44th Parl. 1st Sess.
March 6, 2023 11:00AM
Madam Speaker, I will be splitting my time with the member for Kootenay—Columbia.
I am pleased to rise in the House today to speak to Bill C-26, the critical cyber systems protection act, introduced in June 2022 and split into parts 1 and 2. The former aims to amend the Telecommunications Act to include:
the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.
The latter outlines the introduction of the critical cyber systems protection act, which would create a new regulatory regime requiring designated critical infrastructure providers to protect their cyber systems.
I would like to emphasize that the safety and security of our telecom industry, with particular reference to foreign adversaries such as the Beijing Communist Party, has been a broad theme in communications lately. This is especially concerning the controversial Bill C-11, the online streaming act, or, should I say, government censorship, and new revelations from the Canadian Security Intelligence Service, CSIS, flagging election interference from those involved with the Beijing Communist Party.
We Conservatives believe it is of paramount importance to defend the rights and interests of Canadians from coast to coast to coast. Thus, Canada's national security should be strongly well equipped to be prepared for cyberwarfare threats that could be presented by emerging digital technologies, intelligent adversaries or authoritarian artificial intelligence.
The NDP-Liberal government has had a long record of denying Canadians the truth. Instead of protecting their rights and freedoms, the government uses deflection tactics to divide Canadians, pitting them against one another to distract from the real issue: that the NDP-Liberal government has been too slow to address cyber-threats. For this critical lack of action, Canada has seen several serious incidents occur with no substantive legislative response for over seven years. After years of chronic mismanagement and utter failure, it is time for the government to step aside and let the Conservatives turn Canadians' hurt into hope.
We support the stringent and thorough examination of this legislation. We will always defend and secure the security of Canadians, especially with regard to cybersecurity in an increasingly digitized world. There is a pressing demand to ensure the security of Canada's critical cyber-infrastructure against cyber-threats. Let us not forget that these very systems lay the foundation of the country as a whole. It is these cyber systems that run our health care, banking and energy systems, all of which should be guarded against the cybercriminals, hackers and foreign adversaries who want to infiltrate them.
Akin to several other Liberal ideas, a number of aspects of this bill require further review, and it should thus be sent straight to committee where it can be further dissected and refined to ensure that all flaws are addressed. One can only imagine the disaster that a hospital system crash would add to the already horrible wait times in emergency rooms and shortages of medical professionals thanks to the NDP-Liberal government. The results would be disastrous. Furthermore, disruption of critical cyber-infrastructure in health care can bring severe consequences, such as enabling cybercriminals to access confidential patient health care information.
While we understand that it is imperative to provide the resources necessary to effectively defend against cyber-threats, it is still equally important to ensure that the government does not overreach on its specified mandate through Bill C-26. A research report written by Christopher Parsons called “Cybersecurity Will Not Thrive in Darkness” highlights some recommendations to improve Bill C-26. Among these recommendations is an emphasis on drafting legislation to correct accountability deficiencies, while highlighting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These restrictions are critical, especially concerning the sweeping nature of Bill C-26, the critical cyber systems protection act, as outlined in parts 1 and 2, which I have explained in my opening statement.
The sweeping nature of this legislation is not new, particularly for the Liberal government. It even goes back to Bill C-11, the online streaming act, which essentially placed the Liberal government as the online content regulator controlling what Canadians see or listen to online. If members ask me, the government policing what Canadians view online is a cyber-threat in its own way, but I will not get into that right now.
There are other flaws in Bill C-26 that I would like to highlight, which brings us back to having Bill C-26 closely reviewed in committee.
In terms of civil liberties and privacy, some civil liberties groups have flagged serious concerns regarding the scope and lack of oversight around the powers that may be granted to the government under Bill C-26. In September last year, the Canadian Civil Liberties Association, along with other groups, released a joint letter of concern regarding Bill C-26, highlighting that the bill is “deeply problematic”, like several other questionable Liberal policies. They went on to further explain that Bill C-26 “risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.
From an economic perspective, the bill lacks recognition of foreseeable impacted enterprises, such as small and medium-sized businesses, which will undoubtedly bring forth unintended consequences. According to the Business Council of Canada, some concerns include the lack of transparency seen through the one-way sharing of information. This brings about serious concerns. Operators are required to provide information to the NDP-Liberal government, yet those same operators are not entitled to receive any information back from the government or other cyber-operators. This whole information-sharing regime is lacking and, simply put, completely misses an opportunity to implement a transparent information-sharing system that would benefit all parties involved.
There is also concern regarding government overreach. Considering what powers would be granted to the government to order what a telecommunications provider has to do under Bill C-26, I would have expected to see sufficient evidence to support this overreach. However, that was not addressed at all, if not vaguely, in this bill. This, on top of blatant disregard for the recognition of privacy and other charter-protected rights, proves how the government only cares about granting itself more and more power, even in the face of blatant transparency and accountability concerns like election interference or the Bill C-11 censorship bill.
I only highlighted a few of the several highly valid concerns regarding this critically flawed bill. Obviously, it is important to defend national cybersecurity and defend against cybercriminals or foreign threats. However, there is a fine line between upholding the best interests of Canadians and just using another faulty bill as a power grab for the NDP-Liberal government, despite concerns regarding cyber systems, privacy and security infrastructure.
We Conservatives believe that it is of paramount importance to truly defend the rights and interests of Canadians from coast to coast to coast. One of the best ways this can be done is by securing Canada's cyber-infrastructure from attacks. While we welcome the idea of protecting the interests of Canadians in terms of cybersecurity, we want to flag that Bill C-26 has some highly concerning content that should be closely reviewed and discussed in committee to correct flaws and prevent potential overreach from the NDP-Liberal government. In the interest of protecting Canada's cyber-infrastructure, we must also guard against the sweeping government powers outlined in the critical cyber systems protection act.
1294 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am pleased to be able to rise in this place today and speak to Bill C-26, a bill that we as Conservatives are supporting to get to committee.
I have a lot of concerns around the bill itself, in terms of making sure that the government did not make a number of errors in judgment in putting it together. These concerns are based on the feedback we have received from Canadians and from organizations, especially on the issues surrounding privacy and the costs that have been offloaded to the private sector.
I also have to raise my concerns. Here we are, eight long years under the Liberal government, and we know that, when it has come down to cybersecurity, it has been slow in responding. A good case in point was banning Huawei from our critical infrastructure, our 5G network. We know that the Liberals sat on their hands and tried to do nothing for most of the past seven years, before they were finally forced to act after a great deal of pressure was brought upon them by our allies, especially within the Five Eyes.
Cybersecurity and national defence go hand in hand. When we talk about our national defence and national security, we know that hybrid warfare has evolved.
It is now about more than just targeting military assets; it is about targeting the entire government as it is at play. All we have to do is look at what is happening in Ukraine today, as well as what has happened to a number of other allies we have, through NATO, in eastern Europe.
We see the troll farms in St. Petersburg constantly attacking, on Facebook and on Twitter, the military individuals, the soldiers and troops, serving there. They also attack things like critical infrastructure in countries where Canadians are currently deployed, like Latvia. As we have witnessed in Ukraine and Estonia, they have not just gone after them through direct kinetic means to take out critical infrastructure, but they have also gone through cyberwarfare as well.
The Russians have done this very effectively in knocking down financial systems, knocking down transportation systems, and taking out power and water infrastructure in places like Estonia. As a prelude to the war in Ukraine, before they had actually started bombing these civilian targets in Ukraine, they were attacking them on cyber. It is part of hybrid warfare and it is the evolution of war.
There is a responsibility upon the Government of Canada to ensure that we are protecting not just our national infrastructure and the Government of Canada, that we are not just using CSE, or Communications Security Establishment, to protect national defence, but that we are also using a plethora of capabilities to ensure that our infrastructure here in Canada is protected.
That includes preventing our adversaries from going after our soft targets. That is what I think Bill C-26 is trying to accomplish, to ensure that telecommunications companies in Canada are stepping up to do their share to protect Canadians from cyber-attacks. We know that cyber-attackers have gone after things like our health care systems. They have gone after the medical records of Canadians. They have gone after the education records of students at schools and at universities. They go after retailers. They can go in through a retailer's back door, harvest all sorts of personal data, especially credit card information, and then use that for raising money, for transnational criminal gangs or for ransomware, as we have witnessed as well.
We must remember that we have a number of a maligned foreign actors at play here in Canada now and against our allies. It was just reported, again, that the People's Liberation Army was found guilty of hacking into U.S. critical infrastructure.
We know that the People's Liberation Army, under the control of the communist regime in Beijing, continues to attack cybersecurity assets around the world, including trying to break through the Canadian cybersecurity walls of our government and national defence on a daily basis.
As I mentioned, Russia has become very good at this. That does not mean that it is concentrating only on its near sphere of influence, NATO members in eastern Europe like Estonia, Latvia and Lithuania, but it is also targeting Ukraine. We know that it is targeting Moldova. We know that it has gone after countries like Romania, but it also does cyber-attacks here in Canada and in the United States.
Russia continues to be an adversary and we have to stand on guard to protect Canadians from those attacks.
We know that Iran, the regime in Tehran, is continuing to be a government that attacks its neighbours and attacks Israel and Canada through cyber-means. North Korea has developed an entire cybersecurity and cyberwarfare unit and continues not to just wreak havoc with the democratically elected, peaceful South Korea, but has also gone after Japan and the Phillippines, and is going after U.S. infrastructure as well. Therefore, we have to take the necessary steps to make sure we can deal with transnational criminal organizations, with nefarious foreign states and with those who are trying to get rich through ransomware.
Here in Canada just a couple of years ago, we saw a situation in regard to the Royal Military College in Kingston, which the member for Kingston and the Islands is certainly aware of. The Department of National Defence stated that RMC had been a target. It originally called it a mass phishing campaign, but a month after the incident, it was established that the phishing campaign was actually a cyber-attack going after financial information and personal data of cadets. These had been compromised and published on the dark web, and were made available to a lot of people who participate on the dark web to profiteer from that information.
According to several observers who looked at the hack of RMC Kingston, it was attributed to a cybercriminal group called DoppelPaymer that did not seem to be connected to a nation-state actor. There are criminal organizations out there that are going about their criminal activities in such a way as to extract dollars from governments, retailers and private citizens, as well as from other corporations, to line their pockets and continue doing other nefarious things that sometimes go beyond the cyberworld.
I have said in the past, when we have talked about other legislation here dealing with cybersecurity, that we not only need the ability to defend, but also that the government has the responsibility, especially under national defence, to attack using cybersecurity. We cannot just be here deflecting the arrows; sometimes we have to be able to shoot down the archer. The way we do that is by having a very robust cybersecurity system. We need the best capabilities and the best personnel who are able not only to sit here and defend, that is to put up shields and fight off the attacks, but also are able to go out there and take out the adversaries, to knock out their systems, so that we are safer here at home.
With regard to some of the criticisms that have come out, I know that letters have come in from the Canadian Civil Liberties Association, and the Business Council of Canada wrote a very detailed brief, as did the Citizen Lab in looking at the bill. When we read through the documentation, we see that one of the concerns that has been raised, especially by the Business Council of Canada, is that there seems to be an imbalance. We are telling members of corporate Canada to go out there and make sure they have the proper cybersecurity systems in place, but at the same time we realize that it is not just up to them to do the defending. What we see is that the corporations are saying that either they have to do it or we are going to fine them up to $15 million or five years of jail time, and that the individuals who work for them could also be held criminally responsible for not doing enough.
Sometimes resources are not available. Sometimes there are new companies that may not have the ability to put in place the proper security systems. I look at a lot of the Internet service providers that we have, for example. They are covered under the Telecommunications Act, yet, as new start-ups, they may not have the personnel or the equipment to properly defend their networks. Would we go ahead and fine these companies up to $15 million? Then what would we do in regard to jail time and fines for those criminal organizations that are profiteering through cyber-attacks? Where is the balance in this? That is one of the concerns we have and one of the things we have to look at through our study at the industry committee when it brings this forward.
A huge concern has been raised, especially by the Canadian Civil Liberties Association, on how this would be implemented and how it may affect the privacy rights of Canadians at the individual level. Corporations have broader responsibilities and do not necessarily fall under the charter, but their clients who they are going to protect and the information they are going to be required to share with the Government of Canada could very well be violations of their clients' privacy rights.
When we look at section 7 of the Charter of Rights, we have to balance the right to life, liberty and security of a person with section 8 of the charter which says that we have freedom from search and seizure. When we drill down on section 8 and go to some of the legal analysis of our charter, as all the rights and freedoms are laid out, it tells us that the underlying values of freedom from search and seizure when it comes to individual privacy is the value of dignity, integrity and autonomy. Again, I think we are all concerned that when we look at Bill C-26 at committee, we ensure the bill balances those rights of the individual to be both secure and safe from cyber attacks, but do it without compromising privacy rights and charter rights as described in freedom from search and seizure. The way we do that is through warrants.
We know that through National Defence, the Communications Security Establishment, or CSE, which has a long-standing history of defending the Canadian Armed Forces, has to comply with the charter. It has to comply with all Canadian legislation and it cannot do indirectly what it is prohibited doing directly. Therefore, CSE cannot go to the National Security Agency, or NSA, of the United States, say that it is concerned that a Canadian maybe talking to a terrorist organization offshore and ask the agency to spy on that individual because CSE is prohibited from spying on the person and listening in through the Communications Security Establishment. CSE cannot go to the NSA and ask it to violate Canadian law on its behalf to find out what is happening in the same way CSIS cannot go to the FBI or the CIA and ask it to spy on Canadians. It cannot do indirectly what it is prohibited from doing directly under Canadian law. The way to get around that is to apply for warrants.
Judicial appointments are made to have supernumerary justices over these organizations to ensure that charter rights are protected, even when conversations take place inadvertently. In the past, CSE has listened in on people who may have been in Afghanistan funding the Taliban or al Qaeda. They may have family in Canada and were talking back and forth about something that had nothing to do with operations on al Qaeda or the Taliban. However, because it involved a Canadian citizen, it had to go through the proper processes to ensure that his or her charter rights were protected by getting a warrant to listen to those conversations. Whether they were listening electronically or through wire taps, it is all mandated to watch that we do not trip over the rights of Canadians under legislation.
Bill C-26 would not address this like we have under the National Defence Act, under the Criminal Code and under the whole gamut of cybersecurity that has been in place up to date. The privacy rights are paramount.
To come back to Bill C-26, the Supreme Court of Canada said in 1984, as well as in 1988, that privacy was paramount and was “at the heart of liberty in a modern state”. Again, did the Liberal government ensure the bill was tested first to ensure those privacy rights were protected? This is what we will have to find out when we get Bill C-26 in front of committee.
We can look at information that has come from places like the Business Council of Canada. One of the concerns it raises goes back to this whole issue of huge fines on Canadian corporations, as well as the employees of those corporations, if they are found to have been not responsible enough to put in place proper security protocols to protect their clients from cyber attacks. Because it goes against individual employee as well, we will create another brain drain from Canada.
We are unfairly targeting Canadian employees who are going to be working for these cybersecurity firms, working in the telecommunications sector and in our financial institutions. If they are found to have erred, which a lot of times it is by error or by a lack of resources, then they are held criminally responsible and they are fined. The question becomes why they would want to work in Canada when they are afforded better protections in places like the United States, the European Union, the United Kingdom or Australia, which was held up by the Business Council of Canada as the gold standard we should be striving to achieve, and what it has done through their own cybersecurity protocols.
We want to ensure that we protect critical infrastructure, but we do not want to chase away very good Canadian employees and force them, with their skills, to go offshore where they have better protection and probably better pay. We want to ensure we keep the best of the best here. We want to ensure we do not go through a brain drain, as we have witnessed before when the Liberals have targeted professionals in Canada, such as lawyers, accountants, doctors or anyone who set up a private corporation. Now I fear the Liberals are going after individuals again who we need in Canada to protect us here at home, that they are creating a toxic work environment and those individuals will want to leave.
The Citizen Lab wrote a report entitled “Cybersecurity Will Not Thrive in Darkness”. It brought forward a ton of recommendations on how bad this bill was. It suggested that there needed to be 30 changes made to the act itself.
We realize that the government has not done its homework on this. We need to ensure we get experts in front of us who are going to look at everything, such as there is responsibility upon government to help corporate Canada ensure we have the proper security mechanisms in place to prevent cyber attacks. We have to ensure that those corporations are not being coerced into sharing private information with the Government of Canada that could be a violation of private rights, which may be a violation of the Personal Information Protection and Electronic Documents Act, PIPEDA. We want to ensure that privacy rights will be cohesive, but, at the same time, collectively, we need to balance all federal legislation that is in contravention of each other.
We need to bring in the legal experts. The Canadian Civil Liberties Association needs to be before committee. The Citizen Lab, which is very concerned about individual privacy rights, has to be front and centre in the discussion. We need to ensure the Business Council of Canada, the Canadian Chamber of Commerce and others are brought forward, along with the department officials who were responsible for drafting this bill at the direction of the Liberal government.
I will reiterate that I will be voting in favour of the bill to ensure it goes to committee and the committee can do its homework. I would hope that the government will allow the committee to do a thorough investigation, as well as a constructive report with recommendations on how to change and amend the legislation.
Finally, I would remind everyone that the Supreme Court of Canada said, “privacy is at the heart of liberty in a modern society”, and we have to take that to heart to ensure we protect Canadians from cyber attacks, as well as to ensure they have their privacy, dignity, integrity and autonomy respected.
2837 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, six years ago Statistics Canada found that more than one-fifth of all Canadian businesses were impacted by cybersecurity incidents, a sobering statistic in its own right. That was six years ago.
What we need to understand is that cyber-technology moves at a mile a minute. What is groundbreaking one year can become ordinary or obsolete even just a year later. I do not doubt that cyber-defence systems in Canada, both by the government and by private businesses, have become much more sophisticated throughout the last several years, but the technology used for cyber-attacks, whether by foreign or by domestic actors, has developed even more quickly.
We are seeing this play out in real time. Just a month ago, Indigo fell victim to a ransomware attack. Online purchases became impossible. In-store purchases could still happen, but only if one was carrying cash. Most alarming of all, information about the chain's employees was accessed. The situation continues to drag on, Canada's largest bookstore chain held for ransom. The emergency that Indigo finds itself in is terrible, but back in January the Russia-tied group that carried out this attack, LockBit, did something far more cruel when it hacked the SickKids Hospital in Toronto.
Those are just two examples of how cyberwarfare transpires in Canada, amongst thousands of other examples every single year. Today, particularly at a time when we know foreign powers are actively seeking to undermine Canada, its institutions and its critical infrastructure, it is time for the government to step in and put forward a cybersecurity strategy. It almost goes without saying that in this digital age, online systems run just about everything that keeps this nation up and running, including hospitals, banking and the energy that heats our homes.
What the government has failed to realize until now is that as these systems become more digitized, so too do they become more vulnerable. This was on full display when SickKids was hacked. Lab results, imaging results and the hospital's phone lines were wiped out for days before order was finally restored. Just in 2020, CRA was hacked, compromising the accounts of 13,000 Canadians. Bold action is what is needed to fight against attacks of that scale, and it is Parliament's job to provide that action.
When I look at a bill like Bill C-26, I start by thinking about what it would let the government do and whether that would be an improvement on our existing cybersecurity regime. In that regard, there is actually a lot to like here. Now more than ever, cyber-attacks can take place in little more than the blink of an eye. An attacker could dig its claws into a company's online system, inflict all the damage it wants, take all the information it wants, and it might be hours later than the affected company realizes what it is being done to it.
Having a rapid response to those incidents is absolutely critical. It is clear to me that the type of broad, sweeping powers contained in this bill would allow the government to provide that rapid response. It would also bring some much-needed cohesion to the link between the state and telecom providers. Right now, telecoms can decide to work with the government and prepare for a cyber-attack, but this is entirely voluntary. They can share information with the government, but only if they really feel like it.
As far as having a unified cybersecurity strategy goes, ours is laughable. It is about time that we act accordingly and fall in line with our Five Eyes allies. This bill covers such an important policy area, yet in so many ways it just does not get it right. It is another page in that long Liberal book entitled, “Having the right intention and making the wrong move”. I should not have to say this in a room full of parliamentarians, but here we are: the written text of a law actually matters.
A law needs to be clear. It needs direction. It needs guardrails. That is why it is so strange to come across a bill that lets a minister go up to a telecom provider and make them “do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” All the power goes to the minister with nothing in the way of guardrails constraining their power.
When I read this part of the bill, I was reminded of one of my favourite Abraham Lincoln quotes. Abraham Lincoln said, “Nearly all men can stand adversity, but if you want to test a man’s character, give him power.” That is what this section does, it provides immense power to the Minister of Industry, which is not abridged or protected in any way.
There is nothing wrong with a law that gives the government new powers, but in this case, with the cyber-threats that we are currently facing, that type of law is exactly what we need to get right now.
The problem here is that we are debating a bill today where those new powers are not specified and are not restricted whatsoever. Alongside the Canadian Civil Liberties Association, I am seriously concerned about the way that Bill C-26 would infringe on the privacy rights of Canadians.
This bill would allow the government to collect data from telecoms. With guardrails in place, this would actually make a lot of sense. The government might want to see the weak spots in a company's cybersecurity system, for example. With the government being able to get these companies to do anything, we do not have a clue what it will demand to collect.
As it stands now, there is no way of stopping them from collecting personal data and juggling it between various departments. Foreign affairs, defence, CSIS, anyone could take a look if the state decides that it is relevant.
At the minister's discretion, the data could even go to foreign governments. Again, this all comes back to the problem of unchecked power. With zero restraints in place, we can only assume the worst. Like so many bills under the Liberal government, what we are seeing here is a government-knows-best approach.
I am really not sure how it can defend this level of information sharing. “Well, yes, we could share one's personal information, but we definitely will not do that.”
It wants Canadians to give it the benefit of the doubt. The government is well past the point of being given the benefit of the doubt.
The Canadian Civil Liberties Association says that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.
A number of organizations and individuals have raised red flags. The Business Council of Canada wrote to the Minister of Public Safety, expressing the business community's concerns about Bill C-26, including the potential of brain drain, as the result of personal liability and unduly high monetary and criminal penalties.
The council also expressed concerns that information sharing is one-way. Operators are required to provide information to government but receive nothing back from government.
The bill misses the opportunity to implement an information-sharing regime that could benefit all operators subject to the law.
Aaron Shull, managing director of the Centre for International Governance Innovation said that Ottawa should deploy a wide range of strategies, including tax breaks to individual small businesses, to take cybersecurity more seriously.
The Munk School issued a report on Bill C-26 where they itemized a series of deficiencies including that “the breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.”
There are massive, glaring issues in Bill C-26.
What is so unfortunate about this is that I think that enhancing Canada's cybersecurity is something that all parties can get behind. I am willing to see this bill move forward but it is going to need some major amendments in committee, amendments that protect civil liberties and constrain abuse.
There needs to be a threshold test, providing that an order being given by the government is proportionate, reasonable and, above all else, necessary. The minister should have to table reports, annually perhaps. How many orders did they issue in a given year? What kinds of orders, broadly speaking?
If the government mishandles someone's personal information, which it likely will, this bill needs to make it clear that those people will be compensated.
We find ourselves debating another highly important, poorly crafted bill, courtesy of the Liberal government.
I want to see this bill go to committee so that experts, especially those with a focus on civil liberties, can help make this bill work.
To be clear, if the issues in this bill concerning privacy and impacts to businesses are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee.
After all, if the Liberals cannot manage Canada's cybersecurity, they can just get out of the way and let Conservatives handle it.
1561 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
