Evidence of meeting #20 for Public Safety and National Security in the 45th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.)

Before the committee

Mélanie Joly  Minister of Industry
McMicking  Associate Assistant Deputy Minister, Strategic Policy Sector, Department of Industry
Arbour  Director General, Telecommunications and Internet Policy Branch, Department of Industry
Kwan  Director General, Spectrum and Telecommunications Sector, Department of Industry

4:45 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

That's confirming that Bill C-8 would give government the legislative authority it currently lacks to order telecoms to remove or to prevent the installation in the future of hardware that could threaten our telecommunications system.

4:45 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

Yes, that's correct. The legislation is just a framework. It is not specific to any one country. It's agnostic to the types of threats that threaten the underlying infrastructure. Yes, it would give the authority to manage supply chain risks, including high-risk vendor equipment.

4:45 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Do you understand and remember the context in which Bill C-26 was first brought in? Do you acknowledge that the context of that legislation was to give the government the legislative authority to remove Huawei specifically from the telecommunications system?

4:45 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

That was a substantial factor, but it was far from the only one.

4:45 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

I agree. It wasn't the only factor.

Now, as far as you know, is it still the government's objective to order the removal of any remaining Huawei infrastructure from the telecommunications systems, if it does remain after this legislation is brought into force?

4:45 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

The 2022 policy still stands. There's been absolutely no change to that.

The tedious bureaucratic addition to that is that ultimately any legal removal via an order in council, via the Governor in Council, can only be considered after royal assent. Also, the provisions of the law in question require consultation, and the government has been consistent, including in its 2022 policy, that it will consult before finalizing any rules.

4:45 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Given the Prime Minister's recent trip to China and the reset of relationships, are you aware of any...? You said that there's currently no change from the 2022 policy. Are there any proposed changes in relation to China's hardware and our telecommunications systems coming out of the recent meetings in Beijing?

4:45 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

I am not aware of any changes to the government's 2022 policy. Also, any rules, should Bill C-8 receive royal assent, will be subject to consultation.

4:45 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Thank you for that.

In reference to the bill's previous iteration, the intelligence commissioner, whom we had at committee—and I think he was actually sitting beside you at the time—testified that he thinks there's a “glaring absentee” in this bill, and that is “the Canadian public”. The information that is collected is Canadians' personal information.

He went on to say that in every case he's seen as the intelligence commissioner, a warrant is needed. You can obtain it from a justice of the peace, from the Federal Court or from a quasi-judicial officer. In the present bill, there doesn't seem to be a requirement for such a warrant. Why is that not in Bill C-8?

4:50 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

The scoping of Bill C-8—colloquially, but this is how it's actually drafted—is regarding the regulation of the underlying telecommunications systems. Therefore, information collected from the private sector can only be collected if it's relevant to protecting those systems. Someone's personal information is not germane to that activity.

4:50 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

However, the intelligence commissioner said that, in every case he'd seen, personal information was included in all of the reports that crossed his desk.

4:50 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

If there has been a cyber-breach and information has been accessed, for instance, that may be one circumstance where personal information is involved. However, if I want to establish a rule that requires a regular installation of software patches and underlying network infrastructure, I don't need anyone's personal information, and it's not—

4:50 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

You said that it's not germane, so are you saying that people's personal information would not be included in Bill C-8 and that there wouldn't be situations where people's personal information would be shared under Bill C-8?

4:50 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

We have not been able to think of a scenario where that would be necessary.

The powers in Bill C-8 are modelled on existing powers for non-security reasons in the Telecommunications Act and in the Radiocommunication Act. There are similar authorities in the Insurance Companies Act and in nuclear safety.

They are scoped by the fact that what is relevant is regulating the ongoing conduct of these network industries, and someone's personal information doesn't have bearing on that. The network infrastructure doesn't care about the content of the information. It's all zeros and ones, and—

4:50 p.m.

Conservative

Dane Lloyd Conservative Parkland, AB

Concerning these threats to the cybersecurity system, maybe we're talking about natural disaster threats, but the threats that I think we're talking about have people behind those threats. Wouldn't there be context provided that so-and-so or such-and-such an entity that contains these people is planning to do something that could threaten the integrity of the telecommunications systems? Would that not be a scenario where personal information could be included?

The Chair Liberal Jean-Yves Duclos

Could we have a very short answer, please? We may be able to come back to that.

4:50 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

The information can only be collected when it's relevant to an order-making authority. This is about the management of the underlying infrastructure. That is the circumstance already scoped by which that can be done, not for law enforcement or criminal investigations.

The Chair Liberal Jean-Yves Duclos

Thank you.

MP Acan, you have six minutes, please.

Sima Acan Liberal Oakville West, ON

Thank you, Mr. Chair.

It has been repeatedly noted in this committee's studies that Canada is currently the only G7 country without mandatory cyber-incident reporting or legislation explicitly protecting critical infrastructure. Could you explain how Bill C-8 will address this gap, ensure that our vital systems are secure and align Canada's regulatory posture with Five Eyes partners like the U.S. or Australia, particularly with respect to the speed of response when threat actors are already prepositioned?

4:50 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

Part 1 of the bill concerns amendments to the Telecommunications Act. That is a long-standing piece of legislation. This would ensure that there is a new policy objective that gives explicit authority to regulate in advance of the security of the telecommunications system, along with associated authorities to issue rules to collect information and to ensure compliance.

This allows the government to take action to ensure that companies have the appropriate security and response plans in place so that they are preventing threats and responding to them, and installing vital systems to ensure that their networks are as reliable as practical under the circumstance. It also allows the government to collect information on the threats to that infrastructure as a mechanism of continuous improvement, to issue the new sets of rules, but they're limited to the management of the infrastructure itself.

Part 2, led by the Minister of Public Safety, has a set of baseline cybersecurity protections across federally regulated sectors, and that's to ensure a level of consistency, given the interdependent nature of cybersecurity threats that affect different aspects of critical infrastructure.

Sima Acan Liberal Oakville West, ON

Thank you very much.

I'll get into the national security portion and the economic threats to our industries in a little bit more depth.

We've heard concerns about the financial burden of rip and replace orders for high-risk equipment; however, Public Safety Canada has indicated that a single data breach costs Canadian business—as the minister confirmed—nearly $7 million on average, with the total economic impact of cyber-incidents reaching $5 billion annually.

In your view, how does Bill C-8 provide a necessary framework for long-term economic stability and for preventing the catastrophic loss of productivity and reputational damage associated with a critical infrastructure failure? Could you please also explain the implications for the industry and how this would also damage our economy and our national security?

4:55 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

Certainly, the damage from cyber-incidents is substantial, as the minister outlined, and dwarfs the extent of costs in terms of protection up front. It's a cliché, but an ounce of protection is worth a pound of cure. It's much better to have protections built in as part of your ongoing business activities, so when you buy that next generation of equipment—we're on 5G now, but 6G is going to be the next thing—you have security principles built into your procurement and planning up front.

Certainly, when we contemplate rules under our current authorities—for example, for spectrum management planning, when we are thinking about spectrum auctions and that type of thing—we design the rules with the life-cycle considerations for industry, to minimize the impact on that industry so that they can build that planning into their normal procurement cycles.

Sima Acan Liberal Oakville West, ON

Thank you very much.

You mentioned 5G and 6G technologies. Experts have also noted that the legacy mobile networks were often insecure by design. As we transition to 5G and 6G infrastructure, which rely heavily on software-defined networking, the attack surface for state-aligned actors increases. Can you elaborate on how the new order-making powers will allow the government to proactively mandate vulnerability assessments and secure-by-design principles, rather than relying on the private sector to bolt on security after the breach has already occurred?

4:55 p.m.

Director General, Telecommunications and Internet Policy Branch, Department of Industry

Andre Arbour

The department has an ongoing dialogue with industry, but it's purely on a voluntary basis at this time in terms of trying to socialize and encourage best practices.

I think the authorities enabled by Bill C-8, first, would allow for clearer information on the nature of those threats, to allow for prioritization of actions. It also moves beyond the purely voluntary toward being able to establish rules in terms of the procurement of the equipment or services that are going into the network.

With cybersecurity and response plans, the first objective is to prevent an incident, but the reality is that you're going to have one. That's unavoidable. You're going to have a hurricane or you're going to have a cyber-attack. Those exist. A core aspect of resilience is having a response mechanism so that when there is an incident, you can address it, manage it and secure the network as quickly as possible after the fact.

The Chair Liberal Jean-Yves Duclos

Thank you very much, Ms. Acan.

Mrs. DeBellefeuille, you have the floor for six minutes.