Evidence of meeting #118 for Procedure and House Affairs in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Eric Janse, Clerk of the House of Commons
Benoit Dicaire, Acting Chief Information Officer, Digital Services and Real Property, House of Commons
Stéphan Aubé, Chief Executive Administrator, House of Commons
Michel Bédard, Law Clerk and Parliamentary Counsel, House of Commons
Patrick McDonell, Sergeant-at-Arms and Corporate Security Officer, House of Commons

11 a.m.

Liberal

The Chair Liberal Ben Carr

Good morning, everybody.

I hope all of you had a good weekend in your ridings.

Colleagues, welcome to meeting number 118 of the Standing Committee on Procedure and House Affairs.

The committee is meeting today to discuss the question of privilege related to cyber-attacks targeting members of Parliament.

Colleagues, we are all very well aware of the new regulations for audio devices. Please take good care to make sure that when they are not in use, you are placing them on the stickers provided in front of you on the table, either to your left or to your right.

I notice that we have a number of non-permanent members at the committee. Welcome to those who are here as substitutes today.

Colleagues, we have had a couple of very productive meetings. We have been dealing with some sensitive and difficult issues. Despite that, the conversation has been respectful. We've been able to maintain a good dialogue between those asking questions and the witnesses we've had. I hope we can continue in that spirit today.

We have a lot of witnesses this morning.

They are no strangers to us. They were with us not too long ago.

I would like to welcome back Eric Janse, Clerk of the House of Commons; Stéphan Aubé, chief executive administrator; Michel Bédard, law clerk and parliamentary counsel; Patrick McDonell, Sergeant-at-Arms and corporate security officer; Jeffrey LeBlanc, deputy clerk of procedure; and Benoit Dicaire, acting chief information officer, digital services and real property.

Mr. Janse, you and your colleagues will have 10 minutes collectively to begin the meeting. Following the conclusion of those remarks, we will go into our first round of questions.

Mr. Janse, the floor is yours.

11 a.m.

Eric Janse Clerk of the House of Commons

Thank you very much, Mr. Chair. It's a pleasure to be back before the committee, this time on a different topic than last week's and with a slightly different cast of characters before you.

We are appearing today regarding the prima facie contempt arising from the cyber-attacks by a foreign-backed entity called Advanced Persistent Threat 31, allegedly supported by the People's Republic of China and targeting members of Parliament. We trust that our testimony today will assist the committee in its consideration of this important question.

In his May 8, 2024, ruling, the Speaker broke down the question of privilege into two distinctive parts. The first was the issue of the lack of notification of members regarding the cyber-attack, and the second was the attack itself.

In his ruling, the Speaker noted that, since the attack, processes and protocols regarding the notification of members had evolved. The Speaker, notably, referred to the May 2023 direction from the former minister of public safety respecting threats to the security of Canada directed at Parliament and parliamentarians. He also mentioned this committee's recommendation, contained in its 63rd report, that members of Parliament be notified by CSIS of the foreign interference threats targeting them.

In the second part of his ruling—that is, the cyber-attack itself—the Speaker found the matter to be an attempt to interfere with the work of parliamentarians, and he ruled that the matter was a prima facie question of privilege.

In reaching his conclusion, the Speaker referred to the prima facie question of privilege raised by the member for Wellington—Halton Hills, which was the subject of a ruling from the Speaker’s predecessor on May 8, 2023. In that case, the member was the subject of threats of reprisal by foreign actors for positions he had taken during debates.

In his ruling finding a prima facie case of privilege, the Speaker stated that the matter raised by the member squarely touches upon the privileges and immunities that underpin the collective ability to carry out parliamentary duties unimpeded.

At the culmination of its study on this prima facie question of privilege, this committee presented its 63rd report to the House on April 10, 2024. While the report is not yet concurred in, it contains many recommendations. As the committee considers this latest question of privilege, it may seek to build upon the conclusions of that report and provide further recommendations to the House.

Three of the recommendations in the 63rd report were directed at the House administration.

The first suggested that training on foreign interference be developed and offered as part of the members' orientation program and on a continual basis. This had been in development for some time, and I am pleased to say it is currently being offered to caucuses and will be part of the next orientation program.

The second sought a contact person to be assigned by the House administration to liaise with members on all matters related to foreign interference threats. The third, related recommendation suggested that a protocol be developed to inform the whips about foreign interference threats.

I note that agreements with our security partners relevant to these recommendations are already in place. We will be happy to provide further information about these later on during the meeting.

This new question of privilege provides the committee with the opportunity to consider some additional elements that were brought to light regarding cyber-attacks toward members individually and to the House as a whole.

Cyber-attacks have several objectives, one of the most obvious being to disturb our technical systems, and as such impacting the ability of members to do their work. They can attempt to steal confidential information, impacting members’ ability to work on sensitive files. These attacks might also be seen as attempts to intimidate members, therefore also interfering with the business of the House. When individual members are the subject of various forms of obstruction, the House as a whole can be impeded.

As indicated by the Speaker in his ruling, these types of attacks are more and more common. The issue raised by the member for Sherwood Park—Fort Saskatchewan related to cyber-attacks by a foreign entity targeting emails, but other modern technology may be used to disturb parliamentary proceedings. In some cases, the entities behind the attacks can be identified, and in other cases they cannot.

Another element to consider is the difficulty for the House to assert its rights when a foreign entity is the sponsor of reprehensible actions. Furthermore, if the House can, to a certain extent, mitigate the impact and risks when attacks target its own systems, when other systems, such as personal emails, are used by members to fulfill their duties, the House's ability is limited. Members can currently use various tools to fulfill their parliamentary functions, some supported by the House's IT services and others not.

When examining a question of privilege, the committee typically avails itself of the usual powers as it would when conducting any study. In terms of privilege, it will seek to establish the facts. It can propose remedies and proposals by way of recommendations in a report presented to the House.

I will now ask my colleague, Benoit Dicaire, acting chief information officer, to provide further information on cybersecurity at the House of Commons.

11:05 a.m.

Benoit Dicaire Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Thank you, Mr. Clerk.

Thank you, Mr. Chair.

I’m here today to talk to you about cybersecurity in the House of Commons, specifically to give you information on our evolving cybersecurity posture and the House administration’s commitment to protecting the institution and its users from cyber-threats.

The cyber-threat landscape is constantly evolving and becoming increasingly complex and challenging. The proliferation of technologies in this new digital reality is introducing significant growth in new threat vectors. In addition, the sophistication of threat actors is driving the House of Commons administration to continuously evolve and adapt our cybersecurity program to reduce emerging risks.

The House administration IT security team has a specific mandate to strengthen Parliament's cyber-resilience against a continuously evolving digital threat environment. Its role is specifically to protect the availability of IT resources, to ensure the continuity of parliamentary operations and to protect the confidentiality and integrity of the infrastructure system and its users, including members of Parliament and their data, whether in Ottawa, in constituencies or while travelling or working remotely. The House administration IT security team's mandate is for parliamentary information and devices only. Our role does not extend outside of members' legislative functions.

Parliament’s cyber-resilience relies on an integrated approach based on proactive measures such as ongoing monitoring, intelligence, threat hunting, vulnerability management, the development of incident response guides and regular exercises.

It is equally important to take reactive measures to ensure our ability to effectively detect incidents, threats and security breaches, to respond quickly when they are detected and to rely on them as they occur.

This approach is inspired by internationally recognized standards and best practices, such as the ISO 27000 series, the NIST cybersecurity framework, ITSG-22 and ITSG-33. It ensures that security controls and processes are in place to mitigate cyber-risk and to respond adequately to cyber-incidents.

In addition, this integrated approach is supported by various critical partnerships to effectively collaborate, share information and strengthen our cybersecurity posture. I will share more information about these partnerships in the in camera portion of this meeting.

That concludes the public portion of our introduction. We would be happy to take questions or answer any concerns.

Thank you.

11:10 a.m.

Liberal

The Chair Liberal Ben Carr

Thank you very much, Mr. Janse and Mr. Dicaire.

Colleagues, I have just a quick reminder. I briefly suggested last meeting that it would be helpful to the chair if, when you ask your questions, you have a timer in front of you or if the colleague next to you has a timer. It's certainly not required, but it means I don't have to speak over you to interrupt and keep you focused. I know sometimes that can be a distraction, but it's helpful for the efficiency of the meeting.

Mr. Genuis, the first six minutes are yours. I turn the floor to you.

11:10 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Thank you, Mr. Chair.

We're here to discuss the fact that 18 parliamentarians were targeted by APT31, a Chinese state-affiliated hacking outfit. I was one of the 18. The attack targeted parliamentarians involved in the Inter-Parliamentary Alliance on China, which is, I should note, a great and important legislative network that brings together legislators from various countries and continents across different political traditions to work on issues related to the CCP.

I should have been informed about this attack but wasn't. My questions will focus on the notification of members. The government's public statements have suggested that they were aware of this attack. They chose not to inform members. They shared some information with the House administration.

Can you confirm whether and when the government shared information about this attack with the House administration?

11:10 a.m.

Clerk of the House of Commons

Eric Janse

Thank you for the question, Mr. Genuis.

Indeed there were exchanges between security partners and the House administration at that time. We can perhaps provide some more details during the in camera portion, Mr. Genuis.

I think what was pointed out during the report—and certainly we can confirm from our end, and our security partners can on their end—was that if a similar situation were to occur today, things would be done differently from how they were when this incident occurred.

11:10 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

The government could have informed members directly. From my perspective, there's no reason why they shouldn't have. Saying that they told somebody else looks like an excuse.

In the context of informing the House administration, was whether or not members were informed discussed? Did they express an expectation that members would be informed? Did they express an expectation that members would not be informed? Was that an issue in the conversation?

11:10 a.m.

Clerk of the House of Commons

Eric Janse

I hate to do this, Mr. Genuis, but I'd like to suggest that perhaps this can be addressed in the in camera portion.

11:10 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

I won't press the point more than to say that it's a question of political accountability for the government whether or not they sought to get this information to members. If they had asked you not to share the information with members, I think that would be germane to the public conversation around this issue. If they had made other comments.... You know what you know, and I don't know it, so I'm not going to press you beyond your comfort level. However, I think whatever advice the government gave around whether members should be informed is a matter of legitimate public interest.

11:15 a.m.

Clerk of the House of Commons

Eric Janse

It's a fair point. Again, in order to provide a truly fulsome response to your question, we would prefer to do so during the in camera portion.

11:15 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Maybe we'll follow up, and at that time the committee can decide what information should be shared publicly.

One thing has really bothered me about it. I think most members were attacked through their parliamentary accounts. I was not. I was attacked through my personal account. It was related to my parliamentary work, of course, but my personal email account, which is not published, was nonetheless targeted.

The response we heard early on in a media comment by the Speaker's office was that there was nothing to worry too much about because the attack had been thwarted. My understanding—and perhaps you could clarify this—is that House of Commons security is not involved in monitoring or protecting the personal non-parliamentary accounts of members in any way. The Speaker's office and the House of Commons administration would not in any way be able to say whether the attack on a personal account had been successful.

Could you comment on that?

11:15 a.m.

Clerk of the House of Commons

Eric Janse

I can confirm that the House administration does not in any way monitor personal emails.

11:15 a.m.

Liberal

The Chair Liberal Ben Carr

You have about 90 seconds, Mr. Genuis.

11:15 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

Okay.

In terms of the protocols that were in place and that are in place now, there have been multiple cases in which there were threats and members were not informed. Those protocols have changed, if I understand right, such that if this event were to happen today, members would be informed immediately. Can you confirm that? Also, does the directive mean that members would be informed of threats to them that took place prior to the introduction of the new directive and that might still be relevant to them today?

11:15 a.m.

Clerk of the House of Commons

Eric Janse

I'll give a high-level answer, but I can get into a bit more detail in the in camera portion.

Indeed, there would be quicker communication with members than in the past, but there is still an issue of threshold. As my notes and the Speaker's decision alluded to, there are an awful lot of attacks, unfortunately, on the House. We wouldn't want CSIS to have a satellite office at the House, because giving constant representations to members would be required.

If this were the case today, as opposed to two or three years ago, it would be handled differently.

11:15 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

I have 15 seconds left.

That still seems fairly unclear. I understand there are a lot of threats. However, if an individual member, because of work they're doing on a foreign policy issue, is specifically targeted by a foreign government—not a generalized threat—it would seem reasonable to me that the member has a right to know, especially when they can take remedial action to protect themselves in both their parliamentary and non-parliamentary accounts.

You're saying it's still not a certainty they would be told.

11:15 a.m.

Clerk of the House of Commons

Eric Janse

I hate to do this, but we can get into that during the in camera portion. I can give you a more fulsome response.

11:15 a.m.

Conservative

Garnett Genuis Conservative Sherwood Park—Fort Saskatchewan, AB

I think it's a matter of significant public—

11:15 a.m.

Liberal

The Chair Liberal Ben Carr

Mr. Genuis, I've been courteous with the time.

Colleagues, in the event that you find you're getting to your final 20 or 30 seconds at the beginning of a round, feel free to give the time back to the chair. I'll simply add it to your time later on so you can have more efficiency in the lines of questioning. I certainly don't want to cut off any type of productivity.

Mr. Genuis, thank you very much.

Mrs. Romanado, the floor is yours for six minutes.

June 4th, 2024 / 11:15 a.m.

Liberal

Sherry Romanado Liberal Longueuil—Charles-LeMoyne, QC

Thank you very much, Mr. Chair.

I'd like to thank the witnesses for being back at PROC.

I have questions that I anticipate you will only be able to answer in the in camera portion, so I will save some of those for then. Once we do a full round, if it's the will of the committee, we might want to start that in camera session a little sooner, rather than asking questions that unfortunately can't be answered in public.

The CSE has provided PROC with a timeline of events that walks us through this situation and provides us with dates for when this came about.

Mr. Dicaire, we understand a parliamentary email account is being monitored, obviously, but what is the protocol right now in the event the House of Commons receives a call from CSIS or CSE saying they have reason to believe a parliamentarian's private email has been targeted? Walk us through what would happen, because there seems to be some information in this chronology that shows, despite multiple contact points with the House of Commons administration, that things were not done, or it took a couple of days before action was taken. If you could walk us through this, it would be helpful.

11:20 a.m.

Acting Chief Information Officer, Digital Services and Real Property, House of Commons

Benoit Dicaire

Thank you for the question, Mrs. Romanado.

It doesn't happen often with partners on the cyber front because they understand our mandate when it comes to specific threats regarding the personal identity of members. It's not coming from a lot of instances because usually our interactions with partners are through our mandate specifically. As you know, some of these agencies have specific mandates, and they only interact with us when it matters to Parliament specifically.

We take information from various partnerships. When we speak in the in camera portion, I can allude to this more. Any information coming to the parliamentary cybersecurity team would be triaged and handled. We would look at the level of risk tied to the threat specifically. If it is a physical threat, we would liaise with my colleague the Sergeant-at-Arms. If it is foreign interference or that type of scenario, we would go to our Sergeant-at-Arms specifically.

Most of our relationships, from my perspective, are on the technology side. When it comes to technology elements, we very rarely get an interaction specifically targeting someone. It's mostly targeting infrastructure—these types of scenarios.

In general, that's probably the best answer I can give in public. Maybe Stéphan can add something.

11:20 a.m.

Stéphan Aubé Chief Executive Administrator, House of Commons

Through the board in 2014, we modified the acceptable use policy to clearly articulate the process if ever a member's personal information was targeted. With the cybersecurity group, in all cases when a member's information is put at risk, the discussion first happens with the member's office and directly with the member. This is the process that is documented and was approved by the Board of Internal Economy for specific threats to members.

If ever we need to access content—and the content would not be shared from the members to the House administration because we need your authorization to do so—then after that we can escalate this to the House officers. If we feel that the House infrastructure is at risk and we need to protect the institution, we will then get into that discussion.

The document we follow for incidents pertaining to members is the acceptable use policy of 2014.

11:20 a.m.

Liberal

Sherry Romanado Liberal Longueuil—Charles-LeMoyne, QC

Monsieur Aubé, there was an acceptable use policy in 2014, but these events happened in 2021. If there was already a policy in place that clearly articulated the protocol to follow in the event of a possible non-House of Commons IT cyber-attack, as in the case of MP Genuis, why wasn't he contacted? You just mentioned that you need the approval of an MP in order to access that information. How come he was not made aware?

11:20 a.m.

Chief Executive Administrator, House of Commons

Stéphan Aubé

Our mandate from an IT security perspective focuses on Parliament and the legislative role of the member. We are not engaged currently in the personal protection of a member's information. In the case of such an event, if I don't have access to the information, I can't follow the protocol. Members whose House infrastructure was affected would have been notified.

11:25 a.m.

Liberal

Sherry Romanado Liberal Longueuil—Charles-LeMoyne, QC

You just mentioned that you currently are not engaged with IT systems that are outside of the House of Commons. Is that correct?