Mr. Speaker, it is wonderful to have an opportunity to speak to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.
I think this is such an important topic, and it is something we need to be very aware of, especially in this increasingly digital era. We are seeing more and more attacks on cybersecurity happening here in Canada and around the world. I support the overall concept of the bill, and I want to see it go to committee so that we can have further study, as well as some amendments to alleviate some of the concerns that I, some of my colleagues and different stakeholders have brought forward. However, I have some questions I want to pose and put forward in the hope that the minister will have a plan to address some of them.
One big question I have is that the bill is pretty vague when it comes to the definition of “critical infrastructure”. Coming from northern Alberta, critical infrastructure can look very different from what it would look like in a larger centre in an area further south. One of the things I immediately thought of was whether a pipeline would count as critical infrastructure. Frankly, in northern Alberta, at the very minimum, pipelines not only export our oil but also bring up gasoline and natural gas, which are the ways we heat our homes. Most homes, at least in the Fort McMurray area, are heated with natural gas. In the wintertime, specifically and especially, if somehow a natural gas pipeline were to be the target of a cybersecurity threat, that could actually have devastating consequences and cause thousands of people to freeze.
I think this is the kind of question we have as to what exactly critical infrastructure is.
One of the other big pieces is that critical infrastructure seems to be defined in terms of what small and medium-sized businesses and not necessarily different government actors have. Different layers of government have different pieces of infrastructure that could also be attacked by cybersecurity threats. I think of provincial governments. Some of the big pieces for cybersecurity threats would probably be in hospitals, but it could go far beyond just a hospital, depending on the community. In the case of a specific emergency, like a fire, flood or some other natural disaster, the definition of critical infrastructure might be very different.
While I understand the idea of keeping it broad, a hacker or bad actor could specifically target an area in the case of an emergency or natural disaster because they know we are already in a weaker state. I think it is important to have some pieces in place so there can actually be plans to ensure that is not going to happen. That is something the legislation needs to define, and I would urge us to define it and specifically include pipelines as part of critical infrastructure. This is especially the case because we have gone into this space where so much is digitized.
There is digitization in just about every aspect of our world, so it becomes a question of actually having to define some of these pieces. We cannot just leave this all up to regulation. I think some baselines need to be set out in this piece of legislation in order to make sure we are actually talking about the same things. In this way, we can plan for future pieces of infrastructure we do not currently know are important and part of this plan.
While the legislation would give absolutely broad and sweeping powers to government, it does not seem to have any safeguards in place. I think the lack of safeguards is very concerning. I think back to the floods that were experienced in southern Alberta in 2012. Through the process of those floods, for a number of reasons that were not necessarily well defined, the RCMP decided to go into High River and seize guns. The RCMP made a decision not to seize guns in Calgary or other communities, but in High River, it decided to go in and seize guns.
This is a piece where we need to be very careful and make sure we have some safeguards in place. Then, in the case where there is government overreach in trying to prevent a security threat, there is recourse available that is defined in the legislation. It should not be left to regulation, where it could be changed at the whim of a minister. This is so important.
Another big, important piece that is scary to me is the fact that the government has all this work in place to make sure that small and medium-sized businesses, and other businesses, have security plans, which they must send to the government. However, what work is the government doing specifically to ensure that it is prevented from being part of a security threat? How many times has the federal government been hacked? In recent memory, it has been hacked a number of different times in different ways. This may be our email system or the House of Commons intranet. Some of these pieces are very much at risk. Is it a smart idea, from a security standpoint, to have everything housed in one place? What kinds of safeguards would we have such that information is not accessible should that aspect of the government be hacked? In turn, we want to make sure hackers do not find out all of our security plans so they can get around them or mess with things they identify as unprotected. That is one of the interesting pieces.
The bill also stipulates that businesses are to share with government but not that the government has to share with businesses. While I understand part of why the government would do that, I think having a two-way dialogue when it comes to this information is going to be important. We should be trying to work towards best practices whenever possible. An organization in one part of the country might be doing something that is innovative and substantially safer for all Canadians that prevents security threats compared with another part. Such information should be shared, not just held by government, so we can build on best practices in case there is an emergency at some point.
The other big question I have with respect to this bill is: What has the government done to work with municipalities, provinces and first nations governments to ensure that this is going to respond to their cybersecurity threats and cybersecurity needs? This is a piece where I do not want to let perfect be the enemy of good. Quite frankly, we are not going to know what the next big threat is; however, we need to make sure we are protected and must try to apply as many best practices as possible so that we do not open ourselves up to unintended risks.
This is about making sure we are taking care of all the little links in the chain. We can have a very robust system and an amazing plan in place, but if we have one weak link, it counts for nothing. That is why we need to send the bill to committee now. We need to have some very robust conversations with security experts from around this country and the world to make sure we do not have any weak links in the chain. All it will take is one weak link for this entire pyramid to collapse. It will crumble apart. This is something that, as Canadians, we all need to be prepared for and ready to address, as well as having meaningful and robust conversations around it.
With that, I am thankful for this opportunity.