Bill C-26

Mr. Speaker, it is always an honour to rise in this House on behalf of the people of my riding of Moose Jaw—Lake Centre—Lanigan.

The safety and security of our nation is of paramount importance, and I understand the need to enhance the safety and security of Canadians, both here at home and abroad. This would include many of our international corporations, which are large contributors to our economic base, and of course our own government institutions and interests. Having the opportunity to speak to cybersecurity in Canada gives us an opportunity to enhance or increase our country's ability to protect us from cyber-threats.

A significant concern for all Canadians is security. This concern has increased in recent times, as we see the rise in organized crime and gang-related offences, which have gone up 92%. The question I ask myself when I see this increase is this: Will the Liberal government be led by evidence and act on the evidence that has been reported?

Cybersecurity is extremely important for our nation to protect itself from inside and outside threats. I welcome Bill C-26, but I do have some concerns pertaining to the success of the bill, and one concern is about accountability. This is a question that we in opposition bring up every day in this House and regularly.

Bill C-26 is essentially divided into two different parts. The first part is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system, adding security as a policy objective; to bring the telecommunications sector in line with other infrastructure sectors; and to secure Canada's telecommunications system and prohibit the use of products and services provided by specific telecommunications service providers. This amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure and would remove or terminate 4G equipment by the year 2027. What stands out to me, which has been a concern, is the time that it took the government to react to enforce the ban on Huawei.

The second portion of this bill is to enact the critical cyber systems protection act, or CCSPA, designed to protect critical cyber systems and “systems that are vital to national security or public safety and that are delivered or operated...within the legislative authority of Parliament.” As a report by Norton Rose Fulbright notes, the purpose of the CCSPA is, first, to “[e]nsure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third-party products and services”; second, to “[p]rotect critical cyber systems from being compromised”; third, to “[e]nsure the proper detection of cybersecurity incidents”; and finally, to “[m]inimize the impacts of any cybersecurity incidents on critical cyber systems.”

The impacts of this bill would be far-reaching, and here are the things that need to be considered when this bill is in place. The government would have the power to receive, review, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada; to make mandatory cybersecurity programs for critical industries; and to enforce regulations through regulatory and legal enforcement, with potential financial penalties. With this in place, the Governor in Council and the Minister of Industry would be afforded additional powers.

As the report notes:

If any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks. While the Act doesn’t give any indication of what kind of steps will be required from operators, such steps may be prescribed by the regulations [at committee].

It goes on:

The Act also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems touching upon these vital services and systems. No indication is given as to what would constitute interference under the Act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the Act does not prescribe any timeline or give other indication as to how “immediately” should be interpreted.

Some deficiencies in Bill C-26, as it is presently drafted, can be listed as follows:

The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.

The secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.

There is a potential for excessive information sharing within the federal government and with international partners.

The costs associated with compliance with reforms may endanger the viability of smaller providers.

The vague drafting language means that the full contours of the legislation cannot be assessed.

There exists no recognition of privacy or other charter-protected rights as a counterbalance to the proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.

Should these recommendations or ones derived from them not be taken up, the government could be creating legislation that would require the public and telecommunications providers to simply trust that it knows what it is doing and that its actions are in the best interests of everyone.

Is it reaching the right decision to say that no need exists for broader public discussion concerning the kinds of protections that should be in place to protect the cybersecurity of Canada's telecommunications and networks? The government could amend its legislation to ensure its activities conform with Canada's democratic values and norms, as well as transparency and accountability.

If the government is truly focused on security for Canadians, should we not start by reviewing the gang and organized crime evidence showing that our present policies have failed? Should we not look at safety and security in our bail reform to protect innocent Canadians who become victims?

If Bill C-26 is a step in protecting Canada from cybersecurity threats, what is the review process to ensure compliance? What is the review process to ensure effectiveness and goals are met when we look at Bill C-75 regarding bail reform? The NDP-Liberal government is not interested in reviewing bail reform even though the evidence clearly shows that Bill C-75 failed.

Cybersecurity is important to our country's security, as are the victims of crime after their safety and security are violated. I am deeply concerned that the government is struggling with evidence-based information to review Bill C-26, as Bill C-75 and Bill C-5 are not supported by evidence. In fact, offenders and criminals are a higher priority than their victims are. My concern is if Bill C-26 requires amendment or review.

Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start.

In conclusion, I would like to see some clear accountability to ensure the objectives of this bill are met and that a proper review process is conducted that holds individuals, corporations, and most importantly, our government accountable.

Mr. Speaker, I salute my colleague from Avalon. It is true I do not have a good batting average. In three leadership races, I have never backed the right horse. However, I am very happy being a member of the Conservative Party of Canada, and it is where I belong. That is part of democracy.

We are straying from the topic. I invite my colleague to ask me a more specific question about Bill C-26, if he has one.

Mr. Speaker, as the member for Portneuf—Jacques-Cartier, I am pleased to rise today to speak to Bill C-26. I want to say hello to all of the families who are taking advantage of March break to do fun activities in the beautiful riding of Portneuf—Jacques-Cartier.

As I was saying, Bill C‑26 seeks to add the promotion of the security of the Canadian telecommunications system. It also seeks to provide a framework for the protection of the cyber systems that are vital to national security or public safety and create frameworks for the exchange of information.

It goes without saying that these issues are very important to the official opposition, of which I am very proud to be a member. It is no secret that my Conservative Party of Canada colleagues and I are, and always have been, great defenders of public safety. It is part of our DNA.

Industry and experts have asked the government many times to create cybersecurity standards, but it is important to act intelligently.

There is a lot of instability in our modern world, and threats can come from anywhere. Cyber-threats are nothing new. This is not a recent thing. It is clear that this weapon is used as much by foreign governments, which have their own motives, as by individuals or groups seeking to do harm or make money, for God knows what motives. It happens everywhere, on both small and very large scales.

Here are a few examples that illustrate this reality: data stolen from institutions or companies and held for ransom; the leak of personal information that affected millions of Desjardins members or customers in Quebec; and possible election interference from Beijing.

No, we are not going to question the outcome of previous elections here. We do not believe that interference changed the overall outcome of those elections. However, electoral integrity is the foundation of our democracy, and it must be ensured and maintained. As a Canadian, I have the privilege of going abroad, and people recognize that we are concerned about protecting our democracy. We need to put measures in place to continue that.

The fact remains that, over the past eight years, the government has been slow to crack down on cyber-threats. This is yet another example of a foot-dragging government finally coming up with a bill, but it turns out that bill has flaws that call for more thorough study in committee.

I know for a fact that this issue is really important to Canadians. We will do the work to make sure this bill is the one Canadians need and deserve. Yes, people want to be safe. Actually, since I was elected in 2015, my constituents have regularly told me they are increasingly concerned about this issue, especially over the past year.

What it comes down to is that confidence in the government and its ability to provide what people need and to keep its promises is essential. It is hard to have confidence in a government that keeps messing up pretty much everything.

I could go on and on about Bill C-13 as an example of a government that makes promises but does not deliver. The government recognizes the decline of French across the country, even in Quebec, but it is trying to impose a bill that does little to address that decline. I know that that is not the subject today, but everyone knows how much I care about official languages, and I had to pass on the message.

I would like to conclude by sharing a very real situation that occurred in my riding. One of my constituents wrote to me about a serious handling error made by Passport Canada.

I would like to inform the House that this is the first time this situation has been discussed publicly. He sent me a letter, and I would like to read it.

Dear Sir/Madam:

I am taking the time to write you a brief note to let you know about what I would describe as a “serious” security flaw within Passport Canada pertaining to the confidential information of Canadian citizens.

It is very important in terms of a timeline.

In early January, 2023, I applied for passports for my three children at Passport Canada.

On February 1, 2023, I received three envelopes containing our passport applications, which were rejected because we forgot to tick a box.

Inside the envelope I also received the rejected application of a woman from British Columbia. I therefore had in my possession her full identification, her passport and her credit card information. I returned those very sensitive documents by express post with a tracking number to Passport Canada.

I filed a complaint out of principle thinking that, although it was just a mistake, it was still worth reporting through Passport Canada's website, so I followed the official procedure. I got a call back. Passport Canada apologized. Nothing more. They refused to compensate me for the cost of returning the documents belonging to the woman from British Columbia. I was told, however, that our applications would be prioritized.

On February 15, 2023, I received four envelopes. I was quite pleased, as I thought we'd finally received our children's passports, but we have three children, not four. As it turns out, our children's passports weren't inside those envelopes. Instead, there were the passport applications (including full identification, passport, original birth certificates, complete credit card data, etc.) of four people from across Canada. These are four different people who have no connection to one another.

What is not stated in the letter is that these people were from Sherbrooke, Ontario, Manitoba and Alberta. That is incredible.

A few days later, we finally received our three children's passports.

As it is obvious, I don't feel I need to explain in my letter the seriousness of receiving the full identification of these people and information that could be used to carry out fraudulent financial transactions by total strangers.

We can't fathom that such mistakes would be made by a recognized federal organization such as Passport Canada, which manages the personal and financial information of so many Canadians. We can't believe that these are two isolated incidents.

This is a very simple task that requires putting the right documents in the right envelope. That's it.

I no longer trust Passport Canada's administration at all. That is why I am entrusting you with the identity documents, which don't belong to us.

I no longer trust Passport Canada's “internal” complaint process, as it will certainly try to cover up this failure, and will only offer an apology.

I am most pleased to read the following excerpt from the letter:

We trust our MP.

I'm always available to answer any questions.

Yes, cybersecurity matters, but the government also needs to take responsibility for the existing systems. It cannot even handle paper documents, but now it wants to allow a minister to step in and be able to manipulate and control information. I am concerned.

I have shown that we have a problem in Canada. We recognize that. We have a problem when it comes to cybersecurity, but we have a problem on other levels too. I would like to see this government take responsibility.

Like my constituent who gave me the documents mentioned, I had to ask myself, what do I do with these documents now? Do I return them to Passport Canada, or do I give them to the minister responsible here? That is a very important question.

Let us get back to the subject at hand, Bill C-26. I am very interested in having measures in place to protect us. It is important that we have confidence in our systems. As a member of the Conservative Party of Canada, I have a lot of confidence in the Conservative members who sit on the committee, as well as members of the Bloc Québécois, the NDP and even the Liberal Party. Things are normally supposed to be neutral in committee.

I must say that I believe in the future. Having said that, we need to put measures in place to have concrete results. Let us work in committee.

Madam Speaker, it is an honour to rise again in the House to speak to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. My Conservative colleagues and I, as has been indicated, support this legislation being sent to committee for further study, as it needs a lot of further work and amendments.

For those watching this debate, who have not had time to review the legislation, the bill has two main parts, as has been explained throughout the day. The first part would amend the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.

The second part of the bill would enact the critical cyber systems protection act, which is a new act, that attempts to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are designed to operate as part of a work, undertaking or business that is within the legislative authority of Parliament. Services and systems that would initially be designed and designated as vital are telecommunications systems, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems, banking systems, and clearing and settlement systems. Any additions to this list of vital systems can be made and added to by the Governor in Council.

The critical cyber systems protection act would have several components to it. It would authorize the Governor in Council to designate any service or system as a vital service or vital system; it would authorize the Governor in Council to establish classes of operators in respect of a vital service or vital system; it would require designated operators to, among other things, establish and implement cybersecurity programs, mitigate supply-chain and third-party risks, report cybersecurity incidents and comply with cybersecurity directions; it would provide for the exchange of information between relevant parties; and would authorize the enforcement of the obligations under the act and impose consequences for non-compliance. Those would be significant consequences, I might add.

On its face, it seems that the Liberals have finally awoken after eight years of doing absolutely nothing on this file, yet somehow they hastily scrambled to cobble together a proposition for sweeping changes to a regulatory framework, which this legislation would enact.

The Civil Liberties Association said, “The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.” We understand that a modernization in this field may be required to do so without the caveats of being necessary, proportionate and reasonable to take it one step too far for Canadians to accept.

For support of this argument, the Liberals only need to look at the research report from Citizen Lab, written by Christopher Parsons. The report is called “Cybersecurity Will Not Thrive in Darkness, A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. That report provides 30 recommendations that clearly lay out common sense changes and how this legislation could be improved to include transparency or at least apply limitations on the government's authoritarian use of power. For the benefit of the careless drafters and my Liberal colleagues across the way who would happily vote on any flawed legislation their leader tells them to without bothering with independent thought or even reading its criticisms, I will take some time and share the flaws.

Citizen Lab also seems to address what appears to be a recurring theme with the government: a lack of transparency and limitations on the government's authoritarian use of power. It too addresses that, “The minister may, by order, direct a telecommunications service provider to do anything or refrain from doing anything...that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.”

That, too, seems a little broad. Amendments need to be applied that include a limitation on the minister's powers, ensuring that actions are necessary, proportionate and reasonable. This government has proven that it cannot be trusted with powers without strict limitations. It is simply unable to self-regulate.

The Canadian Civil Liberties Association and Christopher Parsons agree again on the lack of privacy and broad provisions around information sharing.

The CCLA writes:

Also concerning are the very broad provisions around expanding information sharing with a long list of potential recipients including Ministers of Foreign Affairs and National Defence, the Canadian Security Intelligence Service (CSIS), and also, once an agreement is signed, with provincial governments, foreign governments, or international state organisations, again, at the Minister’s discretion. The Communications Security Establishment (CSE), Canada’s signals intelligence agency is also a key recipient of information.

The Citizen Lab review echos how the government ought to have included provisions that respect information privacy. To any Canadian listening, this does not sound like too much to ask. Specifically, the Citizen Lab report recommends that “information obtained from telecommunications providers should only be used for cybersecurity and information assurance activities".

It also recommends that “government should explain how it will use information and reveal the domestic agencies to which information is disclosed”. The report says “information obtained for telecommunications providers should only be used for cybersecurity information assurance activities”. It should only be used for “data retention periods”, and that it “should be attached to telecommunications provider's data”. Citizen Lab states that “data retention periods should be attached to foreign disclosures of information”. It also indicates that “telecommunications providers should be informed which foreign parties receive their information”, and “legislation should delimit the conditions wherein a private organization's information can be disclosed”.

Why does the government need to be told that its legislation has these fundamental flaws by outside organizations? Many are asking: Do these Liberals have no shame when it comes to the privacy of Canadians?

The CCLA further points out that, although there is an appeal process through judicial review, when the subject of an order finds it to be unreasonable or ungrounded, it suggests that, under Bill C-26, the government overlooks the basic, fair process that even a national security threat would receive. The Citizen Lab, on the other hand, discusses that the government fails to compensate for government intrusion into small business. Mr. Parsons proposes that the legislation should be amended such that telecommunications providers can seek moderation of “certain orders where implementing them would have a material impact on the provider's economic viability”.

In conclusion, while it is notable that the Liberal government has finally awakened to this topic, the legislation has again missed some pretty traditional marks of Liberal legislation. It leaves citizens at risk of major government overreach. It takes the privacy and information of Canadians for granted. It relies on a system of review that falls short of due process, and it leaves businesses susceptible to bearing the costs of an overbearing government. Lastly, this is typical lazy Liberal legislation.

Madam Speaker, I suggest that the member ask the member for Carleton, the Leader of the Opposition, to answer that question because I cannot speak for him other than to state that he has put out a very clear, definitive statement condemning the hashtags that were put on some videos, which he knew nothing about. I will leave my comments at that.

The last time I checked, we are debating Bill C-26, legislation that is needed to protect Canadians. It needs to be improved and debated to get it right so we can deal with threats of political interference from foreign states, such as the Communist Chinese government. That is of utmost importance to Canadians.

Madam Speaker, I will take maybe a different tack today to contribute to this debate on cybersecurity. I am going to tell a story about Tom and how he has been impacted by technological changes over the last couple of decades. Before I tell Tom's story, I have to share Emily's story with technology and why this legislation and changes to cybersecurity in Canada are so important and so needed.

Before I get into that, I think it is important to first lay out in simple terms what this bill is about from my current understanding. There are really two parts to the bill.

The first part is about amending the Telecommunications Act to address and fix the security needed for our Canadian telecommunications system. The bill would do this by addressing it through two means. First, it would “direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” As well, it would establish some monetary penalties tied to those changes.

The second part of the bill is all tied to the critical cyber systems protection act. It would provide the framework for the protection of our critical cyber systems, which are vital to national security and public safety. It would do that through five different aspects. First, it would authorize the government to designate those services that are vital to Canadians, those critical sorts of services, what they are and what systems are tied to them. Second, it would authorize the government to establish who is responsible for maintaining those systems. Third, it has how these cybersecurity incidents would be reported and how Canadians and institutions comply with those changes. Fourth, it lays out how information would be shared and, arguably, needs to be protected. Finally, it gives the “so what” of the enforcement and the consequences for non-compliance with the legislation.

In reality, this bill is quite lengthy and very technical, so I am going to focus most of my speech around two important aspects of the bill. The first aspect is the threats to cybersecurity. The second is information sharing and the need to protect Canadians' privacy rights while highlighting the important need for transparency. How would the government ensure the accountability of any institution affected by this bill, particularly the government itself, with the additional powers this legislation would grant it?

Let us get back to Emily. She is a senior citizen and a retired teacher. She uses a mix of online banking and billing, although she still prefers to handle the majority of her financial transactions right at the bank. She has a fledging social media presence mainly to stay in contact with her grandchildren and friends. She even has a TikTok account at her grandchildren's urging. We will see if she is going to change her mind and delete that sooner than later.

Being online and connected is essential to all Canadians now, more than ever, as a lot of Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. As I have mentioned, we have seen an increased dependency on the Internet, especially for government services. In the last few years, under the Liberal government, it continues to shift more and more government services online, while unfortunately decreasing service delivery for those without access to the Internet at the same time. I will not go into detail on all the shortfalls I see with the current approach, considering that a large portion of rural Canada still do not have access to high-speed or dependable Internet.

What threats does Emily face? She complains about getting emails and phone calls from people alleging to be affiliated with her bank or service providers. She wonders about the advertising that shows up on her social media feeds that align with something she only mentioned in an email to a friend. How is all of this happening?

To quote the director of CSIS from December 4, 2018, over four years ago, during a speech that he gave to Bay Street, which I have extracted from Stephanie Carvin's Stand on Guard, Mr. Vigneault stated that the greatest threat to our prosperity and national interest is “foreign influence and espionage.” While terrorism remains the number one threat to public safety, “other national security threats—such as foreign interference, cyber threats, and espionage—pose greater strategic challenges”.

In her book, Professor Carvin clearly lays out the risks associated with cyber-attacks, whether malware, ransomware, a targeting of critical infrastructure, denials of services or others. She talks about cyberterrorism, cyber-espionage and cybercrime, so how do we deal with this?

We deal with this not only through this legislation, but also, mainly for some of the challenges we have, as my colleague from Selkirk—Interlake—Eastman talked about in much greater detail earlier today in his speech, our Canadian Armed Forces, the Communications Security Establishment and even our federal police services, which have ways to deal with this. My colleague hinted that sometimes the best defence is a good offence.

Offensive cyber-operations are really not the bailiwick of this legislation, although I would offer that there is some overlap, as we look at a lot of these threats Canadians and Canadian institutions are facing are financed through cyber-attacks and more here at home. We need to tackle this and get the balance right.

The bottom line is Emily and Canadians like her being affected by all of these cyber risks. Professor Carvin pointed out that at least 10 million Canadians had their data compromised in 2017 alone. Unfortunately, this number is likely under-reported, and neither the government nor the private sector fully understand the scale of the problem. To sum up, the threats are huge.

Bill C-26 must balance privacy rights while ensuring national security. Increased use of encrypted apps, data being stored in the cloud on servers outside of Canada, IP protection and more factor into the challenges of getting this legislation right. In order to deal with these threats, the legislation would need to enable our security establishments with robust, flexible powers. However, these robust powers must come with clear guidance on how far and when to inform the public. This is essential in rebuilding our trust in our democratic institutions.

The Business Council of Canada has already publicly expressed concerns over the current draft of this legislation. It rightly identified that large companies, and also small- and medium-sized enterprises, are concerned that the sheer amount of red tape tied to this bill is extremely high.

We need to get the balance right. It is vital, and it is going to require significant expert testimony at committee. Although I would argue the legislation is desperately needed, and I would argue even late in coming, it needs to be done right and cannot be rushed through debate or review at the committee stage.

I have some final comments. This legislation is needed to protect Canadians. However, this legislation needs to be reviewed regularly and needs to include safeguards. I know if he gets the chance, the member for Winnipeg North might ask about what amendment we are recommending. There is no annual reporting mechanism in this bill, so the government should have to table an annual report to Parliament outlining the progress on this legislation, and include an updated cyber threat assessment to Canadians and what it has been hearing back from the companies impacted by this legislation.

Sean McFate, in this book The New Rules of War: Victory in the Age of Durable Disorder, wrote, “ Secrets and democracy are not compatible.... Democracy thrives in the light of information and transparency.”

Finally, I will conclude with Tom's story and how he has been impacted by technology. The bottom line is that he has not been. He does not have a cell phone. He does not use the Internet. He only pays in cash and does not have a credit card. The only way he is currently being impacted is when he shows up to try to get some federal services from the government. He cannot do it because he does not have any of that, and he cannot get anybody to show up in an office to work.

Madam Speaker, today I will be talking about the bill we have been discussing for the past few hours, Bill C‑26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.

From the outset, I would like to mention that in 2019, when I arrived in the House of Commons, the topic on everyone's lips was the data breach at Desjardins. To put things into context, at the time I was a member of the Standing Committee on Access to Information, Privacy and Ethics. I was determined to find out how we might protect privacy and decorrelate the social insurance number that we were using far too readily as a means of identification. My colleagues see where I am going with this.

It took a scandal for the government to do something about this. Now I am no longer a member of the Standing Committee on Access to Information, Privacy and Ethics, I am vice-chair of the Standing Committee on Procedure and House Affairs. Again, it took a scandal being uncovered by the media for the government to truly listen to us.

This is a case of being lax when it comes to the security of the electoral process and national security. I am addressing all those who are listening to us; I hear their concerns. For the past six months, the Standing Committee on Procedure and House Affairs has been looking into Chinese interference in our electoral process. It is likely that there will be an announcement in the near future that will once again demonstrate that we really need to sound the alarm to get things moving. Of course, the Bloc Québécois will always be vigilant. The Bloc Québécois will be there every time it is important to get to the bottom of various allegations or scandals. We will force the government to take action for our constituents, because they deserve it.

In light of all that, it goes without saying that Bill C‑26 is a step in the right direction. The bill introduced by the Minister of Public Safety aims to strengthen the security of Canada's telecommunications system. That said, I want to be honest. I have serious concerns. Over the past few years, my confidence in the government on security issues has been eroded. The government must not stick its head in the sand. Quebeckers need assurances. They need to be assured that this paternalistic and so-called well-intentioned government is doing its job, particularly in its areas of jurisdiction. That is all we ask and all we expect.

We know that China, Iran and Russia can be considered hostile powers that do not wish us well. When someone does not wish us well, we have to protect ourselves. The government absolutely has to come up with systems to guard against what we have seen since the latest scandals. We demand an explanation, and answers are to be expected, yet the government says everything will be fine and we should move on to other things. Unfortunately, our constituents feel betrayed and lack confidence in this government because it is not taking things seriously, as all the numbers indicate.

Regarding what is going on with Beijing specifically, I wonder if there is something we do not know. Why are we taking action so late in the game? Why are we always reacting? I am fed up with all this dissatisfaction. Every time I go back to my riding, my constituents want to talk to me about this, and I get why they are feeling discouraged.

As members know, I will be going to the United Kingdom. We are going to be taking a look at the procedures in different Commonwealth countries so we can implement other countries' best practices with respect to national defence and protection against interference in our elections.

I know that when having discussions with my colleagues, I am going to have to tell them that the process is ongoing even though the British and the Australians understand the situation and have taken action. The Americans, too, understand and are taking action. I am wondering if our closest allies, our Five Eyes partners, still have confidence in us.

For quite some time, the Bloc Québécois maintained that the government needed to tighten control over broadcasting. That is unequivocal. It was part of the discussion on the Huawei and 5G infrastructure file. We continued to call out the government for its indecision, which went on too long. This proves once again that we were right. However, international pressure from our closest allies was needed to make the government take action.

Everything is always so urgent. Urgency seems to be an imperative that really drives this government. We would like to see the government change its ways and become more proactive rather than reactive. With Bill C-26, I think we finally have a starting point. Obviously, there is a lot of work to be done to go further in terms of accountability, in terms of the legitimacy of disclosure on all sides, so we can prevent situations like the one we are in.

I agree that it is a noble goal. Of course I agree with everything about the security of our critical systems. Do we have everything we need right now to deal with both internal and external threats? The answer is no. That is what we have been told and what we continue hearing, at both the Standing Committee on Procedure and House Affairs and the Standing Committee on Access to Information, Privacy and Ethics. We must act. This bill must be quickly sent to committee to be fine-tuned and given some teeth. It is urgent.

I am making a wish and sending it out to the members of the government. I am asking them to always keep in mind our collective security. I trust that they will. We have faith, but we need to be proactive, smart. We also need to talk to our constituents, to speak to people's intelligence. They have suggestions. The G20 countries have good practices that we need to adopt as quickly as possible. We need to set aside partisanship in the interest of our democracy. We need to ensure that the legislation resulting from Bill C-26 really makes people feel safe and lets them know that there is a public, non-partisan institution there to watch out for threats.

The bill names six public organizations that will be given the power to order investigations to make sure things are being done right. I am talking about the Superintendent of Financial Institutions, the Minister of Industry, the Bank of Canada, the Canadian Nuclear Safety Commission, the Canadian Energy Regulator and the Minister of Transport. These are critical sectors of our society and our economy. We must not take threats lightly. Is this enough? We will need experts to tell us whether this is truly legitimate, both for whistle-blowers and for the dissemination of information, because people need to know.

Since I only have about 30 seconds left, I would like to say to those who were just here that the government took action with regard to TikTok because, once again, there was an urgent need to do so. I hope that any future interventions will be undertaken proactively.

Madam Speaker, it is a pleasure to rise on behalf of the good people of Central Okanagan—Similkameen—Nicola.

I welcome this debate because essentially what the government has put forward in the bill is two words: “Trust us”. We should trust the government and give it all these powers for the Telecommunications Act, expanding it drastically. We should trust the government when it comes to designating cybersecurity systems as being of such importance that a whole host of new rules should be put upon them. That is what the government is asking us to do.

This is the same government that took years to answer the question of whether we will allow Huawei in our 5G infrastructure. It is a question that has infuriated our allies because they expect Canada to be a trustworthy party in the Five Eyes' intelligence and sharing. It has also infuriated the companies themselves, as many had hoped to utilize the technology. Now, I was against the use of Huawei, but these enterprises are in a competitive venture and will take any particular opportunity to compete and try to lower their prices. However, this government wasted years for that infrastructure to be procured. I believe this also infuriated many Canadians who wanted a simple yes or no on Huawei.

I think the government went through three public safety ministers who said that an answer was coming. Finally, it said no, answering Conservative calls for “no way to Huawei”. However, now it has put forward a bill that would essentially give the power to the government. For example, the government would be able to bring forward an order that could not be reviewed by Parliament. In fact, the Statutory Instruments Act is being exempted from both the telecommunications component in Bill C-26 and the new cybersecurity part, the critical cyber systems protection act.

I am the co-chair of the Standing Joint Committee for the Scrutiny of Regulations, which is a committee tasked by the House and the other place to ensure that when the government creates an order or regulation, it does not exceed the authority granted to it by Parliament. We are able to make sure that when a department or ministry is charged with a delegated authority that it does so justly, and in light of the legislation, that it does not, ultra vires, exceed it.

However, in the legislation before us, the government is effectively saying that it gets to place secret orders that cannot be reviewed by Parliament. Now, members may say that they can go to a justice to be able to have a case heard in court. Again, who can be designated under this proposed bill is an open question. Someone could go in front of a justice, but guess what, Madam Speaker? The government reserves the right to actually make its accusations in a closed-door fashion where a person or company does not have to be there to defend themselves against the evidence that is brought to the court. There, a person or company may be subject to an order that is so secret that it cannot even be said within a closed hearing with an independent judge.

Now, some may say, “Well, so what? It is for national security.” However, we actually do not know. There are so many different organizations that can make powers here. Everyone from the responsible minister to the appropriate regulator, the minister of foreign affairs, the minister of national defence, the chief of the defence staff, the chief or an employee of the Communications Security Establishment, the director or an employee of the Canadian Security Intelligence Service or any other person or entity that is prescribed in the regulations can exert power.

“Trust us”, says the government. The government wants us to give it this power, and it will choose who can use it on whom; Parliament will never know anything about it. Even if a person or company protests, they will not be able to hear the evidence in court as to why they must comply.

Granted, I believe that, within Canada's interests, we should have the ability to work with providers around concerns, but I have great reservations on this. This bill says, “Trust us.” The government says this repeatedly. When we ask questions about foreign interference or share concerns about Huawei, the answer is, “Trust us.” This is not a respectful way to do it.

Let me tell everyone about a respectful way to do these things. Having brought forward a bill, it would perhaps be respectful to bring it to the committee stage first. There is a process where a committee can have hearings on potential legislation before it comes to this place for second reading. This offers the committee the flexibility to begin hearings and mould whether those powers are going to be broadly met in this House. In a minority setting, that would have been ideal.

However, that is the past; the government has brought forward this bill and we are at second reading. What would have been even better is to look at the example of Australia, which decided to hold a number of different inquiries over a period of years. I know the government is very sore around the subject of inquiries these days, but these commissions were set up and asked what information government should have, as well as how and with what kinds of regulations data should be regulated by government. Essentially, it took the approach that someone's personal data is their own, and they should be able to direct it.

Over a series of commissions, some with 800-page reports, they decided on a process for making changes. They would focus on privacy, deciding what the government could keep and could not keep, and they went through that legislative process. Then they said they were going to regulate industry by industry. We should notice that the proposed critical cyber systems protection act casts such a wide net that it could be anything from pipelines to sewage water treatment plants or air transit systems.

We do not know because the government just says to trust it. However, I know, and I am sure others know as well from experience, that every industry uses different technology. Therefore, a one-size-fits-all, big, bossy government, as the member for Carleton would probably call it, does not have the touchpoints or the understanding. All we know is that these orders can be placed on any industry at any time and that those orders will never be looked at by Parliament. To me, the government is asking for too much.

Again going to the Australian model, Australia said it was going to start with data privacy rights in telecommunications, energy systems and banking. It picked the industry that it was going to focus on and made sure it got it right before putting forward the new rules that allowed for a steady process. Instead of a holus-bolus process where everything gets thrown into Bill C-26 with the government telling Canadians, members of Parliament and members of the other place to just trust it, we could have had smart legislation that would be reviewed at committee. Hearings could be held, and we could find out what is reasonable for each industry and what is not. From a privacy standpoint, we could also ask what the government means when it designates someone under this act. Does it mean a person or a company? What are their rights and responsibilities? Unfortunately, this is all on the government side; it decides, saying, “Trust us.”

My colleagues and I will be seeing this bill go to committee. However, I have to protest in this place that this is not the way to make our systems better and provide more trust in our institutions. “Trust us” is not an argument, and the government should know better by now.

Madam Speaker, six years ago Statistics Canada found that more than one-fifth of all Canadian businesses were impacted by cybersecurity incidents, a sobering statistic in its own right. That was six years ago.

What we need to understand is that cyber-technology moves at a mile a minute. What is groundbreaking one year can become ordinary or obsolete even just a year later. I do not doubt that cyber-defence systems in Canada, both by the government and by private businesses, have become much more sophisticated throughout the last several years, but the technology used for cyber-attacks, whether by foreign or by domestic actors, has developed even more quickly.

We are seeing this play out in real time. Just a month ago, Indigo fell victim to a ransomware attack. Online purchases became impossible. In-store purchases could still happen, but only if one was carrying cash. Most alarming of all, information about the chain's employees was accessed. The situation continues to drag on, Canada's largest bookstore chain held for ransom. The emergency that Indigo finds itself in is terrible, but back in January the Russia-tied group that carried out this attack, LockBit, did something far more cruel when it hacked the SickKids Hospital in Toronto.

Those are just two examples of how cyberwarfare transpires in Canada, amongst thousands of other examples every single year. Today, particularly at a time when we know foreign powers are actively seeking to undermine Canada, its institutions and its critical infrastructure, it is time for the government to step in and put forward a cybersecurity strategy. It almost goes without saying that in this digital age, online systems run just about everything that keeps this nation up and running, including hospitals, banking and the energy that heats our homes.

What the government has failed to realize until now is that as these systems become more digitized, so too do they become more vulnerable. This was on full display when SickKids was hacked. Lab results, imaging results and the hospital's phone lines were wiped out for days before order was finally restored. Just in 2020, CRA was hacked, compromising the accounts of 13,000 Canadians. Bold action is what is needed to fight against attacks of that scale, and it is Parliament's job to provide that action.

When I look at a bill like Bill C-26, I start by thinking about what it would let the government do and whether that would be an improvement on our existing cybersecurity regime. In that regard, there is actually a lot to like here. Now more than ever, cyber-attacks can take place in little more than the blink of an eye. An attacker could dig its claws into a company's online system, inflict all the damage it wants, take all the information it wants, and it might be hours later than the affected company realizes what it is being done to it.

Having a rapid response to those incidents is absolutely critical. It is clear to me that the type of broad, sweeping powers contained in this bill would allow the government to provide that rapid response. It would also bring some much-needed cohesion to the link between the state and telecom providers. Right now, telecoms can decide to work with the government and prepare for a cyber-attack, but this is entirely voluntary. They can share information with the government, but only if they really feel like it.

As far as having a unified cybersecurity strategy goes, ours is laughable. It is about time that we act accordingly and fall in line with our Five Eyes allies. This bill covers such an important policy area, yet in so many ways it just does not get it right. It is another page in that long Liberal book entitled, “Having the right intention and making the wrong move”. I should not have to say this in a room full of parliamentarians, but here we are: the written text of a law actually matters.

A law needs to be clear. It needs direction. It needs guardrails. That is why it is so strange to come across a bill that lets a minister go up to a telecom provider and make them “do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” All the power goes to the minister with nothing in the way of guardrails constraining their power.

When I read this part of the bill, I was reminded of one of my favourite Abraham Lincoln quotes. Abraham Lincoln said, “Nearly all men can stand adversity, but if you want to test a man’s character, give him power.” That is what this section does, it provides immense power to the Minister of Industry, which is not abridged or protected in any way.

There is nothing wrong with a law that gives the government new powers, but in this case, with the cyber-threats that we are currently facing, that type of law is exactly what we need to get right now.

The problem here is that we are debating a bill today where those new powers are not specified and are not restricted whatsoever. Alongside the Canadian Civil Liberties Association, I am seriously concerned about the way that Bill C-26 would infringe on the privacy rights of Canadians.

This bill would allow the government to collect data from telecoms. With guardrails in place, this would actually make a lot of sense. The government might want to see the weak spots in a company's cybersecurity system, for example. With the government being able to get these companies to do anything, we do not have a clue what it will demand to collect.

As it stands now, there is no way of stopping them from collecting personal data and juggling it between various departments. Foreign affairs, defence, CSIS, anyone could take a look if the state decides that it is relevant.

At the minister's discretion, the data could even go to foreign governments. Again, this all comes back to the problem of unchecked power. With zero restraints in place, we can only assume the worst. Like so many bills under the Liberal government, what we are seeing here is a government-knows-best approach.

I am really not sure how it can defend this level of information sharing. “Well, yes, we could share one's personal information, but we definitely will not do that.”

It wants Canadians to give it the benefit of the doubt. The government is well past the point of being given the benefit of the doubt.

The Canadian Civil Liberties Association says that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.

A number of organizations and individuals have raised red flags. The Business Council of Canada wrote to the Minister of Public Safety, expressing the business community's concerns about Bill C-26, including the potential of brain drain, as the result of personal liability and unduly high monetary and criminal penalties.

The council also expressed concerns that information sharing is one-way. Operators are required to provide information to government but receive nothing back from government.

The bill misses the opportunity to implement an information-sharing regime that could benefit all operators subject to the law.

Aaron Shull, managing director of the Centre for International Governance Innovation said that Ottawa should deploy a wide range of strategies, including tax breaks to individual small businesses, to take cybersecurity more seriously.

The Munk School issued a report on Bill C-26 where they itemized a series of deficiencies including that “the breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.”

There are massive, glaring issues in Bill C-26.

What is so unfortunate about this is that I think that enhancing Canada's cybersecurity is something that all parties can get behind. I am willing to see this bill move forward but it is going to need some major amendments in committee, amendments that protect civil liberties and constrain abuse.

There needs to be a threshold test, providing that an order being given by the government is proportionate, reasonable and, above all else, necessary. The minister should have to table reports, annually perhaps. How many orders did they issue in a given year? What kinds of orders, broadly speaking?

If the government mishandles someone's personal information, which it likely will, this bill needs to make it clear that those people will be compensated.

We find ourselves debating another highly important, poorly crafted bill, courtesy of the Liberal government.

I want to see this bill go to committee so that experts, especially those with a focus on civil liberties, can help make this bill work.

To be clear, if the issues in this bill concerning privacy and impacts to businesses are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee.

After all, if the Liberals cannot manage Canada's cybersecurity, they can just get out of the way and let Conservatives handle it.

Madam Speaker, it is with great pleasure that I rise to discuss Bill C-26, an act respecting cybersecurity. I will be addressing elements of the legislation that deal with securing Canada's telecommunications system.

As Canadians rely more and more on digital communication, it is critical that our telecommunications system is secure. Let me assure the House that the Government of Canada takes the security of that system seriously. That is why we conducted a review of 5G technology and the associated security and economic considerations. It is clear that 5G technology holds lots of promise for Canadians: advanced telemedicine, connected and autonomous vehicles, smart cities, clean energy, precision agriculture, smart mining, and lots more.

However, our security review also made it clear that 5G technology will introduce new security concerns that malicious actors could exploit. Hostile actors have long sought and will continue to seek to exploit vulnerabilities in our telecommunications system. The Canadian Security Intelligence Service recognized this in its most recent public annual report. The report said, “Canada remains a target for malicious cyber-enabled espionage, sabotage, foreign influence, and terrorism related activities, which pose significant threats to Canada’s national security, its interests and its economic stability.”

The report said that cyber-actors conduct malicious activities to advance their political, economic, military, security and ideological interests. These actors seek to compromise government and private sector computer systems by manipulating their users or exploiting security vulnerabilities. The CSIS report also highlighted the increasing cyber-threat that ransomware poses.

The Communications Security Establishment has similarly raised concerns about threats like ransomware in recent public threat assessments. We have seen how such attacks by criminal actors threaten to publish victims' data or block access to it unless a ransom is paid. It is not just cybercriminals doing this. CSIS has warned that state actors are increasingly using these tactics, often through proxies, to advance their objectives and evade attribution.

To be sure, Canadians, industry and government have worked hard to this point to defend our telecom system, but we must always be alert and always be guarding against the next attacks. This has become more important as people are now often working remotely from home office environments, and the challenges are accentuated by the 5G technology. In 5G systems, sensitive functions will become increasingly decentralized to be able to be faster where speed is needed. We all recognize cell towers in our communities and along our highways, and 5G networks will add a multitude of smaller access points in order to increase speeds. The devices the 5G network will connect to will also grow exponentially. Given the greater interconnectedness and interdependence of 5G networks, a breach in this environment could have a more significant impact on the safety of Canadians than with the older technology. Bad actors could have more of an impact on our critical infrastructure than before.

The security review we conducted found that, for Canada to reap the benefits of 5G, the government needs to be properly equipped to promote the security of the telecommunications system. We need to be able to adapt to the changing technology and the threat environment.

Now, for these reasons, we are proposing amendments to the Telecommunications Act. The amendments would ensure that the security of our telecommunications system remains an overriding objective. This bill would add to the list of objectives set out in section 7 of the Telecommunications Act. It would add the words “to promote the security of the Canadian telecommunications system.” It is important to have these words specified in law. It would mean that the government would be able to exercise its power under the legislation for the purposes of securing Canada's telecommunications system.

The amendments also include authorities to prohibit Canadian telecommunication service providers from providing and using products and services from high-risk suppliers in 5G and 4G networks if deemed necessary after consultation with the telecommunications providers and other stakeholders. They would also give the government the authority to require telecommunications service providers to take any other actions to promote the security of the telecom networks, upon which all critical infrastructures depend.

We have listened to our security experts, Canadians and our allies, and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canadian competitiveness, economic stability and long-term prosperity.

It is clear that the telecommunications infrastructure has become increasingly essential, and it must be secure and resilient. Telecommunications present an economic opportunity, one that grows our economy and creates jobs.

The amendments to the Telecommunications Act accompany the proposed critical cyber systems protection act. This bill will improve designated organizations' ability to prepare, prevent, respond to and recover from all types of cyber incidents, including ransomware. It will designate telecommunications as a vital service.

Together, this legislative package will strengthen our ability to defend telecommunications and other critical sectors, such as finance, energy and transportation, that Canadians rely on every single day.

The legislation before us today fits with the Government of Canada's telecommunications reliability agenda. Under this agenda, we intend to promote robust networks and systems, strengthen accountability and coordinated planning and preparedness.

Canadians depend on telecommunications services in all aspects of their lives, and the security and reliability of the network has never been more crucial. They are fundamental to the safety, prosperity and well-being of Canadians.

We will work tirelessly to keep Canadians safe and able to communicate securely. This legislation is an important tool to enable us to do that.

Madam Speaker, I am proud to rise in the House today to speak to this important legislation on behalf of the good people of Barrie—Springwater—Oro-Medonte. I am pleased to see Bill C-26 come forward in the House. Improving the resiliency of our critical infrastructure is of the utmost importance to our national security and the everyday safety of Canadians.

This legislation consists of two separate parts. The first portion, among other things, would give the Governor in Council powers to order telecommunications providers to secure their systems against threats and to remove malicious actors from our telecommunications infrastructure. The second portion would create the critical cyber systems protection act, which would establish a cybersecurity compliance framework for federally regulated critical infrastructure operators. This would specifically regulate the sectors of finance, telecommunications, energy and transportation.

I believe that in principle, this legislation appears promising. I think we can all agree that we need a robust cybersecurity framework in Canada. However, it is worth noting that under the current government, we have done the least to bolster our resilience to cyber-attacks compared to all other Five Eyes partners. We lag behind our western allies in national security, and as such, Canada has failed to secure our critical infrastructure against complex and ever-evolving cyber-threats in the modern world. Therefore, before I get into the specific merits and deficiencies of this legislation, I want to speak about the emerging threats to our critical infrastructure and the pressing need to protect our national security.

Threats to our critical infrastructure are real and imminent. In fact, Caroline Xavier, chief of the Communications Security Establishment, or CSE, recently testified before the public safety and national security committee and stated, “cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses.” She also noted, “Critical infrastructure operators and large enterprises are some of the most lucrative targets.”

While there are several forms of cyber-attacks that our critical infrastructure operators are vulnerable to, the Canadian Centre for Cyber Security has noted in its most recent annual national cyber-threat assessment that ransomware is the most disruptive form of cybercrime facing Canadians and that critical infrastructure operators are more likely to pay ransoms to cybercriminals to avoid disruption. For example, in 2018, cybercriminals deployed a malicious software and successfully held the city hall of a municipal government in Ontario hostage, which resulted in that government paying $35,000 to the hackers to avoid disruption. However, this is not always an effective strategy. A survey of Canadian businesses found that only 42% of organizations that paid ransoms to cybercriminals had their data completely restored.

In 2021, the CSE stated that it was informed of 304 ransomware incidents against Canadian victims, with over half of them in critical infrastructure. However, it acknowledged that cyber-incidents are significantly under-reported, and the true number of victims is much higher.

The enormous economic toll that these cyber-breaches have on Canadian companies is worth noting. According to IBM, in 2022, the average cost of a data breach, which includes but is not limited to ransomware, to Canadian firms was $7 million. There is currently no framework to ensure that companies report when they are victims of these attacks. I will acknowledge that the legislation before us takes steps to address this pervasive issue that Canadians are facing; however, it is certainly an overdue effort.

We saw the damage a cyber-attack of this magnitude can cause in May 2021, when a U.S. energy company was subject to a ransomware attack carried out by a Russian-based criminal group that successfully extorted roughly $4.3 million in coin-based currency. As members may remember, this attack disrupted the largest fuel line in the U.S. for five days and led to President Biden calling a national state of emergency. In 2021, at the U.S. Senate committee on homeland security, the CEO of that company testified that he had no emergency preparedness plan in place that specifically mentioned “ransom or action to ransom”. This incident underscores the fact that we as a country must enhance preparedness and improve the resiliency of our critical infrastructure in order to avoid similar incidents.

Therefore, I am pleased to see this proposed legislation come forward. However, it is worth noting that this is the first substantive legislative response to this issue during the government’s tenure, despite a steady increase in cyber-threats over the years.

The entirety of our federally regulated critical infrastructure is connected to the Internet in some way, and it is extremely important to prevent malicious actors from setting up on our infrastructure and attacking it. Previously, there has been no mechanism for the government to formally remove a company from our telecommunications networks.

The clearest example of the need for this mechanism would be the controversy surrounding Huawei, a company that was part of the design of our 5G networks despite glaring national security concerns related to its activities and relationship to the Communist Party in Beijing. It is a significant move that this company will be kicked off our servers, but it is a delayed one. We know that under China's national intelligence law, the CCP has the authority to instruct any company to hand over information to support, assist and co-operate with state intelligence work. Accordingly, we ought to be cautious and avoid contracting with companies that could potentially compromise the security of our critical infrastructure.

It is certainly positive that Canada will be able to kick malicious actors such as Huawei off our networks. However, many have noted that we lessened our credibility among the Five Eyes nations due to our delayed response to this issue. Indeed, the United States lobbied Canada for years to exclude Huawei from our 5G mobile networks and warned that it would reconsider intelligence sharing with any countries that use Huawei equipment.

In some respects, this legislation is a positive step toward establishing a baseline standard of care for organizations whose functions are integral to our critical infrastructure. As I have previously mentioned, incidents of cyber-attacks often go unreported or under-reported. This legislation's mandatory reporting mechanism, which specifies that a designated operator must immediately report an incident to the CSE and the appropriate regulator, is a welcome step toward addressing this issue. However, the act does not prescribe any timeline or give any other information as to how “immediately” should be interpreted by an operator.

As I have just laid out, there are aspects of this legislation that my Conservative colleagues and I fully support. However, I have concerns with several elements of the bill.

First and foremost, there is a complete lack of oversight over the sweeping new powers afforded to the cabinet ministers, regulators and government agencies mentioned in this legislation. Alongside a lack of oversight, there is little information on the breadth of what the government might order a telecommunications operator to do.

It is evident that this bill draws on much of Australia's legislative model, which was first introduced in 2018 and eventually amended. However, we did not follow suit in terms of the oversight measures Australia included in its critical infrastructure protection act. Notably, Australia introduced political accountability mechanisms alongside its legislation, including a requirement for regular reporting, an independent review and the production of a written report. The Conservatives would like to see annual reporting from the minister on what actions have been taken and a public disclosure of the orders that the government is making under these newly afforded powers.

In terms of concerns from the public, we have heard from a number of organizations that are concerned that elements of this legislation undermine the privacy rights of Canadians. In September of last year, several privacy rights organizations signed an open letter to the Minister of Public Safety, which laid out their concerns with Bill C-26. For example, they were concerned about the sweeping new powers this legislation would give to the government over access to the personal data of Canadians and the data of companies. They noted that Bill C-26 “may enable the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”

I think we can all agree that while enacting measures to improve the resilience of our critical infrastructure is of the utmost importance, civil liberties and privacy must be fully respected when drafting those measures. On the other hand, we have heard from stakeholders who are concerned about the regulatory burden this legislation may have on businesses, especially small and medium enterprises.

Many stakeholders have noted that the high costs and business impacts of a cyber-incident already incentivize companies to ensure rigorous cybersecurity protocols. Recent statistics released by Statistics Canada found that in 2021, Canadian businesses spent over $10 billion on cybersecurity, a 41% increase compared to 2019. Many stakeholders have noted that the proposed penalties related to this act, which reach up to $15 million and five years of jail time, are touted as being intended to promote compliance rather than to punish. However, I think we can all agree that a $15-million fine would indeed be unduly punitive on a small business that may be subject to this act. Therefore, we must ensure that fines and compliance costs are distributed evenly so as not to stifle competition and endanger the viability of small and medium enterprises in our critical infrastructure sectors.

Finally, we face a problem related to definitions and the scope of this bill. Various terms are not defined, including what constitutes a cyber-incident, and it is not immediately clear how the government will determine who is subject to this legislation. I look forward to receiving an explanation from the government to demystify some of the vague language found within it.

To conclude, a threat to our critical infrastructure is a threat to our national security. I think all parties agree that the government must take strong and immediate action against cyber-attacks. We support this bill in principle, but we believe that it needs to be amended significantly to ensure greater transparency and accountability from the government and future governments. I look forward to studying and amending this bill at the public safety committee with my colleagues across all parties.

Madam Speaker, I think everybody in the House agrees that we need to up our game in this country to protect Canadians and our society from cyber-attacks.

My specific question has to do with certain specific vulnerable groups. I am thinking of young people, particularly teenagers between the ages, say, of 13 and 19. Even more particularly I am thinking of young girls and women who may be subject to all sorts of cyber-bullying and other offences, as well as seniors who can be victims of cyber-fraud.

I am wondering if my hon. colleague has any thoughts as to how Bill C-26 might impact those particularly vulnerable groups and what suggestions he may have legislatively to help protect them.

Madam Speaker, it took eight long years for the Liberal government to recognize that cybersecurity threats exist in this country and around the world. Congratulations to them for coming to the party a little late.

The Liberals have now presented a bill to try to address issues of cybersecurity in the country. As I said, it took them eight years to get there, but I have to say I am pleased that the Liberals have decided to finally do something. I look forward to this bill being passed so that it can be extensively studied at committee.

There are some things in this bill that are good. I know praising the Liberal government is strange territory for me, but I will say that the bill would give the government some tools to respond quickly to cyber-threats. There is currently no explicit legislative authority in the Telecommunications Act to ensure that telecom providers are suitably prepared for cyber-attacks. This is a good reason why this bill should probably move forward to committee to be studied.

The challenge I have, though, includes a whole number of things. My issue with the government is trust. While I do want this legislation to go to committee, I have extraordinary concerns about this bill. Many of these concerns have been raised by many groups across the country, and I do want to speak to some of those in the probably somewhat whimsical hope that the government will listen and take some of these amendments seriously.

There has been a very bad track record of the government responding to concerns from the opposition or from outside organizations with respect to legislation. There is a view that the Liberals are going to do what they want to do on pieces of legislation and that they really do not care what other people have to say. I am very concerned that the government is not going to listen to the very serious concerns that have been raised about this bill.

I have my own concerns when I look at how the government has behaved with respect to other pieces of legislation. We have to look at Bill C-11. There has been a multitude of organizations that have said the bill needs further amendment. Margaret Atwood has said that she has grave concerns about the legislation, that she supports the intent but has grave concerns about the implementation and how it is going to affect artists and content creators. We have had folks who compete in the YouTube sphere who have raised all kinds of concerns about Bill C-11, and the government's response has been that it does not care what they have to say, and that it is going forward with the legislation as it is.

The Senate has made a number of amendments to Bill C-11. I suspect the government's attitude is going to be the same, which is that it does not care what the amendments are and that it is going to proceed with the bill as it sees fit.

We also have only to look to Bill C-21 as well. We had the minister clearly not aware of what constituted a hunting rifle and a hunting gun. The Liberals introduced amendments at committee, and it took extraordinary push-back from Canadians from coast to coast to coast to get them to wake up and withdraw those amendments that they had put in at the last minute.

What it speaks to is that, despite having at its disposal the entire apparatus of the Canadian government, the Liberals are still unable to get legislation right. It takes an enormous amount of effort and hue and cry across the country saying that this has to stop and that this has to be changed. If there is not a massive uprising, the government tends not to listen to the legitimate concerns of other constituents or other groups when it introduces legislation.

With that context, it is why I have real concerns that the government is not going to listen to some of the serious concerns that have been raised with respect to Bill C-26. I am going to go through some of those.

The Canadian Civil Liberties Association has some very serious concerns. It has issued a joint letter that says that the bill is deeply problematic and needs fixing, because it risks undermining our privacy rights and the principles of accountable governance and judicial due process. This is a big bell that is going off, and I hope the government is listening. As I have said, I do not have a lot of faith, given other pieces of legislation where thoughtful amendments have been put forward and the government decided not to do anything with them.

I want to enumerate a few of the concerns from the Canadian Civil Liberties Association. On increased surveillance, it says that the bill would allow the federal government “to secretly order telecom providers” to “do anything or refrain from doing anything necessary...to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption”.

That is a pretty broad power. Where is the government putting the guardrails in that would limit the effects of this or protect the privacy rights of Canadians? That is something I think is incredibly concerning.

On the termination of essential services, Bill C-26 would allow the government to bar a person or a company from being able to receive specific services and bar any company from offering these services to others by secret government order.

Where are we going to have the checks and safety checks on this? Unfortunately, I am not in a position where I think I can trust the government to do the right thing on these things. We have seen it through vaccine mandates, in the legislation on Bill C-21 and in how the Liberals are trying to push through Bill C-11 without listening to reasoned amendments. If reasonable concerns are raised about Bill C-26, I just do not have faith the Liberals are going to take those concerns seriously and make the amendments that are necessary. I really hope they do.

On undermining privacy, the bill would provide for the collection of data from designated operators, which would potentially allow the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations. When someone takes the de-identified personal information of Canadians and does not say how they are going to deal with it or what protections they have in place to make sure it is not misused, what happens in the event that they take that information and somehow there is a government breach? Where does that information go? These are things I think we should be extraordinarily concerned about.

There was also an analysis provided with respect to this by Christopher Parsons, in a report subtitled “A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. Parsons raises concerns about vague language. The report notes that key terms in the bill, such as “interference”, “manipulation” and “disruption”, which trigger the government's ability to make orders binding on telecom service providers, are unidentified.

Where are the guardrails in the legislation to prevent government overreach and therefore protect Canadians? This is something that I think all Canadians should be watching and be very concerned about. They should be letting their voices be heard by the government on this.

The report talks about how the minister of industry's scope of power to make orders is also undefined. We would be giving a whole host of undefined powers to the minister and the government that would allow them to have all kinds of sensitive information. These are things that may be necessary, but I do not know. They are highly concerning to me. They should be highly concerning to Canadians, and I hope the government will hear from real experts at committee.

Let us not have a two-day committee study where we think Bill C-26 is perfect as it is and bring it back to the House of Commons, bring in time allocation or closure and pass it through. We have seen that story before, and we do not want to see it with the piece of legislation before us. My really big hope is that the government is going to take the time to really consider the seriousness and breadth of Bill C-26 and make sure we have the ways to protect Canadians.

I just want to add that the Business Council of Canada has released its own letter to the Minister of Public Safety, expressing its incredibly deep concerns with respect to the bill: there is a lack of a risk-based approach, information sharing is one-way and the legal threshold for issuing directions is too low.

There are three reports, right there, that are outlining significant concerns with Bill C-26, and I, for one, just do not believe the government is going to listen or get it right. It does not have the track record of doing so, but I am hoping it will, because cybersecurity is incredibly serious as we move toward a digital economy in so many ways. I really hope the government is going to listen to these things, take them seriously, do the hard work at committee and bring forward whatever amendments need to be brought forward, or, if the amendments are brought forward by the opposition, listen to and implement those amendments.