44th Parl. 1st Sess.
March 23, 2023 10:00AM
Madam Speaker, yes, there has to be a lot of different options, and not just in this bill. There are a lot of bills that suggest to give broad powers to one minister, which makes no sense. I do not know how the minister has time to deal with that.
Certainly we are open to a lot of suggestions and some suggestions sound good, like an ombudsman. There have been suggestions of tribunals to make sure we have broad bodies that can oversee this so we do not just give power to one minister. One hundred per cent we support that.
101 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the member talked a bit about silos and the inability for governments to sometimes work in them. I know he has a great background in innovation and business. Maybe he could expand a bit more on the importance of collaboration with respect to cybersecurity and in business in general.
51 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, collaboration from government agencies is key, but those who are really going to solve this, which is the same in the U.S., are Canadian businesses, inventors and entrepreneurs who can develop software and technology for cybersecurity that can be world-leading, help Canada, help Canadians and help the world in combatting this awful thing.
57 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 4:30:59 p.m.
- Watch
Order.
It is my duty pursuant to Standing Order 38 to inform the House that the questions to be raised tonight at the time of adjournment are as follows: the hon. member for South Okanagan—West Kootenay, Climate Change; the hon. member for Victoria, Climate Change; the hon. member for Spadina—Fort York, Democratic Institutions.
57 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, unless I misunderstood, the Bloc Québécois member whose riding escapes me suggested in his question that there are government MPs who may pose a threat to national security.
That is a bit of a stretch from the allegations that have been made. It is unacceptable to suggest that members may pose a threat to national security. I would ask the member to either clarify his comments or apologize.
If I misunderstood, then I apologize, but that is indeed what the member said in his question during the previous debate.
95 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 4:32:06 p.m.
- Watch
I am sorry, but I did not hear the member's specific remarks. We will check the Hansard and come back with a response if required.
26 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, let me start off with the point you were just talking about, because in the 21st century, cybersecurity is national security. It behooves us all as parliamentarians to work as hard as we can to protect our businesses, consumers and institutions from cyber-threats. That is why I am so grateful and delighted to be here today in the House to speak to the second reading debate of Bill C-26, which concerns the important topic of cybersecurity.
Cybersecurity is a matter of great concern to my constituents of all ages. I firmly believe both the public and private sectors need to be able to protect themselves against malicious cyber-activity, including cyber-attacks. As parliamentarians, it is our duty to establish a framework for secure critical infrastructure that we can all rely on.
The past few decades have seen remarkable advancements in computer and Internet technology. Online connectivity has become an integral part of the lives of Canadians and people around the world. The COVID-19 pandemic has shown us how we rely on so much on the Internet for everything we do, from education to conducting business and staying in touch with loved ones. With more and more people depending on the Internet, including young children and seniors, our most vulnerable, it is crucial to ensure that we have a secure and reliable cyber-connectivity.
Our government is committed to improving cybersecurity to safeguard our country's future in cyberspace. However, as technology and cyber systems continue to evolve, our infrastructure is becoming more interconnected and interdependent. This brings new security vulnerabilities.
For instance, personal interactions like banking and credit card transactions are now mainly conducted online, making cybersecurity even more important. According to the Cybersecurity and Infrastructure Security Agency, ransomware attacks were among the most significant cybersecurity threats in recent years.
Cybercriminals continue to use sophisticated tactics to gain access to critical systems, steal sensitive data and extort money from victims. In addition to ransomware attacks, other common cybersecurity threats include phishing attacks, malware, insider threats and distributed denial of service attacks. I know members have all received emails or phone calls with these types of threats. We do not know where they are coming from, but they are trying to crack our system and do criminal activity.
As more organizations adopt cloud computing, like we do here, Internet of Things devices and artificial intelligence, these technologies are also becoming significant targets for these cybercriminals.
Cybersecurity threats can have severe consequences for individuals, businesses, all levels of government. These include financial losses, which we have heard are in the billions, reputational damage, legal liabilities and even physical harm. We have read and heard the stories of those who have taken their lives because of these harmful attacks. It is crucial to take proactive steps to prevent and mitigate cybersecurity risks.
Bill C-26 is a landmark legislation that would amend the Telecommunications Act and other consequential acts to enhance cybersecurity. The bill proposes to add more security as an express policy objective of the telecommunications sector, bringing it in line with other critical infrastructure sectors.
The key objectives of the bill are twofold. First, in part 1, the bill proposes to amend the Telecommunications Act to add security expressly as a policy objective. This amendment aims to align the telecommunications sector with other critical infrastructure sectors.
The changes we are bringing about through this legislation would authorize the Governor in Council and the Minister of Innovation, Science and Industry, after consultation with stakeholders, to establish and implement the policy statement “Securing Canada's Telecommunications System”, which the minister announced in May of 2022. The primary objective is to prevent the use of products and services by high-risk suppliers and their affiliates. This would enable the Canadian government, when necessary, to restrict telecommunications service providers' utilization of products or services from high-risk suppliers.
With such restrictions, consumers would not be exposed to potential security risks. This approach would allow the government to take security measures similar to those of other federal regulators in their respective critical infrastructure sectors.
The second part of Bill C-26 pertains to the introduction of the critical cyber systems protection act, or CCSPA, which mandates designated operators in federally regulated sectors such as finance, telecommunications, energy and transportation to undertake specific measures to safeguard their critical cyber systems. It would include the ability to take action on other vulnerabilities, such as human error or storms causing a risk of outages to these critical services. In addition, the act would facilitate organizations' capacity to prevent and bounce back from various forms of malevolent cyber-activities like electronic espionage and ransomware. Notably, cyber-incidents that surpass a certain threshold will necessitate mandatory reporting.
Both parts 1 and 2 of Bill C-26 are required to ensure the cybersecurity of Canada's federally regulated critical infrastructure, and in turn, protect Canadians and Canadian businesses. The need to intensify our efforts is apparent because of the advent of new technologies we are hearing about like 5G.
The COVID-19 pandemic has highlighted our growing dependence on technology. In addition, in my riding of Mississauga East—Cooksville, there is a growing concern about Russia's unwarranted and unjustified invasion of Ukraine, which has resulted in international tensions and a range of potential threats. Such threats include supply chain disruptions and cyber-attacks from state and non-state actors.
We are not starting from scratch in our fight against this threat, though. Our government is always vigilant when it comes to any type of threat, including cyber-threats. Our government has made several investments in cybersecurity in recent years to improve the country's cyber-resilience and protect Canadians' data and privacy. For example, in 2018, we created the national cybersecurity strategy. This was based on the consultations that we initiated with Canadians in 2016. Our government adopted this strategy to establish a framework aimed at protecting citizens and businesses from cyber-threats while leveraging the economic benefits of digital technology.
Cyber-incidents involve a certain threshold at which reporting would be required. This legislation would give the government a new tool to compel action, if necessary, in response to cybersecurity threats or vulnerabilities.
Canada is working alongside other democratic nations around the globe, both in the context of our Five Eyes relationship and in the G7 alliance. These multilateral forums are intensely focused on devising strategies to counter a range of cyber-threats, such as ransomware attacks; the dissemination of false information, which we have seen too often; and attempts by malicious actors to engage in cyber-espionage.
To facilitate this collaboration, we are emphasizing the importance of sharing information and intelligence, thereby breaking down those silos. This would enable us to more effectively combat efforts made to destabilize our economies and undermine Canadian interests. While we are currently engaged in a debate regarding Bill C-26, we are also taking proactive measures to address the current gaps in our domestic cybersecurity landscape, while simultaneously partnering with like-minded nations to confront these challenges in a comprehensive manner.
We have listened to Canadians, our security experts and our allies, and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canadian competitiveness, economic stability and long-term prosperity.
Bill C-26 aims to enhance designated organizations' preparedness, prevention, response and recovery abilities—
1248 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 4:42:34 p.m.
- Watch
I am sorry. The hon. member's time is up.
Questions and comments, the hon. member for Northumberland—Peterborough South.
21 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I very much enjoy working on the finance committee with the member and enjoyed his thoughtful remarks.
I hope my question hits the other Liberals' concerns about partisanship, as this is substantive criticism and not partisanship. We have heard concerns from both the NDP and from the Conservative Party that the bill would provide a broad swath of powers to the minister. Is the government open to delineating some of those powers so it gives additional assurances to us and to the other opposition parties?
87 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I very much enjoy working with the hon. member on our finance committee. The member always looks for pragmatic solutions.
For our cybersecurity to work, we have to work right across party lines. We have to work across all levels of government, with all our institutions, the private sector and the public sector. That is the only way that we are going to implement a system that really has an effect and is able to combat these cybercriminals we find and what we are being bombarded with. They are always trying to stay one step ahead, and the only way for us to combat that is to work together.
111 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I too would like to thank the chair of the Standing Committee on Finance, with whom I have the great pleasure of working. I thank him for his speech.
It is important to have a better way of dealing with all cybersecurity issues. Like the Conservative member who raised the issue, we have concerns that this bill gives the government a great deal of power to do this through regulations.
I would like the assurance of the hon. committee chair that proceeding by way of regulations is not a way to circumvent Parliament.
95 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is also great to work with this member on the finance committee. The way that we work on the finance committee is how this bill is being structured and how it would work. The bill talks about ensuring that we work across party lines. This is a non-partisan thing. As parliamentarians, we are all here to protect Canadians in the best way that we possibly can. We know, in our distinctive ridings, that we get many calls, emails and letters from concerned citizens who are being hit by these attacks.
I can say to the member that we will do this in a non-partisan way. We will reach out to stakeholders, again, across all lines. We have too many silos. We heard the member for Scarborough—Guildwood say that we have to break down the silos. I feel that the legislation would be able to do this, and it would strengthen our cybersecurity systems.
160 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I would like to encourage all members to look at the seventh report from the Standing Committee on Public Safety and National Security on Canada's security stance vis-à-vis Russia. A lot of that report covers why a bill like Bill C-26 is necessary.
We can see agreement on the principle of the bill, but like my two colleagues from the Conservative Party and the Bloc, I am going to express some frustration that the Liberals did not anticipate that we in the opposition would have concerns with this first draft of the bill in terms of accountability, oversight and transparency. I wish the Liberals could have anticipated that before releasing this draft of the bill because now it looks like the committee has its work cut out for it to improve those measures. Could my hon. colleague express some comments on that particular part of this?
152 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is what committee work is there for. The committee has the opportunity to dig deep into the bill and look at ways to enhance and better the legislation. That is a very important aspect.
In the end, I believe that this bill is about bringing Canadians and our institutions together. It is about making sure that we break through those silos, as we have just heard, and being able to set up the type of cybersecurity system that we are all looking for. In no way do I see this to be a partisan piece of legislation. It is something that we wholeheartedly feel strongly about in the House and that we can make a significant difference on.
121 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as I rise to speak today, all of us in this place are acutely aware of the deeply concerning realities of foreign interference in Canada’s affairs.
The Government of Canada cannot afford to ignore this troubling trend. While there are many angles from which we must consider how best to protect our national interests, as we examine the content of Bill C-26 we are focused primarily on matters related to cybersecurity. There is no question that Canada’s critical infrastructure must be protected from cyber-threats.
In our modern world, computer systems are integral to the provision of health care, powering our homes and businesses, upholding our financial systems and so much more. While these incredible tools of our time may not be visible to the naked eye, they are tremendously powerful and we cannot afford for these systems to be compromised. The consequences from a criminal's or a foreign adversary’s disruption of medical services in our hospitals or of our electrical grid would be incredibly dangerous and potentially deadly.
In its 2021 “Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”, the National Security and Intelligence Committee of Parliamentarians concisely listed what is at stake when cyber-threats arise: things like the personal information of Canadians; proprietary information, intellectual property and research of Canadian businesses and researchers; government policies and policy-making; security and intelligence information and operations; and the integrity of government systems, to name a few.
I was grateful to hear the Minister of Public Safety, when introducing this bill, say that cybersecurity is national security. It is a simple statement, but it is true. If we truly recognize cybersecurity as an essential element of our national security, we are more likely to give it the attention it deserves.
Bill C-26 is not perfect, as has been stated here, and we must ensure we protect the privacy of Canadians, nor will it be a cure-all for every cybersecurity weakness. However, I am fully behind updating our cybersecurity legislation. I hope the Liberal government is open to improving the bill at committee stage, and I will offer my support to get it to committee.
The objective of this bill is solid: to equip government to quickly respond to cyber-threats. As any expert in the field would tell us, rapid response is critical when a serious attack is under way. However, there are key issues that remain with the bill as it is presented to us today. Make no mistake, this legislation would give the government the ability to insert itself into the operations of companies, and therefore their customers.
As Christopher Parsons of the University of Toronto wrote in a critical analysis of the bill, “There is no recognition of privacy or other Charter-protected rights as a counter-balance to proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.” As with any new power that a government gives itself, there must be extensive checks and balances. There must be transparency. Most of all, there must be oversight. What this legislation does not do is provide those much-needed guardrails. We need the safety oversight.
Giving a minister the power to order a private company “to do anything, or refrain from doing anything”, particularly when it comes to the private information of its customers, is deeply problematic. While I understand that how the minister can wield this new power might be spelled out in future regulations, I believe it must be clearly outlined in the legislation, rather than leaving it up to cabinet to decide at a future date.
We must also have a fulsome airing of what information the government could collect from companies and their customers. Almost every aspect of our lives is interwoven with digital information. From banking to how we do business and how we communicate, numerous companies have that information on each of us.
Therefore, the question that remains is this. If we grant the government access to information from companies, even for the most altruistic reasons or for national security reasons, who is overseeing those government agencies? I can assure members that the government will not be giving new powers to members of Parliament or parliamentary committees to undertake that role. We can look no further than the stonewalling Parliament is receiving on foreign interference in our democracy now. It is absolutely imperative that oversight and guardrails be built into this legislation, and I implore my colleagues on the parliamentary committee that would be tasked with this legislation to do just that.
The fact is that the government has trouble protecting its own sensitive information from cyber-threats. Many examples of cyber-attacks against the government have already been cited during this debate. There was the attack against the Canada Revenue Agency in August 2020, which resulted in 13,000 victimized Canadians. Global Affairs was attacked in January 2022. Canada Post has filed several breach reports after cyber-incidents, according to records from the Privacy Commissioner. If the government is unable to protect itself from cyber-threats, how can it be expected to protect the sensitive cybersecurity plans of private companies? The Liberal government would do well to lead by example before it can truly ask private companies to beef up their own cybersecurity practices. The weaknesses of the government’s own cybersecurity have been flagged over and over again.
In September 2020, the National Security and Intelligence Committee of Parliamentarians announced its review of the government’s framework and activities to defend its systems and networks from cyber-attack. The review resulted in a number of findings, which deserve mention.
First, the committee found that cyber-threats to government systems and networks “are a significant risk to national security and the continuity of government operations.” It also noted that nation-states “are the most sophisticated threat actors”, although the threats do not come from nation-states alone. Second, the committee found that while the government has implemented a framework to defend itself from cyber-attacks, “[t]he strength of this framework is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services.” In plain language, the report found that not all federal organizations receive cyber-defence protection. The committee review identified that, while Shared Services Canada provides some cyber-defence services to 160 of 169 federal organizations, only 43 of those organizations actually receive the full complement of its services.
Given these findings, the committee recommended that the government “continue to strengthen its framework for defending government networks from cyber attack” and apply and extend cyber-defence policies and practices equally across government. At the time, the Liberal government agreed with the recommendations that were put forward. While this was an important step toward acknowledging the issue, taking action is another thing entirely.
Just days ago, a Globe and Mail headline read, “Ottawa makes little progress shoring up Crown corporations' cybersecurity”. The report noted that this is despite 18 months passing since the National Security and Intelligence Committee of Parliamentarians raised concerns about the possibility that Crown corporations, which are still not subject to the government’s cyber-defence policies, could inadvertently serve as gateways into the federal government’s well-protected systems.
The public safety minister did not mention the NSICOP report and recommendations when introducing this bill, but I hope that the work of this committee, made up of parliamentarians from across party lines, can be helpful in enhancing the government’s own cybersecurity defences. As NSICOP has underscored, “The data of organizations not protected by the government cyber defence framework is at significant risk. Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole.”
In closing, the government is aware of these risks, but it has been slow to rectify the issue. While Bill C-26 covers another angle of this discussion, it does not address the problem of the government's own house. As I said already, cybersecurity laws need to be updated here in Canada. Bill C-26—
1405 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 4:58:23 p.m.
- Watch
I am sorry, but the hon. member's time is up.
Questions and comments, the hon. parliamentary secretary to the government House leader.
23 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is interesting listening to the Conservatives speak to the legislation, because this morning they did not want to debate the legislation, and I think it is because they support it. It would be nice to see the Conservative Party actually allow the legislation to pass, come to a conclusion in debate and put it to a committee that would be able to deal with many of the issues they are talking about.
Does the member believe that there is any onus of responsibility whatsoever for the Conservative Party, once they recognize and support legislation, to at least give consideration to its passing to committee in a timely fashion so that we can see legislation being discussed at committee? Ultimately, if the Conservative Party wanted to, they could drag every piece of legislation out until 2025.
138 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate the interjection and question from my colleague for Winnipeg North. He and I are used to debating each other from our days in the Manitoba legislature, but not too much, because we were both in opposition in those days. However, we did teach him how to speak. When we had the opportunity to filibuster, we were always short a person to speak in the Manitoba legislature, but we could go to my colleague for Winnipeg North and ask him if he wanted a chance to speak. He was the only Liberal in the house at the time, and so he never refused us. I think he learned his lesson on how to carry on well. However, I will not try to do that.
The big thing here is that Canadians need to know that the minister still has extreme powers in the bill, which is why we are making sure that we put it on the record that there need to be some amendments coming forward at committee. The government is listening to that, and I would hope that it would be willing to look at some of those amendments when the time comes, and the bill will get to committee.
205 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, in this modern age, in 2023, we are finally about to pass a cybersecurity bill. We do not oppose the spirit of this bill, but some criticisms have been raised since the bill was introduced.
University of Toronto professor Christopher Parsons has made 29 recommendations to strengthen the transparency and accountability of the measures proposed in this bill. In his view, the bill is so flawed that it would allow authoritarian governments around the world to cite it to justify their own repressive laws.
I have met with groups that support these recommendations and have concerns. They think this bill might give the minister too much power. There may also be some privacy issues for citizens.
I would like to know if my colleague shares those concerns, if he has heard about them and if he is willing to work on this bill in committee with us.
149 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank my colleague for her excellent question in regard to trying to move the bill forward.
I have indicated that I do want to see the bill go to committee, and I will support it to go to committee. I did refer to a couple of remarks that Christopher Parsons, from the University of Toronto, had made, in a very critical analysis of the bill when it was brought forward. His report states, “No recognition of privacy or other Charter-protected rights exists as a counterbalance to proposed security requirements”. He was very clear on the improvements that could be made to the bill. That is why we want to see it go to the committee, so that we can actually put some of those amendments forward, unless the government brings them forward.
138 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
