Mr. Chair and members of the committee, good afternoon. My name is Ulrike Bahr-Gedalia, and I'm the senior director of digital economy, technology and innovation at the Canadian Chamber of Commerce. I'm also the Canadian Chamber's architect and policy lead for the digital economy committee's future of artificial intelligence council and the “Cyber. Right. Now.” council.
As Canada's largest and most activated business network, representing over 400 chambers of commerce and boards of trade and more than 200,000 businesses of all sizes from all sectors of the economy and from every part of the country, the Canadian Chamber is pleased to have this opportunity to provide feedback on Bill C-26.
Our “Cyber. Right. Now.” council has been calling on government to prioritize cybersecurity and focus on a prevention-first approach and improved information sharing for close to three years. Today I'd like to share a few key recommendations and why cybersecurity is important to the Canadian Chamber and our members within the Canadian economy.
Over 98% of Canadian businesses are small or medium-sized enterprises. SMEs need greater cybersecurity threat awareness, protection and training to utilize the full suite of tools at their disposal and to keep Canadians safe from bad actors. Like other countries, Canada is facing an increasingly complex and risk-prone digital landscape. With a cybersecurity skills gap of some four million people globally, and an ever-increasing number of connected devices—at least 67 billion and counting—the challenges and costs associated with securing our digitally enabled world are increasing. But while every organization of every size and in every sector is at risk of a cyber breach, few carry the same real-world risk of a crippling cyber-attack as those in the critical infrastructure sector. This threat will only grow as our critical infrastructure increasingly relies on software and connected technology to power and support its operation.
We are pleased to see Bill C-26 proceed to committee study, and we support the bill overall. However, certain amendments are needed to ensure that the bill reaches its full potential. More specifically, our telecommunication members have expressed their concerns with respect to a few provisions in the Telecommunications Act, such as the lack of a due diligence defence for violations under section 15 in part 1, resulting in monetary penalties, and the extent of ministerial order-making powers. I will note that this defence is present elsewhere in Bill C-26, such as in relation to cyber directions in part 2, the CCSPA, as well as full due process for and parliamentary oversight of ministerial orders. I encourage the committee to reach out to the telecommunication providers, as it's important to hear from them first-hand.
With respect to the CCSPA, our members are seeking the following improvements.
The first is a clearer definition of a reportable cybersecurity incident. This will ensure that industry isn't forced to report events that do not pose a material threat to a vital system. Failure to clearly define the parameters for a reportable incident will undermine the purpose of Bill C-26 and overwhelm government authorities, who will have to process and assess each cyber incident reported.
The second is allowing for a 72-hour reporting period for cybersecurity incidents, as opposed to immediate reporting. Allowing for reporting within 72 hours provides organizations the time to investigate, and will harmonize with existing regimes, such as in the United States, one of our key trading partners.
Finally, two-way information sharing is crucial. As currently drafted, the CCSPA only contemplates one-way information sharing from designated operators to the government. We believe this is a missed opportunity and a potential weakness, and it underscores the prevention-first approach I noted earlier. The more information we have, the more we can work together and the better we can help prevent incidents.
Thank you for listening and for the opportunity to participate in the study of Bill C-26.