Thank you, Mr. Chair.
Aaron and I can be a dog-and-pony show, but I'm not sure how much value I can give you in 2.5 minutes. I'll do my best, but we are really appearing here as individuals.
The story of the APT31 cyber-attack—CSE calls it a cyber-incident—is a complex one, and I hope it might be of some assistance to the committee to provide my perspective on it.
The Canadian public and the members of Parliament first became aware of a cyber-attack, or cyber-incident, by a PRC entity known as APT31 in March 2024 when the United States Department of Justice unsealed an indictment against seven APT operatives. The indictment revealed that the efforts of this PRC group spanned some 14 years and targeted U.S. and foreign critics, businesses and political officials. One of its many targets was the Inter-Parliamentary Alliance on China, IPAC, which experienced an attack in January 2021 that was technical in nature and that was designed to elicit details of a target's IP addresses, browser types and operating systems through spearphishing. Caught up in this reconnaissance attack were a number of Canadian parliamentarians. The attack was understood as being unsuccessful.
CSE and its cyber centre were at the forefront of efforts to identify this cyber-incident—in fact, CSE was first tipped off by a trusted foreign partner—and to work with the House of Commons administration. Collaboration between CSE and the House of Commons administration is regulated, as I think you know, by an MOU first signed in 2016. Testimony at PIFI on September 24 indicated that a new version of the MOU has recently been signed, stimulated by lessons learned from the APT31 case.
Documentation provided to PIFI, including a chronology of events, indicated that information sharing among CSE, the cyber centre and the House of Commons IT security team about the APT31 reconnaissance was neither seamless nor sufficient in 2021.
CSE's mandate and capabilities need to be understood. It has a sophisticated sensor intrusion warning capacity that it deploys on networks and in the cloud to protect federal institutions and other levels of government. Here, I must disagree with my colleague, Mr. Juneau-Katsuya, in terms of understanding Canada's cybersecurity capabilities. The sensor capacity that CSE has developed has won praise from Canada's Five Eyes partners as best in class. It was first deployed to protect Parliament, starting in 2018, and has since been expanded.
According to the most recent annual CSE report, the organization blocks on average 6.6 billion intrusions a day. When CSE becomes aware of a cyber-operation targeting Parliament, it passes technical information about that attack to the IT security staff of the parliamentary administration for further action. CSE does not engage directly with parliamentarians in terms of providing threat warnings, in contrast to the process set in place for CSIS according to a ministerial directive issued in May 2023. CSE is not a domestic security service. However, it does have an assistance mandate under the CSE Act, and it can provide supportive intelligence and technical means to CSIS.
A directive issued by the chief of CSE in September 2023, and provided in an institutional report to PIFI, emphasizes the significance of its assistance mandate, as well as the need to—and I'll quote from that directive—“Ensure the timely dissemination of its products to the appropriate consumers of intelligence", including the House of Commons administration. That important principle must be upheld and continually tested in practice.
Going forward, and I will end on this point, I believe it will be particularly important—