44th Parl. 1st Sess.
December 1, 2022 10:00AM
Madam Speaker, I say good morning to all of my hon. colleagues, and I thank the hon. member for Davenport for her insightful discussion of this bill.
I am thankful for the opportunity to weigh in on Bill C-26, an act respecting cybersecurity, as we continue debate at second reading. Bill C-26 will take great strides to enhance the safety of our cyber systems and will make changes to allow for measures to be taken within our telecommunications system.
There are two parts to this act. Part 1 amends the Telecommunications Act to “promote the security of the Canadian telecommunications system” as a policy objective. An order-making power tied to that objective would be created for the Governor In Council, or GIC, and the Minister of Industry. That power could be used to compel action by Canadian telecommunications service providers if deemed necessary. With these authorities, the government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.
The bill would enable action against a range of vulnerabilities to these critical systems, including natural disasters and human error. The Department of Innovation, Science and Economic Development would exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry. Once amendments to the Telecommunications Act receive royal assent, GIC or ministerial orders could be issued to service providers.
Part 2 of the act would create the critical cyber systems protection act, or the CCSPA. The CCSPA would be implemented collaboratively by six departments and agencies: the departments of Public Safety; Innovation, Science and Economic Development; Transport; Natural Resources; and Finance, as well as the Communications Security Establishment. They will all play a key role. Indeed, across the Government of Canada, there is a recognition that cybersecurity is a horizontal issue, and it should be addressed through a streamlined government response across sectors, all rowing in the same direction.
Schedule 1 of the act would designate services and systems that are vital to the national security or public safety of Canadians. Currently, schedule 1 includes telecommunications service and transportation systems. It also includes, in the finance sector, banking systems and clearing and settlement systems, and, in the energy sector, interprovincial or international pipeline and power line systems and nuclear energy systems.
Schedule 2 of the act would define classes of operators of the vital services and systems identified in schedule 1, as well as the regulator responsible for those classes. Operators captured in a class are designated operators subject to the act.
In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister of Public Safety would have overall responsibility for the legislation and would lead a number of CCSPA-related processes.
Decision-making by GIC under the CCSPA would ensure that a broad range of relevant factors, including national security, economic priorities, trade, competitiveness and international agreements and commitments, are considered when making decisions that have an impact across sectors. The CCSPA would also leverage regulators' expertise and relationships with entities they already regulate under existing legislation.
The Canadian centre for cybersecurity, or the cyber centre, is responsible for technical cybersecurity advice and guidance within Canada, and that would be no different under the CCSPA. It would receive resources to provide advice, guidance and services to designated operators in order to help them protect their critical cyber systems; regulators in support of their duties and functions to monitor and assess compliance; and public safety and lead departments and their ministers, as required, to support them in exercising their powers and duties under the act.
The CCSPA would require designated operators to establish a cybersecurity program that documents how the protection and resilience of their critical cyber systems will be ensured. CSPs must be established by designated operators within 90 days of them becoming subject to the act, that is, when they fall into a class of designated operators published in schedule 2 of the act.
Once established, the CSP must be implemented and maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology. CSPs must include reasonable steps to identify and manage organizational cybersecurity risks, including risks associated with an operator's supply chain, and the use of third party products and services. They must also protect their critical cyber systems from compromise, detect cybersecurity incidents that affect or have the potential to affect CCS and minimize the impact of cybersecurity incidents affecting critical cyber systems.
This legislation would also help confront supply chain issues. With the increasing complexity of supply chains and increased reliance on the use of third party products and services, such as cloud-based data storage and infrastructure as a service, designated operators can be exposed to significant cybersecurity risks from those sources.
When a designated operator, through its CSP, identifies a cybersecurity risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA would require the designated operator to take reasonable steps to mitigate those risks. Taking reasonable steps to mitigate risk is understood to mean reducing the likelihood of the risk materializing by, for example, securing a supply chain by carefully crafting contractual agreements to gain more visibility into equipment manufacturing, or by choosing another equipment supplier. It can also mean reducing the impact of a risk that materializes.
Under the CCSPA, there would also be a new obligation to report cybersecurity incidents affecting or having the potential to affect critical cyber systems to the Communications Security Establishment, for use by the cyber centre. A threshold defining this reporting obligation would be set in regulations. This would provide the government with a reliable source of information about cybersecurity threats to critical cyber systems. The availability of incident reports would enhance visibility into the overall threat for the cyber centre. Findings from the analyses of incident reports would make it possible for the centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and it would help to inform Canadians of cybersecurity risks and trends, allowing one organization's detection to become another's prevention.
The CCSPA would also create a new authority for the government. Under the act, the Governor in Council would be allowed to issue cybersecurity directions when it decides that specific measures should be taken to protect a critical cyber system from a threat or known vulnerability. Directions would apply to specific designated operators or to certain classes of designated operators. They would require those designated operators to take the measures identified and to do so within a specific time frame. Failure to comply with directions could be subject to an administrative monetary penalty or an offence that can lead to fines or imprisonment. The CCSPA would also includes safeguards to ensure that sensitive information, such as information that was obtained in confidence from Canada's international allies, is protected from disclosure.
All of this provides an overview of strong new legislation, which I hope I have adequately described in two distinct parts. I look forward to our continued debate of this landmark bill, and I encourage all colleagues to join me in supporting Bill C-26 today.
1236 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as I am not sure of the specific details the member opposite is referring to in her question, I would have to say, in good faith, that I will get back to her on that after doing a bit more research on why that decision was made.
What I can tell her is that the key provisions in this act really do further the overall objectives of protecting our critical infrastructure. It specifically adds to the Telecommunications Act the objective of the “promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to”—
106 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I thank the member for Whitby for sharing his time with me.
It is very important that we talk about such an important piece of legislation that has been brought forward, Bill C-26. The reality is that the changes in technology are happening so incredibly quickly. At times, it seems a daunting task to keep up with them and to make sure that we are always ahead of those actors out there, whether state or non-state, who are trying to engage in activities that could seriously cripple our economy or other aspects of society in Canada.
It seems as though it was just yesterday that we did not have the Internet. I remember vividly when I signed up for my first Internet connection, a dial-up connection, and having access to the Internet. That was when I was a computer engineering student at a local college in Kingston back in 1995 or 1996. Downloading something as simple as a single image sometimes would take two or three minutes to get the full image on the screen.
Mr. Philip Lawrence: What did you download?
Mr. Mark Gerretsen: Madam Speaker, it was not an image of the member opposite who is asking.
The point here is that things are evolving so quickly, and we have come so far in such a short period of time in terms of our ability to utilize, perfect and, for lack of a better term, exploit everything that the Internet has to offer. We have seen it change commerce. We have seen it change how we engage with each other. We have seen it change just about every aspect of our lives. Unfortunately, with that comes new opportunity for people to try to affect what we do in our day-to-day lives. They are trying new forms of fraud, theft, harassment, intimidation and influencing elections, which are all nefarious manners in which people are trying to now utilize the Internet.
Of course, cybersecurity is a huge part of any government operation now, and every government should be seized with doing everything it can to secure it, because when we think about it, everything is connected. There could be a cyber-attack on a utility company, on a functioning parliament, a democracy. There could be an attack on just about every aspect of our lives, and it is critical that we have legislation in place to ensure that we can properly safeguard those things.
I have heard individuals in the House, and in the last two questions, one from the Conservatives and one from the NDP, suggesting that this is taking way too long and that we are behind other countries. I would caution members on that and suggest that it is not entirely accurate. For example, the United Kingdom has a very similar bill to this one that is being studied right now by its members of Parliament, a Conservative government, I might add. They are going through the exact same process as we are now. I think it is always easy to say, and it is one of the things we hear quite a bit from opposition parties, why is this taking so long?
I have my own opinion on why things take so long in this House, but the reality is that I do not believe we are significantly trailing behind other countries. Yes, some countries have done more than us. I am not going to disagree with that, but I disagree that we are significantly behind. I will come back to the United Kingdom where a Conservative government has introduced a very similar piece of legislation to what we have. This brings me to the legislation that we are debating today.
This bill has two primary parts to it. The first part would amend the Telecommunications Act to add the objective of the promotion of cybersecurity of the Canadian telecommunications system to Canadian telecommunications policy.
It also authorizes the Governor in Council and the Minister of Industry to direct telecommunications service providers to secure the Canadian telecommunications system. I think that is incredibly important. In this process, we have to remember that a huge part of what we need to do is work with private partners and the various telecommunications services that are out there. We need, from a policy or government perspective, to put in place some of the things that they need to do.
The reality is that in a competitive business environment where various different telecommunications companies are fighting to be more competitive and more efficient to maximize profit, which we all appreciate is important in the capitalist environment we live in, we have to respect the fact that in order to ensure that some of these safeguards are in place, we are going to need to make sure that the legislation is there to make sure companies are doing what they need to be doing to create those safeguards. Otherwise, it might not happen to the degree it needs to because of the nature of the competitive environment they are in.
The other aspect of this bill is that it enacts the critical cyber systems protection act to provide a framework for the protection of critical cyber systems that are vital to national security and public safety. Of course, this is key because this is what everything else is built on in terms of our national security and the systems that we have. We need to make sure we can properly safeguard those. In that regard, it authorizes the Governor in Council to designate any service or system as a vital service or vital system. Just think about that.
When I was in college studying computer engineering and I went to get my first dial-up connection, who would have thought that a mere 25 years later we would be talking about designating some of these services as being vital to national security or public safety? The reality is that is where we are now. As we rely so heavily on these systems, we rely so heavily on ensuring that we have the systems in place that we do in order to protect our security as it relates to cyber-threats.
I appreciate the opportunity to talk about this very important piece of legislation. I get the sense it is being widely supported in the House. I hope we can move this along so we can get to the next steps, continue to move forward and get what we need into place in order to properly protect our cyber systems from a security perspective.
1099 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, as I said in my speech, one of the things the bill does is it specifically directs what the various telecommunications providers need to do in order to maintain that security. That is what we do from a policy perspective. We establish what those requirements are that are required of the telecommunications systems in order to ensure that security is there. What we will see coming out of this is that the telecommunications systems, in a unified fashion, will promote these particular policies and safeguards that will be put through those directives.
94 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, I will be sharing my time with the fantastic member for Lac-Saint-Louis.
It is with great pleasure that I rise to discuss Bill C-26, an act respecting cybersecurity. I will address elements in the legislation that deal with securing Canada's telecommunications system.
As Canadians rely more and more on digital communications, it is critical that our telecommunications system be secure. Let me assure this House and in listening to the debate today I think we all agree that the issue of cybersecurity is of utmost importance. The Government of Canada takes the security of this system seriously, which is why we conducted a review of 5G technology and the associated security and economic considerations.
It is clear that 5G technology holds lots of promise for Canadians for advanced telemedicine, connected and autonomous vehicles, smart cities, cleaner energy, precision agriculture, smart mining, and a lot more. Our security review also made clear that 5G technology will introduce new security concerns that malicious actors could exploit. Hostile actors have long sought and will continue to seek to exploit vulnerabilities in our telecommunications system.
CSIS, the Canadian Security and Intelligence Service, acknowledged this in its most recent publicly available annual report. The report states:
Canada remains a target for malicious cyber-enabled espionage, sabotage, foreign influence, and terrorism related activities, which pose significant threats to Canada's national security, its interests and its economic stability.
The report states that “[c]yber actors conduct malicious activities to advance their political, economic, military, security, and ideological interests. They seek to compromise government and private sector computer systems by manipulating their users or exploiting security vulnerabilities”.
The CSIS report also highlighted the increasing cyber-threat that ransomware poses. The Communications Security Establishment has similarly raised concerns about threats like ransomware in recent public threat assessments. We have seen how such attacks by criminal actors threaten to publish a victim's data or block access to it unless a ransom is paid. However, it is not just cybercriminals doing this. CSIS warned that state actors are increasingly using these tactics, often through proxies, to advance their objectives and evade attribution.
To be sure, Canadians, industry and government have, to this point, worked hard to defend our telecom system, but we must always be on the alert, always guarding against the next attacks. This has become more important as people now are often working remotely from home office environments.
5G technology is adding to these challenges. In 5G systems, sensitive functions will become increasingly decentralized in order to boost speeds when required.
Cell towers are a familiar sight in our communities and along our highways. The 5G networks will add many smaller access points to increase speeds. As well, the number of devices that the 5G network will connect will also grow exponentially.
Given the greater interconnectedness and interdependence of 5G networks, a breach in this environment could have a more significant impact on the safety of Canadians than with older technology. Bad actors could have more of an impact on our critical infrastructure than before.
The security review we conducted found that in order for Canada to reap the benefits of 5G, the government needs to be properly equipped to promote the security of the telecommunications system. We need to be able to adapt to the changing technological and threat environment. For these reasons, we are proposing amendments to the Telecommunications Act. The amendments will ensure that the security of our telecommunications system remains an overriding objective.
This bill will expand the list of objectives set out in section 7 of the Telecommunications Act. It will add the words “to promote the security of the Canadian telecommunications system”.
It is important for those words to be in the act.
It means government will be able to exercise its powers under the legislation for the purposes of securing Canada's telecommunications system.
The amendments also include authorities to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers in 5G and 4G networks if deemed necessary and after consultation with telecommunications service providers and other stakeholders.
It would also give the government the authority to require telecommunications service providers to take any other actions to promote the security of the telecom networks upon which all critical infrastructure sectors depend.
We have listened to our security experts; we have listened to Canadians; we have listened to our allies and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canada's competitiveness, economic stability and long-term prosperity.
It is clear that the telecommunications infrastructure has become increasingly essential. It must be secure and it must be resilient. Telecommunications presents an economic opportunity, one that grows our economy and creates jobs. The amendments to the Telecommunications Act accompany the proposed critical cyber systems protection act. This bill will improve the ability of designated organizations to prepare, prevent, respond to and recover from all types of cyber-incidents, including ransomware. It will designate telecommunications as a vital service. Together, this legislative package will strengthen our ability to defend the telecommunications and other critical sectors, such as finance, energy and transportation, that Canadians rely on every single day.
The legislation before us today fits within the Government of Canada's telecommunications reliability agenda. Under this agenda we intend to promote robust networks and systems, strengthen accountability and coordinate planning and preparedness.
Canadians depend on telecommunications services in all aspects of their lives, and the security and reliability of our networks has never been more crucial. These services are fundamental to the safety, prosperity and well-being of Canadians.
We will work tirelessly to keep Canadians safe and able to communicate securely. This legislation is an important tool to enable us to do that. I look forward to working with members in this House to getting this right and making sure that our telecommunications system is as strong as it can be.
1010 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Thank you, Madam Speaker. I see that they are no more interested in what you have to say than what I was saying, so I do not take it personally.
The 5G network is a new communications technology with bandwidth that is 10 to 100 times greater than that of current networks. The technology stands out for more than just its speed. It stands out for its extremely low latency, which is the time it takes for one computer to communicate with another and receive a response.
This opens the door to many possibilities in different areas, but to achieve performance, 5G uses a multitude of pathways. To simplify, let us say that something that is sent from Montreal to a computer in Paris could have a portion pass through New York, another through London, another through Barcelona, and so forth. This makes the technology particularly vulnerable because it becomes difficult to track the path that the data takes.
Huawei has already been implicated in the scandal involving China spying on the African Union headquarters. In 2012, China offered the African Union a fully equipped ultramodern building. Africa is known to be an extremely important location for Chinese investment. China supplied everything: networks, computers and telecommunications systems. After a few years of operation, in 2017, African computer scientists realized that the servers were sending out huge amounts of data at night, when nobody was working in the building. They discovered that the data was going to servers in China, which was spying on all staff and political leaders. Huawei was the main supplier of the network infrastructure. Microphones were also found in the walls and tables.
China passed a new national intelligence law in 2017. One thing is clearly set out in their law. All Chinese companies must absolutely participate in China's intelligence efforts. It is a form of economic and commercial patriotism, and we could also add digital. In other words, all the private players are being mobilized to say that they are going to participate in the construction of the great digital wall of China. This includes military intelligence and civilian intelligence. For instance, a company can be called upon to spy on behalf of another Chinese company in order to place China in an advantageous position on the world stage.
At this very moment, a genomics company called BGI, which works with genes, is still supplying medical equipment to Canadian hospitals. Its machines collect data, and only the company's technicians are authorized to carry out the monthly maintenance. They are the only ones with access. It turns out that this company has close ties to the Chinese military.
There is also Alibaba, a publicly traded Chinese company similar to Amazon that was founded by businessman Jack Ma. It derives its income from online activities, including a public market designed to facilitate transactions between businesses, payment and retail sales platforms, a shopping search engine and cloud computing services.
Another example is Tencent, a company founded in 1998 that specializes in Internet and mobility services and online advertising. Tencent's services include social networks, web portals, e-commerce and multiplayer online games. Tencent manages and operates well-known services, such as messaging services Tencent QQ and WeChat, and the qq.com web portal.
Today, China is the champion of data collection. This rising power requires new practices, new barriers and new ways of doing things. We should not think that the U.S. does not have their own giants that collect data, but just in China there are 800 million Internet users. That is more than the U.S. and India put together and one-quarter of all Internet users in the world. This number of users will give public and private Chinese actors, which have a close relationship, access to large sources of data that they can mine at will.
China has built a formidable digital system. There is a reason why it is constantly increasing its data storage. There is no doubt that the issue of cybersecurity is at the centre of the current international economic war that is engulfing an increasingly multipolar world. We need to acknowledge this. We need to act.
We support this bill because it is well-intentioned, but we have to find a way to put some meat on the bones.
722 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
