Evidence of meeting #18 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was c-8.

A recording is available from Parliament.

On the agenda

Members speaking

Before the committee

Robertson  Senior Research Associate, Citizen Lab, University of Toronto, As an Individual
de Boer  Vice-President, Government Relations, BlackBerry
Hatfield  Executive Director, OpenMedia
Warnell  Chief Information Security Officer, Bruce Power
Bradley  President and Chief Executive Officer, Electricity Canada

The Clerk

Mr. Hatfield, can you just speak for a few seconds? I want to see if there's an issue with the room sound.

Noon

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Mr. Hatfield, could you please repeat what your answer was? After that, Professor Robertson and Mr. de Boer, you can offer any thoughts, please.

Noon

Executive Director, OpenMedia

Matthew Hatfield

[Technical difficulty—Editor] with the sunset clause currently is that MPs aren't being provided with the information that you will need to judge the operation three or five years from now. The government is holding too much secret information or just having the minister say what it believes to be reasonable. You need far more information to be able to make a meaningful decision there.

Noon

Conservative

Frank Caputo Conservative Kamloops—Thompson—Nicola, BC

Professor, do you have any thoughts?

Noon

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

I'm a lawyer and researcher at the University of Toronto, but I don't hold the title of professor, so I'll just clarify that.

In my view, we've had the unique opportunity to hear from a former Federal Court judge who's been very explicit, if I could put it that way, in saying that there is a constitutional vulnerability here for which she sees no justification.

Of course, I agree with that assessment from my own perspective, but when you have the clarity of the issues put in such a crystallized—

The Vice-Chair Bloc Claude DeBellefeuille

I'm very sorry, but I have to interrupt you here.

That is the end of this round of questions for the witnesses.

No, it's true, you still have your turn, Dr. Powlowski. I was forgetting you. I apologize profusely. Can you forgive your young, almost 62‑year-old chair for the omission?

Marcus Powlowski Liberal Thunder Bay—Rainy River, ON

It's no problem.

The Vice-Chair Bloc Claude DeBellefeuille

It's over to you, Dr. Powlowski, for five minutes.

Noon

Liberal

Marcus Powlowski Liberal Thunder Bay—Rainy River, ON

Maybe you're going to be disappointed with the quality of my questions. I'm certainly no expert in this. I'm new to Bill C-8 and new to this committee. I have a general question and then maybe I'll pass it on to Mr. Ehsassi.

It seems to me that the purpose of this legislation is to be able to detect and rapidly respond to cybersecurity incidents when bad actors like the Russians or Chinese are trying to interfere with some vital sectors within our society, which certainly seems to be happening. It seems to be a modern part of international warfare.

I would think, Ms. Robertson and Mr. Hatfield, that your concerns are over adequate protections of various people in society, but is there not a compromise that you're looking for here in terms of...we have to respond rapidly, as Mr. de Boer has said, when there is a cyber-incident. If we clutter this up with a lot of.... Perhaps that's not a good word. If the requirements and protections for civil society are too onerous, does that not potentially compromise our ability to react quickly to cyber-threats? Wouldn't this be exactly what Mr. Putin would like—to put so many different layers of protection in there that it takes days to actually be given the legal ability to respond to this?

I see a hand up. Ms. Robertson, you look like you're eager to respond to this, too. Why don't you start and then we'll go to Mr. Hatfield.

12:05 p.m.

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

We have an interpretive disagreement. I understand government officials agree that we shouldn't be breaking encryption, but what we're recommending be changed is that we confirm this explicitly. In some ways, this is about interpretation and not procedure and due process.

Even if you take my example of Federal Court authorization of the collection of personal information and de-identified information, those authorization procedures always include an exigent circumstance, as a clause, when there is an emergency that needs to be addressed. That's why I say my recommendations—

Marcus Powlowski Liberal Thunder Bay—Rainy River, ON

I'm sorry, but could you explain the exigence clause? What exactly is that?

12:05 p.m.

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

It means that if the government normally has to obtain authorization from a judge to obtain information, that's the subject of a reasonable expectation of privacy, as pretty much all information in the possession of telecommunications providers is personal information. That authorization isn't necessary when there's an emergency: “Exigent circumstances” is a legal term for, “It's an emergency, and we need this information now.” That, however, shouldn't be the default rule, so that's why we say that authorization should be required. It would be not at all thwarting the ability of the government to rapidly respond, when required.

Marcus Powlowski Liberal Thunder Bay—Rainy River, ON

Go ahead, Mr. Hatfield.

12:05 p.m.

Executive Director, OpenMedia

Matthew Hatfield

We're looking for review after the fact, when emergency orders are necessary. It's possible that something happens immediately, and the minister has to respond and get something done right away. Sure, that's fine. Review, in that case, should occur within 30 or 60 days, so that a judge and technical expert can take a look to make sure the order was reasonable and, potentially, should continue longer than just that emergency term. A common expression in privacy and security is, “Trust, but verify.” We're looking for some initial extension of trust to the minister but then verification that the purpose of the bill is being followed.

Marcus Powlowski Liberal Thunder Bay—Rainy River, ON

Ali, go ahead.

Ali Ehsassi Liberal Willowdale, ON

Thank you.

I want to ask a follow-up question to Ms. Robertson. Ms. Robertson, you talked about how there is interpretive ambiguity. It seems to me that interpretive ambiguity is always there until regulations are adopted with greater specificity. Would you not agree with that?

12:05 p.m.

Senior Research Associate, Citizen Lab, University of Toronto, As an Individual

Kate Robertson

I don't agree with that. The failure of a piece of legislation to adequately circumscribe surveillance or information collection capabilities of a broad scope is actually cause, in and of itself, for the courts to strike it down, and that's exactly the problem we have right now. The government has indicated, in response, that it doesn't intend to use the legislation in a certain way. However, assurances are not an appropriate basis to delimit legislation. I cite the 2024 special report of NSIRA, which actually pointed out, in one of the last examples of national security laws being overhauled, that one of the national security agencies had testified, in a study committee, that—

The Vice-Chair Bloc Claude DeBellefeuille

Thank you, Ms. Robertson. I'm sorry for interrupting, but Mr. Ehsassi's time is now up.

If I'm not mistaken, this is now the right time to thank you for your testimony. It will help all committee members study the bill in greater depth.

Mr. de Boer, thank you for coming to be with us in person.

We will now suspend the meeting to welcome the next panel of witnesses.

The Vice-Chair Bloc Claude DeBellefeuille

We are resuming the meeting.

We welcome the witnesses. I would like to thank them very much for having travelled here to take part in the meeting in person.

First of all, we have Todd Warnell, who is chief information security officer at Bruce Power.

From Electricity Canada, we have Francis Bradley, president and chief executive officer.

Welcome.

You will each have five minutes for your opening remarks.

We'll start with Todd Warnell.

Todd Warnell Chief Information Security Officer, Bruce Power

Thank you, Madam Chair and members of the committee. My name is Todd Warnell. I am chief information security officer at Bruce Power, Canada's only private sector nuclear operator. Since 2001, Bruce Power has delivered about one-third of Ontario's electricity, and it produces life-saving medical isotopes used around the world to fight cancer.

I appreciate the opportunity to participate in your review of Bill C-8. Today I will focus on why it is imperative to proceed with this legislation, particularly part 2, the critical cyber systems protection act.

Canada's critical infrastructure is facing unprecedented cyber-threats that put the safety, reliability and daily lives of Canadians at risk. Bill C-8 is a pivotal first step to strengthening our collective resilience and securing essential services. This legislation is more than policy; it is a commitment to protect the backbone of our economy and national security in a rapidly evolving global threat landscape.

Within Canada's nuclear industry, we have demonstrated that through collaboration with government, regulators, industry, academia and individual Canadians, we can successfully establish and regulate cyber systems that are crucial to the safe and reliable operation of critical services.

Bill C-8 aims to secure essential systems, encourage proactive risk management and enable responsible government intervention in cases of significant cyber-threat.

The critical cyber systems protection act will introduce a broad framework from which all critical sectors, in collaboration with government and the regulators, can develop and implement risk-informed and performance-based regulations to enhance the reliability and resilience of critical services.

Recent publicly released information about Canadian and allied intelligence agencies has made it very clear that nation states and cybercriminal organizations are actively pre-positioning within critical infrastructure in Canada and beyond. These threat actors are preparing for disruptive and potentially destructive actions targeting essential services that Canadians rely upon daily. The Canadian centre for cybersecurity, as well as allied agencies such as the United Kingdom's national cybersecurity centre have issued stark public warnings about the increasing sophistication and persistence of these threats. The urgency to act is underscored by real-world incidents and ongoing campaigns that demonstrate both the capability and intent of adversaries to disrupt or damage critical infrastructure.

I will review a few key points on the benefits of moving forward on Bill C-8.

Number one is strengthening national security and safety. Bill C-8 is crucial for protecting national security by requiring private and public organizations within critical infrastructure to adopt robust cybersecurity practices. As cyber-threats evolve and become more sophisticated, securing critical infrastructure and services is paramount to national security and public safety.

Number two is enhanced risk management. By enforcing mandatory risk management practices, the bill would help organizations move away from a reactive posture to a proactive approach that minimizes risks before they escalate into actual incidents.

Number three is government authority in high-risk scenarios. Bill C-8 would give government the authority to act swiftly during severe threats to critical infrastructure, protecting essential services and public trust. To further strengthen the effectiveness of the approach, it would be beneficial for Bill C-8 to provide greater clarity and distinction between the role of the Canadian Centre for Cyber Security as the technical authority and the responsibilities of sector regulators. Clear separation of these roles will help ensure coordinated, efficient and expert-led responses to cyber-threats across Canada's critical infrastructure sectors.

Number four is alignment with our global allies. Our allies are implementing or have already implemented similar cybersecurity laws. Bill C-8 would allow Canada to align with international partners and make it easier for Canadian companies to operate globally within secure frameworks.

Last is economic security. Cyber-attacks on critical sectors have far-reaching economic implications. By ensuring that key industries and services are protected, Canada would also safeguard its economic stability, helping to prevent cascading consequences that could arise from disrupted services and infrastructure.

In conclusion, Bill C-8 is a well-intentioned and urgently needed step to address the pressing issue of cybersecurity in Canada and in Canada's critical infrastructure sectors. The threat environment has dramatically evolved, and the threats are no longer theoretical. Action is required now to protect Canadians and our allies.

Thank you for the opportunity to address the committee. I look forward to your questions.

The Vice-Chair Bloc Claude DeBellefeuille

Thank you, Mr. Warnell.

I now give the floor to Mr. Bradley for five minutes.

Francis Bradley President and Chief Executive Officer, Electricity Canada

Thank you.

My name is Francis Bradley, and I’m the president and chief executive officer of Electricity Canada.

Electricity Canada is the national voice for electricity in the country.

The Vice-Chair Bloc Claude DeBellefeuille

Excuse me, Mr. Bradley. It seems there's a problem with the interpretation.

Sima Acan Liberal Oakville West, ON

There are something like three other English voices on the same channel.

The Clerk

We're going to do a test. Can you hear me only in English on the English channel?