Procedure and House Affairs Committee on June 6th, 2024

Thank you, Mr. Chair, for the invitation to appear this morning.

My name is Caroline Xavier, as stated. I am the chief of the Communications Security Establishment, also known as CSE. I am joined by Rajiv Gupta, the associate head of CSE's Canadian Centre for Cyber Security, also known as the cyber centre.

I'd like to begin by providing the committee with a brief overview of the evolving threat landscape. Following this, I will speak to the mitigated threat activity that targeted Canadian parliamentarians and how CSE has been working and continues to work to support parliamentarians and protect our democratic institutions more broadly.

Canada’s adversaries are increasingly using cyber-threats to conduct espionage, move their foreign policy objectives forward and influence Canadian public opinion to their advantage.

Although we believe cybercrime continues to be the most likely cyber-threat affecting Canadians and Canadian organizations, the cyber-threat coming mainly from China—as well as from Russia, Iran and other countries—is more strategically significant.

Allow me to be more specific. The cyber-threat emanating from the PRC is significant in its volume and sophistication. PRC-sponsored cyber-threat actors will almost certainly continue targeting industries and technologies in Canada to give the PRC an advantage for its strategic priorities, whether political, economic, in security or in defence.

In parallel, Russia's invasion of Ukraine in February 2022 gave the world a new understanding of how cyber-activity is used to support wartime operations. It has demonstrated how nation states are increasingly willing and able to use misinformation and disinformation to advance their geopolitical interests.

Since 2021, the CSE has also observed that state-sponsored cyber-threat actors with links to Russia and the PRC continue to conduct most of the attributed cyber-threat activities targeting foreign elections. In the fourth iteration of our threats to democratic processes publication, released in December 2023, we outlined examples of cyber-activity against the democratic process that we have observed globally since 2021. These include distributed denial of service attacks, or DDoS, against election authority websites and electronic voting systems, unauthorized access to voter databases to collect private information, and spear phishing attacks against election officials and politicians, among others.

Given this observed activity, in the last few years, the CSE cyber centre has publicly released over eight alerts, four cyber-threat bulletins, and seven joint cybersecurity advisories with allies, all related to Chinese or Russian state-sponsored cyber-activity.

Canada's high degree of global connectivity and technological integration with our allies increases our threat exposure. Furthermore, Canada does not exist in a vacuum, so cyber-activity affecting our allies' democratic processes will also likely have an impact on Canada's.

In relation to the committee's study, I'd now like to provide a brief overview of the CSE's role and relationship with the House of Commons IT team.

The CSE takes its mandate and legal obligations very seriously. Under the cybersecurity and information assurance aspect of our mandate, the CSE acquires, uses and analyzes information from the global information infrastructure, or from other sources, to provide advice, intelligence, guidance and services to help protect electronic information and information infrastructure. Accordingly, pursuant to the CSE Act, the CSE and its cyber centre share intelligence and information with service providers and government clients, including appropriate authorities in Parliament.

In June 2022, the CSE received a report from the FBI, detailing emails targeting individuals around the world, including individuals who have been outspoken on topics relating to activities of the Chinese Community Party. The report included technical details and the names of 19 parliamentarians who had been targeted by this activity. However, from January to April 2021, more than a year earlier, the cyber centre had already shared reports with the House of Commons IT security officials, specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.

Upon receipt of this information, the CSE shared specific and actionable technical information about the activity with the House of Commons IT security officials, as well as with the Canadian Security Intelligence Service, or CSIS. Because of this information, the CSE and the House of Commons worked together to thwart the attempted compromise by this sophisticated actor.

We respect the fact that the House of Commons and the Senate are independent, and its representatives are responsible for determining the timing and the manner in which to communicate directly with MPs and senators. Last week, the committee’s clerk received a complete chronology of events describing measures the Communications Security Establishment took to inform and assist parliamentary officials in their efforts to detect and mitigate cyber-threats. It is important to highlight that the Communications Security Establishment’s engagement with House of Commons IT security stakeholders came well before the aforementioned Federal Bureau of Investigation report.

As the central technical resource for cybersecurity advice, we provide near real-time notifications, including to the House of Commons and Senate IT teams, and we have helped parliamentary IT security officials take quick and appropriate measures within their systems to protect their network and users against this and other threats.

When a cyber-threat is identified, the cyber centre sends out different types of notifications, including cyber flashes, which are urgent notifications delivered via email, daily updates about malware and vulnerabilities on a partner's IP space via the national cyber-threat notification service, and monthly summaries of national threat notification service data, showing how a subscriber's cyber hygiene ranks against anonymized peers in their sector.

When requested, we provide cyber-defence services and maintain an open line of communication to mitigate potential threats. To detect malicious cyber-activity on government networks, systems and cloud infrastructure, the cyber centre uses autonomous sensors, including network-based sensors—

Okay. I apologize for the interruption.

When requested, we provide cyber-defence services and maintain an open line of communication to mitigate potential threats.

To detect malicious cyber-activity on government networks, systems and cloud infrastructure, the cyber centre uses autonomous sensors, including network-based sensors, cloud-based sensors and host-based sensors. These defences protect systems of importance from an average of 6.6 billion attempted malicious actions per day.

CSC continues to monitor Government of Canada networks and systems of importance for cyber-threats. We are working in close coordination with government partners, including relevant security agencies.

We deliver foreign intelligence-informed cyber-defence.

Finally, I would like to call members’ attention to the solutions available to them. Indeed, the Canadian Centre for Cyber Security offers parliamentarians a support service, in addition to holding regular information sessions for political parties on cyber-threats, as well as providing a dedicated point of contact at the centre for accessing cybersecurity support.

Since 2017, the CSE has established four unclassified reports on cyber-threats to Canada's democratic processes, and our “National Cyber Threat Assessment 2023-2024” highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.

Since 2014, interdepartmentally, the CSE's cyber centre has worked closely with Elections Canada to ensure that our election systems and infrastructure remain secure. The CSE also continues to work as part of the security and intelligence threats to elections task force, SITE. Cyber-incidents such as ransomware, DDoS and supply chain compromises are becoming more frequent across all industry sectors, and these incidents are negatively impacting our prosperity, privacy and security. That's why Bill C-26 is so important. It would give the government new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada's critical infrastructure from cyber-threats.

Four sectors are subject to the mandatory cyber-incident reporting in Bill C-26: finance, energy, telecommunications and transportation. These were all prioritized due to their importance to both Canadians and other sectors. They are critical enablers. Bill C-26 will improve our ability to protect ourselves from both the threats we observe today and the threats we will face tomorrow.

The federal government intends to launch its updated national cybersecurity strategy, which will communicate Canada's long-term approach to addressing evolving threats in cyberspace. Central to the new strategy will be a shift in focus towards a whole-of-society approach to Canada's national cyber resilience, where public and private entities and all levels of government work in close partnership to defend against cyber-threats, including threats to our institutions. The government also recently announced the defence policy update, “Our North, Strong and Free”, which proposes a significant new investment in the CSE through budget 2024.

Finally, an important aspect of Canada's whole-of-society approach to our collective security includes practising good cyber hygiene, including safe social media practices, especially in those public roles. The cyber centre has released guidance on ways to protect yourself online. It also has cybersecurity resources for elections authorities, political campaigns and Canadian voters. I really encourage you to take a look at our website, getcybersafe.gc.ca. I would also encourage organizations that have been impacted by cyber-threats to contact the cyber centre, so that it can help share threat-related information with partners to help keep Canada and Canadians safe online.

Further, to make cyber-incident reporting easier for Canadians, the CSE is also working with its federal partners to establish a single-window solution for reporting cyber-incidents, with the ultimate goal being to ensure that Canadians can always find the help they need. This was a key recommendation this week from the Auditor General.

To conclude, the CSE and the cyber centre remain active in their collaboration with all partners, including the House of Commons, to improve Canada's cyber-resilience and protect our democratic institutions. We will continue to monitor any developing cyber-threats and share threat information with our partners and stakeholders, as always.

Once again, thank you for your invitation to appear before you today. We are pleased to be able to contribute to this important discussion and give you an overview of the way the Communications Security Establishment and the Canadian Centre for Cyber Security both work every day to protect Canadians and their democratic institutions.

Thank you for your attention.

I can confirm that when we became aware in 2021 of some anomalies that we were seeing with regard to potential cyber-activities towards the House of Commons, we did, indeed, inform the House of Commons IT security team.

What I can say is that when we were informed in June 2022 by the FBI of all of what we were informed by them about, the list of parliamentarians, we did, indeed, share that list of parliamentarians with the House of Commons IT security team. We also shared it with CSIS.

As mentioned in the chronology that was provided to the clerk, we made it clear that, since January 2021, we've been seeing a sophisticated actor doing cyber-activities towards the House of Commos. We provided 12 reports to the House of Commons. We also held meetings with the House of Commons and CSIS. As part of those various activities—the meetings and reports we provided—we were able to share information that was going to be important in order to continue to mitigate the threat.

Whenever we have a cyber-incident, we work immediately to focus on mitigating the threat. Once we are continuing to address the threat, we, from a CSE perspective, work hard to try to better understand where the threat originated. As we continue to learn that information, we share it with service providers and those who need to know, especially if it's going to be helpful to continue to mitigate the threat.

As part of the various meetings and reports we provided, we were able to share with the House of Commons IT security staff what we believed at that time to be the originating source of the threat.

I believe it would be more appropriate to discuss some elements of the threat during the in camera portion of the meeting.

What I shared was that, when we know the originating source, or when we have a general understanding of the original source, we share that information with service providers and those who need to know. As part of that, we shared over 12 reports with the House of Commons IT staff and held several meetings.

As part of those meetings, we were able to share information linked to the originating element.

As I said, as part of the many meetings we held and the reports we provided to the House of Commons, we provided what was at that time believed to be the originating source.

We now know—because it is 2024 and we have much more information and collective knowledge—that this was an actor by the name of APT31.