Procedure and House Affairs Committee on June 4th, 2024

Evidence of meeting #118 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.

A video is available from Parliament.

On the agenda

Question of Privilege Related to Cyber Attacks Targeting Members of Parliament

MPs speaking

Ben Carr
Garnett Genuis
Sherry Romanado
Marie-Hélène Gaudreau
Lindsay Mathyssen
Mona Fortier
Eric Duncan
Chad Collins

Also speaking

Eric Janse  Clerk of the House of Commons
Benoit Dicaire  Acting Chief Information Officer, Digital Services and Real Property, House of Commons
Stéphan Aubé  Chief Executive Administrator, House of Commons
Michel Bédard  Law Clerk and Parliamentary Counsel, House of Commons
Patrick McDonell  Sergeant-at-Arms and Corporate Security Officer, House of Commons

11:55 a.m.

Law Clerk and Parliamentary Counsel, House of Commons

Michel Bédard

Sir, respectfully, when committees adopt production orders, we have to interpret them. When we read the order, the way it was written.... It's not unusual in an act of Parliament that the House of Commons is deemed to be a department for a very specific purpose, but in general and because of the separation of powers, very clearly the House of Commons is not a department. How we read the production order is that we were assimilated into a department for the purpose of the order, so we were to suggest redactions to the committee.

The production order refers to acts of Parliament. That's not clear, because it refers to the “Access to Information and Privacy Act”. Those are two separate acts. When dealing with production orders, we always have to interpret them when there's ambiguity. If there's any need for you to consult the administration and our office when drafting such a production order, we'll be happy to assist to make sure the intention of the committee is reflected in the order.

11:55 a.m.

Liberal

The Chair Liberal Ben Carr

Mr. Duncan, I'm afraid that's all the time allotted to you in this round.

Mr. Collins, I have you for the final five minutes before we suspend briefly.

It's over to you, Mr. Collins, for five minutes.

June 4th, 2024 / 11:55 a.m.

Liberal

Chad Collins Liberal Hamilton East—Stoney Creek, ON

Thanks, Mr. Chair.

Let me start with what the threshold is when we understand that a member has been attacked in any shape or form. We read in the report that these instances happen quite often, probably on a daily basis, with actors who are seeking to undermine our efforts in moving our business forward.

What is the threshold from the “team”? I heard the word “teamwork” today. What's the threshold from the team as it relates to notifying members? What's considered a minor threat? What's considered a threat that raises a red flag internally for you to say that a member needs to be informed?

Noon

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

I can speak briefly about the cyber portion, and then my colleague can probably speak about the risk around physical threats.

Anything touching members' data, members' information, is deemed to be critical, so we see if there is anything around those parameters. Sometimes it's about targeting digital identities instead of infrastructure, a service or an application specifically. If there's anything around a member's data, we would contact the member's office directly.

Other categories boil down to the risk factor or residual risk. Are protection mechanisms in place and able to protect the infrastructure to ensure the continuity of operations? That lessens the risk in our ability to protect ourselves, but should something be of risk, residual risk, then we would contact the member's office.

Noon

Liberal

Chad Collins Liberal Hamilton East—Stoney Creek, ON

Did the 2014 protocol that was referenced earlier meet the threshold?

Noon

Chief Executive Administrator, House of Commons

Stéphan Aubé

I would prefer to deal with that in camera, sir. I need to talk about the incidents to give that answer.

Noon

Liberal

Chad Collins Liberal Hamilton East—Stoney Creek, ON

Okay, fair enough.

This is a large organization, and someone in one of their answers referenced teamwork. Of course, the report references all the areas that are involved when there's a sharing of information. There's a lot of collaboration and a lot of hands on the steering wheel at that point. For us, I think it's important to understand who's driving.

Can you talk about the hierarchy of shared responsibilities that all areas have? Can you talk about the relationships you have? When one area asks for information from another and it's not provided, who steps in to sort those things out?

Noon

Clerk of the House of Commons

Eric Janse

That's a very interesting question, Mr. Collins. It is absolutely a collaboration. I don't know if there's a hierarchy per se, but it's a collaboration with different groups that have specific mandates. I think it's a question of sharing information and then often collectively deciding what should be the actions and what should be done as a result thereof.

Noon

Liberal

Chad Collins Liberal Hamilton East—Stoney Creek, ON

In terms of the collaboration that occurred, we've read that in some instances information was asked for and either there were delays or the information wasn't shared. In those instances, who steps in to resolve that? I don't want to call them conflicts, but something has broken down in the collaboration you've talked about. What happens in those instances? Who within the hierarchy—because there is a hierarchy within the organization—is responsible for sorting out that kind of issue when the collaboration or communication breaks down?

Noon

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

I think collaboration is really strong in the partnerships. I can attest to that. We have protocols in place associated with the sharing of information. As Stéphan referenced when it comes to sharing members' data, we are not doing that explicitly without your consent. Sometimes there are requests to share data that require consent. At that particular time, we don't necessarily share it unless there's a risk associated with it and consent is given by the member's office.

It also depends on the type of activity. We talked about the threat landscape earlier. A lot of investigation work needs to happen, and it's about piecing the puzzle together. Sometimes the relevancy of the information is not clear at the time of the request, so we have to clarify with the information we have at the time.

Noon

Liberal

Chad Collins Liberal Hamilton East—Stoney Creek, ON

I'm not necessarily talking about—

Noon

Liberal

The Chair Liberal Ben Carr

Mr. Collins, there are just a couple of seconds left. If you want to get a quick final question in, I'll permit it.

Noon

Liberal

Chad Collins Liberal Hamilton East—Stoney Creek, ON

Sure.

I think the issue is internally—not with the member—when information is asked for. Let's say CSE asks House of Commons IT security staff for information and it doesn't come. Someone has asked for that information for a reason. They're trying to get to the bottom of things, so to speak.

Can we find out in camera or in our open session why that information wasn't shared by someone?

12:05 p.m.

Liberal

The Chair Liberal Ben Carr

Please be very concise.

12:05 p.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

We'll do this in camera, sir.

12:05 p.m.

Liberal

The Chair Liberal Ben Carr

That is nice and concise. Thank you.

Colleagues, we will suspend for a couple of moments and then go in camera.

Just as a friendly reminder, when we go in camera, only authorized staff, members and witnesses can be present in the room. I'll have a couple more brief things to say about that, but we'll take a very brief pause to set up for our next panel.

Ms. Mathyssen, I believe you will have to sign in with a new link. We'll have the clerk assist you with that.

Colleagues, this was another productive hour. It was meaningful, informative and efficient. Thank you for your co-operation. We'll see you back in a couple of minutes.

[Proceedings continue in camera]