Procedure and House Affairs Committee on June 13th, 2024

Thank you, Mr. Chair.

The material facts of this case have already been laid out in the House. I am happy to repeat them in response to questions, but I'll use my opening statement to instead make some specific arguments about what we can learn from this situation.

Generally speaking, we expect a high level of secrecy when it comes to national security. While, in a free democracy, people should generally have access to information about what the government is up to, information pertaining to national security is closely guarded because it could be used against us by adversaries.

On the other hand, it is a well-established principle of national security that information must be shared with citizens if they need that information to defend themselves. For example, if we were at war and a particular area faced imminent bombardment—

Mr. Genuis, I'm sorry to interrupt. I'm just hearing from the interpreters that your pace is a little bit quick, so if you could just slow it down.... I'll be generous in terms of making sure that if it costs 30 seconds for the well-being of interpreters to be adhered to, we will offer that to you.

Go ahead, Mrs. Romanado.

On that same note, I understand that Mr. Duncan requested that witnesses provide their speaking points in advance of the meeting. Were they provided to us? I'm not sure if the interpreters have them.

I don't know the answer to that, Mrs. Romanado.

Mine were.

They were—okay.

Thank you, Mr. Genuis. I stopped the clock. You have four minutes and 15 seconds remaining.

Thank you, Chair. I appreciate your indulgence.

On the other hand, it is a well-established principle of national security that information must be shared with citizens if they need that information to defend themselves. For example, if we were at war and a particular area faced imminent bombardment, we would expect the government to warn citizens of the attack so they could shelter themselves. We would not expect government to keep that information secret, obviously. If a terrorist planted a bomb in a building, we would expect the building to be immediately evacuated and not for the government to keep that information secret simply because it involved security.

What is obviously true of physical attacks should, based on an extension of the same principle, also apply in the more benign cases of cyber and other kinds of foreign attacks. The principle remains that the victim or potential victim has a natural right to know, so they can defend themselves.

Moreover, foreign interference is a particular case where exposure is a central part of the solution. The impact of foreign disinformation is significantly reduced when people become aware of the source. In this way, it is exposed as propaganda and loses its persuasive power. The impact of foreign takeovers of institutions can be undone simply through exposure, and politicians identified as foreign collaborators are less likely to be re-elected. When people are aware that the source of something is a hostile foreign state, that awareness may dissolve the impact of the threat.

The current government has used national security as an excuse for keeping secret information related to foreign interference that it would be in the national interest to expose, or where exposing that information would protect victims and reduce the overall impact. Three known examples of this phenomenon are the secrecy that long surrounded the Winnipeg lab documents affair, the failure to inform members of Parliament of threats against them or their families—which resulted in two separate questions of privilege recognized by the Speaker—and the current insistence of the government on keeping secret the names of parliamentarians who have intentionally collaborated with hostile foreign states. It is hard to see how the public interest is served by secrecy in any of these cases.

When it comes to foreign interference, we should be strategically declassifying certain information precisely as a tool to fight against interference. The government's defence of their failure to inform me of threats against me was that they told the House of Commons about these threats, and that they respect the role of the House of Commons as an institution separate from the executive.

In response to this, I will make five observations.

Firstly, as you know, I was targeted at my personal email. House of Commons IT were informed about attacks on parliamentary accounts. I suspect the administration here wasn't even informed of the attack on me, because that had nothing to do with their jobs.

Secondly, we have still not heard clear testimony regarding what information exactly was shared with House IT and when—whether it was merely a few technical details or the full robust picture that was shared with our intelligence services by the FBI. Without the full picture, it would have been hard for us to be briefed.

Thirdly, the government's argument seems to badly misunderstand the nature of the work expected of IT professionals. House of Commons IT are not an intelligence or communications service. They work on IT. It would seem strange, in principle, for those IT professionals to have decided of their own accord to walk around the building and talk to parliamentarians about the threats they face.

Fourthly, CSE acknowledged in their testimony that there were likely caveats associated with the information shared that prevented House of Commons employees from resharing the information without permission. I would suggest that the committee send for further and clearer information about what exactly was shared with House of Commons IT services—when and with what caveats.

Finally, the underlying logic of the government's argument for secrecy is deeply flawed, because the rights and privileges of members of Parliament are vested in them as members of Parliament. Those rights are what enable us to do our jobs for our constituents. Those rights can be given up or modified by the agreement of the House, but they are not held, controlled or modifiable by House administration. The way to respect the rights and independence of members of Parliament is to give them the tools and information they need. The government's argument here implies that the House administration is the holder of our rights, as opposed to members themselves. That is, of course, dead wrong.

Chair, that's my opening statement. I look forward to questions.

Thank you very much, Mr. Genuis.

Is it Mr. Bezan or Mr. McKay?

Mr. Bezan, the floor is yours, sir, for five minutes.

Thank you, Mr. Chair.

Good morning, colleagues.

I am also one of the 18 members of Parliament and senators who are members of the Inter-Parliamentary Alliance on China. APT31 targeted us way back in 2021 and 2022.

Now, what is shocking is that as parliamentarians we were never informed that we were the subject matter of a hack attempt or cyber-attack by the Communist regime in China. By letting us know, we could have then, as parliamentarians, taken protective and corrective actions, but we couldn't because we were never told. We were not informed of this by the House of Commons IT services. We were not informed of it by the RCMP. We were not briefed by CSIS, nor did CSE reach out to us, which ultimately found out through the FBI and informed the House of Commons IT services.

All of us did get briefed on May 9 by the FBI. That, I think, is embarrassing. That was the way we were finally told about how the attack occurred and how we could protect ourselves.

Now, I have to say that the Sergeant-at-Arms in the past has...and was offering a briefing to us this afternoon. It's unclassified, but it's on how we protect ourselves from cybersecurity attacks and what types of measures we take. CSE has briefed me in the past and also others who were targeted on social media by misinformation and disinformation from the PRC.

Also, of course, all of us who have travelled and have been given burner phones by the House of Commons, Global Affairs or the Department of National Defence in our parliamentary activities have received those briefings for travel. I may have a bit better understanding than others of the cybersecurity threats that are out there, but that doesn't make acceptable the actions that were taken by the House of Commons and those in charge, because this isn't an isolated incident. This is happening all the time, and we need to be better informed.

The PRC has been spying on me for a while. I have activities. I'm a patron of Hong Kong Watch. I'm a member of the parliamentary Canada-Taiwan Friendship Group, along with many of you. A number of us at this table travelled to Taiwan as recently as last year.

Iran is also named in the NSICOP report. I'm a co-founder of Canadian Parliamentarians for Human Rights and Democracy in Iran. As you know, I was very big on the charge to get the Quds Force listed as a terrorist organization in 2012. In government, I led the shutdown of the Iranian embassy and consulates here in Canada, and I've been recognized by the Persian community for my advocacy.

Of course, the Russian Federation has been targeting me on social media with trolls, not with bots, for a long time. I was one of the first group of 13 that was banned from Russia back in 2014. I'm vice-president of the Canada-Ukraine Parliamentary Friendship Group. I've been outspoken in my support of Ukraine and, of course, Russia is going to take actions against any of us who are advocates for Ukraine. I brought forward the Sergei Magnitsky Law.

Why does all that matter, all my activities that are beyond what many would say is my scope as a parliamentarian and my day-to-day activities? Modern espionage, intimidation and foreign interference tactics are violating our collective rights and our privileges, but also our privileges as individuals, and this is the new norm.

In Bosc and Gagnon, the Speaker's ruling as referenced on pages 107 and 108 says that we have to make sure that:

...Members should be able to go about their parliamentary business undisturbed. Assaulting, threatening, or insulting a Member during a proceeding of Parliament, or while the Member is circulating within the...Precinct, is a violation of the rights of Parliament.

It also says, on page 111:

A Member may also be obstructed or interfered with in the performance of his or her parliamentary functions by non-physical means.

We have to modernize our efforts to protect our privilege from cyber-attacks. It's no different from a physical obstruction or interference in performing our duties. That particularly is concerning to me. I'm the Conservative shadow minister for national defence. I'm vice-chair of the Standing Committee on National Defence, and John is the chair. We serve on these committees. We talk about information. I provide advice to our leader. We develop policy and platform ideas.

If I'm being targeted by those who try to hack into my emails and my communications, Mr. Chair—and I know I'm getting close on time—then we have to take corrective measures. The laissez-faire and “we don't care” culture coming from the PMO and PCO has infiltrated through the rest of our departments and the way we operate up here. We have to make sure that we are more aggressive in how we protect each and every one of us from these cyber-attacks. That means that we need to know when we have to reclassify how information is shared.

Thank you.

Thanks very much, Mr. Bezan.

Mr. McKay, the floor is yours for up to five minutes.

Thank you, Mr. Chair.

I'll just pick up where James left off, with the core issue that is in front of this committee, which is when members should be informed of these attacks. These attacks are simply a fact of life. They are massive, and they will increase.

I'm rather hoping this committee will grapple with how, when and where we are to be notified of these attacks, because, frankly, I'm given to understand that there are something like a million attacks a day on this organization, the Parliament of Canada. I don't think every member wants to be informed of every one.

In some respects, we're in a fortunate position in that the evidence at this point shows that we didn't actually suffer any damage. There was no breach and the firewalls held. Having said that, it is—and I adopt my friends' views—kind of embarrassing to learn from a foreign security service that we've had an attack. Frankly, I don't think that's quite acceptable.

The FBI tells the CSE, the CSE tells our security services, our security services are satisfied that the breach does not occur and we're in the dark. We're in the dark for two years, and we only find out about these attacks by virtue of the unsealing of an FBI document.

When we were briefed by the FBI, the FBI representative told us they felt outgunned—I think that's the word he used—50:1. These attacks are massive, and the FBI feels overwhelmed.

This committee needs, in my view, to start wrestling with our protocols. Clearly, the current protocols are not acceptable. For two years, the three of us, plus all of our other colleagues, were quite vulnerable.

I'm rather hoping this committee actually gets to the nub of it. I'm not interested in the blame game. I'm not interested in “we should have done this or done that.” Protocols need to be established, because everyone at this table, every one of our colleagues, is vulnerable. I'm rather hoping you take this example of vulnerability—which I don't think has entered into any kind of damage—and give instructions to those whom we ask to protect us.

We are all engaged—and, again, I adopt James's view—in multiple activities that create a vulnerability and are within our privileges as members of Parliament.

I support Garnett's motion, but I want this committee to focus on the protocols that would be appropriate.

Thank you.

Thank you very much, Mr. McKay.

Colleagues, we will head into the first round of questions.

Mr. Cooper, the floor is yours for six minutes.

Thank you very much, Mr. Chair.

Thank you, colleagues.

The committee received a chronology of events from the CSE. The chronology states that CSIS issued a briefing on the Beijing-directed APT31 cyber-attack to 35 Government of Canada clients as early as November 2021.

I asked the director of CSIS who received this briefing, and he has undertaken to provide this committee with a list. However, he did say that, as a general rule, “such a product would indeed be distributed to the Privy Council Office, and that would include the national security and intelligence adviser” to the Prime Minister.

What does it say to you—the fact that, as early as November 2021, 35 Government of Canada clients, likely including the Prime Minister's own department, the PCO, were briefed about this cyber-attack, but you and every other member of Parliament who was a target were kept in the dark?

Whoever wishes to—

I'm happy to respond to that.

Mr. Cooper, I think you've hit the core issue. We were not on the distribution list, shall we say. The protocols at that time—two years ago—are frankly found to be inadequate.

I'm hoping this committee will actually address that issue because it's not acceptable that we were in the dark for the last two years.

I'll just jump in on this.

You have information shared to government officials. The national security adviser, as we read in the NSICOP report, withheld information from people who should be informed. That information should have been shared with us, as individuals, as to the matter of the attack.

When you look at the culture that exists within the Government of Canada on how they classify information and how they share information, especially when it comes down to foreign intimidation—and APT31 is nothing more than foreign intimidation—we have to be taking on new protocols for how we deal with it. The national security adviser has to be a lot more aggressive in making sure that information percolates through the system and not just to the Prime Minister.

In this situation, where it's involving members of Parliament, that information should be distributed or individuals contacted directly, whether it's through caucus leaders or caucus chairs. We need to make sure we don't repeat these mistakes. I think that is paramount to our ability to do our jobs.

Mr. Genuis.

I agree with what my colleagues have said.

Thank you for an important question, Mr. Cooper.

I have just one point to add in terms of the dissemination of information.

In the previous hearings with previous witnesses, we have tried to get at what exact information was disseminated, in particular what information was disseminated to House of Commons administration. The government's communication on this has said that “the information”—implying all the information—was given to House of Commons administration.

I pursued this matter with Ms. Xavier, from CSE. I asked her if the House of Commons administration was informed that the source of the threat was APT31.

She chose her words very carefully. I didn't actually notice what she was doing until I read over the testimony afterwards. She said, in response to one of my questions, “As part of the various meetings and the reports we provided, we were able to share with the House of Commons IT security staff what we believed at the time to be the originating source of the threat.”

Then I followed up that she had shared with them that it was APT31 and at that point she refused to answer. She said we should go in camera and various other points.

She said she shared what they thought was the source of the threat, but she never actually said they shared that the source of the threat was APT31, so there are big questions. I think there's a little bit of sleight of hand being attempted by officials about what information was actually shared, especially with House of Commons administration.

Thank you for that.

While I completely agree with Mr. McKay that we need to look at solutions to ensure that what happened doesn't happen again, there does have to be some level of accountability. To that end, the government has essentially washed its hands clean insofar as they have tried to place the blame squarely on House of Commons administration.

Then, when we begin to probe House of Commons administration, it seems to have fallen all on House of Commons IT, yet 35 Government of Canada clients, including likely the Prime Minister's department, the PCO, were briefed in November 2021. That's more than a year and a half before you were finally briefed, thanks to the FBI.

Again, the notion that it should be left to IT services, which was dealing with the technical matter of ensuring the integrity of IT systems in the House of Commons, to inform members of Parliament seems to be completely untenable. Wouldn't you agree?

Shouldn't there be some level of responsibility if, in fact, the PCO and the national security and intelligence adviser were informed in November 2021 and said nothing and did nothing for a year and a half, and would not have done anything but for the FBI?

Mr. Cooper, unfortunately, that's all the time. Certainly, in the next round, you're welcome to raise that.

If I could get a simple answer—

Unfortunately, your preamble—

I think it's very interesting that you're cutting me off on that important point.

I'm not cutting you off, sir. I'm simply applying the rules fairly. You will have another opportunity to ask questions of our colleagues.

Ms. Romanado, the floor is yours.

Thank you very much, Mr. Chair, and through you, I'd like to thank the witnesses for being here today.

I'd like to start my....

Mr. Chair, I have the floor. If Mr. Cooper would like to please stop interrupting me, that would be—