Bill C-26

We actually do continue to follow up with the entities. We continue to call them or work with them, and I don't want to leave anybody with the impression that there aren't relationships that exist. On the contrary, we have very great relationships with critical infrastructure, especially the energy sector, the telcos and the banks, where we meet with them regularly to talk about threats and to learn from each other about the threats they're facing. There are great relationships and governance bodies that exist to be able to work through understanding.

Having said that, though, we will continue to support and offer our support, but we can't force them. This is where, as I said in my opening remarks, Bill C-26 is really important in the four critical infrastructure sectors that have been identified as part of that bill, because they're really important to Canadians in the critical infrastructure space.

Okay. I apologize for the interruption.

When requested, we provide cyber-defence services and maintain an open line of communication to mitigate potential threats.

To detect malicious cyber-activity on government networks, systems and cloud infrastructure, the cyber centre uses autonomous sensors, including network-based sensors, cloud-based sensors and host-based sensors. These defences protect systems of importance from an average of 6.6 billion attempted malicious actions per day.

CSC continues to monitor Government of Canada networks and systems of importance for cyber-threats. We are working in close coordination with government partners, including relevant security agencies.

We deliver foreign intelligence-informed cyber-defence.

Finally, I would like to call members’ attention to the solutions available to them. Indeed, the Canadian Centre for Cyber Security offers parliamentarians a support service, in addition to holding regular information sessions for political parties on cyber-threats, as well as providing a dedicated point of contact at the centre for accessing cybersecurity support.

Since 2017, the CSE has established four unclassified reports on cyber-threats to Canada's democratic processes, and our “National Cyber Threat Assessment 2023-2024” highlights how online foreign influence activities have become a new normal, with adversaries seeking to influence elections and impact international discourse related to current events.

Since 2014, interdepartmentally, the CSE's cyber centre has worked closely with Elections Canada to ensure that our election systems and infrastructure remain secure. The CSE also continues to work as part of the security and intelligence threats to elections task force, SITE. Cyber-incidents such as ransomware, DDoS and supply chain compromises are becoming more frequent across all industry sectors, and these incidents are negatively impacting our prosperity, privacy and security. That's why Bill C-26 is so important. It would give the government new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada's critical infrastructure from cyber-threats.

Four sectors are subject to the mandatory cyber-incident reporting in Bill C-26: finance, energy, telecommunications and transportation. These were all prioritized due to their importance to both Canadians and other sectors. They are critical enablers. Bill C-26 will improve our ability to protect ourselves from both the threats we observe today and the threats we will face tomorrow.

The federal government intends to launch its updated national cybersecurity strategy, which will communicate Canada's long-term approach to addressing evolving threats in cyberspace. Central to the new strategy will be a shift in focus towards a whole-of-society approach to Canada's national cyber resilience, where public and private entities and all levels of government work in close partnership to defend against cyber-threats, including threats to our institutions. The government also recently announced the defence policy update, “Our North, Strong and Free”, which proposes a significant new investment in the CSE through budget 2024.

Finally, an important aspect of Canada's whole-of-society approach to our collective security includes practising good cyber hygiene, including safe social media practices, especially in those public roles. The cyber centre has released guidance on ways to protect yourself online. It also has cybersecurity resources for elections authorities, political campaigns and Canadian voters. I really encourage you to take a look at our website, getcybersafe.gc.ca. I would also encourage organizations that have been impacted by cyber-threats to contact the cyber centre, so that it can help share threat-related information with partners to help keep Canada and Canadians safe online.

Further, to make cyber-incident reporting easier for Canadians, the CSE is also working with its federal partners to establish a single-window solution for reporting cyber-incidents, with the ultimate goal being to ensure that Canadians can always find the help they need. This was a key recommendation this week from the Auditor General.

To conclude, the CSE and the cyber centre remain active in their collaboration with all partners, including the House of Commons, to improve Canada's cyber-resilience and protect our democratic institutions. We will continue to monitor any developing cyber-threats and share threat information with our partners and stakeholders, as always.

Once again, thank you for your invitation to appear before you today. We are pleased to be able to contribute to this important discussion and give you an overview of the way the Communications Security Establishment and the Canadian Centre for Cyber Security both work every day to protect Canadians and their democratic institutions.

Thank you for your attention.

Thank you for the question.

The Business Council represents approximately 170 of Canada's largest, most successful businesses, so I can't speak to the specifics of the challenges facing small and medium-sized businesses, but what I can say is that small and medium-sized businesses are very much a part of the supply chains of large businesses. Large businesses are quite concerned about the security posture of small businesses, because they can often be an indirect route to attack large businesses.

There needs to be much more done in this space in terms of government support, and Bill C-26 is one way to help in that regard. The private sector itself is also willing to step up and do more. For instance, our members are very much committed to working with their supply chains to build up their baseline resiliency, including through education, capacity building and relationship brokering, including working jointly with Canada's security and intelligence community, with agencies like CSIS, the CSE and the RCMP.

Thank you very much, Mr. Chair and distinguished committee members, for the opportunity to speak today on this important bill. It's a pleasure to be here.

Indeed, maybe I'll start by saying something that you probably don't all hear very often: Thank you very much. It was a real pleasure to see this bill proceed with the pace and with all of the work you're doing.

We're independent and non-partisan, so when I say this, I genuinely mean it. I know how hard you're working. We're sitting here in the evening, and everyone's working away to get this done, so thank you very much.

It's in that spirit that I plan to make three arguments.

Number one is that activities covered by the proposed foreign influence transparency and accountability act should extend to municipalities, and we need definitional clarity around who is a public office holder.

Number two, the registry and the commissioner should be in place before the next federal election.

Number three, the act should nest within a broader national security strategy.

Now, let me tell you what I mean by those things.

First, we need to extend this to municipalities, and we need definitional clarity. Now, in Canada, the preamble of a bill is an important tool for looking at its statutory interpretation. I don't want to put everyone to sleep by talking about the tools of that interpretation, but let me just say that the preamble provides an introductory statement that sets out the guiding principles, the values and the objectives of the legislation.

The preamble for the Foreign Influence and Transparency Accountability Act says:

Whereas efforts by foreign states or powers and their proxies to influence, in a non-transparent manner, political and governmental processes at all levels of government in Canada have systemic effects throughout the country and endanger democracy, sovereignty and core Canadian values;

I pause there to dwell on “all levels of government”, and just the impact of that.

Now we have to look at how it applies. The application of the act applies to:

(a) federal political or governmental processes;

(b) provincial or territorial political or governmental processes;

And, essentially, it applies to the governmental processes of indigenous groups and governments.

Now you have to look at the definitions. You go through them, and there's a definition of “public office holder”, but it's different in the Security of Information Act.

We're not covering municipalities here, and we have two different definitions in the same bill about what a public office holder is, so we're probably going to want to take a hard look at that.

If you contrast that with the Security of Information Act, what the bill says is that:

Every person commits an indictable offence who, at the direction of...or in association with, a foreign entity...engages in surreptitious or deceptive conduct...with the intent [to influence a political or governmental process, educational governance etc., etc., with a democratic right in Canada.]

It goes on to define a public office holder differently, and so now you have two pieces of legislation wrapped up in the same bill, effectively trying to do the same thing with different definitions of what a public office holder is.

I wonder why you wouldn't have concomitant obligations for registration. It's two sides of the same coin.

In my view, the SOIA provides the legal teeth to prosecute and punish covert foreign operations, while the FITAA—I don't know if that's what we're calling it, but I'll call it the FITAA—complements this by creating a preventive transparency regime aimed at exposing and deterring such activities through mandatory disclosure and public oversight.

It's a dual approach—deterrence and, hopefully, long-term preventative transparency.

Secondly, we must have the registry in place before the next federal election. You have to again go back to the purposes of the act, like we did at the beginning—“in Canada have systemic effects throughout the country and endanger democracy, sovereignty and core Canadian values”. It's not “might” have systemic effects; the bill says “have systemic effects”. It is a statement of fact.

If you were to meet that purpose, how can you not have it in place before the next federal election? It would be a little bit like bringing a birthday cake for a Saturday afternoon party on the following Tuesday. You will have missed it.

I watched the officials testifying. If it's too hard to do it all at once, just go with the federal government, the federal election. Roll it to provinces and municipalities separately and after. However, you have to get the birthday cake to the party.

Thirdly, it should nest within a broader national security architecture. The defence policy update said we're going to do a national security strategy every four years. The defence policy is going to be updated every four years. We have Bill C-26 that went through this committee, which I was happy to testify about. We have the CSE Act that's due for an update, a review, in 2022. The CSIS Act is now on a five-year review cycle. Bill C-34, on the Investment Canada Act....

This is all coming together. I think the point here is to look at all of the pieces of legislation and all of the various strategies—critical minerals, intellectual property, innovation, research, economic security. Look at them systematically, because adversarial states are looking at them systematically, believe me, and it requires a strategic approach.

As I said at the beginning of this, I've had the privilege of speaking with some of you before. I know how hard this committee works, and I know that you can do it, but I would just encourage you to think strategically and not just do the whack-a-mole thing on one piece of law.

Thank you very much, Mr. Chair.

The Telecommunications Act, as drafted currently, has a due diligence defence that applies broadly across the course of the act. Clause 10 of Bill C-26 would insert an exception that would essentially have it so that orders under Bill C-26 would not be subject to due diligence.

Rather than add amendments to insert due diligence back in, simply removing the exception in clause 10 would ensure that the due diligence defence that already exists in the telecom act would apply writ large. Just from a drafting standpoint, it avoids an exception and then a reinsertion of new language.