Thank you, Mr. Chair.
I'm CEO of Electricity Canada, formerly known as the Canadian Electricity Association. Our members are companies that generate, transmit and distribute electricity in every province and territory in Canada.
My comments today will focus on part 2 of Bill C‑26, which enacts the Critical Cyber Systems Protection Act.
Before I proceed, I want to acknowledge the efforts of federal departments in drafting Bill C-26 and the time spent engaging stakeholders over the past two years. The problems that the bill is trying to solve are hard ones, with lots of moving pieces and far-reaching implications against the backdrop of a constantly evolving threat landscape.
While I commend the efforts, I must add my voice to the witnesses you've already heard from who emphasized the importance of getting this legislation right. While we acknowledge the urgency to pass this type of legislation, it is crucial to carefully consider amendments and resist the pressure to rush through the review of the bill.
Mandatory security requirements can help strengthen our overall security posture, but the approach taken by Bill C-26 risks having the opposite effect, adding very little security to our sector and redundantly adding additional layers of regulatory requirements. Today, I will highlight three areas where the legislation falls short and requires improvement.
First, the bill must align with existing regulatory frameworks. The electricity sector is unique in that the assets targeted by Bill C-26 are already regulated by the North American Electric Reliability Corporation, or NERC. This poses a risk of regulatory conflicts, increases the burden on operators and introduces compliance confusion and ambiguity, ultimately impeding the goal of Bill C-26 to enhance the safety of our critical system.
A witness last week recommended that the bill should take a risk-based approach and impose fewer requirements on those with already strong cybersecurity programs. Under this approach, mature organizations could spend more resources on incident prevention instead of compliance activities, and regulators could better focus their time on high-risk operators. Given our sector's strong security posture and the existing NERC standards, we feel that a risk-based approach to Bill C-26 would be a step in the right direction.
Another area needing improvement in the bill is its reporting requirements. The reference to the immediate reporting of cyber-incidents should be revised. Reporting obligations should not divert critical infrastructure operators from their response and recovery efforts during and post-incident. Reporting requirements should be well defined and consistent and have a reporting timeline that is flexible enough to allow the effective use of limited resources during incident response and recovery.
Still on the topic of reporting requirements, the goals of the legislation would be better served if it included legal protection for operators. Safe harbour provisions are an important part of promoting information sharing between industry and government, ensuring the successful implementation of the new reporting requirements and promoting voluntary information sharing.
The final aspect I wish to address is the unintended impact of the bill on the existing industry-government collaboration. Imposing mandatory requirements may create a chilling effect on the industry's relationship with government departments and agencies. Without appropriate safeguards, operators would likely receive legal advice to share just enough information to comply with the act and nothing more.
This is counterproductive to the goals of the legislation, but there are a couple of things you could do to mitigate those risks. First, put clear limits on how the government can use the information collected by way of this act. Several provisions in the bill would allow for information sharing among a range of persons and entities, and it does not explicitly limit how recipients use the collected information.
Second, the cyber centre should be carved out from the legislation and exempt from obligations to report information obtained by way of the act to other entities. Critical infrastructure operators currently enjoy a positive and collaborative relationship with the cyber centre. This is grounded in the confidence that the cyber centre does not disclose operators' information to regulators, enforcement agencies or other departments. Protecting the cyber centre from information-sharing obligations is crucial to maintaining this collaborative relationship.
Many other aspects of Bill C‑26 also deserve our attention, but my time's up for this morning.
However, I encourage you to take a look at our brief, which contains 14 recommendations on how to improve Bill C‑26.
Thank you.