Good morning, Mr. Chairman. It's a pleasure to be here today.
It is a pleasure to join you to discuss this very important issue. I am accompanied by two of my department heads. Louis Bard is the Chief Information Officer of the House of Commons.
He is responsible for the Information Services Directorate. The Sergeant-at-Arms, Kevin Vickers, is responsible, among many other things, for security, through the security services of the House of Commons, for providing the physical security of the parliamentary precinct and of course of members.
I don't really have an opening statement as such, but I have a few opening remarks, perhaps, to situate this discussion in terms of how we view things.
I'm very pleased that you chose to invite the Sergeant-at-Arms and the CIO, because I see very important parallels in the way each of these service heads operates in order to ensure the security of the precinct.
The first thing that I want to say is the security posture here at the House of Commons is always intelligence-led. There's a parallel between the physical security that's provided through the Sergeant-at-Arms and the House of Commons security services—and their partners—and the IT security provided through the chief information officer and the House of Commons information services team.
I'll explore that a little just to give you an idea of how we approach this. Obviously I'm not an expert in security. These are the experts I rely on, and I am really very confident that the House and members are in very good hands.
Let me first of all turn to something that's perhaps less foreign or less difficult to understand. This is what the Sergeant-at-Arms does. On a daily basis, the sergeant and his director of security are in touch with our security partners—the RCMP, the Ottawa Police, CSIS, etc.—to discuss the threat-level assessment for that day, for the precinct and for members. This goes on on a regular basis. It's a regular conversation they have.
If for whatever reason there is an elevated threat level, whether it be for the precinct because of a particular demonstration that's going on related to a summit that's happening somewhere else in the world, or something like that, or whether it's, for whatever reason, an interest in a particular member or a minister, or something like that, then the outside partners who are responsible for this continuing monitoring of the threat level will tell us what they recommend as the threat-level posture. If the threat level is such that it is elevated, for whatever these reasons might be, we then adjust our posture appropriately here in order to respond to that and to be able to do our part in the seamless protection of the precinct and of members.
Obviously, no details of those kinds of adjustments are discussed publicly. The consultations are not even discussed publicly. In the interest of good security, you keep this basically quiet, and you get on with the business of protecting the precinct and members.
In a very similar way, and on a regular basis, the chief information officer and his team are in constant contact with CSE, the Communications Security Establishment, to monitor cyber-threats. One of the things we are all trying to adjust to is the fact that the Internet, for all of the wonderful access that it provides, is nonetheless something we're all coming to grips with in various ways. The new and ever-expanding use of social media means that there are all kinds of things happening out there in cyberspace. We have to be aware of what's going on there; but at the same time, we have to make our peace with the idea that we can't control it.
It used to be that demonstrations for or against a particular issue or position, or whatever, were fairly straightforward. People had placards, they gathered on Parliament Hill, on the lawn, they shouted slogans, they heard people, they applauded, and then they went home. And that was fine. Some of that still occurs, and that's fine too. But increasingly there are now organized campaigns for and against various issues, advocating positions and so forth, that take place using the Internet and using social media. Those, of course, with the usual range of human behaviour, range from the conscientious and the serious, right through to the anarchic, and the perhaps more threatening, as in the case, for example, of this Anonymous group.
The difficulty one has there, in a way that perhaps other organizations don't entirely face—I'm thinking of businesses and the like—is that when we create a parliamentary network here, the campus network for information technology, it is built to what we believe is an appropriate security level and we monitor that constantly. But the important thing to remember is that from our point of view—and I believe from the point of view of members, since the network exists to serve members in the first instance—it has to be accessible to people who want to reach you. The communication going both ways, from here out and from out in, is the bedrock of political conversation in this country. We can't protect a situation to such an extent that access becomes so cumbersome and so difficult as to become an irritant, or worse yet, God forbid, an obstruction to this free flow of information and communication.
At the same time, I think we have to realize that regardless of how one might want to create a network, a situation that is hacker-proof is simply not possible. The WikiLeaks business that happened, which garnered headlines some months ago, is a perfect indication of that. There really is no such thing as a perfect network. If you say that, you issue a challenge, and somewhere out there there will be somebody who is bound and determined to break in just basically because that's how they pass their time. I think we have to make our peace with that.
What we have to do—and this is something I'm confident we are doing—is take very seriously the idea that we need a protected network, that we need a secure network, in order for parliamentarians to do their work. We do that by monitoring very carefully the activity on the network on an ongoing basis so that anything that seems unusual is something that immediately jumps out. We do that in various ways through the security measures that are in place. When we see some kind of unusual activity, we take appropriate action to address that activity, whether it's isolating a particular computer or whatever. All of this of course goes on with our partners at CSE and the stakeholders there.
We have various ways—and I won't get into the details of them, not least of all because I don't think I could explain them adequately—and various themes, I think, under which our operations fall. There is the idea, for instance, of protection. We have firewalls around the parliamentary network. We have filtering gateways. We have encryption software. In terms of detecting unusual activity, we have the usual types of software, the anti-spam and anti-virus software that's out there, which is constantly being upgraded and monitored as systems and technology develop.
Access control is certainly very important. I remember testifying before you on a different case in which we said that a network is only as secure at the weakest person using it. So whoever is using it,
It is very important to know who has access, who has the passwords and all of that. There are very important protocols that govern the use of the network.
The other aspect is the physical security of the different pieces of equipment we have, naturally.
So that's the physical security, whether it be laptops or whatever.
In communications between the network here and the network in your constituencies, that is possible through the creation of what's called a VPN, or a virtual private network. It allows for secure communication within the network environment.
Administratively, we have awareness campaigns in security that are run by the Sergeant-at-Arms and the CIO. We have appropriate policies, from the wearing of badges to the appropriate use of technology.
We try to sensitize people to the dangers out there, without overreacting in such a way as to give more attention than is merited to various troublemakers who ask for nothing more than a chance to make headlines.
We work very closely with CSE and with CSIS. I have here an extract, a statement from CSIS, which I think is useful. It says:
||The threat of attacks on critical information systems and the infrastructures that depend on them will, in the foreseeable future, be almost impossible to eliminate entirely, owing to the fact that attack tools, networks and network control systems are constantly evolving. As new technologies develop, so too will new attack tools along with the sophistication of the perpetrators who use them.
I don't want to leave the impression that the situation the Minister of Public Security suffered was anything that we condone. It was nothing short of appalling. But at the same time, I think we have to put that in the context of what is happening in the world today. It should not engender unwarranted anxiety about the thoroughness of our security posture.
That's about all I had to say.
We're in your hands for answering questions, and my two experts are of course at your disposal.
My thanks to Madam O'Brien, Monsieur Bard, and Mr. Vickers for being here.
What most of us will be concentrating on, I think, is information you can provide on cyber-threats to the computer side of things. We're going to be talking to some law enforcement agencies over the course of the next few meetings to assess the threat Anonymous might pose beyond the precinct here in Parliament. So most of my comments will be directed to Monsieur Bard, although I would invite commentary from all of you.
Thank you, Madam O'Brien, for answering some of the questions I had in your opening statements.
First, given that no one can put security protocols or provisions in place that would render a system completely bullet-proof, I'd like to know right now, in your considered opinion, how vulnerable are we? How vulnerable are we if Anonymous wants to hack in? Secondly, do you have any plans to increase security provisions beyond what we currently have in the parliamentary precinct? Lastly, would you have any recommendations for our systems beyond the parliamentary precinct? I'm thinking specifically about our constituency offices.
One at a time, please, give us your assessment of how vulnerable we are right now, and then tell us what security provisions might be put in place.
Those are very good questions. There's no doubt that the House of Commons as a symbol of Parliament is regularly identified in potential security threats. Every threat you can find out there, Parliament is noted somewhere because of the symbol of Parliament.
We are, as mentioned by Madam O'Brien, working very closely with all kinds of partners, such as CSE. We're working with RCMP. We are working also with the industry. We've highlighted a number of scenarios, technologies, and layers that we have to protect the environment, and we rely on the industry in terms of also bringing a third dimension to the threats, what's going on, and what we should be preparing ourselves for. Therefore, as Kevin does on physical security, every day we assess those threats, every day we evaluate the situation.
Around three or four years ago the board approved the creation of an IT security team, which we have implemented. We have put in place a lot of new technologies and mechanisms to secure the environment.
For us, when something happens like it did two or three weeks ago, there's no doubt that at that point we strengthen our monitoring activities based on the threats. We have a lot of alarms. We follow up on alarms. We follow up on notices. We make sure that we reinforce our security measures. We make sure that we make adjustments to our protocols of the day. A good example of that is the major spoofing that happened to the Treasury Board last year. Immediately, we were ahead of the game to analyze this, and there was actually no incident to Parliament Hill following that incident.
We also adjusted our BCM strategies, such as how to deal with international threats, as an example. If need be, I can export my website somewhere else to protect the campus. There are all kinds of strategies behind the scenes that are possible, and we can act very rapidly. There's no doubt we always maintain a very close meeting with our other officials, with CSE and others, to make sure we can inspire ourselves on everything that is possible to minimize the impact.
The bottom line for me, however, is the way we make decisions. My job is to provide access to services to all members of Parliament, to provide transparency, and to make sure I eliminate all those stresses. We reject 70%, I would say, of all e-mails sent to Parliament before they enter Parliament Hill. And beyond that, we provide members with tools to identify spam, to try to filter that, and to put rules in place. At the end of the day, I still believe I need to leave the members with the flexibility that they need to operate.
Concerning the riding offices, there's no doubt that in Ottawa it's a secure environment. It's well protected. We provide all kinds of tools to members in their ridings. However, in your ridings, you've made the decision. You've set up your environment and how you want to work. Therefore, I can only be there to help, to advise, to suggest that you use a secure tool we provide you with. I have not a lot of control when you are in your constituency, but we always remain available to help you this way.
In term of the recommendation, there's no doubt that the acceptable use policy gives you a good framework in the ways you operate. There's no doubt about it in terms of how to better use the IT resource on Parliament Hill. But the same things can apply with your staff in your riding and how you behave yourself in your riding. They're good guidelines. At the same time, as we always say, it's so essential to separate your job as a member from your personal life. Very often we try as much to keep that totally separate—how you set up your house, your families, how you decide to create other Internet access, having your own private e-mail accessibilities, outside of the environment of the House of Commons. It's also a strong recommendation. It's exactly what I do for myself.
However, security is evolving every day. It's a question of every day we need to make.... It's like peeling an onion. There's always something new to discover. The strength that we have is the ability to react. I think we have proved that several times. And there's the board has supported us and this committee on all of the investments we've made in security technology over the last ten years.
The question that you ask really goes to the heart of the work of the committee on this issue. It's certainly not an easy task, partly because, as Ms. Charlton has said, this is an unprecedented situation, in that the attacks in question come from an unknown entity. The name Anonymous is there. As I understand it, that particular title or brand is out there; the various loose grouping of people who operate under its banner encourage the use of that title for people who are protesting in various ways.
If I may be very blunt, I don't see much to be gained by trying to identify the culprit as such. I think that this exercise—and in this sense I'm very happy that this isn't an in camera meeting and that we can talk this way—is a very useful educational opportunity for everyone to realize that for all of the advantages and for all of the extraordinary.... I remember reading somewhere somebody comparing the Internet to having at your disposal the library at Alexandria.
For all that this is the case, there's also a sort of darker side to it, an ability for people who want to make mischief or who want in fact to engage in activities, as the Anonymous group do in the threats they have uttered.... That's also a possibility there.
The Sergeant-at-Arms and I were discussing this question this morning when the three of us were meeting prior to coming before you, and he was reminding me that it's a criminal offence to threaten a public official. One can assume that the Minister of Public Security has talked to the authorities with regard to whatever appropriate inquiry is to be made at a policing level.
With regard to this committee, frankly I'm not sure that seeking out a culprit as such wouldn't be a giant waste of time, because I think that the nature of these attacks, as I understand it and from the reading that I've done, is that they're extremely fluid. It is not even that you have—as you might have, for example in the Wikileaks situation, wherein you have Julian Assange saying he's the head of this and wherein he has taken ownership of a particular approach to information and so forth.... This is really a set of people whose way of protesting, I gather, is basically to cause difficulties for various institutions. It has a whole anarchic side that is very dark indeed.
At the same time, I think that what is important for this committee to recognize and to applaud is the many ways in which informed citizens are using the Internet and using social media to have conversations about political issues and to take sides and to advocate in one way or another. The engagement—and the engagement over space and time—that the Internet permits is something that is to be applauded. We shouldn't let the people who want to use this for evil, for lack of a less simplistic way of putting it, carry the day. That's one thing.
In terms of remedies, I think really awareness is the most important thing, awareness that if you're using Wi-Fi in a cafe somewhere and are on the Internet, you're more likely to be open to attacks than if you're just sort of looking at new sites and so forth.
I don't know that this answers your question fully, but that would be my take on it.
I would also like to thank the guests who are with us today.
In short, the Speaker recognized that there was, on the surface, a question of privilege. I am certainly not calling into question the decision that was made. It led to the following motion:
||That the matter of threats to, interference with, and attempted intimidation of, the honourable Member for Provencher be referred to the Standing Committee on Procedure and House Affairs.
Frankly, I have been scratching my head since March 6, since the decision. I most certainly respect it. When I spoke, I said that it was important for the RCMP to be involved immediately because there had clearly been a threat. We all recognize that it is criminal and despicable. I've been wondering what else we can do.
You may have summarized the situation well by saying that being threatened from time to time is inherent to our profession. The Prime Minister, for example, is always physically surrounded for his protection.
We also know that on occasion ministers have had to be provided with protection because of a particular bill. It's in the nature of our business, and I believe I tried to make that point when I intervened before the decision was made. It goes with the job, in a sense, and it's something that we, and particularly cabinet ministers who bring forward laws, have to be aware of and accept.
So what can we do in these circumstances? You suggested awareness that these things can happen to us, and protecting access to our Internet materials, and that kind of thing.
By the way, I was hacked yesterday on my Twitter account. I must have been tired, but I was pulled in by probably a very old trick and realized that people are out there doing this kind of thing. That is something we should be more aware of; there's no question about it.
It seems to me that you are also saying we can react to individual cases and see what we can do and what the appropriate measures are. But at the same time, to some extent this goes with the job; while we want to protect members of Parliament as much as possible, we cannot provide a magic bullet here.
If Anonymous, for some miraculous reason—and I doubt that this will be the occasion—were to be caught and disbanded, there will be others. There are the OpenMedias and the Leadnows that make you aware that they are not in agreement with what a government decides, but they do so democratically; then there are the Anonymouses. But there will be lots of them, and that's the 21st century.
So what can we do—I'm asking the same question everybody else has asked—other than educate ourselves and be very careful?
Oh, Mr. Chair, I'm not sure I can guarantee that, having worked with Mr. Comartin.
Thank you, Mr. Chair, and thank you to our witnesses for being here.
As I try to review this and get a handle on it, it seems to me there are three levels of concern. One is the parliamentary precinct.
Mr. Bard, thank you for assuring us that many of the e-mails that would arrive here don't arrive, as they would simply be problematic.
The second layer is the constituency office. As I recall, when we set up our constituency office we received a very good package of material, with good information, good instruction. In fact, I think there were some pretty clearly proscribed practices we were not allowed to engage in. I think that's healthy.
I have a concern now, after hearing you today: is that being monitored on an ongoing basis, or should I be proactive, as an individual member of Parliament, in asking for help in my constituency office to be sure that it's on an ongoing basis, and as safe as it was when we started?
My third question—I'll get them all out, and you can maybe touch on all of them—has to do with another area of concern that I think all of us around the table would share. What about our personal computers? What about our families' computers? What about our staff members' personal computers? Are there things we should be aware of in terms of preventive measures that we should be taking as individuals? And if in fact that is true, are you available for counsel for us on those issues as well?
Voices: Oh, oh!
Mr. Harold Albrecht: Now I've crossed the line.
First of all, thank you for the very useful information.
I have a question specifically for Ms. O'Brien about breaches of privilege, as was the case here.
I read in your excellent document that in a case in which—and this has happened in the past—it is recognized that there was a breach of privilege, but there's no way of identifying the source, nothing more can be done. A breach of privilege is recognized, and that's all.
In this case, it is quite clear that there was a breach of privilege, given that the minister received threats specifically related to his work. In fact, he was being asked to withdraw the bill. That being said, I think that Anonymous, as was said earlier, is something intangible. We can't even say it is an organization, because anyone can claim to be Anonymous and put that label on their actions. It is not an organized group taking concerted actions or something like that.
In this case, are we not in a situation where, because we won't be able to find the source, it will be impossible to take action?
Mr. Chair, I think Ms. Latendresse is entirely correct. I can't see how you could identify a person or persons responsible for the threats against the minister.
As you say so well, because it is not even an organized group, anyone can use the name Anonymous, which is even encouraged by the people marketing it. In my opinion, there isn't much we can do about that.
However, I am dedicated to the institution of Parliament. Based on this morning's discussion, everyone seems to believe, as I was saying earlier to Mr. Garneau, that a line was crossed by Anonymous. Threats were used, which is unacceptable.
One of the things I learned this morning is that the group apparently sponsors certain malicious websites. If you oppose a bill, you are given instructions to express your opposition. In fact, they don't really help you send an email to the minister to express your disagreement; instead, they have you send something else that, suddenly, triggers a malicious process. Some people who are opposed to a bill, who may be of good faith and who would like to voice their opposition, may unfortunately find themselves on such sites.
I will say again that there needs to be education. It would be important for a report by the committee to indicate to citizens that we want them to be engaged and to participate in the political debate, but that they mustn't be fooled by things they may not understand. You have to be careful. Signing petitions and sending emails is fine. However, it is not always that simple.
I would like to clarify the following point. Mr. Bard said that 70% of emails are not sent to parliamentarians. It is important to specify what an email campaign is; they are done in certain ridings or regions and are perfectly legitimate. I'm talking about emails that have an address: that is acceptable. However, when an address is not identifiable, we have a case that is part of the 70%. I wouldn't want people to think that many emails on a given subject will not arrive because someone decided to clean up.