Appearance details
Date: June 6, 2024
Location: TBC
Time: 11 am – 1 pm
Appearing:
- Caroline Xavier, Chief, Communications Security Establishment (CSE)
- Rajiv Gupta, Associate Head, Canadian Centre for Cyber Security (CCCS)
Details: Full text of motion below.
That, in relation to its Order of Reference of Thursday, May 9, 2024, regarding the prima facie contempt concerning the People's Republic of China’s cyber attack against members of Parliament, the committee:
- make use, for the purposes of this study:
  - the evidence received during its study on foreign election interference;
  - the evidence received during its study of the prima facie contempt concerning the intimidation campaign orchestrated by Wei Zhao against the Member for Wellington—Halton Hills and other Members; and
  - the evidence received by the Standing Committee on Access to Information, Privacy and Ethics during its study on foreign interference, provided that it shall not limit the witnesses who may appear before the committee or the questions which may be asked of them;
- deem the public evidence, including testimony and documents, publicly available on the website of the Public Inquiry into Foreign Interference in Federal Electoral Processes and Democratic Institutions and pertaining to cyberattacks to have been received by this committee and may be used in its reports, provided that it shall not limit the witnesses who may appear before the committee or the questions which may be asked of them or the documents which may be requested or ordered to be produced by the committee;
- invite the following witnesses to appear:
  - the Honourable Dominic LeBlanc, Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs;
  - the Honourable Bill Blair, Minister of National Defence and former Minister of Public Safety and Emergency Preparedness;
  - the Honourable Harjit Sajjan, former Minister of National Defence;
  - the Honourable Anita Anand, former Minister of National Defence;
  - panels of impacted Canadian members of the Inter-Parliamentary Alliance on China who wish to appear, provided that no more than three members shall appear on each panel, for one hour per panel;
  - Eric Janse, the Clerk of the House of Commons, by himself, for one hour, to discuss parliamentary privilege considerations;
  - Michel Bédard, the Law Clerk and Parliamentary Counsel of the House of Commons, by himself, for one hour, to discuss parliamentary privilege considerations and the production of documents;
  - officials of the House of Commons Administration, by themselves, for two hours, to discuss information technology and cybersecurity considerations, provided that one hour shall be in camera;
  - the Sergeant-at-Arms of the House of Commons;
  - officials of the Communications Security Establishment, by themselves, for two hours, provided that one hour shall be in camera;
  - officials of the Canadian Security Intelligence Service, by themselves, for two hours, provided that one hour shall be in camera;
  - Nathalie Drouin, Deputy Clerk of the Privy Council and National Security and Intelligence Advisor to the Prime Minister;
  - Vincent Rigby, former National Security and Intelligence Advisor to the Prime Minister;
  - David Morrison, former Acting National Security and Intelligence Advisor to the Prime Minister;
  - Jody Thomas, former National Security and Intelligence Advisor to the Prime Minister;
  - officials of the Federal Bureau of Investigation, by themselves, for two hours, provided that one hour shall be in camera;
  - officials of the Secretariat of the Inter-Parliamentary Alliance on China, by themselves, for one hour; and
  - academics, information technology and cybersecurity experts, and other witnesses requested by the committee, provided that the parties shall file their preliminary lists of witnesses within 10 days of the adoption of this motion;
- order the production of all Canadian memoranda, briefing notes, e-mails, records of conversations, and any other relevant documents, including any drafts, which are in the possession of any government department or agency between January 2021 and December 2022, including the Security and Intelligence Threats to Elections Task Force, the Critical Election Incident Protocol Panel, relevant minister’s office, or the House of Commons Administration, containing information concerning cyberattacks and efforts to conduct cyberattacks against Members of the House of Commons by Advanced Persistent Threat 31 (APT 31) and related entities, provided that:
  - the departments and agencies tasked with gathering these documents apply redactions according to the Access to Information and Privacy Act;
  - these redacted documents be deposited as soon as possible, but not later than Friday, August 9, 2024, with the clerk of the committee to be distributed to all members of the committee in both official languages;
- report its findings to the House not later than Friday, December 13, 2024 and that pursuant to Standing Order 109, the government table a comprehensive response to the report.
Key highlights and prep material
Opening Remarks
Standing Committee on Procedure and House Affairs (PROC) Question of Privilege Related to Cyber Attacks Targeting Members of Parliament
Caroline Xavier
Chief, Communications Security Establishment (CSE)
Introduction
Good afternoon, Chair, and members. Thank you for the invitation to appear today.
My name is Caroline Xavier, and I am the Chief of the Communications Security Establishment, known as CSE.
I am joined by Rajiv Gupta, Associate Head of CSE's Canadian Centre for Cyber Security, known as the Cyber Centre.
I’d like to begin by providing the Committee with a brief overview of the evolving cyber threat landscape. Following this, I will speak to the mitigated cyber threat activity which targeted Canadian parliamentarians and how CSE has been working and continues to work to support parliamentarians and protect our democratic institutions more broadly.
Cyber Threat Landscape
Increasingly, Canada’s adversaries are using cyber threats to conduct espionage, further their foreign policy objectives, and influence Canadian public opinion.
Although we believe that cybercrime remains the most likely cyber threat to impact Canadians and Canadian organizations, the cyber threat coming from China—as well as from Russia, Iran and other countries—is the most strategically significant.
Allow me to be more specific. The cyber threat emanating from the PRC is significant in volume and sophistication. PRC-sponsored cyber threat actors will almost certainly continue targeting industries and technologies in Canada to give the PRC advantage for their strategic priorities whether political, economic, security or defence.
In parallel, Russia’s invasion of Ukraine in February 2022 gave the world a new understanding of how cyber activity is used to support wartime operations and has demonstrated how nation states are increasingly willing, and able, to use misinformation and disinformation to advance their geopolitical interests.
Since 2021, CSE has also observed that state-sponsored cyber threat actors with links to Russia and the PRC continue to conduct most of the attributed cyber threat activity targeting foreign elections.
In the fourth iteration of our Threats to Democratic Processes publication, released in December 2023, we outlined examples of cyber activity against the democratic process that we have observed globally since 2021, including:
- distributed denial of service (DDoS) attacks against election authority websites and electronic voting systems;
- unauthorized access to voter databases to collect private information; and,
- spear phishing attacks against elections officials and politicians, among others.
Given this observed activity, in the last few years, CSE’s Cyber Centre has publicly released over 8 alerts, 4 cyber threat bulletins, and 7 joint cyber security advisories with allies all related to Chinese or Russian state-sponsored cyber activity.
Canada’s high degree of global connectivity and technological integration with our allies increases our threat exposure. Furthermore, Canada does not exist in a vacuum and, therefore, cyber activity affecting our allies’ democratic processes will also likely have an impact on Canada.
Cyber Attack Targeting Members of Parliament
In relation to the committee’s study, I’d now like to provide a brief overview of CSE’s role and relationship with the House of Commons IT team.
CSE takes its mandate and its legal obligations very seriously. Under the cyber security and information assurance aspect of our mandate, CSE acquires, uses, and analyzes information from the global information infrastructure, or from other sources, to provide advice, intelligence, guidance, and services to help protect electronic information and information infrastructures.
Accordingly, pursuant to the CSE Act, CSE and its Cyber Centre share intelligence and information with service providers and government clients, including appropriate authorities in Parliament.
In June 2022, CSE received a report from the Federal Bureau of Investigation (FBI) detailing emails targeting individuals around the world, including individuals who have been outspoken on topics relating to the activities of the Chinese Communist Party. The report included technical details and the names of 19 parliamentarians who were targeted by this activity.
However, from January to April 2021 – more than a year earlier – the Cyber Centre had already shared reports with House of Commons IT security officials specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.
Upon receipt of this information, CSE shared specific and actionable technical information about the activity with House of Commons IT security officials and the Canadian Security Intelligence Service (CSIS). Because of this information, CSE and the House of Commons worked together to thwart the attempted compromise by this sophisticated actor.
We respect the fact that the House of Commons and the Senate are independent and that their representatives are responsible for deciding when and how to communicate directly with members of Parliament and senators.
Last week, the committee’s clerk received a complete timeline of events describing the measures that the Cyber Centre took to inform and assist parliamentary officials in their efforts to detect and mitigate cyber threats.
It is important to note that CSE’s engagement with House of Commons IT security stakeholders occurred well before the aforementioned FBI report.
As the central technical resource for cyber security advice, we provide near real-time notifications, including to the House of Commons and Senate IT teams, and have helped Parliamentary IT security officials take quick and appropriate measures within their systems to protect their network and users against this, and other threats.
When a cyber threat has been identified, the Cyber Centre sends out different types of notifications, including:
- Cyber Flashes, which are urgent notifications delivered via email;
- daily updates about malware and vulnerabilities on a partner’s IP space via the National Cyber Threat Notification Service (NCTNS); and
- monthly summaries of NCTNS data showing how a subscriber’s cyber hygiene ranks against anonymized peers in their sector.
When requested, we provide cyber defensive services and maintain an open line of communication to mitigate potential threats. To detect malicious cyber activity on government networks, systems, and cloud infrastructure, the Cyber Centre uses autonomous sensors – including network-based sensors, cloud-based sensors, and host-based sensors. These defences protect systems of importance from an average of 6.6 billion attempted malicious actions a day.
CSE continues to monitor Government of Canada networks and systems of importance for cyber threats, and we are working in close coordination with government partners, including relevant security agencies. We deliver foreign intelligence, informed cyber defence.
Supporting Parliamentarians and Protecting Democratic Institutions
I want to highlight to members the support that is available to them. To support parliamentarians, the Cyber Centre offers support services and holds regular information sessions for political parties on cyber threats. The Cyber Centre has also provided a dedicated point of contact for accessing cybersecurity support.
Since 2017, CSE has published four unclassified reports on Cyber Threats to Canada’s Democratic Process and our 2023-2024 National Cyber Threat Assessment (NCTA) highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.
Since 2014, interdepartmentally, CSE’s Cyber Centre works closely with Elections Canada to ensure our election systems and infrastructure remain secure. CSE also continues to work as part of the Security and Intelligence Threats to Elections Task Force (SITE).
Cyber incidents such as ransomware, DDoS attacks, and supply chain compromises are becoming more frequent across all industry sectors, and these incidents are negatively impacting our prosperity, privacy, and security.
That’s why Bill C-26: An Act Respecting Cyber Security – currently in the committee stage – is so important because it would give the government new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada’s critical infrastructure from cyber threats.
Four sectors are subject to the mandatory cyber incident reporting in Bill C-26: Finance, Energy, Telecommunications, and Transportation. These were prioritized due to their importance to both Canadians and to other sectors. They are critical enablers.
Bill C-26 will improve our ability to protect ourselves both from the threats we observe today, as well as the threats we will face tomorrow. Increased focus on the security of supply chains and interconnected systems is critical as threat actors leverage methods that are increasingly difficult to detect, such as “living off the land” where a threat actor takes advantage of existing tools to move through systems and evade detection.
The federal government intends to launch its updated National Cyber Security Strategy, which will communicate Canada's long-term approach to addressing evolving threats in cyberspace.
Central to the new Strategy will be a shift in focus toward a whole-of-society approach to Canada's national cyber resilience, where public and private entities, and all levels of government work in closer partnership to defend against cyber threats, including threats to our institutions.
The Government also recently announced its Defence Policy Update (DPU), Our North Strong and Free which proposes significant new investments in CSE, through Budget 2024, to support foreign cyber operations and enhanced foreign intelligence capabilities.
Finally, an important aspect of Canada’s whole-of-society approach to our collective security includes practicing good cyber hygiene including safe social media practices, especially for those in public roles.
The Cyber Centre has released guidance on ways to protect yourself online. It also has cyber security resources for elections authorities, political campaigns, and Canadian voters. I encourage those who are looking for easy-to-follow tips on cyber security to visit our website, “Get Cyber Safe.ca”.
I would also encourage organizations that have been impacted by cyber threats to contact the Cyber Centre so that it can help share threat-related information with partners to help keep Canada and Canadians safe online.
Further, to make cyber incident reporting easier for Canadians, CSE is also working with its federal partners to establish a Single Window solution for reporting cyber incidents with the ultimate goal to ensure Canadians can always find the help they need. This was a key recommendation this week from the Auditor General.
Conclusion
To conclude, CSE and the Cyber Centre remain active in our collaboration with all partners, including the House of Commons, to improve Canada’s cyber resilience and protect our democratic institutions. We will continue to monitor for any developing cyber threats and share threat information with our partners and stakeholders as always.
Once again, thank you for inviting me to appear before you today. We are pleased to be able to contribute to this important discussion and to provide an overview of how CSE and the Cyber Centre work every day to protect Canadians and their democratic institutions.
Thank you.
Cyber Threats to Canada’s Democratic Process – 2023 Update
1. What supports do CSE and the Cyber Centre provide to Parliamentarians?
- To support Parliamentarians, the Cyber Centre provides direct support in the event of a cyber incident. The Cyber Centre has also provided cyber threat briefings to political parties and has provided them with a dedicated point of contact at the Cyber Centre for help with cyber security matters.
- Since 2017, CSE has also published four unclassified reports on Cyber Threats to Canada’s Democratic Process and our 2023-2024 National Cyber Threat Assessment (NCTA) highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.
- Though it may not always be public, CSE and the Cyber Centre remain active in our collaboration with all partners, including the House of Commons, to improve Canada’s cyber resilience and protect our democratic institutions.
- We will continue to monitor for any developing cyber threats and share threat information with our partners and stakeholders as always.
2. What can Members of Parliament and of the Senate do to protect themselves online?
- An important aspect of Canada’s whole-of-society approach to our collective security includes practicing good cyber hygiene, including safe social media practices, especially for those in public roles.
- CSE recommends a number of best practices which can be implemented by all Canadians, including MPs and Senators, to protect themselves online:
  - Create strong passwords and use two-step verification;
  - Utilize Virtual Private Networks (VPNs);
  - Review the privacy settings on your social media applications. Look for security features the application includes, such as encryption and two-step verification;
  - Have a secure data storage and backup, such as data encryption. Back up your data and know how to recover it (e.g. ransomware); and,
  - Apply updates to your devices, operating systems, and applications as they become available.
- More broadly, the Cyber Centre has released guidance on ways to protect yourself online. It also has cyber security resources for elections authorities, political campaigns, and Canadian voters. I encourage those who are looking for easy-to-follow tips on cyber security to visit our website, “Get Cyber Safe.ca”.
3. When did CSE first learn of this cyber attack against Canadian parliamentarians?
- In June 2022, CSE received a report from the Federal Bureau of Investigation (FBI) detailing emails targeting individuals around the world, including individuals who have been outspoken on topics relating to the activities of the Chinese Communist Party. The report included technical details and the names of 19 parliamentarians who were targeted by this activity.
- However, from January to April 2021 – more than a year earlier – the Cyber Centre had already shared reports with House of Commons IT security officials specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.
- Upon receipt of this information, CSE shared specific and actionable technical information about the activity with House of Commons IT security officials and the Canadian Security Intelligence Service (CSIS). Because of this information, CSE and the House of Commons worked together to thwart the attempted compromise by this sophisticated actor.
- Our full chronology of events, outlining actions taken by the Cyber Centre to notify and aid Parliamentary officials in their detection and mitigation efforts, was submitted to the Clerk of the Committee in advance of today’s meeting.
4. If CSE knew about the attacks since 2022, why did they not advocate for MPs to be informed?
- In June 2022, CSE received a report from the Federal Bureau of Investigation (FBI) detailing emails targeting individuals around the world, including individuals who have been outspoken on topics relating to the activities of the Chinese Communist Party. The report included technical details and the names of 19 parliamentarians who were targeted by this activity.
- However, from January to April 2021 – more than a year earlier – the Cyber Centre had already shared reports with House of Commons IT security officials specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.
- Upon receipt of this information, CSE shared specific and actionable technical information about the activity with House of Commons IT security officials and the Canadian Security Intelligence Service (CSIS). Because of this information, CSE and the House of Commons worked together to thwart the attempted compromise by this sophisticated actor.
- We respect that the House of Commons and Senate are independent, and its officials are responsible for determining when and how to directly engage with Members of Parliament and Senators.
Protecting Democratic Institutions
5. How did CSE protect the integrity of the 2019 and 2021 general elections?
- Since 2014, interdepartmentally, CSE’s Cyber Centre has worked closely with Elections Canada to ensure our election systems and infrastructure remain secure. CSE has also worked closely with interdepartmental partners as part of the Security and Intelligence Threats to Elections Task Force (SITE).
- Prior to the 2019 and 2021 federal elections, the Minister of National Defence authorized CSE to conduct defensive cyber operations (DCO) to protect Canada’s election infrastructure from malicious cyber activity if needed.
- More broadly, CSE helps to protect Canada’s democratic process by:
  - providing foreign signals intelligence to Government of Canada decision makers about the intentions, capabilities, and activities of foreign-based threat actors;
  - defending Canada’s federal elections infrastructure from malicious cyber activity;
  - proactively helping democratic institutions improve their cyber security;
  - sharing unclassified threat assessments with the public; and,
  - sharing information to help Canadians identify disinformation.
6. Are you aware of foreign cyber threat activities targeting Canadian democratic institutions or processes?
- Since 2017, CSE has published four unclassified reports on Cyber Threats to Canada’s Democratic Process and our 2023-2024 National Cyber Threat Assessment (NCTA) highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.
- In CSE’s most recent report on Cyber Threats to Canada’s Democratic Process, we assessed that state-sponsored actors with ties to Russia and China are responsible for most of the cyber threat activity against democratic processes worldwide.
- These reports are intended to raise awareness and draw further attention to known state-sponsored cyber threat activity, including the tactics, techniques and procedures used to target Canada’s democratic processes.
7. Are Chinese or Russian state-sponsored actors attempting to disrupt Canadian democratic institutions or processes?
- CSE has assessed that both China and Russia are responsible for the majority of cyber threat activity against democratic processes worldwide.
- Since 2015, over 90 percent of the cyber threat activity against democratic processes we’ve observed has been perpetrated by Russia and China targeting states and regions of strategic significance to them.
- State-sponsored actors have taken advantage of domestic groups and movements in target countries, using the messages and reach of these domestic groups to influence voters in a way that would be favourable to the state-sponsored actor.
- Adopting cybersecurity best practices goes a long way to offsetting risks of exploitation by cyber threat actors.
8. The National Cyber Threat Assessment points to the state-sponsored activities of China and Russia, as well as a few other countries. What is CSE doing to protect Government of Canada networks from these threats?
- CSE has the mandate and authorities to defend the Government of Canada’s networks, as well as systems of importance, from cyber threats.
- This includes CSE’s authorities to conduct foreign cyber operations (active and defensive) to protect Canada’s democratic process and institutions from any foreign threats.
- Moreover, CSE is a central resource for Government of Canada departments in support of their roles within their sectors. We are the primary centralized voice and resource for senior leadership in the Government on cyber security operational matters, including incident management, situational awareness, and technical advice and guidance.
- While Canada’s democratic institutions and processes are strong and resilient, CSE will continue to actively work to ensure their continued protection.
9. CSE received funding in Budget 2022 for Protecting Democracy – how are you utilizing this funding?
- The Government of Canada is investing resources to acquire greater insights on strategic priorities related to hostile threat actors. Hostile threat actors affect global events contrary to Canada's interests, making them priority enduring intelligence targets for Canada.
- The critical foreign intelligence acquired by CSE, in accordance with the Government of Canada’s priorities, enables the Government to promote Canada’s economic prosperity, protect Canada’s digital infrastructure from malicious cyber activity, and defend Canada’s national security from threats such as foreign espionage.
10. Could you tell us a bit more about the work that CSE has undertaken to protect Canada’s democratic institutions and processes?
- The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.
- Our security and intelligence agencies coordinated integrated government efforts by raising awareness, monitoring, and reporting on threats, and providing advice to protect our democracy.
- Security and Intelligence Threats to Elections Task Force (SITE) partners will continue to work within their respective mandates to detect and counter possible foreign threats to Canada and its democratic institutions.
- While Canada’s democratic institutions and processes are strong and resilient, CSE will continue to actively work to ensure their continued protection.
11. What lessons have been learned about state-sponsored cyber threat actors' cyber tactics, such as election interference, and how to counter them?
- Some trends noted in CSE’s most recent Cyber Threats to Canada’s Democratic Process Report include:
  - The vast majority of cyber threat activity affecting democratic processes can be attributed to state-sponsored cyber threat actors, namely Russia, China, and Iran;
  - Cyber threat actors most often target some combination of voters, political parties, and election infrastructure;
  - This kind of activity included online foreign influence activity as well as more traditional cyber threat activities, like information theft or denying access to important websites; and
  - The world response to COVID-19, such as incorporating new technology into the voting process, almost certainly increased the cyber threat surface of democratic processes.
- In the lead up to and during the 2019 and 2021 Federal Elections, CSE, the Canadian Security Intelligence Service, Global Affairs Canada, and the Royal Canadian Mounted Police worked together closely as part of the Security and Intelligence Threats to Elections Task Force (SITE).
- The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.
- State-sponsored threat actors, such as China and Russia, have sophisticated cyber capabilities and have demonstrated a willingness to use them.
12. You mentioned that China is Canada’s greatest strategic cyber threat. Does CSE have the resources and capabilities necessary to counter emerging threats?
- Over the years, CSE has experienced continued and sustained growth that has enabled us to adapt and address the growing cybersecurity landscape.
- Recruiting skilled employees in the high-tech field remains challenging and highly competitive. At CSE, the same is true due to the specific technical competencies required for many positions within the organization.
- The investments earmarked through the Defence Policy Update, Our North Strong and Free: A Renewed Vision for Canada’s Defence, as well as through the National Cyber Security Strategy will strengthen CSE’s ability to fulfill its mandate and protect critical infrastructure and Canadians from cyber threats.
- However, as we have previously said, the cyberthreat landscape is constantly changing and evolving. While we have welcomed much-needed investments, to effectively adapt in such an ever-changing environment requires a robust and capable workforce and resources.
- It will be imperative that CSE receive the proper resourcing to be able to enhance its response to emerging technologies such as artificial intelligence; strengthen resilience through new tools and guidance to counter disinformation and expand awareness campaigns, including in non-official languages; as well as to be able to provide enhanced briefings to parliamentarians and political parties.
13. What were the main takeaways of the report?
- Foreign adversaries are increasingly using cyber tools to target democratic processes around the world. Disinformation has become ubiquitous in national elections, and adversaries are now using generative artificial intelligence (AI) to create and spread fake content.
- CSE observes that state-sponsored cyber threat actors with links to Russia and China continue to conduct most of the attributed cyber threat activity targeting foreign elections since 2021.
- The report outlines four main global trends, specifically:
  - Increase in targeting of democratic processes;
  - Russia and China continue to conduct most of the attributed cyber threat activity targeting foreign elections;
  - The majority of cyber threat activity targeting elections is unattributed; and
  - Generative AI is increasingly being used to influence elections.
Cyber Threats to Canada’s Democratic Process – 2023 Update
14. Have state-sponsored cyberthreat trends changed since the July 2021 update?
- State-sponsored cyber threat activity against Canada is a constant, ongoing threat that is often a subset of larger, global campaigns undertaken by adversaries. During periods of heightened bilateral tensions, cyber threat actors can be called upon to conduct cyber activity or influence operations targeting events of national importance, including elections.
- CSE assesses that increased tensions or antagonism between Canada and a hostile state is very likely to result in cyber threat actors aligned with that state targeting Canada’s democratic processes or disrupting Canada’s online information ecosystem ahead of a national election.
15. Which foreign state actors continue to conduct most of the attributed cyber threat activity targeting elections?
- Since 2021, CSE has observed that state-sponsored cyber threat actors with links to Russia and the PRC continue to conduct most of the attributed cyber threat activity targeting foreign elections.
- As outlined in our fourth iteration of our Threats to Democratic Processes publication, examples of cyber activity against the democratic process that we have observed globally since 2021 include:
- distributed denial of service (DDoS) attacks against election authority websites and electronic voting systems;
- unauthorized access to voter databases to collect private information; and,
- spearphishing attacks against elections officials and politicians, among others.
- Given this observed activity, in the last few years, CSE’s Cyber Centre has publicly released over 8 alerts, 4 cyber threat bulletins, and 7 joint cyber security advisories with allies all related to Chinese or Russian state-sponsored cyber activity.
- It is very likely that Russia and China will continue to be responsible for most of the attributed cyber threat activity targeting foreign elections in the next two years and will focus on targeting countries of strategic significance to them.
16. Given the rapid advancements in artificial intelligence, how will these tools be used to interfere with elections and, in general, disrupt social discourse?
- CSE observed that cyber threat actors are already using this technology to pursue strategic political objectives abroad.
- Foreign adversaries and hacktivists are likely to weaponize generative AI within the next two years to create deepfake videos and images depicting politicians and government officials and to further amplify and automate inauthentic social botnets using text and image generators.
PIFI and Foreign Interference
17. What role does CSE play as it relates to combatting and safeguarding against foreign interference?
- If CSE were to become aware of a cyber threat, including those directed at a provincial electoral process, we would take appropriate action to address the threat.
- More broadly, since 2017, CSE has published four unclassified reports on Cyber Threats to Canada’s Democratic Process and our 2023-2024 National Cyber Threat Assessment (NCTA) highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.
- Since 2014, interdepartmentally, CSE’s Cyber Centre works closely with Elections Canada to ensure our election systems and infrastructure remain secure. CSE also continues to work as part of the Security and Intelligence Threats to Elections Task Force (SITE).
- CSE’s role on the task force includes providing intelligence and cyber assessment on the intentions, activities, and capabilities of foreign threat actors; protecting government systems and networks related to elections through cyber defence measures; and providing cyber security advice and guidance to those involved in democratic processes.
18. What has CSE done to support the Public Inquiry into Foreign Interference (PIFI)?
- CSE fully supports the Public Inquiry on Foreign Interference, and we thank the commission for the important work they are doing.
- We welcome the commission’s interim findings, and we will be reviewing every recommendation that applies to CSE, our work, and our mandate.
- CSE is dedicated to protecting Canada, Canadians and our democratic institutions, and welcomes the commission’s insight on how we can improve our processes.
PRC Cyber Threat Bulletin
19. What is the scope of the cyber threat posed by the People’s Republic of China (PRC)?
- The cyber threat emanating from the PRC is significant in volume and sophistication. PRC-sponsored cyber threat actors will almost certainly continue targeting industries and technologies in Canada to give the PRC advantage for their strategic priorities whether political, economic, security or defence.
- We are aware of – and have mitigated – at least 20 different instances where Government networks were affected by malicious PRC cyber activity over the last four years.
- The Government of Canada is not the only target – all levels of Government, academia, organizations that have close working relationships with the Government, the science and technology sector, and even individuals the PRC deems a threat are at a higher risk of being targeted.
20. How is CSE working to ensure Canadians are informed of the cyber threat posed by the PRC?
- Just this week, the Canadian Centre for Cyber Security (Cyber Centre), a part of CSE, released a cyber bulletin warning Canadians and Canadian organizations about the cyber threat posed by the PRC.
- This is not the first time we have warned Canadians against the threat posed by the PRC:
- In our National Cyber Threat Assessment 2023-2024, we have named China as one of the greatest strategic cyber threats to Canada.
- In our most recent assessment of Cyber Threats to Canada’s Democratic Process we reported that Russia and China continue to conduct most of the attributed cyber threat activity targeting foreign elections.
- We also joined our Five Eyes partners in May last year to issue a joint advisory about Chinese state-sponsored cyber threats targeting critical infrastructure in the United States, and issued guidance on how to protect against them.
- We strongly urge all Canadians and Canadian organizations to read our Cyber Bulletin, familiarize themselves with this threat, and how to protect themselves and their organizations from it.
- I would also encourage organizations that have been impacted by cyber threats to contact the Cyber Centre toll free at 1-833-CYBER-88 (1-833-292-3788) or by email at contact@cyber.gc.ca so that it can help share threat-related information with partners to help keep Canada and Canadians safe online.
2024 Reports 5 to 7 of the Auditor General of Canada to the Parliament of Canada
21. How does CSE protect Canadians from cyberattacks and address the growing volume and sophistication of cybercrime?
- CSE welcomes the release of the OAG’s performance audit report on combatting cybercrime and agrees with its recommendation on cybercrime reporting.
- Cybercrime continues to be the cyber threat activity that is most likely to affect Canadians and Canadian organizations.
- While CSE does not have the authority to investigate cybercrime, CSE works very closely with its federal partners to ensure that all reported incidents of cybercrime are actioned quickly, and by the right agency.
- CSE recognizes that when a cyber incident is initially reported, it may not be immediately apparent that the incident is related to cybercrime. However, CSE works within its mandate and in coordination with other federal partners, including law enforcement, to counter cybercrime in Canada.
- Between 2021 and 2023, almost half of the 10,850 reports we received were out of our mandate because they related to individual Canadians and not to organizations.
- Under existing policy, we require explicit permission from victims in order to share their information with another government department or agency. This has limited our ability to proactively share reports with our partners, such as the RCMP. To remedy this, work has already begun to create a “single window” for reporting cyber incidents that will help ensure Canadians can always find the help they need.
- CSE’s Canadian Centre for Cyber Security was stood up in 2018 as the single, unified source of expert advice, guidance and services to support on cyber security in Canada.
- Since then, the Cyber Centre has continuously worked to improve its support to Canadians and Canadian businesses that report cyber incidents and cybercrime through its online Cyber Portal. This reporting portal includes tools to help Canadians in identifying the right organization to assist.
NSIRA Special Report on Foreign Interference
22. How does CSE work with NSIRA and other government counterparts to mitigate the threat of foreign interference?
- CSE values independent and external review of its activities and is committed to a positive and ongoing relationship with the National Security and Intelligence Review Agency (NSIRA).
- CSE agrees with the consensus view of Canada’s security and intelligence community that political foreign interference is a significant threat to Canada, and that the People’s Republic of China is a major perpetrator of this threat at all levels of government.
- CSE welcomes any opportunity to raise awareness about the threat of foreign interference, and political foreign interference as a sub-set of that threat.
- One of the best ways that we can counter the threat of foreign interference is by raising awareness and drawing attention to it. The more that Canadians understand about this issue, the better prepared we will be to defend against the threat.
- CSE supports the work of NSIRA, NSICOP, and the Hogue Commission to review the effects of this threat on our democratic institutions and values their insight. CSE also welcomes opportunities to ensure that the security and intelligence community is effectively and robustly supporting policy makers and elected officials to respond to this threat.
23. How did CSE support NSIRA in the conduct of its new Special Report on Foreign Interference in Canada's Democratic Processes and Institutions?
- In support of this NSIRA review, CSE responded to 5 requests for information, that contained a total of 28 questions, 1 briefing request, 1 interview request, and the production of a large volume of CSE’s classified records.
- For the purposes of this review, NSIRA had direct access to CSE’s foreign intelligence reporting database and official information repository.
24. How is CSE responding to the findings and recommendations in NSIRA’s report?
- CSE agrees with the consensus view of Canada’s security and intelligence community that political foreign interference is a significant threat to Canada, and that the People’s Republic of China is a major perpetrator of this threat at all levels of government.
- While CSE was not the focus of NSIRA’s 10 findings and 8 recommendations, CSE is supporting partners in the security and intelligence community in the development of a government response to NSIRA’s report.
NSICOP Special Report on Foreign Interference
25. How does CSE work with NSICOP and other government counterparts to mitigate the threat of foreign interference?
- CSE values the independent and external review of its activities and is committed to a positive and ongoing relationship with the National Security and Intelligence Committee of Parliamentarians (NSICOP).
- CSE will continue to work closely with its government counterparts and international partners to stop the threat of foreign interference. In that work, CSE will ensure its activities are complementary with mandates of other members of Canada’s Security and Intelligence Community, and when appropriate – in close consultation.
- CSE welcomes any opportunity to raise awareness about the threat of foreign interference. One of the best ways that we can counter the threat of foreign interference is by raising awareness and drawing attention to it. The more that Canadians understand about this issue, the better prepared we will be to defend against the threat.
- CSE supports the work of NSIRA, NSICOP, and the Hogue Commission to review the effects of this threat on our democratic institutions and values their insight.
- CSE also welcomes opportunities to ensure that the security and intelligence community is effectively and robustly supporting policy makers and elected officials to respond to this threat.
26. How did CSE support NSICOP in the conduct of its new Special Report on Foreign Interference in Canada's Democratic Processes and Institutions?
- In support of this NSICOP review, CSE responded to two requests for information that contained a total of 16 questions, provided 1 briefing to the Committee as well as 2 informational briefings to the NSICOP Secretariat. In addition, CSE supported NSICOP in the dissemination of the classified version of its report to the security and intelligence community for factual accuracy and redaction consultations.
- For the purposes of this review, NSICOP had access to CSE’s foreign intelligence reporting database and official information repository.
27. How is CSE responding to the findings and recommendations in NSICOP’s report?
- CSE agrees with NSICOP’s assessment that foreign states conduct sophisticated and pervasive foreign interference specifically targeting Canada’s democratic processes and institutions, and that these activities continue to pose a significant threat to national security, and to the overall integrity of Canada’s democracy.
- While CSE was not the focus of the NSICOP’s 8 findings and 6 recommendations, CSE is supporting partners in the security and intelligence community in the development of a government response to NSICOP’s report.
Guidance for Older Canadians
28. What should older Canadians be on the lookout for? How do you identify a potential cyber threat?
- Canadians are sharing more personal information online than ever before, which means there’s a lot more for cyber criminals to steal. Never click on a suspicious message or share personal information with someone that you do not know. Be cautious about the information that is shared online.
- Phishing is one of the most common tactics that cyber criminals use to steal information. Phishing messages are often sent as emails, text messages (known as smishing) or phone calls. In some cases, a cyber criminal may already know something about you to make the message or phone call sound more legitimate.
- Malware is a common method that cyber criminals use to infect your devices and steal information and can be hidden in attachments, downloads and links either found on the web or in messages. You may even find malware in phishing messages.
- To protect yourself, delete messages that look suspicious and follow up with the organization sending the message to confirm authenticity of the message.
29. What should Canadians be doing to protect themselves online?
- One of the easiest ways to protect yourself online is to install and use anti-virus software. Anti-virus software scans your device’s files and software to detect and remove malware. Ultimately, be cautious about what is downloaded.
- Use a passphrase - a series of at least four words and 15 characters in length - when determining a password. Use a different password for every account and do not share your passwords with anyone.
- Enable multi-factor authentication (MFA). This involves two or more different ways of verifying that you are who you say you are to add an extra layer of protection for your accounts and devices. Some different types of authentication factors include:
- Proof of who you are, like fingerprint scanners or facial recognition;
- Proof of what you know, like a security question or password; and,
- Proof of what you own, like an app or text notification on your phone.
- If you receive a suspicious email, phone call or text (even if it seems like it’s from a familiar company or a friend) here’s what to do:
- Don’t open any links or attachments you’re unsure of. Reach out to the sender in a different way, like by phone, to confirm.
- Consider your internet history. Unless you requested it, any message asking you to reset your password or update your account info is likely fake.
- Delete any messages that seem too good to be true, like winning a contest you didn’t enter.
- Combating cyber threats requires a whole-of-society approach and this includes ensuring all Canadians are well informed about potential threats and how to avoid being targeted. The Cyber Centre routinely releases updated guidance on how to safely operate online and what to look out for.
- We always encourage Canadians to familiarize themselves with the guidance documents published online at getcybersafe.gc.ca.
Issue notes
Cyber attack against Parliamentarians
- The Government of Canada takes its responsibility to safeguard Canada’s democratic institutions very seriously.
- Pursuant to the CSE Act, the Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) share intelligence and information with government clients, including appropriate authorities in Parliament.
- The House of Commons and Senate are independent, and their officials are responsible for determining when and how to directly engage with MPs and Senators in situations like this.
- CSE continues to monitor GC networks and systems of importance for cyber threats. We are working in close coordination with government partners, including relevant security agencies.
Cyber security incident timeline:
- In this specific case, CSE and other security agencies received the report from the FBI in June 2022.
- CSE immediately shared the information, including the names of the targeted parliamentarians, with the House of Commons IT officials.
- This was specific, actionable technical information on this threat, shared with House of Commons IT officials.
- This is the normal process with other Government of Canada partners when threats are detected.
- CSE’s engagement with the House of Commons started well before receiving the FBI report in question, as we had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats.
- It’s important to add that, though it may not always be public, CSE has and will continue to take a range of measures to protect MPs and Senators, including remaining in regular contact with the House of Commons and Senate IT officials.
Background
How CSE protects the democratic process:
- CSE helps to protect Canada’s democratic process by:
- providing foreign signals intelligence to Government of Canada decision makers about the intentions, capabilities, and activities of foreign-based threat actors
- defending Canada’s federal elections infrastructure from malicious cyber activity
- proactively helping democratic institutions improve their cyber security
- sharing unclassified threat assessments with the public
- sharing information to help Canadians identify disinformation
- To support Parliamentarians, the Cyber Centre, part of CSE, provides a 24/7 hotline service offering direct support in the event of a cyber incident. The Cyber Centre has provided cyber threat briefings to political parties as well as a dedicated point of contact at the Cyber Centre for assistance with cyber security matters.
- In the run-up to both the 2019 and 2021 federal elections, the Minister of National Defence authorized CSE to conduct defensive cyber operations (DCO) to protect Canada’s election infrastructure from malicious cyber activity if needed. In the event, no activities took place that would have required a DCO response.
- CSE’s Canadian Centre for Cyber Security works closely with Elections Canada, elections authorities and political parties on cyber security preparedness. This includes offering briefings, training resources, consultations, tailored advice and cyber security services.
- The Cyber Centre has an ongoing relationship with Elections Canada, which includes:
- monitoring services to detect cyber threats
- working with them to secure their computer networks
- incident response assistance, if necessary
- Provincial and territorial elections authorities can take advantage of services the Cyber Centre provides to critical infrastructure partners, such as:
- cyber alerts (including mitigation steps)
- malware analysis
- cyber incident advice and support
- In the event a federal election is called, the Cyber Centre is ready to stand up a dedicated hotline for federal political parties offering 24/7 cyber security technical support. (Outside of election periods, the Cyber Centre has a dedicated point of contact political parties can reach out to on cyber security matters.) Elections Canada will be able to rely on existing channels of communication with the Cyber Centre’s democratic institutions team.
State-sponsored Actors Targeting Parliamentarians (APT31)
- 18 Canadian members of the Inter-Parliamentary Alliance on China (IPAC) were notified by the Executive Director in April 2024 they were targeted by a Chinese state-sponsored cyber actor. This information was based on an FBI report that assessed IPAC members were targeted by Advanced Persistent Threat actor (APT) 31.
- The FBI report was received by Canada’s security agencies, and the information that included the names of the targeted parliamentarians was shared in 2022.
- CSE shared specific, actionable technical information on this threat with House of Commons (HoC) officials, as would be our normal process with other Government of Canada partners when threats are detected.
- This engagement with the HoC started well before receiving the FBI report in question, as we had been tracking and helping them to take quick and appropriate measures within their systems to protect their network and users against this, and other threats. Questions related to how MPs are engaged on situations like this would be best addressed by HoC officials.
Foreign interference and the democratic process
- The Government of Canada takes seriously its responsibility to protect Canadians from foreign interference, regardless of the source.
- CSE’s 2023-24 National Cyber Threat Assessment (NCTA) highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.
- In the lead up to and during the 2021 Federal Election, the Communications Security Establishment (CSE), the Canadian Security Intelligence Service (CSIS), Global Affairs Canada (GAC), and the Royal Canadian Mounted Police (RCMP) worked together closely as part of the Security and Intelligence Threats to Elections Task Force (SITE).
- Our security and intelligence agencies coordinated integrated government efforts by raising awareness, monitoring, and reporting on threats, and providing advice to protect our democracy.
- CSE’s Canadian Centre for Cyber Security (Cyber Centre) also worked with Elections Canada to help secure election systems and infrastructure.
- SITE Task Force partners continue to work within their respective mandates to detect and counter possible foreign threats to Canada and its democratic institutions.
- Canada’s democratic institutions and processes are strong and resilient and CSE continues to support their continued protection.
Background
Legislation
- On May 6, 2024, Dominic LeBlanc, Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs, tabled Bill C-70 An Act respecting countering foreign interference.
Reviews of foreign interference
- In March 2023, the Prime Minister announced measures to strengthen trust in Canada’s democracy.
- This included requesting NSICOP and NSIRA to review the impact of foreign interference in the 2019 and 2021 federal elections, and how Canada’s national security agencies handled the threat. NSIRA and NSICOP launched their reviews in March, with CSE receiving the first requests for information in April.
- The Prime Minister appointed an Independent Special Rapporteur (ISR) on Foreign Interference who published the first report and interim recommendations on May 23, 2023.
- The report:
- Reaffirmed that the 2019 and 2021 federal elections were free and fair.
- Acknowledges that foreign interference is a serious threat and makes recommendations to detect, deter, and counter it.
- Found that there are shortcomings in the way intelligence is communicated and processed from security agencies through to government.
- Concluded that a further public process is required to address issues relating to foreign interference, but there should not and need not be a separate Public Inquiry.
- In September 2023, the Government of Canada launched a Public Inquiry into Foreign Interference in Federal Electoral Processes and Democratic Institutions. The Public Inquiry began its public hearings in January 2024.
- On February 1, 2024, Alia Tayyeb, Deputy Chief of Signals Intelligence, CSE appeared alongside David Vigneault, Director, CSIS; and, Dan Rogers, Deputy National Security and Intelligence Advisor, PCO.
- CSE has an excellent record with regard to respecting its mandate, securing information, and engaging positively with review bodies. CSE’s support to the inquiry is paramount in ensuring accountability, instilling confidence and trust by the public, and maintaining the resiliency of Canada’s democracy.
- CSE welcomes these external reviews into foreign interference in Canada’s elections and will continue to support them and Parliament moving forward.
Cyber defence of Government of Canada
- The Government of Canada deals with ongoing and persistent cyber risks and threats every day. These threats are real, they are sophisticated, and they continue to evolve.
- CSE is always monitoring for cyber threats and, as the threat landscape changes, will continue to assess its requirements.
- Although CSE generally does not comment on cyber incidents, I can assure the committee members that we are working with our federal partners, including smaller departments and agencies, to make them aware of the threats and remind them of cyber security best practices.
- The government has systems and tools in place to monitor threats, and CSE continues to use all the resources at its disposal to protect the GC from these evolving threats.
- For example, CSE’s Cyber Centre uses sensors, which are software tools installed in partner IT systems, to detect malicious cyber activity on government networks, systems, and cloud infrastructure.
- Last year, our automated defences protected the Government of Canada from 2.3 trillion malicious actions, an average of 6 billion a day.
- CSE works with departments including SSC, TBS, Public Safety, the RCMP, CSIS, and the Department of National Defence (DND) on a number of cyber security issues.
- Cyber defence is the responsibility of all GC departments and agencies. We continue to work together to ensure we can detect and investigate potential threats, and take active measures as required.
Email Tracking Link Campaign Targeting Canadian Parliamentarians
The Communications Security Establishment Canada (CSE) has determined that cyber threat activity by the People’s Republic of China (PRC) outpaces cyber threats from other nation states in volume, sophistication and breadth of targeting. The Canadian Centre for Cyber Security (Cyber Centre), a part of CSE, has observed widespread targeting by the PRC. This activity poses a serious threat to Canadian entities across a range of sectors and has targeted:
- all branches of government
- non-government organizations, academia and research institutions
- critical infrastructure
- industry, including the Canadian research and development sector
When the Cyber Centre identifies cyber threat activity targeting a Canadian or a Canadian organization, it shares this information with the system owner to assist them in identifying and mitigating the threat and notifying affected users, as required.
In January 2021, the Cyber Centre informed House of Commons (HoC) IT security officials of spear-phishing activity targeting parliamentary email accounts. These spear-phishing emails try to get the recipient to open an email that contains an embedded image (i.e., tracking link) that connects to a threat actor–controlled server. This allows the threat actor to confirm the validity of the targeted email addresses and gather preliminary data about the users, such as basic device and local network information. These emails can be a precursor to follow-on activity from the threat actor.
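The following Python example is added here as an illustration and is not part of the original briefing material or any CSE or HoC tooling. It shows how a mail administrator could flag remote embedded images of the kind described above so that their hosts can be checked against shared indicators; the sample message, the `.example` domains, the function names and the heuristics (1x1 or hidden images, long per-recipient tokens in the URL) are all assumptions made for the example.

```python
"""Flag remote images in an email that could act as tracking links (added example)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl
import re

# Constructed sample message; every domain uses the reserved .example TLD.
SAMPLE_EML = """\
From: "News Desk" <editor@news-site.example>
To: member@parliament.example
Subject: Interview request
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see our interview request.

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see our interview request.</p>
<img src="cid:logo123" width="120" height="40">
<img src="https://cdn.news-site.example/banner.png" width="600" height="80">
<img src="http://img.tracker.example/o/px.gif?id=6d656d626572313233" width="1" height="1">
<img src="https://static.tracker.example/a/9f8e7d6c5b4a39281706f5e4d3c2b1a0.png" style="display:none">
</body></html>

--b1--
"""

# Assumed heuristic: a long hex or base64url-looking value is likely a per-recipient ID.
TOKEN_RE = re.compile(r"[0-9a-fA-F]{16,}|[A-Za-z0-9_-]{24,}")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """True when width or height is declared as 0 or 1 pixel."""
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _has_token(parts):
    """True when a query value or path segment looks like a unique identifier."""
    values = [v for _, v in parse_qsl(parts.query)] + parts.path.split("/")
    return any(TOKEN_RE.fullmatch(v.rsplit(".", 1)[0]) for v in values if v)


def find_tracking_images(raw_message):
    """Return remote images that match at least one tracking heuristic."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            url = attrs.get("src", "").strip()
            parts = urlsplit(url)
            # Only remote fetches reveal the reader; cid: and data: images do not.
            if parts.scheme not in ("http", "https") and not url.startswith("//"):
                continue
            reasons = []
            if _is_tiny(attrs):
                reasons.append("tiny")
            if _is_hidden(attrs):
                reasons.append("hidden")
            if _has_token(parts):
                reasons.append("token")
            if reasons:
                hits.append({"url": url, "host": parts.hostname, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_tracking_images(SAMPLE_EML):
        print(hit["host"], hit["reasons"], hit["url"])
```

Mail clients or gateways that do not load remote images automatically prevent the connection to the sender's server from being made when the message is opened.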
From January to April 2021, the Cyber Centre and the Canadian Security Intelligence Service (CSIS) met with HoC IT security and CSE shared at least 12 reports that contained technical indicators of compromise affecting HoC IT systems. In November 2021, CSIS issued a classified Analytical Brief to 35 GC clients on the topic of APT31’s tracking link campaign targeting members of the Inter-Parliamentary Alliance on China (IPAC). In June 2022, the Federal Bureau of Investigation (FBI) released a report to CSE and CSIS detailing a PRC tracking link campaign, which included this HoC activity.
Below is the chronology of actions taken by the Cyber Centre and CSIS to notify and aid HoC officials in their detection and mitigation efforts.
Note: The Cyber Centre has shared reporting related to tracking links targeting parliamentarians with the HoC and CSIS since at least late 2018.
January – April 2021 Chronology of Events
January 2021
January 22
- The Cyber Centre Incident Handler issues a report to the HoC IT Security Mailbox, indicating that emails containing tracking links were sent to users with @parl.gc.ca and @sen.parl.gc.ca email addresses.
- Only technical details associated with the network traffic were available.
January 25
- The HoC Senior IT Security Analyst acknowledges receipt of the January 22 report.
- The HoC did not provide any additional feedback.
January 29
- The Cyber Centre Incident Handler follows up with the HoC IT Security Mailbox to request feedback on the January 22 report.
February 2021
February 3
- The Cyber Centre Incident Handler follows up to request feedback on the January 22 report.
- The HoC Senior IT Security Analyst responded to the Cyber Centre Incident Handler and indicated that the issue was handled internally.
February 17
- The Cyber Centre Incident Handler issues a second report to the HoC IT Security Mailbox, indicating that sophisticated actors were conducting network reconnaissance of devices known to connect to the HoC virtual private network (VPN).
- On March 1, HoC Director, IT Security, informed the Cyber Centre Incident Handler that at least one IP address (that had been provided by CCCS for analysis?) was associated with the home network of an undisclosed HoC user and that the HoC was able to obtain two devices for analysis.
- On March 5, the Cyber Centre Incident Handler made a request to HoC Director, IT Security, to perform a forensic analysis on the devices to validate that no malicious activity occurred. The HoC did not provide the devices to the Cyber Centre.
February 17
- HoC Director, IT Security, and representatives from CSIS and the Cyber Centre meet to discuss further collaboration on the incident.
- HoC Director, IT Security, provided the Cyber Centre’s Incident Management team with a printed document containing a sample malicious email and the names of eight MPs who were intended recipients of malicious emails.
- According to the document, the HoC assessed at the time that the emails did not reach the intended HoC recipients. However, the HoC indicated that some recipients may have received similar messages on their personal email addresses.
February 18
- A Cyber Triage Unit (CTU) meeting is held between CSIS and the Cyber Centre to discuss the combined response efforts of each organization.
- It was decided that CSIS would engage with the HoC. The Cyber Centre Incident Management team provided CSIS with a list of technical questions to aid in analyzing the suspicious activity.
February 18
- The Cyber Centre Incident Handler issues a third report to the HoC, identifying further network domain name system (DNS) traffic of concern.
February 19
- CSIS and the Cyber Centre meet with HoC Director, IT Security, to discuss the scope of the incident and possible forensic analysis.
February 23
- A CTU meeting is held between CSIS and the Cyber Centre.
- Following the meeting, the Cyber Centre Incident Handler provided further follow-up questions for CSIS to relay to the HoC to help with the investigation.
February 24
- A CTU meeting is held between CSIS and the Cyber Centre to establish a framework for joint engagements with the HoC.
- Following the meeting, the Cyber Centre Incident Handler provided their investigative follow-up questions from February 23 directly to HoC Director, IT Security, and requested copies of the actual emails identified in the list. HoC Director, IT Security, did not provide the emails.
February 24
- The Cyber Centre Incident Handler issues a fourth report to the HoC IT Security Mailbox, indicating that sophisticated actors were scanning IP addresses that may be associated with HoC devices.
- The Cyber Centre issues a fifth report to the HoC, indicating that between February 23 and 24, 2021, network DNS traffic was observed going to a previously reported domain at HoC.
February 26
- The Cyber Centre Incident Handler receives an email from HoC Director, IT Security, indicating that more emails and shared metadata for 41 emails had been sent to 13 MPs between January 21 and 28, 2021. Of those emails, 31 were either read or inadvertently opened.
- Of the 13 MPs named in this email, 7 were also named in the report shared by HoC Director, IT Security, at the February 17 meeting, bringing the total number of MPs known to have received malicious emails to 14.
- In this same email, HoC Director, IT Security, noted that, on February 10, 2021, the Senate provided information on a malicious email they received (no additional information).
March 2021
March 1
- In response to a Cyber Centre request for clarification on the number of Senate users who may have received these emails, HoC Director, IT Security, indicates that they identified two suspicious emails that had been sent to Senate clients.
- Upon receiving notification from the HoC, the Senate provided the HoC with a sample email and reported that the “emails themselves were permanently deleted by vigilant clients who received them.”
March 3
- The Cyber Centre Incident Handler issues a sixth report to the HoC, containing suspicious IP addresses connecting to HoC email servers.
March 9
- The Cyber Centre Incident Handler issues a seventh report to the HoC IT Security Mailbox, indicating that infrastructure used by a sophisticated actor was connecting to mail servers belonging to both the Senate and the HoC.
March 17
- The Cyber Centre Incident Handler issues an eighth report to the HoC IT Security Mailbox, indicating that on March 11, 2021, a device at the HoC connected to suspected malicious command and control (C2) infrastructure.
- The HoC IT Security Analyst responded that the implicated device was a personal device on a portion of HoC’s network intended for personal devices, and that the device had not been detected inside the office network.
- On March 29, the Cyber Centre Incident Handler asked the HoC IT Security Analyst for further technical and contextual information to better assess the situation. The HoC IT Security Analyst acknowledged the request, but never provided the requested information, despite an additional follow-up from the Cyber Centre Incident Handler on April 8.
March 23
- The Cyber Centre Incident Handler issues a ninth report to the HoC IT Security Mailbox, indicating that the Cyber Centre detected suspicious connections to HoC web portals.
- HoC acknowledged receipt the same day.
March 30
- The Cyber Centre Incident Handler issues a tenth report to the HoC, identifying malicious network activity at HoC.
- HoC acknowledged receipt the same day.
April 2021
April 19
- The Cyber Centre Incident Handler issues an eleventh report to the HoC IT Security Mailbox, indicating that the Cyber Centre detected new activity, consisting of several IP addresses connecting to web portals at the HoC.
- HoC acknowledged receipt the same day and requested additional technical context, which was provided by the Cyber Centre on April 20th.
April 22
- The Cyber Centre Incident Handler issues a twelfth report to the HoC IT Security Mailbox, indicating that the same device identified in the Cyber Centre’s report from March 17, 2021, was suspected to be infected with malware and was connecting to suspected malicious C2 infrastructure.
- HoC confirmed receipt and indicated they were investigating the issue; however, no additional feedback was received.
June 2022
June 29
- The Cyber Centre and CSIS receive an FBI report detailing a PRC tracking link campaign, which the FBI attributed to APT31, targeting 406 unique email addresses of individuals around the world, including individuals who have been outspoken on topics relating to the activities of the Chinese Communist Party.
- The report included 20 email addresses believed to have been targeted in January 2022, 19 of which were @parl.gc.ca or @sen.parl.gc.ca email addresses.
- Of the 19 email addresses identified, 14 had been disclosed to the Cyber Centre by HoC Director, IT Security, on February 17, 2021, and February 26, 2021.
June 30
- The Cyber Centre Incident Handler shares the details of the FBI report with the HoC IT Security Mailbox, following deconfliction with CSIS.
- The Cyber Centre noted that the activity was associated with a sophisticated threat actor and included a description of the techniques that had been used, the malicious indicators, the named MPs and senators, and advice on technical mitigation.
- On July 4, 2022, the HoC IT Security Analyst responded to the Cyber Centre Incident Handler and indicated that the only activity they had found dated back to January 2021.
- On July 21, 2022, the FBI confirmed to the Cyber Centre Incident Management Team that the activity noted in their June 2022 report had occurred in January 2021. This indicated that the FBI report described the same activity that CSIS and the Cyber Centre reported on and shared with the HoC in January 2021.
CSE Cyber Defence Tools for HoC Systems
2016
- Initial discussions between CSE and the HoC begin on the full suite of specialized cyber defence tools that CSE offers to Government of Canada departments and agencies.
2018
- The HoC adopts the Cyber Centre’s network-based protections.
2020
- The HoC implements the full suite of Cyber Centre tools.
- These tools were and remain a vital component in protecting the Government of Canada’s IT systems.
2022
- In October, the HoC expands the coverage of the Cyber Centre suite of tools.