Procedure and House Affairs Committee on Sept. 26th, 2024

Ms. Mathyssen, that's a very difficult question. I guess my first response is that I'm not sure governments have the primary responsibility in this regard. I think it's up to all Canadians to be educated about the nature of these kinds of threats and to exercise good judgment to the extent possible.

Regulating social media companies, particularly foreign giants, is a complex task. There are things that can be asked of social media platforms in terms of their own self-monitoring of malicious information and making more transparent the nature of their business enterprise so that we all understand what we're being subjected to. That would be helpful.

It's not consistent around the world, but generally the approach has been, so far, to try to work in partnership with social media companies. Perhaps we'll find that it's not going to work entirely satisfactorily, but it's going to be a difficult business, because they are giants.

There's a counter-discourse that needs to be developed from the government—

I totally agree that social media is currently weaponized, and with the arrival of artificial intelligence, this is going to be even worse. We definitely need to pay attention.

When it comes to cybersecurity and the element of Parliament, what is currently happening is that there's a lot of radicalization taking place, because some foreign countries are using social media to influence certain groups. The polarization that is taking place turns onto our streets, where we have MPs being assaulted by people, and that is happening in cyberspace as well.

That's the reason why we need to pay attention and to develop a stronger discourse—a counter-discourse to what's currently happening.

Thank you for your question, Mr. Cooper.

We do not know, because we don't have evidence of that. I put that question directly to the FBI, and this is what they said: “We have no data showing whether the APT group took any additional targeting actions after sending the initial tracking link emails, but based on our cumulative knowledge, it would be assumed there would have been follow-on efforts by the cyber-actors to target those accounts.”

We don't have evidence of it, but I'll give you the timeline. They were successfully compromised two months after the progressive attack had begun—the pixel reconnaissance attack in January 2021.

Yes, absolutely. I would like to say, very quickly, that people from all parties in Canada were attacked in this attack. The attackers didn't care which parties they were from.

However, I do not believe it is correct to say that the attack was unsuccessful. In fact, we've already heard from one of the other witnesses today that because they do not know what happened with Mr. Genuis's personal account, they cannot assure us that the attack was unsuccessful. It is simply not possible to say that.

Not only that, but, technically speaking, it's very difficult to ensure that anyway, for the following reasons: Many parliamentarians around the world were told these were low-level, unsuccessful attacks, like marketing emails. That in itself is not incorrect. Pixel embedding or pixel tracking is very common. However, in the hands of a state-sponsored hacking group like APT31, it's very different.

Very briefly—I know I don't have much time—what they can do is triangulate where that person is from. They can find a vulnerable router, and then easily hack that on the basis of the information they gathered from pixel reconnaissance emails, or much worse. We have a member whose emails were compromised and given to a political opponent for kompromat, so this is rather serious. It ought not to be described as a low-level, unsuccessful attack.

It does very little good. If you do not share information about what's going on or learn from the experience of others, you're not going to get ahead of the bad guys. The bad guys will always win. We need to be capable of a bit more transparency. We also need to have accountability. That's one of the things that are lacking. A lot of people, including those in the private sector, will try to hide as much as possible.

Back in 2010, there was a successful attack on the Treasury Board of Canada that went through a law firm in Toronto. They went through the private sector to enter the Canadian.... To this day, we're not able to assess whether we have cleaned the entire Treasury Board system. The Treasury Board was shut down to outside communication for three weeks in that period of time.

It is very important to work in co-operation and share information and experiences in order to defend ourselves.

Mr. Chair, I didn't hear what he said.

We are learning. Everybody is learning. There's definitely.... In my 40 years of experience in the intelligence world, what I've seen in the government is a constant attempt to hide as much as possible those “failures”. But that's not the right way to do it. We need to be capable of sharing and learning from one another so we can get stronger and better at our job.

To control and to be capable of raising awareness with a third party is a very difficult task, because you don't necessarily have control over what they do, how they do it, whom they train and stuff like that.

Again, it returns to general public awareness and being informed, but there's another element as well that should be taken. Sometimes you don't have control. As you pointed out, your email address is publicly known. People might take it and simply use it for their own purpose, and only at the end are you going to see that they used your address. However, when you do business with people, you should be able to ask them for certain standards. The Canadian government should be capable of imposing those standards as well, just like Public Works imposes certain standards when people contract with the government.

Somewhere, somehow, there's this kind of new business culture that I'm talking about. It still needs to be defined in its details, but somewhere, somehow, there's a general awareness and education that needs to start to percolate more to the general public.