Evidence of meeting #124 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was ballots.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Stéphane Perrault  Chief Electoral Officer, Office of the Chief Electoral Officer
Michel Juneau-Katsuya  Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual
Wesley Wark  Senior Fellow, Centre for International Governance Innovation
Aaron Shull  Managing Director and General Counsel, Centre for International Governance Innovation
Luke de Pulford  Executive Director, Inter-Parliamentary Alliance on China

1 p.m.

Managing Director and General Counsel, Centre for International Governance Innovation

Aaron Shull

I'll just respond to your question, which, if I understood it correctly, was about email addresses. You don't need to hack a database to get your email address. You can get it off the Internet.

There are really three questions that are germane to this committee's work. One, when does CSE notify your IT department, and what do they do as a consequence of that notification? Two, when do notifications go to members themselves, under what circumstances and who is indeed the lead? Is it CSIS? Is it CSE? Is it your IT department? That's what landed us in this discussion today. Three, what do you do as an individual member of Parliament when you leave here and pick up your personal device, because while your day job might stop for the day, threat actors are still looking at you as a person?

1 p.m.

Liberal

Sherry Romanado Liberal Longueuil—Charles-LeMoyne, QC

Thank you.

Mr. de Pulford, you wanted to add some additional recommendations. I think you only had two of them for us, but if you'd like to add to that, please do.

The Chair Liberal Ben Carr

You have about 45 seconds, sir. We're running over time. Thank you.

September 26th, 2024 / 1:05 p.m.

Executive Director, Inter-Parliamentary Alliance on China

Luke de Pulford

Thank you for the opportunity.

There need to be more resources for parliamentary security. This is a David versus Goliath fight, unfortunately. That's the case not just in Canada but really across the world. There needs to be threat modelling for every MP and staff. It's very important. Staff are exposed too, because of who they work for, and are very often an easy way in to a member of Parliament. Staff need to be included in training processes. In some places, mystery shopper phishing has been done by parliamentary security in order to work out whether or not parliamentarians are up to standard. That could also be recommended.

Finally, those responsible should be sanctioned. In the United Kingdom and the United States, APT31, confirmed to have imposed this attack, was sanctioned. Well, 18 Canadians were attacked as well. Surely a similar remedy ought to be appropriate for them.

Thank you.

The Chair Liberal Ben Carr

Thank you very much.

Ms. Gaudreau, you have two and a half minutes.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

It will be difficult, Mr. Chair, but I've found a solution.

Gentlemen, you no doubt have pages and pages of information to answer my initial questions. In particular, they deal with the consequences of being lax. We haven't discussed the consequences for the economy, but we have talked about the strategic position of countries in the world, and about countries that could serve as models. Obviously, there are still many recommendations I'd like to hear about.

Mr. Shull, before I talk to you about my solution, I have a question for you about my password.

You said your password was 20 characters long. Mine is 16. Is that enough?

1:05 p.m.

Managing Director and General Counsel, Centre for International Governance Innovation

Aaron Shull

That's pretty good.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

That reassures me. I was told that it could take 100 years to find a good password.

What I wanted to talk to you about today is the CSE, which appeared before the committee.

I'll spare you the details, since you're well acquainted with the matter. However, as someone who isn't at all in the field, I found information on the APT28 attack campaigns since 2021 on the website of France's national cybersecurity agency.

In the end, I didn't need to ask you any questions because I found the entire procedure in a summary. That information is public on that site. In any case, you aren't answering questions, and you don't want to inform us.

My understanding is that we have a lot of work to do.

Mr. Juneau‑Katsuya, why hide?

1:05 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

That's the killer question.

Why hide from foreign interference and national security breaches? Why hide when we have weaknesses and can reveal them? Why hide the successes we've also had? There have been successes, not just failures.

This culture of silence in national security has been killing us for years.

Is it a bad British legacy? I don't know. I couldn't say exactly, but we've had this kind of culture for too long. We have to abandon it, we have to change, we have to be much more transparent now.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Mr. Chair, this has to change.

Thank you.

The Chair Liberal Ben Carr

Thank you, Ms. Gaudreau.

Ms. Mathyssen, you have the final questions. You have the floor for two and a half minutes.

Lindsay Mathyssen NDP London—Fanshawe, ON

I love it when I get the end bit.

Mr. Juneau-Katsuya, I'd love clarification from you on what you said in your opening remarks about cyber-offensive powers. You listed several countries. Can you just repeat them for us here?

1:05 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

Yes. They're China, Russia, Iran, Saudi Arabia and Israel, and we could go on. In 2015, the CSIS director, Mr. Michel Coulombe, testified in front of a Senate committee and referenced that 115 countries were practising cyber-offences or cyber-attacks. That was 115 countries back in 2015, according to the estimation of CSIS. That's more than half the countries.

It's very easy to be very offensive. Take a nerd who is good with computers, give him two Red Bulls and a computer, and he's good. That's it. That's all. He's gone. He's capable of doing a lot of damage.

What we need to understand—and Madame Gaudreau's question is so important—is the consequences, because we don't talk enough about the consequences, only to raise awareness and the level of urgency to start working on it. We're not necessarily able to curb the consequences right away, but we need to be capable of raising awareness, to pay more attention to what's going on and to realize that it will be worse before it gets better.

Lindsay Mathyssen NDP London—Fanshawe, ON

On this list, there are 115. Obviously, there are the countries we're not on good terms with, and there are the countries we are on good terms with. Is Canada doing enough with the countries we're supposed to be allies with on those fronts to make a dent?

1:10 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

These allies disappeared with the end of the Cold War. We moved from a military confrontation to an economic confrontation when the Soviet bloc disappeared. Now it's everybody for themselves.

What we're talking about now is national security going through solid economic viability for your countries. Everybody competes for the same market share, for the same contracts and for the same sort of competition economically, and that economic war has transferred itself into cyber.

The Chair Liberal Ben Carr

Thank you very much, Ms. Mathyssen.

Colleagues, that brings us to the end of the meeting.

Thank you very much, witnesses, for being with us.

Colleagues, this is a friendly reminder that we will be extending our next two meetings. We'll be beginning at 10:30 and ending at 1:30.

The meeting is adjourned.