MPs, senator ask why government didn't warn them they were targeted by China-backed hackers
Conservative MP Garnett Genuis says 18 Canadians were targeted in all
Canadian parliamentarians say they were warned recently that they had been targeted by China-affiliated hackers — and now they're wondering why that warning didn't come from the federal government or any of Canada's security services.
"It is unacceptable that we were not informed," Conservative MP Garnett Genuis told the House of Commons Monday, after rising on a question of privilege.
Genuis said the FBI told the Inter-Parliamentary Alliance on China (IPAC) that members of the international organization had been hit with a pixel reconnaissance cyberattack launched by a suspected Beijing-controlled entity in 2021.
He and other Canadian IPAC members only found out last week, he said.
"This was part of a coordinated attack," Genuis said.
"This was identified as a progressive reconnaissance attack — an attack aimed at gathering useful information to be used for subsequent escalating attacks against us."
Liberal MP John McKay, another targeted member of IPAC, told CBC News he received a verbal briefing from the group's executive director warning him that the hacking group Advanced Persistent Threat 31 (APT31) was behind the attack and had access to members' computers. The U.K. and U.S. allege the group is an arm of China's Ministry of State Security.
"The problem is that this attack is vague. And it's not clear to me how any information could be accessed or could be used," McKay said.
"It's a bit disconcerting."
The story was first reported by the Globe and Mail Monday morning.
"The way I understand it, it's either something or it's nothing," said McKay.
"I would like to be informed as to whether I should be concerned and, if so, how concerned? And if so, what remedies can I take to protect myself?"
FBI told countries 'several years ago'
Genuis said 18 Canadians in all were targeted by the attack and not all are comfortable with coming forward with their names.
In a statement released earlier on Monday, Liberal MP Judy Sgro, Conservative MPs James Bezan, Stephanie Kusie and Tom Kmiec, and Sen. Marilou McPhedran confirmed they were affected by the attack and joined Genuis and McKay in demanding to know why they weren't informed sooner.
"I can't see a good reason for not telling people that they're being targeted, especially when those people are parliamentarians," said McPhedran.
"I think it's a very important time for us to take this very seriously and to understand that this is part of the assault on democracy."
Genuis said the FBI told IPAC it was prevented from informing non-U.S. legislators directly due to their "rules regarding sovereignty."
In a statement issued to CBC News Monday, the FBI said it notified governments "several years ago" about this alleged cyber activity.
"The FBI notified host government partners of the existence, nature of, and attribution for the targeting activity several years ago, as soon as it was discovered by the FBI," said the statement.
The Canadian Security Intelligence Service referred CBC news to the Communications Security Establishment, the agency responsible for foreign signals intelligence, cyber operations and cyber security.
The CSE said it does not comment on specific cyber incidents or affected organizations, but in a media statement it did say it "has provided cyber threat briefings to political parties and provided them with a dedicated point of contact at the Cyber Centre for assistance with cyber security matters."
"The Communications Security Establishment Canada takes its mandate and legal obligations very seriously," says the statement.
"Intelligence and information is shared with government clients, including appropriate authorities in Parliament and any appropriate authorities and partners."
A spokesperson for Public Safety Minister Dominic LeBlanc did not answer CBC's questions about timing.
"Democracies around the world are grappling with the threat of foreign interference from state actors such as China," said Jean-Sebastian Comeau.
"We are taking action, as we have done for the last number of years, to protect our democracy and our democratic institutions — and that is exactly what we will continue to do, in concert with our allies."
Pixel attacks help hackers in the long run: expert
Genuis said the affected parliamentarians would have taken steps to protect themselves if they had specific information.
"We could have worked with the appropriate authorities to take steps to protect ourselves and ensure the security and functioning of our parliamentary and personal email accounts, but we were not able to because we were not informed," said
"This affected the security of our work as parliamentarians and potentially allowed a foreign entity to have greater awareness of and to seek to counter our efforts."
Former intelligence analyst Stephanie Carvin, who now teaches at Carleton University, said a pixel attack uses malware embedded in an image to send information back to the attacker about what sites the target is visiting and basic information about the kind of computer network systems they use.
"We all send pictures back and forth. It could be like out here, this is a picture from an event in your riding. This is something you should see and you click on the picture," she said.
"This pixel attack may not give a lot of information to begin with, but it really does set attackers up for much more damaging attacks and persistent spying and espionage campaigns as they go along."
Steve Waterhouse, a former information system security officer with the Department of National Defence, said he has a hard time believing Canadian representatives were only recently alerted to this type of malicious attack.
Government agencies typically produce advisories and awareness sessions for "everyone who wants to know about this," he said.
"It's been known for a while that some politicians do not want to know about problems happening outside of their realm of competency and they're just going to be ignoring the risk," said Waterhouse, now a lecturer at University of Sherbrooke.
Speaker Greg Fergus said he will rule quickly on Genuis's question of privilege.
CSIS directed to share more info
This is not the first time the Canadian government and its intelligence agencies have been called out for not informing MPs and senators of foreign interference threats.
Last year, the Liberal government directed CSIS to share more information directly with Parliamentarians under threat, and to create a direct line to the minister of public safety.
That directive came in response to the backlash that followed after it was revealed that China was targeting the family Conservative MP Michael Chong, in retaliation for his sponsorship of a motion condemning China's treatment of the Uyghur minority as genocide.
According to the federal government's directive, CSIS "will seek wherever possible within the law, and while protecting the security and integrity of national security and intelligence operations and investigations, to ensure that parliamentarians are informed of threats to the security of Canada directed at them."
The question of how intelligence and security is shared at the federal level is a key focus of the foreign interference inquiry investigating allegations of election meddling.
Commissioner Marie-Josée Hogue, who is running the inquiry, is set to present an interim report on Friday.
"Who knew what when? That is at the heart of so many of these issues," said Carvin.
Last month, the U.S. and U.K. imposed sanctions on individuals and groups they say targeted politicians, journalists and critics of Beijing in an extensive cyber espionage campaign. Authorities on both sides of the Atlantic accused APT31 of being behind those attacks.
At the time, CSE confirmed that APT31 also targeted Canada but did not confirm when Canada was targeted, how many people were hit and what the impact was.
LeBlanc said he met with representatives of the Five Eyes, the intelligence-sharing alliance made up of the U.S., the U.K., Canada, Australia and New Zealand.
No country is immune to the threat of cyberattacks, he said at the time.
With files from Ashley Burke