44th Parl. 1st Sess.
December 1, 2022 10:00AM
Mr. Speaker, with all due respect for my colleague, I would like to point out that the government is always vigilant when it comes to any type of threat, including cyber-threats.
For example, in 2018, we created the national cyber security strategy. That is what I was talking about in my speech. The pillars of this strategy, which is used to respond to all risks, include resilient security systems, an innovative cyber ecosystem and Canadian leadership here and around the world.
We have taken concrete action to protect against the risks posed by certain actors that are not aligned with Canadian interests. We are now prepared to take the next step by introducing this bill to better protect our critical infrastructure. This excellent and effective measure will be implemented in collaboration with all federal regulators and the private sector.
140 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I do not think there is anyone in society who does not recognize the potential harm of cybersecurity. The issue is how do we ensure we are well positioned to address vital threats to our critical infrastructure. The member opposite says her concern is that we are giving too much power to one individual.
Does the Conservative Party have an alternative to ensure that particular issue is addressed in the form of an amendment? Does the member have any suggestions on that point?
85 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I think we all agree that Canada is ill-prepared to deal with cybersecurity threats. I am comforted to hear that we are all on the same page. However, we are falling far behind other similar jurisdictions, such as France and the U.K. Their ability to intercept and respond to cybersecurity threats is much more enhanced to protect their countries.
Again, we are glad to see this moving forward, but I am a bit concerned about the government granting ministers so much broad power, especially the Minister of Public Safety and the Minister of Industry. I just want an assurance for Canadians that these powers would not be applied unjustly to them. Also, would the member and his party be willing to work with the NDP to bring forward amendments at committee to make sure there are protections for everyday Canadians?
144 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, with thanks to the chamber, I am pleased to rise today to speak to Bill C-26.
Cybersecurity is a topic that is very much on the minds of many Canadians. It is something that many of us have had experience with in our personal lives, or we know somebody who has. Certainly, as MPs, we hear from folks who have fallen prey to various kinds of cyber-attacks online. We know it is a burgeoning criminal industry to take advantage of people online, grab their information and impersonate their identities. Canadians deserve to be protected from this kind of crime.
We also heard about the impact that cybersecurity attacks have had on our commercial industries. One of the examples that stands out in my mind of particular concern was the 2017 cyber-attack on Equifax, where the personal and financial information of thousands of Canadians was obtained illegally. It is an obvious concern for folks when they find out that a company they trusted with their personal information has been subject to this kind of attack.
We also know that our government has not been immune from these kinds of attacks. Hospitals and Global Affairs Canada have been the object of successful cyber-attacks. Earlier this fall, the House of Commons had a cyber-attack. MPs were warned about changing their email passwords for fear of information in their work accounts being exposed to outside eyes and ears that would find out what was going on in those accounts.
There is no question that it is a real issue. There is also no question, when we talk to experts on the file, that Canada is a laggard in respect to cybersecurity. There have been many debates in this place about the role of Huawei, for instance, in our 5G infrastructure. The government did finally take a decision on Huawei, I think the right decision, although late in the game with respect to our other Five Eyes allies. The idea with this legislation is that the government needs more legal authority in order to implement that decision. Of course, there are a number of ways it can do that.
The bill, as it stands, is not ready to go, but New Democrats are happy to send it to committee where we can hear from experts and try to improve it. When I say it is not ready to go, in my view, it is that for as long as it took for the government to reach a decision on Huawei, it clearly was not doing any work alongside its deliberations on Huawei to prepare for banning it. This legislation would largely give a broad, sweeping power to the Minister of Industry to decide later what exactly the government will have to do in order to ban Huawei and respond to other kinds of cyber-threats.
There is not a lot of detail in the legislation, and that is something we have seen from the government on other fronts. We have seen it on unrelated items, like the Canada disability benefit. It drafted a bill that had no content on the program. The attitude is “trust us and we will get it right later”. However, we also see a litany of problems with the way the government manages its business, whether we go all the way back to the SNC-Lavalin affair and the question of deferred prosecution agreements or other ethical issues that have come up in the context of this government.
I think Canadians are right to have a certain distrust of the government. The answer lies in mechanisms that impose accountability on the government, and those are very clearly absent from this legislation. In fact, not only are they absent from the legislation but the government also very explicitly exempts itself from some of the current types of accountability that do exist.
For instance, it exempts itself from the Statutory Instruments Act, which would make it possible for the parliamentary regulations committee to review orders that the minister may issue under the new authority granted to him in this act.
Therefore, not only would there be no new accountability measures commensurate with the new powers the government would be giving itself, but it would also be exempting itself from some of the accountability mechanisms already there. The government is also explicitly letting Canadians know its intention in the legislation to give itself the legal authority to keep those orders secret. Therefore, we have to contemplate the idea that there will be a whole branch of secret orders and laws that govern the telecommunications industry that Canadians will not know about, and the telecommunications companies may not have an adequate awareness of them.
Where I would like to go with this is to talk a bit more broadly about the Internet and about privacy rights on the Internet. When the new Canada-U.S.-Mexico trade agreement was signed, there was a number of provisions in that agreement that went too far in shoring up the rights of companies to keep their algorithms secret, for instance. There are other kinds of IP protections, or protections that are sold as IP but really mean that it is harder to get a transparent accounting of how companies operate on the Internet and of the artificial intelligence they use to navigate the Internet.
There is a way of dealing with the Internet that prioritizes secrecy for commercial purposes, but that same secrecy also breeds more opportunity for malignant actors on the web to go about their business and not have to worry they will have to expose what it is they are doing. Whereas, if we look to the European Union as another model, for privacy and conducting business on the Internet, there are a lot more robust protections there for the private information of consumers on the Internet, and there are a lot more reporting requirements for actors on the Internet.
The problem with the bill as it is written here is that it would be trying to fight secrecy with secrecy. When firefighters show up to a house that is on fire, they do not usually show up with a flamethrower. They show up with something else that can fight the fire instead of accelerating it.
I do not think Canadians, who are concerned about malignant actors on the Internet and the ways that they are able to exploit the dark corners of the Internet and the back doors of software, also think that the way to fight that is to let the government do it in secret without any reporting. Canadians are not thinking that, with less information available about actors within the digital space or government actions against cybersecurity threats, they are better off if they do not know what the actors on the Internet are doing, and they do not know what the government is doing about it.
The problem with the bill as written is that it would double down on the approach that we saw in CUSMA. It was about privacy for actors on the Internet and privacy for the government in how it deals with it. Instead, it could take a more open-source approach to say that the way forward on the Internet has to be that digital actors have to be upfront about the kind of business they are conducting on the Internet, the ways they do it and the algorithms they use. Governments, likewise, could then be pretty transparent about how they would deal with people who were non-compliant or who were breaking the rules.
New Democrats are concerned to see, along those broad lines, an approach to the Internet that says transparency and accountability, both for private actors and for public actors, is the way forward. Digital consumers deserve to have this information at their fingertips, so they understand what people are going to be doing with the information they enter on their computer, whether that is to purchase a book, get a loan or whatever kind of business they are doing on the Internet. They should have more rights to know how that information is handled, and the role of the government in keeping that information secure, rather than being told not to worry about it, because commercial interests have their best interest at heart, the government has their best interest at heart, and they do not need to know what is going on.
That is why the bill should go to committee, to be sure, because Canada does need its government to have the authority to implement the decision on Huawei and to do better in respect of cybersecurity. There is a lot of good work for committee members to do there, and a lot of amendments that ought to be made to the bill in order for it to pass in subsequent readings.
1481 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I share a number of the hon. member's concerns, but I want to ask him about some of the major threats we have seen in cybersecurity. I am frustrated because the government has a lot of the tools already at its disposal to go after people who are threatening our cybersecurity. We have seen the shutdown of pipelines and major companies across this country. Rogers Communications was shut down.
Is the member not at all concerned about the lack of ability of law enforcement to chase down the bad actors that are pursuing some of this stuff?
100 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I would just correct the member. Yes, this legislation is very important and we hope to see it get to the committee stage where it will no doubt be well discussed and debated. There will be presentations where members can digest information and see if there are ways in which we can improve upon the legislation. However, to try to give an impression that this is the only thing the government has done on the issue of cyber-threats is a bit of a false impression.
Not only have we been seeing a great deal of dialogue and actions from different departments to date in the form of formalized advisory groups, but we have seen literally tens of millions of dollars, not to mention the other incentive programs that were there, for the private sector, for example.
I wonder if the member would not agree that this issue is not new and this is just one very important aspect in taking a step forward.
166 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member is correct that this is not a new issue. That is precisely why I think the government is very late in coming to the table. The issue of foreign interference, which is part of the context of the cyber-threats we face, is also not a new issue. Again, we have been calling for action from the government, but we have not seen other action from it. The member says that the Liberals have done all these other things, such as maybe giving some money over here or over there, but he evidently could not articulate specific measures that the government had taken.
We are behind when it comes to defending our security. We are behind what we should have known much earlier. We are behind our allies. We were the last of the Five Eyes and very late to step up on recognizing the risks associated with Huawei.
When it comes to foreign interference, I will challenge the government on one point: Why has the government not expelled foreign diplomats involved in interference and intimidation in Canada? That would be a simple step and the government has not taken it.
195 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will begin by saying that I will be sharing my time with the hon. member for Abitibi—Témiscamingue.
I am pleased to speak to this bill, which, I must say, was eagerly awaited by my party.
The Standing Committee on Public Safety and National Security had the opportunity to study the issue of cyber security. We heard from experts in this field, who told us what they think about Canada's cyber security preparedness or posture. The idea came from my Conservative colleagues, and it was a very good one.
Given what is happening in Ukraine with the Russian invasion, we know that there are still military threats in the 21st century. However, we are also dealing with the emergence of new technologies that pose non-military threats. I had the opportunity to talk about these non-military threats at the Organization for Security and Co-operation in Europe Parliamentary Assembly last week in Warsaw, Poland. I discussed non-military threats and how different countries must prepare for or guard against them.
What the Standing Committee on Public Safety and National Security heard is how difficult it is to prepare for these threats, because they are evolving so quickly. No one had anything particularly positive to say about Canada's preparedness.
I think that the willingness is there, and that is what the experts told us: Canada is trying to prepare for and guard against potential cyber-attacks. I said “potential” cyber-attacks, but they are already happening. We know there have been cyber-attacks on various infrastructure and companies in Quebec and Canada, especially in the private sector, in the past. Canada is not as prepared as it could be to face these attacks, but we were told that it may never be totally prepared. The same is true for all countries because, as I said, the technology is changing so rapidly.
For this reason, I think that adopting a cybersecurity framework is an extremely positive step. That is what the government promised. In its national cyber security strategy, it pledged to better regulate cyber systems in the federally regulated private sector. The 2019 budget earmarked $144.9 million to develop a new framework to protect critical infrastructure. That is exactly what the two main parts of this bill do. They are aimed at strengthening the security of the Canadian telecommunications system.
Part 1 of the bill amends the Telecommunications Act to add the promotion of security, authorizing the government to direct Internet service providers to do anything, or refrain from doing anything, that is necessary to secure Canada's telecommunications system. Part 2 enacts the new critical cyber systems protection act to provide a framework for the protection of critical cyber-infrastructure and companies under federal jurisdiction.
The act is essentially a regulatory framework. As my colleague from Abitibi—Témiscamingue mentioned earlier in his question to our Conservative colleague, we will have to see what impact this bill could have on Quebec, especially companies and organizations like Hydro-Québec, since it designates interprovincial power line systems as vital services and vital systems. More on that later.
We will also have to see in committee whether the vast regulation-making powers provided for in Bill C-26 are justified or whether they bypass Parliament for no reason. Certain groups that raised concerns in the media have contacted us as well. Their concerns about this bill are well founded. I will get back to this a little later on.
I would say that it is important to proceed carefully and properly with this bill. Any amendments made to the bill will have a direct impact on every transmission facility in Quebec, including those that will soon be built in my riding to offer adequate cell service to those who are still waiting. Some Canadian ridings are unfortunately still without cell service in 2022. Since my riding is one of them, the bill will have a significant impact.
Local telephone service providers, IP-based voice services, Internet service providers, long distance providers and wireless services will be subject to the amendments to the act.
This means that the amendments would allow authorities to secure the system if there is reason to believe that the security of the telecommunications system is under threat of interference, manipulation or disruption. In that case, telecommunication service providers could be prohibited from using or supplying certain goods or services.
As I understand the wording of the bill, which is rather complex, telecommunication service providers could even be prohibited from supplying services to a specific individual. It is important to realize that these are vast powers, and I hope that, when the bill is sent to committee for study, it will be detailed enough to include the factors that will be taken into account before such powers are granted.
As I was saying earlier, the act will make it possible to designate certain systems and services under federal jurisdiction as critical to national security or public safety. The new Critical Cyber Systems Protection Act will protect critical cyber systems in the private sector.
What, then, is a critical cyber system? I found it difficult to find a clear definition in French of what a critical cyber system is, but the government defines the term itself in the bill. It appears that it is a “system that, if...compromised, could affect the continuity or security of a vital service or vital system.”
The bills lists six vital services and systems in its schedule. These obviously include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are under federal jurisdiction, banking systems, and clearing and settlement systems.
These are the areas this bill addresses. That is a lot to verify, and several actors are involved. Several ministers will be involved in the regulatory process after that, so it is important to study the bill carefully.
At this stage, a number of questions arise. For example, what impact will the bill have on certain interprovincial infrastructures, such as power lines and power grids? The act could impact Hydro-Québec and other non-federal infrastructures, such as aluminum smelters. As I understand it, the bill itself would designate interprovincial power lines as a vital service. That could have an impact.
In principle, the bill is not a problem for my party. When we call experts to testify before the committee, we will be able to determine whether or not it will have a positive impact. I think it could be very positive, but we need to look at its scope.
The Bloc Québécois has often supported the government in its efforts to ensure stricter control of broadcasting for certain vital infrastructures that could be in the crosshairs of foreign nations. Let us consider China and Russia, as I mentioned earlier. There is the Huawei saga and the development of the 5G network. The government's indecision for so many years proves that it would have been better to act beforehand rather than to react to the current situation. China's increasing power and its attempts at interference on several occasions, as well as Canada's vulnerabilities in terms of cybersecurity, are real. For example, we know that Hydro-Québec has been a potential target for Chinese espionage. The same could happen directly in our infrastructures. I think that this bill is relevant. We are very happy that the government introduced it. That is why the Bloc Québécois will vote in favour of sending the bill to a parliamentary committee so that we can hear what the experts have to say.
I would like to take these final moments to talk about the concerns voiced by certain groups. Professor Christopher Parsons of the University of Toronto said that the bill was so imperfect that authoritarian governments around the world could cite it to justify their own repressive laws. That is a worrisome statement. I will elaborate during questions and comments.
1353 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is encouraging when we get support for legislation. This legislation goes a long way in recognizing that cyber-threats are something on which we do need legislation to come forward and be voted upon. This legislation would allow for financial penalties and for the minister to take direct action. I wonder if the member could provide his thoughts on the importance, once we get into committee stage, of listening to what presenters have to say. I understand there are some concerns with regard to the legislation.
89 words
- Hear!
- Rabble!
- add
- star_border
- share
- Dec/1/22 2:27:39 p.m.
- Watch
Mr. Speaker, our government takes all allegations of threats of foreign interference very seriously. That is why we established two panels to review all allegations. The panels confirmed the integrity of the 2019 and 2021 elections.
We will continue to provide all the tools that the national security community needs to protect our democratic institutions.
55 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I mentioned at the end of my speech that the government was very late in putting forward such a bill. It is a very tough question to answer as to whether or not we can catch up. We know the existing wars and challenges and future wars are mostly around cybersecurity. It will be important in this motion of the House, with this bill, to assess how prepared Canada is for facing future threats.
76 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, within the legislation there is consideration given to how financial penalties would empower the minister to take strong action to ensure that providers are keeping up with what they need to keep up with.
My question to the member is this. Would he agree that when we take a look at the issue of cyber-attacks, they are not something unique to Canada? It is happening around the world. We are working with allied countries and others. This is one part. It does not stop here. There is a need to continue, as we have for the last number of years, investing tens of millions of dollars and putting people to the task of protecting us against cyber-threats.
Could the member just provide his thoughts in terms of the broader picture of cyber-threats?
137 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, cyber-threats are not new. In 2011, Canada's two main financial centres in government, Finance and the Treasury Board, were pushed off-line for days by hacks from Chinese operators, yet the Harper government did nothing about that. It did not want to talk about it because it was busy selling off sections of the oil sands and Nexen to Chinese state-owned operators and then signing a free trade deal with China, the deal that would allow it to take on Canada outside of the court system.
I find it kind of special that the Conservatives are suddenly concerned about cybercrime now, when they did nothing to take on China's state threats to Canada under Harper.
121 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as part of the mandate bestowed upon him by the Prime Minister, the Minister of Public Safety is seized with the opportunity and challenge of developing a renewed cybersecurity strategy. We need to make sure we articulate Canada’s long-term plan to protect our national security and economy, deter cyber-threat actors, and promote norms-based international behaviour in cyberspace.
The Government of Canada is working to enhance the cybersecurity of the country’s critical infrastructure. The work to identify cyber-threats and vulnerabilities, and to respond to cyber-incidents, is around the clock and ongoing. Unfortunately, we have seen that malicious actors continue to attempt to take advantage of the current environment to exploit certain sectors. I would like to use one example that is relevant for my riding and the region I come from.
My riding is the riding of Whitby, and Durham District School Board is the public school board in our area. On Friday, November 25, just very recently, there was a cyber-incident at the Durham District School Board. It resulted in online classes being cancelled. They were forced to postpone scheduled literacy tests. They have had phone lines down and email service down. They even do not have access to emergency contacts, and they are trying to limit this incident so it does not impact payroll for the over 14,000 Durham District School Board employees. There are 75,000 students who go to school across our region.
They have notified police of the attack. Their investigation is said to be very complex and time consuming, and they will be assessing the privacy impacts, but we can just imagine how this has impacted students and employees at Durham District School Board.
This is a really serious topic. I think we all need to give it the weight it deserves, and this legislation is trying to ensure we do our utmost to protect against these cyber-threats in the future.
However, we are not starting from scratch to tackle these threats. Since 2018, the Government of Canada has invested a total of approximately $4.8 billion in cybersecurity. Through the national cybersecurity strategy, the Government of Canada would be taking decisive action to strengthen Canada’s defence, preparedness and enforcement against cyber-threats. The strategy was paired with the largest investment in cybersecurity ever made by the Government of Canada, totalling close to $800 million in the 2018 and 2019 federal budgets.
In the 2021 budget, the government allocated an additional $791 million to improve and defend cyber-networks, enhance data collection and protect taxpayer information, and in the 2022 budget, another $852.9 million was committed to enhance the Communications Security Establishment and its ability to conduct cyber-operations, make critical government systems more resilient, and prevent and respond to cyber-incidents on critical infrastructure.
Under the strategy, two flagship organizations were established. One is the Canadian centre for cybersecurity, otherwise known as the cyber centre, under CSE, and the other is the national cybercrime coordination centre under the RCMP.
The cyber centre is a single, unified team of government cybersecurity technical experts. The centre is the definitive source of unique technical advice, guidance, services, messaging and support on cybersecurity operational matters for government, critical infrastructure owners and operators, the private sector, and the Canadian public.
The NC3 coordinates Canadian police operations against cybercriminals and established a national mechanism for Canadians and businesses to report cybercrime to police. In the example I mentioned in my riding of the Durham District School Board, it would report the cybercrime to the local police, and that would go up through NC3 as well.
Public Safety Canada’s Canadian cybersecurity tool also helps owners and operators of Canada’s critical infrastructure to evaluate their cyber-maturity against established benchmarks and by peer comparison. It offers concrete guidance on how they can become more cyber-resilient.
Public Safety Canada also coordinates and delivers cyber-based exercises for the critical infrastructure community to test and develop capabilities to respond to and recover from malicious cyber-activities. More broadly, the department, as the federal lead on cybersecurity policy, promotes communication and collaboration to raise awareness of cyber-threats and risks, including with our international partners. Public Safety Canada works closely with the Communications Security Establishment’s Canadian centre for cybersecurity to enhance the resilience of critical infrastructure in Canada. The cyber centre, in addition to providing public advisories, shares valuable cyber-threat information with Canadian critical infrastructure owners and operators.
Today I am very proud to say that we can begin to debate a new piece of legislation to further strengthen what we have built as a government. Today we are debating Bill C-26 for the second reading, and this legislation's objective is twofold.
The first part proposes to make amendments to the Telecommunications Act, which include adding security as a policy objective, adding implementation authorities and bringing the telecommunications sector in line with other critical infrastructure sectors. This would allow the government, when necessary, to mandate any action necessary to secure Canada’s telecommunications system, including its 5G networks. This would include authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers.
The second part introduces the critical cyber systems protection act, or CCSPA. This new act would require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to take specific actions to protect their critical cyber-systems, and it would support organizations' ability to prevent and recover from a wide range of malicious cyber-activities, including malicious electronic espionage and ransomware.
944 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am not really sure how we get these types of critical remarks coming from the opposite side of the House given that in my speech I gave very tangible examples of two agencies that have been set up and some pretty significant investments that have been made since 2018. The $4.8 billion for cybersecurity is no small amount. We are making investments and setting up the systems and tools.
I have been briefed, as a member of the procedure and House affairs committee, on our House of Commons cyber-infrastructure and cybersecurity. Although those briefings were in camera, I know full well that very strong and resilient systems have been set up to identify and neutralize threats ahead of time to ensure our critical infrastructure in the House of Commons is protected. I think that extends right across Canada with the work that our government has been doing.
152 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate very much the Bloc's tentative support of the legislation to go to committee, recognizing that this legislation empowers the minister to take direct, specific actions to protect Canadians and businesses. As the member pointed out so accurately, there is a very real cyber-threat out there. It also ensures that there can be financial penalties.
Would the member not agree that this is just one step? We have had literally tens of millions of dollars invested in cyber-threats over the years. We have had all sorts of group discussions and meetings to make sure that the government is keeping up. There are a number of stakeholders with the responsibility of fighting cyber-threats today.
120 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
