One of Canada’s spy agencies says it shared details of Chinese state hacking that targeted parliamentarians with officials in the House of Commons and Senate shortly after learning of it in 2022.
Officials in the Commons and Senate on Tuesday declined to say why they never informed MPs and senators but released statements saying they put in place protective measures to guard against such attacks. House Speaker Greg Fergus’s office said in this instance the Commons administration “determined that the risk-mitigation measures in place had successfully prevented any attack.”
The MPs and senators who were targeted said Tuesday it’s unacceptable the federal government never contacted them directly and that they remained ignorant of this threat until last week.
As The Globe and Mail first reported Monday, seven Canadian MPs and senators who belong to a global interparliamentary organization critical of the Chinese government say the FBI recently informed their group that 18 legislators in Canada were targeted in 2021 by hackers linked to Beijing. They, however, were never told of this warning.
Canada’s Communications Security Establishment, which specializes in cybersecurity and intercepting foreign electronic communications, released a statement Tuesday saying it did its job by passing the U.S. information on to parliamentary administrators in June, 2022.
“Once the FBI report was received by Canada’s security agencies, the information that included the names of the targeted parliamentarians was shared immediately,” CSE spokesman Ryan Foreman said. “CSE shared specific, actionable technical information on this threat with House of Commons [HoC] and Senate IT officials, as would be our normal process with other Government of Canada partners when threats are detected.”
The six MPs and one senator who raised concerns about this Sunday remain adamant nobody until last week ever informed them they were under attack because of their affiliation with the Inter-Parliamentary Alliance on China. The Chinese hacking group in question is known as APT31. The U.S. Justice Department has said APT31 is part of a program run by China’s Hubei State Security Department, an arm of China’s Ministry of State Security located in the city of Wuhan.
Conservative MP Garnett Genuis said the Canadian government is ultimately responsible for the lack of warning.
“The government has now admitted that they received information about threats to the security of parliamentarians and that they failed to share that information with parliamentarians,” he said.
A guide to foreign interference and China’s suspected influence in Canada
Senator Marilou McPhedran said in a statement said she checked with the Senate cybersecurity team after learning of the targeting.
“I can confirm that in January, 2021, my office was targeted by a series of communications containing malicious malwares. However, these e-mails were identified promptly by our IT team as potentially malicious/harmful, quarantined, and deleted from our system without compromising our internal networks,” she said, adding she commends the work of the Senate cybersecurity unit.
“Regardless, I remain deeply concerned that I was not informed by appropriate government channels that I was, among other parliamentarians, a deliberate target of foreign-backed hacking attempts.”
A spokesman for Mr. Fergus, the House Speaker, declined to explain why the Commons failed to tell MPs.
“The House of Commons’ administration investigates all incidents brought to its attention by security partners. In this case, it determined that the risk-mitigation measures in place had successfully prevented any attack. There were no cybersecurity impacts to any members or their communications,” spokesman Mathieu Gravel said.
He declined, when pressed, to say why MPs were not informed. “We will not be commenting any further on this security matter,” he said.
Senate officials declined to discuss why they didn’t inform senators.
“All communications between the Senate and cybersecurity partners remain confidential in nature and are not divulged,” Senate spokesperson Alison Korn said in a statement.
“We can confirm that in all instances when the Senate is informed of, or detects a credible cyberthreat, the Senate’s Information Services Directorate takes prompt action to mitigate the risk and address it going forward. The specific way in which internal communications occur varies, as do specific actions taken, and these are not discussed publicly.”
The other five MPs who first went public with their concerns about not being notified said Tuesday they remain very concerned about them. They include Liberal MPs John McKay and Judy Sgro as well as Conservative MPs James Bezan, Stephanie Kusie and Tom Kmiec.
Ms. Sgro said she’s “150 per cent” sure that she was never notified that she was being targeted by APT31 and was the victim of what are called pixel attacks. Ms. Sgro said MPs receive generic warnings from time to time to protect their systems but nobody informed her that her e-mail accounts were the subject of hacking attacks because of her affiliation with IPAC.
Mr. Bezan said he feels the Canadian government needs to retain responsibility for flagging these threats with MPs.
“There was nothing even close to specific about being targeted by the PRC or this incident,” he said of communications from the House of Commons. “If an MP is being targeted by a hostile foreign power and the government has that information, they should warn the MP individually and provide them with the specific information necessary to protect themselves.”
Steven Chase
Robert Fife