Evidence of meeting #101 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A recording is available from Parliament.
Liberal
Jennifer O'Connell Liberal Pickering—Uxbridge, ON
Thank you.
This amendment removes the reference to “reasonable steps” in proposed section 15. This would allow for the availability of the due diligence defence and provide more clarity to the intention of this bill. However, based on feedback, we want to put in some language that would ease some of those concerns.
Liberal
The Chair Liberal Heath MacDonald
Is there any discussion?
(Amendment agreed to [See Minutes of Proceedings])
We're now on BQ-13.
Ms. Michaud, go ahead, please.
Bloc
Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC
Thank you, Mr. Chair.
BQ‑13 is pretty straightforward.
A number of stakeholders asked us to better protect the information in question or the sharing of that information. The purpose of the amendment is simply to increase confidence around the sharing of the information and to strengthen the conditions applicable to how the information is used.
Liberal
The Chair Liberal Heath MacDonald
Thank you, Ms. Michaud.
If BQ-13 is moved, CPC-19 cannot be moved, as they are identical.
I should have read that out before you did your comments. My apologies.
Go ahead, Mr. Motz.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
I'm just wondering if the officials have any comment on BQ-13 and its potential for limiting CSE in using information only for cybersecurity purposes.
Stephen Bolton Director General, Strategic Policy, Communications Security Establishment
First off, I think it is important to note that CSE would not receive any new authorities under the act. It would leverage our existing mandate under the Communications Security Establishment Act. Section 16 of the act is for cybersecurity and information assurance to provide technical advice, guidance and services, both to designated operators and to Government of Canada partners.
Information collected by CSE pursuant to one aspect of its mandate can be used by CSE under another aspect of the mandate as long as it meets specific conditions set out in the CSE Act. Information related to security programs will enable CSE and its cyber centre to gain a better understanding of the supply chain risk of designated operators as well as the intentions of a foreign entity via its penetration into respective sectors.
Without being able to leverage CSE's mandate as a whole, CSE's understanding of foreign actors' intentions against our critical infrastructure and the proper strategic mitigations would be greatly diminished. Any limitation would also reduce CSE's collaboration with our Five Eyes partners.
I would therefore suggest that this amendment may not be necessary.
Liberal
Liberal
Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC
I'm not in the room, so I can't really tell how the votes are going. I don't know if CPC-12 carried or not. I wonder if you could be sure to announce the results each time. That would helpful.
Thank you.
Liberal
Liberal
Jennifer O'Connell Liberal Pickering—Uxbridge, ON
Thank you.
For members' benefit, I will say on this amendment that while I understand the rationale, we also agree in the sense that any collection of data should not be used for surveillance purposes. I just want to point members to our changes in G-9.1 and eventually G-14.2, which will reiterate that.
We won't be supporting this amendment, but we do agree and want to put the point home that this legislation, as the officials have pointed out, is not to create a new surveillance mandate. That's why we won't be supporting it, but I think it's important that we point to those other amendments.
Thank you.
Liberal
The Chair Liberal Heath MacDonald
Is there any further discussion?
(Amendment negatived [See Minutes of Proceedings])
We're now moving on to NDP-10.
If NDP-10 is moved, BQ-14 and CPC-20 cannot be moved, as they are identical. Also, if NDP-10 is adopted, G-13 cannot be moved due to a line conflict.
Go ahead, Mr. Julian.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
Thank you very much, Mr. Chair.
This is regarding the issue of Bill C-26 and to ask whether it needs operators to immediately report a cybersecurity incident.
The reality is that we heard testimony from the Canadian Chamber of Commerce and other witnesses about a 72-hour reporting period, with “immediate” being defined as 72 hours.
It's important to note that in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act also talks about a 72-hour reporting time frame.
Our witnesses said very clearly that “immediately” made it potentially difficult for them to resolve the issue and to respond to the cyber-attack, because they would be concerned about the impacts of not reporting in that immediate time frame. A 72-hour window would provide the ability to combat the cybersecurity incident and do the reporting in a very timely way.
I'd like to move what we heard from witnesses and move NDP-10 to essentially provide an amendment such that the designated operator must report the cybersecurity incident within 72 hours from the time the operator reasonably believes the incident occurred.
Liberal
The Chair Liberal Heath MacDonald
Thank you, Mr. Julian.
Are there any further discussions?
Ms. O'Connell, go ahead, please.
Liberal
Jennifer O'Connell Liberal Pickering—Uxbridge, ON
Thank you, Chair.
I think that all parties have submitted something in terms of dealing with the time frame. I think we all are in agreement on the intent and removing “immediately”, as it is not clear enough.
We still prefer G-13, which creates a “period prescribed by the regulations” that could also address industry differences, but I'm open to hearing the conversation, because we're obviously not on G-13 yet.
Perhaps through the chair to officials, what happens if the 72-hour period is adopted and, in some industries...? For example, banking might be able to comply quite easily, but for telecom, by the time they track down what the issue might be, is that going to be a problem? Is this too prescriptive or not prescriptive enough?
I want to get a sense of what we think will be achieved with this. Also, given that all parties are concerned about the initial drafting of the language, how do we come to a better consensus of what it should be replaced with?
Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness
On the timeline for the mandatory reporting, probably one of the benefits of moving it into regulations, as you mentioned, is that it does allow for more flexibility, not just in consideration of the different sectors and their abilities but also in terms of changes down the road.
If we codify it in legislation, we would have to go through the legislative process to amend it at any point, whereas if there were a need to change it in three, five or 10 years, doing that in the regulations would be a more straightforward process, I suppose.
Liberal
Jennifer O'Connell Liberal Pickering—Uxbridge, ON
Mr. Chair, with that being said, I agree that if things change, if things happen faster and need more time, I would like to be able to do it through regulations instead of opening up the legislation.
I won't support this amendment, but I look forward to, hopefully, G-13, unless there is something discussed here. I don't know where my other colleagues stand on the differences.
Conservative
Glen Motz Conservative Medicine Hat—Cardston—Warner, AB
Thank you.
I'm not generally a fan of hiding everything in regulations, but it makes total sense to have some flexibility with respect to the different aspects we're dealing with here. It's not just one stream; we're dealing with a lot of different players. I think it makes sense, in this case, to put it in regulations.
I won't be supporting this one, but I will be supporting G-13.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
I'm going to push back against the coalition a bit, in the sense that, first off, we have, within the idea of a 72-hour reporting period, harmonization with existing regimes, such as the United States. The reporting mechanism is already in place in the United States and well understood.
It is also, I think, incumbent on us to listen to the witnesses who came forward and talked about the 72-hour reporting period.
As my friend Mr. Motz pointed out, it's less transparent when it's in regulations. The reality is that governments of the day are able to tweak legislation if, 10 years down the road, it is something that requires some tweaking. There are a variety of ways of doing that.
I would suggest that the 72-hour reporting mechanism is reasonable and an improvement on what currently exists in the bill. It is in keeping with our major trading partner—which has exactly that same legislation in place—and it responds to what we repeatedly heard from witnesses, which was that a 72-hour reporting period was reasonable and something they believed would allow the bill to be effective and would allow entities to respond in a timely way to the urgency of a cyber-attack.
With that, Mr. Chair, I'll turn it over to the committee to decide.
Liberal
Jennifer O'Connell Liberal Pickering—Uxbridge, ON
I'm sorry. I have a couple of points.
First, even if we don't pass this amendment and go with G-13, there's nothing to say that a 72-hour reporting time wouldn't be a thing determined based on a particular sector. I hear Mr. Julian's point about consistency with our allies—I don't disagree—but I think that can be determined through consultations and regulations as well.
However, that being said, I forgot to ask this earlier: It's not just about the 72 hours. Through the chair to our officials, the other line I have some concerns about in this amendment is “from the time the operator reasonably believes the incident occurred.” I have some concerns about relying on when the determining operator starts that clock. I don't know if I'm alone in that.
Could we perhaps get some commentary on that line in the amendment as well?
Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness
Yes, I think that's a valid point.
When we reviewed the draft wording, that was one of the unintended consequences that was raised. It could leave crucial aspects of Canada's cybersecurity and the timeliness of cyber-incident reporting up to the discretion of the operators themselves.
In a scenario based on previous amendments.... Even in a scenario where this wasn't the case, if there was some concern about the operators, the due diligence offence would still apply.
To make a long story short, I think your concern is quite valid.