44th Parl. 1st Sess.
March 23, 2023 10:00AM
Mr. Speaker, I am reading from the summary of Bill C-26, which would amend the Telecommunications Act to “authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure” our telecommunications security.
Although it is a laudable goal, those are very broad powers to give to a minister. Does my colleague feel it is necessary to give such broad and unfettered authority to one person?
85 words
- Hear!
- Rabble!
- add
- star_border
- share
Madam Speaker, not only would Bill C-26 introduce the new critical cyber systems protection act, or CCSPA, to legally compel designated operators to protect their cyber systems, but it would also amend the Telecommunications Act to enshrine security as a policy objective and bring the sector in line with other critical infrastructure sectors.
Being online and connected is essential to all Canadians. Now more than ever, Canadians rely on the Internet for their daily lives, but it is about more than just conducting business and paying bills. It is also about staying in touch and connected with loved ones from coast to coast to coast and, indeed, around the world. That is also why the Government of Canada is connecting 98% of Canadians to high-speed Internet by 2026 and 100% of Canadians by 2030.
Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, particularly with the emergence of new technologies such as 5G, which will operate at significantly higher speeds and will provide greater versatility, capability and complexity than previous generations. These technologies certainly create significant economic benefits and opportunities, but they also bring with them new security vulnerabilities that some may be tempted to prey on.
At this time, I want to bring the perspective of my constituents in the riding of Fredericton to this important debate today. Fredericton is home to the Canadian Institute for Cybersecurity at the University of New Brunswick, with a focus on disruptive technology and groundbreaking research. The institute provides hands-on support for community and industry partners as they face emerging threats, with company-specific, cross-disciplinary research.
Led by Dr. Ali Ghorbani, Canada's research chair in cybersecurity, the institute generates datasets to help thwart malicious cyber-attacks and works in tandem with the National Research Council of Canada in an innovative hub model that will lead to discoveries and advancements in cybersecurity, including publications, patents and the commercialization of technology, as well as provide training opportunities for graduate students and post-doctoral fellows.
Innovative cybersecurity research is conducted with a focus on Internet security, artificial intelligence, human-computer interaction and natural-language processing. I was honoured to welcome many ministers to my riding and to connect them with researchers and leaders in the industry to showcase how my community distinguishes itself in this sector. Fredericton is at the forefront of this new age and the challenges it presents, and I could not be more proud.
Even if there is enormous potential for Canadian digital innovation and expertise in cybersecurity, and I am witnessing it every day at home, we also need to face the fact that cyber-threats are growing in sophistication and magnitude. In 2021, close to 200,000 businesses across the country were affected by cybersecurity incidents, and this number continues to grow. Each of those businesses is not merely a business. It is comprises hard-working owners and employees, with families to feed and bills to pay. It is all the more maddening that many of these businesses must spend precious amounts of time and money preventing or fighting back against these incidents, many of which involve stealing money or demanding ransoms.
Canadian businesses have spent billions of dollars over the last years to detect and prevent cybersecurity incidents and, consequently, they have been experiencing downtime and a loss in revenue. Cybercrime is costly, and those who are bearing the brunt of it are Canadian businesses.
We also know that at all levels of government, we have not been immune from these kinds of attacks, even, horribly, hospitals. Earlier this year, the Toronto SickKids hospital was targeted by a ransomware attack affecting its operations. Closer to home, in Atlantic Canada, a ransomware group was behind the 2021 cyber-attack that paralyzed the Newfoundland and Labrador health care system.
Beyond the monetary implications, attacks like these have the real-life potential of impacting the health and safety of the ones we love, and we must do everything in our power as legislators to put in place effective safeguards. The effects on Canadians demonstrate beyond a doubt why we need to strengthen Canada's cybersecurity systems. As lawmakers, the least we can do is ensure that Canada and its institutions and businesses can continue to thrive in the digital economy and that our banks and telecommunications providers can continue to provide Canadians with reliable services.
Bill C-26 would modernize existing legislation to add security to the nine other policy objectives in the act, bringing telecommunications in line with other critical sectors. The bill would also add new authorities to the Telecommunications Act, which would enable the government to take action to promote the security of the Canadian telecommunications system.
As mentioned, in recent years, Canada's cybersecurity status has been tested by a variety of threat campaigns targeting critical infrastructure, businesses and individuals. The increase in digitization has led to the weaponization of digital tools and processes. This results in the disruption of critical systems and causes a lack of confidence in physical, psychological and economic well-being.
I am proud of all the work that has been done to secure Canada's critical telecommunications infrastructure, but I do not want us to lose sight of the work still to be done. The advent of the COVID-19 pandemic was a catalyst for bolstering national and international cyber-defence practices, requiring improved policies, guidance and cyber-intel.
Furthermore, given what is happening in Ukraine with the Russian invasion, we know that there are still military threats in the 21st century. However, we are also dealing with the emergence of new technologies that pose non-military threats.
With rising geopolitical tensions, government-driven hostile cyber-operations are more prevalent now than ever, posing an increased threat level to Canada's national security, economic prosperity and public safety.
In the 21st century, cybersecurity is national security, and it is our government's responsibility to protect Canadians from growing cyber-threats. That is exactly why we have developed Bill C-26.
It contains a multitude of important measures to protect Canadians and Canadian businesses. It is a carefully designed, multipronged approach. Part 2 of this act would enact the critical cyber systems protection act to provide a framework for the protection of the critical cyber systems that are vital to national security and public safety.
It also authorizes the Governor in Council to designate any service or system as a vital service or vital system, and requires designated operators to establish and implement cybersecurity programs, mitigate supply chain and third party risks, report cybersecurity incidents and comply with cybersecurity directions.
Introducing the new critical cyber systems protection act would strengthen baseline cybersecurity and provide a framework for the government to respond to emerging cyber-threats.
It is essential that we keep pace with the rapidly evolving cyber-environment by ensuring we have a robust, legislative framework in place.
In short, Bill C-26 is essential to helping keep Canadians and their data safe. In a world as connected as ours, we cannot take that for granted. Once again, cybersecurity is national security.
I am looking forward to this bill being sent to committee, and I encourage all members to join me in supporting Bill C-26 in subsequent readings.
1213 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, it is always an honour and a privilege to rise in this place, and it is nice to join the debate on the topic at hand.
When we talk about cybersecurity, there are so many different factors that go into it. I recognize that the bill before us largely has to do with telecommunications companies, bigger companies, and perhaps with government institutions as a whole. However, as we are having this conversation, we need to recognize and address the fact that the risk presented through cybersecurity extends much beyond that. With the current generation of kids being raised, kids are heavily involved in using cellphones, video game systems and computer consoles, for example, and are curious by nature. They are more at risk of clicking on a link that they do not know or realize is harmful. We know that is quite often how a lot of bad actors exploit weaknesses in computer systems in businesses or in homes. It is important to have that context out there early as we start the debate on this bill.
I want to get into a few specific parts of the bill at the start. First, it proposes to amend the Telecommunications Act to make sure the security of our Canadian telecommunications system is an official objective of our public policy, which is not a bad idea in and of itself. Second, it would create a new critical cyber systems protection act. The stated goal is to have a framework in place that would allow for better protection of critical cyber-services and cyber systems, which impact national security and public safety.
Some of the proposals include the designation of services or systems deemed to be “vital” for the purposes of this new act, along with designating classes of operators for these services or systems. The designated operators in question could be required to perform certain duties or activities, including the implementation of security programs, the mitigation of risks, reporting security incidents and complying with cybersecurity directions. Most significantly, Bill C-26 would authorize the enforcement of these measures through financial penalties or even imprisonment.
Anybody hearing these few examples listed in the preamble probably thinks this sounds like common sense, and I would generally agree with them. However, there is a problem, especially with the last one, which has to do with directions, because it is quite vague. These points should raise some obvious questions. How are we defining each of them? What are the limits and the accountability for using these new powers? It is fair to have these general concerns when we consider any government, but Canadians have reason to be especially wary with the one currently in power based on the Liberal record itself.
Unfortunately, the most recent and disturbing revelations related to foreign interference in two federal elections, which allegedly included working with an elected official, are not the only things we need to talk about. Here is another example. For a number of years, the Conservatives were demanding that the Liberals ban Huawei from our cellular networks. Despite all the warnings and security concerns, they delayed the decision and left us out of step with our closest partners in the Five Eyes. We had been calling it out for years before they finally decided to make the right decision thanks to pressure from Canadians, experts, our allies and the official opposition.
It was not very long ago, almost a year, when the announcement to ban Huawei came along. As much as it was the right decision, it should have been made much sooner. To say that is not a complaint about some missed opportunity in the past. The delay caused real problems with upfront costs for our telcos, and it created extra uncertainty for consumers.
Prior to becoming a member of Parliament, I worked for a telecommunications company in Saskatchewan. When we look at how big and vast our country is, we start thinking about how much equipment is required for one single telecommunications provider in one province, like SaskTel, the company I worked for. We can think about how much equipment it would have ordered or pre-ordered and potentially would have had to replace based on the government taking so long to make up its mind on whether or not to ban Huawei. If we look at some of the bigger companies out there, it is the same thing. There are the upfront costs they would have had to incur, and then the new costs if they had to replace all their equipment on top of that. This was simply because the government dragged its feet on such a big decision.
We have learned a lot of other things about foreign interference since then that need to be properly addressed and independently investigated. We need a public inquiry, at the very least, into some of these issues. However, once again, the Liberals are refusing to do the right thing for as long as they possibly can. It is clearer than ever before that we need to get a lot more serious about our cybersecurity, because what we are really talking about is our national security as a whole. These two things are closely intertwined, and having this conversation is long overdue.
We are happy to see the issue get more of the attention it deserves. Canadians have a lot of questions and concerns about it that should not be ignored. That is why it is a priority for Conservatives on our side of the House, and we are not going to let it go.
While we work to carefully review Bill C-26 in this place, we want to make sure that it will be effective and accomplish what it is supposed to do. It needs to protect Canadians living in a digital world. At the same time, it should not create any new openings for government to interfere with people's lives or abuse power.
After all, we are waiting for Bill C-11 to return to the House with all the problems it has, including the risk of online censorship. The problem is that whether it is about Huawei or the latest scandal about foreign interference, the Liberal government has failed to act, and it has undermined trust in our institutions. Therefore, it is hard to take it seriously when a bill like this one comes forward. The government's failure in this area is even more frustrating because we should all agree that there is a real need to strengthen cybersecurity. That is what experts and stakeholders have been telling us over many years. Canadians have had to wait for far too long for the government to bring something forward.
Make no mistake: This bill is flawed, and it will require more work to make sure that we get it right. However, the fact that we are talking about the issue right now is a small and necessary step in the right direction.
There are a few points I would like to mention.
Part 1 of this bill will allow the federal government to compel service providers to remove all products provided by a specified person from its networks or facilities. First of all, that puts a lot of companies at risk of having adversarial agreements signed in the future. If I were a company trying to sign an agreement, I would be doing everything I could to make sure that someone is not going to put a clause in there that if the government forces its removal, there is going to be an extra fine levied on the company. The problem with this bill is that it exposes companies to having these bad contracts negotiated, signed and forced on them by bad actors.
Under the new critical cyber systems protection act, the minister would be able to direct and impose any number of things on a service provider without giving them compensation for complying with the orders. Earlier, I was talking about the upfront costs paid by telcos trying to advance their networks to provide the products and services that their clients and customers want and need, especially as the world moves forward in a more digital fashion. The government is going to force them to do something without any compensation or without the ability to have help dealing with these changes. I think this is something that needs to be reconsidered in this bill.
That leaves service providers in a position where they have to pay for complying with potentially arbitrary orders or face legal penalties, such as the ones I mentioned earlier: fines or even imprisonment.
Again, we do have a desperate need to improve our cybersecurity regime, but these problems show that the bill is poorly written. By seeking to implement personal liability for breaches of the act, it will incentivize skilled Canadian cybersecurity professionals to leave Canada to find jobs elsewhere. This phenomenon, commonly known as the brain drain, is emerging as a severe issue for our economy, in some part thanks to the policies of the government.
Thousands of skilled, highly employable Canadians move to the United States thanks to the larger market, higher salaries and lower taxes, while very few Americans move to Canada to do the same. This issue is bigger than just the cybersecurity sector. Thanks to this government, we are losing nurses, doctors and tech workers to the United States. All the while, professionals who immigrate to Canada are being denied the paperwork they need to work in the field they are trained for because of the ridiculous red tape that plagues our immigration. Given that we are already short 25,000 cybersecurity professionals in Canada, is it wise to keep incentivizing them to go to the States?
Another massive problem with this bill is that it opens the door for some extreme violations of individual privacy. It also expands the state's power to use a secret government order to bar individuals or companies from accessing essential services. While we must improve our framework against cybersecurity attacks, drastically expanding what cabinet can do outside the public eye is always a bad idea. Accountability to the people and Parliament has always been an essential part of how we are supposed to do things in Canada. It is, however, not surprising that the current government would advocate for more unaccountable power. After all, government members have been anything but transparent. They have hidden information from Canadians to protect their partisan interests.
Canadians deserve to know what the government is doing. We must always uphold the principle that everyone is innocent until proven guilty. Giving cabinet the right to secretly cut Canadians off from essential services could threaten to erode this fundamental right.
1793 words
- Hear!
- Rabble!
- add
- star_border
- share
Mr. Speaker, I rise today to speak on Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. Cybersecurity is of the utmost importance to Canadians, and I am glad to see the topic debated in the House today.
Bill C-26 would amend the Telecommunications Act. I should note that any time the Telecommunications Act is changed, I am very interested. Not only am I the shadow minister for rural economic development and connectivity, but I also have a bill before Parliament, Bill C-288, that would amend the Telecommunications Act to provide Canadians better information when it comes to the service and quality they pay for.
The dependence on telecommunications throughout our society continues to grow. The uses of Internet and cellular services are foundational to both the social and economic success of Canada, so I appreciate seeing the government move forward with a bill to secure our telecommunications network through Bill C-26. However, I must ask this: What took so long?
It was over two years ago when this House of Commons passed a Conservative motion that called on the Liberal government to ban Huawei from our 5G network. Despite this motion passing in the House of Commons and the director of the Canadian Security Intelligence Service warning the government in 2018, it took years to ban Huawei from Canada's 5G network. Therefore, is Bill C-26 important? It absolutely is. Did it take too long to get here? It absolutely did.
I should note that I recently asked if the University of British Columbia continues to work with Huawei in any form. The response was, “Yes, we do”. The government has been warned about the risks to our national security over and over again, yet we fail to see concrete action.
Analyzing Bill C-26, I have a few questions and concerns.
In its current form, Bill C-26 allows the Minister of Industry to obtain and disclose information without any checks and balances. If passed, Bill C-26 would grant the minister the power to obtain information from the Canadian telecom companies. It could, “by order, direct a telecommunications service provider to do anything or refrain from doing anything...that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.”
There are no specific details on what information can be collected when it comes to personal consumer data, nor is there any clarity on who the minister could share this personal information with. Could the minister share it with other ministers or other departments? As of now, it does not say the minister could not do so.
A recent research report entitled “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act” stated the following on this matter:
The legislation would authorize the Minister to compel providers to disclose confidential information and then enable the Minister to circulate it widely within the federal government; this information could potentially include either identifiable or de-identified personal information. Moreover, the Minister could share non-confidential information internationally even when doing so could result in regulatory processes or private right of actions against an individual or organization. Should the Minister or [any] other party to whom the Minister shares information unintentionally lose control of the information, there would be no liability attached to the government for the accident.
I think an accident by the current government happens quite a bit.
If Parliament is going to give the minister such powers, it is imperative that checks and balances exist. It is very important that, when we discuss the ability of a government to obtain personal information from Canadians, we ensure that Canadians are protected from the unauthorized use of such information.
I should also add to this conversation the impact Bill C-26 could have on smaller Internet service providers. Small Internet companies are foundational to improving competition within Canada's telecom industry, but they are sometimes left out of the conversation.
Bill C-26 would empower the minister to “prohibit a telecommunications service provider from using any specified product or service in, or in relation to, its telecommunications network or telecommunications facilities, or any part of those networks or facilities” or “direct a telecommunications service provider to remove any specified product from its telecommunications networks or telecommunications facilities, or any part of those networks or facilities”.
We do not know what types of telecom infrastructure and equipment will be deemed a risk to our national security in the coming decades, so imagine that a local Internet service company builds a network using a specific brand of equipment. At the time, no one raises security concerns with the equipment or the manufacturer. The local Internet company is just beginning its operations, investing heavily in equipment to build a network and to compete with larger telecom companies.
Imagine that, five years later, the government deems the equipment the company invested in to be a national security threat, forcing it to remove and dispose of such equipment. The small Internet company trying to compete, which acted in good faith, has just lost a significant amount of capital because of a government decision. There is a strong possibility that this local Internet provider can no longer afford to operate.
I am hopeful this conversation can be had at committee to ensure the government is not unfairly impacting small, local and independent Internet companies. As I said, I am glad the House is debating the issue of cybersecurity, as the discussion is long overdue, but it is imperative that the issues I raised be addressed at committee, it is imperative that the issues my colleagues have raised be addressed at committee and it is imperative that the issues experts have raised be addressed at committee. That is why I will be voting to send Bill C-26 to committee in hopes that these concerns can be addressed.
1017 words
- Hear!
- Rabble!
- add
- star_border
- share
- menumenu
- notificationsnotifications
- home
- mailmail
- searchsearch
