The House of Commons was alerted in early 2021 to cyber threat activity, over a year before the FBI informed Canada about the recently revealed 2021 Chinese cyberattack targeting parliamentarians, a senior spy agency official told MPs.
Caroline Xavier, chief of the Communications Security Establishment (CSE), one of Canada’s intelligence agencies, made the revelation while testifying before the House of Commons Standing Committee on Procedure and House Affairs on June 6.
The committee is studying a 2021 incident in which 18 parliamentarians were targeted by a Chinese hacker group, known as APT31. The attack was disclosed in a U.S. indictment released in March. The indictment laid charges on seven Chinese nationals associated with the hacker group, noting that the group has spent roughly 14 years targeting U.S. and foreign businesses and political officials, as well as critics of Beijing.
Ms. Xavier confirmed that CSE received a report from the FBI in June 2022 about the incident and immediately shared the information with House security officials.
However, she said CSE and the House had already collaborated over a year before that to thwart a cyberattack attempt.
She said that from January to April 2021, CSE’s cyber centre, the Canadian Centre for Cyber Security, “had already shared reports with the House of Commons IT security officials specifically detailing a serious matter of technical indicators of compromise by a sophisticated actor affecting House of Commons IT systems.”
“Upon receipt of this information, CSE shared specific and actionable technical information about the activity with the House of Commons IT security officials, and as well the Canadian Security Intelligence Service (CSIS),” Ms. Xavier said. “Because of this information, CSE and the House of Commons worked together to thwart the attempt to compromise by this sophisticated actor.”
Ms. Xavier said the House of Commons and Senate operate independently from the CSE, and after being informed of the cyberattack against parliamentarians, these chambers were then themselves responsible for determining how and when to communicate directly with MPs and senators.
Information Sharing
Concerning the FBI report to CSE in June 2022, Ms. Xavier said it detailed “emails targeting individuals around the world, including individuals who have been outspoken on topics relating to activities of the Chinese Communist Party.” The report included technical details of the names of Canadian parliamentarians who were targeted by this activity, she said.
She also confirmed that CSE “did indeed share that list of parliamentarians with the House of Commons IT security team as well as we shared it to CSIS.”
However, over a year before that, from the start of January 2021, CSE had already seen some “anomalies of a cyber nature,” Ms. Xavier said. It was during that period of time, after further analyses and working together with House of Commons security officials as well as CSIS, that CSE identified that “APT31 was potentially the actor at that time,” she said.
Rajiv Gupta, associate head of the Canadian Centre for Cyber Security, who was testifying alongside Ms. Xavier, said it was “a sophisticated threat actor, which in cybersecurity terms typically means nation state.”
Conservative MP Garnett Genuis, one of the parliamentarians targeted by APT31, asked if the CSE had included caveats when sharing information about the cyberattack with the House of Commons.
Mr. Gupta responded that the agency’s reports typically include a caveat saying “you can’t share this further without the explicit authority of CSE.”
Mr. Genuis described the situation as a “circuitous game of telephone,” asking why the government didn’t directly inform the affected parliamentarians so they could protect themselves.
“Fundamentally, the question is, why was all of this sort of nonsense interposed in between the people who had the information—which was the Government of Canada—and the people who needed the information—which was members of Parliament under threat—who could have taken further preventative action to protect themselves? Why was it so difficult for the government to just tell us directly?” he asked.
Ms. Xavier replied, “I recognize that we’re going to learn from this incident and hopefully get a better understanding, especially from the study that you'll do, on how we might do something differently.”