An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

Sponsor

Marco Mendicino (Liberal)

Status

At consideration in the House of Commons of amendments made by the Senate, as of Dec. 5, 2024


Summary

This is from the published bill. The Library of Parliament has also written a full legislative summary of the bill.

Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system. It also establishes an administrative monetary penalty scheme to promote compliance with orders and regulations made by the Governor in Council and the Minister of Industry to secure the Canadian telecommunications system as well as rules for judicial review of those orders and regulations.
This Part also makes a consequential amendment to the Canada Evidence Act.
Part 2 enacts the Critical Cyber Systems Protection Act to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament. It also, among other things,
(a) authorizes the Governor in Council to designate any service or system as a vital service or vital system;
(b) authorizes the Governor in Council to establish classes of operators in respect of a vital service or vital system;
(c) requires designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions;
(d) provides for the exchange of information between relevant parties; and
(e) authorizes the enforcement of the obligations under the Act and imposes consequences for non-compliance.
This Part also makes consequential amendments to certain Acts.

Elsewhere

All sorts of information on this bill is available at LEGISinfo, an excellent resource from the Library of Parliament. You can also read the full text of the bill.

Votes

March 27, 2023 Passed 2nd reading of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts

February 5th, 2024 / 4:50 p.m.

Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce

Ulrike Bahr-Gedalia

Mr. Shipley started with one example.

If you think about cyber incidents and threats, I don't think we can even keep up with any records and reporting in terms of how many there are a day. MP O'Connell, you mentioned Atlantic Canada, the Newfoundland health care infrastructure that was impacted as well. It's a snowball effect. If one portion of critical infrastructure gets impacted, it impacts our economy and society, and it also impacts how foreign direct investment will happen in the future. How do foreign entities see us? Do they want to settle in Canada? Do they want to build a future here as businesses, as communities and as talent?

I see it as a two-way.... While we have trouble in front of our own door, within the country, it is also on a global level. How do we get perceived and how do we best align ourselves and ensure that we are...? This is the cyber tag line right now: Lead the global cybersecurity future and be the most secure country on the planet. Canada can be that, and I think Bill C-26 is a step forward, but we need to speed it up a little, as it has already been in discussion for quite some time.

Thank you.

February 5th, 2024 / 4:45 p.m.

CyberSecurity Service Line Executive, IBM Canada

Daina Proctor

Perhaps I can clarify that as well. My apologies if, during my opening statement, I indicated otherwise. Adherence isn't necessarily the encouragement that we would be offering. It's more that a number of aspects of Bill C-26 are much more far-reaching than established international standards for mature cybersecurity regimes, of our allies in particular.

It's not necessarily adherence to them, but more a recognition that we don't necessarily need to go beyond what they're already working towards in their private and public partnership and enablement of the industry.

I hope that gives a little bit of clarification. It's not necessarily an alignment to international standards, but a “not going farther than”, as we try to work together to bolster our critical infrastructure.

The Vice-Chair Conservative Doug Shipley

I would ask the clerk to take a recorded division, please.

(Motion agreed to: yeas 6; nays 4)

We will move on and get back to Bill C-26.

We'll start with six minutes for questions.

I believe Mr. McKinnon is first.

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

Mr. Motz seems to want to read the entire text of the judge's decision. At our last meeting, he didn't give his colleagues an opportunity to speak to his motion. I don't know if he intends to do the same thing today. I guess we won't have time to ask the witnesses questions.

I'm wondering if he can tell the committee how long he intends to speak on this. We must not waste the witnesses' time. They made the effort to come here to give us their comments on Bill C‑26.

If not, I will move that we vote on Mr. Motz's motion so that we can get back to studying the bill. That said, I don't know if he agrees with my proposal.

Daina Proctor CyberSecurity Service Line Executive, IBM Canada

Thank you.

My name is Daina Proctor. I'm the Canadian cybersecurity executive with IBM Canada, and it's a pleasure to be with you today speaking on the topic of Bill C-26.

There are three items that I would like to talk about with you today.

The first one is clarifying the core definitions within Bill C-26. Currently, Bill C-26 leaves much of the scope of the legislation to regulations. We believe it's critical to clarify the scope and the definitions in the legislation itself rather than delegate to the regulatory processes. Key terms used in the proposed law, such as “designated operators”, “confidential information” and “security incident”, are either too broadly described or not adequately articulated. We believe this committee should aim to address these definitions as much as possible, as this will enable a common understanding, increase enforceability and speed up the review when it comes time to draft the ensuing regulations.

Second is alignment with international standards. Canada's strategy and approach should be inserted into the collective efforts of our international community. As drafted, Bill C-26 carries various provisions that are not aligned with other mature cybersecurity regimes. The legislation does not differentiate between security levels of breaches. Furthermore, it includes potential incidents within the scope of its incident-reporting obligations, which could serve to overwhelm regulators with unnecessary and unhelpful information and place an unnecessary burden on industry.

The legislation's “immediate” reporting of cyber incidents, without a formal definition as to what would constitute “immediate”, is also problematic. Most jurisdictions allow for a 72-hour reporting window to allow injured parties to understand what has transpired, which in turn ensures that regulators receive a comprehensive report about actual findings.

The court has unfettered and overly broad jurisdiction when, under an act, it can impose criminal conviction, imprisonment terms, uncapped fines and personal liability, with administrative monetary penalties in the amount of $15 million that can accrue. This represents an entirely new regime and significant penalties far above those under other comparable pieces of legislation. The severity of such penalties and the enforcement action that may be taken will invariably create a chilling effect. Respectfully, the enforcement action that may be taken against individuals should be removed, or to the extent that such liability is considered necessary and proportionate, at a minimum there should be a defined standard to demonstrate the objective and substantiated culpability.

Last is avoiding government overreach. While IBM recognizes the need for compliance oversight, we specifically suggest clarification and refinement of the authorized powers belonging to the regulatory authority or persons who have the ability to enforce the provisions: namely, the ability to attend facilities, examine documents and records, and mandate internal audits, as well as unilateral broad discretion to impose remedial actions—all of these. We strongly encourage that these regulatory authorities and government access rights be limited in their scope and limited to certain critical situations that meet specific non-compliance thresholds.

In conclusion, IBM believes that the clarity around key definitions, enhanced harmonization with international standards and clear safeguards from potential government overreach would strengthen Bill C-26's mandate.

Thank you for your time. We welcome and look forward to addressing your questions.

Tiéoulé Traoré Government and Regulatory Affairs Executive, IBM Canada

Thank you, Mr. Chair.

I'm Tiéoulé Traoré. I'm the head of government and regulatory affairs for IBM Canada. On behalf of IBM Canada, I would like to thank this committee for the opportunity to testify on Bill C-26, and more specifically on part 2, the focus of our testimony.

The digitization of the global economy has increased the need for government and businesses to protect themselves from constantly evolving cyber-threats. Strong cybersecurity protocols should be viewed as digital foundations for all entities seeking to maximize the power of tools such as cloud, AI, and quantum computing.

IBM Canada fully supports the principles of Bill C‑26.

Indeed, Canada must ensure that its critical infrastructure is properly protected from cyberthreats. The skyrocketing number of cyber‑attacks is a global phenomenon that does not spare our country, so action is crucial.

However, to maximize the real impact of Bill C‑26, we argue that it should be amended by this committee. The focus should be on three points: clarifying definitions, aligning the bill with international standards and avoiding potential excesses.

My colleague Daina Proctor will now go through each recommendation.

Ulrike Bahr-Gedalia Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce

Mr. Chair and members of the committee, good afternoon. My name is Ulrike Bahr-Gedalia, and I'm the senior director of digital economy, technology and innovation at the Canadian Chamber of Commerce. I'm also the Canadian Chamber's architect and policy lead for the digital economy committee's future of artificial intelligence council and the “Cyber. Right. Now.” council.

As Canada's largest and most activated business network, representing over 400 chambers of commerce and boards of trade and more than 200,000 businesses of all sizes from all sectors of the economy and from every part of the country, the Canadian Chamber is pleased to have this opportunity to provide feedback on Bill C-26.

Our “Cyber. Right. Now.” council has been calling on government to prioritize cybersecurity and focus on a prevention-first approach and improved information sharing for close to three years. Today I'd like to share a few key recommendations and why cybersecurity is important to the Canadian Chamber and our members within the Canadian economy.

Over 98% of Canadian businesses are small or medium-sized enterprises. SMEs need greater cybersecurity threat awareness, protection and training to utilize the full suite of tools at their disposal and to keep Canadians safe from bad actors. Like other countries, Canada is facing an increasingly complex and risk-prone digital landscape. With a cybersecurity skills gap of some four million people globally, and an ever-increasing number of connected devices—at least 67 billion and counting—the challenges and costs associated with securing our digitally enabled world are increasing. But while every organization of every size and in every sector is at risk of a cyber breach, few carry the same real-world risk of a crippling cyber-attack as those in the critical infrastructure sector. This threat will only grow as our critical infrastructure increasingly relies on software and connected technology to power and support its operation.

We are pleased to see Bill C-26 proceed to committee study, and we support the bill overall. However, certain amendments are needed to ensure that the bill reaches its full potential. More specifically, our telecommunication members have expressed their concerns with respect to a few provisions in the Telecommunications Act, such as the lack of a due diligence defence for violations under section 15 in part 1, resulting in monetary penalties, and the extent of ministerial order-making powers. I will note that this defence is present elsewhere in Bill C-26, such as in relation to cyber directions in part 2, the CCSPA, as well as full due process for and parliamentary oversight of ministerial orders. I encourage the committee to reach out to the telecommunication providers, as it's important to hear from them first-hand.

With respect to the CCSPA, our members are seeking the following improvements.

The first is a clearer definition of a reportable cybersecurity incident. This will ensure that industry isn't forced to report events that do not pose a material threat to a vital system. Failure to clearly define the parameters for a reportable incident will undermine the purpose of Bill C-26 and overwhelm government authorities, who will have to process and assess each cyber incident reported.

The second is allowing for a 72-hour reporting period for cybersecurity incidents, as opposed to immediate reporting. Allowing for reporting within 72 hours provides organizations the time to investigate, and will harmonize with existing regimes, such as in the United States, one of our key trading partners.

Finally, two-way information sharing is crucial. As currently drafted, the CCSPA only contemplates one-way information sharing from designated operators to the government. We believe this is a missed opportunity and a potential weakness, and it underscores the prevention-first approach I noted earlier. The more information we have, the more we can work together and the better we can help prevent incidents.

Thank you for listening and for the opportunity to participate in the study of Bill C-26.

David Shipley Chief Executive Officer, Beauceron Security

Good afternoon.

My name is David Shipley, and I'm the chief executive officer and co-founder of Beauceron Security Inc. I'm also the co-chair of the Canadian Chamber of Commerce's cyber council. I'm a proud Canadian Forces veteran, having served with the Canadian Army Reserve in the 8th Canadian Hussars.

I'm not a computer scientist. My expertise and perspective today are based on my experience as CEO and co-founder of Beauceron. I do not see cybersecurity as a technological issue. It's a people and business risk issue.

I founded Beauceron Security in 2016. We now serve more than 750 organizations in Canada, the United States, Europe and Africa. We have helped more than 650,000 people learn how to spot, stop and report cyber-attacks. Beauceron Security has demonstrably reduced individual and organizational cyber risk. Our made-in-Canada solution is used by global banks, national telecommunications carriers, educational institutions, health care facilities, government and small business.

We live in a world where North Korean hackers steal billions of dollars of cryptocurrency to fund their nuclear weapons programs. Something that 25 years ago would have sounded too far-fetched to be even the plot of a James Bond movie is an all-too-real reality and is contributing to global instability today. It's also a world where a Canadian federal government IT worker by day becomes one of the most successful ransomware affiliates by night, making millions of dollars as a digital extortionist for an international criminal gang.

I share these real-life examples because they highlight the first point I want to make. When it comes to cyber, anything, even the bizarre, is not just possible but it is the norm. The challenge of managing cyber risk is to balance the incredible creativity of humans with the unpredictability of complex digital systems.

I know that for many this topic can be overwhelming. Many feel that they do not have the technical background to think about these issues. You may also feel, as legislators, that it is difficult to wrestle with this law.

However, please, this is not a technology issue. Throughout my career in cybersecurity and as a CEO of Beauceron, the root cause of every single cyber incident our customers and we have ever helped investigate has always been traced back to a combination of people, process, culture and technology. Cybersecurity has never been about technology alone, and it can never be solved by technology alone. The story is, has always been and will continue to be about the relationship between technology, people and control—which is, by the way, the actual meaning of the word “cyber”.

Reducing cyber risk to Canadians will require legislation and a regulatory regime tailored and developed collaboratively with industry. These regulations and directives must look at people, process, culture and technology-based risk controls.

I support the need for this legislation. We need this law now more than ever. We are far behind our allies, and we are risking the safety and prosperity of Canadians every day we delay. This legislation and the accompanying regulatory regime must ensure that a proactive, positive security culture is instilled and maintained within Canada's critical infrastructure firms. With some fine-tuning, I believe it can accomplish these goals.

I support the recommendations put forward by the Canadian Chamber of Commerce to improve the bill to ensure fairness, effectiveness and proportionality of the proposed legislation. In addition to their recommendation, I urge this committee to look at the following issues.

Number one, add due diligence defences to the proposed administrative monetary penalties. We need to create positive reasons to invest in security and compliance with legislation, and not just negative consequences for failure.

Number two, remove personal liability for individuals. At a time when the cybersecurity labour shortage is most acute, and when as many as 75% of the most senior cybersecurity leaders are considering a career change out of cybersecurity, adding a target on their heads will only make things worse and subvert the objectives of this legislation.

Number three, ensure regulators charged with creating industry-specific cybersecurity directives have the skills required to do so effectively. While regulators such as the Office of the Superintendent of Financial Institutions are experienced, others are being given responsibility for cyber for the first time. This legislation should require government collaboration with industry, such as what has already been done with the Canadian security telecommunications advisory committee.

Lastly, considering the recent news about Global Affairs, this legislation should limit the amount of sensitive data collected by regulators about cybersecurity defences of Canadian critical infrastructure, lest we inadvertently create a one-stop shop for hostile nation-states and criminals to learn how to cripple these vital sectors and firms.

The opportunity before you with Bill C-26 is to ensure that the Canadian people—

The Vice-Chair Conservative Doug Shipley

I'll ask the clerk for a recorded vote on that, please.

(Motion agreed to: yeas 6; nays 4)

We will start with Bill C-26.

I have a nice preamble here to introduce everybody. To save some time and to give you folks a little bit more time, maybe you could—I know this is very informal—say your name at the beginning of your five minutes, and that will hopefully give you guys a little bit more time, because we've already lost some time going into this.

We will start with our witnesses.

Mr. Shipley, do you want to go first? It rolls off the tongue nicely, doesn't it, Mr. Shipley?

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

I move my motion that we move to the business of Bill C-26.

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Mr. Chair, I move that we move to the business of Bill C-26.

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

If you want to move a dilatory motion not to go to Bill C-26 and deal with that, then I think you can explain that to Atlantic Canadians today, too.

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thank you, Mr. Chair.

Mr. Motz just made the point. He moved to suspend the debate. There was no clarification on when that debate would then continue. We moved on to Bill C-26. The meeting was not suspended; the meeting was adjourned.

There is a new notice of meeting. Therefore, if you would like to lift the suspended debate back to the floor, you would require a dilatory motion. It doesn't just continue, because the meeting was adjourned and the debate was suspended. However, there was no time and place given, and there was no agreement that it would start off at the beginning. If you can point that out in the blues, I'm happy for you to read that, but I know it doesn't exist.

Therefore, you require a motion to bring the suspended debate back to the floor. Otherwise the notice of meeting is here, and that's what we move forward on, because the meeting itself was adjourned.

Again, we have witnesses here. The Conservatives don't seem to care about safety. I find it interesting, Mr. Chair, on this point, that today we're seeing historic snowfalls in Atlantic Canada, where Canadians, the people there and in Cape Breton in particular, are worried about being able to get out, being able to access resources. In Bill C-26, actually part of this legislation deals with ensuring the sustainability of telecoms so that in the event of a natural disaster, like what we're seeing in Atlantic Canada right now, there are literal lifelines still available—

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

Thank you, Mr. Chair.

Thank you to the witnesses for giving their valuable time to be here with us on this study.

Mr. Shull, I liked your opening remarks. You cut to the chase, as they say. I appreciate that.

I've spoken to a few groups outside this committee, and most of them think that Bill C‑26 is a great step forward. Overall, they feel it's a good thing.

However, they have two key criticisms.

First, they are criticizing the fact that government is being given a great deal of power. This bill gives certain ministers the freedom to issue orders in council and interim orders, but it doesn't necessarily provide any details on that. We don't know how that might look.

Second, they find the sanctions too severe. You talked about tax incentives. If I'm not mistaken, rather than imposing sanctions, you're proposing that tax benefits or incentives be put in place for companies that would be required to set up a cybersecurity framework, for example. You look at the issue from another angle: We should make participation a little more voluntary, while ensuring compliance and making sure the information exchanged is protected.

Can you tell us a little more about that?

Peter Schiefke Liberal Vaudreuil—Soulanges, QC

Thank you very much, Mr. Chair. I would like to add my thanks to the witnesses for being here today in person and virtually.

Mr. Shull, I want to start with you.

First, thank you for using your opening remarks to provide solutions and ideas. In fact, that's why we're here. We're looking for ways to improve on Bill C-26 and ensure that we have a bill that protects Canadians while also ensuring that we protect their constitutional rights.

My first question for you is with regard to mandatory reporting for affected sectors and when there's a cybersecurity incident. Why is it important that we have that mandatory reporting?