SoVote

Decentralized Democracy

House Hansard - 139

44th Parl. 1st Sess.
December 1, 2022 10:00AM
  • Dec/1/22 12:05:41 p.m.
  • Re: Bill C-26 
Mr. Speaker, at the very least there has to be some kind of accounting for and public disclosure of the number of orders the government is making under these new powers. That is just one example, a very minimum reporting threshold. The idea that any number of these orders could be made and Canadians would not even know they have been made or how many have been made is not acceptable. There has to be some reporting of the extent to which these powers are used, or there will be no factual basis upon which to evaluate whether the powers have been appropriate or adequate, or whether they need to change in the future.
  • Dec/1/22 12:06:37 p.m.
  • Re: Bill C-26 
Mr. Speaker, I am pleased to speak today to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. It is really important to acknowledge that we are severely behind with regard to our protections in this matter. I am going to quote from myself, from when I once engaged the government and asked them this. “I am very concerned that we are not doing enough in Canada to protect the digital privacy of Canadians and am calling on the government to develop stronger frameworks and guidelines to improve cyber security in Canada. These are critical issues that must be addressed”. They must be addressed for the benefit of Canada, as our economy and commerce are currently under threat, as is our personal privacy. When did I do that? That was in 2016. From 2016 to today, with the digital changes we have had, is a lifetime of change. I got a response from the government at that time, basically saying it would refer matters and let them play themselves out in court. One of the most famous cases that came forward at the time involved the University of Calgary, which had reportedly paid $20,000 in compensation to a group of organizations we do not know to protect the breach they had. What has taken place over several different cases and also in our current laws has shown that it is okay to pay out crime and it is okay to pay out these types of requests for extortion and not even refer that matter back to the people whose privacy has been breached. We do not even have to report it as a crime to law enforcement agencies. It is very disturbing, to say the least. Getting this legislation is something, but it is still a long way off. As New Democrats, we recognize very much that there needs to be balance in this. This is why I also wrote at that time to the then privacy commissioner of Canada, Jennifer Stoddart, about the cyber-attacks and data breaches.
There is concern about the amount of data and one's rights and one's protections and the knowledge one should have as an individual in a democracy. I do not think it is a conspiracy theory to have those kinds of concerns. I would point to a simple famous case. As New Democrats are well aware, and I think other Canadians are as well, our number one Canadian champion of health care, Tommy Douglas, was spied upon by his own RCMP at that same time. That was in relation to bringing in Medicare. This is very well documented. We still do not have all the records. We still do not have all the information, and it is a very famous case. Bringing in our number one treasured jewel, health care, led to a case where our own system was spying on an elected representative who was actually declared Canada's greatest Canadian by the public. We do not want to forget about those things because, when we are introducing laws like this, there is a real concern about one's ability to protect oneself and one's privacy, as well as the expansive conditions that are going to change, often with regard to personal privacy. What also took place after that was that I was very pleased, in 2020, to put a motion forward at the House of Commons industry committee, where we studied, for the first time in Canadian history, fraud calls in Canada. There are a lot of cyber-attacks through this type of operating system, and we need to remind ourselves that using this type of system, being our Internet service providers and the telecoms sector, is something that is done by giving up the public infrastructure and a regulated system of industry. We have built a beast, in many ways, that has a low degree of accountability, and we are finally getting some of that restored. There are also some new programs coming in, like STIR/SHAKEN and other types of reporting that is required. I want to point out that since we have done that, we have another report that will be tabled, or at least a letter. 
We have not decided yet, and there is still work going on, but we have had a couple more meetings in the industry committee about it and we have really heard lots of testimony that showed that there is more work that can and should be done. A good example from the previous report that we did was recommendation number five, which went through sharing information between the RCMP and the CRTC. We have not seen the government act on it. It is important to note that with this bill there has been a lot of talk about the types of things we can do internationally, as well. One of the things I would point out that I have been very vocal on, because I have had Ukrainian interns in my office for a number of years, is that we could use a lot of our leverage in terms of cybersecurity and training to help them to deal with the Russian hacking and other nefarious international players. That would not only help Ukraine right now in the war with Russia. It would also help with the other activity that comes out of this subsequently, which would help the world economies by having trained, solid professionals who are able to use their expertise and battle this with regard to the current state of affairs and also the future. This would be helpful, not only for the Ukrainian population but also for the European Union, Canada, North America and others, who will continue to battle more complex artificial intelligence and other cyber-attacks that take place. One of the things I want to note is that in the bill, a proposed new section 15.2 of the act would give the Minister of Industry and the Minister of Public Safety the authority to make several types of orders. It relates to guiding TSPs to stop providing services if necessary. This is a strong power that we are pleased to see in this type of legislation. 
What we are really concerned about, as the member for Elmwood—Transcona noted, is that there is no general oversight of the type that we would normally see on other types of legislation. Scrutiny of regulations was the one referred to. For those who are not familiar with the back halls and dark corners of Parliament, there is a committee that I was one of the vice-chairs of at one point in time. The scrutiny of regulations committee oversees all legislation passed in the House of Commons and ensures that the bureaucratic and governmental arms, including that of ministers, whatever political colour they will be of at that time, follow through with the laws of the legislation that is passed. Making this bill not have to go through that type of a process is wrong. I would actually say it is reckless, because the committee has to do a lot of work just to get regulatory things followed on a regular basis. It can be quite a long period, but there is that check and balance that takes place, and it is a joint Senate and House of Commons committee. It is unfortunate that the legislation tries to leave that out. The legislation also does not have the requirement to gazette information in terms of making it public for the different types of institutions. That is an issue, and it also has a lot of holes when it comes to information that can be withheld and shared. Why is that important with regard to confidence in the bill? It all comes down to the fact that many of the institutions at risk of being targeted involve not only the private sector, where we have seen not only abuse of customers themselves, or businesses with lax policies that do not protect privacy very well, but also others that have used abusive techniques and processes. Even right now, it is amazing when we think about the information in the process that is going on in the United States. The U.S. Senate is going to oversee the issue with regard to Taylor Swift tickets and Ticketmaster again. 
That is another one that has had a nefarious past with regard to privacy, information and how it runs its business. People can go back to look at that one, with Live Nation and so forth. At any rate, the U.S. is also involved in this. I raised those things because it also comes from the soft things like that, which are very serious with respect to credit cards and to people's personal information that is shared. However, across the world and in Canada we also have municipal infrastructure and government institutions that are constantly under attack. That is very important, because it is not just the external elements with regard to consumer protection and business losses, which are quite significant and into the billions of dollars. It is also everything from water treatment facilities to health care facilities in terms of hospitals and utilities for power and hydro. All those elements can be used as targets to undermine a civilian population as well, and one of the things we would like to see is more accountability when it comes to those elements. There is definitely more to do. One of the things I do not quite understand, and which I am pleased to see the government at least bring to committee, is what we could do to educate the population. Our first intervention on this bill as New Democrats was several years ago, and it is sad that it is just coming to fruition now.
  • Dec/1/22 12:16:36 p.m.
  • Re: Bill C-26 
Madam Speaker, I am a little concerned with some of the elements in Bill C-26 that seem overly broad. They give the government powers to secretly order providers to do things or refrain from doing things, without any transparency. Does the member share my concern?
  • Dec/1/22 12:16:55 p.m.
  • Re: Bill C-26 
Madam Speaker, I do. For us to get fully engaged in this, we want full accountability, clarity and a playbook so everybody understands the rules. We want to deal with some of the stuff and provide some leverage for law enforcement and investigations to take place, but there has to be a set of rules and that needs to be backstopped by parliamentary oversight. Where it stands right now, it is not backstopped by parliamentary oversight.
  • Dec/1/22 12:17:28 p.m.
  • Re: Bill C-26 
Madam Speaker, I would like to follow up on that question. When the minister is called upon to instruct a provider to take a specific action, that would often be required because something has happened in the environment. If the minister does not have that authority, then the opposition might be somewhat critical of the minister not taking action. I wonder if the member feels that it is necessary in the legislation, or does he believe we should have it, but we need to amend it in some fashion to ensure it is not abused. Is that what I am hearing from the member?
  • Dec/1/22 12:18:18 p.m.
  • Re: Bill C-26 
Madam Speaker, absolutely, but if we are going to give some flexibility in power for the minister to act, it has to be responsibly met with oversight, and that has to be heavy oversight. That will provide the confidence. That is why I wrote to the Privacy Commissioner right after I challenged the government back in 2016 to act on this. We have seen how long it has taken for it to act on this now, so we need to have that confidence. It is a two-way street. If we have the confidence of privacy and protection for people, with oversight, then I think people will be more willing to accept that there could be some changes with respect to how investigations take place.
  • Dec/1/22 12:19:08 p.m.
  • Re: Bill C-26 
Madam Speaker, a group of organizations, including the Canadian Civil Liberties Association, OpenMedia and Leadnow, have written an open letter calling for improvements to Bill C-26. One of the items they call out is that secrecy undermines accountability and due process. The member for Windsor West spoke a bit about this in his speech. Could he share more about the suggested improvements that would ensure better public reporting as part of Bill C-26?
  • Dec/1/22 12:19:39 p.m.
  • Re: Bill C-26 
Madam Speaker, I have a book that we use for privacy protection and it is available to everybody. It was written by Kevin Cosgrove. It is a playbook for people on how to protect themselves and their families from a whole bunch of different issues, whether it be WiFi, online banking, shopping, social media, a whole series of things. The reason I use that as a specific example is that a ton of education has to be done. That has to be done for this bill as well. There needs to be a defined playbook of accountability, like going to the Standing Joint Committee for the Scrutiny of Regulations and ensuring there is oversight for the minister. All those things have to be really enhanced to build the confidence so we all buy into this.
  • Dec/1/22 12:20:23 p.m.
  • Re: Bill C-26 
Madam Speaker, I want to thank the member for Windsor West for all his hard work on this. Definitely, when it comes to protecting Canadians, he is the right person to do it. I wonder if he would expand on clause 15.2 with respect to no general oversight and what the risk is to Canadians if that is not in place.
  • Dec/1/22 12:20:44 p.m.
  • Re: Bill C-26 
Madam Speaker, it has been fun to work with my colleague on some of these issues. We need a lot of public education related to this going forward. That section again is just too weak. It provides too many holes. There should be a way to get back to a process of ensuring the minister is held to account. That is one of the things where we are looking to expand powers, but, again, we really need a lot more public education with respect to cybersecurity. I know it is one of those issues that when we hear it, our eyes fog up, or they roll back in our heads and we think it is just too complicated for us, that there is always something happening, but we really need to engage Canadians on this. That includes engaging the government to ensure it understands that it has to teach residents about the bill and its repercussions as it goes forward.
  • Dec/1/22 12:21:40 p.m.
  • Re: Bill C-26 
Madam Speaker, I will be sharing my time with the hon. member for Vaughan—Woodbridge. It is a true privilege for me to add my voice to the debate on Bill C-26, an act respecting cybersecurity, on behalf of the residents of my riding of Davenport, many of whom have written to me through the years about their concern around cybersecurity and the need for additional protections at all levels of government. This bill represents the latest step in the government's constant work to ensure our systems, rules and regulations are strong and as up-to-date as possible. That is especially important when dealing with a topic as fluid and rapidly evolving as cyber-technology. We have known for quite some time we would need to be constantly vigilant on this issue. In 2013, the government established the security review program operated by the Communications Security Establishment. In 2016, we conducted public consultations on cybersecurity. In 2018, we released the national cybersecurity strategy. In 2019, we allocated $144.9 million through budget 2019 to develop a critical cyber systems framework. In 2021, we completed an interdepartmental 5G security examination, which recommended an updated security framework to safeguard Canada's telecommunications system. A cornerstone of the updated framework is an evolution of the security review program. It would allow for continued engagement with Canadian telecommunications service providers and equipment suppliers to ensure the security of Canadian telecommunications networks, including 5G. As a result of this multi-year work, to address these identified concerns and improve Canada's cybersecurity posture, including in 5G technology, we introduced Bill C-26. The bill is intended to promote cybersecurity across four federally regulated critical infrastructure sectors: finance, telecommunications, energy and transportation. Bill C-26 consists of two very distinct parts. 
Part 1 introduces amendments to the Telecommunications Act that would add security as a policy objective and create a framework that would allow the federal government to take measures to secure the telecommunications system. Part 2 introduces the critical cyber systems protection act, which would create a regulatory regime requiring designated operators in the finance, telecommunications, energy and transportation sectors to protect their critical cyber systems. As I mentioned, 5G has the potential to be a transformative technology for Canadians. It promises to bring lightning-fast Internet speeds that are unlike anything we have experienced so far. The benefits of instant and real-time connectivity will be immediate and far-reaching for Canadians and Canadian businesses. The COVID-19 global pandemic has underlined the importance of this connectivity, whether it is for virtual classrooms, work from home or keeping in touch with loved ones, but we need to be absolutely sure this technology is safe and secure as the technology is rolled out in Canada. Canada already has a system in place to mitigate cybersecurity risks in our existing 3G and 4G LTE wireless telecommunications network. Since 2013, the Communications Security Establishment's security review program has helped mitigate risks stemming from designated equipment and services under consideration for use in Canadian 3G, 4G LTE telecommunications networks from cyber-threats. Like previous generations, 5G technology will have new risks and vulnerabilities that will need to be addressed so Canadians can realize its full potential. 5G is considered more sensitive than 4G because it will be deeply integrated into Canada's critical infrastructure and economy, and will connect many more devices through a complex architecture. The deep integration, greater interconnection and complexity increase both the likelihood and potential impact of threats. 
That is why an examination of emerging 5G technology and the associated security and economic considerations continues to be very important. The technical agencies of the Government of Canada, within the Department of Innovation, Science and Economic Development, and the safety and security agencies that fall within the Public Safety portfolio, Global Affairs Canada, National Defence and others, are all involved in the federal government's efforts to develop a made-in-Canada approach to ensuring the secure rollout of 5G wireless technology. Moving this bill forward will further that vital work. In the meantime, our world-class national security and intelligence agencies continue to protect our country from a wide range of threats. As we know, those threats include a growing number of targeted attacks from state and non-state actors, including cybercriminals. Canada's two main national security organizations, CSIS and CSE, which is short for Communications Security Establishment, are working tirelessly to mitigate these threats. CSIS provides analysis to assist the federal government in understanding cyber-threats and the intentions and capabilities of cyber actors operating in Canada and abroad who pose a threat to our security. This intelligence helps the government to improve its overall situational awareness, better identify cyber vulnerabilities, prevent cyber espionage or other cyber-threat activity and take action to secure critical infrastructure. For its part, the CSE is always monitoring for threats that may be directed against Canada and Canadians. The CSE is home to the Canadian centre for cybersecurity, which was established as a flagship initiative of the 2018 national cybersecurity strategy. With the cyber centre, Canadians have a clear and trusted place to turn to for cybersecurity issues. 
It is Canada's authority on technical and operational cybersecurity issues, a single, unified source of expert advice, guidance, services and support for the federal government, critical infrastructure for owners and operations, the private sector and the Canadian public. It helps to protect and defend Canada's valuable cyber assets and works side by side with the private and public sectors to solve Canada's most complex cyber issues. For example, the cyber centre has partnered with the Canadian Internet Registration Authority on the CIRA Canadian Shield. The shield is a free protected DNS service that prevents users from connecting to malicious websites that might infect their devices or steal personal information. With the passage of the National Security Act in 2019, Canada's national security and intelligence laws have been modernized and enhanced. As a result, CSIS and the Communications Security Establishment now have authorities they need to address emerging national security threats, while ensuring that the charter rights of Canadians are protected. These updates are in line with CSIS's mandate of collecting and analyzing threat-related information concerning the security of Canada in areas including terrorism, espionage, weapons of mass destruction, cybersecurity and critical infrastructure protection. The passage of the National Security Act also established stand-alone legislation for the CSE for the first time ever. With the Communications Security Establishment Act, the CSE retained its previous authorities and received permission to perform additional activities. For example, the CSE is now permitted to use more advanced methods and techniques to gather intelligence from foreign targets. 
Under the CSE Act, CSE is mandated to degrade, disrupt, influence, respond to and interfere with the capabilities of those who aspire to exploit our systems and to take action online to defend Canadian networks and proactively stop cyber-threats before they reach our systems. It is also permitted to assist DND and the Canadian Armed Forces with cyber operations. As Canada's national police force, the RCMP also plays a very important cybersecurity role. It leads the investigative response to suspected criminal cyber incidents, including those related to national security. Cybercrime investigations are complex and technical in nature. They require specialized investigative skills and a coordinated effort. That is why, as part of Canada's 2018 national cybersecurity strategy and as a second flagship initiative, the RCMP has established the national cybercrime coordination centre, or NC3. The NC3 has been up and running for over a year now. It serves all Canadian law enforcement agencies, and its staff includes RCMP officers and civilians from many backgrounds. Working with law enforcement agencies, government and private sector partners, the NC3 performs a number of roles, including coordinating cybercrime investigations in Canada. All of this is backed up by significant new investments in the two most recent budgets. In budget 2019, we provided $144.9 million to support the protection of critical cyber systems and we later invested almost $400 million in creating the Canadian centre for cybersecurity, the national cybercrime coordination unit and increased RCMP enforcement capacity. Whether it is nationally or internationally, I have full confidence in the abilities of all those in our national security and intelligence agencies who are working hard day and night to safeguard our cybersecurity and protect us from harm online. I am confident that Bill C-26 will go a long way to continue doing that.
  • Dec/1/22 12:31:43 p.m.
  • Re: Bill C-26 
Madam Speaker, I appreciate the comments from the government member across the way. In the debate today, a number of concerns have been brought forward around some of the ministerial powers included in Bill C-26, as well as the lack of accountability mechanisms. I think we have heard from all parties about the desire to bring forward amendments and improvements at the committee stage. Does the member opposite have a willingness to work with members of the House to ensure that we improve this bill and make sure it achieves the results it intends to?
  • Dec/1/22 12:32:24 p.m.
  • Re: Bill C-26 
Madam Speaker, I think our Minister of Public Safety was very clear this morning. Without question, every time the government takes additional, decisive action and puts additional measures in place, there has to be corresponding transparency and accountability. We absolutely need to make sure there is enough of that in Bill C-26 so we have the confidence not only of the House but of Canadians with regard to having the proper accountability and transparency in place.
  • Dec/1/22 12:33:02 p.m.
  • Re: Bill C-26 
Madam Speaker, I thank my colleague for her speech. This bill still raises some serious concerns. The Bloc Québécois is prepared to support it so that we can examine and improve it in committee. In 2021, in Canada alone, one in four businesses reported being the victim of a cyber-attack. We are the G7 country that has done the least in this regard. We spent $80 million over four years for research and development, which is not much. Canada is lagging behind in that department. Cyber-attacks on businesses can be sudden and unexpected, and not every business has the money to invest in cybersecurity or protection mechanisms. What will this bill actually do to help with and improve cybersecurity?
  • Dec/1/22 12:34:11 p.m.
  • Re: Bill C-26 
Madam Speaker, I want to point out that we have been providing significant investment in critical cyber systems and cybersecurity. We did this in budget 2019 by providing $144.9 million for the protection of our critical cyber systems in the areas of finance, telecommunications, energy and transport. We also invested almost $400 million in the Canadian centre for cybersecurity, in the creation of the national cybercrime coordination unit and to increase our RCMP enforcement capacity. The hon. member did a wonderful job in asking how we are going to make sure we work with the public and private sectors. The Minister of Public Safety was very clear this morning: This legislation is about filling in the gaps and providing a bridge for all of the different actors, both in the private sector and in the public sector, so we can work together to create more resiliency against any cyber-attacks in the future.
  • Dec/1/22 12:35:22 p.m.
  • Re: Bill C-26 
Madam Speaker, I think we all agree that the protection of Canada's cybersecurity needs to be improved. However, as we are hearing from the opposition, there are concerns around the broad powers the minister would have through this bill and concerns about everyday Canadians possibly being surveilled by their own government. We have not heard assurances from the government as to how it will address that to ensure Canadians do not feel they will be victims of government overreach through powers given to the minister.
  • Dec/1/22 12:35:59 p.m.
  • Re: Bill C-26 
Madam Speaker, this question has come up all morning. I think it is a very big concern, not only for the opposition but for this side of the House. We want to make sure we get this right. We must ensure that we have very strong protections against cyber-attacks and have cyber-attack resiliency in this country. We also have to be very transparent about the additional powers and how they will be used.
  • Dec/1/22 12:36:35 p.m.
  • Re: Bill C-26 
Madam Speaker, I say good morning to all of my hon. colleagues, and I thank the hon. member for Davenport for her insightful discussion of this bill. I am thankful for the opportunity to weigh in on Bill C-26, an act respecting cybersecurity, as we continue debate at second reading. Bill C-26 will take great strides to enhance the safety of our cyber systems and will make changes to allow for measures to be taken within our telecommunications system. There are two parts to this act. Part 1 amends the Telecommunications Act to “promote the security of the Canadian telecommunications system” as a policy objective. An order-making power tied to that objective would be created for the Governor in Council, or GIC, and the Minister of Industry. That power could be used to compel action by Canadian telecommunications service providers if deemed necessary. With these authorities, the government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors. The bill would enable action against a range of vulnerabilities to these critical systems, including natural disasters and human error. The Department of Innovation, Science and Economic Development would exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry. Once amendments to the Telecommunications Act receive royal assent, GIC or ministerial orders could be issued to service providers. Part 2 of the act would create the critical cyber systems protection act, or the CCSPA. The CCSPA would be implemented collaboratively by six departments and agencies: the departments of Public Safety; Innovation, Science and Economic Development; Transport; Natural Resources; and Finance, as well as the Communications Security Establishment. They will all play a key role.
Indeed, across the Government of Canada, there is a recognition that cybersecurity is a horizontal issue, and it should be addressed through a streamlined government response across sectors, all rowing in the same direction. Schedule 1 of the act would designate services and systems that are vital to the national security or public safety of Canadians. Currently, schedule 1 includes telecommunications service and transportation systems. It also includes, in the finance sector, banking systems and clearing and settlement systems, and, in the energy sector, interprovincial or international pipeline and power line systems and nuclear energy systems. Schedule 2 of the act would define classes of operators of the vital services and systems identified in schedule 1, as well as the regulator responsible for those classes. Operators captured in a class are designated operators subject to the act. In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister of Public Safety would have overall responsibility for the legislation and would lead a number of CCSPA-related processes. Decision-making by GIC under the CCSPA would ensure that a broad range of relevant factors, including national security, economic priorities, trade, competitiveness and international agreements and commitments, are considered when making decisions that have an impact across sectors. The CCSPA would also leverage regulators' expertise and relationships with entities they already regulate under existing legislation. The Canadian centre for cybersecurity, or the cyber centre, is responsible for technical cybersecurity advice and guidance within Canada, and that would be no different under the CCSPA. 
It would receive resources to provide advice, guidance and services to designated operators in order to help them protect their critical cyber systems; regulators in support of their duties and functions to monitor and assess compliance; and public safety and lead departments and their ministers, as required, to support them in exercising their powers and duties under the act. The CCSPA would require designated operators to establish a cybersecurity program that documents how the protection and resilience of their critical cyber systems will be ensured. CSPs must be established by designated operators within 90 days of them becoming subject to the act, that is, when they fall into a class of designated operators published in schedule 2 of the act. Once established, the CSP must be implemented and maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology. CSPs must include reasonable steps to identify and manage organizational cybersecurity risks, including risks associated with an operator's supply chain, and the use of third party products and services. They must also protect their critical cyber systems from compromise, detect cybersecurity incidents that affect or have the potential to affect CCS and minimize the impact of cybersecurity incidents affecting critical cyber systems. This legislation would also help confront supply chain issues. With the increasing complexity of supply chains and increased reliance on the use of third party products and services, such as cloud-based data storage and infrastructure as a service, designated operators can be exposed to significant cybersecurity risks from those sources. When a designated operator, through its CSP, identifies a cybersecurity risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA would require the designated operator to take reasonable steps to mitigate those risks. 
Taking reasonable steps to mitigate risk is understood to mean reducing the likelihood of the risk materializing by, for example, securing a supply chain by carefully crafting contractual agreements to gain more visibility into equipment manufacturing, or by choosing another equipment supplier. It can also mean reducing the impact of a risk that materializes. Under the CCSPA, there would also be a new obligation to report cybersecurity incidents affecting or having the potential to affect critical cyber systems to the Communications Security Establishment, for use by the cyber centre. A threshold defining this reporting obligation would be set in regulations. This would provide the government with a reliable source of information about cybersecurity threats to critical cyber systems. The availability of incident reports would enhance visibility into the overall threat for the cyber centre. Findings from the analyses of incident reports would make it possible for the centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and it would help to inform Canadians of cybersecurity risks and trends, allowing one organization's detection to become another's prevention. The CCSPA would also create a new authority for the government. Under the act, the Governor in Council would be allowed to issue cybersecurity directions when it decides that specific measures should be taken to protect a critical cyber system from a threat or known vulnerability. Directions would apply to specific designated operators or to certain classes of designated operators. They would require those designated operators to take the measures identified and to do so within a specific time frame. Failure to comply with directions could be subject to an administrative monetary penalty or an offence that can lead to fines or imprisonment. 
The CCSPA would also include safeguards to ensure that sensitive information, such as information that was obtained in confidence from Canada's international allies, is protected from disclosure. All of this provides an overview of strong new legislation, which I hope I have adequately described in two distinct parts. I look forward to our continued debate of this landmark bill, and I encourage all colleagues to join me in supporting Bill C-26 today.
  • Dec/1/22 12:45:16 p.m.
  • Re: Bill C-26 
Madam Speaker, I certainly agree that something needs to be done about cybersecurity in this country, but I am increasingly alarmed when I see that the bills continually coming from the Liberal government say ministers would have all powers to do whatever they want. There is no transparency because there is no public record. Then they say not to worry about what the government is really going to do because the Governor in Council, which is really cabinet, will decide afterward with no parliamentary oversight what will be done. Does the member agree that the government needs to have parliamentary oversight and at least have this subject to the scrutiny of committees?
  • Dec/1/22 12:45:59 p.m.
  • Re: Bill C-26 
Madam Speaker, of course, fundamentally I believe in the oversight of government and ensuring that there are checks and balances. When bills proceed to committee, obviously members within the pertinent committee should bring forth ideas to strengthen them, and that includes Bill C-26. Our main priority as MPs is to bring forth good legislation, to improve it and to protect the security of Canadians, whether it is their cybersecurity or health and safety. Bill C-26 would take us down that path.