Public Safety Committee on Feb. 5th, 2024

I'll go first.

In the time that we have languished, Australia has published a comprehensive cyber strategy in relation to some horrific attacks on their citizens and their personal medical information, Europe has moved forward with legislation, and the United States has moved forward with bold executive and legislative action. We are the easy target left in the west, so we are going to continue to attract an unhealthy amount of attention that is going to steal prosperity from Canadians and risk safety.

So, I would say, soon, because the reality is this: We'll get this legislation passed, and then we're going to end up in at least a year, if not two years, of battling over regulation. That goes back in particular to Ms. Proctor's point about the importance of getting the definitions as clear as possible in legislation so we can get moving on this stuff.

We are way behind. I know Parliament has many issues in front of it, but we live in a digital world and we're acting like we're in the 20th century.

Absolutely.

It is very critical. That's a definite “yes” that we should act in a timely manner.

I would also like to emphasize that we need to get it right and not rush through it in a way that.... I'm a little hesitant to name a time frame because the focus should be on all the challenges we pointed out and addressing these properly.

Comments were made as well on national cybersecurity strategies and plans in other countries and so forth. We don't have our national cybersecurity strategy yet launched. We greatly look forward to what the Canadian Chamber has fed into the submission, because for me and our members it would provide the broader, overarching picture of cybersecurity per se. Bill C-26 would be one part of that strategy. It's a holistic view and a comprehensive approach there.

Lastly, I wanted to make one comment in terms of time and I lost my train of thought there. You had another follow-up question to Mr. Shipley, I think. Could you please remind me what it was?

Yes, I wanted to make one more point that members had mentioned to me.

We had this experience with another bill. If we wait too long, provinces might go ahead and start their own legislation. A few members have mentioned that there is a concern that while we are internationally lagging and maybe also not harmonizing right now in many ways, this could happen on a domestic or provincial level as well. A patchwork always works to the disadvantage of businesses.

Thank you for the question.

To bring both of your questions together, wherein you were asking about the risk of not acting, in IBM we operate with, partner with and strategically advise over 1,700 organizations. Admittedly, they're not all in the direct scope of this, but they would be impacted through the passing of Bill C-26. Many of those organizations struggle. Many of those organizations are focused on Canada. Many of them are focused on multinational. By not acting within Canada, we are, in effect, encouraging those organizations to pause on Canada.

We don't have the regulations. We don't have the definitions. We don't have the laws in place for them to understand the arena they're playing in within Canada. This bill languishing is causing that pause to get larger.

From a collective individual perspective, it also shifts into the mindset of our resources, our teams and our neighbours. Our graduates—our children coming up through education —challenge what Canada's position is on cyber risk and cybersecurity, not just for the critical infrastructure that we need to run and operate, but for the employment opportunities that we have and that our organizations have.

I hope that gives you a bit more perspective on that, so when we lean into the reporting time period, it equally speaks to the risk. One of the best things we do—