Mr. Chair and committee members, thank you for the opportunity to take part in your study of Bill C-26.
Founded in 1976, the Business Council of Canada is composed of approximately 170 chief executive officers who run Canada's most innovative and successful businesses. Our organization represents a broad cross-section of Canada's critical infrastructure sectors.
Today I will restrict my comments to part 2 of the bill, which is the proposed critical cyber systems protection act.
I'll begin my substantive remarks by underlining that Canada's leading businesses are committed to maintaining a strong and resilient security posture in the face of growing cyber-attacks. Indeed, in a survey of our members, every single chief executive officer indicated that cybersecurity was either a high or very high priority for their business.
Our members are backing their commitment to cybersecurity with significant resources. In critical infrastructure sectors, most of our member companies each invest well over $100 million in Canada per year on measures to prevent, detect and respond to cybersecurity incidents. A plurality of these same members invest over $500 million individually in the same measures.
As cybersecurity risks to the country grow, so too do the resources that our members plan to devote to protecting Canadians. Over the next two years, over two-thirds of our members plan to increase both their cybersecurity spending and their personnel staffing by at least 25%.
However, we cannot lose sight of the fact that defending Canadians against cyber-attacks is very much a team sport, requiring close coordination between government and industry.
That is why the Business Council of Canada supports the objectives of recent government cybersecurity initiatives. This includes part 2, which, if properly drafted and implemented, can improve the overall cyber-resiliency of the Canadian economy by establishing a baseline of cybersecurity across critical sectors.
It's also important to note that the enactment of part 2 would bring Canada's cybersecurity framework in line with the best practices among our closest security partners. In a period of growing global tensions, Canada must move in lockstep with its closest allies and strengthen its cyber-resiliency; otherwise, Canada risks being perceived as a weak link, which could have severe consequences for Canadians' future security and prosperity.
Of course, no public or private sector initiative is perfect. It should therefore be no surprise that Canada's business leaders would like to see targeted amendments to part 2. In the interest of time, I will highlight just three of the most common suggestions for improvements that I've heard from our members.
First, part 2 should be amended to adopt a risk-based methodology that would impose regulatory requirements on designated operators proportionate to their level of risk. Imposing fewer and less onerous obligations on low-risk operators that have well-established cybersecurity programs would allow them to spend more of their finite resources on incident prevention activities. Regulators, on the other hand, could dedicate more of their finite resources toward the high-risk operators that pose the largest threat to Canadians.
Second, part 2 should be amended to place fair and reasonable limitations on the cabinet's power to issue cybersecurity directions. In the absence of statutory safeguards, part 2 would allow cabinet to issue any direction, regardless of whether such a measure would be effective in reducing a risk to a critical system. Directions could also be issued without cabinet first consulting with impacted provinces and territories, negotiating in good faith with designated operators or considering relevant factors, such as the potential cost of a direction, whether reasonable alternatives exist to issuing a direction and the potential consequences of a direction on competition, services or customers.
Third and last, part 2 should be amended to define key terms more precisely, such as “cyber security incident” and “critical cyber system”. The current definitions of these terms are overly broad. This would likely result in reporting inconsistencies, as well as the over-reporting of immaterial incidents, which could overwhelm government authorities.
I'll conclude by noting that part 2 is just one of several national security reforms that are urgently needed to protect Canadians. As a priority, the Business Council of Canada urges that lawmakers also amend the CSIS Act to enable CSIS to proactively share threat intelligence with Canadian companies when it's in the public interest, subject to all necessary safeguards and oversight.
This and nearly 40 other much-needed reforms are included in the Business Council of Canada's most recent report, “Economic Security is National Security”. That report is publicly available on our website.
Thank you for the opportunity to speak. I look forward to your questions.