44th Parl. 1st Sess.
December 1, 2022 10:00AM
Madam Speaker, I thank the member for Whitby for sharing his time with me.
It is very important that we talk about such an important piece of legislation that has been brought forward, Bill C-26. The reality is that the changes in technology are happening so incredibly quickly. At times, it seems a daunting task to keep up with them and to make sure that we are always ahead of those actors out there, whether state or non-state, who are trying to engage in activities that could seriously cripple our economy or other aspects of society in Canada.
It seems as though it was just yesterday that we did not have the Internet. I remember vividly when I signed up for my first Internet connection, a dial-up connection, and having access to the Internet. That was when I was a computer engineering student at a local college in Kingston back in 1995 or 1996. Downloading something as simple as a single image sometimes would take two or three minutes to get the full image on the screen.
Mr. Philip Lawrence: What did you download?
Mr. Mark Gerretsen: Madam Speaker, it was not an image of the member opposite who is asking.
The point here is that things are evolving so quickly, and we have come so far in such a short period of time in terms of our ability to utilize, perfect and, for lack of a better term, exploit everything that the Internet has to offer. We have seen it change commerce. We have seen it change how we engage with each other. We have seen it change just about every aspect of our lives. Unfortunately, with that comes new opportunity for people to try to affect what we do in our day-to-day lives. They are trying new forms of fraud, theft, harassment, intimidation and influencing elections, which are all nefarious manners in which people are trying to now utilize the Internet.
Of course, cybersecurity is a huge part of any government operation now, and every government should be seized with doing everything it can to secure it, because when we think about it, everything is connected. There could be a cyber-attack on a utility company, on a functioning parliament, a democracy. There could be an attack on just about every aspect of our lives, and it is critical that we have legislation in place to ensure that we can properly safeguard those things.
I have heard individuals in the House, and in the last two questions, one from the Conservatives and one from the NDP, suggesting that this is taking way too long and that we are behind other countries. I would caution members on that and suggest that it is not entirely accurate. For example, the United Kingdom has a very similar bill to this one that is being studied right now by its members of Parliament, a Conservative government, I might add. They are going through the exact same process as we are now. I think it is always easy to say, and it is one of the things we hear quite a bit from opposition parties, why is this taking so long?
I have my own opinion on why things take so long in this House, but the reality is that I do not believe we are significantly trailing behind other countries. Yes, some countries have done more than us. I am not going to disagree with that, but I disagree that we are significantly behind. I will come back to the United Kingdom where a Conservative government has introduced a very similar piece of legislation to what we have. This brings me to the legislation that we are debating today.
This bill has two primary parts to it. The first part would amend the Telecommunications Act to add the objective of the promotion of cybersecurity of the Canadian telecommunications system to Canadian telecommunications policy.
It also authorizes the Governor in Council and the Minister of Industry to direct telecommunications service providers to secure the Canadian telecommunications system. I think that is incredibly important. In this process, we have to remember that a huge part of what we need to do is work with private partners and the various telecommunications services that are out there. We need, from a policy or government perspective, to put in place some of the things that they need to do.
The reality is that in a competitive business environment where various different telecommunications companies are fighting to be more competitive and more efficient to maximize profit, which we all appreciate is important in the capitalist environment we live in, we have to respect the fact that in order to ensure that some of these safeguards are in place, we are going to need to make sure that the legislation is there to make sure companies are doing what they need to be doing to create those safeguards. Otherwise, it might not happen to the degree it needs to because of the nature of the competitive environment they are in.
The other aspect of this bill is that it enacts the critical cyber systems protection act to provide a framework for the protection of critical cyber systems that are vital to national security and public safety. Of course, this is key because this is what everything else is built on in terms of our national security and the systems that we have. We need to make sure we can properly safeguard those. In that regard, it authorizes the Governor in Council to designate any service or system as a vital service or vital system. Just think about that.
When I was in college studying computer engineering and I went to get my first dial-up connection, who would have thought that a mere 25 years later we would be talking about designating some of these services as being vital to national security or public safety? The reality is that is where we are now. As we rely so heavily on these systems, we rely so heavily on ensuring that we have the systems in place that we do in order to protect our security as it relates to cyber-threats.
I appreciate the opportunity to talk about this very important piece of legislation. I get the sense it is being widely supported in the House. I hope we can move this along so we can get to the next steps, continue to move forward and get what we need into place in order to properly protect our cyber systems from a security perspective.
1099 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, one of the things that has become very clear, particularly since the Russian invasion of Ukraine, is how destabilized our world is and how many bad actors are out there at the state level trying to undermine democracy.
My concern is about the ability of the federal government to withstand cyber-attacks. Earlier today, I talked about 2011 when actors out of China were able to shut down finance and the Treasury Board for days on end with relentless attacks. With the amount of financial information for Canadians that is in those departments, that is very serious.
We know that in the immigration department, which has turned into an absolute nightmare for anybody trying to navigate it, the system is breaking down. Staff in the department cannot access information files because the system is not up to speed. This will require a major investment to protect people, but also to deal with dark forces, whether they are Russians, the Chinese or any other non-state actor.
Has the government put in a credible plan to ensure we get our federal systems up to speed to be able to withstand hackers?
192 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I can attest that this is not the gentleman's first day. It seems like I have spent a year staring into his eyes here.
In the legislation, there is a fair bit of gray area with respect to definitions. Will the government be releasing additional information on such undefined terms as “cyber- incidents”?
58 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour to enter into debate in this place, especially when it comes to issues that are so very pressing in relation to national security and some of the challenges that our nation is facing. I would suggest the whole discussion around cybersecurity is especially relevant, because we are seeing highlighted, each and every day, a drip of new information related to foreign interference in our elections.
It highlights how important the conversation around cybersecurity is. It is often through computer and technological means that these malicious, foreign state actors will attack Canadian infrastructure. It is particularly relevant that I rise to debate Bill C-26, relating to the Liberals' recently introduced bill on cybersecurity, and I would like to highlight a couple of things.
The first thing is about seven years of inaction. I find it interesting, after seven years, how it was heard at the ethics committee from a whole host of experts in the field, including on cybersecurity and a whole range of issues, that the government is missing in action. It is not just about the government's inaction, but it is missing in action when it comes to some of the key issues surrounding things like cybersecurity. It has the direct consequence of creating uncertainty in terms of the technological space in the high-tech sector, which has massive opportunities.
We hear the Ottawa area referred to as silicon valley north. We have the Waterloo sector that has a significant investment in the high-tech sector. In my home province of Alberta, there is tremendous opportunity that has been brought forward through innovation, specifically in the Calgary area where we are seeing massive advancements in technology, but there is uncertainty.
Over the last seven years, the government has not taken action when it should have been providing clear direction so that industry and capital could prosper in our country. That is on the investment and economic side, but likewise, on the trust in government institutions side, we have seen an erosion of trust, such as the years-long delay on the decision regarding Huawei.
I and many Canadians, including experts in the field, as well as many within our Five Eyes security partners, were baffled about the government's delay on taking clear and decisive action against Huawei. Even though our Five Eyes, a group of countries that shares intelligence and has a strong intelligence working relationship, sees how inaction eroded the trust that these other nations had in Canada's ability to respond to cyber-concerns and threats. There is the fact that a company, a state-owned enterprise, has clear connections to a malicious foreign actor.
That delay led to incredible uncertainty in the markets and incredible costs taken on by private enterprise that simply did not have direction. Imagine all the telecoms that may have purchased significant assets of Huawei infrastructure because the government refused to provide them direction. There were years and years of inaction.
I will speak specifically about how important it is to understand the question around Canadian institutions. I would hope that members of the House take seriously the reports tabled in this place, such as from the public safety committee, which in the second session of the last Parliament I had the honour of sitting on. There is a whole host of studies that have been done related to this.
Then there are the CSIS reports tabled in this place containing some astounding revelations about foreign state actors and their incursions and attempts to erode trust in Canadian institutions. Specifically, there was a CSE report for 2021, which I believe is the most recent one tabled, that talks about three to five billion malicious incursions in our federal institutions a day via cyber-means. That is an astounding number and does not include the incursions that would be hacks against individuals or corporations. That is simply federal government institutions. That is three to five billion a day.
There are NSICOP reports as well. The RCMP, military intelligence and a whole host of agencies are hard at work on many of these things. It highlights how absolutely important cybersecurity is.
I find it interesting, because over the last seven years the Liberals have talked tough about many things but have delivered action on very few. Huawei is a great example. Cybersecurity is another. We see a host of other concerns that would veer off the topic of this discussion, so I will make sure that I keep directly focused on Bill C-26 today. The Liberal government is very good at announcing things, but the follow-through often leaves much to be desired.
We see Bill C-26 before us today. There is no question that action is needed. I am thankful we have the opportunity to be able to debate the substance of this bill in this place. I know the hard work that will be done, certainly by Conservatives though I cannot speak for the other parties, at committee to attempt to fix some of the concerns that have been highlighted, and certainly have been highlighted by a number of my colleagues.
The reality is Canadians, more and more, depend on technology. We saw examples, when there are issues with that technology, of the massive economic implications and disruptions that take place across our country. We saw that with the Rogers outage that took place in July. Most Canadians would not have realized that the debit card system, one of the foundational elements of our financial system, was dependent upon the Rogers network. For a number of days, having disruptions in that space had significant economic implications. It just speaks to one of the many ways Canadians depend on technology.
We saw an example in the United States, so not directly in Canada, when the Colonial Pipeline faced a ransomware attack. A major energy pipeline on the eastern seaboard of the United States was shut down through a cyber ransomware attack. It caused massive disruptions.
Another Canadian example that has been reported in talking to some in the sector was Bombardier recreational products. The Quebec company is under a cyber-lockdown because of hostile actions. There are numerous other examples, whether in the federal government or in the provinces, where this has been faced.
There are a number of concerns related to what needs to take place in this bill to ensure that we get it right. It needs to align with the actions that have taken place in our Five Eyes allies. We need to ensure that the civil liberties question is clearly answered.
We have seen the government not take concern over the rights of Canadians to see their rights protected, their freedom of speech, whether that is Bill C-11. I know other parties support this backdoor censorship bill, but these are significant concerns. Canadians have a right to question whether or not there would be a civil liberties impact, to make sure there would not be opportunity for backdoor surveillance, and to ensure there would be appropriate safeguards in place and not give too much power to politicians and bureaucrats as to what the actions of government would be.
As was stated by one stakeholder in writing about this, the lack of guardrails to constrain abuse is very concerning. In Bill C-26, there is vague language. Whenever there is vague language in legislation, it leaves it open to interpretation. We have seen how, in the Emergencies Act discussion and debate, the government created its own definition of some of the things that I would suggest were fairly clearly defined in legislation. We have to make sure it is airtight.
Massive power would be given to the Minister of Industry in relation to many of the measures contained in this bill.
I look forward to taking questions. It is absolutely key we get this right, so Canadians can in fact be protected and have confidence in their cybersecurity regime.
1331 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank my colleague for his speech.
I would like my colleague to reassure people who are watching, people in our communities who are worried about a device that is in their hands for much of the day. These people live with this device in their home. They use this device to share anecdotes, conversations and occasionally intimate secrets, believing that it all belongs exclusively to them.
Since our colleague does not seem interested in better control of cyber-attacks, how does he expect to reassure the public without moving toward tighter cybersecurity?
95 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I had the opportunity to sit on the defence committee during my first mandate, and I had the opportunity to work closely with the then minister of national defence on “Strong, Secure, Engaged”. We are going to be reviewing “Strong, Secure, Engaged” in terms of our defence spending, including what we are going to be doing on procurement.
A lot of things have changed in the last seven years in terms of defence, like what is happening across the way in terms of Ukraine and Russia, cyber and how significantly things have changed. We absolutely need to invest in cyber and make sure we get our defence procurement projects completed.
116 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I want to thank the member for that question, because that is one area of our domain awareness that we have not focused on a lot. When we think about the air force, army or navy, we usually talk about those three domains, but we do not talk a lot about cyber. We know that is the fourth domain that we need to focus on.
In terms of our NORAD modernization, I know cyber is top of mind in working with our Five Eyes partners and other partners. We need that modernization to take place so we can make sure this fourth element of our national defence is also included.
112 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour for me to rise at second reading stage of Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
When we consider the opportunities and challenges before us in this area, we see that the theme of collaboration underpins all that we do. Take, for example, the prevalence of cybercrime in an increasingly online world, improving cyber-defence posture in an unstable global environment, deep thinking about what the future holds in a world where innovation and change are exponential, a critical look at whether our policies and laws are up to the task, and the protection of content and intellectual property as data becomes one of the world's most precious resources.
In Canada, being online and connected is essential. Now more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying connected with loved ones across the country and around the world. We should be able to do all these activities safely and securely.
I would like to offer a few words about what we are doing here in Canada to get that balance right. I would like to reinforce the importance of our commitment to protecting the cyber systems that underpin our critical infrastructure.
The emergence of new technologies such as 5G is one clear reason we need to redouble our efforts. Think about our increased reliance on technology in light of the COVID-19 pandemic. Think about international tensions amidst Russia's unprovoked and unjustified invasion of Ukraine, with threats ranging from supply chain disruptions to state and non-state malicious cyber-activity.
Through all of these remarkable events, the government has been working tirelessly to keep Canadians safe. We recognize that, now more than ever before, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of critical services, such as energy production, financial transactions, safe transportation and emergency communications.
As part of his mandate, bestowed by the Prime Minister, the Minister of Public Safety is seized with the opportunity and the challenge of developing a renewed national cybersecurity strategy. We need to make sure we articulate Canada's long-term plan to protect our national security and economy, deter cyber-threat actors, and promote norms-based international behaviour in cyberspace.
The Government of Canada is working to enhance the cybersecurity of the country's critical infrastructure. The work to identify cyber-threats and vulnerabilities, and to respond to cyber-incidents, is ongoing. Unfortunately, we have seen that malicious actors continue to attempt to take advantage of the current environment to exploit certain sectors.
However, we are not starting from scratch in our fight against this threat. Since 2018, the Government of Canada has invested a total of approximately $2.6 billion in cybersecurity. Through the national cyber security strategy, the Government of Canada is taking decisive action to strengthen Canada's defence, preparedness and enforcement against cyber-threats.
The strategy was paired with the largest investment in cybersecurity ever made by the Government of Canada, totalling nearly $800 million in the 2018 and 2019 federal budgets. In the 2021 budget, the government allocated an additional $791 million to improve and defend cyber-networks, enhance data collection and protect taxpayer information.
In the 2022 budget, another $852.9 million was committed to enhance the Communications Security Establishment, or CSE, and its ability to conduct cyber-operations, make critical government systems more resilient, and prevent and respond to cyber-incidents on critical infrastructure.
Under the strategy, two flagship organizations were established. One is the Canadian Centre for Cyber Security, under CSE, and the other is the National Cybercrime Coordination Centre, or NC3, under the RCMP.
The Canadian Centre for Cyber Security is a single, unified team of government cybersecurity technical experts. The centre is the definitive source of technical advice, guidance, services, messaging and support on cybersecurity operational matters for government, critical infrastructure owners and operators, the private sector and the Canadian public.
The NC3 coordinates Canadian police operations against cybercriminals and established a national mechanism for Canadians and businesses to report cybercrime to police.
Public Safety Canada's Canadian cybersecurity tool also helps owners and operators of Canada's critical infrastructure to evaluate their cyber-maturity against established benchmarks and by peer comparison. It offers concrete guidance on how they can become more cyber-resilient.
Public Safety Canada also coordinates and delivers cybersecurity exercises for the critical infrastructure community to test and develop capabilities to respond to and recover from malicious cyber-activities. More broadly, the department, as the federal lead on cybersecurity policy, promotes communication and collaboration to raise awareness of cyber-threats and risks, including with our international partners.
Public Safety Canada works closely with CSE's Canadian Centre for Cyber Security to enhance the resilience of critical infrastructure in Canada. The Canadian Centre for Cyber Security shares valuable cyber-threat information with Canadian critical infrastructure owners and operators, in addition to providing public advisories.
Today, I am very proud to say that we can start debating a new bill to further strengthen what we have built. Today we are starting the debate on Bill C‑26, an act respecting cyber security. The objective of this bill is twofold.
First, it would amend the Telecommunications Act to add security as a policy objective, bringing the telecommunications sector in line with other critical infrastructure sectors. This would allow the government, if necessary, to mandate any action necessary to secure Canada's telecommunications system, including its 5G networks. This includes authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers.
Second, it introduces the new critical cyber systems protection act. This new act will require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to take specific actions to protect their critical cyber systems, and it will also support organizations' ability to prevent and recover from a wide range of malicious cyber-activities, including electronic espionage and ransomware. Cyber-incidents involving a certain threshold will be required to be reported.
The bill will also give the government a new tool allowing it to take action in response to threats and vulnerabilities with respect to—
1068 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate very much the Bloc's tentative support of the legislation to go to committee, recognizing that this legislation empowers the minister to take direct, specific actions to protect Canadians and businesses. As the member pointed out so accurately, there is a very real cyber-threat out there. It also ensures that there can be financial penalties.
Would the member not agree that this is just one step? We have had literally tens of millions of dollars invested in cyber-threats over the years. We have had all sorts of group discussions and meetings to make sure that the government is keeping up. There are a number of stakeholders with the responsibility of fighting cyber-threats today.
120 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank my colleague from Saint‑Hyacinthe—Bagot, who said he wished that we could talk a bit about what is being done proactively, and that is what I intend to do.
As members know, we cannot discover new worlds until we have the courage to not see the shore. Those who know me know that I would rather talk about the “why” than the “how”. I like to clearly define what we are talking about.
Let us start with the word “security”. Security is an absence of worry. It is peace of mind, a form of safety. It is rather easy to define.
Now, what is the definition of the prefix “cyber”? Cybersecurity is a word that is used in all kinds of ways. We want to combat cybercrime with cybersecurity. We want to prevent cyberstalking. Sometimes it can be confusing. What is the meaning of the prefix “cyber” that is used everywhere?
The origin of the word will help us to understand it. It was coined after the Second World War by an American researcher named Norbert Wiener. This brilliant mathematician was hired by the Massachusetts Institute of Technology, or MIT, to work on a research project on new types of weapons. More specifically, he was asked to develop missiles that could take down V‑1s and V‑2s, the unmanned German aircraft filled with explosives that were causing so much damage in England.
To that end, Professor Wiener had to model the behaviour of a pilot who knew he was being chased in order to better understand the decision-making mechanisms of humans in general. We will use the term human so as not to offend anyone. In 1948, Norbert Wiener named this field of research “cybernetics”, a new area of science that studies the mastery of machines. He was inspired by the Greek term kubernao, which means to pilot and from which the terms “government” and “governance” are also derived. It means “to steer”.
In 1949, Wiener's book was deemed one of the most important works of the 20th century. The New York Times praised it and predicted that cybernetics would be a leading branch of science in the future, which has come to pass. This book still contributes practical knowledge to today's world because one of the main concepts underlying this new theory is that of regulation. That is what we are discussing today.
With the Internet, everything becomes cyber, but the societal challenge is huge because in cyberspace we no longer know what is the cause and what is the effect. We are no longer certain who governs and who is governed. We no longer strive to determine if the chicken came before the egg or if the egg came before the chicken. In cyberspace, we cannot make sense of the chickens and the eggs.
When we talk about the Internet, we are talking about space and time. Space and time are concepts that, throughout history, have allowed us to place and understand ourselves. In philosophy it is said that nothing exists without space and time because everything is always somewhere in space and in a given moment, it is situated in time.
However, the Internet is everywhere and nowhere. In fact, when we talk about the web we picture an entanglement of threads without a centre. Humans, with their neurolinguistics, have a hard time placing themselves when there is no centre. We are always looking for the end. The Internet does not have one. In space, there is no centre and time is eternal. The Internet is always, never, and in perpetuity. It is therefore very hard to understand and associate with the cyber point of view.
Bill C‑26 is divided in two parts. In the first part, it says that it seeks to reinforce the security of the Canadian telecommunications system. Then there are indications of how it will change this and how it will change that. In the second, it says it will create the new critical cyber systems protection act to do this or that. I am summarizing the bill.
I noticed when I read Bill C‑26 that there is a lot of “how” and not a lot of “why”. What is the “why” behind Bill C‑26? In my opinion, there is just one reason why and that is to ensure that citizens can trust in the mechanism that protects them in the area of cybernetics and cyberspace.
Trust is complicated because it is not something that is easily granted. I will use the example given by my colleague from Saint‑Hyacinthe—Bagot. I know him and he is conspicuous in his absence, even though I am not allowed to say that. I do not have eyes in the back of my head.
It is pretty easy to build up trust between two individuals. However, trusting an entity, a company or a government is harder. Trust means having peace of mind, without needing supporting evidence. It is difficult to achieve in the public sphere. It is essential, however, and I think that is what Bill C-26 seeks to accomplish.
Trust begins with education and insight. Since this has been explored in speeches throughout the day, I will not dwell on it, but the geopolitical world is changing these days, and the balance of power is shifting. In addition, it is hard to know where the centre is, as I explained a little earlier.
The Canadian government's foreign policy is vague at best. It took years for the government to acknowledge that there was a problem with Huawei. It was the only Five Eyes nation that did not see the inevitable, that did not see the evidence right under its nose.
I am talking about education, but the bill does not contain any provisions for education in cybersecurity. I am talking about education in terms of privacy and facial recognition. Education would help people avoid the temptation to commit the act that we are trying to prohibit here.
We also know that we are stronger together. It is interesting to see who has already thought about these issues. One of our colleagues said that other institutions have thought about this. Yes, there is a concept known as cyber diplomacy, which involves co-operation and dialogue between nations. Moreover, to answer a question that has not been asked, which is the nature of philosophy, the Council of Europe could offer some very interesting answers and solutions in this matter.
This brings me to another question. Despite the many measures, there are quite a few things I do not see in this bill. I do not see measures that would prevent our devices from being taken over by malware, for example, or by a foreign power. Device takeover is something we recently studied at the Standing Committee on Access to Information, Privacy and Ethics. It is not the stuff of science fiction; it is actually happening now.
Also, I do not see how this bill prevents intellectual property infringement. I could name 200 other things I do not see in this bill, but I will mention just one more. I do not see how we are going to regulate what is known as the dark web. However, the bill names six organizations that will have the power to act as regulators.
However, I would like to ask the following question: Do these organizations have the necessary knowledge to do that? It is not always clear. In previous bills on other subjects, we were told, for example, about the CRTC, which was responsible for implementing some provisions. We saw that the CRTC was an outdated organization. The organizations in question now are not much better.
Cybersecurity is not something that is easy to regulate. That is why it is a good idea to look up and try to see a little further. I agree that the bill is well-intentioned, but intention without courage is meaningless.
A poet that I recently met in Montmartre told me that there is no love, only shows of love. It is the same thing here, except that we are talking about shows of courage, and so I hope that the government will show courage with Bill C‑26 and turn its intentions into action.
Let us send Bill C‑26 to committee as soon as possible.
1433 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
