Procedure and House Affairs Committee on June 6th, 2024

Thank you, Mr. Chair, for the invitation to appear this morning.

My name is Caroline Xavier, as stated. I am the chief of the Communications Security Establishment, also known as CSE. I am joined by Rajiv Gupta, the associate head of CSE's Canadian Centre for Cyber Security, also known as the cyber centre.

I'd like to begin by providing the committee with a brief overview of the evolving threat landscape. Following this, I will speak to the mitigated threat activity that targeted Canadian parliamentarians and how CSE has been working and continues to work to support parliamentarians and protect our democratic institutions more broadly.

Canada’s adversaries are increasingly using cyber-threats to conduct espionage, move their foreign policy objectives forward and influence Canadian public opinion to their advantage.

Although we believe cybercrime continues to be the most likely cyber-threat affecting Canadians and Canadian organizations, the cyber-threat coming mainly from China—as well as from Russia, Iran and other countries—is more strategically significant.

Allow me to be more specific. The cyber-threat emanating from the PRC is significant in its volume and sophistication. PRC-sponsored cyber-threat actors will almost certainly continue targeting industries and technologies in Canada to give the PRC an advantage for its strategic priorities, whether political, economic, in security or in defence.

In parallel, Russia's invasion of Ukraine in February 2022 gave the world a new understanding of how cyber-activity is used to support wartime operations. It has demonstrated how nation states are increasingly willing and able to use misinformation and disinformation to advance their geopolitical interests.

Since 2021, the CSE has also observed that state-sponsored cyber-threat actors with links to Russia and the PRC continue to conduct most of the attributed cyber-threat activities targeting foreign elections. In the fourth iteration of our threats to democratic processes publication, released in December 2023, we outlined examples of cyber-activity against the democratic process that we have observed globally since 2021. These include distributed denial of service attacks, or DDoS, against election authority websites and electronic voting systems, unauthorized access to voter databases to collect private information, and spear phishing attacks against election officials and politicians, among others.

Given this observed activity, in the last few years, the CSE cyber centre has publicly released over eight alerts, four cyber-threat bulletins, and seven joint cybersecurity advisories with allies, all related to Chinese or Russian state-sponsored cyber-activity.

Canada's high degree of global connectivity and technological integration with our allies increases our threat exposure. Furthermore, Canada does not exist in a vacuum, so cyber-activity affecting our allies' democratic processes will also likely have an impact on Canada's.

In relation to the committee's study, I'd now like to provide a brief overview of the CSE's role and relationship with the House of Commons IT team.

The CSE takes its mandate and legal obligations very seriously. Under the cybersecurity and information assurance aspect of our mandate, the CSE acquires, uses and analyzes information from the global information infrastructure, or from other sources, to provide advice, intelligence, guidance and services to help protect electronic information and information infrastructure. Accordingly, pursuant to the CSE Act, the CSE and its cyber centre share intelligence and information with service providers and government clients, including appropriate authorities in Parliament.

In June 2022, the CSE received a report from the FBI, detailing emails targeting individuals around the world, including individuals who have been outspoken on topics relating to activities of the Chinese Community Party. The report included technical details and the names of 19 parliamentarians who had been targeted by this activity. However, from January to April 2021, more than a year earlier, the cyber centre had already shared reports with the House of Commons IT security officials, specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.

Upon receipt of this information, the CSE shared specific and actionable technical information about the activity with the House of Commons IT security officials, as well as with the Canadian Security Intelligence Service, or CSIS. Because of this information, the CSE and the House of Commons worked together to thwart the attempted compromise by this sophisticated actor.

We respect the fact that the House of Commons and the Senate are independent, and its representatives are responsible for determining the timing and the manner in which to communicate directly with MPs and senators. Last week, the committee’s clerk received a complete chronology of events describing measures the Communications Security Establishment took to inform and assist parliamentary officials in their efforts to detect and mitigate cyber-threats. It is important to highlight that the Communications Security Establishment’s engagement with House of Commons IT security stakeholders came well before the aforementioned Federal Bureau of Investigation report.

As the central technical resource for cybersecurity advice, we provide near real-time notifications, including to the House of Commons and Senate IT teams, and we have helped parliamentary IT security officials take quick and appropriate measures within their systems to protect their network and users against this and other threats.

When a cyber-threat is identified, the cyber centre sends out different types of notifications, including cyber flashes, which are urgent notifications delivered via email, daily updates about malware and vulnerabilities on a partner's IP space via the national cyber-threat notification service, and monthly summaries of national threat notification service data, showing how a subscriber's cyber hygiene ranks against anonymized peers in their sector.

When requested, we provide cyber-defence services and maintain an open line of communication to mitigate potential threats. To detect malicious cyber-activity on government networks, systems and cloud infrastructure, the cyber centre uses autonomous sensors, including network-based sensors—

Okay. I apologize for the interruption.

When requested, we provide cyber-defence services and maintain an open line of communication to mitigate potential threats.

To detect malicious cyber-activity on government networks, systems and cloud infrastructure, the cyber centre uses autonomous sensors, including network-based sensors, cloud-based sensors and host-based sensors. These defences protect systems of importance from an average of 6.6 billion attempted malicious actions per day.

CSC continues to monitor Government of Canada networks and systems of importance for cyber-threats. We are working in close coordination with government partners, including relevant security agencies.

We deliver foreign intelligence-informed cyber-defence.

Finally, I would like to call members’ attention to the solutions available to them. Indeed, the Canadian Centre for Cyber Security offers parliamentarians a support service, in addition to holding regular information sessions for political parties on cyber-threats, as well as providing a dedicated point of contact at the centre for accessing cybersecurity support.

Since 2017, the CSE has established four unclassified reports on cyber-threats to Canada's democratic processes, and our “National Cyber Threat Assessment 2023-2024” highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.

Since 2014, interdepartmentally, the CSE's cyber centre has worked closely with Elections Canada to ensure that our election systems and infrastructure remain secure. The CSE also continues to work as part of the security and intelligence threats to elections task force, SITE. Cyber-incidents such as ransomware, DDoS and supply chain compromises are becoming more frequent across all industry sectors, and these incidents are negatively impacting our prosperity, privacy and security. That's why Bill C-26 is so important. It would give the government new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada's critical infrastructure from cyber-threats.

Four sectors are subject to the mandatory cyber-incident reporting in Bill C-26: finance, energy, telecommunications and transportation. These were all prioritized due to their importance to both Canadians and other sectors. They are critical enablers. Bill C-26 will improve our ability to protect ourselves from both the threats we observe today and the threats we will face tomorrow.

The federal government intends to launch its updated national cybersecurity strategy, which will communicate Canada's long-term approach to addressing evolving threats in cyberspace. Central to the new strategy will be a shift in focus towards a whole-of-society approach to Canada's national cyber resilience, where public and private entities and all levels of government work in close partnership to defend against cyber-threats, including threats to our institutions. The government also recently announced the defence policy update, “Our North, Strong and Free”, which proposes a significant new investment in the CSE through budget 2024.

Finally, an important aspect of Canada's whole-of-society approach to our collective security includes practising good cyber hygiene, including safe social media practices, especially in those public roles. The cyber centre has released guidance on ways to protect yourself online. It also has cybersecurity resources for elections authorities, political campaigns and Canadian voters. I really encourage you to take a look at our website, getcybersafe.gc.ca. I would also encourage organizations that have been impacted by cyber-threats to contact the cyber centre, so that it can help share threat-related information with partners to help keep Canada and Canadians safe online.

Further, to make cyber-incident reporting easier for Canadians, the CSE is also working with its federal partners to establish a single-window solution for reporting cyber-incidents, with the ultimate goal being to ensure that Canadians can always find the help they need. This was a key recommendation this week from the Auditor General.

To conclude, the CSE and the cyber centre remain active in their collaboration with all partners, including the House of Commons, to improve Canada's cyber-resilience and protect our democratic institutions. We will continue to monitor any developing cyber-threats and share threat information with our partners and stakeholders, as always.

Once again, thank you for your invitation to appear before you today. We are pleased to be able to contribute to this important discussion and give you an overview of the way the Communications Security Establishment and the Canadian Centre for Cyber Security both work every day to protect Canadians and their democratic institutions.

Thank you for your attention.

I can confirm that when we became aware in 2021 of some anomalies that we were seeing with regard to potential cyber-activities towards the House of Commons, we did, indeed, inform the House of Commons IT security team.

What I can say is that when we were informed in June 2022 by the FBI of all of what we were informed by them about, the list of parliamentarians, we did, indeed, share that list of parliamentarians with the House of Commons IT security team. We also shared it with CSIS.

As mentioned in the chronology that was provided to the clerk, we made it clear that, since January 2021, we've been seeing a sophisticated actor doing cyber-activities towards the House of Commos. We provided 12 reports to the House of Commons. We also held meetings with the House of Commons and CSIS. As part of those various activities—the meetings and reports we provided—we were able to share information that was going to be important in order to continue to mitigate the threat.

Whenever we have a cyber-incident, we work immediately to focus on mitigating the threat. Once we are continuing to address the threat, we, from a CSE perspective, work hard to try to better understand where the threat originated. As we continue to learn that information, we share it with service providers and those who need to know, especially if it's going to be helpful to continue to mitigate the threat.

As part of the various meetings and reports we provided, we were able to share with the House of Commons IT security staff what we believed at that time to be the originating source of the threat.

I believe it would be more appropriate to discuss some elements of the threat during the in camera portion of the meeting.

What I shared was that, when we know the originating source, or when we have a general understanding of the original source, we share that information with service providers and those who need to know. As part of that, we shared over 12 reports with the House of Commons IT staff and held several meetings.

As part of those meetings, we were able to share information linked to the originating element.

As I said, as part of the many meetings we held and the reports we provided to the House of Commons, we provided what was at that time believed to be the originating source.

We now know—because it is 2024 and we have much more information and collective knowledge—that this was an actor by the name of APT31.

From January 2021 all the way until.... I forget the exact date, because I don't have the chronology in front of me, but it was almost a year in advance of the time in 2022 when we got the FBI report. We were aware that APT31 was of concern for us from January 2021. As part of the conversations we had with the House of Commons, the presentations we made to them and the reports we shared, we identified APT31 as, potentially, the actor at that time.

I think, Mr. Chair, that I've answered the question.

Thank you very much for the question.

As I said before, since the start of January 2021, we observed anomalies, troubling cyber-activities. We then contacted the House of Commons cybersecurity analysts to advise them of our concerns on a technical level. As we gained understanding of what was happening, we submitted 12 reports to them, met with them and also met with our colleagues from the Canadian Security Intelligence Service, or CSIS. We participated in conversations and advised the House of Commons that a nation-state actor was involved, and that it was in fact ATP 31.

It happened between January 22, 2021, and—

Yes, that’s right.

We send a great deal of information, as much as we can, especially when it is not classified. Sometimes, we declassify information if sending it is useful.

I will ask Mr. Gupta, who was present during some of those conversations, to shed a bit more light on the type of information we send.

Thank you, Mr. Chair.

When you have classified intelligence reporting, there's a lot of context and information, and then there's often a tear line, so there is another set of information that you can provide to an incident responder or to another organization to enable it to take immediate action in resolving an incident. In the lead-up to the incident, we would be sharing tear-line information: “Here is a sophisticated threat actor,” which, in cybersecurity terms, typically means a nation-state and is super important. It definitely reinforces the seriousness and the importance of the event.

However, all we're allowed to share, because of the intelligence, are the technical indicators. We didn't have the email addresses, so we would share the things that would be needed to find the email addresses. That's what we shared with the House of Commons, and we worked with the House of Commons collaboratively to figure out exactly what was going on, because typically you have a thread you need to pull.

We started the thread-pulling by saying, “Hey, this is what we know. You can go find your emails.” We didn't have the emails. We had the thing to look for the emails with. They would go and look for that. That's what they did, and then they came back with that information. Every time we found something new, they understood the scope of the incident. That's how we work collaboratively with the House of Commons, and we've worked collaboratively with the House of Commons for a decade or more.

Thank you very much for the question.

We take our role very seriously. For us, it’s important not to keep Canadians’ private information with CSE data, because our role plays out on the international stage. When we understand that the origin of the threat to Canada is coming from abroad, it’s very natural for us to pass the torch to CSIS, because it has the mandate to act within Canada. We therefore take very seriously the fact that we do not intervene, and we are careful not to manage personal information. The reason why we passed the torch to CSIS in that situation was because the incident had to be managed here, in Canada.

As my colleague Mr. Gupta said, when we manage an incident involving an institution, we maintain a continuous relationship in order to better understand the threat. It also provides us with information.

With the exception of the House of Commons, an institution could manage everything internally and inform us of the incident only after it is resolved. It’s also possible that it will not inform us at all.

Thank you for your question.

Yes, our mandate involves protecting Canada’s government systems and critical infrastructure, but we also have an international mandate. Even if our mandate does not involve protecting individuals directly, you will find information on our website about ways to improve individual cyber-hygiene.

Our first mandate is to protect Canada and Canadians, especially government systems, industry, critical infrastructure and government communication sectors, among others.

Yes, they are. Since 2019, we’ve offered parliamentarians the opportunity to get support from the Canadian Centre for Cyber Security, especially if they’ve had problems after a cybersecurity incident. That is also part of the services we offer, but it is important for parliamentarians to contact us if they want our help.

As I said before, we are very careful not to collect Canadians’ information. That means when Canadians or parliamentarians contact the Canadian Centre for Cyber Security for support, it is very important for everything to go well, so that we can offer the support required for managing an incident without going into their private lives.

I do not want to answer for the House of Commons administration, so it would be better to ask them the question directly.

That said, as Mr. Gupta noted, we have a very good relationship with the House of Commons administration. We’ve worked with them since 2012, and the relationship is constantly improving. In 2016, we implemented a memorandum of understanding to properly maintain this relationship.

I will ask Mr. Gupta to answer you, because as I said, he was very involved at the time, in 2021. I think he may be able to give you a better answer.

I think, to be able to understand the implications, as I mentioned, we shared a series of reports over the first few weeks that would help us pull the thread and understand what was going on. This was in 2021. This was pre-vaccine COVID, so it was very difficult to get people into rooms. We were working, but not necessarily everyone was in the office, so we booked a classified meeting to make sure that the full implications were met. We can talk about that maybe in the in camera session, but that's how we go about it. We share the information we can, and then we try to book classified meetings to make sure that all the full context is well understood.

Thank you for the question.

I’m very proud of our organization. We have extraordinary people who work very hard for Canadians. The additional funds included in the 2022 budget helped us move our cybersecurity activities forward and fulfill our mandate. The additional funds proposed in the 2024 budget would give us additional resources to do our work for Canadians. For us, that’s a vote of confidence from the government regarding our ability, and we are very proud of it. We are committed to meeting the demand.

Thank you very much for the question.

One thing that's worth mentioning here is that we work really hard to try to ensure we inform Canadians and businesses as much as possible with the various publications that we put out. As mentioned, since 2017 we've put out three updates on “Cyber Threats To Canada's Democratic Process” and, in addition to that, four editions of the “National Cyber Threat Assessment”. Those are documents that help highlight some of the threats we're seeing and observing based on a whole bunch of research as well as the observations that have occurred in Canadian systems as well.

With that, one thing we also do is that we actually hold quite a number of information sessions, and we've held some with parliamentarians, supported by others like the service and the RCMP. We're very happy to be able to do joint information sessions with whoever would like us to be present, to educate them on the cybersecurity domain in particular, because the more people are aware of what the threats are, the more resilient we become as a country and as individuals.

The issue, though, is that we really are respectful of the independence of the House of Commons and the Senate, and we're really respectful of the role that the House of Commons administration plays in supporting parliamentarians. This is why we go through them, as we do for many service providers and other institutions that we deal with. We go through them, and we're at their service if they would like to have more support from us. We would be more than happy to continue to hold sessions with parliamentarians should the House of Commons administration want our assistance to do a joint session. We're definitely available to do that.

As a matter of fact, the public safety department has been in touch with the Sergeant-at-Arms, and there are three sessions currently scheduled for caucus that we'll be part of, for example, with Public Safety as well as the RCMP and the service. This is to show you that these are services that we are prepared to do, but we are just trying to continue to be very respectful of the processes that are in place and, more importantly, the independence of the House of Commons in this role.

Thank you very much for the question and the clarification.

We are an organization that considers itself very much a learning organization, so we continue to look for ways to improve. This is part of that learning, to be able to see where we can improve our processes, in addition to all the external review bodies and various reports that are going on with regard to other issues, like foreign interference.

We will continue to learn from this to improve those processes and work with the House of Commons to identify a better way forward.

In general, though, when it comes to identifying an individual who may be impacted by a cyber-incident because we learned of it from a foreign source, we pass on that information in general to the service, as I mentioned earlier, for the reason that then it becomes a domestic issue and is not within our wheelhouse. It is also not the way in which we function with respect to our act. Sometimes the RCMP will be engaged, especially if it's going to be something that requires a law enforcement lens. In this case, we did pass it on to the House of Commons as well as to CSIS, so that they could pass on the information to the necessary MPs.

Our understanding, or, yes, I guess my expectation would be that if I'm passing on information to a partner, a partner will do what is necessary to address the content of the information that is provided—

When we pass information on, the expectation is that it will be of use to others. The expectation would be that, given that we shared a list of names, somebody will act on it, whether it's to CSIS or, in this case, the House of Commons.

I'm going to pass on the information and ask if Rajiv would like to answer, given that, as I said, he was present at the time and would have a better understanding of what the expectation was.

It's because I wasn't personally present. My expectation is that, yes, if I'm passing some information on to an institution or the House of Commons, they are acting on it, and that they're taking that information and passing it on—

When we passed on the information, including the names, when we became aware of the names in June 2022, our expectation was that we gave them the information, as well as actions that could be taken to mitigate it, and they would act on it.

If one of the actions was to brief parliamentarians, then the expectation is that, yes, they would have done that.

I was not present at the discussion. However, I have worked with HOC in the past. Expectations are based on—

In working with the HOC, they have stressed from day one over the decade plus that we've worked with them, that the independence of the HOC is super important. They understand their clients.

We've worked with them many times. My understanding is that, having worked with them in the past on incidents and seeing what has happened, we have discussed this with them, and they have gone and done that job.

Based on past evidence, my expectation was that we would have that same discussion, and that based on their understanding of thresholds.... I don't know the threshold for when the HOC's Sergeant-at-Arms will go and actually brief a person—

We communicate the threat and the context, so understanding that this is the exact threat—

An expectation to go and brief.... We wouldn't tell them to go and brief, as in, “You have to go brief now.” We would tell them, “This is really important, and your members are at risk.” These are the types of things we would say. We don't say, “Go and brief.”

I will ask Rajiv to answer that question.

Thank you very much.

From our understanding.... You can see the chronology; the timeline is laid out.

We were reaching out for information. We don't know what happened on the other side in terms of how long it takes to get that information. As I said, it's a collaboration. We've worked well with the HOC in the past and have tons of respect for their folk.

I think that when we did get together to meet, information was shared. There was that sharing of information. You can see on the timeline when that occurred.

I would add that it's not abnormal in any cyber-incident that we deal with, especially with critical information or a private sector company, that the information is perceived as one way, because they are managing their issue. They're living it. It's not abnormal for them to take the time they need to eventually get back to us or possibly not tell us. This is how that sometimes happens.

One item I'd like to add is that this was a very sophisticated threat actor on HOC networks. We found the very early stages. The tracking links are the first stage. The next stage would be a dropper. The next stage would be actual exploitation software, which would have been very serious.

We would like to reinforce that the steps taken between HOC and ourselves prevented a compromise of HOC networks by this sophisticated threat actor.

When we're going to be doing work with an entity that is in Canada in particular, or any entity with whom data may be exchanged that we may need to collect to be able to do some analysis to identify the threat in a better way and better understand the origins, a memorandum of understanding or an instrument of some sort is often put in place to really clearly outline how and why the information will be shared.

This is linked back to the fact that our mandate works really hard to protect the privacy of Canadians and not infringe on those rights. In particular, especially as an organization may take on some of the services we offer—host-based sensors, network-based sensors and cloud-based sensors—depending on the services that an organization takes on, that is the other reason an MOU would be put in place. It's the exchange of information that is happening or possible support to a monitoring element, so that we can continue to educate, learn from it, and clearly outline how the data is being managed.

Thank you for the question.

I’m not sure which CBC article you’re referring to. However, I can tell you that, during an interview with Ms. Bureau, if memory serves, we talked about the resources and skills the Communications Security Establishment needs and is looking for.

In that interview, I said that the Canadian Centre for Cyber Security and the Communications Security Establishment were not the only ones looking for those skills. In fact, those skills are very sought after throughout Canada and the world, because everything is becoming digital.

I think it’s worth mentioning that there is immense interest in the Communications Security Establishment. That is why we feel very capable in distributing our resources, based on the budget allocated to us.

Thank you.

As I said, as an organization, we like to keep learning and do things better. During your study, you will develop some recommendations. From there, we may be able to do better. The Communications Security Establishment does not set policy. In fact, we are given actions to execute, and we do our best to do so.

Yes. As mentioned, a cyber-incident is usually a moment of crisis for an organization. As a result, our job is to be there as a support. Sometimes we're the ones contacting an organization to say to them that we are seeing something that is of concern. Sometimes they have identified the cyber-incident, and we call them and ask if there is anything we can do to help. Sometimes we do have that regular, ongoing, two-way communication.

However, sometimes a company might choose to have an external service provider provide them the support, so then we're just more in monitoring and wait and see....

It's not automatic that an organization will come to us or continue to want to engage with us. It's not because they're not wanting to. Sometimes, especially when dealing with cybercrime, we're dealing with ransomware. We don't encourage the payment of ransomware, and sometimes that's another reason a company might not want to deal with us, as a government entity. They're afraid that it could mean something.

Although we are not all law enforcement—we're not a regulator—we work hard to build trusting relationships, and I feel that we do that on a daily basis. However, I don't want to mislead anybody to think that means that we know all the elements of cyber-incidents that happen in the private sector, for example, or with critical infrastructure.

We actually do continue to follow up with the entities. We continue to call them or work with them, and I don't want to leave anybody with the impression that there aren't relationships that exist. On the contrary, we have very great relationships with critical infrastructure, especially the energy sector, the telcos and the banks, where we meet with them regularly to talk about threats and to learn from each other about the threats they're facing. There are great relationships and governance bodies that exist to be able to work through understanding.

Having said that, though, we will continue to support and offer our support, but we can't force them. This is where, as I said in my opening remarks, Bill C-26 is really important in the four critical infrastructure sectors that have been identified as part of that bill, because they're really important to Canadians in the critical infrastructure space.

Typically on our reports there is a caveat that will say that you can't share this further without the explicit authority of CSE. That would probably be the caveat. I'd have to look at the reports.

All of the information belongs to them. If it's their information, that belongs to them under whatever authority: the FAA, for example, for the rest of the departments.

That would be in our reporting, in our explicit report. Like I said, we didn't even have the emails, so we would share the key to go find them. They would find them, and then they'd have free rein to go and share that information.

The caveats restrict the system owner from sharing anything with their people.

I would reject the premise of that statement.

Just to be clear, what my colleague was saying is that—

They could always ask us if they wanted to share something specific from the report. Outside of the report, they have access to all of their IT systems and all of the information that they can share that they own.

No, but if they had...and we have done this many times. We've done this many times in the past with HOC—

As I've mentioned, we take our role very seriously, and we take the privacy of Canadians very seriously. We take the role that we play with service providers like the House of Commons very seriously. We recognize that everybody has a role to play in the process.

Having said that, I recognize that we're going to learn from this incident and hopefully get a better understanding, especially from the study that you'll do, on how we might do something differently.

As per the chronology, since January 2021 we were aware of some activities going on. As was explained by my colleague Rajiv, we progressively started to better understand the threat—

I believe we've answered the question that we did tell the House of Commons, through the various interactions that we had with them, that we believed at that time that the threat was APT31.

Having said that, the member asked me what specific time that was, and I'm not able to tell you exactly on which date that happened—

That is correct. That is exactly how we function.

We are very much like a service, as you mentioned. When we are made aware of an incident or when we see something through the tools we have, the intent, our goal, is as much as possible to get the information to the right people, to enable them to act and mitigate the threat first. On what happens in a case like a Government of Canada system, deputies, for example, are the ones accountable within each of the departments, and then they have accountability to a minister.

When we pass on that information to an IT department within a government organization, they are the ones who are going to take the necessary steps, with our support as well as, for example, that of Shared Services Canada. It depends on the department.

In an industry as well, it's the same: We'll contact the IT organizations and tell them we've seen something and they are to act on behalf of their organization. Often there will be this back-and-forth that we talked about before in terms of gathering more information for them to act on.

We do this actually quite regularly, because we do this in a pre-notification ransomware initiative that we have put in place with our U.S. partners, for example. Over 500 organizations have been contacted by us at what we call a “CISO level” to be able to thwart an attack before it happens, saving them millions of dollars.

I don't want to mislead the committee, so I'll have to go back and reconfirm the contents of the MOU. I can't say that I read it before coming before this committee this morning—

Again, we expect to learn from this incident and to work in collaboration with the House of Commons to identify the best way forward so this incident is not repeated.