Evidence of meeting #18 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was c-8.

A recording is available from Parliament.

On the agenda

Members speaking

Before the committee

Robertson  Senior Research Associate, Citizen Lab, University of Toronto, As an Individual
de Boer  Vice-President, Government Relations, BlackBerry
Hatfield  Executive Director, OpenMedia
Warnell  Chief Information Security Officer, Bruce Power
Bradley  President and Chief Executive Officer, Electricity Canada

12:25 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

What is it like within Canada?

12:25 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

On the one hand, officers of corporations are ultimately those who are responsible for the actions of those entities to begin with.

On the other hand, there's also directors' and officers' liability insurance, which our organization and many others make sure we have.

Dane Lloyd Conservative Parkland, AB

Do you share the concerns of other industry stakeholders that the criteria with which we define a designated operator are unclear?

12:25 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

I have not seen enough detail on that. Those are the sorts of things I think will be clarified when we get to the regulation stage. I don't think I could pass an opinion on that, because the regulations are not in existence yet.

12:30 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Some people have said they think the legislation is very unclear about who will be a designated operator and that this could capture a great number of small and medium-sized enterprises.

Thank you for your time.

The Vice-Chair Bloc Claude DeBellefeuille

You still have 50 seconds, Mr. Lloyd.

12:30 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Oh, I thought you were telling me I was done.

The Vice-Chair Bloc Claude DeBellefeuille

No, I gave you the one-minute signal.

12:30 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Mr. Warnell, do you have any comments on any of those questions I asked?

12:30 p.m.

Chief Information Security Officer, Bruce Power

Todd Warnell

The monetary penalties in this legislation are equivalent to the same liability that officers hold for the safety of their workers.

Cybersecurity is not a stand-alone domain. It is about safe operations of your operator, whatever you happen to be. That approach is already in legislation elsewhere. Its equivalency is actually very beneficial to ensuring the importance of cybersecurity as a core operating practice.

12:30 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Do you think this legislation will help protect our electrical system from the threat of solar flares and coronal events?

12:30 p.m.

Chief Information Security Officer, Bruce Power

Todd Warnell

No, this is definitely not doing anything around enhancing natural protections. There are other works in other areas that could further that.

The Vice-Chair Bloc Claude DeBellefeuille

I apologize for stopping you there, Mr. Warnell. Perhaps you'll have a chance to finish your answer in another round.

I now give the floor to Mr. Ramsay for six minutes.

Jacques Ramsay Liberal La Prairie—Atateken, QC

Thank you, Madam Chair.

I'd like to thank the witnesses for their presentations.

We heard from the previous panel about privacy risks. Whether this is valid remains to be seen, as we heard from a previous panel that the protections in the bill were sufficient. However, I think that it is important to look at the advantages and disadvantages of this bill, as we must do for every bill.

In connection with that, I'd like you to tell us what the dangers are and what the consequences of cyber threats are for your respective industries. How serious could these potential attacks be? What does it mean for the average person?

12:30 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Perhaps I can begin. In terms of what the potential impact for cyber-attacks is, I believe that the sector has been very effective in terms of its cyber protection, but if you want to understand what the potential impacts could be, you'd have to go back to 2015, when we saw, for the first time, electricity service to end customers impacted by the cyber-attack by Russia in Ukraine, which actually turned off the lights for customers.

That is not something we've seen here in Canada. If you want to understand what the worst-case scenario potential risk is, it's loss of service. Of course, electricity is, in our view, the key infrastructure that every other critical infrastructure in the country depends upon. That is one of the reasons we've worked to develop and have been subject to mandatory cybersecurity standards for close to 20 years now through the work we've done with NERC.

We do have protections in place, because the potential impacts would be so severe if a successful cyber-attack took out power to customers.

12:30 p.m.

Chief Information Security Officer, Bruce Power

Todd Warnell

To echo Mr. Bradley's comments, the broadness of the potential action, both disruptive and destructive, that could be before us is actually incredibly terrifying. The ability for threat actors, both nation-state and cybercriminal actors, to infiltrate networks and cause downtime unexpectedly that cascades into the day-to-day lives of Canadians, whether it's for delivery of health services, water or financial services, because electricity is disrupted, is real. These are no longer hypothetical scenarios, when in previous conversations through the evolution of this bill, I think there was lots of understanding that this was fearmongering.

If you go back to the actual releases from our intelligence partners here in Canada and our allied nations, those realities have been declassified. The reality is that threat actors are pre-positioned, in the event of larger-scale kinetic conflicts or other geopolitical challenges that may decide that this type of action is warranted.

We've moved beyond people with tinfoil hats worried about what could happen to, “It's real.” Responding to the threat is necessary, and this is a good first step forward on that.

Jacques Ramsay Liberal La Prairie—Atateken, QC

Mr. Bradley, you alluded to a duplication of regulations. In another meeting, it was clearly explained that it was mainly a matter of providing guidelines and regulations, and that there was, in fact, an agreement to avoid an overlap of services.

Now, as for the incidents that should be reported, I understand that there can be quite a lot of them. I understand that we're going to somewhat clarify what needs to be reported and what is not worth reporting.

Near misses and close calls are not covered in the bill. Could even incidents that ultimately did not occur be so serious that reporting them would be warranted? If so, should that be provided for in the bill?

12:35 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

I would start off by saying that, with respect to the potential duplication, this would be addressed in the regulatory process. That is what we were told during Bill C-26 as well. It's not that I doubt the officials involved, but until we actually see the regulation.... Frankly, our experience with the development of regulations following legislation has not always been positive. It has not always resulted in the kinds of regulations that we had been expecting, so we continue to have concerns on that side.

With respect to exactly what will be reported, I might defer part of that to my colleague, Mr. Warnell, as he is a CISO, so he's working at the coal face of cybersecurity.

The concept of having to report near misses.... I'm not sure how one would do that. That one is pretty clear in the area of health and safety, for example. However, I'm not sure what a “near miss” means when we're talking about cybersecurity. I don't know how you would interpret or capture that.

12:35 p.m.

Chief Information Security Officer, Bruce Power

Todd Warnell

I'm happy to—

The Vice-Chair Bloc Claude DeBellefeuille

I'm sorry to interrupt you, Mr. Warnell, but Mr. Ramsay's time is up. I can't let you continue your answer, but you may have a chance to finish it in another round.

Thank you, Mr. Ramsay.

It is now my six-minute turn to ask the witnesses questions.

Mr. Bradley, we are concerned about the whole issue of regulations overlapping with NERC standards.

Can you shed some light on NERC's role in Canada's electricity sector and the risks such an overlap could pose? It's important to understand that.

12:35 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Thank you.

I'd be happy to talk a bit about that NERC relationship, because it is critically important.

We feel that the government has not really grasped or understood the regulatory reality in our sector.

NERC creates reliability standards. The provinces adopt the standards and apply them.

I've been involved, for decades, with engagement at NERC. It is an organization that is North American in scope, so this is not a case of some organization that is headquartered in the United States telling us what to do. There are two Canadians on the board of trustees at NERC. There are five Canadians on the members' representatives committee of NERC. We are involved in the development of those standards. This is, clearly, something that has been in existence for a couple of decades. It understands and recognizes the kinds of realities we have, and it has regulatory backstop by Canadian regulators. The NERC standards do have backstops by every regulator in all of the provinces that are part of the bulk power system.

What happens when there is an overlap? It leads to higher costs and confusion. Fewer resources are allocated to security and more resources are required for us to respond to different levels and types of regulations.

The Vice-Chair Bloc Claude DeBellefeuille

I have a second question.

As my colleague Jacques Ramsay pointed out, we heard from government officials that their goal was not to create regulatory overlap, but that they would work with your sector to make sure that didn't happen.

Does that reassure you? Personally, I'm still a little concerned. Is that really enough, or should amendments to Bill C‑8 be considered to mitigate the risk?

12:40 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Thank you for the question. I was asked the same question a year ago, when we were working on Bill C‑26.

We don't doubt the good intentions of our federal government colleagues, but there is no legal obligation in the bill to avoid overlap. We want guarantees in the legislation, rather than waiting for regulations.

What might the solutions be? The provision about compatibility with existing regimes could be strengthened. Instead of being a suggestion, it should be an obligation. I think that's pretty clear. Equivalence should also be recognized. For example, compliance with NERC standards for the protection of critical infrastructure should be considered equal.

As I mentioned previously, our experience, when told, “Don't worry, we'll take care of that in the regulation,” has not always been a positive one. When there are clear fixes that should be in the legislation itself, then let's put it in the legislation itself.

If we clearly want to say, “Let's recognize equivalency,” as opposed to, “That will be an optional thing that can be looked at in the future,” and we know that it's the right way to go, it should be a legislative option as opposed to a regulatory option. In my view, this is something that our legislators should be directing, as opposed to leaving it in the hands of officials who will be writing the regs and implementing them.

The Vice-Chair Bloc Claude DeBellefeuille

I have a minute and a half left and I have one last question for you.

Could you send us proposed amendments that would reflect, for example, your desire for better oversight of this whole issue? Could you send them to us? That way, we could familiarize ourselves with them and get a better understanding of the intent you want to see in the bill.

12:40 p.m.

President and Chief Executive Officer, Electricity Canada

Francis Bradley

Absolutely, we are actively working on that.

That will be something we will provide specific recommendations on in terms of the specific clauses that we think should be amended that would be able to address this.