44th Parl. 1st Sess.
March 6, 2023 11:00AM
Mr. Speaker, there is a pressing need to secure Canada's critical infrastructure against cyber-threats.
Computer systems, which run our health care, energy and financial systems, are targets for criminals and foreign adversaries to attack. Disruption of medical services at a hospital or electricity through a grid would have severe consequences, possibly including injury or death.
This is exactly what happened on October 30, 2021, in my province of Newfoundland and Labrador. My hon. colleague across the way agrees with what I am saying because he, his family members or his friends, I am sure, had some of their personal information breached in that attack.
Personal information belonging to thousands of patients and employees was obtained through a cyber-attack on Eastern Health. In fact, over 200,000 files were taken from a network drive in Eastern Health's IT environment. Over 58,000 patients and almost 300 staff and former staff had their personal data breached.
The information taken included health records, medicare plan numbers, dates of birth, names and addresses. In fact, some even had their social insurance numbers taken. The immediate result was that a complete shutdown of the health care system took place throughout the entire province.
Patients who had waited through the pandemic found that critical care for such things as cancer and heart disease were put on hold. Many had to wait weeks or even months to have their appointments rescheduled. Some of these folks had poor outcomes. In fact, people's lives were shortened in some cases as a result of the cyber-induced shutdown of the health care system in Newfoundland and Labrador.
This is very serious stuff. This was not the first time such a cyber-attack happened in Canadian health care. In October of 2019, three hospitals in Ontario were victimized in a similar fashion.
On another note, a pipeline company in the United States fell victim to hackers in 2021. This led to diesel and jet fuel shortages, disrupting most of the economy of the eastern seaboard of our neighbour to the south.
These are just a few examples of catastrophic outcomes resulting from cyber-attacks in recent years. Canadians need protection from these types of attacks. This legislation is intended to align with the actions of our allies in the Five Eyes. This bill would give clear legislative authority to the government to prohibit high-risk entities, such as Huawei, from assuming critical roles in our cyber-infrastructure.
This legislation is filled with good intentions. Currently, a cybersecurity incident is defined as:
an incident, including an act, omission or circumstance, that interferes or may interfere with
(a) the continuity or security of a vital service or vital system; or
(b) the confidentiality, integrity or availability of the critical cyber system.
There is no indication given as to what would constitute interference under the bill. Does this mean that the cyber-attack on Newfoundland and Labrador health care would not be classified as interference?
In addition, there is no timeline specified in this bill for the reporting of cybersecurity incidents to the CSE and the appropriate regulator. The bill says that reporting must be immediate. “Immediate” is not interpreted in this bill. Is it one hour, one day or one week? This is something we need to know.
In terms of civil liberties and privacy, technical experts, academics and civil liberties groups have serious concerns about the size, scope and lack of oversight of the powers that the government would gain under the bill.
In late September 2022, the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group and the Privacy and Access Council of Canada, as well as several other groups and academics, released their joint letter of concern regarding Bill C-26.
While stating the collective's agreement with the goal of improving cybersecurity, the joint letter goes on to state that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.
The joint letter outlines several areas of concern, including increased surveillance. The bill would allow the federal government “to secretly order telecom providers to ‘do anything, or refrain from doing anything’” necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.
While this portion of the bill goes on to list several examples of what “doing anything” might entail, including, for example, prohibiting telecom providers from using specific products or services from certain vendors or requiring certain providers to develop security plans, the collective expresses the concern that the power to order a telecom to do anything “opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards”.
Bill C-26 would allow the government to “bar a person or company from being able to receive specific services, and bar any company from offering these services to others, by secret government order”, which raises the risk of “companies or individuals being cut off from essential services without explanation”.
The bill would provide for a collection of data from designated operators, which could potentially allow the government “to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”
There is a lack of “guardrails to constrain abuse”. The bill would allow the government to act without first being required to perform “proportionality, privacy, or equity assessments” to hedge against abuse. This is concerning to the collective, given the severity of the penalties available under the statute.
There is the potential for abuse by the Communications Security Establishment, the federal agency responsible for cybersecurity but, more prominently, signal intelligence. The CCSPA would grant the CSE access to large volumes of sensitive data. However, it would not constrain its use of such data to its cybersecurity mandate.
The civil liberties of Canadians are already under attack. Bill C-26 does not accurately enough define how our civil liberties would be protected. Given the need for protection from cyber-attacks, a bill like this is quite necessary, no doubt.
In its current form, with so many unknowns for Canadians, I will not be able to support it. However, I do support sending it to committee for some input from Canadians and for some fine tuning, to turn it into an instrument to protect us all from cyber-attacks.
1093 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I am sure that sending this bill to committee will make some improvements. It is unfortunate that my bill, Bill C-251, did not get the opportunity to get to committee and get improved. My hon. colleague is quite aware of the ill consequences of not allowing legislation to get to committee and to be improved, to seal the deal and have positive outcomes for all Canadians.
69 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is great to take a question from my colleague, who has constituents who have had hard times due to cyber-attacks. I hope this bill can stop that from happening. I also hope that my hon. colleague can bring some of these people who were affected by a cyber-attack to committee and let them have their input as the bill is being debated and amended.
I am sure this bill is going to need quite a lot of amendments if it is anything like most of the legislation that has come from the government.
98 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I cannot really concentrate. My hon. colleague came up with that word that I cannot even make sense of. That reminds me of the Prime Minister's dad with his famous “fuddle duddle”. What does “fuddle duddle” mean? I do not know what “rapporteur” is. I am hoping that this bill addresses some of my hon. colleague's concerns.
67 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
