Evidence of meeting #121 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

12:35 p.m.

Bloc

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Was that your personal account, Ms. Sgro?

12:35 p.m.

Liberal

Judy Sgro Liberal Humber River—Black Creek, ON

It was my House of Commons account altogether.

Can I just take it somewhere else, following on the earlier question of what we can do?

You know, this is June, and we're learning a whole lot. I would hope that, when the House comes back in September, there is a very significant presentation on security issues to all parliamentarians, and one so that we would start the session with—

12:35 p.m.

Bloc

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

I'm going to stop you there, because my time is limited.

In fact, I don't know about you, but our caucus was briefed by the Canadian Security Intelligence Service. It is becoming a necessity, but yes, I'm very concerned about parliamentary prevention.

Were you in the same situation?

12:35 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

More or less, I'd say. I have three accounts. The first is stephaniekusie.mp; the second is my MP personal account, my .p9 address; and the third is a Gmail address. In my case, it was the account with the least sensitive information, but it was a window to accessing the other accounts. That's what bothers me the most.

12:35 p.m.

Bloc

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

That's correct.

I have another question. Earlier, I was explaining my annoyance with the fact that I, someone with no qualifications in espionage, found an article on the web on December 15, 2021, explaining the APT31 attack campaign. There are newspaper articles, including the one from May 12, describing what was requested during the visit from representatives of the Communications Security Establishment, who gave us nothing in the way of information. We've learned nothing.

That being said, and I'll close with this, there's an MP—it's in Le Monde—who said she intended to file a legal complaint, because she's experienced exactly what you have. On that, in your situation, where do you stand on this? Are you angry enough to get things moving?

12:35 p.m.

Conservative

Tom Kmiec Conservative Calgary Shepard, AB

Personally, I wasn't angry when I found out that I was the target of this type of attack by a foreign agency. I was disappointed that my government didn't think it was worth telling me or protecting me.

12:35 p.m.

Liberal

The Chair Liberal Ben Carr

Okay.

Thank you very much.

Ms. Mathyssen, the floor is yours for six minutes.

12:35 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you, Chair.

Thank you to all three of you as well for joining us today and sharing this experience with us.

In the last round, I was talking about the fact that this institution and parliamentarians overall would get millions of hits. I'm a little concerned and I worry about how, when CSIS and CSE were here, they talked about the fact that—and I think House of Commons administration said—they regularly provide parliamentarians with general warnings and that they thought that was enough in terms of understanding what foreign interference or a cyber-attack would be. We also talked about personal responsibility and what that means to the individual MP. We just talked about the fact that we were briefed by CSIS this week at caucuses.

Ms. Sgro, you were talking about the need for those briefings. What do you want to see far beyond that in general? I know it would probably be overwhelming for members of Parliament if they were briefed on every single attack that was put forward, but what do you see those briefings looking like? Would they be quarterly, because that information changes so quickly?

Just give me an idea of what you're thinking on that.

12:35 p.m.

Liberal

Judy Sgro Liberal Humber River—Black Creek, ON

I think we have to stop not talking about it, and we have to start learning more about it and how many threats there are. Again, it depends on the category of threat that is there as well.

More knowledge needs to be shared. Things are moving so quickly that, even if we had a briefing a year ago or six months ago, by the fall, things will have moved again very quickly. We have to make sure we are staying on top of it. We're all busy. I don't even look at the social media. I don't go on it. I don't care what they say. Let them do what they want, because I'm going to do what I need to do.

However, when the category of threat reaches a certain point, I rely on somebody getting in touch with me and saying, “You know, what you said last week has generated this particular threat.” Just let me know. I will handle it accordingly. I think it needs to be frequent. With the way things are moving so quickly, I don't think doing this once a year or once every three years at the beginning of a new Parliament is enough.

12:40 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

I've had the pleasure of visiting the majority of threatened democracies in the world, except Ukraine. That's the one that stands out. When I was in South Korea, they had a digital map of cyber-threats in real time. In this day and age, I don't see why we can't be informed about this in a daily report or even an attack report. The technology is there, in my opinion, and we are able to intercept or to view and intercept the attacks. I believe we should be receiving far more information because the technology is there. I think we have a right to know.

As I said, those of us who are more involved in pro-democratic, pro-human rights activities will certainly have more. I think the government has a responsibility to protect us when we are doing that work.

12:40 p.m.

Conservative

Tom Kmiec Conservative Calgary Shepard, AB

Thank you for the question.

My view is that these generic briefings or emails we receive that tell us not to open an obvious phishing scam by email, and there's that “phishing” button.... I have never used that button in 20 years of using Outlook, so I can't tell you what it does. I just know not to open the email. It's obvious to me.

I know my colleagues here. I know that Mrs. Kusie is very involved with Cuban exiles who are fighting for freedom in Cuba. I know that Ms. Sgro shares my interest in a free Iran and she leads one of the different parliamentary groups. When there are specific attacks on us by foreign governments or foreign groups, we should be told in the moment, instead of getting these generic quarterly briefs or as they happen when there's a phishing attack on Parliament Hill on our emails. That's not useful.

I will praise one group: the ParlVoyage people, who give us the burner phones and inform us on what to do and on the security-level threats. When I travelled to Iraq last year with a parliamentary delegation, they were excellent. They told us exactly what was reasonable, what was unreasonable and how to be digitally secure as you're travelling through different airports.

Outside of that, like I said, nobody from CSIS, CSE or any of the other alphabet soup agencies has come to talk to me, except for the FBI, to tell me and to explain to me what I could do to be safer and to provide actual, technical, usable things.

12:40 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you.

12:40 p.m.

Liberal

The Chair Liberal Ben Carr

You have one minute.

12:40 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Ms. Sgro, I wanted to focus on you and thank you for being a chair for the Canada-Taiwan Friendship Group and all your work on that. I travelled to Taiwan as well. We heard their perspective in terms of how they deal with millions of hits by China every day as well.

They have put forward a specific minister of digital affairs. Is that something that Canada should replicate? Do you have other ideas from your many trips and learning from them where we could go?

12:40 p.m.

Liberal

Judy Sgro Liberal Humber River—Black Creek, ON

I found it fascinating to see the thousands and thousands of hits they get on disinformation every single day. They have four people whose job, 24 hours a day, is to monitor the system—that's all they do—and put out corrections to the disinformation that is being fed into the networks that are out there. I think we have a lot to learn from them in that particular area where they're dispelling disinformation.

I think cybersecurity—the whole thing—needs to be taken much more seriously as we move forward.

12:40 p.m.

Liberal

The Chair Liberal Ben Carr

Thank you very much, Ms. Mathyssen.

Mr. Calkins, the floor is yours for five minutes.

12:40 p.m.

Conservative

Blaine Calkins Conservative Red Deer—Lacombe, AB

Thank you, Chair.

I want to differentiate because I think there have been attempts to conflate so many attacks with the incident that happened in this particular case. We're dealing with phishing here. This is a different thing altogether. This is not a denial-of-service attack. This is not a cyber-attack. A phishing attack is a personal attack, because the vulnerability is at the human level.

I'm fully convinced that our technical experts.... I actually did IT work in a previous life. I'm so outdated now that I wouldn't know some of the new things they're doing.

The difference here is that it involves a human being making an error. That's how they do it. We can actually thwart most of the cyber-stuff. We can thwart denial-of-service attacks. We can thwart all of these things that attack the technology. However, this is an attack whereby the vulnerability is one of us clicking on something that we ought not be clicking on.

The difference in this particular case is that it was serious enough.... It was not just somebody looking to try to scam us out of some money. It's not the Nigerian prince type of question. This was serious enough because it was from a hostile foreign state actor, or considered to be a potentially hostile foreign state actor, directly targeting a group of us—18 of our colleagues—with this attack.

The frustrating part for me is that our job and our primary responsibility.... We're not in the sausage grinding of government. We're actually very nimble people. We're much more nimble than Monday to Friday, nine to five. If we're going to be able to do our jobs, we need to know what's going on. If we're not informed....

I think it's absolutely embarrassing for a country that 18 parliamentarians basically found out because the FBI released this. It is different from a cyber-attack. It's different from all the other random stuff that our emails might get hit with. This is hostile activity meant to do something subversive or damaging to individual members of Parliament and, thereby, the entire institution and our democracy at the root level.

If we're not told about something this specific.... The FBI thought it was important enough. It seems to be able to sort out cyber-attacks, denial-of-service attacks, other infrastructure attacks and other random phishing or malware attacks. Why can't Canada do this?

How are we supposed to hold our government to account if we don't even know that something is happening?

I'm looking to you three to say something that would give this committee some direction about this. What do you think would have been, to the best of your knowledge, a more appropriate way for you to find out? What would have been a more appropriate timeline for you to find out in?

The only reason we're talking about this is because somebody else tipped us off.

12:45 p.m.

Liberal

The Chair Liberal Ben Carr

Mr. Calkins, you have about 90 seconds left for the witnesses.

12:45 p.m.

Conservative

Blaine Calkins Conservative Red Deer—Lacombe, AB

I'll leave it at that. I know it's a very open-ended, general question, but....

12:45 p.m.

Liberal

Judy Sgro Liberal Humber River—Black Creek, ON

If IPAC hadn't told us, we wouldn't know today. It took that organization, which has nothing to do with Canada, to reach out to us and let us know, or we wouldn't have known.

I go back to the disappointment. We, parliamentarians, need to know when there's been a threat levelled against us. We need to know. That doesn't mean six months from now. If I got a threat today, based on what I said yesterday, I wouldn't even know where to go. I know I'm going to go to the Sergeant-at-Arms, but then what?

We need to know what to do when we receive something that we think is a serious threat, what not to do and where to go.

12:45 p.m.

Conservative

Tom Kmiec Conservative Calgary Shepard, AB

Thank you for the question.

I'll add that the Government of Canada needs to treat our digital security like the House of Commons treats our physical security. I feel safe around the parliamentary precinct because I know there are enough PPS officers around, who are actively managing the security of the area.

On digital security, I'm sure they can shut down our emails and keep our files safe, whatever device that they're on, but when the CSE found out that this was APT31.... These aren't basement goons. These are men and women for whom there is a $10-million reward by the U.S. State Department for information leading to their arrests. This is an active foreign intelligence unit that was used.

As soon as that was found out, there should have been a positive responsibility on the part of CSIS, the CSE and all of the alphabet soup agencies. Don't send me an email. Call my office. Contact me directly. Tell me I'm a target. Tell me why I'm a target, if they know, because I would like to know.

On the phishing stuff, I entirely agree with you. People go through that in their private life and businesses, but being targeted by a foreign intelligence service is new.

12:50 p.m.

Liberal

The Chair Liberal Ben Carr

Thanks very much.

Mr. Hardie, the floor is yours for five minutes.

June 13th, 2024 / 12:50 p.m.

Liberal

Ken Hardie Liberal Fleetwood—Port Kells, BC

Thank you, Mr. Chair.

Thank you for the information that we've had this morning.

NSICOP, of course, came down with a report. Evidently, as we've learned, some people are named in that report. It is based on intelligence that surfaced during a variety of work done by our agencies.

I want to pull it back to the issue of privilege. There's been a lot said about whether we should divulge the names of those people to the world. Should we perhaps think about ways of divulging the names of those people to those people? Is that a question of privilege?

I'm just asking for an opinion here. You don't have to be encyclopedic or well read on the whole issue, but what do you think?

We'll start with you, Mrs. Kusie.

12:50 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Absolutely, I think that's the first step. I think that they should be divulged to the world, as the position of my party and my leader as well. It absolutely should be divulged to them. I know I constantly do an inventory—

12:50 p.m.

Liberal

Ken Hardie Liberal Fleetwood—Port Kells, BC

We'll ask for a fairly short answer to that one, because I have a lot of questions.