44th Parl. 1st Sess.
December 1, 2022 10:00AM
moved that Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, be read the second time and referred to a committee.
He said: Mr. Speaker, it is an honour to help kick off second reading debate of Bill C-26, an act respecting cybersecurity. I know this chamber has been anxiously awaiting the chance to advance discourse on this important legislation.
I will begin by saying that cybersecurity is national security. We need to make sure that our defences meet all of the challenges that are reflected today, and we need to make sure that both the public sector and the private sector are able to better protect themselves against malicious cyber-activity, including cyber-attacks. It is about defending Canada and the critical infrastructure we rely on, and we know that this will not be the last we hear of this issue.
What we decide now in the cybersecurity realm will help us form a launching pad for the way forward, because we know that our actions in the cybersphere are always a work in progress. We know that meeting the moment means that our actions must continually, effectively and safely provide a foundation for the way Canadians thrive in the 21st century.
Being online and connected is essential to all Canadians. Now, more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying in touch and connected with loved one from coast to coast to coast and indeed around the world. Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, particularly with the emergency of new technologies such as 5G, which will operate at significantly higher speeds and will provide greater versatility, capability and complexity than previous generations.
These technologies certainly create significant economic benefits and opportunities, but they also bring with them new security vulnerabilities that some may be tempted to prey on.
The COVID-19 pandemic showed how important it is for Canadians to have secure and reliable connectivity. The government is determined to boost security for Canada's cyberfuture.
We also know about the inherent threats to our safety and security. Cyber-threats remain a significant national and economic security issue that can threaten that safety. The Canadian centre for cybersecurity's “National Cyber Threat Assessment 2023-2024” found this:
State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians....
Cybercriminals exploit critical infrastructure because downtime can be harmful to their industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position in case of future hostilities, and as a form of power projection and intimidation.
These activities will not cease. Malicious actors could take advantage of increased connectivity to trigger malicious events that could also potentially have severe effects on our public safety and national security.
Large corporations and critical infrastructure providers are targeted by actors probing for vulnerabilities and opportunities for penetration, theft and ransomware attacks.
Like its allies, Canada has made efforts to address these vulnerabilities and to ensure the security of Canadians and Canadian businesses.
Canada has long recognized the importance of securing our cyber systems. In 2013, Canada established a collaborative risk mitigation framework, the Communications Security Establishment's security review program. This program has helped to mitigate risks stemming from designated equipment and services under consideration for use in Canadian 3G, 4G and LTE telecommunications networks.
Furthermore, consultations with Canadians in 2016 informed the 2018 national cybersecurity strategy. This strategy established a framework to guide the Government of Canada in helping to protect citizens and businesses from cyber-threats and to take advantage of the economic opportunities afforded by digital technology.
In 2019, the government paid $144.9 million to develop a framework for the protection of critical cyber systems.
In 2021, the government completed its interdepartmental review of 5G telecommunications security. The findings included a recommendation to work with the industry on moving forward with the current risk mitigation framework for the products and services intended for Canadian telecommunications networks.
All this work done over many years to address these known problems and to improve Canada's cybersecurity posture, including with 5G technology, brings us to the bill before us today.
The objectives of Bill C-26 are twofold. One, it proposes to amend the Telecommunications Act to add security, expressly as a policy objective. This would bring the telecommunications sector in line with other critical infrastructure sectors.
The changes to the legislation would authorize the Governor in Council and the Minister of Innovation, Science and Industry to establish and implement, after consulting with the stakeholders, the policy statement entitled “Securing Canada’s Telecommunications System”, which I announced on May19, 2022, together with my colleague, the Minister of Innovation, Science and Industry.
As we announced at the time, the intent is to prohibit the use of products and services by two high-risk suppliers and their affiliates. This would allow the government, when necessary, to prohibit Canadian telecommunications service providers from using products or services from high-risk suppliers, meaning these risks would not be passed on to users. It would allow the government to take security-related measures, much like other federal regulators do in their respective critical infrastructure sectors.
The second part of Bill C-26 introduces the new critical cyber systems protection act, or CCSPA. This new act would require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to protect their critical cyber systems. To this end, designated operators would be obligated to establish a cybersecurity program, mitigate supply chain third party services or product risks, report cybersecurity incidents to the cyber centre and, finally, implement cybersecurity directions.
It would include the ability to take action on other vulnerabilities, such as human error or storms that can cause a risk of outages to these critical services. Once implemented, it would support organizations' abilities to prevent and recover from a wide range of malicious cyber-activities, including cyber-attacks, electronic espionage and ransomware.
The rollout of 5G technology in Canada is well under way. This technology will allow Canadians to move more data faster. It will bring benefits for Canadians and our economy, but with these benefits comes increased risk. Canada's updated framework, established in part 1, aligns with actions taken by our Five Eyes partners, particularly in the United Kingdom. I will add that I recently met with our counterparts in Washington, D.C., not too long ago.
It would allow Canada to take action against threats to the security of our telecommunications sector if necessary. Legislative measures would provide the government with a clear and explicit legal authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers, such as Huawei and ZTE, if required and after consultation.
Once these amendments receive royal assent, the government will be in a position to apply these new order-making powers to the Telecommunications Act.
The CCSPA established in part 2 is also consistent with critical infrastructure cybersecurity legislation established by our Five Eyes partners and would provide a consistent cross-sectoral approach to cybersecurity for Canadian critical infrastructure.
Designated operators would be required to protect their critical cyber systems through the establishment of a cybersecurity program and to mitigate any cybersecurity risks associated with supply chain or third party products and services.
Cyber-incidents involve a certain threshold that would be required to be reported, and legislation would give the government a new tool to compel action, if necessary, in response to cybersecurity threats or vulnerabilities. Both parts 1 and 2 of Bill C-26 are required to ensure the cybersecurity of Canada's federally regulated critical infrastructure and, in turn, protect Canadians and Canadian businesses.
Overall, Bill C-26 demonstrates the government's commitment to increasing the cybersecurity baseline across Canada and to help ensure the national security and public safety of all Canadians.
Cybersecurity is also essential in the context of our economic recovery after the COVID‑19 pandemic. In our increasingly connected world, we must implement the measures required to guarantee the security of our data and ensure that data is not exploited by actors, state-sponsored or not, who constantly seek to exploit our systems.
Recovery from cybersecurity incidents is both costly and time-consuming. Accordingly, when it comes to improving cybersecurity, the interests of government and private industry are aligned. Nevertheless, an administrative monetary penalty scheme and offence provisions would be established within both parts of the bill to promote compliance with orders and regulations, where necessary.
All of the actions I highlighted today form a key part of our ongoing commitment to invest in cybersecurity, including to protect Canadians from cybercrime and to help defend critical private sector systems. Like our allies, Canada has been working to address these vulnerabilities to keep Canadians and Canadian businesses safe. However, we have to be sure that we are ready for the threats that lie on the landscape.
For example, unlike laws governing other critical infrastructure sectors, the Telecommunications Act does not include any official legislative authority to advance the security of Canada's telecommunications system. Despite the existence of multiple programs and platforms enabling public and private collaboration in the telecommunications sector, participation is voluntary.
In addition, across Canada's highly interconnected and interdependent critical infrastructure sectors, there are varying levels of cybersecurity preparedness and no requirement to share information on cyber-incidents currently. Moreover, the government has no legal mechanism to compel action to protect these systems at this time. These are important gaps that the legislation introduced today seeks to address. That is why the government is establishing a strong and modern cybersecurity framework to keep pace with the evolving threats in our environment.
In short, the legislation would form the foundation for securing Canada's critical infrastructure against fast-evolving cyber-threats while spurring growth and innovation to support our economy. Cyber systems are understandably complex and increasingly interdependent with other critical infrastructure. This means the consequences of security breaches are far-reaching. It is also the reason that a consistent, cross-sectoral approach to cybersecurity is built into this legislation.
Bill C-21, which we have tabled and are now debating, would protect Canadians and the cyber systems they depend on well into the future. Significantly, this legislation can serve as a model for provinces, territories and municipalities to help secure critical infrastructure outside of federal jurisdiction. It is an essential addition to Canada's already robust arsenal, which is there to protect us and our economy against cyber-threats. It would allow us to continue taking even stronger action against threats to the security of our telecommunications sector and ensure Canada remains secure, competitive and connected.
I encourage all members to join me in supporting this landmark cybersecurity legislation, Bill C-26, today.
1839 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I would like to thank my colleague for her very important question.
The goal of Bill C-21 is to build a bridge, a collaborative effort between the government, critical infrastructure sectors and the private sector. We developed an approach that includes excellent lines of communication in order to effectively identify the cyber-threats to critical infrastructure that might jeopardize national security and the economy.
In answer to my colleague’s question, we will work with all federal regulators to create a system to protect all critical infrastructure sectors against all cyber-threats.
96 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I look forward to collaborating with the hon. member and other parliamentarians on the debate of this important bill, including at committee stage. Without question, whenever the government takes decisive action to meet the threats posed in the realm of cybersecurity, there does need to be corresponding transparency and an articulation of the reasons we are taking that action.
He is quite right to underline that there would be new authorities contained in this bill. However, those new authorities we would propose to create are in direct response to the gaps that currently exist, as I outlined in my speech. We need to do both in lockstep: address the gaps posed on the landscape of national security in the context of cybersecurity but also be transparent about that.
I point out that there are independent bodies, for example NSICOP and NSIRA, so that where the government is taking steps that implicate national security, there can be accountability. This is the way we can achieve both objectives. It would ensure the confidence of all Canadians that this is an appropriate measure to seize the opportunities there, as well as to manage the risks manifested in our landscape.
198 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is an honour to speak today in the House about Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making other consequential amendments.
This is a critical bill, and I am very happy to see the debate being undertaken today in the House. I do know that cybersecurity is important to the Minister of Public Safety, so I will give him credit for bringing this bill forward. It should be something that is important to all government ministers of every level of government. It is very important that we are having this debate today.
I was provided a briefing from cybersecurity experts from the minister's department just under a year ago. It was very informative about the risk Canada faces in terms of cybersecurity. Just to speak simply, I asked them what would be, in the worst case scenario, sort of a Pearl Harbor moment for Canada. They responded that it would be a cybersecurity attack on our electrical infrastructure or our pipeline infrastructure in the middle of winter. If there were a cyber-attack or a ransomware attack on the infrastructure that keeps Canadians warm in the middle of winter, that would be absolutely devastating, specifically in our coldest provinces, regions and territories in Canada.
Just to give Canadians an idea of the gravity of what we are talking about today and how important it is, not only that we bring forward cybersecurity legislation that builds capacity, but also that it be done right. There was a series of questions before my remarks that outlined a number of the issues in this bill.
I will just outline a number of recent cybersecurity attacks in Canada and also in the United States of late. We know that the Canada Revenue Agency was attacked in August 2020, impacting nearly 13,000 Canadians who were victims of that. There was also a hospital in Newfoundland, in October 2020, where the cybersecurity hackers stole personal information from health care employees and patients in all four health regions, as well as social insurance numbers belonging to over 2,500 patients. Very deeply personal and private data from these hospitals was stolen by cybersecurity hackers.
Global Affairs also most recently was attacked in January 2022, right around the time that Russia engaged in the illegal invasion of Ukraine. It was reported that it may have been Russian, or Russian state-sponsored, actors who were responsible for the cyber-attack on Global Affairs.
That was a very serious attack on another government department. The government is certainly not immune to these types of cybersecurity attacks.
Most famously, I would say, there was a ransomware attack on critical infrastructure in the United States back in May 2021. Pipeline infrastructure was attacked. President Biden issued a state of emergency. Seventeen states issued these states of emergency. It was very serious, and it just shows the capabilities of some of these cyber-threat actors, and the threat they pose to Canadians in their everyday lives and to Canada as a whole, as well as the threat to our allies.
This bill is coming forward in light of the government announcing most recently, in the past year, that it would ban Huawei from our 5G infrastructure. Conservatives and the House of Commons, in fact, have been calling on the government to do that for quite for some time. This legislation would help enable the practical implications of that ban. Again, it is certainly a very long time coming. Had this been done years ago, it would have saved our telecommunications and thereby the everyday users of our telecommunications companies, a lot of pain and a lot of money. I am concerned about the financial impact, although this is critical, that waiting so long to bring it forward would have on everyday Canadians and their cellphone bills, just as an example.
I am the vice-chair of the public safety and national security committee. I championed a study we are undertaking, which is in the process of being finalized right now, of Canada's security posture in relation to Russian aggression. A large part of that study was about cybersecurity. The experts we brought in repeatedly sounded the alarm that cybersecurity is of the utmost importance. It is something that the Government of Canada, the private sector, provincial governments and, frankly, municipal governments must take extremely seriously. It is rapidly evolving. I am going to give some quotes from a few of the experts to the lay the stage of what we are facing as Canadians.
Professor Robert Huebert of the University of Calgary said:
With regard to other cyber threats, we also know the Russians have shown an increasing capability of being able to interfere in various electronic systems and cyber systems of other states. We've seen this with their ability to influence the Ukrainian electrical system prior to the onset of the war in 2014.
This is the other war it engaged in over the last number of years. He also said that we are seeing this in other locations across the globe.
He went on to state:
Once again, it's hard to know exactly how well-defended [Canada has] become in being able to harden that part of cyberwarfare. There's no question, whatsoever, that the attention the Russians and the Chinese are giving this is increasing....
He compared that to the reports we are hearing from our American and British friends and allies who are saying the Chinese and Russians are extremely active on the issue of cybersecurity and involving state-sponsored actors launching attacks against countries like Canada and the United States.
We also had a woman named Jennifer Quaid, who is the executive director of the Canadian Cyber Threat Exchange, which is a private company that supports various companies to help boost their cybersecurity. She talked a lot about cybercriminals. This is an important piece. Even the minister talked about this as well.
First and foremost, she flagged that the Minister of National Defence of the current government said, “Cyber security is one of the most serious economic and national security challenges we face.” Therefore, it is quite a serious issue we are talking about today.
Ms. Quaid went on to say, “cyber-threats are becoming more sophisticated and are increasingly pervasive. Driven by the growth and global adoption of innovative technologies, cybercrime pays.”
She meant that cyber-threat actors can be grouped roughly into two categories, nation states conducting espionage and statecraft through the Internet, and criminals engaging in cybercrime for financial gain.
She went on to say, “It's this criminal element that has commercialized cybercrime”, meaning that cybercriminals and cybercrime have now become a thriving industry. She pointed out that the barriers to entry, the technical expertise needed to be a hacker, so to speak, is increasingly low. She said that several countries now are allowing cybercriminal groups to operate within their borders.
She also named something called a “hacktivist”, an activist hacker, of all things. We may have someone, in the name of social justice, hacking into a fossil fuel company, for example. Imagine if that happened in Canada in the middle of winter to our gas pipeline infrastructure. It would be devastating and deadly, so we have to keep an eye out for hacktivists, as she said.
She also pointed out that 25% of organizations in Canada have reported a cyber-breach. One in four. That is pretty significant. She said that the small and medium-sized enterprises that make up 98% of our economy are also being impacted. Almost 100% of our economy is being attacked in some form or another.
This is really important when we think of big banks and big, wealthy corporations that have pretty good cybersecurity infrastructure and have the money to do so. What feeds them is third party suppliers that may provide the various components or various mechanisms to undertake their important parts of the industry that company is engaged in. They are also at risk. Therefore, if a lower third-party provider of a major telecom is attacked, for example, that may seriously impact the ability of that telecom to deliver its services adequately to Canadians.
She mentioned that 44% of SMEs, small and medium-sized enterprises, do not have any defence. Almost half of our small and medium-sized enterprises, which dominate our economy, do not have any sort of defence and are not even thinking about cybersecurity. That is why today's discussion and this bill are important to be debated and have experts weigh in.
I will also quote Dr. Ken Barker, who is a professor at the Institute for Security, Privacy and Information Assurance at the University of Calgary. He talked a lot about the impact of cybersecurity on critical infrastructure. He mentioned that, in general, it is very vulnerable because it is built on legacy systems that, in essence, predate the Internet. As our legacy systems are getting online, this creates, as he explained, some gaps that hackers can take advantage of, which again puts our critical infrastructure at risk. That came up over and over at committee. He pointed out that our large private companies and our banks are investing a lot in cybersecurity, but again, as he and Ms. Quaid pointed out, it is their SMEs that are the most vulnerable.
I will conclude my quotations here with Caroline Xavier, who is the director of the Communications Security Establishment, which falls under the Department of National Defence. It is the part of government responsible for cybersecurity. Therefore, that she is the head of government cybersecurity is a simple way to look at it.
She said, “cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses. Cybercriminals trying to probe Canadian systems have been found in Russia, Iran and China, among others. [They] use various techniques such as ransomware”. They are specifically focusing on our critical infrastructure, and they certainly pose, as she said, “the greatest strategic threat to Canada.”
The bill before us would do a number of things. It is quite a large bill, so I will not go into every detail of what it would do, but in essence there are two parts. One would amend our existing Telecommunications Act. Of particular importance, it would give very broad and sweeping powers to the minister of industry to do a number of things. What has been criticized by a number of organizations is a specific part of the bill, which is in the summary, that says it would allow the minister and the Governor in Council to “direct telecommunications service providers to do anything, or refrain from doing anything”.
Those are very broad powers to be given to one minister, so that should immediately put up red flags for all of us. No one should have such vast sweeping powers over our telecoms. Again, I have built the case that we need better cybersecurity, but there is a big question mark here of whether we are giving too much power to one minister, one person, in all of Canada.
The bill also has a whole financial issue involved in it. To do anything, as it said, could have massive financial implications. Big companies such as Telus may be able to afford that, but our small telecoms may not be able to so much. It might bankrupt them. That is not great news, and there would be no financial component, in terms of compensation, for any of these losses, so there is a big question mark there as well.
Also, something of importance I find quite concerning is the way the bill is structured would result in a significant exchange of a lot of information from telecoms to the minister, which he could pass on to various ministers and government agencies. Is that very confidential information? It is certainly the cybersecurity plans. Does that include state secrets? Is it safe that we would be asking our telecoms this?
The second part of the bill involves all critical infrastructure companies in Canada, as was outlined by the minister, including provincial and Crown corporations, and the like, so the bill would really establish the process that all of these companies would have to provide their cybersecurity plans, and there would be a very strict reporting mechanism. We are talking about days, if not a few weeks, to get together these plans and provide them to the minister. There would be annual updates required. If a big company were to change a third-party provider, it would have to, in essence, immediately report that to the minister of industry.
There is a whole host of very cumbersome reporting mechanisms, and I do believe we need some of these, but a question remains, as I have outlined earlier, and the government is not immune to being hacked by cybercriminals. I just outlined three or four incidents when that happened. The bill would take all of our critical infrastructure, and all of companies' cyber-defence plans, along with countless other pieces of personal data of Canadians and others, and we would give that to the government. An argument could be made that this is needed, but where are the protections for that? Where is the defence of government to ensure that this would not end up in the wrong hands or that information is not hacked by cyber-actors?
That is a significant threat that needs to be addressed by the minister, and I was not assured from his remarks that this is something that is front and centre in his objective through the bill.
I would also say that there is a number of civil liberty organizations that have raised serious alarm as well. There was an open letter written to the minister from the Canadian Civil Liberties Association, the Canadian Constitution Foundation, the International Civil Liberties Monitoring Group, Leadnow, Ligue des droits et libertés, OpenMedia, and the Privacy and Access Council of Canada. All of the leaders of research and discussion of our civil liberties, all such major organizations in Canada, were quite alarmed by the bill in many ways and wrote an open letter to the minister that outlined a number of things.
In essence, they said the bill would grant the government sweeping new powers, not only over vast swathes of the Canadian economy, but also in intruding on the private lives of Canadians. To sum it up, and I think they said really quite well, “with great power must come great accountability.” There is great power in the bill, but the accountability side is lacking.
Before I go on to detail some of their concerns, I do want to outline what some other countries are doing. If we look at the U.S. and the EU, they have established similar bills in the past year or so. The EU actually has greater and more significant fines in many ways, and the U.S. provides more prescriptive and strict reporting mechanisms, such as, if a U.S. critical infrastructure company has a ransomware attack, the legislation outlines the company must report it to the government within 24 hours.
That actually might be something we may want to consider for the bill. If we are going to go there, we might as well have it in line with our American allies and make it tight. I do think that a reporting mechanism is one of the most important parts of this bill.
I want to go back to the civil liberties issue. With the government's track record on Internet regulation bills, such as Bill C-11 and others, a lot of people have their backs up about their personal freedoms online and their data, rightfully so. The civil liberties associations are raising some of the concerns that have not been assuaged thus far by the government or the Minister of Public Safety.
In the open letter, they mention that this, “Opens the door to new surveillance obligations”, which is quite concerning. In their view, and this has not been proven, “Bill C-26 empowers the government to secretly order telecom providers ‘to do anything or refrain from doing anything’”, as I mentioned. They believe that, if there was an abuse of this extreme power, it could be utilized by a government with ill intent, not to say that is the Liberal government's intent, but it could be utilized to survey Canadian citizens. It is quite concerning.
They go on in that realm to outline that the powers in this bill allow the administrative industry to terminate who telecoms work for, for example. They believe that could also be applied to individual citizens. They are looking at this and thinking, if a government wanted to punish a group of people, it could call up Telus, and this is very blunt and not overly academic in the way I am explaining it, to direct Telus it cannot do business with these people, cut off their access to the Internet and cut off their cell phones.
It is an extreme worst-case scenario, but it is worth flagging that there may be a bit of a backdoor in this bill that would allow that, should an evil government ever come along that is looking to abuse the civil liberties of Canadians. I would like to see that addressed and have safeguards put in place to prevent that type of abuse, should it ever happen in an extreme circumstance.
They also talk about how it “Undermines privacy” and that there are “No guardrails to constraint abuse”. Again, I think this is an area where opposition parties, in particular, and hopefully government members on the committee, can come together to ensure that there is an ombudsman put in place or an oversight body. We need something where the rights of companies, and more importantly of citizens, are protected from the abuses I have outlined, and there are many others.
There were also a lot of concerns from the Business Council of Canada. It wrote an open letter to the minister on behalf of large companies, and also small and medium-sized enterprises. In essence, what we are seeing is the red tape is extremely high, so we are worried that will impact our small and medium enterprises.
The business community, in general, has said that it seems that this bill, to sum it up bluntly, is all stick and no carrot. It is all hard-hitting. It is going to be super hard on us, and we better comply. I can hopefully go into more details about that in the question part of this debate, but there is no incentive structure built in.
There is no incentive to have companies share best practices with each other. I think the government should be a leader in encouraging the open sharing of best practices and experiences that protect the confidentiality of companies but allow them to share information, so other companies can be better equipped, and we can all work together as one big happy, cyber-secure family.
The Conservative Party of Canada is, first and foremost, concerned about national security and ensuring the federal government takes that leadership role in ensuring that Canada, as a whole, is secure against any possible threat, every eventuality, as the Minister of National Defence likes to say.
We are seeing serious gaps in our military. We can have stronger alliances in our Five Eyes intelligence sharing and other agreements. Certainly, that involves cybersecurity. Canada is vulnerable, like many countries in the world. In fact, most countries are dealing with these problems. The Conservative Party of Canada wants to see a more robust framework to incentivize and enforce reporting mechanisms to ensure our cybersecurity is protected, and to make sure there is not a ransomware attack on our pipelines in the middle of winter, which could kill thousands of Canadians from the cold, for example.
We will be looking to support this bill in going to committee, but I want to make it very clear that, if the issues in this bill, and I have outlined a few of them concerning privacy and impacts to business, are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee. I want to make that very clear to the minister and the Liberal government.
We will get this to committee to hear from experts because we believe that is important, but it must be fixed. There are serious issues that need to be addressed and amendments that need to be made. I would ask Liberal members on the committee to get to work with us, so we can make this bill what it needs to be and make it better to ensure cybersecurity is protected in Canada today and for years to come.
3523 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, the member's question is quite a technical one. The member does mention China and what it has done. I am deeply concerned about Chinese state-sponsored actors who are conducting espionage and looking to steal data and very important national security information from various government departments and individual citizens. That is the reason that all of our Five Eyes allies, with Canada being last, banned Huawei from our 5G infrastructure, because of any possible back-door element.
Because, with all companies that are owned by China, there is, to put it bluntly, an ability for them to direct, for example, Huawei to take all their information. That is why Five Eyes allies, put quite simply, called on Huawei to be banned. They did that before us, and we took a very long time.
I will look more into the specifics. The member was not too familiar with what she talking about. Suffice it to say, the Conservative Party of Canada has been very clear: We need to be very clear-eyed on China, in particular when crafting this bill. It needs to be crafted in a way that offers the most defence for Canadian critical infrastructure against Chinese sponsors, state actors or others.
206 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, there is a lot to think about in what the member for Kildonan—St. Paul had to say, and I agree with many things she said, including her concern about the oversharing of Canadians' personal information between government departments. I know that was a significant issue in the 41st Parliament with Bill C-51, when the government of the day introduced security legislation at that time.
I wonder if the Conservative Party today is in a mood to actually protect Canadians against the oversharing of information between government departments and if we might try to find an opportunity in the course of this bill's passage through the House to correct, as we go, some of the defects in that legislation from many years ago.
128 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I am enjoying this Manitoba debate. There are a couple of things I would say.
The government, in the last budget of 2021-22, announced about $700 million for cybersecurity. It seems that it is all going to the Communications Security Establishment, which, as I mentioned in my speech, is the government's sort of cybersecurity agency under the Minister of National Defence. It is great. We do need more resources at the government level for CSE. However, I asked the minister if any of that funding was being provided for our small and medium-sized enterprises so they could boost their cybersecurity. The minister never did get a response to my email.
Again, when we are looking at small companies, it is easy for Telus, big banks and others to afford some of these things. However, if we are looking at small telecom providers, like a small Internet provider in northern B.C., the cost to meet the red tape in the bill might put them out of business. Why not take a little of that funding the government has announced and provide it to our SMEs to help them get to the level we need them to be to protect our critical infrastructure? Perhaps we can get a bit creative and look at our tax system to see if there is some sort of capital expense tax write-off or something we can provide our SMEs to help them get there, because we really need to, as I made the case in my remarks, as I am sure others will as well.
I have not heard a response to that. The government is spending the money anyway. It is spending more money than any government in history. Why not provide a little of that to our SMEs to ensure that critical infrastructure is up to par?
310 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I do not necessarily know the details of the case the member has referenced, but what I can say is that even the Conservative critic acknowledged that certain aspects of the legislation would ensure there are financial penalties and opportunities for the minister to virtually stop an action from taking place. Am I concerned that there is overreach? I do not personally believe there is, but I think there is some merit in having that discussion at the committee stage.
I posed a question to the member: If the concern is that there is too much power for the minister, what would the Conservatives do differently? I recognize the fact that in a cyber-attack, often it is necessary to take fairly strong action in an immediate fashion. I think all members recognize that fact. The issue is whether there is something the Conservatives would like to see to provide an additional sense of security.
157 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I am please to speak today to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.
It is really important to acknowledge that we are severely behind with regard to our protections in this matter. I am going to quote from myself, from when I once engaged the government and asked them this. “I am very concerned that we are not doing enough in Canada to protect the digital privacy of Canadians and am calling on the government to develop stronger frameworks and guidelines to improve cyber security in Canada. These are critical issues that must be addressed”. They must be addressed for the benefit of Canada, as our economy and commerce are currently under threat, as is our personal privacy.
When did I do that? That was in 2016. From 2016 to today, with the digital changes we have had, is a lifetime of change.
I got a response from the government at that time, basically saying it would refer matters and let them play themselves out in court.
One of the most famous cases that came forward at the time involved the University of Calgary, which had reportedly paid $20,000 in compensation to a group of organizations we do not know to protect the breach they had.
What has taken place over several different cases and also in our current laws has shown that it is okay to pay out crime and it is okay to pay out these types of requests for extortion and not even refer that matter back to the people whose privacy has been breached. We do not even have to report it as a crime to law enforcement agencies. It is very disturbing, to say the least. Getting this legislation is something, but it is still a long way off.
As New Democrats, we recognize very much that there needs to be balance in this. This is why I also wrote at that time to the then privacy commissioner of Canada, Jennifer Stoddart, about the cyber-attacks and data breaches.
There is concern about the amount of data and one's rights and one's protections and the knowledge one should have as an individual in a democracy. I do not think it is a conspiracy theory to have those kinds of concerns.
I would point to a simple famous case. As New Democrats are well aware, and I think other Canadians are as well, our number one Canadian champion of health care, Tommy Douglas, was spied upon by his own RCMP at that same time. That was in relation to bringing in Medicare. This is very well documented. We still do not have all the records. We still do not have all the information, and it is a very famous case.
Bringing in our number one treasured jewel, health care, led to a case where our own system was spying on an elected representative who was actually declared Canada's greatest Canadian by the public. We do not want to forget about those things because, when we are introducing laws like this, there is a real concern about one's ability to protect oneself and one's privacy, as well as the expansive conditions that are going to change, often with regard to personal privacy.
What also took place after that was that I was very pleased, in 2020, to put a motion forward at the House of Commons industry committee, where we studied, for the first time in Canadian history, fraud calls in Canada.
There are a lot of cyber-attacks through this type of operating system, and we need to remind ourselves that using this type of system, being our Internet service providers and the telecoms sector, is something that is done by giving up the public infrastructure and a regulated system of industry.
We have built a beast, in many ways, that has a low degree of accountability, and we are finally getting some of that restored. There are also some new programs coming in, like STIR/SHAKEN and other types of reporting that is required.
I want to point out that since we have done that, we have another report that will be tabled, or at least a letter. We have not decided yet, and there is still work going on, but we have had a couple more meetings in the industry committee about it and we have really heard lots of testimony that showed that there is more work that can and should be done.
A good example from the previous report that we did was recommendation number five, which went through sharing information between the RCMP and the CRTC. We have not seen the government act on it.
It is important to note that with this bill there has been a lot of talk about the types of things we can do internationally, as well. One of the things I would point out that I have been very vocal on, because I have had Ukrainian interns in my office for a number of years, is that we could use a lot of our leverage in terms of cybersecurity and training to help them to deal with the Russian hacking and other nefarious international players. That would not only help Ukraine right now in the war with Russia. It would also help with the other activity that comes out of this subsequently, which would help the world economies by having trained, solid professionals who are able to use their expertise and battle this with regard to the current state of affairs and also the future. This would be helpful, not only for the Ukrainian population but also for the European Union, Canada, North America and others, who will continue to battle more complex artificial intelligence and other cyber-attacks that take place.
One of the things I want to note is that in the bill, a proposed new section 15.2 of the act would give the Minister of Industry and the Minister of Public Safety the authority to make several types of orders. It relates to guiding TSPs to stop providing services if necessary. This is a strong power that we are pleased to see in this type of legislation.
What we are really concerned about, as the member for Elmwood—Transcona noted, is that there is no general oversight of the type that we would normally see on other types of legislation. Scrutiny of regulations was the one referred to. For those who are not familiar with the back halls and dark corners of Parliament, there is a committee that I was one of the vice-chairs of at one point in time. The scrutiny of regulations committee oversees all legislation passed in the House of Commons and ensures that the bureaucratic and governmental arms, including that of ministers, whatever political colour they will be of at that time, follow through with the laws of the legislation that is passed. Making this bill not have to go through that type of a process is wrong. I would actually say it is reckless, because the committee has to do a lot of work just to get regulatory things followed on a regular basis. It can be quite a long period, but there is that check and balance that takes place, and it is a joint Senate and House of Commons committee. It is unfortunate that the legislation tries to leave that out.
The legislation also does not have the requirement to gazette information in terms of making it public for the different types of institutions. That is an issue, and it also has a lot of holes when it comes to information that can be withheld and shared.
Why is that important with regard to confidence in the bill? It all comes down to the fact that many of the institutions at risk of being targeted involve not only the private sector, where we have seen not only abuse of customers themselves, or businesses with lax policies that do not protect privacy very well, but also others that have used abusive techniques and processes. Even right now, it is amazing when we think about the information in the process that is going on in the United States. The U.S. Senate is going to oversee the issue with regard to Taylor Swift tickets and Ticketmaster again. That is another one that has had a nefarious past with regard to privacy, information and how it runs its business. People can go back to look at that one, with Live Nation and so forth. At any rate, the U.S. is also involved in this.
I raised those things because it also comes from the soft things like that, which are very serious with respect to credit cards and to people's personal information that is shared. However, across the world and in Canada we also have municipal infrastructure and government institutions that are constantly under attack. That is very important, because it is not just the external elements with regard to consumer protection and business losses, which are quite significant and into the billions of dollars. It is also everything from water treatment facilities to health care facilities in terms of hospitals and utilities for power and hydro. All those elements can be used as targets to undermine a civilian population as well, and one of the things we would like to see is more accountability when it comes to those elements. There is definitely more to do.
One of the things I do not quite understand, and which I am pleased to see the government at least bring to committee, is what we could do to educate the population.
Our first intervention on this bill as New Democrats was several years ago, and it is sad that it is just coming to fruition now.
1653 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will be sharing my time with the hon. member for Vaughan—Woodbridge.
It is a true privilege for me to add my voice to the debate on Bill C-26, an act respecting cybersecurity, on behalf of the residents of my riding of Davenport, many of whom have written to me through the years about their concern around cybersecurity and the need for additional protections at all levels of government.
This bill represents the latest step in the government's constant work to ensure our systems, rules and regulations are strong and as up-to-date as possible. That is especially important when dealing with a topic as fluid and rapidly evolving as cyber-technology. We have known for quite some time we would need to be constantly vigilant on this issue.
In 2013, the government established the security review program operated by the Communications Security Establishment. In 2016, we conducted public consultations on cybersecurity. In 2018, we released the national cybersecurity strategy. In 2019, we allocated $144.9 million through budget 2019 to develop a critical cyber systems framework. In 2021, we completed an interdepartmental 5G security examination, which recommended an updated security framework to safeguard Canada's telecommunications system.
A cornerstone of the updated framework is an evolution of the security review program. It would allow for continued engagement with Canadian telecommunications service providers and equipment suppliers to ensure the security of Canadian telecommunications networks, including 5G. As a result of this multi-year work, to address these identified concerns and improve Canada's cybersecurity posture, including in 5G technology, we introduced Bill C-26.
The bill is intended to promote cybersecurity across four federally regulated critical infrastructure sectors: finance, telecommunications, energy and transportation.
Bill C-26 consists of two very distinct parts. Part 1 introduces amendments to the Telecommunications Act that would add security as a policy objective and create a framework that would allow the federal government to take measures to secure the telecommunications system. Part 2 introduces the critical cyber systems protection act, which would create a regulatory regime requiring designated operators in the finance, telecommunications, energy and transportation sectors to protect their critical cyber systems.
As I mentioned, 5G has the potential to be a transformative technology for Canadians. It promises to bring lightning-fast Internet speeds that are unlike anything we have experienced so far. The benefits of instant and real-time connectivity will be immediate and far-reaching for Canadians and Canadian businesses.
The COVID-19 global pandemic has underlined the importance of this connectivity, whether it is for virtual classrooms, work from home or keeping in touch with loved ones, but we need to be absolutely sure this technology is safe and secure as the technology is rolled out in Canada.
Canada already has a system in place to mitigate cybersecurity risks in our existing 3G and 4G LTE wireless telecommunications network. Since 2013, the Communications Security Establishment's security review program has helped mitigate risks stemming from designated equipment and services under consideration for use in Canadian 3G, 4G LTE telecommunications networks from cyber-threats.
Like previous generations, 5G technology will have new risks and vulnerabilities that will need to be addressed so Canadians can realize its full potential. 5G is considered more sensitive than 4G because it will be deeply integrated into Canada's critical infrastructure and economy, and will connect many more devices through a complex architecture. The deep integration, greater interconnection and complexity increase both the likelihood and potential impact of threats. That is why an examination of emerging 5G technology and the associated security and economic considerations continues to be very important.
The technical agencies of the Government of Canada, within the Department of Innovation, Science and Economic Development, and the safety and security agencies that fall within the Public Safety portfolio, Global Affairs Canada, National Defence and others, are all involved in the federal government's efforts to develop a made-in-Canada approach to ensuring the secure rollout of 5G wireless technology. Moving this bill forward will further that vital work.
In the meantime, our world-class national security and intelligence agencies continue to protect our country from a wide range of threats. As we know, those threats include a growing number of targeted attacks from state and non-state actors, including cybercriminals.
Canada's two main national security organizations, CSIS and CSE, which is short for Communications Security Establishment, are working tirelessly to mitigate these threats.
CSIS provides analysis to assist the federal government in understanding cyber-threats and the intentions and capabilities of cyber actors operating in Canada and abroad who pose a threat to our security. This intelligence helps the government to improve its overall situational awareness, better identify cyber vulnerabilities, prevent cyber espionage or other cyber-threat activity and take action to secure critical infrastructure.
For its part, the CSE is always monitoring for threats that may be directed against Canada and Canadians. The CSE is home to the Canadian centre for cybersecurity, which was established as a flagship initiative of the 2018 national cybersecurity strategy. With the cyber centre, Canadians have a clear and trusted place to turn to for cybersecurity issues. It is Canada's authority on technical and operational cybersecurity issues, a single, unified source of expert advice, guidance, services and support for the federal government, critical infrastructure for owners and operations, the private sector and the Canadian public. It helps to protect and defend Canada's valuable cyber assets and works side by side with the private and public sectors to solve Canada's most complex cyber issues.
For example, the cyber centre has partnered with the Canadian Internet Registration Authority on the CIRA Canadian Shield. The shield is a free protected DNS service that prevents users from connecting to malicious websites that might infect their devices or steal personal information. With the passage of the National Security Act in 2019, Canada's national security and intelligence laws have been modernized and enhanced.
As a result, CSIS and the Communications Security Establishment now have authorities they need to address emerging national security threats, while ensuring that the charter rights of Canadians are protected.
These updates are in line with CSIS's mandate of collecting and analyzing threat-related information concerning the security of Canada in areas including terrorism, espionage, weapons of mass destruction, cybersecurity and critical infrastructure protection.
The passage of the National Security Act also established stand-alone legislation for the CSE for the first time ever. With the Communications Security Establishment Act, the CSE retained its previous authorities and received permission to perform additional activities.
For example, the CSE is now permitted to use more advanced methods and techniques to gather intelligence from foreign targets. Under the CSE Act, CSE is mandated to degrade, disrupt, influence, respond to and interfere with the capabilities of those who aspire to exploit our systems and to take action online to defend Canadian networks and proactively stop cyber-threats before they reach our systems. It is also permitted to assist DND and the Canadian Armed Forces with cyber operations.
As Canada's national police force, the RCMP also plays a very important cybersecurity role. It leads the investigative response to suspected criminal cyber incidents, including those related to national security.
Cybercrime investigations are complex and technical in nature. They require specialized investigative skills and a coordinated effort. That is why, as part of Canada's 2018 national cybersecurity strategy and as a second flagship initiative, the RCMP has established the national cybercrime coordination centre, or NC3.
The NC3 has been up and running for over a year now. It serves all Canadian law enforcement agencies, and its staff includes RCMP officers and civilians from many backgrounds. Working with law enforcement agencies, government and private sector partners, the NC3 performs a number of roles, including coordinating cybercrime investigations in Canada.
All of this is backed up by significant new investments in the two most recent budgets. In budget 2019, we provided $144.9 million to support the protection of critical cyber systems and we later invested almost $400 million in creating the Canadian centre for cybersecurity, the national cybercrime coordination unit and increased RCMP enforcement capacity.
Whether it is nationally or internationally, I have full confidence in the abilities of all those in our national security and intelligence agencies who are working hard day and night to safeguard our cybersecurity and protect us from harm online. I am confident that Bill C-26 will go a long way to continue doing that.
1427 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I say good morning to all of my hon. colleagues, and I thank the hon. member for Davenport for her insightful discussion of this bill.
I am thankful for the opportunity to weigh in on Bill C-26, an act respecting cybersecurity, as we continue debate at second reading. Bill C-26 will take great strides to enhance the safety of our cyber systems and will make changes to allow for measures to be taken within our telecommunications system.
There are two parts to this act. Part 1 amends the Telecommunications Act to “promote the security of the Canadian telecommunications system” as a policy objective. An order-making power tied to that objective would be created for the Governor In Council, or GIC, and the Minister of Industry. That power could be used to compel action by Canadian telecommunications service providers if deemed necessary. With these authorities, the government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.
The bill would enable action against a range of vulnerabilities to these critical systems, including natural disasters and human error. The Department of Innovation, Science and Economic Development would exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry. Once amendments to the Telecommunications Act receive royal assent, GIC or ministerial orders could be issued to service providers.
Part 2 of the act would create the critical cyber systems protection act, or the CCSPA. The CCSPA would be implemented collaboratively by six departments and agencies: the departments of Public Safety; Innovation, Science and Economic Development; Transport; Natural Resources; and Finance, as well as the Communications Security Establishment. They will all play a key role. Indeed, across the Government of Canada, there is a recognition that cybersecurity is a horizontal issue, and it should be addressed through a streamlined government response across sectors, all rowing in the same direction.
Schedule 1 of the act would designate services and systems that are vital to the national security or public safety of Canadians. Currently, schedule 1 includes telecommunications service and transportation systems. It also includes, in the finance sector, banking systems and clearing and settlement systems, and, in the energy sector, interprovincial or international pipeline and power line systems and nuclear energy systems.
Schedule 2 of the act would define classes of operators of the vital services and systems identified in schedule 1, as well as the regulator responsible for those classes. Operators captured in a class are designated operators subject to the act.
In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister of Public Safety would have overall responsibility for the legislation and would lead a number of CCSPA-related processes.
Decision-making by GIC under the CCSPA would ensure that a broad range of relevant factors, including national security, economic priorities, trade, competitiveness and international agreements and commitments, are considered when making decisions that have an impact across sectors. The CCSPA would also leverage regulators' expertise and relationships with entities they already regulate under existing legislation.
The Canadian centre for cybersecurity, or the cyber centre, is responsible for technical cybersecurity advice and guidance within Canada, and that would be no different under the CCSPA. It would receive resources to provide advice, guidance and services to designated operators in order to help them protect their critical cyber systems; regulators in support of their duties and functions to monitor and assess compliance; and public safety and lead departments and their ministers, as required, to support them in exercising their powers and duties under the act.
The CCSPA would require designated operators to establish a cybersecurity program that documents how the protection and resilience of their critical cyber systems will be ensured. CSPs must be established by designated operators within 90 days of them becoming subject to the act, that is, when they fall into a class of designated operators published in schedule 2 of the act.
Once established, the CSP must be implemented and maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology. CSPs must include reasonable steps to identify and manage organizational cybersecurity risks, including risks associated with an operator's supply chain, and the use of third party products and services. They must also protect their critical cyber systems from compromise, detect cybersecurity incidents that affect or have the potential to affect CCS and minimize the impact of cybersecurity incidents affecting critical cyber systems.
This legislation would also help confront supply chain issues. With the increasing complexity of supply chains and increased reliance on the use of third party products and services, such as cloud-based data storage and infrastructure as a service, designated operators can be exposed to significant cybersecurity risks from those sources.
When a designated operator, through its CSP, identifies a cybersecurity risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA would require the designated operator to take reasonable steps to mitigate those risks. Taking reasonable steps to mitigate risk is understood to mean reducing the likelihood of the risk materializing by, for example, securing a supply chain by carefully crafting contractual agreements to gain more visibility into equipment manufacturing, or by choosing another equipment supplier. It can also mean reducing the impact of a risk that materializes.
Under the CCSPA, there would also be a new obligation to report cybersecurity incidents affecting or having the potential to affect critical cyber systems to the Communications Security Establishment, for use by the cyber centre. A threshold defining this reporting obligation would be set in regulations. This would provide the government with a reliable source of information about cybersecurity threats to critical cyber systems. The availability of incident reports would enhance visibility into the overall threat for the cyber centre. Findings from the analyses of incident reports would make it possible for the centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and it would help to inform Canadians of cybersecurity risks and trends, allowing one organization's detection to become another's prevention.
The CCSPA would also create a new authority for the government. Under the act, the Governor in Council would be allowed to issue cybersecurity directions when it decides that specific measures should be taken to protect a critical cyber system from a threat or known vulnerability. Directions would apply to specific designated operators or to certain classes of designated operators. They would require those designated operators to take the measures identified and to do so within a specific time frame. Failure to comply with directions could be subject to an administrative monetary penalty or an offence that can lead to fines or imprisonment. The CCSPA would also includes safeguards to ensure that sensitive information, such as information that was obtained in confidence from Canada's international allies, is protected from disclosure.
All of this provides an overview of strong new legislation, which I hope I have adequately described in two distinct parts. I look forward to our continued debate of this landmark bill, and I encourage all colleagues to join me in supporting Bill C-26 today.
1236 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate the opportunity to speak in the House today to a very serious subject, cybersecurity and the security of our country in general.
I will say, on a lighter note, that my friend from Peace River—Westlock spoke about snowmobiling companies and cyber-attacks. I have some personal experience with snowmobiling at his house, and I would say that the government's approach to security is the equivalent of driving a snowmobile over a four-foot retaining wall, which may or may not have happened the last time I tried to drive one of those machines.
The situation of security in this country is very much worth the House taking note of. For much of the time that I have been engaging with and following politics, the primary area of security we would talk about would be concerns about our readiness for and our response to the threat of terrorism. However, it is important to take stock of how things have changed and the fact that, while there are still concerns about terrorism and how we respond to potential acts of terrorism, the primary security threat we face as a country, and indeed that the western world faces, is the threat of foreign state-backed and directed interference in our national affairs. Our abiding concern should be the reality that various foreign states are trying to shape and interfere with our democratic life to try to bend not only our government institutions, but also our civil society institutions, toward their desired objective.
Members of the government have said that the purpose of this interference is to cause total chaos and confusion. We should acknowledge that there are some cases of foreign interference that are aimed at causing chaos, but very often it is about simply trying to subvert and control the direction of institutions toward the will and the interests of that particular foreign power. We have discussed how the Chinese Communist Party is the biggest player when it comes to foreign state-backed interference, but it is far from the only player.
We have seen reports about Chinese government interference in our elections. There have also been recent reports about death threats from the Iranian regime targeting individuals in Canada. There are various other countries that CSIS and other organizations have identified as being involved in this activity of trying to interfere with, subvert and direct Canadian institutions, government really at all levels, as well as civil society organizations, universities and the like, toward their objective.
This kind of invisible, or sometimes a little more visible but often hard to detect, interference in the direction of our national life toward objectives that are not consistent with the objectives Canadians have established is a great threat to our security and our sovereignty. It is something that we should all be seized with and working to respond to.
Part of the context as well is that we are in what some analysts have described as a second cold war. Of course, there are many features of the current conflict between democratic and authoritarian values that are different from the last Cold War, but we have this reality of intensifying global competition between two different value systems that are represented by different countries at different times, and we have countries that are in the middle that are being pulled in different directions.
I tend to think that kind of cold war frame is a reasonably useful way of understanding the current tensions we face in the world. In the context of those tensions, we see how powers with political values that are fundamentally different from ours, where governments are trying to protect their own position, are trying to project their influence around the world. Again, this requires vigilance. It requires a strong response from Canada.
I have been struck by some of the recent comments from the Prime Minister on these matters. I think he has been showing a real lack of transparency around acknowledging what he knew when, and refusing to answer direct questions from the opposition about foreign interference, but he has also stated quite openly the reality that we have a serious problem with foreign interference. This is a reality that opposition members, in particular in the Conservative Party, have been raising for years. We have been asking the government to do more. We have been calling for strong legislative frameworks to respond to the problem of foreign state-backed interference.
We have also sought to elevate the voices of victims of foreign interference, people who have faced threats and intimidation from foreign state actors to try to silence their advocacy, which those foreign state actors see as contrary to their interests. It has been widely reported some of these victims really struggle to actually get proper support. They often get the runaround.
They go to their local police force, which does not necessarily have the capacity to handle a foreign state-backed organized campaign of threats and intimidation. Do they go to Global Affairs? Do they go to CSIS? Do they go to the RCMP? There can be a bit of confusion and passing of the buck concerning support for these victims of foreign state-backed interference.
We have a lot of work to do in legislation and policy, and our preparedness in general and our understanding of these issues. It is critical that we step up to strengthen our understanding of and response to the threats facing our country.
One thing we need to see more from the Prime Minister and the government is transparency because being transparent about this reality can help to counter the impact of that foreign interference. If we know it is happening, if we know what it is directed toward, then we can respond more effectively.
This is not only a responsibility of the federal government to respond to. Provincial and municipal governments need to be aware of the issues of foreign interference. Our universities need to step up as well. Private companies need to be aware of the risks around interference, theft of technology and the ways in which certain things may have a dual military use. There needs to be a broader awareness of this threat to the national interest, a threat to our values across all sectors of society, and a broader response to it.
The government has an important role to play in leading the response and making changes at the national level. We have been far behind, as far the national government goes, in responding to these threats. The Conservative opposition has been calling for a response to foreign interference for years. Now we are seeing the government start to talk about it a bit more.
I noted in some of the language in the Indo-Pacific strategy, for example, the government is starting, or trying, to sound a bit more like Conservatives in the way it talks about some of the challenges confronting us and the steps we need to take in the Indo-Pacific region. While the government is adopting some of that language, it is failing to substantively adjust its approach.
We have a bill in front of us today that deals with one avenue where we need to be engaged with and responding to the problem of foreign state-backed interference, and that is the issue of cybersecurity. I will be supporting this legislation at this stage to see it go to committee, mainly because we clearly need a new cybersecurity bill. We clearly need a new framework. The committee study will identify some of the significant gaps we see in the legislation right now, the ways the legislation needs to be improved and possibly the many additional steps required. I will just note that it is far past due that we have some kind of proposal for a framework on cybersecurity that, in a way, gives the committee the opportunity to add to and build on what the government has initially put forward.
This is really the first time we see any kind of legislation proposed by the government that substantively touches on this emergent problem of foreign state-backed interference. We need a much broader range of responses from the government. We need so much more to be done to counter this major security threat.
This is about preserving our country. It is about preserving the integrity of our institutions. It is about defending the principle that the direction of our democracy and the direction of our society should be shaped through the open deliberation of Canadians, not by foreign powers who have particular interests that may be contrary to our interests who are trying to push and pull that discussion in their preferred direction.
Having this framework that opens the door for the committee to discuss further, fill in some of the gaps and try to push the government to have greater specificity in the framework around what they are going to do provides us with the opportunity to do that. This is late, lacking in detail and really a small piece of the much broader picture that is required.
The government has been so delayed. I mentioned the decision around Huawei. We were way behind all of our allies in making the decision. It is important now, finally, at this late stage where the government is starting to mention the problem, that we actually see concrete action. Conservatives will be pushing the government to act in line with some of the words it has been saying.
1591 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member is correct that this is not a new issue. That is precisely why I think the government is very late in coming to the table. The issue of foreign interference, which is part of the context of the cyber-threats we face, is also not a new issue. Again, we have been calling for action from the government, but we have not seen other action from it. The member says that the Liberals have done all these other things, such as maybe giving some money over here or over there, but he evidently could not articulate specific measures that the government had taken.
We are behind when it comes to defending our security. We are behind what we should have known much earlier. We are behind our allies. We were the last of the Five Eyes and very late to step up on recognizing the risks associated with Huawei.
When it comes to foreign interference, I will challenge the government on one point: Why has the government not expelled foreign diplomats involved in interference and intimidation in Canada? That would be a simple step and the government has not taken it.
195 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member asked what we would do if we were in government. We would make the right decision on every one of those.
With respect to the particulars the member raises with respect to what powers the federal government would have in intervening with provinces, this is an important issue for the committee to look at. I am supporting this legislation because we need to have a cybersecurity framework in Canada. It is important that this goes through to the committee and that those issues be looked at there.
I did not have time to go into it, but there are a significant number of problems in the legislation that do have to be worked out by the committee. No doubt there has to be a role for federal leadership around security, but it has to be a constructive, collaborative relationship, because there are steps for other levels of government. We see foreign interference at the very granular local level, so that collaboration across levels of government is really important.
172 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will begin by saying that I will be sharing my time with the hon. member for Abitibi—Témiscamingue.
I am pleased to speak to this bill, which, I must say, was eagerly awaited by my party.
The Standing Committee on Public Safety and National Security had the opportunity to study the issue of cyber security. We heard from experts in this field, who told us what they think about Canada's cyber security preparedness or posture. The idea came from my Conservative colleagues, and it was a very good one.
Given what is happening in Ukraine with the Russian invasion, we know that there are still military threats in the 21st century. However, we are also dealing with the emergence of new technologies that pose non-military threats. I had the opportunity to talk about these non-military threats at the Organization for Security and Co-operation in Europe Parliamentary Assembly last week in Warsaw, Poland. I discussed non-military threats and how different countries must prepare for or guard against them.
What the Standing Committee on Public Safety and National Security heard is how difficult it is to prepare for these threats, because they are evolving so quickly. No one had anything particularly positive to say about Canada's preparedness.
I think that the willingness is there, and that is what the experts told us: Canada is trying to prepare for and guard against potential cyber-attacks. I said “potential” cyber-attacks, but they are already happening. We know there have been cyber-attacks on various infrastructure and companies in Quebec and Canada, especially in the private sector, in the past. Canada is not as prepared as it could be to face these attacks, but we were told that it may never be totally prepared. The same is true for all countries because, as I said, the technology is changing so rapidly.
For this reason, I think that adopting a cybersecurity framework is an extremely positive step. That is what the government promised. In its national cyber security strategy, it pledged to better regulate cyber systems in the federally regulated private sector. The 2019 budget earmarked $144.9 million to develop a new framework to protect critical infrastructure. That is exactly what the two main parts of this bill do. They are aimed at strengthening the security of the Canadian telecommunications system.
Part 1 of the bill amends the Telecommunications Act to add the promotion of security, authorizing the government to direct Internet service providers to do anything, or refrain from doing anything, that is necessary to secure Canada's telecommunications system. Part 2 enacts the new critical cyber systems protection act to provide a framework for the protection of critical cyber-infrastructure and companies under federal jurisdiction.
The act is essentially a regulatory framework. As my colleague from Abitibi—Témiscamingue mentioned earlier in his question to our Conservative colleague, we will have to see what impact this bill could have on Quebec, especially companies and organizations like Hydro-Québec, since it designates interprovincial power line systems as vital services and vital systems. More on that later.
We will also have to see in committee whether the vast regulation-making powers provided for in Bill C-26 are justified or whether they bypass Parliament for no reason. Certain groups that raised concerns in the media have contacted us as well. Their concerns about this bill are well founded. I will get back to this a little later on.
I would say that it is important to proceed carefully and properly with this bill. Any amendments made to the bill will have a direct impact on every transmission facility in Quebec, including those that will soon be built in my riding to offer adequate cell service to those who are still waiting. Some Canadian ridings are unfortunately still without cell service in 2022. Since my riding is one of them, the bill will have a significant impact.
Local telephone service providers, IP-based voice services, Internet service providers, long distance providers and wireless services will be subject to the amendments to the act.
This means that the amendments would allow authorities to secure the system if there is reason to believe that the security of the telecommunications system is under threat of interference, manipulation or disruption. In that case, telecommunication service providers could be prohibited from using or supplying certain goods or services.
As I understand the wording of the bill, which is rather complex, telecommunication service providers could even be prohibited from supplying services to a specific individual. It is important to realize that these are vast powers, and I hope that, when the bill is sent to committee for study, it will be detailed enough to include the factors that will be taken into account before such powers are granted.
As I was saying earlier, the act will make it possible to designate certain systems and services under federal jurisdiction as critical to national security or public safety. The new Critical Cyber Systems Protection Act will protect critical cyber systems in the private sector.
What, then, is a critical cyber system? I found it difficult to find a clear definition in French of what a critical cyber system is, but the government defines the term itself in the bill. It appears that it is a “system that, if...compromised, could affect the continuity or security of a vital service or vital system.”
The bills lists six vital services and systems in its schedule. These obviously include telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are under federal jurisdiction, banking systems, and clearing and settlement systems.
These are the areas this bill addresses. That is a lot to verify, and several actors are involved. Several ministers will be involved in the regulatory process after that, so it is important to study the bill carefully.
At this stage, a number of questions arise. For example, what impact will the bill have on certain interprovincial infrastructures, such as power lines and power grids? The act could impact Hydro-Québec and other non-federal infrastructures, such as aluminum smelters. As I understand it, the bill itself would designate interprovincial power lines as a vital service. That could have an impact.
In principle, the bill is not a problem for my party. When we call experts to testify before the committee, we will be able to determine whether or not it will have a positive impact. I think it could be very positive, but we need to look at its scope.
The Bloc Québécois has often supported the government in its efforts to ensure stricter control of broadcasting for certain vital infrastructures that could be in the crosshairs of foreign nations. Let us consider China and Russia, as I mentioned earlier. There is the Huawei saga and the development of the 5G network. The government's indecision for so many years proves that it would have been better to act beforehand rather than to react to the current situation. China's increasing power and its attempts at interference on several occasions, as well as Canada's vulnerabilities in terms of cybersecurity, are real. For example, we know that Hydro-Québec has been a potential target for Chinese espionage. The same could happen directly in our infrastructures. I think that this bill is relevant. We are very happy that the government introduced it. That is why the Bloc Québécois will vote in favour of sending the bill to a parliamentary committee so that we can hear what the experts have to say.
I would like to take these final moments to talk about the concerns voiced by certain groups. Professor Christopher Parsons of the University of Toronto said that the bill was so imperfect that authoritarian governments around the world could cite it to justify their own repressive laws. That is a worrisome statement. I will elaborate during questions and comments.
1353 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank my colleague for her excellent speech. Her understanding of all these things is much greater than mine.
The member talked about interference and disrupting essential infrastructure, of course, as well as cyber-attacks from other countries or even individuals. My colleague also shared what experts told the committee. To hear them tell it, Canada's security system is a long way from being secure.
I would like my colleague to comment on that.
77 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is indeed essential, and it is also essential that the act have more teeth. In my opinion, it is vital that the act provide for a mechanism for issuing sanctions or fines in order to enforce compliance with orders and regulations aimed at securing telecommunications.
Let me give an example. We have learned that China maybe funding elections, meaning that there must be a network out there that is a threat to our country. Our national security and our ability to decide for ourselves who will lead our country are being influenced by foreign money. That is something that really worries me.
As a result, our systems need to be strengthened and penalties need to be imposed. Before that, however, we must know what happened, diagnose the problem accurately and be transparent. That is just one example of many, but that is how the problems should be resolved, particularly with respect to cybersecurity.
156 words
- Hear!
- Rabble!
- add
- star_border
- share
- Dec/1/22 2:27:39 p.m.
- Watch
Mr. Speaker, our government takes all allegations of threats of foreign interference very seriously. That is why we established two panels to review all allegations. The panels confirmed the integrity of the 2019 and 2021 elections.
We will continue to provide all the tools that the national security community needs to protect our democratic institutions.
55 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- Dec/1/22 2:55:18 p.m.
- Watch
Mr. Speaker, let us talk facts. I have a note here from the director of our national security agency concerning a top secret briefing for the Prime Minister that says: “Canada could make good use of an open and transparent policy that would draw attention to the fact that [foreign interference] must be made public”. Yesterday, the Prime Minister himself said, “I know the member opposite, who sat in a cabinet, understands the importance of respecting national security guidelines.”
Why does the Prime Minister refuse to follow our national security agency's instructions? Why continue to withhold information from Canadians?
104 words
- Hear!
- Rabble!
- add
- star_border
- share
- Dec/1/22 2:55:58 p.m.
- Watch
Mr. Speaker, on this side of the House, we have put in place a number of measures to increase transparency about threats of foreign interference. For example, we have the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency, independent bodies that have issued two reports confirming that the 2019 and 2021 elections were free and fair. We will improve transparency because it is a value that protects our democratic institutions.
77 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
