Public Safety Committee on Feb. 8th, 2024

Thank you, Mr. Chair.

On behalf of BlackBerry, I'm delighted to speak with committee members today.

For over 35 years, BlackBerry has invented and built trusted solutions to give people, governments and businesses the ability to stay secure and productive.

Today, we are a leader in cybersecurity software and services. We protect more than 500 million systems worldwide. Our customers include all G7 governments, NATO, 45 of the Fortune 100 companies, nine of the top 10 global banks and numerous critical infrastructure entities.

Critical infrastructure is a prime target for cybercriminals and state-sponsored actors. At BlackBerry, we know this first-hand. Between September and December 2023, we stopped more than 5.2 million cyber-attacks, and 62% of those targeted critical infrastructure.

Just yesterday, the Canadian Centre for Cyber Security, along with Five Eyes partners, issued an advisory confirming that PRC state-sponsored cyber-actors had compromised entities across multiple critical infrastructure sectors in the United States, including communications, energy, transportation, and water and waste-water infrastructure.

The director of the U.S. Cybersecurity and Infrastructure Security Agency fears that this is “likely the tip of the iceberg.” Canada's cyber centre assesses that, “should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration.”

In addition to delivering essential services, critical infrastructure entities house large amounts of sensitive information, including intellectual property, technical designs and personal information that are attractive targets for cyber-threat actors.

Currently, apart from PIPEDA-related obligations, Canada has no legislation in place to govern, much less obligate, critical infrastructure entities to report, prepare for and prevent cybersecurity incidents.

The critical cyber systems protection act will help drive necessary investment to improve cyber resilience and help ensure that critical infrastructure entities can operate through disruption and recover rapidly.

Stepping back to a larger comparative picture, Canada is falling behind our G7 peers in cybersecurity. U.S. and European governments have already taken regulatory measures that raise the bar on critical infrastructure cybersecurity. In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires covered critical infrastructure entities to report cybersecurity incidents to government within 72 hours, and ransomware payments within 24 hours. In October 2022, the European Union approved legislation requiring operators of essential services to implement baseline cybersecurity measures and notify national authorities of serious cybersecurity events within 72 hours.

Canada is currently out of step with our closest allies on cybersecurity. This legislation will help close the gap. Cyber-incident reporting will help government and private sector entities quickly share relevant information, warn and protect other potential victims and rapidly deploy resources and assistance to contain damage from cyber-incidents.

As the committee considers this legislation, BlackBerry would like to offer three recommendations to strengthen the law.

First, harmonize cyber-incident reporting requirements with our key allies, notably the United States. Doing so will help minimize the unnecessary burden on reporting entities and help ensure that the resources of entities facing an incident are dedicated to mitigating the effects of cyber-incidents. Second, provide guarantees that cyber-information reported by the covered entities is protected from liability, based on the information they report. Third, ensure that entities covered by the cyber-incident reporting requirements are not punished by punitive measures for good-faith efforts to comply with the law.

In conclusion, this law will help close the gap in our country's ability to prevent cyber-attacks, improve situational awareness, foster rapid and effective response and help create a culture of proactive, prevention-first cybersecurity at scale.

BlackBerry stands ready to work with this committee to strengthen Canada's cyber-resilience.

Thank you.

Good morning, Mr. Chair.

Thank you, all.

I have the honour of being here today representing the Canadian Cyber Threat Exchange, which is an organization created by Canadian companies to provide a safe environment for members to share cyber-threat information and collaborate by sharing best practices and ideas. The goal is to build cyber-resilience and create a stronger economic environment for all. With 170 members, representing 15 sectors and more than 1.5 million employees, our members are actively sharing cyber-threat information to help build awareness and resilience in others and to prevent breaches, as well as the corresponding need to report.

Many of our members represent the critical infrastructure sectors impacted by this legislation, while others make up their supply chain. Many of them are small and medium businesses, like so much of the Canadian economy.

I applaud the government for focusing its attention on creating legislation that will help strengthen Canada's critical infrastructure sector. I believe that with a few small modifications, there is an opportunity with this legislation to do more to support resilience among Canadian businesses and to strengthen the Canadian economy beyond the confines of the six critical infrastructure sectors referenced.

Others have spoken eloquently about privacy issues and about the real risks of attributing liability to our CISOs. All are very good points, which we support.

I want to talk about three cost-effective suggestions that are easily implemented and will have a significant impact on cyber-resilience throughout Canada.

First, the legislation should be amended to include language that encourages all organizations to voluntarily share cyber-threat information and to collaborate with others to build resilience. This can be done with the addition of language in the preamble and two small related changes. I'd be happy to provide the committee with some of the proposed text later.

The second change is to make membership in a Canadian cyber-threat information-sharing association an allowable expense for government programs. For example, Canada's industrial and technological benefits policy does not permit membership in an organization as an allowable inclusion. This change would incentivize companies to participate in a sharing and collaborative organization to raise their cyber-awareness and resilience in an ongoing way. It would be a small change with a significant impact at no cost to the government.

Third, this legislation requires only specified organizations to share cyber-incident information with their regulators or with the government. We have an opportunity here to create a legal environment that enables all companies, including those specified, to share information beyond what they are required to by law. The CCTX has Canadian members and Canadian companies whose American extensions are currently sharing information in the U.S. that they can't share in Canada because they are not protected by legislation. They are concerned about civil liability if they voluntarily share information that could help others prevent an incident.

The objective of Bill C-26 is to prevent further cyber-incidents. Mandated reporting of incidents is not enough. It will not protect enough organizations quickly enough. By adding protection from civil liability, this legislation could fix that. You could enable companies to share beyond what is strictly necessary to become compliant and improve the cybersecurity and resilience of the economy as a whole in a cost-effective, meaningful way. Without this protection, critical information will continue to be shared with organizations outside of Canada.

In creating and supporting the CCTX, Canada's business community continuously demonstrates its willingness and desire to share cyber-threat information and to share its expertise and experience to support Canadian businesses. Help it do more. Enable it to do more. If enacted as part of this legislation, these three changes will ensure a more secure supply chain for critical infrastructure, which is the focus of this bill, and for all Canadian businesses, large and small.

Thank you.

Thank you, Mr. Chair.

I'm CEO of Electricity Canada, formerly known as the Canadian Electricity Association. Our members are companies that generate, transmit and distribute electricity in every province and territory in Canada.

My comments today will focus on part 2 of Bill C‑26, which enacts the Critical Cyber Systems Protection Act.

Before I proceed, I want to acknowledge the efforts of federal departments in drafting Bill C-26 and the time spent engaging stakeholders over the past two years. The problems that the bill is trying to solve are hard ones, with lots of moving pieces and far-reaching implications against the backdrop of a constantly evolving threat landscape.

While I commend the efforts, I must add my voice to the witnesses you've already heard from who emphasized the importance of getting this legislation right. While we acknowledge the urgency to pass this type of legislation, it is crucial to carefully consider amendments and resist the pressure to rush through the review the bill.

Mandatory security requirements can help strengthen our overall security posture, but the approach taken by Bill C-26 risks having the opposite effect, adding very little security to our sector and redundantly adding additional layers of regulatory requirements. Today, I will highlight three areas where the legislation falls short and requires improvement.

First, the bill must align with existing regulatory frameworks. The electricity sector is unique in that the assets targeted by Bill C-26 are already regulated by the North American Electric Reliability Corporation, or NERC. This poses a risk of regulatory conflicts, increases the burden on operators and introduces compliance confusion and ambiguity, ultimately impeding the goal of Bill C-26 to enhance the safety of our critical system.

A witness last week recommended that the bill should take a risk-based approach and impose fewer requirements on those with already strong cybersecurity programs. Under this approach, mature organizations could spend more resources on incident prevention instead of compliance activities, and regulators could better focus their time on high-risk operators. Given our sector's strong security posture and the existing NERC standards, we feel that a risk-based approach to Bill C-26 would be a step in the right direction.

Another area needing improvement in the bill is its reporting requirements. The reference to the immediate reporting of cyber-incidents should be revised. Reporting obligations should not divert critical infrastructure operators from their response and recovery efforts during and post incident. Reporting requirements should be well defined and consistent and have a reporting timeline that is flexible enough to allow the effective use of limited resources during incident response and recovery.

Still on the topic of reporting requirements, the goals of the legislation would be better served if it included legal protection for operators. Safe harbour provisions are an important part of promoting information sharing between industry and government, ensuring the successful implementation of the new reporting requirements and promoting voluntary information sharing.

The final aspect I wish to address is the unintended impact of the bill on the existing industry-government collaboration. Imposing mandatory requirements may create a chilling effect on the industry's relationship with government departments and agencies. Without appropriate safeguards, operators would likely receive legal advice to share just enough information to comply with the act and nothing more.

This is counterproductive to the goals of the legislation, but there are a couple of things you could do to mitigate those risks. First, put clear limits on how the government can use the information collected by way of this act. Several provisions in the bill would allow for information sharing among a range of persons and entities, and it does not explicitly limit how recipients use the collected information.

Second, the cyber centre should be carved out from the legislation and exempt from obligations to report information obtained by way of the act to other entities. Critical infrastructure operators currently enjoy a positive and collaborative relationship with the cyber centre. This is grounded in the confidence that the cyber centre does not disclose operators' information to regulators, enforcement agencies or other departments. Protecting the cyber centre from information-sharing obligations is crucial to maintaining this collaborative relationship.

Many other aspects of Bill C‑26 also deserve our attention, but my time's up for this morning.

However, I encourage you to take a look at our brief, which contains 14 recommendations on how to improve Bill C‑26.

Thank you.