Bill C-26

I understand the member for Saint‑Hyacinthe—Bagot's request.

The hon. parliamentary secretary.

Mr. Speaker, I will withdraw the comment.

Mr. Speaker, 85% of Canada's critical infrastructure is owned by the private sector, provinces and non-governmental agencies.

Does my colleague think Bill C-26 will help standardize cybersecurity practices to better protect systems and services pertinent to Canada's cybersecurity?

Mr. Speaker, as the member highlights, when we talk about infrastructure, the whole digital economy and what government does, it would be negligent not to recognize the significance of the private sector and how the private sector feeds into it. In fact, it is a major player of 80% plus. That is why, when we talk about the government's role, ensuring that the national infrastructure is safeguarded against cyber-threats is of the utmost importance. That is the essence of the legislation, along with ensuring that Canadians', business's and governments' interests are well served.

Mr. Speaker, in regard to my colleague from Kildonan—St. Paul's speech, she talked about how the government has brought this bill forward with a lot of sticks in it and no carrots. I am looking for incentives that would improve it.

Is the government open to amendments on this particular bill? If so, what would be its theme to bring forward some issues to improve the bill's transparency?

Mr. Speaker, I have made reference to the idea, and I hope it will be discussed at committee stage in terms of a reporting mechanism. I get the sense, based on questions for both me and the minister, that there is some concern related to that. We will have to wait and see if that comes forward through committee.

At the end of the day, I think it would be nice to see the legislation pass at some point, where the committee is given the opportunity to provide its recommendations and thoughts on the legislation.

Mr. Speaker, before I begin my remarks, I request that you seek unanimous consent for me to split my time with the member for Windsor West.

Is there agreement for the member to split his time?

The hon. member for Elmwood—Transcona.

Mr. Speaker, with thanks to the chamber, I am pleased to rise today to speak to Bill C-26.

Cybersecurity is a topic that is very much on the minds of many Canadians. It is something that many of us have had experience with in our personal lives, or we know somebody who has. Certainly, as MPs, we hear from folks who have fallen prey to various kinds of cyber-attacks online. We know it is a burgeoning criminal industry to take advantage of people online, grab their information and impersonate their identities. Canadians deserve to be protected from this kind of crime.

We also heard about the impact that cybersecurity attacks have had on our commercial industries. One of the examples that stands out in my mind of particular concern was the 2017 cyber-attack on Equifax, where the personal and financial information of thousands of Canadians was obtained illegally. It is an obvious concern for folks when they find out that a company they trusted with their personal information has been subject to this kind of attack.

We also know that our government has not been immune from these kinds of attacks. Hospitals and Global Affairs Canada have been the object of successful cyber-attacks. Earlier this fall, the House of Commons had a cyber-attack. MPs were warned about changing their email passwords for fear of information in their work accounts being exposed to outside eyes and ears that would find out what was going on in those accounts.

There is no question that it is a real issue. There is also no question, when we talk to experts on the file, that Canada is a laggard in respect to cybersecurity. There have been many debates in this place about the role of Huawei, for instance, in our 5G infrastructure. The government did finally take a decision on Huawei, I think the right decision, although late in the game with respect to our other Five Eyes allies. The idea with this legislation is that the government needs more legal authority in order to implement that decision. Of course, there are a number of ways it can do that.

The bill, as it stands, is not ready to go, but New Democrats are happy to send it to committee where we can hear from experts and try to improve it. When I say it is not ready to go, in my view, it is that for as long as it took for the government to reach a decision on Huawei, it clearly was not doing any work alongside its deliberations on Huawei to prepare for banning it. This legislation would largely give a broad, sweeping power to the Minister of Industry to decide later what exactly the government will have to do in order to ban Huawei and respond to other kinds of cyber-threats.

There is not a lot of detail in the legislation, and that is something we have seen from the government on other fronts. We have seen it on unrelated items, like the Canada disability benefit. It drafted a bill that had no content on the program. The attitude is “trust us and we will get it right later”. However, we also see a litany of problems with the way the government manages its business, whether we go all the way back to the SNC-Lavalin affair and the question of deferred prosecution agreements or other ethical issues that have come up in the context of this government.

I think Canadians are right to have a certain distrust of the government. The answer lies in mechanisms that impose accountability on the government, and those are very clearly absent from this legislation. In fact, not only are they absent from the legislation but the government also very explicitly exempts itself from some of the current types of accountability that do exist.

For instance, it exempts itself from the Statutory Instruments Act, which would make it possible for the parliamentary regulations committee to review orders that the minister may issue under the new authority granted to him in this act.

Therefore, not only would there be no new accountability measures commensurate with the new powers the government would be giving itself, but it would also be exempting itself from some of the accountability mechanisms already there. The government is also explicitly letting Canadians know its intention in the legislation to give itself the legal authority to keep those orders secret. Therefore, we have to contemplate the idea that there will be a whole branch of secret orders and laws that govern the telecommunications industry that Canadians will not know about, and the telecommunications companies may not have an adequate awareness of them.

Where I would like to go with this is to talk a bit more broadly about the Internet and about privacy rights on the Internet. When the new Canada-U.S.-Mexico trade agreement was signed, there was a number of provisions in that agreement that went too far in shoring up the rights of companies to keep their algorithms secret, for instance. There are other kinds of IP protections, or protections that are sold as IP but really mean that it is harder to get a transparent accounting of how companies operate on the Internet and of the artificial intelligence they use to navigate the Internet.

There is a way of dealing with the Internet that prioritizes secrecy for commercial purposes, but that same secrecy also breeds more opportunity for malignant actors on the web to go about their business and not have to worry they will have to expose what it is they are doing. Whereas, if we look to the European Union as another model, for privacy and conducting business on the Internet, there are a lot more robust protections there for the private information of consumers on the Internet, and there are a lot more reporting requirements for actors on the Internet.

The problem with the bill as it is written here is that it would be trying to fight secrecy with secrecy. When firefighters show up to a house that is on fire, they do not usually show up with a flamethrower. They show up with something else that can fight the fire instead of accelerating it.

I do not think Canadians, who are concerned about malignant actors on the Internet and the ways that they are able to exploit the dark corners of the Internet and the back doors of software, also think that the way to fight that is to let the government do it in secret without any reporting. Canadians are not thinking that, with less information available about actors within the digital space or government actions against cybersecurity threats, they are better off if they do not know what the actors on the Internet are doing, and they do not know what the government is doing about it.

The problem with the bill as written is that it would double down on the approach that we saw in CUSMA. It was about privacy for actors on the Internet and privacy for the government in how it deals with it. Instead, it could take a more open-source approach to say that the way forward on the Internet has to be that digital actors have to be upfront about the kind of business they are conducting on the Internet, the ways they do it and the algorithms they use. Governments, likewise, could then be pretty transparent about how they would deal with people who were non-compliant or who were breaking the rules.

New Democrats are concerned to see, along those broad lines, an approach to the Internet that says transparency and accountability, both for private actors and for public actors, is the way forward. Digital consumers deserve to have this information at their fingertips, so they understand what people are going to be doing with the information they enter on their computer, whether that is to purchase a book, get a loan or whatever kind of business they are doing on the Internet. They should have more rights to know how that information is handled, and the role of the government in keeping that information secure, rather than being told not to worry about it, because commercial interests have their best interest at heart, the government has their best interest at heart, and they do not need to know what is going on.

That is why the bill should go to committee, to be sure, because Canada does need its government to have the authority to implement the decision on Huawei and to do better in respect of cybersecurity. There is a lot of good work for committee members to do there, and a lot of amendments that ought to be made to the bill in order for it to pass in subsequent readings.

Mr. Speaker, I share a number of the hon. member's concerns, but I want to ask him about some of the major threats we have seen in cybersecurity. I am frustrated because the government has a lot of the tools already at its disposal to go after people who are threatening our cybersecurity. We have seen the shutdown of pipelines and major companies across this country. Rogers Communications was shut down.

Is the member not at all concerned about the lack of ability of law enforcement to chase down the bad actors that are pursuing some of this stuff?

Mr. Speaker, there are only so many things that can be fixed with legislation. Legislation is a necessary component of the solution, but it is not sufficient on its own. We see that in many areas. Despite the fact that we have made good laws in this place against certain kinds of crime, nevertheless, those kinds of crimes persist, so of course enforcement is an important part of that question and requires the attention of and resources from government. When those resources are not made available, it matters very little the kinds of laws we pass in this place, because the other necessary component is on the enforcement side.

I share the member's concern for proper enforcement of the laws we pass in this place.

Mr. Speaker, we are talking about Bill C‑26, which deals with national security, and discussions about national security inevitably include the issue of interference from elsewhere, from other countries. Security threats can be internal as well as external.

With respect to external threats, there is a lot of talk right now about the possibility that China interfered in our elections. Earlier, some of our colleagues mentioned that, a few years ago, the Prime Minister received nearly $70,000 in donations immediately after a bank that offers services specifically to Chinese Canadians set up shop in Canada. The donations, which were mostly from people with Chinese names, were made on the same day and within hours of the bank being authorized to open.

Does my colleague find that strange? Is he concerned that there might have been some kind of interference? It is hard to believe that this happened by accident and that it was all just a fluke.