Bill C-26

Mr. Speaker, I am hearing some contradictions from my Conservative colleagues today. My colleagues in the Bloc have perhaps done a better job than me of explaining the importance of banning Huawei and the fact that Canada has been slow to do so. My Conservative colleague also mentioned it, but one of the Conservative leadership candidates actually worked for Huawei, so one wonders which way the Conservatives are leaning.

I met with an interdisciplinary cybersecurity research group and learned some fascinating things. Canada's bureaucracy is really slow when it comes to cybersecurity. The research chair at the Université de Sherbrooke criticized the fact that the cybersecurity issue was allowed to drag on under the pretext that it was not yet an election issue. Now it is finally becoming one. That is exactly what we are seeing right now with China's interference.

The Conservatives were not very quick either, because we are behind many other countries. The first RCMP report on cybercrime was not released until 2014, and the report was criticized at the time for containing no numbers, no statistics. The comments were general and predictable, and there were no forecasts. Things have not happened fast enough.

Here we are in 2023, and we really have a lot of ground to make up compared to many other countries, especially European countries. I think it is time to turn this over to the committee, make up for lost time, and pick up the pace on this bill.

Mr. Speaker, I agree with the member that when the bill is in committee, this issue has to be really focused on. Obviously, we want it to move swiftly but not at the expense of overlooking some of the potential pitfalls that will impact Canadians. I think we have to trust the committee to actually make good amendments on this.

Mr. Speaker, I would ask the member about the secrecy and lack of transparency. Does the member believe that the committee can solve this, or is this bill just too shallow for it to go forward?

Mr. Speaker, we always give loaded questions.

I would have to say that, obviously, when one is a member of Parliament, one's honour is on the line all the time. I would hope that our ability to restore honour in our profession always depends on our own moral compass. Sometimes we see that fail, and it is disappointing. However, I really hope this committee can get its act together and get this sorted out.

Mr. Speaker, there is a pressing need to secure Canada's critical infrastructure against cyber-threats.

Computer systems, which run our health care, energy and financial systems, are targets for criminals and foreign adversaries to attack. Disruption of medical services at a hospital or electricity through a grid would have severe consequences, possibly including injury or death.

This is exactly what happened on October 30, 2021, in my province of Newfoundland and Labrador. My hon. colleague across the way agrees with what I am saying because he, his family members or his friends, I am sure, had some of their personal information breached in that attack.

Personal information belonging to thousands of patients and employees was obtained through a cyber-attack on Eastern Health. In fact, over 200,000 files were taken from a network drive in Eastern Health's IT environment. Over 58,000 patients and almost 300 staff and former staff had their personal data breached.

The information taken included health records, medicare plan numbers, dates of birth, names and addresses. In fact, some even had their social insurance numbers taken. The immediate result was that a complete shutdown of the health care system took place throughout the entire province.

Patients who had waited through the pandemic found that critical care for such things as cancer and heart disease were put on hold. Many had to wait weeks or even months to have their appointments rescheduled. Some of these folks had poor outcomes. In fact, people's lives were shortened in some cases as a result of the cyber-induced shutdown of the health care system in Newfoundland and Labrador.

This is very serious stuff. This was not the first time such a cyber-attack happened in Canadian health care. In October of 2019, three hospitals in Ontario were victimized in a similar fashion.

On another note, a pipeline company in the United States fell victim to hackers in 2021. This led to diesel and jet fuel shortages, disrupting most of the economy of the eastern seaboard of our neighbour to the south.

These are just a few examples of catastrophic outcomes resulting from cyber-attacks in recent years. Canadians need protection from these types of attacks. This legislation is intended to align with the actions of our allies in the Five Eyes. This bill would give clear legislative authority to the government to prohibit high-risk entities, such as Huawei, from assuming critical roles in our cyber-infrastructure.

This legislation is filled with good intentions. Currently, a cybersecurity incident is defined as:

an incident, including an act, omission or circumstance, that interferes or may interfere with

(a) the continuity or security of a vital service or vital system; or

(b) the confidentiality, integrity or availability of the critical cyber system.

There is no indication given as to what would constitute interference under the bill. Does this mean that the cyber-attack on Newfoundland and Labrador health care would not be classified as interference?

In addition, there is no timeline specified in this bill for the reporting of cybersecurity incidents to the CSE and the appropriate regulator. The bill says that reporting must be immediate. “Immediate” is not interpreted in this bill. Is it one hour, one day or one week? This is something we need to know.

In terms of civil liberties and privacy, technical experts, academics and civil liberties groups have serious concerns about the size, scope and lack of oversight of the powers that the government would gain under the bill.

In late September 2022, the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group and the Privacy and Access Council of Canada, as well as several other groups and academics, released their joint letter of concern regarding Bill C-26.

While stating the collective's agreement with the goal of improving cybersecurity, the joint letter goes on to state that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.

The joint letter outlines several areas of concern, including increased surveillance. The bill would allow the federal government “to secretly order telecom providers to ‘do anything, or refrain from doing anything’” necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.

While this portion of the bill goes on to list several examples of what “doing anything” might entail, including, for example, prohibiting telecom providers from using specific products or services from certain vendors or requiring certain providers to develop security plans, the collective expresses the concern that the power to order a telecom to do anything “opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards”.

Bill C-26 would allow the government to “bar a person or company from being able to receive specific services, and bar any company from offering these services to others, by secret government order”, which raises the risk of “companies or individuals being cut off from essential services without explanation”.

The bill would provide for a collection of data from designated operators, which could potentially allow the government “to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”

There is a lack of “guardrails to constrain abuse”. The bill would allow the government to act without first being required to perform “proportionality, privacy, or equity assessments” to hedge against abuse. This is concerning to the collective, given the severity of the penalties available under the statute.

There is the potential for abuse by the Communications Security Establishment, the federal agency responsible for cybersecurity but, more prominently, signal intelligence. The CCSPA would grant the CSE access to large volumes of sensitive data. However, it would not constrain its use of such data to its cybersecurity mandate.

The civil liberties of Canadians are already under attack. Bill C-26 does not accurately enough define how our civil liberties would be protected. Given the need for protection from cyber-attacks, a bill like this is quite necessary, no doubt.

In its current form, with so many unknowns for Canadians, I will not be able to support it. However, I do support sending it to committee for some input from Canadians and for some fine tuning, to turn it into an instrument to protect us all from cyber-attacks.

Mr. Speaker, it seems that the Conservative Party keeps pointing out the flaws or weaknesses in this bill as it is put forward. However, I wonder, if it goes to committee and gets amended, does the member think it would prevent the so-called robocall scam that happened a few years back, when the Conservative Party was found guilty of using it during an election?

Mr. Speaker, I am sure that sending this bill to committee will make some improvements. It is unfortunate that my bill, Bill C-251, did not get the opportunity to get to committee and get improved. My hon. colleague is quite aware of the ill consequences of not allowing legislation to get to committee and to be improved, to seal the deal and have positive outcomes for all Canadians.

Mr. Speaker, it is a pleasure to take this debate from coast to coast. I live on the west coast, and I thank the member for Coast of Bays—Central—Notre Dame for presenting from the east coast.

Recently, we had a cyber-attack on Okanagan College in my riding of North Okanagan—Shuswap. It is always an honour to rise as the representative from that area.

Does my colleague for Coast of Bays—Central—Notre Dame think that this bill will address the concerns that were obviously brought to light there, when the college was basically shut down for weeks after the Christmas break? Students could not access their files. Basically, the entire college system was shut down.

If this bill is needed, I wonder if the member has a comment as to why it has taken the government seven and a half years to address this, when our party brought to its attention the potential issues with Huawei and its activities in Canada. Maybe the member would like to comment on that.

Mr. Speaker, it is great to take a question from my colleague, who has constituents who have had hard times due to cyber-attacks. I hope this bill can stop that from happening. I also hope that my hon. colleague can bring some of these people who were affected by a cyber-attack to committee and let them have their input as the bill is being debated and amended.

I am sure this bill is going to need quite a lot of amendments if it is anything like most of the legislation that has come from the government.

Mr. Speaker, I get the impression on this side of the House that the Liberals only come forward with measures to do anything when their feet are put to the fire. We had an example of that today, with the Prime Minister announcing the appointment of a rapporteur, which is a good French word. How many Canadians even know what the word means? He is throwing these measures out to make it look like he is doing something. It is not happening. It is simply not happening. It is to make it look like they are doing something. Canadians see through this.

I wonder if the member could talk about one of the half-measures that the Liberals are doing with this bill.

Mr. Speaker, I cannot really concentrate. My hon. colleague came up with that word that I cannot even make sense of. That reminds me of the Prime Minister's dad with his famous “fuddle duddle”. What does “fuddle duddle” mean? I do not know what “rapporteur” is. I am hoping that this bill addresses some of my hon. colleague's concerns.

Mr. Speaker, I appreciate the fact that we have the ability to have this debate in the House of Commons today. It has been lively, and I have enjoyed it, but I am going to remind Canadians, who might be watching at home, and my colleagues who are here, just how rapidly technology has advanced in the course of our lifetimes.

One of the last jobs that I did prior to becoming a member of Parliament here in the chamber was as a tenured faculty member at Red Deer College in Red Deer, Alberta, where I was a member of the computer systems technology department. I taught computing systems to students there for a number of years. It was a great job with brilliant minds of the young people who had come to that college.

I learned all about computing when I was an adult. I did not have the privilege of growing up inside a computer. Those of us in the room who are old enough to know, back in the mid-1990s, an old IBM 386DX used to cost hundreds, if not thousands of dollars, for computing power that right now would not even match an outdated, obsolete iPhone.

I would remind the people watching what the significance of this debate is and why the legislation we are discussing, and hopefully sending to committee, is so important.

If we go back to the 1960s, the development of ARPANET is where the foundations of the Internet started. The transmission rate of data at ARPANET, which was a military defence network, and as I said, the founder of the Internet, was 56 kilobytes per second. Now, in 2022, we are at 5U, which is 100 megabits per second. This is an absolutely astounding rate of growth in the ability to move information from point A to point B.

The growth since 1983 is based on Nielsen's Law on bandwidth. Basically, every year we increase the capacity to send information over a network by 50%, which is an exponential number that keeps going up. It is not 50% of where we started from. It is 50% from now. If we could do compound interest in the financial system that would give us a 50% compound interest return, we would be doing quite well. However, this is how fast the network processing, or the bandwidth, is growing in the world.

If we take a look at Moore's law, when it comes to the ability of microchip processing, transistors on a microchip double every two years, which is what they said back in the mid-1960s. In 1970, there were just over 1,000 transistors on a microchip. Now, there are 50 billion transistors on a single microchip. That is an insane amount of computational power, and coupled with the bandwidth that I just talked about, leaves us in a situation where parliamentarians and politicians need to be cognizant of the scale of the capacity of what we are talking about.

Let us go back to the early 1990s and a computer at that point in time. We measure computational power in things like FLOPS, or floating point operations per second, and MIPS, or million instructions per second. A computer back in the early 1990s could do under 1,000 calculations per second. Today, we are well over a billion computations per second, and that is floating point operations, which are more complicated than even just the millions of instructions per second. We can just take a look at that efficiency.

When we talk about going back to original computers, we talk about the Harvard Mark II, which I think weighed 23 tonnes. Now, with today's technology, the demand of energy per unit of processing or unit of computing power has actually been cut in half every 18 months, which means that every 18 months, the amount of energy and power that it took to do the same job is now half of what it was. This is allowing for massive growth. We see things springing up all the time. We have Bitcoin mining operations using massive amounts of electricity. Can members imagine if we tried to use that much electricity using older computers? It would have been absolutely astounding.

On storage, I am not talking about memory in the computer, and I already talked about the microchip storage. However, when I was teaching at Red Deer College, we got these hard drives that came in so that we could play around with a hard drive. Now, I am mostly a software guy. I was a programmer and database administrator, but I had to learn a little bit about the hardware.

We had a 420-gigabyte hard drive. It might have been a megabyte, but I think it was a gigabyte, but oh my goodness. I remember we had 20-gigabyte hard drives. Who can remember when they were excited about having a 20-gigabyte hard drive?

In the 1950s, if we go back to early computing, the cost to store one terabyte of data, using that technology and working backwards on the cost of a unit of storage and the evolution of computing, it would have cost over $100 trillion. Today, for less than $100, people can go to a computer store and buy a hard drive or a disk for their computer that contains well over a terabyte of data.

Why is this history lesson so important? It is because we are moving into an age of artificial intelligence. Some of my colleagues have expanded upon the importance of artificial intelligence in their speeches earlier. I listened with great anticipation to what they said.

What does the requirement for computational power and bandwidth require for artificial intelligence? Today's computers, looking at artificial intelligence, are actually using something called petaFLOPS, that is 10 to the 15th, a quadrillion floating point operations per second. That computational power exists in our networks that are out there that are now hooked up with 5G networks that can operate at 100 megabits per second.

The amount of technology and the availability of technology and the ability of that technology in today's standards are absolutely amazing. In fact, because of these advances in technology, we now have some pretty amazing facts. A television today, a software game, any of our intelligence toys, anything that requires computing is 35% lower in cost relative to income than it was just 20 years ago. Meanwhile, college tuition, education and so on have gone up over 150% in the same time frame. That tells us the vast amount of research and technology that has been put in place on the development of this technology.

That is why it is so important. Artificial intelligence is a conversation that we should be having in this House, and cybersecurity is certainly a part of that. Everybody knows, we are watching the news, and we see some great potential uses. That is the thing; everything that is designed to make our lives better, more efficient and more productive could also be used for evil.

I am not accusing anybody of using it for evil. That is not the point I am making. However, everything we want to use for good, somebody else could use with malicious intent.

I will just give a couple of examples. We have had the conversation today about the amount of personal information that has been lost, hacked and held hostage through various cyber-attacks. We know that the People's Liberation Army in China has tens of thousands of people working, just in their cyber-attack divisions alone. Just to keep in mind, for the people who are watching at home, Canada's entire military hovers between 60,000 and 70,000 people. The People's Liberation Army, just in their cyber-intelligence division alone, would have more people than the entire Canadian Armed Forces across all three of our divisions.

These are the folks, coupled with our security establishment, who need to have the tools to defend us, our networks, our infrastructure and all the critical things that we do. We are talking about hospitals, electricity grids and all these things. Imagine something as simple as a driverless or autonomous vehicle. An autonomous vehicle can now drive itself, and the reason it can do it is because we have that 5G technology, and we have the cameras and the ability for that car to make intelligent, informed decisions at the calculation rate, because of the advances in computers that I just talked about. Imagine what somebody with malicious intent could do with an autonomous car, if they wanted to.

That is why we have to get the cybersecurity question right in this debate. If we leave our systems vulnerable, if we leave ourselves open to the possibility, and we are never going to be perfect, and for everything we do, somebody with malicious intent could find a workaround for it, so we have to keep it up to speed.

With all the facts I just talked about, the doubling of technology and computing power and the halving of electricity requirements, we need to be very clear. This is the one piece of advice that I will offer to my friends across the way in the government, because this is too important not to be working together on this. The technology is growing and developing at such a rapid pace that I really do hope that we and the government have the ability to put in some clauses to review this, because it is just so important that we get this right and constantly review our cyber defences and cybersecurity in this country.

Mr. Speaker, I rise today to speak to Bill C-26, an act about cybersecurity. In the 21st century, cybersecurity is national security, and it is our responsibility to protect Canadians from growing cyber-threats. We have to take the necessary steps to protect Canadians and our telecommunications infrastructure. Canadians must have confidence in the integrity, authenticity and security of the products and services they use every day.

This bill reflects the values of Canadians and is in line with our closest allies, including our Five Eyes partners. That is why we are investing in cybersecurity, ensuring respect for the privacy of Canadians and supporting responsible innovation. We will continue to protect Canadians from cyber-threats in an increasingly digital world. As said in our international cybersecurity overview, a free, open and secure cyberspace is critical to Canada’s economy, social activity, democracy and national security.

Canada faces cybersecurity risks from both state and non-state actors. Protecting Canada’s and Canadians’ cyber-infrastructure from malicious actors is a serious challenge and a never-ending task. Canada works with allies and partners to improve cybersecurity at home and to counter threats from abroad. This includes identifying cyber-threats or vulnerabilities and developing capabilities to respond to a range of cyber-incidents.

A few years back, we put forward the national cybersecurity strategy, a vision for security and prosperity in the digital age. As mentioned there, virtually everything Canadians do is touched by technology in some way. We are heavily interconnected and networked, a fact that not only enhances our quality of life but also creates vulnerabilities. From commercial supply chains to the critical infrastructure that underpins our economy and our society, the risks in the cyberworld have multiplied, accelerated and grown increasingly malicious.

Major corporations, industries and our international allies and partners are engaged in the global cyber-challenge, but many others are not and that represents a significant risk. The strategy's core goals were reflected in budget 2018, where $500 million was invested in cybersecurity. Part of the funding was for the new Canadian Centre for Cyber Security, which is Canada’s technical authority on cybersecurity. It is part of the Communications Security Establishment, and it is the single, unified source of expert advice, guidance, services and support on cybersecurity for Canadians and Canadian organizations.

It regularly publishes the “National Cyber Threat Assessment”, and I would like to quote from their latest one for 2023-24. It states:

Canadians use the Internet for financial transactions, to connect with friends and family, attend medical appointments and work. As Canadians spend more time and do more on the Internet, the opportunities grow for cyber threat activity to impact their daily lives. There’s been a rise in the amount of personal, business and financial data available online, making it a target for cyber threat actors. This trend towards connecting important systems to the Internet increases the threat of service disruption from cyber threat activity. Meanwhile, nation states and cybercriminals are continuing to develop their cyber capabilities. State-sponsored and financially motivated cyber threat activity is increasingly likely to affect Canadians.

In the latest assessment, they chose to focus on five cyber-threat narratives that they judge are the most dynamic and impactful.

First, ransomware is a persistent threat to Canadian organizations. Cybercrime continues to be the cyber-threat activity most likely to affect Canadians and Canadian organizations. Due to its impact on an organization’s ability to function, ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. Cybercriminals deploying ransomware have evolved in a growing and sophisticated cybercrime ecosystem and will continue to adapt to maximize profits.

Second, critical infrastructure is increasingly at risk from cyber-threat activity. Cybercriminals exploit critical infrastructure because downtime can be harmful to industrial processes and the customers they serve. State-sponsored actors target critical infrastructure to collect information through espionage, to pre-position themselves in case of future hostilities and as a form of power projection and intimidation.

Third, state-sponsored cyber-threat activity is impacting Canadians. State-sponsored cyber-threat activity against Canada is a constant, ongoing threat that is often a subset of larger, global campaigns undertaken by these states. State actors can target diaspora populations and activists in Canada, Canadian organizations and their intellectual property for espionage, and even Canadian individuals and organizations for financial gain.

Fourth, cyber-threat actors are attempting to influence Canadians, degrading trust in online spaces. Cyber-threat actors' use of misinformation, disinformation and malinformation, collectively referred to as MDM, has evolved over the past two years. Machine learning-enabled technologies are making fake content easier to manufacture and harder to detect. Further, nation-states are increasingly willing and able to use MDM to advance their geopolitical interests.

Fifth, disruptive technologies bring new opportunities and new threats. Digital assets, such as cryptocurrencies and decentralized finance, are both targets and tools for cyber-threat actors to enable malicious cyber-threat activity. Machine learning has become commonplace in consumer services and data analysis, but cyber-threat actors can deceive and exploit this technology. Quantum computing has the potential to threaten our current systems of maintaining trust and confidentiality online. Encrypted information stolen by threat actors today can be held and decrypted when quantum computers become available.

Simply put, cyber-threats pose a growing risk to all Canadians and institutions. We are confronting this threat head-on. Our government regularly engages with domestic and international cybersecurity partners to protect Canada’s critical infrastructure and the systems that underpin essential services. We are working closely with critical infrastructure stakeholders and partners to ensure that they are better prepared to face cyber-based threats.

Our cybersecurity framework continues to detect, deter and disrupt state and non-state actors attempting to take advantage of the Canadian cyber-landscape. Our government is, and will always be, ready to respond to any malicious cyber-acts that threaten Canadian interests.

To conclude, the purpose of this act is to help protect critical cyber systems in order to support the continuity and security of vital services and vital systems by ensuring that, first, any cybersecurity risks with respect to critical cyber systems are identified and managed; second, critical cyber systems are protected from being compromised; third, any cybersecurity incidents affecting, or having the potential to affect, critical cyber systems are detected; and finally, the impacts of cybersecurity incidents affecting critical cyber systems are minimized.