Bill C-26

Madam Speaker, we all have to be concerned about the rapid deployment of new technologies and how they can be used nefariously to attack Canadians. This comes back to Bill C-26 as well. Again, the government would be putting all the onus on corporate Canada to protect us, but at the same time, I wonder who will do the R&D, who will step up to ensure our technology and our ability to defend ourselves is deployed across the spectrum, whether it is government agencies, government departments, our provincial and territorial partners or corporate Canada. How are we going to ensure the safety of Canadians when it comes down to their personal information and ID, especially if we are seeing new malware out there that will harvest and hack passwords in a matter of seconds?

We have to be investing in R&D. The government has a responsibility and role to get it done, but we do not see that in Bill C-26.

Madam Speaker, when look at Bill C-26, I want to assure the member that the government has made very clear the importance of privacy rights. In fact, it was a Liberal administration that brought in the Charter of Rights, understanding and appreciating just how important privacy rights were. The legislation, which the Conservative Party is voting in favour of, and I grateful for that, is there to protect the integrity of the system. As we move more and more into that digital world, cyber-threats are very real and can have a profoundly negative impact. That is why we have to bring forward the legislation.

Given the potential threats to things such as the delivery of health care services to interactions on the net by Canadians, would the member not agree that it is important that legislation of this nature continue not only to deal with the threats but to build confidence in the system with Canadians?

Madam Speaker, I am pleased to be able to rise in this place today and speak to Bill C-26, a bill that we as Conservatives are supporting to get to committee.

I have a lot of concerns around the bill itself, in terms of making sure that the government did not make a number of errors in judgment in putting it together. These concerns are based on the feedback we have received from Canadians and from organizations, especially on the issues surrounding privacy and the costs that have been offloaded to the private sector.

I also have to raise my concerns. Here we are, eight long years under the Liberal government, and we know that, when it has come down to cybersecurity, it has been slow in responding. A good case in point was banning Huawei from our critical infrastructure, our 5G network. We know that the Liberals sat on their hands and tried to do nothing for most of the past seven years, before they were finally forced to act after a great deal of pressure was brought upon them by our allies, especially within the Five Eyes.

Cybersecurity and national defence go hand in hand. When we talk about our national defence and national security, we know that hybrid warfare has evolved.

It is now about more than just targeting military assets; it is about targeting the entire government as it is at play. All we have to do is look at what is happening in Ukraine today, as well as what has happened to a number of other allies we have, through NATO, in eastern Europe.

We see the troll farms in St. Petersburg constantly attacking, on Facebook and on Twitter, the military individuals, the soldiers and troops, serving there. They also attack things like critical infrastructure in countries where Canadians are currently deployed, like Latvia. As we have witnessed in Ukraine and Estonia, they have not just gone after them through direct kinetic means to take out critical infrastructure, but they have also gone through cyberwarfare as well.

The Russians have done this very effectively in knocking down financial systems, knocking down transportation systems, and taking out power and water infrastructure in places like Estonia. As a prelude to the war in Ukraine, before they had actually started bombing these civilian targets in Ukraine, they were attacking them on cyber. It is part of hybrid warfare and it is the evolution of war.

There is a responsibility upon the Government of Canada to ensure that we are protecting not just our national infrastructure and the Government of Canada, that we are not just using CSE, or Communications Security Establishment, to protect national defence, but that we are also using a plethora of capabilities to ensure that our infrastructure here in Canada is protected.

That includes preventing our adversaries from going after our soft targets. That is what I think Bill C-26 is trying to accomplish, to ensure that telecommunications companies in Canada are stepping up to do their share to protect Canadians from cyber-attacks. We know that cyber-attackers have gone after things like our health care systems. They have gone after the medical records of Canadians. They have gone after the education records of students at schools and at universities. They go after retailers. They can go in through a retailer's back door, harvest all sorts of personal data, especially credit card information, and then use that for raising money, for transnational criminal gangs or for ransomware, as we have witnessed as well.

We must remember that we have a number of a maligned foreign actors at play here in Canada now and against our allies. It was just reported, again, that the People's Liberation Army was found guilty of hacking into U.S. critical infrastructure.

We know that the People's Liberation Army, under the control of the communist regime in Beijing, continues to attack cybersecurity assets around the world, including trying to break through the Canadian cybersecurity walls of our government and national defence on a daily basis.

As I mentioned, Russia has become very good at this. That does not mean that it is concentrating only on its near sphere of influence, NATO members in eastern Europe like Estonia, Latvia and Lithuania, but it is also targeting Ukraine. We know that it is targeting Moldova. We know that it has gone after countries like Romania, but it also does cyber-attacks here in Canada and in the United States.

Russia continues to be an adversary and we have to stand on guard to protect Canadians from those attacks.

We know that Iran, the regime in Tehran, is continuing to be a government that attacks its neighbours and attacks Israel and Canada through cyber-means. North Korea has developed an entire cybersecurity and cyberwarfare unit and continues not to just wreak havoc with the democratically elected, peaceful South Korea, but has also gone after Japan and the Philippines, and is going after U.S. infrastructure as well. Therefore, we have to take the necessary steps to make sure we can deal with transnational criminal organizations, with nefarious foreign states and with those who are trying to get rich through ransomware.

Here in Canada just a couple of years ago, we saw a situation in regard to the Royal Military College in Kingston, which the member for Kingston and the Islands is certainly aware of. The Department of National Defence stated that RMC had been a target. It originally called it a mass phishing campaign, but a month after the incident, it was established that the phishing campaign was actually a cyber-attack going after financial information and personal data of cadets. These had been compromised and published on the dark web, and were made available to a lot of people who participate on the dark web to profiteer from that information.

According to several observers who looked at the hack of RMC Kingston, it was attributed to a cybercriminal group called DoppelPaymer that did not seem to be connected to a nation-state actor. There are criminal organizations out there that are going about their criminal activities in such a way as to extract dollars from governments, retailers and private citizens, as well as from other corporations, to line their pockets and continue doing other nefarious things that sometimes go beyond the cyberworld.

I have said in the past, when we have talked about other legislation here dealing with cybersecurity, that we not only need the ability to defend, but also that the government has the responsibility, especially under national defence, to attack using cybersecurity. We cannot just be here deflecting the arrows; sometimes we have to be able to shoot down the archer. The way we do that is by having a very robust cybersecurity system. We need the best capabilities and the best personnel who are able not only to sit here and defend, that is to put up shields and fight off the attacks, but also are able to go out there and take out the adversaries, to knock out their systems, so that we are safer here at home.

With regard to some of the criticisms that have come out, I know that letters have come in from the Canadian Civil Liberties Association, and the Business Council of Canada wrote a very detailed brief, as did the Citizen Lab in looking at the bill. When we read through the documentation, we see that one of the concerns that has been raised, especially by the Business Council of Canada, is that there seems to be an imbalance. We are telling members of corporate Canada to go out there and make sure they have the proper cybersecurity systems in place, but at the same time we realize that it is not just up to them to do the defending. What we see is that the corporations are saying that either they have to do it or we are going to fine them up to $15 million or five years of jail time, and that the individuals who work for them could also be held criminally responsible for not doing enough.

Sometimes resources are not available. Sometimes there are new companies that may not have the ability to put in place the proper security systems. I look at a lot of the Internet service providers that we have, for example. They are covered under the Telecommunications Act, yet, as new start-ups, they may not have the personnel or the equipment to properly defend their networks. Would we go ahead and fine these companies up to $15 million? Then what would we do in regard to jail time and fines for those criminal organizations that are profiteering through cyber-attacks? Where is the balance in this? That is one of the concerns we have and one of the things we have to look at through our study at the industry committee when it brings this forward.

A huge concern has been raised, especially by the Canadian Civil Liberties Association, on how this would be implemented and how it may affect the privacy rights of Canadians at the individual level. Corporations have broader responsibilities and do not necessarily fall under the charter, but their clients who they are going to protect and the information they are going to be required to share with the Government of Canada could very well be violations of their clients' privacy rights.

When we look at section 7 of the Charter of Rights, we have to balance the right to life, liberty and security of a person with section 8 of the charter which says that we have freedom from search and seizure. When we drill down on section 8 and go to some of the legal analysis of our charter, as all the rights and freedoms are laid out, it tells us that the underlying values of freedom from search and seizure when it comes to individual privacy is the value of dignity, integrity and autonomy. Again, I think we are all concerned that when we look at Bill C-26 at committee, we ensure the bill balances those rights of the individual to be both secure and safe from cyber attacks, but do it without compromising privacy rights and charter rights as described in freedom from search and seizure. The way we do that is through warrants.

We know that through National Defence, the Communications Security Establishment, or CSE, which has a long-standing history of defending the Canadian Armed Forces, has to comply with the charter. It has to comply with all Canadian legislation and it cannot do indirectly what it is prohibited doing directly. Therefore, CSE cannot go to the National Security Agency, or NSA, of the United States, say that it is concerned that a Canadian maybe talking to a terrorist organization offshore and ask the agency to spy on that individual because CSE is prohibited from spying on the person and listening in through the Communications Security Establishment. CSE cannot go to the NSA and ask it to violate Canadian law on its behalf to find out what is happening in the same way CSIS cannot go to the FBI or the CIA and ask it to spy on Canadians. It cannot do indirectly what it is prohibited from doing directly under Canadian law. The way to get around that is to apply for warrants.

Judicial appointments are made to have supernumerary justices over these organizations to ensure that charter rights are protected, even when conversations take place inadvertently. In the past, CSE has listened in on people who may have been in Afghanistan funding the Taliban or al Qaeda. They may have family in Canada and were talking back and forth about something that had nothing to do with operations on al Qaeda or the Taliban. However, because it involved a Canadian citizen, it had to go through the proper processes to ensure that his or her charter rights were protected by getting a warrant to listen to those conversations. Whether they were listening electronically or through wire taps, it is all mandated to watch that we do not trip over the rights of Canadians under legislation.

Bill C-26 would not address this like we have under the National Defence Act, under the Criminal Code and under the whole gamut of cybersecurity that has been in place up to date. The privacy rights are paramount.

To come back to Bill C-26, the Supreme Court of Canada said in 1984, as well as in 1988, that privacy was paramount and was “at the heart of liberty in a modern state”. Again, did the Liberal government ensure the bill was tested first to ensure those privacy rights were protected? This is what we will have to find out when we get Bill C-26 in front of committee.

We can look at information that has come from places like the Business Council of Canada. One of the concerns it raises goes back to this whole issue of huge fines on Canadian corporations, as well as the employees of those corporations, if they are found to have been not responsible enough to put in place proper security protocols to protect their clients from cyber attacks. Because it goes against individual employee as well, we will create another brain drain from Canada.

We are unfairly targeting Canadian employees who are going to be working for these cybersecurity firms, working in the telecommunications sector and in our financial institutions. If they are found to have erred, which a lot of times it is by error or by a lack of resources, then they are held criminally responsible and they are fined. The question becomes why they would want to work in Canada when they are afforded better protections in places like the United States, the European Union, the United Kingdom or Australia, which was held up by the Business Council of Canada as the gold standard we should be striving to achieve, and what it has done through their own cybersecurity protocols.

We want to ensure that we protect critical infrastructure, but we do not want to chase away very good Canadian employees and force them, with their skills, to go offshore where they have better protection and probably better pay. We want to ensure we keep the best of the best here. We want to ensure we do not go through a brain drain, as we have witnessed before when the Liberals have targeted professionals in Canada, such as lawyers, accountants, doctors or anyone who set up a private corporation. Now I fear the Liberals are going after individuals again who we need in Canada to protect us here at home, that they are creating a toxic work environment and those individuals will want to leave.

The Citizen Lab wrote a report entitled “Cybersecurity Will Not Thrive in Darkness”. It brought forward a ton of recommendations on how bad this bill was. It suggested that there needed to be 30 changes made to the act itself.

We realize that the government has not done its homework on this. We need to ensure we get experts in front of us who are going to look at everything, such as there is responsibility upon government to help corporate Canada ensure we have the proper security mechanisms in place to prevent cyber attacks. We have to ensure that those corporations are not being coerced into sharing private information with the Government of Canada that could be a violation of private rights, which may be a violation of the Personal Information Protection and Electronic Documents Act, PIPEDA. We want to ensure that privacy rights will be cohesive, but, at the same time, collectively, we need to balance all federal legislation that is in contravention of each other.

We need to bring in the legal experts. The Canadian Civil Liberties Association needs to be before committee. The Citizen Lab, which is very concerned about individual privacy rights, has to be front and centre in the discussion. We need to ensure the Business Council of Canada, the Canadian Chamber of Commerce and others are brought forward, along with the department officials who were responsible for drafting this bill at the direction of the Liberal government.

I will reiterate that I will be voting in favour of the bill to ensure it goes to committee and the committee can do its homework. I would hope that the government will allow the committee to do a thorough investigation, as well as a constructive report with recommendations on how to change and amend the legislation.

Finally, I would remind everyone that the Supreme Court of Canada said, “privacy is at the heart of liberty in a modern society”, and we have to take that to heart to ensure we protect Canadians from cyber attacks, as well as to ensure they have their privacy, dignity, integrity and autonomy respected.

Madam Speaker, there have been serious concerns about how, within the telecommunications infrastructure, Bill C-26 would allow Canada's national security and spy agencies to permanently implant themselves within that infrastructure, have access to all kinds of sensitive data and possibly share it.

I do not know what the specifics are at this point. I think the committee will be empowered to look at that. I want to make sure that, everywhere in Bill C-26 where ministers are able to issue these types of orders, or if they are kept secret, there would be accountability mechanisms built into the bill.

Can we give the standing joint committee on regulations the ability to review those orders, since they could be prevented from being published in the Canada Gazette? That is one particular example, but there are many others.

I agree with the premise of the member's question in that there is a lot of work that needs to be done with Bill C-26 at committee.

Madam Speaker, the member for Cowichan—Malahat—Langford shared some concerns in his speech. I am sure he saw the open letter from eight groups, including the Canadian Civil Liberties Association, the National Council of Canadian Muslims and OpenMedia. One of their concerns is power without accountability for the CSE, or Communications Security Establishment, our cybersecurity agency.

Can he share more about what could be done to address this concern in Bill C-26?

Madam Speaker, a 20-minute speech does not give a lot of time to go over the multitude of concerns with Bill C-26. Yes, there are a lot of privacy concerns with this bill. We have had those concerns outlined not only by the Canadian Civil Liberties Association, but also by OpenMedia.

The way we allay those concerns is that we empower committee members on the public safety committee to give this bill a thorough going-over, and to make sure those expert witnesses are brought forward so they can identify the specific clauses of this bill that are problematic. We need to give members of the committee enough time to draft the amendments.

What I ultimately want to see when this bill is reported back to the House is an acknowledgement that there is a very real threat; that the bill would empower the government to counteract that threat; and that the bill would also provide a very important layer of parliamentary oversight and accountability, which I think should include some of our dedicated public servants, like the Privacy Commissioner and others.

Uqaqtittiji, given that there are concerns about our privacy rights being infringed upon and that Bill C-26 is not doing enough to protect our privacy rights, I would like to hear what the member thinks needs to happen to make sure this bill is improved.

Madam Speaker, the hon. member has a point. I would identify the system that deals with our democratic process, including all of the actors involved, as being a critical system. It is probably the most critical system. However, while I do acknowledge there are definitely state actors who are trying to undermine our system, they are trying to undermine democratic systems all over the world. We see evidence of that.

I have a lot of confidence in the public servants who work at Elections Canada and who work for the office of the Commissioner of Canada Elections. They are doing their utmost to protect the sanctity of our democratic system. That being said, we cannot rest on our laurels, and it is up to us, as parliamentarians, to acknowledge these evolving threats and to equip our dedicated public servants with the tools they need to counteract these threats actively.

I would agree with the member's saying that these threats are real. They do need to be acknowledged. We owe it to ourselves to get Bill C-26 right so our public servants have the tools to counteract those threats.

Madam Speaker, in my opinion, based on what I have heard, it is artificial intelligence and its capabilities in the hands of nefarious actors.

We heard from Caroline Xavier, the chief of the Communications Security Establishment, at committee. She identified China, Russia, Iran and North Korea as countries that are actively trying to undermine Canada's national security. If we combine that with what Mr. Jérémie Harris has identified as what AI is capable of now and what it could be capable of, I am very concerned that those countries that are actively trying to undermine Canada's national security interests will use this emerging technology to construct malware, the likes of which we have never seen.

That is why a bill such as Bill C-26 is important, but it is important that we get it right. We absolutely must make sure that our critical systems are beefed up and secured against not only those particular nation states, but also others that are actively trying to undermine our interests.

Madam Speaker, Bill C-26 would assist in empowering our laws and legislators to ensure there is a higher sense of Canadian confidence in the digital world, given the importance of the critical systems that are at work. Whether they are in health care services or consumer purchases, we have witnessed a great deal of advancement over the last number of years in cyberspace.

I am wondering if the member could provide his thoughts on why it is so important that legislation is brought forward to support Canadian confidence and protect privacy at the same time, and deal with the issue of the security of our Internet.

Madam Speaker, I am very pleased to be joining the debate today to offer some of my thoughts and perspective on Bill C-26, a much awaited bill on a cybersecurity infrastructure.

Bill C-26 is a good reminder to members that the Department of Public Safety and its subject matter is so much bigger than just firearms, because, of course, firearms and Bill C-21 have been dominating the news cycle for the last couple of months. That bill, in particular at the public safety committee, has occupied so much time and wasted so many resources. Bill C-26 is a good reminder that with cybersecurity we have so many other agencies that are dedicated to national security under the umbrella of public safety. Cybersecurity is a big subject matter. We also have Bill C-20, which is an important bill on oversight and accountability for both the CBSA and RCMP.

Today, we would not find many members in the House of Commons who are arguing against the need for better cybersecurity. All of the evidence out there points to this being a new and evolving threat. Artificial intelligence systems offer some interesting advantages, but with those advantages come threats and with those threats come actors who are determined to use them in nefarious ways that will harm and have harmed Canada's interests. We need a whole host of options to counter this threat. We need our national security agencies to take these threats with increased importance. We also need legislation to fill in the gaps and make sure that all of Canada's laws are up to date.

I have spent a lot of time on the public safety committee. We did a couple of reports that directly touched on this area. One of our first reports identified violent extremism. Our most recent study looked at the threat posed by Russia. We know that since Russia conducted its invasion of Ukraine, which has recently passed the one-year anniversary, it has also increased the threats that it offers to Canada and to like-minded countries. One of those areas is cybersecurity.

Our committee has not yet tabled its report, which should be tabled in the House of Commons soon so that members of the House and the public can not only see the results of the deliberations, but also see the important recommendations that the committee is going to make. However, we heard a lot of testimony during those committee hearings on the cyber-related threats from Russia. Many witnesses identified that those are among the most serious and relevant for Canada's public safety and national security, particularly in relation to critical infrastructure.

I want to set this table before I get into the nuts and bolts of what Bill C-26 is offering, but also set some of the problems that are in evidence with this first version of the bill.

We have to understand a few basic terms. The Government of Canada refers to critical infrastructure as the “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government”, whether that is the federal government, the provincial governments or our municipal governments. Because so many of those pieces of critical infrastructure are now tied into computer systems that are vulnerable to attack, a bill like this becomes quite necessary.

I could go on and on about all of the critical systems in our modern society and the range of sectors, from our energy production to our food distribution systems to our electricity grid and transportation networks and how our ports and our banking system work. If one were to interrupt any one of those services, it could create absolute havoc within any Canadian community or countrywide.

One of the witnesses we had during our public safety meetings on the topic of the threats posed from Russia, and this was just talking about the cyber-threat more broadly, was Jennifer Quaid, Executive Director of the Canadian Cyber Threat Exchange. She reminded our committee that there are nation-states that are conducting espionage and statecraft through the Internet, but there are also criminals who are engaging in cybercrime for financial gain.

In some cases, those criminal groups and the nation-states are working together. There is evidence of this not only in Russia but in places like North Korea and China, where it is almost like the policy that was in place back in the 1700s and 1600s, where privateers would go out and do a nation-state's bidding. In this modern-day version of that policy, there are criminal organizations that are working hand in glove with some nation-states to give them some plausible deniability, but the systems they are using do pose a very real threat to Canada.

One of our key witnesses during the study was Caroline Xavier, Chief of the Communications Security Establishment. She was not able to go into much detail or specifics, given the very sensitive nature of the topic, but she was able to assure the committee that cybercrime is absolutely the most prevalent and most pervasive threat to Canadians and Canadian businesses. She observed that the state-sponsored cyber programs of China, North Korea, Iran and Russia posed the greatest strategic threat to Canada, and that foreign cyber-threat activities have included attempts to target Canadian critical infrastructure operators, as well as their operational and information technology.

Leaving aside the government, it is important for members to realize that most of Canada's critical infrastructure is, by and large, in the hands of the private sector. This is going to underline some of the important elements of Bill C-26.

We also had testimony from David Shipley, Chief Executive Officer of Beauceron Security. He was relaying the same stuff about Russian criminal organizations working in tandem with the government, and saying that criminal gangs have crippled Canadian municipalities. They have gone after health care organizations. The range of malicious cyber-activity has absolutely extended to many small and medium-sized enterprises.

When we look at the reporting requirements of Bill C-26, one of the biggest gaps that we have in our system is the fact that many businesses, private enterprises, are loath to report the fact that their systems have experienced a cyber-attack. They may be threatened to not do so. There is also a very real concern about the institutional harm that could come from the public release of said information. A large corporation that relays to its customers that it has experienced a cyber-attack may find people are loath to do business with it if they are unsure that its systems are up to par.

I also want to highlight a recent example from 2021, where the Government of Newfoundland and Labrador experienced a health records cyber-attack on October 30. The investigation revealed that over 200,000 files were taken that contained confidential patient information.

One can just imagine that in a province the size of Newfoundland and Labrador the fact that over 200,000 files were taken, that is a shocking theft of personal and confidential information. It really underlines just how important addressing this is.

I also want to touch briefly on the topic of artificial intelligence. I want to read a quote from a recent Hill Times article. This is from Jérémie Harris who is one of the co-founders of Gladstone AI, which is an artificial intelligence safety committee. He says:

But perhaps more concerning are the national security implications of these impressive capabilities. ChatGPT has been used to generate highly effective and unprecedented forms of malware, and the technology behind it can be used to power hyperscaled election interference operations and phishing attacks. These applications—and countless other, equally concerning ones also enabled by new advances in AI—would have been the stuff of science fiction just two years ago.

He goes on to say:

...ChatGPT is a harbinger of an era in which AI will be the single most important source of public safety risk facing Canada. As AI advances at a breakneck pace, the destructive footprint of malicious actors who use it will increase just as fast. Likewise, AI accidents—now widely viewed by AI safety specialists as a source of global catastrophic risk—will take more significant and exotic forms.

Something all members of the House really have to be aware of is how, just in the last two years, AI has advanced so quickly. We can think about what AI will be capable of two years or a decade from now. Just as Mr. Harris said, what it is doing right now was inconceivable just two years ago. The fact that AI is now being used to generate unique code for malware indicates there is no telling what it can be used to do and how it could be used to wreak havoc. That underlies just how important this issue is and how seriously we, as parliamentarians, have to take it as we serve our constituents and do the important work of equipping our nation with the tools it needs to keep Canadians, and the critical infrastructure they depend upon, safe.

When I was a member of the public safety committee, I had a chance to speak with Mr. Harris. I actually put a motion on notice that the committee should be undertaking a study on the range of threats posed to Canada's public safety, national security and critical infrastructure, specifically by AI systems. I hope one day the committee can take that study up, but it is a committee with a very heavy workload. It is still trying to find its way through Bill C-21. It is waiting for Bill C-20 to arrive on its door and, of course, this bill, Bill C-26, would also keep committee members quite busy.

I would like now to turn to the specifics of Bill C-26 and what it is attempting to do. It is separated into two main parts. According to the summary of the bill:

Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.

There are a number of orders that the Minister of Industry could issue. For example, he or she could prohibit a TSP from using any specified product or service in its networks or facilities; direct a TSP to remove a specified product from its networks or facilities; impose conditions on a TSP’s use of any product or service; subject a TSP’s networks or facilities, as well as its procurement plans for those networks or facilities, to a specified review process. Those are just a few examples of how the minister's orders could be issued. The bill does require the Governor in Council or the Minister of Industry to publish these orders in the Canada Gazette, but there is an allowance in the bill to allow these provisions to be prohibited, so the government can prevent the disclosure of these orders within the Gazette if they feel they need to be kept secret.

Part 2 would enact a brand new statute of Canada, a critical cyber systems protection act, which would “provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety”. In schedule 1 of the government's bill there is a brief list. Vital systems and services can include telecommunication services, interprovincial or international pipelines and power line systems, and nuclear energy systems. Those are a few examples. A really important point is that the Governor in Council, through this bill, would be able to establish classes of operators and require designated operators to establish and implement cybersecurity programs.

This is where the bill would affect the private sector and make sure those cybersecurity programs are in place, especially when that private sector is involved in critical infrastructure. As a brief outline, with those cybersecurity programs, the expected outcomes would be that they could identify and manage any cyber-risk to the organization, including supply chain risks; prevent their critical cyber systems from being compromised; detect cybersecurity incidents; and limit the damage in the event a cybersecurity incident did occur.

I want to talk about concerns with the bill, because there are a lot of concerns. I have had the chance to speak with a number of organizations, but first and foremost was OpenMedia. I had a great conversation with the people there. There is a section on its website that specifically deals with Bill C-26. OpenMedia absolutely realizes that new cybersecurity protections are needed to protect Canada's infrastructure, but it believes they have to be balanced by appropriate safeguards, and this is to prevent their abuse and misuse.

We rely on these essential services, and their protection is important, but Bill C-26, as it is currently written, would give the executive branch huge sweeping powers. In my reading of the bill, there would not be enough accountability and oversight; there would not be enough review mechanisms for Parliament to check the power of the executive, and I think this is a critical point. I think, in principle, we have a good idea with the bill, but a lot of work will be needed at committee to ensure that this executive power would be checked and that it would fit within the parameters of the law. We absolutely must have that kind of parliamentary oversight.

I also know of the Canadian Civil Liberties Association, which said:

The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.

I think, at this stage, we want to ensure, with the minister's powers to order or direct service providers, and the requirement to comply with these orders, that these powers are being subjected to the appropriate safeguard mechanisms. They are quite broad, as currently written.

In conclusion, I want to see a bill that protects vulnerable groups from cyber-attacks. So many Canadians rely on these critical systems, and we know so many have been targeted and are being targeted as we speak, and we know these dangers are going to multiply and get worse the longer we go on. We want to make sure they are protected, but we want to make sure that we do not have broad unchecked ministerial powers with no public oversight. That is the balance that must be achieved.

I must express, in my closing minute, my personal frustration with how the Liberals draft their bills. The idea behind Bill C-26 is a good one, but the problem with how the Liberals drafted the bill is that it would give huge sweeping amount of power to the executive branch. I just wish they would have had the foresight to understand that, of course, these provisions would be met with opposition. It seems the Liberals are putting the work on committee members to fix the bill for them, rather than having had the foresight and intuition to understand that these are problematic elements of the bill.

I think a lot more work could have been done on the government's side to have presented a better first draft. I guess we have what we have to work with, but a lot of work is going to be needed to be done at committee, and I look forward to seeing members do that work.

I also look forward to voting for the bill at second reading and sending it to committee. I welcome any questions or comments from my colleagues.

Madam Speaker, in the last several months, we have seen accountability raise its head here in Parliament with Bill C-5, Bill C-75 and Bill C-11. Without accountability, it is as though the government does not actually care what we are doing because with a majority government, the NDP and Liberals can make decisions based on what they think is right and there is no accountability.

With Bill C-5, the evidence is not there. Bill C-21, taking legal guns from legal gun owners, is another non-evidence-based process. With Bill C-26, which we are talking about today, it is time that we start building in some processes for accountability so the government is actually accountable for what it is doing.

Madam Speaker, the member is right. When we get to committee, we can iron out some of the flaws that we have seen in Bill C-26. It is going to be important to focus on accountability and the member did not address that. That is where this bill can either succeed or fail. We need to ensure there is an accountability process for the government, so when it follows through with Bill C-26, we have a process and we can go back and say we need to tweak or change something because cybersecurity changes so fast.

Madam Speaker, it is always an honour to rise in the House, especially when I can talk about safety and security.

I always try to enhance safety and security for Canadians at home and abroad, for our corporations that are major contributors to our economic base, and of course, for government institutions. Today, discussing cybersecurity in Canada is an opportunity to enhance our country's ability to protect us from cyber-threats.

Security is a significant concern for all Canadians. Lately, with the rise in organized crime and gang offences to the tune of a 92% increase in gang crime, I have to wonder when the government will be led by evidence, or in other words, provide evidence-based action. It is extremely important for our country to have cybersecurity to protect itself from threats, and I welcome Bill C-26. However, I am apprehensive about how successful this bill may be since accountability is a question that the opposition brings up every day in this House.

Bill C-26 is basically divided into two parts. The first part aims to amend the Telecommunications Act to promote the security of the Canadian telecommunications system. It aims to do this by adding security as a policy objective to bring the telecommunications sector into line with other infrastructure sectors.

By amending the Telecommunications Act to secure Canada's telecommunications systems and prohibit the use of products and services provided by specific telecommunications service providers, the amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure, as well as the removal and termination of related 4G equipment by 2027. Of concern is the time it took the government to react to enforce the ban on Huawei.

The second part aims to enact the critical cyber systems protection act, the CCSPA, which is designed to protect critical cybersecurity and systems that are vital to national security or public safety or are delivered or operated within the legislative authority of Parliament. The purpose of the CCSPA is to ensure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third party products and services; protect critical cyber systems from being compromised; ensure the proper detection of cybersecurity incidents; and minimize the impacts of any cybersecurity incidents on our critical cyber systems.

The effects of this bill will be far-reaching, and there are some points to consider: The government would have the power to review, receive, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada. There would also be mandatory cybersecurity programs for critical industries, as well as the enforcement of regulations through regulatory and law enforcement with potential financial penalties.

Under both provisions, the Governor in Council and the Minister of Industry would be afforded additional powers.

If any cybersecurity risks associated with the operator's supply chain or its use of third party products and services are identified, the operator must take reasonable steps to mitigate these risks. While the bill does not indicate what steps would be required from the operators, such steps may be prescribed by the regulations during a committee review.

The act also addresses cybersecurity incidents; a cybersecurity incident is defined as an:

incident, including an act, omission or circumstance, that interferes or may interfere with

(a) the continuity or security of a vital service or vital system; or

(b) the confidentiality, integrity or availability of the critical cyber system

touching upon these vital services. It does not indicate what would constitute interference under the act.

In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the act does not prescribe any timeline or indicate how “immediately” should be interpreted. Again, there is an opportunity to address this at committee.

There are some concerns with Bill C-26 as it is presently drafted. What the government might order a telecommunications provider to do is not clearly identified. Moreover, the secrecy and confidentiality provisions of the telecommunications providers to establish law and regulations are not clearly defined.

As has been brought up today, potential exists for information sharing with other federal governments and international partners, but it is just not defined. Costs associated with compliance with reforms may endanger the viability of small providers. Drafting language needs to be in the full contours of legislation, and that could be discussed at committee as well. In addition, there should be recognition that privacy or other charter-protected rights exist as a counterbalance to proposed security requirements, which will ensure that the government is accountable.

Some recommendations, or ones derived from them, should not be taken up, such as that the government should create legislation requiring the public and telecommunication providers to simply trust that the government knows what it is doing. Of course, this is a challenge. Telecommunications networks and the government must enact legislation to ensure its activities support Canada's democratic values and norms of transparency and accountability.

If the government is truly focused on security for Canadians, should we not be reviewing our gang and organized crime evidence? Our present policies have failed. Should we not look at the safety and security of our bail reform in an effort to prevent innocent Canadians from becoming victims?

Bill C-26 is a step in protecting Canada from cybersecurity threats. What is the review process to ensure compliance and effectiveness, as well as that goals are met?

In terms of bail reform, even though the evidence clearly shows that Bill C-75 has failed, we see that the NDP-Liberal government is not interested in reviewing bail reform. Cybersecurity is important to our country's security; so are victims of crime after their safety and security has been violated.

I am concerned that the government is struggling with evidence-based information to review Bill C-26, as it has with Bill C-75 and Bill C-5. These bills are not supported by evidence. In fact, offenders and criminals have a higher priority than victims do. My concern is as follows: If Bill C-26 requires amendments and review, will the government follow up? It is so important to be flexible and to be able to address changes, especially in a cybersecurity world, which changes so rapidly.

Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start. However, since this bill proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security, I would like to see individuals, corporations, and most importantly, the government held accountable. There should also be measures to ensure that the objectives of the bill are met and that there is a proper review process.

As I have stated, government accountability has not been a priority. For the proposed bill to succeed, there have to be processes for review and for updating the critical cyber systems protection act.

The failure of Bill C-75 on bail reform is clear with recent violent acts by murderers and individuals who should never have been out on bail. Today we are debating Bill C-26, and I would hope that there are lessons learned from our failure to review Bill C-75. In addition, we can learn from the failure of Bill C-5, as gang violence and organized crime rates are up 92%. Surely the government will open a door for review and making required changes to Bill C-26 on cybersecurity.

I am thankful for the time to speak on the responsibilities related to cybersecurity.