SoVote

Decentralized Democracy

House Hansard - 172

44th Parl. 1st Sess.
March 23, 2023 10:00AM
  • Mar/23/23 1:14:43 p.m.
  • Re: Bill C-26 
Mr. Speaker, I rise today to speak to Bill C-26, an act about cybersecurity. In the 21st century, cybersecurity is national security, and it is our responsibility to protect Canadians from growing cyber-threats. We have to take the necessary steps to protect Canadians and our telecommunications infrastructure. Canadians must have confidence in the integrity, authenticity and security of the products and services they use every day. This bill reflects the values of Canadians and is in line with our closest allies, including our Five Eyes partners. That is why we are investing in cybersecurity, ensuring respect for the privacy of Canadians and supporting responsible innovation. We will continue to protect Canadians from cyber-threats in an increasingly digital world. As said in our international cybersecurity overview, a free, open and secure cyberspace is critical to Canada’s economy, social activity, democracy and national security. Canada faces cybersecurity risks from both state and non-state actors. Protecting Canada’s and Canadians’ cyber-infrastructure from malicious actors is a serious challenge and a never-ending task. Canada works with allies and partners to improve cybersecurity at home and to counter threats from abroad. This includes identifying cyber-threats or vulnerabilities and developing capabilities to respond to a range of cyber-incidents. A few years back, we put forward the national cybersecurity strategy, a vision for security and prosperity in the digital age. As mentioned there, virtually everything Canadians do is touched by technology in some way. We are heavily interconnected and networked, a fact that not only enhances our quality of life but also creates vulnerabilities. From commercial supply chains to the critical infrastructure that underpins our economy and our society, the risks in the cyberworld have multiplied, accelerated and grown increasingly malicious. 
Major corporations, industries and our international allies and partners are engaged in the global cyber-challenge, but many others are not and that represents a significant risk. The strategy's core goals were reflected in budget 2018, where $500 million was invested in cybersecurity. Part of the funding was for the new Canadian Centre for Cyber Security, which is Canada’s technical authority on cybersecurity. It is part of the Communications Security Establishment, and it is the single, unified source of expert advice, guidance, services and support on cybersecurity for Canadians and Canadian organizations. It regularly publishes the “National Cyber Threat Assessment”, and I would like to quote from their latest one for 2023-24. It states: Canadians use the Internet for financial transactions, to connect with friends and family, attend medical appointments and work. As Canadians spend more time and do more on the Internet, the opportunities grow for cyber threat activity to impact their daily lives. There’s been a rise in the amount of personal, business and financial data available online, making it a target for cyber threat actors. This trend towards connecting important systems to the Internet increases the threat of service disruption from cyber threat activity. Meanwhile, nation states and cybercriminals are continuing to develop their cyber capabilities. State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians. In the latest assessment, they chose to focus on five cyber-threat narratives that they judge are the most dynamic and impactful. First, ransomware is a persistent threat to Canadian organizations. Cybercrime continues to be the cyber-threat activity most likely to affect Canadians and Canadian organizations. Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. 
Cybercriminals deploying ransomware have evolved in a growing and sophisticated cybercrime ecosystem and will continue to adapt to maximize profits. Second, critical infrastructure is increasingly at risk from cyber-threat activity. Cybercriminals exploit critical infrastructure because downtime can be harmful to industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position themselves in case of future hostilities and as a form of power projection and intimidation. Third, state-sponsored cyber-threat activity is impacting Canadians. State-sponsored cyber-threat activity against Canada is a constant, ongoing threat that is often a subset of larger, global campaigns undertaken by these states. State actors can target diaspora populations and activists in Canada, Canadian organizations and their intellectual property for espionage, and even Canadian individuals and organizations for financial gain. Fourth, cyber-threat actors are attempting to influence Canadians, degrading trust in online spaces. Cyber-threat actors' use of misinformation, disinformation and malinformation, collectively referred to as MDM, has evolved over the past two years. Machine learning-enabled technologies are making fake content easier to manufacture and harder to detect. Further, nation-states are increasingly willing and able to use MDM to advance their geopolitical interests. Fifth, disruptive technologies bring new opportunities and new threats. Digital assets, such as cryptocurrencies and decentralized finance, are both targets and tools for cyber-threat actors to enable malicious cyber-threat activity. Machine learning has become commonplace in consumer services and data analysis, but cyber-threat actors can deceive and exploit this technology. Quantum computing has the potential to threaten our current systems of maintaining trust and confidentiality online. 
Encrypted information stolen by threat actors today can be held and decrypted when quantum computers become available. Simply put, cyber-threats pose a growing risk to all Canadians and institutions. We are confronting this threat head-on. Our government regularly engages with domestic and international cybersecurity partners to protect Canada’s critical infrastructure and the systems that underpin essential services. We are working closely with critical infrastructure stakeholders and partners to ensure that they are better prepared to face cyber-based threats. Our cybersecurity framework continues to detect, deter and disrupt state and non-state actors attempting to take advantage of the Canadian cyber-landscape. Our government is, and will always be, ready to respond to any malicious cyber-acts that threaten Canadian interests. To conclude, the purpose of this act is to help protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, first, any cybersecurity risks with respect to critical cyber systems are identified and managed; second, critical cyber systems are protected from being compromised; third, any cybersecurity incidents affecting, or having the potential to affect, critical cyber systems are detected; and finally, the impacts of cybersecurity incidents affecting critical cyber systems are minimized.
  • Mar/23/23 1:28:36 p.m.
  • Re: Bill C-26 
Mr. Speaker, I agree with the member that small businesses are the backbone of Canada and the Canadian economy, with the majority of Canadians working in small and medium-sized businesses. Related to this bill is the fact that this issue affects small-sized businesses disproportionately more, because they do not have enough resources to protect themselves from cyber-threats. In fact, as I mentioned in my speech, the new Canadian Centre for Cyber Security, which is part of the Communications Security Establishment, is there to provide expert advice, guidance, and service and support on cyber-threats and cybersecurity to Canadian organizations.
  • Mar/23/23 1:29:25 p.m.
  • Re: Bill C-26 
Mr. Speaker, it is a pleasure to rise and join the debate this morning in the House of Commons. I will be sharing my time with the member for Fort McMurray—Cold Lake. Bill C-26 is a bill that addresses an important and growing topic. Cybersecurity is very important, very timely. I am glad that, in calling this bill today, the government sees this as a priority. I struggle with trying to figure out the priorities of the government from time to time. There were other bills it had declared as absolute must-pass bills before Christmas that it is not calling. However, it is good to be talking about this instead of Bill C-21, Bill C-11 or some of the other bills that the Liberals have lots of problems with on their own benches. Cybersecurity is something that affects all Canadians. It is, no doubt, an exceptionally important issue that the government needs to address. Cybersecurity, as the previous speaker said, is national security. It is critical to the safety and security of all of our infrastructure. It underpins every aspect of our lives. We have seen how infrastructure can be vulnerable to cyber-attacks. Throughout the world, we have seen how energy infrastructure is vulnerable, like cyber-attacks that affect the ability to operate pipelines. We have seen how cyber-attacks can jeopardize the functioning of an electrical grid. At the local level, we have experienced how weather events that bring down power infrastructure can devastate a community and can actually endanger people's health and safety. One can only imagine what a nationwide or pervasive cyber-attack that managed to cripple a national electrical grid would do to people's ability to live their lives in safety and comfort. Cyberwarfare is emerging as a critical component of every country's national defence system, both offensively and defensively. The battlefield success of any military force has always depended on communication. 
We know now just how dependent military forces are on the security of their cyber-communication. We see this unfolding in Ukraine, resulting from the horrific, criminal invasion of that country by Putin. We see the vital role that communication plays with respect to the ability of a country to defend itself from a foreign adversary, in terms of cybersecurity. I might point out that there is a study on this going on at the national defence committee. We have heard expert testimony about how important cybersecurity is to the Canadian Armed Forces. We look forward to getting that report eventually put together and tabled, with recommendations to the government here in the House of Commons in Canada. We know that critical sectors of the Canadian economy and our public services are highly vulnerable to cyber-attack. Organized crime and foreign governments do target information contained within health care systems and within our financial system. The potential for a ransom attack, large and small, is a threat to Canadians. Imagine a hostile regime or a criminal enterprise hacking a public health care system and holding an entire province or an entire country hostage with the threat to destroy or leak or hopelessly corrupt the health data of millions of citizens. Sadly, criminal organizations and hostile governments seek to do this and are busy creating the technology to enable them to do exactly this. The Standing Committee on Access to Information, Privacy and Ethics conducted three different studies while I was chair of that committee that were tied to cybersecurity in various ways. We talked about and learned about the important ways in which cybersecurity and privacy protection intersect and sometimes conflict. We saw how this government contracted with the company Clearview AI, a company whose business is to scrape billions of images from the Internet, identify these images and sell the identified images back to governments and, in the case of Canada, to the RCMP. 
We heard chilling testimony at that committee about the capabilities of sophisticated investigative tools, spyware, used by hostile regimes and by organized crime but also by our own government, which used sophisticated investigative tools to access Canadians' cellphones without their knowledge or consent. In Canada, this was limited. It was surprising to learn that this happened, but it happened under judicial warrant and in limited situations by the RCMP. However, the RCMP did not notify or consult the Privacy Commissioner, which is required under Treasury Board rules. This conflict between protecting Canadians by enforcing our laws and protecting Canadians' privacy is difficult for governments, and when government institutions like the RCMP disregard Treasury Board edicts or ignore the Privacy Commissioner or the Privacy Act, especially when they set aside or ignore a ruling from the Privacy Commissioner, it is quite concerning. This bill is important. It is worthy of support, unlike the government's somewhat related bill, Bill C-27, the so-called digital charter. However, this bill, make no mistake, has significant new powers for the government. It amends the Telecommunications Act to give extraordinary powers to the minister over industry. It is part of a pattern we are seeing with this government, where it introduces bills that grant significant powers to the minister and to the bureaucrats who will ultimately create regulations. Parliament is really not going to see this fleshed out unless there is significant work done at committee to improve transparency around this bill and to add more clarity around what this bill would actually do and how these powers will be granted. There have been many concerns raised in the business community about how this bill may chase investment, jobs and capital from Canada. 
The prospect of extraordinary fines, without this bill being fleshed out very well, creates enormous liability for companies, which may choose not to invest in Canada, not fully understanding the ramifications of this bill. There is always the capture. We have seen this time and time again with the government. It seems to write up a bill for maybe three or four big companies or industries, only a small number of players in Canada, and yet the bill will capture other enterprises, small businesses that do not have armies of lobbyists to engage the government and get regulations that will give them loopholes, or lawyers to litigate a conflict that may arise as a result of it. I am always concerned about the small businesses and the way they may be captured, either deliberately or not, by a bill like this. I will conclude by saying that I support the objective. I agree with the concern that the bill tries to address. I am very concerned about a number of areas that are ambiguous within the bill. I hope that it is studied vigorously at committee and that strong recommendations are brought back from committee and incorporated into whatever the bill might finally look like when it comes back for third reading.
  • Mar/23/23 4:00:37 p.m.
  • Re: Bill C-26 
Mr. Speaker, in some respects, Bill C-26 is quite complicated, but it is also quite simple. It aspires to have the risks of cybersecurity systems identified, managed and addressed so we are at much less risk because of our cyber system. In the last while, I have had the good fortune to be the chair of the public safety committee in the previous Parliament, and I am now the chair of the defence committee. As such, I have listened to literally hours of testimony from people who are quite well informed on this subject matter. My advice to colleagues here is this: It behooves us all to be quite humble and approach this subject with some humility because it is extremely complex. The first area of complexity is with respect to the definitions. For instance, cybersecurity is defined as “the protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information”. Cyber-threat is defined as “an activity intended to compromise the security of an information system”. Cyber-defence, according to NATO, is defensive actions in the cyber domain. Cyberwarfare generally means damaging or disrupting another nation-state's computers. Cyber-attacks “exploit vulnerabilities in computer systems and networks of computer data”. Therefore, with respect to the definitions, we can appreciate the complexity of inserting yet another bill and minister into this process. Let me offer some suggested questions for the members who would be asked to sit on the committee to look at this bill if it passes out of the House. I do recommend that the bill pass out of the House and, if it does, that the committee charged with its review take the appropriate amount of time to inform itself on the complexities of this particular space. The first question I would ask is this: Who is doing the coordination? There are a number of silos involved here. We have heard testimony after testimony about various entities operating in various silos. 
For instance, the Department of Defence has its silo, which is to defend the military infrastructure. It also has some capability to launch cyber-attacks, but it is a silo. Then there is the public safety silo, which is a very big silo, because it relies on the CSE, CSIS and the RCMP, and has the largest responsibility for the protection of civilian infrastructure. While the CSE does not have the ability to launch cyber-attacks domestically, it has the ability to launch a cyber-attack in international cyberspace. It is a curious contradiction, and I would encourage members to ask potential witnesses to explain that contradiction, because the more this space expands, the more the distinctions between foreign attacks and domestic attacks become blurred. The bill would charge the Minister of Innovation, Science and Industry with some responsibility with respect to cybersecurity. I would ask my colleagues to ask questions about how these three entities, public safety, defence and now the Minister of Innovation, Science and Industry, are going to coordinate so that the silos are operating in a coordinated fashion and sharing information with each other so that Canada presents the best possible posture for the defence of our networks. Again, I offer that as a suggestion of a question to be asked. We cannot afford the luxury of one silo knowing something that the other silo does not know, and this is becoming a very significant issue. CSIS, for instance, deals in information and intelligence. The RCMP deals in evidence. Most of the information that is coming through all of the cyber-infrastructure would never reach the level of evidence, whether the civil or criminal standard of evidence. This is largely information, largely intelligence, and sometimes it is extremely murky. Again, I am offering that as a question for members to ask of those who come before the committee as proponents of the bill. 
The other area I would suggest is to question how this particular bill would deal with the attributions of an attack. To add to all of the complications I have already put on the floor of the House, there is also a myriad of attackers. There are pure state attackers, hybrid state criminal attackers and flat-out criminals. For the state attackers, one can basically name the big four: China, Russia, North Korea and Iran. However, there are themes and variations within that. Russia, for instance, frequently uses its rather extensive criminal network to act on behalf of the state. It basically funds itself with proceeds of its criminal activities, and the Russians do not care. If one is going to cripple a hospital network or a pipeline or any infrastructure one can name, then they do not care whether it happens by pure criminal activity or hybrid activity or state activity. It is all an exercise in disruption and making things difficult for Canadians in particular. We see daily examples of this in Ukraine, where the Russians have used cyber-attacks to really make the lives of Ukrainians vulnerable and also miserable. The next question I would ask, and if this is not enough, I have plenty more, is on the alphabet soup of various actors. We have NSICOP, CSE, CSIS and the RCMP. I do not know what the acronym for this bill will be, but I am sure that somebody will think of it. How does this particular initiative, which, as I say, is a worthy initiative to be supported here, fit into the overall architecture? Finally, CAF and the defence department are now doing a review of our defence posture, our defence policy. Cyber is an ever-increasing part of our security environment and, again, I would be asking the question of how Bill C-26 and all of its various actors fit into that defence review.
  • Mar/23/23 4:12:37 p.m.
  • Re: Bill C-26 
Madam Speaker, I want to thank my hon. colleague for his speech and his series of responses. I also want to thank him for being the chair of the defence committee. I know this is a little outside the topic of the bill, but I had asked another colleague from the same committee two questions that have come forward during our study of cybersecurity. The first was on his thoughts and ponderings on international calls for the International Criminal Court to consider cyber warfare an act of war. The additional thought was that 90% of what the Canadian government sees as classified information could actually be declassified, and the ability to help our organizations sort through a lot of these cyber-attacks and information, when in fact we could eliminate and limit the amount we classify.
  • Mar/23/23 4:32:25 p.m.
  • Re: Bill C-26 
Madam Speaker, let me start off with the point you were just talking about, because in the 21st century, cybersecurity is national security. It behooves us all as parliamentarians to work as hard as we can to protect our businesses, consumers and institutions from cyber-threats. That is why I am so grateful and delighted to be here today in the House to speak to the second reading debate of Bill C-26, which concerns the important topic of cybersecurity. Cybersecurity is a matter of great concern to my constituents of all ages. I firmly believe both the public and private sectors need to be able to protect themselves against malicious cyber-activity, including cyber-attacks. As parliamentarians, it is our duty to establish a framework for secure critical infrastructure that we can all rely on. The past few decades have seen remarkable advancements in computer and Internet technology. Online connectivity has become an integral part of the lives of Canadians and people around the world. The COVID-19 pandemic has shown us how we rely so much on the Internet for everything we do, from education to conducting business and staying in touch with loved ones. With more and more people depending on the Internet, including young children and seniors, our most vulnerable, it is crucial to ensure that we have secure and reliable cyber-connectivity. Our government is committed to improving cybersecurity to safeguard our country's future in cyberspace. However, as technology and cyber systems continue to evolve, our infrastructure is becoming more interconnected and interdependent. This brings new security vulnerabilities. For instance, personal interactions like banking and credit card transactions are now mainly conducted online, making cybersecurity even more important. According to the Cybersecurity and Infrastructure Security Agency, ransomware attacks were among the most significant cybersecurity threats in recent years.
Cybercriminals continue to use sophisticated tactics to gain access to critical systems, steal sensitive data and extort money from victims. In addition to ransomware attacks, other common cybersecurity threats include phishing attacks, malware, insider threats and distributed denial of service attacks. I know members have all received emails or phone calls with these types of threats. We do not know where they are coming from, but they are trying to crack our system and do criminal activity. As more organizations adopt cloud computing, like we do here, Internet of Things devices and artificial intelligence, these technologies are also becoming significant targets for these cybercriminals. Cybersecurity threats can have severe consequences for individuals, businesses, all levels of government. These include financial losses, which we have heard are in the billions, reputational damage, legal liabilities and even physical harm. We have read and heard the stories of those who have taken their lives because of these harmful attacks. It is crucial to take proactive steps to prevent and mitigate cybersecurity risks. Bill C-26 is a landmark legislation that would amend the Telecommunications Act and other consequential acts to enhance cybersecurity. The bill proposes to add more security as an express policy objective of the telecommunications sector, bringing it in line with other critical infrastructure sectors. The key objectives of the bill are twofold. First, in part 1, the bill proposes to amend the Telecommunications Act to add security expressly as a policy objective. This amendment aims to align the telecommunications sector with other critical infrastructure sectors. 
The changes we are bringing about through this legislation would authorize the Governor in Council and the Minister of Innovation, Science and Industry, after consultation with stakeholders, to establish and implement the policy statement “Securing Canada's Telecommunications System”, which the minister announced in May of 2022. The primary objective is to prevent the use of products and services by high-risk suppliers and their affiliates. This would enable the Canadian government, when necessary, to restrict telecommunications service providers' utilization of products or services from high-risk suppliers. With such restrictions, consumers would not be exposed to potential security risks. This approach would allow the government to take security measures similar to those of other federal regulators in their respective critical infrastructure sectors. The second part of Bill C-26 pertains to the introduction of the critical cyber systems protection act, or CCSPA, which mandates designated operators in federally regulated sectors such as finance, telecommunications, energy and transportation to undertake specific measures to safeguard their critical cyber systems. It would include the ability to take action on other vulnerabilities, such as human error or storms causing a risk of outages to these critical services. In addition, the act would facilitate organizations' capacity to prevent and bounce back from various forms of malevolent cyber-activities like electronic espionage and ransomware. Notably, cyber-incidents that surpass a certain threshold will necessitate mandatory reporting. Both parts 1 and 2 of Bill C-26 are required to ensure the cybersecurity of Canada's federally regulated critical infrastructure, and in turn, protect Canadians and Canadian businesses. The need to intensify our efforts is apparent because of the advent of new technologies we are hearing about like 5G. The COVID-19 pandemic has highlighted our growing dependence on technology. 
In addition, in my riding of Mississauga East—Cooksville, there is a growing concern about Russia's unwarranted and unjustified invasion of Ukraine, which has resulted in international tensions and a range of potential threats. Such threats include supply chain disruptions and cyber-attacks from state and non-state actors. We are not starting from scratch in our fight against this threat, though. Our government is always vigilant when it comes to any type of threat, including cyber-threats. Our government has made several investments in cybersecurity in recent years to improve the country's cyber-resilience and protect Canadians' data and privacy. For example, in 2018, we created the national cybersecurity strategy. This was based on the consultations that we initiated with Canadians in 2016. Our government adopted this strategy to establish a framework aimed at protecting citizens and businesses from cyber-threats while leveraging the economic benefits of digital technology. Cyber-incidents involve a certain threshold at which reporting would be required. This legislation would give the government a new tool to compel action, if necessary, in response to cybersecurity threats or vulnerabilities. Canada is working alongside other democratic nations around the globe, both in the context of our Five Eyes relationship and in the G7 alliance. These multilateral forums are intensely focused on devising strategies to counter a range of cyber-threats, such as ransomware attacks; the dissemination of false information, which we have seen too often; and attempts by malicious actors to engage in cyber-espionage. To facilitate this collaboration, we are emphasizing the importance of sharing information and intelligence, thereby breaking down those silos. This would enable us to more effectively combat efforts made to destabilize our economies and undermine Canadian interests. 
While we are currently engaged in a debate regarding Bill C-26, we are also taking proactive measures to address the current gaps in our domestic cybersecurity landscape, while simultaneously partnering with like-minded nations to confront these challenges in a comprehensive manner. We have listened to Canadians, our security experts and our allies, and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canadian competitiveness, economic stability and long-term prosperity. Bill C-26 aims to enhance designated organizations' preparedness, prevention, response and recovery abilities—
  • Mar/23/23 5:03:22 p.m.
  • Re: Bill C-26 
Madam Speaker, it is my expectation that we will send this bill to committee not to give it a quick rubber stamp, but instead to carefully examine it, amend it where it is needed and improve it in order to ensure that Canada's cyber-defences are the best they can be. That was the last paragraph of my speech that I did not get to present. That would indicate to the Liberals a clearer analysis of what needs to be done.
  • Mar/23/23 5:03:57 p.m.
  • Re: Bill C-26 
Madam Speaker, I am pleased to join the debate on second reading of Bill C-26, an act respecting cybersecurity. Several of my colleagues have already spoken at length about the importance of the bill and the details therein, but it bears repeating that Bill C-26 is critical to our country's national security, our public safety and our economy. Not only would Bill C-26 introduce the new critical cyber systems protection act or—
  • Mar/23/23 5:04:36 p.m.
  • Re: Bill C-26 
Madam Speaker, not only would Bill C-26 introduce the new critical cyber systems protection act, or CCSPA, to legally compel designated operators to protect their cyber systems, but it would also amend the Telecommunications Act to enshrine security as a policy objective and bring the sector in line with other critical infrastructure sectors. Being online and connected is essential to all Canadians. Now more than ever, Canadians rely on the Internet for their daily lives, but it is about more than just conducting business and paying bills. It is also about staying in touch and connected with loved ones from coast to coast to coast and, indeed, around the world. That is also why the Government of Canada is connecting 98% of Canadians to high-speed Internet by 2026 and 100% of Canadians by 2030. Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, particularly with the emergence of new technologies such as 5G, which will operate at significantly higher speeds and will provide greater versatility, capability and complexity than previous generations. These technologies certainly create significant economic benefits and opportunities, but they also bring with them new security vulnerabilities that some may be tempted to prey on. At this time, I want to bring the perspective of my constituents in the riding of Fredericton to this important debate today. Fredericton is home to the Canadian Institute for Cybersecurity at the University of New Brunswick, with a focus on disruptive technology and groundbreaking research. The institute provides hands-on support for community and industry partners as they face emerging threats, with company-specific, cross-disciplinary research. 
Led by Dr. Ali Ghorbani, Canada's research chair in cybersecurity, the institute generates datasets to help thwart malicious cyber-attacks and works in tandem with the National Research Council of Canada in an innovative hub model that will lead to discoveries and advancements in cybersecurity, including publications, patents and the commercialization of technology, as well as provide training opportunities for graduate students and post-doctoral fellows. Innovative cybersecurity research is conducted with a focus on Internet security, artificial intelligence, human-computer interaction and natural-language processing. I was honoured to welcome many ministers to my riding and to connect them with researchers and leaders in the industry to showcase how my community distinguishes itself in this sector. Fredericton is at the forefront of this new age and the challenges it presents, and I could not be more proud. Even if there is enormous potential for Canadian digital innovation and expertise in cybersecurity, and I am witnessing it every day at home, we also need to face the fact that cyber-threats are growing in sophistication and magnitude. In 2021, close to 200,000 businesses across the country were affected by cybersecurity incidents, and this number continues to grow. Each of those businesses is not merely a business. It comprises hard-working owners and employees, with families to feed and bills to pay. It is all the more maddening that many of these businesses must spend precious amounts of time and money preventing or fighting back against these incidents, many of which involve stealing money or demanding ransoms. Canadian businesses have spent billions of dollars over the last years to detect and prevent cybersecurity incidents and, consequently, they have been experiencing downtime and a loss in revenue. Cybercrime is costly, and those who are bearing the brunt of it are Canadian businesses. 
We also know that at all levels of government, we have not been immune from these kinds of attacks, even, horribly, hospitals. Earlier this year, the Toronto SickKids hospital was targeted by a ransomware attack affecting its operations. Closer to home, in Atlantic Canada, a ransomware group was behind the 2021 cyber-attack that paralyzed the Newfoundland and Labrador health care system. Beyond the monetary implications, attacks like these have the real-life potential of impacting the health and safety of the ones we love, and we must do everything in our power as legislators to put in place effective safeguards. The effects on Canadians demonstrate beyond a doubt why we need to strengthen Canada's cybersecurity systems. As lawmakers, the least we can do is ensure that Canada and its institutions and businesses can continue to thrive in the digital economy and that our banks and telecommunications providers can continue to provide Canadians with reliable services. Bill C-26 would modernize existing legislation to add security to the nine other policy objectives in the act, bringing telecommunications in line with other critical sectors. The bill would also add new authorities to the Telecommunications Act, which would enable the government to take action to promote the security of the Canadian telecommunications system. As mentioned, in recent years, Canada's cybersecurity status has been tested by a variety of threat campaigns targeting critical infrastructure, businesses and individuals. The increase in digitization has led to the weaponization of digital tools and processes. This results in the disruption of critical systems and causes a lack of confidence in physical, psychological and economic well-being. I am proud of all the work that has been done to secure Canada's critical telecommunications infrastructure, but I do not want us to lose sight of the work still to be done. 
The advent of the COVID-19 pandemic was a catalyst for bolstering national and international cyber-defence practices, requiring improved policies, guidance and cyber-intel. Furthermore, given what is happening in Ukraine with the Russian invasion, we know that there are still military threats in the 21st century. However, we are also dealing with the emergence of new technologies that pose non-military threats. With rising geopolitical tensions, government-driven hostile cyber-operations are more prevalent now than ever, posing an increased threat level to Canada's national security, economic prosperity and public safety. In the 21st century, cybersecurity is national security, and it is our government's responsibility to protect Canadians from growing cyber-threats. That is exactly why we have developed Bill C-26. It contains a multitude of important measures to protect Canadians and Canadian businesses. It is a carefully designed, multipronged approach. Part 2 of this act would enact the critical cyber systems protection act to provide a framework for the protection of the critical cyber systems that are vital to national security and public safety. It also authorizes the Governor in Council to designate any service or system as a vital service or vital system, and requires designated operators to establish and implement cybersecurity programs, mitigate supply chain and third party risks, report cybersecurity incidents and comply with cybersecurity directions. Introducing the new critical cyber systems protection act would strengthen baseline cybersecurity and provide a framework for the government to respond to emerging cyber-threats. It is essential that we keep pace with the rapidly evolving cyber-environment by ensuring we have a robust, legislative framework in place. In short, Bill C-26 is essential to helping keep Canadians and their data safe. In a world as connected as ours, we cannot take that for granted. Once again, cybersecurity is national security. 
I am looking forward to this bill being sent to committee, and I encourage all members to join me in supporting Bill C-26 in subsequent readings.
  • Mar/23/23 5:16:09 p.m.
  • Re: Bill C-26 
Madam Speaker, it is an honour to speak today in the House on Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. With every passing year, Canadians are increasingly moving their lives online. They communicate with loved ones through email, messaging, photo sharing, video calls and more. They can order their entire grocery orders, rent cars for the weekend and book appointments with a click in an app. As more and more Canadians choose to put more of their lives online, it falls to us, as members of Parliament, to ensure our cybersecurity laws are as protective of their personal and private information as possible. The next generation of Canadians are increasingly building their professional and personal lives online. At the same time, they face mounting threats from foreign actors, ranging from scammers to state actors. These actors have shown they would use any tactic, from identity theft to cyber-attacks, to exploit Canadians and attack our institutions. That is why the legislation we have before us today is essential, and why getting it right the first time is even more important. In particular, it must protect our online information while not crushing our small business start-ups under mountains of red tape. On this side of the House, my Conservative colleagues and I believe that, as currently constructed, Bill C-26 fails to account for the welfare of small business start-ups by adding more red tape and placing burdensome costs on our homegrown technology sector. As constructed, this bill would directly affect start-ups by adding further bureaucracy that would drive up their starting costs. It would overburden with regulation the small telecommunications providers, the companies that provide our families and businesses with access to a global market online. Wrapping them in red tape could risk our access to competing on the world stage. 
The Liberal government has already made it hard enough for start-ups, and the Liberal record on small business has been one committed to mazes of bureaucracy, punitive fines and penalties, and rising inflation. A Liberal economy of high tax and wasteful spending has already made it hard enough for start-ups. Through the overarching premise of this cybersecurity bill, we know that it is needed. We absolutely need to update our cybersecurity laws, while at the same time we cannot allow Bill C-26 to add unnecessary burdens to business, especially small businesses. I am particularly concerned about how this bill's regulations would also apply to businesses “irrespective of their cyber security maturity”, implying that providers who already have advanced electronic protection measures would still have to comply with the new regulations of the bill. This means that businesses could not continue using their current, possibly more robust, cybersecurity systems. Instead, they would have to disregard their current cybersecurity measures and replace them with the newly proposed government model. Even Canadian businesses that have already worked hard to protect their customer security at accepted global standards would still incur more cost despite their robust electronic security measures. They would need to invest in government-regulated security measures, incurring costs such as inspection, extra time, installation and further training. They may have to completely overturn their superior standards for the government's preference. The thing is, we do not know what the regulations would be or how they would affect businesses, because the actual regulations have not been developed. That is how the government does a lot of its bills. There are great titles, with few details. We are expected to just trust the Liberals to figure it all out later, behind closed doors, with no opportunity to study them at committee with expert witnesses. 
Imagine if this regulatory framework were applied to any other business. Suppose we were regulating changes in the banking security industry. We would require that every Canadian bank and credit union tear its building down to the ground, brick by brick, and then rebuild itself from scratch. That really does not make sense. Now is the time when we should be encouraging competition and bringing in more telecommunications companies. We know Canada has some of the highest telecommunications costs in the world. As more and more Canadians move their lives online, whether for banking, social media or work, adding more tape in this bill, as mentioned, would make this transition far more difficult. Costs never remain in the businesses' ledgers forever; they are inevitably always passed on to the consumer. As a government, we should encourage the next generation of Canadian entrepreneurs who are innovating. I will mention, as a sidebar, that I was formerly on the industry committee and we did a quantum computing study, which was, frankly, terrifying. It was about how Canada could be exposed to bad actors, which could affect every part of our online lives. As these technological advances develop, we have to be aware of risks and be able to stay ahead of technology. These enterprises, businesses and telecommunications providers do not need more red tape; they need a stable market without uncompetitive government interference. We know very well how easy it can be for the government to build regulations that only the largest providers of an industry can shoulder. Without attention to scale, a single fault of noncompliance could instantly wipe out a smaller company. The legislation would allow ministers and bureaucrats to levy fines as high as $15 million without special consideration, such as the size of a company's user base. Nonspecific details like that are music to the ears of our largest telecommunications providers. 
Monopolization of our telecommunications sector is something Canadians are already concerned about. We must always proceed cautiously, so as not to turn away innovation and new businesses entering the market, which creates healthy competition. For example, these fines could also be enacted under the vague term of “protecting a critical cyber system”. This vague terminology can leave a lot of leeway for government ministers to injure Canadian businesses with rampant fines. There is already a shortage of online and electronic security professionals in Canada. According to the Business Council of Canada, an estimated 25,000 personnel are needed in the cybersecurity industry. Instead of dissuading these crucial professionals from joining this industry and helping keep Canada safe from domestic and foreign cyber-threats, let us provide a better framework and encourage them to build new businesses in this essential industry. Let us not scare them off with red tape and penalties. As members can see, the legislation proposed for Bill C-26 has some significant concerns that require amendments at committee. Regulations being made with a lack of transparency behind closed doors, after the bill passes, is a concern. Conservatives will be looking to make amendments to the bill at committee as we hear from experts. As I mentioned earlier, my Conservative colleagues and I encourage and support new, updated and secure cybersecurity measures being put in place, especially as more and more Canadians move their lives online. However, by placing more and more red tape on small and start-up businesses and providers that have already been in the industry for years, the bill would effectively dissuade businesses from entering this market and providing more services for Canadians. Large and mature businesses can handle the related costs of Bill C-26, but the associated expenses could crush small businesses. 
I have worked, for much of my career, around various regulated industries and have seen, all too often, red tape and regulations making it too hard for small businesses to even start or to stay afloat without being acquired by larger firms, as small companies just cannot keep up with the regulatory compliance. Cybersecurity threats affect all our communities. In January, an international ransomware group claimed responsibility for an Okanagan College cyber-attack in my region. Let us keep Canada safe by building clear online security measures that would encourage start-up professionals and businesses to help build up our cybersecurity infrastructure to a world-class standard. We will not accomplish this goal if we continue to add burdensome fines, penalties and red tape.
  • Mar/23/23 5:45:38 p.m.
  • Re: Bill C-26 
Mr. Speaker, it is always an honour and a privilege to rise in this place, and it is nice to join the debate on the topic at hand. When we talk about cybersecurity, there are so many different factors that go into it. I recognize that the bill before us largely has to do with telecommunications companies, bigger companies, and perhaps with government institutions as a whole. However, as we are having this conversation, we need to recognize and address the fact that the risk presented through cybersecurity extends much beyond that. With the current generation of kids being raised, kids are heavily involved in using cellphones, video game systems and computer consoles, for example, and are curious by nature. They are more at risk of clicking on a link that they do not know or realize is harmful. We know that is quite often how a lot of bad actors exploit weaknesses in computer systems in businesses or in homes. It is important to have that context out there early as we start the debate on this bill. I want to get into a few specific parts of the bill at the start. First, it proposes to amend the Telecommunications Act to make sure the security of our Canadian telecommunications system is an official objective of our public policy, which is not a bad idea in and of itself. Second, it would create a new critical cyber systems protection act. The stated goal is to have a framework in place that would allow for better protection of critical cyber-services and cyber systems, which impact national security and public safety. Some of the proposals include the designation of services or systems deemed to be “vital” for the purposes of this new act, along with designating classes of operators for these services or systems. The designated operators in question could be required to perform certain duties or activities, including the implementation of security programs, the mitigation of risks, reporting security incidents and complying with cybersecurity directions. 
Most significantly, Bill C-26 would authorize the enforcement of these measures through financial penalties or even imprisonment. Anybody hearing these few examples listed in the preamble probably thinks this sounds like common sense, and I would generally agree with them. However, there is a problem, especially with the last one, which has to do with directions, because it is quite vague. These points should raise some obvious questions. How are we defining each of them? What are the limits and the accountability for using these new powers? It is fair to have these general concerns when we consider any government, but Canadians have reason to be especially wary with the one currently in power based on the Liberal record itself. Unfortunately, the most recent and disturbing revelations related to foreign interference in two federal elections, which allegedly included working with an elected official, are not the only things we need to talk about. Here is another example. For a number of years, the Conservatives were demanding that the Liberals ban Huawei from our cellular networks. Despite all the warnings and security concerns, they delayed the decision and left us out of step with our closest partners in the Five Eyes. We had been calling it out for years before they finally decided to make the right decision thanks to pressure from Canadians, experts, our allies and the official opposition. It was not very long ago, almost a year, when the announcement to ban Huawei came along. As much as it was the right decision, it should have been made much sooner. To say that is not a complaint about some missed opportunity in the past. The delay caused real problems with upfront costs for our telcos, and it created extra uncertainty for consumers. Prior to becoming a member of Parliament, I worked for a telecommunications company in Saskatchewan. 
When we look at how big and vast our country is, we start thinking about how much equipment is required for one single telecommunications provider in one province, like SaskTel, the company I worked for. We can think about how much equipment it would have ordered or pre-ordered and potentially would have had to replace based on the government taking so long to make up its mind on whether or not to ban Huawei. If we look at some of the bigger companies out there, it is the same thing. There are the upfront costs they would have had to incur, and then the new costs if they had to replace all their equipment on top of that. This was simply because the government dragged its feet on such a big decision. We have learned a lot of other things about foreign interference since then that need to be properly addressed and independently investigated. We need a public inquiry, at the very least, into some of these issues. However, once again, the Liberals are refusing to do the right thing for as long as they possibly can. It is clearer than ever before that we need to get a lot more serious about our cybersecurity, because what we are really talking about is our national security as a whole. These two things are closely intertwined, and having this conversation is long overdue. We are happy to see the issue get more of the attention it deserves. Canadians have a lot of questions and concerns about it that should not be ignored. That is why it is a priority for Conservatives on our side of the House, and we are not going to let it go. While we work to carefully review Bill C-26 in this place, we want to make sure that it will be effective and accomplish what it is supposed to do. It needs to protect Canadians living in a digital world. At the same time, it should not create any new openings for government to interfere with people's lives or abuse power. 
After all, we are waiting for Bill C-11 to return to the House with all the problems it has, including the risk of online censorship. The problem is that whether it is about Huawei or the latest scandal about foreign interference, the Liberal government has failed to act, and it has undermined trust in our institutions. Therefore, it is hard to take it seriously when a bill like this one comes forward. The government's failure in this area is even more frustrating because we should all agree that there is a real need to strengthen cybersecurity. That is what experts and stakeholders have been telling us over many years. Canadians have had to wait for far too long for the government to bring something forward. Make no mistake: This bill is flawed, and it will require more work to make sure that we get it right. However, the fact that we are talking about the issue right now is a small and necessary step in the right direction. There are a few points I would like to mention. Part 1 of this bill will allow the federal government to compel service providers to remove all products provided by a specified person from its networks or facilities. First of all, that puts a lot of companies at risk of having adversarial agreements signed in the future. If I were a company trying to sign an agreement, I would be doing everything I could to make sure that someone is not going to put a clause in there that if the government forces its removal, there is going to be an extra fine levied on the company. The problem with this bill is that it exposes companies to having these bad contracts negotiated, signed and forced on them by bad actors. Under the new critical cyber systems protection act, the minister would be able to direct and impose any number of things on a service provider without giving them compensation for complying with the orders. 
Earlier, I was talking about the upfront costs paid by telcos trying to advance their networks to provide the products and services that their clients and customers want and need, especially as the world moves forward in a more digital fashion. The government is going to force them to do something without any compensation or without the ability to have help dealing with these changes. I think this is something that needs to be reconsidered in this bill. That leaves service providers in a position where they have to pay for complying with potentially arbitrary orders or face legal penalties, such as the ones I mentioned earlier: fines or even imprisonment. Again, we do have a desperate need to improve our cybersecurity regime, but these problems show that the bill is poorly written. By seeking to implement personal liability for breaches of the act, it will incentivize skilled Canadian cybersecurity professionals to leave Canada to find jobs elsewhere. This phenomenon, commonly known as the brain drain, is emerging as a severe issue for our economy, in some part thanks to the policies of the government. Thousands of skilled, highly employable Canadians move to the United States thanks to the larger market, higher salaries and lower taxes, while very few Americans move to Canada to do the same. This issue is bigger than just the cybersecurity sector. Thanks to this government, we are losing nurses, doctors and tech workers to the United States. All the while, professionals who immigrate to Canada are being denied the paperwork they need to work in the field they are trained for because of the ridiculous red tape that plagues our immigration. Given that we are already short 25,000 cybersecurity professionals in Canada, is it wise to keep incentivizing them to go to the States? Another massive problem with this bill is that it opens the door for some extreme violations of individual privacy. 
It also expands the state's power to use a secret government order to bar individuals or companies from accessing essential services. While we must improve our framework against cybersecurity attacks, drastically expanding what cabinet can do outside the public eye is always a bad idea. Accountability to the people and Parliament has always been an essential part of how we are supposed to do things in Canada. It is, however, not surprising that the current government would advocate for more unaccountable power. After all, government members have been anything but transparent. They have hidden information from Canadians to protect their partisan interests. Canadians deserve to know what the government is doing. We must always uphold the principle that everyone is innocent until proven guilty. Giving cabinet the right to secretly cut Canadians off from essential services could threaten to erode this fundamental right.