Bill C-26

Madam Speaker, the member is right. When we get to committee, we can iron out some of the flaws that we have seen in Bill C-26. It is going to be important to focus on accountability and the member did not address that. That is where this bill can either succeed or fail. We need to ensure there is an accountability process for the government, so when it follows through with Bill C-26, we have a process and we can go back and say we need to tweak or change something because cybersecurity changes so fast.

Madam Speaker, we have been hearing details about the impact this bill could have. I would like to hear my colleague's thoughts on the following question. Why are we always in reaction mode?

In 2019, the Standing Committee on Access to Information, Privacy and Ethics was looking at how to separate information pertaining to social insurance numbers in order to protect citizens' privacy.

What message does this bill send? Yes, a structure exists. Yes, there are correspondents, organizations and individuals who will have more power and potential accountability, but what is behind all of this? Are the Liberals trying to clear their conscience for all the scandals of the past few years?

I would like to hear my colleague's thoughts on that.

Madam Speaker, I am not too sure what the specific scandals were, but this bill certainly opens the door for information sharing and, as was brought up, intelligence sharing, and, through accountability, we can cover those. We can actually be accountable in how we share information safely and we can protect the rights of Canadians.

Madam Speaker, I want to thank the hon. member for his speech today and for his many years in law enforcement. He certainly knows a lot about this file. Throughout the member's speech, the number one word he used, and we can check Hansard, was “accountability”, and also the frustration with the Liberal government on a lot of the bills that have been passed.

How does he feel on this particular bill on accountability?

Madam Speaker, in the last several months, we have seen accountability raise its head here in Parliament with Bill C-5, Bill C-75 and Bill C-11. Without accountability, it is as though the government does not actually care what we are doing because with a majority government, the NDP and Liberals can make decisions based on what they think is right and there is no accountability.

With Bill C-5, the evidence is not there. Bill C-21, taking legal guns from legal gun owners, is another non-evidence-based process. With Bill C-26, which we are talking about today, it is time that we start building in some processes for accountability so the government is actually accountable for what it is doing.

Madam Speaker, I am very pleased to be joining the debate today to offer some of my thoughts and perspective on Bill C-26, a much awaited bill on a cybersecurity infrastructure.

Bill C-26 is a good reminder to members that the Department of Public Safety and its subject matter is so much bigger than just firearms, because, of course, firearms and Bill C-21 have been dominating the news cycle for the last couple of months. That bill, in particular at the public safety committee, has occupied so much time and wasted so many resources. Bill C-26 is a good reminder that with cybersecurity we have so many other agencies that are dedicated to national security under the umbrella of public safety. Cybersecurity is a big subject matter. We also have Bill C-20, which is an important bill on oversight and accountability for both the CBSA and RCMP.

Today, we would not find many members in the House of Commons who are arguing against the need for better cybersecurity. All of the evidence out there points to this being a new and evolving threat. Artificial intelligence systems offer some interesting advantages, but with those advantages come threats and with those threats come actors who are determined to use them in nefarious ways that will harm and have harmed Canada's interests. We need a whole host of options to counter this threat. We need our national security agencies to take these threats with increased importance. We also need legislation to fill in the gaps and make sure that all of Canada's laws are up to date.

I have spent a lot of time on the public safety committee. We did a couple of reports that directly touched on this area. One of our first reports identified violent extremism. Our most recent study looked at the threat posed by Russia. We know that since Russia conducted its invasion of Ukraine, which has recently passed the one-year anniversary, it has also increased the threats that it offers to Canada and to like-minded countries. One of those areas is cybersecurity.

Our committee has not yet tabled its report, which should be tabled in the House of Commons soon so that members of the House and the public can not only see the results of the deliberations, but also see the important recommendations that the committee is going to make. However, we heard a lot of testimony during those committee hearings on the cyber-related threats from Russia. Many witnesses identified that those are among the most serious and relevant for Canada's public safety and national security, particularly in relation to critical infrastructure.

I want to set this table before I get into the nuts and bolts of what Bill C-26 is offering, but also set some of the problems that are in evidence with this first version of the bill.

We have to understand a few basic terms. The Government of Canada refers to critical infrastructure as the “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government”, whether that is the federal government, the provincial governments or our municipal governments. Because so many of those pieces of critical infrastructure are now tied into computer systems that are vulnerable to attack, a bill like this becomes quite necessary.

I could go on and on about all of the critical systems in our modern society and the range of sectors, from our energy production to our food distribution systems to our electricity grid and transportation networks and how our ports and our banking system work. If one were to interrupt any one of those services, it could create absolute havoc within any Canadian community or countrywide.

One of the witnesses we had during our public safety meetings on the topic of the threats posed from Russia, and this was just talking about the cyber-threat more broadly, was Jennifer Quaid, Executive Director of the Canadian Cyber Threat Exchange. She reminded our committee that there are nation-states that are conducting espionage and statecraft through the Internet, but there are also criminals who are engaging in cybercrime for financial gain.

In some cases, those criminal groups and the nation-states are working together. There is evidence of this not only in Russia but in places like North Korea and China, where it is almost like the policy that was in place back in the 1700s and 1600s, where privateers would go out and do a nation-state's bidding. In this modern-day version of that policy, there are criminal organizations that are working hand in glove with some nation-states to give them some plausible deniability, but the systems they are using do pose a very real threat to Canada.

One of our key witnesses during the study was Caroline Xavier, Chief of the Communications Security Establishment. She was not able to go into much detail or specifics, given the very sensitive nature of the topic, but she was able to assure the committee that cybercrime is absolutely the most prevalent and most pervasive threat to Canadians and Canadian businesses. She observed that the state-sponsored cyber programs of China, North Korea, Iran and Russia posed the greatest strategic threat to Canada, and that foreign cyber-threat activities have included attempts to target Canadian critical infrastructure operators, as well as their operational and information technology.

Leaving aside the government, it is important for members to realize that most of Canada's critical infrastructure is, by and large, in the hands of the private sector. This is going to underline some of the important elements of Bill C-26.

We also had testimony from David Shipley, Chief Executive Officer of Beauceron Security. He was relaying the same stuff about Russian criminal organizations working in tandem with the government, and saying that criminal gangs have crippled Canadian municipalities. They have gone after health care organizations. The range of malicious cyber-activity has absolutely extended to many small and medium-sized enterprises.

When we look at the reporting requirements of Bill C-26, one of the biggest gaps that we have in our system is the fact that many businesses, private enterprises, are loath to report the fact that their systems have experienced a cyber-attack. They may be threatened to not do so. There is also a very real concern about the institutional harm that could come from the public release of said information. A large corporation that relays to its customers that it has experienced a cyber-attack may find people are loath to do business with it if they are unsure that its systems are up to par.

I also want to highlight a recent example from 2021, where the Government of Newfoundland and Labrador experienced a health records cyber-attack on October 30. The investigation revealed that over 200,000 files were taken that contained confidential patient information.

One can just imagine that in a province the size of Newfoundland and Labrador the fact that over 200,000 files were taken, that is a shocking theft of personal and confidential information. It really underlines just how important addressing this is.

I also want to touch briefly on the topic of artificial intelligence. I want to read a quote from a recent Hill Times article. This is from Jérémie Harris who is one of the co-founders of Gladstone AI, which is an artificial intelligence safety committee. He says:

But perhaps more concerning are the national security implications of these impressive capabilities. ChatGPT has been used to generate highly effective and unprecedented forms of malware, and the technology behind it can be used to power hyperscaled election interference operations and phishing attacks. These applications—and countless other, equally concerning ones also enabled by new advances in AI—would have been the stuff of science fiction just two years ago.

He goes on to say:

...ChatGPT is a harbinger of an era in which AI will be the single most important source of public safety risk facing Canada. As AI advances at a breakneck pace, the destructive footprint of malicious actors who use it will increase just as fast. Likewise, AI accidents—now widely viewed by AI safety specialists as a source of global catastrophic risk—will take more significant and exotic forms.

Something all members of the House really have to be aware of is how, just in the last two years, AI has advanced so quickly. We can think about what AI will be capable of two years or a decade from now. Just as Mr. Harris said, what it is doing right now was inconceivable just two years ago. The fact that AI is now being used to generate unique code for malware indicates there is no telling what it can be used to do and how it could be used to wreak havoc. That underlies just how important this issue is and how seriously we, as parliamentarians, have to take it as we serve our constituents and do the important work of equipping our nation with the tools it needs to keep Canadians, and the critical infrastructure they depend upon, safe.

When I was a member of the public safety committee, I had a chance to speak with Mr. Harris. I actually put a motion on notice that the committee should be undertaking a study on the range of threats posed to Canada's public safety, national security and critical infrastructure, specifically by AI systems. I hope one day the committee can take that study up, but it is a committee with a very heavy workload. It is still trying to find its way through Bill C-21. It is waiting for Bill C-20 to arrive on its door and, of course, this bill, Bill C-26, would also keep committee members quite busy.

I would like now to turn to the specifics of Bill C-26 and what it is attempting to do. It is separated into two main parts. According to the summary of the bill:

Part 1 amends the Telecommunications Act to add the promotion of the security of the Canadian telecommunications system as an objective of the Canadian telecommunications policy and to authorize the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.

There are a number of orders that the Minister of Industry could issue. For example, he or she could prohibit a TSP from using any specified product or service in its networks or facilities; direct a TSP to remove a specified product from its networks or facilities; impose conditions on a TSP’s use of any product or service; subject a TSP’s networks or facilities, as well as its procurement plans for those networks or facilities, to a specified review process. Those are just a few examples of how the minister's orders could be issued. The bill does require the Governor in Council or the Minister of Industry to publish these orders in the Canada Gazette, but there is an allowance in the bill to allow these provisions to be prohibited, so the government can prevent the disclosure of these orders within the Gazette if they feel they need to be kept secret.

Part 2 would enact a brand new statute of Canada, a critical cyber systems protection act, which would “provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety”. In schedule 1 of the government's bill there is a brief list. Vital systems and services can include telecommunication services, interprovincial or international pipelines and power line systems, and nuclear energy systems. Those are a few examples. A really important point is that the Governor in Council, through this bill, would be able to establish classes of operators and require designated operators to establish and implement cybersecurity programs.

This is where the bill would affect the private sector and make sure those cybersecurity programs are in place, especially when that private sector is involved in critical infrastructure. As a brief outline, with those cybersecurity programs, the expected outcomes would be that they could identify and manage any cyber-risk to the organization, including supply chain risks; prevent their critical cyber systems from being compromised; detect cybersecurity incidents; and limit the damage in the event a cybersecurity incident did occur.

I want to talk about concerns with the bill, because there are a lot of concerns. I have had the chance to speak with a number of organizations, but first and foremost was OpenMedia. I had a great conversation with the people there. There is a section on its website that specifically deals with Bill C-26. OpenMedia absolutely realizes that new cybersecurity protections are needed to protect Canada's infrastructure, but it believes they have to be balanced by appropriate safeguards, and this is to prevent their abuse and misuse.

We rely on these essential services, and their protection is important, but Bill C-26, as it is currently written, would give the executive branch huge sweeping powers. In my reading of the bill, there would not be enough accountability and oversight; there would not be enough review mechanisms for Parliament to check the power of the executive, and I think this is a critical point. I think, in principle, we have a good idea with the bill, but a lot of work will be needed at committee to ensure that this executive power would be checked and that it would fit within the parameters of the law. We absolutely must have that kind of parliamentary oversight.

I also know of the Canadian Civil Liberties Association, which said:

The problems with the Bill lie in the fact that the new and discretionary powers introduced by C-26 are largely unconstrained by safeguards to ensure those powers are used, when necessary, in ways that are proportionate, with due consideration for privacy and other rights. The lack of provisions around accountability and transparency make it all more troubling still.

I think, at this stage, we want to ensure, with the minister's powers to order or direct service providers, and the requirement to comply with these orders, that these powers are being subjected to the appropriate safeguard mechanisms. They are quite broad, as currently written.

In conclusion, I want to see a bill that protects vulnerable groups from cyber-attacks. So many Canadians rely on these critical systems, and we know so many have been targeted and are being targeted as we speak, and we know these dangers are going to multiply and get worse the longer we go on. We want to make sure they are protected, but we want to make sure that we do not have broad unchecked ministerial powers with no public oversight. That is the balance that must be achieved.

I must express, in my closing minute, my personal frustration with how the Liberals draft their bills. The idea behind Bill C-26 is a good one, but the problem with how the Liberals drafted the bill is that it would give huge sweeping amount of power to the executive branch. I just wish they would have had the foresight to understand that, of course, these provisions would be met with opposition. It seems the Liberals are putting the work on committee members to fix the bill for them, rather than having had the foresight and intuition to understand that these are problematic elements of the bill.

I think a lot more work could have been done on the government's side to have presented a better first draft. I guess we have what we have to work with, but a lot of work is going to be needed to be done at committee, and I look forward to seeing members do that work.

I also look forward to voting for the bill at second reading and sending it to committee. I welcome any questions or comments from my colleagues.

Madam Speaker, Bill C-26 would assist in empowering our laws and legislators to ensure there is a higher sense of Canadian confidence in the digital world, given the importance of the critical systems that are at work. Whether they are in health care services or consumer purchases, we have witnessed a great deal of advancement over the last number of years in cyberspace.

I am wondering if the member could provide his thoughts on why it is so important that legislation is brought forward to support Canadian confidence and protect privacy at the same time, and deal with the issue of the security of our Internet.

Madam Speaker, it is quite clear that legislative gaps exist. Many of my remarks were focused on detailing the threat landscape out there.

The good people who work at CSIS, CSE and Public Safety Canada are dedicated professionals who treat this threat very seriously. Every day they go to work, they are determined to keep Canadians safe. The problem lies in the fact that so much of our critical infrastructure, those systems that our society relies on every single day, lies in the private realm. We want to ensure that the government is there as a partner to help them beef up their cyber systems so that, if any one of them is attacked, we can pool resources, address the threat and also learn from it to prevent ones in the future.

There is a need there, but again the crux of my comments is that we have a good idea in this bill. There is a need. It is just the details and specifics that need to be hammered out.

Madam Speaker, I am going to build a little on the last question to the member. I know he sat on the public safety committee for a while. From his viewpoint, what does he think is the greatest cyber-threat to Canadians?

I would ask him to speak again to why getting this legislation right is so important, but I am interested in his take on what he perceives to be the greatest cyber-threat to Canadians.

Madam Speaker, in my opinion, based on what I have heard, it is artificial intelligence and its capabilities in the hands of nefarious actors.

We heard from Caroline Xavier, the chief of the Communications Security Establishment, at committee. She identified China, Russia, Iran and North Korea as countries that are actively trying to undermine Canada's national security. If we combine that with what Mr. Jérémie Harris has identified as what AI is capable of now and what it could be capable of, I am very concerned that those countries that are actively trying to undermine Canada's national security interests will use this emerging technology to construct malware, the likes of which we have never seen.

That is why a bill such as Bill C-26 is important, but it is important that we get it right. We absolutely must make sure that our critical systems are beefed up and secured against not only those particular nation states, but also others that are actively trying to undermine our interests.

Madam Speaker, I heard loud and clear what the bill is missing. It lacks teeth and, of course, accountability mechanisms.

I heard my colleague opposite talk about the purpose of this bill, which could restore some degree of public trust. It is safe to say that trust is being undermined at the moment. My colleague is concerned not only about the fact that people's safety must not be compromised, but also about the impact on democracy and the need to ensure that it is not undermined.

Does my colleague agree that this bill has been crafted well enough to deal with the serious problems we are facing in terms of cyber-attacks and interference in our elections?

Madam Speaker, the hon. member has a point. I would identify the system that deals with our democratic process, including all of the actors involved, as being a critical system. It is probably the most critical system. However, while I do acknowledge there are definitely state actors who are trying to undermine our system, they are trying to undermine democratic systems all over the world. We see evidence of that.

I have a lot of confidence in the public servants who work at Elections Canada and who work for the office of the Commissioner of Canada Elections. They are doing their utmost to protect the sanctity of our democratic system. That being said, we cannot rest on our laurels, and it is up to us, as parliamentarians, to acknowledge these evolving threats and to equip our dedicated public servants with the tools they need to counteract these threats actively.

I would agree with the member's saying that these threats are real. They do need to be acknowledged. We owe it to ourselves to get Bill C-26 right so our public servants have the tools to counteract those threats.

Uqaqtittiji, given that there are concerns about our privacy rights being infringed upon and that Bill C-26 is not doing enough to protect our privacy rights, I would like to hear what the member thinks needs to happen to make sure this bill is improved.

Madam Speaker, a 20-minute speech does not give a lot of time to go over the multitude of concerns with Bill C-26. Yes, there are a lot of privacy concerns with this bill. We have had those concerns outlined not only by the Canadian Civil Liberties Association, but also by OpenMedia.

The way we allay those concerns is that we empower committee members on the public safety committee to give this bill a thorough going-over, and to make sure those expert witnesses are brought forward so they can identify the specific clauses of this bill that are problematic. We need to give members of the committee enough time to draft the amendments.

What I ultimately want to see when this bill is reported back to the House is an acknowledgement that there is a very real threat; that the bill would empower the government to counteract that threat; and that the bill would also provide a very important layer of parliamentary oversight and accountability, which I think should include some of our dedicated public servants, like the Privacy Commissioner and others.