Evidence of meeting #92 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament's site.)

A recording is available from Parliament.

Also speaking

Clerk of the Committee  Mr. Simon Larouche
David Shipley  Chief Executive Officer, Beauceron Security
Ulrike Bahr-Gedalia  Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce
Tiéoulé Traoré  Government and Regulatory Affairs Executive, IBM Canada
Daina Proctor  CyberSecurity Service Line Executive, IBM Canada
Todd Warnell  Chief Information Security Officer, Bruce Power
Kate Robertson  Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab
Matthew Hatfield  Executive Director, OpenMedia

5:15 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Thank you.

Ms. Bahr-Gedalia, what is your opinion?

5:15 p.m.

Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce

Ulrike Bahr-Gedalia

I can only echo those sentiments, because everything pretty much has been pointed out and said in that regard. I always like to remind everybody as well, though, to put it into a Canadian context while looking for alignment and harmonization with other jurisdictions.

Thank you.

5:15 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Go ahead, Mr. Shipley.

5:15 p.m.

Chief Executive Officer, Beauceron Security

David Shipley

Our business is with the United States, in terms of the amount of trade we do. We'd best make sure that we're aligned with our largest trading partner.

5:15 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you, Mr. Shipley.

We are out of time.

Thank you to the witnesses. Thank you for enduring today.

Folks, we are limited on time. Let's take a short, five-minute recess, and we'll get set up for the second part.

Thank you, everyone.

5:20 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

I think we're good to start again.

I just want to remind everybody that we have resources until 6:00. I also want to mention that that clock is not the clock we go by. As Mr. McKinnon would know, it's never accurate. It's 5:24 right now, but we do have a hard stop at 6:00, so we have about 35 minutes.

Thank you to the witnesses for being here today. From Bruce Power, we have Todd Warnell, chief information security officer. From Citizen Lab, we have Kate Robertson, senior research associate, Munk School of Global Affairs and Public Policy, University of Toronto. By video conference, we have, from OpenMedia, Matthew Hatfield, executive director.

Thank you, all, for being here. We'll give you five minutes each.

We'll start with Mr. Warnell.

5:25 p.m.

Todd Warnell Chief Information Security Officer, Bruce Power

Thank you, Mr. Chair and members of the committee.

My name is Todd Warnell and I am the chief information security officer at Bruce Power.

Established in 2001, Bruce Power is Canada's only private sector nuclear generator, annually producing about one-third of Ontario's power, as well as life-saving medical isotopes used around the globe to fight cancer and sterilize medical equipment.

I'm grateful for the invitation to participate in your review of Bill C-26. Today, I will focus my comments on part 2 of the bill, namely, the critical cyber systems protection act.

I'm here before the committee to provide a perspective that proceeding with the implementation of Bill C-26 is of vital importance to the safety and security of all Canadians. Canada has prospered over the last four decades through a period of relatively stable and predictable global relations. However, that period of stability and predictability is changing amidst a backdrop of global geopolitical tensions and changing global dynamics. Ensuring the safe and reliable delivery of critical services that Canadians depend upon every day is not, and cannot be, a political issue.

Within Canada's nuclear industry, we have seen and demonstrated that through collaboration with governments, regulators, industry, academia, and individual Canadians, we can be successful in establishing and regulating cyber systems that are important to the safe and reliable operation of critical services.

The critical cyber systems protection act would introduce a broad framework from which all critical sectors, in collaboration with government and regulators, can develop and implement risk-informed and performance-based regulation to enhance the reliability and resilience of critical services. The committee should consider ways of ensuring that appropriate checks and balances are in place for any directives issued to address a risk or threat to Canada's critical cyber systems.

Harmonizing Canada's cybersecurity framework across critical sectors through Bill C-26 would also align our approach with our closest allies and avoid our being left behind as our allies move forward with enhancing their respective national cyber resilience programs and driving innovation that can enhance our collective capabilities in protecting ourselves and detecting and responding to a changing threat landscape.

In conjunction with Bill C-26, we urge lawmakers to review and consider the amendments to the CSIS Act, to enable Canada's intelligence community to exchange and co-operate on cyber-threat intelligence with Canada's public and private sector operators in both a proactive and preventative manner.

Thank you for the opportunity to address the committee today.

I look forward to your questions.

5:25 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you, Mr. Warnell.

Up next, we have Ms. Robertson, please.

February 5th, 2024 / 5:25 p.m.

Kate Robertson Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Good afternoon.

My name is Kate Robertson. I am a researcher at the Citizen Lab, which is based at the University of Toronto's Munk School.

My comments today draw on the Citizen Lab's research on cybersecurity and telecommunications policy, data security, and transparency and accountability mechanisms that are applicable to the relationship between governments and telecommunications providers. My brief, which was submitted to this committee, was written with Lina Li of McGill Law and provides a charter analysis of Bill C-26. Part three of our brief sets out our recommended amendments, building on a report on Bill C-26 written by my former colleague Dr. Christopher Parsons.

There are key recommended amendments that would act as constitutional safeguards in the legislation. This is not to state that they're exhaustively read here.

To protect the rule of law and free expression, orders issued under the legislation must be published in the Canada Gazette. Any exceptional circumstances that might justify confidentiality of those orders should be expressly and strictly defined in the legislation, and should be time-limited.

For privacy rights, the legislation needs explicit protections for personal information, notice requirements, and tighter controls surrounding the sharing and use of personal and confidential information. You'll find proposed terms for those amendments under recommendations 13, 14, 16, 19, 28 and 29 in our brief.

We also reiterate, as others have, that orders issued must be proportionate and reasonable. In particular, the legislation should make explicit that an order compelling the adoption of particular standards cannot be used to compromise the integrity of a telecommunications service, such as by compromising encryption standards. The terms for those amendments are in recommendations one and five of our brief.

It is notable that these amendments are compatible with the government's objective to play an assertive role in protecting Canada's networks. This is not a tug-of-war between competing public interests. This is important, because the courts do not tend to find it reasonable if constitutional rights are infringed upon in a way that is unnecessary. The desire for expediency through Parliament is understandable, but if these issues aren't fixed now by legislators, then the legislation may well be held up in court litigation for years, which ultimately requires additional legislative time to fix.

Amendments to limit secrecy and to require proportionality also reinforce the government's objective of protecting our networks. I agree that, as was said last week, cybersecurity is a team sport, and I agree with Mr. Warnell's comments on the same subject. Effective cybersecurity integrates expertise from across a range of sources, including regulators, industry, civil society, academic and security researchers, and data journalists.

Dr. Parsons' report on Bill C-26 last year, as well as this committee process itself, illustrates how industry and independent expertise can provide a path forward for improving the legislation without detracting from the bill's core mandate. Public transparency will be an effective way to garner expertise from these sources as the legislation is implemented over time.

The Citizen Lab's recent report, “Finding You”, which is appendix C to our brief, underscores how secrecy at the regulatory level has led to serious “geolocation-related threats associated with contemporary networks”. The report documents persistent vulnerabilities at the heart of the world's mobile communications networks. It notes, “The failure of effective regulation, accountability, and transparency has been a boon for network-based geolocation surveillance.” In other words, when network standards and regulations are shrouded in unnecessary secrecy, this enables network insecurity to fester.

Similarly, without proportionality and transparency, Bill C-26, unamended, could enable successive governments to actually undermine network security, and ultimately human security, through orders that would drill holes in encryption standards in telecommunications networks.

5:30 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Ms. Robertson, can I ask you to wrap this up? Your time is up.

Do you have much more to go, or are you just about done?

5:30 p.m.

Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Kate Robertson

My clock is slower than yours. I had 20 seconds, but I will leave the remainder of my comments for questions.

5:30 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

I'm sorry about that. Thank you.

Up next, we have Mr. Hatfield, by video conference.

5:30 p.m.

Matthew Hatfield Executive Director, OpenMedia

Hi there. I'm Matt Hatfield, and I'm the executive director of OpenMedia, a grassroots community of 230,000 people in Canada who work together for an open, accessible and surveillance-free Internet. I'm joining you from the unceded territory of the Sto:lo, Tsleil-Waututh, Squamish and Musqueam nations.

I’d like to ask us all a question: What does cybersecurity mean to you as an individual, as a family member and as a citizen? For me, and for many people across Canada, our cybersecurity is inseparable from our privacy, as so much of our everyday lives is conducted online—much more so since COVID—and none of us feel secure with the thought of being spied on in our everyday lives, whether by hackers, hostile states or our own government. For most Canadians, our cybersecurity is very much about that sense of personal security.

The draft of Bill C-26 you have in front of you threatens that security. It poses enormous risks to our personal privacy, without basic accountability and oversight to ensure that the people given these powers don't abuse them against us. You must fix this.

Exhibit A is proposed section 15.2 of the Telecommunications Act, which grants the government the power to order telcos “to do anything or refrain from doing anything”. There are no limits here, no tests for necessity, proportionality and reasonableness, and no requirement for consultation. The government could use these powers to order telcos to break the encryption we need to keep ourselves safe from hackers, fraudsters and thieves. They could even use these powers to disconnect ordinary people indefinitely from the Internet, maybe because our smart toaster or an old phone we gave our kids gets hijacked by a hostile botnet. Without a requirement that these orders be proportional or time-limited, these are real risks.

It gets worse. The government would be allowed to keep even the existence of these orders—never mind their content—top secret indefinitely, and even if these orders are challenged by judicial review, the minister could bring secret evidence before secret hearings, which flies in the face of basic judicial transparency.

There's no excuse for this. Our close allies in Australia and the U.K. have shown how cybersecurity can be strengthened without compromising fundamental rights. Why do Canadians deserve lesser protections?

All this comes when Parliament is working on strengthening our privacy laws through Bill C-27. I have to ask, does one hand of our government even know what the other is working on?

We recognize that there are very real problems, though, that Bill C-26 is trying to solve. When we read the government's stated objectives, we're on board. Should we protect the digital infrastructure? Sure. Should we remove risky equipment from hostile states? Of course. Should we force big banks and telcos to better protect their customers? Of course. However, we can fulfill these objectives without sacrificing our rights or balanced, effective governance. Let's talk about how.

First, the government's new powers must be constrained. Robust necessity, proportionality and reasonableness tests are an absolute must. Unbreakable encryption is the fundamental baseline that all of our personal privacy depends on, so there must be an absolute prohibition on the government using these powers to break encryption.

Second, privacy rights must be entrenched. Personal information must be clearly defined as confidential and forbidden from being shared with foreign states, which are not subject to Bill C-26's checks and balances.

Third, the government must not be allowed to conceal the use of its new powers under a permanent veil of secrecy.

Fourth, when the use of those powers is challenged in court, there must be no secret evidence. Special advocates should be appointed to ensure all evidence is duly tested.

Fifth, any information the Canadian Security Establishment obtains about Canadians under Bill C-26 should be used exclusively for the defensive cybersecurity part of their mandate. I hope you all remember that NSIRA, the body explicitly established by Parliament to oversee CSE, has complained for years about CSE not being accountable to them. Knowing how difficult it's proved to keep them accountable for their existing powers, please don't grant them broad new powers without tight and clear use and reporting mechanisms.

As other people have said, when cybersecurity works, it's a team sport. It requires buy-in from all of us. We all have to be on team Canada, and we all have to trust in the regulatory framework that governs it. There's zero chance of that happening with Bill C-26 as is. Adequate transparency, proportionality and independent verification are the necessary baseline that this bill has to earn for it to work.

We're going to be delivering a petition signed by nearly 10,000 Canadians to you shortly, folks who are calling for that baseline protection. We urge you to listen to these voters and adopt the amendments package that civil society has suggested to you to get this legislation where it needs to be.

Thanks. I look forward to your questions.

5:35 p.m.

Conservative

The Vice-Chair Conservative Doug Shipley

Thank you to all the witnesses.

We will start for six minutes with Mr. Lloyd.

5:35 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you, Mr. Chair.

Thank you to all the witnesses for being here today.

My line of questioning will be mostly for Ms. Robertson and Mr. Hatfield.

I'm very concerned by the testimony you've shared with me today, in light of the fact that the government itself certainly has been victim of hacking. I recall that Global Affairs was the victim of a recent hack.

I think this is one of the dilemmas of increasing centralization of information, as Bill C-26 purports to do in collecting information on the cybersecurity plans of the designated operators. Is there any guarantee that, when government collects all of this very confidential and powerful information, it is better equipped than some of the best companies in the world to protect that information from hackers?

5:35 p.m.

Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Kate Robertson

The amassing of data in any database brings with it attendant security risks. The extent of them I cannot comment on.

I would indicate that your concerns are connected to amendments that we have raised in our brief regarding the handling of data. Right now, the information-sharing powers within the Canadian government that would be enabled by Bill C-26, if passed unamended, are extremely broad.

One limit that we recommended, for example, is that the use of the information being shared should be constrained to cybersecurity objectives, and not piggybacked objectives that are layered on after the fact. Retention limits should be strictly defined to address the very concern that you're raising.

In that way, while there is understandably a need for some examination of critical information to enable that mandate to be fulfilled, it should be very strictly defined within the legislation itself.

5:35 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Mr. Hatfield, did you have comments on that?

5:35 p.m.

Executive Director, OpenMedia

Matthew Hatfield

I would reinforce what Ms. Robertson said.

I think transparency is actually the ally of effective cybersecurity. A lot of mistakes get made when things are stored in the dark. Rather than allowing our security establishments to hoover up the maximum possible amount of information and sit on all of it, I think putting some limits in terms of retaining only information that is strictly necessary and deleting other information at a certain point helps minimize the risk of that information transfer.

5:40 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Are you confident that the legislation as written, coming before this committee unamended, will protect the privacy of Canadians and the safety of our cybersecurity sector?

5:40 p.m.

Executive Director, OpenMedia

Matthew Hatfield

I think this legislation makes our privacy much worse, actually.

5:40 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

That's very concerning.

Of course, you listed some amendments that you've put forward. What do you think would be the most powerful amendments to ensure that Canadians' privacy rights and the security of all this information that the government is purporting to gather are protected?

5:40 p.m.

Executive Director, OpenMedia

Matthew Hatfield

I think the necessity and proportionality tests that we've applied are a really important piece here to make sure information is being collected only for appropriate purposes. I think getting those kinds of fixes, which are similar to what Australia has done, will greatly mitigate some of the potential harms of the legislation.

5:40 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you, Mr. Hatfield.

Ms. Robertson.

5:40 p.m.

Senior Research Associate, Munk School of Global Affairs and Public Policy, University of Toronto, Citizen Lab

Kate Robertson

Ultimately, under the Constitution, the courts look to an effective mechanism of accountability and review. In this case, it's hard to pinpoint one particular amendment when what the courts look for when protecting privacy is an interlocking system that enables effective review.

I identified in my opening remarks a number of amendments that would assist that review mechanism, not one of which could be functional on its own. For example, we've identified notice requirements as an important mechanism. This is a way to enable individuals whose personal and confidential information has been shared to know that this has happened, so it could be effectively challenged in court.

That's just one example of the amendments we have identified in the report for that reason.

5:40 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you.

Mr. Hatfield, something you said in your remarks also greatly disturbed me.

In response to cybersecurity incidents, we've seen the government putting forward legislation to give itself massive new powers. We have seen recent examples of government using the legislative powers at its disposal to freeze people's bank accounts.

I have deep concerns that if we don't put in the necessary checks and balances that you are talking about, we can be giving the government extraordinary powers to shut people out of the Internet, which, as we know, has become so essential in the 21st century to participating in our democratic society and in our economy, to be connected with loved ones, and to work. I have serious concerns. I want to pass along that we share your concerns and we'll be looking into this further.

Mr. Chair, I would like to split my time with my colleague, Mr. Motz.

Thank you.