Evidence of meeting #93 for Public Safety and National Security in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A video is available from Parliament.
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
The CRTC's role is to implement the legislation that is adopted by Parliament. Our role is not to comment on proposed legislation that is before Parliament, so unfortunately I'm not able to respond to your question.
Conservative
Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON
Thank you.
Would you support provisions that require the government to table an annual report that would include the number of times government orders or regulations have prevailed over CRTC decisions?
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
I would respectfully say that this would be a question for ISED.
Conservative
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
That would be a question that should be posed to our colleagues at ISED.
Conservative
Liberal
The Chair Liberal Heath MacDonald
Thank you, Mr. Shipley.
We're moving on to Mr. Schiefke, please, for six minutes.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
Thank you very much, Mr. Chair.
I'd like to thank our witnesses for being here in person and virtually.
I'll begin my line of questioning with Mr. Loewen.
Mr. Loewen, in layman's terms, for Canadians who are interested in and affected by this topic, what would be the consequences of a successful cyber-attack against a critical infrastructure operator in the energy sector?
Executive Vice-President, Regulatory, Canada Energy Regulator
Thank you for that question.
The consequences could potentially vary greatly and depend on the nature of the attack, obviously.
In the cyber centre's assessment, the main threat to Canada's energy sector is from financially motivated cybercriminals primarily using things like ransomware, as I noted earlier. Those attacks most typically affect information technology networks, although it is possible for them to target operational technology. The ransomware on an IT network will cost a regulated company money in potentially paying the ransom, but certainly in lost time and in recovering their infrastructure.
Ransomware on an old T-network or operational technology network such as a SCADA system, while rare, could be far more disruptive to pipeline operations. Although this would be unlikely to create unsafe operating conditions, as my colleague noted earlier, we have no evidence. We haven't heard reports of any such breach of an operational technology system in a CER-regulated industry.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
I'll follow up on that.
Given the interconnectedness of the energy sector in Canada and that of our largest trading partner and ally, the United States, how important is it, in Bill C-26, for Canada to strengthen our cybersecurity protection?
Executive Vice-President, Regulatory, Canada Energy Regulator
I would respond by saying that the energy sector is targeted by nation-state cyber-espionage activities that don't recognize borders. These are primarily a threat to intellectual property, such as research and business plans. Because the energy sector is a strategically important critical infrastructure and is transborder, as you noted, it is also a likely target for adversarial nation-states to sabotage, if possible, operational technology.
The impact on that would be significant.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
One of the main focuses in this committee is on improving the bill and looking for things that are not included in it but that we could include to strengthen it.
Is there anything our trading partner and ally, the United States, is doing that we are not doing and that is not included in Bill C-26 but that you believe should be included?
Executive Vice-President, Regulatory, Canada Energy Regulator
You know, we're not the lead on this particular legislation, but we did provide advice. In my view, it's very well aligned already with what we have in place at the CER.
I might turn it over to my colleague Mr. Chris Finley, as he is more familiar with some of the activities that are taking place in the United States.
Director, Emergency Management and Security, Canada Energy Regulator
Thank you.
We work closely with the Transportation Security Administration and the PHMSA—the Pipeline and Hazardous Materials Safety Administration. Primarily, within Canada, we work very closely with the Communications Security Establishment and their cyber centre to make sure we're in alignment internally.
We believe, as my colleague said, that the robustness of our regulatory environment, currently, is solid. However, we see a real benefit in the mandatory reporting requirements as set out in proposed sections 17, 18 and 19. We can take that information and implement it across our pipeline network to make it safer.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
Thank you, both.
I'll now turn my questioning to Ms. Wright.
Ms. Wright, thank you for being here.
A priority for all of us here, regardless of political party, is protecting the privacy of Canadians. Some witnesses have warned that this bill may result in the government accessing, collecting and misusing personal information, including personal cellphone information. In your reading of this bill, and based on your experience and position, do you see that happening?
February 8th, 2024 / 9:45 a.m.
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
Again, unfortunately, I'm not able to respond to that question.
Our role is to implement the provisions that touch upon the CRTC's work. I've outlined those provisions. They're quite narrow, so I'm not able to respond to that question.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
Would you be able to comment on how Bill C-26 will intersect with the Privacy Act? Is there anything in the bill that affects the applicability of the act?
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
Unfortunately, I'm not able to respond to that question.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
Okay.
I guess I'll ask you one last question before my time is up.
Is there anything that is not in Bill C-26, Ms. Wright, that you would like to see that could provide greater support for the work you're doing?
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
Again, our role is to implement legislation adopted by Parliament, rather than comment on proposed legislation before the committee.
Liberal
Peter Schiefke Liberal Vaudreuil—Soulanges, QC
Okay. Thank you, Ms. Wright.
That's all, Mr. Chair. Thank you.
NDP
Peter Julian NDP New Westminster—Burnaby, BC
Mr. Chair, I'll ask a question on behalf of Mrs. Normandin. I would appreciate some flexibility with my speaking time. If you don't mind, I'll ask her question first and then move on to my own questions.
Ms. Wright, my question concerns the recommendation that the committee received from Citizen Lab, which suggested that we provide relief for smaller telecommunications providers.
Should Bill C‑26's regulatory framework be implemented in a manner that takes into account its impact on smaller telecommunications providers? Should the implementation of this regulatory framework be flexible enough to ensure that smaller companies can easily comply with the components of the bill?
Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission
Thank you for the question, and I apologize if my response is frustrating to the committee.
Our role is to implement legislation that is adopted by Parliament. When it comes to the proposed legislation before the committee today, we can speak to the proposed amendments to the Telecommunications Act that touch on the CRTC's work, and also speak to how similar provisions are currently applied by the CRTC. However, I am not able to respond to your question.