Public Safety Committee on Feb. 12th, 2024

Are you talking about the confidentiality of the order, or the confidentiality of information supplied?

That's a good question. We're definitely sensitive to that. Definitely, there are circumstances where there may be legitimate reasons why portions of an order or in some cases the entire order needs to be kept secret.

The way we look at it is that secrecy should be the exception rather than the norm. That's where I think it's appropriate to have.... Any judgment or requirement to keep an order confidential should be tested. It should go to a judge in order for the government to provide the evidence of why it should be kept confidential, so that there's the opportunity to test that assumption.

There already are existing mechanisms in situations or court hearings where there is confidential or secret information that can't be made public or shared with the target. A special advocate who has the required security clearance can question the government, test the evidence and test the assumptions that were made. It's not a perfect situation, but it at least provides some mechanism by which the government's evidence can be tested.

Certainly. Right now, the way it's worded is that, if the minister believes it's necessary to do or not do something.... I think it's important to require that the order be made only after consulting prescribed expert bodies. That could be a C-stack, for example. It could be other cybersecurity bodies within the government. It's to determine not only whether there's a security threat, but whether the order is proportionate and balanced.

Let's face it, our communications systems are very complex. It may seem easy to say to remove this equipment or do something, but we want to make sure that experts, including the targets of the orders, if appropriate, can advise the government of what some unintended consequences could be to the system, or even the viability of some of the smaller providers who are asked to comply with those orders. That's a very important requirement that should be in the legislation.

We're not saying that they should be indemnified. It could be just a drafting issue, but the legislation right now says that providers are not entitled to compensation. That's open to interpretation. Does that just mean they don't have a right at law of compensation, or does that mean they cannot be compensated?

What we're suggesting is that there should be discretion for the minister or the Governor in Council to award compensation on a case-by-case basis and that providers who are impacted by those orders should be able to make representations as to whether or why they should receive compensation.

For example, in the United States, the government set up a multi-billion dollar fund to help a certain class of providers remove Chinese-supplied equipment from their infrastructure.

Sure. It's kind of a puzzling thing for us in the legislation, because all other affected parties in the legislation are able to show.... If they're alleged to have committed a violation, a defence could be that they've done everything reasonably possible to avoid making that violation. It could be, for example, that the government says that you must replace this equipment in your infrastructure with equipment from somewhere else, and it's not even available on the market.

For whatever reason, the legislation says that we're the only parties that are not entitled to make that defence.

It's a very good question.

One of the things is that our members have very robust cybersecurity processes already, and, as Mr. Ghiz mentioned in his remarks, they already collaborate deeply with government. Many of the things that could come about as a result of Bill C-26 are things that the industry is already doing. There is CSTAC, the Canadian security communications advisory committee, which puts out best practices and guidance, etc., for all the telecommunication service providers. Bill C-26 could allow the minister to actually order specific practices, for example input.

In terms of the regulatory burden, I don't know of any industry that welcomes additional regulations, as it does add some burden. Again, our members already have robust practices, so I think the additional burden is mostly around things like the reporting requirement. That's where the legislation could require some improvements. It says that we must “immediately report” an incident. Well, “immediately” is right away, and you wouldn't have enough information to even know if you'd had an incident. Some of those things can be improved.

I hope that has answered your question.

I will confirm the view given by the Office of the Superintendent of Financial Institutions, that we do treat the reporting as mandatory.

I want to clarify a couple of things. One is that the reporting that goes to OSFI is for technology and cyber. If there's a technology incident, even if it's not cyber-related, or if you think of some sort of infiltration into your system, that is reported, because what OSFI is very concerned about is the resilience of our systems in being able not just to secure but also to deliver our services.

When you look at that type of reporting, it's intended to help identify areas of potential concern so that can then be shared back and people can have stronger systems. That's now being done within silos. We do that with OSFI.

The whole point of this legislation is to identify the critical sectors and say that the major players in these sectors, because of what they represent to the security of our whole ecosystem, should be reporting to one central location, so that you're not only hearing what's happening here but you're hearing what's happening in that sector, and we can identify if there's a shared concern, if there are learnings there and if somehow what's going on is connected.

A key part of this legislation is really to improve the available information to help combat cyber-threats. That's definitely a positive that we see, and that's why we've encouraged you to go even broader and allow voluntary sharing at all levels within the ecosystem. That's very positive. Also, there's the fact that we do our cybersecurity planning, and others do their cybersecurity planning, and now that will be validated and centralized so that, again, we can look for learnings about different things in different jurisdictions.

Unlike the financial individual who was on earlier, we're not a regulator and we're not privy to the private information of our members. Unfortunately, I don't have that information.

In terms of private, personal business within, no, we're not privy to the information.

They do that with themselves and with government through CSTAC. It's not through our association that this would happen.