Evidence of meeting #94 for Public Safety and National Security in the 44th Parliament, 1st Session.

Also speaking

Philippe Dufresne  Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
Tolga Yalkin  Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions
Kate Robertson  Senior Research Associate, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual
Robert Ghiz  President and Chief Executive Officer, Canadian Telecommunications Association
Angelina Mason  General Counsel and Senior Vice-President, Legal and Risk, Canadian Bankers Association
Andrew Clement  Professor Emeritus, Faculty of Information, University of Toronto, As an Individual
Eric Smith  Senior Vice-President, Canadian Telecommunications Association

5 p.m.

NDP

Peter Julian NDP New Westminster—Burnaby, BC

We're basically seeing an incident of that magnitude every two weeks or less at this point. Are you concerned about that number growing? As some witnesses have indicated, if we don't put in place protections, for example with Bill C-26, Canadian financial institutions may increasingly be targets.

5 p.m.

Assistant Superintendent, Regulatory Response Sector, Office of the Superintendent of Financial Institutions

Tolga Yalkin

We are concerned with that number growing. We're tracking it very carefully, and we are eagerly watching to see whether or not the trajectory continues to grow. This is an area of risk for financial institutions. We've outlined it in our annual risk outlook, published on our website, and cyber-risk and cyber-attacks would constitute an element of that.

5 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you. If there's information that you feel Mr. Julian would like to have as part of his question, please forward it to him.

I want to thank all the guests for today. We appreciate your valuable time. It's a very important topic.

We're going to suspend for about five minutes until we get set up for the next guests.

Thank you.

5:05 p.m.

Liberal

The Chair Liberal Heath MacDonald

I would like to welcome our second panel of witnesses.

In person, we have Eric Smith, senior vice-president, and Robert Ghiz, president and chief executive officer, Canadian Telecommunications Association. By video conference, we have Angelina Mason, general counsel and senior vice-president, legal and risk, and Charles Docherty, assistant general counsel and vice-president, legal and risk, Canadian Bankers Association. As an individual, we have Andrew Clement, professor emeritus, faculty of information, University of Toronto.

Up to five minutes will be given for opening remarks, after which we will proceed with rounds of questions.

We will start with you, Mr. Ghiz.

5:05 p.m.

Robert Ghiz President and Chief Executive Officer, Canadian Telecommunications Association

Thank you, Mr. Chair.

Good evening. As said, my name is Robert Ghiz. I'm the president and CEO of the Canadian Telecommunications Association. I'm joined today by our senior vice-president, Eric Smith.

The Canadian Telecommunications Association is dedicated to building a better future for Canadians through connectivity. Our association includes carriers, manufacturers and other companies that invest in Canada's world‑class telecommunication networks.

We appreciate the opportunity to speak to you today about our association's views on Bill C‑26.

The security of Canada's telecommunications system is of the utmost importance. Our members recognize that their services are critical to the social and economic well-being of Canadians, as well as to their security and safety. Accordingly, our members invest significant resources to safeguard their systems and infrastructure from cyber-attacks and other threats.

Members also actively participate in the Canadian security telecommunications advisory committee, or CSTAC, which facilitates the exchange of information between the private and public sectors, as well as strategic collaboration on current and evolving issues that may affect telecommunications systems, including cybersecurity threats. In addition to providing connectivity services, many of our telecommunications service providers also deliver cybersecurity solutions to businesses across the country, helping them protect their operations against cyber-attacks.

In other words, our industry takes security seriously and is committed to the security of the Canadian telecommunications system. As such, we share the Government of Canada's objective of protecting critical infrastructure from cyber-attacks and other threats.

However, Bill C-26 in its current form raises some concerns. We have outlined our concerns and proposed amendments to the legislation in a written submission to the standing committee. I will mention a few of them, all of which pertain to part 1 of Bill C-26 and the proposed amendments to the Telecommunications Act.

First, the bill gives the minister very broad order-making powers that lack appropriate checks and balances. Given the extremely broad scope and potential impact of these powers, the proposed legislation should be amended to impose conditions on exercising them. Specifically, orders should not only be necessary in the opinion of the minister but also reasonably necessary—in other words, proportionate to the potential harm of the security risk and reasonable in the circumstances. The legislation should also require that orders be made only after the minister has consulted with prescribed experts to ensure they are proportionate to the risk posed, have a limited impact on service availability and are economically and operationally feasible for affected service providers.

Second, while orders made under the bill are subject to judicial review, the legislation provides that a judge can base his or her decision on evidence the applicant is not allowed to see and therefore cannot challenge. This process makes no effort to provide for alternative means of testing the government's evidence, including the appointment of a special advocate with the appropriate level of security clearance.

Third, Bill C-26 does not include a due diligence defence for alleged violations of orders made pursuant to the proposed new sections of the Telecommunications Act, even though a defence of due diligence is available for other violations of the act, as well as for violations of orders by others under the rest of Bill C-26. The absence of a due diligence defence is even more striking given that the legislation seeks to introduce significant monetary penalties. Telecommunications providers should have the right, as afforded to others under Bill C-26, to avail themselves of a due diligence defence in appropriate circumstances by demonstrating they took all reasonable care in the circumstances to avoid the alleged violation.

Lastly, part 1 of Bill C-26 should be amended to make clear that compensation may, at the discretion of the government, be awarded for any financial expenditures, losses and costs resulting from complying with an order.

Thank you for giving us the opportunity to share our views on this key issue. We look forward to answering your questions.

5:10 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Mr. Ghiz.

I now invite Ms. Mason for her opening statement.

5:10 p.m.

Angelina Mason General Counsel and Senior Vice-President, Legal and Risk, Canadian Bankers Association

Thank you.

Good evening.

I would like to thank the committee for inviting us here today to provide our views on part 2 of Bill C-26, an act to enact the critical cyber systems protection act.

My name is Angelina Mason, and I am general counsel and SVP of legal and risk at the Canadian Bankers Association. I am joined by my colleague, Charles Docherty, assistant general counsel and vice-president, legal and risk.

The CBA is the voice of more than 60 domestic and foreign banks that help drive Canada's economic growth and prosperity. The CBA advocates for public policies that contribute to a sound, thriving banking system to ensure Canadians can succeed in their financial goals.

Banks in Canada are leaders in cybersecurity and have invested heavily to protect the financial system and the personal information of their customers from cyber-threats. We are also a highly regulated industry and comply with robust requirements from the Office of the Superintendent of Financial Institutions in respect of cybersecurity risk, supply chain and third party risk management, and incident reporting.

The security of Canada's critical infrastructure sectors is essential to protect the safety, security and economic well-being of Canadians. The banking industry counts on other critical infrastructure sectors, such as telecommunications and energy, to deliver financial services for Canadians. We have encouraged the government to leverage and promote common industry cybersecurity standards that would apply to those within the critical infrastructure sectors, and we support the government's efforts to achieve this under the act. We recognize that critical infrastructure, such as energy, crosses jurisdictional boundaries. We have also recommended that the federal government work with provinces and territories to define a cybersecurity framework across all critical infrastructure sectors.

Having consistent, well-defined cybersecurity standards will provide for greater oversight and assurance that these systems are effective and protected. Protecting against state-sponsored and other threat actors requires a coordinated approach between the government and the private sector. The government can play a pivotal role in bringing together critical infrastructure partners and other stakeholders and building upon existing efforts to respond to cyber-threats.

While recognizing the importance of the act, we need to get this right. Some of the proposed provisions need to be better tailored to address operational and other risk concerns, including being able to leverage existing robust requirements of specific sectors, like banks, to mitigate duplicative or inconsistent requirements, providing greater safeguards for the protection of confidential information, and improving the threshold and timing for cybersecurity incident reporting.

In addition, there should be appropriate guardrails for the invocation of the government's very broad powers under the act. Consistent with other legislation, the act should also include safe harbour provisions that provide designated operators immunity from civil and criminal proceedings for good-faith compliance with the act's reporting requirements and cybersecurity directives.

Looking beyond mandatory incident reporting, the act should also support broader voluntary sharing of incidents, cyber-threat information and expertise about cyber-protection with the Communications Security Establishment and among classes of designated operators, while also including safe harbour provisions to enable this sharing without creating additional risk. Effective sharing of this type of information is a critical component to cyber-resiliency and should be fostered through the act.

Finally, we believe it is necessary to allow the CSE and CSIS to share relevant intelligence and information with designated operators of critical cybersecurity infrastructure in Canada to help them effectively prevent and mitigate cybersecurity incidents.

We will be following up to provide the committee with additional written details on these recommendations. We want to work collaboratively with the government and with other sectors to ensure that Canada remains a safe, strong and secure country.

We look forward to your questions.

5:15 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Ms. Mason.

Now we'll move on to Professor Clement for his opening remarks.

5:15 p.m.

Professor Andrew Clement Professor Emeritus, Faculty of Information, University of Toronto, As an Individual

Thank you, Mr. Chair and committee members.

I am Andrew Clement, a computer scientist and professor emeritus in the faculty of information at the University of Toronto. I co-founded the interdisciplinary Identity, Privacy and Security Institute there.

For the past decade, I have focused on the privacy, security and surveillance aspects of Internet communications. Currently, I co-lead a project with the Canadian Internet Registration Authority on Internet measurement aimed at advancing Canadian cybersecurity, resiliency and sovereignty. The project is funded through Public Safety Canada's cybersecurity co-operation program. Beyond an annual $1,500 honorarium, I receive no funds from either CIRA or Public Safety. While I endorse CIRA's submission to your committee, I am speaking here in a personal capacity.

I strongly endorse the recommendations in the submission by the Citizen Lab and the joint submission by several civil society organizations. Both of these submissions draw heavily on the fine report by Dr. Chris Parsons, “Cybersecurity Will Not Thrive in Darkness”.

There is no debate over whether Canada needs a stronger regime for securing our critical cyber infrastructure. Bill C-26 contributes to establishing a worthy cybersecurity regime. However, it needs substantial amendment to ensure that the sweeping and secretive powers it grants the government do not override other equally vital values, such as privacy, freedom of expression, judicial transparency and government accountability.

For better and worse, the government's leading agency for ensuring cybersecurity is the Communications Security Establishment. It faces a vital and remarkably difficult task. Fortunately, it appears to be staffed by dedicated experts. However, unsurprisingly, given its origins in wartime signals intelligence, CSE operates with an extraordinary degree of secrecy and boundless appetite for data collection. This is quite justified in some areas of its mandate, but as its capabilities have grown to include extensive surveillance of domestic communications, CSE needs to be much more open and publicly accountable.

In 2013, Snowden documents—notably, about CSE's “CASCADE: Joint Cyber Sensor Architecture”—indicated that the agency was embedding extensive interception capabilities within the Internet infrastructure able to capture a very large portion of Canadians' Internet communication.

While CSE is legally prohibited from directing its activities at Canadians, its capabilities of full take of content and metadata, mass surveillance, and the “incidental” bulk collection of personal and even intimate information on every Canadian Internet user pose a significant challenge to privacy rights and democratic governance more generally.

Renowned cybersecurity expert and director of the Citizen Lab, Ron Deibert, noted the following in 2015: “These are awesome [surveillance] powers that should only be granted to the government with enormous trepidation and only with a correspondingly massive investment in equally powerful systems of oversight, review and public accountability”.

Basic questions here are whether the government should make Canadians aware of this mass surveillance, provide them with robust assurances that this bulk collection is necessary, proportionate, and safe, and offer them an opportunity to decide collectively whether such practices are acceptable or not.

As mentioned by previous witnesses, a key concern with Bill C-26 is its failure to restrict the CSE's use of the information it collects under its extensive new Bill C-26 powers. As Kate Robertson made clear earlier, based on NSIRA reporting, if it is not explicitly prohibited from doing so, the CSE will consider itself authorized to use this information across any of its mandates. This accountability deficit must be fixed before granting CSE new powers under Bill C-26.

Privacy is a fundamental human right. It is essential that Bill C-26 be amended to explicitly define personal and de-identified information as confidential and to ensure that the government obtains a court order before requiring its disclosure. The government must not be allowed to use its sweeping new powers to undermine privacy, such as by weakening encryption or communications security. Data retention periods must be attached to the information it collects.

Before closing, I'd like to briefly raise an issue that is missing from Bill C-26, one that your committee has previously considered important—namely, how the government should handle cybersecurity vulnerabilities. Where Bill C-26 requires telecommunications service providers to conduct assessments to identify any vulnerability in their services—

5:20 p.m.

Liberal

The Chair Liberal Heath MacDonald

Mr. Clement, perhaps you could wait and maybe we'll get that feedback through questions. We're over our time.

I'm going to move on now to Mr. Motz, for six minutes.

February 12th, 2024 / 5:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you very much, Chair.

Thank you to the witnesses, both here and online.

The first question is for all three groups.

I've been here since 2016, and during that time I've seen this government constantly attempt to use legislation to give itself excessive power and to avoid accountability. I think back to Bill C-59, the so-called National Security Act, 2017. As well, there have been their attempts during COVID to have over two years of unquestioned authority to spend taxpayers' money without accountability; their attempts to control what Canadians see and say on the Internet through Bill C-11 and Bill C-18; and of course their unprecedented use of the Emergencies Act in 2022, which the Federal Court has just recently, as you know, ruled as being illegal and unconstitutional. The pattern with this government and their legislation should concern Canadians.

Given the organization that each of you represents, and given Professor Clement's research, does this bill as it currently reads not give you pause, especially when it comes to legislating powers that limit Canadians' fundamental rights and privacy?

Ms. Mason, I'll start with you. It's nice to see you again, after seeing you at the Emergencies Act committee. This time, we're hoping to do something pre-emptive as opposed to trying to fix it after the fact, as we tried to do the first time. Could you answer that?

Could all three of you, in your responses, further to what you may have already suggested, suggest how the committee should address the concerns that Canadians have and that you have with those shortcomings?

5:25 p.m.

General Counsel and Senior Vice-President, Legal and Risk, Canadian Bankers Association

Angelina Mason

As we mentioned in our opening remarks, we do need appropriate guardrails. You have to introduce the notion of proportionality. Right now, the powers with respect to cybersecurity directives are so broad that we're not even quite certain just how far those directives could go.

We definitely think the legislation needs to build in appropriate guardrails so that all participants can feel comfortable that the government is acting within a reasonable space.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Mr. Clement, go ahead.

5:25 p.m.

Prof. Andrew Clement

In addition to proportionality, which has been mentioned several times, much greater transparency about the operations of the security agencies and the measures that are being taken is required. At this point, we do not have that kind of transparency.

There have been many recommendations, particularly those within the reports I mentioned earlier, that address greater transparency so Canadians can know what's going on. Those would achieve a much better balance. At this point, Bill C-26 is not balanced in terms of those abilities.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Okay.

Mr. Ghiz, go ahead.

5:25 p.m.

President and Chief Executive Officer, Canadian Telecommunications Association

Robert Ghiz

Thank you.

I think, as I said in my opening statement, we all agree that the premise of this bill is important and something that we do need, but when it comes to transparency, accountability and judicial rights, there are some areas that need to be tidied up. I think those are the main areas.

In the submission we sent in, we included specific amendments. I think part of parliamentary democracy is that this committee will have the opportunity to introduce amendments and hopefully send the bill back to the House having been improved from what it was when it arrived.

5:25 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you to all three of you for that response.

We've heard repeatedly the terms “overly broad”, “proportionate” and “reasonableness”.

Ms. Robertson from the Citizen Lab, in the previous panel, said that we need to make the right decision now, and that's critical. I agree with her recommendation to have appropriate judicial oversight.

That being said, how would each of you, from the three groups, suggest that we achieve the appropriate balance between judicial oversight and the protection of privacy rights? How do we strike the right balance between protecting critical infrastructure and acting expeditiously, in some circumstances, on what the banking industry would call a priority one critical infrastructure breach? How would we go about protecting that infrastructure as well as the public and their information in those situations, when doing so is warranted?

I'll start off with Mr. Smith and then go to Mr. Clement and Ms. Mason.

5:25 p.m.

Eric Smith Senior Vice-President, Canadian Telecommunications Association

We're certainly not suggesting that there be judicial oversight over every aspect of the decision-making process before the decision has been made. Certainly, there needs to be judicial oversight for rights of appeal, rights for the targets of an order to be able to question the order and to challenge whether it's proportional and appropriate.

When the Privacy Commissioner was here, he talked about consultation in terms of making sure that privacy rights were respected. Depending on what aspect of the bill we're looking at, the role of the judiciary will vary. It's all part of what most witnesses are saying. Checks and balances need to be there.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you.

Mr. Clement.

5:30 p.m.

Prof. Andrew Clement

One of the things that could be improved—and it was raised by Kate Robertson—is the role that NSIRA, the National Security and Intelligence Review Agency, can play. It's very concerning that it has reported repeatedly that it has not been able to establish that CSE has been operating legally, because it hasn't had access to the information it needs to make that assessment. That's very concerning.

Something in the bill, a recommendation that provides that transparency and that enables NSIRA to get access to that information, would be valuable.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Ms. Mason, can you comment quickly? We're just about done.

5:30 p.m.

General Counsel and Senior Vice-President, Legal and Risk, Canadian Bankers Association

Angelina Mason

It's providing thresholds of when orders would even be considered.

We're quite concerned, because if you are an operator and you're dealing with your situation, you're doing your darnedest to make sure you're bringing it under control and doing the right things. At what point does the government then step in? Is it privy to knowledge that you don't have? What is it asking you to do? Is it reasonable?

To me, there should be thresholds, particularly when the operators themselves are doing their work in trying to manage the situation.

5:30 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Thank you.

5:30 p.m.

Liberal

The Chair Liberal Heath MacDonald

Thank you, Mr. Motz.

We'll move on to Mr. McKinnon, please.

5:30 p.m.

Liberal

Ron McKinnon Liberal Coquitlam—Port Coquitlam, BC

Thank you, Mr. Chair.

I'm going to start with the Canadian Telecommunications Association.

We've certainly heard a lot about the order-making powers of the minister and the concern about confidentiality. I think these are legitimate concerns. I'm wondering, first of all, if you can give us any insight. Do you have any idea what sorts of orders these might be? Can you anticipate the sorts of orders that might come, or is that too speculative?