Evidence of meeting #10 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Before the committee

Quaid  Executive Director, Canadian Cyber Threat Exchange
Stupak  Senior Director of Advocacy, ISC2, Inc.
Simon Noël  Intelligence Commissioner, Office of the Intelligence Commissioner
Dufresne  Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada
Dehaas  Counsel, Canadian Constitution Foundation
Shull  Managing Director and General Counsel, Centre for International Governance Innovation
Lefebvre  Chairman and Co-founder, Crypto Québec
Polsky  President, Privacy and Access Council of Canada

The Chair Liberal Jean-Yves Duclos

Yes, but we agree that we can't compel a minister to appear. However, we can invite a minister to come. To do so, we need to amend the motion.

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

Mr. Chair, sorry, but I would like you to follow the committee procedures. I just drafted an amendment. Normally, we should debate it and make a decision.

The Chair Liberal Jean-Yves Duclos

Yes.

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

I formally move the following: “That the motion be amended by adding after the words “Minister of Public Safety” the following: “and the Minister of Industry”.”

I want this added to the motion. I don't think that it will cause any issues.

Mr. Chair, could you please open the floor for discussion so that the committee can decide on this matter?

The Chair Liberal Jean-Yves Duclos

Okay.

There are two things. First, we clarified the fact that the current motion doesn't include an invitation for the Minister of Industry. Second, Mrs. DeBellefeuille is moving an amendment to this motion to invite the Minister of Industry, in addition to inviting the Minister of Public Safety.

This amendment is ruled in order.

Mr. Ramsay or Mr. Caputo, do you have any comments on this?

11:15 a.m.

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Can we see the written version, please?

The Chair Liberal Jean-Yves Duclos

Yes. Translation and interpretation obviously make it more complicated in some cases, so let me try to summarize that in English. The motion stays the same—

Claude DeBellefeuille Bloc Beauharnois—Salaberry—Soulanges—Huntingdon, QC

The interpreters are telling me that they haven't received the text of the motion. This is a basic requirement. If they could have the text, it would be easier to interpret.

The Chair Liberal Jean-Yves Duclos

Can someone from the Liberal team—

A voice

I move that we suspend the meeting.

The Chair Liberal Jean-Yves Duclos

Okay.

We'll take a short break to make sure that the interpreters have a copy of the motion.

We're moving along, but not as fast as some people thought we would.

I would like to inform the various team members that the parties haven't reached a clear agreement on the motion regarding Bill C‑8. This means that we must postpone the discussion until a bit later, since we have important witnesses to hear from.

That's what will happen.

This brings me to perhaps something a bit more timely, which is the fact that we're now going to greet four important witnesses.

I'll start by welcoming all our witnesses.

From Canadian Cyber Threat Exchange, we're joined by Jennifer Quaid, executive director.

From ISC2, Inc., we're joined by Philip Stupak, senior director of advocacy.

From the Office of the Intelligence Commissioner, we're joined by the Honourable Simon Noël, Intelligence Commissioner, and Justin Dubois, executive director and general counsel.

Lastly, from the Office of the Privacy Commissioner of Canada, we're joined by Philippe Dufresne, Privacy Commissioner of Canada, and Marc Chénier, deputy commissioner and senior general counsel.

You have five minutes for your remarks.

Ms. Quaid, the floor is yours.

Jennifer Quaid Executive Director, Canadian Cyber Threat Exchange

Thank you very much, Mr. Chair, and good morning.

Let me start by saying that Bill C-8 represents a major step in modernizing Canada's cybersecurity framework by addressing weaknesses in our cyber-defence strategy. It advances both organizational accountability and national resilience, and it puts Canada in line with other nations.

It's my privilege to be here today representing the Canadian Cyber Threat Exchange, an organization created by Canadian companies for the sole purpose of building cyber-resilience through collaboration. With more than 200 members representing 15 sectors and more than 1.5 million employees, many of our members represent the critical infrastructure sectors impacted by this legislation, while—

The Chair Liberal Jean-Yves Duclos

Ms. Quaid, unfortunately there's a technical issue with the sound.

We'll suspend the meeting for a few minutes so that we can resolve the issue as quickly as possible.

Okay. It seems to have been sorted out.

Ms. Quaid, you have the floor.

11:25 a.m.

Jennifer Quaid Executive Director, Canadian Cyber Threat Exchange

With more than 200 members representing 15 sectors and more than 1.5 million employees, many of our members represent the critical infrastructure sectors impacted by this legislation, while others make up their supply chain—large and small businesses alike. Members join the CCTX because they want to actively share cyber-threat information to help build awareness and resilience in others, to get ahead of the threat and to prevent breaches and the corresponding need to report, which this bill governs. However, they are limited in what they can share.

As Canada advances its national cybersecurity posture, one policy concept merits greater attention: safe harbour legislation. While overlooked in the current proposed legislation, it plays a critical role in fostering transparency, co-operation and resilience across our digital ecosystem. When we talk about cybersecurity, we often focus on technology—firewalls, encryption and artificial intelligence—yet one of the most powerful tools we have to strengthen our defences isn't technological at all. It's collaboration. It's the sharing of cyber-threat information to enable others to better protect themselves and to prevent a breach from happening.

This requires protection by legislation. Safe harbour protection is about creating a climate of trust. We need to ensure that organizations that are trying to do the right thing by sharing useful information about cyber-attackers and their techniques are not punished. Safe harbour protection helps others to not be the victim of a breach.

Mandatory reporting is done after the fact. We are interested in prevention. Without safe harbour protections, too many organizations hesitate to talk about breaches or vulnerabilities that fall below the threshold of reporting to regulators. They fear lawsuits, reputational damage or regulatory penalties. As a result, critical information stays hidden. The same attacks can then impact others across sectors and borders. Attackers will keep using the same techniques over and over again. We have seen this numerous times in the last year. Safe harbour changes that. It empowers companies to share threat intelligence with government and with each other, knowing they're protected when acting responsibly and without fear of legal consequence.

It's not about excusing negligence or shielding bad actors. It's about enabling responsible behaviour, which creates the legal certainty needed for transparency and co-operation to flourish. Ultimately, safe harbour protection strengthens our collective resilience. It allows us to learn from each other and collaborate across sectors to build the trust needed to defend Canadians and Canadian organizations. If we embed safe harbour legislation in our cybersecurity policies and legislative frameworks, we can build a culture where reporting, learning and collaboration are seen not as risks but as responsibilities. That is how we move from reactive cybersecurity to a truly resilient digital Canada.

In cybersecurity, silence is the real threat. Safe harbour ensures that speaking up is safe and that doing the right thing protects us all.

Thank you.

The Chair Liberal Jean-Yves Duclos

Ms. Dandurand, you have the floor.

Marianne Dandurand Liberal Compton—Stanstead, QC

Thank you, Mr. Chair.

I'm watching the time go by. I find this panel quite compelling. However, we've taken up a great deal of the witnesses' time with our previous discussions.

Would it be possible to split the remaining time between the two panels of witnesses to give them 45 minutes each, so that we have more of a chance to hear from the witnesses on the first panel? Otherwise, I don't think that we can hear from everyone.

The Chair Liberal Jean-Yves Duclos

The idea, just so that people can anticipate what's coming, is to split the remaining one hour and a half into two pieces. There would be 45 minutes for this panel and 45 minutes for the other panel. I suppose there would be no objection to that.

With that, thank you, Madam Quaid.

Mr. Stupak, you have five minutes.

Philip Stupak Senior Director of Advocacy, ISC2, Inc.

Good morning, Mr. Chair and honourable members of the committee. My name is Philip Stupak. I serve as the senior director of advocacy at ISC2, the professional member association for cybersecurity professionals. Prior to joining ISC2, I had the privilege of serving in the Biden-Harris administration as the assistant national cyber director at the White House.

ISC2 is the world's largest association dedicated to cybersecurity professionals, representing more than 265,000 members and associates globally. Our second-largest membership base is right here in Canada, with over 14,000 members. We offer nine professional certifications, the most recognized of which is the certified information systems security professional, or CISSP, widely regarded by employers as the gold standard for cybersecurity expertise.

I appear today on behalf of our global membership to express the cybersecurity profession's strong support for Bill C‑8, an act respecting cybersecurity. We live in a period of extraordinary uncertainty. For much of our shared history, Canada and the United States benefited from geography as a natural deterrent. The vastness of the Atlantic and Pacific oceans provided a measure of protection our adversaries could not easily overcome. That era is over.

The 2010 Stuxnet cyber-attack against Iranian centrifuges demonstrated, for the first time, that the boundary between the digital and physical worlds can be breached with tangible, real-world consequences. Today, 15 nations possess blue-water navies capable of projecting power across oceans. Eight possess nuclear weapons, and 170 nations have cyber-capabilities. We have already seen the effects of cyber-attacks here in Canada. Patients in hospitals across southwestern Ontario were forced to reschedule surgeries and appointments, costing millions of dollars and delaying care. While 516,000 patients had their private health information compromised, we know that cyber-attacks can cause even greater damage at a broader scale.

It may take a navy a week to cross the Pacific or minutes for a missile to reach its target, but a cyber-attack could return hospital systems to the age of torchlight and hacksaws, and communication to horseback dispatches, without warning and without attribution. This is not speculation. This is preparation.

Our adversaries are actively working to undermine critical infrastructure. Even a minor activation of pre-positioned digital weapons or malware across essential sectors could result in service disruptions, communication collapse, power outages, water shortages and transportation paralysis at a time and place of an adversarial actor's choosing. In the worst case, it could return modern societies to conditions resembling the pre-industrial era.

However, I want to be clear: Our adversaries are not invincible. With foresight, coordination and policy action, we can and must defend ourselves. Bill C‑8 is an essential step toward ensuring that those defences are in place before they are needed. The amendments to the Telecommunications Act are particularly significant. By prohibiting high-risk suppliers, removing compromised equipment and requiring pre-approval for certain technologies, the bill strengthens the sector that underpins every other sector. Vulnerabilities in telecommunications are vulnerabilities everywhere.

The creation of the critical cyber systems protection act is likewise prudent. It establishes minimum cybersecurity baselines across Canada's most essential sectors. I would respectfully encourage the committee to consider adding federally regulated water systems to that list, given their foundational importance to national health and safety. I likewise encourage the federal government to work with provincial, territorial and municipal partners to ensure that critical infrastructure under their jurisdictions achieves the same level of cyber-protection envisioned by Bill C‑8. A qualified workforce is essential to executing the functions of this act. Every day, ISC2 is training and certifying the government and critical infrastructure professionals who will be needed to implement Bill C‑8.

We cannot afford to assume that threats to the Canadian way of life are distant or hypothetical. They are real, they are present and they demand decisive action. The responsibility for defending against these threats rests in part with this committee. Bill C‑8 represents a thoughtful, measured and necessary step toward that defence.

Thank you.

The Chair Liberal Jean-Yves Duclos

Mr. Noël, you have the floor.

Simon Noël Intelligence Commissioner, Office of the Intelligence Commissioner

Thank you, Mr. Chair.

I also want to thank the members for inviting me.

I'm joined today by Justin Dubois, executive director and general counsel at the Office of the Intelligence Commissioner.

To place my comments on this bill into context, it's useful to briefly explain what my role as the intelligence commissioner is all about.

My role is to approve or not approve certain national security and intelligence activities proposed by the Communications Security Establishment, or CSE, and Canadian Security Intelligence Service. These activities are authorized respectively by the Minister of National Defence and the Minister of Public Safety.

My independent approval is necessary because the activities the ministers authorize may be contrary to the law or breach the reasonable expectation of privacy of Canadians. Only with my approval can activities proceed.

The commissioner position that I hold was created in 2019. The mandate given to the commissioner by Parliament at that time is of particular relevance to the study of this bill. It includes enabling CSE to effectively respond to cyber incidents that affect federal systems and systems designated as important to the Government of Canada. One of my specific duties is to review ministerial authorizations that allow CSE to conduct cybersecurity activities on those systems.

My approval is also necessary because the cybersecurity activities conducted by the CSE lead to the collection of vast amounts of information, including information for which Canadians have a reasonable expectation of privacy. To be effective in conducting cybersecurity, the CSE needs to collect this information.

I only approve ministerial authorization when I'm satisfied that the minister has struck a reasonable balance between the security of Canada and the privacy of Canadians. This includes ensuring that appropriate measures are in place to protect the privacy interests of Canadians.

I noted that through my work as Information Commissioner, I see the tremendous value of a national approach to cybersecurity. Canada must have the necessary tools to protect our critical electronic systems. However, these tools must be accompanied by the appropriate safeguards and independent oversight.

In my view, there are elements of this bill where independent oversight would improve the protection of these privacy interests. I will raise one that relates closely to my role as IC. This bill aims to protect our critical cyber-systems. The CSE is our national expert on cybersecurity and will, through this bill, receive information on cyber-incidents.

In my experience as IC—with over three years and 45 decisions rendered—for the CSE to analyze and understand a cyber-incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with the CSE raises no privacy concerns, as you were told when you met with other witnesses. However, to fully understand the cyber-incident, other situations may require the CSE to have access to information, including technical information, for which Canadians have a reasonable expectation of privacy. I've seen it.

Technology and cyber-threats evolve faster than legislation. The bill should provide the flexibility to adapt accordingly and allow for the sharing of this information with appropriate oversight.

In the current system, prior to collecting this information, CSE is required to obtain a ministerial authorization and approval from the Information Commissioner. Parliament chose to implement this process in 2019, but not in 2025.

The mechanism proposed consists of adopting a regulation setting out what information about cyber-incidents is to be shared with the CSE and how it is to be shared. As you know, there is no independent oversight of the regulation. One possible simple and effective oversight measure would be to annually require ministerial authorization establishing a framework for how the CSE uses and shares the information, which would then be subject to review and approval by the intelligence commissioner.

Effective cybersecurity is essential for Canadians. CSE must have access to the information it needs to conduct its excellent work—with the necessary oversight to allow for that access.

I support the bill's intent but believe that targeted, additional safeguards that do not impose a heavy administrative burden on our agencies would increase Canadians' confidence that these measures intended to protect them do not themselves unnecessarily intrude on their privacy.

The Chair Liberal Jean-Yves Duclos

Mr. Noël, you have only a few seconds left.

11:40 a.m.

Simon Noël Intelligence Commissioner, Office of the Intelligence Commissioner

Thank you.

The Chair Liberal Jean-Yves Duclos

I'm sorry to cut you off so abruptly. Thank you for those remarks.

Mr. Dufresne, you have the floor.

Philippe Dufresne Privacy Commissioner of Canada, Offices of the Information and Privacy Commissioners of Canada

Thank you, Mr. Chair.

Thank you for the invitation to appear before you today to offer my views on the implications of Bill C‑8, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.

I am accompanied by Marc Chénier, deputy commissioner and senior general counsel.

There is no doubt that we continue to face a challenging cyber-threat landscape in which the consequences of cyber-incidents are increasingly disruptive and widespread.

Breaches of critical infrastructure, such as the one that affected Nova Scotia Power in May of this year, are particularly concerning as they can compromise systems and services that are essential to the health, safety, security and economic prosperity of Canadians. Such incidents may result in unauthorized access to or disclosure of personal information, potentially leading to major privacy implications and a real risk of significant harm to affected individuals.

It is for these reasons that I support the objective of Bill C-8 to protect systems and services that are vital to national security or public safety from cybersecurity threats and vulnerabilities.

Like its predecessor Bill C-26, Bill C-8 recognizes that steps must be taken to protect critical infrastructure against cyber-threats, which are continuing to evolve in sophistication and complexity. This is necessary from a security standpoint and from a privacy standpoint.

While stronger cybersecurity protections can help to reduce the likelihood and impact of privacy breaches, it is also essential to ensure that new powers that are created to improve cybersecurity contain the necessary limits and that they do not have unintended impacts on privacy.

I am pleased to see that Bill C‑8 incorporates a number of improvements compared to its predecessor, Bill C‑26, including additional guardrails on the proposed order-making powers, and new notification and reporting obligations.

These will help to achieve a better balance between the bill's cybersecurity objectives and privacy rights and interests.

However, some privacy risks remain, including lower thresholds for the exercise of certain powers and authorities with potential privacy implications, the absence of a mechanism to ensure that my office is notified of major cybersecurity breaches that impact the privacy of Canadians, and insufficient minimum privacy requirements for the sharing of information with foreign governments.

To address these risks and achieve the necessary balance between security and privacy, I would recommend, first, that the legislation impose a uniform standard requiring that any collection, use or disclosure of personal information be both necessary in the circumstances to achieve the stated purpose and proportional to the benefits to be gained.

Second, I would recommend that information-sharing agreements entered into under the legislation provide for minimum privacy safeguards in order to strengthen governance and accountability and to ensure a consistent standard of privacy protection when information is exchanged outside of Canada.

Third, I would recommend that the relevant government institutions, including the Communications Security Establishment, CSE, be required to notify my office when they're made aware of cybersecurity incidents involving a material privacy breach so that we can together collaborate and coordinate our efforts in protecting Canadians’ privacy.

While this is not specific to Bill C‑8, I would also reiterate my overarching recommendation that government institutions be legally required to conduct privacy impact assessments and to consult my office when developing any new programs or initiatives with privacy implications for Canadians.

Thank you for the opportunity to present my views on this bill. I would now be pleased to answer your questions.

The Chair Liberal Jean-Yves Duclos

Thank you, Mr. Dufresne.

We will now give the floor to committee members. Mr. Caputo, you have the floor for six minutes.