Procedure and House Affairs Committee on June 13th, 2024

You've had your chance, Mr. Cooper. It is my time. Thank you.

Colleagues, I want to premise this with my firm belief that you should have been made aware at the time, so I want to make sure that you understand. I completely agree that what happened was inappropriate and that you should have been made aware.

We are trying to get to the bottom of what happened and how we can make recommendations to make sure that such a situation does not occur.

I want to just get clarity from each of you on some specifics.

Mr. Genuis, you mentioned that it was your personal email that was attacked. Is that correct?

That's correct, yes.

Was your parliamentary email as well or just your personal?

I don't believe my parliamentary email was. I think it was only the personal.

On what date did you become aware of the fact that you were a victim of the cyber-attack?

It was earlier this year that I was informed by IPAC. We had a joint briefing and, as I remember the sequence of events, Mr. McKay and I, who are co-chairs of the organization, heard the information first. We had a briefing with members of Parliament later that day. I was let know of the situation very shortly before, in terms of convening those meetings that took place, but it was all within the space of a few days in late April of this year.

Thank you.

Mr. Bezan, which email account was used in the cyber-attack in your case?

Based on the information that we received from IPAC in the IPAC briefing from the FBI, it was our P9s for most of us, and I think that what we were told—although I've never had a conversation with IT services, with the Parliamentary Protective Service or the Sergeant-at-Arms—IT was able to catch it in time, so the firewall worked.

If you look at the case of Mr. Genuis, they were targeting his non-parliamentary account, and that is troubling. In response to what Michael said, I'll just say this—

I don't have time—

—PPS, the Sergeant-at-Arms and House of Commons' IT services all have a role to play in this to make sure that we are informed when these things happen.

I agree.

I'm going to go to Mr. McKay.

Mr. McKay, was it your personal email, your parliamentary email or both?

It was my P9, as far as I know.

You learned about it at the end of April of this year. Is that correct?

Yes.

We've had the CSE, we've had the House of Commons administration, and we've had CSIS come before this committee. It seems to be, as I'm sure you are aware, Mr. Genuis, a sort of “it's not our role to inform MPs”. They all have a little box that they work in, and no one seems to know whose responsibility it is to inform MPs, so part of our study here is to put in place the proper protocols to make sure that, in the event of another situation....

I understand that there was a directive, a ministerial directive, issued to CSIS in May 2023 to inform them that MPs must be made aware.

Would you have any recommendations for this committee in terms of.... I don't want to say a workflow. In the event of a situation such as this occurring again, who would you recommend be the appropriate channel to make sure that MPs are notified immediately?

If I were attempting to write a protocol, I think, first of all, I'd pick up on Mr. Cooper's question that a lot of government authorities all seemed to know, and we didn't. That's unacceptable.

The other point I'd like to make is that we are not the Government of Canada. We are the Parliament of Canada, and we sometimes confuse that. We do interact with government agencies, CSE in this particular instance, so any protocols that should be written should be directed to the House of Commons authorities that look after our security, and I think that's where this committee should focus.

How you arrive at when, if and how I think is extremely difficult. I would hope that the committee focuses its energy on that instead of running around saying that everybody else knew but us.

Can I follow up on that?

I really believe our physical presence here and our physical protection is through the Parliamentary Protective Service under the auspices of both the Sergeant-at-Arms and the RCMP. Ultimately, they should also be the ones who are responsible for protecting us from cyber-attacks. Whether it's a physical attack or a non-physical attack, somebody has to take the lead here. The Parliamentary Protective Service is first and foremost responsible for making sure we're safe. That includes from online cyber-attacks, deepfakes, AI and all these things that now are going to ramp up and become even more dangerous as we go forward as parliamentarians.

Given the fact that in the role we play, we all have personal email accounts—we have them for partisan purposes and so on—would you recommend that some protocol be put in place in terms of also our personal email accounts, given the fact that all of us have those kinds of accounts?

One witness can take 10 seconds, please.

I don't think House of Commons security can be everywhere we are. We're on our personal emails. We're physically in other parts of the country. I think that's where intelligence services have to be taking that macro view. If there's information about a threat to you that may manifest itself on your personal account, in your constituency or when you travel, they need to be informing you, having that broader view of security issues that goes much beyond just what happens in Parliament and with parliamentary devices.

Thank you very much, Ms. Romanado.

Ms. Gaudreau, the floor is now yours for six minutes.

Thank you, Mr. Chair.

Mr. McKay, did you know what APT31 could do to you? What are the mechanics of that?

It was described to us as a pixel attack. I'll give the description I have, because I'm still not quite sure I understand it:

The emails that you received were all from the domain “nropnews.com”. There were various email addresses and names of fake journalists attached to this domain. This kind of attack is known as pixel reconnaissance. It works by embedding a tracking pixel in a photograph or image. When the receiver opens the email, the tracking pixel is able to send back some limited information to whoever has sent the email.

It's kind of like a phishing expedition.

When did you get that information?