Evidence of meeting #101 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Andre Arbour  Director General, Strategy and Innovation Policy Sector, Department of Industry
Colin MacSween  Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness
Stephen Bolton  Director General, Strategic Policy, Communications Security Establishment
Richard Larose  Senior Technical Advisor, Communications Security Establishment
Clerk of the Committee  Mr. Jean-François Pagé

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Is there any discussion?

Go ahead, Mr. Julian.

4:30 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

I'm a little confused by the Conservative amendment. Perhaps Mr. Shipley could explain a bit more the discrepancy between the 72 hours we were speaking of earlier and the 24 hours targeted by their amendment.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Mr. Julian.

We'll go back to Mr. Shipley, please.

4:30 p.m.

Conservative

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

After Mr. Motz's amendment, we're going to ask for UC to withdraw CPC-21. I'm sorry about that, everyone.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Do we have unanimous consent?

4:30 p.m.

Some hon. members

Agreed.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

(Amendment withdrawn)

We're on NDP-11.

4:30 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Thank you, Mr. Chair.

As we go along, I'm going to be withdrawing a number of NDP amendments just in the interest of moving forward, but in this particular case, we would be deleting “on request” for a designated operator to report to the appropriate regulator. It shouldn't be “on request”; it should be mandatory. That's why I'm proposing this amendment.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Is there any discussion on NDP-11?

Shall NDP-11 carry?

4:30 p.m.

Some hon. members

Agreed.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

(Amendment agreed to [See Minutes of Proceedings])

We're on CPC-21.1.

4:30 p.m.

Conservative

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Thank you, Chair. This one, we will be moving.

CPC-21.1 would require operators to report ransomware payments to the CSE. There is currently no requirement in the legislation to report payments to the CSE.

The CSE has often remarked that ransomware payments are under-reported. This will align with the United States' version of this bill.

4:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Is there any further discussion?

Go ahead, Ms. O'Connell, please.

4:30 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thank you, Chair. Through you, I would like to ask our two officials about the impacts of this language and if this is not already covered.

My rationale and thinking are that if a sector is already required to report, then whether or not they pay ransomware, the request or the breach would trigger the reporting, in my understanding of it, but I would like to know if I'm wrong.

4:30 p.m.

Director General, Strategic Policy, Communications Security Establishment

Stephen Bolton

Indeed, the act seeks to prevent any and all types of cybersecurity incidents, including but not limited to ransomware. The legislation as written would already capture ransomware incidents, because ransomware is simply a form of malicious code that is used for a particular purpose. Often, it's extortion.

The act already gives the government the ability to collect technical information to prevent, respond to and recover from ransomware incidents. If we stop the malicious code from getting into our systems in the first place, then malicious actors won't have the opportunity to hold us to ransom.

4:30 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

That said, Mr. Chair, I think the intention makes a lot of sense, but if this is already covered within the rest of the act, what the amendment proposes is to create a 24-hour rule for a specific type of attack, which is ransomware, versus what we just discussed about having an overall regulation around the timing of reporting for all activities.

If we start breaking up these cyber-incidents and create different standards for reporting, I think it will become confusing, and that confusion could even cause sectors to not know when or what to report.

For clarity's sake, I feel comfortable that a ransomware attack would be covered in the reporting side of the rest of this legislation. We don't need to isolate and create a specific new reporting time frame just for ransomware.

4:35 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you.

Mr. Shipley, is there anything further?

(Amendment negatived [See Minutes of Proceedings])

Next is BQ-15.

4:35 p.m.

Bloc

Kristina Michaud Bloc Avignon—La Mitis—Matane—Matapédia, QC

I won't be moving the amendment, Mr. Chair, given the discussion we had regarding the test for reasonableness and proportionality during the first part of our study of the bill.

4:35 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you. The amendment is withdrawn.

Next is G-14. If G-14 is adopted, CPC-22 cannot be moved due to a line conflict.

Is there any discussion?

Go ahead, Ms. O'Connell.

4:35 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thank you.

This amendment just creates a bit more clarity to keep in line with the intent of the legislation. We heard concerns, for sure, about creating guardrails and about transparency. This amendment provides additional language to make sure that there are reasonable grounds for an order, and it lists some of the factors that might be considered.

Again, it's just in relation to providing clarity in the legislation, which we always believed was the intent of the law, to give some reassurance to those who raised some concerns.

4:35 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you.

If there's no further discussion, shall G-14 carry?

(Amendment agreed to [See Minutes of Proceedings])

Next is G-14.1.

Go ahead, Ms. O'Connell.

4:35 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thanks.

I think we spoke about this in the first half of the bill. It creates the obligation to notify NSICOP and NSIRA within 90 days of issuing a cybersecurity directive.

Just to refresh everyone's memory, what was of some concern was how anyone would know if a secret order was made while still maintaining national security protections. As well, I'm sure certain sectors don't necessarily want competitors to know of any gaps.

We felt this was a reasonable opportunity to provide notice to NSICOP and NSIRA. They are the masters of what they study, but this would allow for that pre-emptive acknowledgement, if an order was actually issued, to ensure that somebody knows to look for it and could look deeper into it with the protections that NSICOP and NSIRA have in dealing with sensitive information.

4:35 p.m.

Liberal

The Chair Liberal Heath MacDonald

Shall G-14.1 carry?

(Amendment agreed to [See Minutes of Proceedings])

We'll move to G-14.2.

Ms. O'Connell, go ahead, please.

4:35 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Thank you.

This goes to the earlier point I made about not expanding surveillance purposes but providing greater clarity around the language that the Governor in Council is not permitted to order any designated operator or class of operators to intercept a private communication. It goes on to list these things. Again, it's just making clear that the intention of the bill is to collect data and not to create or expand any sort of surveillance powers.

4:40 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. O'Connell.

Seeing no further discussion, shall G-14.2 carry?

(Amendment agreed to [See Minutes of Proceedings])

On NDP-12, if NDP-12 is moved, CPC-23 cannot be moved because they are identical. Also, if NDP-12 is adopted, BQ-16 cannot be moved due to a line conflict.

Go ahead, Mr. Julian.