44th Parl. 1st Sess.
March 6, 2023 11:00AM
Madam Speaker, I will ask a question I asked earlier of another member. In this member's opinion, what does she view as the greatest threat to Canada's cybersecurity? Is it state actors? Is it cybercrime and cyber-technology? Specifically, what does the member think is the greatest threat that we face as a nation around cybersecurity?
58 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will take maybe a different tack today to contribute to this debate on cybersecurity. I am going to tell a story about Tom and how he has been impacted by technological changes over the last couple of decades. Before I tell Tom's story, I have to share Emily's story with technology and why this legislation and changes to cybersecurity in Canada are so important and so needed.
Before I get into that, I think it is important to first lay out in simple terms what this bill is about from my current understanding. There are really two parts to the bill.
The first part is about amending the Telecommunications Act to address and fix the security needed for our Canadian telecommunications system. The bill would do this by addressing it through two means. First, it would “direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” As well, it would establish some monetary penalties tied to those changes.
The second part of the bill is all tied to the critical cyber systems protection act. It would provide the framework for the protection of our critical cyber systems, which are vital to national security and public safety. It would do that through five different aspects. First, it would authorize the government to designate those services that are vital to Canadians, those critical sorts of services, what they are and what systems are tied to them. Second, it would authorize the government to establish who is responsible for maintaining those systems. Third, it has how these cybersecurity incidents would be reported and how Canadians and institutions comply with those changes. Fourth, it lays out how information would be shared and, arguably, needs to be protected. Finally, it gives the “so what” of the enforcement and the consequences for non-compliance with the legislation.
In reality, this bill is quite lengthy and very technical, so I am going to focus most of my speech around two important aspects of the bill. The first aspect is the threats to cybersecurity. The second is information sharing and the need to protect Canadians' privacy rights while highlighting the important need for transparency. How would the government ensure the accountability of any institution affected by this bill, particularly the government itself, with the additional powers this legislation would grant it?
Let us get back to Emily. She is a senior citizen and a retired teacher. She uses a mix of online banking and billing, although she still prefers to handle the majority of her financial transactions right at the bank. She has a fledging social media presence mainly to stay in contact with her grandchildren and friends. She even has a TikTok account at her grandchildren's urging. We will see if she is going to change her mind and delete that sooner than later.
Being online and connected is essential to all Canadians now, more than ever, as a lot of Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. As I have mentioned, we have seen an increased dependency on the Internet, especially for government services. In the last few years, under the Liberal government, it continues to shift more and more government services online, while unfortunately decreasing service delivery for those without access to the Internet at the same time. I will not go into detail on all the shortfalls I see with the current approach, considering that a large portion of rural Canada still do not have access to high-speed or dependable Internet.
What threats does Emily face? She complains about getting emails and phone calls from people alleging to be affiliated with her bank or service providers. She wonders about the advertising that shows up on her social media feeds that align with something she only mentioned in an email to a friend. How is all of this happening?
To quote the director of CSIS from December 4, 2018, over four years ago, during a speech that he gave to Bay Street, which I have extracted from Stephanie Carvin's Stand on Guard, Mr. Vigneault stated that the greatest threat to our prosperity and national interest is “foreign influence and espionage.” While terrorism remains the number one threat to public safety, “other national security threats—such as foreign interference, cyber threats, and espionage—pose greater strategic challenges”.
In her book, Professor Carvin clearly lays out the risks associated with cyber-attacks, whether malware, ransomware, a targeting of critical infrastructure, denials of services or others. She talks about cyberterrorism, cyber-espionage and cybercrime, so how do we deal with this?
We deal with this not only through this legislation, but also, mainly for some of the challenges we have, as my colleague from Selkirk—Interlake—Eastman talked about in much greater detail earlier today in his speech, our Canadian Armed Forces, the Communications Security Establishment and even our federal police services, which have ways to deal with this. My colleague hinted that sometimes the best defence is a good offence.
Offensive cyber-operations are really not the bailiwick of this legislation, although I would offer that there is some overlap, as we look at a lot of these threats Canadians and Canadian institutions are facing are financed through cyber-attacks and more here at home. We need to tackle this and get the balance right.
The bottom line is Emily and Canadians like her being affected by all of these cyber risks. Professor Carvin pointed out that at least 10 million Canadians had their data compromised in 2017 alone. Unfortunately, this number is likely under-reported, and neither the government nor the private sector fully understand the scale of the problem. To sum up, the threats are huge.
Bill C-26 must balance privacy rights while ensuring national security. Increased use of encrypted apps, data being stored in the cloud on servers outside of Canada, IP protection and more factor into the challenges of getting this legislation right. In order to deal with these threats, the legislation would need to enable our security establishments with robust, flexible powers. However, these robust powers must come with clear guidance on how far and when to inform the public. This is essential in rebuilding our trust in our democratic institutions.
The Business Council of Canada has already publicly expressed concerns over the current draft of this legislation. It rightly identified that large companies, and also small- and medium-sized enterprises, are concerned that the sheer amount of red tape tied to this bill is extremely high.
We need to get the balance right. It is vital, and it is going to require significant expert testimony at committee. Although I would argue the legislation is desperately needed, and I would argue even late in coming, it needs to be done right and cannot be rushed through debate or review at the committee stage.
I have some final comments. This legislation is needed to protect Canadians. However, this legislation needs to be reviewed regularly and needs to include safeguards. I know if he gets the chance, the member for Winnipeg North might ask about what amendment we are recommending. There is no annual reporting mechanism in this bill, so the government should have to table an annual report to Parliament outlining the progress on this legislation, and include an updated cyber threat assessment to Canadians and what it has been hearing back from the companies impacted by this legislation.
Sean McFate, in this book The New Rules of War: Victory in the Age of Durable Disorder, wrote, “ Secrets and democracy are not compatible.... Democracy thrives in the light of information and transparency.”
Finally, I will conclude with Tom's story and how he has been impacted by technology. The bottom line is that he has not been. He does not have a cell phone. He does not use the Internet. He only pays in cash and does not have a credit card. The only way he is currently being impacted is when he shows up to try to get some federal services from the government. He cannot do it because he does not have any of that, and he cannot get anybody to show up in an office to work.
1404 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I listened carefully to my colleague's speech.
The Bloc Québécois has often supported the need for the government to tighten cybersecurity controls. I am curious about the Conservative Party and I have a question for my colleague. There has been a lot of doubt and uncertainty concerning cyber-attacks and companies like Huawei. We know and people know that a former candidate for the Conservative leadership worked with Huawei.
I would like my colleague to explain to me what credibility the Conservative Party has today, as we talk about cybersecurity and Chinese interference, because one of its own members, who was a leadership candidate, worked with a company like Huawei. The giants in this world, the Five Eyes in particular, have stopped doing business with this company. Today, we are once again asking how that party can lecture everyone else about cybersecurity.
149 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour to rise again in the House to speak to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. My Conservative colleagues and I, as has been indicated, support this legislation being sent to committee for further study, as it needs a lot of further work and amendments.
For those watching this debate, who have not had time to review the legislation, the bill has two main parts, as has been explained throughout the day. The first part would amend the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.
The second part of the bill would enact the critical cyber systems protection act, which is a new act, that attempts to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are designed to operate as part of a work, undertaking or business that is within the legislative authority of Parliament. Services and systems that would initially be designed and designated as vital are telecommunications systems, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems, banking systems, and clearing and settlement systems. Any additions to this list of vital systems can be made and added to by the Governor in Council.
The critical cyber systems protection act would have several components to it. It would authorize the Governor in Council to designate any service or system as a vital service or vital system; it would authorize the Governor in Council to establish classes of operators in respect of a vital service or vital system; it would require designated operators to, among other things, establish and implement cybersecurity programs, mitigate supply-chain and third-party risks, report cybersecurity incidents and comply with cybersecurity directions; it would provide for the exchange of information between relevant parties; and would authorize the enforcement of the obligations under the act and impose consequences for non-compliance. Those would be significant consequences, I might add.
On its face, it seems that the Liberals have finally awoken after eight years of doing absolutely nothing on this file, yet somehow they hastily scrambled to cobble together a proposition for sweeping changes to a regulatory framework, which this legislation would enact.
The Civil Liberties Association said, “The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.” We understand that a modernization in this field may be required to do so without the caveats of being necessary, proportionate and reasonable to take it one step too far for Canadians to accept.
For support of this argument, the Liberals only need to look at the research report from Citizen Lab, written by Christopher Parsons. The report is called “Cybersecurity Will Not Thrive in Darkness, A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. That report provides 30 recommendations that clearly lay out common sense changes and how this legislation could be improved to include transparency or at least apply limitations on the government's authoritarian use of power. For the benefit of the careless drafters and my Liberal colleagues across the way who would happily vote on any flawed legislation their leader tells them to without bothering with independent thought or even reading its criticisms, I will take some time and share the flaws.
Citizen Lab also seems to address what appears to be a recurring theme with the government: a lack of transparency and limitations on the government's authoritarian use of power. It too addresses that, “The minister may, by order, direct a telecommunications service provider to do anything or refrain from doing anything...that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.”
That, too, seems a little broad. Amendments need to be applied that include a limitation on the minister's powers, ensuring that actions are necessary, proportionate and reasonable. This government has proven that it cannot be trusted with powers without strict limitations. It is simply unable to self-regulate.
The Canadian Civil Liberties Association and Christopher Parsons agree again on the lack of privacy and broad provisions around information sharing.
The CCLA writes:
Also concerning are the very broad provisions around expanding information sharing with a long list of potential recipients including Ministers of Foreign Affairs and National Defence, the Canadian Security Intelligence Service (CSIS), and also, once an agreement is signed, with provincial governments, foreign governments, or international state organisations, again, at the Minister’s discretion. The Communications Security Establishment (CSE), Canada’s signals intelligence agency is also a key recipient of information.
The Citizen Lab review echos how the government ought to have included provisions that respect information privacy. To any Canadian listening, this does not sound like too much to ask. Specifically, the Citizen Lab report recommends that “information obtained from telecommunications providers should only be used for cybersecurity and information assurance activities".
It also recommends that “government should explain how it will use information and reveal the domestic agencies to which information is disclosed”. The report says “information obtained for telecommunications providers should only be used for cybersecurity information assurance activities”. It should only be used for “data retention periods”, and that it “should be attached to telecommunications provider's data”. Citizen Lab states that “data retention periods should be attached to foreign disclosures of information”. It also indicates that “telecommunications providers should be informed which foreign parties receive their information”, and “legislation should delimit the conditions wherein a private organization's information can be disclosed”.
Why does the government need to be told that its legislation has these fundamental flaws by outside organizations? Many are asking: Do these Liberals have no shame when it comes to the privacy of Canadians?
The CCLA further points out that, although there is an appeal process through judicial review, when the subject of an order finds it to be unreasonable or ungrounded, it suggests that, under Bill C-26, the government overlooks the basic, fair process that even a national security threat would receive. The Citizen Lab, on the other hand, discusses that the government fails to compensate for government intrusion into small business. Mr. Parsons proposes that the legislation should be amended such that telecommunications providers can seek moderation of “certain orders where implementing them would have a material impact on the provider's economic viability”.
In conclusion, while it is notable that the Liberal government has finally awakened to this topic, the legislation has again missed some pretty traditional marks of Liberal legislation. It leaves citizens at risk of major government overreach. It takes the privacy and information of Canadians for granted. It relies on a system of review that falls short of due process, and it leaves businesses susceptible to bearing the costs of an overbearing government. Lastly, this is typical lazy Liberal legislation.
1278 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, we all know that cybersecurity issues are a fast-moving target and how they change almost monthly. One thing that I can be confident in is our national security agencies that deal with some of these issues on cybersecurity. They are working diligently on our behalf. I would agree that there would be very few of us in the House who would have the technical capacity to understand much of what we ask our defence agencies, our national security agencies and our cybersecurity agencies to do for us on behalf of our country.
I would encourage the government, as was indicated by my colleague, to enlighten the House and to provide briefings by those technical experts in government and from our public servants. We would all benefit, not only from the study of this bill but also from the ability to answer our constituents who have cybersecurity questions. We could answer them more intelligently.
156 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, as the member for Portneuf—Jacques-Cartier, I am pleased to rise today to speak to Bill C-26. I want to say hello to all of the families who are taking advantage of March break to do fun activities in the beautiful riding of Portneuf—Jacques-Cartier.
As I was saying, Bill C‑26 seeks to add the promotion of the security of the Canadian telecommunications system. It also seeks to provide a framework for the protection of the cyber systems that are vital to national security or public safety and create frameworks for the exchange of information.
It goes without saying that these issues are very important to the official opposition, of which I am very proud to be a member. It is no secret that my Conservative Party of Canada colleagues and I are, and always have been, great defenders of public safety. It is part of our DNA.
Industry and experts have asked the government many times to create cybersecurity standards, but it is important to act intelligently.
There is a lot of instability in our modern world, and threats can come from anywhere. Cyber-threats are nothing new. This is not a recent thing. It is clear that this weapon is used as much by foreign governments, which have their own motives, as by individuals or groups seeking to do harm or make money, for God knows what motives. It happens everywhere, on both small and very large scales.
Here are a few examples that illustrate this reality: data stolen from institutions or companies and held for ransom; the leak of personal information that affected millions of Desjardins members or customers in Quebec; and possible election interference from Beijing.
No, we are not going to question the outcome of previous elections here. We do not believe that interference changed the overall outcome of those elections. However, electoral integrity is the foundation of our democracy, and it must be ensured and maintained. As a Canadian, I have the privilege of going abroad, and people recognize that we are concerned about protecting our democracy. We need to put measures in place to continue that.
The fact remains that, over the past eight years, the government has been slow to crack down on cyber-threats. This is yet another example of a foot-dragging government finally coming up with a bill, but it turns out that bill has flaws that call for more thorough study in committee.
I know for a fact that this issue is really important to Canadians. We will do the work to make sure this bill is the one Canadians need and deserve. Yes, people want to be safe. Actually, since I was elected in 2015, my constituents have regularly told me they are increasingly concerned about this issue, especially over the past year.
What it comes down to is that confidence in the government and its ability to provide what people need and to keep its promises is essential. It is hard to have confidence in a government that keeps messing up pretty much everything.
I could go on and on about Bill C-13 as an example of a government that makes promises but does not deliver. The government recognizes the decline of French across the country, even in Quebec, but it is trying to impose a bill that does little to address that decline. I know that that is not the subject today, but everyone knows how much I care about official languages, and I had to pass on the message.
I would like to conclude by sharing a very real situation that occurred in my riding. One of my constituents wrote to me about a serious handling error made by Passport Canada.
I would like to inform the House that this is the first time this situation has been discussed publicly. He sent me a letter, and I would like to read it.
Dear Sir/Madam:
I am taking the time to write you a brief note to let you know about what I would describe as a “serious” security flaw within Passport Canada pertaining to the confidential information of Canadian citizens.
It is very important in terms of a timeline.
In early January, 2023, I applied for passports for my three children at Passport Canada.
On February 1, 2023, I received three envelopes containing our passport applications, which were rejected because we forgot to tick a box.
Inside the envelope I also received the rejected application of a woman from British Columbia. I therefore had in my possession her full identification, her passport and her credit card information. I returned those very sensitive documents by express post with a tracking number to Passport Canada.
I filed a complaint out of principle thinking that, although it was just a mistake, it was still worth reporting through Passport Canada's website, so I followed the official procedure. I got a call back. Passport Canada apologized. Nothing more. They refused to compensate me for the cost of returning the documents belonging to the woman from British Columbia. I was told, however, that our applications would be prioritized.
On February 15, 2023, I received four envelopes. I was quite pleased, as I thought we'd finally received our children's passports, but we have three children, not four. As it turns out, our children's passports weren't inside those envelopes. Instead, there were the passport applications (including full identification, passport, original birth certificates, complete credit card data, etc.) of four people from across Canada. These are four different people who have no connection to one another.
What is not stated in the letter is that these people were from Sherbrooke, Ontario, Manitoba and Alberta. That is incredible.
A few days later, we finally received our three children's passports.
As it is obvious, I don't feel I need to explain in my letter the seriousness of receiving the full identification of these people and information that could be used to carry out fraudulent financial transactions by total strangers.
We can't fathom that such mistakes would be made by a recognized federal organization such as Passport Canada, which manages the personal and financial information of so many Canadians. We can't believe that these are two isolated incidents.
This is a very simple task that requires putting the right documents in the right envelope. That's it.
I no longer trust Passport Canada's administration at all. That is why I am entrusting you with the identity documents, which don't belong to us.
I no longer trust Passport Canada's “internal” complaint process, as it will certainly try to cover up this failure, and will only offer an apology.
I am most pleased to read the following excerpt from the letter:
We trust our MP.
I'm always available to answer any questions.
Yes, cybersecurity matters, but the government also needs to take responsibility for the existing systems. It cannot even handle paper documents, but now it wants to allow a minister to step in and be able to manipulate and control information. I am concerned.
I have shown that we have a problem in Canada. We recognize that. We have a problem when it comes to cybersecurity, but we have a problem on other levels too. I would like to see this government take responsibility.
Like my constituent who gave me the documents mentioned, I had to ask myself, what do I do with these documents now? Do I return them to Passport Canada, or do I give them to the minister responsible here? That is a very important question.
Let us get back to the subject at hand, Bill C-26. I am very interested in having measures in place to protect us. It is important that we have confidence in our systems. As a member of the Conservative Party of Canada, I have a lot of confidence in the Conservative members who sit on the committee, as well as members of the Bloc Québécois, the NDP and even the Liberal Party. Things are normally supposed to be neutral in committee.
I must say that I believe in the future. Having said that, we need to put measures in place to have concrete results. Let us work in committee.
1398 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I listened closely to the speech by my colleague from Portneuf—Jacques-Cartier. The first thing he mentioned is that the Conservative Party of Canada was a great defender of cybersecurity. I want to remind him of the following.
First, the member for Portneuf—Jacques-Cartier supported Jean Charest as a candidate in the Conservative leadership race. Jean Charest worked with the company that was complicit in China's interference. So much for credibility and being a great defender.
Second, a quick Google search shows that the CPC App that the Conservative Party of Canada used during the 2019 election is a version of the uCampaign app, which is used in the United States and requires access to contacts and geolocation, things that relate to privacy. Cybersecurity researchers were actually advising against using that app.
When it comes to credibility and being great defenders, are the people in the Conservative Party of Canada really people we can trust?
162 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is always an honour to rise in this House on behalf of the people of my riding of Moose Jaw—Lake Centre—Lanigan.
The safety and security of our nation is of paramount importance, and I understand the need to enhance the safety and security of Canadians, both here at home and abroad. This would include many of our international corporations, which are large contributors to our economic base, and of course our own government institutions and interests. Having the opportunity to speak to cybersecurity in Canada gives us an opportunity to enhance or increase our country's ability to protect us from cyber-threats.
A significant concern for all Canadians is security. This concern has increased in recent times, as we see the rise in organized crime and gang-related offences, which have gone up 92%. The question I ask myself when I see this increase is this: Will the Liberal government be led by evidence and act on the evidence that has been reported?
Cybersecurity is extremely important for our nation to protect itself from inside and outside threats. I welcome Bill C-26, but I do have some concerns pertaining to the success of the bill, and one concern is about accountability. This is a question that we in opposition bring up every day in this House and regularly.
Bill C-26 is essentially divided into two different parts. The first part is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system, adding security as a policy objective; to bring the telecommunications sector in line with other infrastructure sectors; and to secure Canada's telecommunications system and prohibit the use of products and services provided by specific telecommunications service providers. This amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure and would remove or terminate 4G equipment by the year 2027. What stands out to me, which has been a concern, is the time that it took the government to react to enforce the ban on Huawei.
The second portion of this bill is to enact the critical cyber systems protection act, or CCSPA, designed to protect critical cyber systems and “systems that are vital to national security or public safety and that are delivered or operated...within the legislative authority of Parliament.” As a report by Norton Rose Fulbright notes, the purpose of the CCSPA is, first, to “[e]nsure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third-party products and services”; second, to “[p]rotect critical cyber systems from being compromised”; third, to “[e]nsure the proper detection of cybersecurity incidents”; and finally, to “[m]inimize the impacts of any cybersecurity incidents on critical cyber systems.”
The impacts of this bill would be far-reaching, and here are the things that need to be considered when this bill is in place. The government would have the power to receive, review, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada; to make mandatory cybersecurity programs for critical industries; and to enforce regulations through regulatory and legal enforcement, with potential financial penalties. With this in place, the Governor in Council and the Minister of Industry would be afforded additional powers.
As the report notes:
If any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks. While the Act doesn’t give any indication of what kind of steps will be required from operators, such steps may be prescribed by the regulations [at committee].
It goes on:
The Act also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems touching upon these vital services and systems. No indication is given as to what would constitute interference under the Act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the Act does not prescribe any timeline or give other indication as to how “immediately” should be interpreted.
Some deficiencies in Bill C-26, as it is presently drafted, can be listed as follows:
The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.
The secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.
There is a potential for excessive information sharing within the federal government and with international partners.
The costs associated with compliance with reforms may endanger the viability of smaller providers.
The vague drafting language means that the full contours of the legislation cannot be assessed.
There exists no recognition of privacy or other charter-protected rights as a counterbalance to the proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.
Should these recommendations or ones derived from them not be taken up, the government could be creating legislation that would require the public and telecommunications providers to simply trust that it knows what it is doing and that its actions are in the best interests of everyone.
Is it reaching the right decision to say that no need exists for broader public discussion concerning the kinds of protections that should be in place to protect the cybersecurity of Canada's telecommunications and networks? The government could amend its legislation to ensure its activities conform with Canada's democratic values and norms, as well as transparency and accountability.
If the government is truly focused on security for Canadians, should we not start by reviewing the gang and organized crime evidence showing that our present policies have failed? Should we not look at safety and security in our bail reform to protect innocent Canadians who become victims?
If Bill C-26 is a step in protecting Canada from cybersecurity threats, what is the review process to ensure compliance? What is the review process to ensure effectiveness and goals are met when we look at Bill C-75 regarding bail reform? The NDP-Liberal government is not interested in reviewing bail reform even though the evidence clearly shows that Bill C-75 failed.
Cybersecurity is important to our country's security, as are the victims of crime after their safety and security are violated. I am deeply concerned that the government is struggling with evidence-based information to review Bill C-26, as Bill C-75 and Bill C-5 are not supported by evidence. In fact, offenders and criminals are a higher priority than their victims are. My concern is if Bill C-26 requires amendment or review.
Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start.
In conclusion, I would like to see some clear accountability to ensure the objectives of this bill are met and that a proper review process is conducted that holds individuals, corporations, and most importantly, our government accountable.
1232 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I am hearing some contradictions from my Conservative colleagues today. My colleagues in the Bloc have perhaps done a better job than me of explaining the importance of banning Huawei and the fact that Canada has been slow to do so. My Conservative colleague also mentioned it, but one of the Conservative leadership candidates actually worked for Huawei, so one wonders which way the Conservatives are leaning.
I met with an interdisciplinary cybersecurity research group and learned some fascinating things. Canada's bureaucracy is really slow when it comes to cybersecurity. The research chair at the Université de Sherbrooke criticized the fact that the cybersecurity issue was allowed to drag on under the pretext that it was not yet an election issue. Now it is finally becoming one. That is exactly what we are seeing right now with China's interference.
The Conservatives were not very quick either, because we are behind many other countries. The first RCMP report on cybercrime was not released until 2014, and the report was criticized at the time for containing no numbers, no statistics. The comments were general and predictable, and there were no forecasts. Things have not happened fast enough.
Here we are in 2023, and we really have a lot of ground to make up compared to many other countries, especially European countries. I think it is time to turn this over to the committee, make up for lost time, and pick up the pace on this bill.
250 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, there is a pressing need to secure Canada's critical infrastructure against cyber-threats.
Computer systems, which run our health care, energy and financial systems, are targets for criminals and foreign adversaries to attack. Disruption of medical services at a hospital or electricity through a grid would have severe consequences, possibly including injury or death.
This is exactly what happened on October 30, 2021, in my province of Newfoundland and Labrador. My hon. colleague across the way agrees with what I am saying because he, his family members or his friends, I am sure, had some of their personal information breached in that attack.
Personal information belonging to thousands of patients and employees was obtained through a cyber-attack on Eastern Health. In fact, over 200,000 files were taken from a network drive in Eastern Health's IT environment. Over 58,000 patients and almost 300 staff and former staff had their personal data breached.
The information taken included health records, medicare plan numbers, dates of birth, names and addresses. In fact, some even had their social insurance numbers taken. The immediate result was that a complete shutdown of the health care system took place throughout the entire province.
Patients who had waited through the pandemic found that critical care for such things as cancer and heart disease were put on hold. Many had to wait weeks or even months to have their appointments rescheduled. Some of these folks had poor outcomes. In fact, people's lives were shortened in some cases as a result of the cyber-induced shutdown of the health care system in Newfoundland and Labrador.
This is very serious stuff. This was not the first time such a cyber-attack happened in Canadian health care. In October of 2019, three hospitals in Ontario were victimized in a similar fashion.
On another note, a pipeline company in the United States fell victim to hackers in 2021. This led to diesel and jet fuel shortages, disrupting most of the economy of the eastern seaboard of our neighbour to the south.
These are just a few examples of catastrophic outcomes resulting from cyber-attacks in recent years. Canadians need protection from these types of attacks. This legislation is intended to align with the actions of our allies in the Five Eyes. This bill would give clear legislative authority to the government to prohibit high-risk entities, such as Huawei, from assuming critical roles in our cyber-infrastructure.
This legislation is filled with good intentions. Currently, a cybersecurity incident is defined as:
an incident, including an act, omission or circumstance, that interferes or may interfere with
(a) the continuity or security of a vital service or vital system; or
(b) the confidentiality, integrity or availability of the critical cyber system.
There is no indication given as to what would constitute interference under the bill. Does this mean that the cyber-attack on Newfoundland and Labrador health care would not be classified as interference?
In addition, there is no timeline specified in this bill for the reporting of cybersecurity incidents to the CSE and the appropriate regulator. The bill says that reporting must be immediate. “Immediate” is not interpreted in this bill. Is it one hour, one day or one week? This is something we need to know.
In terms of civil liberties and privacy, technical experts, academics and civil liberties groups have serious concerns about the size, scope and lack of oversight of the powers that the government would gain under the bill.
In late September 2022, the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group and the Privacy and Access Council of Canada, as well as several other groups and academics, released their joint letter of concern regarding Bill C-26.
While stating the collective's agreement with the goal of improving cybersecurity, the joint letter goes on to state that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.
The joint letter outlines several areas of concern, including increased surveillance. The bill would allow the federal government “to secretly order telecom providers to ‘do anything, or refrain from doing anything’” necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.
While this portion of the bill goes on to list several examples of what “doing anything” might entail, including, for example, prohibiting telecom providers from using specific products or services from certain vendors or requiring certain providers to develop security plans, the collective expresses the concern that the power to order a telecom to do anything “opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards”.
Bill C-26 would allow the government to “bar a person or company from being able to receive specific services, and bar any company from offering these services to others, by secret government order”, which raises the risk of “companies or individuals being cut off from essential services without explanation”.
The bill would provide for a collection of data from designated operators, which could potentially allow the government “to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”
There is a lack of “guardrails to constrain abuse”. The bill would allow the government to act without first being required to perform “proportionality, privacy, or equity assessments” to hedge against abuse. This is concerning to the collective, given the severity of the penalties available under the statute.
There is the potential for abuse by the Communications Security Establishment, the federal agency responsible for cybersecurity but, more prominently, signal intelligence. The CCSPA would grant the CSE access to large volumes of sensitive data. However, it would not constrain its use of such data to its cybersecurity mandate.
The civil liberties of Canadians are already under attack. Bill C-26 does not accurately enough define how our civil liberties would be protected. Given the need for protection from cyber-attacks, a bill like this is quite necessary, no doubt.
In its current form, with so many unknowns for Canadians, I will not be able to support it. However, I do support sending it to committee for some input from Canadians and for some fine tuning, to turn it into an instrument to protect us all from cyber-attacks.
1093 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
