SoVote

Decentralized Democracy

House Hansard - 139

44th Parl. 1st Sess.
December 1, 2022 10:00AM
Context: House Hansard - 139 - Dec/1/22
Hon. Marco Mendicino (Minister of Public Safety, Lib.)
  • Dec/1/22 10:26:09 a.m.
  • Watch
  • Re: Bill C-26 
moved that Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, be read the second time and referred to a committee. He said: Mr. Speaker, it is an honour to help kick off second reading debate of Bill C-26, an act respecting cybersecurity. I know this chamber has been anxiously awaiting the chance to advance discourse on this important legislation. I will begin by saying that cybersecurity is national security. We need to make sure that our defences meet all of the challenges that are reflected today, and we need to make sure that both the public sector and the private sector are able to better protect themselves against malicious cyber-activity, including cyber-attacks. It is about defending Canada and the critical infrastructure we rely on, and we know that this will not be the last we hear of this issue. What we decide now in the cybersecurity realm will help us form a launching pad for the way forward, because we know that our actions in the cybersphere are always a work in progress. We know that meeting the moment means that our actions must continually, effectively and safely provide a foundation for the way Canadians thrive in the 21st century. Being online and connected is essential to all Canadians. Now, more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying in touch and connected with loved one from coast to coast to coast and indeed around the world. Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, particularly with the emergency of new technologies such as 5G, which will operate at significantly higher speeds and will provide greater versatility, capability and complexity than previous generations. These technologies certainly create significant economic benefits and opportunities, but they also bring with them new security vulnerabilities that some may be tempted to prey on. The COVID-19 pandemic showed how important it is for Canadians to have secure and reliable connectivity. The government is determined to boost security for Canada's cyberfuture. We also know about the inherent threats to our safety and security. Cyber-threats remain a significant national and economic security issue that can threaten that safety. The Canadian centre for cybersecurity's “National Cyber Threat Assessment 2023-2024” found this: State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians.... Cybercriminals exploit critical infrastructure because downtime can be harmful to their industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position in case of future hostilities, and as a form of power projection and intimidation. These activities will not cease. Malicious actors could take advantage of increased connectivity to trigger malicious events that could also potentially have severe effects on our public safety and national security. Large corporations and critical infrastructure providers are targeted by actors probing for vulnerabilities and opportunities for penetration, theft and ransomware attacks. Like its allies, Canada has made efforts to address these vulnerabilities and to ensure the security of Canadians and Canadian businesses. Canada has long recognized the importance of securing our cyber systems. In 2013, Canada established a collaborative risk mitigation framework, the Communications Security Establishment's security review program. This program has helped to mitigate risks stemming from designated equipment and services under consideration for use in Canadian 3G, 4G and LTE telecommunications networks. Furthermore, consultations with Canadians in 2016 informed the 2018 national cybersecurity strategy. This strategy established a framework to guide the Government of Canada in helping to protect citizens and businesses from cyber-threats and to take advantage of the economic opportunities afforded by digital technology. In 2019, the government paid $144.9 million to develop a framework for the protection of critical cyber systems. In 2021, the government completed its interdepartmental review of 5G telecommunications security. The findings included a recommendation to work with the industry on moving forward with the current risk mitigation framework for the products and services intended for Canadian telecommunications networks. All this work done over many years to address these known problems and to improve Canada's cybersecurity posture, including with 5G technology, brings us to the bill before us today. The objectives of Bill C-26 are twofold. One, it proposes to amend the Telecommunications Act to add security, expressly as a policy objective. This would bring the telecommunications sector in line with other critical infrastructure sectors. The changes to the legislation would authorize the Governor in Council and the Minister of Innovation, Science and Industry to establish and implement, after consulting with the stakeholders, the policy statement entitled “Securing Canada’s Telecommunications System”, which I announced on May19, 2022, together with my colleague, the Minister of Innovation, Science and Industry. As we announced at the time, the intent is to prohibit the use of products and services by two high-risk suppliers and their affiliates. This would allow the government, when necessary, to prohibit Canadian telecommunications service providers from using products or services from high-risk suppliers, meaning these risks would not be passed on to users. It would allow the government to take security-related measures, much like other federal regulators do in their respective critical infrastructure sectors. The second part of Bill C-26 introduces the new critical cyber systems protection act, or CCSPA. This new act would require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to protect their critical cyber systems. To this end, designated operators would be obligated to establish a cybersecurity program, mitigate supply chain third party services or product risks, report cybersecurity incidents to the cyber centre and, finally, implement cybersecurity directions. It would include the ability to take action on other vulnerabilities, such as human error or storms that can cause a risk of outages to these critical services. Once implemented, it would support organizations' abilities to prevent and recover from a wide range of malicious cyber-activities, including cyber-attacks, electronic espionage and ransomware. The rollout of 5G technology in Canada is well under way. This technology will allow Canadians to move more data faster. It will bring benefits for Canadians and our economy, but with these benefits comes increased risk. Canada's updated framework, established in part 1, aligns with actions taken by our Five Eyes partners, particularly in the United Kingdom. I will add that I recently met with our counterparts in Washington, D.C., not too long ago. It would allow Canada to take action against threats to the security of our telecommunications sector if necessary. Legislative measures would provide the government with a clear and explicit legal authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers, such as Huawei and ZTE, if required and after consultation. Once these amendments receive royal assent, the government will be in a position to apply these new order-making powers to the Telecommunications Act. The CCSPA established in part 2 is also consistent with critical infrastructure cybersecurity legislation established by our Five Eyes partners and would provide a consistent cross-sectoral approach to cybersecurity for Canadian critical infrastructure. Designated operators would be required to protect their critical cyber systems through the establishment of a cybersecurity program and to mitigate any cybersecurity risks associated with supply chain or third party products and services. Cyber-incidents involve a certain threshold that would be required to be reported, and legislation would give the government a new tool to compel action, if necessary, in response to cybersecurity threats or vulnerabilities. Both parts 1 and 2 of Bill C-26 are required to ensure the cybersecurity of Canada's federally regulated critical infrastructure and, in turn, protect Canadians and Canadian businesses. Overall, Bill C-26 demonstrates the government's commitment to increasing the cybersecurity baseline across Canada and to help ensure the national security and public safety of all Canadians. Cybersecurity is also essential in the context of our economic recovery after the COVID‑19 pandemic. In our increasingly connected world, we must implement the measures required to guarantee the security of our data and ensure that data is not exploited by actors, state-sponsored or not, who constantly seek to exploit our systems. Recovery from cybersecurity incidents is both costly and time-consuming. Accordingly, when it comes to improving cybersecurity, the interests of government and private industry are aligned. Nevertheless, an administrative monetary penalty scheme and offence provisions would be established within both parts of the bill to promote compliance with orders and regulations, where necessary. All of the actions I highlighted today form a key part of our ongoing commitment to invest in cybersecurity, including to protect Canadians from cybercrime and to help defend critical private sector systems. Like our allies, Canada has been working to address these vulnerabilities to keep Canadians and Canadian businesses safe. However, we have to be sure that we are ready for the threats that lie on the landscape. For example, unlike laws governing other critical infrastructure sectors, the Telecommunications Act does not include any official legislative authority to advance the security of Canada's telecommunications system. Despite the existence of multiple programs and platforms enabling public and private collaboration in the telecommunications sector, participation is voluntary. In addition, across Canada's highly interconnected and interdependent critical infrastructure sectors, there are varying levels of cybersecurity preparedness and no requirement to share information on cyber-incidents currently. Moreover, the government has no legal mechanism to compel action to protect these systems at this time. These are important gaps that the legislation introduced today seeks to address. That is why the government is establishing a strong and modern cybersecurity framework to keep pace with the evolving threats in our environment. In short, the legislation would form the foundation for securing Canada's critical infrastructure against fast-evolving cyber-threats while spurring growth and innovation to support our economy. Cyber systems are understandably complex and increasingly interdependent with other critical infrastructure. This means the consequences of security breaches are far-reaching. It is also the reason that a consistent, cross-sectoral approach to cybersecurity is built into this legislation. Bill C-21, which we have tabled and are now debating, would protect Canadians and the cyber systems they depend on well into the future. Significantly, this legislation can serve as a model for provinces, territories and municipalities to help secure critical infrastructure outside of federal jurisdiction. It is an essential addition to Canada's already robust arsenal, which is there to protect us and our economy against cyber-threats. It would allow us to continue taking even stronger action against threats to the security of our telecommunications sector and ensure Canada remains secure, competitive and connected. I encourage all members to join me in supporting this landmark cybersecurity legislation, Bill C-26, today.
1839 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Hon. Marco Mendicino
  • Dec/1/22 10:40:38 a.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, I would like to thank my colleague for her very important question. The goal of Bill C-21 is to build a bridge, a collaborative effort between the government, critical infrastructure sectors and the private sector. We developed an approach that includes excellent lines of communication in order to effectively identify the cyber-threats to critical infrastructure that might jeopardize national security and the economy. In answer to my colleague’s question, we will work with all federal regulators to create a system to protect all critical infrastructure sectors against all cyber-threats.
96 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Hon. Marco Mendicino
  • Dec/1/22 10:46:40 a.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, this question allows me to highlight how Canada is co-operating with like-minded democracies around the world, both in the context of the Five Eyes relationship as well as the G7. I had a chance to meet with both counterparts very recently, one in Washington, D.C., and then, about two weeks ago, in Germany. It is without doubt that all the democracies within these multilateral forums are thinking very hard about how to manage threats in cyber, including ransomware, including the spread of disinformation and including the efforts of hostile actors to engage in cyber-espionage and the like. The way we are advancing that collaboration is through information and intelligence sharing as much as possible, so that we can push back against efforts to attack our economies and to attack Canadian interests, etc. Even as we present Bill C-26 for debate, to take decisive action here at home domestically by addressing the current gaps within our cyber-realm, we are also collaborating very robustly with partners around the world who are like-minded in managing these threats.
183 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Alexis Brunelle-Duceppe (Lac-Saint-Jean, BQ)
  • Dec/1/22 11:18:53 a.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, we are talking about cybersecurity. This means that there is a lot of foreign interference conducted through cyber-attacks. Speaking of foreign interference, is my colleague not concerned that, in 2016, after giving a Chinese bank a business licence, the Prime Minister received $70,000 in donations to his riding of Papineau within 48 hours? Is that not interference? In 48 hours, he received donations from outside his riding, specifically from Toronto and British Columbia. Is that not evidence of foreign interference?
84 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Kevin Lamoureux
  • Dec/1/22 11:43:30 a.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, I think Bloc members are hanging around the Conservatives too much. It is usually the Conservatives who go under all the rocks and have conspiracy theories. I, for one, see the legislation for what it is. It is an attempt by the government to ensure that we can effectively deal with the threat of cyber-activities, whether they are state-sponsored or from individuals. That is a very strong positive and is absolutely not unique, as other countries around the world are doing likewise in bringing forward legislation of this nature. In terms of the member's conspiracy theory, I will leave that for another member on another day.
111 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Kevin Lamoureux
  • Dec/1/22 11:48:43 a.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, as the member highlights, when we talk about infrastructure, the whole digital economy and what government does, it would be negligent not to recognize the significance of the private sector and how the private sector feeds into it. In fact, it is a major player of 80% plus. That is why, when we talk about the government's role, ensuring that the national infrastructure is safeguarded against cyber-threats is of the utmost importance. That is the essence of the legislation, along with ensuring that Canadians', business's and governments' interests are well served.
96 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Daniel Blaikie
  • Dec/1/22 11:51:23 a.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, with thanks to the chamber, I am pleased to rise today to speak to Bill C-26. Cybersecurity is a topic that is very much on the minds of many Canadians. It is something that many of us have had experience with in our personal lives, or we know somebody who has. Certainly, as MPs, we hear from folks who have fallen prey to various kinds of cyber-attacks online. We know it is a burgeoning criminal industry to take advantage of people online, grab their information and impersonate their identities. Canadians deserve to be protected from this kind of crime. We also heard about the impact that cybersecurity attacks have had on our commercial industries. One of the examples that stands out in my mind of particular concern was the 2017 cyber-attack on Equifax, where the personal and financial information of thousands of Canadians was obtained illegally. It is an obvious concern for folks when they find out that a company they trusted with their personal information has been subject to this kind of attack. We also know that our government has not been immune from these kinds of attacks. Hospitals and Global Affairs Canada have been the object of successful cyber-attacks. Earlier this fall, the House of Commons had a cyber-attack. MPs were warned about changing their email passwords for fear of information in their work accounts being exposed to outside eyes and ears that would find out what was going on in those accounts. There is no question that it is a real issue. There is also no question, when we talk to experts on the file, that Canada is a laggard in respect to cybersecurity. There have been many debates in this place about the role of Huawei, for instance, in our 5G infrastructure. The government did finally take a decision on Huawei, I think the right decision, although late in the game with respect to our other Five Eyes allies. The idea with this legislation is that the government needs more legal authority in order to implement that decision. Of course, there are a number of ways it can do that. The bill, as it stands, is not ready to go, but New Democrats are happy to send it to committee where we can hear from experts and try to improve it. When I say it is not ready to go, in my view, it is that for as long as it took for the government to reach a decision on Huawei, it clearly was not doing any work alongside its deliberations on Huawei to prepare for banning it. This legislation would largely give a broad, sweeping power to the Minister of Industry to decide later what exactly the government will have to do in order to ban Huawei and respond to other kinds of cyber-threats. There is not a lot of detail in the legislation, and that is something we have seen from the government on other fronts. We have seen it on unrelated items, like the Canada disability benefit. It drafted a bill that had no content on the program. The attitude is “trust us and we will get it right later”. However, we also see a litany of problems with the way the government manages its business, whether we go all the way back to the SNC-Lavalin affair and the question of deferred prosecution agreements or other ethical issues that have come up in the context of this government. I think Canadians are right to have a certain distrust of the government. The answer lies in mechanisms that impose accountability on the government, and those are very clearly absent from this legislation. In fact, not only are they absent from the legislation but the government also very explicitly exempts itself from some of the current types of accountability that do exist. For instance, it exempts itself from the Statutory Instruments Act, which would make it possible for the parliamentary regulations committee to review orders that the minister may issue under the new authority granted to him in this act. Therefore, not only would there be no new accountability measures commensurate with the new powers the government would be giving itself, but it would also be exempting itself from some of the accountability mechanisms already there. The government is also explicitly letting Canadians know its intention in the legislation to give itself the legal authority to keep those orders secret. Therefore, we have to contemplate the idea that there will be a whole branch of secret orders and laws that govern the telecommunications industry that Canadians will not know about, and the telecommunications companies may not have an adequate awareness of them. Where I would like to go with this is to talk a bit more broadly about the Internet and about privacy rights on the Internet. When the new Canada-U.S.-Mexico trade agreement was signed, there was a number of provisions in that agreement that went too far in shoring up the rights of companies to keep their algorithms secret, for instance. There are other kinds of IP protections, or protections that are sold as IP but really mean that it is harder to get a transparent accounting of how companies operate on the Internet and of the artificial intelligence they use to navigate the Internet. There is a way of dealing with the Internet that prioritizes secrecy for commercial purposes, but that same secrecy also breeds more opportunity for malignant actors on the web to go about their business and not have to worry they will have to expose what it is they are doing. Whereas, if we look to the European Union as another model, for privacy and conducting business on the Internet, there are a lot more robust protections there for the private information of consumers on the Internet, and there are a lot more reporting requirements for actors on the Internet. The problem with the bill as it is written here is that it would be trying to fight secrecy with secrecy. When firefighters show up to a house that is on fire, they do not usually show up with a flamethrower. They show up with something else that can fight the fire instead of accelerating it. I do not think Canadians, who are concerned about malignant actors on the Internet and the ways that they are able to exploit the dark corners of the Internet and the back doors of software, also think that the way to fight that is to let the government do it in secret without any reporting. Canadians are not thinking that, with less information available about actors within the digital space or government actions against cybersecurity threats, they are better off if they do not know what the actors on the Internet are doing, and they do not know what the government is doing about it. The problem with the bill as written is that it would double down on the approach that we saw in CUSMA. It was about privacy for actors on the Internet and privacy for the government in how it deals with it. Instead, it could take a more open-source approach to say that the way forward on the Internet has to be that digital actors have to be upfront about the kind of business they are conducting on the Internet, the ways they do it and the algorithms they use. Governments, likewise, could then be pretty transparent about how they would deal with people who were non-compliant or who were breaking the rules. New Democrats are concerned to see, along those broad lines, an approach to the Internet that says transparency and accountability, both for private actors and for public actors, is the way forward. Digital consumers deserve to have this information at their fingertips, so they understand what people are going to be doing with the information they enter on their computer, whether that is to purchase a book, get a loan or whatever kind of business they are doing on the Internet. They should have more rights to know how that information is handled, and the role of the government in keeping that information secure, rather than being told not to worry about it, because commercial interests have their best interest at heart, the government has their best interest at heart, and they do not need to know what is going on. That is why the bill should go to committee, to be sure, because Canada does need its government to have the authority to implement the decision on Huawei and to do better in respect of cybersecurity. There is a lot of good work for committee members to do there, and a lot of amendments that ought to be made to the bill in order for it to pass in subsequent readings.
1481 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Brian Masse (Windsor West, NDP)
  • Dec/1/22 12:06:37 p.m.
  • Watch
  • Re: Bill C-26 
Mr. Speaker, I am please to speak today to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. It is really important to acknowledge that we are severely behind with regard to our protections in this matter. I am going to quote from myself, from when I once engaged the government and asked them this. “I am very concerned that we are not doing enough in Canada to protect the digital privacy of Canadians and am calling on the government to develop stronger frameworks and guidelines to improve cyber security in Canada. These are critical issues that must be addressed”. They must be addressed for the benefit of Canada, as our economy and commerce are currently under threat, as is our personal privacy. When did I do that? That was in 2016. From 2016 to today, with the digital changes we have had, is a lifetime of change. I got a response from the government at that time, basically saying it would refer matters and let them play themselves out in court. One of the most famous cases that came forward at the time involved the University of Calgary, which had reportedly paid $20,000 in compensation to a group of organizations we do not know to protect the breach they had. What has taken place over several different cases and also in our current laws has shown that it is okay to pay out crime and it is okay to pay out these types of requests for extortion and not even refer that matter back to the people whose privacy has been breached. We do not even have to report it as a crime to law enforcement agencies. It is very disturbing, to say the least. Getting this legislation is something, but it is still a long way off. As New Democrats, we recognize very much that there needs to be balance in this. This is why I also wrote at that time to the then privacy commissioner of Canada, Jennifer Stoddart, about the cyber-attacks and data breaches. There is concern about the amount of data and one's rights and one's protections and the knowledge one should have as an individual in a democracy. I do not think it is a conspiracy theory to have those kinds of concerns. I would point to a simple famous case. As New Democrats are well aware, and I think other Canadians are as well, our number one Canadian champion of health care, Tommy Douglas, was spied upon by his own RCMP at that same time. That was in relation to bringing in Medicare. This is very well documented. We still do not have all the records. We still do not have all the information, and it is a very famous case. Bringing in our number one treasured jewel, health care, led to a case where our own system was spying on an elected representative who was actually declared Canada's greatest Canadian by the public. We do not want to forget about those things because, when we are introducing laws like this, there is a real concern about one's ability to protect oneself and one's privacy, as well as the expansive conditions that are going to change, often with regard to personal privacy. What also took place after that was that I was very pleased, in 2020, to put a motion forward at the House of Commons industry committee, where we studied, for the first time in Canadian history, fraud calls in Canada. There are a lot of cyber-attacks through this type of operating system, and we need to remind ourselves that using this type of system, being our Internet service providers and the telecoms sector, is something that is done by giving up the public infrastructure and a regulated system of industry. We have built a beast, in many ways, that has a low degree of accountability, and we are finally getting some of that restored. There are also some new programs coming in, like STIR/SHAKEN and other types of reporting that is required. I want to point out that since we have done that, we have another report that will be tabled, or at least a letter. We have not decided yet, and there is still work going on, but we have had a couple more meetings in the industry committee about it and we have really heard lots of testimony that showed that there is more work that can and should be done. A good example from the previous report that we did was recommendation number five, which went through sharing information between the RCMP and the CRTC. We have not seen the government act on it. It is important to note that with this bill there has been a lot of talk about the types of things we can do internationally, as well. One of the things I would point out that I have been very vocal on, because I have had Ukrainian interns in my office for a number of years, is that we could use a lot of our leverage in terms of cybersecurity and training to help them to deal with the Russian hacking and other nefarious international players. That would not only help Ukraine right now in the war with Russia. It would also help with the other activity that comes out of this subsequently, which would help the world economies by having trained, solid professionals who are able to use their expertise and battle this with regard to the current state of affairs and also the future. This would be helpful, not only for the Ukrainian population but also for the European Union, Canada, North America and others, who will continue to battle more complex artificial intelligence and other cyber-attacks that take place. One of the things I want to note is that in the bill, a proposed new section 15.2 of the act would give the Minister of Industry and the Minister of Public Safety the authority to make several types of orders. It relates to guiding TSPs to stop providing services if necessary. This is a strong power that we are pleased to see in this type of legislation. What we are really concerned about, as the member for Elmwood—Transcona noted, is that there is no general oversight of the type that we would normally see on other types of legislation. Scrutiny of regulations was the one referred to. For those who are not familiar with the back halls and dark corners of Parliament, there is a committee that I was one of the vice-chairs of at one point in time. The scrutiny of regulations committee oversees all legislation passed in the House of Commons and ensures that the bureaucratic and governmental arms, including that of ministers, whatever political colour they will be of at that time, follow through with the laws of the legislation that is passed. Making this bill not have to go through that type of a process is wrong. I would actually say it is reckless, because the committee has to do a lot of work just to get regulatory things followed on a regular basis. It can be quite a long period, but there is that check and balance that takes place, and it is a joint Senate and House of Commons committee. It is unfortunate that the legislation tries to leave that out. The legislation also does not have the requirement to gazette information in terms of making it public for the different types of institutions. That is an issue, and it also has a lot of holes when it comes to information that can be withheld and shared. Why is that important with regard to confidence in the bill? It all comes down to the fact that many of the institutions at risk of being targeted involve not only the private sector, where we have seen not only abuse of customers themselves, or businesses with lax policies that do not protect privacy very well, but also others that have used abusive techniques and processes. Even right now, it is amazing when we think about the information in the process that is going on in the United States. The U.S. Senate is going to oversee the issue with regard to Taylor Swift tickets and Ticketmaster again. That is another one that has had a nefarious past with regard to privacy, information and how it runs its business. People can go back to look at that one, with Live Nation and so forth. At any rate, the U.S. is also involved in this. I raised those things because it also comes from the soft things like that, which are very serious with respect to credit cards and to people's personal information that is shared. However, across the world and in Canada we also have municipal infrastructure and government institutions that are constantly under attack. That is very important, because it is not just the external elements with regard to consumer protection and business losses, which are quite significant and into the billions of dollars. It is also everything from water treatment facilities to health care facilities in terms of hospitals and utilities for power and hydro. All those elements can be used as targets to undermine a civilian population as well, and one of the things we would like to see is more accountability when it comes to those elements. There is definitely more to do. One of the things I do not quite understand, and which I am pleased to see the government at least bring to committee, is what we could do to educate the population. Our first intervention on this bill as New Democrats was several years ago, and it is sad that it is just coming to fruition now.
1653 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Ms. Julie Dzerowicz (Davenport, Lib.)
  • Dec/1/22 12:21:40 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, I will be sharing my time with the hon. member for Vaughan—Woodbridge. It is a true privilege for me to add my voice to the debate on Bill C-26, an act respecting cybersecurity, on behalf of the residents of my riding of Davenport, many of whom have written to me through the years about their concern around cybersecurity and the need for additional protections at all levels of government. This bill represents the latest step in the government's constant work to ensure our systems, rules and regulations are strong and as up-to-date as possible. That is especially important when dealing with a topic as fluid and rapidly evolving as cyber-technology. We have known for quite some time we would need to be constantly vigilant on this issue. In 2013, the government established the security review program operated by the Communications Security Establishment. In 2016, we conducted public consultations on cybersecurity. In 2018, we released the national cybersecurity strategy. In 2019, we allocated $144.9 million through budget 2019 to develop a critical cyber systems framework. In 2021, we completed an interdepartmental 5G security examination, which recommended an updated security framework to safeguard Canada's telecommunications system. A cornerstone of the updated framework is an evolution of the security review program. It would allow for continued engagement with Canadian telecommunications service providers and equipment suppliers to ensure the security of Canadian telecommunications networks, including 5G. As a result of this multi-year work, to address these identified concerns and improve Canada's cybersecurity posture, including in 5G technology, we introduced Bill C-26. The bill is intended to promote cybersecurity across four federally regulated critical infrastructure sectors: finance, telecommunications, energy and transportation. Bill C-26 consists of two very distinct parts. Part 1 introduces amendments to the Telecommunications Act that would add security as a policy objective and create a framework that would allow the federal government to take measures to secure the telecommunications system. Part 2 introduces the critical cyber systems protection act, which would create a regulatory regime requiring designated operators in the finance, telecommunications, energy and transportation sectors to protect their critical cyber systems. As I mentioned, 5G has the potential to be a transformative technology for Canadians. It promises to bring lightning-fast Internet speeds that are unlike anything we have experienced so far. The benefits of instant and real-time connectivity will be immediate and far-reaching for Canadians and Canadian businesses. The COVID-19 global pandemic has underlined the importance of this connectivity, whether it is for virtual classrooms, work from home or keeping in touch with loved ones, but we need to be absolutely sure this technology is safe and secure as the technology is rolled out in Canada. Canada already has a system in place to mitigate cybersecurity risks in our existing 3G and 4G LTE wireless telecommunications network. Since 2013, the Communications Security Establishment's security review program has helped mitigate risks stemming from designated equipment and services under consideration for use in Canadian 3G, 4G LTE telecommunications networks from cyber-threats. Like previous generations, 5G technology will have new risks and vulnerabilities that will need to be addressed so Canadians can realize its full potential. 5G is considered more sensitive than 4G because it will be deeply integrated into Canada's critical infrastructure and economy, and will connect many more devices through a complex architecture. The deep integration, greater interconnection and complexity increase both the likelihood and potential impact of threats. That is why an examination of emerging 5G technology and the associated security and economic considerations continues to be very important. The technical agencies of the Government of Canada, within the Department of Innovation, Science and Economic Development, and the safety and security agencies that fall within the Public Safety portfolio, Global Affairs Canada, National Defence and others, are all involved in the federal government's efforts to develop a made-in-Canada approach to ensuring the secure rollout of 5G wireless technology. Moving this bill forward will further that vital work. In the meantime, our world-class national security and intelligence agencies continue to protect our country from a wide range of threats. As we know, those threats include a growing number of targeted attacks from state and non-state actors, including cybercriminals. Canada's two main national security organizations, CSIS and CSE, which is short for Communications Security Establishment, are working tirelessly to mitigate these threats. CSIS provides analysis to assist the federal government in understanding cyber-threats and the intentions and capabilities of cyber actors operating in Canada and abroad who pose a threat to our security. This intelligence helps the government to improve its overall situational awareness, better identify cyber vulnerabilities, prevent cyber espionage or other cyber-threat activity and take action to secure critical infrastructure. For its part, the CSE is always monitoring for threats that may be directed against Canada and Canadians. The CSE is home to the Canadian centre for cybersecurity, which was established as a flagship initiative of the 2018 national cybersecurity strategy. With the cyber centre, Canadians have a clear and trusted place to turn to for cybersecurity issues. It is Canada's authority on technical and operational cybersecurity issues, a single, unified source of expert advice, guidance, services and support for the federal government, critical infrastructure for owners and operations, the private sector and the Canadian public. It helps to protect and defend Canada's valuable cyber assets and works side by side with the private and public sectors to solve Canada's most complex cyber issues. For example, the cyber centre has partnered with the Canadian Internet Registration Authority on the CIRA Canadian Shield. The shield is a free protected DNS service that prevents users from connecting to malicious websites that might infect their devices or steal personal information. With the passage of the National Security Act in 2019, Canada's national security and intelligence laws have been modernized and enhanced. As a result, CSIS and the Communications Security Establishment now have authorities they need to address emerging national security threats, while ensuring that the charter rights of Canadians are protected. These updates are in line with CSIS's mandate of collecting and analyzing threat-related information concerning the security of Canada in areas including terrorism, espionage, weapons of mass destruction, cybersecurity and critical infrastructure protection. The passage of the National Security Act also established stand-alone legislation for the CSE for the first time ever. With the Communications Security Establishment Act, the CSE retained its previous authorities and received permission to perform additional activities. For example, the CSE is now permitted to use more advanced methods and techniques to gather intelligence from foreign targets. Under the CSE Act, CSE is mandated to degrade, disrupt, influence, respond to and interfere with the capabilities of those who aspire to exploit our systems and to take action online to defend Canadian networks and proactively stop cyber-threats before they reach our systems. It is also permitted to assist DND and the Canadian Armed Forces with cyber operations. As Canada's national police force, the RCMP also plays a very important cybersecurity role. It leads the investigative response to suspected criminal cyber incidents, including those related to national security. Cybercrime investigations are complex and technical in nature. They require specialized investigative skills and a coordinated effort. That is why, as part of Canada's 2018 national cybersecurity strategy and as a second flagship initiative, the RCMP has established the national cybercrime coordination centre, or NC3. The NC3 has been up and running for over a year now. It serves all Canadian law enforcement agencies, and its staff includes RCMP officers and civilians from many backgrounds. Working with law enforcement agencies, government and private sector partners, the NC3 performs a number of roles, including coordinating cybercrime investigations in Canada. All of this is backed up by significant new investments in the two most recent budgets. In budget 2019, we provided $144.9 million to support the protection of critical cyber systems and we later invested almost $400 million in creating the Canadian centre for cybersecurity, the national cybercrime coordination unit and increased RCMP enforcement capacity. Whether it is nationally or internationally, I have full confidence in the abilities of all those in our national security and intelligence agencies who are working hard day and night to safeguard our cybersecurity and protect us from harm online. I am confident that Bill C-26 will go a long way to continue doing that.
1427 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Ms. Louise Chabot (Thérèse-De Blainville, BQ)
  • Dec/1/22 12:33:02 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, I thank my colleague for her speech. This bill still raises some serious concerns. The Bloc Québécois is prepared to support it so that we can examine and improve it in committee. In 2021, in Canada alone, one in four businesses reported being the victim of a cyber-attack. We are the G7 country that has done the least in this regard. We spent $80 million over four years for research and development, which is not much. Canada is lagging behind in that department. Cyber-attacks on businesses can be sudden and unexpected, and not every business has the money to invest in cybersecurity or protection mechanisms. What will this bill actually do to help with and improve cybersecurity?
126 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Ms. Julie Dzerowicz
  • Dec/1/22 12:35:59 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, this question has come up all morning. I think it is a very big concern, not only for the opposition but for this side of the House. We want to make sure we get this right. We must ensure that we have very strong protections against cyber-attacks and have cyber-attack resiliency in this country. We also have to be very transparent about the additional powers and how they will be used.
75 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Kevin Lamoureux (Parliamentary Secretary to the Leader of the Government in the House of Commons, Lib.)
  • Dec/1/22 1:00:12 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, I am glad the member will be voting in favour of the legislation going to committee. Hopefully many of the concerns he raises on the issues surrounding the worthiness of the legislation, will be addressed at that stage. The legislation would empower the minister to be able to take actions. It would allow for financial penalties. It would allow for us to deal with cyber-attacks from a legislative perspective. That does not necessarily mean that this is the only thing we have done over the last number of years. There has been a great number of financial resources, individuals, committees and so forth ensuring our industries are protected. This is yet another step forward in dealing with cyber-attacks, keeping us consistent with other allied countries. I am wondering if the member would acknowledge the importance of moving forward with allied countries in dealing with things, such as cyber-attacks?
153 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Kevin Lamoureux (Parliamentary Secretary to the Leader of the Government in the House of Commons, Lib.)
  • Dec/1/22 1:15:13 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, I would just correct the member. Yes, this legislation is very important and we hope to see it get to the committee stage where it will no doubt be well discussed and debated. There will be presentations where members can digest information and see if there are ways in which we can improve upon the legislation. However, to try to give an impression that this is the only thing the government has done on the issue of cyber-threats is a bit of a false impression. Not only have we been seeing a great deal of dialogue and actions from different departments to date in the form of formalized advisory groups, but we have seen literally tens of millions of dollars, not to mention the other incentive programs that were there, for the private sector, for example. I wonder if the member would not agree that this issue is not new and this is just one very important aspect in taking a step forward.
166 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Ms. Kristina Michaud
  • Dec/1/22 1:33:49 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, indeed, the committee has heard from several experts on this subject. They told us that there is currently nothing to force companies, whether they are federally regulated or not, to report when they are victims of cyber-attacks, for example. They can just not report it and try to work through it on their own, even though there are authorities in place to help them through these kinds of events. The experts were telling us that it might be worth having a framework that forces companies to work with the government or cybersecurity bodies to report and help prevent attacks so that a solution can be found. My understanding of the bill is that it would create a framework to compel federally regulated companies to do exactly that. I think that is a very good idea. It follows through on what the experts were proposing in committee.
149 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Kevin Lamoureux (Parliamentary Secretary to the Leader of the Government in the House of Commons, Lib.)
  • Dec/1/22 1:44:17 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, it is encouraging when we get support for legislation. This legislation goes a long way in recognizing that cyber-threats are something on which we do need legislation to come forward and be voted upon. This legislation would allow for financial penalties and for the minister to take direct action. I wonder if the member could provide his thoughts on the importance, once we get into committee stage, of listening to what presenters have to say. I understand there are some concerns with regard to the legislation.
89 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Ms. Marilyn Gladu (Sarnia—Lambton, CPC)
  • Dec/1/22 1:49:09 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, it is a pleasure to rise today to speak to Bill C-26 on cybersecurity. I will be sharing my time today with the member for Edmonton Manning. Canadians recognize that we need to do something in the area of cybersecurity. We have all experienced hackers. Myself, when I have bought something online, the next thing I know is my credit card is hacked and then all the pre-authorized transactions need to be changed. It is very time-consuming. I have been hacked numerous times on Facebook, as I am sure many have, as well as on Instagram and other places. Those are small examples that Canadians are seeing. Let us think about the more serious cyber-hacking we are seeing, whereby government systems are hacked and breaches of information are happening. Businesses are experiencing this. I have a friend who is an anti-cyber hacker. For $2,500 a day, he goes around the world, helping companies that have been hacked to improve their protections. Something needs to be done. I would like to talk today about what needs to be done, and then how the bill does or does not meet that need. First, we have to identify what the critical systems are. What are the things we want to protect? If somebody hacks my Netflix account, it is not earth-shattering. However, there are things that are important, and I think everyone would agree that databases that protect our identity or have information about our identity are critical. Financial institutions and people's financial information are critical. On our medical information, we have spent a lot of time on legislation and regulations on protecting medical privacy. Those, to me, would be three of them, but certainly, the critical systems need to be identified. We need to make sure there are adequate protections in place. Not every business and level of government has the same amount of protections and technology in place. There is a journey of defining what adequate protection is and helping people get there. In the case of breaches and having them investigated and addressed, the bill gives very broad powers to the minister. It allows the federal government to secretly order telecom providers to “do anything or refrain from doing anything...necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.” Those three terms are not well defined, so I think there is some work to be done to define those better, but I do not really believe we want to give the government power to do anything it wants. Certainly, shutting down a system for protection is important when there is an actual threat and not just a potential future threat or a possible threat. In the case of a threat, the government needs the ability to act, but certainly we have to tighten up the language in the bill on that. After there has been a breach, there needs to be preventive and corrective action. Preventive action would be additional technology walls or additional controls that are put in place to ensure that we have enhanced protection in the future. Corrective action is fixing the holes that people got into in the first place and punishing the hackers. It does not seem like any of that is happening today. The bill does not address that, but there should be some measures there to take corrective action. I talked about the overarching powers and my concern with them. We cannot have the government continually coming up with bills in which it has not really defined what it is going to do but it tells us not to worry about it because the Governor in Council, after the fact and without any parliamentary oversight, will determine what we are going to do. The Governor in Council means the Liberal cabinet ministers. I think we are at a place where people have lost trust in the government because there is no transparency. The bill allows the government to make orders in secret, without telling people what is done. The public cannot see it and is suspicious, because people have seen numerous examples of the government hiding things. We have just come through a $19-million emergency measures act situation in which the Liberal cabinet ministers and the Prime Minister knew they were never going to disclose the documents that would prove or disprove whether they met the threshold, because they were going to hide behind solicitor-client privilege. They have done it before, hiding behind cabinet confidence, like on the Winnipeg lab issue. Look at the documents we tried to get hold of there. The Liberals even sued the Speaker in order to hide that information from Canadians. In the SNC-Lavalin scandal, we saw them hiding behind cabinet confidence. In the WE Charity scandal, we saw them hiding behind cabinet confidence. I am a little concerned, then, to find that in this cybersecurity bill, the Liberals are saying the government can make secret orders that the public is not going to ever know about. I think that is very dangerous. This is one of the reasons we are seeing an erosion of trust in Canada. A recent poll posted by The Canadian Press showed that if we look at the trust index in Canada, only 22% of Canadians trust the government or politicians. That means four out of five Canadians do not trust the government or politicians, and it is partly because of what has gone on before, when things have been done such as people's banks accounts frozen and drones surveilling citizens. People have lost trust, so I do not think they are going to be willing to give a blank cheque to the government to do whatever it wants for cybersecurity, to control enterprises outside the government to get them to stop operating, for example. The riverbanks need to be much tighter on that. People are concerned about their civil liberties, and I know there has been a lot of conversation about the lack of privacy protection in this country. We have regulations like PIPA and PIPEDA. My doctor cannot reveal my medical information; my employer cannot reveal my medical information, but various levels of government in the pandemic made it so that every barmaid and restaurant owner could know my private medical information and keep a list of it, which is totally against the law. Therefore, when it comes to cybersecurity we are going to have to make sure the privacy of Canadians' information is better protected, and I do not see that element here in the bill—
1110 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Kevin Lamoureux (Parliamentary Secretary to the Leader of the Government in the House of Commons, Lib.)
  • Dec/1/22 3:42:09 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, within the legislation there is consideration given to how financial penalties would empower the minister to take strong action to ensure that providers are keeping up with what they need to keep up with. My question to the member is this. Would he agree that when we take a look at the issue of cyber-attacks, they are not something unique to Canada? It is happening around the world. We are working with allied countries and others. This is one part. It does not stop here. There is a need to continue, as we have for the last number of years, investing tens of millions of dollars and putting people to the task of protecting us against cyber-threats. Could the member just provide his thoughts in terms of the broader picture of cyber-threats?
137 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Charlie Angus (Timmins—James Bay, NDP)
  • Dec/1/22 3:45:21 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, cyber-threats are not new. In 2011, Canada's two main financial centres in government, Finance and the Treasury Board, were pushed off-line for days by hacks from Chinese operators, yet the Harper government did nothing about that. It did not want to talk about it because it was busy selling off sections of the oil sands and Nexen to Chinese state-owned operators and then signing a free trade deal with China, the deal that would allow it to take on Canada outside of the court system. I find it kind of special that the Conservatives are suddenly concerned about cybercrime now, when they did nothing to take on China's state threats to Canada under Harper.
121 words
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Ryan Turnbull (Whitby, Lib.)
  • Dec/1/22 3:46:33 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, before I begin, I will just say that I will be splitting my time with the member for Kingston and the Islands. It is an honour to rise today in the House to debate the second reading of Bill C-26, an act respecting cybersecurity. To me, cybersecurity is essential, and it certainly relates directly to our national security. When we consider the challenges and opportunities we face in this field, the theme of collaboration underpins and needs to underpin all that we do. The prevalence of cybercrime in an increasingly online world, improving cyber-defence posture in an unstable global environment, deep thinking about what the future holds in a world where innovation and change are exponential, a critical look at whether our policies and laws are up to the task, and the protection of content and intellectual property as data becomes one of the world's most precious resources: These are just some of the reflections that we have to have when considering this bill. In Canada, being online and connected is essential. Now, more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying connected with loved ones across the country and around the world. We should be able to do all these activities safely and securely. I would like to offer a few words about what we are doing here in Canada to get that balance right, and I would like to reinforce the importance of our commitment to protecting the cyber systems that underpin our critical infrastructure. We can take the emergence of new technologies, such as 5G, as one clear reason we need to redouble our efforts. We think about our increased reliance on technology in light of the COVID-19 pandemic. We think about international tensions amidst Russia’s unprovoked and unjustified ongoing invasion of Ukraine, with threats ranging from supply chain disruptions to state and non-state malicious cyber-activity. Through all of these remarkable events, the government has been working tirelessly to keep Canadians safe. We recognize that, now more than ever, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of critical services, such as energy production, financial transactions, safe transportation and emergency communications. As part of his mandate, bestowed by Prime Minister Trudeau, the Minister of Public Safety is seized with the opportunity and challenge of developing a renewed national—
424 words
All Topics
  • Hear!
  • Rabble!
  • star_border
Context: House Hansard - 139 - Dec/1/22
Mr. Denis Trudel (Longueuil—Saint-Hubert, BQ)
  • Dec/1/22 3:57:17 p.m.
  • Watch
  • Re: Bill C-26 
Madam Speaker, I am not a cybersecurity expert either. A few weeks ago, I attended a demonstration in Montreal with 10,000 people to support the people who are fighting for their freedom in Iran, which, as we know, is not a democratic state. I have also strongly supported people from the Uighur community, who I have met with many times here in Ottawa. We know that they are facing genocide in China. The small white square that I am wearing is a sign of support for people who, at this time, are rising up against the health measures in China, as well as the people in Russia who are protesting against the war in Ukraine. I want to know if there are concrete measures in Bill C‑26 that would prevent Iran, China and Russia from carrying out cyber-attacks on social networks and, for example, hacking my account and interfering in my life as an MP? I would like my colleague to clarify that.
167 words
All Topics
  • Hear!
  • Rabble!
  • star_border