House of Commons Hansard #164 of the 44th Parliament, 1st Session. (The original version is on Parliament's site.) The word of the day was cybersecurity.

Topics

The House resumed consideration of the motion that Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, be read the second time and referred to a committee.

Telecommunications ActGovernment Orders

3:40 p.m.

Conservative

Kyle Seeback Conservative Dufferin—Caledon, ON

Madam Speaker, it took eight long years for the Liberal government to recognize that cybersecurity threats exist in this country and around the world. Congratulations to them for coming to the party a little late.

The Liberals have now presented a bill to try to address issues of cybersecurity in the country. As I said, it took them eight years to get there, but I have to say I am pleased that the Liberals have decided to finally do something. I look forward to this bill being passed so that it can be extensively studied at committee.

There are some things in this bill that are good. I know praising the Liberal government is strange territory for me, but I will say that the bill would give the government some tools to respond quickly to cyber-threats. There is currently no explicit legislative authority in the Telecommunications Act to ensure that telecom providers are suitably prepared for cyber-attacks. This is a good reason why this bill should probably move forward to committee to be studied.

The challenge I have, though, includes a whole number of things. My issue with the government is trust. While I do want this legislation to go to committee, I have extraordinary concerns about this bill. Many of these concerns have been raised by many groups across the country, and I do want to speak to some of those in the probably somewhat whimsical hope that the government will listen and take some of these amendments seriously.

There has been a very bad track record of the government responding to concerns from the opposition or from outside organizations with respect to legislation. There is a view that the Liberals are going to do what they want to do on pieces of legislation and that they really do not care what other people have to say. I am very concerned that the government is not going to listen to the very serious concerns that have been raised about this bill.

I have my own concerns when I look at how the government has behaved with respect to other pieces of legislation. We have to look at Bill C-11. There has been a multitude of organizations that have said the bill needs further amendment. Margaret Atwood has said that she has grave concerns about the legislation, that she supports the intent but has grave concerns about the implementation and how it is going to affect artists and content creators. We have had folks who compete in the YouTube sphere who have raised all kinds of concerns about Bill C-11, and the government's response has been that it does not care what they have to say, and that it is going forward with the legislation as it is.

The Senate has made a number of amendments to Bill C-11. I suspect the government's attitude is going to be the same, which is that it does not care what the amendments are and that it is going to proceed with the bill as it sees fit.

We also have only to look to Bill C-21 as well. We had the minister clearly not aware of what constituted a hunting rifle and a hunting gun. The Liberals introduced amendments at committee, and it took extraordinary push-back from Canadians from coast to coast to coast to get them to wake up and withdraw those amendments that they had put in at the last minute.

What it speaks to is that, despite having at its disposal the entire apparatus of the Canadian government, the Liberals are still unable to get legislation right. It takes an enormous amount of effort and hue and cry across the country saying that this has to stop and that this has to be changed. If there is not a massive uprising, the government tends not to listen to the legitimate concerns of other constituents or other groups when it introduces legislation.

With that context, it is why I have real concerns that the government is not going to listen to some of the serious concerns that have been raised with respect to Bill C-26. I am going to go through some of those.

The Canadian Civil Liberties Association has some very serious concerns. It has issued a joint letter that says that the bill is deeply problematic and needs fixing, because it risks undermining our privacy rights and the principles of accountable governance and judicial due process. This is a big bell that is going off, and I hope the government is listening. As I have said, I do not have a lot of faith, given other pieces of legislation where thoughtful amendments have been put forward and the government decided not to do anything with them.

I want to enumerate a few of the concerns from the Canadian Civil Liberties Association. On increased surveillance, it says that the bill would allow the federal government “to secretly order telecom providers” to “do anything or refrain from doing anything necessary...to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption”.

That is a pretty broad power. Where is the government putting the guardrails in that would limit the effects of this or protect the privacy rights of Canadians? That is something I think is incredibly concerning.

On the termination of essential services, Bill C-26 would allow the government to bar a person or a company from being able to receive specific services and bar any company from offering these services to others by secret government order.

Where are we going to have the checks and safety checks on this? Unfortunately, I am not in a position where I think I can trust the government to do the right thing on these things. We have seen it through vaccine mandates, in the legislation on Bill C-21 and in how the Liberals are trying to push through Bill C-11 without listening to reasoned amendments. If reasonable concerns are raised about Bill C-26, I just do not have faith the Liberals are going to take those concerns seriously and make the amendments that are necessary. I really hope they do.

On undermining privacy, the bill would provide for the collection of data from designated operators, which would potentially allow the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations. When someone takes the de-identified personal information of Canadians and does not say how they are going to deal with it or what protections they have in place to make sure it is not misused, what happens in the event that they take that information and somehow there is a government breach? Where does that information go? These are things I think we should be extraordinarily concerned about.

There was also an analysis provided with respect to this by Christopher Parsons, in a report subtitled “A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act”. Parsons raises concerns about vague language. The report notes that key terms in the bill, such as “interference”, “manipulation” and “disruption”, which trigger the government's ability to make orders binding on telecom service providers, are unidentified.

Where are the guardrails in the legislation to prevent government overreach and therefore protect Canadians? This is something that I think all Canadians should be watching and be very concerned about. They should be letting their voices be heard by the government on this.

The report talks about how the minister of industry's scope of power to make orders is also undefined. We would be giving a whole host of undefined powers to the minister and the government that would allow them to have all kinds of sensitive information. These are things that may be necessary, but I do not know. They are highly concerning to me. They should be highly concerning to Canadians, and I hope the government will hear from real experts at committee.

Let us not have a two-day committee study where we think Bill C-26 is perfect as it is and bring it back to the House of Commons, bring in time allocation or closure and pass it through. We have seen that story before, and we do not want to see it with the piece of legislation before us. My really big hope is that the government is going to take the time to really consider the seriousness and breadth of Bill C-26 and make sure we have the ways to protect Canadians.

I just want to add that the Business Council of Canada has released its own letter to the Minister of Public Safety, expressing its incredibly deep concerns with respect to the bill: there is a lack of a risk-based approach, information sharing is one-way and the legal threshold for issuing directions is too low.

There are three reports, right there, that are outlining significant concerns with Bill C-26, and I, for one, just do not believe the government is going to listen or get it right. It does not have the track record of doing so, but I am hoping it will, because cybersecurity is incredibly serious as we move toward a digital economy in so many ways. I really hope the government is going to listen to these things, take them seriously, do the hard work at committee and bring forward whatever amendments need to be brought forward, or, if the amendments are brought forward by the opposition, listen to and implement those amendments.

Telecommunications ActGovernment Orders

3:50 p.m.

NDP

Bonita Zarrillo NDP Port Moody—Coquitlam, BC

Madam Speaker, the NDP sees the growing threat of cybersecurity, and we also see that Canada is far behind. However, we have concerns about transparency, and I know that the NDP member for Cowichan—Malahat—Langford has been instrumental in strengthening and making bills that the Liberals have brought to the floor more appropriate, so I have more than enough confidence that the NDP will ensure Canadians get the transparency and protection they believe in.

My question for the member is whether he could speak to the point that the government legislation before us would allow for a complete exemption from the Statutory Instruments Act. That would mean such orders could not be reviewed by Parliament through the scrutiny of the regulations committee. I wonder if I could get some comments on that.

Telecommunications ActGovernment Orders

3:50 p.m.

Conservative

Kyle Seeback Conservative Dufferin—Caledon, ON

Madam Speaker, I would just add that to the list of things I am concerned about with this particular piece of legislation. I am glad and encouraged that the member has stated that New Democrats are going to try to strengthen this piece of legislation. I hope they do that. They talk about wanting transparency and I hope they are going to work really hard for transparency on this.

Conservatives would love to see transparency at a different committee, where we are trying to get someone to come and testify. Maybe the New Democrats can bring their love for transparency to that other committee and we can have PMO officials testify there.

Telecommunications ActGovernment Orders

3:55 p.m.

Conservative

Randy Hoback Conservative Prince Albert, SK

Madam Speaker, one of the things I have heard in talking to universities and different groups is that one of the faults of this piece of legislation is that they have to share this information with the government when they have been attacked, but it is a one-way street. When they see an attack happen, they share it with the government, but there is no information given to other businesses to help them protect against attacks similar to that in nature.

Could the member talk about why it is important and what it means to companies when they are attacked and how it can hurt not only their bottom line? Indigo, for instance, would be a good example of what happens when there is a cybersecurity attack.

Telecommunications ActGovernment Orders

3:55 p.m.

Conservative

Kyle Seeback Conservative Dufferin—Caledon, ON

Madam Speaker, everyone here knows how serious cyber-attacks are. I often get a notification from Google that says it believes one of my passwords was exposed in a hack of some other organization and that I should take steps to make sure the password is not used in any other applications. We know that the threat of cyber-attacks exists and we know the damage caused.

What I go back to is that we know we need to do something, and I am glad that the government is doing it. It has taken it eight years, but it is finally here trying to deal with this issue. What it has to do is make sure that every voice on this is heard, whether it is industry saying it needs some information back, or whether it is others saying the threshold for some of these things is too low or asking what guardrails are put in place on some of the things.

The government has a lot of work to do and I hope it is willing to do it at committee.

Telecommunications ActGovernment Orders

3:55 p.m.

NDP

Don Davies NDP Vancouver Kingsway, BC

Madam Speaker, I think everybody in the House agrees that we need to up our game in this country to protect Canadians and our society from cyber-attacks.

My specific question has to do with certain specific vulnerable groups. I am thinking of young people, particularly teenagers between the ages, say, of 13 and 19. Even more particularly I am thinking of young girls and women who may be subject to all sorts of cyber-bullying and other offences, as well as seniors who can be victims of cyber-fraud.

I am wondering if my hon. colleague has any thoughts as to how Bill C-26 might impact those particularly vulnerable groups and what suggestions he may have legislatively to help protect them.

Telecommunications ActGovernment Orders

3:55 p.m.

Conservative

Kyle Seeback Conservative Dufferin—Caledon, ON

Madam Speaker, that is a pretty tough question to answer in about two minutes.

As the father of a 16-year-old daughter, I am constantly worried about what is going on in the cybersphere for her, whether or not there is an instance of bullying going on. There have certainly been episodes of bullying in her real life. I know that at one point she was eating her lunch in the bathroom because she was being bullied by some folks. Online harassment and bullying are serious problems. I do not know enough about this particular piece of legislation to know if it would actually deal with that, but if not, I really hope that it would.

We have a lot of work do for seniors who are vulnerable to these things. This is something the government has to take on. Whether or not it is just waking up to it now as part of this bill, we need to educate seniors. I host events like this with seniors, where we let them know about the threats of cybersecurity and other things. The government needs to pick up the ball on that a little more as well.

Telecommunications ActGovernment Orders

3:55 p.m.

Conservative

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Madam Speaker, I am proud to rise in the House today to speak to this important legislation on behalf of the good people of Barrie—Springwater—Oro-Medonte. I am pleased to see Bill C-26 come forward in the House. Improving the resiliency of our critical infrastructure is of the utmost importance to our national security and the everyday safety of Canadians.

This legislation consists of two separate parts. The first portion, among other things, would give the Governor in Council powers to order telecommunications providers to secure their systems against threats and to remove malicious actors from our telecommunications infrastructure. The second portion would create the critical cyber systems protection act, which would establish a cybersecurity compliance framework for federally regulated critical infrastructure operators. This would specifically regulate the sectors of finance, telecommunications, energy and transportation.

I believe that in principle, this legislation appears promising. I think we can all agree that we need a robust cybersecurity framework in Canada. However, it is worth noting that under the current government, we have done the least to bolster our resilience to cyber-attacks compared to all other Five Eyes partners. We lag behind our western allies in national security, and as such, Canada has failed to secure our critical infrastructure against complex and ever-evolving cyber-threats in the modern world. Therefore, before I get into the specific merits and deficiencies of this legislation, I want to speak about the emerging threats to our critical infrastructure and the pressing need to protect our national security.

Threats to our critical infrastructure are real and imminent. In fact, Caroline Xavier, chief of the Communications Security Establishment, or CSE, recently testified before the public safety and national security committee and stated, “cybercrime is the most prevalent and most pervasive threat to Canadians and Canadian businesses.” She also noted, “Critical infrastructure operators and large enterprises are some of the most lucrative targets.”

While there are several forms of cyber-attacks that our critical infrastructure operators are vulnerable to, the Canadian Centre for Cyber Security has noted in its most recent annual national cyber-threat assessment that ransomware is the most disruptive form of cybercrime facing Canadians and that critical infrastructure operators are more likely to pay ransoms to cybercriminals to avoid disruption. For example, in 2018, cybercriminals deployed a malicious software and successfully held the city hall of a municipal government in Ontario hostage, which resulted in that government paying $35,000 to the hackers to avoid disruption. However, this is not always an effective strategy. A survey of Canadian businesses found that only 42% of organizations that paid ransoms to cybercriminals had their data completely restored.

In 2021, the CSE stated that it was informed of 304 ransomware incidents against Canadian victims, with over half of them in critical infrastructure. However, it acknowledged that cyber-incidents are significantly under-reported, and the true number of victims is much higher.

The enormous economic toll that these cyber-breaches have on Canadian companies is worth noting. According to IBM, in 2022, the average cost of a data breach, which includes but is not limited to ransomware, to Canadian firms was $7 million. There is currently no framework to ensure that companies report when they are victims of these attacks. I will acknowledge that the legislation before us takes steps to address this pervasive issue that Canadians are facing; however, it is certainly an overdue effort.

We saw the damage a cyber-attack of this magnitude can cause in May 2021, when a U.S. energy company was subject to a ransomware attack carried out by a Russian-based criminal group that successfully extorted roughly $4.3 million in coin-based currency. As members may remember, this attack disrupted the largest fuel line in the U.S. for five days and led to President Biden calling a national state of emergency. In 2021, at the U.S. Senate committee on homeland security, the CEO of that company testified that he had no emergency preparedness plan in place that specifically mentioned “ransom or action to ransom”. This incident underscores the fact that we as a country must enhance preparedness and improve the resiliency of our critical infrastructure in order to avoid similar incidents.

Therefore, I am pleased to see this proposed legislation come forward. However, it is worth noting that this is the first substantive legislative response to this issue during the government’s tenure, despite a steady increase in cyber-threats over the years.

The entirety of our federally regulated critical infrastructure is connected to the Internet in some way, and it is extremely important to prevent malicious actors from setting up on our infrastructure and attacking it. Previously, there has been no mechanism for the government to formally remove a company from our telecommunications networks.

The clearest example of the need for this mechanism would be the controversy surrounding Huawei, a company that was part of the design of our 5G networks despite glaring national security concerns related to its activities and relationship to the Communist Party in Beijing. It is a significant move that this company will be kicked off our servers, but it is a delayed one. We know that under China's national intelligence law, the CCP has the authority to instruct any company to hand over information to support, assist and co-operate with state intelligence work. Accordingly, we ought to be cautious and avoid contracting with companies that could potentially compromise the security of our critical infrastructure.

It is certainly positive that Canada will be able to kick malicious actors such as Huawei off our networks. However, many have noted that we lessened our credibility among the Five Eyes nations due to our delayed response to this issue. Indeed, the United States lobbied Canada for years to exclude Huawei from our 5G mobile networks and warned that it would reconsider intelligence sharing with any countries that use Huawei equipment.

In some respects, this legislation is a positive step toward establishing a baseline standard of care for organizations whose functions are integral to our critical infrastructure. As I have previously mentioned, incidents of cyber-attacks often go unreported or under-reported. This legislation's mandatory reporting mechanism, which specifies that a designated operator must immediately report an incident to the CSE and the appropriate regulator, is a welcome step toward addressing this issue. However, the act does not prescribe any timeline or give any other information as to how “immediately” should be interpreted by an operator.

As I have just laid out, there are aspects of this legislation that my Conservative colleagues and I fully support. However, I have concerns with several elements of the bill.

First and foremost, there is a complete lack of oversight over the sweeping new powers afforded to the cabinet ministers, regulators and government agencies mentioned in this legislation. Alongside a lack of oversight, there is little information on the breadth of what the government might order a telecommunications operator to do.

It is evident that this bill draws on much of Australia's legislative model, which was first introduced in 2018 and eventually amended. However, we did not follow suit in terms of the oversight measures Australia included in its critical infrastructure protection act. Notably, Australia introduced political accountability mechanisms alongside its legislation, including a requirement for regular reporting, an independent review and the production of a written report. The Conservatives would like to see annual reporting from the minister on what actions have been taken and a public disclosure of the orders that the government is making under these newly afforded powers.

In terms of concerns from the public, we have heard from a number of organizations that are concerned that elements of this legislation undermine the privacy rights of Canadians. In September of last year, several privacy rights organizations signed an open letter to the Minister of Public Safety, which laid out their concerns with Bill C-26. For example, they were concerned about the sweeping new powers this legislation would give to the government over access to the personal data of Canadians and the data of companies. They noted that Bill C-26 “may enable the government to obtain identifiable and de-identified personal information and subsequently distribute it to domestic, and perhaps foreign, organizations.”

I think we can all agree that while enacting measures to improve the resilience of our critical infrastructure is of the utmost importance, civil liberties and privacy must be fully respected when drafting those measures. On the other hand, we have heard from stakeholders who are concerned about the regulatory burden this legislation may have on businesses, especially small and medium enterprises.

Many stakeholders have noted that the high costs and business impacts of a cyber-incident already incentivize companies to ensure rigorous cybersecurity protocols. Recent statistics released by Statistics Canada found that in 2021, Canadian businesses spent over $10 billion on cybersecurity, a 41% increase compared to 2019. Many stakeholders have noted that the proposed penalties related to this act, which reach up to $15 million and five years of jail time, are touted as being intended to promote compliance rather than to punish. However, I think we can all agree that a $15-million fine would indeed be unduly punitive on a small business that may be subject to this act. Therefore, we must ensure that fines and compliance costs are distributed evenly so as not to stifle competition and endanger the viability of small and medium enterprises in our critical infrastructure sectors.

Finally, we face a problem related to definitions and the scope of this bill. Various terms are not defined, including what constitutes a cyber-incident, and it is not immediately clear how the government will determine who is subject to this legislation. I look forward to receiving an explanation from the government to demystify some of the vague language found within it.

To conclude, a threat to our critical infrastructure is a threat to our national security. I think all parties agree that the government must take strong and immediate action against cyber-attacks. We support this bill in principle, but we believe that it needs to be amended significantly to ensure greater transparency and accountability from the government and future governments. I look forward to studying and amending this bill at the public safety committee with my colleagues across all parties.

Telecommunications ActGovernment Orders

4:05 p.m.

NDP

Don Davies NDP Vancouver Kingsway, BC

Madam Speaker, like my colleague, I think we are broadly supportive of the aims and principles of this bill but have some significant concerns about many of the details. This includes that the bill would open the door to new surveillance obligations; would allow the termination of essential services, perhaps without due process; may undermine privacy; lacks guardrails to constrain abuse; and has some relatively disturbing secrecy provisions that would obviate the minister from having to be accountable to Parliament by publishing the measures he takes.

Among the many concerns expressed about the bill, which ones does the member find the most troubling that he would like addressed at the committee stage?

Telecommunications ActGovernment Orders

4:10 p.m.

Conservative

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Madam Speaker, all of those are legitimate concerns that we will be addressing at the public safety committee if and when this bill gets there. I do not know if I can rank them today, because I think they are all significant. Everybody has different issues that come to mind based on what is most important to them. Obviously, privacy is one of the most important things to people.

What I mentioned in my speech was the ability for companies to still manage themselves once these fines have been imposed. We do not want to put out of business the small and medium-sized companies that have already had cyber-attacks, and then give a fine on top of that.

There are many things we need to address in committee. I am looking forward to studying the bill with my colleagues from all sides when it gets there.

Telecommunications ActGovernment Orders

4:10 p.m.

Bloc

Simon-Pierre Savard-Tremblay Bloc Saint-Hyacinthe—Bagot, QC

Madam Speaker, there has been a lot of talk about TikTok and the fact that it could be used as a tool for interference. In fact, I closed my account at that time and, like everyone else, removed the app from my device.

What does my colleague think about apps like WeChat, which are known to be spying platforms? What does he think about the fact that a G7 parliament, like Canada's, has been using Zoom for years, a Chinese app that once interrupted a live meeting of Chinese dissidents? It is disturbing, to say the least.

Telecommunications ActGovernment Orders

4:10 p.m.

Conservative

Doug Shipley Conservative Barrie—Springwater—Oro-Medonte, ON

Madam Speaker, to be quite candid, I have two teenage boys who are always kidding that I am a bit of a dinosaur when it comes to different social media platforms. I have never had TikTok. I do not know much about it, but I understand there have been a lot of issues with it. I think with all of our social media platforms, we need to stop, review them and look at who is taking information from them, because a lot of information can be gleaned from them.

We jumped into this new media method many years ago without knowing the direction and road it was going to take. Now that we are well down it, I think it is time we looked at all these different platforms and realized what information is being taken from them.

Telecommunications ActGovernment Orders

4:10 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Madam Speaker, it is with great pleasure that I rise to discuss Bill C-26, an act respecting cybersecurity. I will be addressing elements of the legislation that deal with securing Canada's telecommunications system.

As Canadians rely more and more on digital communication, it is critical that our telecommunications system is secure. Let me assure the House that the Government of Canada takes the security of that system seriously. That is why we conducted a review of 5G technology and the associated security and economic considerations. It is clear that 5G technology holds lots of promise for Canadians: advanced telemedicine, connected and autonomous vehicles, smart cities, clean energy, precision agriculture, smart mining, and lots more.

However, our security review also made it clear that 5G technology will introduce new security concerns that malicious actors could exploit. Hostile actors have long sought and will continue to seek to exploit vulnerabilities in our telecommunications system. The Canadian Security Intelligence Service recognized this in its most recent public annual report. The report said, “Canada remains a target for malicious cyber-enabled espionage, sabotage, foreign influence, and terrorism related activities, which pose significant threats to Canada’s national security, its interests and its economic stability.”

The report said that cyber-actors conduct malicious activities to advance their political, economic, military, security and ideological interests. These actors seek to compromise government and private sector computer systems by manipulating their users or exploiting security vulnerabilities. The CSIS report also highlighted the increasing cyber-threat that ransomware poses.

The Communications Security Establishment has similarly raised concerns about threats like ransomware in recent public threat assessments. We have seen how such attacks by criminal actors threaten to publish victims' data or block access to it unless a ransom is paid. It is not just cybercriminals doing this. CSIS has warned that state actors are increasingly using these tactics, often through proxies, to advance their objectives and evade attribution.

To be sure, Canadians, industry and government have worked hard to this point to defend our telecom system, but we must always be alert and always be guarding against the next attacks. This has become more important as people are now often working remotely from home office environments, and the challenges are accentuated by the 5G technology. In 5G systems, sensitive functions will become increasingly decentralized to be able to be faster where speed is needed. We all recognize cell towers in our communities and along our highways, and 5G networks will add a multitude of smaller access points in order to increase speeds. The devices the 5G network will connect to will also grow exponentially. Given the greater interconnectedness and interdependence of 5G networks, a breach in this environment could have a more significant impact on the safety of Canadians than with the older technology. Bad actors could have more of an impact on our critical infrastructure than before.

The security review we conducted found that, for Canada to reap the benefits of 5G, the government needs to be properly equipped to promote the security of the telecommunications system. We need to be able to adapt to the changing technology and the threat environment.

Now, for these reasons, we are proposing amendments to the Telecommunications Act. The amendments would ensure that the security of our telecommunications system remains an overriding objective. This bill would add to the list of objectives set out in section 7 of the Telecommunications Act. It would add the words “to promote the security of the Canadian telecommunications system.” It is important to have these words specified in law. It would mean that the government would be able to exercise its power under the legislation for the purposes of securing Canada's telecommunications system.

The amendments also include authorities to prohibit Canadian telecommunication service providers from providing and using products and services from high-risk suppliers in 5G and 4G networks if deemed necessary after consultation with the telecommunications providers and other stakeholders. They would also give the government the authority to require telecommunications service providers to take any other actions to promote the security of the telecom networks, upon which all critical infrastructures depend.

We have listened to our security experts, Canadians and our allies, and we are following the right path. We will ensure that our networks and our economy are kept secure. A safe and secure cyberspace is important for Canadian competitiveness, economic stability and long-term prosperity.

It is clear that the telecommunications infrastructure has become increasingly essential, and it must be secure and resilient. Telecommunications present an economic opportunity, one that grows our economy and creates jobs.

The amendments to the Telecommunications Act accompany the proposed critical cyber systems protection act. This bill will improve designated organizations' ability to prepare, prevent, respond to and recover from all types of cyber incidents, including ransomware. It will designate telecommunications as a vital service.

Together, this legislative package will strengthen our ability to defend telecommunications and other critical sectors, such as finance, energy and transportation, that Canadians rely on every single day.

The legislation before us today fits with the Government of Canada's telecommunications reliability agenda. Under this agenda, we intend to promote robust networks and systems, strengthen accountability and coordinated planning and preparedness.

Canadians depend on telecommunications services in all aspects of their lives, and the security and reliability of the network has never been more crucial. They are fundamental to the safety, prosperity and well-being of Canadians.

We will work tirelessly to keep Canadians safe and able to communicate securely. This legislation is an important tool to enable us to do that.

Telecommunications ActGovernment Orders

4:20 p.m.

Bloc

Andréanne Larouche Bloc Shefford, QC

Madam Speaker, I thank my colleague for his speech. In January, I requested a meeting with the Université de Sherbrooke, which has a research chair in cybercrime. I learned a lot about how behind the times Canada is.

This bill is good, but it comes at a time when we are at greater risk than ever before. The federal government does not seem to be taking cybercrime seriously, yet many European countries have other models and have made headway against cybercrime. How can we address the fact that we need to catch up?

We have to act faster to protect ourselves from cyber-attacks. There is also the whole issue of Hydro-Québec and the fact that those are interprovincial lines. How are the authorities going to be able to manage all that given the agreements and the importance of respecting Quebec's and the provinces' jurisdiction over certain types of critical infrastructure?

It is high time this critical infrastructure was included in a bill to protect it. I would like to hear my colleague's thoughts on that.

Telecommunications ActGovernment Orders

4:20 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Madam Speaker, I share the member's sense of urgency in making sure that we advance opportunities to make the networks safer. The technology has developed very quickly in recent years, so it is important that we stay ahead of that technology.

On the relationship between the provinces and the federal government, I think it is important that we develop reliable agreements where appropriate, but telecommunications is the responsibility of the federal government, and we are not going to shirk from our responsibilities in making sure that the network is safe for our citizens.

Telecommunications ActGovernment Orders

4:20 p.m.

NDP

Lindsay Mathyssen NDP London—Fanshawe, ON

Madam Speaker, I too reiterate the thoughts of my Bloc colleague that we are quite behind in this with respect to what other countries are doing.

However, my concern has to do with the broad scope of powers being granted to the minister in this bill. It was specifically written so that some of these orders were not published in the Gazette, so I would really love to hear from the hon. member why the bill was crafted specifically to keep that public piece of information out.

Telecommunications ActGovernment Orders

4:20 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Madam Speaker, we all realize how important security is. In some cases, it may be necessary to act without making the information available so that the perpetrators of fraud against the cyber-network understand what is being accomplished. There are situations where information needs to be maintained securely. A responsible government will do so on the basis of being accountable and transparent to the extent that is appropriate, and I believe the government will do that.

Telecommunications ActGovernment Orders

4:20 p.m.

Conservative

Alex Ruff Conservative Bruce—Grey—Owen Sound, ON

Madam Speaker, I will build on that last question a bit because I think the member took it out context, though I may be wrong.

The question is around specific cyber-incidents or transgressions that need to be dealt with by the appropriate authorities. The issue is the legislation itself and how the power would be used by our security establishments. One of the criticisms that needs to be fleshed out at committee is how this bill and the legislation get reported back here to the House of Commons and to Canadians.

Would the member agree that it would be an important addition or amendment to the legislation to include the requirement for an annual report back to Parliament on how this legislation is progressing and what key changes our national security organizations have made so that Canadians can understand how their lives are being impacted in the cyber-realm?

Telecommunications ActGovernment Orders

4:20 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Madam Speaker, I believe that transparency, to the extent that is possible without jeopardizing security, is important. Committees will contribute a significant amount of improvements, and the government will listen to reasonable solutions, amendments and additions to protect the safety of Canadians. That is a value that we all share.

Telecommunications ActGovernment Orders

4:20 p.m.

Green

Mike Morrice Green Kitchener Centre, ON

Madam Speaker, I want to continue the line of questioning of other members on balancing the need to address cybersecurity and privacy at the same time.

One group that has shared some concerns is the Citizen Lab. It has put together a report called “Cybersecurity Will Not Thrive in Darkness” and has offered 30 recommendations for the governing party to consider at committee.

I wonder if the member has seen this report and if there are any recommendations in the report that he sees worthy of going ahead with. He may not see them all as worthy of going ahead with, but are there some recommendations that he thinks we should pursue?

Telecommunications ActGovernment Orders

4:25 p.m.

Liberal

Tony Van Bynen Liberal Newmarket—Aurora, ON

Madam Speaker, no, I have not seen those recommendations, but it would be appropriate for those recommendations to be presented to the committee for consideration.

Telecommunications ActGovernment Orders

4:25 p.m.

Conservative

Marty Morantz Conservative Charleswood—St. James—Assiniboia—Headingley, MB

Madam Speaker, six years ago Statistics Canada found that more than one-fifth of all Canadian businesses were impacted by cybersecurity incidents, a sobering statistic in its own right. That was six years ago.

What we need to understand is that cyber-technology moves at a mile a minute. What is groundbreaking one year can become ordinary or obsolete even just a year later. I do not doubt that cyber-defence systems in Canada, both by the government and by private businesses, have become much more sophisticated throughout the last several years, but the technology used for cyber-attacks, whether by foreign or by domestic actors, has developed even more quickly.

We are seeing this play out in real time. Just a month ago, Indigo fell victim to a ransomware attack. Online purchases became impossible. In-store purchases could still happen, but only if one was carrying cash. Most alarming of all, information about the chain's employees was accessed. The situation continues to drag on, Canada's largest bookstore chain held for ransom. The emergency that Indigo finds itself in is terrible, but back in January the Russia-tied group that carried out this attack, LockBit, did something far more cruel when it hacked the SickKids Hospital in Toronto.

Those are just two examples of how cyberwarfare transpires in Canada, amongst thousands of other examples every single year. Today, particularly at a time when we know foreign powers are actively seeking to undermine Canada, its institutions and its critical infrastructure, it is time for the government to step in and put forward a cybersecurity strategy. It almost goes without saying that in this digital age, online systems run just about everything that keeps this nation up and running, including hospitals, banking and the energy that heats our homes.

What the government has failed to realize until now is that as these systems become more digitized, so too do they become more vulnerable. This was on full display when SickKids was hacked. Lab results, imaging results and the hospital's phone lines were wiped out for days before order was finally restored. Just in 2020, CRA was hacked, compromising the accounts of 13,000 Canadians. Bold action is what is needed to fight against attacks of that scale, and it is Parliament's job to provide that action.

When I look at a bill like Bill C-26, I start by thinking about what it would let the government do and whether that would be an improvement on our existing cybersecurity regime. In that regard, there is actually a lot to like here. Now more than ever, cyber-attacks can take place in little more than the blink of an eye. An attacker could dig its claws into a company's online system, inflict all the damage it wants, take all the information it wants, and it might be hours later than the affected company realizes what it is being done to it.

Having a rapid response to those incidents is absolutely critical. It is clear to me that the type of broad, sweeping powers contained in this bill would allow the government to provide that rapid response. It would also bring some much-needed cohesion to the link between the state and telecom providers. Right now, telecoms can decide to work with the government and prepare for a cyber-attack, but this is entirely voluntary. They can share information with the government, but only if they really feel like it.

As far as having a unified cybersecurity strategy goes, ours is laughable. It is about time that we act accordingly and fall in line with our Five Eyes allies. This bill covers such an important policy area, yet in so many ways it just does not get it right. It is another page in that long Liberal book entitled, “Having the right intention and making the wrong move”. I should not have to say this in a room full of parliamentarians, but here we are: the written text of a law actually matters.

A law needs to be clear. It needs direction. It needs guardrails. That is why it is so strange to come across a bill that lets a minister go up to a telecom provider and make them “do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.” All the power goes to the minister with nothing in the way of guardrails constraining their power.

When I read this part of the bill, I was reminded of one of my favourite Abraham Lincoln quotes. Abraham Lincoln said, “Nearly all men can stand adversity, but if you want to test a man’s character, give him power.” That is what this section does, it provides immense power to the Minister of Industry, which is not abridged or protected in any way.

There is nothing wrong with a law that gives the government new powers, but in this case, with the cyber-threats that we are currently facing, that type of law is exactly what we need to get right now.

The problem here is that we are debating a bill today where those new powers are not specified and are not restricted whatsoever. Alongside the Canadian Civil Liberties Association, I am seriously concerned about the way that Bill C-26 would infringe on the privacy rights of Canadians.

This bill would allow the government to collect data from telecoms. With guardrails in place, this would actually make a lot of sense. The government might want to see the weak spots in a company's cybersecurity system, for example. With the government being able to get these companies to do anything, we do not have a clue what it will demand to collect.

As it stands now, there is no way of stopping them from collecting personal data and juggling it between various departments. Foreign affairs, defence, CSIS, anyone could take a look if the state decides that it is relevant.

At the minister's discretion, the data could even go to foreign governments. Again, this all comes back to the problem of unchecked power. With zero restraints in place, we can only assume the worst. Like so many bills under the Liberal government, what we are seeing here is a government-knows-best approach.

I am really not sure how it can defend this level of information sharing. “Well, yes, we could share one's personal information, but we definitely will not do that.”

It wants Canadians to give it the benefit of the doubt. The government is well past the point of being given the benefit of the doubt.

The Canadian Civil Liberties Association says that the bill is “deeply problematic and needs fixing”, because “it risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.

A number of organizations and individuals have raised red flags. The Business Council of Canada wrote to the Minister of Public Safety, expressing the business community's concerns about Bill C-26, including the potential of brain drain, as the result of personal liability and unduly high monetary and criminal penalties.

The council also expressed concerns that information sharing is one-way. Operators are required to provide information to government but receive nothing back from government.

The bill misses the opportunity to implement an information-sharing regime that could benefit all operators subject to the law.

Aaron Shull, managing director of the Centre for International Governance Innovation said that Ottawa should deploy a wide range of strategies, including tax breaks to individual small businesses, to take cybersecurity more seriously.

The Munk School issued a report on Bill C-26 where they itemized a series of deficiencies including that “the breadth of what the government might order a telecommunications provider to do is not sufficiently bounded.”

There are massive, glaring issues in Bill C-26.

What is so unfortunate about this is that I think that enhancing Canada's cybersecurity is something that all parties can get behind. I am willing to see this bill move forward but it is going to need some major amendments in committee, amendments that protect civil liberties and constrain abuse.

There needs to be a threshold test, providing that an order being given by the government is proportionate, reasonable and, above all else, necessary. The minister should have to table reports, annually perhaps. How many orders did they issue in a given year? What kinds of orders, broadly speaking?

If the government mishandles someone's personal information, which it likely will, this bill needs to make it clear that those people will be compensated.

We find ourselves debating another highly important, poorly crafted bill, courtesy of the Liberal government.

I want to see this bill go to committee so that experts, especially those with a focus on civil liberties, can help make this bill work.

To be clear, if the issues in this bill concerning privacy and impacts to businesses are not addressed, the Conservative Party is ready to pull its support immediately and put up a very strong defence to stop this bill from going beyond committee.

After all, if the Liberals cannot manage Canada's cybersecurity, they can just get out of the way and let Conservatives handle it.

Telecommunications ActGovernment Orders

4:35 p.m.

Winnipeg North Manitoba

Liberal

Kevin Lamoureux LiberalParliamentary Secretary to the Leader of the Government in the House of Commons

Madam Speaker, I understand that the Conservative Party is going to actually be voting in favour of the legislation. I am glad to hear that because we recognize that it does not matter which political party one is of, the issue of cybersecurity is something that we all need to take seriously.

Listening to the debate today, Conservatives come up and say, yes, they support the bill and it is a bill that they want to see go to committee.

Given the member's comments, does the Conservative Party actually have any amendments that it is prepared to share, through the House of Commons, with Canadians? What tangible amendments would they like to see made to the legislation that he could share with us prior to it going to committee?

Telecommunications ActGovernment Orders

4:35 p.m.

Conservative

Marty Morantz Conservative Charleswood—St. James—Assiniboia—Headingley, MB

Madam Speaker, I want to thank my colleague from Winnipeg North. It is always nice to get a question from a fellow Winnipegger. I love the Prairie pragmatism of his question on what amendments might we put forward.

The purpose of my speech and the speeches we have heard from our side of the House today is to point out the flaws in the bill. We will support the bill to get to committee stage and it is at committee stage where we can have a fulsome discussion with the experts about these flaws and come up with serious, practical amendments that make this bill even stronger. I think my colleague from Winnipeg North would agree it is in everybody's interest to make this bill as strong as possible.