Public Safety Committee on Feb. 5th, 2024

I'm sorry. Can you repeat the question, Mr. McKinnon?

We will make sure to get back to you with proposed amendments and examples of what we see as frameworks to achieve.

Perhaps I can clarify that as well. My apologies if, during my opening statement, I indicated otherwise. Adherence isn't necessarily the encouragement that we would be offering. It's more that a number of aspects of Bill C-26 are much more far-reaching than established international standards for mature cybersecurity regimes, of our allies in particular.

It's not necessarily adherence to them, but more a recognition that we don't necessarily need to go beyond what they're already working towards in their private and public partnership and enablement of the industry.

I hope that gives a little bit of clarification. It's not necessarily an alignment to international standards, but a “not going farther than”, as we try to work together to bolster our critical infrastructure.

That's a good way to put it.

I draw your attention to April 2023, when a Russian-linked hacking group successfully penetrated a Canadian natural gas pipeline provider and was “able to increase valve pressure, disable alarms, and make emergency shutdowns.” By the way, this Russian hacking team wasn't even their best, so that's what we're risking when we fiddle while Rome burns on cyber-legislation.

I'm not saying we're going to have a Hollywoodesque total society shutdown. I'm saying people could get killed. I'm saying businesses could be negatively impacted economically. I'm saying there are people who want to throw a punch and hit us right in the nose. We are sticking our face up, without an ability to defend ourselves, and it's going to hurt.

Mr. Shipley started with one example.

If you think about cyber incidents and threats, I don't think we can even keep up with any records and reporting in terms of how many there are a day. MP O'Connell, you mentioned Atlantic Canada, the Newfoundland health care infrastructure that was impacted as well. It's a snowball effect. If one portion of critical infrastructure gets impacted, it impacts our economy and society, and it also impacts how foreign direct investment will happen in the future. How do foreign entities see us? Do they want to settle in Canada? Do they want to build a future here as businesses, as communities and as talent?

I see it as a two-way.... While we have trouble in front of our own door, within the country, it is also on a global level. How do we get perceived and how do we best align ourselves and ensure that we are...? This is the cyber tag line right now: Lead the global cybersecurity future and be the most secure country on the planet. Canada can be that, and I think Bill C-26 is a step forward, but we need to speed it up a little, as it has already been in discussion for quite some time.

Thank you.

There are two aspects to this. The first is the implementation of the bill and the regulatory framework. We all want the bill to be applied in the best way possible, of course. However, we find that some definitions leave room for interpretation. In cases where it's a major issue, we would prefer that the framework be much clearer so that people can comply with it more easily. Terms like “major incident” or “cybersecurity breach” are quite broad and generic. We find ourselves at an impasse. We think it's much simpler to clarify these terms now than to wait until the regulatory stage to establish definitions and end up in a bit of a mess when it comes to determining what to do. It's always better to clarify things right from the start.

The second aspect concerns government intervention. To be clear, we are committed to seeing the essence of the bill come to fruition, since cybersecurity breaches are a major issue. At IBM, we produce an annual report, and we've determined that the cost of a cybersecurity breach is $7 million per affected company, which increases to $12 million when the financial sector is involved. As a result, it's important to take action, and the government must show leadership in this regard. Its actions must also be well regulated, codified and predictable for the players in the system.

Thank you for the question.

I apologize, my French isn't very good, so I'll answer in English.

The due diligence defence to the administrative monetary penalties is the first thing that becomes a positive thing. If I showed that we were in the spirit, trying to defend our organization, that we were doing what we should, that's a positive step that encourages me to invest, so I can show that. That's why it's so important that this gets addressed in the Telecommunications Act.

To be very clear, the Canadian private sector already spends $9 billion a year on cybersecurity, so we're not coming to Parliament and looking for a handout, for government to solve all problems. However, what's interesting is that this legislation deals specifically with very large enterprises and critical infrastructure. It does not deal with 98% of Canadian businesses, which are small businesses, 50% of which spend nothing on cybersecurity today, so they absolutely need help. As parliamentarians, you've heard the story of the impact of COVID-19 on small businesses, the debt load and more. They cannot afford yet another thing. Let's be very clear: The bill for cybersecurity for small businesses and large enterprises is because, at a national level, we fail to protect them from other countries and from criminals, so yes, I highly encourage other measures.

My point about the speed with which we need to move this legislation.... This is just the first step for laws you need to consider, and we need to get it right.

I'll be honest. Where Canadians are being hurt, and hurt badly, right now is in health care. You have five hospitals in Ontario right now that are still recovering from an ransomware attack. We still don't know what happened in Newfoundland and why it happened, nor have we learned from it. We know, from non-peer-reviewed research study in the U.S.—

—that 40 to 60 Americans have died because of ransomware attacks against hospitals there, so yes, we need help. We need to get this law done first, and the first thing to make it better, from a positive side, is to have a due diligence defence.