Francesco Sorbara

Madam Speaker, we all have a role to play in preventing gender-based violence. Many men and boys are aware of gender inequities. It is crucial to start discussions at a young age to encourage them to act now to develop healthy masculinities.

Can the Parliamentary Secretary to the Minister for Women and Gender Equality and Youth speak about what our government is doing to support the allyship of men and boys in addressing gender-based violence?

Madam Speaker, we must always protect the civil liberties and rights of Canadians. Any legislation brought to the House needs to pass that means test, if I can call it that.

With reference to Bill C-26, it is definitely required that we update our cybersecurity laws to reflect the ongoing changes in technology that have happened over the last number of years and the increasing use of cybersecurity, cyber-threats, increasing digitization that has been going on in the world, and the fact that Canadians are increasingly interconnected in this world.

We need to maintain checks and balances within the system and ensure that individual rights of Canadians are protected.

Madam Speaker, I thank my colleague from Quebec for her question.

In the preliminary version of the Library of Parliament's assessment of the bill, there is a reference that the bill specifies that no one would be entitled to any compensation from the federal government for any financial losses resulting from these orders. I am not certain if these orders pertain to exactly what the member was speaking to, but I do believe so. I would have to get back to the member on that specific question, because it is a pertinent question.

Madam Speaker, of course, fundamentally I believe in the oversight of government and ensuring that there are checks and balances.

When bills proceed to committee, obviously members within the pertinent committee should bring forth ideas to strengthen them, and that includes Bill C-26. Our main priority as MPs is to bring forth good legislation, to improve it and to protect the security of Canadians, whether it is their cybersecurity or health and safety. Bill C-26 would take us down that path.

Madam Speaker, I say good morning to all of my hon. colleagues, and I thank the hon. member for Davenport for her insightful discussion of this bill.

I am thankful for the opportunity to weigh in on Bill C-26, an act respecting cybersecurity, as we continue debate at second reading. Bill C-26 will take great strides to enhance the safety of our cyber systems and will make changes to allow for measures to be taken within our telecommunications system.

There are two parts to this act. Part 1 amends the Telecommunications Act to “promote the security of the Canadian telecommunications system” as a policy objective. An order-making power tied to that objective would be created for the Governor In Council, or GIC, and the Minister of Industry. That power could be used to compel action by Canadian telecommunications service providers if deemed necessary. With these authorities, the government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.

The bill would enable action against a range of vulnerabilities to these critical systems, including natural disasters and human error. The Department of Innovation, Science and Economic Development would exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry. Once amendments to the Telecommunications Act receive royal assent, GIC or ministerial orders could be issued to service providers.

Part 2 of the act would create the critical cyber systems protection act, or the CCSPA. The CCSPA would be implemented collaboratively by six departments and agencies: the departments of Public Safety; Innovation, Science and Economic Development; Transport; Natural Resources; and Finance, as well as the Communications Security Establishment. They will all play a key role. Indeed, across the Government of Canada, there is a recognition that cybersecurity is a horizontal issue, and it should be addressed through a streamlined government response across sectors, all rowing in the same direction.

Schedule 1 of the act would designate services and systems that are vital to the national security or public safety of Canadians. Currently, schedule 1 includes telecommunications service and transportation systems. It also includes, in the finance sector, banking systems and clearing and settlement systems, and, in the energy sector, interprovincial or international pipeline and power line systems and nuclear energy systems.

Schedule 2 of the act would define classes of operators of the vital services and systems identified in schedule 1, as well as the regulator responsible for those classes. Operators captured in a class are designated operators subject to the act.

In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister of Public Safety would have overall responsibility for the legislation and would lead a number of CCSPA-related processes.

Decision-making by GIC under the CCSPA would ensure that a broad range of relevant factors, including national security, economic priorities, trade, competitiveness and international agreements and commitments, are considered when making decisions that have an impact across sectors. The CCSPA would also leverage regulators' expertise and relationships with entities they already regulate under existing legislation.

The Canadian centre for cybersecurity, or the cyber centre, is responsible for technical cybersecurity advice and guidance within Canada, and that would be no different under the CCSPA. It would receive resources to provide advice, guidance and services to designated operators in order to help them protect their critical cyber systems; regulators in support of their duties and functions to monitor and assess compliance; and public safety and lead departments and their ministers, as required, to support them in exercising their powers and duties under the act.

The CCSPA would require designated operators to establish a cybersecurity program that documents how the protection and resilience of their critical cyber systems will be ensured. CSPs must be established by designated operators within 90 days of them becoming subject to the act, that is, when they fall into a class of designated operators published in schedule 2 of the act.

Once established, the CSP must be implemented and maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology. CSPs must include reasonable steps to identify and manage organizational cybersecurity risks, including risks associated with an operator's supply chain, and the use of third party products and services. They must also protect their critical cyber systems from compromise, detect cybersecurity incidents that affect or have the potential to affect CCS and minimize the impact of cybersecurity incidents affecting critical cyber systems.

This legislation would also help confront supply chain issues. With the increasing complexity of supply chains and increased reliance on the use of third party products and services, such as cloud-based data storage and infrastructure as a service, designated operators can be exposed to significant cybersecurity risks from those sources.

When a designated operator, through its CSP, identifies a cybersecurity risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA would require the designated operator to take reasonable steps to mitigate those risks. Taking reasonable steps to mitigate risk is understood to mean reducing the likelihood of the risk materializing by, for example, securing a supply chain by carefully crafting contractual agreements to gain more visibility into equipment manufacturing, or by choosing another equipment supplier. It can also mean reducing the impact of a risk that materializes.

Under the CCSPA, there would also be a new obligation to report cybersecurity incidents affecting or having the potential to affect critical cyber systems to the Communications Security Establishment, for use by the cyber centre. A threshold defining this reporting obligation would be set in regulations. This would provide the government with a reliable source of information about cybersecurity threats to critical cyber systems. The availability of incident reports would enhance visibility into the overall threat for the cyber centre. Findings from the analyses of incident reports would make it possible for the centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and it would help to inform Canadians of cybersecurity risks and trends, allowing one organization's detection to become another's prevention.

The CCSPA would also create a new authority for the government. Under the act, the Governor in Council would be allowed to issue cybersecurity directions when it decides that specific measures should be taken to protect a critical cyber system from a threat or known vulnerability. Directions would apply to specific designated operators or to certain classes of designated operators. They would require those designated operators to take the measures identified and to do so within a specific time frame. Failure to comply with directions could be subject to an administrative monetary penalty or an offence that can lead to fines or imprisonment. The CCSPA would also includes safeguards to ensure that sensitive information, such as information that was obtained in confidence from Canada's international allies, is protected from disclosure.

All of this provides an overview of strong new legislation, which I hope I have adequately described in two distinct parts. I look forward to our continued debate of this landmark bill, and I encourage all colleagues to join me in supporting Bill C-26 today.

Mr. Speaker, more than one in three women experiences gender-based violence during their lifetime. As a father blessed with three beautiful daughters, this is a terrifying statistic and a reality that is not acceptable. No one should face violence because of who they are.

Today marks the fifth day of the 16 Days of Activism Against Gender-based Violence campaign, which began on November 25. Violence against women and girls remains the most prevalent human rights violation in the world. This is not a challenge we can overcome in 16 days.

We have proof that violence against women and girls is preventable. The single biggest action we can take is to support a strong and autonomous women's movement, here in Canada and abroad. It is up to all of us to be better and to do better.

I call on all members of the House and everyone living in Canada to step up and take action to end violence against women and girls.

Madam Speaker, I thank the member for Windsor West, who I have travelled and worked with on the Canada-U.S. interparliamentary association. From my understanding of the bill, the tribunal will provide for access to justice and contribute to the further development of privacy expertise. That is very important in this day and age, when we are dealing with artificial intelligence and with a lot of data. We need to ensure that individuals' data is not misused, that we can move forward and that people can have confidence that their data is being protected.

Madam Speaker, once the bill arrives at committee stage there will be plenty of time to bring forth ideas and to strengthen legislation. That is the job of all members of Parliament here. We are sent here to improve legislation, so I encourage my colleague to do so.

All MPs know, from studying PIPEDA and other pieces of legislation that we have examined while sitting on committees, that because of technology, be it Facebook, Instagram or the use of AI, we need to revise our privacy laws. This is a good, solid step in that direction.

Madam Speaker, I thank my colleague for her question and her comment about my French. I practice a lot, but not all the time.

I am going to answer her question about Quebec's law in English.

It is interesting that we are again following the Province of Quebec, much as we did with the child care plan we introduced in Canada. This piece of privacy legislation is really modelled and follows the Quebec law that was put into place. My understanding, from reading over the notes on the bill, is that where there is provincial jurisdiction that is deemed to be similar to the law we introduce, we will obviously hand it over or defer to the provincial legislation.

There is nothing that infringes on the law that is currently in place in Quebec. I applaud the Quebec provincial authorities for bringing forward legislation over the years that the federal government has looked to and modelled.