Transport Committee on Dec. 13th, 2023

I'd like to proceed with the business of the committee so that we can complete this night on a friendly tone. If not, I will continue interrupting.

Thank you, Mr. Iacono.

Mr. Kurek, go ahead once again.

Thank you, Chair. I appreciate that and certainly when it comes to the respect I have for all members—they're duly elected—I find very curious the tone that this conversation has all of a sudden taken.

When it comes to the very direct relevance, I will quickly finish reading this because I know my colleagues want to have an opportunity to intervene as well. Let me jump back to where I was, Chair, and look forward to the relevance of this to the matter at hand.

The CCLA goes on to say,

Secrecy undermines accountability and due process: Bill C-26 enables the government to shroud its orders in secrecy, with no mandatory public reporting requirements. While there is an understandable need for some degree of confidentiality in this sphere, the public needs to have a sense of how these powers are being exercised...and to what effect, if decision-makers are to be held to account. Individuals and services collaterally impacted by Bill C-26 must also be given an opportunity to challenge Security Orders.

The next point is “Unknowable orders trump public regulation”.

Bill C-26 tilts the balance so far towards secrecy, its orders and regulations may take precedence over decisions previously issued by regulatory agencies, risking confusion where such regulatory decisions are public while the Security Orders are not. This threatens the integrity and accessibility of Canada's regulatory frameworks, and renders the security-related rules currently in effect unknowable for members of the public.

They go on to say in the next point, “Secret evidence in Court” that:

Even if Security Orders are subjected to judicial review, Bill C-26 could restrict applicants' access to evidence. The legislation does not include any consideration of security-cleared advocates to be appointed on applicants' behalf, as happens in other national security cases. While such provisions are an imperfect solution for due process, they do provide at least a minimal level of protection for applicants' rights. C-26 even empowers judges to make rulings based on secret evidence that is not provided, even in summary form, to applicants or their legal team. It also places the onus on the target of Security Orders to bring legal proceedings, with the associated cost burden.

Next is “Power without accountability for the CSE:”

The CCSPA would let the Communications Security Establishment—Canada's signal intelligence and cybersecurity agency—obtain and analyze security-related data from companies that Canadians entrust with their most sensitive personal information. This would include federally-regulated banks and credit unions, telecommunications and energy providers, and even some transit agencies. The CSE's use of this information is not constrained to the cybersecurity aspect of its mandate, and any uses would be largely subject to after-the-fact review rather than real-time oversight, resulting in a significant deficit in democratic accountability.

Their final point states that there's a lack of justification.

Although the government claims that such sweeping and secretive new powers are required it has not published any sufficiently comprehensive data establishing the necessity and proportionality of the proposed powers.

They conclude by saying:

In sum, cybersecurity is important and we need to get it right: All residents of Canada can agree on the need for cybersecurity. However, civil liberties, privacy, and confidence in the rule of law and accountable governance are foundational for that sense of security. It is imperative that in its efforts to deliver strong cybersecurity for people in Canada, the government also ensures accountability and upholds basic rights.

I have a point of order, Chair. I'd like to know what the speakers list is.

We have Dr. Lewis next, then Mr. Muys, followed by Mr. Bachrach, followed by Mr. Patzer and then once again Mr. Strahl.

Mr. Kurek, please go ahead.

Thank you very much, Chair. I appreciate that very timely intervention because I am concluding this letter. I would ask to be put back on the list because I'm sure there will be further interventions that are required later.

This provides valuable insight into some of the connections that exist between the bill that we have here before us and another bill that is before the public safety committee, and certainly finding that correct tension that exists to ensure that we can protect physical transportation infrastructure, the critical nature of that in our country, and to ensure that when it comes to this clause.... The connection it has with the cyber element of that is very closely connected.

Chair, I thank you, and I appreciate the committee's indulgence. I know that sometimes debate can be heated.

I would take this opportunity to wish all members a very merry Christmas. I do appreciate the opportunity to engage on such an important issue.

Just to reassure members of the committee of my engagement on the subject, I ensure you that I take my role very seriously as a representative of that swath of east central Alberta of about 110,000 people I have the honour to represent in this place, many of whom, I would note, put their confidence in me and the work that I do here.

I know there is a Christmas greeting coming their way shortly, but I wish a very merry Christmas to everyone else around this table and offer a big thanks to the clerks, the translators and everyone else who enables the work we do here on Parliament Hill, including those who sometimes aren't recognized. I wish them a big thank you for helping make democracy work.

I look forward to hearing what Dr. Lewis has to say.

Again, Chair, just to note, I'd like to be put back at the end of the speaking list.

Thank you.

Thank you, Mr. Kurek.

Dr. Lewis, the floor is yours.

Mr. Chair, I have a point of order.

The floor is yours, Mr. Iacono.

I apologize for interrupting our colleague, but I am having trouble hearing the French interpretation of her remarks. I don't know whether she is wearing her electronic devices properly.

Thank you, Mr. Iacono. We will check.

Dr. Lewis, are you wearing the government-issued headset?

Yes, I am.

Okay, we're getting the thumbs-up from Mr. Iacono.

My apologies, Dr. Lewis. The floor is yours.

As I was saying, what is very concerning is that Canada is one of the few G20 nations without a firm regulatory framework around cybersecurity. It's essential at this point, when we're looking at Bill C-33 and Bill C-26, that we keep in mind the need for Canada to act to protect the nation's critical infrastructure and the interconnectedness of these two bills.

We also know that in 2016, member states of the EU passed what was called the most comprehensive cybersecurity bill in the history of the EU. The bill was called the NIS Directive. The EU cybersecurity rules, which were introduced in 2016, were updated and later ratified in 2023. They continue to modernize and create this legal framework, which I think is quite instructive in the Canadian context. It keeps up and it increases the digitization...and the evolving cybersecurity threat, which is something we are attempting to grapple with in the present bills we are contemplating.

Expanding the scope of cybersecurity rules in the new sectors and entities further improves the resilience. We have dealt with resilience in the infrastructure context in this committee. This is also a very important part of what we're talking about in Bill C-33.

We have seen the problems that a huge infrastructure gap can cause, and one of the problems is the ongoing lack of transparency. We have seen, in our situation with the taxpayer-funded Canada Infrastructure Bank, an unacceptable performance over the last seven years. We want to build mechanisms into Bill C-33 to make sure we're not falling into the same traps and shortcomings we've had with other legislation.

Moreover, we have provisions in Bill C-33 that also raise concerns on cybersecurity and response capabilities of the public and private sector entities and competent authorities. In the case that I was discussing before, the EU as a whole can be used as an example of a model that Canada could adopt. When we're contemplating this bill, I think we should look at enabling legislation from different jurisdictions.

We know that most G7 member states are under the umbrella of the EU. The U.S. and the U.K. and Japan have separately implemented cybersecurity regulations to differing degrees, which I think are also instructive in how we confuse Bill C-33 with Bill C-26.

We also have to look at Canadian businesses and how they continue to be impacted by malicious cybersecurity and cyber-activity. This ranges from cyber-attacks to ransomware, and even things that we are exposed to on an everyday basis.

Many of these attacks include those on critical infrastructure. That accounts for nearly half of the attacks, and many of those go unreported.

This is very concerning. The Canadian Centre for Cyber Security has identified attacks on operations networks. They've also identified attacks on how it would impact the physical safety of Canadians. That was published in their biennial publication, the “National Cyber Threat Assessment”.

Now, in this context, when we look at the Ministry of Public Safety, we know that they acted to introduce new legislation, Bill C-26, an act respecting cyber security. I believe it was at the first stage in Parliament sometime in November 2022, and it went through second reading, I think, on March 27, 2023. Bill C-26 currently sits in committee. I believe it's going into law, if it hasn't done so already. When we look at where it is, going through the committee stage, and we look at the fact that Bill C-33 is contemplating sections of this bill, we know that it's very important for us to focus on it, because it may have the capacity of adding teeth to the governance and compliance structure of cybersecurity in Bill C-33.

It's very important that we look at the interconnectedness of these two bills, especially inasmuch as is needed in the area of operational technology where critical infrastructure lies.

Although we don't know how the bill is going to necessarily impact on Bill C-33, between the absence of similar legislation in Canada.... We don't know what the impact is going to be, because this is new. This is untested territory, but we know there is an increasing trend toward increased cybersecurity regulation among our international peers.

Having practised international law for a number of years, I can see the importance of Canadian businesses being prepared. Contemplation of this aspect of the bill and how it will be infused in Bill C-33 is very important at this time.

Canada does not have an overarching governing cybersecurity legislation, let alone require the reporting of vulnerabilities in critical infrastructure breaches, which is extremely problematic. Bill C-26 would empower some regulators to impose fines or issue some summary convictions to ensure governance and compliance. This is something that my colleague, Mr. Kurek, spoke about. It's critical to turn our minds to that, especially as we contemplate this bill.

Now I'll go back to Bill C-26. In its current form it includes four critical infrastructure sections, which I think are related to the transportation aspect of Bill C-33. When we look at the transportation corridors that are contemplated in Bill C-33, we see, in Bill C-26, that it's very important to look at these four critical infrastructure sectors: telecommunications, finance, energy and transportation.

The requirements for organizations in these sections are threefold.

First is to implement, maintain and report on the cybersecurity program, which will essentially address the risks across organizations. It will address the risk in third party services. It will address the risk in supply chain—

Accept my sincere apologies, Dr. Lewis. It looks like we've reached our limit for this evening.

I want to take this moment on behalf of the committee to thank our witnesses, who joined us in person and online. Of course, for the extended hours they provided as well, our thanks go to our clerks, our support staff and our interpreters, who also stayed late and gave us seven hours today.

I also want to take a moment, finally, to thank all of the members of this committee for some good work that I think we did this fall session. I look forward to the good work that awaits us in the new year.

With that, this meeting is adjourned.