SECD - Standing Committee

National Security, Defence and Veterans Affairs


THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS

EVIDENCE


OTTAWA, Monday, October 28, 2024

The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4:01 p.m. [ET] to study Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

Senator Tony Dean (Chair) in the chair.

[English]

The Chair: Honourable senators, before we begin, I would ask all senators and other in-person participants to consult the cards on the table for guidelines to prevent audio feedback incidents. Thank you for your cooperation.

Welcome to this meeting of the Standing Senate Committee on National Security, Defence and Veterans Affairs. I am Tony Dean, a senator from Ontario and chair of the committee. I am joined today by my fellow colleagues, who will introduce themselves beginning with our deputy chair.

[Translation]

Senator Dagenais: Jean-Guy Dagenais from Quebec.

[English]

Senator Richards: Dave Richards, New Brunswick.

Senator Patterson: Rebecca Patterson, Ontario.

Senator Fridhandler: Daryl Fridhandler, Alberta.

Senator M. Deacon: Marty Deacon, Ontario. Welcome.

Senator Gold: Marc Gold, Quebec.

Senator Dasko: Donna Dasko, a senator from Ontario and a member of this committee.

Senator Duncan: Pat Duncan, senator for the Yukon.

Senator Kutcher: Stan Kutcher, Nova Scotia.

Senator McNair: John McNair, New Brunswick.

Senator Boehm: Peter Boehm, Ontario.

Senator Yussuff: Hassan Yussuff, Ontario.

[Translation]

Senator Carignan: Claude Carignan from Quebec.

[English]

Senator Batters: Denise Batters, Saskatchewan.

The Chair: Thank you. We have a full house today. Ericka Paajanen is the clerk of the committee. To my right are our Library of Parliament analysts Anne-Marie Therrien-Tremblay and Ariel Shapiro.

Today, colleagues, we begin our consideration of Bill C‑26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

To kick off this work, I am pleased to welcome back the Honourable Dominic LeBlanc, Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs; and the Honourable François-Philippe Champagne, Minister of Innovation, Science and Industry.

The ministers are accompanied today by the following officials from Public Safety Canada: Patrick Boucher, Senior Assistant Deputy Minister, National and Cyber Security Branch; Colin MacSween, Director General, National and Cyber Security Branch; and Kelly-Anne Gibson, Acting Director, National and Cyber Security Branch. From Innovation, Science and Economic Development Canada’s Spectrum and Telecommunications Sector, we have Martin Proulx, Director General; Wen Kwan, Senior Director; David Gibson, Director; and from the Strategy and Innovation Policy Sector, Andre Arbour, Director General.

Thank you for joining us today. We now ask you to provide your opening remarks, beginning with Minister LeBlanc. It is good to see you again. Whenever you are ready.

The Honourable Dominic LeBlanc, P.C., M.P., Minister of Public Safety, Democratic Institutions and Intergovernmental Affairs: Mr. Chair, I am always ready, and I am always happy to be here. Thank you, sir, to you and your colleagues for this opportunity as well.

Cyber-threats have grown more complex and sophisticated, and they are being undertaken by state and non-state actors alike. Bill C-26 — which you, Mr. Chair, properly noted, is before this committee — will protect Canadians and bolster cybersecurity across the federally regulated financial, telecommunications, energy and transportation sectors. Those are the big ones that we collectively think of when we speak about federally regulated sectors of the economy.

The Communications Security Establishment Canada, or CSE, has said cybercrime is now the most prevalent and pervasive threat to Canadians and Canadian businesses. The CSE’s Canadian Centre for Cyber Security has warned us of the many risks, with ransomware at the top of the list. We’ve already seen the damage that such a cyberincident can cause when a U.S. energy company was the target of a ransomware attack, for example, in May 2021. A Russian criminal group extorted $4.3 million after they disrupted the largest fuel line in the United States. This incident was so significant that it led to President Biden calling a national state of emergency.

[Translation]

Over the past two years, we have noted a significant increase in this type of cyber-attack in Canada.

Last year, the Communications Security Establishment, or CSE, stated that a cyber-threat actor “had the potential to cause physical damage to Canadian critical infrastructure”. Thankfully, there was no physical damage to Canadian infrastructure, but as the CSE’s Canadian Centre for Cyber Security stated, “the threat is real”. We shouldn’t fool ourselves.

In June of last year, the Calgary Herald reported that Canadian energy company Suncor suffered a serious cyber‑incident that shut down debit and credit processing at Petro‑Canada gas stations across the country.

Last March, the City of Hamilton was the latest victim of a ransomware attack that interrupted a number of its online services. These are but a few examples of the recent attacks clearly showing that Canada must act immediately.

This bill would allow the government to take security measures and prohibit Canadian telecommunications service providers from using products and services from high-risk suppliers.

[English]

Additionally, this act will increase information sharing between industry and government by requiring designated critical infrastructure operators to report cybersecurity incidents to the CSE’s Cyber Centre. Mandating the sharing of essential information will improve the government’s awareness of the cyber-threat landscape across the country. When the government has a clearer picture of the threat facing critical infrastructure providers, we can warn operators of potential threats and vulnerabilities. Bill C-26 will make one organization’s detection another’s prevention. Further, designated operators of vital services and systems would be obligated to implement cybersecurity programs, mitigate supply chain and third-party risks, and comply with cybersecurity directions.

The House Standing Committee on Public Safety and National Security, as members of this committee will know, made a number of notable amendments related to reasonableness, oversight and privacy protection. The committee amended the bill in the House to add reasonableness standards for the issuing of ministerial orders and cybersecurity directions; implement robust review provisions to ensure the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency have the ability to review the government’s orders and directions; and references, as colleagues would know, were explicitly made to the Privacy Act and the government’s obligation, of course, to respect that legislation.

[Translation]

Dear colleagues, we believe this bill has great merit. It was passed unanimously in the House of Commons. To conclude, the bill is in line with legislation established by our Five Eyes partners.

[English]

It’s a much better acronym in English — Five Eyes. When the ministers meet, there are actually 10 eyes in the room. I pointed that out at my first meeting. Secretary Mayorkas still makes that joke.

[Translation]

The bill will protect Canadians, private sector firms and the cyber-systems Canadians rely on each day. Thank you very much.

[English]

The Chair: Thank you, Minister LeBlanc.

Colleagues, we will hear next from Minister Champagne. Whenever you are ready.

[Translation]

The Honourable François-Philippe Champagne, P.C., M.P., Minister of Innovation, Science and Industry: Thank you, Mr. Chair. Thank you, colleagues. I believe this is the first time I have appeared before this Senate committee. Thank you for your welcome and for inviting me to appear and discuss Bill C-26, a bill of paramount importance for Canada’s security.

The fact that I am here today with my friend and colleague the Honourable Minister of Public Safety shows the intersectionality between telecommunications and public safety in the 21st century.

More specifically, I would like to speak to you about Part I of the bill, which will amend the Telecommunications Act to better secure our telecommunications networks.

[English]

Canadians increasingly rely on the internet and wireless services in their day-to-day lives. Anyone who has kids or who operates a business in this country will know this to be true. From financial transactions and e-commerce to education, health care and emergency services, such as 9-1-1, these critical services need to rely on a robust, modern and safe telecommunications system.

We know, however, that risks to this critical infrastructure are on the rise. Minister LeBlanc mentioned many of them, and we have seen many of them not only in Canada but with many of our partners and allies around the world. We need to be vigilant and engaged when we talk about cyber threats and cybersecurity, with our eyes wide open. The risks I am talking about include nefarious actions by hostile foreign states who seek to compromise our critical infrastructure — Minister LeBlanc mentioned a number of ransom threats, some of which have been very public in the recent past — and telecom products from global suppliers that pose an unacceptable risk to the Canadian telecommunications systems.

This is where Bill C-26 comes in. I would echo the words of Minister LeBlanc to say there is urgency to act to make sure that we would, as a government, have the tools to protect Canadians, protect our national security and protect our economic security. It would allow the government, when necessary, to prohibit Canadian telecom service providers from using products from high-risk suppliers. This will, in turn, help secure our critical infrastructure from various threats.

[Translation]

We need to act quickly and decisively. I’m therefore pleased the bill has such strong cross-party support at the House of Commons. Honourable senators, you saw that all members of the House of Commons supported the initiative we put forward in Bill C-26. Protecting and securing our telecommunication networks is essential.

[English]

I was also pleased to see strong cross-party support in the House to further strengthen the bill at the committee stage in response to views that have been expressed by stakeholders and a number of witnesses. For example, we have seen amendments that were made to ensure that confidential information remains protected. Indeed, the bill now explicitly states that Canadians’ personal information and privacy will be protected in accordance with the Privacy Act. I want to be clear that Bill C-26 has never been about collecting the data of Canadians or monitoring communications. That is precisely why language has been added to eliminate any confusion in this regard. Moreover, amendments were added to provide further transparency to stakeholders in terms of reporting, as well as an explicit reasonableness test for the powers that have been vested in the minister and the Governor-in-Council in the bill. In short, there is solid consensus when it comes to Bill C-26, and we expect telecom service providers to act decisively to protect Canada’s telecommunications system.

Now let me say a few words about what this bill is not. For one, Bill C-26 is not intended to punish providers that diligently work to protect consumers and themselves. This has been made clear with an explicit due diligence defence. You may have seen that this has been added at the committee stage. The due diligence defence is in the monetary penalties authorities that have been vested with the minister and the Governor-in-Council, having heard and incorporated the concerns of stakeholders.

Second, Bill C-26 is not about avoiding accountability in the name of quick action. This is more about giving the minister, in the case of the telecom network, the ability to act decisively, strategically and in accordance with best practices to protect our national security. On the contrary, this bill will help to protect the safety and security of Canada’s critical infrastructure without compromising individual privacy or rights.

[Translation]

Mr. Chair, allow me to conclude with the following: A modern and innovative nation like Canada has a duty to ensure it has reliable and secure telecommunications networks. I am firmly convinced that Bill C-26 sets the path for working with telecommunication operators to ensure the security of our systems and networks in the interest of the country and of Canadians.

In closing, Mr. Chair, thank you for giving me the opportunity to address the committee. Like my colleague, I believe we must act quickly to protect our systems and face the threats that we are subjected to in the 21st century and ensure the health and safety of Canadians.

Thank you, Mr. Chair.

[English]

The Chair: Thank you very much, Mr. Champagne.

Colleagues, we will now proceed to questions. Four minutes is allotted for each question, including the answer, as usual. Please keep your questions succinct in an effort to allow as many interventions as possible. We have a long list, so when there are 30 seconds remaining, I will be showing the red card, for those football fans in the room. The first question goes to our deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: My first question is to Minister LeBlanc.

Minister, with the opinions that businesses such as Bell and Québecor have put forward over the past few months on the CRTC’s capacity and slowness in modernizing Canadian telecommunications regulations, to what degree can you assure us that the organization will be able to quickly and effectively apply the cybersecurity rules set out in C-26? How quickly do you expect the CRTC to respond? Also, does the CRTC have the resources needed to meet this type of challenge?

Mr. LeBlanc: If you’ll allow me, senator, that’s an excellent question. The portions dealing with the CRTC are in my colleague’s hands. He will be able to provide a more specific answer than I can.

Mr. Champagne: Is that all right with you, senator?

Senator Dagenais: That works for me.

Mr. Champagne: We cover it in tandem, Minister LeBlanc and me.

Senator, you ask a very important question. You’ll see that, in Bill C-26, the authority is in the hands of the Minister of Industry in a number of ways. To take specific and decisive measures, as we said, we need to act quickly. The nature of the threats we are facing is varied. There is the issue of cybersecurity but, remember that in cases of bad weather and natural disasters, the Minister of Industry was called in. You’ll remember also that during the Rogers incident, that infamous time when telecommunications went down for a number of hours in Canada, decisive action had to be taken. That’s why, at the time, there was even an agreement made between telecommunications providers to ensure interoperability between the networks in cases of emergency, so that communications would be provided for public authorities and citizens. A mutual assistance program was also put in place because that’s what we expect from telecommunication companies in extraordinary circumstances. In that specific case, you can see we were quite specific in Bill C-26 in terms of that authority, as I exercised it at the time, and so that it is in the hands of the Minister of Industry.

One aspect that I see as anachronistic, and I don’t use that word lightly, is that it is one of the rare laws that provides a framework for essential infrastructure, where security is not one of the objectives. Bill C-26 corrects this situation. Security will be at the heart of the objectives, as it is in the case of energy and other critical sectors for transport. I wasn’t there when the law was adopted. When I intervened at the time, senator, I would say that I often did so as a soft power. At the time, the minister did not necessarily have the authority to direct telecommunications companies to take certain actions. History has shown us that we cannot rely solely on the good faith of players. There needs to be authority under the law to require that certain actions be taken. Think of the Internet. In terms of 5G, once everything is connected, there may arise extraordinary instances in which the minister will have to take targeted and strategic action quickly to protect the country’s network as a whole.

Senator Dagenais: Thank you very much for your answer.

Senator Carignan: Thank you, ministers, for being here.

While examining Bill C-26, I wondered what measures the government would put in place for itself, what it would do to practise what it preaches. I have great appreciation for that. However, it seems that the government is requiring much more of the private sector than of itself.

There are, for example, the leaks at the Canada Revenue Agency this past spring, that we just learned about through reporting by CBC/Radio-Canada. Is it not misleading to say that you are taking this seriously when leaks impacting around 30,000 people are hidden and not disclosed? Individuals who were identified as victims were not informed, either. If a private sector actor did that, it would be required to pay $10 million in fines. For its part, the Government of Canada and its revenue agency hide behind systems and prepare communiqués for ministers in cases that become public, but that’s it. Isn’t there a double standard?

Mr. LeBlanc: Thank you, senator. I will provide some comments and Mr. Champagne can add what he’d like.

I acknowledge that double standards must be avoided at all costs. We need to be able to do what we require of others. I completely agree with your first comment. It’s not the first time a government is accused of this type of thing.

However, I’m not a cybersecurity expert, far from it. I take part in information sessions with the Canadian Security Intelligence Service, the RCMP and other government stakeholders. You’re right to say that the threats are evolving very rapidly. Governments, whether at the federal, provincial or municipal level, have also been victims of these attacks and threats. I hope it was never implied that we, as governments, are immune. In fact, we have to be very aware of the threats. We have quite effective resources at the Department of National Defence that I am very impressed with, such as the Communications Security Establishment and other organizations that you know well. I saw, in the case of some provincial governments, such as the one for Newfoundland and Labrador, that during a fairly significant attack on its health care system on the Avalon Peninsula, in St. John’s, where information was stolen, that the federal government was able to help very quickly.

We try to help each other. We should never create obligations that we wouldn’t agree to for ourselves. I don’t believe it’s the case, but I am aware of the ongoing need to invest in technologies, experts and other instruments to protect ourselves, because the threats are real.

And I just did what Mr. Champagne did with your colleague’s question: I didn’t let him answer. I know this is a big disappointment to you, senator.

Senator Carignan: He’s my member of Parliament for Champlain.

Mr. LeBlanc: He may have something to add.

Mr. Champagne: Senator, your MP will always be available to answer your questions.

I understand your frustration and that of Canadians. Of course, we must do better. I think that Bill C-26 does call for cooperation. I can say that we regularly work with operators on telecommunications systems.

What’s critically missing today in the Telecommunications Act is that it’s not within the purpose of the act to focus on security. It’s a bit anachronistic, given what you’ve just said about attacks on the private sector, provincial, municipal and federal governments. Just imagine the effect of artificial intelligence, quantum computing and the Internet. When it comes to cybersecurity and telecommunications, we’re doing right by Canadians by sharing all the information over the networks, and thereby enabling better protection.

[English]

Senator Boehm: Thank you, ministers, for being here. As we heard in the last exchange, the nature of the threat is getting more sophisticated. It replicates itself more quickly, it develops, and governments have to catch up.

This is a question for both of you. You have both been involved in not just Five Eyes discussions but also G7 discussions under the current Italian presidency. We are picking up the flame from Italy in January. In 2018, work was done by a cybersecurity working group in the G7 context, and there was work done on infrastructure and shielding infrastructure. I was a little involved in that. So it goes beyond Five Eyes and all our partners, friends and even those who are not as friendly. Here is my question: Do you think that in each of your portfolios, Canada will be in a position to exercise leadership, bring in new ideas and push the agenda forward?

Mr. Champagne: Senator, you did very well. I hope we can replicate your leadership. The Italians, our friends, are expecting a lot from us. They had a successful G7 presidency.

There is already a global-coordination group working on telecom with some G7 countries and beyond. It has to do with two things. One is standards, and as you know, it is key in the international arena to promote standards that will be in line with our values, let me say, in terms of telecom infrastructure. I come back to that in particular. In the 5G world, things will be different. By the way, we’ve now signed a protocol with the Americans on 6G now. Believe it. We are not just working on 5G. We are already thinking about what 6G will be doing. I will stop there so Minister LeBlanc can follow up on that.

More important is the supply chain. We have been working with a number of allies. You may have seen Ericsson has made a generational investment, close to a billion dollars, in Kanata. It is the same with the Nokia research centre, one of the largest in the world, here in Kanata, in Ottawa.

I would say we are working on both standards and supply chain because if we want to have reliable and secure vendors and supply chains and equipment, we need to work with our international partners in the Five Eyes and the G7 to make sure we lead in research and development, standards and equipment so we’re not beholden to nations who would use our networks to spy on our people, to disrupt or to gather information.

Mr. LeBlanc: Senator Boehm, you are absolutely right. The Five Eyes as a security partnership is very much seized with these issues. I have participated in a handful of Five Eyes meetings where cyber-threats were very much on the agenda.

As you noted and as Minister Champagne said, we have been participating in an active series of ministerial meetings that the Italians organized. I was at one near Naples a few weeks ago where the Italian interior minister, who was there with the new minister from France and all of our G7 colleagues, was talking about how this is a borderless threat. Some regions are more active than others, and you would have seen the intelligence in your previous role, senator. Some particular regions and countries are very active. Others are themselves victims and then house some of these threat actors. I think there has to be a continuation. Certainly, my understanding of the G7 priorities and the public safety area for our presidency would absolutely include a continuation of this work that began with the Italians.

The intelligence services are active, including, as you said, with countries that may not be in the European Union, Five Eyes or G7 — pick your nice bureaucratic name for the group. There are a lot of countries that themselves detect this, and the intelligence sharing is extensive. I’m reassured of that by non‑traditional partners.

Senator Gold: Welcome, ministers. It is nice to see you.

I want to ask a question about the powers in the bill that are bestowed on the government and the safeguards that are built in. For example, the government has powers, as you have described, to direct the telecom providers to do certain things or not to do certain things. They also, in some cases, provide that the orders to do or not to do should not be disclosed. Could you talk about, in general, the safeguards, limitations and the oversight that would exist? Could the cabinet use these authorities to intercept the communications of political adversaries? Could the RCMP use them for investigative tools? Perish the thought, but I am asking the question. Why would orders not be disclosed, and what safeguards are in place for those?

Mr. LeBlanc: Mr. Chair, thanks to our friend Senator Gold for the question. He is absolutely right. I have learned a lot about this area since becoming the Public Safety Minister. There is an important balance to be struck in terms of the transparency of these measures.

Some of the witnesses on the House committee, some of the private businesses, are, understandably, concerned if some of these orders were made public. The advice that I got, Senator Gold, from the security and intelligence agencies is that by divulging, for example, these orders that the government may issue publicly, you certainly paint a vulnerability landscape for the threat actors. You can point the way for some less sophisticated threat actors: “Oh, this particular group is zeroing in here; maybe we should try that.” They are understandably hesitant to make this stuff public.

Minister Champagne can talk about big publicly traded companies. I’m not sure what that does to the investor confidence in a large telecommunications company if they have been subject to four orders and their competitor to zero. Does that speak to their own lack of protection?

The transparency requirement has to be balanced against some of the unintended consequences — the House of Commons committee looked at this a lot — by mandating, for example, the government to be transparent on an annual basis about the number of orders that were issued and by specifically referring to NSICOP or the National Security and Intelligence Review Agency. There is a role for the Federal Court. There are designated judges of the Federal Court, like the ones that would see the CSIS warrants that I might sign. These aren’t dragged into an open court process. It would be reckless and dangerous to do so. But there is an appropriate judicial oversight with amicus curiae. There is a process that is well worn and quite effective, but we will be listening to the work of this committee to ensure we have the balance right.

Mr. Champagne: I think you may be thinking about the telecom CEOs watching today, but there was an amendment that was made that, for example, the orders the minister of industry could direct would have to be reasonable. There is a reasonable standard. The amendments also talk about the financial impact and the impact on telecommunication services.

Whilst the minister and the Governor-in-Council would have the power, we have put the checks and balances in the system to ensure that we achieve the purpose that this is intended, which is to protect the network, but, at the same time, there would be due consideration to, for example, the due diligence standard. If a company had done everything they could to achieve a particular outcome, they would have a defence. We got the balance right, in my view.

As Minister LeBlanc said, there is a reason why the warrants would go to NSICOP, because, in my view, at least, and the players in the telecom industry, you don’t want to bring that to the public eye, because then, as Minister LeBlanc said, we could just attract even more at the particular time we need to put a patch on a breach. If you are going public with that before you have the patch, that would be terrible for the network.

The Chair: Thank you, minister.

Senator Yussuff: Thank you, both ministers, for being here. I have two questions, and they are specific.

First, what has been the consultation with private interests and the telecom companies in trying to understand the legislation that is coming? How are they cooperating and recognizing that they have an important role to play in that regard?

Second, at least three of our national telecom companies have a lot of their work contracted out of the country. This is being processed in other places. We have no control. They are in other countries, and some of them I would identify as countries that are not so amenable. With one of them, we just kicked their diplomats out of our country. How are we going to protect Canadians’ data now that it has been processed offshore when we don’t have any control over what these telecom companies are subjected to in other places?

Mr. Champagne: We have been working with the telecoms. We have seen more violent and more frequent natural disasters, and when people are facing a tragedy or a threat to their safety, for example, the 9-1-1 network and the telecommunications network become essential. It is true in our daily lives, but it’s even more true in cases of emergency.

I would say we have a robust cooperation with them, especially after the Rogers outages when we put the MOU in place to ensure there would be roaming, mutual assistance and communication with the public. They understood that we needed to play a role to protect the public interest. Today, that’s giving us the tools.

A lot of the things we have done, senator, rely on the goodwill and the advocacy of the government to ensure that we reach the right outcome. But experts would have said that you also need to have the tools in the toolbox, if you need to demand and even force a provider, for example, to do something.

Coming to your example, if there was a network provider using equipment from a country which we know through the Five Eyes and other agencies could compromise the entirety of our network or spy on Canadians or collect information, you would want the minister and the government to have the power to ask that particular operator to cease using that type of equipment. You have seen we have done that with Huawei and ZTE when we issued a directive. Obviously, the law will give us the tools now to implement that. Those are the types of things that you want to see in the toolbox.

Mr. LeBlanc: Mr. Boucher reminded me that there were extensive consultations with many of those private telecommunications companies that you referred to in your question and that Minister Champagne touched on.

Assuming this legislation gets to Royal Assent and we get to the regulatory stage and making regulations under the act, there is also a comprehensive plan to include provinces, territories and private-sector actors. You would want to hear from academic experts and others. And, of course, there is the oversight of the joint committee and so on. We haven’t finished the effort to consult. We think it is important in the regulatory phase as well.

Senator Kutcher: Thank you, both, for being with us.

You both mentioned health care systems, and I would like to ask about that. One of the largest data breaches in our history came from LifeLabs, which is a health care data system. Increasingly, we find national telecommunications companies providing direct health care and collecting all that data. We also have the complexity of provincial-based health care systems. Health care is not identified in Schedule 1. Can this bill protect health care data, particularly health care data that is collected by a national telecommunications company? You can see your doctor online from Telus Health, for example. No province runs that system. Have you given any thoughts to how we could better protect Canadians’ health care data given this reality?

Mr. Champagne: That is a very good point, senator, and it is interesting. There are more and more telecoms now involved in the provision of health care. Again, I hate to come back to this, but we need to think forward 10, 20 or 30 years from now, when you add AI and other technologies. That’s all going on the network one way or the other. The day of the fax machine used by doctors is, hopefully, something of the past in the not-too-distant future.

Mr. LeBlanc: Senator Kutcher still faxes prescriptions to people.

Mr. Champagne: There will be a world one day where you would imagine there would be a flow of information that would be different and that would transit through the network. That’s why one of our objectives is to protect privacy. That was one of the amendments made at the committee stage, to ensure that the networks make sure that the data they collect — and the power we have — protects privacy.

In terms of designated sector, I will leave that to Minister LeBlanc. You are right. We said the finance sector, energy, transport and telecom. With respect to health care, I may leave Minister LeBlanc to speak to that. I think there is an intersection, and we are both here because all that data transits through a network, even when it’s through a fax machine.

It’s all about protecting the security and resiliency of the network and ensuring that people don’t have access. When everything is connected, you are dependent on the weakest link not interfering in our network. That is why you need new powers to ensure that the weakest link is not compromising the entirety of the system, such that you can shut down part of it, patch it and make sure that we don’t compromise the rest of the system.

Mr. LeBlanc: Senator Kutcher, Mr. Boucher reminded me that we’re purporting to use the federal legislative power for federally regulated sectors. With health care, I’m thinking of the example in Newfoundland and Labrador that Premier Furey and I worked on, and it was a provincial health authority. As you would know better than anybody, our regulatory ability doesn’t touch that. However, you gave the example of telecommunications companies such as Telus Health, whose ads I see all over the place. If we deem that to be a critical piece of the infrastructure — I can’t imagine, for the reasons you said, that we wouldn’t, but I don’t purport to have seen that advice now — they would absolutely fall under our ability to regulate their activities and the protection of the private health care information of the patients they are treating. I can’t imagine it wouldn’t be part of that. It is an interesting issue you raise, and I will push down on it.

Senator M. Deacon: Thank you for being here today.

I had the opportunity to sit around the table in Europe this summer and have a very similar conversation to this one about what we are doing — mostly Five Eyes, but other countries also — and where we are at. One of the takeaways for me was that we have an opportunity to take this on, and we know it is a huge issue, but we want to get it right. As the minister said, we have to look down the road, around the curve and the other curve as we’re doing this.

Could you tell me today what we have presently in front of us, looking at the minutes in the House and following the other committee? Are there any pieces through the changes that were made or amendments that were made that you wish were still here? I know you have a bias, but is there anything, from listening to people and different experts, that you would add to make this bill better for the time, knowing where we’re trying to go?

Mr. Champagne: Bill C-26 is a game changer when it comes to telecom policy. I go back to my opening statement. The fact that security is not even one of the listed objectives strikes me as a gap we need to fill very quickly, because, obviously, you want the minister of industry, under the Telecommunications Act, to promote security. That is just common sense, like you said. We would be one of the very few nations in the Five Eyes or even the G7 which doesn’t even have that as an objective. You want reliability, resiliency and many other things, but in this day and age — above all or equally with other things — you want security of the system.

I’m fine with the checks and balances that were put in there in terms of reasonableness standards and the defence because we want to work with the telecom sector and the providers to reach the best possible outcome. However, the most important thing is for the minister and those who are going to succeed me in 10 or 20 years from now — whether in an emergency, natural disaster or cyberattack, in a world that we can barely foresee now, especially when you add quantum and AI — that person, whoever it may be, would have the authority to direct telcos to do something specific, or someone specific in the network, to prevent a bigger outcome, threat or damage that could occur to the country and to the whole network. I’ll stop there.

Particularly when you have the Internet of Things, your question is very pointed when you think that one day under 5G, let alone 6G, everything is interconnected and instant. What I don’t have today, but I wish my successor would have, or perhaps if you approve the bill and then we have Royal Assent, is the ability to act swiftly. Time is of the essence. You need to take decisive action. The only way a minister could do it today would be to self-power, and we need to enshrine that in the law. This is a game changer today, and I can live with the checks and balances that are in it.

Senator McNair: Thank you to both ministers and the officials for being here tonight. We appreciate it.

I think this question is properly to Minister Champagne, and it is comprised of two parts. Is there a divergence between the government’s stated goal of ensuring reliable access, especially in remote and rural areas of Canada, with the desire to secure our 5G networks, especially given the decision to restrict high-risk suppliers from our telecom service providers?

Secondly, will smaller providers be disproportionately impacted by the decision to ban certain high-risk providers such as Huawei and ZTE, as you discussed earlier?

Mr. Champagne: Thank you, senator, for your role in the bill.

When you are making billions of dollars of investments, you want predictability and certainty. You need these big infrastructure investments. You need to have a vision, going back to Senator Deacon. You need to look at 5, 10, 20 or 30 years down the road. We have always been very forthcoming with the industry about the type of risk we see with certain vendors. You have seen what we did in May 2022 with ZTE and Huawei. This was on the back of what we had seen in other Five Eyes countries, which had determined that this would be detrimental.

I didn’t see a push back in the sense that the operators understood that it was in their best interests to transition to something more reliable and that would be permanent in their system. In that sense, I think they saw that coming, and even the directive we had issued has been accepted by the telcos as being the way to do it. It is in our mandate and duty — you as the Senate and we as the government — to make sure that when everything is interconnected, an operator’s decision could compromise all the others in the ecosystem. We cannot allow that. Therefore, it was well understood that we needed to take action.

To your point about the smaller operators, there was not much of Huawei and ZTE equipment in the 5G network. It was more in the 4G, for which we left a bit of time to ensure that everyone could replace that equipment safely, proactively and in the best interests of the ecosystem.

In my interactions with the leaders of the telecom companies in the country, they understand we are doing this because we have at heart the best interests of everyone. First and foremost, I would say economic security is national security today. We cannot allow someone to compromise everyone else, and that’s why we adopted the directive at the time and we’re going to back it by legislation with Bill C-26.

Senator Batters: I have so many questions, but not enough time with both of you.

Minister LeBlanc, Bill C-26 imposes some significant requirements for cybersecurity for small- and medium-sized Canadian businesses without really acknowledging that those requirements could be a lot more onerous for smaller enterprises than for massive organizations.

Today, to follow up on what Senator Carignan was asking about, we saw an alarming news article about a huge cyberattack on a branch of your government, the Canada Revenue Agency, with serious implications for Canadian taxpayers involving millions of dollars. We also see in that report that Minister Bibeau was advised about that major cyberattack on the Canada Revenue Agency many months ago, and she was provided with media lines and messages to respond to any questions, but the article notes, “In the end, the public was never alerted to the scheme.” Minister LeBlanc, why didn’t your government tell Canadian taxpayers about this? As Public Safety Minister, with the responsibility for cybersecurity, were you also notified about this major cyberattack? If so, why didn’t you insist Canadians were told about it?

Mr. LeBlanc: Senator, thank you for the question.

I agree entirely that this legislation can’t create an undue burden on small- and medium-sized enterprises. We don’t believe that’s the case. It is intended to ensure that small businesses and all Canadians, for the reasons that Minister Champagne and others enunciated, can rely on some of these larger providers essential for their business activities. Only federally regulated operators who deliver services in the system, which would be vital to national security or public safety like, to Senator Kutcher’s point, health, safety, security and economic well-being of Canadians, would be captured. I totally agree that we have to be careful not to create that burden on small and medium-sized businesses. We’ll be sensitive as the legislation and regulations are adopted that we look at the effects of some of these potential orders and so on, to be conscious of that.

With respect to the breach, I personally was not aware until today of the circumstances that I read about publicly with respect to the Canada Revenue Agency. I’m told that the agency would have, perhaps, talked to officials in our department — obviously, the Centre for Cyber Security, and there is an important element of the Department of National Defence and the Communications Security Establishment, but I’m not aware of the details of how officials at Canada Revenue Agency would have spoken to officials either in our department or at National Defence with respect to this breach.

Separate and apart from the specific circumstances at Revenue Canada that I’m not in a position to talk about, there is a balance. I have seen this with provincial and municipal governments and talked informally with large private sector operators around the transparency of telling their shareholders, their partners — and in the case of public governments, municipalities, provinces and territories their taxpayers — about preserving the confidence that people have in the system or also not giving a road map for the next potential negative or hostile actor to identify a vulnerability until the vulnerability is fixed. I have been in meetings where people say, “This has happened to our province. We’re not going to discuss it publicly until we have been able to build a backbone” — that was the phrase I heard — “to ensure that somebody won’t come right in behind them,” and then I think that particular provincial government talked about it publicly. That’s just one circumstance I was in.

Senator Batters: I don’t really understand how that applies here, given that the minister had lines ready to give.

Minister LeBlanc, this bill has been a long time in coming. The Trudeau government first held public consultations on it back in 2016. In 2018, your government released a National Cyber Security Strategy, and it took another four years, until 2022, for you to draft and introduce this bill in Parliament. It then took two more years to work its way through the House of Commons, which included major amendments at the committee stage which basically overhauled this bill. Even after it passes the Senate, it will take another two years in the regulatory phase before much of the impact of the legislation even comes into effect. Minister, all of this means that this cybersecurity bill will take your government a full decade to bring protections on this critical topic into effect. Why this extreme delay?

The Chair: I am going to ask the minister to reflect on that, because we have gone a minute over. We will go to Senator Dasko now, and if there is time, perhaps you can address that later.

Senator Dasko: Thank you to the ministers for being here today.

I want to get back to the topic of the overall landscape, this being the cybercrime side of the issue. You mentioned, minister, that there are both state and non-state actors. I am interested in who they are. Who are the state actors, and who are the non-state actors? Are the non-state actors mainly foreign actors? I’m talking about the perpetrators, those who are committing these crimes, and their motivation. It sounds like there may be mixed motivations. You mentioned extortion in one example. Is this a main motivation of the perpetrators? Is it information gathering? Is it disruption of our services? There are all kinds of potential motivations.

My second question is about the remedies, this being a crime. It sounds like the remedies are for us to secure our systems, but what about sanctions? Are there sanctions against these perpetrators? Is that viable? How does that work? What are they?

Then, can we repel these actors? I’m thinking of cyber wars — maybe I have seen too many movies — but there is a possibility of repelling them, at least potentially. Those are my questions.

Mr. LeBlanc: Thank you, senator. That is a series of very thoughtful and appropriate questions.

You began by asking us to reflect on hostile state and non‑state actors. That’s the phrase that we often use or in meetings that I am in that people use. A great deal of this, of course, is classified intelligence or police information if there are ongoing investigations, but it is a well-known, public fact, for example, that Russia is very active in many of these disinformation and potential cyberattacks. There have been public comments around China. But, again, I’m just going with what has been in the public space. I sometimes see briefings where other state actors are quite active.

Many of the threats that would come from nonhostile state actors are organized crime networks operating, again, in some of the countries that themselves perpetrate some of these attacks or countries that may not have extradition treaties. You can think of countries that wouldn’t have extradition treaties with the United States, European countries and Canada. You may find some of these organized criminal networks that do these ransomware attacks or extortions based there.

The threat is evolving all the time. A lot of it increasingly — this has been publicly commented on by the Communications Security Establishment — becomes a source of funding for organized crime. Large transnational criminal networks may have a branch that does this kind of activity from country X, and it can be quite lucrative in what we take as the public reporting of large companies or public sector entities that have paid ransoms. Some are paid that we don’t know about and are never reported publicly, for obviously understandable reasons as well. That is the threat landscape, and I think there is more we could say in terms of the countries.

I’ll conclude with this: You asked why they would do this. I’m not a criminal profiler, but a lot of these hostile state actors, these countries, do it precisely to shake people’s confidence in public institutions — in banking, telecommunications, in your local health authority. They seek to disrupt confidence in large Western democracies. Some of it can be designed by ideologically motivated violent extremists who are also seeking to create a context where they can recruit in certain communities. It is a vast myriad of reasons why. I see it in some of the intelligence reporting some of these elements, but they are as vast as are the attacks.

The Chair: Thank you very much.

Ministers, I’m doing a time check here. It is closing in on 5:00. I’m going to ask if you would have 11 or 12 minutes remaining to cover off four senators who have questions. We’ll give them three minutes each, if you are agreeable.

Mr. LeBlanc: Yes, absolutely, but I have a meeting at 5:30 with two of my cabinet colleagues at the Marriott hotel, which has been planned for a number of months. We’re meeting a group of Indigenous leaders from the Jay Treaty Border Alliance.

The Chair: We will be quick.

Senator Patterson: Thank you, ministers.

Minister LeBlanc, this is for you. It follows up on Senator Kutcher’s question. There is a federal health care system, the Canadian Armed Forces, and they do have an electronic system that must reach into provinces and territories to exchange information. While information has been held in a repository, we already know there was accidental deletion of massive amounts of data. Why does this matter? Because the health of our troops is also a definite cyber target for nefarious actors out there. I wanted to add that to it. My question is also related to Indigenous Services, which is outside provincial and territorial jurisdictions. When you’re looking at vital services and vital systems — the Department of National Defence has an un‑classed stake in this as well — how will that be addressed by this bill?

Mr. LeBlanc: Senator, you are right. The RCMP is also provided some medical services, like people who serve in the Armed Forces. Correctional Service Canada has 13,500 federally sentenced inmates who need health care. You’re absolutely right. We have a responsibility to protect that data and its reliability for a person offering treatment to those persons and to do so in a way that would not compromise their security in the case of serving members of the Armed Forces or the RCMP. If you will, Mr. Boucher may be able to provide a specific answer in the context of how that operates.

Patrick Boucher, Senior Assistant Deputy Minister, National and Cyber Security Branch, Public Safety Canada: As the minister alluded to earlier, there was extensive engagement with various stakeholders from across the country — provinces, territories, Indigenous organizations and the private sector. That was all to get baseline information on how to define vital systems.

As the minister said earlier on the question of small to medium-sized enterprises, chances are that these vital systems will be held by the major corporations, the big telcos that are out there. There was a methodology applied to start identifying those vital systems, and we will continue to work with industry, with partners, to zero in through the regulatory process to lock those down and, through the regulatory process, to ensure we have the flexibility to update them, because it will evolve. The threat will evolve. New vital systems may be needed to be protected under this act, so the regulatory framework will allow us to do that.

Senator Duncan: I thank the ministers for being here.

The physical threat in the North is twofold. There are threats from climate change and equipment failure, and this occurs more often than we care to count. It was evident this spring when Yukon lost all communications for a period of time. The Government of Yukon has made significant investments in redundancy for the future. Does there exist — I think Mr. Boucher touched on this — a realistic account or analysis of the infrastructure throughout the North, particularly identifying the gaps? One of those threats is the physical critical infrastructure, where it exists, how vulnerable it is and where it doesn’t exist. Those are the gaps. The other concern is when the equipment failed, many Yukoners turned to Starlink. Starlink is evident everywhere. How secure is it? It’s used by government agencies. What is its level of security, and how do we intend to address that? Does Bill C-26 address the issue of security in cyberspace communications?

Mr. Champagne: I will try to do justice to your question, but we would need to talk for an hour to go over all of that.

The fact that we will promote security resilience and reliability in the network is key now. I am mindful of the situation you are describing because I was very much involved when Yukoners lost connectivity. You may have seen Telesat’s recent investment in low-Earth-orbit satellites to make sure we would be covered. I would say it has much to do with national security and resiliency because, to your point, I don’t think we should outsource national security when it comes to the Northwest Passage, aviation for maritime services, law enforcement and others. We are tasked, obviously, to protect the North, but we also have our NATO obligations. I think this was a wise investment that will allow us to support a Canadian company and have the equipment there to help the resiliency of communications in the North. I am happy to have a longer discussion, but I see that the chair would like me to offer only a brief response.

Senator Al Zaibak: Thank you, ministers, for being here, and my apologies for missing the first part of your statements.

Mr. LeBlanc: They were fantastic. Your colleagues were absolutely captured. It was a seminal performance.

Senator Al Zaibak: I am sure.

In my humble view, neither technology alone nor legislative power alone can provide a viable solution to the questions we have and the threats we are facing, especially when it comes to cybersecurity. I believe cybersecurity requires a concerted effort between the federal government and private industry, the stakeholders, as private industry stakeholders often own the telecommunications and IT infrastructure.

Bill C-26 appears to create obligations for the telecommunications providers, yet optimal implementation requires strong public-private partnership. What frameworks or incentives within Bill C-26, in your view, could foster effective collaboration between the federal government and private telecommunications companies to ensure long-term viable cybersecurity solutions?

Mr. Champagne: Thank you, senator.

One of the objectives is also to provide general security of the telecom network in Canada. There are many ways we can do that. As you said, the powers we have here are to direct certain actions, acts or omissions, by certain actors within the ecosystem.

Senator, I don’t know if you arrived after I spoke and after the eloquent introductory comments from the very humble Minister LeBlanc, but I mentioned that we have seen significant investments, for example, in Kanata. One of Nokia’s largest research centres is here. Ericsson recently invested here. Both companies invested more than $500 million. To your point, policy will help, and having regulatory power will help, but we need to work hand-in-hand in research and development.

We talk about standards and supply chains with our allies. I don’t know if you had arrived by the time I said this, but believe it or not, we signed an understanding to work together with the Americans not on 5G but on 6G, so you see we are already beyond the next technology. The fact that some of that research will be done in Canada is a good example that we want to lead, secure our network and be sure that we have the highest standard when it comes to our telecom network because it will be vital for our security and economic prosperity in the country.

The Chair: Thank you, colleagues.

Sadly, this brings us to the end of our time with the ministers today. We not only had the red card but we also went into overtime, so we thank you for that. Thank you, Minister LeBlanc and Minister Champagne, for taking the time to be with us today. On behalf of our colleagues in the room and the broader Senate, we thank you for the hard work that you do on behalf of us and Canadians every day and most nights and weekends. We appreciate that. It is always good to see you.

Colleagues, officials from Public Safety Canada and Innovation, Science and Economic Development have graciously agreed to stay behind to answer questions until 6:25. They will be joined for the next 75 minutes by officials from Communications Security Establishment Canada, which we’ve heard a lot about today. We will now continue our question period with officials from Public Safety Canada and Innovation, Science and Economic Development Canada who are joined on this panel by the following representatives from the Communications Security Establishment: Sami Khoury, Government of Canada Senior Official for Cyber Security; Danielle Couillard, Director General, Partnerships and Risk Mitigation at the Canadian Centre for Cybersecurity; and Stephen Bolton, Director General, Strategic Policy. Welcome to you all, and thank you for joining this panel. I understand that our officials will interchange as necessary to be fully responsive to our questions.

[Translation]

Senator Dagenais: My question is for Mr. MacSween.

There’s talk of concerted action with the Five Eyes. Are there any actions or prohibitions here in Canada that are not in line with those of our allies? If so, can you give us examples and explanations to justify why we are not aligned with our allies, the Five Eyes?

Colin MacSween, Director General, National and Cyber Security Branch, Public Safety Canada: Thank you for your question.

[English]

In terms of the prohibitions, currently, absent Bill C-26, when we look at our Five Eyes partners, many of them do have similar regimes in place now, specifically in the U.S., the U.K. and Australia, and I am talking specifically about Part 2 of the bill here. There are similarities and differences in what they do. One of the main similarities is the mandatory reporting requirement that we do see in those three other countries. I would say we are learning a lot from them in terms of how we want to set the threshold for that mandatory reporting. To your point on gaps and prohibitions, absent Bill C-26, the mandatory requirement to report in is not there for the CI sector. That is a big gap for Canada.

Part of the reason we want to do that is to ensure we have a full line of sight on all the threats that are coming in. Also, this allows our colleagues at the Canadian Centre for Cyber Security to push out threat-related advice to other impacted CI sectors, and I would note that’s not just federally regulated sectors but they can go out to all CI sectors as well. That’s certainly one of the gaps we want to address and one of the differences we see in the law in Part 2.

[Translation]

Senator Dagenais: Some of the provisions of Bill C-26 that were passed may have retroactive effects on threats to Canada. Can you give us examples of provisions in Bill C-26 that were adopted and would have retroactive effects?

[English]

Mr. MacSween: Retroactive effect, I think that’s a bit more related to Part 1 of the bill. With Part 2, upon Royal Assent, nothing immediately switches on right away. In order to build out the requirements, we have to go through the regulatory process, and only then would the designated operators that will be identified as part of that process become subject to the requirements of the act. There is no retroactive action in Part 2.

I don’t know if Mr. Arbour wants to mention anything about Part 1.

[Translation]

Andre Arbour, Director General, Strategy and Innovation Policy Sector, Innovation, Science and Economic Development Canada: Thank you.

To clarify, the policy announced by the government in 2022 is entirely voluntary. It’s an agreement that sets out intentions with respect to Huawei and ZTE equipment, but it’s voluntary. Under the bill, we’d be consulting once again on the order in question. So it’s not retroactive, it’s forward-looking in terms of the application of the act specifically.

Senator Dagenais: Thank you.

Senator Carignan: I’d like some clarification on the scope of the act and the minister’s powers. My question concerns GPS or geo-referenced data, like what you’d find in my Garmin watch, my self-driving car, the self-driving taxis we’re increasingly seeing in the U.S. and information held by location-based systems like Google Maps.

Under Bill C-26, would the minister have the power to intervene if someone were to use this data for interference purposes, to threaten or spy on or even take control of autonomous cars? It may seem like science fiction, but it’s not far off. What powers would the minister have?

Mr. Arbour: Thanks for the question.

The bill deals with matters under federal jurisdiction. In the context of telecommunications, for example, if it has to do with the supply of telecommunications services, that could include GPS data, but if there’s a link with —

Senator Carignan: There’s no link to the cellular antenna; I mean satellites, for instance.

Mr. Arbour: Satellite communications could be included in telecommunications, but it depends on the circumstances. This technology exists in several sectors — health care and energy, for example — but the scope of the bill concerns sectors under federal jurisdiction, i.e., telecommunications, finance, energy and transport.

So, it depends on the circumstances. If part of the sector, service or activity in question is under federal jurisdiction, like Bell Canada, a telecommunications service, then it may be possible to take action. However, if it’s under provincial jurisdiction, like, for example —

Senator Carignan: Let me be more specific. If we’re talking about autonomous cars or taxis, which we’re increasingly seeing in the United States, and there’s a risk the vehicle could be controlled remotely, does the minister have the power to act?

Mr. Arbour: If the vehicle in question is operating within a federal area of jurisdiction, it’s possible —

Senator Carignan: So, the minister can intervene if the taxi is used for interprovincial transportation or travel between Ottawa and Gatineau, but not if it’s strictly in Montreal, say? Is that what you’re saying?

Mr. Arbour: As for jurisdiction over regulations in the transportation sector, certain things can be done. This is because transportation falls under the jurisdiction mentioned in part 2. Again, it depends on the circumstances.

Other tools are also available to the government, for example if it’s an economic measure that has a similar effect on tax security issues, for example, or control over access to certain vehicles in Canada.

I would also add that this is an open question for the current government, the option to take all necessary measures for autonomous or electronic vehicles. The government has stressed the importance of this issue.

[English]

Senator Yussuff: I asked a question previously to the two ministers and I did not get an answer, so I will repeat myself and hope to get an answer this time.

Many of the telecom companies in our country are currently subcontracting work out to subcontractors abroad. They are collecting our data and processing that data in other countries, and yet, here we are having a debate and discussion about a bill that will protect our cybersecurity. Can you assure me that this bill will protect that data that Canadians entrust in those telecom communities? We have no control over it. Somebody can call me from India, Egypt or anywhere in the world, and they are collecting that information, and yet we have no control over what the telecom companies are doing and how that data could be compromised if it is now in another country.

Mr. Arbour: Thank you for the question.

Starting with existing measures, there are privacy requirements under PIPEDA that are conditional on the consent of the user, as well as voluntary measures that my department has for engaging with telecommunications providers in terms of the protection of their networks. I appreciate the perspective that it is insufficient. Indeed, that is one of the reasons why this bill is so important.

Part 1 does allow for a pretty broad set of considerations. It is for protecting the security of the telecommunications system writ large, from the full set of threats. It is not just an individual cyberattack, but it would include a full set of other risks. There is scope there to take regulatory action to protect those networks and services against those risks.

Senator Yussuff: Let me follow up with that. What Canadians are entrusting with their telecom provider — whoever that might be right now — is the responsibility that they are protecting their data. There is nothing you are telling me that makes me assured that it is going to be any better under this legislation, because if they continue to subcontract that work outside of the country to a foreign entity, we have no control. If that was breached in another country, you tell me, “Sorry, we don’t have any control over what happened in Egypt or India, but we’re here to tell you we’re going to protect you under this piece of legislation.” We can’t do that under the current law, so how do we do it in the future under this bill?

Mr. Arbour: To clarify, currently, we don’t have a legal authority to take action, which is part of the point of the bill.

Senator Yussuff: Is that not what most Canadians are wondering about, what is allowed right now? Here we are talking about cybersecurity for some of the most important entities that we trust, our telecom companies, and we have no control right now to even say, “Excuse me, you are compromising something that is so fundamental to our national security.”

Mr. Arbour: There has been good action that has been taken basically through moral suasion and leaning on the companies, as well as through other measures such as the way that the government engages with the telecom operators.

To circle back to what this bill can and cannot do, the point is to have a framework that allows for the government to take action against a set of threats. It doesn’t spell out in detail the specific issue that you are raising because it is intended to be technologically neutral and flexible to respond to the set of threats that do arise and to have an effective toolbox to be able to respond to those risks. It does include a set of powers to allow for the monitoring of the behaviour of the telecom operators, to compel the provision of information based on their activities in terms of how they are securing their network and how they are protecting the data of their customers, and then measures to raise the bar in terms of what rules and behaviours they would need to put in place to better protect that. It is about ensuring that we have the tools to be able to take action against risks that could include this and the broad range of risks that we know about now or could appear in the future.

Senator Gold: Thank you for being with us.

I want to ask you to comment in greater detail on a question that I put to the two ministers. Given the increased powers, which we need to protect ourselves, comes a requirement that the right balance needs to be struck.

Could you give us a little more detail on the safeguards, limitations and oversight that is built into this act? If there are other acts that complement that, please feel free to provide that larger context.

[Translation]

Mr. MacSween: Thank you for the question.

[English]

In terms of the safeguards, I’m focusing on Part 2 here, but some of these apply to Part 1, and the ministers mentioned this. As it relates to privacy, one of the specific provisions that was built into the act was an explicit reference to the Privacy Act to reassure Canadians that the Privacy Act does apply to the collection and use of their personal information. Bill C-26 also provides no new authorities or powers to organizations like our friends at the Communications Security Establishment. They will still be subject to the existing privacy protection requirements in their act. That’s one piece there.

What was built in as well — and I think the ministers alluded to this — was related to the exercise of their order-making power and to ensure some transparency around that. In Part 2, the Minister of Public Safety will be required to advise the NSICOP or NSIRA, our international security review bodies, of the issuance of cybersecurity directions. This was a deliberate amendment made to ensure that the review body itself would have the authority to review those, but I think the intention there was to ensure that the review body was aware it happened and had the opportunity to look into it if they so desired. They have their own discretion as to what they will seek to review.

Obviously, for any of the provisions in the act, there is recourse to the Federal Court, and this absolutely applies to the issuance of, in the case of Part 2, cybersecurity directions, as well as the administrative monetary penalty regime or the summary offences as well. So there is judicial oversight of the bill as well.

The other aspect that was built in, and I think this was included in both parts of the act, and again, this is more around the transparency aspect, but to ensure everybody is aware of the administration of the law, the ministers will be required to table a report in Parliament. There is a non-exhaustive list included in the legislation of all the information that is to be included in that report. That is another measure to make sure that there is sufficient transparency and oversight of the bill.

Mr. Arbour: To build on that, I think there are different stages of consideration in terms of the overall framing of what is in scope and what is not. For example, the policy objective is to protect the telecommunications system in the case of telecommunications, not to advance national security writ large. That is not to say that there aren’t important national security or law enforcement objectives, but that’s not what is within scope. If it is not about protecting our network infrastructure — it has nothing to do with the RCMP cracking down on organized crime or anything like that. That’s out of scope.

There are provisions that were added to help provide further comfort. They include the reasonableness test so that the orders must be reasonably linked to that objective. That was a requirement already established by the Supreme Court, but it is spelled out clearly in the legislation now. There are provisions added given the concerns about having further comfort around privacy. For instance, personal information and de-identified information are defined in that section. There is the reference to the Privacy Act. There is a “for greater certainty” note order in the telecommunications section which can be used to intercept personal communications. We couldn’t do that as it was drafted on tabling, but it is for extra certainty there.

To the question about the confidential orders, generally speaking, when we are regulating the telecom sector, we want everyone to know the rules of the road. We have a public consultation — we are required to — and that still exists with the bill in general. The minister spoke to a few specific examples, such as if there is a specific vulnerability in an individual operator such that publishing that would advertise to the world where to attack, that does allow for a confidential order in those exceptional circumstances. To help ensure that in those narrow circumstances it would not be used inappropriately, there are the additional oversight mechanisms, in particular, notification to NSIRA and NSICOP.

Senator Batters: First of all, to officials from the Communications Security Establishment, CSE, civil liberties organizations have expressed some major concerns about the lack of accountability in Bill C-26, even though the bill was amended to now include notification of NSICOP and NSIRA in the event of confidential orders. An updated brief from the Canadian Civil Liberties Association specifically highlighted CSE’s repeated refusal in the past to comply with NSIRA directives, stating:

As presently drafted, C-26 risks continuing a situation where the CSE interprets its mandates now supercharged with even more Canadians’ personal information in manners that have been found noncompliant with the Privacy Act by their reviewer. The Senate has a role and obligation to prevent such a mishandling of Canadians’ often most sensitive information, especially given the CSE’s long track record of failing to cooperate with its review agencies.

Could you please tell me how you would respond to those serious concerns?

Sami Khoury, Senior Official for Cyber Security, Communications Security Establishment Canada: Thank you for the question.

We take the role of the review body very seriously, and we cooperate with them in all of their reviews.

In the context of Bill C-26, the information that we will be receiving from the designated operators is meant to be indicators of compromise. We are not receiving or we will not be in receipt of any personal information from the operators. All we want to be able to do is assess the severity of the cyber incident by understanding how it happened and the telltales of the compromise or the vulnerability that was exploited. Those tend to be fairly technical exchanges that we would have with the various operators in order to understand the severity of the incident and be able to maybe understand the breadth of the incident and warn other operators, if they have similar technologies, or warn more organizations if they use that technology. So, in a sense, what we will be receiving are technical details to understand what has happened, and nothing of a personal nature will be exchanged between us, whether it is a telecom operator, a financial organization or an energy company. We would not be in receipt of anything that would be of a personal nature in that case.

Senator Batters: Isn’t it the case that you would potentially still be receiving personal information, although de-identified information? The two are different. Is that not the case? Am I incorrect on that?

Mr. Khoury: Every incident is different, so I cannot speculate on what an operator would be in a position to share with us in the context of a specific incident. If it was up to us, we would want to understand how the incident happened. Again, we’re looking at cybersecurity incidents, and we would want to understand how it happened. If there was a reason for that operator to maybe identify some e-mail or something that would be personal information, either it would be de-identified or we have obligations to protect the privacy of Canadians under our own legislation.

Senator Batters: To the Public Safety officials, this bill has taken eight years to advance to this point, and the federal government still hasn’t produced a Gender-based Analysis Plus for it. This government had promised to make GBA Plus documents mandatory for all bills they introduced in Parliament. When I inquired as to whether there was a Gender-based Analysis Plus for Bill C-26, the government finally replied with only this: “If passed, a GBA Plus analysis will be conducted as part of the regulations development process.” How does the government justify their failure to produce a GBA Plus document — their own requirement — on Bill C-26 until long after the bill passes both Houses of Parliament?

Mr. MacSween: Thank you very much for the question.

In the case of Bill C-26, there was a GBA Plus analysis that was completed, and I understand a summary of this analysis — it happened in two instances — was provided to the committee.

Senator Batters: I’m the critic of the bill. I asked for it, and the response I got was, “If passed, a GBA Plus analysis will be conducted as part of the regulations development process.” They told me there wasn’t one. If you have one, I would sure be happy to get it, but I note it still hasn’t been produced after the House of Commons had the bill for two years.

Mr. MacSween: My understanding is the summary was provided to the committee today.

Senator Batters: Today? Okay. Interesting.

Senator McNair: I would like to drill down a little more around the confidential proceedings questioning or responses.

Bill C-26’s critic in the Senate raised concerns during her second reading speech about closed court proceedings. Can you comment on how long closed proceedings have been an element of our court system whenever matters of national security are concerned? Can you also expand on what factors a court might consider in determining whether such proceedings might be appropriate in a specific case?

Mr. MacSween: Thank you for the question.

I don’t have the exact time frame for how long these types of proceedings have existed. I have been a national security practitioner for about 12 years now, and they have existed for my lifetime in that field.

Generally speaking, just to the second part of the question, the intention behind the confidential proceedings is to protect classified information or, specifically, information that is deemed injurious to national security or international relations. How that plays out — and the way it is written in the legislation — is that a person that is subject to a proceeding has to identify to the Attorney General of Canada whether they intend to rely on classified information. Should that be the case, the Attorney General of Canada can then make an application to the court to have that information protected. At that point, a justice would review the relevant information and make their own determination as to whether there is injury to national security, international relations or public safety. That conversation would take place with the Attorney General and the minister.

In the case of the regime being proposed here, I think we all understand Bill C-70 passed and that regime will take over. One of the items in that regime is that the court can avail itself to special counsel who is there to protect the rights of the individual who cannot see the information. That, again, is at the discretion of the court as to whether it is required, but that’s kind of the process and how it plays out.

In terms of the confidential information, it is just limited to that information, which is classified and could, at the end of the day, be injurious to international relations or public safety. The open court principle would apply to everything else.

Senator Boehm: My questions are for Mr. Khoury. It is good to have you back.

You have been in this business for a while. You have been waiting for this bill to pass for a while. From your vantage point, what do you see as the most critical challenge in terms of implementing the legislation effectively, ensuring both the public and private sectors are adequately prepared? Is it FTEs? Is it budget? That’s one question.

The other question is, assuming passage of the bill and its implementation, are you prepared for any retaliation from malign actors who are going to try to test you and test us?

Mr. Khoury: Thank you, senator, for the question.

If I can answer in reverse order, no, I don’t necessarily expect malign actors to retaliate because Canada is raising its cyber‑resilience. If anything, they might be a bit more determined. But the hope is that with that bill, we raise the collective cyber‑resilience not only of critical infrastructure sectors but also of other sectors that are not subject to the bill and ensure that our collective cybersecurity is better. Maybe that’s the answer to the second part.

For the first on the challenges, Canada is a huge country, very diverse and dispersed, and the biggest challenge will be how we tackle all of these operators across all these sectors and support them in their cybersecurity journey. They are not all at the same point in their cyber maturity. Some big companies are well vested in cybersecurity; smaller ones might need a bit more hand-holding.

Also, maybe a challenge in the short term would be drawing the threshold on what is a cyber incident that is a reportable cyber incident. We don’t want to be putting the line too low, so that — for argument’s sake — if you lose your password, you report it. But we don’t want to put it very high, so that we don’t receive any cyber reports at the end of the year. We want to find the right balance in defining a cyber incident, but we also want to be mindful of the impact of our definition of trans-border activities. For a Canadian company that operates in the U.S., we might have to be mindful of the fact that we don’t want to create confusion by having one definition in Canada and one definition in the U.S. How do we balance that?

Senator Boehm: Going back to Senator Batters’ earlier question, do you have any plans for small and medium-sized enterprises, SMEs, that will need assistance? She asked the ministers but didn’t quite get the answer that we all wanted. Are you looking more closely at that in terms of a plan?

Mr. Khoury: For Bill C-26, we will have to look at who the designated entities are and work with them. Some of them could be big companies, some of them could be a potentially small- or medium-sized company, and they will all be treated with the Bill C-26 umbrella. For small and medium businesses that are not part of Bill C-26, we have a separate program at the Cyber Centre that is meant to work with them to promote cybersecurity best practices and security controls. That is ongoing today. For either one, we don’t have to wait for Bill C-26. We are working with those industries and businesses today to make sure that they have all the necessary tools to raise their cyber-resilience.

Senator Kutcher: Thank you for being with us today.

I’m going to come back to the health care data issue. In addition to what Senator Patterson talked about, we are finding that more and more health care is being delivered online mostly by private vendors in a telecommunications space, but by other private vendors as well. Some of the health care that’s being delivered online is not just what we found in LifeLabs with lab results, but psychotherapy is being delivered online with an incredible amount of personal data that could be very damaging to individuals who have major roles to play in government, captains of industry and all sorts of other people. Don’t you think that health care should be added to Schedule 1?

Mr. MacSween: Thank you very much for the question.

I don’t disagree that the health care sector has absolutely been a target of malicious cyberactivity, and certainly it is the case that a lot of very sensitive personal information is held in that sector. However, as the ministers pointed out, the bill as written only applies to federally regulated critical infrastructure sectors.

In the case of Part 2, we will have to go through a process where we designate the operators of the vital services and systems, and that will happen as part of the regulatory process. I can’t say whether or not telecom service providers would be caught up in that if they are providing health care advice. I just don’t have that information right now. That process will happen later on.

Mr. Arbour: To build on that, the schedule under Part 2 is pre-populated with the most obvious, very clearly federal jurisdiction systems and sectors. We’re chomping at the bit to move forward — should this receive Royal Assent — with some very clear, urgent and pressing needs that are very clearly in federal jurisdiction. There is a range of more cooperative activities that perhaps Sami could speak to as well.

To the extent that there are issues within the telecommunications sector tied specifically to telecommunication services, there is scope there. To the extent that they are not captured but under federal jurisdiction, the schedule can be amended by the Governor-in-Council. It doesn’t require going back to Parliament, which allows for some flexibility, provided that it is within federal jurisdiction.

The last point I would make is that there are obligations within the privacy sphere in terms of generalized obligations on the private sector if in federal jurisdiction. If you are a private company — even in the health care space — you are subject to PIPEDA, and potentially under Bill C-27 as well which has expanded authorities to ensure that the private sector is protecting Canadians’ personal information.

Mr. Khoury: Besides Bill C-26, we at the Cyber Centre at CSE are very busy working with the health care sector. We take the protection of Canadians’ medical data very seriously, and we have seen, unfortunately, too many incidents affect the data and the health care system. We have constant engagement with the health care community to bring to their attention the latest threats that we are seeing and how to promote cyber hygiene to raise the collective bar. We constantly issue advisory alerts providing advice and guidelines on the latest vulnerabilities out there. It could be something on an MRI machine or an electronic medical records system. We are constantly communicating that information at all levels of the health care, both provincial and municipal.

Mr. MacSween: The ministers are on record as saying that Bill C-26, even though it applies to federally regulated sectors, is intended to be a model for other levels of government — provinces, territories and municipalities. We at the official level have done engagements with the provinces and territories, providing advice on the legislation and the requirements therein but also talking about regulatory harmonization so if they ever did go down the road to enact a similar type of legislation, then we would be ready, willing and able to have those conversations about how we can best support that. We have seen some legislative initiatives in Quebec and Ontario. They are novel, but they are trending in this direction.

Senator Duncan: Thank you to the witnesses.

There are significant gaps in Canada’s North where communications technology is very limited. The Rangers perform a vital presence in Canada’s North, and law enforcement throughout the North is the RCMP. Communications is vital to these two specific areas and the individuals involved. It is health; it is safety; it is personal safety; it’s also national security. When communication systems are not available, organizations turn to what is available, and that is perhaps a satellite link that is not provided by Canada or not provided by a Canadian. How will Bill C-26 help that situation? Canada’s answer is coming, but it is a ways away, and I am concerned that we’re going to be closing the barn door after the horse has left.

Mr. Arbour: Thank you, senator, for the question.

This issue is a huge priority for my department and for the government. In 2022, Minister Champagne announced the Telecommunications Reliability Agenda, which is that we are going to use every single tool in the toolbox to promote the reliability of the telecommunications system. Bill C-26 is a part of that agenda, but it is one part.

I’ll give you a few examples. The Dempster Fibre Line between Dawson and Inuvik was funded by the Connect to Innovate fund with Infrastructure Canada and the Yukon Territory. Another example of this would be a new regulatory regime the department announced in June to facilitate direct communications between average cellular devices and satellites. Historically, the technology would not allow for that, and you would need a special satellite phone. That’s another way to enable communications when you don’t have access to the terrestrial network.

In 2023, the government issued a formal policy direction to the Canadian Radio-television and Telecommunications Commission, the CRTC, under the Telecommunications Act. That’s a legal instrument on the CRTC. It set out a range of expectations, covering a broad set of issues on competition and consumer protection, but improving resiliency was a core stream of those efforts. The CRTC is looking at how it can best update its rules and programs, such as its broadband fund, to better support resiliency.

In terms of the authorities under Bill C-26, it ensures that security considerations are front and centre in the policy objectives of the act to make it clear that the government can take action. It has a set of tools to be able to do so in a nimble way against a variety of threats. That includes information‑collection authorities. If we hear or see concerns about a particular network system that requires further investigation, we can investigate it and, as necessary, impose obligations to mitigate it. That can go so far as an outright prohibition. In the case of high-risk vendor equipment, there are clear examples where the risk cannot be mitigated through less intrusive means, so an outright prohibition is indicated. Sometimes that might mean additional protocols or mechanisms to have that in place. In doing so, we want to make sure that we strike the right balance between what makes sense from an implementation standpoint and a risk-management standpoint, and then abilities to respond. We will never get to a risk level of zero. There will always be a forest fire or some other type of threat. Resilience is about not just having rules up front but also having rules and procedures in place to be able to respond to a crisis so that, when there is an incident, there is an ability to respond.

The memorandum of understanding that Minister Champagne talked about with the telecom operators — and this is an example of that — included voluntary mechanisms. They are just voluntary, but we are starting with, for instance, emergency roaming. When we had the tragic fires around Jasper, that enabled TELUS to have access to the Rogers’ network and route its traffic through them.

Senator M. Deacon: Thank you for being here.

I was encouraged, Mr. Khoury, to hear you talk about operators and sectors, what the threshold is, what the threat is and what it is not, and, of course, determining designated entities.

This is our night. We’ve opened up a bill here in committee. We’ve heard from our ministers. There are a whole bunch of people behind you who bring different expertise to support you. We will carry on speaking to and listening to other witnesses next week. My question is, with the wealth of knowledge behind you, is there anything that we have not touched on tonight that your teams bring that we should be hearing from you while you are here? We are asking questions, for sure, but to fill that gap, is there anything that we have not touched on that the folks in the room have expertise on?

Mr. Khoury: I can start and maybe ask my colleagues to chime in.

This bill is super important because it will give us a better pulse of the threat landscape that Canada is facing. Today, incident reporting is voluntary, so we don’t have that ability to assess — not just in a particular sector but across sectors — what the threat is. With that incident reporting, it will at least give us more data points so that we can see whether a certain sector is under attack or if, across a sector, there’s suddenly a new cybercrime group or a new state-sponsored actor that is going after Canada. We will have those data points.

The threat landscape is getting more and more complex every day. For us, partnership would be very important, not only at the sectoral level. Today, we have good engagement with the various sectors, for example, the banking sector, the telecom sector and the energy sector. We have very good engagement and regular meetings. We talk frankly and openly about what they are seeing.

If we can get into a specific program, I can ask my colleague Mr. Couillard to add more colour commentary on the nature of the partnership that we want to take up with those various sectors.

Daniel Couillard, Director General, Partnerships and Risk Mitigation, Canadian Centre for Cyber Security, Communications Security Establishment Canada: Thank you for your question. It is very surprising for you to ask us to tell you what to look for. I will pick up on Mr. Khoury’s point and try to highlight the big value that Bill C-26 will bring to Canada.

Part of the requirement that will be on designated operators is the creation of a cybersecurity program that will describe their security controls that they are putting in place to address those threats. What we have now is the ability to have a full feedback loop. As Mr. Khoury mentioned, if they see a threat, they will report to us, and if we see a threat, we can provide advice and guidance on how to mitigate that threat. Once we have all these designated operators reporting to us, we will be able to see if the mitigation we recommend — because that mitigation technically will be implemented by the designated operators and will be reflected in the cybersecurity program that they need to maintain as current. Every year, it needs to be refreshed. We will be able to see the value of the security controls and the advice and guidance we are giving. If it doesn’t work, we can change it, so we will have a feedback loop. Some of our Five Eyes partners don’t have that model. They focus on mandatory incident reporting, but they don’t have the feedback loop for advice and guidance that they are giving. For me, that’s a valuable process to implement.

In Canada, some large designated operators that we will have are obvious. The quantity of designated operators will be to a level that makes it workable for us to actually engage in a meaningful, deeper relationship with those designated operators, ultimately leading to better risk management. I think this aspect of the bill does not come out as much as it maybe can, but it is a fundamental benefit that we would have from this bill.

Senator M. Deacon: Thank you.

Senator Batters: Going back to the question from the Bill C-26 sponsor Senator McNair, law professor Matt Malone has pointed out that the lack of transparency in the secretive court proceedings under Bill C-26 is in direct contrast to the legislation governing creation of the Communications Security Establishment, and he states:

This diverges markedly from the thrust of the CSE’s enabling legislation, which seeks to impose greater accountability over certain conduct through prior authorization and review obligations. For example, under that enabling legislation, when the CSE’s spying activities contravene federal law or interfere with the reasonable expectation of privacy of individuals in Canada, the agency must obtain approval from the Office of the Intelligence Commissioner. Last year, the Commissioner fully granted half of such requests (three out of six). The cybersecurity direction powers in Bill C-26 are subject to no similar kind of review.

Why doesn’t Bill C-26 contain those types of review powers?

Mr. MacSween: Thank you very much for the question.

Obviously, one of the amendments that was made by the Standing House of Commons Committee on Public Safety and National Security was the issuance of an advisory to NSIRA and NSICOP because those bodies themselves were set up to ensure transparency and that there were groups that could look at all the classified information and make recommendations on the basis of what they were seeing. The advisories to NSIRA and NSICOP particularly in the case of cybersecurity directions are intended to be measures to ensure transparency and review of those cybersecurity directions if it’s required. In the case of both bodies, they do have broad access to all the information holdings at the Communications Security Establishment.

Senator Batters: May I interrupt you? Sorry, I have a limited time here. How do those bodies ensure transparency when they report to the Prime Minister? Their members are appointed to those bodies by the Prime Minister and they report to the Prime Minister, and then the Prime Minister’s office could vet those reports and provide to the public what they deem is necessary for the public to see. How does that ensure transparency?

Mr. MacSween: I don’t pretend to know the enabling legislation of the review bodies that well. I know that, in the case of NSIRA, they are independent of both the executive level of government and of Parliament. Again, the whole raison d’être for those bodies is so that someone can look at classified information and make a determination. I can’t speak to the actual appointment process.

On just the protection of classified information, because you asked about that, what is proposed in Bill C-26 is no different than what we could see in other regimes such as the Passenger Protect Program, and it is simply a mechanism to protect classified information from public disclosure. To protect the state’s most secretive information, whether it is information shared by an ally, collected by human source or by technical covert means, there does need to be a mechanism to be able to protect that. That is the regime that is set up in the case of Bill C-26 as it relates specifically to the cybersecurity directions. All of that can be reviewed by the Federal Court. A designated judge in the Federal Court can see all of that information and make their own determinations on the injury to national security and public safety. That’s consistent with the regimes we’ve seen in other administrative proceedings.

Senator Batters: Early in Minister LeBlanc’s opening remarks today, he talked about what a major threat ransomware is. Why is Bill C-26 specifically silent on the word “ransomware?” I found no explicit reference to it anywhere in the bill.

Mr. MacSween: Sorry, I missed the question.

Senator Batters: Minister LeBlanc was talking about ransomware and what a major threat it was, but Bill C-26 itself is silent on the very word “ransomware.” There is no explicit reference to it anywhere in the bill.

Mr. MacSween: As it relates to the mandatory incident reporting, it is threat agnostic. Regardless of whether it is ransomware or another type of malicious threat activity, that will need to be reported in to the Cyber Centre. The way the legislation is constructed is that we did not want to put specific references to specific threats in the legislation because those can change and evolve on a constant basis. You could see references to that, perhaps, in the regulations or in the cybersecurity programs, but in the legislation itself, if you look at it, it tends to be threat and technology agnostic so that it stands the test of time and does not become outdated.

Senator Batters: There is part of your bill, of course, that is already outdated. Bill C-70, which we passed in the Senate in June, had a portion that has already outdated a certain portion of Bill C-26.

Mr. MacSween: To be honest, I’m not an expert on Bill C-70, but I think the intention there, if I understood the policy intent correctly, was actually to amalgamate the security requirements for administrative proceedings into one piece of legislation under the Canada Evidence Act as opposed to bespoke pieces of legislation like the Passenger Protect Program or Bill C-26.

[Translation]

Senator Dagenais: My question is for Mr. MacSween. Mr. MacSween, the impact of some decisions, rulings and orders in telecommunications could go well beyond cybersecurity, given Canada’s less than harmonious trading relationships with countries like China, India and Russia.

Have you discussed whether the legislation could have an impact on our trading relationships? If so, on what sectors and how will this be managed?

Mr. Arbour: Thank you for your question. With respect to the telecommunications sector, it is of course important to consider potential negative feedback from other countries, but we hold regular discussions with our allies to converge on a policy between us and to protect Canadians in general. The protection of Canadians is the cornerstone of our policy.

This also applies to other economic sectors. Consistent policies among the Five Eyes and with other allied countries make for stronger policies that protect Canadians.

Senator Dagenais: Thank you.

[English]

Senator McNair: I had a question on the remote access or connectivity, but it was covered off by Senator Duncan’s question.

I just want to say that I liked Senator Deacon’s question, the catch-all, which is, what else should we have asked? In response to her question, as I understand it, the answer would be, “Ask us in a year; ask us in two years; ask us in three years.” The regulation-making process is not stagnant. It will be ongoing — evergreen, essentially — to make sure the document incorporates feedback you receive — from what you said, we are one exception of the Five Eyes — but the other part is so that it meets the current threat landscape at that time. Is that accurate as far as the process and the regulations?

Mr. MacSween: Yes, senator, I believe that’s an accurate description. As you know, the regulation-making process in this case could take anywhere from 18 to 24 months. Obviously, there is a great deal of consultation that will be required, especially in the case of Part 2, to establish the regulatory regime. We will need to be talking with our private sector partners, subnational levels of government, academia and civil society to make sure that what we build is correct and, most importantly, at the end of the day, to make sure that it is do-able by the industry partners as well and achieves the objectives of the legislation.

We will be learning a lot as we go. Part of the reason we set that up in the regulatory regime is because of the mandatory requirement to do the consultations with those partners as well. For a lot of that, we will absolutely be learning as we go. Another example — I will refer to what my colleague Dan mentioned — is what we see in the cybersecurity program. Part of the objective of this bill is to ensure a baseline level of cybersecurity across the various sectors. As we work with the finance, telecommunications and other sectors, we will be learning about what is in there, what is practical and what is realistic. We will be sharing that information between sectors to help them establish those programs. It will certainly be evolving over time.

As you rightly point out, in the case of Part 2, the legislation is deliberately constructed in that manner so that we can learn as we go and be able to adapt to the threats and how the landscape is changing, and also the technology, which is ever evolving.

Senator McNair: Fortunately or unfortunately, there will never be a “pens down” situation. You will always be working on it.

Mr. MacSween: I will be employable for the next few years.

Senator McNair: You should be.

Senator Kutcher: I must say that I do have a level of discomfort on the health care component. I will try to get my head around that for the next little while, particularly because, as Senator Yussuff pointed out, some of the health care providers are now international. You can go online and get interventions from somebody who is in another country, but you have no idea where that provider is. I will try to get my head around that.

My question is for Mr. Khoury. The threat landscape is evolving very, very quickly. Can this bill as written allow us to appropriately mitigate the threat landscape as it evolves?

Mr. Khoury: Thank you for the question, senator.

Absolutely, it can help us, because once the bill passes and we’ve finished the establishment of the regulations for those four critical infrastructure sectors on which Canadians depend, we will be able to get a true, accurate picture of the threats they are seeing day to day. Today, we strive to build good working relationships with many of those industries, with many of those corporations, but, nevertheless, we still have gaps in our engagements with them. This bill will give us a chance to get that pulse of the Canadian cyber ecosystem and be able to mitigate it and also work with them on mitigation. The bill establishes a framework that probably will sustain the test of time, but it will be on us to keep it alive and to work with the operators when they report an incident to make sure that we are timely in our reaction and that we can share that information with others.

Senator Fridhandler: I will follow on Senator Yussuff’s attempt to address the issue of offshore data because I don’t think we’ve got clarity yet. We seem to be able to regulate, to some degree, the import of nefarious equipment and utilization by operators, but does the legislation permit the minister or authorities to issue pre-emptive orders on data location? For example, if an operator decides that the best price for data storage is in North Korea, why would we not stop that just like we stop the import of equipment? Is there an ability under the legislation? If not, I would also like to know, from your expertise, are there disclosure requirements relative to where customers’ data might be stored so that they actually have a consumer choice in what’s happening? If there is no authority to restrict, whether pre-emptively or in reaction to events, was this even discussed and, if not, why not? Sorry for that mouthful, but I’m trying to get to the bottom line on this because it’s always a big concern.

Mr. Arbour: Thank you, senator, for the question.

In short answer, there absolutely are order-making or regulatory powers that allow for proactive obligations to protect against a full range of threats. The bill was developed with a view to try and anticipate the different threats that could exist, whether they be cyber or natural disaster or other types of bad behaviour. That would allow, within the telecommunications sector, for instance, the imposition of positive obligations on how they govern their networks. That could include both equipment considerations but also human factors or other business processes, if it would protect the Canadian telecommunications system. In looking at that, we will take a risk-management approach in terms of how that could be done. There is a range of different possible considerations in terms of how to best protect that.

The last piece, I would say, is just to circle back to PIPEDA and C-27, which applies more broadly. It is under the trade and commerce head of power, so it applies generally as opposed to being sector-specific. It does have specific obligations for the private sector in terms of the protection of Canadian data. Bill C-27 includes augmented enforcement authorities to ensure that the private sector respects those obligations.

Mr. MacSween: I could probably mention, too, under Part 2 of the act, one of the requirements to which designated operators will be subjected is to identify and mitigate risks from third‑party contractors. That’s a specific requirement in the act. Those risks will have to be outlined in their cybersecurity program, with the mitigation measures as well. When we say “mitigation measures,” we mean what they are doing to minimize likelihood that the risk will materialize or that the risk will happen in the first place. That is a strict obligation under Part 2 for those who are subject to the requirements.

[Translation]

Senator Carignan: I have a question about the no compensation clause. In the making of an order, the Governor‑in-Council takes into account factors like the financial impact on the telecommunications company. Then, a clause reads:

No one is entitled to any compensation from Her Majesty in right of Canada for any financial losses resulting from the making of an order under subsection (1).

This could be a really serious matter. Huawei is currently the supplier with the largest financial impact, but other companies once thought to be extremely solid are beginning to show signs of weakness given all the decisions affecting their activities. In fact, it’s surprising to see how debt-ridden some companies with a monopoly in the telecoms sector are.

Isn’t there a high risk of pushing businesses to the brink of bankruptcy if there’s no compensation clause? Is the department thinking of some other form of financial compensation or assistance to prevent hobbling these businesses due to cybersecurity concerns?

Mr. Arbour: Thank you for your question.

Let me give you an example. In the context of telecom regulations, spectrum licensing rules have a huge impact on wireless service offerings. We see the effect on service providers on a regular basis, and it’s essential to take this into consideration.

For high-risk equipment, the deadlines we set are based on networks’ procurement cycles. For example, the cut-off date for 4G equipment is 2027. We’ll also be consulting on the drafting of an order for this bill, for this type of impact to be taken into consideration. The aim is to have reliable, yet available, telecommunications services. So, we’re already used to operational considerations. To be clearer, there are specific requirements in the bill.

No one is currently entitled to compensation. However, we’re not opposed to the idea. If the government wishes to include it in the budget and provide grants to replace equipment, the option would exist, but no one is entitled to this type of compensation at the moment.

Senator Carignan: In the case of industry, businesses, telecommunications companies, cell towers, for example, equipment is approved by Innovation, Science and Economic Development Canada and your department ensures compliance. It’s a bit odd that you’d allow a part, which then ends up in the equipment, and two years later, when everything is installed, you say you’re removing it without compensation. That’s a bit odd.

Mr. Arbour: The impact on industry of any order or regulation taken in the current Telecommunications Act or in the Radiocommunication Act regarding spectrum management is critical. We have a variety of objectives. It’s not just about security issues; it’s also about increasing access to services in rural and remote areas and increasing competition. For example, with alternative or smaller service providers, there are incentives for the department to take these risks into consideration. To make the House process run more smoothly, amendments were brought so these considerations would be explicit in the bill. This is something that we’ve been doing for a long time.

[English]

Senator Dasko: I will be very brief. I had asked the ministers about sanctions, penalties and remedies in the bill. Obviously, there is mandatory incident reporting, and there are administrative penalties if these are not achieved, but these are for the domestic companies. When it comes to the perpetrators — foreign actors, state actors — does the bill have penalties and sanctions for the perpetrators of these crimes, and/or is it too difficult to do this because of the nature of who they are and the kinds of entities they are?

Mr. Khoury: Thank you, senator, for the question.

If I step back for a second, the perpetrators of these cyber incidents can be —

Senator Dasko: No. They are crimes.

Mr. Khoury: Some of them I would call crimes, and some of them are cyber incidents. We have the state-sponsored actors, and we have publicly named China, Russia, North Korea and Iran as being in the state-sponsored category. We have cybercriminals who are in it for the money, so they are the perpetrators of ransomware attacks or stealing information to then peddle it on the dark web and make money off of it. Often, the cybercriminal organization — or they are almost organizations, the cyber criminals — hide behind protections afforded by countries like Russia, so they are not within the reach of Canadian law. You can’t go and serve a warrant for their arrest in Russia.

Having said that, there are a number of tools that the Canadian government has at its disposal, either cooperating with organizations like INTERPOL and others to extend the reach of the prosecution of these perpetrators, or, at the Cyber Centre at CSE, we also have the authorities to conduct cyber operations to impose a cost on these actors.

Senator Dasko: It’s retaliation. Sorry.

Mr. Khoury: I call it cyber operations to impose a cost. Either one is a way by which — and also, we shouldn’t forget Global Affairs Canada has the diplomatic tools at its disposal to démarche or otherwise if the attribution points in a certain direction. There are a number of tools available, irrespective of Bill C-26, that the government can avail itself to today to impose a cost of some sort.

Senator Dasko: Thank you.

The Chair: Thank you, Mr. Khoury.

Colleagues, this brings us to the end of this evening’s meeting. I have the pleasure of thanking officials from Public Safety Canada; Innovation, Science and Economic Development Canada; and the Communications Security Establishment for being with us today. You have been very generous with your time and advice and the provision of information, including those things that we might have asked but didn’t. Thank you for going the extra mile there.

You do hugely important work every day on behalf of us in this room and Canadians. We ask a lot of you, and you operate in an area that we struggle to keep pace with. You appear to be keeping pace with it. I will say that, having travelled around a bit, the CSE and related agencies have a strong reputation — you know this — among our Five Eyes allies and beyond. We thank you for the important work that you do, and we may have further questions for you as we continue our consideration of the bill.

For the time being, colleagues, our next meeting is Monday, November 4, at 4 p.m. Eastern, here in Room C128 at the Senate of Canada Building. I finish by thanking my colleagues for your questions and interventions and for your time and effort in this regard as we study this important bill.

(The committee adjourned.)
