Bill C-26

Madam Speaker, my hon. colleague and I are part of the class of 2019.

That is why a bill works its way through the House. Hopefully this is something that could be discussed at the committee phase, once it has passed through.

It also speaks to the important role of the official opposition in questioning these kinds of powers and holding the government to account. Certainly, I think we are open to these discussions continuing. Any way we can strengthen the bill is a win for Canadians.

Madam Speaker, I have a bit of a technical question for my hon. colleague. We are wondering how such legislation would apply, for example, to Hydro-Québec, the public utility in Quebec that generates electricity, since the legislation designates interprovincial power lines as a vital service and a vital system.

Does my hon. colleague have any idea what this could mean for Hydro-Québec, a public utility?

Madam Speaker, I do not have a technical response for the very technical question that the member asked. We have to consider the importance of protecting our electrical grids. New Brunswick relies heavily on our partners in Quebec, so it would certainly have implications for my constituents.

These are questions that we need to ask and hopefully consider during the committee stage, and hear testimony from witnesses that would be able to address those concerns.

Madam Speaker, I am pleased to hear from my Liberal colleague that the Liberals are open to much-needed amendments to this bill to increase the oversight, transparency and accountability on the executive branch.

I just want to read a quote from Jérémie Harris, who is the co-founder of Gladstone AI. He said, “ChatGPT is a harbinger of an era in which AI will be the single most important source of public safety risk facing Canada. As AI advances at a breakneck pace, the destructive footprint of malicious actors who use it will increase just as fast.”

Does my hon. colleague have any comments on how fast this technology is advancing, and how important it is that we equip all of our agencies to keep those vital systems safe?

Madam Speaker, I have a lot of concerns about how fast technologies are developing, particularly around artificial intelligence and facial recognition technology. All these moving pieces have incredible implications, especially for vulnerable people in our communities. It deserves a hard look by all members of the House, particularly in the committee that would be studying this legislation, but I think beyond that as well.

We are in a new, unpredictable time. I mentioned, in my speech, a lot about geopolitical factors and a lot of threats that are coming in. We do not know what we do not know at this point, and I think that causes a lot of fear. This is a conversation that is long overdue, and I thank the member for allowing me the opportunity to enter into that space. I really hope we have more fulsome discussions around those aspects in particular.

Madam Speaker, I would be interested in the hon. member's thoughts on how we protect rights without going down the rights rabbit hole that leads to paralysis with respect to a space that is going so fast that very few of us can actually comprehend how fast it is moving.

Madam Speaker, it speaks to the concept that we need to modernize a lot of our legislation. We need to modernize a lot of our approaches and processes. As I said about not knowing what we do not know, things are happening so fast at this point that we need to protect those who are most vulnerable. We need to protect the generations to come.

There are a lot of unknowns right now, and legislation like this allows us to bring in those experts, have those conversations and ensure we are getting ahead of these things and being proactive.

Madam Speaker, it is an honour to speak today in the House on Bill C-26, an act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other acts.

With every passing year, Canadians are increasingly moving their lives online. They communicate with loved ones through email, messaging, photo sharing, video calls and more. They can order their entire grocery orders, rent cars for the weekend and book appointments with a click in an app.

As more and more Canadians choose to put more of their lives online, it falls to us, as members of Parliament, to ensure our cybersecurity laws are as protective of their personal and private information as possible.

The next generation of Canadians are increasingly building their professional and personal lives online. At the same time, they face mounting threats from foreign actors, ranging from scammers to state actors. These actors have shown they would use any tactic, from identity theft to cyber-attacks, to exploit Canadians and attack our institutions.

That is why the legislation we have before us today is essential, and why getting it right the first time is even more important. In particular, it must protect our online information while not crushing our small business start-ups under mountains of red tape.

On this side of the House, my Conservative colleagues and I believe that, as currently constructed, Bill C-26 fails to account for the welfare of small business start-ups by adding more red tape and placing burdensome costs on our homegrown technology sector. As constructed, this bill would directly affect start-ups by adding further bureaucracy that would drive up their starting costs. It would overburden with regulation the small telecommunications providers, the companies that provide our families and businesses with access to a global market online.

Wrapping them in red tape could risk our access to competing on the world stage. The Liberal government has already made it hard enough for start-ups, and the Liberal record on small business has been one committed to mazes of bureaucracy, punitive fines and penalties, and rising inflation. A Liberal economy of high tax and wasteful spending has already made it hard enough for start-ups.

Through the overarching premise of this cybersecurity bill, we know that it is needed. We absolutely need to update our cybersecurity laws, while at the same time we cannot allow Bill C-26 to add unnecessary burdens to business, especially small businesses.

I am particularly concerned about how this bill's regulations would also apply to businesses “irrespective of their cyber security maturity”, implying that providers who already have advanced electronic protection measures would still have to comply with the new regulations of the bill. This means that businesses could not continue using their current, possibly more robust, cybersecurity systems. Instead, they would have to disregard their current cybersecurity measures and replace them with the newly proposed government model.

Even Canadian businesses that have already worked hard to protect their customer security at accepted global standards would still incur more cost despite their robust electronic security measures. They would need to invest in government-regulated security measures, incurring costs such as inspection, extra time, installation and further training. They may have to completely overturn their superior standards for the government's preference.

The thing is, we do not know what the regulations would be or how they would affect businesses, because the actual regulations have not been developed. That is how the government does a lot of its bills. There are great titles, with few details. We are expected to just trust the Liberals to figure it all out later, behind closed doors, with no opportunity to study them at committee with expert witnesses.

Imagine if this regulatory framework were applied to any other business. Suppose we were regulating changes in the banking security industry. We would require that every Canadian bank and credit union tear its building down to the ground, brick by brick, and then rebuild itself from scratch. That really does not make sense.

Now is the time when we should be encouraging competition and bringing in more telecommunications companies. We know Canada has some of the highest telecommunications costs in the world. As more and more Canadians move their lives online, whether for banking, social media or work, adding more tape in this bill, as mentioned, would make this transition far more difficult. Costs never remain in the businesses' ledgers forever; they are inevitably always passed on to the consumer.

As a government, we should encourage the next generation of Canadian entrepreneurs who are innovating.

I will mention, as a sidebar, that I was formerly on the industry committee and we did a quantum computing study, which was, frankly, terrifying. It was about how Canada could be exposed to bad actors, which could affect every part of our online lives. As these technological advances develop, we have to be aware of risks and be able to stay ahead of technology.

These enterprises, businesses and telecommunications providers do not need more red tape; they need a stable market without uncompetitive government interference. We know very well how easy it can be for the government to build regulations that only the largest providers of an industry can shoulder. Without attention to scale, a single fault of noncompliance could instantly wipe out a smaller company. The legislation would allow ministers and bureaucrats to levy fines as high as $15 million without special consideration, such as the size of a company's user base.

Nonspecific details like that are music to the ears of our largest telecommunications providers. Monopolization of our telecommunications sector is something Canadians are already concerned about. We must always proceed cautiously, so as not to turn away innovation and new businesses entering the market, which creates healthy competition. For example, these fines could also be enacted under the vague term of “protecting a critical cyber system”. This vague terminology can leave a lot of leeway for government ministers to injure Canadian businesses with rampant fines.

There is already a shortage of online and electronic security professionals in Canada. According to the Business Council of Canada, an estimated 25,000 personnel are needed in the cybersecurity industry. Instead of dissuading these crucial professionals from joining this industry and helping keep Canada safe from domestic and foreign cyber-threats, let us provide a better framework and encourage them to build new businesses in this essential industry. Let us not scare them off with red tape and penalties.

As members can see, the legislation proposed for Bill C-26 has some significant concerns that require amendments at committee. Regulations being made with a lack of transparency behind closed doors, after the bill passes, is a concern. Conservatives will be looking to make amendments to the bill at committee as we hear from experts.

As I mentioned earlier, my Conservative colleagues and I encourage and support new, updated and secure cybersecurity measures being put in place, especially as more and more Canadians move their lives online. However, by placing more and more red tape on small and start-up businesses and providers that have already been in the industry for years, the bill would effectively dissuade businesses from entering this market and providing more services for Canadians. Large and mature businesses can handle the related costs of Bill C-26, but the associated expenses could crush small businesses.

I have worked, for much of my career, around various regulated industries and have seen, all too often, red tape and regulations making it too hard for small businesses to even start or to stay afloat without being acquired by larger firms, as small companies just cannot keep up with the regulatory compliance.

Cybersecurity threats affect all our communities. In January, an international ransomware group claimed responsibility for an Okanagan College cyber-attack in my region. Let us keep Canada safe by building clear online security measures that would encourage start-up professionals and businesses to help build up our cybersecurity infrastructure to a world-class standard. We will not accomplish this goal if we continue to add burdensome fines, penalties and red tape.

Madam Speaker, I certainly hear my hon. colleague's support for small businesses and the concerns she is raising, but I come at this from a different standpoint where I feel there are protections here for small businesses. The bill is designed to protect them from unnecessary losses when they happen to be attacked or be subjected to ransomware.

Is there a balance here, where this is also about supporting them by preventing those losses?

Madam Speaker, I think a part of the piece of legislation is that we really do not have the details, and that is part of the concern, so I am hoping that, if it goes forward to committee, some of that could be worked out, because that is part of the concern right now.

We have the topic and we know what the overarching desire is and what the fines may be, but we do not actually know what all of the regulations would be, and that does raise a lot of concerns, especially for small businesses that do not really know at this point what the bill would mean for them. Hopefully that will come out at committee and there will be more information added, potentially as amendments to the bill.

Madam Speaker, I appreciate my colleague's comments, particularly about not wanting to add more bureaucracy and more red tape to small and medium-sized enterprises, especially small start-ups. I am looking at a study from the public safety committee about Canada's security posture in relation to Russia. I will just read one of the committee's recommendations. Recommendation number 4 states:

That the Government of Canada instruct the Communications Security Establishment to broaden the tools used to educate small- and medium-sized enterprises about the need to adopt cyber security standards.

Therefore, it is about making education tools available versus adding more red tape. I would like my colleague's comments on that.

Madam Speaker, I appreciate the great question from my colleague. That is a great recommendation, and I will just give a very specific example. One of the roles that I have had in my career was the privilege of being on the board of one of the largest credit unions in Canada for 10 years. We underwent extensive training and cybersecurity was one of the topics that we had to do.

I was able to take some of that training and bring it into my small business that I had at the time. I remember thinking that I wished a lot of other small business owners could be going through the extensive training that I just went through. That is a great approach and something that we should definitely work on.

Madam Speaker, clause 13 of Bill C-26 essentially allows the government to take new measures to protect critical cyber systems by order in council. That gives it a lot of flexibility. There is more flexibility there than in the legislative process.

Does my colleague think that the bill should be amended in committee so that we can be certain the government will be accountable to Parliament?

Madam Speaker, that is certainly something committee members could ask the expert witnesses when they are there at committee. Maybe they could delve into that more to see what those issues are and what the opportunities might potentially be for amendments. That is one of the things that could be looked at in the committee. Certainly the committee members there could ask those questions for the witnesses.