Debates of March 23rd, 2023

Madam Speaker, I very much enjoy working on the finance committee with the member and enjoyed his thoughtful remarks.

I hope my question hits the other Liberals' concerns about partisanship, as this is substantive criticism and not partisanship. We have heard concerns from both the NDP and from the Conservative Party that the bill would provide a broad swath of powers to the minister. Is the government open to delineating some of those powers so it gives additional assurances to us and to the other opposition parties?

Madam Speaker, I very much enjoy working with the hon. member on our finance committee. The member always looks for pragmatic solutions.

For our cybersecurity to work, we have to work right across party lines. We have to work across all levels of government, with all our institutions, the private sector and the public sector. That is the only way that we are going to implement a system that really has an effect and is able to combat these cybercriminals we find and what we are being bombarded with. They are always trying to stay one step ahead, and the only way for us to combat that is to work together.

Madam Speaker, I too would like to thank the chair of the Standing Committee on Finance, with whom I have the great pleasure of working. I thank him for his speech.

It is important to have a better way of dealing with all cybersecurity issues. Like the Conservative member who raised the issue, we have concerns that this bill gives the government a great deal of power to do this through regulations.

I would like the assurance of the hon. committee chair that proceeding by way of regulations is not a way to circumvent Parliament.

Madam Speaker, it is also great to work with this member on the finance committee. The way that we work on the finance committee is how this bill is being structured and how it would work. The bill talks about ensuring that we work across party lines. This is a non-partisan thing. As parliamentarians, we are all here to protect Canadians in the best way that we possibly can. We know, in our distinctive ridings, that we get many calls, emails and letters from concerned citizens who are being hit by these attacks.

I can say to the member that we will do this in a non-partisan way. We will reach out to stakeholders, again, across all lines. We have too many silos. We heard the member for Scarborough—Guildwood say that we have to break down the silos. I feel that the legislation would be able to do this, and it would strengthen our cybersecurity systems.

Madam Speaker, I would like to encourage all members to look at the seventh report from the Standing Committee on Public Safety and National Security on Canada's security stance vis-à-vis Russia. A lot of that report covers why a bill like Bill C-26 is necessary.

We can see agreement on the principle of the bill, but like my two colleagues from the Conservative Party and the Bloc, I am going to express some frustration that the Liberals did not anticipate that we in the opposition would have concerns with this first draft of the bill in terms of accountability, oversight and transparency. I wish the Liberals could have anticipated that before releasing this draft of the bill because now it looks like the committee has its work cut out for it to improve those measures. Could my hon. colleague express some comments on that particular part of this?

Madam Speaker, that is what committee work is there for. The committee has the opportunity to dig deep into the bill and look at ways to enhance and better the legislation. That is a very important aspect.

In the end, I believe that this bill is about bringing Canadians and our institutions together. It is about making sure that we break through those silos, as we have just heard, and being able to set up the type of cybersecurity system that we are all looking for. In no way do I see this to be a partisan piece of legislation. It is something that we wholeheartedly feel strongly about in the House and that we can make a significant difference on.

Madam Speaker, as I rise to speak today, all of us in this place are acutely aware of the deeply concerning realities of foreign interference in Canada’s affairs.

The Government of Canada cannot afford to ignore this troubling trend. While there are many angles from which we must consider how best to protect our national interests, as we examine the content of Bill C-26 we are focused primarily on matters related to cybersecurity. There is no question that Canada’s critical infrastructure must be protected from cyber-threats.

In our modern world, computer systems are integral to the provision of health care, powering our homes and businesses, upholding our financial systems and so much more. While these incredible tools of our time may not be visible to the naked eye, they are tremendously powerful and we cannot afford for these systems to be compromised. The consequences from a criminal's or a foreign adversary’s disruption of medical services in our hospitals or of our electrical grid would be incredibly dangerous and potentially deadly.

In its 2021 “Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack”, the National Security and Intelligence Committee of Parliamentarians concisely listed what is at stake when cyber-threats arise: things like the personal information of Canadians; proprietary information, intellectual property and research of Canadian businesses and researchers; government policies and policy-making; security and intelligence information and operations; and the integrity of government systems, to name a few.

I was grateful to hear the Minister of Public Safety, when introducing this bill, say that cybersecurity is national security. It is a simple statement, but it is true. If we truly recognize cybersecurity as an essential element of our national security, we are more likely to give it the attention it deserves.

Bill C-26 is not perfect, as has been stated here, and we must ensure we protect the privacy of Canadians, nor will it be a cure-all for every cybersecurity weakness. However, I am fully behind updating our cybersecurity legislation. I hope the Liberal government is open to improving the bill at committee stage, and I will offer my support to get it to committee.

The objective of this bill is solid: to equip government to quickly respond to cyber-threats. As any expert in the field would tell us, rapid response is critical when a serious attack is under way. However, there are key issues that remain with the bill as it is presented to us today. Make no mistake, this legislation would give the government the ability to insert itself into the operations of companies, and therefore their customers.

As Christopher Parsons of the University of Toronto wrote in a critical analysis of the bill, “There is no recognition of privacy or other Charter-protected rights as a counter-balance to proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.” As with any new power that a government gives itself, there must be extensive checks and balances. There must be transparency. Most of all, there must be oversight. What this legislation does not do is provide those much-needed guardrails. We need the safety oversight.

Giving a minister the power to order a private company “to do anything, or refrain from doing anything”, particularly when it comes to the private information of its customers, is deeply problematic. While I understand that how the minister can wield this new power might be spelled out in future regulations, I believe it must be clearly outlined in the legislation, rather than leaving it up to cabinet to decide at a future date.

We must also have a fulsome airing of what information the government could collect from companies and their customers. Almost every aspect of our lives is interwoven with digital information. From banking to how we do business and how we communicate, numerous companies have that information on each of us.

Therefore, the question that remains is this. If we grant the government access to information from companies, even for the most altruistic reasons or for national security reasons, who is overseeing those government agencies? I can assure members that the government will not be giving new powers to members of Parliament or parliamentary committees to undertake that role. We can look no further than the stonewalling Parliament is receiving on foreign interference in our democracy now. It is absolutely imperative that oversight and guardrails be built into this legislation, and I implore my colleagues on the parliamentary committee that would be tasked with this legislation to do just that.

The fact is that the government has trouble protecting its own sensitive information from cyber-threats. Many examples of cyber-attacks against the government have already been cited during this debate. There was the attack against the Canada Revenue Agency in August 2020, which resulted in 13,000 victimized Canadians. Global Affairs was attacked in January 2022. Canada Post has filed several breach reports after cyber-incidents, according to records from the Privacy Commissioner. If the government is unable to protect itself from cyber-threats, how can it be expected to protect the sensitive cybersecurity plans of private companies? The Liberal government would do well to lead by example before it can truly ask private companies to beef up their own cybersecurity practices. The weaknesses of the government’s own cybersecurity have been flagged over and over again.

In September 2020, the National Security and Intelligence Committee of Parliamentarians announced its review of the government’s framework and activities to defend its systems and networks from cyber-attack. The review resulted in a number of findings, which deserve mention.

First, the committee found that cyber-threats to government systems and networks “are a significant risk to national security and the continuity of government operations.” It also noted that nation-states “are the most sophisticated threat actors”, although the threats do not come from nation-states alone. Second, the committee found that while the government has implemented a framework to defend itself from cyber-attacks, “[t]he strength of this framework is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services.” In plain language, the report found that not all federal organizations receive cyber-defence protection. The committee review identified that, while Shared Services Canada provides some cyber-defence services to 160 of 169 federal organizations, only 43 of those organizations actually receive the full complement of its services.

Given these findings, the committee recommended that the government “continue to strengthen its framework for defending government networks from cyber attack” and apply and extend cyber-defence policies and practices equally across government. At the time, the Liberal government agreed with the recommendations that were put forward. While this was an important step toward acknowledging the issue, taking action is another thing entirely.

Just days ago, a Globe and Mail headline read, “Ottawa makes little progress shoring up Crown corporations' cybersecurity”. The report noted that this is despite 18 months passing since the National Security and Intelligence Committee of Parliamentarians raised concerns about the possibility that Crown corporations, which are still not subject to the government’s cyber-defence policies, could inadvertently serve as gateways into the federal government’s well-protected systems.

The public safety minister did not mention the NSICOP report and recommendations when introducing this bill, but I hope that the work of this committee, made up of parliamentarians from across party lines, can be helpful in enhancing the government’s own cybersecurity defences. As NSICOP has underscored, “The data of organizations not protected by the government cyber defence framework is at significant risk. Moreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole.”

In closing, the government is aware of these risks, but it has been slow to rectify the issue. While Bill C-26 covers another angle of this discussion, it does not address the problem of the government's own house. As I said already, cybersecurity laws need to be updated here in Canada. Bill C-26—

I am sorry, but the hon. member's time is up.

Questions and comments, the hon. parliamentary secretary to the government House leader.

Madam Speaker, it is interesting listening to the Conservatives speak to the legislation, because this morning they did not want to debate the legislation, and I think it is because they support it. It would be nice to see the Conservative Party actually allow the legislation to pass, come to a conclusion in debate and put it to a committee that would be able to deal with many of the issues they are talking about.

Does the member believe that there is any onus of responsibility whatsoever for the Conservative Party, once they recognize and support legislation, to at least give consideration to its passing to committee in a timely fashion so that we can see legislation being discussed at committee? Ultimately, if the Conservative Party wanted to, they could drag every piece of legislation out until 2025.

Madam Speaker, I appreciate the interjection and question from my colleague for Winnipeg North. He and I are used to debating each other from our days in the Manitoba legislature, but not too much, because we were both in opposition in those days. However, we did teach him how to speak. When we had the opportunity to filibuster, we were always short a person to speak in the Manitoba legislature, but we could go to my colleague for Winnipeg North and ask him if he wanted a chance to speak. He was the only Liberal in the house at the time, and so he never refused us. I think he learned his lesson on how to carry on well. However, I will not try to do that.

The big thing here is that Canadians need to know that the minister still has extreme powers in the bill, which is why we are making sure that we put it on the record that there need to be some amendments coming forward at committee. The government is listening to that, and I would hope that it would be willing to look at some of those amendments when the time comes, and the bill will get to committee.

Madam Speaker, in this modern age, in 2023, we are finally about to pass a cybersecurity bill. We do not oppose the spirit of this bill, but some criticisms have been raised since the bill was introduced.

University of Toronto professor Christopher Parsons has made 29 recommendations to strengthen the transparency and accountability of the measures proposed in this bill. In his view, the bill is so flawed that it would allow authoritarian governments around the world to cite it to justify their own repressive laws.

I have met with groups that support these recommendations and have concerns. They think this bill might give the minister too much power. There may also be some privacy issues for citizens.

I would like to know if my colleague shares those concerns, if he has heard about them and if he is willing to work on this bill in committee with us.

Madam Speaker, I thank my colleague for her excellent question in regard to trying to move the bill forward.

I have indicated that I do want to see the bill go to committee, and I will support it to go to committee. I did refer to a couple of remarks that Christopher Parsons, from the University of Toronto, had made, in a very critical analysis of the bill when it was brought forward. His report states, “No recognition of privacy or other Charter-protected rights exists as a counterbalance to proposed security requirements”. He was very clear on the improvements that could be made to the bill. That is why we want to see it go to the committee, so that we can actually put some of those amendments forward, unless the government brings them forward.

Madam Speaker, the intervention just before the last one was unusual, where the member for Winnipeg North said that any time a Conservative debates a bill, we are somehow obstructing it from getting to committee. However, right before the minister's speech, a Liberal member spoke. Therefore, when Liberals speak, they are debating, but when Conservatives speak, they are obstructing.

The debate on the bill may well collapse soon, but it is important to debate it. I would like the member, with the time he has left, to talk again about the serious concerns that people have with the bill and what we can look forward to at committee.

Madam Speaker, it is my expectation that we will send this bill to committee not to give it a quick rubber stamp, but instead to carefully examine it, amend it where it is needed and improve it in order to ensure that Canada's cyber-defences are the best they can be. That was the last paragraph of my speech that I did not get to present.

That would indicate to the Liberals a clearer analysis of what needs to be done.

Madam Speaker, I am pleased to join the debate on second reading of Bill C-26, an act respecting cybersecurity.

Several of my colleagues have already spoken at length about the importance of the bill and the details therein, but it bears repeating that Bill C-26 is critical to our country's national security, our public safety and our economy.

Not only would Bill C-26 introduce the new critical cyber systems protection act or—

I am going to bring the House to order a little bit. There are conversations. I would ask the members to maybe step out to have those conversations, to allow the hon. member for Fredericton to have the respect that she deserves during her speech.

The hon. member for Fredericton.

Madam Speaker, not only would Bill C-26 introduce the new critical cyber systems protection act, or CCSPA, to legally compel designated operators to protect their cyber systems, but it would also amend the Telecommunications Act to enshrine security as a policy objective and bring the sector in line with other critical infrastructure sectors.

Being online and connected is essential to all Canadians. Now more than ever, Canadians rely on the Internet for their daily lives, but it is about more than just conducting business and paying bills. It is also about staying in touch and connected with loved ones from coast to coast to coast and, indeed, around the world. That is also why the Government of Canada is connecting 98% of Canadians to high-speed Internet by 2026 and 100% of Canadians by 2030.

Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, particularly with the emergence of new technologies such as 5G, which will operate at significantly higher speeds and will provide greater versatility, capability and complexity than previous generations. These technologies certainly create significant economic benefits and opportunities, but they also bring with them new security vulnerabilities that some may be tempted to prey on.

At this time, I want to bring the perspective of my constituents in the riding of Fredericton to this important debate today. Fredericton is home to the Canadian Institute for Cybersecurity at the University of New Brunswick, with a focus on disruptive technology and groundbreaking research. The institute provides hands-on support for community and industry partners as they face emerging threats, with company-specific, cross-disciplinary research.

Led by Dr. Ali Ghorbani, Canada's research chair in cybersecurity, the institute generates datasets to help thwart malicious cyber-attacks and works in tandem with the National Research Council of Canada in an innovative hub model that will lead to discoveries and advancements in cybersecurity, including publications, patents and the commercialization of technology, as well as provide training opportunities for graduate students and post-doctoral fellows.

Innovative cybersecurity research is conducted with a focus on Internet security, artificial intelligence, human-computer interaction and natural-language processing. I was honoured to welcome many ministers to my riding and to connect them with researchers and leaders in the industry to showcase how my community distinguishes itself in this sector. Fredericton is at the forefront of this new age and the challenges it presents, and I could not be more proud.

Even if there is enormous potential for Canadian digital innovation and expertise in cybersecurity, and I am witnessing it every day at home, we also need to face the fact that cyber-threats are growing in sophistication and magnitude. In 2021, close to 200,000 businesses across the country were affected by cybersecurity incidents, and this number continues to grow. Each of those businesses is not merely a business. It is comprises hard-working owners and employees, with families to feed and bills to pay. It is all the more maddening that many of these businesses must spend precious amounts of time and money preventing or fighting back against these incidents, many of which involve stealing money or demanding ransoms.

Canadian businesses have spent billions of dollars over the last years to detect and prevent cybersecurity incidents and, consequently, they have been experiencing downtime and a loss in revenue. Cybercrime is costly, and those who are bearing the brunt of it are Canadian businesses.

We also know that at all levels of government, we have not been immune from these kinds of attacks, even, horribly, hospitals. Earlier this year, the Toronto SickKids hospital was targeted by a ransomware attack affecting its operations. Closer to home, in Atlantic Canada, a ransomware group was behind the 2021 cyber-attack that paralyzed the Newfoundland and Labrador health care system.

Beyond the monetary implications, attacks like these have the real-life potential of impacting the health and safety of the ones we love, and we must do everything in our power as legislators to put in place effective safeguards. The effects on Canadians demonstrate beyond a doubt why we need to strengthen Canada's cybersecurity systems. As lawmakers, the least we can do is ensure that Canada and its institutions and businesses can continue to thrive in the digital economy and that our banks and telecommunications providers can continue to provide Canadians with reliable services.

Bill C-26 would modernize existing legislation to add security to the nine other policy objectives in the act, bringing telecommunications in line with other critical sectors. The bill would also add new authorities to the Telecommunications Act, which would enable the government to take action to promote the security of the Canadian telecommunications system.

As mentioned, in recent years, Canada's cybersecurity status has been tested by a variety of threat campaigns targeting critical infrastructure, businesses and individuals. The increase in digitization has led to the weaponization of digital tools and processes. This results in the disruption of critical systems and causes a lack of confidence in physical, psychological and economic well-being.

I am proud of all the work that has been done to secure Canada's critical telecommunications infrastructure, but I do not want us to lose sight of the work still to be done. The advent of the COVID-19 pandemic was a catalyst for bolstering national and international cyber-defence practices, requiring improved policies, guidance and cyber-intel.

Furthermore, given what is happening in Ukraine with the Russian invasion, we know that there are still military threats in the 21st century. However, we are also dealing with the emergence of new technologies that pose non-military threats.

With rising geopolitical tensions, government-driven hostile cyber-operations are more prevalent now than ever, posing an increased threat level to Canada's national security, economic prosperity and public safety.

In the 21st century, cybersecurity is national security, and it is our government's responsibility to protect Canadians from growing cyber-threats. That is exactly why we have developed Bill C-26.

It contains a multitude of important measures to protect Canadians and Canadian businesses. It is a carefully designed, multipronged approach. Part 2 of this act would enact the critical cyber systems protection act to provide a framework for the protection of the critical cyber systems that are vital to national security and public safety.

It also authorizes the Governor in Council to designate any service or system as a vital service or vital system, and requires designated operators to establish and implement cybersecurity programs, mitigate supply chain and third party risks, report cybersecurity incidents and comply with cybersecurity directions.

Introducing the new critical cyber systems protection act would strengthen baseline cybersecurity and provide a framework for the government to respond to emerging cyber-threats.

It is essential that we keep pace with the rapidly evolving cyber-environment by ensuring we have a robust, legislative framework in place.

In short, Bill C-26 is essential to helping keep Canadians and their data safe. In a world as connected as ours, we cannot take that for granted. Once again, cybersecurity is national security.

I am looking forward to this bill being sent to committee, and I encourage all members to join me in supporting Bill C-26 in subsequent readings.

Madam Speaker, it is great to see my fellow 2019 member in the House.

My question is with respect to a theme from all the opposition parties. We generally support the idea of cybersecurity legislation and it is actually well overdue. The challenge is that many of the powers are not sufficiently delineated, and it gives the government quite a bit of power. Without being partisan and talking about particular failures, I think giving any government that much power without delineating it would pose concerns for any opposition party.

Is the government open to making amendments?

Madam Speaker, my hon. colleague and I are part of the class of 2019.

That is why a bill works its way through the House. Hopefully this is something that could be discussed at the committee phase, once it has passed through.

It also speaks to the important role of the official opposition in questioning these kinds of powers and holding the government to account. Certainly, I think we are open to these discussions continuing. Any way we can strengthen the bill is a win for Canadians.

Madam Speaker, I have a bit of a technical question for my hon. colleague. We are wondering how such legislation would apply, for example, to Hydro-Québec, the public utility in Quebec that generates electricity, since the legislation designates interprovincial power lines as a vital service and a vital system.

Does my hon. colleague have any idea what this could mean for Hydro-Québec, a public utility?

Madam Speaker, I do not have a technical response for the very technical question that the member asked. We have to consider the importance of protecting our electrical grids. New Brunswick relies heavily on our partners in Quebec, so it would certainly have implications for my constituents.

These are questions that we need to ask and hopefully consider during the committee stage, and hear testimony from witnesses that would be able to address those concerns.

Madam Speaker, I am pleased to hear from my Liberal colleague that the Liberals are open to much-needed amendments to this bill to increase the oversight, transparency and accountability on the executive branch.

I just want to read a quote from Jérémie Harris, who is the co-founder of Gladstone AI. He said, “ChatGPT is a harbinger of an era in which AI will be the single most important source of public safety risk facing Canada. As AI advances at a breakneck pace, the destructive footprint of malicious actors who use it will increase just as fast.”

Does my hon. colleague have any comments on how fast this technology is advancing, and how important it is that we equip all of our agencies to keep those vital systems safe?

Madam Speaker, I have a lot of concerns about how fast technologies are developing, particularly around artificial intelligence and facial recognition technology. All these moving pieces have incredible implications, especially for vulnerable people in our communities. It deserves a hard look by all members of the House, particularly in the committee that would be studying this legislation, but I think beyond that as well.

We are in a new, unpredictable time. I mentioned, in my speech, a lot about geopolitical factors and a lot of threats that are coming in. We do not know what we do not know at this point, and I think that causes a lot of fear. This is a conversation that is long overdue, and I thank the member for allowing me the opportunity to enter into that space. I really hope we have more fulsome discussions around those aspects in particular.

Madam Speaker, I would be interested in the hon. member's thoughts on how we protect rights without going down the rights rabbit hole that leads to paralysis with respect to a space that is going so fast that very few of us can actually comprehend how fast it is moving.