44th Parl. 1st Sess.
March 6, 2023 11:00AM
Madam Speaker, I will be splitting my time with the member for Kootenay—Columbia.
I am pleased to rise in the House today to speak to Bill C-26, the critical cyber systems protection act, introduced in June 2022 and split into parts 1 and 2. The former aims to amend the Telecommunications Act to include:
the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.
The latter outlines the introduction of the critical cyber systems protection act, which would create a new regulatory regime requiring designated critical infrastructure providers to protect their cyber systems.
I would like to emphasize that the safety and security of our telecom industry, with particular reference to foreign adversaries such as the Beijing Communist Party, has been a broad theme in communications lately. This is especially concerning the controversial Bill C-11, the online streaming act, or, should I say, government censorship, and new revelations from the Canadian Security Intelligence Service, CSIS, flagging election interference from those involved with the Beijing Communist Party.
We Conservatives believe it is of paramount importance to defend the rights and interests of Canadians from coast to coast to coast. Thus, Canada's national security should be strongly well equipped to be prepared for cyberwarfare threats that could be presented by emerging digital technologies, intelligent adversaries or authoritarian artificial intelligence.
The NDP-Liberal government has had a long record of denying Canadians the truth. Instead of protecting their rights and freedoms, the government uses deflection tactics to divide Canadians, pitting them against one another to distract from the real issue: that the NDP-Liberal government has been too slow to address cyber-threats. For this critical lack of action, Canada has seen several serious incidents occur with no substantive legislative response for over seven years. After years of chronic mismanagement and utter failure, it is time for the government to step aside and let the Conservatives turn Canadians' hurt into hope.
We support the stringent and thorough examination of this legislation. We will always defend and secure the security of Canadians, especially with regard to cybersecurity in an increasingly digitized world. There is a pressing demand to ensure the security of Canada's critical cyber-infrastructure against cyber-threats. Let us not forget that these very systems lay the foundation of the country as a whole. It is these cyber systems that run our health care, banking and energy systems, all of which should be guarded against the cybercriminals, hackers and foreign adversaries who want to infiltrate them.
Akin to several other Liberal ideas, a number of aspects of this bill require further review, and it should thus be sent straight to committee where it can be further dissected and refined to ensure that all flaws are addressed. One can only imagine the disaster that a hospital system crash would add to the already horrible wait times in emergency rooms and shortages of medical professionals thanks to the NDP-Liberal government. The results would be disastrous. Furthermore, disruption of critical cyber-infrastructure in health care can bring severe consequences, such as enabling cybercriminals to access confidential patient health care information.
While we understand that it is imperative to provide the resources necessary to effectively defend against cyber-threats, it is still equally important to ensure that the government does not overreach on its specified mandate through Bill C-26. A research report written by Christopher Parsons called “Cybersecurity Will Not Thrive in Darkness” highlights some recommendations to improve Bill C-26. Among these recommendations is an emphasis on drafting legislation to correct accountability deficiencies, while highlighting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These restrictions are critical, especially concerning the sweeping nature of Bill C-26, the critical cyber systems protection act, as outlined in parts 1 and 2, which I have explained in my opening statement.
The sweeping nature of this legislation is not new, particularly for the Liberal government. It even goes back to Bill C-11, the online streaming act, which essentially placed the Liberal government as the online content regulator controlling what Canadians see or listen to online. If members ask me, the government policing what Canadians view online is a cyber-threat in its own way, but I will not get into that right now.
There are other flaws in Bill C-26 that I would like to highlight, which brings us back to having Bill C-26 closely reviewed in committee.
In terms of civil liberties and privacy, some civil liberties groups have flagged serious concerns regarding the scope and lack of oversight around the powers that may be granted to the government under Bill C-26. In September last year, the Canadian Civil Liberties Association, along with other groups, released a joint letter of concern regarding Bill C-26, highlighting that the bill is “deeply problematic”, like several other questionable Liberal policies. They went on to further explain that Bill C-26 “risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.
From an economic perspective, the bill lacks recognition of foreseeable impacted enterprises, such as small and medium-sized businesses, which will undoubtedly bring forth unintended consequences. According to the Business Council of Canada, some concerns include the lack of transparency seen through the one-way sharing of information. This brings about serious concerns. Operators are required to provide information to the NDP-Liberal government, yet those same operators are not entitled to receive any information back from the government or other cyber-operators. This whole information-sharing regime is lacking and, simply put, completely misses an opportunity to implement a transparent information-sharing system that would benefit all parties involved.
There is also concern regarding government overreach. Considering what powers would be granted to the government to order what a telecommunications provider has to do under Bill C-26, I would have expected to see sufficient evidence to support this overreach. However, that was not addressed at all, if not vaguely, in this bill. This, on top of blatant disregard for the recognition of privacy and other charter-protected rights, proves how the government only cares about granting itself more and more power, even in the face of blatant transparency and accountability concerns like election interference or the Bill C-11 censorship bill.
I only highlighted a few of the several highly valid concerns regarding this critically flawed bill. Obviously, it is important to defend national cybersecurity and defend against cybercriminals or foreign threats. However, there is a fine line between upholding the best interests of Canadians and just using another faulty bill as a power grab for the NDP-Liberal government, despite concerns regarding cyber systems, privacy and security infrastructure.
We Conservatives believe that it is of paramount importance to truly defend the rights and interests of Canadians from coast to coast to coast. One of the best ways this can be done is by securing Canada's cyber-infrastructure from attacks. While we welcome the idea of protecting the interests of Canadians in terms of cybersecurity, we want to flag that Bill C-26 has some highly concerning content that should be closely reviewed and discussed in committee to correct flaws and prevent potential overreach from the NDP-Liberal government. In the interest of protecting Canada's cyber-infrastructure, we must also guard against the sweeping government powers outlined in the critical cyber systems protection act.
1294 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, yes, I think we will be voting in favour of the bill. The problem is that although the bill would address the fact of cybersecurity as a very important thing we need to deal with, it seems like every type of legislation the Liberal government puts forward would also take away our rights and freedoms as Canadians. The Liberals always try to make sure the government is in charge, controlling what we can or cannot do. I think that is quite evident in this legislation when they start talking about one-way sharing of information.
97 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that was probably the briefest time I have ever heard the member speak in the House; it is shocking. I will do my best as well.
When we start talking about information sharing, all these companies have to provide information as to what they are doing to make cybersecurity safe in Canada. However, the government is not reaching out to the same companies and people to say what it is hearing about and what it is understanding. That is one of the biggest problems; it would not be a two-way sharing system but only a one-way sharing system. Once again, the government is trying to control what Canadians can or cannot do.
116 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is always an honour to rise in the House, especially when I can talk about safety and security.
I always try to enhance safety and security for Canadians at home and abroad, for our corporations that are major contributors to our economic base, and of course, for government institutions. Today, discussing cybersecurity in Canada is an opportunity to enhance our country's ability to protect us from cyber-threats.
Security is a significant concern for all Canadians. Lately, with the rise in organized crime and gang offences to the tune of a 92% increase in gang crime, I have to wonder when the government will be led by evidence, or in other words, provide evidence-based action. It is extremely important for our country to have cybersecurity to protect itself from threats, and I welcome Bill C-26. However, I am apprehensive about how successful this bill may be since accountability is a question that the opposition brings up every day in this House.
Bill C-26 is basically divided into two parts. The first part aims to amend the Telecommunications Act to promote the security of the Canadian telecommunications system. It aims to do this by adding security as a policy objective to bring the telecommunications sector into line with other infrastructure sectors.
By amending the Telecommunications Act to secure Canada's telecommunications systems and prohibit the use of products and services provided by specific telecommunications service providers, the amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure, as well as the removal and termination of related 4G equipment by 2027. Of concern is the time it took the government to react to enforce the ban on Huawei.
The second part aims to enact the critical cyber systems protection act, the CCSPA, which is designed to protect critical cybersecurity and systems that are vital to national security or public safety or are delivered or operated within the legislative authority of Parliament. The purpose of the CCSPA is to ensure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third party products and services; protect critical cyber systems from being compromised; ensure the proper detection of cybersecurity incidents; and minimize the impacts of any cybersecurity incidents on our critical cyber systems.
The effects of this bill will be far-reaching, and there are some points to consider: The government would have the power to review, receive, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada. There would also be mandatory cybersecurity programs for critical industries, as well as the enforcement of regulations through regulatory and law enforcement with potential financial penalties.
Under both provisions, the Governor in Council and the Minister of Industry would be afforded additional powers.
If any cybersecurity risks associated with the operator's supply chain or its use of third party products and services are identified, the operator must take reasonable steps to mitigate these risks. While the bill does not indicate what steps would be required from the operators, such steps may be prescribed by the regulations during a committee review.
The act also addresses cybersecurity incidents; a cybersecurity incident is defined as an:
incident, including an act, omission or circumstance, that interferes or may interfere with
(a) the continuity or security of a vital service or vital system; or
(b) the confidentiality, integrity or availability of the critical cyber system
touching upon these vital services. It does not indicate what would constitute interference under the act.
In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the act does not prescribe any timeline or indicate how “immediately” should be interpreted. Again, there is an opportunity to address this at committee.
There are some concerns with Bill C-26 as it is presently drafted. What the government might order a telecommunications provider to do is not clearly identified. Moreover, the secrecy and confidentiality provisions of the telecommunications providers to establish law and regulations are not clearly defined.
As has been brought up today, potential exists for information sharing with other federal governments and international partners, but it is just not defined. Costs associated with compliance with reforms may endanger the viability of small providers. Drafting language needs to be in the full contours of legislation, and that could be discussed at committee as well. In addition, there should be recognition that privacy or other charter-protected rights exist as a counterbalance to proposed security requirements, which will ensure that the government is accountable.
Some recommendations, or ones derived from them, should not be taken up, such as that the government should create legislation requiring the public and telecommunication providers to simply trust that the government knows what it is doing. Of course, this is a challenge. Telecommunications networks and the government must enact legislation to ensure its activities support Canada's democratic values and norms of transparency and accountability.
If the government is truly focused on security for Canadians, should we not be reviewing our gang and organized crime evidence? Our present policies have failed. Should we not look at the safety and security of our bail reform in an effort to prevent innocent Canadians from becoming victims?
Bill C-26 is a step in protecting Canada from cybersecurity threats. What is the review process to ensure compliance and effectiveness, as well as that goals are met?
In terms of bail reform, even though the evidence clearly shows that Bill C-75 has failed, we see that the NDP-Liberal government is not interested in reviewing bail reform. Cybersecurity is important to our country's security; so are victims of crime after their safety and security has been violated.
I am concerned that the government is struggling with evidence-based information to review Bill C-26, as it has with Bill C-75 and Bill C-5. These bills are not supported by evidence. In fact, offenders and criminals have a higher priority than victims do. My concern is as follows: If Bill C-26 requires amendments and review, will the government follow up? It is so important to be flexible and to be able to address changes, especially in a cybersecurity world, which changes so rapidly.
Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start. However, since this bill proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security, I would like to see individuals, corporations, and most importantly, the government held accountable. There should also be measures to ensure that the objectives of the bill are met and that there is a proper review process.
As I have stated, government accountability has not been a priority. For the proposed bill to succeed, there have to be processes for review and for updating the critical cyber systems protection act.
The failure of Bill C-75 on bail reform is clear with recent violent acts by murderers and individuals who should never have been out on bail. Today we are debating Bill C-26, and I would hope that there are lessons learned from our failure to review Bill C-75. In addition, we can learn from the failure of Bill C-5, as gang violence and organized crime rates are up 92%. Surely the government will open a door for review and making required changes to Bill C-26 on cybersecurity.
I am thankful for the time to speak on the responsibilities related to cybersecurity.
1289 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, we have seen an explosion in the impact of the digital world around the globe. Here in Canada, our systems are very complex, and we have some that are absolutely critical, which need to have the proposed protection.
We have a progressive government that is looking at this in a very serious manner. This is why we are bringing forward this legislation and recognizing the impact of cybersecurity threats. The opposition seems to support the principle of the legislation.
The member has recognized a number of areas in which he would like to see better definition and more details. I would suggest to the member that much of what he is looking for could best be had at the committee stage. If we get the bill to committee, could we look at what he is talking about in more detail? What are his thoughts on that?
148 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member is right. When we get to committee, we can iron out some of the flaws that we have seen in Bill C-26. It is going to be important to focus on accountability and the member did not address that. That is where this bill can either succeed or fail. We need to ensure there is an accountability process for the government, so when it follows through with Bill C-26, we have a process and we can go back and say we need to tweak or change something because cybersecurity changes so fast.
98 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am very pleased to be joining the debate today to offer some of my thoughts and perspective on Bill C-26, a much awaited bill on a cybersecurity infrastructure.
Bill C-26 is a good reminder to members that the Department of Public Safety and its subject matter is so much bigger than just firearms, because, of course, firearms and Bill C-21 have been dominating the news cycle for the last couple of months. That bill, in particular at the public safety committee, has occupied so much time and wasted so many resources. Bill C-26 is a good reminder that with cybersecurity we have so many other agencies that are dedicated to national security under the umbrella of public safety. Cybersecurity is a big subject matter. We also have Bill C-20, which is an important bill on oversight and accountability for both the CBSA and RCMP.
Today, we would not find many members in the House of Commons who are arguing against the need for better cybersecurity. All of the evidence out there points to this being a new and evolving threat. Artificial intelligence systems offer some interesting advantages, but with those advantages come threats and with those threats come actors who are determined to use them in nefarious ways that will harm and have harmed Canada's interests. We need a whole host of options to counter this threat. We need our national security agencies to take these threats with increased importance. We also need legislation to fill in the gaps and make sure that all of Canada's laws are up to date.
I have spent a lot of time on the public safety committee. We did a couple of reports that directly touched on this area. One of our first reports identified violent extremism. Our most recent study looked at the threat posed by Russia. We know that since Russia conducted its invasion of Ukraine, which has recently passed the one-year anniversary, it has also increased the threats that it offers to Canada and to like-minded countries. One of those areas is cybersecurity.
Our committee has not yet tabled its report, which should be tabled in the House of Commons soon so that members of the House and the public can not only see the results of the deliberations, but also see the important recommendations that the committee is going to make. However, we heard a lot of testimony during those committee hearings on the cyber-related threats from Russia. Many witnesses identified that those are among the most serious and relevant for Canada's public safety and national security, particularly in relation to critical infrastructure.
I want to set this table before I get into the nuts and bolts of what Bill C-26 is offering, but also set some of the problems that are in evidence with this first version of the bill.
We have to understand a few basic terms. The Government of Canada refers to critical infrastructure as the “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government”, whether that is the federal government, the provincial governments or our municipal governments. Because so many of those pieces of critical infrastructure are now tied into computer systems that are vulnerable to attack, a bill like this becomes quite necessary.
I could go on and on about all of the critical systems in our modern society and the range of sectors, from our energy production to our food distribution systems to our electricity grid and transportation networks and how our ports and our banking system work. If one were to interrupt any one of those services, it could create absolute havoc within any Canadian community or countrywide.
One of the witnesses we had during our public safety meetings on the topic of the threats posed from Russia, and this was just talking about the cyber-threat more broadly, was Jennifer Quaid, Executive Director of the Canadian Cyber Threat Exchange. She reminded our committee that there are nation-states that are conducting espionage and statecraft through the Internet, but there are also criminals who are engaging in cybercrime for financial gain.
In some cases, those criminal groups and the nation-states are working together. There is evidence of this not only in Russia but in places like North Korea and China, where it is almost like the policy that was in place back in the 1700s and 1600s, where privateers would go out and do a nation-state's bidding. In this modern-day version of that policy, there are criminal organizations that are working hand in glove with some nation-states to give them some plausible deniability, but the systems they are using do pose a very real threat to Canada.
One of our key witnesses during the study was Caroline Xavier, Chief of the Communications Security Establishment. She was not able to go into much detail or specifics, given the very sensitive nature of the topic, but she was able to assure the committee that cybercrime is absolutely the most prevalent and most pervasive threat to Canadians and Canadian businesses. She observed that the state-sponsored cyber programs of China, North Korea, Iran and Russia posed the greatest strategic threat to Canada, and that foreign cyber-threat activities have included attempts to target Canadian critical infrastructure operators, as well as their operational and information technology.
Leaving aside the government, it is important for members to realize that most of Canada's critical infrastructure is, by and large, in the hands of the private sector. This is going to underline some of the important elements of Bill C-26.
We also had testimony from David Shipley, Chief Executive Officer of Beauceron Security. He was relaying the same stuff about Russian criminal organizations working in tandem with the government, and saying that criminal gangs have crippled Canadian municipalities. They have gone after health care organizations. The range of malicious cyber-activity has absolutely extended to many small and medium-sized enterprises.
When we look at the reporting requirements of Bill C-26, one of the biggest gaps that we have in our system is the fact that many businesses, private enterprises, are loath to report the fact that their systems have experienced a cyber-attack. They may be threatened to not do so. There is also a very real concern about the institutional harm that could come from the public release of said information. A large corporation that relays to its customers that it has experienced a cyber-attack may find people are loath to do business with it if they are unsure that its systems are up to par.
I also want to highlight a recent example from 2021, where the Government of Newfoundland and Labrador experienced a health records cyber-attack on October 30. The investigation revealed that over 200,000 files were taken that contained confidential patient information.
One can just imagine that in a province the size of Newfoundland and Labrador the fact that over 200,000 files were taken, that is a shocking theft of personal and confidential information. It really underlines just how important addressing this is.
I also want to touch briefly on the topic of artificial intelligence. I want to read a quote from a recent Hill Times article. This is from Jérémie Harris who is one of the co-founders of Gladstone AI, which is an artificial intelligence safety committee. He says:
But perhaps more concerning are the national security implications of these impressive capabilities. ChatGPT has been used to generate highly effective and unprecedented forms of malware, and the technology behind it can be used to power hyperscaled election interference operations and phishing attacks. These applications—and countless other, equally concerning ones also enabled by new advances in AI—would have been the stuff of science fiction just two years ago.
He goes on to say:
...ChatGPT is a harbinger of an era in which AI will be the single most important source of public safety risk facing Canada. As AI advances at a breakneck pace, the destructive footprint of malicious actors who use it will increase just as fast. Likewise, AI accidents—now widely viewed by AI safety specialists as a source of global catastrophic risk—will take more significant and exotic forms.
Something all members of the House really have to be aware of is how, just in the last two years, AI has advanced so quickly. We can think about what AI will be capable of two years or a decade from now. Just as Mr. Harris said, what it is doing right now was inconceivable just two years ago. The fact that AI is now being used to generate unique code for malware indicates there is no telling what it can be used to do and how it could be used to wreak havoc. That underlies just how important this issue is and how seriously we, as parliamentarians, have to take it as we serve our constituents and do the important work of equipping our nation with the tools it needs to keep Canadians, and the critical infrastructure they depend upon, safe.
When I was a member of the public safety committee, I had a chance to speak with Mr. Harris. I actually put a motion on notice that the committee should be undertaking a study on the range of threats posed to Canada's public safety, national security and critical infrastructure, specifically by AI systems. I hope one day the committee can take that study up, but it is a committee with a very heavy workload. It is still trying to find its way through Bill C-21. It is waiting for Bill C-20 to arrive on its door and, of course, this bill, Bill C-26, would also keep committee members quite busy.
I would like now to turn to the specifics of Bill C-26 and what it is attempting to do. It is separated into two main parts. According to the summary of the bill:
Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.
There are a number of orders that the Minister of Industry could issue. For example, he or she could prohibit a TSP from using any specified product or service in its networks or facilities; direct a TSP to remove a specified product from its networks or facilities; impose conditions on a TSP’s use of any product or service; subject a TSP’s networks or facilities, as well as its procurement plans for those networks or facilities, to a specified review process. Those are just a few examples of how the minister's orders could be issued. The bill does require the Governor in Council or the Minister of Industry to publish these orders in the Canada Gazette, but there is an allowance in the bill to allow these provisions to be prohibited, so the government can prevent the disclosure of these orders within the Gazette if they feel they need to be kept secret.
Part 2 would enact a brand new statute of Canada, a critical cyber systems protection act, which would “provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety”. In schedule 1 of the government's bill there is a brief list. Vital systems and services can include telecommunication services, interprovincial or international pipelines and power line systems, and nuclear energy systems. Those are a few examples. A really important point is that the Governor in Council, through this bill, would be able to establish classes of operators and require designated operators to establish and implement cybersecurity programs.
This is where the bill would affect the private sector and make sure those cybersecurity programs are in place, especially when that private sector is involved in critical infrastructure. As a brief outline, with those cybersecurity programs, the expected outcomes would be that they could identify and manage any cyber-risk to the organization, including supply chain risks; prevent their critical cyber systems from being compromised; detect cybersecurity incidents; and limit the damage in the event a cybersecurity incident did occur.
I want to talk about concerns with the bill, because there are a lot of concerns. I have had the chance to speak with a number of organizations, but first and foremost was OpenMedia. I had a great conversation with the people there. There is a section on its website that specifically deals with Bill C-26. OpenMedia absolutely realizes that new cybersecurity protections are needed to protect Canada's infrastructure, but it believes they have to be balanced by appropriate safeguards, and this is to prevent their abuse and misuse.
We rely on these essential services, and their protection is important, but Bill C-26, as it is currently written, would give the executive branch huge sweeping powers. In my reading of the bill, there would not be enough accountability and oversight; there would not be enough review mechanisms for Parliament to check the power of the executive, and I think this is a critical point. I think, in principle, we have a good idea with the bill, but a lot of work will be needed at committee to ensure that this executive power would be checked and that it would fit within the parameters of the law. We absolutely must have that kind of parliamentary oversight.
I also know of the Canadian Civil Liberties Association, which said:
The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.
I think, at this stage, we want to ensure, with the minister's powers to order or direct service providers, and the requirement to comply with these orders, that these powers are being subjected to the appropriate safeguard mechanisms. They are quite broad, as currently written.
In conclusion, I want to see a bill that protects vulnerable groups from cyber-attacks. So many Canadians rely on these critical systems, and we know so many have been targeted and are being targeted as we speak, and we know these dangers are going to multiply and get worse the longer we go on. We want to make sure they are protected, but we want to make sure that we do not have broad unchecked ministerial powers with no public oversight. That is the balance that must be achieved.
I must express, in my closing minute, my personal frustration with how the Liberals draft their bills. The idea behind Bill C-26 is a good one, but the problem with how the Liberals drafted the bill is that it would give huge sweeping amount of power to the executive branch. I just wish they would have had the foresight to understand that, of course, these provisions would be met with opposition. It seems the Liberals are putting the work on committee members to fix the bill for them, rather than having had the foresight and intuition to understand that these are problematic elements of the bill.
I think a lot more work could have been done on the government's side to have presented a better first draft. I guess we have what we have to work with, but a lot of work is going to be needed to be done at committee, and I look forward to seeing members do that work.
I also look forward to voting for the bill at second reading and sending it to committee. I welcome any questions or comments from my colleagues.
2718 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am pleased to be able to rise in this place today and speak to Bill C-26, a bill that we as Conservatives are supporting to get to committee.
I have a lot of concerns around the bill itself, in terms of making sure that the government did not make a number of errors in judgment in putting it together. These concerns are based on the feedback we have received from Canadians and from organizations, especially on the issues surrounding privacy and the costs that have been offloaded to the private sector.
I also have to raise my concerns. Here we are, eight long years under the Liberal government, and we know that, when it has come down to cybersecurity, it has been slow in responding. A good case in point was banning Huawei from our critical infrastructure, our 5G network. We know that the Liberals sat on their hands and tried to do nothing for most of the past seven years, before they were finally forced to act after a great deal of pressure was brought upon them by our allies, especially within the Five Eyes.
Cybersecurity and national defence go hand in hand. When we talk about our national defence and national security, we know that hybrid warfare has evolved.
It is now about more than just targeting military assets; it is about targeting the entire government as it is at play. All we have to do is look at what is happening in Ukraine today, as well as what has happened to a number of other allies we have, through NATO, in eastern Europe.
We see the troll farms in St. Petersburg constantly attacking, on Facebook and on Twitter, the military individuals, the soldiers and troops, serving there. They also attack things like critical infrastructure in countries where Canadians are currently deployed, like Latvia. As we have witnessed in Ukraine and Estonia, they have not just gone after them through direct kinetic means to take out critical infrastructure, but they have also gone through cyberwarfare as well.
The Russians have done this very effectively in knocking down financial systems, knocking down transportation systems, and taking out power and water infrastructure in places like Estonia. As a prelude to the war in Ukraine, before they had actually started bombing these civilian targets in Ukraine, they were attacking them on cyber. It is part of hybrid warfare and it is the evolution of war.
There is a responsibility upon the Government of Canada to ensure that we are protecting not just our national infrastructure and the Government of Canada, that we are not just using CSE, or Communications Security Establishment, to protect national defence, but that we are also using a plethora of capabilities to ensure that our infrastructure here in Canada is protected.
That includes preventing our adversaries from going after our soft targets. That is what I think Bill C-26 is trying to accomplish, to ensure that telecommunications companies in Canada are stepping up to do their share to protect Canadians from cyber-attacks. We know that cyber-attackers have gone after things like our health care systems. They have gone after the medical records of Canadians. They have gone after the education records of students at schools and at universities. They go after retailers. They can go in through a retailer's back door, harvest all sorts of personal data, especially credit card information, and then use that for raising money, for transnational criminal gangs or for ransomware, as we have witnessed as well.
We must remember that we have a number of a maligned foreign actors at play here in Canada now and against our allies. It was just reported, again, that the People's Liberation Army was found guilty of hacking into U.S. critical infrastructure.
We know that the People's Liberation Army, under the control of the communist regime in Beijing, continues to attack cybersecurity assets around the world, including trying to break through the Canadian cybersecurity walls of our government and national defence on a daily basis.
As I mentioned, Russia has become very good at this. That does not mean that it is concentrating only on its near sphere of influence, NATO members in eastern Europe like Estonia, Latvia and Lithuania, but it is also targeting Ukraine. We know that it is targeting Moldova. We know that it has gone after countries like Romania, but it also does cyber-attacks here in Canada and in the United States.
Russia continues to be an adversary and we have to stand on guard to protect Canadians from those attacks.
We know that Iran, the regime in Tehran, is continuing to be a government that attacks its neighbours and attacks Israel and Canada through cyber-means. North Korea has developed an entire cybersecurity and cyberwarfare unit and continues not to just wreak havoc with the democratically elected, peaceful South Korea, but has also gone after Japan and the Phillippines, and is going after U.S. infrastructure as well. Therefore, we have to take the necessary steps to make sure we can deal with transnational criminal organizations, with nefarious foreign states and with those who are trying to get rich through ransomware.
Here in Canada just a couple of years ago, we saw a situation in regard to the Royal Military College in Kingston, which the member for Kingston and the Islands is certainly aware of. The Department of National Defence stated that RMC had been a target. It originally called it a mass phishing campaign, but a month after the incident, it was established that the phishing campaign was actually a cyber-attack going after financial information and personal data of cadets. These had been compromised and published on the dark web, and were made available to a lot of people who participate on the dark web to profiteer from that information.
According to several observers who looked at the hack of RMC Kingston, it was attributed to a cybercriminal group called DoppelPaymer that did not seem to be connected to a nation-state actor. There are criminal organizations out there that are going about their criminal activities in such a way as to extract dollars from governments, retailers and private citizens, as well as from other corporations, to line their pockets and continue doing other nefarious things that sometimes go beyond the cyberworld.
I have said in the past, when we have talked about other legislation here dealing with cybersecurity, that we not only need the ability to defend, but also that the government has the responsibility, especially under national defence, to attack using cybersecurity. We cannot just be here deflecting the arrows; sometimes we have to be able to shoot down the archer. The way we do that is by having a very robust cybersecurity system. We need the best capabilities and the best personnel who are able not only to sit here and defend, that is to put up shields and fight off the attacks, but also are able to go out there and take out the adversaries, to knock out their systems, so that we are safer here at home.
With regard to some of the criticisms that have come out, I know that letters have come in from the Canadian Civil Liberties Association, and the Business Council of Canada wrote a very detailed brief, as did the Citizen Lab in looking at the bill. When we read through the documentation, we see that one of the concerns that has been raised, especially by the Business Council of Canada, is that there seems to be an imbalance. We are telling members of corporate Canada to go out there and make sure they have the proper cybersecurity systems in place, but at the same time we realize that it is not just up to them to do the defending. What we see is that the corporations are saying that either they have to do it or we are going to fine them up to $15 million or five years of jail time, and that the individuals who work for them could also be held criminally responsible for not doing enough.
Sometimes resources are not available. Sometimes there are new companies that may not have the ability to put in place the proper security systems. I look at a lot of the Internet service providers that we have, for example. They are covered under the Telecommunications Act, yet, as new start-ups, they may not have the personnel or the equipment to properly defend their networks. Would we go ahead and fine these companies up to $15 million? Then what would we do in regard to jail time and fines for those criminal organizations that are profiteering through cyber-attacks? Where is the balance in this? That is one of the concerns we have and one of the things we have to look at through our study at the industry committee when it brings this forward.
A huge concern has been raised, especially by the Canadian Civil Liberties Association, on how this would be implemented and how it may affect the privacy rights of Canadians at the individual level. Corporations have broader responsibilities and do not necessarily fall under the charter, but their clients who they are going to protect and the information they are going to be required to share with the Government of Canada could very well be violations of their clients' privacy rights.
When we look at section 7 of the Charter of Rights, we have to balance the right to life, liberty and security of a person with section 8 of the charter which says that we have freedom from search and seizure. When we drill down on section 8 and go to some of the legal analysis of our charter, as all the rights and freedoms are laid out, it tells us that the underlying values of freedom from search and seizure when it comes to individual privacy is the value of dignity, integrity and autonomy. Again, I think we are all concerned that when we look at Bill C-26 at committee, we ensure the bill balances those rights of the individual to be both secure and safe from cyber attacks, but do it without compromising privacy rights and charter rights as described in freedom from search and seizure. The way we do that is through warrants.
We know that through National Defence, the Communications Security Establishment, or CSE, which has a long-standing history of defending the Canadian Armed Forces, has to comply with the charter. It has to comply with all Canadian legislation and it cannot do indirectly what it is prohibited doing directly. Therefore, CSE cannot go to the National Security Agency, or NSA, of the United States, say that it is concerned that a Canadian maybe talking to a terrorist organization offshore and ask the agency to spy on that individual because CSE is prohibited from spying on the person and listening in through the Communications Security Establishment. CSE cannot go to the NSA and ask it to violate Canadian law on its behalf to find out what is happening in the same way CSIS cannot go to the FBI or the CIA and ask it to spy on Canadians. It cannot do indirectly what it is prohibited from doing directly under Canadian law. The way to get around that is to apply for warrants.
Judicial appointments are made to have supernumerary justices over these organizations to ensure that charter rights are protected, even when conversations take place inadvertently. In the past, CSE has listened in on people who may have been in Afghanistan funding the Taliban or al Qaeda. They may have family in Canada and were talking back and forth about something that had nothing to do with operations on al Qaeda or the Taliban. However, because it involved a Canadian citizen, it had to go through the proper processes to ensure that his or her charter rights were protected by getting a warrant to listen to those conversations. Whether they were listening electronically or through wire taps, it is all mandated to watch that we do not trip over the rights of Canadians under legislation.
Bill C-26 would not address this like we have under the National Defence Act, under the Criminal Code and under the whole gamut of cybersecurity that has been in place up to date. The privacy rights are paramount.
To come back to Bill C-26, the Supreme Court of Canada said in 1984, as well as in 1988, that privacy was paramount and was “at the heart of liberty in a modern state”. Again, did the Liberal government ensure the bill was tested first to ensure those privacy rights were protected? This is what we will have to find out when we get Bill C-26 in front of committee.
We can look at information that has come from places like the Business Council of Canada. One of the concerns it raises goes back to this whole issue of huge fines on Canadian corporations, as well as the employees of those corporations, if they are found to have been not responsible enough to put in place proper security protocols to protect their clients from cyber attacks. Because it goes against individual employee as well, we will create another brain drain from Canada.
We are unfairly targeting Canadian employees who are going to be working for these cybersecurity firms, working in the telecommunications sector and in our financial institutions. If they are found to have erred, which a lot of times it is by error or by a lack of resources, then they are held criminally responsible and they are fined. The question becomes why they would want to work in Canada when they are afforded better protections in places like the United States, the European Union, the United Kingdom or Australia, which was held up by the Business Council of Canada as the gold standard we should be striving to achieve, and what it has done through their own cybersecurity protocols.
We want to ensure that we protect critical infrastructure, but we do not want to chase away very good Canadian employees and force them, with their skills, to go offshore where they have better protection and probably better pay. We want to ensure we keep the best of the best here. We want to ensure we do not go through a brain drain, as we have witnessed before when the Liberals have targeted professionals in Canada, such as lawyers, accountants, doctors or anyone who set up a private corporation. Now I fear the Liberals are going after individuals again who we need in Canada to protect us here at home, that they are creating a toxic work environment and those individuals will want to leave.
The Citizen Lab wrote a report entitled “Cybersecurity Will Not Thrive in Darkness”. It brought forward a ton of recommendations on how bad this bill was. It suggested that there needed to be 30 changes made to the act itself.
We realize that the government has not done its homework on this. We need to ensure we get experts in front of us who are going to look at everything, such as there is responsibility upon government to help corporate Canada ensure we have the proper security mechanisms in place to prevent cyber attacks. We have to ensure that those corporations are not being coerced into sharing private information with the Government of Canada that could be a violation of private rights, which may be a violation of the Personal Information Protection and Electronic Documents Act, PIPEDA. We want to ensure that privacy rights will be cohesive, but, at the same time, collectively, we need to balance all federal legislation that is in contravention of each other.
We need to bring in the legal experts. The Canadian Civil Liberties Association needs to be before committee. The Citizen Lab, which is very concerned about individual privacy rights, has to be front and centre in the discussion. We need to ensure the Business Council of Canada, the Canadian Chamber of Commerce and others are brought forward, along with the department officials who were responsible for drafting this bill at the direction of the Liberal government.
I will reiterate that I will be voting in favour of the bill to ensure it goes to committee and the committee can do its homework. I would hope that the government will allow the committee to do a thorough investigation, as well as a constructive report with recommendations on how to change and amend the legislation.
Finally, I would remind everyone that the Supreme Court of Canada said, “privacy is at the heart of liberty in a modern society”, and we have to take that to heart to ensure we protect Canadians from cyber attacks, as well as to ensure they have their privacy, dignity, integrity and autonomy respected.
2837 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, my colleague is dead right that the People’s Liberation Army in Beijing has established a number of different cybersecurity units and that their whole goal is to cyber-attack. Canada is not an ally of China, so we have been attacked by the regime in Beijing. It will continue to attack us here and attack NORAD, as we just witnessed with the high-altitude balloons going around doing surveillance on military installations across North America.
We have to be ready, and the cybersecurity command we have here in Canada has been slow to get off the ground under the leadership of the Liberals. We need more resources. We need to use our reserves to find the right type of personnel out there, who are currently working in the private sector. Maybe we can also put them to work part time to defend Canada's interests so that both the corporate world and our national defence will be under better control and better command, with ultimately better protection for all Canadians.
174 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, this is an important question. Some time ago, I did a term on the National Security and Intelligence Committee of Parliamentarians, and what I learned there was that we have phenomenal security agencies in this country. One of those is the CSE, the Communications Security Establishment, which monitors cybersecurity. It does phenomenal work.
I was coming back from a meeting one day, driving down the highway. It happened to be a Friday, and I noticed vehicles pulling campers and boats, with roof racks and bicycles attached to their bumpers. I thought, is it not wonderful that we live in a country where we have absolutely no idea about the existential cyber-threats that are out there? Why is that? It is because our security agencies are doing a phenomenal job at keeping us safe and providing this kind of environment.
The obligation of the government, when it gets advice from our security agencies, is to act on it.
160 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, unfortunately, we have seen that, when it comes to everything that affects all citizens, the government is ignoring security issues and the threats that foreign interference can pose. We are seeing partisanship everywhere. We are talking here about cybersecurity. We want our electoral system to be airtight. We also do not want democracy to be affected.
Is this the right time for this bill? Is it designed well enough that we can do the same as our Five Eyes colleagues who took the bull by the horns far in advance?
92 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, this is a very relevant question. Is it the right time for a bill like this? I would like to give a very brief answer: Yes, it is absolutely the right time for this. Is it the right bill yet? No, it is a good starting point. That is how we can look at this bill. I am happy to vote in favour of this bill, to get it to committee. I am hopeful, from the comments I have heard from members of the Bloc and the NDP, that they are eager to give this bill a robust study and make the necessary amendments that will address the cybersecurity requirements in our country to keep critical infrastructure and our citizens safe, but also to respect the privacy of Canadians. Those are equally important elements. I am looking forward to the study on this bill.
146 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour, as it always is, to rise in the House of Commons of the Canadian people and speak to Bill C-26, an act respecting cybersecurity, which seeks to amend the Telecommunications Act and make subsequent amendments to others acts.
I want to say from the outset that cybersecurity is a critically important issue. For those of us who have been watching the news, we have even seen bookstores like Indigo impacted by ransomware, and we know that no Canadian, business or government agency is immune to cybersecurity threats. As Conservatives, we obviously support taking robust action on cybersecurity and we look forward to the bill going to committee, where we can hear from stakeholders who have expressed uncertainty about what the impact of the bill is going to be. Certainly, I hope we can work across lines to make a better piece of legislation and address the very real challenges we are facing in this cybersecurity age, in this cyber age that we are facing.
I am going to go into a bit of background on the bill, because my constituents might not have heard of this legislation. For their benefit, I am going to give a bit of summary of what I understand the changes to be.
The threat of malware in our telecommunications sector and critical infrastructure does pose a serious threat to Canada. It is important that we respond to these threats proactively, in light of the inevitable future attacks that will happen in our cyberspace. As I said, Conservatives will support legislation to defend our telecommunications sector and our other critical infrastructure from threats, the likes of which, as I stated earlier, have been levied against Canadian individuals, corporations and government agencies repeatedly.
In order to evaluate this legislation, I would like to take some time to consider how the proposed bill might impact our economy, our national security and our commitment to protecting the civil rights of Canadians. Although legislation relating to cybersecurity threats is now long overdue, we should remain vigilant to protect the rights of Canadians and our domestic corporate actors, who could be seriously impacted by the unintended consequences of this legislation. Notably, I am somewhat concerned by the sweeping discretionary powers that are granted to the minister and the Governor in Council in this legislation. I would also like to talk about some of the objectives of the bill and then describe how this current proposed legislation could fail in achieving its intended purpose.
The bill is presented in two parts. The first would amend the Telecommunications Act to promote the security of the Canadian telecommunications sector, and the second part of the act would enact the critical cyber systems protection act. The amendments to the Telecommunications Act are intended to protect against ongoing threats of malware, which poses a threat to the Canadian telecommunications system, and the critical cyber systems protection act aims to strengthen the cybersecurity systems that are so vital to our national security and public safety, and it would allow the government to respond to these cyber-threats.
The aim of this legislation would implicate operators in a broad variety of fields, including the finance, telecommunications, energy and transportation sectors, just to name a few, all critical parts of our infrastructure. With these aims in mind, it is important to consider how expansive the government powers being talked about here are, new powers to the government, how these new powers will affect all these sectors that affect our day-to-day lives, and whether these new measures are proportionate and necessary to be implemented.
To begin, the powers afforded to the minister present economic and financial risk for critical systems operators and telecommunication system providers. The first consideration is the minister's ability to direct telecommunication service providers to comply with an order to prohibit a provider from using or providing certain products or services to a specific individual or entity. Those are pretty broad powers. The bill would implicate the operations of private telecommunications organizations, and therefore the legislation requires safeguards to protect the economic viability of these companies. The bill would also allow the minister to compel telecommunications companies to obey government directives or face the consequences of significant monetary penalties.
In giving the minister such expansive powers, the government may have failed to consider the potential economic impact of these unchecked provisions on service provisions. Telecommunications revenues contribute over $50 billion to Canada's GDP, yet the government has not provided clear and adequate safeguards in this legislation to limit the extent to which or the frequency with which it might use these service provisions and how they might be restricted under the instance of even a minor cyber-threat.
Large, medium and small regional market players would be impacted by this legislation if appropriate safeguards are not adopted in the amendment stage. Large telecommunications service providers make up about 90% of the market share, and any directive to suspend a service by these large market players could impact a significant amount of the Canadian population. Although we hope that such orders will seldom be issued, the vagueness of the language in the bill does not guarantee this.
Meanwhile, we see small and medium-sized players who disproportionately service under-serviced areas in Canada; I am thinking of rural and remote communities. These small and medium-sized players often have trouble dealing with the regulatory complexity and the financial investments needed to meet regulatory thresholds, and we could see these small and medium-sized players just fold up or get bought out at a fraction of what their value would have been. We would really see this as a consequence for rural and remote communities, which are struggling, even today, to get access to basic services like high-speed Internet.
For these reasons, the overbroad provisions in the bill do not lend themselves to a standard of proportionality.
A stakeholder group, Citizen Lab, released a research report on Bill C-26 from the Munk School, authored by Dr. Christopher Parsons. The report outlines, in its recommendations, that the legislation should be amended to allow telecommunications service providers to obtain forbearance and/or compensation for orders that would have “a deleterious effect on a telecommunications provider’s economic viability”.
The Business Council of Canada is likewise concerned about the CCSPA requiring that all critical systems operators undertake the same precautionary actions to protect themselves from cyber-threats. The Business Council of Canada notes that the legislation would require a singular standard of all service providers “irrespective of their cyber security maturity”. We know that there are highly funded firms with a lot of resources that have highly superior cybersecurity systems, and then we have our more infant, junior tech companies that are trying to grow so that they can attract capital. These regulatory requirements of holding them to the same standard could have a negative effect on growing the tech ecosystem here in Canada.
Moreover, the Business Council of Canada notes that the legal threshold for issuing the directives is too low. The low threshold to issue these orders to an operator would allow the possibility of lost revenue for operators because of an absence of due diligence on the part of the government, a government that has had its own cybersecurity problems. I have serious reservations that a government that is unable to run its own IT systems will have a better capability of telling private companies how to run their IT systems.
The council further notes that the monetary penalties are unduly high and are not proportionate, given the benefits of compliance in the event of a perceived or actual cyber-threat. These companies in Canada want to live by the rules. They want to work with the Canadian government. Their reputations are at stake, yet the government is treating them like they are bad actors by putting these fines in place, when maybe we should be looking at working and engaging more with our telecom sector to have a more friendly relationship on this issue.
Another group, Norton Rose Fulbright, noted that there is still considerable uncertainty as to how detailed the cybersecurity plans must be and how it would alter industries' existing policies and agreements. Clearly, there is a lot of uncertainty about this, but it is too important to let it go aside, so I am looking forward to this coming to committee, where we can have some of these stakeholder witnesses come and talk about things so that we can clear up the uncertainty and we can have targeted cybersecurity measures that actually result in benefits to Canadians.
Other technical experts, academics and civil liberties groups have serious concerns about the size, scope and lack of oversight around the powers that the government would gain under this bill. Civil liberties groups are particularly concerned about the government's ability to direct telecommunications providers to do anything needed by secret order. While the legislation lists what might be included by the minister or Governor in Council, the ambiguity of the wording leaves open the possibility of compelling a telecommunications company to do more than is officially stated. This is particularly noteworthy because of the significant monetary penalties that can be levied against these companies, to the tune of up to $10 million a day.
Liberals, in many cases, have perhaps neglected to consider the privacy of Canadians through this legislation.
Bill C-26 would allow the government to bar any person or company from receiving specific services, which raises concerns about the discretion the government has in making these decisions. Again, it is very unclear. This is too important. We should bring the bill to committee and vote on it, but there are lot of things we need to get right in the legislation. We look forward to looking at that.
1652 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it took eight long years for the Liberal government to recognize that cybersecurity threats exist in this country and around the world. Congratulations to them for coming to the party a little late.
The Liberals have now presented a bill to try to address issues of cybersecurity in the country. As I said, it took them eight years to get there, but I have to say I am pleased that the Liberals have decided to finally do something. I look forward to this bill being passed so that it can be extensively studied at committee.
There are some things in this bill that are good. I know praising the Liberal government is strange territory for me, but I will say that the bill would give the government some tools to respond quickly to cyber-threats. There is currently no explicit legislative authority in the Telecommunications Act to ensure that telecom providers are suitably prepared for cyber-attacks. This is a good reason why this bill should probably move forward to committee to be studied.
The challenge I have, though, includes a whole number of things. My issue with the government is trust. While I do want this legislation to go to committee, I have extraordinary concerns about this bill. Many of these concerns have been raised by many groups across the country, and I do want to speak to some of those in the probably somewhat whimsical hope that the government will listen and take some of these amendments seriously.
There has been a very bad track record of the government responding to concerns from the opposition or from outside organizations with respect to legislation. There is a view that the Liberals are going to do what they want to do on pieces of legislation and that they really do not care what other people have to say. I am very concerned that the government is not going to listen to the very serious concerns that have been raised about this bill.
I have my own concerns when I look at how the government has behaved with respect to other pieces of legislation. We have to look at Bill C-11. There has been a multitude of organizations that have said the bill needs further amendment. Margaret Atwood has said that she has grave concerns about the legislation, that she supports the intent but has grave concerns about the implementation and how it is going to affect artists and content creators. We have had folks who compete in the YouTube sphere who have raised all kinds of concerns about Bill C-11, and the government's response has been that it does not care what they have to say, and that it is going forward with the legislation as it is.
The Senate has made a number of amendments to Bill C-11. I suspect the government's attitude is going to be the same, which is that it does not care what the amendments are and that it is going to proceed with the bill as it sees fit.
We also have only to look to Bill C-21 as well. We had the minister clearly not aware of what constituted a hunting rifle and a hunting gun. The Liberals introduced amendments at committee, and it took extraordinary push-back from Canadians from coast to coast to coast to get them to wake up and withdraw those amendments that they had put in at the last minute.
What it speaks to is that, despite having at its disposal the entire apparatus of the Canadian government, the Liberals are still unable to get legislation right. It takes an enormous amount of effort and hue and cry across the country saying that this has to stop and that this has to be changed. If there is not a massive uprising, the government tends not to listen to the legitimate concerns of other constituents or other groups when it introduces legislation.
With that context, it is why I have real concerns that the government is not going to listen to some of the serious concerns that have been raised with respect to Bill C-26. I am going to go through some of those.
The Canadian Civil Liberties Association has some very serious concerns. It has issued a joint letter that says that the bill is deeply problematic and needs fixing, because it risks undermining our privacy rights and the principles of accountable governance and judicial due process. This is a big bell that is going off, and I hope the government is listening. As I have said, I do not have a lot of faith, given other pieces of legislation where thoughtful amendments have been put forward and the government decided not to do anything with them.
I want to enumerate a few of the concerns from the Canadian Civil Liberties Association. On increased surveillance, it says that the bill would allow the federal government “to secretly order telecom providers” to “do anything or refrain from doing anything necessary...to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption”.
That is a pretty broad power. Where is the government putting the guardrails in that would limit the effects of this or protect the privacy rights of Canadians? That is something I think is incredibly concerning.
On the termination of essential services, Bill C-26 would allow the government to bar a person or a company from being able to receive specific services and bar any company from offering these services to others by secret government order.
Where are we going to have the checks and safety checks on this? Unfortunately, I am not in a position where I think I can trust the government to do the right thing on these things. We have seen it through vaccine mandates, in the legislation on Bill C-21 and in how the Liberals are trying to push through Bill C-11 without listening to reasoned amendments. If reasonable concerns are raised about Bill C-26, I just do not have faith the Liberals are going to take those concerns seriously and make the amendments that are necessary. I really hope they do.
On undermining privacy, the bill would provide for the collection of data from designated operators, which would potentially allow the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations. When someone takes the de-identified personal information of Canadians and does not say how they are going to deal with it or what protections they have in place to make sure it is not misused, what happens in the event that they take that information and somehow there is a government breach? Where does that information go? These are things I think we should be extraordinarily concerned about.
There was also an analysis provided with respect to this by Christopher Parsons, in a report subtitled “A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. Parsons raises concerns about vague language. The report notes that key terms in the bill, such as “interference”, “manipulation” and “disruption”, which trigger the government's ability to make orders binding on telecom service providers, are unidentified.
Where are the guardrails in the legislation to prevent government overreach and therefore protect Canadians? This is something that I think all Canadians should be watching and be very concerned about. They should be letting their voices be heard by the government on this.
The report talks about how the minister of industry's scope of power to make orders is also undefined. We would be giving a whole host of undefined powers to the minister and the government that would allow them to have all kinds of sensitive information. These are things that may be necessary, but I do not know. They are highly concerning to me. They should be highly concerning to Canadians, and I hope the government will hear from real experts at committee.
Let us not have a two-day committee study where we think Bill C-26 is perfect as it is and bring it back to the House of Commons, bring in time allocation or closure and pass it through. We have seen that story before, and we do not want to see it with the piece of legislation before us. My really big hope is that the government is going to take the time to really consider the seriousness and breadth of Bill C-26 and make sure we have the ways to protect Canadians.
I just want to add that the Business Council of Canada has released its own letter to the Minister of Public Safety, expressing its incredibly deep concerns with respect to the bill: there is a lack of a risk-based approach, information sharing is one-way and the legal threshold for issuing directions is too low.
There are three reports, right there, that are outlining significant concerns with Bill C-26, and I, for one, just do not believe the government is going to listen or get it right. It does not have the track record of doing so, but I am hoping it will, because cybersecurity is incredibly serious as we move toward a digital economy in so many ways. I really hope the government is going to listen to these things, take them seriously, do the hard work at committee and bring forward whatever amendments need to be brought forward, or, if the amendments are brought forward by the opposition, listen to and implement those amendments.
1614 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, one of the things I have heard in talking to universities and different groups is that one of the faults of this piece of legislation is that they have to share this information with the government when they have been attacked, but it is a one-way street. When they see an attack happen, they share it with the government, but there is no information given to other businesses to help them protect against attacks similar to that in nature.
Could the member talk about why it is important and what it means to companies when they are attacked and how it can hurt not only their bottom line? Indigo, for instance, would be a good example of what happens when there is a cybersecurity attack.
128 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am proud to rise in the House today to speak to this important legislation on behalf of the good people of Barrie—Springwater—Oro-Medonte. I am pleased to see Bill C-26 come forward in the House. Improving the resiliency of our critical infrastructure is of the utmost importance to our national security and the everyday safety of Canadians.
This legislation consists of two separate parts. The first portion, among other things, would give the Governor in Council powers to order telecommunications providers to secure their systems against threats and to remove malicious actors from our telecommunications infrastructure. The second portion would create the critical cyber systems protection act, which would establish a cybersecurity compliance framework for federally regulated critical infrastructure operators. This would specifically regulate the sectors of finance, telecommunications, energy and transportation.
I believe that in principle, this legislation appears promising. I think we can all agree that we need a robust cybersecurity framework in Canada. However, it is worth noting that under the current government, we have done the least to bolster our resilience to cyber-attacks compared to all other Five Eyes partners. We lag behind our western allies in national security, and as such, Canada has failed to secure our critical infrastructure against complex and ever-evolving cyber-threats in the modern world. Therefore, before I get into the specific merits and deficiencies of this legislation, I want to speak about the emerging threats to our critical infrastructure and the pressing need to protect our national security.
Threats to our critical infrastructure are real and imminent. In fact, Caroline Xavier, chief of the Communications Security Establishment, or CSE, recently testified before the public safety and national security committee and stated, “cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses.” She also noted, “Critical infrastructure operators and large enterprises are some of the most lucrative targets.”
While there are several forms of cyber-attacks that our critical infrastructure operators are vulnerable to, the Canadian Centre for Cyber Security has noted in its most recent annual national cyber-threat assessment that ransomware is the most disruptive form of cybercrime facing Canadians and that critical infrastructure operators are more likely to pay ransoms to cybercriminals to avoid disruption. For example, in 2018, cybercriminals deployed a malicious software and successfully held the city hall of a municipal government in Ontario hostage, which resulted in that government paying $35,000 to the hackers to avoid disruption. However, this is not always an effective strategy. A survey of Canadian businesses found that only 42% of organizations that paid ransoms to cybercriminals had their data completely restored.
In 2021, the CSE stated that it was informed of 304 ransomware incidents against Canadian victims, with over half of them in critical infrastructure. However, it acknowledged that cyber-incidents are significantly under-reported, and the true number of victims is much higher.
The enormous economic toll that these cyber-breaches have on Canadian companies is worth noting. According to IBM, in 2022, the average cost of a data breach, which includes but is not limited to ransomware, to Canadian firms was $7 million. There is currently no framework to ensure that companies report when they are victims of these attacks. I will acknowledge that the legislation before us takes steps to address this pervasive issue that Canadians are facing; however, it is certainly an overdue effort.
We saw the damage a cyber-attack of this magnitude can cause in May 2021, when a U.S. energy company was subject to a ransomware attack carried out by a Russian-based criminal group that successfully extorted roughly $4.3 million in coin-based currency. As members may remember, this attack disrupted the largest fuel line in the U.S. for five days and led to President Biden calling a national state of emergency. In 2021, at the U.S. Senate committee on homeland security, the CEO of that company testified that he had no emergency preparedness plan in place that specifically mentioned “ransom or action to ransom”. This incident underscores the fact that we as a country must enhance preparedness and improve the resiliency of our critical infrastructure in order to avoid similar incidents.
Therefore, I am pleased to see this proposed legislation come forward. However, it is worth noting that this is the first substantive legislative response to this issue during the government’s tenure, despite a steady increase in cyber-threats over the years.
The entirety of our federally regulated critical infrastructure is connected to the Internet in some way, and it is extremely important to prevent malicious actors from setting up on our infrastructure and attacking it. Previously, there has been no mechanism for the government to formally remove a company from our telecommunications networks.
The clearest example of the need for this mechanism would be the controversy surrounding Huawei, a company that was part of the design of our 5G networks despite glaring national security concerns related to its activities and relationship to the Communist Party in Beijing. It is a significant move that this company will be kicked off our servers, but it is a delayed one. We know that under China's national intelligence law, the CCP has the authority to instruct any company to hand over information to support, assist and co-operate with state intelligence work. Accordingly, we ought to be cautious and avoid contracting with companies that could potentially compromise the security of our critical infrastructure.
It is certainly positive that Canada will be able to kick malicious actors such as Huawei off our networks. However, many have noted that we lessened our credibility among the Five Eyes nations due to our delayed response to this issue. Indeed, the United States lobbied Canada for years to exclude Huawei from our 5G mobile networks and warned that it would reconsider intelligence sharing with any countries that use Huawei equipment.
In some respects, this legislation is a positive step toward establishing a baseline standard of care for organizations whose functions are integral to our critical infrastructure. As I have previously mentioned, incidents of cyber-attacks often go unreported or under-reported. This legislation's mandatory reporting mechanism, which specifies that a designated operator must immediately report an incident to the CSE and the appropriate regulator, is a welcome step toward addressing this issue. However, the act does not prescribe any timeline or give any other information as to how “immediately” should be interpreted by an operator.
As I have just laid out, there are aspects of this legislation that my Conservative colleagues and I fully support. However, I have concerns with several elements of the bill.
First and foremost, there is a complete lack of oversight over the sweeping new powers afforded to the cabinet ministers, regulators and government agencies mentioned in this legislation. Alongside a lack of oversight, there is little information on the breadth of what the government might order a telecommunications operator to do.
It is evident that this bill draws on much of Australia's legislative model, which was first introduced in 2018 and eventually amended. However, we did not follow suit in terms of the oversight measures Australia included in its critical infrastructure protection act. Notably, Australia introduced political accountability mechanisms alongside its legislation, including a requirement for regular reporting, an independent review and the production of a written report. The Conservatives would like to see annual reporting from the minister on what actions have been taken and a public disclosure of the orders that the government is making under these newly afforded powers.
In terms of concerns from the public, we have heard from a number of organizations that are concerned that elements of this legislation undermine the privacy rights of Canadians. In September of last year, several privacy rights organizations signed an open letter to the Minister of Public Safety, which laid out their concerns with Bill C-26. For example, they were concerned about the sweeping new powers this legislation would give to the government over access to the personal data of Canadians and the data of companies. They noted that Bill C-26 “may enable the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”
I think we can all agree that while enacting measures to improve the resilience of our critical infrastructure is of the utmost importance, civil liberties and privacy must be fully respected when drafting those measures. On the other hand, we have heard from stakeholders who are concerned about the regulatory burden this legislation may have on businesses, especially small and medium enterprises.
Many stakeholders have noted that the high costs and business impacts of a cyber-incident already incentivize companies to ensure rigorous cybersecurity protocols. Recent statistics released by Statistics Canada found that in 2021, Canadian businesses spent over $10 billion on cybersecurity, a 41% increase compared to 2019. Many stakeholders have noted that the proposed penalties related to this act, which reach up to $15 million and five years of jail time, are touted as being intended to promote compliance rather than to punish. However, I think we can all agree that a $15-million fine would indeed be unduly punitive on a small business that may be subject to this act. Therefore, we must ensure that fines and compliance costs are distributed evenly so as not to stifle competition and endanger the viability of small and medium enterprises in our critical infrastructure sectors.
Finally, we face a problem related to definitions and the scope of this bill. Various terms are not defined, including what constitutes a cyber-incident, and it is not immediately clear how the government will determine who is subject to this legislation. I look forward to receiving an explanation from the government to demystify some of the vague language found within it.
To conclude, a threat to our critical infrastructure is a threat to our national security. I think all parties agree that the government must take strong and immediate action against cyber-attacks. We support this bill in principle, but we believe that it needs to be amended significantly to ensure greater transparency and accountability from the government and future governments. I look forward to studying and amending this bill at the public safety committee with my colleagues across all parties.
1744 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I want to continue the line of questioning of other members on balancing the need to address cybersecurity and privacy at the same time.
One group that has shared some concerns is the Citizen Lab. It has put together a report called “Cybersecurity Will Not Thrive in Darkness” and has offered 30 recommendations for the governing party to consider at committee.
I wonder if the member has seen this report and if there are any recommendations in the report that he sees worthy of going ahead with. He may not see them all as worthy of going ahead with, but are there some recommendations that he thinks we should pursue?
114 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, six years ago Statistics Canada found that more than one-fifth of all Canadian businesses were impacted by cybersecurity incidents, a sobering statistic in its own right. That was six years ago.
What we need to understand is that cyber-technology moves at a mile a minute. What is groundbreaking one year can become ordinary or obsolete even just a year later. I do not doubt that cyber-defence systems in Canada, both by the government and by private businesses, have become much more sophisticated throughout the last several years, but the technology used for cyber-attacks, whether by foreign or by domestic actors, has developed even more quickly.
We are seeing this play out in real time. Just a month ago, Indigo fell victim to a ransomware attack. Online purchases became impossible. In-store purchases could still happen, but only if one was carrying cash. Most alarming of all, information about the chain's employees was accessed. The situation continues to drag on, Canada's largest bookstore chain held for ransom. The emergency that Indigo finds itself in is terrible, but back in January the Russia-tied group that carried out this attack, LockBit, did something far more cruel when it hacked the SickKids Hospital in Toronto.
Those are just two examples of how cyberwarfare transpires in Canada, amongst thousands of other examples every single year. Today, particularly at a time when we know foreign powers are actively seeking to undermine Canada, its institutions and its critical infrastructure, it is time for the government to step in and put forward a cybersecurity strategy. It almost goes without saying that in this digital age, online systems run just about everything that keeps this nation up and running, including hospitals, banking and the energy that heats our homes.
What the government has failed to realize until now is that as these systems become more digitized, so too do they become more vulnerable. This was on full display when SickKids was hacked. Lab results, imaging results and the hospital's phone lines were wiped out for days before order was finally restored. Just in 2020, CRA was hacked, compromising the accounts of 13,000 Canadians. Bold action is what is needed to fight against attacks of that scale, and it is Parliament's job to provide that action.
When I look at a bill like Bill C-26, I start by thinking about what it would let the government do and whether that would be an improvement on our existing cybersecurity regime. In that regard, there is actually a lot to like here. Now more than ever, cyber-attacks can take place in little more than the blink of an eye. An attacker could dig its claws into a company's online system, inflict all the damage it wants, take all the information it wants, and it might be hours later than the affected company realizes what it is being done to it.
Having a rapid response to those incidents is absolutely critical. It is clear to me that the type of broad, sweeping powers contained in this bill would allow the government to provide that rapid response. It would also bring some much-needed cohesion to the link between the state and telecom providers. Right now, telecoms can decide to work with the government and prepare for a cyber-attack, but this is entirely voluntary. They can share information with the government, but only if they really feel like it.
As far as having a unified cybersecurity strategy goes, ours is laughable. It is about time that we act accordingly and fall in line with our Five Eyes allies. This bill covers such an important policy area, yet in so many ways it just does not get it right. It is another page in that long Liberal book entitled, “Having the right intention and making the wrong move”. I should not have to say this in a room full of parliamentarians, but here we are: the written text of a law actually matters.
A law needs to be clear. It needs direction. It needs guardrails. That is why it is so strange to come across a bill that lets a minister go up to a telecom provider and make them “do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” All the power goes to the minister with nothing in the way of guardrails constraining their power.
When I read this part of the bill, I was reminded of one of my favourite Abraham Lincoln quotes. Abraham Lincoln said, “Nearly all men can stand adversity, but if you want to test a man’s character, give him power.” That is what this section does, it provides immense power to the Minister of Industry, which is not abridged or protected in any way.
There is nothing wrong with a law that gives the government new powers, but in this case, with the cyber-threats that we are currently facing, that type of law is exactly what we need to get right now.
The problem here is that we are debating a bill today where those new powers are not specified and are not restricted whatsoever. Alongside the Canadian Civil Liberties Association, I am seriously concerned about the way that Bill C-26 would infringe on the privacy rights of Canadians.
This bill would allow the government to collect data from telecoms. With guardrails in place, this would actually make a lot of sense. The government might want to see the weak spots in a company's cybersecurity system, for example. With the government being able to get these companies to do anything, we do not have a clue what it will demand to collect.
As it stands now, there is no way of stopping them from collecting personal data and juggling it between various departments. Foreign affairs, defence, CSIS, anyone could take a look if the state decides that it is relevant.
At the minister's discretion, the data could even go to foreign governments. Again, this all comes back to the problem of unchecked power. With zero restraints in place, we can only assume the worst. Like so many bills under the Liberal government, what we are seeing here is a government-knows-best approach.
I am really not sure how it can defend this level of information sharing. “Well, yes, we could share one's personal information, but we definitely will not do that.”
It wants Canadians to give it the benefit of the doubt. The government is well past the point of being given the benefit of the doubt.
The Canadian Civil Liberties Association says that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.
A number of organizations and individuals have raised red flags. The Business Council of Canada wrote to the Minister of Public Safety, expressing the business community's concerns about Bill C-26, including the potential of brain drain, as the result of personal liability and unduly high monetary and criminal penalties.
The council also expressed concerns that information sharing is one-way. Operators are required to provide information to government but receive nothing back from government.
The bill misses the opportunity to implement an information-sharing regime that could benefit all operators subject to the law.
Aaron Shull, managing director of the Centre for International Governance Innovation said that Ottawa should deploy a wide range of strategies, including tax breaks to individual small businesses, to take cybersecurity more seriously.
The Munk School issued a report on Bill C-26 where they itemized a series of deficiencies including that “the breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.”
There are massive, glaring issues in Bill C-26.
What is so unfortunate about this is that I think that enhancing Canada's cybersecurity is something that all parties can get behind. I am willing to see this bill move forward but it is going to need some major amendments in committee, amendments that protect civil liberties and constrain abuse.
There needs to be a threshold test, providing that an order being given by the government is proportionate, reasonable and, above all else, necessary. The minister should have to table reports, annually perhaps. How many orders did they issue in a given year? What kinds of orders, broadly speaking?
If the government mishandles someone's personal information, which it likely will, this bill needs to make it clear that those people will be compensated.
We find ourselves debating another highly important, poorly crafted bill, courtesy of the Liberal government.
I want to see this bill go to committee so that experts, especially those with a focus on civil liberties, can help make this bill work.
To be clear, if the issues in this bill concerning privacy and impacts to businesses are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee.
After all, if the Liberals cannot manage Canada's cybersecurity, they can just get out of the way and let Conservatives handle it.
1561 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I understand that the Conservative Party is going to actually be voting in favour of the legislation. I am glad to hear that because we recognize that it does not matter which political party one is of, the issue of cybersecurity is something that we all need to take seriously.
Listening to the debate today, Conservatives come up and say, yes, they support the bill and it is a bill that they want to see go to committee.
Given the member's comments, does the Conservative Party actually have any amendments that it is prepared to share, through the House of Commons, with Canadians? What tangible amendments would they like to see made to the legislation that he could share with us prior to it going to committee?
130 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is a very interesting question. Here is what I would say in response. If my colleague and I were to switch places, I would say that one of the truly urgent and useful things we could do would be to fine-tune and improve the bill to show that the government really cares about cybersecurity and wants to make sure it protects Canadians from all cyber-attacks and any potential interference while strengthening transparency.
If I were in government, which will never happen, I would make sure I handed over everything if someone asked me for information. I would not hide anything to avoid a potential scandal a year from now. I would take it that far with this bill. That would be the first step in a constructive process.
133 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
