Public Safety Committee on Feb. 8th, 2024

I think there still needs to be clarity in terms of some of the definition issues. For equilibrium in terms of, for instance, sanctioning and fines, etc., there needs to be some level of consequence for negligence—for failure to implement a baseline cybersecurity standard.

There also needs to be encouragement for large critical infrastructure entities to ensure that their supply chain is secure. That means working closely with the small and medium-sized businesses.

The other thing I would add is that in the United States, the U.S. government has created a grant program to enable critical infrastructure entities to put in place certain baseline cybersecurity requirements. That could be another suggestion.

The last thing I would mention in terms of the right equilibrium is that this law pushes a prevention-first approach. We know that in medicine, prevention is oftentimes better than the cure. Let's get people to invest up front.

If I can pick up on what Mr. de Boer was saying in terms of incentives for those small and medium organizations, if we enable the larger organizations to share openly, truthfully and fully with the small and medium organizations about what they're seeing and doing, and support them so that they don't get hit with the same attack, the prevention is better than the cure. That will help.

Another approach we could take is to incentivize businesses that are not necessarily the ones covered by this legislation—that's a separate piece—but the supply chain. We can incentivize the supply chain to reach a level of cyber-maturity through tax incentives or through insurance breaks, if they have certifications.

I'll take the last question first, which is the reference to joining the CCTX.

In fact, I said a Canadian cyber-collaboration organization—not necessarily ours, although that would be wonderful. When I said there's no cost, it's that there's no cost to the government for that because it would be part of the ITB program. Any of the organizations or companies that are working through or impacted by the ITB program could join a threat-sharing association, so that they can be more aware of what's going on in the cyber-ecosystem, such as what the attack vectors are likely to be, and remediation and resiliency solutions.

That's the first one. There's no cost to the government. There is a cost for us, but it's nominal for small businesses. It's really small.

I believe the other question you had earlier was on consultation.

There was certainly an opportunity for consultation several years ago. We participated in that with our members, as well, because we reached out to them. It became a trickle-down process, but it would be nice to see something like Bill C-26 running in concert with a national cyber-strategy.

The consultation was several years ago and is now two years behind. I see that coming down the pipeline.

What was the third question?

That may be harsh. Canada is increasingly a target because it pays ransom. There are countries that organizations intentionally don't attack because they don't pay ransom. Canada generally pays ransom—

Good morning.

My name is Chris Loewen. I am the executive vice-president, regulatory, at the Canada Energy Regulator. I'm joined today by Mr. Chris Finley, director of emergency management and security.

Thank you for inviting the Canada Energy Regulator to appear before the committee today to discuss Bill C-26.

We join you today from Calgary. I would like to take this opportunity to acknowledge the traditional territories of the people of the Treaty 7 region of southern Alberta.

I'll start by outlining the mandate of the Canada Energy Regulator, or CER.

The CER regulates infrastructure to ensure the safe and efficient delivery of energy to Canadians and the world. It regulates pipelines, power lines, energy resource development and energy trade on behalf of Canadians in a way that protects the public and the environment while supporting efficient markets.

Safety is at the core of our work. We regulate to prevent harm in all forms, and we understand that this includes the cybersecurity threats that Bill C-26 is seeking to address. The CER takes the matter of cybersecurity threats to Canada's energy supply seriously.

The CER oversees roughly 71,000 kilometres of the oil and gas pipelines in Canada. We regulate pipelines that cross provincial boundaries or the Canada-U.S. border. CER-regulated pipeline companies are required to have proactive measures in place to protect this critical infrastructure from cybersecurity threats.

Regulated companies must have a security management program that anticipates, prevents, manages and mitigates conditions that could adversely affect people, property or the environment. In addition to the physical threats to infrastructure, companies must consider cybersecurity threats in their security management program and implement appropriate mitigation based on the results of a security risk assessment process. These requirements are laid out in the Canadian Standards Association's Z246.1 standard, which is included in the CER Act's onshore pipeline regulations by reference.

Cybersecurity measures must reflect the criticality of cyber-assets, as well as the results of regular assessments of threats, vulnerabilities and overall security risk.

The regulation of electricity generation, transmission and distribution rests primarily within the jurisdiction of provinces and territories. However, the CER regulates approximately 1,500 kilometres of international power lines. The Canadian public rightfully expects us to hold the pipeline and international powerline companies we regulate accountable for the safe operation of CER-regulated energy infrastructure.

The CER is well positioned to administer the obligations of Bill C-26, in particular those that apply to companies we regulate, and, given these obligations, align with those already found in the Canadian Energy Regulator Act.

For example, the bill provides the CER with the ability to issue orders and to take necessary enforcement actions to bring a company back into compliance, so that critical cyber systems are protected.

The CER already uses similar tools. For example, it issues notices of non‑compliance, inspection officer orders and administrative monetary penalties, as needed, to bring companies back into compliance and ensure that they operate safely.

The CER also verifies that companies are meeting requirements through inspections, audits, compliance meetings and emergency response exercises.

The CER uses an integrated government approach. It works with federal, territorial, provincial and international agencies, as well as regulated industry, to ensure that proactive measures are taken to protect federally regulated energy infrastructure from cyber-related risks or attacks.

Thank you very much for the opportunity to speak with you today about this important issue. We look forward to your questions.

Good morning, and thank you for inviting us to speak with you this morning.

Before I begin my remarks, I would like to acknowledge that we are gathered on the traditional unceded territory of the Anishinabe people.

My name is Leila Wright, and I am the executive director of telecommunications at the CRTC. I am joined today by my colleagues Steven Harroun, chief compliance and enforcement officer, and Anthony McIntyre, general counsel.

The CRTC is an independent and quasi‑judicial tribunal that operates at arm's length from the government. We hold public hearings on telecommunications and broadcasting matters. We make decisions based on the public record.

In the telecommunications industry, our work focuses on increasing competition for Internet and cellphone services. We do this by promoting greater choice and affordability for Canadians, encouraging investment in reliable and high-quality networks, and improving access to telecommunications services in indigenous, rural and remote communities. We also have a team that helps protect Canadians from unwanted emails, texts and online scams.

The CRTC plays a small part in the federal government's effort to protect the security of Canada's telecommunications system.

Other organizations that contribute to this effort include the Communications Security Establishment, the Canadian Security Intelligence Service, Innovation, Science and Economic Development Canada, the Canadian security telecommunications advisory committee and many others.

The CRTC does not have a role to play within the proposed critical cyber systems protection act. Additionally, many of the proposed amendments to the Telecommunications Act establish new authorities exclusively for the Governor in Council and the Minister of Industry, and do not modify the CRTC's regulatory mandate under the act.

However, a few changes would be relevant to the CRTC's work. I'll focus on three changes in particular.

First, the proposed amendment to section 7 of the Telecommunications Act would add a new policy objective focused on promoting the security of the Canadian telecommunications systems. As with other policy objectives set out in the act, this addition would allow the CRTC to expressly consider how its decisions could further this new objective.

Second, the addition of proposed section 15.6 would facilitate information sharing between a broad group of security-focused government departments and agencies and the CRTC. This would be for the purpose of ensuring compliance with orders and regulations made by the Governor in Council and the minister.

Third, section 47 would require the CRTC to take into account any orders or regulations made by the Governor in Council and the minister in its decision‑making.

Should Parliament adopt Bill C-26, the CRTC will be ready to implement the amendments made to the Telecommunications Act that affect our work.

Thank you again for inviting us to speak today. We look forward to your questions.

Thank you very much for the question.

I would have to say that it's one of the reasons why reporting is going to be very important with respect to the proposed legislation. We currently rely on reporting from companies that provides us with an understanding of the magnitude but not the actual specific number of cyber-threats or cyber-attacks that are occurring with respect to our companies. Regulated industry is targeted by a number of threats from domestic and state actors. I would say that they vary from password theft and document theft all the way up to ransomware and other types of malware.

I might just turn to my colleague, Mr. Chris Finley. He might be able to provide you with a better sense of the volume.

Thank you for the question.

To date, the Canada Energy Regulator has no evidence of any cybersecurity incidents suffered by regulated companies that have affected the operation of a pipeline—in other words, their operational technology network. Admittedly, we also have had no reported incidents that have caused a cybersecurity event. There is a series of reportable incidents in our regulations. There has been nothing reported to date.

In terms of our regulated industries, of course, they are always under threat. Many of those attacks are below the bar, and we certainly wouldn't hear about those. As well, there is voluntary reporting currently to the Canadian cyber centre.

The proposed legislation is well aligned with the CER's oversight mandate. We already have a fairly robust regulatory framework in place that requires companies to identify and anticipate threats and risks to their systems, processes and operations and to have programs in place that prevent and mitigate those events. We also have in place inspection officers with the ability to issue non-compliance inspection officer orders and, where necessary, administrative monetary penalties.

You can see that the elements of the proposed legislation closely mirror what we currently have in place. In addition to that, it enhances reporting and information sharing, which I think can only lead to a much stronger oversight of cyber-threats within our industry.