Bill C-26

Madam Speaker, indeed, the committee has heard from several experts on this subject. They told us that there is currently nothing to force companies, whether they are federally regulated or not, to report when they are victims of cyber-attacks, for example. They can just not report it and try to work through it on their own, even though there are authorities in place to help them through these kinds of events.

The experts were telling us that it might be worth having a framework that forces companies to work with the government or cybersecurity bodies to report and help prevent attacks so that a solution can be found. My understanding of the bill is that it would create a framework to compel federally regulated companies to do exactly that. I think that is a very good idea. It follows through on what the experts were proposing in committee.

Madam Speaker, I am pleased to rise to speak to Bill C-26, which will strengthen the security of critical infrastructure and Canada's telecommunications system.

Since June, many experts have been working to learn more about the provisions of this act and assess the value of what the government is proposing.

First, this bill is not structured in the usual way. I see that the urgent need to manage cybersecurity has been taken into account. This bill would give the minister new responsibilities, but the Governor in Council would also be able to act. The law is essentially a regulatory framework that will enable the government to make regulations to ensure the security of critical cyber systems.

I want to focus on the second part of the bill, because passing it will create a new law, the critical cyber systems protection act, which will provide a framework for the protection of critical cyber-infrastructure or businesses under federal jurisdiction. The affected sectors of our economy are identified as designated operators. It is easy to determine which businesses and organizations are affected.

The government has done well to specify who will must comply with the obligations: persons, partnerships or unincorporated organizations that belong to any class of operators set out in schedule 2 of the new law. Those classes will be identified by order.

Each class of operators will be assigned a corresponding regulator, such as the Minister of Innovation, Science and Industry, the Minister of Transport, the Office of the Superintendent of Financial Institutions, the Canadian Energy Regulator, the Bank of Canada or the Canadian Nuclear Safety Commission.

Schedule 1 of the new act sets out the vital services and vital systems that will form the basis of these designations, which may be added at a later date: telecommunications services, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems that are within the legislative authority of Parliament, banking systems, and clearing and settlement systems.

I would like to draw my colleagues' attention to Hydro-Québec. An important part of the bill that has the Bloc Québécois concerned is the part on vital services and vital systems, which could potentially involve interprovincial power lines and distribution networks. It is of paramount importance that this section of the bill be studied and clarified in committee to assess whether this will affect Hydro-Québec and, if so, how.

However, we are not against the underlying principles and objectives of securing and protecting interprovincial infrastructure. Hydro-Québec reportedly suffers more than 500 cyber-attacks a year, or roughly 41 attacks a month. That is more than one attack a day. This could jeopardize our power grid, putting the life and economic health of every Quebecker at risk. It could also jeopardize customers' personal information, although that is generally a secondary target in any attack against a publicly owned energy corporation.

Although Hydro-Québec has managed to fend off these cyber-attacks and protect itself by investing in systems, firewalls and employee training, why should we not take proactive measures? Not only is it very time-consuming for businesses like Hydro-Québec and Desjardins to protect themselves and react to the constant onslaught of cybersecurity attacks, but it is also very expensive. Hopefully, this bill will help prevent or limit these attacks by taking a proactive approach and regulating and promoting new cybersecurity frameworks among Internet service providers. This is particularly important in light of the increased threat to our infrastructure from bad state actors such as Russia or China.

Hopefully, unlike today, businesses will have resources they can consult for information about cyber-attacks.

This is also a national security issue. These states have become emboldened not just by the Canadian government's passive reaction, but also by the regulatory void. We need only think of Huawei and the threat it represents, as well as the damage it has caused to the national security of countries around the world, especially in Africa. The examples are quite striking. China has passed a law forcing all businesses to contribute to the advancement of the objectives of Chinese intelligence services, which is particularly alarming when we consider that this country uses coercive diplomacy, blatantly disregarding international standards.

Even though the federal government has finally banned Huawei technology, the decision was preceded by many years of uncertainty because of the pressure, power and influence that China could unfortunately bring to bear on us.

This decision showed how vulnerable we are to malicious actors on the world stage. That is why we need a regulatory framework, a way to respond to cybersecurity threats, particularly from foreign powers that are in a position of power and use the weakness of others to advance their own positions.

I met this morning with representatives from Shakepay, a Quebec-based financial technology company that operates a platform dedicated entirely to bitcoin, with over one million Canadian customers. One of the things that struck me in that meeting was the importance they place on security and customer protection. Of course, I had Bill C‑26 in mind. They told me that all customer funds are held in a trust at a ratio of 1:1 with Canadian financial institutions and leading cryptocurrency depositories. I learned that they are continually working to improve and promote the implementation of cybersecurity measures to protect their systems.

In preparing for my remarks today on Bill C‑26, I started thinking that we need to examine how we can build on the security standards of Quebec companies like Shakepay and that we need to determine whether the bitcoin and cryptocurrency industry should also be considered in Bill C‑26. Whether we like it or not, technology and customer habits may be leading us in that direction.

I would like to discuss cyber-resilience. I understand that the bill will not be studied by the Standing Committee on Industry and Technology, on which I sit. However, I see issues that affect industries that are in that niche of protecting systems from cyber-attacks. There are two things to keep in mind here: The attackers go after data using methods that were previously unimaginable, and they tend to favour methods that significantly delay the ability to resume operations. The desired consequences are financial and reputational damage.

The inherent complexity of the systems currently in place requires increasingly specialized resources. Innovation, research and development must be encouraged, in short, the entire ecosystem of this industry that works on the cyber-resilience of very high-risk systems. We need to ensure to attract the best talent in the world. The government must carry out its responsibilities at the same pace as it introduces these changes. Let us not forget, as the opportunities for cyber-attacks keep increasing, that we are always one incident away from our continuity of operations being disrupted.

Is there an urgent need for action? Yes, clearly. Is the government on the same page as the people involved in this industry? Unfortunately, it has fallen behind.

For the past year, the Standing Committee on Industry and Technology has been studying topics that enabled it to get to the heart of the advanced technologies used in the industries covered by this bill. The inherent complexity of the environments in which those industries operate expose critical data and system configurations to greater risks than ever before, so much so that we are no longer assessing the likelihood of a successful cyber-attack, but instead how to recover. In fact, as IT infrastructure has become increasingly complex, cyber-attacks have become increasingly sophisticated too.

I dare not imagine what will happen in the coming years, when AI reaches its full potential and quantum computing becomes available. What I am hearing is that hundreds of pieces of users' electronic data are stored each day on international servers. They cannot be thoroughly processed using currently available technology, but what will happen when quantum computers are able to process those data? Maybe we will be very vulnerable as a result of actions we take today by casually agreeing to things in an app or allowing our data to be collected. In short, in five years' time, we may be paying for what we are giving away today.

In conclusion, the Bloc Québécois supports the bill. We want it to be sent to committee to be studied in detail, as my colleague from Avignon—La Mitis—Matane—Matapédia said. I also welcome forthcoming opportunities for specialists in Quebec industries who are renowned for their expertise.

Madam Speaker, it is encouraging when we get support for legislation. This legislation goes a long way in recognizing that cyber-threats are something on which we do need legislation to come forward and be voted upon. This legislation would allow for financial penalties and for the minister to take direct action. I wonder if the member could provide his thoughts on the importance, once we get into committee stage, of listening to what presenters have to say. I understand there are some concerns with regard to the legislation.

Madam Speaker, that is indeed essential, and it is also essential that the act have more teeth. In my opinion, it is vital that the act provide for a mechanism for issuing sanctions or fines in order to enforce compliance with orders and regulations aimed at securing telecommunications.

Let me give an example. We have learned that China maybe funding elections, meaning that there must be a network out there that is a threat to our country. Our national security and our ability to decide for ourselves who will lead our country are being influenced by foreign money. That is something that really worries me.

As a result, our systems need to be strengthened and penalties need to be imposed. Before that, however, we must know what happened, diagnose the problem accurately and be transparent. That is just one example of many, but that is how the problems should be resolved, particularly with respect to cybersecurity.

Madam Speaker, I want to thank my colleague for a very thoughtful speech. He was very good at pointing out some of the issues with this that we have heard from stakeholders. We have heard from privacy and civil liberties groups about the secrecy that could impair accountability, due process and public regulation.

The government orders issued under this bill may be made in secret without public reporting requirements, making it impossible for rights groups and the public to monitor and challenge how power is exercised under the bill. The secrecy of this could be very concerning.

I wonder if the member and the Bloc had any thoughts, once this goes to committee, about anything that could be added to improve the required balance between civil liberties and secrecy.

Sorry for the delay, Madam Speaker. I was waiting for the interpreter to finish. In passing, I want to thank the interpretation team. The fact that we can count on excellent interpreters when we are working on complex bills like this one is a strength of our democracy. I want to thank them.

Ultimately, we are here to protect the people we represent. I am very concerned about this, but I do not profess to be an expert. However, as intermediaries and legislators, we have access to the real experts. It is essential that they appear in committee to tell us how we can strengthen these bills. It is very clear that we need to make decisions today that will protect us against future attacks, which will come in forms that we cannot even fathom right now.

As I said, we have no way of knowing right now how much quantum computing will change our lives, by allowing the attacks to become increasingly sophisticated and rendering our existing defence systems obsolete.

Madam Speaker, because it is the holiday season I will not slight the government for taking so long to bring legislation like this forward. We know that France and the U.K. are far ahead of us in terms of addressing cybersecurity issues. I will give credit to the minister for at least starting to move this process forward.

Our shared concern with the Bloc is that the minister is going to have these extra powers. We are disappointed that this legislation has come forward without ensuring that Canadians will not be unjustly examined or that this is not going to be applied to ordinary Canadians.

Maybe my colleague could speak about how important it is, when government brings forward legislation, that these things are presented in the initial piece of legislation, rather than assuming it will go to committee and get improved upon there. There should be some effort from the government to address these areas at the beginning.

Madam Speaker, I will simply say that I agree with my colleague.

Madam Speaker, it is a pleasure to rise today to speak to Bill C-26 on cybersecurity. I will be sharing my time today with the member for Edmonton Manning.

Canadians recognize that we need to do something in the area of cybersecurity. We have all experienced hackers. Myself, when I have bought something online, the next thing I know is my credit card is hacked and then all the pre-authorized transactions need to be changed. It is very time-consuming. I have been hacked numerous times on Facebook, as I am sure many have, as well as on Instagram and other places. Those are small examples that Canadians are seeing.

Let us think about the more serious cyber-hacking we are seeing, whereby government systems are hacked and breaches of information are happening. Businesses are experiencing this. I have a friend who is an anti-cyber hacker. For $2,500 a day, he goes around the world, helping companies that have been hacked to improve their protections.

Something needs to be done. I would like to talk today about what needs to be done, and then how the bill does or does not meet that need.

First, we have to identify what the critical systems are. What are the things we want to protect? If somebody hacks my Netflix account, it is not earth-shattering. However, there are things that are important, and I think everyone would agree that databases that protect our identity or have information about our identity are critical.

Financial institutions and people's financial information are critical. On our medical information, we have spent a lot of time on legislation and regulations on protecting medical privacy. Those, to me, would be three of them, but certainly, the critical systems need to be identified.

We need to make sure there are adequate protections in place. Not every business and level of government has the same amount of protections and technology in place. There is a journey of defining what adequate protection is and helping people get there.

In the case of breaches and having them investigated and addressed, the bill gives very broad powers to the minister. It allows the federal government to secretly order telecom providers to “do anything or refrain from doing anything...necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.”

Those three terms are not well defined, so I think there is some work to be done to define those better, but I do not really believe we want to give the government power to do anything it wants. Certainly, shutting down a system for protection is important when there is an actual threat and not just a potential future threat or a possible threat. In the case of a threat, the government needs the ability to act, but certainly we have to tighten up the language in the bill on that.

After there has been a breach, there needs to be preventive and corrective action. Preventive action would be additional technology walls or additional controls that are put in place to ensure that we have enhanced protection in the future. Corrective action is fixing the holes that people got into in the first place and punishing the hackers. It does not seem like any of that is happening today. The bill does not address that, but there should be some measures there to take corrective action.

I talked about the overarching powers and my concern with them. We cannot have the government continually coming up with bills in which it has not really defined what it is going to do but it tells us not to worry about it because the Governor in Council, after the fact and without any parliamentary oversight, will determine what we are going to do.

The Governor in Council means the Liberal cabinet ministers. I think we are at a place where people have lost trust in the government because there is no transparency. The bill allows the government to make orders in secret, without telling people what is done. The public cannot see it and is suspicious, because people have seen numerous examples of the government hiding things.

We have just come through a $19-million emergency measures act situation in which the Liberal cabinet ministers and the Prime Minister knew they were never going to disclose the documents that would prove or disprove whether they met the threshold, because they were going to hide behind solicitor-client privilege.

They have done it before, hiding behind cabinet confidence, like on the Winnipeg lab issue. Look at the documents we tried to get hold of there. The Liberals even sued the Speaker in order to hide that information from Canadians.

In the SNC-Lavalin scandal, we saw them hiding behind cabinet confidence. In the WE Charity scandal, we saw them hiding behind cabinet confidence. I am a little concerned, then, to find that in this cybersecurity bill, the Liberals are saying the government can make secret orders that the public is not going to ever know about. I think that is very dangerous. This is one of the reasons we are seeing an erosion of trust in Canada.

A recent poll posted by The Canadian Press showed that if we look at the trust index in Canada, only 22% of Canadians trust the government or politicians. That means four out of five Canadians do not trust the government or politicians, and it is partly because of what has gone on before, when things have been done such as people's banks accounts frozen and drones surveilling citizens. People have lost trust, so I do not think they are going to be willing to give a blank cheque to the government to do whatever it wants for cybersecurity, to control enterprises outside the government to get them to stop operating, for example. The riverbanks need to be much tighter on that.

People are concerned about their civil liberties, and I know there has been a lot of conversation about the lack of privacy protection in this country. We have regulations like PIPA and PIPEDA. My doctor cannot reveal my medical information; my employer cannot reveal my medical information, but various levels of government in the pandemic made it so that every barmaid and restaurant owner could know my private medical information and keep a list of it, which is totally against the law. Therefore, when it comes to cybersecurity we are going to have to make sure the privacy of Canadians' information is better protected, and I do not see that element here in the bill—

I have a point of order from the hon. member for Timmins—James Bay.

Madam Speaker, it is important that we not use disinformation in the House. The member mentioned that restaurant waitresses were breaking the law by asking for vaccine information. That is a falsehood. Could the member correct that?

I would say that the information the hon. member is trying to share is more of a point of debate.

The hon. member for Sarnia—Lambton has just under three minutes.

Madam Speaker, I have no problem clarifying. Several of the places I went into were following provincial orders, to be clear, and they were to record who showed up and whether or not they were vaccinated. That is what was done, and that is against PIPA and PIPEDA.

I will turn to the government's record on protecting us in terms of cybersecurity, and talk about Huawei.

In 2018, our Five Eyes partners were concerned about Huawei's connection to the Chinese communist government, and they were not going to allow Huawei into their networks. However, the Canadian government delayed a decision for four years. The Liberals waited until 2022 to ban Huawei. Why did they do that? It was so Bell and TELUS could implement Huawei technology, 4G technology, across the country. That is hardly a protection from a cybersecurity point of view, and it again speaks to why Canadians have lost trust in the government.

However, I will support the bill to go to committee. I have said that we need to do something for cybersecurity, and I have outlined what I think we need to do. I do not think we can leave these huge gaps that have been cited by numerous institutions.

The University of Toronto has written letters to the government, talking about what is wrong with the bill and what it would like to see. If members have not seen the report it did with the Munk School, called “Cybersecurity Will Not Thrive in Darkness”, there are a number of recommendations in the report that talk about what needs to be done to Bill C-26 to fix it. I would encourage the government to look at that, and I would expect it to become the substance of amendments that would be brought at committee.

Also, we should look at what the constitutional and civil liberties lawyers are saying. They are very concerned about the parts of the bill that would surveil Canadians, so I think we need to make sure we listen to what they have to say. They have written an open letter to the government, and I would recommend that the government take a look at that as well.

Finally, on accountability, due process and public regulation, there is potential for abuse. I would encourage the government to take a look.

I look forward to more discussion at committee.