Bill C-26 (Historical)

Madam Speaker, I am pleased to rise and speak to Bill C-8 today. For those watching at home, in the previous Parliament, Bill C-8 was Bill C-26.

I was pleased to sit on the public safety and national security committee, which went over that bill. I want to provide a quick overview, because part of the debate we are having in the House today is about why we are discussing the legislation again when it was discussed and advanced, pretty much to the finish line, in the last Parliament.

Bill C-26 went through committee. There were numerous amendments made by all parties. It came out and went to the Senate. The government asked the House of Commons to fast-track a different bill on foreign interference. In the government's own incompetence, it did not seem to realize that its foreign interference bill contained provisions that nullified the entire second part of Bill C-26. The Senate actually identified this problem. This caused such a delay to the bill that when the Liberal government decided to prorogue Parliament, despite the fact that it had not tested the confidence of the House, it actually resulted in the legislation being killed.

The government has been saying, “The dog ate my homework.” The fact is that the Liberal government was the one that killed the legislation in the last Parliament. That is the reason we are back here today.

Cybersecurity is an issue of critical importance. Cybersecurity has an impact on all aspects of our life. More and more of our daily life is being spent online, and we are becoming dependent on services and infrastructure that are vulnerable to cybersecurity threats. The threats posed by malicious actors are touching every aspect of society. They are touching industry, hospitals, pipelines and individual households.

As we know, with the government's implementation of soft-on-crime bail policies, criminals will always follow the path of least resistance. It is no different in the cybersecurity environment. When a country has poor cybersecurity legislation, it makes itself a target for these malicious actors and encourages that behaviour.

The Liberal government originally introduced Bill C-26 in June 2022, over three years ago. We only started to study the bill two years after it was introduced. We heard repeatedly from the Liberals that cybersecurity has been a high priority and that this is critically important legislation, but here we are, three years later, in an entirely new Parliament, going over the same legislation again.

These delays could have been prevented, but the Liberal government failed. It is unfortunate because we have heard repeatedly that Canada's cybersecurity has been neglected and remains a vulnerable and soft target.

The bill proposes to give sweeping powers to the government, and Conservatives believe that we cannot give the government a blank cheque. We need to study the legislation to ensure that we are creating effective mechanisms for combatting cybercrime without creating unnecessary red tape, bureaucracy or charter rights implications.

The bill has two key objectives. First, it seeks to amend the Telecommunications Act, to give the government the power to secure the telecommunications systems. Basically, the government would have the power to tell the telecommunications companies and others to do things or to not do things, such as removing equipment provided by a hostile foreign power that is being used in our telecommunications systems.

Second, it seeks to create the critical cyber systems protection act; in theory, this would allow the government to impose cybersecurity requirements on federally regulated industries. These industries could include the energy sector, pipelines, nuclear plants, the financial sector, banks, the health sector and other areas.

I believe there are some positive steps towards enhancing public safety in the bill. It is important for Conservatives to point out that there are some serious weaknesses that remain in Canada's cybersecurity posture. In fact, we are the last G7 country without a robust regulatory framework for cybersecurity.

Last summer, the Auditor General released a damning report on the government's capacity to combat cybercrime. I am going to quote her conclusions, because they were scathing:

...the Royal Canadian Mounted Police (RCMP), Communications Security Establishment Canada, and the Canadian Radio-television and Telecommunications Commission (CRTC) did not have the capacity and tools to effectively enforce laws intended to protect Canadians from cyberattacks and address the growing volume and sophistication of cybercrime. We found breakdowns in response, coordination, enforcement, tracking, and analysis between and across the organizations responsible for protecting Canadians from cybercrime.

This raises an important point. We can have all of the laws we want that say all the right things, and we do have some laws on cybersecurity, but it is clear from the Auditor General's report that the government has not invested in the capacity, the resources or the tools to implement the current cybersecurity laws that we have. We need to be assured that, by bringing the legislation forward, the government is not only planning to grant itself these powers but also giving law enforcement the capability to do something with these powers. That is something that it has not really done.

The trend continues to worsen. The Canadian Anti-Fraud Centre projects that losses from cybercrime will surpass over $1 billion annually by 2028. There are actual insurance products being created to protect people from cybercrime. That is not just money being lost to fraud. That is broken lives and ongoing mental health challenges that are devastating our citizens.

We know that coordinated and strategic attacks on our national infrastructure by criminals or foreign adversaries have wreaked havoc, and will continue to wreak havoc, on our society. A cyber-attack on our power grid in the middle of winter would be devastating to hospitals with vulnerable patients or to pipeline infrastructure. Canada has already faced concentrated cyber-attacks against its telecommunication companies since at least 2021, with the Communications Security Establishment saying that it is aware of malicious cyber-activities from People's Republic of China state-sponsored actors.

Canada and our allies have already been the target of cyber-attacks carried out by hostile state-sponsored or aligned groups. In fact, the RCMP, FINTRAC and Global Affairs Canada, just to mention a few, have all been previously breached by cyber-attackers. The seriousness posed by these attacks on our nation's most sensitive information cannot be understated. We need to know that the government is taking action to secure its own systems, not just telling the private sector that it has to secure its systems.

We know that the private sector is taking proactive measures to invest in cyber-defence. With hundreds of thousands of cyber-attacks, and that is not hyperbole, targeting Canada in the first six months of 2025, they have been forced to step up and the government has not.

I hear from constituents on a regular basis that they are concerned that the government's own cybersecurity measures are not up to snuff, particularly in regard to the Canada Revenue Agency. As malicious criminals become more sophisticated, Canadians need to know that their data is being stored in a safe and secure way. Therefore, it is common sense that the Liberal government should hold itself to the same standards that it is holding the private sector to in the legislation.

Bill C-26 was introduced way back in June 2022. This was in the wake of the government's decision to finally, after tremendous political pressure, ban ZTE and Huawei from the Canadian 5G networks. This was long after decisive action had already been taken by all of our Five Eyes partners.

I am pleased to say that I think Bill C-26 left committee in better condition than when it went in, but we have heard from many witnesses who are concerned about the over-centralization of powers that this is giving to cabinet ministers. There is also concern that the bill in its current form gives the government excess executive authority without full proper oversight and guardrails. In Bill C-8, the government has continued to take a “trust us” approach to legislating Canada's cybersecurity, which is alarming to the many Canadians who are concerned that the government may overreach.

Conservatives believe that trust needs to be earned. As a great Conservative politician once said, “Trust, but verify”. Considering the Liberal government's habit of limiting free speech in bills like Bill C-11 and Bill C-18 in the last Parliament, and the illegal use of the Emergencies Act, I believe that many of these concerns are valid and should be addressed. Conservatives need to be able to study the bill, so we can provide amendments and listen to further witness testimony to ensure that accountability and oversight mechanisms are effective and that they are improved.

Another area of concern that was flagged by witnesses was the absence of a special national security-cleared lawyer to act on an applicant's behalf during a judicial review. This is actually a standard practice in other areas of national security when sensitive information is brought forward. Therefore, we find this omission questionable.

Basically, to explain that, part of the provision of the bill is to allow the government to conduct court hearings in secret. When we are dealing with top secret or sensitive information, we can see that there is a justification for that. We need to ensure that anyone who is caught up in that is getting the appropriate legal representation. That is a critically important factor.

Conservatives want to ensure transparency and accountability. We need strong oversight measures, clear retention limits and restrictions on how data can be collected, used and shared, especially with our foreign intelligence partners. We need to define “personal information”. The bill clearly fails to define what personal information is, which leaves the privacy of Canadians vulnerable. We need to ensure that the government is not allowed to keep these orders secret indefinitely without just cause, and we need to ensure there is no overreach of the powers it is giving itself.

Conservatives want to ensure there are appropriate consultations with and involvement of the Privacy Commissioner, the Intelligence Commissioner and other stakeholders in civil society in improving this legislation. We need independent oversight to ensure strong judicial oversight in accessing personal information. We need strong privacy safeguards to ensure that incident reports involving personal information are shared with the Privacy Commissioner. We need limitations so this data is only used in cases of cybersecurity. We need transparency requirements to mandate the disclosure of the secret orders after a reasonable period and consequences for failing to table those reports.

In summary, given the growing geopolitical tensions around the world, we cannot afford to be naive on matters of cybersecurity. We have sensitive research being conducted at our universities. We need to assert our sovereignty in the Arctic. Canada is a target for hostile powers wanting to undermine our country's national interests and go after our citizens.

We know that hostile states like North Korea, China, Russia and Iran have demonstrated the ability to hack into our critical infrastructure and will continue to take hostile action unless we take decisive steps to improve our cyber-defences. While this bill would be a step in securing our telecommunications systems and other federally regulated industries, it is not all-encompassing and there are some gaps. As Canadian society moves increasingly into a digital space, the government needs to remain vigilant and take proactive steps to ensure we are keeping up, because this landscape is always changing.

In conclusion, our Conservative team is looking forward to seeing this bill come back to committee, where we can propose meaningful amendments and listen to key witnesses and the concerns of Canadians so that they are addressed.

While this legislation is important, we need to ensure that we are not giving the government a blank cheque. We need to ensure that the government is held accountable so the powers it would be giving itself would only be used in a justified and proportionate manner.

Madam Speaker, we in the Bloc Québécois already raised our concerns earlier regarding respect for provincial jurisdictions. That is a crucial point. Another important point is the protection of civil liberties.

I was reading the testimony of the Privacy Commissioner who spoke at length when we were studying Bill C-26 about the risks of confidential and personal information unintentionally ending up in the hands of the government as a result of the bill's implementation.

My question for my colleague is this. To what extent will the Liberals take these concerns into account to ensure that information obtained for a legitimate purpose is not used by other federal government departments and agencies?

Madam Speaker, I rise to speak in support of Bill C-8, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.

This legislation is a necessary, measured step to protect systems that Canadians rely on every single day. This bill would help critical infrastructure operators better prepare, prevent and respond to cyber-incidents. It would do what responsible governments must do: It would set clear, enforceable standards for operators in the most critical sectors; it would enable rapid, targeted interventions when threats emerge; and it would ensure that Canada is aligned with international partners that are facing precisely the same challenges. In this era, it is very important that we pass this piece of legislation.

Let me talk about two big things the bill would do. First, it would modernize the Telecommunications Act so that our security agencies and responsible ministers can issue targeted, time-limited directions to defend our networks against serious and evolving threats. Second, it would enact the critical cyber systems protection act, the CCSPA, which would set baseline, legally binding cybersecurity duties for designated operators in federally regulated critical sectors. This would mean cyber-risk management programs, timely incident reporting and accountability up and down the supply chain. Those are not “nice to haves” anymore; they are the basic hygiene that we need for running a critical service in 2025.

Colleagues will recall earlier efforts under Bill C-26. With Bill C-8, our government has brought back a refined, clearer and in some places improved framework because the threat landscape did not pause when Parliament did. Several independent analyses confirm that Bill C-8 substantially revives the Bill C-26 approach while correcting drafting issues and clarifying process where needed, and that is prudent governance.

Why does this matter? For Canada, cyber-risk is now an economic risk, a jobs risk and a public safety risk. A successful attack can freeze payrolls, disable hospitals, shut down pipelines or even take down our 911 lines.

Across London, manufacturers, research labs at Western University, students at Fanshawe College, local clinics and small businesses on our main streets all depend on secure networks. The southwestern Ontario supply chain and the supply chain across Canada, which include major investments in EVs, batteries and advanced manufacturing, cannot function with brittle digital infrastructure. When a single compromised supplier can ripple through an entire regional economy, cyber-resilience becomes a competitiveness strategy.

Essentially, what Bill C-8 would require under the CCSPA is that designated operators, such as those in banking and financial services, telecommunications, energy and transportation, must establish and maintain a cybersecurity program proportional to their risks, report cyber-incidents quickly and consistently, manage third party and supply chain vulnerabilities, and comply with enforceable directions in extraordinary circumstances. There are administrative monetary penalties for non-compliance because rules without consequences are just suggestions. We cannot afford to bring just suggestions forward.

On the telecom side, Bill C-8 would modernize the tool kit so that government can act surgically when credible threats emerge in our networks. These powers are not a blanket. They are tied to concrete risks and are subject to review. In today's environment, speed matters. A 72-hour delay can be the difference between a contained incident and a national outage.

Some civil society groups and legal scholars have raised important concerns about privacy, transparency and due process, especially around how directions are issued and reviewed and how information flows between government and private operators. I want to take the opportunity to acknowledge those concerns, which are clearly on the floor of this House. Some of our colleagues have mentioned them in this debate.

The goal of Bill C-8 is to protect Canadians, not to weaken their rights. As this bill advances to committee, I look forward to seeing the conversations that colleagues from across the aisle will have and the suggestions they will be putting forward. As we did before on Bill C-26, I think we will be able to achieve a consensus on what this bill is going to look like. Essentially, the goal is to protect Canadians.

I also have some thoughts on some of the things we could look at. Number one is that we could look at tightened transparency around reporting, including public statistics on the use of cybersecurity directions wherever national security considerations allow. We can also look at strengthened due process, making judicial review avenues practical and timely, and clarify data handling and retention so information shared for cybersecurity is not used for unrelated purposes and that it is protected with robust safeguards.

I do not sit on the committee, but I do know we have colleagues on it from across the aisle who are going to have robust conversations on how to strengthen the bill as we did in the past. We voted for Bill C-26. It is now back in the House, refined and reframed for all our colleagues to discuss and to propose measures they want to see within the spirit of wanting to protect cybersecurity for all Canadians.

I think these are reasonable and constructive asks that would make for good dialogue and would strengthen the bill. I am sure there will be more suggestions that I look forward to reading from my colleagues. I am sure they will support and pass the bill in a very timely manner, because if we are having a conversation about a cybersecurity bill in 2025, we need to pass it. I think we understand that the bill is not coming forward as a nice-to-have conversation; it is really critical.

Not every critical service is a national giant. Many are medium-sized providers or municipal utilities that keep water flowing and transit moving. For these operators, the question is often capacity. Having the people, the tools and the processes that meet modern standards is really important. I support complementary measures alongside Bill C-8: practical guidance, shared services, threat intel programs that actually reach the front lines, and funding that helps smaller providers implement the basics, such as asset inventories, multi-factor authentication, network segmentation, backup discipline and tabletop exercises.

Standards without support risk becoming paper compliance. What we should be trying to do with our approach is to enable real resilience for Canadians. We also need to be honest about where the real attack surface is today: suppliers, managed service providers, and software dependencies. Bill C-8's supply chain provisions are a step forward, but we must continue to keep pushing for secure-by-design practices. The objective is learning and early warning, not blame-shifting.

I hope that colleagues at committee will have the time to ensure that timelines will also allow the time to consult, that thresholds and formats are clear, and that we streamline duplication with sectoral regulators where possible.

Critical services in indigenous and rural communities face unique constraints.

I do not think I will be able to finish my speech, but I want to say that the legislation is really important for all Canadians. I am happy to speak to and support the bill. I look forward, for all our colleagues who have been speaking to the bill today, to their actually helping us bring it to committee so we can bring amendments that are necessary and we can pass the bill as quickly as possible. They voted for it in the last Parliament under Bill C-26. It is back now, and it is really important we pass it as quickly as possible.

Madam Speaker, Bill C-26 was killed because of the Conservatives' irresponsibility last fall. That is the reason Canadians do not have it.

Let me extend a hand of co-operation to the Conservative Party. At the end of the day, we can all reflect about what came out of the last election. The Government of Canada cannot pass legislation unless it gets the opposition's co-operation. The opposition knows that. If every member of the Conservative caucus is put up to speak to every piece of legislation, we will not be able to pass legislation. That is why Conservative voters need to also be listened to. Everyone wants more co-operation. It is time that we are less political and more at work putting Canadian interests ahead of partisan interests. That is what Canadians of all political stripes want.

Madam Speaker, the private sector in general is ready to protect itself, especially on the cybersecurity front, otherwise it cannot really do business in this world. The government, on the other side, is not ready. It has been dragging its feet since the last Parliament by killing Bill C-26.

Will the hon. member be honest and tell Canadians why the government killed Bill C-26?

Madam Speaker, the answer is no, the government did not intentionally kill Bill C-26. As the member may be aware, there was a Senate-related issue, so it had to come back to the House.

If there had not been as much filibustering as we witnessed last November and December, we would have been trying to see legislation pass that is in the best interest of Canadians. All the member needs to do is look at 80% of the debate, in which we saw Conservative after Conservative stand up on a frivolous privilege issue to try to justify that every member would be able to debate something, not once but twice. That is why they have to put—

Madam Speaker, I find it ironic that the member talked about Conservatives being obstructionist. It is precisely because the government begged us in the last Parliament to fast-track its foreign interference legislation that we are here today. Because that legislation was fast-tracked, it actually nullified provisions in Bill C-26, which caused the unnecessary delays to the bill. That is the reason we are here debating it today.

It is such a debacle that it leads me to ask, did the government kill Bill C-26 purposely, or are the Liberals just incompetent?

The Conservative Party takes the attitude that it is okay for it to significantly change the legislation and that we should just forget about members' being able to speak to it; heaven forbid that. However, when it comes to government legislation, the Conservatives have their politically motivated methods of filibustering.

Let us talk about Bill C-26 and Bill C-8. What is Bill C-8? It is a reflection of Bill C-26, with a couple of relatively minor changes to it. Bill C-26 had second reading debate. It went to committee, had extensive debate there, came back for extensive debate here, and then went to the Senate.

At every stage, it was passed unanimously; everyone supported the legislation, yet the Conservatives look at the bill and say that they have new members. The government caucus has more new members than the Conservatives do, and we have a new Prime Minister. At the end of the day, the Prime Minister has taken a holistic approach in terms of what we need to do inside the House of Commons, and he said that the bill is important legislation. It would have a very real, tangible impact on our businesses and on Canadians.

We are looking for what Canadians mandated not only the Liberal Party to do, but also the Conservative, Bloc and New Democrat members and the leader of the Green Party. They want a higher sense of co-operation on the floor of the House of Commons. Even Conservative voters want more co-operation. We all know the bill is good, sound legislation, at the very least, that can go to the committee stage. If someone senses a little frustration on my part, it is based on other legislation that the government has before us.

Often what it takes is that we have to shame opposition members, particularly the Conservatives, into recognizing legislation is in the best interest of Canadians, and there is nothing wrong with allowing good legislation to, at the very least, go to a standing committee where experts, Canadians and members opposite can debate it, especially when there is a minister who stands up and says that if members have amendments, they should bring them forward. However, we do not see that happening. There is a very clear double standard.

We can look at the legislation itself. Malicious cyber-attacks are a reality. They are taking place today in many sectors, and they are not unique to Canada. They are a threat to the world economy, I would argue. Bill C-8 is a positive step in addressing that issue. It would ensure that we would have more sharing of information between governments, industry and stakeholders. It would establish more accountability, and one would think every member of the House would be in support of something of that nature.

In terms of cyber-threats, think of the critical industries the federal government is responsible for. Finance, communication, energy and transportation all have critical infrastructures, and we need the legislation. When we have a Prime Minister who says we want to build a strong, healthy economy, the best and strongest economy in the G7, in order to protect the interests of that economy, we need this type of legislation passed.

Let us talk about cyber-threats in terms of finance. The finance industry is so critically important to Canada. When I was first elected as a parliamentarian a few decades ago, we did not have things like online banking. We went to the bank and went through long lineups, and there were more banks in our communities.

I can say that changes that have occurred in our financial industry have been overwhelming in many different ways, and legislation needs to be brought forward to protect the interests of Canadians, whether in terms of identity theft or cyber-attacks, which can literally shut down or cause serious financial issues at a banking or credit union institution. What is wrong with legislation that reinforces the need to ensure there is a higher sense of accountability and more information sharing? Then, if a cyber-attack occurs at X, we can learn from that and make sure the industry as a whole is better informed in order to be able to deal with an attack of that nature.

It is very real. Nowadays, our business communities get more payments on credit cards and debit cards than they do in cash transactions. We can go to a mall or a store, anywhere we go where we see financial transactions, let alone the Internet itself. We need to protect and ensure that privacy information is kept private and, where there are bad actors, that the government is in a position to be able take action. That just deals with one component I made reference to as an example, finances.

In telecommunications and cellphones and things of this nature, what makes up the cellphone matters and subcontractors matter. These types of things are in Canadians' best interests. Whether it is energy, transportation, finance or telecommunications, I think it is a very strong, positive and warranted piece of legislation from the national government. That is why, when I started off my comments, it was all about the process. We have had a lot of discussion and debate. I am not saying that it has to pass today, but let us take a look at legislation that is before the House of Commons and be reasonable so we know we will be able to pass legislation and we know—

Madam Speaker, I will be sharing my time with the member for London West.

It was interesting to listen to the last speaker. I would like to take up on some of the comments he put on the record, along with those of my friend from Kamloops—Thompson—Nicola.

They need a reality check. First, let us flash back to December of last year when the Conservatives, the Bloc and the New Democrats, all opposition parties, said that at the first opportunity, they were going to defeat the government. Now the member stands in his place and says that we should not have had the election when we had it and that the government should have prolonged things a little longer. It is amazing the member can say that with a straight face. It is totally amazing.

The member for Kamloops—Thompson—Nicola, the Conservative critic for this bill, last week introduced a private member's bill in the House, Bill C-225. I will quote what the member said: “This bill is a monumental change”, “I ask that the House streamline the passing of this bill as quickly as possible” and “Let us pass this bill right away.” I wonder what would happen if we were to apply the hypocrisy of members' opposite when they talk about us suggesting not that we pass a bill but allow it to go to committee.

With regard to the private member's bill the member was referring to, I agree that there are a lot of substantive changes, but how much time is it going to have at second reading? There will be two hours; that is it, and then it will go to committee. Then there is a time frame for it at committee, and it will come back for another two hours of debate in the House. Then it will head to the Senate. Let us contrast that with the ongoing obstructionist attitude that the Conservative Party has on legislation, period. Let us talk about Bill C-26.

Madam Speaker, it is always a pleasure to rise on behalf of the people from Kamloops—Thompson—Nicola, and it is an honour to contribute in questions and comments to my hon. colleague from the Okanagan. I really appreciate what he had to say. He built on what my colleague from the Bloc had to say.

I have been fairly clear, and I will speak as the chief critic for the Conservative Party. This will go to committee. When it goes to committee, Conservatives will engage in vigorous scrutiny in order to ensure that we have the best bill possible. Just because the bill passed in the form of Bill C-26 does not mean that we rubber-stamp it through in the 45th Parliament. We need to be committed to always making every bill the best it can be. Does my colleague agree?

Madam Speaker, I enjoyed my colleague's speech. He really has a great radio voice and it was a pleasure listening to him.

I might have a brief response for my Liberal colleague. Bill C‑8 was tabled in June. Let us check the current date. This is an important bill, but the Liberals seem to be having a hard time managing their legislative calendar. Now, all of a sudden, they want to fast-track Bill C‑8 because it really is very important.

While this bill is indeed very important, some concerns remained after we debated Bill C‑26. Bill C‑26 passed because we made compromises. We now have another opportunity to improve Bill C‑8.

Does my colleague think there is still room for improvement in Bill C‑8?

Madam Speaker, the Liberals tabled Bill C-26 two years before doing anything with it. This is the very first day that we actually have the ability to discuss Bill C-8, but the government does not like to hear that it is being held accountable. I know that we can improve the legislation, and my constituents have views on it. I would hope the deputy House leader would actually listen and encourage, in a minority government, debate about a very profound piece of legislation that can have an impact on people's lives. This will probably be a once-in-a-generation discussion, so I would hope the member would not simply try to push away that there are concerns with the bill—

Madam Speaker, I am sure the member opposite remembers the efforts on Bill C-26 before the election happened, which he and his colleagues spent two years calling for. He is saying we do not want to have the conversation, and I want to disagree with the member, because we put forward a bill. We put it forward in the last Parliament, and we are putting it forward again. We want to bring it to committee. We want members to bring suggestions and amendments.

We understand the importance of cybersecurity for Canadians, especially in 2025. Why will the member not agree to send this to committee instead of arguing just for the sake of arguing?

Madam Speaker, definitely. It was discussed at the last public safety and national security committee.

We listened to presentations from many witnesses, who told us about the problems with Bill C-26. If the bill goes to the committee again, we would like to hear more from experts, concerned parties and stakeholders on the problems that we have in the bill as presented.