44th Parl. 1st Sess.
March 6, 2023 11:00AM
Madam Speaker, I am very pleased to be joining the debate today to offer some of my thoughts and perspective on Bill C-26, a much awaited bill on a cybersecurity infrastructure.
Bill C-26 is a good reminder to members that the Department of Public Safety and its subject matter is so much bigger than just firearms, because, of course, firearms and Bill C-21 have been dominating the news cycle for the last couple of months. That bill, in particular at the public safety committee, has occupied so much time and wasted so many resources. Bill C-26 is a good reminder that with cybersecurity we have so many other agencies that are dedicated to national security under the umbrella of public safety. Cybersecurity is a big subject matter. We also have Bill C-20, which is an important bill on oversight and accountability for both the CBSA and RCMP.
Today, we would not find many members in the House of Commons who are arguing against the need for better cybersecurity. All of the evidence out there points to this being a new and evolving threat. Artificial intelligence systems offer some interesting advantages, but with those advantages come threats and with those threats come actors who are determined to use them in nefarious ways that will harm and have harmed Canada's interests. We need a whole host of options to counter this threat. We need our national security agencies to take these threats with increased importance. We also need legislation to fill in the gaps and make sure that all of Canada's laws are up to date.
I have spent a lot of time on the public safety committee. We did a couple of reports that directly touched on this area. One of our first reports identified violent extremism. Our most recent study looked at the threat posed by Russia. We know that since Russia conducted its invasion of Ukraine, which has recently passed the one-year anniversary, it has also increased the threats that it offers to Canada and to like-minded countries. One of those areas is cybersecurity.
Our committee has not yet tabled its report, which should be tabled in the House of Commons soon so that members of the House and the public can not only see the results of the deliberations, but also see the important recommendations that the committee is going to make. However, we heard a lot of testimony during those committee hearings on the cyber-related threats from Russia. Many witnesses identified that those are among the most serious and relevant for Canada's public safety and national security, particularly in relation to critical infrastructure.
I want to set this table before I get into the nuts and bolts of what Bill C-26 is offering, but also set some of the problems that are in evidence with this first version of the bill.
We have to understand a few basic terms. The Government of Canada refers to critical infrastructure as the “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government”, whether that is the federal government, the provincial governments or our municipal governments. Because so many of those pieces of critical infrastructure are now tied into computer systems that are vulnerable to attack, a bill like this becomes quite necessary.
I could go on and on about all of the critical systems in our modern society and the range of sectors, from our energy production to our food distribution systems to our electricity grid and transportation networks and how our ports and our banking system work. If one were to interrupt any one of those services, it could create absolute havoc within any Canadian community or countrywide.
One of the witnesses we had during our public safety meetings on the topic of the threats posed from Russia, and this was just talking about the cyber-threat more broadly, was Jennifer Quaid, Executive Director of the Canadian Cyber Threat Exchange. She reminded our committee that there are nation-states that are conducting espionage and statecraft through the Internet, but there are also criminals who are engaging in cybercrime for financial gain.
In some cases, those criminal groups and the nation-states are working together. There is evidence of this not only in Russia but in places like North Korea and China, where it is almost like the policy that was in place back in the 1700s and 1600s, where privateers would go out and do a nation-state's bidding. In this modern-day version of that policy, there are criminal organizations that are working hand in glove with some nation-states to give them some plausible deniability, but the systems they are using do pose a very real threat to Canada.
One of our key witnesses during the study was Caroline Xavier, Chief of the Communications Security Establishment. She was not able to go into much detail or specifics, given the very sensitive nature of the topic, but she was able to assure the committee that cybercrime is absolutely the most prevalent and most pervasive threat to Canadians and Canadian businesses. She observed that the state-sponsored cyber programs of China, North Korea, Iran and Russia posed the greatest strategic threat to Canada, and that foreign cyber-threat activities have included attempts to target Canadian critical infrastructure operators, as well as their operational and information technology.
Leaving aside the government, it is important for members to realize that most of Canada's critical infrastructure is, by and large, in the hands of the private sector. This is going to underline some of the important elements of Bill C-26.
We also had testimony from David Shipley, Chief Executive Officer of Beauceron Security. He was relaying the same stuff about Russian criminal organizations working in tandem with the government, and saying that criminal gangs have crippled Canadian municipalities. They have gone after health care organizations. The range of malicious cyber-activity has absolutely extended to many small and medium-sized enterprises.
When we look at the reporting requirements of Bill C-26, one of the biggest gaps that we have in our system is the fact that many businesses, private enterprises, are loath to report the fact that their systems have experienced a cyber-attack. They may be threatened to not do so. There is also a very real concern about the institutional harm that could come from the public release of said information. A large corporation that relays to its customers that it has experienced a cyber-attack may find people are loath to do business with it if they are unsure that its systems are up to par.
I also want to highlight a recent example from 2021, where the Government of Newfoundland and Labrador experienced a health records cyber-attack on October 30. The investigation revealed that over 200,000 files were taken that contained confidential patient information.
One can just imagine that in a province the size of Newfoundland and Labrador the fact that over 200,000 files were taken, that is a shocking theft of personal and confidential information. It really underlines just how important addressing this is.
I also want to touch briefly on the topic of artificial intelligence. I want to read a quote from a recent Hill Times article. This is from Jérémie Harris who is one of the co-founders of Gladstone AI, which is an artificial intelligence safety committee. He says:
But perhaps more concerning are the national security implications of these impressive capabilities. ChatGPT has been used to generate highly effective and unprecedented forms of malware, and the technology behind it can be used to power hyperscaled election interference operations and phishing attacks. These applications—and countless other, equally concerning ones also enabled by new advances in AI—would have been the stuff of science fiction just two years ago.
He goes on to say:
...ChatGPT is a harbinger of an era in which AI will be the single most important source of public safety risk facing Canada. As AI advances at a breakneck pace, the destructive footprint of malicious actors who use it will increase just as fast. Likewise, AI accidents—now widely viewed by AI safety specialists as a source of global catastrophic risk—will take more significant and exotic forms.
Something all members of the House really have to be aware of is how, just in the last two years, AI has advanced so quickly. We can think about what AI will be capable of two years or a decade from now. Just as Mr. Harris said, what it is doing right now was inconceivable just two years ago. The fact that AI is now being used to generate unique code for malware indicates there is no telling what it can be used to do and how it could be used to wreak havoc. That underlies just how important this issue is and how seriously we, as parliamentarians, have to take it as we serve our constituents and do the important work of equipping our nation with the tools it needs to keep Canadians, and the critical infrastructure they depend upon, safe.
When I was a member of the public safety committee, I had a chance to speak with Mr. Harris. I actually put a motion on notice that the committee should be undertaking a study on the range of threats posed to Canada's public safety, national security and critical infrastructure, specifically by AI systems. I hope one day the committee can take that study up, but it is a committee with a very heavy workload. It is still trying to find its way through Bill C-21. It is waiting for Bill C-20 to arrive on its door and, of course, this bill, Bill C-26, would also keep committee members quite busy.
I would like now to turn to the specifics of Bill C-26 and what it is attempting to do. It is separated into two main parts. According to the summary of the bill:
Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.
There are a number of orders that the Minister of Industry could issue. For example, he or she could prohibit a TSP from using any specified product or service in its networks or facilities; direct a TSP to remove a specified product from its networks or facilities; impose conditions on a TSP’s use of any product or service; subject a TSP’s networks or facilities, as well as its procurement plans for those networks or facilities, to a specified review process. Those are just a few examples of how the minister's orders could be issued. The bill does require the Governor in Council or the Minister of Industry to publish these orders in the Canada Gazette, but there is an allowance in the bill to allow these provisions to be prohibited, so the government can prevent the disclosure of these orders within the Gazette if they feel they need to be kept secret.
Part 2 would enact a brand new statute of Canada, a critical cyber systems protection act, which would “provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety”. In schedule 1 of the government's bill there is a brief list. Vital systems and services can include telecommunication services, interprovincial or international pipelines and power line systems, and nuclear energy systems. Those are a few examples. A really important point is that the Governor in Council, through this bill, would be able to establish classes of operators and require designated operators to establish and implement cybersecurity programs.
This is where the bill would affect the private sector and make sure those cybersecurity programs are in place, especially when that private sector is involved in critical infrastructure. As a brief outline, with those cybersecurity programs, the expected outcomes would be that they could identify and manage any cyber-risk to the organization, including supply chain risks; prevent their critical cyber systems from being compromised; detect cybersecurity incidents; and limit the damage in the event a cybersecurity incident did occur.
I want to talk about concerns with the bill, because there are a lot of concerns. I have had the chance to speak with a number of organizations, but first and foremost was OpenMedia. I had a great conversation with the people there. There is a section on its website that specifically deals with Bill C-26. OpenMedia absolutely realizes that new cybersecurity protections are needed to protect Canada's infrastructure, but it believes they have to be balanced by appropriate safeguards, and this is to prevent their abuse and misuse.
We rely on these essential services, and their protection is important, but Bill C-26, as it is currently written, would give the executive branch huge sweeping powers. In my reading of the bill, there would not be enough accountability and oversight; there would not be enough review mechanisms for Parliament to check the power of the executive, and I think this is a critical point. I think, in principle, we have a good idea with the bill, but a lot of work will be needed at committee to ensure that this executive power would be checked and that it would fit within the parameters of the law. We absolutely must have that kind of parliamentary oversight.
I also know of the Canadian Civil Liberties Association, which said:
The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.
I think, at this stage, we want to ensure, with the minister's powers to order or direct service providers, and the requirement to comply with these orders, that these powers are being subjected to the appropriate safeguard mechanisms. They are quite broad, as currently written.
In conclusion, I want to see a bill that protects vulnerable groups from cyber-attacks. So many Canadians rely on these critical systems, and we know so many have been targeted and are being targeted as we speak, and we know these dangers are going to multiply and get worse the longer we go on. We want to make sure they are protected, but we want to make sure that we do not have broad unchecked ministerial powers with no public oversight. That is the balance that must be achieved.
I must express, in my closing minute, my personal frustration with how the Liberals draft their bills. The idea behind Bill C-26 is a good one, but the problem with how the Liberals drafted the bill is that it would give huge sweeping amount of power to the executive branch. I just wish they would have had the foresight to understand that, of course, these provisions would be met with opposition. It seems the Liberals are putting the work on committee members to fix the bill for them, rather than having had the foresight and intuition to understand that these are problematic elements of the bill.
I think a lot more work could have been done on the government's side to have presented a better first draft. I guess we have what we have to work with, but a lot of work is going to be needed to be done at committee, and I look forward to seeing members do that work.
I also look forward to voting for the bill at second reading and sending it to committee. I welcome any questions or comments from my colleagues.
2718 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, it is quite clear that legislative gaps exist. Many of my remarks were focused on detailing the threat landscape out there.
The good people who work at CSIS, CSE and Public Safety Canada are dedicated professionals who treat this threat very seriously. Every day they go to work, they are determined to keep Canadians safe. The problem lies in the fact that so much of our critical infrastructure, those systems that our society relies on every single day, lies in the private realm. We want to ensure that the government is there as a partner to help them beef up their cyber systems so that, if any one of them is attacked, we can pool resources, address the threat and also learn from it to prevent ones in the future.
There is a need there, but again the crux of my comments is that we have a good idea in this bill. There is a need. It is just the details and specifics that need to be hammered out.
171 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, in my opinion, based on what I have heard, it is artificial intelligence and its capabilities in the hands of nefarious actors.
We heard from Caroline Xavier, the chief of the Communications Security Establishment, at committee. She identified China, Russia, Iran and North Korea as countries that are actively trying to undermine Canada's national security. If we combine that with what Mr. Jérémie Harris has identified as what AI is capable of now and what it could be capable of, I am very concerned that those countries that are actively trying to undermine Canada's national security interests will use this emerging technology to construct malware, the likes of which we have never seen.
That is why a bill such as Bill C-26 is important, but it is important that we get it right. We absolutely must make sure that our critical systems are beefed up and secured against not only those particular nation states, but also others that are actively trying to undermine our interests.
174 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, the hon. member has a point. I would identify the system that deals with our democratic process, including all of the actors involved, as being a critical system. It is probably the most critical system. However, while I do acknowledge there are definitely state actors who are trying to undermine our system, they are trying to undermine democratic systems all over the world. We see evidence of that.
I have a lot of confidence in the public servants who work at Elections Canada and who work for the office of the Commissioner of Canada Elections. They are doing their utmost to protect the sanctity of our democratic system. That being said, we cannot rest on our laurels, and it is up to us, as parliamentarians, to acknowledge these evolving threats and to equip our dedicated public servants with the tools they need to counteract these threats actively.
I would agree with the member's saying that these threats are real. They do need to be acknowledged. We owe it to ourselves to get Bill C-26 right so our public servants have the tools to counteract those threats.
190 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, a 20-minute speech does not give a lot of time to go over the multitude of concerns with Bill C-26. Yes, there are a lot of privacy concerns with this bill. We have had those concerns outlined not only by the Canadian Civil Liberties Association, but also by OpenMedia.
The way we allay those concerns is that we empower committee members on the public safety committee to give this bill a thorough going-over, and to make sure those expert witnesses are brought forward so they can identify the specific clauses of this bill that are problematic. We need to give members of the committee enough time to draft the amendments.
What I ultimately want to see when this bill is reported back to the House is an acknowledgement that there is a very real threat; that the bill would empower the government to counteract that threat; and that the bill would also provide a very important layer of parliamentary oversight and accountability, which I think should include some of our dedicated public servants, like the Privacy Commissioner and others.
184 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, there have been serious concerns about how, within the telecommunications infrastructure, Bill C-26 would allow Canada's national security and spy agencies to permanently implant themselves within that infrastructure, have access to all kinds of sensitive data and possibly share it.
I do not know what the specifics are at this point. I think the committee will be empowered to look at that. I want to make sure that, everywhere in Bill C-26 where ministers are able to issue these types of orders, or if they are kept secret, there would be accountability mechanisms built into the bill.
Can we give the standing joint committee on regulations the ability to review those orders, since they could be prevented from being published in the Canada Gazette? That is one particular example, but there are many others.
I agree with the premise of the member's question in that there is a lot of work that needs to be done with Bill C-26 at committee.
168 words
All Topics
- Hear!
- Rabble!
- add
- star_border
- share
- Mar/6/23 2:50:13 p.m.
- Watch
Mr. Speaker, Canadians are really worried about keeping up with the high cost of their groceries, and the prices just keep going up.
While people are stretching their budgets to handle growing costs, rich corporations and grocery chains are making massive profits. Last week, the European Central Bank expressed concerns that CEOs are using the cost of living crisis and inflation to hike their prices, and the Bank of Canada is admitting to having the same fears.
Will the Liberals finally admit that rich CEOs and corporate greed are helping drive up food prices, and will they make them pay what they owe?
103 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
