Bill C-26

Madam Speaker, what does the member propose for a solution? What are the immediate steps needed to be taken to deal with the pressing issue of cybersecurity attacks we are facing in the country?

Madam Speaker, Bill C‑26 does contain some good solutions and some interesting elements.

The only thing is, we will have to look at the details and see what is next. Are we giving the minister too much power? At the same time, we may have to think twice about giving more power to the minister at the expense of Parliament when we are not sure whether the minister will fulfill his commitments. There have been promises followed by waffling in the past. There are definitely things that need to be looked at, yes, but at least this bill is motivated by good intentions. For that alone, it deserves to be supported at this stage.

Madam Speaker, my colleague's intervention today was very interesting. He seems to know the subject very well. Looking at this legislation, we have been talking about how it has been a long-time coming, and how we would have liked to have seen this legislation before us sooner.

I wonder if, as he studied this bill, he had an opportunity to look at legislation from other countries, and if there is legislation from other countries that we could be emulating and looking at as we try to improve this bill. After second reading, I think all parties want to make sure this bill improves.

Madam Speaker, as I said at the beginning, I was a bit critical. Unfortunately, in this country, in this Parliament and in this postnational system, it is clear that there is much hemming and hawing in far too many files.

Take a look at the general political culture of other countries like the United States. It did not take them long. Consider the example of Huawei; it took no time at all. They looked at it, concluded that it was preposterous and they put an end to it.

Why has it taken Canada years? This is still something to keep an eye on.

The European Union is also starting to take action. It is starting to move on this front by setting up institutes to monitor interference, the extraterritoriality of certain practices, and so on. There are certainly practices that should be monitored.

Madam Speaker, I thank my colleague from Saint‑Hyacinthe—Bagot, who said he wished that we could talk a bit about what is being done proactively, and that is what I intend to do.

As members know, we cannot discover new worlds until we have the courage to not see the shore. Those who know me know that I would rather talk about the “why” than the “how”. I like to clearly define what we are talking about.

Let us start with the word “security”. Security is an absence of worry. It is peace of mind, a form of safety. It is rather easy to define.

Now, what is the definition of the prefix “cyber”? Cybersecurity is a word that is used in all kinds of ways. We want to combat cybercrime with cybersecurity. We want to prevent cyberstalking. Sometimes it can be confusing. What is the meaning of the prefix “cyber” that is used everywhere?

The origin of the word will help us to understand it. It was coined after the Second World War by an American researcher named Norbert Wiener. This brilliant mathematician was hired by the Massachusetts Institute of Technology, or MIT, to work on a research project on new types of weapons. More specifically, he was asked to develop missiles that could take down V‑1s and V‑2s, the unmanned German aircraft filled with explosives that were causing so much damage in England.

To that end, Professor Wiener had to model the behaviour of a pilot who knew he was being chased in order to better understand the decision-making mechanisms of humans in general. We will use the term human so as not to offend anyone. In 1948, Norbert Wiener named this field of research “cybernetics”, a new area of science that studies the mastery of machines. He was inspired by the Greek term kubernao, which means to pilot and from which the terms “government” and “governance” are also derived. It means “to steer”.

In 1949, Wiener's book was deemed one of the most important works of the 20th century. The New York Times praised it and predicted that cybernetics would be a leading branch of science in the future, which has come to pass. This book still contributes practical knowledge to today's world because one of the main concepts underlying this new theory is that of regulation. That is what we are discussing today.

With the Internet, everything becomes cyber, but the societal challenge is huge because in cyberspace we no longer know what is the cause and what is the effect. We are no longer certain who governs and who is governed. We no longer strive to determine if the chicken came before the egg or if the egg came before the chicken. In cyberspace, we cannot make sense of the chickens and the eggs.

When we talk about the Internet, we are talking about space and time. Space and time are concepts that, throughout history, have allowed us to place and understand ourselves. In philosophy it is said that nothing exists without space and time because everything is always somewhere in space and in a given moment, it is situated in time.

However, the Internet is everywhere and nowhere. In fact, when we talk about the web we picture an entanglement of threads without a centre. Humans, with their neurolinguistics, have a hard time placing themselves when there is no centre. We are always looking for the end. The Internet does not have one. In space, there is no centre and time is eternal. The Internet is always, never, and in perpetuity. It is therefore very hard to understand and associate with the cyber point of view.

Bill C‑26 is divided in two parts. In the first part, it says that it seeks to reinforce the security of the Canadian telecommunications system. Then there are indications of how it will change this and how it will change that. In the second, it says it will create the new critical cyber systems protection act to do this or that. I am summarizing the bill.

I noticed when I read Bill C‑26 that there is a lot of “how” and not a lot of “why”. What is the “why” behind Bill C‑26? In my opinion, there is just one reason why and that is to ensure that citizens can trust in the mechanism that protects them in the area of cybernetics and cyberspace.

Trust is complicated because it is not something that is easily granted. I will use the example given by my colleague from Saint‑Hyacinthe—Bagot. I know him and he is conspicuous in his absence, even though I am not allowed to say that. I do not have eyes in the back of my head.

It is pretty easy to build up trust between two individuals. However, trusting an entity, a company or a government is harder. Trust means having peace of mind, without needing supporting evidence. It is difficult to achieve in the public sphere. It is essential, however, and I think that is what Bill C-26 seeks to accomplish.

Trust begins with education and insight. Since this has been explored in speeches throughout the day, I will not dwell on it, but the geopolitical world is changing these days, and the balance of power is shifting. In addition, it is hard to know where the centre is, as I explained a little earlier.

The Canadian government's foreign policy is vague at best. It took years for the government to acknowledge that there was a problem with Huawei. It was the only Five Eyes nation that did not see the inevitable, that did not see the evidence right under its nose.

I am talking about education, but the bill does not contain any provisions for education in cybersecurity. I am talking about education in terms of privacy and facial recognition. Education would help people avoid the temptation to commit the act that we are trying to prohibit here.

We also know that we are stronger together. It is interesting to see who has already thought about these issues. One of our colleagues said that other institutions have thought about this. Yes, there is a concept known as cyber diplomacy, which involves co-operation and dialogue between nations. Moreover, to answer a question that has not been asked, which is the nature of philosophy, the Council of Europe could offer some very interesting answers and solutions in this matter.

This brings me to another question. Despite the many measures, there are quite a few things I do not see in this bill. I do not see measures that would prevent our devices from being taken over by malware, for example, or by a foreign power. Device takeover is something we recently studied at the Standing Committee on Access to Information, Privacy and Ethics. It is not the stuff of science fiction; it is actually happening now.

Also, I do not see how this bill prevents intellectual property infringement. I could name 200 other things I do not see in this bill, but I will mention just one more. I do not see how we are going to regulate what is known as the dark web. However, the bill names six organizations that will have the power to act as regulators.

However, I would like to ask the following question: Do these organizations have the necessary knowledge to do that? It is not always clear. In previous bills on other subjects, we were told, for example, about the CRTC, which was responsible for implementing some provisions. We saw that the CRTC was an outdated organization. The organizations in question now are not much better.

Cybersecurity is not something that is easy to regulate. That is why it is a good idea to look up and try to see a little further. I agree that the bill is well-intentioned, but intention without courage is meaningless.

A poet that I recently met in Montmartre told me that there is no love, only shows of love. It is the same thing here, except that we are talking about shows of courage, and so I hope that the government will show courage with Bill C‑26 and turn its intentions into action.

Let us send Bill C‑26 to committee as soon as possible.

Madam Speaker, I will be splitting my time with the member for Kootenay—Columbia.

I am pleased to rise in the House today to speak to Bill C-26, the critical cyber systems protection act, introduced in June 2022 and split into parts 1 and 2. The former aims to amend the Telecommunications Act to include:

the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.

The latter outlines the introduction of the critical cyber systems protection act, which would create a new regulatory regime requiring designated critical infrastructure providers to protect their cyber systems.

I would like to emphasize that the safety and security of our telecom industry, with particular reference to foreign adversaries such as the Beijing Communist Party, has been a broad theme in communications lately. This is especially concerning the controversial Bill C-11, the online streaming act, or, should I say, government censorship, and new revelations from the Canadian Security Intelligence Service, CSIS, flagging election interference from those involved with the Beijing Communist Party.

We Conservatives believe it is of paramount importance to defend the rights and interests of Canadians from coast to coast to coast. Thus, Canada's national security should be strongly well equipped to be prepared for cyberwarfare threats that could be presented by emerging digital technologies, intelligent adversaries or authoritarian artificial intelligence.

The NDP-Liberal government has had a long record of denying Canadians the truth. Instead of protecting their rights and freedoms, the government uses deflection tactics to divide Canadians, pitting them against one another to distract from the real issue: that the NDP-Liberal government has been too slow to address cyber-threats. For this critical lack of action, Canada has seen several serious incidents occur with no substantive legislative response for over seven years. After years of chronic mismanagement and utter failure, it is time for the government to step aside and let the Conservatives turn Canadians' hurt into hope.

We support the stringent and thorough examination of this legislation. We will always defend and secure the security of Canadians, especially with regard to cybersecurity in an increasingly digitized world. There is a pressing demand to ensure the security of Canada's critical cyber-infrastructure against cyber-threats. Let us not forget that these very systems lay the foundation of the country as a whole. It is these cyber systems that run our health care, banking and energy systems, all of which should be guarded against the cybercriminals, hackers and foreign adversaries who want to infiltrate them.

Akin to several other Liberal ideas, a number of aspects of this bill require further review, and it should thus be sent straight to committee where it can be further dissected and refined to ensure that all flaws are addressed. One can only imagine the disaster that a hospital system crash would add to the already horrible wait times in emergency rooms and shortages of medical professionals thanks to the NDP-Liberal government. The results would be disastrous. Furthermore, disruption of critical cyber-infrastructure in health care can bring severe consequences, such as enabling cybercriminals to access confidential patient health care information.

While we understand that it is imperative to provide the resources necessary to effectively defend against cyber-threats, it is still equally important to ensure that the government does not overreach on its specified mandate through Bill C-26. A research report written by Christopher Parsons called “Cybersecurity Will Not Thrive in Darkness” highlights some recommendations to improve Bill C-26. Among these recommendations is an emphasis on drafting legislation to correct accountability deficiencies, while highlighting amendments that would impose some restrictions on the range of powers that the government would be able to wield. These restrictions are critical, especially concerning the sweeping nature of Bill C-26, the critical cyber systems protection act, as outlined in parts 1 and 2, which I have explained in my opening statement.

The sweeping nature of this legislation is not new, particularly for the Liberal government. It even goes back to Bill C-11, the online streaming act, which essentially placed the Liberal government as the online content regulator controlling what Canadians see or listen to online. If members ask me, the government policing what Canadians view online is a cyber-threat in its own way, but I will not get into that right now.

There are other flaws in Bill C-26 that I would like to highlight, which brings us back to having Bill C-26 closely reviewed in committee.

In terms of civil liberties and privacy, some civil liberties groups have flagged serious concerns regarding the scope and lack of oversight around the powers that may be granted to the government under Bill C-26. In September last year, the Canadian Civil Liberties Association, along with other groups, released a joint letter of concern regarding Bill C-26, highlighting that the bill is “deeply problematic”, like several other questionable Liberal policies. They went on to further explain that Bill C-26 “risks undermining our privacy rights, and the principles of accountable governance and judicial due process”.

From an economic perspective, the bill lacks recognition of foreseeable impacted enterprises, such as small and medium-sized businesses, which will undoubtedly bring forth unintended consequences. According to the Business Council of Canada, some concerns include the lack of transparency seen through the one-way sharing of information. This brings about serious concerns. Operators are required to provide information to the NDP-Liberal government, yet those same operators are not entitled to receive any information back from the government or other cyber-operators. This whole information-sharing regime is lacking and, simply put, completely misses an opportunity to implement a transparent information-sharing system that would benefit all parties involved.

There is also concern regarding government overreach. Considering what powers would be granted to the government to order what a telecommunications provider has to do under Bill C-26, I would have expected to see sufficient evidence to support this overreach. However, that was not addressed at all, if not vaguely, in this bill. This, on top of blatant disregard for the recognition of privacy and other charter-protected rights, proves how the government only cares about granting itself more and more power, even in the face of blatant transparency and accountability concerns like election interference or the Bill C-11 censorship bill.

I only highlighted a few of the several highly valid concerns regarding this critically flawed bill. Obviously, it is important to defend national cybersecurity and defend against cybercriminals or foreign threats. However, there is a fine line between upholding the best interests of Canadians and just using another faulty bill as a power grab for the NDP-Liberal government, despite concerns regarding cyber systems, privacy and security infrastructure.

We Conservatives believe that it is of paramount importance to truly defend the rights and interests of Canadians from coast to coast to coast. One of the best ways this can be done is by securing Canada's cyber-infrastructure from attacks. While we welcome the idea of protecting the interests of Canadians in terms of cybersecurity, we want to flag that Bill C-26 has some highly concerning content that should be closely reviewed and discussed in committee to correct flaws and prevent potential overreach from the NDP-Liberal government. In the interest of protecting Canada's cyber-infrastructure, we must also guard against the sweeping government powers outlined in the critical cyber systems protection act.

Madam Speaker, on the one hand, the member says that he is really concerned about cybersecurity, and then on the other hand, the member is saying that the government is doing too much and that he is concerned about overreach and is very skeptical. Then he uses examples of health care and talks about waiting lists and so forth. I am a bit confused about exactly where the Conservative Party is with respect to the legislation.

Would the member not agree that, at the very least, many of the issues or concerns he raised might be somewhat irrelevant to the debate and that parts of his comments would probably be better served if the bill went to committee? He seems to give me the impression in his comments that the Conservative Party supports the principles of the legislation. Does the member believe that he will be voting in favour of the bill so that it can go to committee?

Madam Speaker, yes, I think we will be voting in favour of the bill. The problem is that although the bill would address the fact of cybersecurity as a very important thing we need to deal with, it seems like every type of legislation the Liberal government puts forward would also take away our rights and freedoms as Canadians. The Liberals always try to make sure the government is in charge, controlling what we can or cannot do. I think that is quite evident in this legislation when they start talking about one-way sharing of information.

Madam Speaker, I agree somewhat with my colleague. Sometimes, the Conservatives want their bread buttered on both sides, especially when it comes to cybersecurity or Internet bills. They support the principle, but oppose the intervention. It is difficult for them to find the right balance.

My colleague did not address the concerns. He spoke instead about Bill C-11, which is a very important bill for the promotion of French content on the Internet, but which was blocked by my Conservative friends.

Over the past two break weeks, I spoke with many Quebec artists. The Union des artistes fervently hopes that Bill C‑11 will pass so that French content will be promoted on line. It is extremely important. However, the Conservatives are stonewalling. They did so in committee, and even now, they are delaying the work in this place.

How does my colleague feel about the fact that all Quebec and francophone artists across Canada are against his party?

Madam Speaker, I think there is some confusion as to what we do and do not stand for. I believe there are a lot of opportunities in Canada when it comes to online streaming and how we can get our products out to market. However, when we start talking about Bill C-11, we start talking about censorship and what can or cannot happen here in Canada. Everyone talks about how we are going to protect the rights of our artists, but I am very concerned about the time when the censorship starts taking place and Canadians actually start understanding there is going to be content that would not be allowed to be viewed. I sure hope the member is right that there will not be such censorship, but I am afraid he could be mistaken.

Madam Speaker, I am pleased the member is going to vote in favour of the legislation. Could he provide a specific example within the legislation that he would say is government overreach?

Madam Speaker, that was probably the briefest time I have ever heard the member speak in the House; it is shocking. I will do my best as well.

When we start talking about information sharing, all these companies have to provide information as to what they are doing to make cybersecurity safe in Canada. However, the government is not reaching out to the same companies and people to say what it is hearing about and what it is understanding. That is one of the biggest problems; it would not be a two-way sharing system but only a one-way sharing system. Once again, the government is trying to control what Canadians can or cannot do.

Madam Speaker, it is always an honour to rise in the House, especially when I can talk about safety and security.

I always try to enhance safety and security for Canadians at home and abroad, for our corporations that are major contributors to our economic base, and of course, for government institutions. Today, discussing cybersecurity in Canada is an opportunity to enhance our country's ability to protect us from cyber-threats.

Security is a significant concern for all Canadians. Lately, with the rise in organized crime and gang offences to the tune of a 92% increase in gang crime, I have to wonder when the government will be led by evidence, or in other words, provide evidence-based action. It is extremely important for our country to have cybersecurity to protect itself from threats, and I welcome Bill C-26. However, I am apprehensive about how successful this bill may be since accountability is a question that the opposition brings up every day in this House.

Bill C-26 is basically divided into two parts. The first part aims to amend the Telecommunications Act to promote the security of the Canadian telecommunications system. It aims to do this by adding security as a policy objective to bring the telecommunications sector into line with other infrastructure sectors.

By amending the Telecommunications Act to secure Canada's telecommunications systems and prohibit the use of products and services provided by specific telecommunications service providers, the amendment would enforce the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure, as well as the removal and termination of related 4G equipment by 2027. Of concern is the time it took the government to react to enforce the ban on Huawei.

The second part aims to enact the critical cyber systems protection act, the CCSPA, which is designed to protect critical cybersecurity and systems that are vital to national security or public safety or are delivered or operated within the legislative authority of Parliament. The purpose of the CCSPA is to ensure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third party products and services; protect critical cyber systems from being compromised; ensure the proper detection of cybersecurity incidents; and minimize the impacts of any cybersecurity incidents on our critical cyber systems.

The effects of this bill will be far-reaching, and there are some points to consider: The government would have the power to review, receive, assess and even intervene in cyber-compliance and operational situations within critical industries in Canada. There would also be mandatory cybersecurity programs for critical industries, as well as the enforcement of regulations through regulatory and law enforcement with potential financial penalties.

Under both provisions, the Governor in Council and the Minister of Industry would be afforded additional powers.

If any cybersecurity risks associated with the operator's supply chain or its use of third party products and services are identified, the operator must take reasonable steps to mitigate these risks. While the bill does not indicate what steps would be required from the operators, such steps may be prescribed by the regulations during a committee review.

The act also addresses cybersecurity incidents; a cybersecurity incident is defined as an:

incident, including an act, omission or circumstance, that interferes or may interfere with

(a) the continuity or security of a vital service or vital system; or

(b) the confidentiality, integrity or availability of the critical cyber system

touching upon these vital services. It does not indicate what would constitute interference under the act.

In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the act does not prescribe any timeline or indicate how “immediately” should be interpreted. Again, there is an opportunity to address this at committee.

There are some concerns with Bill C-26 as it is presently drafted. What the government might order a telecommunications provider to do is not clearly identified. Moreover, the secrecy and confidentiality provisions of the telecommunications providers to establish law and regulations are not clearly defined.

As has been brought up today, potential exists for information sharing with other federal governments and international partners, but it is just not defined. Costs associated with compliance with reforms may endanger the viability of small providers. Drafting language needs to be in the full contours of legislation, and that could be discussed at committee as well. In addition, there should be recognition that privacy or other charter-protected rights exist as a counterbalance to proposed security requirements, which will ensure that the government is accountable.

Some recommendations, or ones derived from them, should not be taken up, such as that the government should create legislation requiring the public and telecommunication providers to simply trust that the government knows what it is doing. Of course, this is a challenge. Telecommunications networks and the government must enact legislation to ensure its activities support Canada's democratic values and norms of transparency and accountability.

If the government is truly focused on security for Canadians, should we not be reviewing our gang and organized crime evidence? Our present policies have failed. Should we not look at the safety and security of our bail reform in an effort to prevent innocent Canadians from becoming victims?

Bill C-26 is a step in protecting Canada from cybersecurity threats. What is the review process to ensure compliance and effectiveness, as well as that goals are met?

In terms of bail reform, even though the evidence clearly shows that Bill C-75 has failed, we see that the NDP-Liberal government is not interested in reviewing bail reform. Cybersecurity is important to our country's security; so are victims of crime after their safety and security has been violated.

I am concerned that the government is struggling with evidence-based information to review Bill C-26, as it has with Bill C-75 and Bill C-5. These bills are not supported by evidence. In fact, offenders and criminals have a higher priority than victims do. My concern is as follows: If Bill C-26 requires amendments and review, will the government follow up? It is so important to be flexible and to be able to address changes, especially in a cybersecurity world, which changes so rapidly.

Bill C-26 proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security. Therefore, although late out of the gate, Bill C-26 is a start. However, since this bill proposes compliance measures intended to protect cybersecurity in sectors that are deemed vital to Canadian security, I would like to see individuals, corporations, and most importantly, the government held accountable. There should also be measures to ensure that the objectives of the bill are met and that there is a proper review process.

As I have stated, government accountability has not been a priority. For the proposed bill to succeed, there have to be processes for review and for updating the critical cyber systems protection act.

The failure of Bill C-75 on bail reform is clear with recent violent acts by murderers and individuals who should never have been out on bail. Today we are debating Bill C-26, and I would hope that there are lessons learned from our failure to review Bill C-75. In addition, we can learn from the failure of Bill C-5, as gang violence and organized crime rates are up 92%. Surely the government will open a door for review and making required changes to Bill C-26 on cybersecurity.

I am thankful for the time to speak on the responsibilities related to cybersecurity.