Evidence of meeting #93 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

John de Boer  Senior Director, Government Affairs and Public Policy, Canada, BlackBerry
Jennifer Quaid  Executive Director, Canadian Cyber Threat Exchange
Francis Bradley  President and Chief Executive Officer, Electricity Canada
Chris Loewen  Executive Vice-President, Regulatory, Canada Energy Regulator
Leila Wright  Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
Christopher Finley  Director, Emergency Management and Security, Canada Energy Regulator
Steven Harroun  Chief Compliance and Enforcement Officer, Canadian Radio-television and Telecommunications Commission
Anthony McIntyre  General Counsel and Deputy Executive Director, Legal Services, Canadian Radio-television and Telecommunications Commission

8:50 a.m.

Liberal

Chris Bittle Liberal St. Catharines, ON

The bill currently includes a regime aimed at protecting confidential information. What are your thoughts on this regime found within the bill?

February 8th, 2024 / 8:50 a.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Our concerns are more with respect to treating different entities within the Government of Canada differently when it comes to the protection and the use of information, specifically with respect to the Canadian cyber centre. That's where our area focuses with respect to the use of the information itself.

8:50 a.m.

Liberal

Chris Bittle Liberal St. Catharines, ON

Thank you so much.

8:50 a.m.

Liberal

The Chair Liberal Heath MacDonald

Ms. Normandin, go ahead for six minutes, please.

8:50 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you, Mr. Chair.

I also want to thank all the witnesses for their participation, which is greatly appreciated.

I'll start with Mr. Bradley.

You spoke about the risk of regulatory duplication with the North American Electric Reliability Corporation. I was wondering whether this risk of duplication comes into play at other levels. I know that you had discussions, particularly with Hydro‑Québec, before you came to give your presentation. Were these types of concerns raised with regard to Quebec's privacy regulations, for example?

Is there a risk of not just duplication, but triplication in certain aspects of the regulations?

8:50 a.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Thank you.

That is absolutely an excellent question.

My remarks and our brief focus specifically on that interface between the bill and our NERC requirements, which are quite onerous. The member is absolutely correct. There are other requirements that come into play at the different levels of government, as well, and also internationally. It isn't solely a matter of Bill C-26 coming into conflict with NERC. There are other levels, as well.

Our particular area of concern, where we see the potential for a significantly increased burden, is that lack of alignment between the NERC requirements, which have been in existence for many years, and what is being proposed in Bill C-26.

8:50 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you. This brings me to a question for Mr. de Boer.

You also spoke about alignment. I would like you to talk about the Five Eyes and the global alignment of incident reporting.

There are standards at a number of levels, and the issue becomes extremely complicated. At which level should alignment be a priority, and why?

8:50 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

My recommendation would be to align with the United States.

As I mentioned earlier, even the Canadian Centre for Cyber Security has mentioned that an incident affecting critical infrastructure in the United States would affect Canada. Much of our critical infrastructure—whether it be energy, rail, transport or, in some cases, telecommunications—crosses borders. We need to align with them. That would be mine: a 72-hour reporting requirement.

The other thing is aligning our definitions of what a cyber-incident is. Currently, the United States is undertaking a study through CISA to define “cyber-incident” and what is reportable. They have 52 different regimes of reporting in the United States. Imagine an entity dealing with a cybersecurity incident and being required to report to 10 or 15 different entities with different types of cyber-incidents.

If it's not aligned, this legislation will actually add to the problem, not resolve it.

8:55 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

Ms. Quaid, you recommended that the bill be expanded to include voluntary collaboration among companies. However, this would mean a greater need for workers to implement Bill C‑26.

Was this part of your thought process? Is the widespread labour shortage a potential issue? I put this question to the committee earlier, and to the Communications Security Establishment, or CSE. I was told that this could be an issue.

I want to know whether this is an issue for you too, and if so, whether you have any possible solutions.

8:55 a.m.

Executive Director, Canadian Cyber Threat Exchange

Jennifer Quaid

Thank you for the question. I'm very glad we can address the labour shortage here.

What I suggested was enabling organizations in Canada to report, speak publicly and share information about threats, attacks and incidents without fear of liability. In doing that, we're minimizing the labour impact. We're enabling companies to share information so they don't all need to have specialists doing exactly the same thing. We're enabling companies to share information so the smaller organizations with less sophisticated teams have an opportunity to learn from the larger organizations to protect themselves in advance of an attack.

What I'm hoping is that, by opening up the ability to collaborate not just with government but also broadly without fear of liability, we will, in fact, have a positive impact without adding to labour force requirements.

8:55 a.m.

Bloc

Christine Normandin Bloc Saint-Jean, QC

Thank you.

I would like to hear from anyone who wants to address the responsibility issue, even if it means a second round.

I'm concerned that, if we completely remove the responsibility of large companies, which could have a team to do the job properly, they may somehow avoid feeling the need to comply with Bill C‑26.

Is there a risk of completely removing the idea of responsibility?

8:55 a.m.

Executive Director, Canadian Cyber Threat Exchange

Jennifer Quaid

I think my colleague Francis Bradley talked about safe harbour legislation, which is what they call it in the U.S. It's what they have in the U.S. Through the effective drafting of something like what they have in the U.S., we can create that fine balance, and that's what we would always aim to do. You never want to remove all responsibility, but certainly remove personal liability from our CISOs, who are in very short supply, and one of the speakers last week mentioned that they're leaving at a rate of 75% right now.

We are at risk, but I think that, with effective drafting of this legislation, we can create balance so that we are not removing all liability but we are protecting organizations from liability when they are trying to share information to help others.

8:55 a.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. Normandin.

Mr. Julian, go ahead, please, for six minutes.

8:55 a.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Thank you very much, Mr. Chair.

Thanks to our witnesses. You've given us a lot of food for thought. I have a lot of questions. I hope that there are no further disruptions because, quite frankly, my Conservative colleagues haven't asked a single question on Bill C-26 to date, and I think that has to change. This is important legislation.

I have two questions for all three of you.

First, Ms. Quaid, you mentioned that further delays would cause loss of the faith of our partners. The government introduced this in June 2022. We're now in February 2024. We're seeing delays and disruption from the official opposition in trying to process this legislation. Beyond losing the faith of our partners, what are the other consequences? We've had previous witnesses say that, basically, Canada is increasingly becoming a target because we don't have legislation in place. What are the consequences of further delay? That is for all three of you.

My second question is based on your excellent brief, Mr. Bradley, talking about doing consultation during the regulatory process. To what extent has the industry been consulted by the government in the legislation to date? To what extent was there input so that we get this bill right?

I'll start with Mr. Bradley and then go to Mr. de Boer and Ms. Quaid.

8:55 a.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Thank you very much. Those are two very good questions.

On the first question, with respect to the consequences of delay—and this relates to your second question as well—we've been engaged in discussions about this gap, given that we're a sector that has had mandatory reliability and mandatory critical infrastructure protection standards for a decade and a half. We have been asking the question, “What about those other sectors upon which we rely?”, because the sectors are interdependent. Some sectors have robust programs and, as for others, we just don't know, frankly.

We've been in favour of seeing something broader across different critical infrastructures, those other infrastructures that we depend on. We have a very high level of confidence in the regime that we have, because it is mandatory and enforceable. We would like to see something in place, and this has been the conversation that we've been having with the government for a very long time about other sectors upon which we rely.

I think Bill C-26 does fill that gap. It overlaps—and I did talk about that in my comments—but, with respect to consultation, in terms of agencies and departments of the government, we have been talking about this for more than a decade. This is something that we've been consulted on extensively, certainly, but it is something that has been a gap for quite some time.

9 a.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Go ahead, Mr. de Boer.

9 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

Yes, I would echo previous comments.

Critical infrastructure is called critical infrastructure because it's essential to our daily lives and the functioning of our economy. That's critical, but there are other elements to this. If the public believes that government has not acted to protect that critical infrastructure and secure our lives, it's the very trust in our government that could be eroded.

Affordability is another potential impact. Cyber-attacks increase costs. Currently, there are countries—the U.K., notably—where insurers will refuse to provide insurance costs to actors who have been attacked by a state-sponsored actor. All those costs are passed on to consumers, so that could also be—

9 a.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Can I interrupt to ask you this? Do any of the three of you have figures that you could provide us with in terms of costs, increasing costs, because of the lack of action at this point?

9 a.m.

Senior Director, Government Affairs and Public Policy, Canada, BlackBerry

Dr. John de Boer

I can get back to you on that in terms of certainly increasing insurance premium costs, as well as increasing costs in terms of affordability. I can get back to the committee on some of those figures.

There's a tremendous series of consequences that are fundamental to our economy. You just need to look at, for instance, Ukraine. Their electrical grid was shut down. Look at Oldsmar, Florida, where a cyber-attack almost poisoned their water system. You can go to catastrophic ends.

In terms of consultation, there has been consultation. Our frustration is that this has moved far too slowly. It needs to be considered also in conjunction with the critical infrastructure strategy, which has not been updated since 2009. What is defined as critical infrastructure needs to be aligned with the critical infrastructure entities outlined in this legislation, and that's all Public Safety's responsibility.

9 a.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

Ms. Quaid, I'll come back to you, but you'll be cut off, unfortunately.

9 a.m.

Executive Director, Canadian Cyber Threat Exchange

Jennifer Quaid

Okay. I'll keep it very short.

What are the impacts if this legislation doesn't pass? Well, look at what happened with the Colonial gas pipeline. There is at least one death confirmed to be attributed to that. What's the impact? Death. Let's be simple. If gas doesn't flow, if phone systems don't work, people will not survive.

There are also the additional impacts, as Mr. de Boer was saying, such as insurance premiums. It's increasingly difficult to get insurance. My own cyber-insurance has gone up exponentially, which means costs associated. I will have to pass that on to customers. There's the increased cost of doing business. Businesses will go down. Small and mid-size businesses cannot afford a cyber-attack. The cost of remediation is usually in the millions of dollars. Those costs have to go somewhere.

In terms of collaboration, if I can—

9 a.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Mr. Julian and Ms. Quaid.

9 a.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

I'll come back.

9 a.m.

Liberal

The Chair Liberal Heath MacDonald

I'm sure you'll have another opportunity.

That's round one. We're moving into round two now.

Mr. Motz, you're up for five minutes.

9 a.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you very much, Chair.

Thank you to our witnesses for being here.

I know it's been stated, the rush to get this through. We've waited since June 2022, when it was put on the books, and we're still doing a little dance.

I've heard witnesses say, so far, that we need to ask ourselves what's more important, rushing this bill through even though it's faulty or trying to at least fix it so that it's workable to get some things right moving forward. That's something I'll ask all of you to respond to.

I want to also include in that response.... There has also been a concern by witnesses that the bill is vague in many areas, and the regulations are going to try to fix the gaps. The recommendation has been that there should be more definitions, that there should be other language that provides clarity in the bill rather than in the regulations, because regulations could take another couple of years to finish. That's the concern we all have.

I'd like to get your thoughts on those. I'll start with you, Ms. Quaid.