Bill C-26

Thank you, Mr. Chair.

Thank you, Ministers, for being with us this morning.

First, I want to talk to you about an article published in La Presse entitled “Quand Ottawa veut jouer au gérant d’estrade”. The article appeared in 2022, shortly after you tabled Bill C‑26. The bill was tabled some time ago—over eighteen months. One wonders if cyber security is indeed a priority for the Canadian government.

The article was written by Ms. Célia Pinto Moreira, a public policy analyst at the Montreal Economic Institute.

She begins her article as follows: “Imagine a referee at a Habs game approaching a player to explain how to shoot the puck into the net. He’d likely lose his job: it’s neither among his duties nor his field of expertise.”

She goes on to say that this is what Ottawa is doing with Bill C‑26. She says, “Instead of minding its own business, the federal government wants to interfere in the implementation of companies’ digital security plans.”

She adds, “In digital security, things move at breakneck speed. When a company discovers a flaw in its system, it knows full well that it has every incentive to fix it quickly; otherwise it exposes itself to significant legal, reputational and financial risks […]”

She goes on to say that the federal government is slow or inefficient, citing the passport saga.

We remember that saga. It’s been a while. Other examples include Phoenix, Canada Life, the border. I think the government has been slow and inefficient in those situations.

All in all, it seems likely that Canadian companies are currently well prepared. They already have to deal with cyber security incidents. It’s said that in 2021, Canadian companies invested over $10 billion to prepare for this type of breach. So they’re already doing the work.

In practical terms, what will Bill C‑26 change for Canadian companies?

Thank you very much, Minister.

Mr. Leblanc, the same question is for you.

I'm glad that you mentioned our Five Eyes partners. With the interconnectedness of our economy growing day by day, how important is it for Canada to do our part to advance our cybersecurity protection efforts, specifically with relation to Bill C-26?

Thank you very much, Mr. Chair.

I’d like to thank the witnesses for being here today.

Mr. Champagne, drawing on your experience, having worked with our economic partners around the world, including the U.S. and Europe, can you walk the Committee through the importance of passing C‑26 to protect not just our own businesses, but the businesses we work with every day under free trade?

Thank you.

We heard almost unanimously that this is an important bill, but this is also a poorly drafted bill. Business groups, civil liberties groups and cybersecurity firms are all united in the fact that Bill C-26 gives the government too much power with almost zero oversight. There's no requirement for regular reporting, no independent review and no requirements for production of written reports. In fact, most of the powers in this bill would be exercised in secret.

Do you think that the sweeping powers that you're attempting to give yourself have enough oversight mechanisms attached to them?

Thank you, Chair.

Thank you to the ministers and the officials for being here this morning.

We are definitely talking about a very serious issue here with cybersecurity and Bill C-26.

Minister LeBlanc, Public Safety Canada recognizes 10 critical infrastructure sectors, one of which is government. A recent NSICOP report noted that several departments and Crown corporations are not subject to Treasury Board policies related to cyber-defence or they apply those cyber-defence policies to their departments inconsistently. This leaves them vulnerable to cyber-attacks. In fact, just recently it was revealed that Global Affairs Canada was suffering from a massive data security breach.

Minister LeBlanc, why is your own government not adhering to the same cybersecurity standards as the designated operators listed in this bill whose confidential business and personal information you're planning to collect and store?

Thank you, Mr. Chair.

It is a great privilege to appear before you today. It’s been over eight years since I had the privilege of becoming a Member of Parliament and testifying before committees. This morning is particularly important, especially as I have the privilege of testifying with Minister LeBlanc. For the people watching us, Canadians from across the country, it demonstrates the significance of the issue.

We should first ask ourselves why we are here this morning. Minister LeBlanc outlined the reasons. People should be reassured to see Minister LeBlanc, and his department, working in concert with the Department of Industry on an issue that affects not only all Canadians, but Canadian businesses across the country.

The issue of cyber security affects our small and medium-sized enterprises, or SMEs, families, all institutions across the country and even internationally. I can tell you that in the various international forums I’ve attended, the issue of cybersecurity is of paramount importance, especially when you add in everything to do with quantum technologies and artificial intelligence. That’s why I’m proud to testify today with Minister LeBlanc, a great friend who also sees the importance of our two teams working hand in hand to accomplish this today.

As I was saying, I’m pleased to be able to discuss a legislative text of paramount importance with you, dear colleagues. People across the country expect us to respond quickly to a situation that is evolving just as quickly.

One of the most important things we can do as legislators is to protect our critical infrastructure across the country.

As Minister of Innovation, Science and Industry, I take a particular interest in securing Canada's telecommunications system. Telecommunications networks are vital to the safety, prosperity and well-being of Canadians. When you've seen disasters striking around the nation, citizens expect their telecom networks to work. That's why adding, as we would be doing in this law, the concept of security as an objective under the Telecommunications Act is so crucial. It's not only about cybersecurity, but it's about protecting Canadians in the times they need it most. That's why we are committed to protecting the telecommunications system that underpins much of our critical infrastructure in the country.

Take the emergence of new technologies, such as 5G, as one clear reason we need to redouble that focus. As you know, 5G is going to have a network that is far more decentralized. You're talking about the Internet of things, you're talking about connecting almost everything. The object will become intelligent and connected. If you think about the impact of cybersecurity you'll understand the size of the problem, and not only the emergency powers we need but also the duty to act we all have as parliamentarians.

The threats targeting these technologies and systems are increasing in number. I’m talking, among other things, about threats to our supply chains and cyber security threats from state and non-state actors, of course.

With these threats in mind, the government undertook a thorough review of 5G technology. In fact, I’d like to thank all the Ministry of Industry officials and the Ministry of Public Safety and Emergency Preparedness officials who are here today. They carried out extensive consultations with stakeholders across the country.

We carefully examined the issue from a technical and economic standpoint, as my colleague Minister LeBlanc said, as well as from a national security standpoint.

It is clear that while this technology will bring significant benefits, it will also introduce new security concerns that malicious actors could exploit, as 5G networks are more interconnected than ever. Therefore, threats will have a more significant impact on the safety and security of Canadians, including our critical infrastructures, than in previous network generations.

It is in light of this security examination that the Government of Canada found serious concerns about suppliers such as Huawei and ZTE. You will recall that in May 2022 we announced the intention to prohibit Canadian telecommunications service providers from using Huawei and ZTE products and services in their 5G and 4G networks.

Our statement specified that the proposed measures would be subject to consultation.

However, the risks associated with telecommunications go far beyond cybersecurity, as I was saying. We took action in May 2022, when we made this announcement.

Canadians watching will remember the famous Rogers outage in the summer of 2022, which probably impacted 12 million Canadians for a number of hours. With the after-effects of Hurricane Lee in Atlantic Canada in September 2023, my colleague, Minister LeBlanc, was really involved in restoring the services that people need.

I want colleagues to understand that this is not just about national security, but the role of the industry minister is to ensure resiliency. If you think about hurricanes, if you think about the network outage we had, in the case of Rogers we were successful in getting a voluntary undertaking in the memorandum we signed with them in September, but I think Canadians will be reassured that the minister would have legislative power to compel companies to do what's right.

We know that these risks are not something the market can solve on its own, that's why we need rules for industry, rules that protect Canadians, our networks, our businesses and our data.

Bill C‑26, which we are discussing today, is designed to address those risks and evolving threats. It will enable the government to act quickly, if necessary, to ensure network security.

In my opinion, the powers granted to the Minister of Industry would enable him to act quickly. In an emergency, temporary measures must be adopted, but it must be done quickly to prevent bigger problems across the entire network.

The second part of Bill C‑26 will also strengthen the protection of our critical cyber systems. I believe Minister LeBlanc was heavily involved in that portion.

Our telecommunication network is probably the backbone of infrastructure. I know people at home may think of infrastructure as bridges that we need to protect, they may think about nuclear power stations, but the telecom network, which is basically enabling everything else, is one of the key networks that we need to protect.

Mr. Chair, we want to make sure we get it right. As Minister LeBlanc said, that's why we listened carefully to the debates in the House of Commons and comments from stakeholders and colleagues, who are here because, when it comes to national security, that's not a partisan issue. That's why we are committed to making sure that we do that in the best possible way.

I am happy to see that there seems to be broad support for the bill and the objective of securing our telecom network.

We want to work constructively to get the best possible bill, but I must add that action is urgently needed. People who would like to inflict harm on Canada are obviously seeking potential loopholes in the system. So it’s urgent to provide the government with the powers it needs to do things right. That’s important.

I therefore eagerly await the passage of Bill C‑26 to better protect our critical infrastructures.

Mr. Chair, my colleague Minister LeBlanc and I will be pleased to answer our colleagues' questions.

Thank you.

I will with pleasure, Mr. Chair—with a lot of pleasure.

Thank you, Mr. Chair.

Thank you, colleagues, for inviting me to speak about Bill C‑26, which pertains to cyber security.

I am pleased to be here with my colleague François Philippe Champagne and the other officials kindly named by the Chair.

Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems. Canada's critical infrastructure plays a vital role in the delivery of essential services and the necessities of daily life. In order to safeguard our economic and national security, we need to take a more complete picture of the cybersecurity threats facing Canadians. We believe that Bill C-26 would be an important step in accomplishing that task.

This proposed legislation will protect Canadians and bolster cybersecurity across the federally regulated financial, telecommunications, energy and transportation sectors. These sectors are all critical contributors to both Canada's economy and the security of Canadians. Because of their vitality, they are also, obviously, attractive targets for malicious cyber-enabled activity, such as espionage, data and intellectual property theft, and of course sabotage itself.

These concerns are not just hypothetical. Recently the Canadian Centre for Cyber Security joined Five Eyes' operational partners in warning that People's Republic of China state-sponsored cyber-actors are seeking to pre-position themselves for disruptive or destructive cyber-attacks against the United States' critical infrastructure in the event of a major crisis or conflict with our neighbour to the south.

Cyber incidents are happening in our critical infrastructure sectors on almost a daily basis. In January 2023, CBC News reported that a territorial and Crown corporation, and the sole energy distributor in Nunavut, fell victim to a cyber-attack. In June of last year, the Calgary Herald reported that Canadian energy company Suncor suffered a serious cyber incident that shut down debit and credit processing at Petro-Canada gas stations across the country. We all remember the cyber incidents that paralyzed the Newfoundland and Labrador health care system in 2021.

Bill C-26 would help to defend our critical infrastructure and the essential services that Canadians and Canadian businesses rely on every day. This new act would increase collaboration and information sharing between industry and government and would require designated operators to report cybersecurity incidents to the Communications Security Establishment, which, as colleagues know, is an agency within the Department of National Defence.

By improving the government's awareness of the cyber-threat landscape in these critical, federally regulated sectors, we can warn operators of potential threats and vulnerabilities so they can take action to protect their systems and to protect Canadians as well.

However, the government can’t do it alone. That’s why we’re committed to working closely with our industry partners, through the formal regulatory process, to create a clear, consistent and harmonized regulatory regime across all provinces and territories.

We must and we will work alongside our allies, in particular the United States, to make sure that our interconnected critical infrastructure is protected.

This legislation is consistent with the cybersecurity approaches of our allies, and we have been engaging with international partners to identify opportunities for further collaboration. As recently as Tuesday of this week I participated in a Five Eyes ministerial call, during which Secretary Mayorkas, the U.S. Homeland Security secretary, raised many of the issues we're going to talk about this morning.

We found that stakeholders broadly support the intent of the bill and agree that we must work together to protect our critical infrastructure from cyber threats. However, some expressed concerns about certain aspects of the bill. We have, of course, listened carefully to the points raised by our colleagues in the House of Commons and others concerning transparency, accountability and the protection of Canadians’ privacy.

Fundamentally, this bill will help protect the privacy of Canadians’ personal information. Canada’s critical infrastructure systems, while secure, are not impenetrable. By requiring Canada’s critical infrastructure operators to maintain high levels of cyber security, we are also reducing the likelihood of personal data breaches on their systems.

I look forward to working with you, Mr. Chair, and Committee members, on all these issues. Of course, if the Committee deems it necessary, we are prepared to consider amendments that could strengthen the bill. In addition, we look forward to working with you to ensure that this bill is passed and that Canada remains a safe, competitive and connected country in a more secure environment.

Thank you.

I look forward to hearing what my colleague Mr. Champagne has to say—which is why I’m here this morning—and to answering questions from Committee members.

I call this meeting to order.

Welcome to meeting number 95 of the House of Commons Standing Committee on Public Safety and National Security.

Today's meeting is taking place in a hybrid format, pursuant to the Standing Orders. Members are attending in person in the room and remotely using the Zoom application.

I would like to make a few comments for the benefit of witnesses and members.

Please wait until I recognize you by name before speaking.

To prevent disruptive audio feedback incidents during our meeting, we kindly ask that all participants keep their earpieces away from any microphone. Audio feedback incidents can seriously injure interpreters and disrupt our proceedings.

As a reminder, all comments should be addressed through the chair.

Pursuant to the order of reference of Monday, March 27, 2023, the committee resumes its study of Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.

Appearing before us today are the Honourable Dominic LeBlanc, MP and Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs; and the Honourable François-Philippe Champagne, MP and Minister of Innovation, Science and Industry. Welcome.

Witnesses from the Department of Public Safety and Emergency Preparedness include Patrick Boucher, senior assistant deputy minister, national cyber security branch; Colin MacSween, director general, national cyber security directorate; and Kelly-Anne Gibson, acting director, national cyber security directorate.

Witnesses from the Department of Industry are Éric Dagenais, senior assistant deputy minister, spectrum and telecommunications sector; and Mark Schaan, senior assistant deputy minister, strategy and innovation policy sector.

Please note that the ministers will be with us for one hour and 30 minutes. The officials will stay for the rest of the meeting in order to answer questions from members.

Colleagues, we need about 10 to 15 minutes before the end of the meeting to deal with committee business items, such as budgets and the committee schedule.

Welcome to all.

I now invite Minister LeBlanc and Minister Champagne to make an opening statement of up to 10 minutes each.

Thank you.

Minister LeBlanc, will you start?

Thank you, Ms. Michaud.

We're right on schedule.

I appreciate the witnesses today.

Before asking for adjournment, I want to make people aware that our last meeting for Bill C-26 is Thursday. We're contemplating having the amendments in and ready for clause-by-clause when we come back, so that will be by Wednesday noon next week. I know there is some discretion, so we'll likely have further discussions on that on Thursday. That is the outline.

We're adjourned.

Thank you, Mr. Chair.

I have a fairly simple question. It's the same question that I've asked various stakeholders at other meetings.

Bill C‑26 sets out quite heavy financial penalties for organizations that fail to comply with decisions or demands imposed by the government. We don't know what these demands might be, because the power granted is quite broad.

I asked the stakeholders whether these penalties were excessive. Some said that, instead of imposing penalties, incentives should be introduced to encourage organizations to comply with the government's demands. Others said that the penalties should be maintained, but that incentives for organizations should still be implemented.

Mr. Smith or Mr. Ghiz, what do you think of the penalties targeting companies such as the ones represented by your association?

Thank you for that.

What you're saying is that there are some major difficulties with Bill C-26 that need to be responded to, that the bill itself needs to be considerably improved, and that there are a number of amendments that need to be considered for the bill to do what it purports to do but also to ensure that the protection of information and the transparency are there. Is that not true?

Thank you.

I'd like to move on to Professor Clement.

You signed on, along with a number of important organizations—the Canadian Civil Liberties Association, la Ligue des droits et libertés, the National Council of Canadian Muslims, OpenMedia, the Privacy & Access Council of Canada—pushing for a series of amendments, 16 recommendations that would help to, in the words of the briefing, “restrain ministerial powers”, “protect confidential personal & business information”, “maximize transparency”, “allow special advocates to protect the public interest”, and “enhance accountability for the Communications Security Establishment”. These are very valuable recommendations that you've brought forward to us, that the coalition has brought forward to us.

What are the most important ones, the ones that we need to be absolutely cognizant of in putting forward amendments to Bill C-26?

Okay. Thank you very much.

Ms. Mason, I have the same question for you. To what extent was the Canadian Bankers Association actually consulted on the drafting of Bill C-26?

Okay.

To what extent were you consulted around the drafting of Bill C-26?