Public Safety Committee on Feb. 15th, 2024

I do not, but what I think Minister LeBlanc and I can commit to this committee is to ask our colleagues to follow exactly the same kind of procedure we will undertake, to confirm to the committee—

I suspect not, but again, we will endeavour to get back to the committee.

I'd like to give the rest of my time to Mr. Motz.

Thank you, Mr. Chair.

Thank you very much, Chair.

The national strategy for critical infrastructure lists 10 areas that are critical to the security of our infrastructure, yet this bill only talks about five or six of them.

Is there a reason we've left health, food, water, manufacturing and those sorts of things out of this bill, which are critically important to sustaining the safety of Canadians?

Obviously this legislation can only apply to federally regulated sectors. We as a government want to collaborate with partners in provinces and territories that, for example, would manage health systems. I identified that as a vulnerability. We can't legislate in that particular area. We would seek to sign agreements where possible with other partners.

What efforts have you or Mr. Champagne undertaken with provinces, territories, municipal governments and first nations governments to deal with these issues that are critically important so that they, too, are adequately secured from a cyber perspective in this case?

That's a very good question that you're asking, and as Minister LeBlanc said, we are in consultation with them.

I would say that those we have identified are also the backbone; the telecom system is an enabler of a lot of these other sectors of the economy. We initially targeted those that are providing systemic sustainment to some other field. At the end of the day, cybersecurity could cover a very wide area because, as I said, Canadians are impacted; SMEs are impacted, but those we have targeted in federal jurisdictions are kind of the backbone.

As Minister LeBlanc said, we are in discussions to see how we can do that, and we're certainly always looking to make sure that every sector that could be impacted by cybersecurity has adequate protection.

Thank you.

Mr. Gaheer, please.

You're right. This would set up a system, a regime of mandatory reporting. We recognize that it is a burden or a circumstance that we're imposing on private businesses, but for the reasons my colleague identified, these private businesses are increasingly the backbone of basic services that Canadians rely upon for the Canadian economy, for the safety and security of people in their homes, driving their cars.

While many will want to voluntarily report, the obligation to have mandatory reporting will, to Mr. Julian's point, give us data on exactly the nature and the number of these threats, but it will allow us to work with other businesses to better protect them as a particular defect is identified or a particular threat or activity is successful.

The objective will be to quickly work with other players in that sector or similar sectors to ensure that they have the best resiliency and the best protection possible.

Mr. Champagne had something he wanted to add to that.

I would like to say, to colleagues of the committee, think about the interconnectivity of that. When some telecom networks have gone down, in the case of natural disasters, it was related to a power outage. I think you cannot look at that in silos.

You have to take a systemic view. For example, if you had an attack on one system in the electricity network, that could well have an impact then on the telecom network because, without power and backup power, we may not be able to continue to function on the telecom network.

I think that's why you see this information that allows us to act very quickly to prevent a more systemic damage to interconnected networks. As I said, when you look at telecom, when you look at power, they are very connected. In all the disasters that we have had, and particularly in eastern Canada, when I talk to premiers, one of the things they mention is always power, because without power, the towers are not operational, even with backup power.

If we were to see an attack, a cyber-attack on the electric grid, we would want to know very quickly what impact that could have on the telecom network as well. Think about 5G with the Internet of things. If you have an attack on power, that could have a spillover effect in so many other ways. Colleagues were mentioning health, hospital functioning and equipment in hospitals. This is a systemic view of how to protect Canadians.

Thank you.

During the course of this committee, we've heard a lot about the transparency of the powers that are included in this bill on the use of those powers. Would the government be open to some sort of reporting of the number of orders that are issued under this bill for transparency, while protecting security details?

That again is a good suggestion. We would want to take the advice from the chief of the CSE or the director of CSIS or other senior officials who have in many cases under law the responsibility to protect this information.

This is a discussion we're having with the foreign interference judicial inquiry: What's the best way to share with Canadians the nature of the threat of foreign interference? To use a similar example, cyber-attacks, many of them originating from foreign state actors, hostile state actors, might be a similar context.

The necessity to protect this information is precisely not to enable other hostile actors to have a nice road map into how to infect an electricity delivery system in Montreal or a health care system in some province. I have confidence in the officials who will do this work to respect the Charter of Rights and to respect the Privacy Act.

Again, at this committee, I'm happy to make officials available to work with you to understand the nature of that reporting requirement, but if there were sort of an aggregate report that x number of orders were issued in a particular year.... I would be happy to work with the committee, but I'm not an expert.

There's something called the “mosaic effect”, as I've learned from the director of CSIS. Sometimes if you release certain pieces of information it appears innocuous in one particular context, but a hostile state actor, who may be deciding to do something very dangerous to Canadians, is in a position to piece together various pieces of public information and come to a conclusion—even if it's the wrong conclusion—and may not necessarily be bound by the responsibility to get beyond a reasonable doubt.

I just want to make sure that it's not interconnected and we're not committing to something that would be dangerous, but I'm happy to work with the committee.

Thank you.

We're moving now to the third round.

We're starting with Mr. Motz, please.

Thank you very much, Chair.

Again, Ministers, we've heard from various witnesses here at committee through their written submissions that there are many flaws with this bill as written and tabled: overreach, lack of accountability and transparency.

Did you consult others on this bill? Obviously, it appears that maybe you didn't listen to the consultations.

There was a wide consultation, and I would say, Mr. Motz, think about the danger of inaction as well. I respect the views of everyone, but the threats we've been talking about are in the telecom sector, the energy sector, financial services and transportation. If you look at our peers in the world, I think it's the responsible thing to do for Canadians to have these powers.

Like I said, in the telecom sector, as you will recall, we've been able to get a voluntary commitment, but I think that Canadians watching at home would want to make sure that government would have powers to compel the right thing to do to protect systemic failure that could happen to our fibre networks—

Thank you, Minister. I apologize.

I'm going to turn my remaining time over to Mr. Lloyd.

Thank you.

The Auditor General, in her recent ArriveCAN report, has made some damning revelations about cybersecurity related to your department, as follows: “There were deficiencies in the testing of the ArriveCAN application” and “Cybersecurity testing completed by resources” that were “not security-cleared or identified on task authorizations”. Further, the Auditor General found that some of the “resources that were involved in the security assessments” did not have the proper “security clearance”.

Minister, how can we be assured that your government has the security of Canadians as their highest priority when companies that are being contracted to provide cybersecurity on your priorities are not even being cleared for security clearance? Can you guarantee to Canadians that none of their personal information using the ArriveCAN app was compromised by these companies that did not have security clearance?

We obviously were concerned with those Auditor General findings. My discussions with the president of the Border Services Agency have reassured me that she—before the Auditor General's report, as you know, the procurement ombudsperson also looked at this—has put into place a series of measures that will not allow that circumstance to happen.

I appreciate that going forward, Minister, but can you guarantee that Canadians' personal information was not compromised by these companies that did not have security classifications to provide cybersecurity testing on the ArriveCAN app? Can you tell Canadians that their information was not compromised?

What I can tell Canadians is that our government and organizations like the CSE, which would have an overarching responsibility around the protection of federal IT systems, are very effective at doing everything we possibly can to protect all systems that would contain the personal data of Canadians.

None of this work is perfect, and that's precisely why we work with allies around the world, the Five Eyes. That's precisely why this mandatory reporting will be an important—

Minister, are you investigating whether this possible information was compromised?

All of the circumstances around the ArriveCAN app, the development of that and the role of some private contractors, are being investigated. Also, as I say, I have every confidence that those incidents identified by the Auditor General have been corrected.

I'm reminding the committee that in the context of those first months of COVID, there was, across governments across the country, provincial governments—I was the Minister of Intergovernmental Affairs—a rush to do what was necessary—

There's no excuse when Canadians' private information is put at risk.

Thank you.

We're moving on to Mr. Bittle for four minutes.