Bill C-26

Madam Speaker, that is one of the parts of the bill that philosophically sounds like a great thing that the bill could work on, but again, we do not have any details. It is a great objective, but we do not really have any strategies or any other information, so that is something that definitely could be asked at the committee as well.

Madam Speaker, while sitting through this debate, I observed that it has been one of the highest in quality since I have been in the House. It has been a substantive discussion of a very important issue. I am proud today, as I always am, to be a member of Parliament and to be sitting in the House of Commons.

Today, we are speaking to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. More broadly, it is a cybersecurity issue.

From the debate and other academic discussions, we can all agree that this is an area of substantial importance where legislation is required. In fact, it is one of my frustrations, which I think is shared by many Canadians, that this government is not agile enough in responding to a world that is quickly changing. We need to be more agile as a legislature, as the government, to reflect the changes that are going on.

We have had a little bit of talk about important changes, such as artificial intelligence, and the exponential speed in which it is changing is unbelievable. Any type of quick Google search will tell us, from many academics, about the great part artificial intelligence can serve in doing much of the hard work that human beings are now doing. However, those observers also say that its ability to do malicious work is equal, which is obviously very challenging. We see these threats, and as we go forward and see more and more powerful artificial intelligence and computing power, the potential for those threats is growing.

We have certainly seen our share, for lack of a better term, of run-of-the-mill cybersecurity threats just in the last couple of years. I was serving as the shadow minister for national revenue when there were substantial CRA breaches of confidential information. One such breach did not actually transmit any information, but it forced the CRA to shut down its entire system, which shut out over 800,000 people from their My Account or log-in system right around tax filing season, which was obviously a tremendous concern for Canadians who were attempting to file their taxes.

The unfortunate reality, as it stands today, is that we are vulnerable to cybersecurity attacks. My colleague for Kildonan—St. Paul spoke recently about a conversation she had with cybersecurity experts from the minister's department just last year. They warned her about the incredible implications of an attack on our critical infrastructure, such as our electrical infrastructure or pipeline technology.

Of course, it is no surprise to many, but maybe to some of my colleagues from British Columba, that we are in a cold country. We can imagine what the impact could be. Our heating infrastructure, our electrical grid and our ability to get natural gas out to some of the coldest places in the world could literally be a matter of life and death. Members can imagine, for example, a cyber attack on one of our nuclear facilities and what that could potentially mean. All this is to highlight in the House today the significance and importance of cybersecurity legislation.

Another example, which I believe has been discussed and debated but I think deserves highlighting again, was in Newfoundland in October 2020 when cybersecurity hackers stole personal information from health care workers and patients in all four regions, as well as social insurance numbers of over 2,500 patients. This is deeply personal information, and as our information increasingly goes on that magical cloud both in the public and private sector, it is increasingly important that we put the appropriate measures to cybersecurity.

As I said, the spirit of the legislation before us is absolutely right. The intent, I believe, is also right. The timing is a little slow, but we need to get it in place.

The member for Winnipeg North did comment on the need for expediency, and I agree with him in one sense. We need cybersecurity legislation, new cybersecurity legislation, in place yesterday. Unfortunately, they brought this legislation in, and it is not complete. There are a series of regulations that we do not know.

This is our job, and I am honestly not trying to be partisan. Instead, this is a substantive criticism that it would have expedited this legislation if they had brought forward the legislation completely baked to show us the regulations and what they want to do.

Of course, I would feel this way about any government as a Canadian citizen. If we are going to grant them wide swaths of power, and maybe even necessarily, we just want to know what exactly those powers are. Do not do as Nancy Pelosi famously said, as the Speaker of the House of Representatives, to pass the bill and then read the bill.

Let us read it first and understand it because, quite frankly, I think the conversation in the House has been at a very high calibre and the more information one can feed us, the more information we can digest to do our job for Canadian citizens by improving the legislation, especially in matters of, as the member from the Liberal Party rightfully said, not just cybersecurity but also national security. We really, in all candour and all honesty, want to do our due diligence here.

As I said, part one of the act:

amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything

This is obviously a very broad power, and that is what we need to look at and work on at committee. Like I said, this legislation, if fully baked, would have meant less work at committee. It would have meant, perhaps, carrying forward with the debate quicker, but as we are left with many questions, those questions deserve to be answered here in the people's House.

The legislation continues:

Part 2 enacts the Critical Cyber Systems Protection Act to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament. It also, among other things,

(a) authorizes the Governor in Council to designate any service or system as a vital service or vital system;

(b) authorizes the Governor in Council to establish classes of operators in respect of a vital service or vital system;

(c) requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions;

(d) provides for the exchange of information between relevant parties; and

(e) authorizes the enforcement of the obligations under the Act and imposes consequences for non-compliance.

I hope that I have highlighted the fact that this is an important piece of information and that there are gaps within the information, so my substantive ask would be for the government to publish some of those regulations, so that we can review them, perhaps even before committee, and come to it in a spirit of collaboration and discussion. This is a matter of national security.

Perhaps, as I am getting a little bit less young these days, I get a little bit more skeptical. I would love to see some accountability mechanisms where the minister reports back to Parliament or otherwise because the question with the government is always who will watch the watcher.

We have seen that all governments are not infallible and each can commit its own share of foibles, errors and mistakes, unintentional or intentional, so I would love to see some greater accountability come committee.

Mr. Speaker, I would agree that this is a very high-level discussion we have been having this afternoon. I think that it has been well placed.

He mentioned the possible impacts of, say, a nuclear facility being attacked. It got me thinking about the military capabilities of Canada. My riding of Fredericton is home to CFB Gagetown, very proudly so. We are also home to the Canadian Institute for Cybersecurity, as I mentioned previously in my speech.

I am wondering if he could comment more generally on this expanding role and the necessity to have cybersecurity education and professionals in our Canadian military.

Mr. Speaker, the short answer is that I agree. The longer answer is that I agree with the comment the member made earlier with respect to modernization. We need to modernize our view on security. The world changed dramatically a year and a half ago, and it continues to change. We need to be adept and agile, and quite frankly, willing to put the resources where they are needed for the future.

Mr. Speaker, my colleague knows that TikTok has been banned from all government devices.

My question is simple. Does my colleague believe that Beijing is using this platform to engage in political interference?

Mr. Speaker, I agree with the government's recommendation or policy to remove TikTok from all government devices. I believe the CEO of TikTok is testifying in front of U.S. Congress today, so we will see what comes from that. I would agree with him that we need to be on guard against foreign interference in all forms.

Mr. Speaker, I acknowledge that today we are having a serious debate about cybersecurity and amendments to the Telecommunications Act.

What strikes me is that as we discuss this issue in Parliament, there is an immense disconnect. Many communities here in our own country have barely any access to the Internet and the wired world that so many of us take for granted.

I am thinking particularly of first nations in my constituency, 11 of which announced a regional state of emergency today. The threat they face is not from the outside; it is from within. It is the threat of drugs, as well as the threat of federal neglect through the housing crisis and the public safety crisis. It is truly an unbelievable set of crises that they are facing in one of the wealthiest countries in the world. As their member of Parliament, I certainly share the concern that Canada is not taking the reality of first nations seriously in this country. There is a disconnect they are facing.

The big question is: What will it take for the Government of Canada to act and deal with the real threats that first nations, particularly the most marginalized here in our country, are facing right now?

Mr. Speaker, I thank the member for bringing forward this important area of discussion with respect to this debate. It always merits taking time on the floor of the House of Commons to discuss these issues.

Unfortunately, my time is very brief. I believe that any child, born on or off reserve, deserves an equal opportunity to be successful in this country. It is my commitment to do that. I have the great privilege of having two first nations within the constituency of Northumberland—Peterborough South, and I am very proud to represent them here in the House of Commons.

Mr. Speaker, my biggest concern with the legislation, as the member brought up, is about the overreaching powers the government is giving itself. We do not know much about what it will be doing with that power or how it can implement that.

Can the member give his opinion on how overreaching these powers are?

Mr. Speaker, there are a series of provisions talking about frameworks and giving the government powers to put itself within the private sectors to direct them without providing specific delineation of how that would happen. Like I said, it is difficult to get this type of legislation through in expedient ways without the government fully explaining what it wants to accomplish in this legislation.

Mr. Speaker, it is always an honour and a privilege to rise in this place, and it is nice to join the debate on the topic at hand.

When we talk about cybersecurity, there are so many different factors that go into it. I recognize that the bill before us largely has to do with telecommunications companies, bigger companies, and perhaps with government institutions as a whole. However, as we are having this conversation, we need to recognize and address the fact that the risk presented through cybersecurity extends much beyond that. With the current generation of kids being raised, kids are heavily involved in using cellphones, video game systems and computer consoles, for example, and are curious by nature. They are more at risk of clicking on a link that they do not know or realize is harmful. We know that is quite often how a lot of bad actors exploit weaknesses in computer systems in businesses or in homes. It is important to have that context out there early as we start the debate on this bill.

I want to get into a few specific parts of the bill at the start. First, it proposes to amend the Telecommunications Act to make sure the security of our Canadian telecommunications system is an official objective of our public policy, which is not a bad idea in and of itself. Second, it would create a new critical cyber systems protection act. The stated goal is to have a framework in place that would allow for better protection of critical cyber-services and cyber systems, which impact national security and public safety.

Some of the proposals include the designation of services or systems deemed to be “vital” for the purposes of this new act, along with designating classes of operators for these services or systems. The designated operators in question could be required to perform certain duties or activities, including the implementation of security programs, the mitigation of risks, reporting security incidents and complying with cybersecurity directions. Most significantly, Bill C-26 would authorize the enforcement of these measures through financial penalties or even imprisonment.

Anybody hearing these few examples listed in the preamble probably thinks this sounds like common sense, and I would generally agree with them. However, there is a problem, especially with the last one, which has to do with directions, because it is quite vague. These points should raise some obvious questions. How are we defining each of them? What are the limits and the accountability for using these new powers? It is fair to have these general concerns when we consider any government, but Canadians have reason to be especially wary with the one currently in power based on the Liberal record itself.

Unfortunately, the most recent and disturbing revelations related to foreign interference in two federal elections, which allegedly included working with an elected official, are not the only things we need to talk about. Here is another example. For a number of years, the Conservatives were demanding that the Liberals ban Huawei from our cellular networks. Despite all the warnings and security concerns, they delayed the decision and left us out of step with our closest partners in the Five Eyes. We had been calling it out for years before they finally decided to make the right decision thanks to pressure from Canadians, experts, our allies and the official opposition.

It was not very long ago, almost a year, when the announcement to ban Huawei came along. As much as it was the right decision, it should have been made much sooner. To say that is not a complaint about some missed opportunity in the past. The delay caused real problems with upfront costs for our telcos, and it created extra uncertainty for consumers.

Prior to becoming a member of Parliament, I worked for a telecommunications company in Saskatchewan. When we look at how big and vast our country is, we start thinking about how much equipment is required for one single telecommunications provider in one province, like SaskTel, the company I worked for. We can think about how much equipment it would have ordered or pre-ordered and potentially would have had to replace based on the government taking so long to make up its mind on whether or not to ban Huawei. If we look at some of the bigger companies out there, it is the same thing. There are the upfront costs they would have had to incur, and then the new costs if they had to replace all their equipment on top of that. This was simply because the government dragged its feet on such a big decision.

We have learned a lot of other things about foreign interference since then that need to be properly addressed and independently investigated. We need a public inquiry, at the very least, into some of these issues. However, once again, the Liberals are refusing to do the right thing for as long as they possibly can. It is clearer than ever before that we need to get a lot more serious about our cybersecurity, because what we are really talking about is our national security as a whole. These two things are closely intertwined, and having this conversation is long overdue.

We are happy to see the issue get more of the attention it deserves. Canadians have a lot of questions and concerns about it that should not be ignored. That is why it is a priority for Conservatives on our side of the House, and we are not going to let it go.

While we work to carefully review Bill C-26 in this place, we want to make sure that it will be effective and accomplish what it is supposed to do. It needs to protect Canadians living in a digital world. At the same time, it should not create any new openings for government to interfere with people's lives or abuse power.

After all, we are waiting for Bill C-11 to return to the House with all the problems it has, including the risk of online censorship. The problem is that whether it is about Huawei or the latest scandal about foreign interference, the Liberal government has failed to act, and it has undermined trust in our institutions. Therefore, it is hard to take it seriously when a bill like this one comes forward. The government's failure in this area is even more frustrating because we should all agree that there is a real need to strengthen cybersecurity. That is what experts and stakeholders have been telling us over many years. Canadians have had to wait for far too long for the government to bring something forward.

Make no mistake: This bill is flawed, and it will require more work to make sure that we get it right. However, the fact that we are talking about the issue right now is a small and necessary step in the right direction.

There are a few points I would like to mention.

Part 1 of this bill will allow the federal government to compel service providers to remove all products provided by a specified person from its networks or facilities. First of all, that puts a lot of companies at risk of having adversarial agreements signed in the future. If I were a company trying to sign an agreement, I would be doing everything I could to make sure that someone is not going to put a clause in there that if the government forces its removal, there is going to be an extra fine levied on the company. The problem with this bill is that it exposes companies to having these bad contracts negotiated, signed and forced on them by bad actors.

Under the new critical cyber systems protection act, the minister would be able to direct and impose any number of things on a service provider without giving them compensation for complying with the orders. Earlier, I was talking about the upfront costs paid by telcos trying to advance their networks to provide the products and services that their clients and customers want and need, especially as the world moves forward in a more digital fashion. The government is going to force them to do something without any compensation or without the ability to have help dealing with these changes. I think this is something that needs to be reconsidered in this bill.

That leaves service providers in a position where they have to pay for complying with potentially arbitrary orders or face legal penalties, such as the ones I mentioned earlier: fines or even imprisonment.

Again, we do have a desperate need to improve our cybersecurity regime, but these problems show that the bill is poorly written. By seeking to implement personal liability for breaches of the act, it will incentivize skilled Canadian cybersecurity professionals to leave Canada to find jobs elsewhere. This phenomenon, commonly known as the brain drain, is emerging as a severe issue for our economy, in some part thanks to the policies of the government.

Thousands of skilled, highly employable Canadians move to the United States thanks to the larger market, higher salaries and lower taxes, while very few Americans move to Canada to do the same. This issue is bigger than just the cybersecurity sector. Thanks to this government, we are losing nurses, doctors and tech workers to the United States. All the while, professionals who immigrate to Canada are being denied the paperwork they need to work in the field they are trained for because of the ridiculous red tape that plagues our immigration. Given that we are already short 25,000 cybersecurity professionals in Canada, is it wise to keep incentivizing them to go to the States?

Another massive problem with this bill is that it opens the door for some extreme violations of individual privacy. It also expands the state's power to use a secret government order to bar individuals or companies from accessing essential services. While we must improve our framework against cybersecurity attacks, drastically expanding what cabinet can do outside the public eye is always a bad idea. Accountability to the people and Parliament has always been an essential part of how we are supposed to do things in Canada. It is, however, not surprising that the current government would advocate for more unaccountable power. After all, government members have been anything but transparent. They have hidden information from Canadians to protect their partisan interests.

Canadians deserve to know what the government is doing. We must always uphold the principle that everyone is innocent until proven guilty. Giving cabinet the right to secretly cut Canadians off from essential services could threaten to erode this fundamental right.

Mr. Speaker, the hon. member seems to be concerned about the enforcement powers in this legislation. However, without those enforcement powers, it would be kind of a useless piece of legislation.

If I am sending an email to him to go over there, somehow or another, his entity may be the weak link. If, in fact, he is concerned about his piece of the infrastructure, the problem is: How would he propose changing that without some sort of significant power on the government's part to make sure that his piece of the cyber-infrastructure is not the weak link in the entire system?

Mr. Speaker, we need the government to talk to businesses, to be transparent in the process, to work with industry and to make sure there is a good process of approval so that equipment or the companies people are buying from are not already compromised. Let us work with them to make sure they know there are good actors out there that provide good equipment. There are many companies out there besides Huawei that provide good equipment. The government could work with those companies, rather than threatening them with fines and imprisonment, to make sure we have the proper equipment in our networks and make sure Canadians have not only the best services, but also the highest level of security they can possibly get.

Mr. Speaker, I sit on the national defence committee, and we are discussing a lot about cybersecurity, which relates to the debate today. Obviously, the armed forces are having quite a recruitment retention issue, but across the board we are seeing this with the labour shortage. One of the questions we were talking about regarding cybersecurity as it relates to national defence was around security clearances and what the government needs to do to attract people to the cybersecurity industry, potentially trying to ensure that people from outside Canada are attracted to this industry. Maybe the member of Parliament could address that a bit. I know it is a little outside our scope, but it certainly gets into how we start to address a lot of the problems we have been discussing all day.