Evidence of meeting #93 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

John de Boer, Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Jennifer Quaid, Executive Director, Canadian Cyber Threat Exchange
Francis Bradley, President and Chief Executive Officer, Electricity Canada
Chris Loewen, Executive Vice-President, Regulatory, Canada Energy Regulator
Leila Wright, Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
Christopher Finley, Director, Emergency Management and Security, Canada Energy Regulator
Steven Harroun, Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
Anthony McIntyre, General Counsel and Deputy Executive Director, Legal Services, Canadian Radio-television and Telecommunications Commission

8:15 a.m.

The Chair Liberal Heath MacDonald

I call this meeting to order.

Welcome to meeting number 93 of the House of Commons Standing Committee on Public Safety and National Security. Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Members are attending in person in the room and remotely using the Zoom application.

I would like to make a few comments for the benefit of witnesses and members.

Please wait until I recognize you by name before speaking.

To prevent disruptive audio feedback incidents during our meeting, we kindly ask that all participants keep their earpieces away from any microphone. Audio feedback incidents can seriously injure interpreters and disrupt our proceedings.

All comments should be addressed through the chair.

Pursuant to the order of reference of Monday, March 27, 2023, the committee resumes its study of Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.

I would like to welcome our witnesses for the first panel.

From BlackBerry, we have John de Boer, senior director, government affairs and public policy, Canada. From the Canadian Cyber Threat Exchange, we have Jennifer Quaid, executive director. From Electricity Canada, we have Francis Bradley, president and chief executive officer.

Up to five minutes will be given for opening remarks, after which we will proceed with rounds of questions.

Welcome to all of you.

I invite Mr. de Boer to make an opening statement, please.

8:15 a.m.

Dr. John de Boer Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Thank you, Mr. Chair.

On behalf of BlackBerry, I'm delighted to speak with committee members today.

For over 35 years, BlackBerry has invented and built trusted solutions to give people, governments and businesses the ability to stay secure and productive.

Today, we are a leader in cybersecurity software and services. We protect more than 500 million systems worldwide. Our customers include all G7 governments, NATO, 45 of the Fortune 100 companies, nine of the top 10 global banks and numerous critical infrastructure entities.

Critical infrastructure is a prime target for cybercriminals and state-sponsored actors. At BlackBerry, we know this first-hand. Between September and December 2023, we stopped more than 5.2 million cyber-attacks, and 62% of those targeted critical infrastructure.

Just yesterday, the Canadian Centre for Cyber Security, along with Five Eyes partners, issued an advisory confirming that PRC state-sponsored cyber-actors had compromised entities across multiple critical infrastructure sectors in the United States, including communications, energy, transportation, and water and waste-water infrastructure.

The director of the U.S. Cybersecurity and Infrastructure Security Agency fears that this is “likely the tip of the iceberg.” Canada's cyber centre assesses that, “should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration.”

In addition to delivering essential services, critical infrastructure entities house large amounts of sensitive information, including intellectual property, technical designs and personal information that are attractive targets for cyber-threat actors.

Currently, apart from PIPEDA-related obligations, Canada has no legislation in place to govern, much less obligate, critical infrastructure entities to report, prepare for and prevent cybersecurity incidents.

The critical cyber systems protection act will help drive necessary investment to improve cyber resilience and help ensure that critical infrastructure entities can operate through disruption and recover rapidly.

Stepping back to a larger comparative picture, Canada is falling behind our G7 peers in cybersecurity. U.S. and European governments have already taken regulatory measures that raise the bar on critical infrastructure cybersecurity. In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires covered critical infrastructure entities to report cybersecurity incidents to government within 72 hours, and ransomware payments within 24 hours. In October 2022, the European Union approved legislation requiring operators of essential services to implement baseline cybersecurity measures and notify national authorities of serious cybersecurity events within 72 hours.

Canada is currently out of step with our closest allies on cybersecurity. This legislation will help close the gap. Cyber-incident reporting will help government and private sector entities quickly share relevant information, warn and protect other potential victims and rapidly deploy resources and assistance to contain damage from cyber-incidents.

As the committee considers this legislation, BlackBerry would like to offer three recommendations to strengthen the law.

First, harmonize cyber-incident reporting requirements with our key allies, notably the United States. Doing so will help minimize the unnecessary burden on reporting entities and help ensure that the resources of entities facing an incident are dedicated to mitigating the effects of cyber-incidents. Second, provide guarantees that cyber-information reported by the covered entities is protected from liability, based on the information they report. Third, ensure that entities covered by the cyber-incident reporting requirements are not punished by punitive measures for good-faith efforts to comply with the law.

In conclusion, this law will help close the gap in our country's ability to prevent cyber-attacks, improve situational awareness, foster rapid and effective response and help create a culture of proactive, prevention-first cybersecurity at scale.

BlackBerry stands ready to work with this committee to strengthen Canada's cyber-resilience.

Thank you.

8:20 a.m.

The Chair Liberal Heath MacDonald

Thank you, Mr. de Boer.

Ms. Quaid, you're next, please.

8:20 a.m.

Jennifer Quaid Executive Director, Canadian Cyber Threat Exchange

Good morning, Mr. Chair.

Thank you, all.

I have the honour of being here today representing the Canadian Cyber Threat Exchange, which is an organization created by Canadian companies to provide a safe environment for members to share cyber-threat information and collaborate by sharing best practices and ideas. The goal is to build cyber-resilience and create a stronger economic environment for all. With 170 members, representing 15 sectors and more than 1.5 million employees, our members are actively sharing cyber-threat information to help build awareness and resilience in others and to prevent breaches, as well as the corresponding need to report.

Many of our members represent the critical infrastructure sectors impacted by this legislation, while others make up their supply chain. Many of them are small and medium businesses, like so much of the Canadian economy.

I applaud the government for focusing its attention on creating legislation that will help strengthen Canada's critical infrastructure sector. I believe that with a few small modifications, there is an opportunity with this legislation to do more to support resilience among Canadian businesses and to strengthen the Canadian economy beyond the confines of the six critical infrastructure sectors referenced.

Others have spoken eloquently about privacy issues and about the real risks of attributing liability to our CISOs. All are very good points, which we support.

I want to talk about three cost-effective suggestions that are easily implemented and will have a significant impact on cyber-resilience throughout Canada.

First, the legislation should be amended to include language that encourages all organizations to voluntarily share cyber-threat information and to collaborate with others to build resilience. This can be done with the addition of language in the preamble and two small related changes. I'd be happy to provide the committee with some of the proposed text later.

The second change is to make membership in a Canadian cyber-threat information-sharing association an allowable expense for government programs. For example, Canada's industrial and technological benefits policy does not permit membership in an organization as an allowable inclusion. This change would incentivize companies to participate in a sharing and collaborative organization to raise their cyber-awareness and resilience in an ongoing way. It would be a small change with a significant impact at no cost to the government.

Third, this legislation requires only specified organizations to share cyber-incident information with their regulators or with the government. We have an opportunity here to create a legal environment that enables all companies, including those specified, to share information beyond what they are required to by law. The CCTX has Canadian members and Canadian companies whose American extensions are currently sharing information in the U.S. that they can't share in Canada because they are not protected by legislation. They are concerned about civil liability if they voluntarily share information that could help others prevent an incident.

The objective of Bill C-26 is to prevent further cyber-incidents. Mandated reporting of incidents is not enough. It will not protect enough organizations quickly enough. By adding protection from civil liability, this legislation could fix that. You could enable companies to share beyond what is strictly necessary to become compliant and improve the cybersecurity and resilience of the economy as a whole in a cost-effective, meaningful way. Without this protection, critical information will continue to be shared with organizations outside of Canada.

In creating and supporting the CCTX, Canada's business community continuously demonstrates its willingness and desire to share cyber-threat information and to share its expertise and experience to support Canadian businesses. Help it do more. Enable it to do more. If enacted as part of this legislation, these three changes will ensure a more secure supply chain for critical infrastructure, which is the focus of this bill, and for all Canadian businesses, large and small.

Thank you.

8:25 a.m.

The Chair Liberal Heath MacDonald

Thank you, Ms. Quaid. You're right on time.

Mr. Bradley, you'll go next, please.

February 8th, 2024 / 8:25 a.m.

Francis Bradley President and Chief Executive Officer, Electricity Canada

Thank you, Mr. Chair.

I'm CEO of Electricity Canada, formerly known as the Canadian Electricity Association. Our members are companies that generate, transmit and distribute electricity in every province and territory in Canada.

My comments today will focus on part 2 of Bill C‑26, which enacts the Critical Cyber Systems Protection Act.

Before I proceed, I want to acknowledge the efforts of federal departments in drafting Bill C-26 and the time spent engaging stakeholders over the past two years. The problems that the bill is trying to solve are hard ones, with lots of moving pieces and far-reaching implications against the backdrop of a constantly evolving threat landscape.

While I commend the efforts, I must add my voice to the witnesses you've already heard from who emphasized the importance of getting this legislation right. While we acknowledge the urgency to pass this type of legislation, it is crucial to carefully consider amendments and resist the pressure to rush through the review of the bill.

Mandatory security requirements can help strengthen our overall security posture, but the approach taken by Bill C-26 risks having the opposite effect, adding very little security to our sector and redundantly adding additional layers of regulatory requirements. Today, I will highlight three areas where the legislation falls short and requires improvement.

First, the bill must align with existing regulatory frameworks. The electricity sector is unique in that the assets targeted by Bill C-26 are already regulated by the North American Electric Reliability Corporation, or NERC. This poses a risk of regulatory conflicts, increases the burden on operators and introduces compliance confusion and ambiguity, ultimately impeding the goal of Bill C-26 to enhance the safety of our critical system.

A witness last week recommended that the bill should take a risk-based approach and impose fewer requirements on those with already strong cybersecurity programs. Under this approach, mature organizations could spend more resources on incident prevention instead of compliance activities, and regulators could better focus their time on high-risk operators. Given our sector's strong security posture and the existing NERC standards, we feel that a risk-based approach to Bill C-26 would be a step in the right direction.

Another area needing improvement in the bill is its reporting requirements. The reference to the immediate reporting of cyber-incidents should be revised. Reporting obligations should not divert critical infrastructure operators from their response and recovery efforts during and post incident. Reporting requirements should be well defined and consistent and have a reporting timeline that is flexible enough to allow the effective use of limited resources during incident response and recovery.

Still on the topic of reporting requirements, the goals of the legislation would be better served if it included legal protection for operators. Safe harbour provisions are an important part of promoting information sharing between industry and government, ensuring the successful implementation of the new reporting requirements and promoting voluntary information sharing.

The final aspect I wish to address is the unintended impact of the bill on the existing industry-government collaboration. Imposing mandatory requirements may create a chilling effect on the industry's relationship with government departments and agencies. Without appropriate safeguards, operators would likely receive legal advice to share just enough information to comply with the act and nothing more.

This is counterproductive to the goals of the legislation, but there are a couple of things you could do to mitigate those risks. First, put clear limits on how the government can use the information collected by way of this act. Several provisions in the bill would allow for information sharing among a range of persons and entities, and it does not explicitly limit how recipients use the collected information.

Second, the cyber centre should be carved out from the legislation and exempt from obligations to report information obtained by way of the act to other entities. Critical infrastructure operators currently enjoy a positive and collaborative relationship with the cyber centre. This is grounded in the confidence that the cyber centre does not disclose operators' information to regulators, enforcement agencies or other departments. Protecting the cyber centre from information-sharing obligations is crucial to maintaining this collaborative relationship.

Many other aspects of Bill C‑26 also deserve our attention, but my time's up for this morning.

However, I encourage you to take a look at our brief, which contains 14 recommendations on how to improve Bill C‑26.

Thank you.

8:30 a.m.

The Chair Liberal Heath MacDonald

Thank you, Mr. Bradley.

I thank all of you.

We're going to move right into the rounds of questions. The first round will be six minutes, and we're starting with Mr. Lloyd, please.

8:30 a.m.

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you, Mr. Chair.

I want to thank all the witnesses for coming today, and for their testimony. We're taking notes, and we'll be taking everything you've said under advisement in our consideration of this bill.

Going forward, though, we do have another urgent issue that we're facing in this country, and it is the issue of auto theft. In the interests of allowing this committee to continue working on Bill C-26, but also to walk and chew gum at the same time and deal with the urgent issue of auto thefts in this country, I plan to be moving my motion that I put on notice at the last committee meeting to discuss. However, given that there have been some discussions with the other parties present, we have come forward with proposed amendments to this motion so that we can program this committee to work simultaneously on Bill C-26 while also working on the very important issue of auto theft.

We know that in 2022, the latest year that auto theft insurance statistics were made available, $1.2 billion in auto theft claims were made. We know that over 100,000 vehicles were stolen in Canada last year. This is a growing issue. It has increased, year over year, 50% in the provinces of Ontario and Quebec. It's a cross-Canada issue. Alberta is the third highest on the auto theft issue. This is a very important issue in my riding and I am very concerned.

We do need education to help people know what tools are available to them to help protect their vehicles from auto theft. However, at the same time, if the federal government does not take action to secure our ports and to put these repeat offenders behind bars, I fear that we are going to see an increase in the brazenness of these criminal acts, including violence committed against our citizens, if we don't take action to immediately put a chokehold on this unprecedented flow of Canadians' vehicles out of, particularly, the port of Montreal.

I understand, Mr. Chair, that my colleague, Larry Brock, is on the speaking list and will be next to speak. In the interests of ensuring that this committee can continue with its very important study of Bill C-26, but also continue and accelerate the study that was already agreed upon by this committee on October 23, on the motion put forward by our colleague in the Bloc Québécois, Ms. Michaud, I will cede the floor to my colleague, Mr. Brock, so that he can move the appropriate amendment.

Thank you, Mr. Chair.

8:35 a.m.

The Chair Liberal Heath MacDonald

Mr. Brock.

8:35 a.m.

Larry Brock Conservative Brantford—Brant, ON

Thank you, Chair.

The amendment now being proposed reads as follows: That all the words after the word “committee” in the first paragraph—

8:35 a.m.

Peter Julian NDP New Westminster—Burnaby, BC

Mr. Chair, I have a point of order.

8:35 a.m.

The Chair Liberal Heath MacDonald

Mr. Julian.

8:35 a.m.

Peter Julian NDP New Westminster—Burnaby, BC

We don't have the motion. There's no motion, so you can't move an amendment if there's no motion.

8:35 a.m.

Dane Lloyd Conservative Sturgeon River—Parkland, AB

I moved the motion in my speech just now.

8:35 a.m.

The Chair Liberal Heath MacDonald

Did you move the motion?

8:35 a.m.

Peter Julian NDP New Westminster—Burnaby, BC

He did not.

8:35 a.m.

Dane Lloyd Conservative Sturgeon River—Parkland, AB

The motion has been circulated to the committee. It was circulated on Wednesday.

8:35 a.m.

Peter Julian NDP New Westminster—Burnaby, BC

The motion has not been moved.

8:35 a.m.

The Chair Liberal Heath MacDonald

Can you read the motion, Mr. Lloyd?

8:35 a.m.

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Yes, Mr. Chair.

8:35 a.m.

The Chair Liberal Heath MacDonald

Thank you.

8:35 a.m.

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Mr. Chair, the original motion reads as follows:

That the committee report to the House its acknowledgment that convening a National Summit of politicians and insiders to discuss auto theft will not prevent such theft. It also recognizes that preventing auto theft falls squarely under the federal responsibility of the Canada Border Services Agency (CBSA), the Royal Canadian Mounted Police (RCMP), Transport Canada, and Public Safety Canada.

And recommend to the House that the government:

A) Immediately reverse changes to Bill C-5, which allows car-stealing criminals to be on house arrest instead of serving jail time.

B) Strengthen Criminal Code provisions to ensure that repeat car-stealing criminals remain in jail.

C) Provide CBSA and our ports with the necessary resources to prevent stolen cars from leaving the country.

That is my motion, Mr. Chair.

8:35 a.m.

Peter Julian NDP New Westminster—Burnaby, BC

I have a point of order.

8:35 a.m.

The Chair Liberal Heath MacDonald

Yes, Mr. Julian.

8:35 a.m.

Peter Julian NDP New Westminster—Burnaby, BC

Mr. Chair, I would suggest that this is out of order, for two reasons.

In terms of what the House has already considered, the House considered yesterday a substantially similar motion, and Parliament, the House of Commons, decided not to proceed with that motion. As you know, this is a very rare occurrence, Mr. Chair. Ultimately, when a bill is defeated, you can't, the next day, suggest at a committee that the bill be considered. In this case, it was an opposition motion, and it was defeated. Now the Conservatives are proposing substantially the same motion today at committee.

This is something that doesn't have precedent, Mr. Chair. It's shameless that, when Parliament decides something, members of the committee would try to come back with what is substantially the same consideration. It is true that if this was three or four years from now, you could say, “Well, things have substantially changed since Parliament considered this issue, so we should have more discussion and debate on the issue.” In this case, it was yesterday; it was last night, 14 hours ago, when Parliament decided that the motion was inadequate.

I moved an amendment on behalf of the NDP, as you'll recall, Mr. Chair, talking about cracking down on organized crime, cracking down on money laundering, and restoring the cuts to the crime prevention programs that the Harper government put in place. The Conservatives rejected that, so the motion that was offered yesterday in the House was profoundly weak and contained a lot of disinformation. That's why Parliament defeated it. We can't come back the next day and consider substantially the same motion.

As you note, Mr. Chair, the intention would be to “recommend to the House”. The House made the decision yesterday. The intent of the motion today is to recommend to the House the same thing. There is an issue of repetition that is, in all our procedural manuals, something that is very clearly prohibited. You can't keep bringing up the same issue in the same form.

Second, I would suggest that, because it recommends to the House, it is trying to do indirectly what is prohibited directly. In other words, it's trying to use a committee to reconsider something that was considered yesterday by the House of Commons.