44th Parl. 1st Sess.
March 23, 2023 10:00AM
Mr. Speaker, I rise today to speak to Bill C-26, an act about cybersecurity. In the 21st century, cybersecurity is national security, and it is our responsibility to protect Canadians from growing cyber-threats. We have to take the necessary steps to protect Canadians and our telecommunications infrastructure. Canadians must have confidence in the integrity, authenticity and security of the products and services they use every day.
This bill reflects the values of Canadians and is in line with our closest allies, including our Five Eyes partners. That is why we are investing in cybersecurity, ensuring respect for the privacy of Canadians and supporting responsible innovation. We will continue to protect Canadians from cyber-threats in an increasingly digital world. As said in our international cybersecurity overview, a free, open and secure cyberspace is critical to Canada’s economy, social activity, democracy and national security.
Canada faces cybersecurity risks from both state and non-state actors. Protecting Canada’s and Canadians’ cyber-infrastructure from malicious actors is a serious challenge and a never-ending task. Canada works with allies and partners to improve cybersecurity at home and to counter threats from abroad. This includes identifying cyber-threats or vulnerabilities and developing capabilities to respond to a range of cyber-incidents.
A few years back, we put forward the national cybersecurity strategy, a vision for security and prosperity in the digital age. As mentioned there, virtually everything Canadians do is touched by technology in some way. We are heavily interconnected and networked, a fact that not only enhances our quality of life but also creates vulnerabilities. From commercial supply chains to the critical infrastructure that underpins our economy and our society, the risks in the cyberworld have multiplied, accelerated and grown increasingly malicious.
Major corporations, industries and our international allies and partners are engaged in the global cyber-challenge, but many others are not and that represents a significant risk. The strategy's core goals were reflected in budget 2018, where $500 million was invested in cybersecurity. Part of the funding was for the new Canadian Centre for Cyber Security, which is Canada’s technical authority on cybersecurity. It is part of the Communications Security Establishment, and it is the single, unified source of expert advice, guidance, services and support on cybersecurity for Canadians and Canadian organizations.
It regularly publishes the “National Cyber Threat Assessment”, and I would like to quote from their latest one for 2023-24. It states:
Canadians use the Internet for financial transactions, to connect with friends and family, attend medical appointments and work. As Canadians spend more time and do more on the Internet, the opportunities grow for cyber threat activity to impact their daily lives. There’s been a rise in the amount of personal, business and financial data available online, making it a target for cyber threat actors. This trend towards connecting important systems to the Internet increases the threat of service disruption from cyber threat activity. Meanwhile, nation states and cybercriminals are continuing to develop their cyber capabilities. State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians.
In the latest assessment, they chose to focus on five cyber-threat narratives that they judge are the most dynamic and impactful.
First, ransomware is a persistent threat to Canadian organizations. Cybercrime continues to be the cyber-threat activity most likely to affect Canadians and Canadian organizations. Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. Cybercriminals deploying ransomware have evolved in a growing and sophisticated cybercrime ecosystem and will continue to adapt to maximize profits.
Second, critical infrastructure is increasingly at risk from cyber-threat activity. Cybercriminals exploit critical infrastructure because downtime can be harmful to industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position themselves in case of future hostilities and as a form of power projection and intimidation.
Third, state-sponsored cyber-threat activity is impacting Canadians. State-sponsored cyber-threat activity against Canada is a constant, ongoing threat that is often a subset of larger, global campaigns undertaken by these states. State actors can target diaspora populations and activists in Canada, Canadian organizations and their intellectual property for espionage, and even Canadian individuals and organizations for financial gain.
Fourth, cyber-threat actors are attempting to influence Canadians, degrading trust in online spaces. Cyber-threat actors' use of misinformation, disinformation and malinformation, collectively referred to as MDM, has evolved over the past two years. Machine learning-enabled technologies are making fake content easier to manufacture and harder to detect. Further, nation-states are increasingly willing and able to use MDM to advance their geopolitical interests.
Fifth, disruptive technologies bring new opportunities and new threats. Digital assets, such as cryptocurrencies and decentralized finance, are both targets and tools for cyber-threat actors to enable malicious cyber-threat activity. Machine learning has become commonplace in consumer services and data analysis, but cyber-threat actors can deceive and exploit this technology. Quantum computing has the potential to threaten our current systems of maintaining trust and confidentiality online. Encrypted information stolen by threat actors today can be held and decrypted when quantum computers become available.
Simply put, cyber-threats pose a growing risk to all Canadians and institutions. We are confronting this threat head-on. Our government regularly engages with domestic and international cybersecurity partners to protect Canada’s critical infrastructure and the systems that underpin essential services. We are working closely with critical infrastructure stakeholders and partners to ensure that they are better prepared to face cyber-based threats.
Our cybersecurity framework continues to detect, deter and disrupt state and non-state actors attempting to take advantage of the Canadian cyber-landscape. Our government is, and will always be, ready to respond to any malicious cyber-acts that threaten Canadian interests.
To conclude, the purpose of this act is to help protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, first, any cybersecurity risks with respect to critical cyber systems are identified and managed; second, critical cyber systems are protected from being compromised; third, any cybersecurity incidents affecting, or having the potential to affect, critical cyber systems are detected; and finally, the impacts of cybersecurity incidents affecting critical cyber systems are minimized.
1079 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I agree with the member that small businesses are the backbone of Canada and the Canadian economy, with the majority of Canadians working in small and medium-sized businesses.
Related to this bill is the fact that this issue affects small-sized businesses disproportionately more, because they do not have enough resources to protect themselves from cyber-threats. In fact, as I mentioned in my speech, the new Canadian Centre for Cyber Security, which is part of the Communications Security Establishment, is there to provide expert advice, guidance, and service and support on cyber-threats and cybersecurity to Canadian organizations.
102 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I would like to invite my hon. colleague to take a higher-level view of an important issue because we are dealing here with cybersecurity and the need for protections, but we are also looking at a realm of artificial intelligence and things like that. These are things that can happen. People can 3D-print a gun that cannot be picked up by airport security. There is a lot of technology out there that could be purposefully harmful to individuals or to our whole society. In that regard, given some of the other conversations we have had about gatekeepers, would the member care to put a frame around the kind of gatekeeping that he and his party see as essential and necessary for the purpose of protecting Canadians?
130 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I want to ask some questions of the hon. member that are more related. I know it is a bit away from this bill, but he mentioned in his speech the work we are doing in our defence committee on cyber-defence and cybersecurity. I have two questions.
There have been calls for the International Criminal Court to declare cyberwarfare an actual war crime. What does the member think about that?
There is also the fact that we heard that Canada and its security institutions actually overclassify information by about 90%, and that if we could declassify a lot of that information, this would significantly help those security organizations deal with the specific threats we are seeing. I want to hear the member's opinion on that.
129 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, my colleague has pinpointed some very serious problems. The reality is that technology progresses at such a rapid pace that it is really difficult to have legislation in place to address the next steps.
It is crucial to have the best experts analyzing the flexibility of our legislation to ensure the protection and security of future technologies that will be implemented. This means not just for now, but for the future as well.
75 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, my colleague actually highlights a very important issue here. While having security is critical for our cybersecurity system, we must also make sure that we are balancing this with civil liberties and not allowing personalized data to be shared in an unfettered way. We need safeguards in place so we are able to respond. In certain circumstances, we might have to have a bit of flexibility.
We also need to have safeguards in place, as well as ramifications, for when governments or businesses go beyond that space. We owe it to Canadians and to the world. We need to be safe, but we also need to protect one another. I do not think any member would like to have their personal telephone number shared with everyone across the country.
Without adequate safeguards, that information could possibly be shared, and these are the kinds of pieces that could create a lot of harm to each and every one of us. We have to have serious conversations about them.
169 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 2:32:50 p.m.
- Watch
Mr. Speaker, we take the allegations of foreign interference very seriously, which is why we have ensured that our national security agencies have all of the powers and authorities, but with the corresponding transparency required to reinforce the confidence of Canadians in our institutions
At every stage, Canadians can be confident we are protecting our institutions. Canadians can be confident we are protecting our elections.
Above all, Canadians can be assured of the fact that this government worked 24-7 to ensure the return of the two Michaels to Canada. That is something we did.
95 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 3:01:56 p.m.
- Watch
Mr. Speaker, the government always takes foreign interference issues very seriously.
That is why we have already given all the power necessary to our agencies that deal with matters of national security, and we have done so transparently. We created a committee of parliamentarians and the National Security and Intelligence Review Agency Secretariat, and we have now appointed Mr. Johnston, who will make recommendations. The government will abide by Mr. Johnston's recommendations.
73 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 3:05:32 p.m.
- Watch
Mr. Speaker, this is why we do not play with national security using partisan theatre. The member just stood in his place, as we have heard many times, and talked about allegations as if they are fact. He said that things must be true and they know things that, of course, they could not possibly know.
What we have said throughout this process is that when we are dealing with national security and foreign autocracies trying to undermine our democracy, we need to have the maturity to allow our institutions and process to answer these questions as opposed to playing this out in partisan theatre.
105 words
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/23/23 3:11:09 p.m.
- Watch
Mr. Speaker, there have been consultations, and I hope that if you seek it, you will find consent for the following:
I move:
That this House acknowledge the need to improve and enhance security measures on Parliament Hill within a framework that affirms the Parliamentary privilege of Members that are deemed necessary for the House of Commons, as an institution, and its members, as representatives of the electorate, to fulfill their functions, including their freedom from obstruction, interference and intimidation.
80 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, in some respects, Bill C-26 is quite complicated, but it is also quite simple. It aspires to have the risks of cybersecurity systems identified, managed and addressed so we are at much less risk because of our cyber system.
In the last while, I have had the good fortune to be the chair of the public safety committee in the previous Parliament, and I am now the chair of the defence committee. As such, I have listened to literally hours of testimony from people who are quite well informed on this subject matter. My advice to colleagues here is this: It behooves us all to be quite humble and approach this subject with some humility because it is extremely complex.
The first area of complexity is with respect to the definitions.
For instance, cybersecurity is defined as “the protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information”. Cyber-threat is defined as “an activity intended to compromise the security of an information system”.
Cyber-defence, according to NATO, is defensive actions in the cyber domain. Cyberwarfare generally means damaging or disrupting another nation-state's computers. Cyber-attacks “exploit vulnerabilities in computer systems and networks of computer data”.
Therefore, with respect to the definitions, we can appreciate the complexity of inserting yet another bill and minister into this process.
Let me offer some suggested questions for the members who would be asked to sit on the committee to look at this bill if it passes out of the House. I do recommend that the bill pass out of the House and, if it does, that the committee charged with its review take the appropriate amount of time to inform itself on the complexities of this particular space.
The first question I would ask is this: Who is doing the coordination? There are a number of silos involved here. We have heard testimony after testimony about various entities operating in various silos.
For instance, the Department of Defence has its silo, which is to defend the military infrastructure. It also has some capability to launch cyber-attacks, but it is a silo.
Then there is the public safety silo, which is a very big silo, because it relies on the CSE, CSIS and the RCMP, and has the largest responsibility for the protection of civilian infrastructure.
While the CSE does not have the ability to launch cyber-attacks domestically, it has the ability to launch a cyber-attack in international cyberspace. It is a curious contradiction, and I would encourage members to ask potential witnesses to explain that contradiction, because the more this space expands, the more the distinctions between foreign attacks and domestic attacks become blurred.
The bill would charge the Minister of Innovation, Science and Industry with some responsibility with respect to cybersecurity.
I would ask my colleagues to ask questions about how these three entities, public safety, defence and now the Minister of Innovation, Science and Industry, are going to coordinate so that the silos are operating in a coordinated fashion and sharing information with each other so that Canada presents the best possible posture for the defence of our networks. Again, I offer that as a suggestion of a question to be asked. We cannot afford the luxury of one silo knowing something that the other silo does not know, and this is becoming a very significant issue.
CSIS, for instance, deals in information and intelligence. The RCMP deals in evidence. Most of the information that is coming through all of the cyber-infrastructure would never reach the level of evidence, whether the civil or criminal standard of evidence. This is largely information, largely intelligence, and sometimes it is extremely murky. Again, I am offering that as a question for members to ask of those who come before the committee as proponents of the bill.
The other area I would suggest is to question is how this particular bill would deal with the attributions of an attack. To add to all of the complications I have already put on the floor of the House, there is also a myriad of attackers. There are pure state attackers, hybrid state criminal attackers and flat-out criminals.
For the state attackers, one can basically name the big four: China, Russia, North Korea and Iran. However, there are themes and variations within that. Russia, for instance, frequently uses its rather extensive criminal network to act on behalf of the state. It basically funds itself by with proceeds of its criminal activities, and the Russians do not care. If one is going to cripple a hospital network or a pipeline or any infrastructure on can name, then they do not care whether it happens by pure criminal activity or hybrid activity or state activity. It is all an exercise in disruption and making things difficult for Canadians in particular. We see daily examples of this in Ukraine, where the Russians have used cyber-attacks to really make the lives of Ukrainians vulnerable and also miserable.
The next question I would ask, and if this is not enough, I have plenty more, is on the alphabet soup of various actors. We have NSICOP, CSE, CSIS and the RCMP. I do not know what the acronym for this bill will be, but I am sure that somebody will think of it. How does this particular initiative, which, as I say, is a worthy initiative to be supported here, fit into the overall architecture?
Finally, CAF and the defence department are now doing a review of our defence posture, our defence policy. Cyber is an ever-increasing part of our security environment and, again, I would be asking the question of how Bill C-26 and all of its various actors fit into that defence review.
978 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, that is two impossible questions in a row, and I congratulate the member for them.
The first was whether cyberwarfare should be declared an act of war. To my mind, an attack is an attack. If someone is running cars off the road, or interfering with pipelines or hospitals, they are putting people's lives at risk and sometimes even killing them. That does strike me as an act of war.
The second issue, and the member was probably there when I raised that question with one of our witnesses, was our levels of classification for information. The question I put to one of the witnesses was as follows: I have been in on some of the security briefings, and I am sitting there wondering whether I read it two weeks ago in The Globe and Mail. We seem to have a very high threshold of classifications, and maybe this could be an opportunity to reduce that threshold.
160 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, unless I misunderstood, the Bloc Québécois member whose riding escapes me suggested in his question that there are government MPs who may pose a threat to national security.
That is a bit of a stretch from the allegations that have been made. It is unacceptable to suggest that members may pose a threat to national security. I would ask the member to either clarify his comments or apologize.
If I misunderstood, then I apologize, but that is indeed what the member said in his question during the previous debate.
95 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, let me start off with the point you were just talking about, because in the 21st century, cybersecurity is national security. It behooves us all as parliamentarians to work as hard as we can to protect our businesses, consumers and institutions from cyber-threats. That is why I am so grateful and delighted to be here today in the House to speak to the second reading debate of Bill C-26, which concerns the important topic of cybersecurity.
Cybersecurity is a matter of great concern to my constituents of all ages. I firmly believe both the public and private sectors need to be able to protect themselves against malicious cyber-activity, including cyber-attacks. As parliamentarians, it is our duty to establish a framework for secure critical infrastructure that we can all rely on.
The past few decades have seen remarkable advancements in computer and Internet technology. Online connectivity has become an integral part of the lives of Canadians and people around the world. The COVID-19 pandemic has shown us how we rely on so much on the Internet for everything we do, from education to conducting business and staying in touch with loved ones. With more and more people depending on the Internet, including young children and seniors, our most vulnerable, it is crucial to ensure that we have a secure and reliable cyber-connectivity.
Our government is committed to improving cybersecurity to safeguard our country's future in cyberspace. However, as technology and cyber systems continue to evolve, our infrastructure is becoming more interconnected and interdependent. This brings new security vulnerabilities.
For instance, personal interactions like banking and credit card transactions are now mainly conducted online, making cybersecurity even more important. According to the Cybersecurity and Infrastructure Security Agency, ransomware attacks were among the most significant cybersecurity threats in recent years.
Cybercriminals continue to use sophisticated tactics to gain access to critical systems, steal sensitive data and extort money from victims. In addition to ransomware attacks, other common cybersecurity threats include phishing attacks, malware, insider threats and distributed denial of service attacks. I know members have all received emails or phone calls with these types of threats. We do not know where they are coming from, but they are trying to crack our system and do criminal activity.
As more organizations adopt cloud computing, like we do here, Internet of Things devices and artificial intelligence, these technologies are also becoming significant targets for these cybercriminals.
Cybersecurity threats can have severe consequences for individuals, businesses, all levels of government. These include financial losses, which we have heard are in the billions, reputational damage, legal liabilities and even physical harm. We have read and heard the stories of those who have taken their lives because of these harmful attacks. It is crucial to take proactive steps to prevent and mitigate cybersecurity risks.
Bill C-26 is a landmark legislation that would amend the Telecommunications Act and other consequential acts to enhance cybersecurity. The bill proposes to add more security as an express policy objective of the telecommunications sector, bringing it in line with other critical infrastructure sectors.
The key objectives of the bill are twofold. First, in part 1, the bill proposes to amend the Telecommunications Act to add security expressly as a policy objective. This amendment aims to align the telecommunications sector with other critical infrastructure sectors.
The changes we are bringing about through this legislation would authorize the Governor in Council and the Minister of Innovation, Science and Industry, after consultation with stakeholders, to establish and implement the policy statement “Securing Canada's Telecommunications System”, which the minister announced in May of 2022. The primary objective is to prevent the use of products and services by high-risk suppliers and their affiliates. This would enable the Canadian government, when necessary, to restrict telecommunications service providers' utilization of products or services from high-risk suppliers.
With such restrictions, consumers would not be exposed to potential security risks. This approach would allow the government to take security measures similar to those of other federal regulators in their respective critical infrastructure sectors.
The second part of Bill C-26 pertains to the introduction of the critical cyber systems protection act, or CCSPA, which mandates designated operators in federally regulated sectors such as finance, telecommunications, energy and transportation to undertake specific measures to safeguard their critical cyber systems. It would include the ability to take action on other vulnerabilities, such as human error or storms causing a risk of outages to these critical services. In addition, the act would facilitate organizations' capacity to prevent and bounce back from various forms of malevolent cyber-activities like electronic espionage and ransomware. Notably, cyber-incidents that surpass a certain threshold will necessitate mandatory reporting.
Both parts 1 and 2 of Bill C-26 are required to ensure the cybersecurity of Canada's federally regulated critical infrastructure, and in turn, protect Canadians and Canadian businesses. The need to intensify our efforts is apparent because of the advent of new technologies we are hearing about like 5G.
The COVID-19 pandemic has highlighted our growing dependence on technology. In addition, in my riding of Mississauga East—Cooksville, there is a growing concern about Russia's unwarranted and unjustified invasion of Ukraine, which has resulted in international tensions and a range of potential threats. Such threats include supply chain disruptions and cyber-attacks from state and non-state actors.
We are not starting from scratch in our fight against this threat, though. Our government is always vigilant when it comes to any type of threat, including cyber-threats. Our government has made several investments in cybersecurity in recent years to improve the country's cyber-resilience and protect Canadians' data and privacy. For example, in 2018, we created the national cybersecurity strategy. This was based on the consultations that we initiated with Canadians in 2016. Our government adopted this strategy to establish a framework aimed at protecting citizens and businesses from cyber-threats while leveraging the economic benefits of digital technology.
Cyber-incidents involve a certain threshold at which reporting would be required. This legislation would give the government a new tool to compel action, if necessary, in response to cybersecurity threats or vulnerabilities.
Canada is working alongside other democratic nations around the globe, both in the context of our Five Eyes relationship and in the G7 alliance. These multilateral forums are intensely focused on devising strategies to counter a range of cyber-threats, such as ransomware attacks; the dissemination of false information, which we have seen too often; and attempts by malicious actors to engage in cyber-espionage.
To facilitate this collaboration, we are emphasizing the importance of sharing information and intelligence, thereby breaking down those silos. This would enable us to more effectively combat efforts made to destabilize our economies and undermine Canadian interests. While we are currently engaged in a debate regarding Bill C-26, we are also taking proactive measures to address the current gaps in our domestic cybersecurity landscape, while simultaneously partnering with like-minded nations to confront these challenges in a comprehensive manner.
We have listened to Canadians, our security experts and our allies, and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canadian competitiveness, economic stability and long-term prosperity.
Bill C-26 aims to enhance designated organizations' preparedness, prevention, response and recovery abilities—
1248 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as I rise to speak today, all of us in this place are acutely aware of the deeply concerning realities of foreign interference in Canada’s affairs.
The Government of Canada cannot afford to ignore this troubling trend. While there are many angles from which we must consider how best to protect our national interests, as we examine the content of Bill C-26 we are focused primarily on matters related to cybersecurity. There is no question that Canada’s critical infrastructure must be protected from cyber-threats.
In our modern world, computer systems are integral to the provision of health care, powering our homes and businesses, upholding our financial systems and so much more. While these incredible tools of our time may not be visible to the naked eye, they are tremendously powerful and we cannot afford for these systems to be compromised. The consequences from a criminal's or a foreign adversary’s disruption of medical services in our hospitals or of our electrical grid would be incredibly dangerous and potentially deadly.
In its 2021 “Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”, the National Security and Intelligence Committee of Parliamentarians concisely listed what is at stake when cyber-threats arise: things like the personal information of Canadians; proprietary information, intellectual property and research of Canadian businesses and researchers; government policies and policy-making; security and intelligence information and operations; and the integrity of government systems, to name a few.
I was grateful to hear the Minister of Public Safety, when introducing this bill, say that cybersecurity is national security. It is a simple statement, but it is true. If we truly recognize cybersecurity as an essential element of our national security, we are more likely to give it the attention it deserves.
Bill C-26 is not perfect, as has been stated here, and we must ensure we protect the privacy of Canadians, nor will it be a cure-all for every cybersecurity weakness. However, I am fully behind updating our cybersecurity legislation. I hope the Liberal government is open to improving the bill at committee stage, and I will offer my support to get it to committee.
The objective of this bill is solid: to equip government to quickly respond to cyber-threats. As any expert in the field would tell us, rapid response is critical when a serious attack is under way. However, there are key issues that remain with the bill as it is presented to us today. Make no mistake, this legislation would give the government the ability to insert itself into the operations of companies, and therefore their customers.
As Christopher Parsons of the University of Toronto wrote in a critical analysis of the bill, “There is no recognition of privacy or other Charter-protected rights as a counter-balance to proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.” As with any new power that a government gives itself, there must be extensive checks and balances. There must be transparency. Most of all, there must be oversight. What this legislation does not do is provide those much-needed guardrails. We need the safety oversight.
Giving a minister the power to order a private company “to do anything, or refrain from doing anything”, particularly when it comes to the private information of its customers, is deeply problematic. While I understand that how the minister can wield this new power might be spelled out in future regulations, I believe it must be clearly outlined in the legislation, rather than leaving it up to cabinet to decide at a future date.
We must also have a fulsome airing of what information the government could collect from companies and their customers. Almost every aspect of our lives is interwoven with digital information. From banking to how we do business and how we communicate, numerous companies have that information on each of us.
Therefore, the question that remains is this. If we grant the government access to information from companies, even for the most altruistic reasons or for national security reasons, who is overseeing those government agencies? I can assure members that the government will not be giving new powers to members of Parliament or parliamentary committees to undertake that role. We can look no further than the stonewalling Parliament is receiving on foreign interference in our democracy now. It is absolutely imperative that oversight and guardrails be built into this legislation, and I implore my colleagues on the parliamentary committee that would be tasked with this legislation to do just that.
The fact is that the government has trouble protecting its own sensitive information from cyber-threats. Many examples of cyber-attacks against the government have already been cited during this debate. There was the attack against the Canada Revenue Agency in August 2020, which resulted in 13,000 victimized Canadians. Global Affairs was attacked in January 2022. Canada Post has filed several breach reports after cyber-incidents, according to records from the Privacy Commissioner. If the government is unable to protect itself from cyber-threats, how can it be expected to protect the sensitive cybersecurity plans of private companies? The Liberal government would do well to lead by example before it can truly ask private companies to beef up their own cybersecurity practices. The weaknesses of the government’s own cybersecurity have been flagged over and over again.
In September 2020, the National Security and Intelligence Committee of Parliamentarians announced its review of the government’s framework and activities to defend its systems and networks from cyber-attack. The review resulted in a number of findings, which deserve mention.
First, the committee found that cyber-threats to government systems and networks “are a significant risk to national security and the continuity of government operations.” It also noted that nation-states “are the most sophisticated threat actors”, although the threats do not come from nation-states alone. Second, the committee found that while the government has implemented a framework to defend itself from cyber-attacks, “[t]he strength of this framework is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services.” In plain language, the report found that not all federal organizations receive cyber-defence protection. The committee review identified that, while Shared Services Canada provides some cyber-defence services to 160 of 169 federal organizations, only 43 of those organizations actually receive the full complement of its services.
Given these findings, the committee recommended that the government “continue to strengthen its framework for defending government networks from cyber attack” and apply and extend cyber-defence policies and practices equally across government. At the time, the Liberal government agreed with the recommendations that were put forward. While this was an important step toward acknowledging the issue, taking action is another thing entirely.
Just days ago, a Globe and Mail headline read, “Ottawa makes little progress shoring up Crown corporations' cybersecurity”. The report noted that this is despite 18 months passing since the National Security and Intelligence Committee of Parliamentarians raised concerns about the possibility that Crown corporations, which are still not subject to the government’s cyber-defence policies, could inadvertently serve as gateways into the federal government’s well-protected systems.
The public safety minister did not mention the NSICOP report and recommendations when introducing this bill, but I hope that the work of this committee, made up of parliamentarians from across party lines, can be helpful in enhancing the government’s own cybersecurity defences. As NSICOP has underscored, “The data of organizations not protected by the government cyber defence framework is at significant risk. Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole.”
In closing, the government is aware of these risks, but it has been slow to rectify the issue. While Bill C-26 covers another angle of this discussion, it does not address the problem of the government's own house. As I said already, cybersecurity laws need to be updated here in Canada. Bill C-26—
1405 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am pleased to join the debate on second reading of Bill C-26, an act respecting cybersecurity.
Several of my colleagues have already spoken at length about the importance of the bill and the details therein, but it bears repeating that Bill C-26 is critical to our country's national security, our public safety and our economy.
Not only would Bill C-26 introduce the new critical cyber systems protection act or—
77 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is an honour to speak today in the House on Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.
With every passing year, Canadians are increasingly moving their lives online. They communicate with loved ones through email, messaging, photo sharing, video calls and more. They can order their entire grocery orders, rent cars for the weekend and book appointments with a click in an app.
As more and more Canadians choose to put more of their lives online, it falls to us, as members of Parliament, to ensure our cybersecurity laws are as protective of their personal and private information as possible.
The next generation of Canadians are increasingly building their professional and personal lives online. At the same time, they face mounting threats from foreign actors, ranging from scammers to state actors. These actors have shown they would use any tactic, from identity theft to cyber-attacks, to exploit Canadians and attack our institutions.
That is why the legislation we have before us today is essential, and why getting it right the first time is even more important. In particular, it must protect our online information while not crushing our small business start-ups under mountains of red tape.
On this side of the House, my Conservative colleagues and I believe that, as currently constructed, Bill C-26 fails to account for the welfare of small business start-ups by adding more red tape and placing burdensome costs on our homegrown technology sector. As constructed, this bill would directly affect start-ups by adding further bureaucracy that would drive up their starting costs. It would overburden with regulation the small telecommunications providers, the companies that provide our families and businesses with access to a global market online.
Wrapping them in red tape could risk our access to competing on the world stage. The Liberal government has already made it hard enough for start-ups, and the Liberal record on small business has been one committed to mazes of bureaucracy, punitive fines and penalties, and rising inflation. A Liberal economy of high tax and wasteful spending has already made it hard enough for start-ups.
Through the overarching premise of this cybersecurity bill, we know that it is needed. We absolutely need to update our cybersecurity laws, while at the same time we cannot allow Bill C-26 to add unnecessary burdens to business, especially small businesses.
I am particularly concerned about how this bill's regulations would also apply to businesses “irrespective of their cyber security maturity”, implying that providers who already have advanced electronic protection measures would still have to comply with the new regulations of the bill. This means that businesses could not continue using their current, possibly more robust, cybersecurity systems. Instead, they would have to disregard their current cybersecurity measures and replace them with the newly proposed government model.
Even Canadian businesses that have already worked hard to protect their customer security at accepted global standards would still incur more cost despite their robust electronic security measures. They would need to invest in government-regulated security measures, incurring costs such as inspection, extra time, installation and further training. They may have to completely overturn their superior standards for the government's preference.
The thing is, we do not know what the regulations would be or how they would affect businesses, because the actual regulations have not been developed. That is how the government does a lot of its bills. There are great titles, with few details. We are expected to just trust the Liberals to figure it all out later, behind closed doors, with no opportunity to study them at committee with expert witnesses.
Imagine if this regulatory framework were applied to any other business. Suppose we were regulating changes in the banking security industry. We would require that every Canadian bank and credit union tear its building down to the ground, brick by brick, and then rebuild itself from scratch. That really does not make sense.
Now is the time when we should be encouraging competition and bringing in more telecommunications companies. We know Canada has some of the highest telecommunications costs in the world. As more and more Canadians move their lives online, whether for banking, social media or work, adding more tape in this bill, as mentioned, would make this transition far more difficult. Costs never remain in the businesses' ledgers forever; they are inevitably always passed on to the consumer.
As a government, we should encourage the next generation of Canadian entrepreneurs who are innovating.
I will mention, as a sidebar, that I was formerly on the industry committee and we did a quantum computing study, which was, frankly, terrifying. It was about how Canada could be exposed to bad actors, which could affect every part of our online lives. As these technological advances develop, we have to be aware of risks and be able to stay ahead of technology.
These enterprises, businesses and telecommunications providers do not need more red tape; they need a stable market without uncompetitive government interference. We know very well how easy it can be for the government to build regulations that only the largest providers of an industry can shoulder. Without attention to scale, a single fault of noncompliance could instantly wipe out a smaller company. The legislation would allow ministers and bureaucrats to levy fines as high as $15 million without special consideration, such as the size of a company's user base.
Nonspecific details like that are music to the ears of our largest telecommunications providers. Monopolization of our telecommunications sector is something Canadians are already concerned about. We must always proceed cautiously, so as not to turn away innovation and new businesses entering the market, which creates healthy competition. For example, these fines could also be enacted under the vague term of “protecting a critical cyber system”. This vague terminology can leave a lot of leeway for government ministers to injure Canadian businesses with rampant fines.
There is already a shortage of online and electronic security professionals in Canada. According to the Business Council of Canada, an estimated 25,000 personnel are needed in the cybersecurity industry. Instead of dissuading these crucial professionals from joining this industry and helping keep Canada safe from domestic and foreign cyber-threats, let us provide a better framework and encourage them to build new businesses in this essential industry. Let us not scare them off with red tape and penalties.
As members can see, the legislation proposed for Bill C-26 has some significant concerns that require amendments at committee. Regulations being made with a lack of transparency behind closed doors, after the bill passes, is a concern. Conservatives will be looking to make amendments to the bill at committee as we hear from experts.
As I mentioned earlier, my Conservative colleagues and I encourage and support new, updated and secure cybersecurity measures being put in place, especially as more and more Canadians move their lives online. However, by placing more and more red tape on small and start-up businesses and providers that have already been in the industry for years, the bill would effectively dissuade businesses from entering this market and providing more services for Canadians. Large and mature businesses can handle the related costs of Bill C-26, but the associated expenses could crush small businesses.
I have worked, for much of my career, around various regulated industries and have seen, all too often, red tape and regulations making it too hard for small businesses to even start or to stay afloat without being acquired by larger firms, as small companies just cannot keep up with the regulatory compliance.
Cybersecurity threats affect all our communities. In January, an international ransomware group claimed responsibility for an Okanagan College cyber-attack in my region. Let us keep Canada safe by building clear online security measures that would encourage start-up professionals and businesses to help build up our cybersecurity infrastructure to a world-class standard. We will not accomplish this goal if we continue to add burdensome fines, penalties and red tape.
1363 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I appreciate my colleague's comments, particularly about not wanting to add more bureaucracy and more red tape to small and medium-sized enterprises, especially small start-ups. I am looking at a study from the public safety committee about Canada's security posture in relation to Russia. I will just read one of the committee's recommendations. Recommendation number 4 states:
That the Government of Canada instruct the Communications Security Establishment to broaden the tools used to educate small- and medium-sized enterprises about the need to adopt cyber security standards.
Therefore, it is about making education tools available versus adding more red tape. I would like my colleague's comments on that.
116 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, the short answer is that I agree. The longer answer is that I agree with the comment the member made earlier with respect to modernization. We need to modernize our view on security. The world changed dramatically a year and a half ago, and it continues to change. We need to be adept and agile, and quite frankly, willing to put the resources where they are needed for the future.
72 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is always an honour and a privilege to rise in this place, and it is nice to join the debate on the topic at hand.
When we talk about cybersecurity, there are so many different factors that go into it. I recognize that the bill before us largely has to do with telecommunications companies, bigger companies, and perhaps with government institutions as a whole. However, as we are having this conversation, we need to recognize and address the fact that the risk presented through cybersecurity extends much beyond that. With the current generation of kids being raised, kids are heavily involved in using cellphones, video game systems and computer consoles, for example, and are curious by nature. They are more at risk of clicking on a link that they do not know or realize is harmful. We know that is quite often how a lot of bad actors exploit weaknesses in computer systems in businesses or in homes. It is important to have that context out there early as we start the debate on this bill.
I want to get into a few specific parts of the bill at the start. First, it proposes to amend the Telecommunications Act to make sure the security of our Canadian telecommunications system is an official objective of our public policy, which is not a bad idea in and of itself. Second, it would create a new critical cyber systems protection act. The stated goal is to have a framework in place that would allow for better protection of critical cyber-services and cyber systems, which impact national security and public safety.
Some of the proposals include the designation of services or systems deemed to be “vital” for the purposes of this new act, along with designating classes of operators for these services or systems. The designated operators in question could be required to perform certain duties or activities, including the implementation of security programs, the mitigation of risks, reporting security incidents and complying with cybersecurity directions. Most significantly, Bill C-26 would authorize the enforcement of these measures through financial penalties or even imprisonment.
Anybody hearing these few examples listed in the preamble probably thinks this sounds like common sense, and I would generally agree with them. However, there is a problem, especially with the last one, which has to do with directions, because it is quite vague. These points should raise some obvious questions. How are we defining each of them? What are the limits and the accountability for using these new powers? It is fair to have these general concerns when we consider any government, but Canadians have reason to be especially wary with the one currently in power based on the Liberal record itself.
Unfortunately, the most recent and disturbing revelations related to foreign interference in two federal elections, which allegedly included working with an elected official, are not the only things we need to talk about. Here is another example. For a number of years, the Conservatives were demanding that the Liberals ban Huawei from our cellular networks. Despite all the warnings and security concerns, they delayed the decision and left us out of step with our closest partners in the Five Eyes. We had been calling it out for years before they finally decided to make the right decision thanks to pressure from Canadians, experts, our allies and the official opposition.
It was not very long ago, almost a year, when the announcement to ban Huawei came along. As much as it was the right decision, it should have been made much sooner. To say that is not a complaint about some missed opportunity in the past. The delay caused real problems with upfront costs for our telcos, and it created extra uncertainty for consumers.
Prior to becoming a member of Parliament, I worked for a telecommunications company in Saskatchewan. When we look at how big and vast our country is, we start thinking about how much equipment is required for one single telecommunications provider in one province, like SaskTel, the company I worked for. We can think about how much equipment it would have ordered or pre-ordered and potentially would have had to replace based on the government taking so long to make up its mind on whether or not to ban Huawei. If we look at some of the bigger companies out there, it is the same thing. There are the upfront costs they would have had to incur, and then the new costs if they had to replace all their equipment on top of that. This was simply because the government dragged its feet on such a big decision.
We have learned a lot of other things about foreign interference since then that need to be properly addressed and independently investigated. We need a public inquiry, at the very least, into some of these issues. However, once again, the Liberals are refusing to do the right thing for as long as they possibly can. It is clearer than ever before that we need to get a lot more serious about our cybersecurity, because what we are really talking about is our national security as a whole. These two things are closely intertwined, and having this conversation is long overdue.
We are happy to see the issue get more of the attention it deserves. Canadians have a lot of questions and concerns about it that should not be ignored. That is why it is a priority for Conservatives on our side of the House, and we are not going to let it go.
While we work to carefully review Bill C-26 in this place, we want to make sure that it will be effective and accomplish what it is supposed to do. It needs to protect Canadians living in a digital world. At the same time, it should not create any new openings for government to interfere with people's lives or abuse power.
After all, we are waiting for Bill C-11 to return to the House with all the problems it has, including the risk of online censorship. The problem is that whether it is about Huawei or the latest scandal about foreign interference, the Liberal government has failed to act, and it has undermined trust in our institutions. Therefore, it is hard to take it seriously when a bill like this one comes forward. The government's failure in this area is even more frustrating because we should all agree that there is a real need to strengthen cybersecurity. That is what experts and stakeholders have been telling us over many years. Canadians have had to wait for far too long for the government to bring something forward.
Make no mistake: This bill is flawed, and it will require more work to make sure that we get it right. However, the fact that we are talking about the issue right now is a small and necessary step in the right direction.
There are a few points I would like to mention.
Part 1 of this bill will allow the federal government to compel service providers to remove all products provided by a specified person from its networks or facilities. First of all, that puts a lot of companies at risk of having adversarial agreements signed in the future. If I were a company trying to sign an agreement, I would be doing everything I could to make sure that someone is not going to put a clause in there that if the government forces its removal, there is going to be an extra fine levied on the company. The problem with this bill is that it exposes companies to having these bad contracts negotiated, signed and forced on them by bad actors.
Under the new critical cyber systems protection act, the minister would be able to direct and impose any number of things on a service provider without giving them compensation for complying with the orders. Earlier, I was talking about the upfront costs paid by telcos trying to advance their networks to provide the products and services that their clients and customers want and need, especially as the world moves forward in a more digital fashion. The government is going to force them to do something without any compensation or without the ability to have help dealing with these changes. I think this is something that needs to be reconsidered in this bill.
That leaves service providers in a position where they have to pay for complying with potentially arbitrary orders or face legal penalties, such as the ones I mentioned earlier: fines or even imprisonment.
Again, we do have a desperate need to improve our cybersecurity regime, but these problems show that the bill is poorly written. By seeking to implement personal liability for breaches of the act, it will incentivize skilled Canadian cybersecurity professionals to leave Canada to find jobs elsewhere. This phenomenon, commonly known as the brain drain, is emerging as a severe issue for our economy, in some part thanks to the policies of the government.
Thousands of skilled, highly employable Canadians move to the United States thanks to the larger market, higher salaries and lower taxes, while very few Americans move to Canada to do the same. This issue is bigger than just the cybersecurity sector. Thanks to this government, we are losing nurses, doctors and tech workers to the United States. All the while, professionals who immigrate to Canada are being denied the paperwork they need to work in the field they are trained for because of the ridiculous red tape that plagues our immigration. Given that we are already short 25,000 cybersecurity professionals in Canada, is it wise to keep incentivizing them to go to the States?
Another massive problem with this bill is that it opens the door for some extreme violations of individual privacy. It also expands the state's power to use a secret government order to bar individuals or companies from accessing essential services. While we must improve our framework against cybersecurity attacks, drastically expanding what cabinet can do outside the public eye is always a bad idea. Accountability to the people and Parliament has always been an essential part of how we are supposed to do things in Canada. It is, however, not surprising that the current government would advocate for more unaccountable power. After all, government members have been anything but transparent. They have hidden information from Canadians to protect their partisan interests.
Canadians deserve to know what the government is doing. We must always uphold the principle that everyone is innocent until proven guilty. Giving cabinet the right to secretly cut Canadians off from essential services could threaten to erode this fundamental right.
1793 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
