Madam Speaker, I rise to speak in support of Bill C-8, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.
This legislation is a necessary, measured step to protect systems that Canadians rely on every single day. This bill would help critical infrastructure operators better prepare, prevent and respond to cyber-incidents. It would do what responsible governments must do: It would set clear, enforceable standards for operators in the most critical sectors; it would enable rapid, targeted interventions when threats emerge; and it would ensure that Canada is aligned with international partners that are facing precisely the same challenges. In this era, it is very important that we pass this piece of legislation.
Let me talk about two big things the bill would do. First, it would modernize the Telecommunications Act so that our security agencies and responsible ministers can issue targeted, time-limited directions to defend our networks against serious and evolving threats. Second, it would enact the critical cyber systems protection act, the CCSPA, which would set baseline, legally binding cybersecurity duties for designated operators in federally regulated critical sectors. This would mean cyber-risk management programs, timely incident reporting and accountability up and down the supply chain. Those are not “nice to haves” anymore; they are the basic hygiene that we need for running a critical service in 2025.
Colleagues will recall earlier efforts under Bill C-26. With Bill C-8, our government has brought back a refined, clearer and in some places improved framework because the threat landscape did not pause when Parliament did. Several independent analyses confirm that Bill C-8 substantially revives the Bill C-26 approach while correcting drafting issues and clarifying process where needed, and that is prudent governance.
Why does this matter? For Canada, cyber-risk is now an economic risk, a jobs risk and a public safety risk. A successful attack can freeze payrolls, disable hospitals, shut down pipelines or even take down our 911 lines.
Across London, manufacturers, research labs at Western University, students at Fanshawe College, local clinics and small businesses on our main streets all depend on secure networks. The southwestern Ontario supply chain and the supply chain across Canada, which include major investments in EVs, batteries and advanced manufacturing, cannot function with brittle digital infrastructure. When a single compromised supplier can ripple through an entire regional economy, cyber-resilience becomes a competitiveness strategy.
Essentially, what Bill C-8 would require under the CCSPA is that designated operators, such as those in banking and financial services, telecommunications, energy and transportation, must establish and maintain a cybersecurity program proportional to their risks, report cyber-incidents quickly and consistently, manage third party and supply chain vulnerabilities, and comply with enforceable directions in extraordinary circumstances. There are administrative monetary penalties for non-compliance because rules without consequences are just suggestions. We cannot afford to bring just suggestions forward.
On the telecom side, Bill C-8 would modernize the tool kit so that government can act surgically when credible threats emerge in our networks. These powers are not a blanket. They are tied to concrete risks and are subject to review. In today's environment, speed matters. A 72-hour delay can be the difference between a contained incident and a national outage.
Some civil society groups and legal scholars have raised important concerns about privacy, transparency and due process, especially around how directions are issued and reviewed and how information flows between government and private operators. I want to take the opportunity to acknowledge those concerns, which are clearly on the floor of this House. Some of our colleagues have mentioned them in this debate.
The goal of Bill C-8 is to protect Canadians, not to weaken their rights. As this bill advances to committee, I look forward to seeing the conversations that colleagues from across the aisle will have and the suggestions they will be putting forward. As we did before on Bill C-26, I think we will be able to achieve a consensus on what this bill is going to look like. Essentially, the goal is to protect Canadians.
I also have some thoughts on some of the things we could look at. Number one is that we could look at tightened transparency around reporting, including public statistics on the use of cybersecurity directions wherever national security considerations allow. We can also look at strengthened due process, making judicial review avenues practical and timely, and clarify data handling and retention so information shared for cybersecurity is not used for unrelated purposes and that it is protected with robust safeguards.
I do not sit on the committee, but I do know we have colleagues on it from across the aisle who are going to have robust conversations on how to strengthen the bill as we did in the past. We voted for Bill C-26. It is now back in the House, refined and reframed for all our colleagues to discuss and to propose measures they want to see within the spirit of wanting to protect cybersecurity for all Canadians.
I think these are reasonable and constructive asks that would make for good dialogue and would strengthen the bill. I am sure there will be more suggestions that I look forward to reading from my colleagues. I am sure they will support and pass the bill in a very timely manner, because if we are having a conversation about a cybersecurity bill in 2025, we need to pass it. I think we understand that the bill is not coming forward as a nice-to-have conversation; it is really critical.
Not every critical service is a national giant. Many are medium-sized providers or municipal utilities that keep water flowing and transit moving. For these operators, the question is often capacity. Having the people, the tools and the processes that meet modern standards is really important. I support complementary measures alongside Bill C-8: practical guidance, shared services, threat intel programs that actually reach the front lines, and funding that helps smaller providers implement the basics, such as asset inventories, multi-factor authentication, network segmentation, backup discipline and tabletop exercises.
Standards without support risk becoming paper compliance. What we should be trying to do with our approach is to enable real resilience for Canadians. We also need to be honest about where the real attack surface is today: suppliers, managed service providers, and software dependencies. Bill C-8's supply chain provisions are a step forward, but we must continue to keep pushing for secure-by-design practices. The objective is learning and early warning, not blame-shifting.
I hope that colleagues at committee will have the time to ensure that timelines will also allow the time to consult, that thresholds and formats are clear, and that we streamline duplication with sectoral regulators where possible.
Critical services in indigenous and rural communities face unique constraints.
I do not think I will be able to finish my speech, but I want to say that the legislation is really important for all Canadians. I am happy to speak to and support the bill. I look forward, for all our colleagues who have been speaking to the bill today, to their actually helping us bring it to committee so we can bring amendments that are necessary and we can pass the bill as quickly as possible. They voted for it in the last Parliament under Bill C-26. It is back now, and it is really important we pass it as quickly as possible.