Bill C-26

Good morning, and thank you for inviting us to speak with you this morning.

Before I begin my remarks, I would like to acknowledge that we are gathered on the traditional unceded territory of the Anishinabe people.

My name is Leila Wright, and I am the executive director of telecommunications at the CRTC. I am joined today by my colleagues Steven Harroun, chief compliance and enforcement officer, and Anthony McIntyre, general counsel.

The CRTC is an independent and quasi‑judicial tribunal that operates at arm's length from the government. We hold public hearings on telecommunications and broadcasting matters. We make decisions based on the public record.

In the telecommunications industry, our work focuses on increasing competition for Internet and cellphone services. We do this by promoting greater choice and affordability for Canadians, encouraging investment in reliable and high-quality networks, and improving access to telecommunications services in indigenous, rural and remote communities. We also have a team that helps protect Canadians from unwanted emails, texts and online scams.

The CRTC plays a small part in the federal government's effort to protect the security of Canada's telecommunications system.

Other organizations that contribute to this effort include the Communications Security Establishment, the Canadian Security Intelligence Service, Innovation, Science and Economic Development Canada, the Canadian security telecommunications advisory committee and many others.

The CRTC does not have a role to play within the proposed critical cyber systems protection act. Additionally, many of the proposed amendments to the Telecommunications Act establish new authorities exclusively for the Governor in Council and the Minister of Industry, and do not modify the CRTC's regulatory mandate under the act.

However, a few changes would be relevant to the CRTC's work. I'll focus on three changes in particular.

First, the proposed amendment to section 7 of the Telecommunications Act would add a new policy objective focused on promoting the security of the Canadian telecommunications systems. As with other policy objectives set out in the act, this addition would allow the CRTC to expressly consider how its decisions could further this new objective.

Second, the addition of proposed section 15.6 would facilitate information sharing between a broad group of security-focused government departments and agencies and the CRTC. This would be for the purpose of ensuring compliance with orders and regulations made by the Governor in Council and the minister.

Third, section 47 would require the CRTC to take into account any orders or regulations made by the Governor in Council and the minister in its decision‑making.

Should Parliament adopt Bill C-26, the CRTC will be ready to implement the amendments made to the Telecommunications Act that affect our work.

Thank you again for inviting us to speak today. We look forward to your questions.

Good morning.

My name is Chris Loewen. I am the executive vice-president, regulatory, at the Canada Energy Regulator. I'm joined today by Mr. Chris Finley, director of emergency management and security.

Thank you for inviting the Canada Energy Regulator to appear before the committee today to discuss Bill C-26.

We join you today from Calgary. I would like to take this opportunity to acknowledge the traditional territories of the people of the Treaty 7 region of southern Alberta.

I'll start by outlining the mandate of the Canada Energy Regulator, or CER.

The CER regulates infrastructure to ensure the safe and efficient delivery of energy to Canadians and the world. It regulates pipelines, power lines, energy resource development and energy trade on behalf of Canadians in a way that protects the public and the environment while supporting efficient markets.

Safety is at the core of our work. We regulate to prevent harm in all forms, and we understand that this includes the cybersecurity threats that Bill C-26 is seeking to address. The CER takes the matter of cybersecurity threats to Canada's energy supply seriously.

The CER oversees roughly 71,000 kilometres of the oil and gas pipelines in Canada. We regulate pipelines that cross provincial boundaries or the Canada-U.S. border. CER-regulated pipeline companies are required to have proactive measures in place to protect this critical infrastructure from cybersecurity threats.

Regulated companies must have a security management program that anticipates, prevents, manages and mitigates conditions that could adversely affect people, property or the environment. In addition to the physical threats to infrastructure, companies must consider cybersecurity threats in their security management program and implement appropriate mitigation based on the results of a security risk assessment process. These requirements are laid out in the Canadian Standards Association's Z246.1 standard, which is included in the CER Act's onshore pipeline regulations by reference.

Cybersecurity measures must reflect the criticality of cyber-assets, as well as the results of regular assessments of threats, vulnerabilities and overall security risk.

The regulation of electricity generation, transmission and distribution rests primarily within the jurisdiction of provinces and territories. However, the CER regulates approximately 1,500 kilometres of international power lines. The Canadian public rightfully expects us to hold the pipeline and international powerline companies we regulate accountable for the safe operation of CER-regulated energy infrastructure.

The CER is well positioned to administer the obligations of Bill C-26, in particular those that apply to companies we regulate, and, given these obligations, align with those already found in the Canadian Energy Regulator Act.

For example, the bill provides the CER with the ability to issue orders and to take necessary enforcement actions to bring a company back into compliance, so that critical cyber systems are protected.

The CER already uses similar tools. For example, it issues notices of non‑compliance, inspection officer orders and administrative monetary penalties, as needed, to bring companies back into compliance and ensure that they operate safely.

The CER also verifies that companies are meeting requirements through inspections, audits, compliance meetings and emergency response exercises.

The CER uses an integrated government approach. It works with federal, territorial, provincial and international agencies, as well as regulated industry, to ensure that proactive measures are taken to protect federally regulated energy infrastructure from cyber-related risks or attacks.

Thank you very much for the opportunity to speak with you today about this important issue. We look forward to your questions.

There was certainly an opportunity for consultation several years ago. We participated in that with our members, as well, because we reached out to them. It became a trickle-down process, but it would be nice to see something like Bill C-26 running in concert with a national cyber-strategy.

The consultation was several years ago and is now two years behind. I see that coming down the pipeline.

What was the third question?