44th Parl. 1st Sess.
December 1, 2022 10:00AM
Mr. Speaker, I thank the Minister of Public Safety for his speech.
I have a question about the impact of this bill on Crown corporations that are considered to be critical infrastructure companies. What impact will this bill have on Crown corporations?
What are the impacts of this bill on provincial Crown corporations?
I am referring to Hydro-Québec and Manitoba Hydro, for example. What impact will this bill have on Crown corporations?
75 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I would like to thank my colleague for her very important question.
The goal of Bill C-21 is to build a bridge, a collaborative effort between the government, critical infrastructure sectors and the private sector. We developed an approach that includes excellent lines of communication in order to effectively identify the cyber-threats to critical infrastructure that might jeopardize national security and the economy.
In answer to my colleague’s question, we will work with all federal regulators to create a system to protect all critical infrastructure sectors against all cyber-threats.
96 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, with all due respect for my colleague, I would like to point out that the government is always vigilant when it comes to any type of threat, including cyber-threats.
For example, in 2018, we created the national cyber security strategy. That is what I was talking about in my speech. The pillars of this strategy, which is used to respond to all risks, include resilient security systems, an innovative cyber ecosystem and Canadian leadership here and around the world.
We have taken concrete action to protect against the risks posed by certain actors that are not aligned with Canadian interests. We are now prepared to take the next step by introducing this bill to better protect our critical infrastructure. This excellent and effective measure will be implemented in collaboration with all federal regulators and the private sector.
140 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I am enjoying this Manitoba debate. There are a couple of things I would say.
The government, in the last budget of 2021-22, announced about $700 million for cybersecurity. It seems that it is all going to the Communications Security Establishment, which, as I mentioned in my speech, is the government's sort of cybersecurity agency under the Minister of National Defence. It is great. We do need more resources at the government level for CSE. However, I asked the minister if any of that funding was being provided for our small and medium-sized enterprises so they could boost their cybersecurity. The minister never did get a response to my email.
Again, when we are looking at small companies, it is easy for Telus, big banks and others to afford some of these things. However, if we are looking at small telecom providers, like a small Internet provider in northern B.C., the cost to meet the red tape in the bill might put them out of business. Why not take a little of that funding the government has announced and provide it to our SMEs to help them get to the level we need them to be to protect our critical infrastructure? Perhaps we can get a bit creative and look at our tax system to see if there is some sort of capital expense tax write-off or something we can provide our SMEs to help them get there, because we really need to, as I made the case in my remarks, as I am sure others will as well.
I have not heard a response to that. The government is spending the money anyway. It is spending more money than any government in history. Why not provide a little of that to our SMEs to ensure that critical infrastructure is up to par?
310 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, 85% of Canada's critical infrastructure is owned by the private sector, provinces and non-governmental agencies.
Does my colleague think Bill C-26 will help standardize cybersecurity practices to better protect systems and services pertinent to Canada's cybersecurity?
42 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, as the member highlights, when we talk about infrastructure, the whole digital economy and what government does, it would be negligent not to recognize the significance of the private sector and how the private sector feeds into it. In fact, it is a major player of 80% plus. That is why, when we talk about the government's role, ensuring that the national infrastructure is safeguarded against cyber-threats is of the utmost importance. That is the essence of the legislation, along with ensuring that Canadians', business's and governments' interests are well served.
96 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I say good morning to all of my hon. colleagues, and I thank the hon. member for Davenport for her insightful discussion of this bill.
I am thankful for the opportunity to weigh in on Bill C-26, an act respecting cybersecurity, as we continue debate at second reading. Bill C-26 will take great strides to enhance the safety of our cyber systems and will make changes to allow for measures to be taken within our telecommunications system.
There are two parts to this act. Part 1 amends the Telecommunications Act to “promote the security of the Canadian telecommunications system” as a policy objective. An order-making power tied to that objective would be created for the Governor In Council, or GIC, and the Minister of Industry. That power could be used to compel action by Canadian telecommunications service providers if deemed necessary. With these authorities, the government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.
The bill would enable action against a range of vulnerabilities to these critical systems, including natural disasters and human error. The Department of Innovation, Science and Economic Development would exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry. Once amendments to the Telecommunications Act receive royal assent, GIC or ministerial orders could be issued to service providers.
Part 2 of the act would create the critical cyber systems protection act, or the CCSPA. The CCSPA would be implemented collaboratively by six departments and agencies: the departments of Public Safety; Innovation, Science and Economic Development; Transport; Natural Resources; and Finance, as well as the Communications Security Establishment. They will all play a key role. Indeed, across the Government of Canada, there is a recognition that cybersecurity is a horizontal issue, and it should be addressed through a streamlined government response across sectors, all rowing in the same direction.
Schedule 1 of the act would designate services and systems that are vital to the national security or public safety of Canadians. Currently, schedule 1 includes telecommunications service and transportation systems. It also includes, in the finance sector, banking systems and clearing and settlement systems, and, in the energy sector, interprovincial or international pipeline and power line systems and nuclear energy systems.
Schedule 2 of the act would define classes of operators of the vital services and systems identified in schedule 1, as well as the regulator responsible for those classes. Operators captured in a class are designated operators subject to the act.
In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister of Public Safety would have overall responsibility for the legislation and would lead a number of CCSPA-related processes.
Decision-making by GIC under the CCSPA would ensure that a broad range of relevant factors, including national security, economic priorities, trade, competitiveness and international agreements and commitments, are considered when making decisions that have an impact across sectors. The CCSPA would also leverage regulators' expertise and relationships with entities they already regulate under existing legislation.
The Canadian centre for cybersecurity, or the cyber centre, is responsible for technical cybersecurity advice and guidance within Canada, and that would be no different under the CCSPA. It would receive resources to provide advice, guidance and services to designated operators in order to help them protect their critical cyber systems; regulators in support of their duties and functions to monitor and assess compliance; and public safety and lead departments and their ministers, as required, to support them in exercising their powers and duties under the act.
The CCSPA would require designated operators to establish a cybersecurity program that documents how the protection and resilience of their critical cyber systems will be ensured. CSPs must be established by designated operators within 90 days of them becoming subject to the act, that is, when they fall into a class of designated operators published in schedule 2 of the act.
Once established, the CSP must be implemented and maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology. CSPs must include reasonable steps to identify and manage organizational cybersecurity risks, including risks associated with an operator's supply chain, and the use of third party products and services. They must also protect their critical cyber systems from compromise, detect cybersecurity incidents that affect or have the potential to affect CCS and minimize the impact of cybersecurity incidents affecting critical cyber systems.
This legislation would also help confront supply chain issues. With the increasing complexity of supply chains and increased reliance on the use of third party products and services, such as cloud-based data storage and infrastructure as a service, designated operators can be exposed to significant cybersecurity risks from those sources.
When a designated operator, through its CSP, identifies a cybersecurity risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA would require the designated operator to take reasonable steps to mitigate those risks. Taking reasonable steps to mitigate risk is understood to mean reducing the likelihood of the risk materializing by, for example, securing a supply chain by carefully crafting contractual agreements to gain more visibility into equipment manufacturing, or by choosing another equipment supplier. It can also mean reducing the impact of a risk that materializes.
Under the CCSPA, there would also be a new obligation to report cybersecurity incidents affecting or having the potential to affect critical cyber systems to the Communications Security Establishment, for use by the cyber centre. A threshold defining this reporting obligation would be set in regulations. This would provide the government with a reliable source of information about cybersecurity threats to critical cyber systems. The availability of incident reports would enhance visibility into the overall threat for the cyber centre. Findings from the analyses of incident reports would make it possible for the centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and it would help to inform Canadians of cybersecurity risks and trends, allowing one organization's detection to become another's prevention.
The CCSPA would also create a new authority for the government. Under the act, the Governor in Council would be allowed to issue cybersecurity directions when it decides that specific measures should be taken to protect a critical cyber system from a threat or known vulnerability. Directions would apply to specific designated operators or to certain classes of designated operators. They would require those designated operators to take the measures identified and to do so within a specific time frame. Failure to comply with directions could be subject to an administrative monetary penalty or an offence that can lead to fines or imprisonment. The CCSPA would also includes safeguards to ensure that sensitive information, such as information that was obtained in confidence from Canada's international allies, is protected from disclosure.
All of this provides an overview of strong new legislation, which I hope I have adequately described in two distinct parts. I look forward to our continued debate of this landmark bill, and I encourage all colleagues to join me in supporting Bill C-26 today.
1236 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the bill before us seeks to reinforce our security systems and may affect critical infrastructure in Quebec such as Hydro-Québec. I always think about the Conservatives and their famous great energy corridor. That is the type of project in which the federal government could appropriate provincial responsibilities and critical infrastructure in the name of national security. This sets off major alarm bells in my mind.
Can the member reassure me about the Conservatives' intentions? Can he assure me that if they come to power some day, they would not misuse legislation like this piece of legislation?
101 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, yes, that is a concern.
It was mentioned by the University of Toronto professor I cited earlier and certain groups that seek to protect individual freedoms. This bill may give too much power to the minister. We will have to properly study it in committee.
We must bear in mind that this bill seeks to secure and protect Canada's critical infrastructure. I believe that the government is acting in good faith. It is prepared to authorize the circulation of some information so we can help one another and safeguard businesses from potential cyber-attacks. I believe it is a good objective. We will have to ensure that there is nothing sinister about wanting more information.
118 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank my colleague for her excellent speech. Her understanding of all these things is much greater than mine.
The member talked about interference and disrupting essential infrastructure, of course, as well as cyber-attacks from other countries or even individuals. My colleague also shared what experts told the committee. To hear them tell it, Canada's security system is a long way from being secure.
I would like my colleague to comment on that.
77 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I am not really sure how we get these types of critical remarks coming from the opposite side of the House given that in my speech I gave very tangible examples of two agencies that have been set up and some pretty significant investments that have been made since 2018. The $4.8 billion for cybersecurity is no small amount. We are making investments and setting up the systems and tools.
I have been briefed, as a member of the procedure and House affairs committee, on our House of Commons cyber-infrastructure and cybersecurity. Although those briefings were in camera, I know full well that very strong and resilient systems have been set up to identify and neutralize threats ahead of time to ensure our critical infrastructure in the House of Commons is protected. I think that extends right across Canada with the work that our government has been doing.
152 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I know that the Huawei case has been studied extensively with the involvement of our security agencies. I would like to think that the government and security agencies have learned a great deal. They have learned lessons that they can apply in the future to better protect Canadian businesses and critical infrastructure.
In terms of catching up, yes, technology moves so fast that often governments and society have to react, but it is better to react than to do nothing.
82 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
