44th Parl. 1st Sess.
March 23, 2023 10:00AM
Mr. Speaker, the hon. colleague mentioned the growing importance of protecting Canadians and Canada from state-sponsored activities with respect to cybersecurity. State actors are very active in exploiting advanced technologies to create disruption and to erode trust in our systems and institutions, so that is one of the major objectives of our government in proposing this bill.
58 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I would like to invite my hon. colleague to take a higher-level view of an important issue because we are dealing here with cybersecurity and the need for protections, but we are also looking at a realm of artificial intelligence and things like that. These are things that can happen. People can 3D-print a gun that cannot be picked up by airport security. There is a lot of technology out there that could be purposefully harmful to individuals or to our whole society. In that regard, given some of the other conversations we have had about gatekeepers, would the member care to put a frame around the kind of gatekeeping that he and his party see as essential and necessary for the purpose of protecting Canadians?
130 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 2:32:50 p.m.
- Watch
Mr. Speaker, we take the allegations of foreign interference very seriously, which is why we have ensured that our national security agencies have all of the powers and authorities, but with the corresponding transparency required to reinforce the confidence of Canadians in our institutions
At every stage, Canadians can be confident we are protecting our institutions. Canadians can be confident we are protecting our elections.
Above all, Canadians can be assured of the fact that this government worked 24-7 to ensure the return of the two Michaels to Canada. That is something we did.
95 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, absolutely. We are seriously concerned in an ever-evolving world about national security, cybersecurity, infrastructure and investment security, protecting Canadian interests in IP and making sure we have fair, open and honest inquiries. If there are breaches and interference in our democracy, they should be tackled openly and honestly. We are certainly asking for that every day, and when it comes to the bill before us, it is no different.
We are at war with joysticks and software that threaten our infrastructure and the very livelihoods of Canadians and Canadian businesses. Let us get this right. Let us work together openly and honestly and make sure that we pass a good bill that protects Canadians.
117 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as I rise to speak today, all of us in this place are acutely aware of the deeply concerning realities of foreign interference in Canada’s affairs.
The Government of Canada cannot afford to ignore this troubling trend. While there are many angles from which we must consider how best to protect our national interests, as we examine the content of Bill C-26 we are focused primarily on matters related to cybersecurity. There is no question that Canada’s critical infrastructure must be protected from cyber-threats.
In our modern world, computer systems are integral to the provision of health care, powering our homes and businesses, upholding our financial systems and so much more. While these incredible tools of our time may not be visible to the naked eye, they are tremendously powerful and we cannot afford for these systems to be compromised. The consequences from a criminal's or a foreign adversary’s disruption of medical services in our hospitals or of our electrical grid would be incredibly dangerous and potentially deadly.
In its 2021 “Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”, the National Security and Intelligence Committee of Parliamentarians concisely listed what is at stake when cyber-threats arise: things like the personal information of Canadians; proprietary information, intellectual property and research of Canadian businesses and researchers; government policies and policy-making; security and intelligence information and operations; and the integrity of government systems, to name a few.
I was grateful to hear the Minister of Public Safety, when introducing this bill, say that cybersecurity is national security. It is a simple statement, but it is true. If we truly recognize cybersecurity as an essential element of our national security, we are more likely to give it the attention it deserves.
Bill C-26 is not perfect, as has been stated here, and we must ensure we protect the privacy of Canadians, nor will it be a cure-all for every cybersecurity weakness. However, I am fully behind updating our cybersecurity legislation. I hope the Liberal government is open to improving the bill at committee stage, and I will offer my support to get it to committee.
The objective of this bill is solid: to equip government to quickly respond to cyber-threats. As any expert in the field would tell us, rapid response is critical when a serious attack is under way. However, there are key issues that remain with the bill as it is presented to us today. Make no mistake, this legislation would give the government the ability to insert itself into the operations of companies, and therefore their customers.
As Christopher Parsons of the University of Toronto wrote in a critical analysis of the bill, “There is no recognition of privacy or other Charter-protected rights as a counter-balance to proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.” As with any new power that a government gives itself, there must be extensive checks and balances. There must be transparency. Most of all, there must be oversight. What this legislation does not do is provide those much-needed guardrails. We need the safety oversight.
Giving a minister the power to order a private company “to do anything, or refrain from doing anything”, particularly when it comes to the private information of its customers, is deeply problematic. While I understand that how the minister can wield this new power might be spelled out in future regulations, I believe it must be clearly outlined in the legislation, rather than leaving it up to cabinet to decide at a future date.
We must also have a fulsome airing of what information the government could collect from companies and their customers. Almost every aspect of our lives is interwoven with digital information. From banking to how we do business and how we communicate, numerous companies have that information on each of us.
Therefore, the question that remains is this. If we grant the government access to information from companies, even for the most altruistic reasons or for national security reasons, who is overseeing those government agencies? I can assure members that the government will not be giving new powers to members of Parliament or parliamentary committees to undertake that role. We can look no further than the stonewalling Parliament is receiving on foreign interference in our democracy now. It is absolutely imperative that oversight and guardrails be built into this legislation, and I implore my colleagues on the parliamentary committee that would be tasked with this legislation to do just that.
The fact is that the government has trouble protecting its own sensitive information from cyber-threats. Many examples of cyber-attacks against the government have already been cited during this debate. There was the attack against the Canada Revenue Agency in August 2020, which resulted in 13,000 victimized Canadians. Global Affairs was attacked in January 2022. Canada Post has filed several breach reports after cyber-incidents, according to records from the Privacy Commissioner. If the government is unable to protect itself from cyber-threats, how can it be expected to protect the sensitive cybersecurity plans of private companies? The Liberal government would do well to lead by example before it can truly ask private companies to beef up their own cybersecurity practices. The weaknesses of the government’s own cybersecurity have been flagged over and over again.
In September 2020, the National Security and Intelligence Committee of Parliamentarians announced its review of the government’s framework and activities to defend its systems and networks from cyber-attack. The review resulted in a number of findings, which deserve mention.
First, the committee found that cyber-threats to government systems and networks “are a significant risk to national security and the continuity of government operations.” It also noted that nation-states “are the most sophisticated threat actors”, although the threats do not come from nation-states alone. Second, the committee found that while the government has implemented a framework to defend itself from cyber-attacks, “[t]he strength of this framework is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services.” In plain language, the report found that not all federal organizations receive cyber-defence protection. The committee review identified that, while Shared Services Canada provides some cyber-defence services to 160 of 169 federal organizations, only 43 of those organizations actually receive the full complement of its services.
Given these findings, the committee recommended that the government “continue to strengthen its framework for defending government networks from cyber attack” and apply and extend cyber-defence policies and practices equally across government. At the time, the Liberal government agreed with the recommendations that were put forward. While this was an important step toward acknowledging the issue, taking action is another thing entirely.
Just days ago, a Globe and Mail headline read, “Ottawa makes little progress shoring up Crown corporations' cybersecurity”. The report noted that this is despite 18 months passing since the National Security and Intelligence Committee of Parliamentarians raised concerns about the possibility that Crown corporations, which are still not subject to the government’s cyber-defence policies, could inadvertently serve as gateways into the federal government’s well-protected systems.
The public safety minister did not mention the NSICOP report and recommendations when introducing this bill, but I hope that the work of this committee, made up of parliamentarians from across party lines, can be helpful in enhancing the government’s own cybersecurity defences. As NSICOP has underscored, “The data of organizations not protected by the government cyber defence framework is at significant risk. Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole.”
In closing, the government is aware of these risks, but it has been slow to rectify the issue. While Bill C-26 covers another angle of this discussion, it does not address the problem of the government's own house. As I said already, cybersecurity laws need to be updated here in Canada. Bill C-26—
1405 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I do not have a technical response for the very technical question that the member asked. We have to consider the importance of protecting our electrical grids. New Brunswick relies heavily on our partners in Quebec, so it would certainly have implications for my constituents.
These are questions that we need to ask and hopefully consider during the committee stage, and hear testimony from witnesses that would be able to address those concerns.
75 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour to speak today in the House on Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.
With every passing year, Canadians are increasingly moving their lives online. They communicate with loved ones through email, messaging, photo sharing, video calls and more. They can order their entire grocery orders, rent cars for the weekend and book appointments with a click in an app.
As more and more Canadians choose to put more of their lives online, it falls to us, as members of Parliament, to ensure our cybersecurity laws are as protective of their personal and private information as possible.
The next generation of Canadians are increasingly building their professional and personal lives online. At the same time, they face mounting threats from foreign actors, ranging from scammers to state actors. These actors have shown they would use any tactic, from identity theft to cyber-attacks, to exploit Canadians and attack our institutions.
That is why the legislation we have before us today is essential, and why getting it right the first time is even more important. In particular, it must protect our online information while not crushing our small business start-ups under mountains of red tape.
On this side of the House, my Conservative colleagues and I believe that, as currently constructed, Bill C-26 fails to account for the welfare of small business start-ups by adding more red tape and placing burdensome costs on our homegrown technology sector. As constructed, this bill would directly affect start-ups by adding further bureaucracy that would drive up their starting costs. It would overburden with regulation the small telecommunications providers, the companies that provide our families and businesses with access to a global market online.
Wrapping them in red tape could risk our access to competing on the world stage. The Liberal government has already made it hard enough for start-ups, and the Liberal record on small business has been one committed to mazes of bureaucracy, punitive fines and penalties, and rising inflation. A Liberal economy of high tax and wasteful spending has already made it hard enough for start-ups.
Through the overarching premise of this cybersecurity bill, we know that it is needed. We absolutely need to update our cybersecurity laws, while at the same time we cannot allow Bill C-26 to add unnecessary burdens to business, especially small businesses.
I am particularly concerned about how this bill's regulations would also apply to businesses “irrespective of their cyber security maturity”, implying that providers who already have advanced electronic protection measures would still have to comply with the new regulations of the bill. This means that businesses could not continue using their current, possibly more robust, cybersecurity systems. Instead, they would have to disregard their current cybersecurity measures and replace them with the newly proposed government model.
Even Canadian businesses that have already worked hard to protect their customer security at accepted global standards would still incur more cost despite their robust electronic security measures. They would need to invest in government-regulated security measures, incurring costs such as inspection, extra time, installation and further training. They may have to completely overturn their superior standards for the government's preference.
The thing is, we do not know what the regulations would be or how they would affect businesses, because the actual regulations have not been developed. That is how the government does a lot of its bills. There are great titles, with few details. We are expected to just trust the Liberals to figure it all out later, behind closed doors, with no opportunity to study them at committee with expert witnesses.
Imagine if this regulatory framework were applied to any other business. Suppose we were regulating changes in the banking security industry. We would require that every Canadian bank and credit union tear its building down to the ground, brick by brick, and then rebuild itself from scratch. That really does not make sense.
Now is the time when we should be encouraging competition and bringing in more telecommunications companies. We know Canada has some of the highest telecommunications costs in the world. As more and more Canadians move their lives online, whether for banking, social media or work, adding more tape in this bill, as mentioned, would make this transition far more difficult. Costs never remain in the businesses' ledgers forever; they are inevitably always passed on to the consumer.
As a government, we should encourage the next generation of Canadian entrepreneurs who are innovating.
I will mention, as a sidebar, that I was formerly on the industry committee and we did a quantum computing study, which was, frankly, terrifying. It was about how Canada could be exposed to bad actors, which could affect every part of our online lives. As these technological advances develop, we have to be aware of risks and be able to stay ahead of technology.
These enterprises, businesses and telecommunications providers do not need more red tape; they need a stable market without uncompetitive government interference. We know very well how easy it can be for the government to build regulations that only the largest providers of an industry can shoulder. Without attention to scale, a single fault of noncompliance could instantly wipe out a smaller company. The legislation would allow ministers and bureaucrats to levy fines as high as $15 million without special consideration, such as the size of a company's user base.
Nonspecific details like that are music to the ears of our largest telecommunications providers. Monopolization of our telecommunications sector is something Canadians are already concerned about. We must always proceed cautiously, so as not to turn away innovation and new businesses entering the market, which creates healthy competition. For example, these fines could also be enacted under the vague term of “protecting a critical cyber system”. This vague terminology can leave a lot of leeway for government ministers to injure Canadian businesses with rampant fines.
There is already a shortage of online and electronic security professionals in Canada. According to the Business Council of Canada, an estimated 25,000 personnel are needed in the cybersecurity industry. Instead of dissuading these crucial professionals from joining this industry and helping keep Canada safe from domestic and foreign cyber-threats, let us provide a better framework and encourage them to build new businesses in this essential industry. Let us not scare them off with red tape and penalties.
As members can see, the legislation proposed for Bill C-26 has some significant concerns that require amendments at committee. Regulations being made with a lack of transparency behind closed doors, after the bill passes, is a concern. Conservatives will be looking to make amendments to the bill at committee as we hear from experts.
As I mentioned earlier, my Conservative colleagues and I encourage and support new, updated and secure cybersecurity measures being put in place, especially as more and more Canadians move their lives online. However, by placing more and more red tape on small and start-up businesses and providers that have already been in the industry for years, the bill would effectively dissuade businesses from entering this market and providing more services for Canadians. Large and mature businesses can handle the related costs of Bill C-26, but the associated expenses could crush small businesses.
I have worked, for much of my career, around various regulated industries and have seen, all too often, red tape and regulations making it too hard for small businesses to even start or to stay afloat without being acquired by larger firms, as small companies just cannot keep up with the regulatory compliance.
Cybersecurity threats affect all our communities. In January, an international ransomware group claimed responsibility for an Okanagan College cyber-attack in my region. Let us keep Canada safe by building clear online security measures that would encourage start-up professionals and businesses to help build up our cybersecurity infrastructure to a world-class standard. We will not accomplish this goal if we continue to add burdensome fines, penalties and red tape.
1363 words
- Hear!
- Rabble!
- add
- star_border
- share
Uqaqtittiji, this bill would create tools for governments to support Canadian business and organizations in securing their networks and protecting personal and private information. I wonder if the member could share her thoughts on how this bill could better ensure that businesses are better protected.
45 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
