Mr. Speaker, in some respects, Bill C-26 is quite complicated, but it is also quite simple. It aspires to have the risks of cybersecurity systems identified, managed and addressed so we are at much less risk because of our cyber system.
In the last while, I have had the good fortune to be the chair of the public safety committee in the previous Parliament, and I am now the chair of the defence committee. As such, I have listened to literally hours of testimony from people who are quite well informed on this subject matter. My advice to colleagues here is this: It behooves us all to be quite humble and approach this subject with some humility because it is extremely complex.
The first area of complexity is with respect to the definitions.
For instance, cybersecurity is defined as “the protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information”. Cyber-threat is defined as “an activity intended to compromise the security of an information system”.
Cyber-defence, according to NATO, is defensive actions in the cyber domain. Cyberwarfare generally means damaging or disrupting another nation-state's computers. Cyber-attacks “exploit vulnerabilities in computer systems and networks of computer data”.
Therefore, with respect to the definitions, we can appreciate the complexity of inserting yet another bill and minister into this process.
Let me offer some suggested questions for the members who would be asked to sit on the committee to look at this bill if it passes out of the House. I do recommend that the bill pass out of the House and, if it does, that the committee charged with its review take the appropriate amount of time to inform itself on the complexities of this particular space.
The first question I would ask is this: Who is doing the coordination? There are a number of silos involved here. We have heard testimony after testimony about various entities operating in various silos.
For instance, the Department of Defence has its silo, which is to defend the military infrastructure. It also has some capability to launch cyber-attacks, but it is a silo.
Then there is the public safety silo, which is a very big silo, because it relies on the CSE, CSIS and the RCMP, and has the largest responsibility for the protection of civilian infrastructure.
While the CSE does not have the ability to launch cyber-attacks domestically, it has the ability to launch a cyber-attack in international cyberspace. It is a curious contradiction, and I would encourage members to ask potential witnesses to explain that contradiction, because the more this space expands, the more the distinctions between foreign attacks and domestic attacks become blurred.
The bill would charge the Minister of Innovation, Science and Industry with some responsibility with respect to cybersecurity.
I would ask my colleagues to ask questions about how these three entities, public safety, defence and now the Minister of Innovation, Science and Industry, are going to coordinate so that the silos are operating in a coordinated fashion and sharing information with each other so that Canada presents the best possible posture for the defence of our networks. Again, I offer that as a suggestion of a question to be asked. We cannot afford the luxury of one silo knowing something that the other silo does not know, and this is becoming a very significant issue.
CSIS, for instance, deals in information and intelligence. The RCMP deals in evidence. Most of the information that is coming through all of the cyber-infrastructure would never reach the level of evidence, whether the civil or criminal standard of evidence. This is largely information, largely intelligence, and sometimes it is extremely murky. Again, I am offering that as a question for members to ask of those who come before the committee as proponents of the bill.
The other area I would suggest is to question is how this particular bill would deal with the attributions of an attack. To add to all of the complications I have already put on the floor of the House, there is also a myriad of attackers. There are pure state attackers, hybrid state criminal attackers and flat-out criminals.
For the state attackers, one can basically name the big four: China, Russia, North Korea and Iran. However, there are themes and variations within that. Russia, for instance, frequently uses its rather extensive criminal network to act on behalf of the state. It basically funds itself by with proceeds of its criminal activities, and the Russians do not care. If one is going to cripple a hospital network or a pipeline or any infrastructure on can name, then they do not care whether it happens by pure criminal activity or hybrid activity or state activity. It is all an exercise in disruption and making things difficult for Canadians in particular. We see daily examples of this in Ukraine, where the Russians have used cyber-attacks to really make the lives of Ukrainians vulnerable and also miserable.
The next question I would ask, and if this is not enough, I have plenty more, is on the alphabet soup of various actors. We have NSICOP, CSE, CSIS and the RCMP. I do not know what the acronym for this bill will be, but I am sure that somebody will think of it. How does this particular initiative, which, as I say, is a worthy initiative to be supported here, fit into the overall architecture?
Finally, CAF and the defence department are now doing a review of our defence posture, our defence policy. Cyber is an ever-increasing part of our security environment and, again, I would be asking the question of how Bill C-26 and all of its various actors fit into that defence review.