Bill C-26

Madam Speaker, I want to point out that we have been providing significant investment in critical cyber systems and cybersecurity. We did this in budget 2019 by providing $144.9 million for the protection of our critical cyber systems in the areas of finance, telecommunications, energy and transport. We also invested almost $400 million in the Canadian centre for cybersecurity, in the creation of the national cybercrime coordination unit and to increase our RCMP enforcement capacity.

The hon. member did a wonderful job in asking how we are going to make sure we work with the public and private sectors. The Minister of Public Safety was very clear this morning: This legislation is about filling in the gaps and providing a bridge for all of the different actors, both in the private sector and in the public sector, so we can work together to create more resiliency against any cyber-attacks in the future.

Madam Speaker, I think we all agree that the protection of Canada's cybersecurity needs to be improved. However, as we are hearing from the opposition, there are concerns around the broad powers the minister would have through this bill and concerns about everyday Canadians possibly being surveilled by their own government.

We have not heard assurances from the government as to how it will address that to ensure Canadians do not feel they will be victims of government overreach through powers given to the minister.

Madam Speaker, this question has come up all morning. I think it is a very big concern, not only for the opposition but for this side of the House.

We want to make sure we get this right. We must ensure that we have very strong protections against cyber-attacks and have cyber-attack resiliency in this country. We also have to be very transparent about the additional powers and how they will be used.

Madam Speaker, I say good morning to all of my hon. colleagues, and I thank the hon. member for Davenport for her insightful discussion of this bill.

I am thankful for the opportunity to weigh in on Bill C-26, an act respecting cybersecurity, as we continue debate at second reading. Bill C-26 will take great strides to enhance the safety of our cyber systems and will make changes to allow for measures to be taken within our telecommunications system.

There are two parts to this act. Part 1 amends the Telecommunications Act to “promote the security of the Canadian telecommunications system” as a policy objective. An order-making power tied to that objective would be created for the Governor In Council, or GIC, and the Minister of Industry. That power could be used to compel action by Canadian telecommunications service providers if deemed necessary. With these authorities, the government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.

The bill would enable action against a range of vulnerabilities to these critical systems, including natural disasters and human error. The Department of Innovation, Science and Economic Development would exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry. Once amendments to the Telecommunications Act receive royal assent, GIC or ministerial orders could be issued to service providers.

Part 2 of the act would create the critical cyber systems protection act, or the CCSPA. The CCSPA would be implemented collaboratively by six departments and agencies: the departments of Public Safety; Innovation, Science and Economic Development; Transport; Natural Resources; and Finance, as well as the Communications Security Establishment. They will all play a key role. Indeed, across the Government of Canada, there is a recognition that cybersecurity is a horizontal issue, and it should be addressed through a streamlined government response across sectors, all rowing in the same direction.

Schedule 1 of the act would designate services and systems that are vital to the national security or public safety of Canadians. Currently, schedule 1 includes telecommunications service and transportation systems. It also includes, in the finance sector, banking systems and clearing and settlement systems, and, in the energy sector, interprovincial or international pipeline and power line systems and nuclear energy systems.

Schedule 2 of the act would define classes of operators of the vital services and systems identified in schedule 1, as well as the regulator responsible for those classes. Operators captured in a class are designated operators subject to the act.

In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister of Public Safety would have overall responsibility for the legislation and would lead a number of CCSPA-related processes.

Decision-making by GIC under the CCSPA would ensure that a broad range of relevant factors, including national security, economic priorities, trade, competitiveness and international agreements and commitments, are considered when making decisions that have an impact across sectors. The CCSPA would also leverage regulators' expertise and relationships with entities they already regulate under existing legislation.

The Canadian centre for cybersecurity, or the cyber centre, is responsible for technical cybersecurity advice and guidance within Canada, and that would be no different under the CCSPA. It would receive resources to provide advice, guidance and services to designated operators in order to help them protect their critical cyber systems; regulators in support of their duties and functions to monitor and assess compliance; and public safety and lead departments and their ministers, as required, to support them in exercising their powers and duties under the act.

The CCSPA would require designated operators to establish a cybersecurity program that documents how the protection and resilience of their critical cyber systems will be ensured. CSPs must be established by designated operators within 90 days of them becoming subject to the act, that is, when they fall into a class of designated operators published in schedule 2 of the act.

Once established, the CSP must be implemented and maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology. CSPs must include reasonable steps to identify and manage organizational cybersecurity risks, including risks associated with an operator's supply chain, and the use of third party products and services. They must also protect their critical cyber systems from compromise, detect cybersecurity incidents that affect or have the potential to affect CCS and minimize the impact of cybersecurity incidents affecting critical cyber systems.

This legislation would also help confront supply chain issues. With the increasing complexity of supply chains and increased reliance on the use of third party products and services, such as cloud-based data storage and infrastructure as a service, designated operators can be exposed to significant cybersecurity risks from those sources.

When a designated operator, through its CSP, identifies a cybersecurity risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA would require the designated operator to take reasonable steps to mitigate those risks. Taking reasonable steps to mitigate risk is understood to mean reducing the likelihood of the risk materializing by, for example, securing a supply chain by carefully crafting contractual agreements to gain more visibility into equipment manufacturing, or by choosing another equipment supplier. It can also mean reducing the impact of a risk that materializes.

Under the CCSPA, there would also be a new obligation to report cybersecurity incidents affecting or having the potential to affect critical cyber systems to the Communications Security Establishment, for use by the cyber centre. A threshold defining this reporting obligation would be set in regulations. This would provide the government with a reliable source of information about cybersecurity threats to critical cyber systems. The availability of incident reports would enhance visibility into the overall threat for the cyber centre. Findings from the analyses of incident reports would make it possible for the centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and it would help to inform Canadians of cybersecurity risks and trends, allowing one organization's detection to become another's prevention.

The CCSPA would also create a new authority for the government. Under the act, the Governor in Council would be allowed to issue cybersecurity directions when it decides that specific measures should be taken to protect a critical cyber system from a threat or known vulnerability. Directions would apply to specific designated operators or to certain classes of designated operators. They would require those designated operators to take the measures identified and to do so within a specific time frame. Failure to comply with directions could be subject to an administrative monetary penalty or an offence that can lead to fines or imprisonment. The CCSPA would also includes safeguards to ensure that sensitive information, such as information that was obtained in confidence from Canada's international allies, is protected from disclosure.

All of this provides an overview of strong new legislation, which I hope I have adequately described in two distinct parts. I look forward to our continued debate of this landmark bill, and I encourage all colleagues to join me in supporting Bill C-26 today.

Madam Speaker, I certainly agree that something needs to be done about cybersecurity in this country, but I am increasingly alarmed when I see that the bills continually coming from the Liberal government say ministers would have all powers to do whatever they want. There is no transparency because there is no public record. Then they say not to worry about what the government is really going to do because the Governor in Council, which is really cabinet, will decide afterward with no parliamentary oversight what will be done.

Does the member agree that the government needs to have parliamentary oversight and at least have this subject to the scrutiny of committees?

Madam Speaker, of course, fundamentally I believe in the oversight of government and ensuring that there are checks and balances.

When bills proceed to committee, obviously members within the pertinent committee should bring forth ideas to strengthen them, and that includes Bill C-26. Our main priority as MPs is to bring forth good legislation, to improve it and to protect the security of Canadians, whether it is their cybersecurity or health and safety. Bill C-26 would take us down that path.

Madam Speaker, clause 2 of the bill would enable the government to issue orders to force users of telecommunications services to use products or services that do not come from certain providers, including Huawei.

Does that mean that a person who has already bought a Huawei cellphone, because that is a product, will not be able to use it anymore and will have to buy a new phone much sooner than they expected?

What is more, since decisions will be made by order, does that mean that, under this bill, the government will be using orders to govern in this area instead of going through parliamentarians?

Madam Speaker, I thank my colleague from Quebec for her question.

In the preliminary version of the Library of Parliament's assessment of the bill, there is a reference that the bill specifies that no one would be entitled to any compensation from the federal government for any financial losses resulting from these orders. I am not certain if these orders pertain to exactly what the member was speaking to, but I do believe so. I would have to get back to the member on that specific question, because it is a pertinent question.

Madam Speaker, we are all in agreement here. We know that Canada needs to strengthen protections when it comes to cybersecurity to protect Canadians and Canadian businesses.

One thing we are all unified on over on this side in the opposition parties is that we need to have some assurances for everyday Canadians that these sweeping powers, broad powers that are going to be given to the minister, are not going to be applied to everyday Canadians in terms of surveillance.

I know we keep hearing from Liberal colleagues that they will get it to committee and will answer these questions. However, does my colleague not agree that the minister failed in bringing forward this legislation without addressing some of these concerns at all? This is fairly substantial legislation, and the Liberals have not been able to address any of the concerns we brought forward today around these very real concerns.

Madam Speaker, we must always protect the civil liberties and rights of Canadians. Any legislation brought to the House needs to pass that means test, if I can call it that.

With reference to Bill C-26, it is definitely required that we update our cybersecurity laws to reflect the ongoing changes in technology that have happened over the last number of years and the increasing use of cybersecurity, cyber-threats, increasing digitization that has been going on in the world, and the fact that Canadians are increasingly interconnected in this world.

We need to maintain checks and balances within the system and ensure that individual rights of Canadians are protected.

Madam Speaker, I will be splitting my time with the member for Sherwood Park—Fort Saskatchewan, a good friend of mine.

Today I get to address Bill C-26, and right off the top I will say that I think this is dumb legislation. Why do I say that? I say that because I do not think that it has attempted to do what it has stated it would do. Generally I find that this is another piece of legislation, probably the third or fourth that I have spoken on in this session of Parliament, where I am frustrated with the government in that it does not seem to do the hard work of governing.

Governing is a matter of balancing the interests and coming up with a statement or something that is clear. On the rule of law, we would anticipate the public and anticipate what the rules ought to be and then look at the law, read the law somewhere and say, “Oh, that is what we are supposed to be doing.”

Again, here we have a piece of legislation where there is a clear, identifiable problem. Canadians have seen a number of issues around the country and around the world where cybersecurity is under threat. Canadians are asking the government to govern, to set some parameters and guidelines as to what the expectations are around who gets to participate in cyberspace and how we ought to operate in cyberspace.

We see in this piece of legislation the classic attitude of “We're the government. We're here to help. Trust us. We got this.” We do not trust the government. Particularly, the Conservatives do not trust the government to do the things it needs to do. We have seen it try to hand out billions of dollars to its friends. I mentioned the WE scandal. We have seen it hand out money to its friends over at Baylis Medical. We have ample evidence of why we should not trust the government.

When it comes to cybersecurity, it is also an area where I do not trust the government. The government has been in power for seven years, and we have watched it drag its feet with an inability to come to a decision, for a whole host of reasons, around the Huawei situation. Was a particular company allowed to participate in the building of the infrastructure of our Internet architecture?

This is a major issue. We told the government that we don't think this Chinese Communist Party government-controlled company should be able to participate in the Canadian Internet infrastructure. We called on the government to ban the use of Huawei technology in our Internet infrastructure, yet it could not do it. It took the government years of dragging its feet, wringing its hands and doing a whole host of things. When the Liberals come forward with a bill like Bill C-26 and say to trust the minister and that they will get this right, I am sorry, but we do not trust the minister to get this right.

We have seen a number of security threats challenging our basic infrastructure. One we should really take note of, which was fairly recent, is the shutdown of a particular pipeline. We saw a dramatic spike in fuel prices across North America because the cybersecurity of a particular piece of pipeline infrastructure was not to the state that it should have been. This, again, comes to the fact around trusting the government to do its job, particularly this government.

One of the key roles of government in Canada and anywhere is the maintaining of peace and security, and we have a military, a police force and a judicial system for that. A growing area where we need to be concerned about peace and security is in cyberspace.

We should be able to feel that our property should not go missing. We should be able to own property, and it should be able to be maintained by us, all of these kinds of things. We expect the government to put forward registries so we can register our property, so that, if it goes missing, the government has a registry of it and we can use that to get our property back. It cannot just be expropriated from us, all of these kinds of things.

In the same way, that is increasingly a part of cybersecurity. The ownership of things in cyberspace, the ownership of websites and the ownership of even our own Twitter handles, for example, are increasingly things that are deemed to be cybersecurity.

The government seems to be lacking in the ability to protect Canadians' cybersecurity.

There is an iconic Canadian company, Ski-Doo. I do not know if people are snowmobilers, but I do enjoy snowmobiling, and Ski-Doo is an iconic Canadian company.

I do not know if people know this but, recently, Ski-Doo has been the victim of a cyber-attack and has lost control of its entire dealership network. Its own computer system has gone down. It has not been able to get it back. Somebody else has control of it now and it has not been able to get it back.

These are the types of things that I think are crucial. When one is going to bring in a bill that talks about cybersecurity, these are the kinds of things the government should be trying to keep secure. This is Canadian property. These are Canadian identities. These are Canadian brands. These are the things we need to ensure we can prosecute, that we can track these people down who are doing this kind of thing and that we can ensure cybersecurity.

I guess that is where I get a little frustrated with a bill like this. It says a lot of nice things at the top of it. The government comes here with a blanket statement around how it is going to defend cybersecurity, how cybersecurity is important and how we should all vote in favour of this particular bill. I imagine that we will.

However, the bill does not necessarily tell us what we are going to do. The banning of Huawei is not necessarily laid out in this. There are no criteria as to what the expectations are for companies to operate in this space, in terms of what they can be tied to and what they should not be tied to. It is just, “Trust us. We are the government and we are here to help.”

In addition, we have seen over the last number of years the opportunities for the government to put resources into law enforcement's ability to track some of this down. We can see changes to the Criminal Code, to ensure that some of these malware attacks or ransomware attacks could be tracked down and prosecuted here in Canada. This is a major concern for companies looking at investing in the world. They look at a country's ability to protect them from a cyber-attack but then also to prosecute those cyber-attacks.

I have a friend who works for the Calgary city police. He works in cybercrimes. He often works with police forces from around the world to track down folks who are using ransomware on Canadian companies.

He tells me they rarely, if ever, prosecute in Canada because our laws are so non-distinct around this that it is impossible to prosecute. Because these are multi-jurisdictional crimes, they will often take the prosecution of this to a jurisdiction that has better laws. He says he will work with 23 law enforcement organizations and they will bring a case in Europe, in eastern Europe or in Israel, because those places have much better laws to protect cybersecurity.

Madam Speaker, I am glad the member will be voting in favour of the legislation going to committee. Hopefully many of the concerns he raises on the issues surrounding the worthiness of the legislation, will be addressed at that stage.

The legislation would empower the minister to be able to take actions. It would allow for financial penalties. It would allow for us to deal with cyber-attacks from a legislative perspective. That does not necessarily mean that this is the only thing we have done over the last number of years. There has been a great number of financial resources, individuals, committees and so forth ensuring our industries are protected.

This is yet another step forward in dealing with cyber-attacks, keeping us consistent with other allied countries. I am wondering if the member would acknowledge the importance of moving forward with allied countries in dealing with things, such as cyber-attacks?

Madam Speaker, I am hopeful that this bill would get us in line with other countries from around the world because, increasingly, Canada is left out of the discussions around cybersecurity.

We are no longer invited to some of the many important forums that do take place in battling this. If that is what this bill is attempting to do, to bring us in line with some of these other countries, I hope that is the case. However, I would note, I was talking to my friend with the Calgary Police Service who said that Canada is increasingly not the jurisdiction where they pursue these prosecutions because we are so lacking in good legislation to protect our cybersecurity.

Madam Speaker, I thank my colleague for his speech.

He talked about trust in the government or perhaps a lack of trust. In the current global context, there is interference by countries like China. We know that the RCMP has launched investigations into 11 electoral candidates. In fact, we also know that on July 7, 2016, the Prime Minister authorized a Chinese bank to do business on Canadian soil. At the same time, on July 6 and 7, 2016, the Papineau Federal Liberal Association received more than $70,000 in donations in 48 hours.

Is that not a reason to lose trust in the Prime Minister and the government?