Good morning, Mr. Chair.
Thank you, all.
I have the honour of being here today representing the Canadian Cyber Threat Exchange, which is an organization created by Canadian companies to provide a safe environment for members to share cyber-threat information and collaborate by sharing best practices and ideas. The goal is to build cyber-resilience and create a stronger economic environment for all. With 170 members, representing 15 sectors and more than 1.5 million employees, our members are actively sharing cyber-threat information to help build awareness and resilience in others and to prevent breaches, as well as the corresponding need to report.
Many of our members represent the critical infrastructure sectors impacted by this legislation, while others make up their supply chain. Many of them are small and medium businesses, like so much of the Canadian economy.
I applaud the government for focusing its attention on creating legislation that will help strengthen Canada's critical infrastructure sector. I believe that with a few small modifications, there is an opportunity with this legislation to do more to support resilience among Canadian businesses and to strengthen the Canadian economy beyond the confines of the six critical infrastructure sectors referenced.
Others have spoken eloquently about privacy issues and about the real risks of attributing liability to our CISOs. All are very good points, which we support.
I want to talk about three cost-effective suggestions that are easily implemented and will have a significant impact on cyber-resilience throughout Canada.
First, the legislation should be amended to include language that encourages all organizations to voluntarily share cyber-threat information and to collaborate with others to build resilience. This can be done with the addition of language in the preamble and two small related changes. I'd be happy to provide the committee with some of the proposed text later.
The second change is to make membership in a Canadian cyber-threat information-sharing association an allowable expense for government programs. For example, Canada's industrial and technological benefits policy does not permit membership in an organization as an allowable inclusion. This change would incentivize companies to participate in a sharing and collaborative organization to raise their cyber-awareness and resilience in an ongoing way. It would be a small change with a significant impact at no cost to the government.
Third, this legislation requires only specified organizations to share cyber-incident information with their regulators or with the government. We have an opportunity here to create a legal environment that enables all companies, including those specified, to share information beyond what they are required to by law. The CCTX has Canadian members and Canadian companies whose American extensions are currently sharing information in the U.S. that they can't share in Canada because they are not protected by legislation. They are concerned about civil liability if they voluntarily share information that could help others prevent an incident.
The objective of Bill C-26 is to prevent further cyber-incidents. Mandated reporting of incidents is not enough. It will not protect enough organizations quickly enough. By adding protection from civil liability, this legislation could fix that. You could enable companies to share beyond what is strictly necessary to become compliant and improve the cybersecurity and resilience of the economy as a whole in a cost-effective, meaningful way. Without this protection, critical information will continue to be shared with organizations outside of Canada.
In creating and supporting the CCTX, Canada's business community continuously demonstrates its willingness and desire to share cyber-threat information and to share its expertise and experience to support Canadian businesses. Help it do more. Enable it to do more. If enacted as part of this legislation, these three changes will ensure a more secure supply chain for critical infrastructure, which is the focus of this bill, and for all Canadian businesses, large and small.
Thank you.