Bill C-26

Madam Speaker, it is an honour for me to rise at second reading stage of Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

When we consider the opportunities and challenges before us in this area, we see that the theme of collaboration underpins all that we do. Take, for example, the prevalence of cybercrime in an increasingly online world, improving cyber-defence posture in an unstable global environment, deep thinking about what the future holds in a world where innovation and change are exponential, a critical look at whether our policies and laws are up to the task, and the protection of content and intellectual property as data becomes one of the world's most precious resources.

In Canada, being online and connected is essential. Now more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying connected with loved ones across the country and around the world. We should be able to do all these activities safely and securely.

I would like to offer a few words about what we are doing here in Canada to get that balance right. I would like to reinforce the importance of our commitment to protecting the cyber systems that underpin our critical infrastructure.

The emergence of new technologies such as 5G is one clear reason we need to redouble our efforts. Think about our increased reliance on technology in light of the COVID-19 pandemic. Think about international tensions amidst Russia's unprovoked and unjustified invasion of Ukraine, with threats ranging from supply chain disruptions to state and non-state malicious cyber-activity.

Through all of these remarkable events, the government has been working tirelessly to keep Canadians safe. We recognize that, now more than ever before, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of critical services, such as energy production, financial transactions, safe transportation and emergency communications.

As part of his mandate, bestowed by the Prime Minister, the Minister of Public Safety is seized with the opportunity and the challenge of developing a renewed national cybersecurity strategy. We need to make sure we articulate Canada's long-term plan to protect our national security and economy, deter cyber-threat actors, and promote norms-based international behaviour in cyberspace.

The Government of Canada is working to enhance the cybersecurity of the country's critical infrastructure. The work to identify cyber-threats and vulnerabilities, and to respond to cyber-incidents, is ongoing. Unfortunately, we have seen that malicious actors continue to attempt to take advantage of the current environment to exploit certain sectors.

However, we are not starting from scratch in our fight against this threat. Since 2018, the Government of Canada has invested a total of approximately $2.6 billion in cybersecurity. Through the national cyber security strategy, the Government of Canada is taking decisive action to strengthen Canada's defence, preparedness and enforcement against cyber-threats.

The strategy was paired with the largest investment in cybersecurity ever made by the Government of Canada, totalling nearly $800 million in the 2018 and 2019 federal budgets. In the 2021 budget, the government allocated an additional $791 million to improve and defend cyber-networks, enhance data collection and protect taxpayer information.

In the 2022 budget, another $852.9 million was committed to enhance the Communications Security Establishment, or CSE, and its ability to conduct cyber-operations, make critical government systems more resilient, and prevent and respond to cyber-incidents on critical infrastructure.

Under the strategy, two flagship organizations were established. One is the Canadian Centre for Cyber Security, under CSE, and the other is the National Cybercrime Coordination Centre, or NC3, under the RCMP.

The Canadian Centre for Cyber Security is a single, unified team of government cybersecurity technical experts. The centre is the definitive source of technical advice, guidance, services, messaging and support on cybersecurity operational matters for government, critical infrastructure owners and operators, the private sector and the Canadian public.

The NC3 coordinates Canadian police operations against cybercriminals and established a national mechanism for Canadians and businesses to report cybercrime to police.

Public Safety Canada's Canadian cybersecurity tool also helps owners and operators of Canada's critical infrastructure to evaluate their cyber-maturity against established benchmarks and by peer comparison. It offers concrete guidance on how they can become more cyber-resilient.

Public Safety Canada also coordinates and delivers cybersecurity exercises for the critical infrastructure community to test and develop capabilities to respond to and recover from malicious cyber-activities. More broadly, the department, as the federal lead on cybersecurity policy, promotes communication and collaboration to raise awareness of cyber-threats and risks, including with our international partners.

Public Safety Canada works closely with CSE's Canadian Centre for Cyber Security to enhance the resilience of critical infrastructure in Canada. The Canadian Centre for Cyber Security shares valuable cyber-threat information with Canadian critical infrastructure owners and operators, in addition to providing public advisories.

Today, I am very proud to say that we can start debating a new bill to further strengthen what we have built. Today we are starting the debate on Bill C‑26, an act respecting cyber security. The objective of this bill is twofold.

First, it would amend the Telecommunications Act to add security as a policy objective, bringing the telecommunications sector in line with other critical infrastructure sectors. This would allow the government, if necessary, to mandate any action necessary to secure Canada's telecommunications system, including its 5G networks. This includes authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers.

Second, it introduces the new critical cyber systems protection act. This new act will require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to take specific actions to protect their critical cyber systems, and it will also support organizations' ability to prevent and recover from a wide range of malicious cyber-activities, including electronic espionage and ransomware. Cyber-incidents involving a certain threshold will be required to be reported.

The bill will also give the government a new tool allowing it to take action in response to threats and vulnerabilities with respect to—

Madam Speaker, I will be sharing my time with the fantastic member for Lac-Saint-Louis.

It is with great pleasure that I rise to discuss Bill C-26, an act respecting cybersecurity. I will address elements in the legislation that deal with securing Canada's telecommunications system.

As Canadians rely more and more on digital communications, it is critical that our telecommunications system be secure. Let me assure this House and in listening to the debate today I think we all agree that the issue of cybersecurity is of utmost importance. The Government of Canada takes the security of this system seriously, which is why we conducted a review of 5G technology and the associated security and economic considerations.

It is clear that 5G technology holds lots of promise for Canadians for advanced telemedicine, connected and autonomous vehicles, smart cities, cleaner energy, precision agriculture, smart mining, and a lot more. Our security review also made clear that 5G technology will introduce new security concerns that malicious actors could exploit. Hostile actors have long sought and will continue to seek to exploit vulnerabilities in our telecommunications system.

CSIS, the Canadian Security and Intelligence Service, acknowledged this in its most recent publicly available annual report. The report states:

Canada remains a target for malicious cyber-enabled espionage, sabotage, foreign influence, and terrorism related activities, which pose significant threats to Canada's national security, its interests and its economic stability.

The report states that “[c]yber actors conduct malicious activities to advance their political, economic, military, security, and ideological interests. They seek to compromise government and private sector computer systems by manipulating their users or exploiting security vulnerabilities”.

The CSIS report also highlighted the increasing cyber-threat that ransomware poses. The Communications Security Establishment has similarly raised concerns about threats like ransomware in recent public threat assessments. We have seen how such attacks by criminal actors threaten to publish a victim's data or block access to it unless a ransom is paid. However, it is not just cybercriminals doing this. CSIS warned that state actors are increasingly using these tactics, often through proxies, to advance their objectives and evade attribution.

To be sure, Canadians, industry and government have, to this point, worked hard to defend our telecom system, but we must always be on the alert, always guarding against the next attacks. This has become more important as people now are often working remotely from home office environments.

5G technology is adding to these challenges. In 5G systems, sensitive functions will become increasingly decentralized in order to boost speeds when required.

Cell towers are a familiar sight in our communities and along our highways. The 5G networks will add many smaller access points to increase speeds. As well, the number of devices that the 5G network will connect will also grow exponentially.

Given the greater interconnectedness and interdependence of 5G networks, a breach in this environment could have a more significant impact on the safety of Canadians than with older technology. Bad actors could have more of an impact on our critical infrastructure than before.

The security review we conducted found that in order for Canada to reap the benefits of 5G, the government needs to be properly equipped to promote the security of the telecommunications system. We need to be able to adapt to the changing technological and threat environment. For these reasons, we are proposing amendments to the Telecommunications Act. The amendments will ensure that the security of our telecommunications system remains an overriding objective.

This bill will expand the list of objectives set out in section 7 of the Telecommunications Act. It will add the words “to promote the security of the Canadian telecommunications system”.

It is important for those words to be in the act.

It means government will be able to exercise its powers under the legislation for the purposes of securing Canada's telecommunications system.

The amendments also include authorities to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers in 5G and 4G networks if deemed necessary and after consultation with telecommunications service providers and other stakeholders.

It would also give the government the authority to require telecommunications service providers to take any other actions to promote the security of the telecom networks upon which all critical infrastructure sectors depend.

We have listened to our security experts; we have listened to Canadians; we have listened to our allies and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canada's competitiveness, economic stability and long-term prosperity.

It is clear that the telecommunications infrastructure has become increasingly essential. It must be secure and it must be resilient. Telecommunications presents an economic opportunity, one that grows our economy and creates jobs. The amendments to the Telecommunications Act accompany the proposed critical cyber systems protection act. This bill will improve the ability of designated organizations to prepare, prevent, respond to and recover from all types of cyber-incidents, including ransomware. It will designate telecommunications as a vital service. Together, this legislative package will strengthen our ability to defend the telecommunications and other critical sectors, such as finance, energy and transportation, that Canadians rely on every single day.

The legislation before us today fits within the Government of Canada's telecommunications reliability agenda. Under this agenda we intend to promote robust networks and systems, strengthen accountability and coordinate planning and preparedness.

Canadians depend on telecommunications services in all aspects of their lives, and the security and reliability of our networks has never been more crucial. These services are fundamental to the safety, prosperity and well-being of Canadians.

We will work tirelessly to keep Canadians safe and able to communicate securely. This legislation is an important tool to enable us to do that. I look forward to working with members in this House to getting this right and making sure that our telecommunications system is as strong as it can be.

Madam Speaker, the right to access is absolutely key. We have seen some incredible technological advancements that have helped those who face disabilities in a wide variety of things. Outside of the context of what Bill C-26 directly addresses in terms of cybersecurity, there is a particular connection, because if we do not have things like secure networks, if we do not ensure that our telecoms have consistent and stable networks that we can trust as a country, then access becomes a real issue. Malicious foreign-state actors could take advantage of that, which would disadvantage all Canadians, but specifically those who depend on technology to mitigate things like disabilities.

Madam Speaker, it is an honour to enter into debate in this place, especially when it comes to issues that are so very pressing in relation to national security and some of the challenges that our nation is facing. I would suggest the whole discussion around cybersecurity is especially relevant, because we are seeing highlighted, each and every day, a drip of new information related to foreign interference in our elections.

It highlights how important the conversation around cybersecurity is. It is often through computer and technological means that these malicious, foreign state actors will attack Canadian infrastructure. It is particularly relevant that I rise to debate Bill C-26, relating to the Liberals' recently introduced bill on cybersecurity, and I would like to highlight a couple of things.

The first thing is about seven years of inaction. I find it interesting, after seven years, how it was heard at the ethics committee from a whole host of experts in the field, including on cybersecurity and a whole range of issues, that the government is missing in action. It is not just about the government's inaction, but it is missing in action when it comes to some of the key issues surrounding things like cybersecurity. It has the direct consequence of creating uncertainty in terms of the technological space in the high-tech sector, which has massive opportunities.

We hear the Ottawa area referred to as silicon valley north. We have the Waterloo sector that has a significant investment in the high-tech sector. In my home province of Alberta, there is tremendous opportunity that has been brought forward through innovation, specifically in the Calgary area where we are seeing massive advancements in technology, but there is uncertainty.

Over the last seven years, the government has not taken action when it should have been providing clear direction so that industry and capital could prosper in our country. That is on the investment and economic side, but likewise, on the trust in government institutions side, we have seen an erosion of trust, such as the years-long delay on the decision regarding Huawei.

I and many Canadians, including experts in the field, as well as many within our Five Eyes security partners, were baffled about the government's delay on taking clear and decisive action against Huawei. Even though our Five Eyes, a group of countries that shares intelligence and has a strong intelligence working relationship, sees how inaction eroded the trust that these other nations had in Canada's ability to respond to cyber-concerns and threats. There is the fact that a company, a state-owned enterprise, has clear connections to a malicious foreign actor.

That delay led to incredible uncertainty in the markets and incredible costs taken on by private enterprise that simply did not have direction. Imagine all the telecoms that may have purchased significant assets of Huawei infrastructure because the government refused to provide them direction. There were years and years of inaction.

I will speak specifically about how important it is to understand the question around Canadian institutions. I would hope that members of the House take seriously the reports tabled in this place, such as from the public safety committee, which in the second session of the last Parliament I had the honour of sitting on. There is a whole host of studies that have been done related to this.

Then there are the CSIS reports tabled in this place containing some astounding revelations about foreign state actors and their incursions and attempts to erode trust in Canadian institutions. Specifically, there was a CSE report for 2021, which I believe is the most recent one tabled, that talks about three to five billion malicious incursions in our federal institutions a day via cyber-means. That is an astounding number and does not include the incursions that would be hacks against individuals or corporations. That is simply federal government institutions. That is three to five billion a day.

There are NSICOP reports as well. The RCMP, military intelligence and a whole host of agencies are hard at work on many of these things. It highlights how absolutely important cybersecurity is.

I find it interesting, because over the last seven years the Liberals have talked tough about many things but have delivered action on very few. Huawei is a great example. Cybersecurity is another. We see a host of other concerns that would veer off the topic of this discussion, so I will make sure that I keep directly focused on Bill C-26 today. The Liberal government is very good at announcing things, but the follow-through often leaves much to be desired.

We see Bill C-26 before us today. There is no question that action is needed. I am thankful we have the opportunity to be able to debate the substance of this bill in this place. I know the hard work that will be done, certainly by Conservatives though I cannot speak for the other parties, at committee to attempt to fix some of the concerns that have been highlighted, and certainly have been highlighted by a number of my colleagues.

The reality is Canadians, more and more, depend on technology. We saw examples, when there are issues with that technology, of the massive economic implications and disruptions that take place across our country. We saw that with the Rogers outage that took place in July. Most Canadians would not have realized that the debit card system, one of the foundational elements of our financial system, was dependent upon the Rogers network. For a number of days, having disruptions in that space had significant economic implications. It just speaks to one of the many ways Canadians depend on technology.

We saw an example in the United States, so not directly in Canada, when the Colonial Pipeline faced a ransomware attack. A major energy pipeline on the eastern seaboard of the United States was shut down through a cyber ransomware attack. It caused massive disruptions.

Another Canadian example that has been reported in talking to some in the sector was Bombardier recreational products. The Quebec company is under a cyber-lockdown because of hostile actions. There are numerous other examples, whether in the federal government or in the provinces, where this has been faced.

There are a number of concerns related to what needs to take place in this bill to ensure that we get it right. It needs to align with the actions that have taken place in our Five Eyes allies. We need to ensure that the civil liberties question is clearly answered.

We have seen the government not take concern over the rights of Canadians to see their rights protected, their freedom of speech, whether that is Bill C-11. I know other parties support this backdoor censorship bill, but these are significant concerns. Canadians have a right to question whether or not there would be a civil liberties impact, to make sure there would not be opportunity for backdoor surveillance, and to ensure there would be appropriate safeguards in place and not give too much power to politicians and bureaucrats as to what the actions of government would be.

As was stated by one stakeholder in writing about this, the lack of guardrails to constrain abuse is very concerning. In Bill C-26, there is vague language. Whenever there is vague language in legislation, it leaves it open to interpretation. We have seen how, in the Emergencies Act discussion and debate, the government created its own definition of some of the things that I would suggest were fairly clearly defined in legislation. We have to make sure it is airtight.

Massive power would be given to the Minister of Industry in relation to many of the measures contained in this bill.

I look forward to taking questions. It is absolutely key we get this right, so Canadians can in fact be protected and have confidence in their cybersecurity regime.

Madam Speaker, I will be sharing my time with the member for Battle River—Crowfoot.

I am proud to rise on behalf of my constituents in the not-quite-fully-connected riding of Renfrew—Nipissing—Pembroke. As the longest-serving member of the national defence committee, I fully appreciate the need for Canada to secure critical cyber systems.

For too long, the government remained indifferent while Canada's telecom companies were being infiltrated, robbed of intellectual property and sabotaged. It took the collective pressure of our Five Eyes allies before the government put up any resistance to the Huawei expansion throughout Canada’s telecom infrastructure.

Only after having been thoroughly shamed and threatened with being cut off from critical security intelligence has the government finally responded with legislation. However, as is so often the case with all governments, having finally been shamed into action, the executive branch overreacted. It now falls upon Parliament to moderate the executive overreach.

Cybersecurity is not a partisan issue. No party ran on a platform to make Canada insecure again. The Conservatives support sending this bill to committee for carefully considered amendments. I hope my colleagues across the aisle will be open to working in a collegial way to ensure that we as parliamentarians strike the right balance. This legislation must balance security with privacy and transparency. It must balance expeditiousness with efficiency and effectiveness.

I appreciate that the members opposite will place greater trust in this government than most Canadians will, but what about the next government or the one after that? Our duty as parliamentarians is to keep in check not just this government but future governments as well. To that end, I encourage all parties to work together at committee and bring back a bill that we can all support.

There are four main issues that need high-level scrutiny. However, as we saw with the invocation of the Emergencies Act, even when Parliament gives clear definitions, the executive branch believes it can extrapolate or simply opt for an overly broad interpretation. While the government has been forced to defend its decision on the use of the Emergencies Act in a public inquiry, Bill C-26 lacks any significant accountability measures while granting even more extraordinary powers, including issuing secret orders.

It should not fall upon the operators of critical cyber systems to guess what the government means by “immediately”. The bill currently grants the government the power to order telecom providers to do anything necessary to secure the telecommunications system. Granting the executive the power to do anything would be a dereliction of our duty as parliamentarians. To give the government the power to do anything while enabling those things to remain secret would be an outright betrayal of our duty.

It is understandable and reasonable that some secrecy is required to combat foreign espionage, but there must be clearly defined limits. There must be avenues for operators to appeal and for Parliament to scrutinize the government’s actions. By “Parliament” I mean Parliament. I do not mean some government committee of parliamentarians but a parliamentary committee.

This bill grants the government the power to deny services to any company or person by secret order. Had this law already been in place, there would be nothing to stop a government from cancelling the Internet and phone service of protesters the government disagrees with.

Granting the government the power to deny services to individuals using secret orders clearly violates the legal rights of Canadians. I do not want to trust the government with that kind of power. I expect my Liberal colleagues would not trust that kind of power when the Conservatives form government, hopefully very soon.

To paraphrase a great comic character, with great power must come great accountability. There are serious cyber-threats and those threats are growing. The government must have the tools to respond quickly and decisively, yet when governments move quickly, mistakes are made. That is why it is all the more important for there to be a robust set of measures to review their actions and ensure accountability when the government makes a mistake.

This legislation takes the extraordinary step of placing personal liability on individual employees of critical infrastructure operators. We threaten people with jail time to ensure they are accountable for their companies' cybersecurity, yet we do not hold government employees or ministers to the same standard. Just as the House must find the appropriate balance between security, secrecy and accountability, so too must we find the balance between privacy and transparency.

The government learned first-hand the public’s reaction to its undisclosed use of mobility data from millions of cellphone users. Canadians had demonstrated a willingness to abide by public safety measures, even extraordinary measures, but the minute the government started tracking our cellphones, even for a public health purpose, Canadians reacted strongly. Even Canadians who supported forced vaccination and punishing the unvaccinated drew a line at cellphone tracking.

The legislation before us would grant even more power to collect data from telecom providers with no restrictions on distributing it to other departments. Even if this data was held by the CRTC, Canadians would be concerned about their privacy. However, it would not be the CRTC doing the data scoop; it would be the Communications Security Establishment.

I appreciate the government feels the CSE is best equipped for countering cyber-threats, but the main purpose of the CSE is collecting intelligence from abroad. The CSE does not report to the public safety minister, who is responsible for keeping Canadians secure. The CSE does not report to the industry minister, who is responsible for telecoms regulations. The CSE reports to the defence minister. It is a fundamentally different type of organization from CSIS or the CRTC.

The legislation would fail to place sufficient limits on what the CSE can do with the data it can secretly order telecoms to provide. In no way is this meant to disparage the work done by the CSE, but as we expand the powers of the CSE, we must also constrain the scope of what it can do with those powers.

These are just some of the trade-offs we must consider when the bill goes to committee. Groups such as the Canadian Civil Liberties Association, the Citizen Lab and the Business Council of Canada have raised several more. However, the one area none of these groups have touched on, at least to my knowledge, is the role private citizens can play in securing Canada against cybersecurity threats. Parliamentarians have studied this both at the defence committee and with our fellow legislators at the NATO Parliamentary Assembly. Canada can take a lead role internationally in cybersecurity by enlisting the aid of ethical hackers, commonly referred to as “white hats”.

White hat hackers represent an untapped resource for a country as large as ours. Our critical infrastructure spans a continent. The job of securing it exceeds the capacity of the federal government and infrastructure operators. If we can develop a framework that protects and incentivizes white hat hackers, we may have a solution. As with the measures already in the legislation, such a framework would involve trade-offs. Even an ethical hacker could unwittingly cause significant cyber-disruption and damage, but they can just as easily expose flaws and gaps.

Regardless of whether the government acknowledges the existence of ethical hackers, they will continue to operate, and it is better for critical infrastructure operators, public servants and the Canadian public if we find a way to incorporate them into our defence strategy. We need to enlist ethical hackers because we simply do not have the resources as a nation to confront the threats.

Globally, cybercrime costs reached over $600 billion U.S. in 2021. Investments in cybersecurity were only $220 billion U.S. last year. Between criminals, terrorists and authoritarian states, the potential for significant damage is accelerating. Our enemies are going to match the best cyber-defences in the world. We do not have the resources to match the United States or the EU. That is why we must be even smarter than our adversaries and our allies.

The legislation is all stick and no carrot. Governments are quick to punish because it is easy. If company X fails to properly secure a critical system, they get a fine, but what if the company innovates and not only prevents an intrusion into their system but detects the source? The bill would require companies to immediately report intrusions, but what about failed attacks? If Bell, Telus and Rogers were to all successfully fend off an attack on the same day, would that not be something we would want the CSE to know about? Punishing failure is an important deterrent, but rewarding success is a powerful incentive.

In this cyber age, we need data to flow both ways. We can enhance our cybersecurity by taking both a carrot and a stick approach. We must pass robust cybersecurity legislation, but it must not compromise the rights of Canadians. We need a cyber-shield and a cyber-sword. As a vast, underpopulated nation full of remote critical infrastructure, we must be smart and creative in how we utilize every possible resource available, including enlisting white hats.

Madam Speaker, I thank my colleague from Kingston and the Islands for his speech, which was informative as always.

However, I would like to know how this bill will enhance public trust in the Internet. What mechanism in Bill C‑26 will help guarantee public trust?

Madam Speaker, I thank the member for Whitby for sharing his time with me.

It is very important that we talk about such an important piece of legislation that has been brought forward, Bill C-26. The reality is that the changes in technology are happening so incredibly quickly. At times, it seems a daunting task to keep up with them and to make sure that we are always ahead of those actors out there, whether state or non-state, who are trying to engage in activities that could seriously cripple our economy or other aspects of society in Canada.

It seems as though it was just yesterday that we did not have the Internet. I remember vividly when I signed up for my first Internet connection, a dial-up connection, and having access to the Internet. That was when I was a computer engineering student at a local college in Kingston back in 1995 or 1996. Downloading something as simple as a single image sometimes would take two or three minutes to get the full image on the screen.

Madam Speaker, I am not a cybersecurity expert either.

A few weeks ago, I attended a demonstration in Montreal with 10,000 people to support the people who are fighting for their freedom in Iran, which, as we know, is not a democratic state. I have also strongly supported people from the Uighur community, who I have met with many times here in Ottawa. We know that they are facing genocide in China. The small white square that I am wearing is a sign of support for people who, at this time, are rising up against the health measures in China, as well as the people in Russia who are protesting against the war in Ukraine.

I want to know if there are concrete measures in Bill C‑26 that would prevent Iran, China and Russia from carrying out cyber-attacks on social networks and, for example, hacking my account and interfering in my life as an MP? I would like my colleague to clarify that.

Madam Speaker, as part of the mandate bestowed upon him by the Prime Minister, the Minister of Public Safety is seized with the opportunity and challenge of developing a renewed cybersecurity strategy. We need to make sure we articulate Canada’s long-term plan to protect our national security and economy, deter cyber-threat actors, and promote norms-based international behaviour in cyberspace.

The Government of Canada is working to enhance the cybersecurity of the country’s critical infrastructure. The work to identify cyber-threats and vulnerabilities, and to respond to cyber-incidents, is around the clock and ongoing. Unfortunately, we have seen that malicious actors continue to attempt to take advantage of the current environment to exploit certain sectors. I would like to use one example that is relevant for my riding and the region I come from.

My riding is the riding of Whitby, and Durham District School Board is the public school board in our area. On Friday, November 25, just very recently, there was a cyber-incident at the Durham District School Board. It resulted in online classes being cancelled. They were forced to postpone scheduled literacy tests. They have had phone lines down and email service down. They even do not have access to emergency contacts, and they are trying to limit this incident so it does not impact payroll for the over 14,000 Durham District School Board employees. There are 75,000 students who go to school across our region.

They have notified police of the attack. Their investigation is said to be very complex and time consuming, and they will be assessing the privacy impacts, but we can just imagine how this has impacted students and employees at Durham District School Board.

This is a really serious topic. I think we all need to give it the weight it deserves, and this legislation is trying to ensure we do our utmost to protect against these cyber-threats in the future.

However, we are not starting from scratch to tackle these threats. Since 2018, the Government of Canada has invested a total of approximately $4.8 billion in cybersecurity. Through the national cybersecurity strategy, the Government of Canada would be taking decisive action to strengthen Canada’s defence, preparedness and enforcement against cyber-threats. The strategy was paired with the largest investment in cybersecurity ever made by the Government of Canada, totalling close to $800 million in the 2018 and 2019 federal budgets.

In the 2021 budget, the government allocated an additional $791 million to improve and defend cyber-networks, enhance data collection and protect taxpayer information, and in the 2022 budget, another $852.9 million was committed to enhance the Communications Security Establishment and its ability to conduct cyber-operations, make critical government systems more resilient, and prevent and respond to cyber-incidents on critical infrastructure.

Under the strategy, two flagship organizations were established. One is the Canadian centre for cybersecurity, otherwise known as the cyber centre, under CSE, and the other is the national cybercrime coordination centre under the RCMP.

The cyber centre is a single, unified team of government cybersecurity technical experts. The centre is the definitive source of unique technical advice, guidance, services, messaging and support on cybersecurity operational matters for government, critical infrastructure owners and operators, the private sector, and the Canadian public.

The NC3 coordinates Canadian police operations against cybercriminals and established a national mechanism for Canadians and businesses to report cybercrime to police. In the example I mentioned in my riding of the Durham District School Board, it would report the cybercrime to the local police, and that would go up through NC3 as well.

Public Safety Canada’s Canadian cybersecurity tool also helps owners and operators of Canada’s critical infrastructure to evaluate their cyber-maturity against established benchmarks and by peer comparison. It offers concrete guidance on how they can become more cyber-resilient.

Public Safety Canada also coordinates and delivers cyber-based exercises for the critical infrastructure community to test and develop capabilities to respond to and recover from malicious cyber-activities. More broadly, the department, as the federal lead on cybersecurity policy, promotes communication and collaboration to raise awareness of cyber-threats and risks, including with our international partners. Public Safety Canada works closely with the Communications Security Establishment’s Canadian centre for cybersecurity to enhance the resilience of critical infrastructure in Canada. The cyber centre, in addition to providing public advisories, shares valuable cyber-threat information with Canadian critical infrastructure owners and operators.

Today I am very proud to say that we can begin to debate a new piece of legislation to further strengthen what we have built as a government. Today we are debating Bill C-26 for the second reading, and this legislation's objective is twofold.

The first part proposes to make amendments to the Telecommunications Act, which include adding security as a policy objective, adding implementation authorities and bringing the telecommunications sector in line with other critical infrastructure sectors. This would allow the government, when necessary, to mandate any action necessary to secure Canada’s telecommunications system, including its 5G networks. This would include authority to prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers.

The second part introduces the critical cyber systems protection act, or CCSPA. This new act would require designated operators in the federally regulated sectors of finance, telecommunications, energy and transportation to take specific actions to protect their critical cyber-systems, and it would support organizations' ability to prevent and recover from a wide range of malicious cyber-activities, including malicious electronic espionage and ransomware.

Madam Speaker, before I begin, I will just say that I will be splitting my time with the member for Kingston and the Islands.

It is an honour to rise today in the House to debate the second reading of Bill C-26, an act respecting cybersecurity. To me, cybersecurity is essential, and it certainly relates directly to our national security.

When we consider the challenges and opportunities we face in this field, the theme of collaboration underpins and needs to underpin all that we do.

The prevalence of cybercrime in an increasingly online world, improving cyber-defence posture in an unstable global environment, deep thinking about what the future holds in a world where innovation and change are exponential, a critical look at whether our policies and laws are up to the task, and the protection of content and intellectual property as data becomes one of the world's most precious resources: These are just some of the reflections that we have to have when considering this bill.

In Canada, being online and connected is essential. Now, more than ever, Canadians rely on the Internet for their daily lives. It is about more than just conducting business and paying bills. It is also about staying connected with loved ones across the country and around the world. We should be able to do all these activities safely and securely.

I would like to offer a few words about what we are doing here in Canada to get that balance right, and I would like to reinforce the importance of our commitment to protecting the cyber systems that underpin our critical infrastructure.

We can take the emergence of new technologies, such as 5G, as one clear reason we need to redouble our efforts. We think about our increased reliance on technology in light of the COVID-19 pandemic. We think about international tensions amidst Russia’s unprovoked and unjustified ongoing invasion of Ukraine, with threats ranging from supply chain disruptions to state and non-state malicious cyber-activity.

Through all of these remarkable events, the government has been working tirelessly to keep Canadians safe. We recognize that, now more than ever, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of critical services, such as energy production, financial transactions, safe transportation and emergency communications.

As part of his mandate, bestowed by Prime Minister Trudeau, the Minister of Public Safety is seized with the opportunity and challenge of developing a renewed national—

Mr. Speaker, we live in a world where every person is increasingly concerned with cybersecurity. So much of our lives is stored on our personal devices, protected by passwords and multi-factor authentication in the hopes of keeping our most private information secure.

Corporations are increasingly at risk. It seems as if every day we hear a new report of companies’ computer systems being hacked and their data held for ransom by thieves who have managed digital anonymity. Law enforcement officials say many such cybercrimes go unreported, with companies paying quietly and privately so as to avoid publicity.

Our public institutions are not immune either. Hospitals have had their computer systems attacked by intruders, putting patients' lives at risk. Emergency services have been attacked, as have the parliamentary computer systems.

Cyber-threats remain a national security and economic issue that threatens the safety and security of Canadians. Government and industry alike have highlighted the need for regulation in cybersecurity. There has been a lot of talk, but not much else.

Currently the Canadian government does not have a legal mechanism to compel action to address cyber-threats or vulnerabilities in the telecommunications sector, yet cybersecurity has become one of the primary issues each person and institution has to address. I am pleased that the government has introduced this legislation to allow us in the House to examine the cybersecurity concerns and needs of our nation.

Bill C-26 would amend the Telecommunications Act as well as other related acts. The intention would be to amend the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything that is necessary to secure the Canadian telecommunications system.

I do not think there is anyone in the House, indeed in the country, who would disagree with the objective. As I have already pointed out, there is a problem with cybersecurity in our society, and government has an important role to play in protecting Canadian individuals and institutions. Some may wonder about giving such power to the Governor in Council and the Minister of Industry, but there are rules for the judicial review of those orders and applications. This is not a granting of absolute power, but of limited power subject to the checks and balances needed in a democracy.

The bill would also enact the critical cyber systems protection act to provide a framework for the protection of the cyber systems of services and systems vital to national security or public safety. This, among other things, would authorize the Governor in Council to designate any service or system as a vital service or vital system. It would require designated operators to establish and implement cybersecurity programs, mitigate supply chain and third party risks, report cybersecurity incidents and comply with cybersecurity directions.

One would think that such cybersecurity measures should be common sense and not need to be mandated by government. Is it right to compel private corporations and organizations to use their own resources to invest in cybersecurity? It would seem to me that well-run businesses would put cybersecurity first. Not every aspect of a business generates income, and smart business managers and owners know that. As the cliché goes, they have to spend money to make money.

Implementing cybersecurity measures comes with a cost. There is no doubt about that. It would seem to me, though, that the cost would be considerably less than the cost of dealing with criminals holding their data for ransom after they have invaded their computer system and locked them out of it.

Cybersecurity makes common sense for business. However, given that implementing cybersecurity measures comes with a financial cost with no corresponding revenue, do we really want to rely on those who might put short-term profits first, or does it make more sense in this case for government to step in to save some business owners from themselves?

As someone who has spent most of his life working as a businessman, I am reluctant to suggest that business owners need to be saved from themselves, but as a Canadian I know that sometimes such action is necessary.

We have only to look at the history of one of Canada's most successful companies: Nortel. It is a company that might still exist if those running it had taken cybersecurity more seriously. With more than 94,000 employees worldwide, Nortel was a high-tech leader until its headquarters were bugged, its computer systems breached and its intellectual property stolen. Now it is just a memory. We will never know for sure, but perhaps if cybersecurity had been a higher priority at Nortel, it would still be providing jobs, products and services for Canadian people. If anyone ever asks why we would take cybersecurity seriously, the one-word answer is “Nortel”.

Though I am a little uneasy that this bill would almost certainly increase regulations and red tape, maybe there are ways that some of the excessive paperwork that seems to be beloved by the Liberals can be made reasonable. Certainly there is a need to ensure a level playing field of regulatory burdens for small and medium-sized businesses and organizations. If there is not, then I can see companies being forced into bankruptcy by the cost of implementing government-mandated cybersecurity procedures. I know that is not the government's intention, but as we have seen in the past, sometimes not all the impacts of government rule-making are foreseen. The Minister of Industry especially needs to ensure that the rules are workable and provide protection against attacks by criminals and malicious states.

Indeed, it is perhaps malicious states that we should be concerned about the most. The interconnectedness of computer systems and their use in controlling and maintaining our infrastructures mean we are increasingly vulnerable to a devastating attack. An enemy that could seize control of our electricity grid or our banking system could bring our nation to its knees without firing a shot. The nature of warfare has changed, and as a result we must change our defences.

Canada's national security requires being prepared for the security warfare threats that we face. The government has been slow to address cyber-threats and has seen a number of serious incidents occur, with no substantive legislative response for seven years. I am pleased that the government has finally chosen to act, and I am hopeful that we in the House can help improve this legislation. Cybersecurity is of paramount importance in the modern world. Canada cannot neglect it.

Mr. Speaker, we will need to wait for the unanimous consent motion to see what will happen. I will wait for that. There is good news for the member opposite in that he has the opportunity, at committee of course, to review those guns and make any suggestions his members would like. I am sure, as a long-serving member, he would be aware of that opportunity, but I just remind him of that.

The Speaker will be pleased to know we will continue with debate at second reading of Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts. Tomorrow we will begin debate at second reading of Bill C-23, the historic places of Canada act.

On Monday, we will begin debate at report stage and third reading on Bill C-32, the fall economic statement implementation act, 2022. Thursday will be the final allotted day of the current supply period. For the rest of the week, priority should be given to Bill C-32.

I would also like to indicate that on Tuesday there will be a statement by the minister on the commemoration of the Polytechnique massacre.

Madam Speaker, I have no problem clarifying. Several of the places I went into were following provincial orders, to be clear, and they were to record who showed up and whether or not they were vaccinated. That is what was done, and that is against PIPA and PIPEDA.

I will turn to the government's record on protecting us in terms of cybersecurity, and talk about Huawei.

In 2018, our Five Eyes partners were concerned about Huawei's connection to the Chinese communist government, and they were not going to allow Huawei into their networks. However, the Canadian government delayed a decision for four years. The Liberals waited until 2022 to ban Huawei. Why did they do that? It was so Bell and TELUS could implement Huawei technology, 4G technology, across the country. That is hardly a protection from a cybersecurity point of view, and it again speaks to why Canadians have lost trust in the government.

However, I will support the bill to go to committee. I have said that we need to do something for cybersecurity, and I have outlined what I think we need to do. I do not think we can leave these huge gaps that have been cited by numerous institutions.

The University of Toronto has written letters to the government, talking about what is wrong with the bill and what it would like to see. If members have not seen the report it did with the Munk School, called “Cybersecurity Will Not Thrive in Darkness”, there are a number of recommendations in the report that talk about what needs to be done to Bill C-26 to fix it. I would encourage the government to look at that, and I would expect it to become the substance of amendments that would be brought at committee.

Also, we should look at what the constitutional and civil liberties lawyers are saying. They are very concerned about the parts of the bill that would surveil Canadians, so I think we need to make sure we listen to what they have to say. They have written an open letter to the government, and I would recommend that the government take a look at that as well.

Finally, on accountability, due process and public regulation, there is potential for abuse. I would encourage the government to take a look.

I look forward to more discussion at committee.