Evidence of meeting #119 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A video is available from Parliament.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
That would be in our reporting, in our explicit report. Like I said, we didn't even have the emails, so we would share the key to go find them. They would find them, and then they'd have free rein to go and share that information.
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
If you shared.... I think it's important that you come back specifically with what those caveats are, because—
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
The caveats restrict the system owner from sharing anything with their people.
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
We're talking about information you shared with them, though. The government has said that it had information about members of Parliament facing threats, including the source of those threats. You've just acknowledged that in the process of sharing that information with the House of Commons, you likely included an expectation that they wouldn't share that information with others without your consent.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
I would reject the premise of that statement.
Conservative
Chief, Communications Security Establishment
Just to be clear, what my colleague was saying is that—
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
I don't know. I'd like to hear what he was saying from him, actually.
What were you saying, sir? Was there a caveat attached, or was there likely a caveat attached, as you said a minute ago, that information couldn't be shared without CSE's agreement?
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
They could always ask us if they wanted to share something specific from the report. Outside of the report, they have access to all of their IT systems and all of the information that they can share that they own.
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
Okay, so did they ask you if they could share any information?
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
No, but if they had...and we have done this many times. We've done this many times in the past with HOC—
Conservative
Bloc
Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC
Mr. Chair, I raise a point of order: How can the interpreters do their work when there are two conversations at the same time?
Liberal
The Chair Liberal Ben Carr
Thank you, Ms. Gaudreau.
Mr. Genuis, can you do your best? I appreciate that you want to direct your questions where you want to direct them.
I'm not going to take time away from anybody. If there's talking over someone and it's taking away from the clarity of an answer, I'm not going to hold that against anybody, but I do think we have to play it smoothly here in terms of how we're conversing, so that the interpreters can do their job.
I have stopped the clock. Two minutes and 20 seconds remain. I hope that all those who are speaking will afford the time for the person asking the question or responding to it to do so properly.
Thank you.
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
This is why this situation is bizarre. I'm here with my colleagues, Blaine and Eric, and I have information that's highly relevant to Eric's life that I should probably share with him, and I say that I'm going to tell Blaine, but I'm going to tell Blaine not to tell anyone else, including Eric, without asking me first. Then, two years later, I come back and say it's not my fault I didn't tell Eric, because I thought Blaine was going to tell him. The simplest thing would have been for me to just tell the person affected, rather than put it through a circuitous game of telephone with, potentially, caveats attached that limit the sharing of that information anyway, and potentially without all the information involved.
Fundamentally, the question is: Why was all of this nonsense interposed in between the people who had the information, which is the Government of Canada, and the people who needed the information, who were members of Parliament under threat who could have taken further preventative action to protect themselves? Why was it so difficult for the government to just tell us directly?
Chief, Communications Security Establishment
As I've mentioned, we take our role very seriously, and we take the privacy of Canadians very seriously. We take the role that we play with service providers like the House of Commons very seriously. We recognize that everybody has a role to play in the process.
Having said that, I recognize that we're going to learn from this incident and hopefully get a better understanding, especially from the study that you'll do, on how we might do something differently.
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
Did you clearly tell the House of Commons that APT31 was the source of the threat? When did you tell them that?
Chief, Communications Security Establishment
As per the chronology, since January 2021 we were aware of some activities going on. As was explained by my colleague Rajiv, we progressively started to better understand the threat—
Conservative
Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB
I asked a specific question that's not answered by the chronology.
Did you tell the House of Commons that APT31 was the source of the threat and, if so, when?
Chief, Communications Security Establishment
I believe we've answered the question that we did tell the House of Commons, through the various interactions that we had with them, that we believed at that time that the threat was APT31.
Having said that, the member asked me what specific time that was, and I'm not able to tell you exactly on which date that happened—
Conservative
Liberal
The Chair Liberal Ben Carr
I'm sorry, Mr. Genuis. We're already over time here.
We're over to you, Mr. Collins, for five minutes.
Liberal
Chad Collins Liberal Hamilton East—Stoney Creek, ON
Thanks, Mr. Chair.
Ms. Xavier, I think you've painted a picture today that you provide a service to clients, and those clients could be within the government or elsewhere. When you're made aware of information, you provide that information to organizations or departments.
I could probably pose the question, you know, that this is something that could happen to the defence department. We can look at our support for Ukraine and all of the efforts that Russia is doing to those people around this table who still support Ukraine.... Russia has taken many approaches to try to undermine our support on that file.
If this happened in defence, you would provide that information to defence as your client. Would you consider them a client in that instance? You'd provide them with information, and then it would be up to defence to determine internally, with their own security people that they have and their own IT people, what they do.
Is that a fair comparison in terms of how, if this happened somewhere else in the organization, you'd take the same approach?