SoVote

Mr. Rob Morrison (Kootenay—Columbia, CPC)

Mar/6/23 12:19:11 p.m.
Watch
Re: Bill C-26

Madam Speaker, it is always an honour to rise in the House, especially when I can talk about safety and security. I always try to enhance safety and security for Canadians at home and abroad, for our corporations that are major contributors to our economic base, and of course, for government institutions. Today, discussing cybersecurity in Canada is an opportunity to enhance our country's ability to protect us from cyber-threats. Security is a significant concern for all Canadians. Lately, with the rise in organized crime and gang offences to the tune of a 92% increase in gang crime, I have to wonder when the government will be led by evidence, or in other words, provide evidence-based action. It is extremely important for our country to have cybersecurity to protect itself from threats, and I welcome Bill C-26. However, I am apprehensive about how successful this bill may be since accountability is a question that the opposition brings up every day in this House. Bill C-26 is basically divided into two parts. The first part aims to amend the Telecommunications Act to promote the security of the Canadian telecommunications system. It aims to do this by adding security as a policy objective to bring the telecommunications sector into line with other infrastructure sectors. By amending the Telecommunications Act to secure Canada's telecommunications systems and prohibit the use of products and services provided by specific telecommunications service providers, the amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure, as well as the removal and termination of related 4G equipment by 2027. Of concern is the time it took the government to react to enforce the ban on Huawei. The second part aims to enact the critical cyber systems protection act, the CCSPA, which is designed to protect critical cybersecurity and systems that are vital to national security or public safety or are delivered or operated within the legislative authority of Parliament. The purpose of the CCSPA is to ensure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third party products and services; protect critical cyber systems from being compromised; ensure the proper detection of cybersecurity incidents; and minimize the impacts of any cybersecurity incidents on our critical cyber systems. The effects of this bill will be far-reaching, and there are some points to consider: The government would have the power to review, receive, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada. There would also be mandatory cybersecurity programs for critical industries, as well as the enforcement of regulations through regulatory and law enforcement with potential financial penalties. Under both provisions, the Governor in Council and the Minister of Industry would be afforded additional powers. If any cybersecurity risks associated with the operator's supply chain or its use of third party products and services are identified, the operator must take reasonable steps to mitigate these risks. While the bill does not indicate what steps would be required from the operators, such steps may be prescribed by the regulations during a committee review. The act also addresses cybersecurity incidents; a cybersecurity incident is defined as an: incident, including an act, omission or circumstance, that interferes or may interfere with (a) the continuity or security of a vital service or vital system; or (b) the confidentiality, integrity or availability of the critical cyber system touching upon these vital services. It does not indicate what would constitute interference under the act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the act does not prescribe any timeline or indicate how “immediately” should be interpreted. Again, there is an opportunity to address this at committee. There are some concerns with Bill C-26 as it is presently drafted. What the government might order a telecommunications provider to do is not clearly identified. Moreover, the secrecy and confidentiality provisions of the telecommunications providers to establish law and regulations are not clearly defined. As has been brought up today, potential exists for information sharing with other federal governments and international partners, but it is just not defined. Costs associated with compliance with reforms may endanger the viability of small providers. Drafting language needs to be in the full contours of legislation, and that could be discussed at committee as well. In addition, there should be recognition that privacy or other charter-protected rights exist as a counterbalance to proposed security requirements, which will ensure that the government is accountable. Some recommendations, or ones derived from them, should not be taken up, such as that the government should create legislation requiring the public and telecommunication providers to simply trust that the government knows what it is doing. Of course, this is a challenge. Telecommunications networks and the government must enact legislation to ensure its activities support Canada's democratic values and norms of transparency and accountability. If the government is truly focused on security for Canadians, should we not be reviewing our gang and organized crime evidence? Our present policies have failed. Should we not look at the safety and security of our bail reform in an effort to prevent innocent Canadians from becoming victims? Bill C-26 is a step in protecting Canada from cybersecurity threats. What is the review process to ensure compliance and effectiveness, as well as that goals are met? In terms of bail reform, even though the evidence clearly shows that Bill C-75 has failed, we see that the NDP-Liberal government is not interested in reviewing bail reform. Cybersecurity is important to our country's security; so are victims of crime after their safety and security has been violated. I am concerned that the government is struggling with evidence-based information to review Bill C-26, as it has with Bill C-75 and Bill C-5. These bills are not supported by evidence. In fact, offenders and criminals have a higher priority than victims do. My concern is as follows: If Bill C-26 requires amendments and review, will the government follow up? It is so important to be flexible and to be able to address changes, especially in a cybersecurity world, which changes so rapidly. Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start. However, since this bill proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security, I would like to see individuals, corporations, and most importantly, the government held accountable. There should also be measures to ensure that the objectives of the bill are met and that there is a proper review process. As I have stated, government accountability has not been a priority. For the proposed bill to succeed, there have to be processes for review and for updating the critical cyber systems protection act. The failure of Bill C-75 on bail reform is clear with recent violent acts by murderers and individuals who should never have been out on bail. Today we are debating Bill C-26, and I would hope that there are lessons learned from our failure to review Bill C-75. In addition, we can learn from the failure of Bill C-5, as gang violence and organized crime rates are up 92%. Surely the government will open a door for review and making required changes to Bill C-26 on cybersecurity. I am thankful for the time to speak on the responsibilities related to cybersecurity.

1289 words

All Topics

Context: House Hansard - 164 - Mar/6/23

Mr. James Bezan (Selkirk—Interlake—Eastman, CPC)

Mar/6/23 1:02:49 p.m.
Watch
Re: Bill C-26

Madam Speaker, I am pleased to be able to rise in this place today and speak to Bill C-26, a bill that we as Conservatives are supporting to get to committee. I have a lot of concerns around the bill itself, in terms of making sure that the government did not make a number of errors in judgment in putting it together. These concerns are based on the feedback we have received from Canadians and from organizations, especially on the issues surrounding privacy and the costs that have been offloaded to the private sector. I also have to raise my concerns. Here we are, eight long years under the Liberal government, and we know that, when it has come down to cybersecurity, it has been slow in responding. A good case in point was banning Huawei from our critical infrastructure, our 5G network. We know that the Liberals sat on their hands and tried to do nothing for most of the past seven years, before they were finally forced to act after a great deal of pressure was brought upon them by our allies, especially within the Five Eyes. Cybersecurity and national defence go hand in hand. When we talk about our national defence and national security, we know that hybrid warfare has evolved. It is now about more than just targeting military assets; it is about targeting the entire government as it is at play. All we have to do is look at what is happening in Ukraine today, as well as what has happened to a number of other allies we have, through NATO, in eastern Europe. We see the troll farms in St. Petersburg constantly attacking, on Facebook and on Twitter, the military individuals, the soldiers and troops, serving there. They also attack things like critical infrastructure in countries where Canadians are currently deployed, like Latvia. As we have witnessed in Ukraine and Estonia, they have not just gone after them through direct kinetic means to take out critical infrastructure, but they have also gone through cyberwarfare as well. The Russians have done this very effectively in knocking down financial systems, knocking down transportation systems, and taking out power and water infrastructure in places like Estonia. As a prelude to the war in Ukraine, before they had actually started bombing these civilian targets in Ukraine, they were attacking them on cyber. It is part of hybrid warfare and it is the evolution of war. There is a responsibility upon the Government of Canada to ensure that we are protecting not just our national infrastructure and the Government of Canada, that we are not just using CSE, or Communications Security Establishment, to protect national defence, but that we are also using a plethora of capabilities to ensure that our infrastructure here in Canada is protected. That includes preventing our adversaries from going after our soft targets. That is what I think Bill C-26 is trying to accomplish, to ensure that telecommunications companies in Canada are stepping up to do their share to protect Canadians from cyber-attacks. We know that cyber-attackers have gone after things like our health care systems. They have gone after the medical records of Canadians. They have gone after the education records of students at schools and at universities. They go after retailers. They can go in through a retailer's back door, harvest all sorts of personal data, especially credit card information, and then use that for raising money, for transnational criminal gangs or for ransomware, as we have witnessed as well. We must remember that we have a number of a maligned foreign actors at play here in Canada now and against our allies. It was just reported, again, that the People's Liberation Army was found guilty of hacking into U.S. critical infrastructure. We know that the People's Liberation Army, under the control of the communist regime in Beijing, continues to attack cybersecurity assets around the world, including trying to break through the Canadian cybersecurity walls of our government and national defence on a daily basis. As I mentioned, Russia has become very good at this. That does not mean that it is concentrating only on its near sphere of influence, NATO members in eastern Europe like Estonia, Latvia and Lithuania, but it is also targeting Ukraine. We know that it is targeting Moldova. We know that it has gone after countries like Romania, but it also does cyber-attacks here in Canada and in the United States. Russia continues to be an adversary and we have to stand on guard to protect Canadians from those attacks. We know that Iran, the regime in Tehran, is continuing to be a government that attacks its neighbours and attacks Israel and Canada through cyber-means. North Korea has developed an entire cybersecurity and cyberwarfare unit and continues not to just wreak havoc with the democratically elected, peaceful South Korea, but has also gone after Japan and the Phillippines, and is going after U.S. infrastructure as well. Therefore, we have to take the necessary steps to make sure we can deal with transnational criminal organizations, with nefarious foreign states and with those who are trying to get rich through ransomware. Here in Canada just a couple of years ago, we saw a situation in regard to the Royal Military College in Kingston, which the member for Kingston and the Islands is certainly aware of. The Department of National Defence stated that RMC had been a target. It originally called it a mass phishing campaign, but a month after the incident, it was established that the phishing campaign was actually a cyber-attack going after financial information and personal data of cadets. These had been compromised and published on the dark web, and were made available to a lot of people who participate on the dark web to profiteer from that information. According to several observers who looked at the hack of RMC Kingston, it was attributed to a cybercriminal group called DoppelPaymer that did not seem to be connected to a nation-state actor. There are criminal organizations out there that are going about their criminal activities in such a way as to extract dollars from governments, retailers and private citizens, as well as from other corporations, to line their pockets and continue doing other nefarious things that sometimes go beyond the cyberworld. I have said in the past, when we have talked about other legislation here dealing with cybersecurity, that we not only need the ability to defend, but also that the government has the responsibility, especially under national defence, to attack using cybersecurity. We cannot just be here deflecting the arrows; sometimes we have to be able to shoot down the archer. The way we do that is by having a very robust cybersecurity system. We need the best capabilities and the best personnel who are able not only to sit here and defend, that is to put up shields and fight off the attacks, but also are able to go out there and take out the adversaries, to knock out their systems, so that we are safer here at home. With regard to some of the criticisms that have come out, I know that letters have come in from the Canadian Civil Liberties Association, and the Business Council of Canada wrote a very detailed brief, as did the Citizen Lab in looking at the bill. When we read through the documentation, we see that one of the concerns that has been raised, especially by the Business Council of Canada, is that there seems to be an imbalance. We are telling members of corporate Canada to go out there and make sure they have the proper cybersecurity systems in place, but at the same time we realize that it is not just up to them to do the defending. What we see is that the corporations are saying that either they have to do it or we are going to fine them up to $15 million or five years of jail time, and that the individuals who work for them could also be held criminally responsible for not doing enough. Sometimes resources are not available. Sometimes there are new companies that may not have the ability to put in place the proper security systems. I look at a lot of the Internet service providers that we have, for example. They are covered under the Telecommunications Act, yet, as new start-ups, they may not have the personnel or the equipment to properly defend their networks. Would we go ahead and fine these companies up to $15 million? Then what would we do in regard to jail time and fines for those criminal organizations that are profiteering through cyber-attacks? Where is the balance in this? That is one of the concerns we have and one of the things we have to look at through our study at the industry committee when it brings this forward. A huge concern has been raised, especially by the Canadian Civil Liberties Association, on how this would be implemented and how it may affect the privacy rights of Canadians at the individual level. Corporations have broader responsibilities and do not necessarily fall under the charter, but their clients who they are going to protect and the information they are going to be required to share with the Government of Canada could very well be violations of their clients' privacy rights. When we look at section 7 of the Charter of Rights, we have to balance the right to life, liberty and security of a person with section 8 of the charter which says that we have freedom from search and seizure. When we drill down on section 8 and go to some of the legal analysis of our charter, as all the rights and freedoms are laid out, it tells us that the underlying values of freedom from search and seizure when it comes to individual privacy is the value of dignity, integrity and autonomy. Again, I think we are all concerned that when we look at Bill C-26 at committee, we ensure the bill balances those rights of the individual to be both secure and safe from cyber attacks, but do it without compromising privacy rights and charter rights as described in freedom from search and seizure. The way we do that is through warrants. We know that through National Defence, the Communications Security Establishment, or CSE, which has a long-standing history of defending the Canadian Armed Forces, has to comply with the charter. It has to comply with all Canadian legislation and it cannot do indirectly what it is prohibited doing directly. Therefore, CSE cannot go to the National Security Agency, or NSA, of the United States, say that it is concerned that a Canadian maybe talking to a terrorist organization offshore and ask the agency to spy on that individual because CSE is prohibited from spying on the person and listening in through the Communications Security Establishment. CSE cannot go to the NSA and ask it to violate Canadian law on its behalf to find out what is happening in the same way CSIS cannot go to the FBI or the CIA and ask it to spy on Canadians. It cannot do indirectly what it is prohibited from doing directly under Canadian law. The way to get around that is to apply for warrants. Judicial appointments are made to have supernumerary justices over these organizations to ensure that charter rights are protected, even when conversations take place inadvertently. In the past, CSE has listened in on people who may have been in Afghanistan funding the Taliban or al Qaeda. They may have family in Canada and were talking back and forth about something that had nothing to do with operations on al Qaeda or the Taliban. However, because it involved a Canadian citizen, it had to go through the proper processes to ensure that his or her charter rights were protected by getting a warrant to listen to those conversations. Whether they were listening electronically or through wire taps, it is all mandated to watch that we do not trip over the rights of Canadians under legislation. Bill C-26 would not address this like we have under the National Defence Act, under the Criminal Code and under the whole gamut of cybersecurity that has been in place up to date. The privacy rights are paramount. To come back to Bill C-26, the Supreme Court of Canada said in 1984, as well as in 1988, that privacy was paramount and was “at the heart of liberty in a modern state”. Again, did the Liberal government ensure the bill was tested first to ensure those privacy rights were protected? This is what we will have to find out when we get Bill C-26 in front of committee. We can look at information that has come from places like the Business Council of Canada. One of the concerns it raises goes back to this whole issue of huge fines on Canadian corporations, as well as the employees of those corporations, if they are found to have been not responsible enough to put in place proper security protocols to protect their clients from cyber attacks. Because it goes against individual employee as well, we will create another brain drain from Canada. We are unfairly targeting Canadian employees who are going to be working for these cybersecurity firms, working in the telecommunications sector and in our financial institutions. If they are found to have erred, which a lot of times it is by error or by a lack of resources, then they are held criminally responsible and they are fined. The question becomes why they would want to work in Canada when they are afforded better protections in places like the United States, the European Union, the United Kingdom or Australia, which was held up by the Business Council of Canada as the gold standard we should be striving to achieve, and what it has done through their own cybersecurity protocols. We want to ensure that we protect critical infrastructure, but we do not want to chase away very good Canadian employees and force them, with their skills, to go offshore where they have better protection and probably better pay. We want to ensure we keep the best of the best here. We want to ensure we do not go through a brain drain, as we have witnessed before when the Liberals have targeted professionals in Canada, such as lawyers, accountants, doctors or anyone who set up a private corporation. Now I fear the Liberals are going after individuals again who we need in Canada to protect us here at home, that they are creating a toxic work environment and those individuals will want to leave. The Citizen Lab wrote a report entitled “Cybersecurity Will Not Thrive in Darkness”. It brought forward a ton of recommendations on how bad this bill was. It suggested that there needed to be 30 changes made to the act itself. We realize that the government has not done its homework on this. We need to ensure we get experts in front of us who are going to look at everything, such as there is responsibility upon government to help corporate Canada ensure we have the proper security mechanisms in place to prevent cyber attacks. We have to ensure that those corporations are not being coerced into sharing private information with the Government of Canada that could be a violation of private rights, which may be a violation of the Personal Information Protection and Electronic Documents Act, PIPEDA. We want to ensure that privacy rights will be cohesive, but, at the same time, collectively, we need to balance all federal legislation that is in contravention of each other. We need to bring in the legal experts. The Canadian Civil Liberties Association needs to be before committee. The Citizen Lab, which is very concerned about individual privacy rights, has to be front and centre in the discussion. We need to ensure the Business Council of Canada, the Canadian Chamber of Commerce and others are brought forward, along with the department officials who were responsible for drafting this bill at the direction of the Liberal government. I will reiterate that I will be voting in favour of the bill to ensure it goes to committee and the committee can do its homework. I would hope that the government will allow the committee to do a thorough investigation, as well as a constructive report with recommendations on how to change and amend the legislation. Finally, I would remind everyone that the Supreme Court of Canada said, “privacy is at the heart of liberty in a modern society”, and we have to take that to heart to ensure we protect Canadians from cyber attacks, as well as to ensure they have their privacy, dignity, integrity and autonomy respected.

2837 words

All Topics

Context: House Hansard - 164 - Mar/6/23

Hon. Marco Mendicino (Minister of Public Safety, Lib.)

Mar/6/23 2:34:05 p.m.
Watch

Mr. Speaker, as my hon. colleague, the Minister of Intergovernmental Affairs, has said, we take the threat of foreign interference very seriously, which is why we have taken concrete action, like putting in place threat reduction measures for CSIS and cracking down on foreign funding which could interfere with our domestic elections. With corresponding transparency through the creation of bodies like the National Security and Intelligence Committee of Parliamentarians to ensure that we are up front with Canadians, all members should be united in protecting our elections. They are sacrosanct. Canadians, and Canadians alone, determine them.

96 words

Context: House Hansard - 164 - Mar/6/23

Mr. Joël Godin (Portneuf—Jacques-Cartier, CPC)

Mar/6/23 5:39:52 p.m.
Watch
Re: Bill C-26 Bill C-13

Mr. Speaker, as the member for Portneuf—Jacques-Cartier, I am pleased to rise today to speak to Bill C-26. I want to say hello to all of the families who are taking advantage of March break to do fun activities in the beautiful riding of Portneuf—Jacques-Cartier. As I was saying, Bill C‑26 seeks to add the promotion of the security of the Canadian telecommunications system. It also seeks to provide a framework for the protection of the cyber systems that are vital to national security or public safety and create frameworks for the exchange of information. It goes without saying that these issues are very important to the official opposition, of which I am very proud to be a member. It is no secret that my Conservative Party of Canada colleagues and I are, and always have been, great defenders of public safety. It is part of our DNA. Industry and experts have asked the government many times to create cybersecurity standards, but it is important to act intelligently. There is a lot of instability in our modern world, and threats can come from anywhere. Cyber-threats are nothing new. This is not a recent thing. It is clear that this weapon is used as much by foreign governments, which have their own motives, as by individuals or groups seeking to do harm or make money, for God knows what motives. It happens everywhere, on both small and very large scales. Here are a few examples that illustrate this reality: data stolen from institutions or companies and held for ransom; the leak of personal information that affected millions of Desjardins members or customers in Quebec; and possible election interference from Beijing. No, we are not going to question the outcome of previous elections here. We do not believe that interference changed the overall outcome of those elections. However, electoral integrity is the foundation of our democracy, and it must be ensured and maintained. As a Canadian, I have the privilege of going abroad, and people recognize that we are concerned about protecting our democracy. We need to put measures in place to continue that. The fact remains that, over the past eight years, the government has been slow to crack down on cyber-threats. This is yet another example of a foot-dragging government finally coming up with a bill, but it turns out that bill has flaws that call for more thorough study in committee. I know for a fact that this issue is really important to Canadians. We will do the work to make sure this bill is the one Canadians need and deserve. Yes, people want to be safe. Actually, since I was elected in 2015, my constituents have regularly told me they are increasingly concerned about this issue, especially over the past year. What it comes down to is that confidence in the government and its ability to provide what people need and to keep its promises is essential. It is hard to have confidence in a government that keeps messing up pretty much everything. I could go on and on about Bill C-13 as an example of a government that makes promises but does not deliver. The government recognizes the decline of French across the country, even in Quebec, but it is trying to impose a bill that does little to address that decline. I know that that is not the subject today, but everyone knows how much I care about official languages, and I had to pass on the message. I would like to conclude by sharing a very real situation that occurred in my riding. One of my constituents wrote to me about a serious handling error made by Passport Canada. I would like to inform the House that this is the first time this situation has been discussed publicly. He sent me a letter, and I would like to read it. Dear Sir/Madam: I am taking the time to write you a brief note to let you know about what I would describe as a “serious” security flaw within Passport Canada pertaining to the confidential information of Canadian citizens. It is very important in terms of a timeline. In early January, 2023, I applied for passports for my three children at Passport Canada. On February 1, 2023, I received three envelopes containing our passport applications, which were rejected because we forgot to tick a box. Inside the envelope I also received the rejected application of a woman from British Columbia. I therefore had in my possession her full identification, her passport and her credit card information. I returned those very sensitive documents by express post with a tracking number to Passport Canada. I filed a complaint out of principle thinking that, although it was just a mistake, it was still worth reporting through Passport Canada's website, so I followed the official procedure. I got a call back. Passport Canada apologized. Nothing more. They refused to compensate me for the cost of returning the documents belonging to the woman from British Columbia. I was told, however, that our applications would be prioritized. On February 15, 2023, I received four envelopes. I was quite pleased, as I thought we'd finally received our children's passports, but we have three children, not four. As it turns out, our children's passports weren't inside those envelopes. Instead, there were the passport applications (including full identification, passport, original birth certificates, complete credit card data, etc.) of four people from across Canada. These are four different people who have no connection to one another. What is not stated in the letter is that these people were from Sherbrooke, Ontario, Manitoba and Alberta. That is incredible. A few days later, we finally received our three children's passports. As it is obvious, I don't feel I need to explain in my letter the seriousness of receiving the full identification of these people and information that could be used to carry out fraudulent financial transactions by total strangers. We can't fathom that such mistakes would be made by a recognized federal organization such as Passport Canada, which manages the personal and financial information of so many Canadians. We can't believe that these are two isolated incidents. This is a very simple task that requires putting the right documents in the right envelope. That's it. I no longer trust Passport Canada's administration at all. That is why I am entrusting you with the identity documents, which don't belong to us. I no longer trust Passport Canada's “internal” complaint process, as it will certainly try to cover up this failure, and will only offer an apology. I am most pleased to read the following excerpt from the letter: We trust our MP. I'm always available to answer any questions. Yes, cybersecurity matters, but the government also needs to take responsibility for the existing systems. It cannot even handle paper documents, but now it wants to allow a minister to step in and be able to manipulate and control information. I am concerned. I have shown that we have a problem in Canada. We recognize that. We have a problem when it comes to cybersecurity, but we have a problem on other levels too. I would like to see this government take responsibility. Like my constituent who gave me the documents mentioned, I had to ask myself, what do I do with these documents now? Do I return them to Passport Canada, or do I give them to the minister responsible here? That is a very important question. Let us get back to the subject at hand, Bill C-26. I am very interested in having measures in place to protect us. It is important that we have confidence in our systems. As a member of the Conservative Party of Canada, I have a lot of confidence in the Conservative members who sit on the committee, as well as members of the Bloc Québécois, the NDP and even the Liberal Party. Things are normally supposed to be neutral in committee. I must say that I believe in the future. Having said that, we need to put measures in place to have concrete results. Let us work in committee.

1398 words

Context: House Hansard - 164 - Mar/6/23

Mr. Fraser Tolmie (Moose Jaw—Lake Centre—Lanigan, CPC)

Mar/6/23 6:02:55 p.m.
Watch
Re: Bill C-5 Bill C-26

Mr. Speaker, it is always an honour to rise in this House on behalf of the people of my riding of Moose Jaw—Lake Centre—Lanigan. The safety and security of our nation is of paramount importance, and I understand the need to enhance the safety and security of Canadians, both here at home and abroad. This would include many of our international corporations, which are large contributors to our economic base, and of course our own government institutions and interests. Having the opportunity to speak to cybersecurity in Canada gives us an opportunity to enhance or increase our country's ability to protect us from cyber-threats. A significant concern for all Canadians is security. This concern has increased in recent times, as we see the rise in organized crime and gang-related offences, which have gone up 92%. The question I ask myself when I see this increase is this: Will the Liberal government be led by evidence and act on the evidence that has been reported? Cybersecurity is extremely important for our nation to protect itself from inside and outside threats. I welcome Bill C-26, but I do have some concerns pertaining to the success of the bill, and one concern is about accountability. This is a question that we in opposition bring up every day in this House and regularly. Bill C-26 is essentially divided into two different parts. The first part is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system, adding security as a policy objective; to bring the telecommunications sector in line with other infrastructure sectors; and to secure Canada's telecommunications system and prohibit the use of products and services provided by specific telecommunications service providers. This amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure and would remove or terminate 4G equipment by the year 2027. What stands out to me, which has been a concern, is the time that it took the government to react to enforce the ban on Huawei. The second portion of this bill is to enact the critical cyber systems protection act, or CCSPA, designed to protect critical cyber systems and “systems that are vital to national security or public safety and that are delivered or operated...within the legislative authority of Parliament.” As a report by Norton Rose Fulbright notes, the purpose of the CCSPA is, first, to “[e]nsure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third-party products and services”; second, to “[p]rotect critical cyber systems from being compromised”; third, to “[e]nsure the proper detection of cybersecurity incidents”; and finally, to “[m]inimize the impacts of any cybersecurity incidents on critical cyber systems.” The impacts of this bill would be far-reaching, and here are the things that need to be considered when this bill is in place. The government would have the power to receive, review, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada; to make mandatory cybersecurity programs for critical industries; and to enforce regulations through regulatory and legal enforcement, with potential financial penalties. With this in place, the Governor in Council and the Minister of Industry would be afforded additional powers. As the report notes: If any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks. While the Act doesn’t give any indication of what kind of steps will be required from operators, such steps may be prescribed by the regulations [at committee]. It goes on: The Act also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems touching upon these vital services and systems. No indication is given as to what would constitute interference under the Act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the Act does not prescribe any timeline or give other indication as to how “immediately” should be interpreted. Some deficiencies in Bill C-26, as it is presently drafted, can be listed as follows: The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded. The secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations. There is a potential for excessive information sharing within the federal government and with international partners. The costs associated with compliance with reforms may endanger the viability of smaller providers. The vague drafting language means that the full contours of the legislation cannot be assessed. There exists no recognition of privacy or other charter-protected rights as a counterbalance to the proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government. Should these recommendations or ones derived from them not be taken up, the government could be creating legislation that would require the public and telecommunications providers to simply trust that it knows what it is doing and that its actions are in the best interests of everyone. Is it reaching the right decision to say that no need exists for broader public discussion concerning the kinds of protections that should be in place to protect the cybersecurity of Canada's telecommunications and networks? The government could amend its legislation to ensure its activities conform with Canada's democratic values and norms, as well as transparency and accountability. If the government is truly focused on security for Canadians, should we not start by reviewing the gang and organized crime evidence showing that our present policies have failed? Should we not look at safety and security in our bail reform to protect innocent Canadians who become victims? If Bill C-26 is a step in protecting Canada from cybersecurity threats, what is the review process to ensure compliance? What is the review process to ensure effectiveness and goals are met when we look at Bill C-75 regarding bail reform? The NDP-Liberal government is not interested in reviewing bail reform even though the evidence clearly shows that Bill C-75 failed. Cybersecurity is important to our country's security, as are the victims of crime after their safety and security are violated. I am deeply concerned that the government is struggling with evidence-based information to review Bill C-26, as Bill C-75 and Bill C-5 are not supported by evidence. In fact, offenders and criminals are a higher priority than their victims are. My concern is if Bill C-26 requires amendment or review. Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start. In conclusion, I would like to see some clear accountability to ensure the objectives of this bill are met and that a proper review process is conducted that holds individuals, corporations, and most importantly, our government accountable.

1232 words

All Topics

Context: House Hansard - 164 - Mar/6/23

Mr. Blaine Calkins (Red Deer—Lacombe, CPC)

Mar/6/23 6:12:14 p.m.
Watch
Re: Bill C-26

Mr. Speaker, I really appreciate the debate and the questions my colleague posed. I think most Canadians back home watching this are wondering what the technical nuances are of everything we are discussing with respect to this legislation. We have even had some members of Parliament stand up here and say that they do not feel properly equipped to have this conversation. I think one thing that everybody back home can relate to is seeing something on the news stating that the credit card information of a million people has been stolen or the data of some businesses that might have their personal information is now being held hostage in a ransomware attack. That is why this is a very important debate. I will be speaking about this a bit later. I think the bill is missing the component of protecting the personal information of Canadians. Can my colleague tell us his thoughts on the bill in this regard? My speech will focus on the advances in technology and network infrastructure, as well as the rapid pace of technological development. With this bill, would we actually be able to keep up with the threats we are facing?

197 words