Procedure and House Affairs Committee on June 13th, 2024

It's interesting that you mentioned the Reform Act—

You have about 30 seconds.

I think Kory is totally and completely wrong about that. Obviously, he can speak for himself in terms of his understanding of the Reform Act.

The Reform Act is very clear about how caucuses make decisions, and I would only say that I wish the Liberal Party had followed the law with respect to the Reform Act and taken those votes at the beginning of Parliament, because it's a concern if that law is not being followed.

Thank you very much, Ms. Mathyssen.

Colleagues, that brings us to the end of our first panel. I want to thank Mr. McKay, Mr. Genuis and Mr. Bezan for joining us here today.

We appreciate your time, gentlemen.

Thank you.

We are going to briefly suspend to set up for the second panel, and we'll get going right away.

Colleagues, we are going to resume our meeting.

We head into the second panel on the same topic.

We'd like to welcome the following members of Parliament, our colleagues who will be joining us for the second panel today. We have Mr. Kmiec of Calgary Shepard, Ms. Stephanie Kusie of Calgary Midnapore and the Honourable Judy Sgro, the member of Parliament for Humber River—Black Creek.

Colleagues, you will each have up to five minutes for an opening statement, and then we will head into a round of questioning no different from any other committee setting.

Witnesses, have you had an opportunity to discuss who may like to go first, or does someone just want to put their hand up?

It's going in the order of the notice of meeting, for sure. That's how it should go. It should go in the order that it is in the notice of meeting.

It can go in a variety of different ways.

I think it's always good to follow the meeting notice.

Mr. Kmiec, go ahead.

That's fine.

Thank you, Chair.

I was trying to be a gentleman.

I've had the opportunity, now, to listen to the testimony given this morning in the first panel. I didn't hand speaking notes to the interpreters, so I'll speak slowly and will pause when I switch to French.

I'm going to repeat what I said in the House of Commons. I believe the Government of Canada had a moral and ethical responsibility to tell those 18 parliamentarians that we were targeted by a PRC special unit for a form of digital surveillance, including me. I'm one of them. I'm a member of IPAC. The Government of Canada failed in its moral and ethical responsibility to tell us.

I have six points I want to make based on testimony I heard. I want to refer to these.

The first part was during the CSE's testimony here about when they became aware. They said:

...from January to April 2021, more than a year earlier, the cyber centre had already shared reports with the House of Commons IT security officials, specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.

Based on this testimony, I have to assume it was APT31. I had no idea this was going on at the time. I also did not know what APT31 was until I was told on April 24—by my two co-chairs and the executive director of IPAC—that I had been one of the targets of this PRC campaign.

Since then, I have not had any type of contact directly from CSE or CSIS. I have heard, though, from the FBI. I had the same May 9 FBI briefing that other members received, detailing exactly what APT31 is.

Later, in testimony provided before the committee, the CSE's Caroline Xavier said, “I can confirm that when we became aware in 2021 of some anomalies”—it's interesting that she called them “anomalies”—“that we were seeing with regard to potential cyber-activities towards the House of Commons, we did, indeed, inform the House of Commons IT security team.”

She went on to detail this, saying:

...we did, indeed, share that list of parliamentarians with the House of Commons IT security team. We also shared it with CSIS.

When I became aware that I had been targeted, they responded to me with a citation on April 25. Here it is, as copied and pasted by the Sergeant-at-Arms: “For your records, we have been involved in investigation of this activity while it was ongoing, well before it was publicly disclosed.”

My staff followed up and asked the question, “Are you saying that the Sergeant-at-Arms office was aware and investigated this activity before, or are you referring to the House IT administration?”

The office of the Sergeant-at-Arms, or SAA, was not aware of this investigation. However, the HoC cybersecurity team, information service, IT administration, stated that they were involved in this investigation while it was ongoing.

I want to draw your attention to another piece of testimony in questioning by Mr. Genuis. In that, Ms. Caroline Xavier said, as part of those actions, “We provided 12 reports to the House of Commons.” This would have been since January 2021. Again, I am not aware of the contents of those reports. I don't have the benefit of the in camera sessions that members of this committee received, so I am at a disadvantage.

In response to a question asked by Marie‑Hélène Gaudreau, Ms. Xavier said:

Since 2019, we've offered parliamentarians the opportunity to get support from the Canadian Centre for Cyber Security, especially if they've had problems after a cybersecurity incident. That is also part of the services we offer, but it is important for parliamentarians to contact us if they want our help.

You can't contact the Canadian Centre for Cyber Security at the Communications Security Establishment if you don't know it exists. This is the first time I've realized that there is such a service for parliamentarians. I was elected in 2015, and this is the first time I have heard about this service, which has been in place since 2019.

In addition, it is impossible to ask the government for help from the Canadian Centre for Cyber Security if you do not know that you are being targeted by a foreign agency as a parliamentarian.

In cross-examination and following up on questions asked by Ms. Mathyssen, Mr. Genuis raised the point that the CSE made the following observation in different rounds of questions: that government institutions need to respect the parliamentarians of the House of Commons. However, it's hard to feel respected by CSIS, the CSE or the House of Commons IT cybersecurity administration when they don't bother to tell us we are the targets of foreign campaigns and they don't bother to tell us we're targeted by foreign agencies.

I do a significant amount of work with diaspora communities among Canadians. I have people often tell me that they cannot be seen in a picture of me that will be posted online, so they jump out of the picture.

In my office I also have a Ukrainian flag signed by many of our UCC interns in past years, so I am sure that Russian Federation officials don't like it.

Lastly, I have protest pictures from Hong Kong brought to me by Albertans who were there. Hong Kongers who come and visit me do not take pictures in front of that with me in it.

Thank you, Chair.

Thank you very much, Mr. Kmiec.

Mrs. Kusie, you have five minutes.

Good morning, colleagues.

On the morning of Thursday, April 25 of this year, I received an urgent message from my colleague indicating the necessity of a call as soon as possible. I was not alone on the thread, so the call was set for later that afternoon. The contents, once shared, were disturbing. Those present on the call had been the target of a cyber-attack by APT31, which is a hacker group set up by the PRC.

To receive this news is unsettling, to say the least. You immediately think of your most intimate transactions. It's impossible not to. Your thinking regresses backward quickly through all communications.

It's no secret that our electronic communications confer the most precious details of our lives: where we are, who we're with and what we're doing. One comes to Jesus quite quickly in these moments, which is rapidly followed by the crushing resentment of “how did this happen and why?”

I've never taken my stations for granted, as a member of Parliament or a former diplomat for Canada. I've recorded, in thorough detail with the authorities in the past, relationships where I questioned the motivation of those forming a bond with me. My triggers were always lavish gifts, suspicious backgrounds and a forced effort to create a closeness.

In 2021, after changing residences, I requested a sweep of my homes for bugs. I was informed by the authorities that these services were not available for those outside of the executive of government. I had a security assessment done in my home and the recommended security system installed, to the remark of a colleague who indicated that they could see who killed me after I was dead.

Do I desire the 24-hour protection of some of my colleagues? I'm very nervous about reaching that level of notoriety. Yes, I've been stopped in the vitamin aisle and in the deli section by those who recognize me, but this is, of course, another level.

The most disturbing aspect of this is having been informed by not even a second but third hand, so I'm very grateful to have run into Luke de Pulford at the inauguration of the Taiwanese president in Taiwan and to have thanked him personally for his intelligence and for sharing with us.

Despite our differences, I've also always had an affection for the United States, having done my master's degree there and having served as the Canadian consul to Dallas from 2010 to 2013. I'm not surprised that it was actually the Federal Bureau of Investigation that surmised this breach and informed IPAC, which then informed my colleague, who then informed me.

This does, however, not dismiss the pervasive and persistent disappointment I have in not being informed directly by the Canadian government. As a consul, I felt a keen guardianship for all Canadians in my host region. I wish the Canadian authorities reflected the same sentiment in informing me about my violators. I can only deduce that they did not.

My sense of disappointment is overwhelming. The fear that consumes you when you think about the possible effects on you and your family, you try to push it out of your head, like a tooth your dentist says needs to be pulled at a later date. As a legislator, you consider what needs to be done to protect you and those around you, as well as your colleagues. You take this path knowing that a part of your life is not your own, but this validates it in a manner far more vast than you would like to consider.

In closing, I believe in evil and not just in the biblical sense. I believe in malice in the hearts of men—those who wish to intentionally inflict harm upon others. One need only refer to Navalny or the 37 murders in the republic of Mexico in the most recent elections. I'm not talking about someone saying I'm hot or not online—I have thicker skin than that—but about the potential for real harm to me or to my loved ones.

This attack appears on the surface to have been minimal in impact, but it indicates a far greater concern that someone is watching. They want to know what I'm doing, who I'm meeting and where I will be.

Evil, when confronted, will always try to realign, but the tactics are always the same: divide, conquer, intimidate and extort. These micro-acts of aggression are the genesis of the foundation of intelligence-gathering. The reality is that what you don't know can hurt you.

Thank you very much.

Thank you very much.

Ms. Sgro, you have five minutes.

I won't take five minutes.

Thank you very much for hosting this study. I'm grateful for your doing it because it's the first time I've talked to anybody about this issue. This is two months later, and that's unacceptable for sure.

Going back, yes, I was furious. I was livid when I got the call from IPAC. We had a joint conversation, as my colleagues have already indicated. The anger left, but then I was left with a huge disappointment, as my colleagues have said. This is not what I would have expected. More importantly, you know, it happened. The firewall held, and because of that, they felt there was no reason to tell us. Well, I want to know.

All of us on this panel do a lot of human rights work, and we take on some pretty hot topics in the House of Commons and outside the House of Commons. I think the intent of a lot of this is to intimidate all of us so that we will stop standing up on behalf of people who don't have a voice. I think that a big, important part of our job is not just to represent our local constituents but also to be a voice for those who are voiceless. It's because of members of Parliament that some of the progress we are seeing in different files is happening, whether it's the Tibet file, the Iran one or the Taiwan one, of course. It's because members of Parliament had the courage to stand up and be counted.

Yes, they did this and we didn't get notified, so let's move on. What did we learn from this? I think I always try to figure out what good comes out of a negative situation. My anger is gone, but my disappointment is still there. My hope is that we are going to use this as an opportunity to put down the when, how and where. My hope is that all of us become much more aware of the threat that we could be under and take more responsibility, ourselves, to make sure that we are protecting our systems. I'm told that turning them off once a week helps to eliminate any viruses or anyone trying to access them. That's a very simple thing. No one's ever told me that in the many years I've been here. However, we need to get serious. We need to, with your help, put a plan in place.

I mean, I didn't even know who to ask about any other damage that might have been.... I had no idea after all the years I've been here. I know the Sergeant-at-Arms is there, but I had no idea where to go, who to ask or how to better protect myself. I think those are things about which we are all or we have been, until now, extremely naive, but based on recent conversation with CSIS and others that I asked for.... There is AI that can clearly reproduce me at another meeting a half an hour from now that I'm not at, but it could look exactly like me with this AI business going on.

I think we are under much more threat now than we've ever been previously, and we need to figure out how to do that. How are we going to protect each other? What's the role and who puts what into place? It needs to be more public. I think our Liaison Committee should also report once a year at minimum, along with all the other reports, on how many cybersecurity issues there have been and that kind of issue. We need to become more knowledgeable, and you have the role of coming up with those suggestions.

I think there needs to be much more emphasis put on parliamentarians being respected, as my colleague mentioned. Thinking that we're dispensable and that, therefore, they won't bother to tell us that there has been something on social media attacking us—that if we don't know ourselves, they're not going to tell us.... Well, their job is to make sure that we are protected. When we talk about trying to get more people to run for public office, if they're going to run for public office, we have the responsibility, at least, to make sure that they have all the tools necessary to be protected so that they and we can do the jobs that we all want to be doing here.

Thank you very much.

Thank you, Ms. Sgro.

Colleagues, we will enter our first round of questioning.

Mr. Duncan, the floor is yours for six minutes.

Thank you, Mr. Chair.

Thank you to our witnesses for being here.

I'll build on what you've said in your intros and the first hour with our other colleagues who were here. Maybe I'll just lay the groundwork here a little bit.

In the aftermath of your becoming aware—and its becoming public knowledge—of the threat and what happened or, frankly, what didn't happen in terms of your being notified, have any of you three on this panel had any conversations or exchanges since this came to light with the PCO, the Prime Minister's Office, the Minister of Public Safety or the department about exactly what happened? Did they ask for your feedback or suggestions on how this situation can be avoided in the future?

I'll ask you to answer if you have been in contact with any of those aforementioned groups or departments.

No, I have not.

I have not, but it stems from having formerly been the shadow minister for democratic institutions. From that time, I fundamentally believe the government wasn't acting enough on foreign interference, which I believe is inextricably tied to our protection and cybersecurity as parliamentarians, and that's after at least six interactions with the former minister of democratic institutions as well as speeches that I gave in the House.

As well, the toothless digital charter was another sticking point for me of 2019.

So, no, but I think it's because, if nothing has been done until now, it just felt pointless to me.

No, I've had no contact whatsoever. The only people who reached out were the FBI in the May 9 briefing.

That is helpful.

Where I want to go with this is that there's a protocol problem, clearly, but I think the bigger issue here is a culture problem. There are protocols in place right now that officials thought would inform parliamentarians, and that hasn't happened. There's a bigger issue here of a culture that comes from the PCO, the PMO and different agencies that just frankly, I felt, were careless in assuming somebody else would look after it, so there was no proper follow-up.

I want to ask each of you for your comments on the culture that's out there of not doing that follow-up and not making sure that people who are actually being threatened are being informed in a timely manner, provided the proper resources and so forth. Then maybe in your response you can talk about what needs to change and who is responsible.

On the disappointment Ms. Sgro mentioned—which you still have—who's that disappointment with in terms of where the responsibility lies?