Evidence of meeting #18 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Before the committee

Robertson  Senior Research Associate, Citizen Lab, University of Toronto, As an Individual
de Boer  Vice-President, Government Relations, BlackBerry
Hatfield  Executive Director, OpenMedia
Warnell  Chief Information Security Officer, Bruce Power
Bradley  President and Chief Executive Officer, Electricity Canada

The Vice-Chair Bloc Claude DeBellefeuille

In your presentation, you told us about your concerns with proposed section 15.2 of the bill. The section could be used to create back doors and ultimately weaken encryption standards. I am not a computer scientist, but I understand that it is currently difficult to break into the systems, since the encryption standard is very high. Lowering that standard could be a security risk.

Have I understood your argument correctly?

11:35 a.m.

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

Yes, you understood it very well. The only clarification I would make is that traditional telecommunication technology was insecure by design, and with legacy mobile communication networks we still see persisting vulnerabilities that make people vulnerable to cyber-fraud and other types of malicious surveillance, such as corporate espionage, for example, and espionage of government officials.

We have security features, including encryption, available for 5G and 6G technology, but we know, for example, that in Europe there has been some lobbying by law enforcement to disable these privacy-enhancing technologies in order to enable easier forms of law enforcement surveillance, which of course is the exact opposite of what we want and what we desperately need to make sure our systems are secure by design and not insecure by design.

We need to be fixing as many holes as possible, as opposed to drilling new holes, and that's why I take it that government officials have agreed that this bill is not about surveillance and not about encryption-breaking, but we can only know that if we have that encoded in the law itself, which is a gap that we urgently recommend be filled.

The Vice-Chair Bloc Claude DeBellefeuille

Ms. Robertson, did you have a chance to testify on Bill C‑26? Were these concerns discussed and debated?

Have you had a chance to make the government aware of the weakness in Bill C‑8, which was also in Bill C‑26, and to let them know that it could cause harm and even promote cyber-attacks?

11:40 a.m.

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

The issue is that there are multiple interpretations about how these orders may be issued, and we would like them to be as transparent and accountable as possible, because some may view encryption-breaking as a way to make Canada more secure, but we know that's not the case.

The combination right now of interpretive ambiguity and a potential that these orders are issued in secret makes it particularly worrisome that these new security features will be compromised by potentially—

The Vice-Chair Bloc Claude DeBellefeuille

I'm sorry to interrupt you, Ms. Robertson, but it seems that there is no longer any interpretation.

This is extremely distressing for both of us.

The Clerk

I just want to test again that the French interpreter is back on the French channel.

The Vice-Chair Bloc Claude DeBellefeuille

It's working now.

I apologize for that little constraint on us, Ms. Robertson. It's because the interpreters are working remotely. That's an additional obstacle to interpreting your remarks.

You may now continue.

11:40 a.m.

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

Yes, I was testifying that with the combination of secrecy and lack of clarity these orders could be used to compromise encryption, and that is a problem.

I would also note that it's not difficult to foresee that these orders might be used for surveillance capabilities. The Ministry of Public Safety has introduced legislation for this exact purpose of installing new capabilities in telecommunications systems, but of course that should be under its own legislation if it's going to happen and attached to very different sets of safeguards. This bill is about cybersecurity, and not about surveillance, as we are told, which is why we need to ensure these types of compromises aren't coming in through Bill C-8 itself.

The Vice-Chair Bloc Claude DeBellefeuille

Thank you, Ms. Robertson.

Colleagues, since we started the meeting late, we have a decision to make. The first option would be to start the next round as planned by giving the floor to Mr. Au, Mr. Ehsassi and me, but Mr. Caputo and Mr. Powlowski would not have their turn to speak. The other option would be to agree to adjourn the meeting later to allow committee members to speak in the usual order.

Do you want to add 15 to 20 minutes to the meeting or do you want to reduce the time you have to ask your questions?

A voice

We can adjourn later.

The Vice-Chair Bloc Claude DeBellefeuille

I see you agree that the meeting should adjourn around 1:20 p.m. It would adjourn at 1:17, to be precise.

We'll now go to the second round.

Mr. Au, you have the floor for five minutes.

11:40 a.m.

Conservative

Chak Au Conservative Richmond Centre—Marpole, BC

Thank you very much.

I want to direct my questions to Mr. de Boer.

I agree with you 100% when you say that trust is important in the sense of being secure and reliable. You also mentioned that we are the only G7 country lagging behind, so my first question is, in comparison to other G7 countries, how far behind are we, and what is the significance of that kind of lagging behind?

11:40 a.m.

Vice-President, Government Relations, BlackBerry

John de Boer

The United States passed a similar law in 2022, so almost four years ago. In Europe, an NIS2 directive was enacted last October, while Japan enacted one in April and Australia did so last year, so we're at least one to four years behind our peers, essentially, and that makes us vulnerable.

11:40 a.m.

Conservative

Chak Au Conservative Richmond Centre—Marpole, BC

In that case, do you think the lagging behind is intentional, or is it negligence?

11:40 a.m.

Vice-President, Government Relations, BlackBerry

John de Boer

I wouldn't say it's intentional. I know the government has tried to work on this bill and pass this bill for a while. It's taking time to get it right.

Also, our federal system makes things difficult, but I would stress that the urgency is now. We need to get this done. Cybersecurity is probably one of the most prevalent threats we face today.

11:45 a.m.

Conservative

Chak Au Conservative Richmond Centre—Marpole, BC

Very good.

To follow up, sometimes I hate to hear the words, “This is a step in the right direction” or “This is a good first step.”

How many steps do we have to take in order to get to the destination we want to arrive at? What is your recommendation? How can we approach the destination faster?

11:45 a.m.

Vice-President, Government Relations, BlackBerry

John de Boer

I see this as a first step because, first of all, it deals with four critical infrastructure sectors. We have many more than that. Even the notion of what is critical infrastructure is changing. It's taken Public Safety Canada years to come up with a new critical infrastructure strategy.

This is going to be an ever-evolving assessment. It's really important that we continue to expand applicability of these kinds of requirements beyond just the four sectors. There also needs to be a harmonized approach with provinces and territories.

Unfortunately, threat actors are finding new ways to attack our critical infrastructure. We need to adapt and be ready to adapt.

11:45 a.m.

Conservative

Chak Au Conservative Richmond Centre—Marpole, BC

In other words, how can we be more proactive instead of always trying to catch up? What do you recommend?

11:45 a.m.

Vice-President, Government Relations, BlackBerry

John de Boer

One core thing I can recommend is to strengthen public-private partnerships. Work more closely with companies like BlackBerry and other companies that have a lot more knowledge, in some cases, of the threat actors that are attacking critical infrastructure. We see them day in and day out. The Canadian government can only do so much.

One initiative that the Canadian government is moving forward is called the Canadian cyber-defence collective, which is a good initiative that will bring together public and private sector entities to deal with immediate crises and medium-term crises.

That's a good first step.

11:45 a.m.

Conservative

Chak Au Conservative Richmond Centre—Marpole, BC

It's another good first step.

In your report, you mentioned a large volume of cyber-attacks—five million cyber-attacks in three months—so it's a serious problem.

Do you feel that the current Bill C-8 would help you and your company to address those cyber-attacks?

11:45 a.m.

Vice-President, Government Relations, BlackBerry

John de Boer

Information sharing is really important. Understanding how the threat is evolving, what the trends are and what kinds of tactics and procedures threat actors are using helps you build defences down the road.

Part of what Bill C-8 does is mandate information sharing in a confidential way. If you know what the enemy is doing or what rogue actors are doing, you can better prepare, so yes, the short answer to your question is it will help BlackBerry and it will help our customers. It will help us evolve our technology to higher encryption standards, etc.

It's very important.

The Vice-Chair Bloc Claude DeBellefeuille

Thank you, Mr. de Boer.

I now give the floor to Mr. Ehsassi for five minutes.

Ali Ehsassi Liberal Willowdale, ON

Thank you, Madam Chair.

Thank you to our witnesses. This has been very helpful.

I'll start off with Mr. de Boer.

You have emphasized the need for private-public partnerships on several occasions today, and you've also noted that we're behind our Five Eyes partners.

Do any of the other Five Eyes partners use private-public partnerships?

11:45 a.m.

Vice-President, Government Relations, BlackBerry

John de Boer

Yes. In the United States about three years ago, they came out with the joint cyber-defence collective, which brings together private industry and public industry. In the U.K. they've had that for over five years, and the same in Australia. The good news is that Canada has also joined something called the International Counter Ransomware Initiative, which BlackBerry co-chairs in a public-private partnership.

These steps of working closely with the private sector have now begun in earnest. It does exist in other countries.

Ali Ehsassi Liberal Willowdale, ON

Is that a consultative process?