Evidence of meeting #92 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site.)

Also speaking

Clerk of the Committee  Mr. Simon Larouche
David Shipley  Chief Executive Officer, Beauceron Security
Ulrike Bahr-Gedalia  Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce
Tiéoulé Traoré  Government and Regulatory Affairs Executive, IBM Canada
Daina Proctor  CyberSecurity Service Line Executive, IBM Canada
Todd Warnell  Chief Information Security Officer, Bruce Power
Kate Robertson  Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab
Matthew Hatfield  Executive Director, OpenMedia

4:05 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Mr. Motz, I have you next.

4:05 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Chair.

I just want to clarify again in the blues. When we were talking about whether it was a suspension or an adjournment, I had the floor on the motion. I said, “I did not move a motion. I'm agreeing with him [Mr. Julian] to get to Bill C-26 for the remainder of our meeting today and I'll pick this up at the next meeting.” That's what I said. Then the chair said, “Is it the agreement of the committee?” Then the motion was agreed to.

As I understand the rules, that motion, the conversation about that motion and the debate on that motion were suspended from the last meeting, and we went on to the witnesses.

Now, today, in order to wrap up that motion, I have a couple of comments I wish to make that should take no longer than 15 minutes or so. Then we have other speakers on that list. If they wish to continue to speak, then that's certainly their choice. As I understand the situation from the last meeting, we were into a suspension on the motion, and because of Mr. Julian's intervention, I agreed to let those witnesses at that time.... I gave up the floor on a suspension to deal with that.

Thank you, Chair.

4:05 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you.

If we had gone right into your comments, we'd probably be wrapping up right now and moving on.

Mr. McKinnon, you have the floor.

4:05 p.m.

Liberal

Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC

I don't know what was in the mind of the chair as he made these preliminary schedules, but I think he had a hard think about what went on and decided this was more appropriate.

I think that whether or not we suspended or adjourned that motion or that discussion becomes moot if we realize that Mr. Motz or someone else could move the motion again when the time comes, but I wonder if we could have an agreement to hear from the witnesses first and have at least one round of questions for the witnesses before we do so.

That would be a suggestion to Mr. Motz.

4:05 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

It sounds like probably a good compromise to me, but we'll see what Ms. O'Connell says.

4:05 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

Mr. Chair, I move that we move to the business of Bill C-26.

4:05 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

So you're not agreeing with Mr. McKinnon's compromise.

4:05 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

I move my motion that we move to the business of Bill C-26.

4:05 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

I'll ask the clerk for a recorded vote on that, please.

(Motion agreed to: yeas 6; nays 4)

We will start with Bill C-26.

I have a nice preamble here to introduce everybody. To save some time and to give you folks a little bit more time, maybe you could—I know this is very informal—say your name at the beginning of your five minutes, and that will hopefully give you guys a little bit more time, because we've already lost some time going into this.

We will start with our witnesses.

Mr. Shipley, do you want to go first? It rolls off the tongue nicely, doesn't it, Mr. Shipley?

February 5th, 2024 / 4:05 p.m.

David Shipley Chief Executive Officer, Beauceron Security

Good afternoon.

My name is David Shipley, and I'm the chief executive officer and co-founder of Beauceron Security Inc. I'm also the co-chair of the Canadian Chamber of Commerce's cyber council. I'm a proud Canadian Forces veteran, having served with the Canadian Army Reserve in the 8th Canadian Hussars.

I'm not a computer scientist. My expertise and perspective today are based on my experience as CEO and co-founder of Beauceron. I do not see cybersecurity as a technological issue. It's a people and business risk issue.

I founded Beauceron Security in 2016. We now serve more than 750 organizations in Canada, the United States, Europe and Africa. We have helped more than 650,000 people learn how to spot, stop and report cyber-attacks. Beauceron Security has demonstrably reduced individual and organizational cyber risk. Our made-in-Canada solution is used by global banks, national telecommunications carriers, educational institutions, health care facilities, government and small business.

We live in a world where North Korean hackers steal billions of dollars of cryptocurrency to fund their nuclear weapons programs. Something that 25 years ago would have sounded too far-fetched to be even the plot of a James Bond movie is an all-too-real reality and is contributing to global instability today. It's also a world where a Canadian federal government IT worker by day becomes one of the most successful ransomware affiliates by night, making millions of dollars as a digital extortionist for an international criminal gang.

I share these real-life examples because they highlight the first point I want to make. When it comes to cyber, anything, even the bizarre, is not just possible but it is the norm. The challenge of managing cyber risk is to balance the incredible creativity of humans with the unpredictability of complex digital systems.

I know that for many this topic can be overwhelming. Many feel that they do not have the technical background to think about these issues. You may also feel, as legislators, that it is difficult to wrestle with this law.

However, please, this is not a technology issue. Throughout my career in cybersecurity and as a CEO of Beauceron, the root cause of every single cyber incident our customers and we have ever helped investigate has always been traced back to a combination of people, process, culture and technology. Cybersecurity has never been about technology alone, and it can never be solved by technology alone. The story is, has always been and will continue to be about the relationship between technology, people and control—which is, by the way, the actual meaning of the word “cyber”.

Reducing cyber risk to Canadians will require legislation and a regulatory regime tailored and developed collaboratively with industry. These regulations and directives must look at people, process, culture and technology-based risk controls.

I support the need for this legislation. We need this law now more than ever. We are far behind our allies, and we are risking the safety and prosperity of Canadians every day we delay. This legislation and the accompanying regulatory regime must ensure that a proactive, positive security culture is instilled and maintained within Canada's critical infrastructure firms. With some fine-tuning, I believe it can accomplish these goals.

I support the recommendations put forward by the Canadian Chamber of Commerce to improve the bill to ensure fairness, effectiveness and proportionality of the proposed legislation. In addition to their recommendation, I urge this committee to look at the following issues.

Number one, add due diligence defences to the proposed administrative monetary penalties. We need to create positive reasons to invest in security and compliance with legislation, and not just negative consequences for failure.

Number two, remove personal liability for individuals. At a time when the cybersecurity labour shortage is most acute, and when as many as 75% of the most senior cybersecurity leaders are considering a career change out of cybersecurity, adding a target on their heads will only make things worse and subvert the objectives of this legislation.

Number three, ensure regulators charged with creating industry-specific cybersecurity directives have the skills required to do so effectively. While regulators such as the Office of the Superintendent of Financial Institutions are experienced, others are being given responsibility for cyber for the first time. This legislation should require government collaboration with industry, such as what has already been done with the Canadian security telecommunications advisory committee.

Lastly, considering the recent news about Global Affairs, this legislation should limit the amount of sensitive data collected by regulators about cybersecurity defences of Canadian critical infrastructure, lest we inadvertently create a one-stop shop for hostile nation-states and criminals to learn how to cripple these vital sectors and firms.

The opportunity before you with Bill C-26 is to ensure that the Canadian people—

4:15 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Mr. Shipley, are you just about wrapped up?

4:15 p.m.

David Shipley Chief Executive Officer, Beauceron Security

I'm just about wrapped up.

It's to ensure that the Canadian people, through Parliament, are in control of the technologies they rely on for the functioning of our society—not the technology itself, not the technology companies, and certainly not our adversaries.

Thank you.

4:15 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you.

We will now go to Ms. Bahr-Gedalia.

Thank you.

4:15 p.m.

Ulrike Bahr-Gedalia Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce

Mr. Chair and members of the committee, good afternoon. My name is Ulrike Bahr-Gedalia, and I'm the senior director of digital economy, technology and innovation at the Canadian Chamber of Commerce. I'm also the Canadian Chamber's architect and policy lead for the digital economy committee's future of artificial intelligence council and the “Cyber. Right. Now.” council.

As Canada's largest and most activated business network, representing over 400 chambers of commerce and boards of trade and more than 200,000 businesses of all sizes from all sectors of the economy and from every part of the country, the Canadian Chamber is pleased to have this opportunity to provide feedback on Bill C-26.

Our “Cyber. Right. Now.” council has been calling on government to prioritize cybersecurity and focus on a prevention-first approach and improved information sharing for close to three years. Today I'd like to share a few key recommendations and why cybersecurity is important to the Canadian Chamber and our members within the Canadian economy.

Over 98% of Canadian businesses are small or medium-sized enterprises. SMEs need greater cybersecurity threat awareness, protection and training to utilize the full suite of tools at their disposal and to keep Canadians safe from bad actors. Like other countries, Canada is facing an increasingly complex and risk-prone digital landscape. With a cybersecurity skills gap of some four million people globally, and an ever-increasing number of connected devices—at least 67 billion and counting—the challenges and costs associated with securing our digitally enabled world are increasing. But while every organization of every size and in every sector is at risk of a cyber breach, few carry the same real-world risk of a crippling cyber-attack as those in the critical infrastructure sector. This threat will only grow as our critical infrastructure increasingly relies on software and connected technology to power and support its operation.

We are pleased to see Bill C-26 proceed to committee study, and we support the bill overall. However, certain amendments are needed to ensure that the bill reaches its full potential. More specifically, our telecommunication members have expressed their concerns with respect to a few provisions in the Telecommunications Act, such as the lack of a due diligence defence for violations under section 15 in part 1, resulting in monetary penalties, and the extent of ministerial order-making powers. I will note that this defence is present elsewhere in Bill C-26, such as in relation to cyber directions in part 2, the CCSPA, as well as full due process for and parliamentary oversight of ministerial orders. I encourage the committee to reach out to the telecommunication providers, as it's important to hear from them first-hand.

With respect to the CCSPA, our members are seeking the following improvements.

The first is a clearer definition of a reportable cybersecurity incident. This will ensure that industry isn't forced to report events that do not pose a material threat to a vital system. Failure to clearly define the parameters for a reportable incident will undermine the purpose of Bill C-26 and overwhelm government authorities, who will have to process and assess each cyber incident reported.

The second is allowing for a 72-hour reporting period for cybersecurity incidents, as opposed to immediate reporting. Allowing for reporting within 72 hours provides organizations the time to investigate, and will harmonize with existing regimes, such as in the United States, one of our key trading partners.

Finally, two-way information sharing is crucial. As currently drafted, the CCSPA only contemplates one-way information sharing from designated operators to the government. We believe this is a missed opportunity and a potential weakness, and it underscores the prevention-first approach I noted earlier. The more information we have, the more we can work together and the better we can help prevent incidents.

Thank you for listening and for the opportunity to participate in the study of Bill C-26.

4:20 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you for that.

Next we will go to IBM Canada. We have Ms. Daina Proctor and Mr. Tiéoulé Traoré.

Whoever wants to go, you have five minutes.

4:20 p.m.

Tiéoulé Traoré Government and Regulatory Affairs Executive, IBM Canada

Thank you, Mr. Chair.

I'm Tiéoulé Traoré. I'm the head of government and regulatory affairs for IBM Canada. On behalf of IBM Canada, I would like to thank this committee for the opportunity to testify on Bill C-26, and more specifically on part 2, the focus of our testimony.

The digitization of the global economy has increased the need for government and businesses to protect themselves from constantly evolving cyber-threats. Strong cybersecurity protocols should be viewed as digital foundations for all entities seeking to maximize the power of tools such as cloud, AI, and quantum computing.

IBM Canada fully supports the principles of Bill C-26.

Indeed, Canada must ensure that its critical infrastructure is properly protected from cyber-threats. The skyrocketing number of cyber-attacks is a global phenomenon that does not spare our country, so action is crucial.

However, to maximize the real impact of Bill C-26, we argue that it should be amended by this committee. The focus should be on three points: clarifying definitions, aligning the bill with international standards and avoiding potential excesses.

My colleague Daina Proctor will now go through each recommendation.

4:20 p.m.

Daina Proctor CyberSecurity Service Line Executive, IBM Canada

Thank you.

My name is Daina Proctor. I'm the Canadian cybersecurity executive with IBM Canada, and it's a pleasure to be with you today speaking on the topic of Bill C-26.

There are three items that I would like to talk about with you today.

The first one is clarifying the core definitions within Bill C-26. Currently, Bill C-26 leaves much of the scope of the legislation to regulations. We believe it's critical to clarify the scope and the definitions in the legislation itself rather than delegate to the regulatory processes. Key terms used in the proposed law, such as “designated operators”, “confidential information” and “security incident”, are either too broadly described or not adequately articulated. We believe this committee should aim to address these definitions as much as possible, as this will enable a common understanding, increase enforceability and speed up the review when it comes time to draft the ensuing regulations.

Second is alignment with international standards. Canada's strategy and approach should be inserted into the collective efforts of our international community. As drafted, Bill C-26 carries various provisions that are not aligned with other mature cybersecurity regimes. The legislation does not differentiate between security levels of breaches. Furthermore, it includes potential incidents within the scope of its incident-reporting obligations, which could serve to overwhelm regulators with unnecessary and unhelpful information and place an unnecessary burden on industry.

The legislation's “immediate” reporting of cyber incidents, without a formal definition as to what would constitute “immediate”, is also problematic. Most jurisdictions allow for a 72-hour reporting window to allow injured parties to understand what has transpired, which in turn ensures that regulators receive a comprehensive report about actual findings.

The court has unfettered and overly broad jurisdiction when, under an act, it can impose criminal conviction, imprisonment terms, uncapped fines and personal liability, with administrative monetary penalties in the amount of $15 million that can accrue. This represents an entirely new regime and significant penalties far above those under other comparable pieces of legislation. The severity of such penalties and the enforcement action that may be taken will invariably create a chilling effect. Respectfully, the enforcement action that may be taken against individuals should be removed, or to the extent that such liability is considered necessary and proportionate, at a minimum there should be a defined standard to demonstrate the objective and substantiated culpability.

Last is avoiding government overreach. While IBM recognizes the need for compliance oversight, we specifically suggest clarification and refinement of the authorized powers belonging to the regulatory authority or persons who have the ability to enforce the provisions: namely, the ability to attend facilities, examine documents and records, and mandate internal audits, as well as unilateral broad discretion to impose remedial actions—all of these. We strongly encourage that these regulatory authorities and government access rights be limited in their scope and limited to certain critical situations that meet specific non-compliance thresholds.

In conclusion, IBM believes that the clarity around key definitions, enhanced harmonization with international standards and clear safeguards from potential government overreach would strengthen Bill C-26's mandate.

Thank you for your time. We welcome and look forward to addressing your questions.

4:25 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you for that.

You must have been practising a little bit because that was almost exactly five minutes. Good job.

We'll start off with questions.

Mr. Motz, I believe you're up first.

4:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you very much.

Thank you to the witnesses for their testimony and for being here today.

One thing that you probably noticed at the front of this meeting is that we have been seized with the decision from the Federal Court, where the Federal Court found that the Trudeau government's use of the Emergencies Act was illegal and unconstitutional. As a result, we have been having that conversation here.

I know this might derail the questions to the witnesses, but I'd like to move a motion, Mr. Chair, please, that is duly on record and presented to the committee.

I move:

That, in light of the recent Federal Court ruling which found that the government's use of the Emergencies Act in February 2022 to have been illegal and that the special criminal laws subsequently created by the Liberal Cabinet to have been an unconstitutional breach of Canadians' Charter rights, the Committee undertake a study of 7 meetings, pursuant to Standing Order 108(2), of the Department of Justice’s role in supporting the government’s illegal and unconstitutional decisions concerning the Emergencies Act, together with the consequences which follow the Court’s decision, provided that

(a) the Committee invite the following to appear, separately, as witnesses, for at least one hour each:

(i) the Honourable David Lametti, the Minister of Justice and Attorney General of Canada at the time,

(ii) the Honourable Marco Mendicino, the Minister of Public Safety at the time,

(iii) the Honourable Arif Virani, the Minister of Justice and Attorney General of Canada,

(iv) representatives of the Canadian Civil Liberties Association, and

(v) representatives of the Canadian Constitution Foundation; and

(b) an order do issue for all legal opinions which the government relied upon in determining that

(i) the threshold of “threats to security of Canada”, as defined by section 2 of the Canadian Security Intelligence Service Act, required by section 16 of the Emergencies Act, had been met;

(ii) the thresholds required by paragraphs 3(a) or (b) of the Emergencies Act, concerning a “national emergency” had been met;

(iii) the situation could not “be effectively dealt with under any other law of Canada”, as required by section 3 of the Emergencies Act;

(iv) the Emergency Measures Regulations were compliant with the Canadian Charter of Rights and Freedoms, including the analysis relied upon by the Minister of Justice in discharging his responsibilities under section 4.1 of the Department of Justice Act, and

(v) the Emergency Economic Measures Order was compliant with the Canadian Charter of Rights and Freedoms, including the analysis relied upon by the Minister of Justice in discharging his responsibilities under section 4.1 of the Department of Justice Act,

provided that these documents shall be deposited with the Clerk of the Committee, without redaction and in both official languages, within seven days of the adoption of this order.

Mr. Chair, I think it's important that Canadians at least have a brief summary—

4:25 p.m.

Liberal

Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC

I have a point of order, Mr. Chair.

4:25 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Yes, Mr. McKinnon.

4:25 p.m.

Liberal

Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC

With apologies to Mr. Motz, I would renew my concern, as expressed when this was last moved, that this exceeds the powers of this committee. I understand that this matter was taken under advisement and will be reported back at some time once wiser heads have been able to wrestle with it.

I would like to put that on the record.

4:25 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Since we have different chairs today, I'm not sure where he is on that decision.

We'll let Mr. Motz continue now.

Thank you.

4:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you, Mr. Chair.

As I was saying, I think it's important that Canadians at least have a brief overview of this particular order—

4:25 p.m.

Liberal

Jennifer O'Connell Liberal Pickering—Uxbridge, ON

I have a point of order.