Procedure and House Affairs Committee on June 6th, 2024

As I said before, we are very careful not to collect Canadians’ information. That means when Canadians or parliamentarians contact the Canadian Centre for Cyber Security for support, it is very important for everything to go well, so that we can offer the support required for managing an incident without going into their private lives.

I do not want to answer for the House of Commons administration, so it would be better to ask them the question directly.

That said, as Mr. Gupta noted, we have a very good relationship with the House of Commons administration. We’ve worked with them since 2012, and the relationship is constantly improving. In 2016, we implemented a memorandum of understanding to properly maintain this relationship.

I will ask Mr. Gupta to answer you, because as I said, he was very involved at the time, in 2021. I think he may be able to give you a better answer.

I think, to be able to understand the implications, as I mentioned, we shared a series of reports over the first few weeks that would help us pull the thread and understand what was going on. This was in 2021. This was pre-vaccine COVID, so it was very difficult to get people into rooms. We were working, but not necessarily everyone was in the office, so we booked a classified meeting to make sure that the full implications were met. We can talk about that maybe in the in camera session, but that's how we go about it. We share the information we can, and then we try to book classified meetings to make sure that all the full context is well understood.

Thank you for the question.

I’m very proud of our organization. We have extraordinary people who work very hard for Canadians. The additional funds included in the 2022 budget helped us move our cybersecurity activities forward and fulfill our mandate. The additional funds proposed in the 2024 budget would give us additional resources to do our work for Canadians. For us, that’s a vote of confidence from the government regarding our ability, and we are very proud of it. We are committed to meeting the demand.

Thank you very much for the question.

One thing that's worth mentioning here is that we work really hard to try to ensure we inform Canadians and businesses as much as possible with the various publications that we put out. As mentioned, since 2017 we've put out three updates on “Cyber Threats To Canada's Democratic Process” and, in addition to that, four editions of the “National Cyber Threat Assessment”. Those are documents that help highlight some of the threats we're seeing and observing based on a whole bunch of research as well as the observations that have occurred in Canadian systems as well.

With that, one thing we also do is that we actually hold quite a number of information sessions, and we've held some with parliamentarians, supported by others like the service and the RCMP. We're very happy to be able to do joint information sessions with whoever would like us to be present, to educate them on the cybersecurity domain in particular, because the more people are aware of what the threats are, the more resilient we become as a country and as individuals.

The issue, though, is that we really are respectful of the independence of the House of Commons and the Senate, and we're really respectful of the role that the House of Commons administration plays in supporting parliamentarians. This is why we go through them, as we do for many service providers and other institutions that we deal with. We go through them, and we're at their service if they would like to have more support from us. We would be more than happy to continue to hold sessions with parliamentarians should the House of Commons administration want our assistance to do a joint session. We're definitely available to do that.

As a matter of fact, the public safety department has been in touch with the Sergeant-at-Arms, and there are three sessions currently scheduled for caucus that we'll be part of, for example, with Public Safety as well as the RCMP and the service. This is to show you that these are services that we are prepared to do, but we are just trying to continue to be very respectful of the processes that are in place and, more importantly, the independence of the House of Commons in this role.

Thank you very much for the question and the clarification.

We are an organization that considers itself very much a learning organization, so we continue to look for ways to improve. This is part of that learning, to be able to see where we can improve our processes, in addition to all the external review bodies and various reports that are going on with regard to other issues, like foreign interference.

We will continue to learn from this to improve those processes and work with the House of Commons to identify a better way forward.

In general, though, when it comes to identifying an individual who may be impacted by a cyber-incident because we learned of it from a foreign source, we pass on that information in general to the service, as I mentioned earlier, for the reason that then it becomes a domestic issue and is not within our wheelhouse. It is also not the way in which we function with respect to our act. Sometimes the RCMP will be engaged, especially if it's going to be something that requires a law enforcement lens. In this case, we did pass it on to the House of Commons as well as to CSIS, so that they could pass on the information to the necessary MPs.

Our understanding, or, yes, I guess my expectation would be that if I'm passing on information to a partner, a partner will do what is necessary to address the content of the information that is provided—

When we pass information on, the expectation is that it will be of use to others. The expectation would be that, given that we shared a list of names, somebody will act on it, whether it's to CSIS or, in this case, the House of Commons.