44th Parl. 1st Sess.
December 1, 2022 10:00AM
Madam Speaker, we must always protect the civil liberties and rights of Canadians. Any legislation brought to the House needs to pass that means test, if I can call it that.
With reference to Bill C-26, it is definitely required that we update our cybersecurity laws to reflect the ongoing changes in technology that have happened over the last number of years and the increasing use of cybersecurity, cyber-threats, increasing digitization that has been going on in the world, and the fact that Canadians are increasingly interconnected in this world.
We need to maintain checks and balances within the system and ensure that individual rights of Canadians are protected.
111 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am hopeful that this bill would get us in line with other countries from around the world because, increasingly, Canada is left out of the discussions around cybersecurity.
We are no longer invited to some of the many important forums that do take place in battling this. If that is what this bill is attempting to do, to bring us in line with some of these other countries, I hope that is the case. However, I would note, I was talking to my friend with the Calgary Police Service who said that Canada is increasingly not the jurisdiction where they pursue these prosecutions because we are so lacking in good legislation to protect our cybersecurity.
118 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate the opportunity to speak in the House today to a very serious subject, cybersecurity and the security of our country in general.
I will say, on a lighter note, that my friend from Peace River—Westlock spoke about snowmobiling companies and cyber-attacks. I have some personal experience with snowmobiling at his house, and I would say that the government's approach to security is the equivalent of driving a snowmobile over a four-foot retaining wall, which may or may not have happened the last time I tried to drive one of those machines.
The situation of security in this country is very much worth the House taking note of. For much of the time that I have been engaging with and following politics, the primary area of security we would talk about would be concerns about our readiness for and our response to the threat of terrorism. However, it is important to take stock of how things have changed and the fact that, while there are still concerns about terrorism and how we respond to potential acts of terrorism, the primary security threat we face as a country, and indeed that the western world faces, is the threat of foreign state-backed and directed interference in our national affairs. Our abiding concern should be the reality that various foreign states are trying to shape and interfere with our democratic life to try to bend not only our government institutions, but also our civil society institutions, toward their desired objective.
Members of the government have said that the purpose of this interference is to cause total chaos and confusion. We should acknowledge that there are some cases of foreign interference that are aimed at causing chaos, but very often it is about simply trying to subvert and control the direction of institutions toward the will and the interests of that particular foreign power. We have discussed how the Chinese Communist Party is the biggest player when it comes to foreign state-backed interference, but it is far from the only player.
We have seen reports about Chinese government interference in our elections. There have also been recent reports about death threats from the Iranian regime targeting individuals in Canada. There are various other countries that CSIS and other organizations have identified as being involved in this activity of trying to interfere with, subvert and direct Canadian institutions, government really at all levels, as well as civil society organizations, universities and the like, toward their objective.
This kind of invisible, or sometimes a little more visible but often hard to detect, interference in the direction of our national life toward objectives that are not consistent with the objectives Canadians have established is a great threat to our security and our sovereignty. It is something that we should all be seized with and working to respond to.
Part of the context as well is that we are in what some analysts have described as a second cold war. Of course, there are many features of the current conflict between democratic and authoritarian values that are different from the last Cold War, but we have this reality of intensifying global competition between two different value systems that are represented by different countries at different times, and we have countries that are in the middle that are being pulled in different directions.
I tend to think that kind of cold war frame is a reasonably useful way of understanding the current tensions we face in the world. In the context of those tensions, we see how powers with political values that are fundamentally different from ours, where governments are trying to protect their own position, are trying to project their influence around the world. Again, this requires vigilance. It requires a strong response from Canada.
I have been struck by some of the recent comments from the Prime Minister on these matters. I think he has been showing a real lack of transparency around acknowledging what he knew when, and refusing to answer direct questions from the opposition about foreign interference, but he has also stated quite openly the reality that we have a serious problem with foreign interference. This is a reality that opposition members, in particular in the Conservative Party, have been raising for years. We have been asking the government to do more. We have been calling for strong legislative frameworks to respond to the problem of foreign state-backed interference.
We have also sought to elevate the voices of victims of foreign interference, people who have faced threats and intimidation from foreign state actors to try to silence their advocacy, which those foreign state actors see as contrary to their interests. It has been widely reported some of these victims really struggle to actually get proper support. They often get the runaround.
They go to their local police force, which does not necessarily have the capacity to handle a foreign state-backed organized campaign of threats and intimidation. Do they go to Global Affairs? Do they go to CSIS? Do they go to the RCMP? There can be a bit of confusion and passing of the buck concerning support for these victims of foreign state-backed interference.
We have a lot of work to do in legislation and policy, and our preparedness in general and our understanding of these issues. It is critical that we step up to strengthen our understanding of and response to the threats facing our country.
One thing we need to see more from the Prime Minister and the government is transparency because being transparent about this reality can help to counter the impact of that foreign interference. If we know it is happening, if we know what it is directed toward, then we can respond more effectively.
This is not only a responsibility of the federal government to respond to. Provincial and municipal governments need to be aware of the issues of foreign interference. Our universities need to step up as well. Private companies need to be aware of the risks around interference, theft of technology and the ways in which certain things may have a dual military use. There needs to be a broader awareness of this threat to the national interest, a threat to our values across all sectors of society, and a broader response to it.
The government has an important role to play in leading the response and making changes at the national level. We have been far behind, as far the national government goes, in responding to these threats. The Conservative opposition has been calling for a response to foreign interference for years. Now we are seeing the government start to talk about it a bit more.
I noted in some of the language in the Indo-Pacific strategy, for example, the government is starting, or trying, to sound a bit more like Conservatives in the way it talks about some of the challenges confronting us and the steps we need to take in the Indo-Pacific region. While the government is adopting some of that language, it is failing to substantively adjust its approach.
We have a bill in front of us today that deals with one avenue where we need to be engaged with and responding to the problem of foreign state-backed interference, and that is the issue of cybersecurity. I will be supporting this legislation at this stage to see it go to committee, mainly because we clearly need a new cybersecurity bill. We clearly need a new framework. The committee study will identify some of the significant gaps we see in the legislation right now, the ways the legislation needs to be improved and possibly the many additional steps required. I will just note that it is far past due that we have some kind of proposal for a framework on cybersecurity that, in a way, gives the committee the opportunity to add to and build on what the government has initially put forward.
This is really the first time we see any kind of legislation proposed by the government that substantively touches on this emergent problem of foreign state-backed interference. We need a much broader range of responses from the government. We need so much more to be done to counter this major security threat.
This is about preserving our country. It is about preserving the integrity of our institutions. It is about defending the principle that the direction of our democracy and the direction of our society should be shaped through the open deliberation of Canadians, not by foreign powers who have particular interests that may be contrary to our interests who are trying to push and pull that discussion in their preferred direction.
Having this framework that opens the door for the committee to discuss further, fill in some of the gaps and try to push the government to have greater specificity in the framework around what they are going to do provides us with the opportunity to do that. This is late, lacking in detail and really a small piece of the much broader picture that is required.
The government has been so delayed. I mentioned the decision around Huawei. We were way behind all of our allies in making the decision. It is important now, finally, at this late stage where the government is starting to mention the problem, that we actually see concrete action. Conservatives will be pushing the government to act in line with some of the words it has been saying.
1591 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member asked what we would do if we were in government. We would make the right decision on every one of those.
With respect to the particulars the member raises with respect to what powers the federal government would have in intervening with provinces, this is an important issue for the committee to look at. I am supporting this legislation because we need to have a cybersecurity framework in Canada. It is important that this goes through to the committee and that those issues be looked at there.
I did not have time to go into it, but there are a significant number of problems in the legislation that do have to be worked out by the committee. No doubt there has to be a role for federal leadership around security, but it has to be a constructive, collaborative relationship, because there are steps for other levels of government. We see foreign interference at the very granular local level, so that collaboration across levels of government is really important.
172 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is an excellent point. I did not have a chance in my remarks to talk specifically about the transparency issues. Again, we need to support this bill through the second reading stage out of agreement with the general principle that we need to do more on cybersecurity, recognizing how far behind the government has been.
However, there are significant issues with respect to ensuring transparency. There are significant issues on whether the bill is clear and specific enough about the steps that are required, instead of just leaving it, as we see often with the government and legislation, and giving an open-ended blank cheque to the government.
There are definitely issues. This requires a detailed committee study. I hope Conservative proposals will be adopted and we will be able to strengthen the bill as a result.
140 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will begin by saying that I will be sharing my time with the hon. member for Abitibi—Témiscamingue.
I am pleased to speak to this bill, which, I must say, was eagerly awaited by my party.
The Standing Committee on Public Safety and National Security had the opportunity to study the issue of cyber security. We heard from experts in this field, who told us what they think about Canada's cyber security preparedness or posture. The idea came from my Conservative colleagues, and it was a very good one.
Given what is happening in Ukraine with the Russian invasion, we know that there are still military threats in the 21st century. However, we are also dealing with the emergence of new technologies that pose non-military threats. I had the opportunity to talk about these non-military threats at the Organization for Security and Co-operation in Europe Parliamentary Assembly last week in Warsaw, Poland. I discussed non-military threats and how different countries must prepare for or guard against them.
What the Standing Committee on Public Safety and National Security heard is how difficult it is to prepare for these threats, because they are evolving so quickly. No one had anything particularly positive to say about Canada's preparedness.
I think that the willingness is there, and that is what the experts told us: Canada is trying to prepare for and guard against potential cyber-attacks. I said “potential” cyber-attacks, but they are already happening. We know there have been cyber-attacks on various infrastructure and companies in Quebec and Canada, especially in the private sector, in the past. Canada is not as prepared as it could be to face these attacks, but we were told that it may never be totally prepared. The same is true for all countries because, as I said, the technology is changing so rapidly.
For this reason, I think that adopting a cybersecurity framework is an extremely positive step. That is what the government promised. In its national cyber security strategy, it pledged to better regulate cyber systems in the federally regulated private sector. The 2019 budget earmarked $144.9 million to develop a new framework to protect critical infrastructure. That is exactly what the two main parts of this bill do. They are aimed at strengthening the security of the Canadian telecommunications system.
Part 1 of the bill amends the Telecommunications Act to add the promotion of security, authorizing the government to direct Internet service providers to do anything, or refrain from doing anything, that is necessary to secure Canada's telecommunications system. Part 2 enacts the new critical cyber systems protection act to provide a framework for the protection of critical cyber-infrastructure and companies under federal jurisdiction.
The act is essentially a regulatory framework. As my colleague from Abitibi—Témiscamingue mentioned earlier in his question to our Conservative colleague, we will have to see what impact this bill could have on Quebec, especially companies and organizations like Hydro-Québec, since it designates interprovincial power line systems as vital services and vital systems. More on that later.
We will also have to see in committee whether the vast regulation-making powers provided for in Bill C-26 are justified or whether they bypass Parliament for no reason. Certain groups that raised concerns in the media have contacted us as well. Their concerns about this bill are well founded. I will get back to this a little later on.
I would say that it is important to proceed carefully and properly with this bill. Any amendments made to the bill will have a direct impact on every transmission facility in Quebec, including those that will soon be built in my riding to offer adequate cell service to those who are still waiting. Some Canadian ridings are unfortunately still without cell service in 2022. Since my riding is one of them, the bill will have a significant impact.
Local telephone service providers, IP-based voice services, Internet service providers, long distance providers and wireless services will be subject to the amendments to the act.
This means that the amendments would allow authorities to secure the system if there is reason to believe that the security of the telecommunications system is under threat of interference, manipulation or disruption. In that case, telecommunication service providers could be prohibited from using or supplying certain goods or services.
As I understand the wording of the bill, which is rather complex, telecommunication service providers could even be prohibited from supplying services to a specific individual. It is important to realize that these are vast powers, and I hope that, when the bill is sent to committee for study, it will be detailed enough to include the factors that will be taken into account before such powers are granted.
As I was saying earlier, the act will make it possible to designate certain systems and services under federal jurisdiction as critical to national security or public safety. The new Critical Cyber Systems Protection Act will protect critical cyber systems in the private sector.
What, then, is a critical cyber system? I found it difficult to find a clear definition in French of what a critical cyber system is, but the government defines the term itself in the bill. It appears that it is a “system that, if...compromised, could affect the continuity or security of a vital service or vital system.”
The bills lists six vital services and systems in its schedule. These obviously include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are under federal jurisdiction, banking systems, and clearing and settlement systems.
These are the areas this bill addresses. That is a lot to verify, and several actors are involved. Several ministers will be involved in the regulatory process after that, so it is important to study the bill carefully.
At this stage, a number of questions arise. For example, what impact will the bill have on certain interprovincial infrastructures, such as power lines and power grids? The act could impact Hydro-Québec and other non-federal infrastructures, such as aluminum smelters. As I understand it, the bill itself would designate interprovincial power lines as a vital service. That could have an impact.
In principle, the bill is not a problem for my party. When we call experts to testify before the committee, we will be able to determine whether or not it will have a positive impact. I think it could be very positive, but we need to look at its scope.
The Bloc Québécois has often supported the government in its efforts to ensure stricter control of broadcasting for certain vital infrastructures that could be in the crosshairs of foreign nations. Let us consider China and Russia, as I mentioned earlier. There is the Huawei saga and the development of the 5G network. The government's indecision for so many years proves that it would have been better to act beforehand rather than to react to the current situation. China's increasing power and its attempts at interference on several occasions, as well as Canada's vulnerabilities in terms of cybersecurity, are real. For example, we know that Hydro-Québec has been a potential target for Chinese espionage. The same could happen directly in our infrastructures. I think that this bill is relevant. We are very happy that the government introduced it. That is why the Bloc Québécois will vote in favour of sending the bill to a parliamentary committee so that we can hear what the experts have to say.
I would like to take these final moments to talk about the concerns voiced by certain groups. Professor Christopher Parsons of the University of Toronto said that the bill was so imperfect that authoritarian governments around the world could cite it to justify their own repressive laws. That is a worrisome statement. I will elaborate during questions and comments.
1353 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, indeed, the committee has heard from several experts on this subject. They told us that there is currently nothing to force companies, whether they are federally regulated or not, to report when they are victims of cyber-attacks, for example. They can just not report it and try to work through it on their own, even though there are authorities in place to help them through these kinds of events.
The experts were telling us that it might be worth having a framework that forces companies to work with the government or cybersecurity bodies to report and help prevent attacks so that a solution can be found. My understanding of the bill is that it would create a framework to compel federally regulated companies to do exactly that. I think that is a very good idea. It follows through on what the experts were proposing in committee.
149 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am pleased to rise to speak to Bill C-26, which will strengthen the security of critical infrastructure and Canada's telecommunications system.
Since June, many experts have been working to learn more about the provisions of this act and assess the value of what the government is proposing.
First, this bill is not structured in the usual way. I see that the urgent need to manage cybersecurity has been taken into account. This bill would give the minister new responsibilities, but the Governor in Council would also be able to act. The law is essentially a regulatory framework that will enable the government to make regulations to ensure the security of critical cyber systems.
I want to focus on the second part of the bill, because passing it will create a new law, the critical cyber systems protection act, which will provide a framework for the protection of critical cyber-infrastructure or businesses under federal jurisdiction. The affected sectors of our economy are identified as designated operators. It is easy to determine which businesses and organizations are affected.
The government has done well to specify who will must comply with the obligations: persons, partnerships or unincorporated organizations that belong to any class of operators set out in schedule 2 of the new law. Those classes will be identified by order.
Each class of operators will be assigned a corresponding regulator, such as the Minister of Innovation, Science and Industry, the Minister of Transport, the Office of the Superintendent of Financial Institutions, the Canadian Energy Regulator, the Bank of Canada or the Canadian Nuclear Safety Commission.
Schedule 1 of the new act sets out the vital services and vital systems that will form the basis of these designations, which may be added at a later date: telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are within the legislative authority of Parliament, banking systems, and clearing and settlement systems.
I would like to draw my colleagues' attention to Hydro-Québec. An important part of the bill that has the Bloc Québécois concerned is the part on vital services and vital systems, which could potentially involve interprovincial power lines and distribution networks. It is of paramount importance that this section of the bill be studied and clarified in committee to assess whether this will affect Hydro-Québec and, if so, how.
However, we are not against the underlying principles and objectives of securing and protecting interprovincial infrastructure. Hydro-Québec reportedly suffers more than 500 cyber-attacks a year, or roughly 41 attacks a month. That is more than one attack a day. This could jeopardize our power grid, putting the life and economic health of every Quebecker at risk. It could also jeopardize customers' personal information, although that is generally a secondary target in any attack against a publicly owned energy corporation.
Although Hydro-Québec has managed to fend off these cyber-attacks and protect itself by investing in systems, firewalls and employee training, why should we not take proactive measures? Not only is it very time-consuming for businesses like Hydro-Québec and Desjardins to protect themselves and react to the constant onslaught of cybersecurity attacks, but it is also very expensive. Hopefully, this bill will help prevent or limit these attacks by taking a proactive approach and regulating and promoting new cybersecurity frameworks among Internet service providers. This is particularly important in light of the increased threat to our infrastructure from bad state actors such as Russia or China.
Hopefully, unlike today, businesses will have resources they can consult for information about cyber-attacks.
This is also a national security issue. These states have become emboldened not just by the Canadian government's passive reaction, but also by the regulatory void. We need only think of Huawei and the threat it represents, as well as the damage it has caused to the national security of countries around the world, especially in Africa. The examples are quite striking. China has passed a law forcing all businesses to contribute to the advancement of the objectives of Chinese intelligence services, which is particularly alarming when we consider that this country uses coercive diplomacy, blatantly disregarding international standards.
Even though the federal government has finally banned Huawei technology, the decision was preceded by many years of uncertainty because of the pressure, power and influence that China could unfortunately bring to bear on us.
This decision showed how vulnerable we are to malicious actors on the world stage. That is why we need a regulatory framework, a way to respond to cybersecurity threats, particularly from foreign powers that are in a position of power and use the weakness of others to advance their own positions.
I met this morning with representatives from Shakepay, a Quebec-based financial technology company that operates a platform dedicated entirely to bitcoin, with over one million Canadian customers. One of the things that struck me in that meeting was the importance they place on security and customer protection. Of course, I had Bill C‑26 in mind. They told me that all customer funds are held in a trust at a ratio of 1:1 with Canadian financial institutions and leading cryptocurrency depositories. I learned that they are continually working to improve and promote the implementation of cybersecurity measures to protect their systems.
In preparing for my remarks today on Bill C‑26, I started thinking that we need to examine how we can build on the security standards of Quebec companies like Shakepay and that we need to determine whether the bitcoin and cryptocurrency industry should also be considered in Bill C‑26. Whether we like it or not, technology and customer habits may be leading us in that direction.
I would like to discuss cyber-resilience. I understand that the bill will not be studied by the Standing Committee on Industry and Technology, on which I sit. However, I see issues that affect industries that are in that niche of protecting systems from cyber-attacks. There are two things to keep in mind here: The attackers go after data using methods that were previously unimaginable, and they tend to favour methods that significantly delay the ability to resume operations. The desired consequences are financial and reputational damage.
The inherent complexity of the systems currently in place requires increasingly specialized resources. Innovation, research and development must be encouraged, in short, the entire ecosystem of this industry that works on the cyber-resilience of very high-risk systems. We need to ensure to attract the best talent in the world. The government must carry out its responsibilities at the same pace as it introduces these changes. Let us not forget, as the opportunities for cyber-attacks keep increasing, that we are always one incident away from our continuity of operations being disrupted.
Is there an urgent need for action? Yes, clearly. Is the government on the same page as the people involved in this industry? Unfortunately, it has fallen behind.
For the past year, the Standing Committee on Industry and Technology has been studying topics that enabled it to get to the heart of the advanced technologies used in the industries covered by this bill. The inherent complexity of the environments in which those industries operate expose critical data and system configurations to greater risks than ever before, so much so that we are no longer assessing the likelihood of a successful cyber-attack, but instead how to recover. In fact, as IT infrastructure has become increasingly complex, cyber-attacks have become increasingly sophisticated too.
I dare not imagine what will happen in the coming years, when AI reaches its full potential and quantum computing becomes available. What I am hearing is that hundreds of pieces of users' electronic data are stored each day on international servers. They cannot be thoroughly processed using currently available technology, but what will happen when quantum computers are able to process those data? Maybe we will be very vulnerable as a result of actions we take today by casually agreeing to things in an app or allowing our data to be collected. In short, in five years' time, we may be paying for what we are giving away today.
In conclusion, the Bloc Québécois supports the bill. We want it to be sent to committee to be studied in detail, as my colleague from Avignon—La Mitis—Matane—Matapédia said. I also welcome forthcoming opportunities for specialists in Quebec industries who are renowned for their expertise.
1452 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is indeed essential, and it is also essential that the act have more teeth. In my opinion, it is vital that the act provide for a mechanism for issuing sanctions or fines in order to enforce compliance with orders and regulations aimed at securing telecommunications.
Let me give an example. We have learned that China maybe funding elections, meaning that there must be a network out there that is a threat to our country. Our national security and our ability to decide for ourselves who will lead our country are being influenced by foreign money. That is something that really worries me.
As a result, our systems need to be strengthened and penalties need to be imposed. Before that, however, we must know what happened, diagnose the problem accurately and be transparent. That is just one example of many, but that is how the problems should be resolved, particularly with respect to cybersecurity.
156 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, because it is the holiday season I will not slight the government for taking so long to bring legislation like this forward. We know that France and the U.K. are far ahead of us in terms of addressing cybersecurity issues. I will give credit to the minister for at least starting to move this process forward.
Our shared concern with the Bloc is that the minister is going to have these extra powers. We are disappointed that this legislation has come forward without ensuring that Canadians will not be unjustly examined or that this is not going to be applied to ordinary Canadians.
Maybe my colleague could speak about how important it is, when government brings forward legislation, that these things are presented in the initial piece of legislation, rather than assuming it will go to committee and get improved upon there. There should be some effort from the government to address these areas at the beginning.
160 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is a pleasure to rise today to speak to Bill C-26 on cybersecurity. I will be sharing my time today with the member for Edmonton Manning.
Canadians recognize that we need to do something in the area of cybersecurity. We have all experienced hackers. Myself, when I have bought something online, the next thing I know is my credit card is hacked and then all the pre-authorized transactions need to be changed. It is very time-consuming. I have been hacked numerous times on Facebook, as I am sure many have, as well as on Instagram and other places. Those are small examples that Canadians are seeing.
Let us think about the more serious cyber-hacking we are seeing, whereby government systems are hacked and breaches of information are happening. Businesses are experiencing this. I have a friend who is an anti-cyber hacker. For $2,500 a day, he goes around the world, helping companies that have been hacked to improve their protections.
Something needs to be done. I would like to talk today about what needs to be done, and then how the bill does or does not meet that need.
First, we have to identify what the critical systems are. What are the things we want to protect? If somebody hacks my Netflix account, it is not earth-shattering. However, there are things that are important, and I think everyone would agree that databases that protect our identity or have information about our identity are critical.
Financial institutions and people's financial information are critical. On our medical information, we have spent a lot of time on legislation and regulations on protecting medical privacy. Those, to me, would be three of them, but certainly, the critical systems need to be identified.
We need to make sure there are adequate protections in place. Not every business and level of government has the same amount of protections and technology in place. There is a journey of defining what adequate protection is and helping people get there.
In the case of breaches and having them investigated and addressed, the bill gives very broad powers to the minister. It allows the federal government to secretly order telecom providers to “do anything or refrain from doing anything...necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.”
Those three terms are not well defined, so I think there is some work to be done to define those better, but I do not really believe we want to give the government power to do anything it wants. Certainly, shutting down a system for protection is important when there is an actual threat and not just a potential future threat or a possible threat. In the case of a threat, the government needs the ability to act, but certainly we have to tighten up the language in the bill on that.
After there has been a breach, there needs to be preventive and corrective action. Preventive action would be additional technology walls or additional controls that are put in place to ensure that we have enhanced protection in the future. Corrective action is fixing the holes that people got into in the first place and punishing the hackers. It does not seem like any of that is happening today. The bill does not address that, but there should be some measures there to take corrective action.
I talked about the overarching powers and my concern with them. We cannot have the government continually coming up with bills in which it has not really defined what it is going to do but it tells us not to worry about it because the Governor in Council, after the fact and without any parliamentary oversight, will determine what we are going to do.
The Governor in Council means the Liberal cabinet ministers. I think we are at a place where people have lost trust in the government because there is no transparency. The bill allows the government to make orders in secret, without telling people what is done. The public cannot see it and is suspicious, because people have seen numerous examples of the government hiding things.
We have just come through a $19-million emergency measures act situation in which the Liberal cabinet ministers and the Prime Minister knew they were never going to disclose the documents that would prove or disprove whether they met the threshold, because they were going to hide behind solicitor-client privilege.
They have done it before, hiding behind cabinet confidence, like on the Winnipeg lab issue. Look at the documents we tried to get hold of there. The Liberals even sued the Speaker in order to hide that information from Canadians.
In the SNC-Lavalin scandal, we saw them hiding behind cabinet confidence. In the WE Charity scandal, we saw them hiding behind cabinet confidence. I am a little concerned, then, to find that in this cybersecurity bill, the Liberals are saying the government can make secret orders that the public is not going to ever know about. I think that is very dangerous. This is one of the reasons we are seeing an erosion of trust in Canada.
A recent poll posted by The Canadian Press showed that if we look at the trust index in Canada, only 22% of Canadians trust the government or politicians. That means four out of five Canadians do not trust the government or politicians, and it is partly because of what has gone on before, when things have been done such as people's banks accounts frozen and drones surveilling citizens. People have lost trust, so I do not think they are going to be willing to give a blank cheque to the government to do whatever it wants for cybersecurity, to control enterprises outside the government to get them to stop operating, for example. The riverbanks need to be much tighter on that.
People are concerned about their civil liberties, and I know there has been a lot of conversation about the lack of privacy protection in this country. We have regulations like PIPA and PIPEDA. My doctor cannot reveal my medical information; my employer cannot reveal my medical information, but various levels of government in the pandemic made it so that every barmaid and restaurant owner could know my private medical information and keep a list of it, which is totally against the law. Therefore, when it comes to cybersecurity we are going to have to make sure the privacy of Canadians' information is better protected, and I do not see that element here in the bill—
1110 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I have no problem clarifying. Several of the places I went into were following provincial orders, to be clear, and they were to record who showed up and whether or not they were vaccinated. That is what was done, and that is against PIPA and PIPEDA.
I will turn to the government's record on protecting us in terms of cybersecurity, and talk about Huawei.
In 2018, our Five Eyes partners were concerned about Huawei's connection to the Chinese communist government, and they were not going to allow Huawei into their networks. However, the Canadian government delayed a decision for four years. The Liberals waited until 2022 to ban Huawei. Why did they do that? It was so Bell and TELUS could implement Huawei technology, 4G technology, across the country. That is hardly a protection from a cybersecurity point of view, and it again speaks to why Canadians have lost trust in the government.
However, I will support the bill to go to committee. I have said that we need to do something for cybersecurity, and I have outlined what I think we need to do. I do not think we can leave these huge gaps that have been cited by numerous institutions.
The University of Toronto has written letters to the government, talking about what is wrong with the bill and what it would like to see. If members have not seen the report it did with the Munk School, called “Cybersecurity Will Not Thrive in Darkness”, there are a number of recommendations in the report that talk about what needs to be done to Bill C-26 to fix it. I would encourage the government to look at that, and I would expect it to become the substance of amendments that would be brought at committee.
Also, we should look at what the constitutional and civil liberties lawyers are saying. They are very concerned about the parts of the bill that would surveil Canadians, so I think we need to make sure we listen to what they have to say. They have written an open letter to the government, and I would recommend that the government take a look at that as well.
Finally, on accountability, due process and public regulation, there is potential for abuse. I would encourage the government to take a look.
I look forward to more discussion at committee.
400 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, we live in a world where every person is increasingly concerned with cybersecurity. So much of our lives is stored on our personal devices, protected by passwords and multi-factor authentication in the hopes of keeping our most private information secure.
Corporations are increasingly at risk. It seems as if every day we hear a new report of companies’ computer systems being hacked and their data held for ransom by thieves who have managed digital anonymity. Law enforcement officials say many such cybercrimes go unreported, with companies paying quietly and privately so as to avoid publicity.
Our public institutions are not immune either. Hospitals have had their computer systems attacked by intruders, putting patients' lives at risk. Emergency services have been attacked, as have the parliamentary computer systems.
Cyber-threats remain a national security and economic issue that threatens the safety and security of Canadians. Government and industry alike have highlighted the need for regulation in cybersecurity. There has been a lot of talk, but not much else.
Currently the Canadian government does not have a legal mechanism to compel action to address cyber-threats or vulnerabilities in the telecommunications sector, yet cybersecurity has become one of the primary issues each person and institution has to address. I am pleased that the government has introduced this legislation to allow us in the House to examine the cybersecurity concerns and needs of our nation.
Bill C-26 would amend the Telecommunications Act as well as other related acts. The intention would be to amend the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything that is necessary to secure the Canadian telecommunications system.
I do not think there is anyone in the House, indeed in the country, who would disagree with the objective. As I have already pointed out, there is a problem with cybersecurity in our society, and government has an important role to play in protecting Canadian individuals and institutions. Some may wonder about giving such power to the Governor in Council and the Minister of Industry, but there are rules for the judicial review of those orders and applications. This is not a granting of absolute power, but of limited power subject to the checks and balances needed in a democracy.
The bill would also enact the critical cyber systems protection act to provide a framework for the protection of the cyber systems of services and systems vital to national security or public safety. This, among other things, would authorize the Governor in Council to designate any service or system as a vital service or vital system. It would require designated operators to establish and implement cybersecurity programs, mitigate supply chain and third party risks, report cybersecurity incidents and comply with cybersecurity directions.
One would think that such cybersecurity measures should be common sense and not need to be mandated by government. Is it right to compel private corporations and organizations to use their own resources to invest in cybersecurity? It would seem to me that well-run businesses would put cybersecurity first. Not every aspect of a business generates income, and smart business managers and owners know that. As the cliché goes, they have to spend money to make money.
Implementing cybersecurity measures comes with a cost. There is no doubt about that. It would seem to me, though, that the cost would be considerably less than the cost of dealing with criminals holding their data for ransom after they have invaded their computer system and locked them out of it.
Cybersecurity makes common sense for business. However, given that implementing cybersecurity measures comes with a financial cost with no corresponding revenue, do we really want to rely on those who might put short-term profits first, or does it make more sense in this case for government to step in to save some business owners from themselves?
As someone who has spent most of his life working as a businessman, I am reluctant to suggest that business owners need to be saved from themselves, but as a Canadian I know that sometimes such action is necessary.
We have only to look at the history of one of Canada's most successful companies: Nortel. It is a company that might still exist if those running it had taken cybersecurity more seriously. With more than 94,000 employees worldwide, Nortel was a high-tech leader until its headquarters were bugged, its computer systems breached and its intellectual property stolen. Now it is just a memory. We will never know for sure, but perhaps if cybersecurity had been a higher priority at Nortel, it would still be providing jobs, products and services for Canadian people. If anyone ever asks why we would take cybersecurity seriously, the one-word answer is “Nortel”.
Though I am a little uneasy that this bill would almost certainly increase regulations and red tape, maybe there are ways that some of the excessive paperwork that seems to be beloved by the Liberals can be made reasonable. Certainly there is a need to ensure a level playing field of regulatory burdens for small and medium-sized businesses and organizations. If there is not, then I can see companies being forced into bankruptcy by the cost of implementing government-mandated cybersecurity procedures. I know that is not the government's intention, but as we have seen in the past, sometimes not all the impacts of government rule-making are foreseen. The Minister of Industry especially needs to ensure that the rules are workable and provide protection against attacks by criminals and malicious states.
Indeed, it is perhaps malicious states that we should be concerned about the most. The interconnectedness of computer systems and their use in controlling and maintaining our infrastructures mean we are increasingly vulnerable to a devastating attack. An enemy that could seize control of our electricity grid or our banking system could bring our nation to its knees without firing a shot. The nature of warfare has changed, and as a result we must change our defences.
Canada's national security requires being prepared for the security warfare threats that we face. The government has been slow to address cyber-threats and has seen a number of serious incidents occur, with no substantive legislative response for seven years. I am pleased that the government has finally chosen to act, and I am hopeful that we in the House can help improve this legislation. Cybersecurity is of paramount importance in the modern world. Canada cannot neglect it.
1125 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I want to congratulate my colleague on his speech.
Cybersecurity is essential, and it is also a race against time because hackers are becoming better and better organized. They are fast, equipped, cunning and, on top of that, dishonest. That gives them an advantage over us presumably honest people.
The government has been slow to act, legislate and get aggressive with cybersecurity.
Does my colleague think that there is still time to take the lead in this race, or are we going to continue to fall behind international hacker organizations?
92 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I mentioned at the end of my speech that the government was very late in putting forward such a bill. It is a very tough question to answer as to whether or not we can catch up. We know the existing wars and challenges and future wars are mostly around cybersecurity. It will be important in this motion of the House, with this bill, to assess how prepared Canada is for facing future threats.
76 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will answer the end of the question and go back to the beginning of what the hon. member asked.
We are still not there in terms of assessing our preparedness and our cybersecurity position. I do not know if we have enough understanding of those challenges, what our position is and how prepared we are. That is a very important task for the government.
As far as financial penalties on businesses, I mentioned in my speech that such things could put some businesses into bankruptcy, because they would not be able to afford the services that would provide the protection needed for them not to end up in such a disastrous situation.
Therefore, a balance is needed, and this has to be done by working together with the industry. If we are truly prepared, the financial penalties should be less, because the government should have done more in the last seven years, or even the years before that, in terms of looking to the future.
It all remains in the hands of the government that is putting this bill forward. We hope to get some answers.
189 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that was a very interesting intervention. I am not a specialist in cybersecurity, so I am finding this debate very informative.
I guess one of the questions I have is about how we balance the need for cybersecurity with the need for transparency. That is really what the big question is for this. How do we make it effective but also adhere to the Canadian values of transparency, human rights and whatnot?
I wonder if the member has anything to say about the fact—
87 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, before I begin, I will just say that I will be splitting my time with the member for Kingston and the Islands.
It is an honour to rise today in the House to debate the second reading of Bill C-26, an act respecting cybersecurity. To me, cybersecurity is essential, and it certainly relates directly to our national security.
When we consider the challenges and opportunities we face in this field, the theme of collaboration underpins and needs to underpin all that we do.
The prevalence of cybercrime in an increasingly online world, improving cyber-defence posture in an unstable global environment, deep thinking about what the future holds in a world where innovation and change are exponential, a critical look at whether our policies and laws are up to the task, and the protection of content and intellectual property as data becomes one of the world's most precious resources: These are just some of the reflections that we have to have when considering this bill.
In Canada, being online and connected is essential. Now, more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying connected with loved ones across the country and around the world. We should be able to do all these activities safely and securely.
I would like to offer a few words about what we are doing here in Canada to get that balance right, and I would like to reinforce the importance of our commitment to protecting the cyber systems that underpin our critical infrastructure.
We can take the emergence of new technologies, such as 5G, as one clear reason we need to redouble our efforts. We think about our increased reliance on technology in light of the COVID-19 pandemic. We think about international tensions amidst Russia’s unprovoked and unjustified ongoing invasion of Ukraine, with threats ranging from supply chain disruptions to state and non-state malicious cyber-activity.
Through all of these remarkable events, the government has been working tirelessly to keep Canadians safe. We recognize that, now more than ever, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of critical services, such as energy production, financial transactions, safe transportation and emergency communications.
As part of his mandate, bestowed by Prime Minister Trudeau, the Minister of Public Safety is seized with the opportunity and challenge of developing a renewed national—
424 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as part of the mandate bestowed upon him by the Prime Minister, the Minister of Public Safety is seized with the opportunity and challenge of developing a renewed cybersecurity strategy. We need to make sure we articulate Canada’s long-term plan to protect our national security and economy, deter cyber-threat actors, and promote norms-based international behaviour in cyberspace.
The Government of Canada is working to enhance the cybersecurity of the country’s critical infrastructure. The work to identify cyber-threats and vulnerabilities, and to respond to cyber-incidents, is around the clock and ongoing. Unfortunately, we have seen that malicious actors continue to attempt to take advantage of the current environment to exploit certain sectors. I would like to use one example that is relevant for my riding and the region I come from.
My riding is the riding of Whitby, and Durham District School Board is the public school board in our area. On Friday, November 25, just very recently, there was a cyber-incident at the Durham District School Board. It resulted in online classes being cancelled. They were forced to postpone scheduled literacy tests. They have had phone lines down and email service down. They even do not have access to emergency contacts, and they are trying to limit this incident so it does not impact payroll for the over 14,000 Durham District School Board employees. There are 75,000 students who go to school across our region.
They have notified police of the attack. Their investigation is said to be very complex and time consuming, and they will be assessing the privacy impacts, but we can just imagine how this has impacted students and employees at Durham District School Board.
This is a really serious topic. I think we all need to give it the weight it deserves, and this legislation is trying to ensure we do our utmost to protect against these cyber-threats in the future.
However, we are not starting from scratch to tackle these threats. Since 2018, the Government of Canada has invested a total of approximately $4.8 billion in cybersecurity. Through the national cybersecurity strategy, the Government of Canada would be taking decisive action to strengthen Canada’s defence, preparedness and enforcement against cyber-threats. The strategy was paired with the largest investment in cybersecurity ever made by the Government of Canada, totalling close to $800 million in the 2018 and 2019 federal budgets.
In the 2021 budget, the government allocated an additional $791 million to improve and defend cyber-networks, enhance data collection and protect taxpayer information, and in the 2022 budget, another $852.9 million was committed to enhance the Communications Security Establishment and its ability to conduct cyber-operations, make critical government systems more resilient, and prevent and respond to cyber-incidents on critical infrastructure.
Under the strategy, two flagship organizations were established. One is the Canadian centre for cybersecurity, otherwise known as the cyber centre, under CSE, and the other is the national cybercrime coordination centre under the RCMP.
The cyber centre is a single, unified team of government cybersecurity technical experts. The centre is the definitive source of unique technical advice, guidance, services, messaging and support on cybersecurity operational matters for government, critical infrastructure owners and operators, the private sector, and the Canadian public.
The NC3 coordinates Canadian police operations against cybercriminals and established a national mechanism for Canadians and businesses to report cybercrime to police. In the example I mentioned in my riding of the Durham District School Board, it would report the cybercrime to the local police, and that would go up through NC3 as well.
Public Safety Canada’s Canadian cybersecurity tool also helps owners and operators of Canada’s critical infrastructure to evaluate their cyber-maturity against established benchmarks and by peer comparison. It offers concrete guidance on how they can become more cyber-resilient.
Public Safety Canada also coordinates and delivers cyber-based exercises for the critical infrastructure community to test and develop capabilities to respond to and recover from malicious cyber-activities. More broadly, the department, as the federal lead on cybersecurity policy, promotes communication and collaboration to raise awareness of cyber-threats and risks, including with our international partners. Public Safety Canada works closely with the Communications Security Establishment’s Canadian centre for cybersecurity to enhance the resilience of critical infrastructure in Canada. The cyber centre, in addition to providing public advisories, shares valuable cyber-threat information with Canadian critical infrastructure owners and operators.
Today I am very proud to say that we can begin to debate a new piece of legislation to further strengthen what we have built as a government. Today we are debating Bill C-26 for the second reading, and this legislation's objective is twofold.
The first part proposes to make amendments to the Telecommunications Act, which include adding security as a policy objective, adding implementation authorities and bringing the telecommunications sector in line with other critical infrastructure sectors. This would allow the government, when necessary, to mandate any action necessary to secure Canada’s telecommunications system, including its 5G networks. This would include authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers.
The second part introduces the critical cyber systems protection act, or CCSPA. This new act would require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to take specific actions to protect their critical cyber-systems, and it would support organizations' ability to prevent and recover from a wide range of malicious cyber-activities, including malicious electronic espionage and ransomware.
944 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am not a cybersecurity expert either.
A few weeks ago, I attended a demonstration in Montreal with 10,000 people to support the people who are fighting for their freedom in Iran, which, as we know, is not a democratic state. I have also strongly supported people from the Uighur community, who I have met with many times here in Ottawa. We know that they are facing genocide in China. The small white square that I am wearing is a sign of support for people who, at this time, are rising up against the health measures in China, as well as the people in Russia who are protesting against the war in Ukraine.
I want to know if there are concrete measures in Bill C‑26 that would prevent Iran, China and Russia from carrying out cyber-attacks on social networks and, for example, hacking my account and interfering in my life as an MP? I would like my colleague to clarify that.
167 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
