much, MP Brassard, for allowing me the opportunity to clarify.

With respect to the birth of a new child, there's precedent there in other legislatures with proxy voting, and there's a good argument to be made there for extending that to electronic voting.

With respect to individual MPs, I wasn't necessarily thinking of busy schedules, I was thinking more of crises. For example, say there were some kind of flood in an MP's community and that MP needed to be there, or there was a big fire or some other kind of crisis. With COVID now we think of ourselves as having a macro-crisis, but I'm thinking of a micro-crisis in a constituency, “micro” being small because it affects a particular area. That could be very well defined so that it wouldn't be taken advantage of.

With respect to sickness, no example comes to mind right now, but I have seen or heard of situations where a member was battling cancer and either wasn't able to attend a vote, to participate, or some members have come while they are very ill to vote just once. In cases of sickness like that, the member could stay in the hospital or at home and rest and be able to participate. I'm thinking of extenuating circumstances, not just busy schedules.

Thank you. That's a good question.

With regard to the costs, I will go in reverse order. They could be kept to a minimum if we played the cards of redundancy, where we have two or three voting mechanisms and make sure that a vote makes it through and is reliable. That way we could use a less costly solution.

In Eastern European countries, they have SIM cards in their cell phones they use for signing transactions and documents, or things like that. They're effectively really cheap, and the cost of implementation is relatively cheap as well.

Technologically, for voting, it's fairly inexpensive to implement and very efficient.

I'm not sure. I guess the answer is no.

No.

Yes.

I believe that was in the title of the article, so yes.

Under the right conditions and with careful design, yes.

Yes, with the right security software.

Yes, with outside consultation with experts who have done this before.

Yes.

Upon reflection, I think video voting would work best, so I would put in verification to double verify parties within the legislature.

Yes. That would be more for application- or web-based voting, but obviously we would need infrastructure to facilitate the video voting.

I think Dr. Essex might be good to chime in here, but I know that with the web-based and application-based, for example, it's easier to capture intent. It can be clearer, but there are other issues. I think in terms of security it would be email at the bottom, then web-based and application-based, but I think Dr. Essex should probably speak to that.

Yes. The big positive for application and web is I think intent. Also, they can be very user-friendly. It depends on how they're designed. They work very well. In Estonia, for example, and Switzerland, they have worked well, but there are additional cybersecurity challenges.

I'm not opposed to proxy voting. However, after some consideration, and reviewing remote electronic voting and proxy voting, I do feel that the remote electronic voting enables representation and inclusiveness more fully.

Proxy voting in a general election has a lot of problems. I know that they allowed it in Toronto and there were instances of abuse. I don't think that would be as easy to abuse in a legislative context where the voting would sort of be in many cases along party lines—

Well, I—

I'm not implying that an MP is a function of a party. I'm a cybersecurity expert. I am aware of the notion of a whipped vote, which in that case would imply that there would be a sort of an understanding ahead of time on how members would vote, but setting that aside, in proxy voting, there of course would need to be time for a member to communicate their intention to their proxy.

Thank you so much for the question. I think I share your concern, if I understand it, in that we see MPs as individuals and as unique representatives of their communities. We prefer a model like a virtual roll call, in which there is that moment of accountability when the members themselves visibly commit their vote.

That's right. Yes.

From a technical point of view, I don't have a problem with it. I think it's more of a function problem, as the others have outlined.

Who's the question addressed to?

We're distinguishing between a vote that might be input via a web-based interface using a browser, in which you sign in on a laptop or a computer, versus an application that might be on a smartphone. The network connection and security and so forth are managed slightly differently—the credentials and all of that sort of stuff. There are subtle differences I could tell you all about if you're interested, but—

Yes, absolutely, and I certainly remember that time with those close votes.

The issue that you're raising about bandwidth and dropping is actually a bit of a concern, especially if there is a threat actor who has the capability of cause the member's vote to drop at a specific time.

Just Goodman.

I have a Ph.D., but either is fine.

It's a great question. Thank you.

You could go by party. You could go alphabetically. You—

Absolutely, I would agree that there are challenges. Just between the voice vote and the show of hands, I am more supportive of the show of hands, but I'd just like to make a quick point on the web and application-based voting.

To comment very quickly on web- versus application-based voting, it's not that I'm opposed to those options. I recognize that for the U.K. House of Commons, they built this voting app software—

I can't give a blanket answer to that, because—

Definitely, at the moment, I would use video and voice over apps.

No.

Email is not encrypted end to end.

There are a number of ways you could go about it. These would be procedural matters. The core procedure that needs to be in place is something to handle both, (a), when somebody doesn't have an opportunity to vote because of some kind of network issue, such as when the website goes down and you need to be able to recover from it; and (b), if it is detected that a member's vote was changed by accident, error, or otherwise. There needs to be a method to recover from both of those.

It certainly seems that you may want to have at least some kind of tiered or staged announcement of the vote outcome, a sort of preliminary and then final vote. You can be optimistic about it and announce a preliminary result, subject to the CSE or whatever. IT security might want to apply to it afterwards.

Who would be issuing that certificate?

I am not sure I understand.

I don't think such a certificate exists. However, we can have a measure of certainty.

I think time and predictability should be primary, first-order principles of a virtual parliament.

May I ask which question of the many I was asked?

Those were concerns about email verification.

Well, there has to be some avenue to verify or identify that a vote was correctly recorded. That could be via a website or some other channel. The issue we have with email is that it's not encrypted end to end. It's not a suitable technology for this purpose.

To clarify Mr. Gerretsen's question, he was asking if the way the U.K. Parliament is doing it at the moment is pretty good. I find the way he described it—I'm not familiar with it—sounded good where you vote by video, and then there's validation through email. That's what I understood.

That sounds like a pretty decent and probably one of the best and easiest implementations we can do at the moment.

The reason is that even though deepfake is on the table, it's still one of the hardest attacks to pull off at the moment versus attacks on applications or some data in the database. Those are two different worlds of attacks. That's why I think voting with video confirmation, and then confirming with another method, either email or application, has high value.

Honourable members of the Standing Committee on Procedure and House Affairs, thank you for inviting the Canadian Institute for Cybersecurity at the University of New Brunswick to speak today about cybersecurity considerations relating to the establishment of a hybrid Parliament.

My name is Ali Ghorbani. I am a professor of computer science, a tier one Canada research chair in cybersecurity, and the founder and director of the Canadian Institute for Cybersecurity.

Cybersecurity and privacy, once issues only for technology experts, have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem; it's a business problem; it's everyone's problem. The weakest link in cybersecurity is now people, not devices. Here at the Canadian Institute for Cybersecurity, we think that the human factor is considered the biggest threat to cybersafety, and we strongly believe that cybersecurity requires multidisciplinary and human-centric solutions.

The Canadian Institute for Cybersecurity is one of the first institutions to bring together researchers from across the academic spectrum to share innovative ideas and carry out groundbreaking research into the most pressing cybersecurity challenges of our time. We have been doing research and development and entrepreneurial activities in this area non-stop for over two decades. We have developed multiple practical network security solutions, and our research has led to the establishment of several companies. Currently, the institute has a team of 60 researchers, technical staff and graduate students, and a state-of-the-art architecture and infrastructure.

The science of cybersecurity is about managing risks and avoiding surprises. There will be security risks with any online communication platform. In the “Virtual Chamber” report of May 7, 2020, it is written:

Members who wish to participate remotely will connect using a videoconferencing platform integrated into existing on-premise technologies.

Let me briefly highlight the security and privacy issues in relation to the proposed platform from two perspectives: users and organizers.

On the user side, the first issue is awareness of cybersecurity. The remote participants who use the platform for virtual sittings must be aware of the security risks associated with the use of online video conferencing platforms or, if not, must be trained for such. The goal is to avoid issues such as installing platform software from an unofficial site, which can be malware; phishing scams asking to join video conferences, which steal credentials; and overprivileged video conferencing application by using the web version, which sits in a sandbox in the browser when possible, instead of installing an application.

The second issue is technical issues for remote access. The remote participants who use the platform for virtual sittings must have satisfactory assets for remote access or, if not, must be provided with such. The goal is to avoid issues such as hardware shutdown during connection due to power outage, which can be considered as an availability issue; slow connection and breaking during meeting, which can be considered as an availability and/or integrity issue; and vulnerable webcams, which can be accessed by unauthorized users and can be considered as confidentiality and privacy issues.

On the organizer side, the first issue is trusted computing based on trusted hardware. With regard to the proposed integration of a multimedia system with video conferencing and a voting system, it is known that a system is as secure as its weakest link.

Furthermore, computing hardware has security issues, such as branch direction prediction attacked by Spectre.variant 1. Therefore, it raises the need to use trusted hardware such as trusted platform module, TPM, also known as ISO/IEC 11889, which is a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

The second issue is verifiable software. The software integrated in the virtual chamber must be verified, or if not, it must be open sourced, such as Helios for online elections system, or openly reviewed such as a Zoom proposal for end-to-end encryption for video conferencing.

The goal is to avoid software vulnerabilities, such as meeting bombing when an unauthorized person joins a meeting; client application chat issues, malicious links and arbitrary file write; and security risks related to operating systems of the video conferencing platform and user management system.

Last but not least, the third issue is secure cloud and networking technologies. The network integrated to the virtual chamber must be private, or if not, it must be secured. The goal is to avoid cloud and network vulnerabilities, such as security risks related to streaming video, such as stream grabbing and uploading; and security risks related to data routing, such as route manipulation and route hijacking, which requires that the integrated platform must offer the ability to choose through which region of the world their data would be routed.

With that, thank you again for inviting me to be with you today. I look forward to your questions.

Madam Chair, ladies and gentlemen members of the committee, thank you for inviting me to appear before you.

My name is Guy-Vincent Jourdan. I am a professor of computer science at the University of Ottawa's Faculty of Engineering. My research topics include software security and cybersecurity. Over the past few years, I have worked specifically on cybercrime and cybersecurity, in collaboration with IBM.

Is there a reasonably secure way to implement a hybrid Parliament in Canada, including a remote electronic voting system based on the report produced in May here titled “Virtual Sittings of the House of Commons”? I think so, as long as we are given the means to do so.

Of course, it is difficult to be very specific without an in-depth preliminary study whose conclusions would not fit into seven minutes anyway, but here are a few important points, in my opinion.

Concerning parliamentary discussions and debates, a number of key elements facilitate the process. First, our Parliament has an existing and effective security structure, recognized as such, and competent staff we can count on. Secure communications among members, secure infrastructure, control of devices used remotely and the software installed on those devices have all existed for a long time.

In addition, the situation we are facing is global and the needs are similar everywhere else. For example, I know that Brazil, Spain, the United Kingdom, Wales and the European Parliament have all set up forms of virtual Parliament, some with a remote electronic vote. So it is feasible, and we can, therefore, also benefit from the feedback and lessons learned around the world.

The idea of virtual sittings and remote votes may be relatively new for many parliaments and governments, but we shouldn't forget that those systems have been used for a long time in the private sector to handle daily business, organize confidential meetings and boards of directors or to vote at shareholder meetings.

Video conference software, in particular, has been the subject of security analyses for a long time. For instance, the NSA recently published and has been updating a document containing the important points on selecting and using that software, such as end-to-end encryption, multifactor authentication or the use of certified and controlled devices.

In that report, a number of solutions are positively assessed, such as the solutions provided by Microsoft or Cisco, or the Zoom software, which we are using now.

However, there is more to the issue than choosing a video conferencing software. Parliament certainly needs to be able to debate, but it also needs to be able to call for a vote, vote and have confidence in the result of the vote. It must be possible to respect the rules and adapt them as needed.

The Internet vote is an issue in itself. I think that we can generally say that the IT security community is not favourable to it, as the challenges are too great, the risks too high and the benefits dubious. That said, once again, we have to look at what we are talking about. The parliamentary vote is not the same thing as the Internet vote in general.

One of the fundamental differences, first and foremost, is that it is a public ballot, which, of course, considerably facilitates the problem resolution. The result can be widely disseminated, and everyone can know how the votes were counted.

Moreover, the electorate is very small, and every member is known. The devices used for the vote are controlled and managed by the parliamentary technical staff. Members can also be provided with tailored training and support. Finally, the benefit of such a vote seems clear, at least right now.

We can imagine that the system will be a combination of an accredited video conferencing system, a secure communication system and a voting system, possibly integrated into one of the two systems, but not necessarily.

During normal proceedings, the member will be asked to vote through a secure communications system. During the vote, a biometric authentication will take place, and a number of receipt orders will be published immediately. Procedures will have to be implemented to manage abnormal situations, such as connectivity losses and handling errors.

To maximize the likelihood of success, it must first be ensured that the devices used are managed and controlled by the technical team, as well as verified, certified, updated, secured, and so on. As far as I understand, that is already the case.

Next, it must be ensured that the software used comes from a certified supply chain, that it has been verified by independent teams and continues to be verified regularly, that it has adequate certifications—such as FIPS-140—and that it is kept up to date. Once again, my understanding is that this is also currently the case.

The system will need to be integrated into the existing parliamentary infrastructure: multifactor authentication mechanisms, a virtual private network, cloud architecture, and so on.

What is more, registries will have to be produced and maintained in a secure manner at every possible level to be able to respond to and remedy any real or perceived issues. Clear and effective procedures will have to be implemented to define the steps to follow in case of problems and to ensure that the sitting can continue.

Finally, the proposed solution will have to be reviewed and critiqued regularly by independent specialists from the private and academic sectors. Ideally, the solution will be made public.

None of this seems out of reach to me.

Thank you.

Hello, and thank you for inviting me to provide my thoughts and to answer questions on this very important and very interesting time we are in.

The solution that I have worked out, I believe, is minimal on effort required and maximal on trust. I think that with a parliament-style vote where there are only a few hundred people, it is definitely possible to be absolutely confident in the result that is shown, and here is how you do it.

I am not in favour of web-app-based solutions, video voting, or things that require a phone display, primarily because those things can be programmed to lie and display things that are not true to both sides. It's just something that is not going to be overcome any time soon. Even if the implementation is secure and safe, the fact is people who use their phones for other things are going to be continually taken advantage of in the general public, and we're going to see report after report in the general sense about phones being insecure. That will degrade the integrity of these official votes that are being done through phones, even if they're being done in a secure way. That is something that is also not going to be overcome.

What I would suggest as a solution involves a separate physical piece of hardware that is plugged in and requires no training whatsoever. I have an example of one right here. You plug it in with the regular ethernet to any member's home, whatever, and it is set with software that already exists to transmit but not receive.

The benefits of this are that an adversary would have to know the precise window of time that the vote is happening. They would have to compromise the ISP transmission. They would have to have the decryption capability already figured out and the preloaded key known in advance. They would have to be able to change or modify the packet that is sent instantaneously. That can be checked, because there are time stamps on the transmissions. You calculate how long it took for a transmission to go from a member's location to the official place of the vote being received. Through math, logic and physics, we can figure out if it was physically possible that it made it that quickly or if that transmission was unreasonably slow, which would suggest that it had been intercepted and modified, repackaged and sent. You can get an average heartbeat signal going, and as long as it arrives within that specific time frame and reasonability, you can be fairly sure of the result.

The important other factor is a secondary outside band confirmation. I would suggest that you then have the member on their telephone call a specific line to verify, validate or confirm what their vote is, so anybody trying to alter a vote or manipulate things would have to have all that previous knowledge and be able to instantaneously change something in a way that requires calculation and time. They would also have to compromise the phone carrier and impersonate the member at the exact window of voting on that confirmation call.

All of this requires zero training on the part of the voting member. It is maximally and logically verifiable, and it is minimal on cost. The technology already exists to do it.

Thank you.

These comments are good for any similar commercial offering, not necessarily specific to Zoom but including Zoom. I would not do anything secret over Zoom or any other similar platform. You cannot be certain that there are not going to be adversaries listening or intercepting, or even changing packets and communications, because you don't know who is the third party contractor who may have access either overtly or covertly to something that widespread. It is just not trustworthy for anything of a high security nature.

I will say similarly that Zoom is not unique in terms of security flaws. Any video conferencing platform would have issues. Zoom became famous with the Zoom bombing, etc., that happened recently, but they at least have openly reviewed a proposal for end-to-end encryption that would be sufficient for at least the integrity of the data moving between the two ends.

In the end, I think your guess is as good as anyone else's. You could say Microsoft Teams has better security. At least they advertise it as having better security, and it appears to have good security in place, but all in all I think they are all going to be in the same group as being vulnerable to any third party type of attacks, networking, etc.

I did mention at the end of my seven-minute opening statement that the routing of the data is awfully important. Definitely Parliament should make sure how the data is routed and which part of the network the data actually ends up travelling through.

I absolutely still stand by that statement. The context was in a nationwide election with millions of people involved. If you're dealing with 200 to 300 elected officials, it is feasible to have them vote, and to confirm those votes, and to do so in a secure enough way that you can be confident in the result being accurate. It is much different when you're doing it with millions of private citizens.

Well, this little thing right here is actually outdated. That's what I'm using as an example. It's a Packet Squirrel. It costs $30 commercially to buy one of them. I'm sure you could get a whole bunch of them at a bulk rate. It is sold online. I have no financial ties to it. I don't stand to benefit from it whatsoever.

I'm saying basically it is a network tap type of device. You just plug it in and it is connected to the network. It has software that runs on it that is configurable by you. You can set it to communicate with only one specific IP address, and set it to communicate in a way that it does not receive commands and only sends them.

First, I think the issue of awareness has to be a continuous agenda within Parliament to make sure that every so often the members are aware and trained about the new issues and problems that come up. It's not one-time training and you're done with it.

Second, I would disagree to some extent that it really doesn't matter when it comes to general election online voting or parliamentary online voting. The two main issues in online voting are verifiability and availability, or you don't end up having a case where people cannot vote, or you want to verify their vote. It was mentioned also that maybe a phone call afterwards should be used to verify. The size is not important here; it's more that you want to make sure that a vote is done properly and is verifiable in the end.

Again, I want to emphasize your point. I'm a big proponent of the awareness issue of programs within different departments in the government, and Parliament would be no different.

Yes, that's correct.

Yes.

Yes. A way to mitigate the risk of a catastrophic event and single points of failure is to intertwine competing platforms within it. This means if you are sending a vote over the Internet, have it go to not only one cloud routing centre before it gets to the official site, but also send a mirrored, exact duplicate to the competing next company that is fighting with the first company for revenue. Have them receive it and perhaps hold it or even transmit it or let it be viewable to the receiving side, and if they don't match, you have problems. They should match.

Neither one of these companies wants to be known as the company that was compromised and votes were changed. They have a defined interest and a competitive interest in being correct, accurate and as ethical and well-regarded as possible, because otherwise the competitor is going to eat their lunch.

I would like to second what was said.

In order to make sure that we do have a secure, verifiable and available system, we need to work on diversity, basically. We could end up having two systems marrying each other so if one were closed down, the other one could actually hold on.

Diversity would be a core in terms of making sure that you have everything available at any time for voting to go on.

Yes, obviously, the—

No.

Yes. To my knowledge, some companies just use Zoom, where everyone takes their turn speaking and raises their hand. I think it all depends on the number of voters.

I don't know whether such a system exists, but it can clearly be prepared and implemented.

Okay. I will send you the document, which is in English.

It is difficult for me to answer. I know that you have a very good base.

As far as I understand, the infrastructure is in place. I think the ability to keep registries also already exists, as there is really nothing exceptional to that.

Do you need to hire more people? I cannot speak to that, but I would not be surprised if you did. However, I don't think that you need to make massive hirings, as you already have a solid team.

The answer is, yes, it could be used to send.... However, I would advise against relying on a visual or video-type of vote. You are going to have problems as technology advances with abilities to forge and manipulate those types of things. It is a losing battle and it is not future-proof.

Yes, that is actually a very good idea, and it could be used as a layer on top. That would also deter bad actors, because if something shows up anomalously, you're going to know where to start investigating.

Fundamentally, this probably would be the case where the person does not use the proper equipment or system and software, so a third party could get in between, and the data in transit could be altered or changed, etc. That's how I can see it from the human perspective: an error to allow a vote to be altered and changed. It also makes a good understanding from the perspective of a person to be educated about encryption and how, from her end, data can be encrypted and sent to the other end so that the data in transit will not be altered, changed or grabbed. That's how I see it from the human perspective: errors that could be made.

Yes, absolutely. I come to this debate as a technologist, so I have a technological point of view, but there is absolutely no question that a good system is going to involve non-technical people and users in the first place. So yes, I absolutely agree that this is not something that should be done just by IT folks.

I was just saying that in terms of training, of course, it would be fundamental to have regular training and updates. Such a system is going to be.... We uncover problems all the time, so a system like that would have to be agile. They would have to give upgrades regularly, and that means that people would have to be retrained constantly. That has to be taken into account. That has to be part of the plan.

Sure. I think what is important to recognize here is that when we talk about training, it is not that IT people are always being trained or that they have to be front of people to train them. We need to bring people with all sorts of expertise into the conversation, such as groups from business, law, education and the humanities, including sociology and psychology. They are all important elements when we talk about an awareness programs in cyberspace. If there is a training program and it's going to be an ongoing kind of program, you want to involve these kinds of expertise as part of developing the contents and delivering the finished project.

To my mind, if you're asking me, all MPs should be included in this process.

A couple of years ago, we were in front of a few MPs to show them how easily they could be attacked or hacked through their phones or their laptops. It's important that all MPs get the training, and also continuously get the training. As we know, we are continuously getting new types of attacks. There are new types of phishing and new ways of manipulating and spoofing and so on.

It's important to have everyone involved.

To me, they are as safe as they can be right now. They are safe, but as I said, the only thing I'm concerned about is the verifiability issue. There has to be a plan in place by the House in order to verify the total tally, the details of the tally, and also the availability issue. As you mentioned, for many people who are in different ridings and who may not have good connectivity, a small-scale denial-of-service attack could actually easily prevent people from voting.

Both technologies do suffer from both items that I mentioned: verifiability and availability.

Yes. I would like to go back to your point about bandwidth. I think there is one difference between those two approaches. That is, in the system we're talking about with a dedicated messaging system, a dedicated voting system and a dedicated video conference system, the one that is hungry for bandwidth is the video system. So I would be a bit worried about putting the vote part onto that. It's the one that's most likely to break if you have poor bandwidth.

I would also echo my colleague's comments regarding the availability. In terms of security, if I had to identify what would be of topmost concern to me, because of the context of these votes, I think availability would be of most concern. It would be quite difficult to change someone's vote so that no one saw that, but it would probably be easier to prevent the voting in the first place.

That probably would be a good place to focus the attention.

Absolutely. In order to have that happen, the proxy person, or whoever, would have to physically be in the residence in order to have the IP address that it is sent from and known ahead of time to be received from. That validates, at least from a physical perspective, that where that IP address is located is at their home. Then you would have them confirm via a phone call, using their own voice, within a specific window of time. You know their phone number. Their number can't theoretically be spoofed. That's illegal, I would assume, in Canada as it is in the U.S. So, you not only have voice, phone number and specific IP address, you can add in other identifiers that are specific and unique.

I would summarize it as a second band of confirmation, some sort of non-connected secondary confirmation method that is out of the original network.

It may work. But over time, it will head south as far as integrity and belief in the system go. It will only degrade.

Absolutely. I steadfastly believe there is an undeclared world war, practically occurring as we speak, against democracy and everything that it stands for. So yes, there are lots of people, both for profit and for political ideology purposes, around the world actively, 24 hours a day, trying to cause harm to Canada, as well as to others.

Thank you very much, and hello to you from New Brunswick.

Yes, the cyber-incident response plan is an integral part of any plan you must have in your organization when it comes to cyberspace and cybersecurity, that's for sure, but we also have to recognize that we have a fairly advanced group of people and infrastructure within the Communications Security Establishment that provide these kinds of services, and they're also in charge of CyberSecure Canada. So, yes, a collaboration between Parliament and CSE would make sure Parliament does have a cyber-incident response plan in place for things that might happen as a result of a breach in cyberspace.

Yes, I will second what Mr. Ghorbani just said. We obviously need that. In Canada we have the kind of knowledge to gather this kind of plan and have it in place to end all that.

I would simply state the obvious, which is that it's not related to what we are talking about right now. It has to be in place right now, because you are already using technology to do all kinds of things. I think we want to look at the proposal on the table today in the context of what we have. We are not changing or introducing something crazy here, compared to what is already happening. I expect that plan to be in place right now, and I think we should maintain it and have it address this new situation.

The plan I would have in place, and if you do not, you need to get it in place, is one to immediately mitigate the compromise. Don't necessarily turn everything off, because you can lose valuable forensics that way, but segment and mitigate it. Have defined roles ahead of time so people know their job in an incident response situation, and they're not left guessing or checking with somebody else to see if they need to do this, that or the other.

If critical infrastructure is involved, communicate with federal-level authorities early on, very quickly, to see if you need to do anything to help their investigation. If they are investigating an advanced, persistent state actor, and you were to turn off systems immediately and lose some valuable forensics, it would be a tragedy.

I would do those things.

Verify it in the end, but, yes, we do.

Absolutely. It just has to be done correctly.

Yes, and it's inherent that it has to be done correctly.

Could you summarize it?

I recall that.

I would not be talking about anything secret on this type of communication, because it's a public, open knowledge type of forum. It's probably okay, but I would not translate anything that needs to be kept confidential over this platform or any other commercial generic offering out there.

The Chinese side of things is a state-level concern, so it is elevated. I wouldn't say that they are the highest level of concern out there, but it is an elevated concern.

Mr. Richards just moved a motion. Generally at this point the committee would open the floor for debate until such time as debate is over, and then the committee would make a decision on the motion Mr. Richards just moved. The committee can also decide to continue with the questioning and then come back to Mr. Richards' motion afterward, if that is acceptable to the committee. It's really in the hands of the committee. It would take the consent of the committee to agree to do that.

Otherwise, the normal course of things would be that once a motion is moved and proposed, debate would follow, followed by a decision once debate is finished.

As I said, the system that is going to be the most hungry for bandwidth is a video system, so anything that is not video-based would be better.

That is correct. However, keep in mind the aspect of a necessary second or third band of confirmation, which is not involved with the video system. This could be added as a way to validate it or make it good enough. You have to have that other validation.

It does tend to help; however, the degradation in people's belief in the system being accurate, the very existence of the possibility that somebody could, even temporarily, be recorded in the wrong way tends to harm that system overall—

—and people's understanding that there are multiple layers of confirmation that always exist is a good thing.

I would say the worst thing that could happen is that somebody's individual device is compromised and the audio is being manipulated to make it sound like they said “no” when they meant to say or did say “yes”.

That is absolutely a concern, and that's why multiple layers of validation are important.

I will begin.

I think this is an important issue to raise. The voter can be identified in ways other than through the video. If we just want to make sure that the correct person voted, a biometric identification through the device can be done at the time of the vote. Presumably, you all have in your pocket a telephone that knows how to do that. It knows how to recognize your face, your fingerprint or something like that. That can be done locally, and it is related to your identity.

Your actual identity is not sent to the server. For example, we can easily imagine a very simple application that, at the time of the vote, would ask you to select yes or no and to confirm your identity by putting your finger on the telephone or by looking at it. That makes it possible to link your identity to your vote without having to send a video in real time.

I really don't. It's important to recognize that authentication to multiple layers, including biometrics, would add more security to the operation. As mentioned by Guy-Vincent, it's easy to implement it. In short, yes, this might be a good thing to consider, using biometrics to authenticate people.

Off the top of my head, I don't see any particular security issue linked to the time of voting. I think that's what you mentioned here about family being around. Some obvious points would be not to share the device with the family and to make sure that you use only dedicated hardware and a secure link if you can. However, I don't see any obvious reason why we should worry about a particular time of voting.

Again, I would stress the fact that.... I think if the Chinese want to do something to us, they are not going to do that, try to change your vote from yes to no from time to time, because you will see that right away. No, I would not be too concerned about that.

I do not have much of a concern except that, of course, we are giving the malicious people a schedule, so they actually know and can be prepared. To some extent, if it is public and it is getting into the hands of everyone, those who are malicious are better prepared at the scheduled or planned time when the voting would happen. Other than that, it's not going to be a big deal.

I think that can be improved upon and is workable. If you have, for example, a period of one hour on a Tuesday every week when you take these votes, you can assign windows of time, so that during these five minutes of that hour, X, Y and Z members can send their votes in. That's not publicly broadcast; that's just decided in the moment. Then the bad guys will know the window overall, but they will not be able to predict these specific windows of a few minutes when it is valid for certain members to send their votes in.

Thank you.

Madam Chair, I just want to point out to the committee that a deadline of July 10 would actually enable the committee, if that were the will of the committee in terms of the consideration of a draft report, to have meetings on June 16, 18, 23 and 25, and then in the additional week, on July 7 and 9. Some of those dates, especially in the run-up to July 10, would obviously be needed for production purposes and translation purposes, to finalize the report and have it fully ready to be sent to the office of the Clerk of the House.

There may be some difficulty with meetings in the week of July 7 and 9, depending on outstanding production work that would be needed to finish off the report.

Thank you, Madam Chair.

To use a phrase that's been used maybe too much today, it is really the will of the committee as to how long the extension would be and how many more meetings you'd like to have.

A portion of the draft report has gone to translation. It might actually be translated by now. I'm writing a portion of Tuesday's meeting as we speak, and when I leave this meeting, I'm going to try to complete another portion, which will all be ready for Monday. Today's meeting will not be ready for the Tuesday meeting, just because it is practically impossible.

That is the update from my end. I hope that's enough to go on.

It would be ready for Thursday, hopefully. Sorry, let me get that exactly correct. That would be the 18th.

In terms of additional time, we do have a witness tomorrow for a one-hour meeting. We could put on the meeting notice another opportunity for committee business. It would again be fairly brief.

Seeing as the committee is moving towards an idea of some type of extension, next Tuesday, June 16, we will have a full three-hour meeting and there could be an opportunity right off the top, at the beginning of the meeting, for some additional committee business. If tomorrow's opportunity doesn't allow you to finish off the discussion and reach a decision, there might be an opportunity at the beginning of the Tuesday meeting to do that. There would still be a chunk of time in the balance of that meeting, if that is what the committee ultimately wants to do, to start in on at least a portion of the draft report as Andre currently has it.

Madam Chair, I could provide some clarity on that.

Essentially, the House motion of May 26 was a motion of instruction asking the committee to do a study on possible Standing Orders changes, incremental steps towards a hybrid Parliament, including remote voting. They had a reporting deadline of June 23 in that. The committee would be under some sort of obligation to report something back by June 23.

As I've indicated before, the nature of that report could be a recommendation to extend the deadline to some future point, for example. That's why ultimately the committee needs a specific hard deadline to make a determination on that. Whether it's July 10 or some other date down the road, there would be a need to do that. If the committee makes that type of decision, that could be the report that gets sent back to the Clerk of the House.

Of course, before a deadline can be made formal or official, the House needs to concur in it. Because we don't have the sittings in the usual way where a motion can be moved for a concurrence to the committee report during routine proceedings, some other mechanism would need to be in place that would permit the House to essentially give its approval to your recommendation to move the reporting deadline to some other date.

There are different ways of doing that. Special motions have been done in the House before, and we've seen that since the beginning of the pandemic. It could be done that way. There is a special provision from one of those motions, from April 23, where if the four House leaders of the recognized parties agree to a recommendation in a PROC report, such as a recommendation to extend the deadline, that could give effect to it as well. Simply your deciding to move it to another date does not necessarily guarantee that a new deadline will be officially made or officially set.

The first step, obviously, is to make a decision, if that is what you want, to ask for a deadline extension, and then of course determine what that specific date would be. Whether it's soon or whether it's later, that's up to you.

Madam Chair, the meeting notice for tomorrow will be published after today's meeting. It should be coming out in the next hour or so.

That's correct.

Mr. Richards is right. They're on debate right now on that motion.