Public Safety Committee on Feb. 8th, 2024

I fully agree. We need to get this moving now.

It's never going to be a perfect bill, but we need to make the adjustments we suggested, which are to clarify what is considered a cyber-incident and align it with the U.S.'s definition, and reporting timelines, as well. Clarity is really essential in times of crises, and so we need to do that.

Those are easy fixes. Those are things that we can probably fix with a few modifications. I would fill those gaps, get this passed and continue to work on other elements.

Thank you very much.

Mr. Chair, this is an excellent question. Do we rush the bill through or do we amend it to make it right? My response is, let's do both. Let's rush this bill through, but rush it through while taking into consideration the 14 recommendations that we've made and make the amendments that respond to those 14 recommendations.

Thank you very much.

With respect to the bill not significantly adding to the security, and in fact potentially diverting attention, it is not an issue with the bill itself. It's that the bar has already been raised higher than what's in Bill C-26 as a result of the mandatory standards our sector is already subject to through the North American Electric Reliability Corporation standards regime. That bar has already been set higher.

What has been put in Bill C-26 does not improve upon that. It detracts. It diverts attention to a separate and second parallel reporting structure, as opposed to using those resources to work on a response.

I also co-chair, with the Canadian Chamber, their “Cyber. Right. Now.” council, so—

Forty companies are principal members of the association, from the largest electricity companies in the country, such as Hydro-Québec, down to the municipal utilities in Ontario.

Absolutely. Depending on the size of the organization, of course there would be variability, but all of those that are involved in the bulk power system are covered by the North American Electric Reliability Corporation's mandatory cybersecurity standards. As a result, those companies have very robust and consistent cybersecurity programs.

As has been mentioned already by this panel...not in Canada but in other jurisdictions. We've seen a loss of pipeline in the United States. In Ukraine, in 2015, we saw, for the first time anywhere in the world, a successful cyber-attack resulting in a loss of power to customers. That's not something that's happened here, but those are the potential consequences of cyber-attacks.

When a cyber-event is occurring, do we want our people working on paperwork for regulators or do we want them, at that moment, working on securing the systems? First and foremost, we want to have people working on securing the systems, and then looking at the reporting requirements.

It's a question of easing the reporting and regulatory burden, number one. Number two, my concern is about duplication here. We already have reporting requirements. We're talking about now creating a second reporting regime as well.

It would be, except that if the definitions are going to be different, it means having a separate and different reporting structure and different definitions.

In fact, not entirely joking, I said a number of years ago, when the government was beginning to move along this path, that they potentially could look at the NERC cybersecurity standards and look at replicating those for other Canadian critical infrastructure sectors. That would have made our life easier, certainly, if we'd looked at the existing regime we had and looked at applying it to other sectors.

Absolutely.