Procedure and House Affairs Committee on June 13th, 2024

I believe it was April 24 when this was shared through IPAC to us as members of IPAC.

Perhaps I can add that, aside from the technical pieces, I think the key practical aspect of what Mr. McKay is describing is that this is the early stage of a likely broader attack. It's where an actor is trying to get some information, which they would then use as part of subsequent attacks.

We've now been briefed by the FBI on particular techniques that we can use to protect ourselves in the context of this escalation. This is why informing us is critically important. When you know that you're potentially at the early stage of a reconnaissance attack, you can then put in place those mechanisms to better protect yourself. We weren't told, so we weren't able to protect ourselves.

What astounds and upsets me is that we've been studying this for months, wondering about it and wanting to prevent it. Personally, I'm not in the intelligence service, but on December 15, 2021, I found a document on the web about the APT31 attack campaign.

Honestly, I would have expected the Communications Security Establishment, or CSE, to give us the details and the techniques. The newspaper Le Monde describes how APT31 works. That's why, for me, it's important to know when you knew, but also whether the techniques were clear. You can find out by doing the research yourself.

The CSE could have corrected the situation. Are you satisfied with the service provided at this time, in an emergency situation?

No.

I would say we wouldn't be here if.... We're all very disappointed.

CSE is a great organization. They are well respected within the Five Eyes. We talk about who's ultimately responsible. PPS is responsible for parliamentary protection, and they have a role to play in this. Definitely, CSIS and CSE are the outward-looking agencies—our intelligence agencies with the ability to handle cyber-attacks. They are the ones that have to make sure those within the House of Commons are in the know. Again, it comes down to the sharing of information and how we classify it, and ensuring proper measures are taken so we can take corrective actions to protect ourselves.

We are our own independent parliamentary offices. At the same time, we have a collective weakness: our emails and online communications.

There are about 30 seconds between you.

Let me just say this: You have three members of the defence committee here. They all agree we overclassify everything. That is a settled view on the defence committee.

Having said that, yes, whenever those rules were written, it was way too late. They did not contemplate this kind of issue. This committee would do a wonderful service by updating how we deal with things like phishing attacks.

In just 10 seconds, I'll say that sharing information is a critical way of fighting foreign interference. Telling people about these attacks is a big part. It's not the only way and it doesn't work for everybody, but it's a critical part of how we fight back against these threats.

Thank you, Ms. Gaudreau.

Ms. Mathyssen, the floor is yours for six minutes.

Thank you, Mr. Chair.

Thank you for appearing today. It's interesting to see us in this different set-up, as opposed to in committee together.

I want to go back to what you said, Mr. McKay, in terms of the when, the if and the how.

It's difficult. As we all know, in the House of Commons, our emails are fairly semi-public at this stage. People crack the code all the time. There are millions of attacks daily upon the House of Commons. This particular APT31 attack was thwarted. Therefore, as it's been told to us, you were not informed.

How, in your opinion, should we go forward in terms of that when, if and how, when there are so many? How do you expect the House of Commons to move forward within such incredible complexity and that sheer number?

If I had an answer to that, I would mail it in. I might even charge you for it.

This is the critical issue in front of this committee. I'm not quite sure about the how, because the volume is immense. The level of threat is variable. The trouble is that the level of threat is not only variable from a national security standpoint but also from an individual parliamentarian standpoint. What I may perceive to be a threat James or Garnett may think of differently.

I wish I could answer your question.

Would it be more based upon the one doing the phishing?

That would be one of the things. Even if you say, “Well, it's a Chinese threat”, okay, that's one level of threat. An Iranian threat is another level of threat. Some guy in his basement in Moose Jaw is another level of threat—no disrespect to Moose Jaw.

I'm expecting that AI is going to be used to amplify and expand the number of cyber-attacks we all face. I think the one side of this is what's happening collectively. We need to know when it's very targeted. APT31 was very targeted at the 18 of us.

That, I think, is where you need to start saying, okay, you guys need to start watching your personal accounts. You need to be watching what you're doing on your iPhones and in other apps and how your passwords are protected. You know, those types of pieces are what you start sharing with individuals.

If it's just a broad-based attack going after all the P9s, all A1s, all our individual staff or all staff collectively, I think then we just leave it up to IT and CSE to thwart that. When they're targeting us as individuals or going after those of us on the national defence committee, we should know.

I can add to that.

I don't think it's that complicated at the level of principle to say that, if there are general phishing attempts that are of the sort that target all accounts and come in on a regular basis and are more or less sophisticated, then that's in a different category from your being targeted, Ms. Mathyssen, by a particular foreign state as a result of their not liking a motion you put before the House or a committee. I think in such a case you as an individual would want to know that you were being targeted by a particular actor for something you'd done. That situation might require you to take particular additional steps to protect yourself that are different from what is required by other members of Parliament.

I think that should clearly flip a trigger that says there's a conversation that needs to happen between security agencies and you that's a bit different from what's being done generally with all members of Parliament.

At some point later in this Parliament, this committee will be studying the “need to know” legislation that's been proposed by Mr. Ruff, Bill C-377. We've had many conversations about this in our defence committee as well in terms of what level of security clearance certain members could have, should have and what have you. How important do you think that is?

As it relates to this conversation, how do members of Parliament navigate that in terms of what they do know and what they have access to in this greater-risk threat environment?

There's about one minute remaining, witnesses.

I support Mr. Ruff's bill completely. I think it's the right way to go to provide classifications to us—whether they're secret, top secret or higher, based upon the rules we have. We definitely have to go through the clearances that are required and background checks. I'm not expecting just a free-for-all, that as soon as you get elected you get a top secret clearance. I do think there is a proper process.

I think this is even a little more different. I agree with Garnett that, as we know more about foreign interference and more about cyber-attacks happening to us on the Hill here, we can share that with the public. We can restore confidence in our democratic institutions.

One of the ways in which we can handle this in a broader way is that Parliament, in general, should be issuing an annual report on the cyber-attacks that we're facing and how we've been able to deal with them. I think it's a way to provide some accountability and also a greater understanding of the evolving cybersecurity threat we're in.

Thanks very much, Ms. Mathyssen.

Mr. Cooper, the floor is yours for five minutes.

Thank you very much, Mr. Chair.

Members, do you accept the government's contention that this all fell on the House of Commons administration and, as it turns out, House of Commons IT services to brief members of Parliament about a cyber-attack of this nature?

I'll start, Chair.

No, I don't. I made, I think, five distinct points in my opening comments about why I don't. It was, in my case, a personal account. There are gaps in terms of what we know about what the House was even told. The government misunderstands the nature and expectations of IT professionals, the potential for caveats and the fact that members of Parliament are not creatures of the House. We have rights of our own.

Mr. Cooper, just to follow up on your previous comments, we can talk about systemic failure, systems not doing the things we would expect of them. Then we can talk about individual accountability, people not making the choice to ensure that the information got there.

I think it's important to talk about systems, but also we can't miss the accountability piece that you've pointed out, which is that people had this information and made a choice not to take the steps necessary to get that information to those who were being targeted. I don't think we should use a discussion of systems to detract from the fact that individuals in those systems made choices, and those choices led to members of Parliament being more vulnerable to foreign threats.

I'm not quite so enthusiastic about blaming the government for everything. I think this is more a failure of protocols. Apparently, as the FBI released the information to various governments, some governments had exactly the same protocol Canada had. Other governments' were much more detailed. I tend to think that at this stage, two years on, those protocols need to be changed.

I don't want to take all the time. You want to get James back in there.

Yes.