Evidence of meeting #93 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A video is available from Parliament.
8:35 a.m.
Liberal
The Chair Liberal Heath MacDonald
Thank you, Mr. Julian.
We're going to suspend for a couple of minutes so that I can confer with the clerk.
8:40 a.m.
Liberal
The Chair Liberal Heath MacDonald
I call the meeting back to order.
I take into consideration your comments, Mr. Julian.
After speaking with the clerk, I will say that the motion hasn't been put before the committee prior to.... I don't have the other motion in front of me right now to compare it to, so our authority is basically saying that we're going to continue with the motion and allow it to stand at this time.
8:40 a.m.
Liberal
8:40 a.m.
Liberal
8:40 a.m.
Liberal
The Chair Liberal Heath MacDonald
Mr. Julian, do you want to speak after that? I gave you the opportunity there. You were both at about the same time.
8:40 a.m.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
I hope we can vote on this.
Our witnesses have given us a tremendous amount of content, and I have tons of questions. Quite frankly, I'm a little frustrated with all the disruption that the Conservatives have caused over the last few meetings on another subject that they have then decided to drop to try to do this subject.
It's time to start questioning the witnesses.
8:40 a.m.
Conservative
8:40 a.m.
Liberal
The Chair Liberal Heath MacDonald
We're challenging the chair's ruling. We'll have a recorded vote.
(Ruling of the chair overturned: nays 6; yeas 5)
The ruling of the chair has been defeated.
We move on now to—
8:45 a.m.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
Mr. Chair, I move that we use this time to question the witnesses, who have given us such important testimony.
8:45 a.m.
Liberal
Chris Bittle Liberal St. Catharines, ON
That's excellent. Thank you so much.
Thank you so much to the witnesses for being here.
It's truly disappointing to see, on issues of such importance, the Conservatives attempting to hijack this once again when they stand up and pretend to care about security.
Mr. de Boer, you mentioned mandatory reporting, not only here but with respect to the executive order in the United States. Bill C-26 requires mandatory reporting for affected sectors when there is a cybersecurity incident. Do you believe that this is important, and if so, why?
8:45 a.m.
Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Through the chair, thank you for the question.
Yes, it is very important. As well as the executive order, the United States also passed a separate law in 2022 requiring it. The reason it's important is that critical infrastructure entities affect the lives of every single Canadian. We depend on it. Our economy depends on it. This is about our economic security and our national security, and requiring entities to report those incidents within a reasonable time—and I would suggest aligning it to the United States and the EU, which have 72 hours—would be an important idea. It is fundamental.
8:45 a.m.
Liberal
Chris Bittle Liberal St. Catharines, ON
Mr. de Boer, Mr. Bradley raised some concerns about reporting. Do you share those concerns?
8:45 a.m.
Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Absolutely. I share the concerns about there needing to be protection for liability, absolutely. There also needs to be a due diligence requirement. In essence, if there were good-faith attempts to report or to put in place cyber-protections to prevent cybersecurity events, that needs to be respected.
We're dealing with highly sophisticated actors. The report that came out yesterday from the U.S. government talked about a Chinese-backed actor that had been in critical infrastructure for nine months. These are highly sophisticated.
We need to act as a team. I support those amendments as well.
8:45 a.m.
Liberal
Chris Bittle Liberal St. Catharines, ON
Thank you so much.
Ms. Quaid, what safeguards are currently in place to ensure that our critical infrastructure providers are taking action to ensure their systems are sufficient to repel cyber-attacks launched by criminal organizations and international adversaries?
8:45 a.m.
Executive Director, Canadian Cyber Threat Exchange
Our critical infrastructure sectors are perhaps some of the most sophisticated. They have some of the most sophisticated cyber-defences in all of Canada and are very much aligned with the same sectors in other countries, particularly on the electricity side because of the cross-border side, as well in as finance and telcos.
What systems are in place to ensure that? They have regulators that are extraordinarily diligent—that would perhaps be a good word—in ensuring they are aligned and they have strong defences in place.
There's really nothing that we can add to what the regulators have suggested, but this regulation is important because, to further what John was saying, reporting is one of the biggest challenges we have. We don't have good numbers. We don't know how big the problem is in this country, because the reporting is different. What is defined as a cyber-incident in different reports comes across differently: who has to report, when they have to report and what is reported. We don't have reliable numbers, and that's part of the problem we have.
8:45 a.m.
Liberal
Chris Bittle Liberal St. Catharines, ON
What risks, if any, do you see if this legislation is not passed or if we delay it too long?
8:50 a.m.
Executive Director, Canadian Cyber Threat Exchange
There are huge risks. These are risks that start with how we will lose the faith of our Five Eyes partners. We will lose the faith and trust of the cross-border relationships that we have through NERC and FERC and all the other ones. We will also lose resources and revenue.
8:50 a.m.
Liberal
Chris Bittle Liberal St. Catharines, ON
Thank you so much.
Do you think this legislation strikes the right balance in capturing only those firms deemed vital to national security?
8:50 a.m.
Executive Director, Canadian Cyber Threat Exchange
In my remarks, I did comment on the rest of the economy.
The truth is, the rest of the economy largely supports these six sectors: the supply chain, which this legislation does cover. Critical infrastructure is now required to be aware of and responsible for the reporting of their supply chain. It does go down the chain. It's a very good start.
8:50 a.m.
Liberal
Chris Bittle Liberal St. Catharines, ON
Thank you.
Mr. Bradley, in order for this regime to be successful, I hope you all agree that designated operators must be confident that the proprietary and commercially sensitive information they provide to the government is handled appropriately. Would you agree?
February 8th, 2024 / 8:50 a.m.
President and Chief Executive Officer, Electricity Canada
Yes.
