Public Safety Committee on Feb. 15th, 2024

That's very much at the heart of the exercise that I think all of us are trying to achieve in Bill C-26.

Our federation gives our partners in provinces and territories jurisdiction over things as important as health care systems and highway infrastructure. We're all thinking of examples where these particular critical infrastructure sectors can be subject to these cyber-attacks. I've spoken to mayors of cities. Saint John, New Brunswick, it was reported—a small Canadian city—was subject to a pretty concerning cyber-attack.

The only way we're able to do that work is in partnership with provinces and territories and, of course, they are responsible in the case of municipalities as well. We would be wide open to signing agreements with provinces and territories. We think Bill C-26, if it's adopted and receives royal assent, can be a model for some other provincial legislation that should be companion pieces to this federal legislation.

As colleagues would want, we're always looking to respect provincial jurisdiction.

This is certainly a priority for us. However, we won't shy away from being a partner and a leader or from sharing information, as long as it's safe to do so. We'll be signing agreements with the provinces specifically to enable us to share information.

That said, we acknowledge that urgent situations arise in areas of provincial jurisdiction. That's why I gave the example of Newfoundland and Labrador. At the time, the premier of Newfoundland and Labrador told us that the province was completely overwhelmed in terms of resources. He asked the Government of Canada to step in. Of course, we did everything possible at the time to help them resolve the situation.

Thank you very much.

Either of you might like to answer this question.

This bill is one piece of Canada's effort to improve cybersecurity. Can you comment on the pressing need to ensure we have programs and legislation in place to keep Canadians' information and critical infrastructure secure and what else, if anything, we're doing on that front?

Actually when we look back, we've been doing a lot. The work of this government started back in 2013 with the establishment of the security review program. Then in 2018 we released the national cybersecurity strategy. In 2019 we saw significant investment, north of $100 million, to develop a critical cyber-systems framework. In 2021 we did the interdepartmental 5G security examination.

I would say what is very compelling is that in May of 2022 we indicated very clearly that it would no longer be Huawei or ZTE equipment in one of our most important networks, which is the telecom network in this country.

I think you've seen, at every step of way that, along with the Department of Public Safety, we have been trying to stay ahead of the game, because in matters of cybersecurity, malicious actors will always try to catch up, one way or another. We have been working with our Five Eyes partners, working with our G7 partners and working with allies around the world to make sure we identify the threat, we disrupt these malicious actors and we protect our critical network.

The piece we have in front of us is essential for Canadian businesses, particularly for the sectors that are being protected. I would come back again to the point that the telecom network is one of those, because with the Internet of things and 5G, this is going to be everywhere. That's why the work of the committee is so important today.

Thank you.

We'll move to Ms. Michaud.

Go ahead, please.

Thank you, Mr. Chair.

The issues that often came up during the consultations held here in the committee obviously concerned transparency and privacy.

Some colleagues have already addressed these issues. According to the Office of the Privacy Commissioner of Canada, it might be a good idea for the government to consult the office before making any decisions on Bill C‑26. Perhaps this would reassure Quebeckers and Canadians.

Obviously, Bill C‑26 currently doesn't set out a time frame from when the government accesses personal information held by companies, for example, to when it deletes this information under the bill. We also know that there are many data leaks, and that the government isn't necessarily immune to these leaks either.

How can we strike a balance between the right to privacy and the highly confidential power grabs and orders?

Where does the balance lie in all this? How can you reassure Quebeckers, Canadians and SMEs?

First, the powers granted are meant to ensure the security of designated systems. The objective is clear, and it's security. In the event of a cyber attack, which could affect everything from telecommunications and banking to the country's transportation network, you'll understand the urgent need to act.

It's just as urgent to take action when natural disasters strike or, to use the example of Rogers again, when 12 million Canadians don't have access to any payment system in the country.

For all these reasons, we're looking for the right balance. I understand the desire for consultation. Take the example of a cyber attack on 5G technology, which could affect all systems. If we were to publicize the details of the failure involving a player in the industry, this could encourage bad people to pounce on the breach. This would increase the systemic risk.

I think that we're trying to strike this balance. The proposed powers are tied to a clear security objective. Administrative law applies, along with judicial review and the Canadian Charter of Rights and Freedoms, for example.

Thank you.

Mr. Julian, go ahead, please.

Thank you, Mr. Chair.

The Auditor General's report on the ArriveCAN application speaks specifically about this bad practice for handling confidential information.

This is something we need to learn from.

On Bill C-26 we've had testimony from The Citizen Lab at the University of Toronto. One of the recommendations was that relief should be available if the government mishandles confidential, personal or de-identified information, and that the legislation should be amended to enable individuals and telecommunications providers to seek relief if the government has mishandled that information.

I'll direct this question to Minister LeBlanc.

Do you believe that it's appropriate that we incorporate into that legislation lessons learned from ArriveCAN?

It is absolutely, because I, like all my colleagues and I think all Canadians, have taken notice of the Auditor General's findings. I was also briefed on other internal review processes before the Auditor General's report, and all of that makes me think that this is an opportunity to avoid exactly some of those concerns. We have explained the context in which these things were developed. It in no way justifies the financial circumstances around that or perhaps more importantly the protection of the personal information of Canadians.

If the committee has suggestions around an appropriate way to ensure there is a positive obligation on the Government of Canada to ensure that those circumstances identified by the Auditor General are never repeated, we would welcome exactly that kind of work.

We also had a recommendation to prohibit the disclosure of personal or de-identified information to foreign organizations. That came from the coalition.

Is that a recommendation you support?

I also took note of that recommendation. I would want to hear from some of the heads of our security agencies such as CSIS or the Communications Security Establishment on, as we said in a number of answers to colleagues' questions, the ability to effectively partner with allies, particularly the United States in this context. They have amongst the most sophisticated cyber-defence systems in the world. We need to learn from them. That does not mean we're callous or that we mishandle the personal information of Canadians. It would have to be subject to applicable laws and the Charter of Rights.

If the committee wants to look at that, I would make myself available. The committee will make its own decisions in terms of amendments of course. I am not an expert in determining the appropriate balance of sharing with foreign partners. I think we have to allow for some of that. We have to ensure that it's properly framed and that the right protections are there for the private data of Canadians. I think if we're going to undertake this effort successfully in terms of securing critical infrastructure, it will come full circle, because to some extent we're also securing the private data of Canadians that is held by private sector actors right now. I think of what my bank would have in terms of financial information on me or on any of us. They take that very seriously of course, but is there a way for the Government of Canada to partner with them?

It comes full circle. I'm looking at Mr. Julian, whom I've known for a long time. He will be concerned about the balance in that work, as am I. If the committee wants to find the right way to ensure that we get that balance, I'd be happy to work with the committee and to make sure experts who may have views much more informed than my own would be able to provide that perspective.

Thank you.

Before we suspend, I would ask you to bear with us, witnesses. I appreciate you coming in here today with your teams.

Members, up next we do have witnesses, some of whom we have seen for a technical briefing and have asked questions to. We do have some committee business that the clerk needs to have verified by us as a committee. If you feel we've had enough questions relevant to this today with the ministers, I would ask for unanimous consent to allow the ministers and the next witnesses to leave so we can do our committee business and move on.

Is everybody okay with that?

Mr. Chair, I would like to get just one quick round in with the witnesses. Then we can move onto committee business quickly.

All right. We'll suspend for five minutes.

Thank you.

I would like to welcome the additional officials who have joined us.

From the Department of Industry, we have Wen Kwan, senior director, spectrum and telecommunications sector; and Andre Arbour, director general, strategy and innovation policy sector.

We're going to go to about three minutes each, if we can. If we need to shorten it up, we will.

I will start with Mr. Lloyd, please.

Thank you, Mr. Chair. I'll keep this really quick.

Thank you, officials, for coming.

There's been some concern by some of the witnesses that this legislation, while increasing costs to prevent cyber-attacks and preserve their cyber-infrastructure, will lead to a drastic increase in compliance costs.

If you know what the estimated increase in compliance costs for all the industries affected by this bill will be, can you tell this committee today? If not, I'd like to get a commitment that you would send that information to this committee before we start our clause-by-clause consideration.

But you don't have that answer right now.

I understand.

I just want to know what those estimated costs are—

On a point of order, Mr. Chair, in all fairness, at this committee the questioner asks a question, and you give a chance for the witness to answer. It's not right to cut them off.

Mr. Lloyd.

A yes or no question doesn't require that much time, Mr. Chair.

To the witnesses, I'd also like it if you could provide this committee with information on any estimates on the net increase in full-time equivalents that the government would possibly need to hire in order to administer the provisions under this legislation.

Do you have that information on you now? If not, can you commit to this committee to get us that information?

Thank you. That's my last question.