SoVote

Decentralized Democracy

Hon. John McKay

  • Member of Parliament
  • Liberal
  • Scarborough—Guildwood
  • Ontario
  • Voting Attendance: 62%
  • Expenses Last Quarter: $111,926.23

  • May/2/24 11:36:12 a.m.
Mr. Speaker, I am rising on a question of privilege that was raised by the member for Sherwood Park—Fort Saskatchewan on Monday. He and I, and my hon. colleague here, belong to a group called IPAC. It is an international group, the Inter-Parliamentary Alliance on China, and it appears we have attracted some unwanted attention. Last Wednesday, the member and I were on a call with IPAC in London and were advised of this form of cyber-attack. I am at an age and stage when I do not pretend to understand exactly what they were talking about, but I am given to understand that a group called APT31, or Advanced Persistent Threat 31, was conducting cyber-attacks against some colleagues here and indeed around the world. The only reason we found out about it was that the FBI was conducting a surveillance operation a couple of years ago, and we were caught up in that surveillance operation. That was a couple of years ago, so the question becomes this: Why did we not know about it? IPAC contacted the U.S. Department of Justice and asked why we did not know about it. The U.S. Department of Justice did notify the relevant nations, sovereignty to sovereignty. IPAC then compared the FBI list with its own list, and the member for Sherwood Park—Fort Saskatchewan, myself and my colleague here were on that list. The question becomes this: How come we did not know about it? Since then, we have been advised that the FBI did notify the Canada Security Establishment, or CSE, and CSE, in turn, notified Parliament, or the IT service that runs Parliament. A security check was run in a timely fashion, and the good news is that the system we have here was not breached. In that respect, it worked. However, at that point, a decision was made to not notify the affected members of Parliament and the affected senators; I think there are about 13 of us in total. That is a bit more problematic, so this is why I support the member's privilege question because I do think this needs to be investigated. 
I am given to understand that there are literally hundreds of thousands of attacks on our IT system on a daily basis, literally a massive volume, and it becomes difficult to know, when attacks are unsuccessful, when and how and if members should be notified because our inboxes could be literally filled on a daily basis with notifications of attacks. On the other hand, if I, as a member who is interested in security matters and defence matters, have an unusual volume of attacks or if other members, for other reasons, have unusual volumes or patterns of attacks, then that seems to be quite relevant to the interests of those individual members. The reason I am supporting the hon. member's question of privilege is that we need to start to review these protocols, and do it sooner rather than later. I want to make the point that this is not a government issue; this is a Parliament issue. The government did its job, so to speak, in that CSE reported it to our security services and the people who run them. However, I believe that PROC needs to look at this. It needs to review the sequence of events to make sure that, as I am describing it to the House, they were correct; to examine the decisions that were made when the information became available to Canadian authorities; and to review whether this is the kind of information that should be shared with members and, if so, in what format, how frequently, etc. I do not think we can take this very lightly. The analogy I have drawn in the past has been that it is like somebody looking at one's mail in the post office. I think we would all be pretty upset with somebody examining our mail. It is a bit of an exaggeration to say that, but it gives the sense in which the emails that are coming into our offices need to have security not only for ourselves but also for our correspondents and our constituents. These are significant volumes of emails. I just want to raise what I believe is a question of privilege. 
I hope the Speaker finds it to be a question of privilege and asks the member for Sherwood Park—Fort Saskatchewan to move the relevant motion. As I said, this is a significant issue. The chamber needs to deal with it in a timely sort of way; I hope PROC ultimately does as well.
782 words
  • Mar/23/23 4:13:46 p.m.
  • Re: Bill C-26 
Madam Speaker, that is two impossible questions in a row, and I congratulate the member for them. The first was whether cyberwarfare should be declared an act of war. To my mind, an attack is an attack. If someone is running cars off the road, or interfering with pipelines or hospitals, they are putting people's lives at risk and sometimes even killing them. That does strike me as an act of war. The second issue, and the member was probably there when I raised that question with one of our witnesses, was our levels of classification for information. The question I put to one of the witnesses was as follows: I have been in on some of the security briefings, and I am sitting there wondering whether I read it two weeks ago in The Globe and Mail. We seem to have a very high threshold of classifications, and maybe this could be an opportunity to reduce that threshold.
160 words
  • Mar/23/23 4:00:37 p.m.
  • Re: Bill C-26 
Mr. Speaker, in some respects, Bill C-26 is quite complicated, but it is also quite simple. It aspires to have the risks of cybersecurity systems identified, managed and addressed so we are at much less risk because of our cyber system. In the last while, I have had the good fortune to be the chair of the public safety committee in the previous Parliament, and I am now the chair of the defence committee. As such, I have listened to literally hours of testimony from people who are quite well informed on this subject matter. My advice to colleagues here is this: It behooves us all to be quite humble and approach this subject with some humility because it is extremely complex. The first area of complexity is with respect to the definitions. For instance, cybersecurity is defined as “the protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information”. Cyber-threat is defined as “an activity intended to compromise the security of an information system”. Cyber-defence, according to NATO, is defensive actions in the cyber domain. Cyberwarfare generally means damaging or disrupting another nation-state's computers. Cyber-attacks “exploit vulnerabilities in computer systems and networks of computer data”. Therefore, with respect to the definitions, we can appreciate the complexity of inserting yet another bill and minister into this process. Let me offer some suggested questions for the members who would be asked to sit on the committee to look at this bill if it passes out of the House. I do recommend that the bill pass out of the House and, if it does, that the committee charged with its review take the appropriate amount of time to inform itself on the complexities of this particular space. The first question I would ask is this: Who is doing the coordination? There are a number of silos involved here. We have heard testimony after testimony about various entities operating in various silos. 
For instance, the Department of Defence has its silo, which is to defend the military infrastructure. It also has some capability to launch cyber-attacks, but it is a silo. Then there is the public safety silo, which is a very big silo, because it relies on the CSE, CSIS and the RCMP, and has the largest responsibility for the protection of civilian infrastructure. While the CSE does not have the ability to launch cyber-attacks domestically, it has the ability to launch a cyber-attack in international cyberspace. It is a curious contradiction, and I would encourage members to ask potential witnesses to explain that contradiction, because the more this space expands, the more the distinctions between foreign attacks and domestic attacks become blurred. The bill would charge the Minister of Innovation, Science and Industry with some responsibility with respect to cybersecurity. I would ask my colleagues to ask questions about how these three entities, public safety, defence and now the Minister of Innovation, Science and Industry, are going to coordinate so that the silos are operating in a coordinated fashion and sharing information with each other so that Canada presents the best possible posture for the defence of our networks. Again, I offer that as a suggestion of a question to be asked. We cannot afford the luxury of one silo knowing something that the other silo does not know, and this is becoming a very significant issue. CSIS, for instance, deals in information and intelligence. The RCMP deals in evidence. Most of the information that is coming through all of the cyber-infrastructure would never reach the level of evidence, whether the civil or criminal standard of evidence. This is largely information, largely intelligence, and sometimes it is extremely murky. Again, I am offering that as a question for members to ask of those who come before the committee as proponents of the bill. 
The other area I would suggest to question is how this particular bill would deal with the attributions of an attack. To add to all of the complications I have already put on the floor of the House, there is also a myriad of attackers. There are pure state attackers, hybrid state criminal attackers and flat-out criminals. For the state attackers, one can basically name the big four: China, Russia, North Korea and Iran. However, there are themes and variations within that. Russia, for instance, frequently uses its rather extensive criminal network to act on behalf of the state. It basically funds itself with proceeds of its criminal activities, and the Russians do not care. If one is going to cripple a hospital network or a pipeline or any infrastructure one can name, then they do not care whether it happens by pure criminal activity or hybrid activity or state activity. It is all an exercise in disruption and making things difficult for Canadians in particular. We see daily examples of this in Ukraine, where the Russians have used cyber-attacks to really make the lives of Ukrainians vulnerable and also miserable. The next question I would ask, and if this is not enough, I have plenty more, is on the alphabet soup of various actors. We have NSICOP, CSE, CSIS and the RCMP. I do not know what the acronym for this bill will be, but I am sure that somebody will think of it. How does this particular initiative, which, as I say, is a worthy initiative to be supported here, fit into the overall architecture? Finally, CAF and the defence department are now doing a review of our defence posture, our defence policy. Cyber is an ever-increasing part of our security environment and, again, I would be asking the question of how Bill C-26 and all of its various actors fit into that defence review.
978 words