An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts


Marco Mendicino  Liberal


In committee (House), as of March 27, 2023

Subscribe to a feed (what's a feed?) of speeches and votes in the House related to Bill C-26.


This is from the published bill. The Library of Parliament often publishes better independent summaries.

Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system. It also establishes an administrative monetary penalty scheme to promote compliance with orders and regulations made by the Governor in Council and the Minister of Industry to secure the Canadian telecommunications system as well as rules for judicial review of those orders and regulations.
This Part also makes a consequential amendment to the Canada Evidence Act .
Part 2 enacts the Critical Cyber Systems Protection Act to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament. It also, among other things,
(a) authorizes the Governor in Council to designate any service or system as a vital service or vital system;
(b) authorizes the Governor in Council to establish classes of operators in respect of a vital service or vital system;
(c) requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions;
(d) provides for the exchange of information between relevant parties; and
(e) authorizes the enforcement of the obligations under the Act and imposes consequences for non-compliance.
This Part also makes consequential amendments to certain Acts.


All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.


March 27, 2023 Passed 2nd reading of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:25 a.m.
See context

Eglinton—Lawrence Ontario


Marco Mendicino LiberalMinister of Public Safety

moved that Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, be read the second time and referred to a committee.

Mr. Speaker, it is an honour to help kick off second reading debate of Bill C-26, an act respecting cybersecurity. I know this chamber has been anxiously awaiting the chance to advance discourse on this important legislation.

I will begin by saying that cybersecurity is national security. We need to make sure that our defences meet all of the challenges that are reflected today, and we need to make sure that both the public sector and the private sector are able to better protect themselves against malicious cyber-activity, including cyber-attacks. It is about defending Canada and the critical infrastructure we rely on, and we know that this will not be the last we hear of this issue.

What we decide now in the cybersecurity realm will help us form a launching pad for the way forward, because we know that our actions in the cybersphere are always a work in progress. We know that meeting the moment means that our actions must continually, effectively and safely provide a foundation for the way Canadians thrive in the 21st century.

Being online and connected is essential to all Canadians. Now, more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying in touch and connected with loved one from coast to coast to coast and indeed around the world. Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, particularly with the emergency of new technologies such as 5G, which will operate at significantly higher speeds and will provide greater versatility, capability and complexity than previous generations.

These technologies certainly create significant economic benefits and opportunities, but they also bring with them new security vulnerabilities that some may be tempted to prey on.

The COVID-19 pandemic showed how important it is for Canadians to have secure and reliable connectivity. The government is determined to boost security for Canada's cyberfuture.

We also know about the inherent threats to our safety and security. Cyber-threats remain a significant national and economic security issue that can threaten that safety. The Canadian centre for cybersecurity's “National Cyber Threat Assessment 2023-2024” found this:

State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians....

Cybercriminals exploit critical infrastructure because downtime can be harmful to their industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position in case of future hostilities, and as a form of power projection and intimidation.

These activities will not cease. Malicious actors could take advantage of increased connectivity to trigger malicious events that could also potentially have severe effects on our public safety and national security.

Large corporations and critical infrastructure providers are targeted by actors probing for vulnerabilities and opportunities for penetration, theft and ransomware attacks.

Like its allies, Canada has made efforts to address these vulnerabilities and to ensure the security of Canadians and Canadian businesses.

Canada has long recognized the importance of securing our cyber systems. In 2013, Canada established a collaborative risk mitigation framework, the Communications Security Establishment's security review program. This program has helped to mitigate risks stemming from designated equipment and services under consideration for use in Canadian 3G, 4G and LTE telecommunications networks.

Furthermore, consultations with Canadians in 2016 informed the 2018 national cybersecurity strategy. This strategy established a framework to guide the Government of Canada in helping to protect citizens and businesses from cyber-threats and to take advantage of the economic opportunities afforded by digital technology.

In 2019, the government paid $144.9 million to develop a framework for the protection of critical cyber systems.

In 2021, the government completed its interdepartmental review of 5G telecommunications security. The findings included a recommendation to work with the industry on moving forward with the current risk mitigation framework for the products and services intended for Canadian telecommunications networks.

All this work done over many years to address these known problems and to improve Canada's cybersecurity posture, including with 5G technology, brings us to the bill before us today.

The objectives of Bill C-26 are twofold. One, it proposes to amend the Telecommunications Act to add security, expressly as a policy objective. This would bring the telecommunications sector in line with other critical infrastructure sectors.

The changes to the legislation would authorize the Governor in Council and the Minister of Innovation, Science and Industry to establish and implement, after consulting with the stakeholders, the policy statement entitled “Securing Canada’s Telecommunications System”, which I announced on May19, 2022, together with my colleague, the Minister of Innovation, Science and Industry.

As we announced at the time, the intent is to prohibit the use of products and services by two high-risk suppliers and their affiliates. This would allow the government, when necessary, to prohibit Canadian telecommunications service providers from using products or services from high-risk suppliers, meaning these risks would not be passed on to users. It would allow the government to take security-related measures, much like other federal regulators do in their respective critical infrastructure sectors.

The second part of Bill C-26 introduces the new critical cyber systems protection act, or CCSPA. This new act would require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to protect their critical cyber systems. To this end, designated operators would be obligated to establish a cybersecurity program, mitigate supply chain third party services or product risks, report cybersecurity incidents to the cyber centre and, finally, implement cybersecurity directions.

It would include the ability to take action on other vulnerabilities, such as human error or storms that can cause a risk of outages to these critical services. Once implemented, it would support organizations' abilities to prevent and recover from a wide range of malicious cyber-activities, including cyber-attacks, electronic espionage and ransomware.

The rollout of 5G technology in Canada is well under way. This technology will allow Canadians to move more data faster. It will bring benefits for Canadians and our economy, but with these benefits comes increased risk. Canada's updated framework, established in part 1, aligns with actions taken by our Five Eyes partners, particularly in the United Kingdom. I will add that I recently met with our counterparts in Washington, D.C., not too long ago.

It would allow Canada to take action against threats to the security of our telecommunications sector if necessary. Legislative measures would provide the government with a clear and explicit legal authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers, such as Huawei and ZTE, if required and after consultation.

Once these amendments receive royal assent, the government will be in a position to apply these new order-making powers to the Telecommunications Act.

The CCSPA established in part 2 is also consistent with critical infrastructure cybersecurity legislation established by our Five Eyes partners and would provide a consistent cross-sectoral approach to cybersecurity for Canadian critical infrastructure.

Designated operators would be required to protect their critical cyber systems through the establishment of a cybersecurity program and to mitigate any cybersecurity risks associated with supply chain or third party products and services.

Cyber-incidents involve a certain threshold that would be required to be reported, and legislation would give the government a new tool to compel action, if necessary, in response to cybersecurity threats or vulnerabilities. Both parts 1 and 2 of Bill C-26 are required to ensure the cybersecurity of Canada's federally regulated critical infrastructure and, in turn, protect Canadians and Canadian businesses.

Overall, Bill C-26 demonstrates the government's commitment to increasing the cybersecurity baseline across Canada and to help ensure the national security and public safety of all Canadians.

Cybersecurity is also essential in the context of our economic recovery after the COVID‑19 pandemic. In our increasingly connected world, we must implement the measures required to guarantee the security of our data and ensure that data is not exploited by actors, state-sponsored or not, who constantly seek to exploit our systems.

Recovery from cybersecurity incidents is both costly and time-consuming. Accordingly, when it comes to improving cybersecurity, the interests of government and private industry are aligned. Nevertheless, an administrative monetary penalty scheme and offence provisions would be established within both parts of the bill to promote compliance with orders and regulations, where necessary.

All of the actions I highlighted today form a key part of our ongoing commitment to invest in cybersecurity, including to protect Canadians from cybercrime and to help defend critical private sector systems. Like our allies, Canada has been working to address these vulnerabilities to keep Canadians and Canadian businesses safe. However, we have to be sure that we are ready for the threats that lie on the landscape.

For example, unlike laws governing other critical infrastructure sectors, the Telecommunications Act does not include any official legislative authority to advance the security of Canada's telecommunications system. Despite the existence of multiple programs and platforms enabling public and private collaboration in the telecommunications sector, participation is voluntary.

In addition, across Canada's highly interconnected and interdependent critical infrastructure sectors, there are varying levels of cybersecurity preparedness and no requirement to share information on cyber-incidents currently. Moreover, the government has no legal mechanism to compel action to protect these systems at this time. These are important gaps that the legislation introduced today seeks to address. That is why the government is establishing a strong and modern cybersecurity framework to keep pace with the evolving threats in our environment.

In short, the legislation would form the foundation for securing Canada's critical infrastructure against fast-evolving cyber-threats while spurring growth and innovation to support our economy. Cyber systems are understandably complex and increasingly interdependent with other critical infrastructure. This means the consequences of security breaches are far-reaching. It is also the reason that a consistent, cross-sectoral approach to cybersecurity is built into this legislation.

Bill C-21, which we have tabled and are now debating, would protect Canadians and the cyber systems they depend on well into the future. Significantly, this legislation can serve as a model for provinces, territories and municipalities to help secure critical infrastructure outside of federal jurisdiction. It is an essential addition to Canada's already robust arsenal, which is there to protect us and our economy against cyber-threats. It would allow us to continue taking even stronger action against threats to the security of our telecommunications sector and ensure Canada remains secure, competitive and connected.

I encourage all members to join me in supporting this landmark cybersecurity legislation, Bill C-26, today.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:35 a.m.
See context


Raquel Dancho Conservative Kildonan—St. Paul, MB

Mr. Speaker, I thank the Minister of Public Safety for his speech.

I have a question about the impact of this bill on Crown corporations that are considered to be critical infrastructure companies. What impact will this bill have on Crown corporations?

What are the impacts of this bill on provincial Crown corporations?

I am referring to Hydro-Québec and Manitoba Hydro, for example. What impact will this bill have on Crown corporations?

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:40 a.m.
See context


Marco Mendicino Liberal Eglinton—Lawrence, ON

Mr. Speaker, I would like to thank my colleague for her very important question.

The goal of Bill C-21 is to build a bridge, a collaborative effort between the government, critical infrastructure sectors and the private sector. We developed an approach that includes excellent lines of communication in order to effectively identify the cyber-threats to critical infrastructure that might jeopardize national security and the economy.

In answer to my colleague’s question, we will work with all federal regulators to create a system to protect all critical infrastructure sectors against all cyber-threats.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:40 a.m.
See context


Simon-Pierre Savard-Tremblay Bloc Saint-Hyacinthe—Bagot, QC

Mr. Speaker, I think we are happy to see the government finally tackle the issue of cybersecurity. I am not necessarily saying that it is too little, too late, but I can say that we have waited a long time. We applaud the idea of forcing Internet providers to adopt better practices, and to that we say kudos. We all agree on that.

However, why does the federal government always have to react rather than be proactive?

We have been talking about 5G and Huawei for years. Hydro-Québec has been fending off daily computer attacks for years. We have known for years that China has been gaining power and interfering more and more. In short, we have known for years that Canada is extremely vulnerable in terms of cybersecurity.

How is it that, in this postnational system, everything always happens reactively, not proactively?

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:40 a.m.
See context


Marco Mendicino Liberal Eglinton—Lawrence, ON

Mr. Speaker, with all due respect for my colleague, I would like to point out that the government is always vigilant when it comes to any type of threat, including cyber-threats.

For example, in 2018, we created the national cyber security strategy. That is what I was talking about in my speech. The pillars of this strategy, which is used to respond to all risks, include resilient security systems, an innovative cyber ecosystem and Canadian leadership here and around the world.

We have taken concrete action to protect against the risks posed by certain actors that are not aligned with Canadian interests. We are now prepared to take the next step by introducing this bill to better protect our critical infrastructure. This excellent and effective measure will be implemented in collaboration with all federal regulators and the private sector.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:40 a.m.
See context


Daniel Blaikie NDP Elmwood—Transcona, MB

Mr. Speaker, folks would find that it is pretty easy to get agreement here on the idea that there is more to do in respect of cybersecurity. Where some of us may part ways is on the extent to which the government, while increasing its power to act, has not built into the bill corresponding checks and balances on its authority. Indeed, many of the orders it would give itself the power to issue under this act are secret orders. It has exempted itself from some of the normal reporting requirements.

I want to test the minister today on his openness to amending the bill at committee to ensure that there are appropriate checks and balances commensurate with the new and quite wide-ranging powers the government is proposing to grant itself in Bill C-26.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:40 a.m.
See context


Marco Mendicino Liberal Eglinton—Lawrence, ON

Mr. Speaker, I look forward to collaborating with the hon. member and other parliamentarians on the debate of this important bill, including at committee stage. Without question, whenever the government takes decisive action to meet the threats posed in the realm of cybersecurity, there does need to be corresponding transparency and an articulation of the reasons we are taking that action.

He is quite right to underline that there would be new authorities contained in this bill. However, those new authorities we would propose to create are in direct response to the gaps that currently exist, as I outlined in my speech. We need to do both in lockstep: address the gaps posed on the landscape of national security in the context of cybersecurity but also be transparent about that.

I point out that there are independent bodies, for example NSICOP and NSIRA, so that where the government is taking steps that implicate national security, there can be accountability. This is the way we can achieve both objectives. It would ensure the confidence of all Canadians that this is an appropriate measure to seize the opportunities there, as well as to manage the risks manifested in our landscape.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:45 a.m.
See context

Winnipeg North Manitoba


Kevin Lamoureux LiberalParliamentary Secretary to the Leader of the Government in the House of Commons

Mr. Speaker, I wonder if the minister can provide additional comments on the importance of the Five Eyes nations, the countries we work closely with, and give a different perspective on what he believes and why he believes it is important that we walk in step with those Five Eyes nations.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:45 a.m.
See context


Marco Mendicino Liberal Eglinton—Lawrence, ON

Mr. Speaker, this question allows me to highlight how Canada is co-operating with like-minded democracies around the world, both in the context of the Five Eyes relationship as well as the G7. I had a chance to meet with both counterparts very recently, one in Washington, D.C., and then, about two weeks ago, in Germany. It is without doubt that all the democracies within these multilateral forums are thinking very hard about how to manage threats in cyber, including ransomware, including the spread of disinformation and including the efforts of hostile actors to engage in cyber-espionage and the like.

The way we are advancing that collaboration is through information and intelligence sharing as much as possible, so that we can push back against efforts to attack our economies and to attack Canadian interests, etc.

Even as we present Bill C-26 for debate, to take decisive action here at home domestically by addressing the current gaps within our cyber-realm, we are also collaborating very robustly with partners around the world who are like-minded in managing these threats.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:45 a.m.
See context


Alex Ruff Conservative Bruce—Grey—Owen Sound, ON

Mr. Speaker, I just have a couple of quick points.

First, I would correct the minister. He referred to it as Bill C-21 a couple of times earlier in his speech. I think that maybe it is on his mind. He knows that there are great changes that need to be made or scrapped out of that bill.

As for the references he talked about in his speech, to Huawei and 5G, obviously the government finally decided to ban Huawei from our 5G network just in May.

Why did it take the government so long? It was tabled here. A motion was passed in the House a year and a half prior to its making that decision.

I am just interested to know why it took the government so long to make such a critical national security decision.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:45 a.m.
See context


Marco Mendicino Liberal Eglinton—Lawrence, ON

Mr. Speaker, I embrace the urgency of my hon. colleague's question. I also want to thank him for the legislative title correction. Obviously, I am managing a number of priorities, as he well knows.

There is no dispute that we need to advance this debate and to do so thoughtfully and deliberately and urgently. As he will know, we took very decisive action against the risks posed by Huawei and ZTE as they relate to 5G, 4G and 3G networks, and we are going to continue to be vigilant about them.

If he shares that sense of urgency in moving forward, he really ought to study the bill along with his colleagues in the Conservative Party and support it.

At the end of the day, this bill would address those gaps and potential vulnerabilities so that we can manage the risks and, at the same time, leverage the innovative opportunities that lie in wait when it comes to technology.

Telecommunications ActGovernment Orders

December 1st, 2022 / 10:45 a.m.
See context


Raquel Dancho Conservative Kildonan—St. Paul, MB

Mr. Speaker, it is an honour to speak today in the House about Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making other consequential amendments.

This is a critical bill, and I am very happy to see the debate being undertaken today in the House. I do know that cybersecurity is important to the Minister of Public Safety, so I will give him credit for bringing this bill forward. It should be something that is important to all government ministers of every level of government. It is very important that we are having this debate today.

I was provided a briefing from cybersecurity experts from the minister's department just under a year ago. It was very informative about the risk Canada faces in terms of cybersecurity. Just to speak simply, I asked them what would be, in the worst case scenario, sort of a Pearl Harbor moment for Canada. They responded that it would be a cybersecurity attack on our electrical infrastructure or our pipeline infrastructure in the middle of winter. If there were a cyber-attack or a ransomware attack on the infrastructure that keeps Canadians warm in the middle of winter, that would be absolutely devastating, specifically in our coldest provinces, regions and territories in Canada.

Just to give Canadians an idea of the gravity of what we are talking about today and how important it is, not only that we bring forward cybersecurity legislation that builds capacity, but also that it be done right. There was a series of questions before my remarks that outlined a number of the issues in this bill.

I will just outline a number of recent cybersecurity attacks in Canada and also in the United States of late. We know that the Canada Revenue Agency was attacked in August 2020, impacting nearly 13,000 Canadians who were victims of that. There was also a hospital in Newfoundland, in October 2020, where the cybersecurity hackers stole personal information from health care employees and patients in all four health regions, as well as social insurance numbers belonging to over 2,500 patients. Very deeply personal and private data from these hospitals was stolen by cybersecurity hackers.

Global Affairs also most recently was attacked in January 2022, right around the time that Russia engaged in the illegal invasion of Ukraine. It was reported that it may have been Russian, or Russian state-sponsored, actors who were responsible for the cyber-attack on Global Affairs.

That was a very serious attack on another government department. The government is certainly not immune to these types of cybersecurity attacks.

Most famously, I would say, there was a ransomware attack on critical infrastructure in the United States back in May 2021. Pipeline infrastructure was attacked. President Biden issued a state of emergency. Seventeen states issued these states of emergency. It was very serious, and it just shows the capabilities of some of these cyber-threat actors, and the threat they pose to Canadians in their everyday lives and to Canada as a whole, as well as the threat to our allies.

This bill is coming forward in light of the government announcing most recently, in the past year, that it would ban Huawei from our 5G infrastructure. Conservatives and the House of Commons, in fact, have been calling on the government to do that for quite for some time. This legislation would help enable the practical implications of that ban. Again, it is certainly a very long time coming. Had this been done years ago, it would have saved our telecommunications and thereby the everyday users of our telecommunications companies, a lot of pain and a lot of money. I am concerned about the financial impact, although this is critical, that waiting so long to bring it forward would have on everyday Canadians and their cellphone bills, just as an example.

I am the vice-chair of the public safety and national security committee. I championed a study we are undertaking, which is in the process of being finalized right now, of Canada's security posture in relation to Russian aggression. A large part of that study was about cybersecurity. The experts we brought in repeatedly sounded the alarm that cybersecurity is of the utmost importance. It is something that the Government of Canada, the private sector, provincial governments and, frankly, municipal governments must take extremely seriously. It is rapidly evolving. I am going to give some quotes from a few of the experts to the lay the stage of what we are facing as Canadians.

Professor Robert Huebert of the University of Calgary said:

With regard to other cyber threats, we also know the Russians have shown an increasing capability of being able to interfere in various electronic systems and cyber systems of other states. We've seen this with their ability to influence the Ukrainian electrical system prior to the onset of the war in 2014.

This is the other war it engaged in over the last number of years. He also said that we are seeing this in other locations across the globe.

He went on to state:

Once again, it's hard to know exactly how well-defended [Canada has] become in being able to harden that part of cyberwarfare. There's no question, whatsoever, that the attention the Russians and the Chinese are giving this is increasing....

He compared that to the reports we are hearing from our American and British friends and allies who are saying the Chinese and Russians are extremely active on the issue of cybersecurity and involving state-sponsored actors launching attacks against countries like Canada and the United States.

We also had a woman named Jennifer Quaid, who is the executive director of the Canadian Cyber Threat Exchange, which is a private company that supports various companies to help boost their cybersecurity. She talked a lot about cybercriminals. This is an important piece. Even the minister talked about this as well.

First and foremost, she flagged that the Minister of National Defence of the current government said, “Cyber security is one of the most serious economic and national security challenges we face.” Therefore, it is quite a serious issue we are talking about today.

Ms. Quaid went on to say, “cyber-threats are becoming more sophisticated and are increasingly pervasive. Driven by the growth and global adoption of innovative technologies, cybercrime pays.”

She meant that cyber-threat actors can be grouped roughly into two categories, nation states conducting espionage and statecraft through the Internet, and criminals engaging in cybercrime for financial gain.

She went on to say, “It's this criminal element that has commercialized cybercrime”, meaning that cybercriminals and cybercrime have now become a thriving industry. She pointed out that the barriers to entry, the technical expertise needed to be a hacker, so to speak, is increasingly low. She said that several countries now are allowing cybercriminal groups to operate within their borders.

She also named something called a “hacktivist”, an activist hacker, of all things. We may have someone, in the name of social justice, hacking into a fossil fuel company, for example. Imagine if that happened in Canada in the middle of winter to our gas pipeline infrastructure. It would be devastating and deadly, so we have to keep an eye out for hacktivists, as she said.

She also pointed out that 25% of organizations in Canada have reported a cyber-breach. One in four. That is pretty significant. She said that the small and medium-sized enterprises that make up 98% of our economy are also being impacted. Almost 100% of our economy is being attacked in some form or another.

This is really important when we think of big banks and big, wealthy corporations that have pretty good cybersecurity infrastructure and have the money to do so. What feeds them is third party suppliers that may provide the various components or various mechanisms to undertake their important parts of the industry that company is engaged in. They are also at risk. Therefore, if a lower third-party provider of a major telecom is attacked, for example, that may seriously impact the ability of that telecom to deliver its services adequately to Canadians.

She mentioned that 44% of SMEs, small and medium-sized enterprises, do not have any defence. Almost half of our small and medium-sized enterprises, which dominate our economy, do not have any sort of defence and are not even thinking about cybersecurity. That is why today's discussion and this bill are important to be debated and have experts weigh in.

I will also quote Dr. Ken Barker, who is a professor at the Institute for Security, Privacy and Information Assurance at the University of Calgary. He talked a lot about the impact of cybersecurity on critical infrastructure. He mentioned that, in general, it is very vulnerable because it is built on legacy systems that, in essence, predate the Internet. As our legacy systems are getting online, this creates, as he explained, some gaps that hackers can take advantage of, which again puts our critical infrastructure at risk. That came up over and over at committee. He pointed out that our large private companies and our banks are investing a lot in cybersecurity, but again, as he and Ms. Quaid pointed out, it is their SMEs that are the most vulnerable.

I will conclude my quotations here with Caroline Xavier, who is the director of the Communications Security Establishment, which falls under the Department of National Defence. It is the part of government responsible for cybersecurity. Therefore, that she is the head of government cybersecurity is a simple way to look at it.

She said, “cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses. Cybercriminals trying to probe Canadian systems have been found in Russia, Iran and China, among others. [They] use various techniques such as ransomware”. They are specifically focusing on our critical infrastructure, and they certainly pose, as she said, “the greatest strategic threat to Canada.”

The bill before us would do a number of things. It is quite a large bill, so I will not go into every detail of what it would do, but in essence there are two parts. One would amend our existing Telecommunications Act. Of particular importance, it would give very broad and sweeping powers to the minister of industry to do a number of things. What has been criticized by a number of organizations is a specific part of the bill, which is in the summary, that says it would allow the minister and the Governor in Council to “direct telecommunications service providers to do anything, or refrain from doing anything”.

Those are very broad powers to be given to one minister, so that should immediately put up red flags for all of us. No one should have such vast sweeping powers over our telecoms. Again, I have built the case that we need better cybersecurity, but there is a big question mark here of whether we are giving too much power to one minister, one person, in all of Canada.

The bill also has a whole financial issue involved in it. To do anything, as it said, could have massive financial implications. Big companies such as Telus may be able to afford that, but our small telecoms may not be able to so much. It might bankrupt them. That is not great news, and there would be no financial component, in terms of compensation, for any of these losses, so there is a big question mark there as well.

Also, something of importance I find quite concerning is the way the bill is structured would result in a significant exchange of a lot of information from telecoms to the minister, which he could pass on to various ministers and government agencies. Is that very confidential information? It is certainly the cybersecurity plans. Does that include state secrets? Is it safe that we would be asking our telecoms this?

The second part of the bill involves all critical infrastructure companies in Canada, as was outlined by the minister, including provincial and Crown corporations, and the like, so the bill would really establish the process that all of these companies would have to provide their cybersecurity plans, and there would be a very strict reporting mechanism. We are talking about days, if not a few weeks, to get together these plans and provide them to the minister. There would be annual updates required. If a big company were to change a third-party provider, it would have to, in essence, immediately report that to the minister of industry.

There is a whole host of very cumbersome reporting mechanisms, and I do believe we need some of these, but a question remains, as I have outlined earlier, and the government is not immune to being hacked by cybercriminals. I just outlined three or four incidents when that happened. The bill would take all of our critical infrastructure, and all of companies' cyber-defence plans, along with countless other pieces of personal data of Canadians and others, and we would give that to the government. An argument could be made that this is needed, but where are the protections for that? Where is the defence of government to ensure that this would not end up in the wrong hands or that information is not hacked by cyber-actors?

That is a significant threat that needs to be addressed by the minister, and I was not assured from his remarks that this is something that is front and centre in his objective through the bill.

I would also say that there is a number of civil liberty organizations that have raised serious alarm as well. There was an open letter written to the minister from the Canadian Civil Liberties Association, the Canadian Constitution Foundation, the International Civil Liberties Monitoring Group, Leadnow, Ligue des droits et libertés, OpenMedia, and the Privacy and Access Council of Canada. All of the leaders of research and discussion of our civil liberties, all such major organizations in Canada, were quite alarmed by the bill in many ways and wrote an open letter to the minister that outlined a number of things.

In essence, they said the bill would grant the government sweeping new powers, not only over vast swathes of the Canadian economy, but also in intruding on the private lives of Canadians. To sum it up, and I think they said really quite well, “with great power must come great accountability.” There is great power in the bill, but the accountability side is lacking.

Before I go on to detail some of their concerns, I do want to outline what some other countries are doing. If we look at the U.S. and the EU, they have established similar bills in the past year or so. The EU actually has greater and more significant fines in many ways, and the U.S. provides more prescriptive and strict reporting mechanisms, such as, if a U.S. critical infrastructure company has a ransomware attack, the legislation outlines the company must report it to the government within 24 hours.

That actually might be something we may want to consider for the bill. If we are going to go there, we might as well have it in line with our American allies and make it tight. I do think that a reporting mechanism is one of the most important parts of this bill.

I want to go back to the civil liberties issue. With the government's track record on Internet regulation bills, such as Bill C-11 and others, a lot of people have their backs up about their personal freedoms online and their data, rightfully so. The civil liberties associations are raising some of the concerns that have not been assuaged thus far by the government or the Minister of Public Safety.

In the open letter, they mention that this, “Opens the door to new surveillance obligations”, which is quite concerning. In their view, and this has not been proven, “Bill C-26 empowers the government to secretly order telecom providers ‘to do anything or refrain from doing anything’”, as I mentioned. They believe that, if there was an abuse of this extreme power, it could be utilized by a government with ill intent, not to say that is the Liberal government's intent, but it could be utilized to survey Canadian citizens. It is quite concerning.

They go on in that realm to outline that the powers in this bill allow the administrative industry to terminate who telecoms work for, for example. They believe that could also be applied to individual citizens. They are looking at this and thinking, if a government wanted to punish a group of people, it could call up Telus, and this is very blunt and not overly academic in the way I am explaining it, to direct Telus it cannot do business with these people, cut off their access to the Internet and cut off their cell phones.

It is an extreme worst-case scenario, but it is worth flagging that there may be a bit of a backdoor in this bill that would allow that, should an evil government ever come along that is looking to abuse the civil liberties of Canadians. I would like to see that addressed and have safeguards put in place to prevent that type of abuse, should it ever happen in an extreme circumstance.

They also talk about how it “Undermines privacy” and that there are “No guardrails to constraint abuse”. Again, I think this is an area where opposition parties, in particular, and hopefully government members on the committee, can come together to ensure that there is an ombudsman put in place or an oversight body. We need something where the rights of companies, and more importantly of citizens, are protected from the abuses I have outlined, and there are many others.

There were also a lot of concerns from the Business Council of Canada. It wrote an open letter to the minister on behalf of large companies, and also small and medium-sized enterprises. In essence, what we are seeing is the red tape is extremely high, so we are worried that will impact our small and medium enterprises.

The business community, in general, has said that it seems that this bill, to sum it up bluntly, is all stick and no carrot. It is all hard-hitting. It is going to be super hard on us, and we better comply. I can hopefully go into more details about that in the question part of this debate, but there is no incentive structure built in.

There is no incentive to have companies share best practices with each other. I think the government should be a leader in encouraging the open sharing of best practices and experiences that protect the confidentiality of companies but allow them to share information, so other companies can be better equipped, and we can all work together as one big happy, cyber-secure family.

The Conservative Party of Canada is, first and foremost, concerned about national security and ensuring the federal government takes that leadership role in ensuring that Canada, as a whole, is secure against any possible threat, every eventuality, as the Minister of National Defence likes to say.

We are seeing serious gaps in our military. We can have stronger alliances in our Five Eyes intelligence sharing and other agreements. Certainly, that involves cybersecurity. Canada is vulnerable, like many countries in the world. In fact, most countries are dealing with these problems. The Conservative Party of Canada wants to see a more robust framework to incentivize and enforce reporting mechanisms to ensure our cybersecurity is protected, and to make sure there is not a ransomware attack on our pipelines in the middle of winter, which could kill thousands of Canadians from the cold, for example.

We will be looking to support this bill in going to committee, but I want to make it very clear that, if the issues in this bill, and I have outlined a few of them concerning privacy and impacts to business, are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee. I want to make that very clear to the minister and the Liberal government.

We will get this to committee to hear from experts because we believe that is important, but it must be fixed. There are serious issues that need to be addressed and amendments that need to be made. I would ask Liberal members on the committee to get to work with us, so we can make this bill what it needs to be and make it better to ensure cybersecurity is protected in Canada today and for years to come.

Telecommunications ActGovernment Orders

December 1st, 2022 / 11:05 a.m.
See context

Winnipeg North Manitoba


Kevin Lamoureux LiberalParliamentary Secretary to the Leader of the Government in the House of Commons

Mr. Speaker, I do not think there is anyone in society who does not recognize the potential harm of cybersecurity. The issue is how do we ensure we are well positioned to address vital threats to our critical infrastructure. The member opposite says her concern is that we are giving too much power to one individual.

Does the Conservative Party have an alternative to ensure that particular issue is addressed in the form of an amendment? Does the member have any suggestions on that point?

Telecommunications ActGovernment Orders

December 1st, 2022 / 11:10 a.m.
See context


Raquel Dancho Conservative Kildonan—St. Paul, MB

Mr. Speaker, the member is also from Winnipeg, so he is a fellow Manitoban.

As I outlined it in my remarks, it is not just the Conservative Party. We were alerted to this by every major civil liberties organization in the country. They wrote quite an in-depth open letter with over two dozen different concerns that they had, give or take, so we are using the information we are getting from the organizations specifically tasked with protecting civil liberties and privacy and freedoms of Canadians. That is who alerted us to it.

We would like to bring them before committee to make their recommendations. They have made recommendations in open letters. Various organizations with technical expertise have also recommended various amendments to this bill. Again, I am not an expert in cybersecurity, but I do understand Canadians' need to protect their privacy. Therefore, at the committee stage, we will be bringing forward these experts to help us craft amendments. I mentioned in my remarks that perhaps there could be an ombudsman or a specific oversight committee that is built into this.

One last thing is that there is no annual reporting mechanism in this bill, where government would be responsible for tabling a report to Parliament that would outline and give Canadians an idea of what the government has been doing with this bill and what the threat assessment of Canada in the impacts of what the bill has done and what it has seen in the reporting mechanisms from companies. I would say it needs annual reports to Parliament, and we have to craft those amendments with expert witnesses' testimony at committee. I look forward to those discussions.

Telecommunications ActGovernment Orders

December 1st, 2022 / 11:10 a.m.
See context


Julie Vignola Bloc Beauport—Limoilou, QC

Mr. Speaker, I have so many questions.

We agree on the principle of the bill, but I do have to wonder about the precautionary principle. Since 2017, the Chinese government has required Chinese companies to hand over any information they collect to its intelligence service. Despite this, the federal government continues to award contracts to Chinese companies like Nuctech, for example.

That was a very important contract, I might add. Nuctech was being asked to install x-ray machines in embassies, precisely where our information must be protected. Information from the embassy could have easily been passed on.

My question for my colleague is this. We currently have an interesting bill before us, although it needs improvement. Should the precautionary principle not be applied more systematically, along with the recommendations made by the Standing Committee on Government Operations and Estimates in its June 2021 report?