Public Safety Committee on Feb. 5th, 2024

I'm sorry. Can you repeat the question, Mr. McKinnon?

We will make sure to get back to you with proposed amendments and examples of what we see as frameworks to achieve.

Perhaps I can clarify that as well. My apologies if, during my opening statement, I indicated otherwise. Adherence isn't necessarily the encouragement that we would be offering. It's more that a number of aspects of Bill C-26 are much more far-reaching than established international standards for mature cybersecurity regimes, of our allies in particular.

It's not necessarily adherence to them, but more a recognition that we don't necessarily need to go beyond what they're already working towards in their private and public partnership and enablement of the industry.

I hope that gives a little bit of clarification. It's not necessarily an alignment to international standards, but a “not going farther than”, as we try to work together to bolster our critical infrastructure.

That's a good way to put it.

I draw your attention to April 2023, when a Russian-linked hacking group successfully penetrated a Canadian natural gas pipeline provider and was “able to increase valve pressure, disable alarms, and make emergency shutdowns.” By the way, this Russian hacking team wasn't even their best, so that's what we're risking when we fiddle while Rome burns on cyber-legislation.

I'm not saying we're going to have a Hollywoodesque total society shutdown. I'm saying people could get killed. I'm saying businesses could be negatively impacted economically. I'm saying there are people who want to throw a punch and hit us right in the nose. We are sticking our face up, without an ability to defend ourselves, and it's going to hurt.

First, we have to walk before we can run. Let me put this into very clear terms: Canada is not even crawling when it comes to defending itself. If you want to look at a leader right now, look at Australia. We are lagging, and it's not going to be business that pays the price. It's going to be everyday Canadians.

Every time there's a cyber incident, it contributes to the cost of living crisis in this country. We need to get moving on this, and we need to get it right. The flaws in this legislation that have been pointed out are significant. They will set us back. Instead of making things better, we're going to make them worse.

There are two aspects to this. The first is the implementation of the bill and the regulatory framework. We all want the bill to be applied in the best way possible, of course. However, we find that some definitions leave room for interpretation. In cases where it's a major issue, we would prefer that the framework be much clearer so that people can comply with it more easily. Terms like “major incident” or “cybersecurity breach” are quite broad and generic. We find ourselves at an impasse. We think it's much simpler to clarify these terms now than to wait until the regulatory stage to establish definitions and end up in a bit of a mess when it comes to determining what to do. It's always better to clarify things right from the start.

The second aspect concerns government intervention. To be clear, we are committed to seeing the essence of the bill come to fruition, since cybersecurity breaches are a major issue. At IBM, we produce an annual report, and we've determined that the cost of a cybersecurity breach is $7 million per affected company, which increases to $12 million when the financial sector is involved. As a result, it's important to take action, and the government must show leadership in this regard. Its actions must also be well regulated, codified and predictable for the players in the system.

Thank you for the question.

I apologize, my French isn't very good, so I'll answer in English.

The due diligence defence to the administrative monetary penalties is the first thing that becomes a positive thing. If I showed that we were in the spirit, trying to defend our organization, that we were doing what we should, that's a positive step that encourages me to invest, so I can show that. That's why it's so important that this gets addressed in the Telecommunications Act.

To be very clear, the Canadian private sector already spends $9 billion a year on cybersecurity, so we're not coming to Parliament and looking for a handout, for government to solve all problems. However, what's interesting is that this legislation deals specifically with very large enterprises and critical infrastructure. It does not deal with 98% of Canadian businesses, which are small businesses, 50% of which spend nothing on cybersecurity today, so they absolutely need help. As parliamentarians, you've heard the story of the impact of COVID-19 on small businesses, the debt load and more. They cannot afford yet another thing. Let's be very clear: The bill for cybersecurity for small businesses and large enterprises is because, at a national level, we fail to protect them from other countries and from criminals, so yes, I highly encourage other measures.

My point about the speed with which we need to move this legislation.... This is just the first step for laws you need to consider, and we need to get it right.

I'll be honest. Where Canadians are being hurt, and hurt badly, right now is in health care. You have five hospitals in Ontario right now that are still recovering from an ransomware attack. We still don't know what happened in Newfoundland and why it happened, nor have we learned from it. We know, from non-peer-reviewed research study in the U.S.—

—that 40 to 60 Americans have died because of ransomware attacks against hospitals there, so yes, we need help. We need to get this law done first, and the first thing to make it better, from a positive side, is to have a due diligence defence.