Public Safety Committee on Feb. 15th, 2024

I will with pleasure, Mr. Chair—with a lot of pleasure.

Thank you, Mr. Chair.

Thank you, colleagues, for inviting me to speak about Bill C‑26, which pertains to cyber security.

I am pleased to be here with my colleague François Philippe Champagne and the other officials kindly named by the Chair.

Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems. Canada's critical infrastructure plays a vital role in the delivery of essential services and the necessities of daily life. In order to safeguard our economic and national security, we need to take a more complete picture of the cybersecurity threats facing Canadians. We believe that Bill C-26 would be an important step in accomplishing that task.

This proposed legislation will protect Canadians and bolster cybersecurity across the federally regulated financial, telecommunications, energy and transportation sectors. These sectors are all critical contributors to both Canada's economy and the security of Canadians. Because of their vitality, they are also, obviously, attractive targets for malicious cyber-enabled activity, such as espionage, data and intellectual property theft, and of course sabotage itself.

These concerns are not just hypothetical. Recently the Canadian Centre for Cyber Security joined Five Eyes' operational partners in warning that People's Republic of China state-sponsored cyber-actors are seeking to pre-position themselves for disruptive or destructive cyber-attacks against the United States' critical infrastructure in the event of a major crisis or conflict with our neighbour to the south.

Cyber incidents are happening in our critical infrastructure sectors on almost a daily basis. In January 2023, CBC News reported that a territorial and Crown corporation, and the sole energy distributor in Nunavut, fell victim to a cyber-attack. In June of last year, the Calgary Herald reported that Canadian energy company Suncor suffered a serious cyber incident that shut down debit and credit processing at Petro-Canada gas stations across the country. We all remember the cyber incidents that paralyzed the Newfoundland and Labrador health care system in 2021.

Bill C-26 would help to defend our critical infrastructure and the essential services that Canadians and Canadian businesses rely on every day. This new act would increase collaboration and information sharing between industry and government and would require designated operators to report cybersecurity incidents to the Communications Security Establishment, which, as colleagues know, is an agency within the Department of National Defence.

By improving the government's awareness of the cyber-threat landscape in these critical, federally regulated sectors, we can warn operators of potential threats and vulnerabilities so they can take action to protect their systems and to protect Canadians as well.

However, the government can’t do it alone. That’s why we’re committed to working closely with our industry partners, through the formal regulatory process, to create a clear, consistent and harmonized regulatory regime across all provinces and territories.

We must and we will work alongside our allies, in particular the United States, to make sure that our interconnected critical infrastructure is protected.

This legislation is consistent with the cybersecurity approaches of our allies, and we have been engaging with international partners to identify opportunities for further collaboration. As recently as Tuesday of this week I participated in a Five Eyes ministerial call, during which Secretary Mayorkas, the U.S. Homeland Security secretary, raised many of the issues we're going to talk about this morning.

We found that stakeholders broadly support the intent of the bill and agree that we must work together to protect our critical infrastructure from cyber threats. However, some expressed concerns about certain aspects of the bill. We have, of course, listened carefully to the points raised by our colleagues in the House of Commons and others concerning transparency, accountability and the protection of Canadians’ privacy.

Fundamentally, this bill will help protect the privacy of Canadians’ personal information. Canada’s critical infrastructure systems, while secure, are not impenetrable. By requiring Canada’s critical infrastructure operators to maintain high levels of cyber security, we are also reducing the likelihood of personal data breaches on their systems.

I look forward to working with you, Mr. Chair, and Committee members, on all these issues. Of course, if the Committee deems it necessary, we are prepared to consider amendments that could strengthen the bill. In addition, we look forward to working with you to ensure that this bill is passed and that Canada remains a safe, competitive and connected country in a more secure environment.

Thank you.

I look forward to hearing what my colleague Mr. Champagne has to say—which is why I’m here this morning—and to answering questions from Committee members.

Thank you.

Mr. Champagne, go ahead, please.

Thank you, Mr. Chair.

It is a great privilege to appear before you today. It’s been over eight years since I had the privilege of becoming a Member of Parliament and testifying before committees. This morning is particularly important, especially as I have the privilege of testifying with Minister LeBlanc. For the people watching us, Canadians from across the country, it demonstrates the significance of the issue.

We should first ask ourselves why we are here this morning. Minister LeBlanc outlined the reasons. People should be reassured to see Minister LeBlanc, and his department, working in concert with the Department of Industry on an issue that affects not only all Canadians, but Canadian businesses across the country.

The issue of cyber security affects our small and medium-sized enterprises, or SMEs, families, all institutions across the country and even internationally. I can tell you that in the various international forums I’ve attended, the issue of cybersecurity is of paramount importance, especially when you add in everything to do with quantum technologies and artificial intelligence. That’s why I’m proud to testify today with Minister LeBlanc, a great friend who also sees the importance of our two teams working hand in hand to accomplish this today.

As I was saying, I’m pleased to be able to discuss a legislative text of paramount importance with you, dear colleagues. People across the country expect us to respond quickly to a situation that is evolving just as quickly.

One of the most important things we can do as legislators is to protect our critical infrastructure across the country.

As Minister of Innovation, Science and Industry, I take a particular interest in securing Canada's telecommunications system. Telecommunications networks are vital to the safety, prosperity and well-being of Canadians. When you've seen disasters striking around the nation, citizens expect their telecom networks to work. That's why adding, as we would be doing in this law, the concept of security as an objective under the Telecommunications Act is so crucial. It's not only about cybersecurity, but it's about protecting Canadians in the times they need it most. That's why we are committed to protecting the telecommunications system that underpins much of our critical infrastructure in the country.

Take the emergence of new technologies, such as 5G, as one clear reason we need to redouble that focus. As you know, 5G is going to have a network that is far more decentralized. You're talking about the Internet of things, you're talking about connecting almost everything. The object will become intelligent and connected. If you think about the impact of cybersecurity you'll understand the size of the problem, and not only the emergency powers we need but also the duty to act we all have as parliamentarians.

The threats targeting these technologies and systems are increasing in number. I’m talking, among other things, about threats to our supply chains and cyber security threats from state and non-state actors, of course.

With these threats in mind, the government undertook a thorough review of 5G technology. In fact, I’d like to thank all the Ministry of Industry officials and the Ministry of Public Safety and Emergency Preparedness officials who are here today. They carried out extensive consultations with stakeholders across the country.

We carefully examined the issue from a technical and economic standpoint, as my colleague Minister LeBlanc said, as well as from a national security standpoint.

It is clear that while this technology will bring significant benefits, it will also introduce new security concerns that malicious actors could exploit, as 5G networks are more interconnected than ever. Therefore, threats will have a more significant impact on the safety and security of Canadians, including our critical infrastructures, than in previous network generations.

It is in light of this security examination that the Government of Canada found serious concerns about suppliers such as Huawei and ZTE. You will recall that in May 2022 we announced the intention to prohibit Canadian telecommunications service providers from using Huawei and ZTE products and services in their 5G and 4G networks.

Our statement specified that the proposed measures would be subject to consultation.

However, the risks associated with telecommunications go far beyond cybersecurity, as I was saying. We took action in May 2022, when we made this announcement.

Canadians watching will remember the famous Rogers outage in the summer of 2022, which probably impacted 12 million Canadians for a number of hours. With the after-effects of Hurricane Lee in Atlantic Canada in September 2023, my colleague, Minister LeBlanc, was really involved in restoring the services that people need.

I want colleagues to understand that this is not just about national security, but the role of the industry minister is to ensure resiliency. If you think about hurricanes, if you think about the network outage we had, in the case of Rogers we were successful in getting a voluntary undertaking in the memorandum we signed with them in September, but I think Canadians will be reassured that the minister would have legislative power to compel companies to do what's right.

We know that these risks are not something the market can solve on its own, that's why we need rules for industry, rules that protect Canadians, our networks, our businesses and our data.

Bill C‑26, which we are discussing today, is designed to address those risks and evolving threats. It will enable the government to act quickly, if necessary, to ensure network security.

In my opinion, the powers granted to the Minister of Industry would enable him to act quickly. In an emergency, temporary measures must be adopted, but it must be done quickly to prevent bigger problems across the entire network.

The second part of Bill C‑26 will also strengthen the protection of our critical cyber systems. I believe Minister LeBlanc was heavily involved in that portion.

Our telecommunication network is probably the backbone of infrastructure. I know people at home may think of infrastructure as bridges that we need to protect, they may think about nuclear power stations, but the telecom network, which is basically enabling everything else, is one of the key networks that we need to protect.

Mr. Chair, we want to make sure we get it right. As Minister LeBlanc said, that's why we listened carefully to the debates in the House of Commons and comments from stakeholders and colleagues, who are here because, when it comes to national security, that's not a partisan issue. That's why we are committed to making sure that we do that in the best possible way.

I am happy to see that there seems to be broad support for the bill and the objective of securing our telecom network.

We want to work constructively to get the best possible bill, but I must add that action is urgently needed. People who would like to inflict harm on Canada are obviously seeking potential loopholes in the system. So it’s urgent to provide the government with the powers it needs to do things right. That’s important.

I therefore eagerly await the passage of Bill C‑26 to better protect our critical infrastructures.

Mr. Chair, my colleague Minister LeBlanc and I will be pleased to answer our colleagues' questions.

Thank you.

Thank you to both of you for your comments.

We're going to move right into questions.

I'm going to start with Mr. Shipley, please, for six minutes.

Thank you, Chair.

Thank you to the ministers and the officials for being here this morning.

We are definitely talking about a very serious issue here with cybersecurity and Bill C-26.

Minister LeBlanc, Public Safety Canada recognizes 10 critical infrastructure sectors, one of which is government. A recent NSICOP report noted that several departments and Crown corporations are not subject to Treasury Board policies related to cyber-defence or they apply those cyber-defence policies to their departments inconsistently. This leaves them vulnerable to cyber-attacks. In fact, just recently it was revealed that Global Affairs Canada was suffering from a massive data security breach.

Minister LeBlanc, why is your own government not adhering to the same cybersecurity standards as the designated operators listed in this bill whose confidential business and personal information you're planning to collect and store?

Obviously, we took note of the work done by NSICOP. These are, for our government and for our department, important road maps to better public policy and better legislation.

I'm aware of procurement initiatives under way across the government to improve many information systems that are either outdated or arriving at the end of their useful life and needing to be reinforced. It's something that industry and businesses do every week and every month. The government has the same obligation

The premise of your question is whether we have, in the Government of Canada, an obligation to hold ourselves to at least the standard we would expect of private industry, and the answer is, of course, and we're actively looking at ways. You mentioned the foreign affairs department, and I'm aware that, in the Public Safety portfolio, we're actively investing in modernizing systems and are constantly looking for good ideas and better solutions, including with our allies.

Thank you.

We heard almost unanimously that this is an important bill, but this is also a poorly drafted bill. Business groups, civil liberties groups and cybersecurity firms are all united in the fact that Bill C-26 gives the government too much power with almost zero oversight. There's no requirement for regular reporting, no independent review and no requirements for production of written reports. In fact, most of the powers in this bill would be exercised in secret.

Do you think that the sweeping powers that you're attempting to give yourself have enough oversight mechanisms attached to them?

We've obviously taken note of the concerns expressed by the people our colleague referred to. We would expect that, in the work of this committee, if there are amendments that, in your view, answer some of these concerns, of course we would be open to working with the committee and to ensuring that collectively we get the best legislation we can.

We recognize that these are extraordinary powers in many ways that require, as you noted, the appropriate oversight. There is an element of judicial oversight, but we also recognize that the threat landscape is evolving as well and evolving very quickly. According to some of the briefings I have from security officials, including at CSIS, the threat actors, including malicious state actors, are seeking to do some of the damage and disrupt some of these systems that we talked about. We require the ability to move quickly, and we require the ability to help identify potential risks and hopefully prevent incidents from happening. That's why there are these powers, but we recognize that these powers come with an obligation of transparency in every case possible and the appropriate reviews, including judicial reviews.

François-Philippe, you had a point on the judicial review.

If I may, Mr. Chair, I just want to add that, obviously, it's an important question, and we believe in oversight, as I said, the judicial review and also the concept of proportionality.

I just want to remind colleagues that, when we had major storms, particularly on the east coast, I had premiers calling and asking us to take action. As I said, in the telecom area, although now we have the memorandum we signed voluntarily with the telcos, I think that Canadians and members of Parliament would want any future minister of Industry to also have the power to take action very quickly.

You may recall that, in some instances, we were asked to direct the telcos to do certain things. I can assure you that, when you don't have access to 911 and you're facing an emergency, Canadians are very worried about that. For us to be able to take remedial action or compel telecom companies to do certain things—now they've done it voluntarily—I think it's a good thing—

Thank you.

I don't think Canadians would want to rely on a voluntary basis.

Thank you.

I'm almost out of time, but I have one last question for you, Mr. Champagne.

Many stakeholders have noted that the proposed penalties related to this act that would reach up to $15 million and five years of jail time are touted as being intended to promote compliance rather than to punish; however, I think that we can all agree that a penalty of this nature would be very challenging for a small business to absorb.

Has any consideration been made about the impact that these large fines would have on small and medium enterprises?

I would say respectfully to the committee that it's always a matter of balance. I would also say respectfully to members of the committee to have a fine that is proportionate, because obviously you're referring to small and medium-sized businesses. Let's be clear that the systemic risk to our network with very large players is the danger of going too low, and colleagues would agree that, if the fine is of that nature when you're talking about the big telcos, it's kind of irrelevant. I'm not sure that this would give power where the Minister of Industry would have to compel them to take action.

I don't suggest they do that, but they could do a cost-benefit analysis and decide to ignore the minister because, at the end of the day, the fine is so low that it's just business as usual.

In cases of emergency, I can tell you that, the Rogers outage touched 12 million Canadians. In this case, you need a kind of stick to make sure that people will comply, because you're talking on behalf of millions of people.

Thank you.

We're moving on now to Mr. Schiefke, please.

That’s an excellent question, Mr. Schiefke.

We never want to be perceived by state and non-state actors as the weakest link in the chain, the one that attracts these kinds of malicious acts, which can harm Canadian companies or even critical systems. Intelligence and public safety specialists can tell you that.

I always try to compare ourselves to the G7 countries and the Organisation for Economic Co-operation and Development, or OECD. As Canadians, we want to be among the best and have modern tools. To me, it’s about modernization. When I saw, for example, that the Telecommunications Act did not include security as an objective, I thought it a glaring omission. Among our allies, I don’t think there’s a country where the Minister of Industry or the person in charge of a network as important as telecommunications doesn’t have security as an objective. Today, it’s essential. People know we need this.

The bill we are proposing will enable us to live up to the expectations of our economic partners. You’re right, it’s a step in the right direction.

Thank you very much, Minister.

Mr. Leblanc, the same question is for you.

I'm glad that you mentioned our Five Eyes partners. With the interconnectedness of our economy growing day by day, how important is it for Canada to do our part to advance our cybersecurity protection efforts, specifically with relation to Bill C-26?

This legislation is consistent with measures that are in place with our Five Eyes partners. As I've said, the Five Eyes public safety ministers had a virtual meeting this week. This is always a sort of standing item—what we can do to deal with threats in the cybersecurity domain. The nature and the evolving threat landscape is such that I would suggest one country alone won't be able to have all of the good ideas and all of the best practices. That's why, as François-Philippe said...the ability to work with G7 countries, particularly in the security context with our Five Eyes partners.... MI5 and MI6 in the U.K. have done a lot of research in this area.

One thing that obviously our American allies worry about is the rise of disinformation. They're in an election year. There's the chance that malicious state actors can either encrypt or paralyze cyber-systems in the United States and insert disinformation and malware. The very basic tenets of a democracy are reliant, as François-Philippe said, on a series of private sector and government actors in the basic transmission of information.

In our perspective, the Government of Canada thinks the adoption of this legislation will put us in a similar position to our five allies. If we're not able to, in this Parliament, adopt this legislation, I think it would conversely send a signal to our allies—particularly to the United States. I refer to that, because the interconnectedness of our economies and industries, which my colleague knows better than I do, means that basic services to Canadians, which we rely on for daily life, would be, in our view, subject to a threat that can be mitigated and can be contained.

Thank you.

My last question in the minute and a half that I have left is for you, Minister Champagne.

The bill is often talked about in terms of cybersecurity, but part 1 is also very important. It's about creating authorities to secure the network, which has applications beyond cyber-threats, including how we respond during natural disasters.

It's important for my community of Vaudreuil—Soulanges and many others across the country. In my particular case, last year, when we had our ice storm in Quebec, I could not actually pick up the phone and call the mayors and my provincial counterparts to coordinate a response to help support those who had no power and were stuck at home—seniors particularly.

Can you speak to how important that is for us to be able to respond and better support Canadians in their time of need?

Yes, I would say one word: resiliency.

The purpose of this act is to ensure resiliency of the telecom network in particular. Like you said, natural disasters come more frequently, they seem to be more violent, and they seem to come in different forms. Therefore, from forest fires, to hailstorms we had in Quebec, to floods in Atlantic Canada, we should not just look at this bill in terms of security, but also, when it comes to many of these crucial networks, as resiliency.

You would want a future minister of industry to have some power. Like I said, last time, in light of that, we signed this memorandum of understanding. Basically I gathered the CEOs, and I said we need to do better—you need to do better to protect Canadians. We did it.

I think it is wise, I would say, for a nation like Canada to have statutes in the book to be able to compel...not only relying on the goodwill of actors, which they did. Like you said, for people in times of need, these systems become critical. When you can't access the phone line and you're subject to a flood or another natural disaster, these powers would at least compel us to take certain actions. Obviously, it would be for the service provider to take these actions. At least you would have a kind of power, not just a soft power to convene and ask. Then you could compel others to do things.

Thank you, Ministers Champagne and LeBlanc.

We're now moving on to Ms. Michaud, please.

Thank you, Mr. Chair.

Thank you, Ministers, for being with us this morning.

First, I want to talk to you about an article published in La Presse entitled “Quand Ottawa veut jouer au gérant d’estrade”. The article appeared in 2022, shortly after you tabled Bill C‑26. The bill was tabled some time ago—over eighteen months. One wonders if cyber security is indeed a priority for the Canadian government.

The article was written by Ms. Célia Pinto Moreira, a public policy analyst at the Montreal Economic Institute.

She begins her article as follows: “Imagine a referee at a Habs game approaching a player to explain how to shoot the puck into the net. He’d likely lose his job: it’s neither among his duties nor his field of expertise.”

She goes on to say that this is what Ottawa is doing with Bill C‑26. She says, “Instead of minding its own business, the federal government wants to interfere in the implementation of companies’ digital security plans.”

She adds, “In digital security, things move at breakneck speed. When a company discovers a flaw in its system, it knows full well that it has every incentive to fix it quickly; otherwise it exposes itself to significant legal, reputational and financial risks […]”

She goes on to say that the federal government is slow or inefficient, citing the passport saga.

We remember that saga. It’s been a while. Other examples include Phoenix, Canada Life, the border. I think the government has been slow and inefficient in those situations.

All in all, it seems likely that Canadian companies are currently well prepared. They already have to deal with cyber security incidents. It’s said that in 2021, Canadian companies invested over $10 billion to prepare for this type of breach. So they’re already doing the work.

In practical terms, what will Bill C‑26 change for Canadian companies?

Thank you for the question, Ms. Michaud, and thank you to the author of the article.

Let me give you an example that I think will answer your question.

You know that preventing harm is also part of the government’s role. Remember the Rogers case. Twelve million Canadians lost access to telecommunications services, which even prevented them from making payments, since Interac services were connected to the Rogers network.

In this instance, the government was swift to act. I believe I was in Japan, but I spoke to the president and CEO, or CEO, of Rogers within hours, asking him to take very concrete action. On the one hand, one could say that Rogers is a large company that probably invests hundreds of millions of dollars in cyber security, but on the other hand, 12 million Canadians were without telecom services for hours.

At that point, I challenged not just the CEO of Rogers, but all the CEOs of the major telecom companies, telling them that they all had to deploy their teams that day to help Rogers. It was no longer a matter of competition, but an emergency, because Canadians were unable to go to the grocery store or put gas in their car. Their payment cards were no longer working.

You’re going to argue that there should be resilience within the system. But in subsequent hearings, we realized that, curiously, there wasn’t as much resilience or redundancy in the system as we thought. Yet everyone was saying that the Interac card operator obviously had to have a back-up system.

I think the facts have shown that things needed to be improved. I also think it’s the government’s role to protect the public interest.

You’re right that most companies do it well, but I think the Rogers case is a great example of the role government plays. At the time, we did it voluntarily. For that matter, I’d like to thank the various companies for their willingness to help. They even signed a memorandum of understanding on the subject. The number of pages it contains proves that there was a great deal to be done.

I think that, for future such emergencies, having powers at our disposal and the ability to tell companies that they haven’t done their job and that it’s hurt Canadians, would be a good thing. I think it’s justified.

Thank you, Minister. I know you can speak at length on a subject you’re passionate about, but we don’t have much time.

What stands out for me in this bill is that it confers enormous powers on the Governor in Council and the Minister of Industry, meaning you. You strike me as a trustworthy man. If you do all this secretly, things may go quite well, but some Canadians and Quebecers are worried. Transparency issues are being raised.

Can you explain why all this has to happen in absolute secrecy and what this could mean for small or medium-sized businesses?

You mentioned large companies, such as Bell and Rogers, who can afford to be fined a few million dollars by the government if they don’t comply with requirements.

But what does that mean for a small Quebec company? You know how important small and medium-sized businesses are to the Quebec economy.

What does this mean for a small telecom company with a few hundred or a few thousand subscribers, offering its services only in part of the territory?

What about the company that doesn’t have the workforce to implement a security plan that complies with your plan? Will it be fined a few million dollars?

What powers can you wield? People tell us they read in the legislative summary that the Minister of Industry can make orders and decrees, but they don’t know what they are.

Can you explain all this to us?