Procedure and House Affairs Committee on Sept. 26th, 2024

A couple of seconds more.... I remember when it used to be 10 minutes, Mr. Chair.

Going forward, I believe—and I'll just end on this point—that it will be particularly important for parliamentarians to be informed when appropriate and to inform themselves about threats posed by cyber-attacks. Parliamentarians cannot be mere passive consumers of warnings. While cyber-attacks come in multiple nefarious forms, online information operations deploying disinformation and malinformation may ultimately prove to be the greatest threat to the activities of parliamentarians and to the trust Canadians place in Parliament.

Thank you, Mr. Chair.

No, that's fine. We'll pick it up in the questions, Mr. Chair.

[Technical difficulty—Editor]

Thank you very much, Mr. Chair.

I hope.... Is it okay?

Thank you, Mr. Chair and members of the committee, and thank you to the staff of your committee for facilitating my participation.

As has been described, I'm the executive director of the Inter-Parliamentary Alliance on China, or IPAC. Around March 23, 2024, I learned that the U.K. government was preparing to make an announcement regarding a PRC state-sponsored cyber-attack against certain U.K. politicians. I was involved in some of the journalism leading up to it.

On the morning of the 25th of that month, the announcement was given from the dispatch box by then deputy prime minister Oliver Dowden, who did not mention the Inter-Parliamentary Alliance on China, IPAC.

Later that day, the United States Department of Justice unsealed an indictment that said the following: “the Conspirators registered and used ten Conspirator-created accounts on an identified mass email and mail merge system to send more than 1,000 emails to more than 400 unique accounts of individuals associated with IPAC.” According to the U.S. government, then, this was clearly an attack. It was targeting IPAC.

For this and other reasons, on April 4, 2024, 42 IPAC members from around the world wrote to Secretary Blinken, saying, “We were very concerned to learn that the APT31 pixel-reconnaissance effort had focused principally on the IPAC membership.... We were further alarmed that no IPAC legislators appear to have been warned by their own security or intelligence services.” The letter precipitated some correspondence with the U.S. State Department.

During this time, the FBI, through the State Department, kindly offered to take our distribution list and cross-reference it with their list of 400 emails associated with IPAC. They agreed to inform us of emails appearing on both lists.

On April 19, we got back a list of hits—121 hits, to be exact. On April 22, I sent a second list to see whether more emails were attacked than we had sent from our list, as 121 is nowhere near the 400 that were claimed to have been targeted by the FBI. Later, I got four more hits on May 3.

As a result, I was able to confirm via the FBI that members of IPAC from 18 Parliaments had been attacked: 120 parliamentarian members, 116 of these using parliamentary emails, and four using non-parliamentary emails. One of those four, by the way, was Canadian, and I believe he is in the committee today. In total, there were 18 Canadian politicians. That number included five staff around the world.

I sought then to brief every person targeted on what had happened, as I did not consider it ethical to refuse to disclose such information to those targeted. As a very gentle corrective to Mr. Wark, who has just spoken, Canadian MPs did not learn from the United States Department of Justice that they had been targeted. They learned principally from me and from IPAC.

I have very little time, so here are a few issues to highlight that may provoke discussion.

First, we have high confidence that the attackers had obtained IPAC's distribution list, which included personal email addresses of politicians, including one Canadian.

Two, we have confirmed that two targeted countries were informed in 2021, before the FBI had contacted governments in 2022.

Three, in 2022, the FBI communicated to host governments that this was intended to be part of a progressive attack.

Four, two IPAC members, a French senator and one other whom I can't name as an investigation is ongoing, were successfully compromised in or around March 2021, two months subsequent to being attacked by APT31.

Five, there will be many more email addresses targeted than those I've confirmed. All I have is the correspondence between my list and the FBI's list.

Six, the response of various parliamentary security services was highly variable around the world.

For the committee's consideration, my arguments would be as follows, and I'm very happy to discuss these.

First, we believe that failing to inform parliamentarians meant that they could not protect themselves or the sensitive information to which they had access from a progressive cyber-attack, including high-risk transnational repression cases, which many of our parliamentarians handle.

Second, telling parliamentarians that this attack was not successful or not serious is questionable at best and misleading at worst. There is a marked disparity between briefings given on this by the FBI and other government agencies, especially regarding the severity of these attacks.

Regarding other recommendations, hopefully I'll have time to cover those in questions.

Thank you very much, Chair.

The PRC doesn't like dissent abroad. It doesn't like people challenging its consensus. I tend to believe that where governments find themselves—because of economic dependency or because so many are rather diplomatically cowed by the assertiveness of the People's Republic of China—governments are less willing to speak out than parliamentarians can.

IPAC creates a space for parliamentarians to speak out and try to defend the rules-based order, which is under pressure from China. That's why it matters, and that's why China doesn't like it.

Yes, this is at least the second breach that we have suffered. Before we went to Taipei recently for our annual summit, somehow the People's Republic of China obtained our delegates list and targeted members in at least nine countries to try to prevent them from coming. This involved phoning up, in a very undiplomatic way, legislators in Colombia, in north Macedonia, in Slovenia, in various countries, to try to tempt them to go to China instead of Taiwan or to tell them that they might face consequences if they did come.

Unfortunately, IPAC has been in the sights of the PRC for some years, but it seems to be getting more severe, not less.

Thank you. I think that's a very important question.

The reason we have high confidence that they obtained our distribution list is that the list of hits that came back from the FBI included exactly the same personal email addresses that we used to contact various MPs. Most of the other email addresses on that list were just parliamentary email addresses, which are public domain. But the very ones that we used to contact people on personal addresses, sometimes Gmail addresses or Proton Mail addresses—which, as you know, Mr. Genuis, included yours—were exactly the ones that the attackers had also used.

I do not know how they obtained that, but I do have one possible theory.

Unfortunately, somebody who used to volunteer for us, a man named Andy Li, was arrested in China under the national security law. He is in prison in Hong Kong, and he awaits sentencing for national security law crimes, some of which are associated with IPAC. We know that they breached his system, and they may have gotten our distribution list from him. Very disturbingly, when he was apprehended, he was taken to Shenzhen prison in China and reportedly tortured. This is something the UN rapporteur on torture has actually raised formally, so this isn't just idle speculation. Very unfortunately, in fact very tragically, we believe that that might have been the way they obtained our list.

In my opinion, unless there is a very good intelligence reason not to inform parliamentarians, I can't see a good reason why elected representatives wouldn't be told they've been targeted in a progressive cyber-attack. They don't have the ability to defend themselves in such circumstances or to raise their security game. That would be my fundamental answer.

To your point about the other countries, I know that in Switzerland and Lithuania parliamentarians were warned. In fact, they were possibly even warned before the FBI had done its foreign dissemination requests, which is the mechanism through which it tells other countries stuff that they might want to tell their own parliamentarians because, obviously, the FBI can't contact you directly. That would be a violation of diplomatic norms.

In those countries, in Switzerland and in Lithuania, they briefed their MPs because they knew they'd been attacked. Clearly, they didn't see a big intelligence problem with telling them. They wanted them to be able to protect themselves and to know that they were a target.

My understanding is that they were briefed by both. Very often in different countries parliamentary security and various intelligence services operate in lockstep anyway, so I—