Evidence of meeting #124 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Stéphane Perrault  Chief Electoral Officer, Office of the Chief Electoral Officer
Michel Juneau-Katsuya  Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual
Wesley Wark  Senior Fellow, Centre for International Governance Innovation
Aaron Shull  Managing Director and General Counsel, Centre for International Governance Innovation
Luke de Pulford  Executive Director, Inter-Parliamentary Alliance on China

12:30 p.m.

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

I understand that the FBI has this protocol around not wanting to inform us directly. They want to go through our national governments and respect sovereignty, but we live in a democracy where Parliament is supreme. If Parliament were to ask an allied intelligence agency like the FBI to inform members of Parliament directly of threats they identified, do you think that would be a reasonable safety valve so that members of Parliament, including members of the opposition, aren't beholden to decisions of the executive to constrain our ability to access information that's important to our safety?

12:30 p.m.

Executive Director, Inter-Parliamentary Alliance on China

Luke de Pulford

Honestly, Mr. Genuis, I think that's a bit above my pay grade in the realms of diplomacy.

Certainly the information that the FBI gave us was exceptionally useful, and we're very grateful to them for it.

The Chair Liberal Ben Carr

Thanks very much, Mr. Genuis.

Mr. Duguid, the floor is yours for six minutes.

Terry Duguid Liberal Winnipeg South, MB

Thank you, Mr. Chair.

I want to thank all of our witnesses for painting a stark and concerning picture of the cybersecurity threats that our nation and other nations face, and that threat is increasing.

One thing that concerned me most was that our private devices were being targeted. We do have protections for our parliamentary systems, our parliamentary emails and some of the resources we have access to as parliamentarians. I'm a politician and I'm a parliamentarian, and there's lots of interplay. Sometimes the area is grey between the political and the parliamentary, as you know.

I'm wondering how you learn about attacks on private devices and how we can better protect ourselves as parliamentarians. Is there a gold standard out there somewhere? Is there a nation we could emulate? Mr. Juneau-Katsuya mentioned that we may be in the latter half of the pile with respect to G7 countries. Is there a nation on earth with the best training and the best cybersecurity hygiene that we could emulate?

I'll open that up to any one of our speakers.

12:35 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

Yes, there is definitely more effort performed by our Five Eyes allies when it comes to warning, training and raising awareness. In security, the human factor is always the weakest link. Contrary to maybe the academic comfort that Mr. Wark has put into the technology, it's not enough. Just take an example, a very benign example. Just this week, it was reported in the newspaper that a city councillor in Gatineau went to Russia with his equipment without even thinking that he could be compromised or something like that. This is naive to borderline stupid. In that perspective, it is the human being that is the weak element, not the technology.

We have phenomenal technology. CSE does a fantastic job. It's also supported by the private sector like Bell Canada and other groups that co-operate to try to protect us, but at the end of the day, common sense needs to be injected as well. From that perspective, from an operational point of view, we need to be capable of warning more and training more—with continuous training, not only the training you get when you get sworn in and when you arrive as a new member of Parliament, and then we forget about you for the next five years. No, we need to constantly repeat this, particularly with staff. It was mentioned during the Hogue commission that 11 candidates and 13 staff members were on the payroll of the Chinese consulate in Toronto. You can see that not only members of Parliament will be targeted, but their staff as well.

Terry Duguid Liberal Winnipeg South, MB

Mr. Shull, you weren't able to speak earlier. I'll give you the chance now.

12:35 p.m.

Managing Director and General Counsel, Centre for International Governance Innovation

Aaron Shull

Thank you very much.

I'd just like to say that the fact that Mr. Genuis's personal email was compromised is horrible. It was because of his job as a parliamentarian, so I thought I'd offer some concrete advice to this committee that I hope will be helpful.

First, allocate a parliamentary budget for personal cybersecurity protection. I'll tell you how I protect myself. I'll bet you that I'm probably better positioned than everyone in this room, and I'm just some guy. I'm not in the public eye and I'm not being targeted the same way you are. I use an encrypted multi-hop VPN for my data. I use biometric and cryptographically locked password managers. Each of my passwords is over 20 characters long and reads like gobbledygook. If you tried to brute-force my passwords, you'd have to really, really want to. I use the most sophisticated malware protection on the commercial market. I use a hardware multi-factor authentication for my most sensitive accounts. If you wanted to hack me, it would require a state-level actor who really wanted to get in. Then, for my most sensitive stuff, you'd have to get the keys out of my pocket.

For all of that we're talking hundreds of dollars, not thousands of dollars. Let's allocate some budget for that. Let's make sure that members of Parliament can be part of their own defence. If they're going after your personal accounts, it's not because of your personality; it's because of your day job.

Terry Duguid Liberal Winnipeg South, MB

Does anyone else want to comment?

I mean, to my mind, we should all have a cybersecurity audit to point out the weak points and how we can shore them up.

12:40 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

I'll give a quick statistic. A few years ago, I participated in research that was done by Telus. They interviewed 600 Canadian companies to try to find out where the weak link was within companies. They found that the greatest number of security breaches was done by the executive.

The Chair Liberal Ben Carr

Thank you, Mr. Duguid.

Mr. Shull, you can have my phone for an hour at the end of the meeting.

Voices

Oh, oh!

The Chair Liberal Ben Carr

Ms. Gaudreau, you have the floor.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Mr. Chair, will I get three more minutes? I'm just kidding.

I've tried to sum up this very important topic.

Mr. Juneau‑Katsuya, I'd like you to tell us about the consequences of our lax approach. What will happen to us in Quebec and Canada?

I'd also like you to tell us about existing role models. We talked about the presidential election in Taiwan. Who are our role models?

What do you recommend, other than password management?

12:40 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

There are several models, but they're not all infallible. I repeat that, at present, there is certainly a lack of collaboration between parliamentarians and intelligence agencies.

For a very long time, the Canadian Security Intelligence Service, or CSIS, and the Communications Security Establishment, or CSE, weren't even allowed to inform anyone except the prime minister or the Minister of Public Safety. Bill C‑70 looks set to change all that. It remains to be seen how this will play out in practice.

One thing is certain: prevention is needed. Equipment can't do everything, and it can't stop everything. We need to develop a new business culture. I'm not talking about spyware or James Bond, but a business culture. We need to acquire new reflexes, because we're still very vulnerable. If we create a breach, we're literally letting everyone into the house.

The TikTok app has been cited as an example. Why is TikTok problematic? If someone blindly signs the terms and conditions and gives access to his or her phone, contact list, camera and microphone, which can be activated remotely, it becomes nothing less than clandestine wiretapping equipment.

Let's say I'm a teenager going to CEGEP or school. I'm not necessarily the target of cyber-attacks, but my contact list may contain information about my uncle, who works for the Department of National Defence, my mother, who works for the government, or my sister, who works for a very important strategic company. So we've just given a foreign power, like China, access to all this information.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

People listening to us may be thinking that it's no big deal that we have access to their contact list.

If the government doesn't act, what will the consequences be for citizens, for individuals? I want to know, so that we can react.

12:40 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

The consequences are that we are losing our strategic position on the international stage. We're losing the confidence of our allies, who are now looking at us and saying that Canada isn't serious. From this perspective, there's a whole section of our population that is poorly protected, that is vulnerable and that will be used.

According to experts, Canada has literally millions of zombie computers. These are computers that hackers have managed to get into, which are used to bounce from one computer to another. We lose track of them.

We're very ill-informed at the moment. In my statement, I said that Canada was lagging behind the G7 countries. We're not investing enough in the fight against cyber-attacks, and we're not doing enough to raise awareness among the population, particularly parliamentarians, who are the primary target.

As the effectiveness of foreign interference has been reduced on the ground, in the years to come, many more covert means will be used. Computer attacks are a case in point.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Mr. Wark, earlier, Mr. Juneau-Katsuya said that cyber-attack was a weapon of choice. I have young adults at home. They tell me it's okay for people to know about their lives.

Do you agree that cyber-attack is now a weapon of choice? Why do we need to guard against it?

12:45 p.m.

Senior Fellow, Centre for International Governance Innovation

Dr. Wesley Wark

Thank you for the question. I will say this cyber-weapon is a very formidable one, and it has downed various vectors, as the professionals often refer to it. How did it become so formidable? I think there are really two answers to that.

One is a general answer. It's the nature of the digital lives that we all lead, which creates great openings and vulnerabilities, particularly for sophisticated foreign state actors to try to gain access to our data for all kinds of manipulative purposes.

The other answer is that it's a very significant threat. The other way in which cyber has become so significant is that it has created an entirely new kind of tool for foreign states to conduct espionage operations against adversaries or countries of interest. The foreign espionage aspect of cyber capabilities is one that I think we perhaps do not pay enough attention to in the context of all the discussions we've had about foreign interference.

Thank you.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

What you're saying is that when you use something that's free, you're a product. I think people need to be made aware of this.

I'll have two and a half minutes of speaking time later, because I haven't finished with the other two witnesses.

Thank you.

The Chair Liberal Ben Carr

Thank you, Ms. Gaudreau.

You're right on time, as always.

Ms. Mathyssen, the floor is yours for six minutes.

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you so much.

Thank you to the witnesses for appearing today.

I certainly want to say how seriously we absolutely need to take this. You've made this very clear. I know we all take it seriously.

What I took from past conversations with our own security personnel and people in charge of this is that they were saying they didn't inform at the same rate. Eventually, they did, but they didn't inform because this was something that was stopped. It didn't get through the net. The idea was that there are so many attacks that if they were to let us know about all of them, that's all they would do.

What are your comments on that, per se? Do we have to change that mentality? Do we just say, let us know about all of them?

Could you comment on that a bit?

12:45 p.m.

Former Chief of the Asia-Pacific Desk, Canadian Security Intelligence Service, As an Individual

Michel Juneau-Katsuya

What will be targeted are the people of strategic importance. Parliamentarians are definitely people of strategic importance. Critical infrastructure is definitely of strategic importance.

There is a very easy technical term that everybody knows, called a “ping”. Every day they try. They ping. They knock at the door and see if the door is open. They try the handle. We don't necessarily need to know that because, yes, indeed, there are hundreds of thousands, if not millions, of attacks every day. From that perspective, we cannot....

When somebody is particularly targeted repeatedly because of what they do in their work, what they promote, what they challenge or what they denounce—like transnational oppression and things like that—they should be warned. They should receive better attention. They should also be receiving training to a certain extent, like I said, to develop a new business culture and a new way of being aware, because awareness is the only true defence that we have. The technical can only do so much.

12:45 p.m.

Managing Director and General Counsel, Centre for International Governance Innovation

Aaron Shull

Did you want me to come in on this?

Lindsay Mathyssen NDP London—Fanshawe, ON

Sure.

12:50 p.m.

Managing Director and General Counsel, Centre for International Governance Innovation

Aaron Shull

In preparation for this, I went through all of the other witnesses' testimony. If I were to offer advice to remedy what I saw in the previous evidence, I'd offer you three pieces of advice.

The first is, get your information-sharing house in order. It was one of those kinds of things where everyone didn't really know who was sharing what with whom, when, and why. There was a recognition that this was a problem. As my colleague Mr. Wark has indicated, the MOU has been updated. If you haven't seen that, I would encourage you to take a hard look at that and just make sure that it's tight. Also, treat this like a dress rehearsal. This is going to happen again and again. Just make sure you know who's on first with respect to the sharing of information, what happens and what that threshold is.

The second, as I had already indicated, is to have some personal money to protect yourselves. While the evidence indicated that the threat was stopped, we don't know—I'm sorry, Mr. Genuis—about your personal account, because that wouldn't have fallen within the IT department of Parliament.

The third is training, but not just cyber training. It's general awareness so that you can be your own best partner in your defence.