Evidence of meeting #118 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Eric Janse, Clerk of the House of Commons
Benoit Dicaire, Acting Chief Information Officer, Digital Services and Real Property, House of Commons
Stéphan Aubé, Chief Executive Administrator, House of Commons
Michel Bédard, Law Clerk and Parliamentary Counsel, House of Commons
Patrick McDonell, Sergeant-at-Arms and Corporate Security Officer, House of Commons

11:35 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Thank you, Chair.

When it comes to protecting the security of our democracy, I'm concerned that this government in particular is trying to pass the buck and avoid responsibility.

House of Commons IT, as I understand it, has a very specific and narrow mandate, which is to protect the IT systems of the House of Commons. Is that correct?

11:35 a.m.

Clerk of the House of Commons

11:35 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

We've received unclassified information regarding conversations that happened between the government, government representatives and the House of Commons. They suggest that the government provided information to House of Commons IT of a largely technical nature and said they were aware of these attacks. They gave some information that IT could use in the context of protecting members from those attacks, insofar as they related to the House of Commons IT system. Is that correct?

11:35 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

That's correct.

11:35 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

The government has said, as an excuse for not informing members, that they thought it was up to the House of Commons to do it. It seems to stretch any evaluation of reasonableness to think that the technical information given to House of Commons IT would lead to those IT professionals saying they're going to leave their cubicles, go upstairs and start talking to members of Parliament about these threats. That doesn't seem, to me, to be the job of House of Commons IT professionals. Would you agree with that?

11:40 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

We action everything that is sent to us depending on risks and those elements.

I think we can probably provide more information about specific information that we received through this unclassified briefing in the in camera portion, but publicly, I can say that these types of interventions are kind of like piecing a puzzle together. It is not that we specifically provide you with information about the following—

11:40 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Well, yes. I guess what I'm trying to get at is who's generally responsible for what because we don't want buck-passing when it comes to security. We want people to take responsibility for the things they're responsible for.

Maybe I'm stereotyping, maybe I'm wrong, but it doesn't seem to me that it's likely the job of IT professionals at the House of Commons, who are given technical information for responding to threats, to take that information and go around the halls saying they need to let members of Parliament know. That seems like a function for security experts in the government to be evaluating, not technical IT folks in the House of Commons.

Am I right about that? I see folks nodding.

11:40 a.m.

Chief Executive Administrator, House of Commons

Stéphan Aubé

That is the case, Mr. Genuis. We take the threats that are identified for us. We hunt for them, and then once we've hunted for them, if we find them, we address them. If they're impacting members, we will do that. However, as to the threat actor who's coming to us and their intention, we're not aware of this. We're just dealing with the actual threat.

11:40 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Right.

The Government of Canada, in its communications around this, has tried to blame you for its failures to communicate with members of Parliament about threats. It has tried to say that the people with a very narrow and specific mandate around the House of Commons IT system should have taken it upon themselves to assess and measure the threat and to inform members. What you're confirming is that you have a specific mandate for protecting the House of Commons IT system. It doesn't include my personal email, and it also doesn't include broader assessments of security threats and of what is or is not in the public interest to inform members of.

If you're comfortable, answer this question: What is your response to the government's communications that seem to want to direct the blame to you instead of taking responsibility for the decision to not inform members?

11:40 a.m.

Chief Executive Administrator, House of Commons

Stéphan Aubé

It would be best to deal with that in camera, sir.

11:40 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Okay. You are fully protected with regard to whatever you say before this committee, but I don't want to put you in more of an uncomfortable position than the government already has. I have a great deal of respect for the work done by House of Commons employees, but expecting someone to do something that's not their job isn't fair or reasonable.

As has been said, you're not tracking my personal emails. You're not addressing my security in those kinds of situations, and you're not our security agencies. The House of Commons is not a security agency. It's the government's responsibility to communicate with members about these matters, and it failed to do that.

11:40 a.m.

Liberal

The Chair Liberal Ben Carr

Thank you very much, Mr. Genuis.

Ms. Fortier, the floor is yours for five minutes.

June 4th, 2024 / 11:40 a.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Thank you very much, Mr. Chair.

Thanks to the witnesses for being here today to answer committee members' questions.

The purpose of my first question is to understand the situation.

Apart from the members of the Institute of Public Administration of Canada, or IPAC, who were targeted, do you know of any other parliamentarians outside that organization who were also targeted during that period?

11:40 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

Just to clarify matters, are you referring to Canadian parliamentarians?

11:40 a.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Yes, I'm referring to Canadian parliamentarians.

11:40 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

No, no other Canadian parliamentarians were targeted. There's no additional information on the matter apart from what's been mentioned.

However, parliamentarians from other countries were targeted.

11:40 a.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Great. Thank you very much.

As a member of Parliament, I'm obviously very concerned about what occurred during that period and what may still be happening.

What should MPs do if they receive a disturbing email?

11:40 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

I want to thank the member for her question, Mr. Chair.

That's a good question, Ms. Fortier. Protocols have been established and put in place. I'll focus specifically on those regarding emails since you mentioned them.

We have many services in place, including cybersecurity services, which are accessible 24 hours a day, 7 days a week, and which anyone can call to have a specific email analyzed. We've also organized several awareness campaigns on the subject.

I don't know if you saw it, but you can select the “phishing” icon in the email app when you want to flag a suspicious one.

11:45 a.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

As you know, this issue was raised a few years ago. Since then, we've received a departmental directive requiring MPs to be immediately informed when a threat is detected.

First, has that directive improved the information flow to the House of Commons? Are MPs now better informed?

Second, do you think the result would have been different if this had occurred after the directive was issued?

11:45 a.m.

Chief Executive Administrator, House of Commons

Stéphan Aubé

Mr. Chair, here's the answer that I can give you.

When we're informed of a risk, we do our duty and communicate with the MP.

Most of the time when we're contacted, we have to approach the case as a technical threat, without knowing who's behind the attack against the parliamentarian.

I can't comment on the question as to whether it's an intergovernmental influence risk because that's not the focus of my work. We don't know those things.

11:45 a.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

Mr. Dicaire, earlier you discussed threat levels and seemed to be talking about a grid.

Would you please explain the reasons why you encourage communication with the member or parliamentarian?

11:45 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

The information that's communicated to us is highly technical in every case. In a way, it's an analysis issue where we have to determine whether someone in particular has been targeted or if a group of individuals or a specific infrastructure has been targeted. The intervention level is then determined based on the risk level of the situation.

As Mr. Aubé said, if the information shows that someone is being targeted by a threat that's defined in the policy on acceptable network use, we will directly inform the MP's office of that threat. I could cite you examples of direct actions that the cybersecurity team takes. In one of those cases, one of the members of that team telephoned the MP's office to validate specific aspects of the information that was received.

That's more or less what the protocol associated with that type of situation looks like. We examine the effectiveness of the defence mechanisms. Then, if there's still a residual risk, we inform the MP's office directly.

11:45 a.m.

Liberal

Mona Fortier Liberal Ottawa—Vanier, ON

I'm going to ask a fairly simple question. When a situation requires you to contact an MP's office, do you contact the MP first before reaching that individual's team?

Would you please explain your approach? I think that would help clarify certain aspects regarding the MP's team.

11:45 a.m.

Liberal

The Chair Liberal Ben Carr

You have about 20 seconds to answer the question, Mr. Aubé.

11:45 a.m.

Chief Executive Administrator, House of Commons

Stéphan Aubé

Thank you, Mr. Chair.

When a specific MP is attacked, our first reaction is to contact that person. If we're unable to do so, we speak to the MP's chief of staff. If we can't reach the chief of staff, we talk to someone on the team. Then we ask that someone contact the member to have him or her contact us.

We discuss these matters directly with the members. That's our approach.