Debates of March 6th, 2023

Madam Speaker, it is an honour to rise again in the House to speak to Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts. My Conservative colleagues and I, as has been indicated, support this legislation being sent to committee for further study, as it needs a lot of further work and amendments.

For those watching this debate, who have not had time to review the legislation, the bill has two main parts, as has been explained throughout the day. The first part would amend the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.

The second part of the bill would enact the critical cyber systems protection act, which is a new act, that attempts to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are designed to operate as part of a work, undertaking or business that is within the legislative authority of Parliament. Services and systems that would initially be designed and designated as vital are telecommunications systems, interprovincial or international pipeline and power line systems, nuclear energy systems, transportation systems, banking systems, and clearing and settlement systems. Any additions to this list of vital systems can be made and added to by the Governor in Council.

The critical cyber systems protection act would have several components to it. It would authorize the Governor in Council to designate any service or system as a vital service or vital system; it would authorize the Governor in Council to establish classes of operators in respect of a vital service or vital system; it would require designated operators to, among other things, establish and implement cybersecurity programs, mitigate supply-chain and third-party risks, report cybersecurity incidents and comply with cybersecurity directions; it would provide for the exchange of information between relevant parties; and would authorize the enforcement of the obligations under the act and impose consequences for non-compliance. Those would be significant consequences, I might add.

On its face, it seems that the Liberals have finally awoken after eight years of doing absolutely nothing on this file, yet somehow they hastily scrambled to cobble together a proposition for sweeping changes to a regulatory framework, which this legislation would enact.

The Civil Liberties Association said, “The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.” We understand that a modernization in this field may be required to do so without the caveats of being necessary, proportionate and reasonable to take it one step too far for Canadians to accept.

For support of this argument, the Liberals only need to look at the research report from Citizen Lab, written by Christopher Parsons. The report is called “Cybersecurity Will Not Thrive in Darkness, A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. That report provides 30 recommendations that clearly lay out common sense changes and how this legislation could be improved to include transparency or at least apply limitations on the government's authoritarian use of power. For the benefit of the careless drafters and my Liberal colleagues across the way who would happily vote on any flawed legislation their leader tells them to without bothering with independent thought or even reading its criticisms, I will take some time and share the flaws.

Citizen Lab also seems to address what appears to be a recurring theme with the government: a lack of transparency and limitations on the government's authoritarian use of power. It too addresses that, “The minister may, by order, direct a telecommunications service provider to do anything or refrain from doing anything...that is, in the Minister’s opinion, necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.”

That, too, seems a little broad. Amendments need to be applied that include a limitation on the minister's powers, ensuring that actions are necessary, proportionate and reasonable. This government has proven that it cannot be trusted with powers without strict limitations. It is simply unable to self-regulate.

The Canadian Civil Liberties Association and Christopher Parsons agree again on the lack of privacy and broad provisions around information sharing.

The CCLA writes:

Also concerning are the very broad provisions around expanding information sharing with a long list of potential recipients including Ministers of Foreign Affairs and National Defence, the Canadian Security Intelligence Service (CSIS), and also, once an agreement is signed, with provincial governments, foreign governments, or international state organisations, again, at the Minister’s discretion. The Communications Security Establishment (CSE), Canada’s signals intelligence agency is also a key recipient of information.

The Citizen Lab review echos how the government ought to have included provisions that respect information privacy. To any Canadian listening, this does not sound like too much to ask. Specifically, the Citizen Lab report recommends that “information obtained from telecommunications providers should only be used for cybersecurity and information assurance activities".

It also recommends that “government should explain how it will use information and reveal the domestic agencies to which information is disclosed”. The report says “information obtained for telecommunications providers should only be used for cybersecurity information assurance activities”. It should only be used for “data retention periods”, and that it “should be attached to telecommunications provider's data”. Citizen Lab states that “data retention periods should be attached to foreign disclosures of information”. It also indicates that “telecommunications providers should be informed which foreign parties receive their information”, and “legislation should delimit the conditions wherein a private organization's information can be disclosed”.

Why does the government need to be told that its legislation has these fundamental flaws by outside organizations? Many are asking: Do these Liberals have no shame when it comes to the privacy of Canadians?

The CCLA further points out that, although there is an appeal process through judicial review, when the subject of an order finds it to be unreasonable or ungrounded, it suggests that, under Bill C-26, the government overlooks the basic, fair process that even a national security threat would receive. The Citizen Lab, on the other hand, discusses that the government fails to compensate for government intrusion into small business. Mr. Parsons proposes that the legislation should be amended such that telecommunications providers can seek moderation of “certain orders where implementing them would have a material impact on the provider's economic viability”.

In conclusion, while it is notable that the Liberal government has finally awakened to this topic, the legislation has again missed some pretty traditional marks of Liberal legislation. It leaves citizens at risk of major government overreach. It takes the privacy and information of Canadians for granted. It relies on a system of review that falls short of due process, and it leaves businesses susceptible to bearing the costs of an overbearing government. Lastly, this is typical lazy Liberal legislation.

Mr. Speaker, let us look at the bungling that has gone on in recent years. Ottawa arrested Meng Wanzhou, not for a common law crime, but for failing to comply with an American embargo. It kowtowed to the Americans on an embargo that Canada does not even share.

There is also Ottawa's refusal to follow the leadership and initiative of the U.S., which acted very quickly with regard to Huawei. Does that not demonstrate a glaring lack of vision?

Mr. Speaker, I think many Canadians are wondering why the government took so long to act on Huawei. Our Five Eyes allies have certainly put pressure on Canada and acted previously to ensure that their 5G systems were not compromised, which had been found to be the case with the Huawei technology. That is why, in my statement, I made some comments that this government is finally waking up, after all this time, to deal with some of these issues we are facing as a country.

Mr. Speaker, I will say it again: It does not feel like the Liberals are taking due care in presenting legislation. In listening to the debate today, I am really concerned, not only as a Canadian but also as a parliamentarian, that there is not enough knowledge in the House to be even having this discussion. I would like to know from the member whether there have been adequate technical briefings from the Liberal government in regard to this legislation, because it seems like this is a lot more serious than what this debate is holding to today.

Mr. Speaker, we all know that cybersecurity issues are a fast-moving target and how they change almost monthly. One thing that I can be confident in is our national security agencies that deal with some of these issues on cybersecurity. They are working diligently on our behalf. I would agree that there would be very few of us in the House who would have the technical capacity to understand much of what we ask our defence agencies, our national security agencies and our cybersecurity agencies to do for us on behalf of our country.

I would encourage the government, as was indicated by my colleague, to enlighten the House and to provide briefings by those technical experts in government and from our public servants. We would all benefit, not only from the study of this bill but also from the ability to answer our constituents who have cybersecurity questions. We could answer them more intelligently.

Mr. Speaker, I appreciated the speech by my colleague from just south of my constituency. Certainly, this is an incredibly complex and important series of issues. They are not just related to this particular bill but a whole host of larger security and cybersecurity issues. I wonder if the member could provide further comments, specifically on the lack of leadership that Canada has shown on the world stage over the last eight years that this Prime Minister has been in charge, and has it impacted Canada's reputation globally?

Mr. Speaker, it is disconcerting, as Canadians, when we look at the history of the Liberals since they have been in for seven years and five months. Inflation brings it to eight years.

One of the things that is important is we have lost face, if one wants to use that term, with our global partners and our Five Eyes agencies that have now gone and done things without us. That is because we have not been at the table. We have been slow to react to the very legitimate concerns about the cybersecurity and the national security of this country and of our allies.

Mr. Speaker, as the member for Portneuf—Jacques-Cartier, I am pleased to rise today to speak to Bill C-26. I want to say hello to all of the families who are taking advantage of March break to do fun activities in the beautiful riding of Portneuf—Jacques-Cartier.

As I was saying, Bill C‑26 seeks to add the promotion of the security of the Canadian telecommunications system. It also seeks to provide a framework for the protection of the cyber systems that are vital to national security or public safety and create frameworks for the exchange of information.

It goes without saying that these issues are very important to the official opposition, of which I am very proud to be a member. It is no secret that my Conservative Party of Canada colleagues and I are, and always have been, great defenders of public safety. It is part of our DNA.

Industry and experts have asked the government many times to create cybersecurity standards, but it is important to act intelligently.

There is a lot of instability in our modern world, and threats can come from anywhere. Cyber-threats are nothing new. This is not a recent thing. It is clear that this weapon is used as much by foreign governments, which have their own motives, as by individuals or groups seeking to do harm or make money, for God knows what motives. It happens everywhere, on both small and very large scales.

Here are a few examples that illustrate this reality: data stolen from institutions or companies and held for ransom; the leak of personal information that affected millions of Desjardins members or customers in Quebec; and possible election interference from Beijing.

No, we are not going to question the outcome of previous elections here. We do not believe that interference changed the overall outcome of those elections. However, electoral integrity is the foundation of our democracy, and it must be ensured and maintained. As a Canadian, I have the privilege of going abroad, and people recognize that we are concerned about protecting our democracy. We need to put measures in place to continue that.

The fact remains that, over the past eight years, the government has been slow to crack down on cyber-threats. This is yet another example of a foot-dragging government finally coming up with a bill, but it turns out that bill has flaws that call for more thorough study in committee.

I know for a fact that this issue is really important to Canadians. We will do the work to make sure this bill is the one Canadians need and deserve. Yes, people want to be safe. Actually, since I was elected in 2015, my constituents have regularly told me they are increasingly concerned about this issue, especially over the past year.

What it comes down to is that confidence in the government and its ability to provide what people need and to keep its promises is essential. It is hard to have confidence in a government that keeps messing up pretty much everything.

I could go on and on about Bill C-13 as an example of a government that makes promises but does not deliver. The government recognizes the decline of French across the country, even in Quebec, but it is trying to impose a bill that does little to address that decline. I know that that is not the subject today, but everyone knows how much I care about official languages, and I had to pass on the message.

I would like to conclude by sharing a very real situation that occurred in my riding. One of my constituents wrote to me about a serious handling error made by Passport Canada.

I would like to inform the House that this is the first time this situation has been discussed publicly. He sent me a letter, and I would like to read it.

Dear Sir/Madam:

I am taking the time to write you a brief note to let you know about what I would describe as a “serious” security flaw within Passport Canada pertaining to the confidential information of Canadian citizens.

It is very important in terms of a timeline.

In early January, 2023, I applied for passports for my three children at Passport Canada.

On February 1, 2023, I received three envelopes containing our passport applications, which were rejected because we forgot to tick a box.

Inside the envelope I also received the rejected application of a woman from British Columbia. I therefore had in my possession her full identification, her passport and her credit card information. I returned those very sensitive documents by express post with a tracking number to Passport Canada.

I filed a complaint out of principle thinking that, although it was just a mistake, it was still worth reporting through Passport Canada's website, so I followed the official procedure. I got a call back. Passport Canada apologized. Nothing more. They refused to compensate me for the cost of returning the documents belonging to the woman from British Columbia. I was told, however, that our applications would be prioritized.

On February 15, 2023, I received four envelopes. I was quite pleased, as I thought we'd finally received our children's passports, but we have three children, not four. As it turns out, our children's passports weren't inside those envelopes. Instead, there were the passport applications (including full identification, passport, original birth certificates, complete credit card data, etc.) of four people from across Canada. These are four different people who have no connection to one another.

What is not stated in the letter is that these people were from Sherbrooke, Ontario, Manitoba and Alberta. That is incredible.

A few days later, we finally received our three children's passports.

As it is obvious, I don't feel I need to explain in my letter the seriousness of receiving the full identification of these people and information that could be used to carry out fraudulent financial transactions by total strangers.

We can't fathom that such mistakes would be made by a recognized federal organization such as Passport Canada, which manages the personal and financial information of so many Canadians. We can't believe that these are two isolated incidents.

This is a very simple task that requires putting the right documents in the right envelope. That's it.

I no longer trust Passport Canada's administration at all. That is why I am entrusting you with the identity documents, which don't belong to us.

I no longer trust Passport Canada's “internal” complaint process, as it will certainly try to cover up this failure, and will only offer an apology.

I am most pleased to read the following excerpt from the letter:

We trust our MP.

I'm always available to answer any questions.

Yes, cybersecurity matters, but the government also needs to take responsibility for the existing systems. It cannot even handle paper documents, but now it wants to allow a minister to step in and be able to manipulate and control information. I am concerned.

I have shown that we have a problem in Canada. We recognize that. We have a problem when it comes to cybersecurity, but we have a problem on other levels too. I would like to see this government take responsibility.

Like my constituent who gave me the documents mentioned, I had to ask myself, what do I do with these documents now? Do I return them to Passport Canada, or do I give them to the minister responsible here? That is a very important question.

Let us get back to the subject at hand, Bill C-26. I am very interested in having measures in place to protect us. It is important that we have confidence in our systems. As a member of the Conservative Party of Canada, I have a lot of confidence in the Conservative members who sit on the committee, as well as members of the Bloc Québécois, the NDP and even the Liberal Party. Things are normally supposed to be neutral in committee.

I must say that I believe in the future. Having said that, we need to put measures in place to have concrete results. Let us work in committee.

Mr. Speaker, I listened closely to the speech by my colleague from Portneuf—Jacques-Cartier. The first thing he mentioned is that the Conservative Party of Canada was a great defender of cybersecurity. I want to remind him of the following.

First, the member for Portneuf—Jacques-Cartier supported Jean Charest as a candidate in the Conservative leadership race. Jean Charest worked with the company that was complicit in China's interference. So much for credibility and being a great defender.

Second, a quick Google search shows that the CPC App that the Conservative Party of Canada used during the 2019 election is a version of the uCampaign app, which is used in the United States and requires access to contacts and geolocation, things that relate to privacy. Cybersecurity researchers were actually advising against using that app.

When it comes to credibility and being great defenders, are the people in the Conservative Party of Canada really people we can trust?

Mr. Speaker, I just want to point out that people in the Conservative Party of Canada lined up for a chance to become the leader of a national party, whereas the Bloc Québécois has to pick from a grab bag that does not have much in it and has trouble finding a real leader. I think the Bloc members need to ask themselves some questions when it comes to the availability of leaders.

Now, to answer my colleague, there was nothing illegal being done on our side. However, if I turn and look over at the government side, there is a long list of illegal activities that occurred there. I would encourage my colleague to direct his questions to the right party, because we, on this side, obeyed the law.

Mr. Speaker, I could not help but notice an answer that the member just gave to the member from the Bloc on leadership and picking a leader to be the next prime minister. I wonder if he could explain how that has worked out for him since 2015.

Mr. Speaker, I salute my colleague from Avalon. It is true I do not have a good batting average. In three leadership races, I have never backed the right horse. However, I am very happy being a member of the Conservative Party of Canada, and it is where I belong. That is part of democracy.

We are straying from the topic. I invite my colleague to ask me a more specific question about Bill C-26, if he has one.

Mr. Speaker, since the member told us that there has always been a long list of Conservative leadership hopefuls, I would just like to quote his own words.

He said, “I will resign, or join another party in the House of Commons, or sit as an independent, or help form another party.”

This was in reference to the winner of the recent Conservative Party leadership race. The options did not include remaining a Conservative, which is what he ended up doing.

Mr. Speaker, one thing my colleague from Saint‑Hyacinthe—Bagot did not mention is that, when there is a change in leadership, it makes perfect sense to reflect on one's political future.

I invite the Bloc Québécois members to reflect on that when they choose a new leader, as they too have done regularly in the past.

The thing is that, when we think about it, there are options. One very important option is the status quo. We may have to check the record to see what my colleague said. I have a very clear recollection of what I said: status quo, reflection, departure, new party.

I am very happy. I feel very comfortable in the Conservative Party of Canada, and it is the only party I can work with to defend Canadians' interests.

Mr. Speaker, that was a great speech from my colleague. I think we would like to see him go on and on, because he has done such a great job.

It has been interesting to be here in the House today, as we listen to the different members from parties talk about the legislation and how important it is. I think there is recognition from all parties within this House that the bill will go to committee and that the committee will have some serious work in front of it, to take a bill that is kind of so-so and put some teeth into it, and make it into something that will work for all Canadians.

I am going to focus mainly on the critical infrastructure part of the legislation. It is so important that we get this right and make sure we have our critical infrastructure protected going forward and make sure we have the tools to keep it protected.

There is a war going on in Europe right now, in Ukraine. We saw that when Putin attacked Ukraine, one of the first things he did was attack certain facilities through cyber-attacks. Ukraine did not have proper protections in place and did not have the tools in place. All of a sudden Putin was able to turn the power off and do things to destabilize local governments. This allowed him to take advantage of the scenario, to move in, take advantage of the territories and conquer those territories. That is just one example of many around the world where cyber-attacks have been used ahead of brutal land attacks. We can see this being used in other ways to influence Canadian politics, or politics around the world, just by how they go about conducting that type of cyber-attack.

It would be really interesting, but it would not be interesting, as I do not ever want to see it, where all of a sudden the natural gas pipelines shut down in the middle of 40-below weather in Saskatchewan. That would be a huge hit to people in Saskatchewan. That would be a hit to our economy. It would be very serious to our seniors and people living without any other means of heating. All of a sudden we could have a cyber-attack, and the gas line would be off, and furnaces would not be working for 12 hours, 18 hours or 24 hours. Our houses would freeze up and our water pipes would break. These are the types of things that could happen with a cyber-attack.

What if our power grid were under attack? What would that mean to Ontario and Toronto, for getting people to and from work? What would it mean to our electric cars, if all of a sudden we did not have any ability to charge them or get them from A to B? What would that mean for people in hospitals, where the hospitals would need a generator to run the emergency services? If someone was getting surgery or was in an accident, they might not get the medical treatment that is required.

These are reasons we need to make sure we are doing everything we can to protect ourselves from cyber-attacks. These are some very simple reasons.

The committee is going to have some very interesting things to do to deal with the legislation. I think that is a good thing. I think we have identified here today some of the flaws in the piece of legislation: some of the oversight flaws, some of the flaws in regard to the sharing of information and why they are important to be addressed as we go forward.

We can look at, for example, the sharing of information. I was at the University of New Brunswick in 2017, and they said one of the issues they had with cybersecurity attacks was that somebody might be attacked, but might not share the information on what the attack was and how it happened for fear of liability. For example, in such a situation, if a hospital was attacked, it may not necessarily want to share that information with anybody else for fear of liability, if all of a sudden the records of patients had been confiscated by somebody part of the attack.

In the legislation before us, if we get it right, they should be able to share that information. They should be able to share it with a variety of different critical infrastructure facilities to make sure they put the appropriate patches into their software so that same person who attacked that hospital cannot attack another hospital, attack the electrical grid or use malware, or whatever means they used to attack that hospital, and so it does not happen anywhere else.

That would be a good thing. We have to make sure the legislation can reflect that and allow that information to flow between different parties, so we can keep protecting ourselves in a fluid situation. I think that is something we will see in the legislation, if it is done properly.

We know oversight is very important. Canadians have to trust that the oversight bodies and the people who are putting in these regulations and monitoring these regulations have accountability and that they are accountable back to Parliament. It cannot be just to the minister. We have seen situations in the past with the current government where accountability goes to the minister, and Parliament never really finds out what actually went on and what goes on, and Canadians are in the dark.

We can look at SNC-Lavalin. There is a classic example where we did not see all the details of what was going on in a situation. We can look at what was announced today, how the government is going to leave the investigation into Chinese election interference to NSICOP. That is something the Chinese would do. They would create a committee and say they were going to investigate themselves in their own committee and then make sure it is never public. That sounds rather Chinese to me, but that is happening here in Canada, and Canadians do not accept that. That is why it is very important that there be public oversight and that there be the ability to make sure these bodies and the government are acting in a fair and responsible way.

Some of the civil liberties groups have said that there are some serious concerns with this legislation. They should be brought in front of the committee and listened to, and then the committee should try to figure out how to address those concerns, to make a better piece of legislation.

We have seen the Liberal government react and react and react, in so many situations. To me, this looks like another example where it is reacting. It is basically just doing lip service and then it will throw it to the committee to do the work. This should have been done a long time ago. For eight years, we have been vulnerable. What could have happened in those eight years could have been life-changing for a lot of Canadians, because of the lack of forethought or good policy out of the Liberal government.

If we think about it, it is a talking point that the Liberals have done here. They have put some stuff together and thrown it into the House to say they are working on cybersecurity, but it is half done. The committee is now going to have to do the rest of the job, to actually finish it and hopefully get a good piece of legislation.

That is in question, because we do have a Liberal-NDP government here. They tend to side with each other all the time. Will they side together here, or will they actually take a step back and say, yes, we have to do what is right for Canadians and address the issues that have been raised by different associations and different groups? Are they going to look at what they can do to make this a better piece of legislation, or are they going to stick to their partisan angles and dig in their heels? If they do that, the people who really lose out are Canadians. They are the people who will be impacted by a cyber-attack, because we did not put the proper safeguards in place.

We should not think that this will not have an impact on our economy. A good example we have just seen is the cyber-attack on Indigo last week. Its computer systems are down as we speak. It is telling customers they cannot buy books online. They actually have to go to a storefront to buy their books because of a cyber-attack, a ransomware attack.

We have seen, over and over again, different schools and universities facing these types of attacks. They need to know that the government is there and is going to be there to help them. They need to know that the people who are doing these attacks will be identified and somehow dealt with, if possible. We understand that a lot of these attacks happen from Russia or North Korea, outside of our territory, but when they happen from within Canada, we want to make sure that the people who are doing these types of things are properly dealt with. We want to make sure that this does not happen again. We want to make sure we learn from the experience so it cannot happen again.

There are lots of things in this legislation that can be really good if it is dealt with properly, but it has to go to committee. I think Conservatives have been very clear. We want to see this go to committee. I just hope the committee members are able to actually do the work that is required to take a piece of legislation that is mediocre at best and make it into something that will work for all Canadians.

Mr. Speaker, it is always an honour to rise in this House on behalf of the people of my riding of Moose Jaw—Lake Centre—Lanigan.

The safety and security of our nation is of paramount importance, and I understand the need to enhance the safety and security of Canadians, both here at home and abroad. This would include many of our international corporations, which are large contributors to our economic base, and of course our own government institutions and interests. Having the opportunity to speak to cybersecurity in Canada gives us an opportunity to enhance or increase our country's ability to protect us from cyber-threats.

A significant concern for all Canadians is security. This concern has increased in recent times, as we see the rise in organized crime and gang-related offences, which have gone up 92%. The question I ask myself when I see this increase is this: Will the Liberal government be led by evidence and act on the evidence that has been reported?

Cybersecurity is extremely important for our nation to protect itself from inside and outside threats. I welcome Bill C-26, but I do have some concerns pertaining to the success of the bill, and one concern is about accountability. This is a question that we in opposition bring up every day in this House and regularly.

Bill C-26 is essentially divided into two different parts. The first part is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system, adding security as a policy objective; to bring the telecommunications sector in line with other infrastructure sectors; and to secure Canada's telecommunications system and prohibit the use of products and services provided by specific telecommunications service providers. This amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure and would remove or terminate 4G equipment by the year 2027. What stands out to me, which has been a concern, is the time that it took the government to react to enforce the ban on Huawei.

The second portion of this bill is to enact the critical cyber systems protection act, or CCSPA, designed to protect critical cyber systems and “systems that are vital to national security or public safety and that are delivered or operated...within the legislative authority of Parliament.” As a report by Norton Rose Fulbright notes, the purpose of the CCSPA is, first, to “[e]nsure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third-party products and services”; second, to “[p]rotect critical cyber systems from being compromised”; third, to “[e]nsure the proper detection of cybersecurity incidents”; and finally, to “[m]inimize the impacts of any cybersecurity incidents on critical cyber systems.”

The impacts of this bill would be far-reaching, and here are the things that need to be considered when this bill is in place. The government would have the power to receive, review, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada; to make mandatory cybersecurity programs for critical industries; and to enforce regulations through regulatory and legal enforcement, with potential financial penalties. With this in place, the Governor in Council and the Minister of Industry would be afforded additional powers.

As the report notes:

If any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks. While the Act doesn’t give any indication of what kind of steps will be required from operators, such steps may be prescribed by the regulations [at committee].

It goes on:

The Act also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems touching upon these vital services and systems. No indication is given as to what would constitute interference under the Act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the Act does not prescribe any timeline or give other indication as to how “immediately” should be interpreted.

Some deficiencies in Bill C-26, as it is presently drafted, can be listed as follows:

The breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.

The secrecy and confidentiality provisions imposed on telecommunications providers threaten to establish a class of secret law and regulations.

There is a potential for excessive information sharing within the federal government and with international partners.

The costs associated with compliance with reforms may endanger the viability of smaller providers.

The vague drafting language means that the full contours of the legislation cannot be assessed.

There exists no recognition of privacy or other charter-protected rights as a counterbalance to the proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.

Should these recommendations or ones derived from them not be taken up, the government could be creating legislation that would require the public and telecommunications providers to simply trust that it knows what it is doing and that its actions are in the best interests of everyone.

Is it reaching the right decision to say that no need exists for broader public discussion concerning the kinds of protections that should be in place to protect the cybersecurity of Canada's telecommunications and networks? The government could amend its legislation to ensure its activities conform with Canada's democratic values and norms, as well as transparency and accountability.

If the government is truly focused on security for Canadians, should we not start by reviewing the gang and organized crime evidence showing that our present policies have failed? Should we not look at safety and security in our bail reform to protect innocent Canadians who become victims?

If Bill C-26 is a step in protecting Canada from cybersecurity threats, what is the review process to ensure compliance? What is the review process to ensure effectiveness and goals are met when we look at Bill C-75 regarding bail reform? The NDP-Liberal government is not interested in reviewing bail reform even though the evidence clearly shows that Bill C-75 failed.

Cybersecurity is important to our country's security, as are the victims of crime after their safety and security are violated. I am deeply concerned that the government is struggling with evidence-based information to review Bill C-26, as Bill C-75 and Bill C-5 are not supported by evidence. In fact, offenders and criminals are a higher priority than their victims are. My concern is if Bill C-26 requires amendment or review.

Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start.

In conclusion, I would like to see some clear accountability to ensure the objectives of this bill are met and that a proper review process is conducted that holds individuals, corporations, and most importantly, our government accountable.

Mr. Speaker, I really appreciate the debate and the questions my colleague posed.

I think most Canadians back home watching this are wondering what the technical nuances are of everything we are discussing with respect to this legislation. We have even had some members of Parliament stand up here and say that they do not feel properly equipped to have this conversation.

I think one thing that everybody back home can relate to is seeing something on the news stating that the credit card information of a million people has been stolen or the data of some businesses that might have their personal information is now being held hostage in a ransomware attack. That is why this is a very important debate. I will be speaking about this a bit later.

I think the bill is missing the component of protecting the personal information of Canadians. Can my colleague tell us his thoughts on the bill in this regard? My speech will focus on the advances in technology and network infrastructure, as well as the rapid pace of technological development. With this bill, would we actually be able to keep up with the threats we are facing?

Mr. Speaker, Canadians are very trusting people. We like to give. However, when we buy into something, such as an app, we are giving over some vital information that is ours. We have seen cases where people had that information abused, and there has been no full disclosure. This is one of the concerns I have with the bill.

There are concerns that we have already witnessed in this country in terms of different businesses; a colleague mentioned Indigo being attacked. My hope is that, during committee, we ensure that we are protected. We have a responsibility to Canadians to protect them.

Mr. Speaker, I am hearing some contradictions from my Conservative colleagues today. My colleagues in the Bloc have perhaps done a better job than me of explaining the importance of banning Huawei and the fact that Canada has been slow to do so. My Conservative colleague also mentioned it, but one of the Conservative leadership candidates actually worked for Huawei, so one wonders which way the Conservatives are leaning.

I met with an interdisciplinary cybersecurity research group and learned some fascinating things. Canada's bureaucracy is really slow when it comes to cybersecurity. The research chair at the Université de Sherbrooke criticized the fact that the cybersecurity issue was allowed to drag on under the pretext that it was not yet an election issue. Now it is finally becoming one. That is exactly what we are seeing right now with China's interference.

The Conservatives were not very quick either, because we are behind many other countries. The first RCMP report on cybercrime was not released until 2014, and the report was criticized at the time for containing no numbers, no statistics. The comments were general and predictable, and there were no forecasts. Things have not happened fast enough.

Here we are in 2023, and we really have a lot of ground to make up compared to many other countries, especially European countries. I think it is time to turn this over to the committee, make up for lost time, and pick up the pace on this bill.

Mr. Speaker, I agree with the member that when the bill is in committee, this issue has to be really focused on. Obviously, we want it to move swiftly but not at the expense of overlooking some of the potential pitfalls that will impact Canadians. I think we have to trust the committee to actually make good amendments on this.

Mr. Speaker, I would ask the member about the secrecy and lack of transparency. Does the member believe that the committee can solve this, or is this bill just too shallow for it to go forward?

Mr. Speaker, we always give loaded questions.

I would have to say that, obviously, when one is a member of Parliament, one's honour is on the line all the time. I would hope that our ability to restore honour in our profession always depends on our own moral compass. Sometimes we see that fail, and it is disappointing. However, I really hope this committee can get its act together and get this sorted out.

Mr. Speaker, there is a pressing need to secure Canada's critical infrastructure against cyber-threats.

Computer systems, which run our health care, energy and financial systems, are targets for criminals and foreign adversaries to attack. Disruption of medical services at a hospital or electricity through a grid would have severe consequences, possibly including injury or death.

This is exactly what happened on October 30, 2021, in my province of Newfoundland and Labrador. My hon. colleague across the way agrees with what I am saying because he, his family members or his friends, I am sure, had some of their personal information breached in that attack.

Personal information belonging to thousands of patients and employees was obtained through a cyber-attack on Eastern Health. In fact, over 200,000 files were taken from a network drive in Eastern Health's IT environment. Over 58,000 patients and almost 300 staff and former staff had their personal data breached.

The information taken included health records, medicare plan numbers, dates of birth, names and addresses. In fact, some even had their social insurance numbers taken. The immediate result was that a complete shutdown of the health care system took place throughout the entire province.

Patients who had waited through the pandemic found that critical care for such things as cancer and heart disease were put on hold. Many had to wait weeks or even months to have their appointments rescheduled. Some of these folks had poor outcomes. In fact, people's lives were shortened in some cases as a result of the cyber-induced shutdown of the health care system in Newfoundland and Labrador.

This is very serious stuff. This was not the first time such a cyber-attack happened in Canadian health care. In October of 2019, three hospitals in Ontario were victimized in a similar fashion.

On another note, a pipeline company in the United States fell victim to hackers in 2021. This led to diesel and jet fuel shortages, disrupting most of the economy of the eastern seaboard of our neighbour to the south.

These are just a few examples of catastrophic outcomes resulting from cyber-attacks in recent years. Canadians need protection from these types of attacks. This legislation is intended to align with the actions of our allies in the Five Eyes. This bill would give clear legislative authority to the government to prohibit high-risk entities, such as Huawei, from assuming critical roles in our cyber-infrastructure.

This legislation is filled with good intentions. Currently, a cybersecurity incident is defined as:

an incident, including an act, omission or circumstance, that interferes or may interfere with

(a) the continuity or security of a vital service or vital system; or

(b) the confidentiality, integrity or availability of the critical cyber system.

There is no indication given as to what would constitute interference under the bill. Does this mean that the cyber-attack on Newfoundland and Labrador health care would not be classified as interference?

In addition, there is no timeline specified in this bill for the reporting of cybersecurity incidents to the CSE and the appropriate regulator. The bill says that reporting must be immediate. “Immediate” is not interpreted in this bill. Is it one hour, one day or one week? This is something we need to know.

In terms of civil liberties and privacy, technical experts, academics and civil liberties groups have serious concerns about the size, scope and lack of oversight of the powers that the government would gain under the bill.

In late September 2022, the Canadian Civil Liberties Association, the International Civil Liberties Monitoring Group and the Privacy and Access Council of Canada, as well as several other groups and academics, released their joint letter of concern regarding Bill C-26.

While stating the collective's agreement with the goal of improving cybersecurity, the joint letter goes on to state that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.

The joint letter outlines several areas of concern, including increased surveillance. The bill would allow the federal government “to secretly order telecom providers to ‘do anything, or refrain from doing anything’” necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption.

While this portion of the bill goes on to list several examples of what “doing anything” might entail, including, for example, prohibiting telecom providers from using specific products or services from certain vendors or requiring certain providers to develop security plans, the collective expresses the concern that the power to order a telecom to do anything “opens the door to imposing surveillance obligations on private companies, and to other risks such as weakened encryption standards”.

Bill C-26 would allow the government to “bar a person or company from being able to receive specific services, and bar any company from offering these services to others, by secret government order”, which raises the risk of “companies or individuals being cut off from essential services without explanation”.

The bill would provide for a collection of data from designated operators, which could potentially allow the government “to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”

There is a lack of “guardrails to constrain abuse”. The bill would allow the government to act without first being required to perform “proportionality, privacy, or equity assessments” to hedge against abuse. This is concerning to the collective, given the severity of the penalties available under the statute.

There is the potential for abuse by the Communications Security Establishment, the federal agency responsible for cybersecurity but, more prominently, signal intelligence. The CCSPA would grant the CSE access to large volumes of sensitive data. However, it would not constrain its use of such data to its cybersecurity mandate.

The civil liberties of Canadians are already under attack. Bill C-26 does not accurately enough define how our civil liberties would be protected. Given the need for protection from cyber-attacks, a bill like this is quite necessary, no doubt.

In its current form, with so many unknowns for Canadians, I will not be able to support it. However, I do support sending it to committee for some input from Canadians and for some fine tuning, to turn it into an instrument to protect us all from cyber-attacks.

Mr. Speaker, it seems that the Conservative Party keeps pointing out the flaws or weaknesses in this bill as it is put forward. However, I wonder, if it goes to committee and gets amended, does the member think it would prevent the so-called robocall scam that happened a few years back, when the Conservative Party was found guilty of using it during an election?