Evidence of meeting #90 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Clerk of the Committee  Mr. Simon Larouche
Sami Khoury  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Colin MacSween  Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness
Kelly-Anne Gibson  Director, Cyber Protection Policy Division, Department of Public Safety and Emergency Preparedness
Andre Arbour  Director General, Telecommunications and Internet Policy Branch, Department of Industry
Daniel Couillard  Director General, Partnerships and Risk Mitigation at the Canadian Centre for Cyber Security, Communications Security Establishment

5:20 p.m.

The Acting Chair Liberal Ron McKinnon

Thank you, Mr. Motz.

We go now to Mr. Bittle, please.

5:20 p.m.

Chris Bittle Liberal St. Catharines, ON

Thank you so much, Mr. Chair.

Again we see Conservatives filibustering. They talk a big game when it comes to public safety, but we have before us officials who are here on cybersecurity, something that the Conservatives pretend to care about but will filibuster at the same time. They don't want to hear from witnesses. They don't want to hear from experts. They come to ask for a motion. A different version has already been adopted—Madame Michaud's motion with respect to auto theft—by members, understanding that this is an area of concern. That has been adopted. That's something we want to go forward on. But no, let's burn half a meeting. That's the Conservative viewpoint on this. They don't care. It's just about chaos at this point.

We see Mr. Brock throwing municipal police services under the bus. He knows that the federal government isn't responsible for the resourcing of municipal police services. Mr. Motz promotes American-style laws and at the same time says they don't work. I guess when you just go on and talk about nothing in an attempt to filibuster, that's the type of stuff you'll get.

It's truly shocking, Mr. Chair, but that's what we've seen the Conservative Party come to. When there is an issue of security before the committee, an issue of national security and cybersecurity—we spent months talking about it in question period, and here it is, legislation to take action on it—it's delay, delay, delay.

They're right that auto theft is a concern. It was adopted by this committee, I believe unanimously, that we study this. The best way to get to that study, the quickest, is to get through debate on Bill C-26 so that we can get to a study that we all want to get to, but the Conservatives want to delay.

Mr. Chair, I move that we adjourn debate on this subject so that we can get back to the witnesses.

5:25 p.m.

The Acting Chair Liberal Ron McKinnon

Thank you, Mr. Bittle.

The motion to adjourn debate on this is on the floor.

(Motion agreed to: yeas 6; nays 5)

5:25 p.m.

The Acting Chair Liberal Ron McKinnon

The debate is now adjourned.

Mr. Gaheer, please go ahead for six minutes.

5:25 p.m.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Thank you. It's great to return to the business of the committee.

My question is for the panel. There is a framework being brought in in terms of security programs that operators need to have. What does an average security program entail?

5:25 p.m.

Colin MacSween Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness

Thank you very much for the question.

In developing a cybersecurity program—perhaps my colleague can help me out with a bit more detail here—what we'd be looking for in that cybersecurity program is essentially just a layout of what the designated operators are doing to protect their critical cyber systems, the specific measures they're putting in place. There are technical elements that will be built in, which they can do, of course, in consultation with our colleagues at the cyber centre. That service will be available to them to help them put in that information.

Is there anything further?

5:25 p.m.

Kelly-Anne Gibson Director, Cyber Protection Policy Division, Department of Public Safety and Emergency Preparedness

I don't have too much extra to add, beyond saying that the cybersecurity program is one of the obligations that we'd be looking to flesh out in regulation, in consultation with our stakeholders and the cyber centre with the expertise in that area.

The idea is that the cybersecurity program would be something that continues to be an iterative program, so that as we bring in information and understand the threat we need to face, those cybersecurity programs can evolve over time. It's almost a virtuous circle whereby we're learning and continuing to be able to adapt to the threat before us.

5:25 p.m.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Great. Thank you.

It also says that designated operators will be obliged to take “reasonable steps” to mitigate supply chain and third party service or product risks. Can you speak a bit more about what that is?

5:25 p.m.

Colin MacSween Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness

Put incredibly simply, it's reasonable steps to decrease the likelihood of the risk materializing and to decrease the impact of a risk materializing. Again, as my colleague pointed out, the details of that will be fleshed out in regulation.

5:25 p.m.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

During the consultation phase, you obviously spoke to several different individuals, parties and stakeholders. Did you notice there were similar themes that arose, which you need to tackle or incorporate?

5:25 p.m.

Colin MacSween Director General, National Cyber Security Directorate, Department of Public Safety and Emergency Preparedness

In talking with stakeholders, one of the key things we heard was general support for the legislation. As was pointed out, and you've seen in your reports, several had different views, depending on the stakeholders. We heard some of them today. There's probably more information required on the privacy protections in place and questions around the ministerial powers that are included. Those tended to be the key themes that came up.

5:30 p.m.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

What about the protection of confidential information? What have you heard from stakeholders on that, because that's always of key concern?

5:30 p.m.

Kelly-Anne Gibson Director, Cyber Protection Policy Division, Department of Public Safety and Emergency Preparedness

We've heard that it is a key consideration. It's one that I think we have acknowledged going into the drafting of this legislation.

What we've generally spoken to is the idea that the protection of confidential information underpins this legislation, because if companies and designated operators don't feel that we are going to protect that information, they're not going to share it.

What you see in the legislation are specific provisions to define confidential information and protect it, and there are consequences if we or others don't protect that confidential information. It was something that we heard from stakeholders, and we spoke about the provisions that exist within the act.

5:30 p.m.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Great. Thank you.

5:30 p.m.

The Acting Chair Liberal Ron McKinnon

You have two minutes left.

5:30 p.m.

Iqwinder Gaheer Liberal Mississauga—Malton, ON

Okay.

What new authorities will the government receive under Bill C‑26?

5:30 p.m.

Kelly-Anne Gibson Director, Cyber Protection Policy Division, Department of Public Safety and Emergency Preparedness

Under part 2, the government would get the ability to issue a cybersecurity directive. That would be a GIC order.

Andre, do you want to take part 1?

5:30 p.m.

Andre Arbour Director General, Telecommunications and Internet Policy Branch, Department of Industry

Certainly.

Under part 1, for the amendments to the Telecommunications Act, there would be new authorities to issue an order in council regarding high-risk vendor equipment and for telecommunications service providers to remove or put restrictions on that equipment.

It would also include a ministerial order power regarding secondary issues around the security of telecommunications networks. That would include direction to telecommunications service providers—providers of Internet or cellular services—to protect their networks against a range of different threats. Those could include cyber-risks, but also physical threats. For instance, you'd collect information or take certain actions to make sure that their networks are more resilient. They'd have multiple paths within their networks so that if there happens to be a failure, there's resiliency in the network to deal with that.

There are certain authorities that stem from that, which go into more implementation issues. There's collecting information from the carriers to inform those order-making powers, as well as inspection and enforcement powers, including administrative monetary penalty authorities.

5:30 p.m.

The Acting Chair Liberal Ron McKinnon

Ms. Normandin, you have the floor for six minutes.

5:30 p.m.

Christine Normandin Bloc Saint-Jean, QC

Thank you very much, Mr. Chair.

I thank the witnesses for being here.

I’d like to ask a question about the current context of labour shortages. That subject, among other things, was raised at the Standing Committee on National Defence. Often, we might have a good bill, but its implementation is a problem if, for instance, we don’t have sufficient resources to apply cybersecurity directives to certain businesses.

While the private sector currently seems to have an easier time recruiting staff than the public sector, are you concerned that a lack of staff would make implementing Bill C‑26 difficult, given the additional burden the cybersecurity directives represent?

January 29th, 2024 / 5:30 p.m.

Sami Khoury Head, Canadian Centre for Cyber Security, Communications Security Establishment

Thank you for the question.

We have a partnership program with the private sector that is rather well developed. Our teams work 24/7 to create these critical infrastructure partnerships, and the teams continue to grow. We are currently recruiting more people and our turnover rate is less than 4%, which is a rather impressive number.

Of course, with the new bill, we will be able to recruit even more people. We are trying to be proactive and determine where we are going to find these people in Canada. It won’t necessarily be in Ottawa. We will also look for staff in Montreal. We are even starting to talk about a pilot project to open a small office in Montreal.

5:35 p.m.

Christine Normandin Bloc Saint-Jean, QC

I understand that certain businesses can be designated as owners or operators of critical cyber systems covered by the bill. However, others will fall into a grey zone, meaning it will be unclear if they own or operate this type of infrastructure. According to the way Bill C‑26 is drafted, will it be enough to push some undesignated businesses into complying independently and voluntarily with the cybersecurity directions outlined in the bill?

If applicable, is there any opportunity for smaller businesses that fall into a grey zone to take advantage of the essence of Bill C‑26? Again, it brings us back to the labour shortage issue; if ever there’s a kind of appetite for this, is there a plan to be able to respond?

5:35 p.m.

Sami Khoury Head, Canadian Centre for Cyber Security, Communications Security Establishment

Thank you for the question.

Regarding the designation of businesses under the bill, I will ask my colleagues from the Department of Public Safety and Emergency Preparedness to answer you, because this will be done through their process.

At the Centre, we help anyone who asks. Whether businesses are designated or not, we will be there to respond to their cybersecurity needs and support them as their cybersecurity plan evolves. Even if businesses fall into a grey area, that does not prevent us from having talks and helping them develop their cybersecurity plan.

5:35 p.m.

Christine Normandin Bloc Saint-Jean, QC

If I may, I would like to keep the ball rolling.

Would it be worthwhile to take steps and encourage businesses to use your services? When businesses are the victims of a cyber attack, there is an impression that they tend to shy away from admitting they were caught in that trap. Should additional work be done in this area to encourage businesses not designated as owners or operators of critical cyber systems to use your services?

In a context where cybersecurity is everywhere, with the internet of things and all that, it’s not just designated businesses that could become critical: everyone will be. Should we offer businesses more financial incentives, for example, so that they use the Communications Security Establishment’s services?

5:35 p.m.

Daniel Couillard Director General, Partnerships and Risk Mitigation at the Canadian Centre for Cyber Security, Communications Security Establishment

Thank you for your excellent question.

It touches somewhat on a major dilemma we are currently facing in cybersecurity: on the one hand, reporting can have value; but on the other, it represents risk for reputations or business processes.

I think Bill C‑26 tries to show the advantages of reporting. Indeed, one of the Canadian Centre for Cyber Security’s roles is to help a business in a given sector solve its problem when it reports. This also helps us to know what happened, develop indicators of compromise and quickly send information on an ad hoc basis to the entire sector and all sectors in Canada.

I think one of the very important aspects of the bill is that it will allow us to collect this information, help the victim and help the entire sector and other sectors in Canada benefit from it, as well as small and medium businesses, and even the entire Canadian economy.