Evidence of meeting #133 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Eric Janse  Clerk of the House of Commons
Michel Bédard  Law Clerk and Parliamentary Counsel, House of Commons
Benoit Dicaire  Chief Information Officer, House of Commons
Stéphan Aubé  Chief Executive Administrator, House of Commons
Clerk of the Committee  Ms. Christine Holke

11:15 a.m.

Conservative

Michael Cooper Conservative St. Albert—Edmonton, AB

It was represented in evidence that the attack was stopped in January 2021. Can you confirm that was the case, and there wasn't a subsequent attack by APT31 in 2022 or at any other later point in time beyond January 2021?

11:15 a.m.

Chief Information Officer, House of Commons

Benoit Dicaire

I can confirm that the date ranges in the initial bulletin were wrong, and we confirmed that these were related to the 2021 attack. It was confirmed by our partners that the date ranges should have indicated in the bulletin that it was the 2021 attack.

The Chair Liberal Ben Carr

Thanks very much, Mr. Cooper.

Ms. Fortier, you have the floor for six minutes.

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you, Mr. Chair.

I find it very surprising that we're trying to change the topic today, when it was the opposition that requested an extra hour to discuss this very topic. If my colleagues ever want to put an end to the filibustering that's taking place in the House of Commons, all they have to do is refer the matter to our committee. That has been suggested for some time.

I would now like to go back to our current study and get your comments on the following question: What is the House of Commons doing to encourage and protect members of Parliament in this era of new technology, as well as to protect information that is transmitted electronically? What is its role in those efforts?

11:15 a.m.

Clerk of the House of Commons

Eric Janse

I'll let my colleague Mr. Aubé answer that question.

Stéphan Aubé Chief Executive Administrator, House of Commons

When it comes to information services, our role is always to protect MPs, first of all, and to ensure that their information is secure and is not accessible to people who shouldn't have access to it.

Second, our role is to ensure that the infrastructure on Parliament Hill is always available to support parliamentary activities.

Essentially, we play a role in protecting members of Parliament as well as parliamentary operations.

Mona Fortier Liberal Ottawa—Vanier, ON

It was determined that it was not necessary to inform members of Parliament of all the cyber-attacks that were taking place, but where do you draw the line? What determines whether a cyber-attack is serious enough for you to inform members of Parliament?

11:20 a.m.

Chief Executive Administrator, House of Commons

Stéphan Aubé

I believe the committee is already aware, but committee members should know that our infrastructure is targeted by over 500 million cyber-attacks a year. As a result, we can't disclose information on all the attacks we face on a daily basis.

However, when a particular MP is targeted, when it has been confirmed that the attack could not have been prevented and that it poses a risk to their information and to the activities of Parliament, we contact them immediately so that they fully understand the attack. That's our first line of communication. We also assess the situation to ensure that there are no other risks and that the risk is mitigated. We then check to see if other people were affected by those attacks.

That's our approach, basically.

Mona Fortier Liberal Ottawa—Vanier, ON

In the future, how could we inform MPs, so that we don't see a repeat of unfortunate situations like the ones that have occurred?

11:20 a.m.

Chief Information Officer, House of Commons

Benoit Dicaire

Thank you for the question, Ms. Fortier.

I think it starts with access to information, as was mentioned earlier. One of the first things we did after the incident was to review the memoranda of understanding with our security partners, so as to improve communication between security agencies and us regarding incidents related to Parliament and, in particular, to members of Parliament. One of the first things we need is access to relevant information.

We also need to have clear recommendations based on a risk mitigation strategy or on specific risks associated with a certain infrastructure or user account.

So the first step is really to have the right information to be able to communicate earlier when it's necessary to do so. As Mr. Aubé just said, we are the target of an enormous number of attacks. Consequently, we have to be able to distinguish between an attack that was successful and an attack that wasn't.

Response protocols need to be much more targeted to situations where there is a risk associated with a particular individual or infrastructure.

Mona Fortier Liberal Ottawa—Vanier, ON

I have one last question.

Do you have the necessary resources? Are there things that you are missing or that could be added so that you can continue to do your work in the current situation? Do you have any needs that you would like to share with the committee?

11:20 a.m.

Chief Information Officer, House of Commons

Benoit Dicaire

As you saw recently, the Board of Internal Economy was seized with a case concerning someone's physical safety, and resources were added. My colleague could talk more about the physical safety aspect.

When it comes to cybersecurity, there are always new threats. Every day, we continue to face new attack vectors, especially with artificial intelligence and the current global situation. We always try to anticipate attacks and strengthen our analytical methods to do the necessary surveillance and to be able to act more effectively.

Currently, we have the resources we need to operate. Partnership with security agencies is important in order to get the necessary information quickly. As far as cybersecurity is concerned, things are looking good right now. We continue to invest in cybersecurity, and we will continue to do so to protect Parliament.

The Chair Liberal Ben Carr

Thank you, Ms. Fortier.

Ms. Gaudreau, you have the floor for six minutes.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Thank you very much, Mr. Chair.

This is a very topical subject. Gentlemen, first of all, thank you for appearing before the committee once again. We've received so many documents that I must admit I haven't read them all. However, it made me realize the huge progress we have made in the past five months.

In that regard, I'm pleased that my colleague Ms. Fortier asked the questions I wanted to ask, since that will allow me to press on.

I took part in a mission last week, and this topic was broached during our discussions. We realized that because of built-in timelines and the legislative process in our democratic systems, we are unfortunately unable to react fast enough to properly respond to the events we're experiencing. That's my concern.

However, I was reassured earlier when I heard you gentlemen talk about how far we've come in terms of physical resources, as well as the monitoring you're able to do now. Indeed, a number of elections have been held in various jurisdictions over the past year, and we can draw inspiration from those experiences.

That said, in 2024, can't we find a better way to deal with this kind of situation? We understand that partisanship as well as prescribed timelines and processes make it impossible for us to do that. It's still difficult from a privacy perspective, and it's not a question of resources. We also have to think about the process that must be followed to introduce a bill. France, for example, was able to pass a bill in June targeting foreign interference.

Haven't we reached the point, in 2024, when we should be determining which issues are extremely urgent and reviewing our priorities? That work can be done here, in committee, to help you put in place what you need to counter cyber-attacks and other nefarious activities.

What do you think? You are the people directly affected.

11:25 a.m.

Clerk of the House of Commons

Eric Janse

I'll answer your question first, and my colleagues can provide more comments.

This may be more of a political question than a procedural question.

As Mr. Dicaire just mentioned, for the time being, we have enough resources. Protocols have been put in place with our security partners. I think that, for the time being, things are as they should be.

As to whether other things could be done through legislation, I think that is, once again, a political question.

Mr. Bédard, do you want to add anything?

11:25 a.m.

Law Clerk and Parliamentary Counsel, House of Commons

Michel Bédard

I will echo the words of the clerk in saying that this is often a political issue. When the political will is there, the legislative process can be used very quickly. We saw an example of that with Bill C‑70.

When it comes to House of Commons resources and the programs and services put in place, the relevant authority is often the Board of Internal Economy. I can assure you that, even though there may be prescribed timelines, it's relatively faster to go through the Board of Internal Economy than to go through the entire legislative process.

I would say that every situation is different and that measures have to be taken on a case-by-case basis.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

I was expecting that kind of answer.

That said, I'm thinking of many other issues, technological challenges or global changes that a number of countries have decided to include in their priorities. You're going to tell me that it's a matter of political will and that in certain cases, consensus can allow us to fast-track measures. However, I want to know what you think.

Are there certain issues like this one that we, as legislators, should prioritize? What could help us and you?

11:25 a.m.

Chief Information Officer, House of Commons

Benoit Dicaire

I will answer that question, Ms. Gaudreau.

I think the biggest emerging issue at the moment, and we're seeing it as a global phenomenon, is artificial intelligence.

Several years ago, the burning issue was privacy. Several privacy laws have been passed, both in the United States and in Europe. The legislative framework in this area has evolved in recent years and is now more advanced.

Today, we see artificial intelligence as the next big issue. We will need benchmarks to measure ethical compliance in using this type of technology. We're also going to have to put in place a schedule that would make it possible to have certain controls in place.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Thank you very much for your candour. That point was made as well in our discussions with our Five Eyes colleagues, for example. This is worrisome from an ethical standpoint.

I will close by talking about the reports. I'm sure you've read them. In your opinion, what are the most important points that I will learn on the measures we've requested over the past five months once I have read all the documents?

I have only 45 seconds left in my speaking time, so I would ask you for a brief answer.

11:30 a.m.

Clerk of the House of Commons

Eric Janse

I can tell you very quickly that, if what happened in 2021 happened today, our reaction and that of our partners would be very different. Everyone learned from that. We have better measures and better resources in place, so it would be a very different approach.

Marie-Hélène Gaudreau Bloc Laurentides—Labelle, QC

Thank you.

Thank you very much, Mr. Chair.

The Chair Liberal Ben Carr

Thank you, Ms. Gaudreau. I'm glad you knew you had 45 seconds left. That's very telling.

Ms. Mathyssen, the floor is yours for six minutes.

Lindsay Mathyssen NDP London—Fanshawe, ON

Thank you, Mr. Chair. Thank you to the witnesses for appearing again today.

I'm glad to know that the thresholds have been established, the procedure has been changed, things are working appropriately as they should. We could see from the information that we did receive in the last bit of documentation that there was frustration between CSE, CSIS, and the House administration in terms of the former's lack of understanding of how we're different, that the House of Commons is a different entity from another department. In the context of understanding that relationship, if a public servant within a department is hacked or there's some information divulged, that department can take back that device, look through it, see what's needed. However, that's not the case with members of Parliament.

Can we be assured that that relationship is fully understood now by those security institutions?

11:30 a.m.

Chief Information Officer, House of Commons

Benoit Dicaire

I think we've spent quite a bit of time with our security partners in hardening and deepening our collaboration when it comes to either intelligence sharing or the incident management process, and we've introduced an escalation process that we didn't have in the past. I'm happy to report that the relationship is continuing, but it's continuing in the right direction in enhancing the communication protocols.

Lindsay Mathyssen NDP London—Fanshawe, ON

Regarding the uniqueness of this question of privilege and the fact that the attack was targeted against Mr. Genuis' personal account—not his parliamentary account—from looking at the documents and figuring out those protocols and what have you, it seems that this is a major differentiation. Our parliamentary accounts are confirmed to be within this protocol, within this set of procedures. However, I am concerned and want to ask about the historic importance of why we are not allowing this to be extended to personal devices or personal communication tools.