
THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS

EVIDENCE


OTTAWA, Monday, November 4, 2024

The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4:01 p.m. [ET] to study Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

Senator Tony Dean (Chair) in the chair.

[English]

The Chair: Good afternoon, colleagues. Before we begin, I would like to ask senators and other in-person participants to consult the cards on the table for guidelines to prevent audio feedback incidents. Thank you all for your cooperation.

Colleagues, before we begin today, I would like to take a moment to acknowledge our dear friend and colleague, the Honourable Murray Sinclair, who passed away this morning, as many of you know.

Senator Sinclair represented Manitoba in the Senate from 2016 to 2021. He had a highly distinguished law career prior to his appointment here, notably serving as the first Indigenous judge appointed in Manitoba. Senator Sinclair also served as the chair of the Truth and Reconciliation Commission, later receiving awards, including the Meritorious Service Cross, and the Order of Canada for his work on the commission.

Senator Sinclair, as you know, was dedicated to the community in many ways and was a force to be reckoned with in the Senate. He will be dearly missed by all of us and many beyond this place. I invite you now to share a moment of silence in his memory.

Thank you, colleagues.

Welcome to this meeting of the Standing Senate Committee on National Security, Defence, and Veterans Affairs. I’m Tony Dean, senator from Ontario, and I chair the committee. I’m joined today by my fellow committee members whom I welcome to introduce themselves, beginning with the deputy chair.

[Translation]

Senator Dagenais: Jean-Guy Dagenais from Quebec.

[English]

Senator Richards: David Richards from New Brunswick.

Senator M. Deacon: Welcome, Marty Deacon from Ontario.

Senator Cardozo: Andrew Cardozo, Ontario.

Senator Dasko: Donna Dasko, senator from Ontario.

Senator LaBoucane-Benson: Patti LaBoucane-Benson from Treaty 6 territory, Alberta.

Senator Boehm: Peter Boehm, Ontario.

Senator McNair: Welcome, John McNair, senator from New Brunswick.

Senator Yussuff: Hassan Yussuff, Ontario.

Senator Batters: Denise Batters. I’m a senator from Saskatchewan.

The Chair: Thank you, colleagues. To my left is the committee’s clerk, Ericka Paajanen, and to my right, our Library of Parliament analysts, Ms. Anne-Marie Therrien-Tremblay and Mr. Ariel Shapiro.

We continue our study of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. We’re going to hear from three panels of witnesses today who will share their insights on this bill.

In this first panel, I’m pleased to welcome, here in the room, Jennifer Quaid, Executive Director of the Canadian Cyber Threat Exchange, and Kate Robertson, Senior Research Associate, Citizen Lab at the University of Toronto; and, by video conference, Aaron Shull, Managing Director and General Counsel at the Centre for International Governance Innovation. Thank you all for joining us today.

We now invite you to provide your opening remarks, which will be followed by questions from our members. I remind you that you each have five minutes to present, and we begin today with Ms. Jennifer Quaid. Please proceed whenever you’re ready.

Jennifer Quaid, Executive Director, Canadian Cyber Threat Exchange: Good afternoon, Mr. Chair, and thank you for inviting me to participate in this critically important process.

Before I begin, I would like to clarify that my comments today will be limited to Part 2 of Bill C-26, the Critical Cyber Systems Protection Act. I’m honoured to be here representing the Canadian Cyber Threat Exchange, or CCTX, an organization created by Canadian companies to provide a safe environment for members to share cyber threat information and build cyber resilience by collaborating to understand threats and share best practices and ideas, to prevent successful attacks and the corresponding need to report. In a world where it’s not if but when an organization will be the target of an attack, the goal is to build resilience, not just in our critical infrastructure, but in all organizations to create a stronger economic environment for all.

With 190 members representing 15 sectors and more than 1.5 million employees, many of our members represent the sectors impacted by this legislation, while others may cut their supply chain, many of whom are small and medium-sized businesses, like so much of the Canadian economy.

There’s no question that this bill will strengthen Canada’s cybersecurity posture. It creates that common level of security for critical infrastructure across Canada, and it will provide increased awareness of what is impacting critical infrastructure, and that will be good for all of us.

The legislation will also assure our global partners that cyber security is a priority, and that measures are being taken to protect our critical infrastructure.

My concern with this legislation, as it is written, is that it focuses solely on reporting after a successful attack. In other words, it looks at how to close the barn door after the horses have gone.

The goal of the CCTX is to enable organizations to prevent a successful attack through improved knowledge and understanding. The rapidly evolving cyber threat environment necessitates sharing and collaboration among organizations, not only with the government. Cybersecurity is a team sport.

No organization can adequately develop and maintain the required level of cyber resilience on its own. Cyber resilience requires a broader approach. It is more than incident reporting. It requires sharing best practices and experiences in implementing the very security programs established here in this bill, sharing methods, preventing attacks and comparing experiences and technologies.

Many of the critical infrastructure organizations covered in this bill also participate in the CCTX because they realize the value in that collaboration, but their participation is limited by the perceived risk of exposure and litigation. They are sharing information in the U.S. that they feel they can’t share here in Canada.

If the objective of this legislation is to prevent cyber incidents, then we need to encourage and enable all parties to go beyond the required controls and reporting to regulators. We need to encourage them to create stringent controls in all systems and enable them to share relevant and timely information with their greater community and supply chain, many of whom are connected directly to their systems.

We need to create legal safeguards, so that they can share information and experiences, in order to warn others. This legislation provides us with an opportunity to create the legal protections we need. With a few minor adjustments, this bill could create safe harbour legislation that would have a truly lasting impact on the resilience of all organizations.

Safe harbour laws enable organizations to share information beyond operational capability with the greater community without fear of reprisal, information that may fall below the threshold for required reporting to regulators.

When done in conjunction with legislative requirements like these, we provide additional motivation for adopting increased security in all areas, not just critical systems.

We would create an environment that strengthens defences for all, a carrot and a stick.

Bill C-26, with a small change, presents an opportunity for the government to help thousands of companies strengthen their ability to protect personal information and sensitive data and create a truly resilient supply chain and economy.

Thank you.

The Chair: Thank you very much, Ms. Quaid.

Colleagues, we’ll now hear from Kate Robertson.

Ms. Robertson, whenever you’re ready, please proceed.

Kate Robertson, Senior Research Associate, Citizen Lab: Good afternoon, my name is Kate Robertson. I am a lawyer and currently a researcher at the University of Toronto’s Citizen Lab. My comments today draw on Citizen Lab’s research in cybersecurity and telecommunications, as well as constitutional law analysis I’ve submitted in a brief to this committee. Parts 3 and 4 of my brief set out recommended amendments to address constitutional deficits and a cybersecurity danger in the bill.

My brief builds on a report co-authored by a former colleague, Dr. Christopher Parsons, as well as analysis that I published earlier this year in The Globe and Mail with my colleague, Professor Ron Deibert, which warns of the encryption-breaking powers in Bill C-26.

I had the opportunity to observe last week’s hearing on this bill. Today, it would be most useful for me to be very clear on two key points. First, Bill C-26 does give the government power to make Canada’s networks less secure, such as by issuing orders to compromise encryption standards in 5G technology for lawful access purposes. Recommendation 13 of my brief, which has also been the subject of a parallel recommendation from numerous civil society groups, asks this committee to amend Bill C-26 to stipulate that the minister’s powers cannot be used to compromise the confidentiality or integrity of telecommunications services. This should not be a controversial amendment.

There are, unfortunately, pervasive vulnerabilities at the heart of the world’s mobile networks. Canada needs mandatory, uncompromised, and network-wide security standards. A defining feature of this law should be that no one — neither telecommunication companies, nor the federal government — should have the power to cut corners or compromise the security of Canada’s networks.

For years, analysts have warned of the security risks of lawful access back doors. When similar laws were pushed forward in the United States, the FBI discounted and minimized the warnings of cybersecurity experts. However, over the last month, reporting in The Washington Post documents how a devastating security breach is unfolding in the government-mandated access points in U.S. telecom carriers, which are, as we speak, being exploited in a China-based hacking and spy operation.

As of yesterday, The Washington Post reporting suggests that the hack is ongoing — that’s the belief — and has now left millions of mobile phone users on the networks of three major carriers ongoingly vulnerable to government surveillance by a foreign agency. This has included the phones of candidates for the President and Vice President of the United States, and senior campaign staff on the eve of the U.S. presidential election.

In a letter from United States Senator Ron Wyden about the hack, which I referenced on page 18 of my brief, the senator states this needs to be a wake-up call for the U.S. government.

Here in Canada, these events illustrate the significance of what is at stake and should be a wake-up call for us on Bill C-26 as well. Reporting by the CBC in 2017 demonstrated that for a member of Parliament, all that was needed was his phone number to understand and be able to surreptitiously monitor his phone calls, texts and locations.

I would urge you to heed the warnings of experts and civil society groups and ask you to make this critical amendment to the legislation.

A second point should also be clear. There was some suggestion made last week that this bill may not result in the Communications Security Establishment Canada, or CSE, collecting and using private data from telecommunication companies. However, there is no doubt that the current text of the bill, which is what matters, creates a broad and warrantless power to collect sensitive data from telecommunication companies and to disclose it to federal agencies, including the CSE and the Canadian Security Intelligence Service, or CSIS.

Contrary to what was implied last week, Canada’s national security bodies would not need new powers to create this extraordinary effect.

Telecommunication providers are conveyors of the most private information known to our legal system. The absence of Federal Court oversight is an enormous gap, and a constitutional deficiency in this bill. Recommendations 6 and 7 of my brief put this bill on stronger constitutional footing.

Because of my time limit, I would specifically invite a follow-up question from this committee on concerns why the current measures in the legislation are not adequate to this task.

Thank you.

The Chair: Thank you, Ms. Robertson.

Finally, on behalf of the Centre for International Governance Innovation, or CIGI, Mr. Aaron Shull. The floor is yours whenever you’re ready.

Aaron Shull, Managing Director and General Counsel, Centre for International Governance Innovation: Thank you, honourable chair and members of the committee, for the opportunity to speak today on Bill C-26, a vital bill that aims to secure Canada’s telecommunications and critical infrastructure sectors against rising cyber-threats.

While this legislation marks significant progress, there are specific areas that warrant closer examination to ensure a balanced and effective approach to cybersecurity.

First, the issue of procedural fairness. While Bill C-26 represents a substantial advancement in safeguarding Canada’s critical infrastructure, there is an incongruity between clauses 15.9(1)(c) and (e) that warrants further consideration.

Clause (c) rightly recognizes an applicant should be reasonably informed of the case against them in a summary of the evidence which is crucial for procedural fairness, yet clause (e) allows the judge to base decisions on the evidence that the applicant may never see. This discrepancy could hinder an applicant’s ability to mount an effective defence and risks undermining transparency and trust in the judicial process. It also puts at risk an applicant’s ability to respond fully, which is fundamental to procedural fairness.

To address this, I would suggest the committee consider adding a mechanism for independent counsel or a special advocate. This addition could help ensure fairness by allowing for a full review of the evidence on the applicant’s behalf while maintaining the confidentiality of sensitive information. Such an approach could help harmonize these provisions and reinforce the integrity of the process.

Second, information sharing standards. The bill establishes different standards for sharing information within the Government of Canada versus external entities. Clause 15.6 allows sharing internally, but restricts it to purposes such as compliance and enforcement, whereas clause 15.7 permits external information sharing, such as with foreign states or provinces, based on a much broader standard. That is to say, if the information is deemed “. . . relevant to securing the Canadian telecommunication systems . . . .” This discrepancy could lead to inconsistent oversight and may impact public trust in how sensitive information is handled. Aligning these standards would support a uniform and secure framework for information sharing, ensuring that all exchanges meet rigorous criteria for necessity and security.

Third, and finally, supporting small- and medium-sized enterprises and encouraging innovation. Small- and medium-sized enterprises, or SMEs, are essential to the supply chains of critical infrastructure sectors, but they often lack resources for robust cybersecurity, and they appear nowhere in this bill. Incentives, such as a tax credit for CyberSecure Canada certification, would help SMEs strengthen their defences and contribute to overall resilience. However, given the urgency of passing Bill C-26, these supportive measures may be better addressed in Canada’s forthcoming national cybersecurity strategy, where they can receive focused attention.

Similarly, there is a risk that operators may approach the bill’s requirements as a minimum standard, meeting only basic compliance requirements rather than striving for continuous improvement in cybersecurity practices. This compliance-focused mindset could stifle innovation in cybersecurity, an area that demands adaptability to keep pace with evolving threats. Encouraging innovation through the broader cybersecurity strategy could complement Bill C-26’s foundational requirements and foster a culture of proactive security.

In conclusion, Mr. Chair, Bill C-26 is a significant step toward strengthening Canada’s cybersecurity framework. By addressing the issues of fairness, aligning information standards and supporting SMEs and innovation through the forthcoming cybersecurity strategy, we can maximize the bill’s effectiveness and reinforce Canada’s resilience against cyber-threats.

Thank you, and I look forward to further discussion on these critical issues.

The Chair: Thank you very much, Mr. Shull. We will now proceed to questions, starting with our deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: My question is for Ms. Quaid. I would like you to expand on the dangers we face. Your reports and assessments refer directly to cyber-threats from countries like China, Russia, Iran and North Korea. Based on your observations, is it fair to say that the current government’s deteriorating relations with the leaders of those countries are systematically leading to an increase in cyberattacks? If not, how might enemy activity vary? I see you smiling.

[English]

Ms. Quaid: It won’t be helping. The deterioration of relations won’t be helping, but truthfully, the countries you mentioned, nation states that are attacking us and so many other countries in this world, have been doing it for a long time, and they are doing it for a variety of reasons. North Korea is effectively funding its nuclear program through successful cyberattacks. That’s not dependent on relations with our government. That’s simply demand and greed, and the others are doing it for long-term political gain.

[Translation]

Senator Dagenais: I’d like to talk about the potential sabotage of critical infrastructure in this country.

Have our intelligence services successfully thwarted any such attacks in recent years? How will Bill C-26 really improve our ability to protect ourselves?

[English]

Ms. Quaid: The benefit that we’re going to see from Bill C-26 in protecting critical infrastructure and its supply chain in many ways comes down to the supply chain. Truthfully, the larger organizations in our critical infrastructure have some of the most sophisticated cyber programs you can imagine. They’re good, they’re strong and they follow the highest levels of all the global standards, particularly those that deal with the cross-border side of things, like our energy sector.

But Bill C-26 enables the critical infrastructure organizations to push the cyber requirements down through their supply chain, so they are going to have to enable those suppliers to be stronger.

The truth is, nowadays all systems are integrated. Suppliers are connecting directly into their clients. That is a risk. Bill C-26 may help to stop some of that risk. However, I will point out what Aaron Shull said. Many of these organizations, these suppliers, are small and medium businesses. They’re going to need help, and they’re going to need support, but that is one of the benefits of Bill C-26.

[Translation]

Senator Dagenais: Ms. Robertson, can you tell us more about the constitutional issues and risks you foresee with Bill C-26?

[English]

Ms. Robertson: Thank you for the question. In my remarks, I have identified privacy deficits that have been analyzed in my brief as being a significant gap in the constitutional footing of this bill.

In addition to those issues, which I outlined, the free expression deficits follow very closely on the heels of those privacy gaps in the legislation. By that, I mean the non-disclosure orders that attach to ministerial powers, which are virtually unlimited in scope and will have the potential to meaningfully interfere with public debate about matters of critical importance to the public interest.

In the judicial review proceedings that are in the Telecommunications Act, for example, there is some provision for secrecy. However, it is specifically limited to matters which are injurious to international relations, National Defence or national security or endanger the safety of any person.

For the non-disclosure orders which attach to the ministerial powers, there is no limit on the reasons that the minister may apply for requiring non-disclosure, and they are virtually time unlimited in temporal nature as well. Both of these privacy issues, as well as what is, ultimately, a free expression problem, are significant in this legislation, notwithstanding some very considerable improvements since it was studied in the House of Commons.

[Translation]

Senator Dagenais: Thank you very much, Ms. Robertson.

[English]

Senator Boehm: Thank you, witnesses, for being here. I have a question for each of you.

Ms. Quaid, I was quite interested in your mentioning safe harbour. Could you give us a little more detail on that in terms of the partnership that you envision?

I’m going to ask all three of my questions so that they’re out there.

Ms. Robertson, in part, you’ve answered just now with Senator Dagenais the question that I had. Of course, Citizen Lab has a long history of supporting advocacy for privacy rights. Could you provide a little more detail in terms of how this bill could improve? I know you have proposed amendments, but the privacy protections, particularly with respect to surveillance, capabilities and critical infrastructure.

Mr. Shull, the last question for you goes back to a recent article that you had co-authored. You’re saying now the government is finally taking national security more seriously. To go back to the bill specifically, how would you assess the alignment of the bill with international best practices, and in particular, what can Canada learn from similar legislation in Group of Seven, or G7, countries given that we will be chairing the G7 process next year?

Ms. Quaid: Thank you for the question. When I refer to “safe harbour legislation” and the type of information that it would enable companies to provide to the greater community, first and most important, I’m not suggesting that information should not be shared with regulators and with our Canadian Centre for Cyber Security. That is critical — absolutely critical. I’m talking about the type of information that in our industry we would call “Left of Boom,” before an attack happens, or before a successful attack happens, because attacks happen in the thousands per day. It’s the type of information that, if an organization talks about it, could show weaknesses in their system, and that could create litigation problems for them. So they don’t speak.

Every system has its flaws because the attackers are changing things on a daily basis. It is the type of information that, if they were able to share it, would help other organizations to strengthen their defences, so that a single attack stays as a single attack, as opposed to being a successful one-time that becomes multiples. That’s what we would like to see happen.

Senator Boehm: Thank you.

Ms. Robertson: With respect to privacy details in the legislation, there was some discussion last week as to the existing measures in the legislation, which some witnesses offered as protective with respect to privacy.

One of those measures is that there is a carve-out that predated the explicit addition of this amendment, which states that the bill does not authorize the interception of private communications. However, telecommunication carriers host troves of sensitive data that can be collected in ways that do not fit the technical definition of interception of private communications. That’s a very specific legal term that has a narrower scope compared to what telecommunication data includes.

The Privacy Commissioner of Canada testified in the House of Commons, and I agree with his testimony when he stated that if the collection and sharing powers are not more specifically constrained, this could lead to the inappropriate collection and sharing of data such as subscriber account information, communication data, website visits, metadata, location data and financial data. This speaks to the enormity of the potential reach of this very broad collection power, which in section 15.4 gives the minister the ability to ask for any information from these entities.

Mr. Shull: Thank you, Senator Boehm. It’s a pleasure to see you as well. I’ll touch on the two big pieces, the first on critical infrastructure protection.

It roughly lines up. The U.K. has the network and information systems regulations. The U.S., through the Cybersecurity and Infrastructure Security Agency, or CISA, has various mandates. Australia has the Security of Critical Infrastructure Act. They’re roughly similar. They’re focusing on critical infrastructure because it’s, well, critical. There are differences, to be sure.

Also, focusing on telecommunications security and high-risk vendors. Again, that focus is exactly right, looking at how you manage risk from high-risk vendors. They do it in the U.K. and the U.S. The one point I would raise is that this bill is largely silent on explicit criteria or a process for designating and banning specific high-risk vendors. The U.S. has been clear — Huawei and ZTE — but there are no comparable criteria within this bill to make those designations.

Senator M. Deacon: Thank you to our witnesses and all of you for being here today. It is a very important topic, and your work is important.

As I was thinking about this yesterday, I was thinking about duopolies and monopolies in our telecommunications at risk. I’ve formulated a question that I hope is something you can respond to. I think I’ll start with you, Mr. Shull.

Looking at the current state, frankly, of Canada’s telecommunications sector and what it might mean for cybersecurity, whenever we discuss this topic, I can’t help but be reminded of the Rogers blackout in 2022, not that long ago, which wasn’t even an attack. It was simply human error that brought the lives and businesses of 12 million people to a standstill for days.

It seems that annually, the telecommunications options for Canadians are dwindling. I’m specifically thinking about the recent Shaw acquisition by Rogers, for instance.

Given how important these services are to our daily lives, is consolidation in this field a threat? It would seem on the surface that taking down one or two big targets could potentially cripple the country’s internet services. I wonder if we should be encouraging competition here while also hitting the brakes on consolidation.

Mr. Shull: That’s a great point, senator. It’s nice to see you as well. The standard kind of logic would say that you’re building in a single point of failure, that you’re reducing diversity and resilience and that you are effectively bringing your supply chain under one roof, so if there is a vulnerability in the supply chain, it’s going to permeate those. Also, there is a concentration of sensitive data. All of that stuff is true. There is also a greater risk of insider threats because if there is only one and there’s one insider, then you have a real problem. There are certainly national security implications.

I might remain silent on the competition and innovation side, except to say that I think I personally pay too much for my cell phone. If we can deal with that, for sure. I know what I know, and cell phone amalgamation isn’t on my list.

Senator M. Deacon: Line up for that cell phone reduction. Would either of you care to comment before I go to a second part? Okay. That’s great. Thank you.

If we look at this and we carry on and we have a duopoly or fewer providers, what could the government do to ensure there are redundancies in the event of an attack? Do you think the legislation covers or addresses this?

Mr. Shull: I think that’s kind of what it’s going toward as it relates to critical cybersystems, at least, and making sure that we don’t have bad gear in our back end. I think that is precisely the evil that is being remedied here — making sure there is no problematic gear in the supply chain.

Also, for what it’s worth, it may be outside the ambit of this bill, but there is the cyber centre, and they are doing good work. For what it’s worth, CSE are among the best in the world. I know many of them, and they are hard working.

This is what it comes down to, this idea of issuing directives and cybersecurity orders. While it’s not specifically enumerated in the bill, there is technical assistance and support that’s available. There are tools that are at play, but it is precisely that issue, senator, that you raise that I think is the principal evil being remedied as a consequence of this bill.

Senator M. Deacon: Thank you. Ms. Robertson, there were a number of amendments made to the legislation in the other place related to reasonableness, oversight and privacy protection before it arrived in the Senate. You mentioned a number of changes you would like to see, and I wonder if any of the amendments they did got it right, in your view, before we get to this table.

Ms. Robertson: I would simply note — maybe one of your colleagues can explore this further — many of those amendments are actually inapplicable to the information collection powers in clause 15.4.

Senator Yussuff: Thank you, witnesses, for being here.

Ms. Quaid, if I could come back to you, you raised an issue about supply chains. As you know, the supply chain is not just in Canada; it extends beyond our borders, and our ability to find out whether or not that supply chain is compromised is not adequate or does not meet our standard and is very problematic. Most of our major telecom companies currently outsource a significant portion of the work and the processing of data outside of the country.

How can we assure Canadians that their information is protected? Equally, if there is a breach, how would we ever know, given we have no control over what happens to this information?

Ms. Quaid: Thank you for the question. That is part of what this bill will do. The organizations that are governed by this are responsible for their supply chain.

Let’s remember that just because you have offshored something doesn’t mean that you are no longer responsible for it, and they know that. They are currently responsible for that, and they treat the information and the protections with the respect that they require and deserve. This bill will simply help to ensure the reporting on any of that.

Senator Yussuff: Let me continue. If our information were to be breached outside of the country, it would be very hard for us to know, given some of the countries that we’re dealing with — and we have incredible tension right now with India. A significant amount of our information is processed in China, given the contracting out. How would we ever know if that were the case?

In the specific case of India, we have a specific diaspora in our country who are worried about how they are being targeted by the Indian government. How do we even assure them that, yes, we understand the companies are responsible, but the company can’t even tell me if my information has been breached in India?

Ms. Quaid: I think that’s true of almost any organization and company that you are doing business with. You specifically referenced the telcos, but I think retail and so many different organizations offshore are still responsible for parts of their data collection and data privacy. If it has been breached and they are aware, then they would have to inform.

This is where I’m going to reiterate what Mr. Shull has said, and that is, our Canadian Centre for Cyber Security is very good at what they do. The CSE is very good at what they do. They are there to help the organizations — and they will — to determine whether or not there has been a breach and how large it is.

Senator Yussuff: Let me continue on this because this is one of the areas I’m trying to focus on.

In the context of a breach of information, I understand the obligation and responsibility. I’m coming back to the fact that given how important our network is to the vitality of our country — to our government and industry — if that information is stored outside the country and the country may not be able to say with any certainty that we can allow our information to be stored, isn’t it problematic for us passing a piece of legislation that has no curtain around where that information should be stored?

Ms. Quaid: It may be problematic, but that becomes the purview of a bill on privacy, and PIPEDA would govern part of that. This bill really deals with the critical cybersecurity systems, and that’s its focus. So, you may have a very good point. It just might not be the purview of this piece of legislation, unfortunately.

Ms. Robertson: I very respectfully have to disagree with my colleague here because I certainly appreciate that this is a privacy issue, and it was mentioned last week that the Personal Information Protection and Electronic Documents Act, or PIPEDA, would have some applicability here. This is what the Citizen Lab has been saying with respect to the historical deficiency in telecommunication networks that are subject to a range of complex, interlocking threats that have led to significant deficits in the security of our telecommunications services. The layers and layers of contracting and subcontracting is a locus point for some of these deficits, including pervasive geolocation surveillance, which is perpetuated around the world based on some of the signalling protocols that operate as a result of some of these contracts and subcontracts.

This is why we have said that it’s wrong in this legislation to fixate too much on select, high-risk vendors to the exclusion of some of the ongoing historical deficiencies that have been plaguing the world’s networks for a very long time, and why we need public transparency about how these orders are used or not used. That’s because part of these risks are a direct result of passive or lack of regulation among jurisdictions around the world. I’m happy to provide in writing after this meeting some of the parallel processes that are happening in the U.K. right now with the Office of Communications, or Ofcom, to specifically address the cybersecurity threats related to third party contracting.

Senator Yussuff: If you could do that, it would be very helpful for the committee.

Senator McNair: Thank you again to the people testifying today. This is a question for all three of you, and I expect there will be a difference of opinion on it.

You talk about this bill. We’re putting it in place to try to implement cybersecurity infrastructure to deal with cyberattacks. Ms. Quaid, you correctly indicate that our concern is that the number of attacks taking place each day is multiple thousands. We’re trying to avoid successful attacks. There are some timing issues with this legislation.

Ms. Robertson, one of your colleagues from the Munk School of Global Affairs & Public Policy was before our committee on another matter and used the quote, “Don’t let the perfect become the enemy of the good.” If you had to choose at this point whether to pass the bill as it is with over 40 amendments that have been made at the House of Commons — I understand, Ms. Robertson, that you would say that they do not deal properly with some of the issues relating to clause 15 — would you pass this legislation and work on improving it after the fact or would you hold it? That’s for all three of you. Ms. Quaid, maybe you could start.

Ms. Quaid: I’m glad I’m not in your chair. I would probably pass it because we are eight years behind some of our colleagues in putting forward legislation like this. It has been a very long time in coming. We have lost the faith of some of our colleagues because we don’t have these protections in place. I would probably pass it, reluctantly.

Ms. Robertson: We’re speaking about historical deficiencies that have been persisting for decades. I also don’t envy your seat. However, for me, the decision is clear that we need powers that have a compass point that is focused and directed to the destination that we want to go. With respect to the part 1 powers that are proposed in this act, they are not pointed to the correct compass point because at bottom we need laws that say that neither the government nor telecommunication companies have the power to compromise our networks.

The unspoken conversation that is happening in this bill — conversations that you did not have last week — is that these powers give the government the power to compromise our next-generation solutions. If we’re going to compromise those solutions, then I’m not sure what this bill is for, because functionally it is akin to saying that we should drill holes in the hull of a cruise ship in order to bring more life rafts or balers or life jackets aboard. That, quite frankly, doesn’t make sense. We do know that there have been some — I believe it was put last week — arrangements that are being made through various agreements to improve the status quo. But if we’re going to create a law on this, it needs to be the right law.

Mr. Shull: I would just preface this comment by saying that I am a huge fan of both Ms. Quaid and Ms. Robertson. I am going to diverge a little bit here. I say, “Pass it, and pass it as quickly as you can.” I am a big fan of judicial review, and if you can add in special advocates for the most sensitive aspects, that gets you 95% of the way there. Were it different, I would have offered more amendments, but as it currently stands, it’s a pretty good bill and I wouldn’t let the perfect get in the way of the good enough.

Also, as it relates to your colleague’s previous question, there is an entire ecosystem around this. If I were advising a private client, we would be conducting vendor risk assessments, using threat intelligence and monitoring tools, deploying end-point security solutions, implementing supply chain visibility and inspecting software and firmware updates. We would be putting authentication controls up and down the chain; we would be red teaming and pen testing our networks and looking for indications of compromise, putting in zero-trust architecture, reviewing vendor-incident reports and requiring disclosures. This bill does not exist on its own. There is an entire ecosystem of cyber-experts and cyber-lawyers like me who, if we’re doing our job properly, are going to be mitigating the risks my colleagues have done an admirable job of setting out.

Senator Batters: Thank you to all of you for being here and for your important work on these topics. The idea of “Don’t let the perfect be the enemy of the good” might be my least favourite expression. We are the Senate of Canada. It is our job to make bills more perfect. I am the critic of the bill, so I think it’s part of my job to help make this bill better.

I also want to point out the House of Commons had this bill for two years. We only received it on the very last day we sat in June. Really, we’ve just been dealing with it for a bit over a month. We can afford to give it a little bit more time and good scrutiny. After all, we are the body of sober second thought.

I would like to start with Ms. Robertson from the Citizen Lab. What are the most crucial amendments to make to Bill C-26 to improve it and strengthen privacy protections for Canadians? You were referencing your updated brief in your remarks, but we as committee members don’t have it yet because it has to be translated before we receive it, so we don’t have it today. That’s important so that we can have it in both official languages. We don’t have it. You were making good references to it, but I haven’t been able to see it yet.

I was just looking at clause 15.4, which is a shockingly broad section as it exists right now. Maybe that’s something you want to speak about?

Ms. Robertson: Thank you for the question. I certainly understand the disadvantage that the timing of the filing and translation has put the committee in, in terms of consideration of the issues.

I’ll start with what is textually both problematic in terms of your question on the core privacy problems because it starts from the exceptionally broad language of clause 15.4, as you note in your question. I would go farther from there to look at some of the measures that are currently being offered or described as the measures for oversight or review.

Right now, judicial review was mentioned last week as a way that the courts will be involved. It is not applicable to the collection power in clause 15.4.

There is a new parliamentary reporting obligation added in the study of Bill C-26 in the House. It is not applicable to the collection power in 15.4. There are new notification obligations for the National Security and Intelligence Review Agency, or NSIRA, and the National Security and Intelligence Committee of Parliamentarians, or NSICOP, that are not applicable to the minister’s collection power in clause 15.4. There is a theme here.

There is also mention made that there is no interception of private communications in this bill. I spoke about how that only carves out a small subset of the data that is at issue and at stake here. One of the other measures that have been proffered — which was proffered during the study of the legislation, I don’t believe, as a result of a request for that amendment — which is to cite the Privacy Act, which we know applies. However, the government is not required to comply with the Privacy Act for the totality of its privacy obligations. It’s required to comply with the Constitution. Leaving aside the many statements by the Department of Justice Canada, parliamentary committees and the Privacy Commissioner, which have all had a refrain that the Privacy Act is sorely outdated, it is still not enough for this task.

That’s precisely why federal agencies that currently have the authority to collect data from private telecommunication companies do not turn to the Privacy Act for their authority. They have specialized legislation that requires that, for a collection power of this extraordinary magnitude — the most private information that our legal system recognizes — the courts review requests, and they can exercise restraints around retention, the scope of use and sharing.

That is the most significant gap in this legislation: The Federal Court has been essentially ousted from a review of the collection power itself. That’s what we recommend in recommendation 6, which you will ultimately receive, which refers to the need for Federal Court review. However, recommendation 7 in the brief is also there to recommend that these powers do not balloon, essentially, into surveillance or national security powers. This committee was told that this bill is about cybersecurity and not about national security. However, we know from the departmental positions of national security bodies like the CSE, data received for cybersecurity purposes will be used across its mandate. That ballooning effect should be constrained through what I recommend as recommendation 7, which is to limit the use of this data to cybersecurity mandates alone.

Senator Batters: Thank you. I will go on a second round, if there is one.

Senator Dasko: Thank you to our witnesses for being here. My questions are for Ms. Quaid and Ms. Robertson.

You’ve each expressed some criticisms of the bill. Ms. Quaid, you were calling for a broader approach — safe harbour laws going, as you said, below the threshold in some ways. Ms. Robertson, you seem to be suggesting something different. I think you’re saying that the bill perhaps doesn’t go quite far enough, but, Ms. Robertson, you’re saying it perhaps goes too far because it has powers that place privacy at risk through the powers in the bill.

I don’t think I’ve ever asked a question quite this way, but I would like to ask Ms. Quaid this: What do you think about the concerns that Ms. Robertson has? Please stick with substantive issues as opposed to — do you share any of the concerns that she has expressed?

Ms. Quaid: Of course I do, but I’m not a privacy expert, and I am certainly not a privacy lawyer with that depth and breadth of understanding and knowledge.

Senator Dasko: But calling for changes, as I understand them, that might actually lower the threshold for privacy considerations.

Ms. Quaid: No. Let me clarify that. The change that I am calling for is the addition of enabling safe harbour protection for the six sectors that have been impacted by this legislation. Safe harbour protection would simply enable those companies to talk about things with the greater public without fear of legal reprisals. In other words, it enables them to share information about things they are seeing, doing and experiencing without fear of lawsuits.

That’s all I’m asking for. It has nothing to do with the privacy piece that Ms. Robertson has so eloquently spoken to.

Senator Dasko: It wouldn’t jeopardize any privacy if companies were in a position to share more information? It certainly sounds as if it could go in that direction.

Ms. Quaid: The types of information they would share would be information about their cybersecurity systems and their policies and procedures — no personal information.

Senator Dasko: Would you care to comment? Perhaps I would ask you what you think about Ms. Quaid’s suggestions.

Ms. Robertson: The coincidence is that we had —

Senator Dasko: You both make a great deal of sense, so I’m trying to see if there might be some sort of common ground between you in what you’re saying. Even though you’re speaking about different aspects of it, I see similarities in the areas you’re addressing. I’m just trying to see if there is a common ground at all.

Ms. Robertson: Yes. I don’t believe there is a misalignment between the recommendations and the topics that we are addressing this committee on. There are different aspects of the effects of this legislation.

I agree with Ms. Quaid’s comments. They resonate because we have — and I have in my brief — ultimately talked about the importance of the public’s right to understand their own cybersecurity and that there have been legacy deficiencies that have exposed people around the world to pervasive insecurity and historical telecommunication networks that were never designed to be secure in the first place; that wasn’t their originating purpose. However, there has been excessive secrecy in how telecommunication providers operate, intermediate and are regulated in, essentially, a self-regulated way. That has meant that individuals and external, independent cybersecurity experts have not had access to the type of information to fully understand the extent of those threats.

That’s why we have recommended in what you will ultimately see as recommendations 1 to 5, I believe, of my brief. They are textual changes to make this bill less excessive in terms of its potential secrecy, because as cybersecurity is a team sport, the public have a right to know. No one’s suggesting there should be mandatory reporting on unpatched vulnerabilities, which was a reason offered for why the orders have nondisclosure provisions attached to them. However, that specific reason for secrecy is much narrower than the potential secrecy that we may see in whether the government ultimately requires our networks to be secure at a network level. That’s why we say that if there is secrecy, it should be narrowly constrained. Specifically, we’ve agreed with the civil society recommendation that if there is going to be a nondisclosure order beyond, let’s say, a period of three months, Federal Courts should have to approve any extension of that secrecy or nondisclosure.

Senator Richards: My question has been answered a dozen times. That’s what I get for being last. Thanks very much for being here.

I have a quick question: How big a divide do you see between security and individual privacy, and how can your recommendation be integrated into the bill without losing what the actual bill intends? If there are amendments on these recommendations, how will they ever get passed in the other place?

I’m asking Ms. Robertson that.

Ms. Robertson: I see. I will have to, unfortunately, leave the political analysis to political experts. I’m here as a constitutional law expert who has very talented colleagues who have expertise in cybersecurity and technology. This should be a non-partisan issue because, as we’re seeing unfolding in the United States at present, there are systemic vulnerabilities that this bill should be focused on ameliorating. However, right now, this bill carries powers that will potentially compromise the very solutions to these problems, and so we are asking for targeted, specific amendments to ensure that, as I indicated earlier today, our compass is pointed in the right direction. I have a number of specific amendments that are included in our brief that provide specific textual language as to how to accomplish these goals.

Senator Richards: I wasn’t asking you how they would get past — I was referring to that for myself, but thank you very much.

The Chair: This brings us to the end of our time with this panel, but many of you would like to continue. Thank you, Ms. Quaid, Ms. Robertson, and Mr. Shull, for sharing your insights and taking the time to meet with us today. It’s relatively rare that as many senators as we saw today want to hear answers from all three witnesses, so that is very much a commendation toward your knowledge, skills and insightful contributions, so thank you for helping us today with this important piece of legislation.

Colleagues, we’re meeting to continue our consideration of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

Next hour, we have the pleasure of welcoming from the Canadian Chamber of Commerce, Ulrike Bahr-Gedalia, Senior Director, Digital Economy, Technology and Innovation, and from IBM Canada, Tiéoulé Traoré, Executive, Government and Regulatory Affairs, and Daina Proctor, Executive, Cybersecurity Services, and from the Canadian Telecommunications Association, Eric Smith, Senior Vice-President. Thank you very much for meeting with us today.

We now invite you to make your opening remarks to be followed by questions from our members. And we will begin this evening with Ulrike Bahr-Gedalia from the Canadian Chamber of Commerce. Please begin when you’re ready.

Ulrike Bahr-Gedalia, Senior Director, Digital Economy, Technology and Innovation, Canadian Chamber of Commerce: Mr. Chair, members of the Senate, good evening, my name is Ulrike Bahr-Gedalia and I’m the Canadian Chamber’s policy lead for the Digital Economy Committee, Future of Artificial Intelligence Council and Cyber. Right. Now. Council.

As Canada’s largest and most activated business network representing over 400 chambers of commerce and boards of trade, as well as more than 100 associations and over 200,000 businesses of every size from all regions and economic sectors of Canada, the Canadian Chamber is pleased to once again provide feedback on Bill C-26 following our appearance before the House of Commons Standing Committee on Public Safety and National Security, or SECU, in February.

I’d like to start off by acknowledging the adoption of some changes the Canadian Chamber had put forward during the bill’s committee study, the deletion of clause 10, thereby restoring due diligence defence, removal of the requirement for immediate reporting of cybersecurity incidents and harmonization with existing obligations.

I’d also like to acknowledge the recent appointment of Sami Khoury as a senior government official for cyber security, a role and responsibility the Canadian Chamber’s Cyber. Right. Now. Council had been advocating for over the past two years, with a goal to ensure policy coherence, coordination of cybersecurity activities and initiatives, and alignment of resources across the government, all while increasing and improving two-way information sharing, which was also a concern we had expressed during our previous appearance.

While we are pleased to see the House SECU committee conclude their study on Bill C-26 and support the bill overall, certain amendments are still needed at this stage to ensure the bill reaches its full potential.

More specifically, with respect to the Telecommunications Act, while we applaud the House for making important changes to the bill, including a due diligence defence for administrative monetary penalties, we remain concerned that the bill suggests companies can be compensated for changes they may have to make under this regime. We believe the Senate should amend the legislation to allow the minister or Governor in Council to award compensation on a case-by-case basis.

With respect to the Critical Cyber Systems Protection Act, or CCSPA, our members continue to seek the following improvements: Two-way information sharing; as currently drafted, the CCSPA only contemplates one-way information sharing from designated operators to the government. We believe this is a missed opportunity and a potential weakness; a clearer definition of a reportable cybersecurity incident. This will ensure industry is not forced to report events that do not pose a material threat to a vital system. Failure to clearly define the parameters for a reportable incident will undermine the purpose of the bill and overwhelm government authorities who will have to process each cyber incident reported.

Another area of concern is the continued rise of ransomware incidents. In this context, we commend Canada in its involvement in the International Counter Ransomware Initiative, or CRI, which includes the development of a CRI public-private sector advisory panel.

The following facts emphasize the severity and urgency for more action on this issue. The RCMP states that almost 60% of cyber incidents reported to its national cyber crime coordination centre are ransomware attacks. The Canadian Centre for Cyber Security calls ransomware the most disruptive form of cyber crime facing Canada, and the most recent national cyber threat assessment report notes that ransomware is the top cyber threat facing Canada’s critical infrastructure, and Bill C-26 is about protecting Canada’s critical infrastructure.

While this bill has increased visibility of ransomware and other cyber-threats, we believe the issue of ransomware requires more public discussion and study and would encourage the Senate to look into how this scourge is affecting our country beyond the critical infrastructure sectors that the federal government focused on in this bill.

As more collective action and coordination to combat this growing challenge is required, the Canadian Chamber, together with the Cyber. Right. Now. Council, will be hosting their second cyber security and ransomware Hill Day later this month to discuss these challenges and opportunities with senior government officials from across government departments, ministries and agencies.

To conclude, we would like to stress the urgency to pass the bill so we can move on to developing the regulations and implementation framework. The clock is ticking, and the geopolitical environment continues to get worse, as does cyber crime.

Thank you for listening and for the continued opportunity to participate in the study of Bill C-26.

The Chair: Thank you.

[Translation]

Tiéoulé Traoré, Executive, Government and Regulatory Affairs, IBM Canada: Thank you, Mr. Chair. On behalf of IBM Canada, thank you for the opportunity to appear before the committee regarding Bill C-26.

[English]

This testimony — focused on Part 2 of the bill — will largely repeat the points initially made before the House of Commons Standing Committee on Public Safety and National Security last winter.

IBM continues to support the essence of this bill, an initiative made necessary in the wake of the digitization of the global economy, and the subsequent rise of cybercrimes. Cybersecurity protocols are not “nice to haves”: they are essential components of the foundations of business and governments.

Critical infrastructure is the number one target of cyber breaches, with each instance costing on average $9 million. Canada being a G7 country, it should indeed lead by example in this crucial file.

Last winter, we highlighted what we saw as issues that could prevent the government from truly fulfilling the bold mission embedded in Bill C-26. Months later, we are still of the belief that Bill C-26 should strive to clean up definitions, seek broader alignments with more mature cyber systems and avoid the excessive and unfair targeting of individuals.

Having discussed these topics with the House of Commons Standing Committee on Public Safety and National Security in February, my colleague, Ms. Proctor, will now provide additional points for each recommendation.

Daina Proctor, Executive, Cyber Security Services, IBM Canada: Thank you for the opportunity to discuss this important bill. My name is Daina Proctor, I’m a security executive with IBM.

Having had the opportunity to listen to last week’s testimony, I resonate with much of the commentary and also share many of the same concerns expressed.

The recent CRA breach highlighted the concern for existing government bodies to effectively consume and communicate the breach and breach awareness. It highlighted the challenges with our private and public partnerships, which we all recognize are essential if we are to collectively raise the bar for securing our nation’s critical infrastructure, which is ultimately the goal of Bill C-26.

Contrary to some of the testimony from last week, however, I would offer that there remain concerning misalignments with international standards and overreach of government that collectively are counter to the private and public partnership we are all seeking and are equally causing a chilling effect on our cybersecurity professionals.

It’s well documented and known that skilled and experienced cybersecurity professionals are in short supply. Statistics indicate that at the moment there are over 28,000 roles open right now in Canada; however, chief security officers, or CSOs, are equally leaving the industry more now than ever due to the burnout they’re experiencing.

I have found in my personal discussions with chief information officers, or CIOs, and CSOs across the country that Bill C-26 has inspired many to prepare resignation letters. There are a number of reasons why this chilling effect, as expressed in my appearance earlier this year, is occurring, but with time in my mind I just want to talk about two of them.

First is misalignment with international standards. The legislation penalizes victims of cybersecurity incidents through overly punitive compounding fines. This unfairly assumes the cyber security threat is the result of negligence. A criminal conviction can be imposed, a criminal conviction that can impose up to two years’ imprisonment. An uncapped fine, a personal liability on the part of an individual, despite the absence of prosecution or a conviction.

Respectfully, the enforcement actions that may be taken against individuals should be removed. At a minimum, we offer that there should be a defined standard to demonstrate objective and substantiated culpability and that scope be expanded to apply equally to our federal government agencies.

The next concern is with overreach of government. While IBM recognizes the need for compliance oversight, we suggest the government’s involvement be clearly articulated and limited to what is needed to enforce the provisions of Bill C-26. IBM recommends specifying and limiting the powers of regulatory authorities and related individuals. The power to impose remedial actions, for example, should be strictly restricted to critical situations meeting specific non-compliance thresholds. IBM suggests incorporating clear language outlining the steps that must be taken to mitigate cyber risks while ensuring that responsibility is appropriate but also proportionate to the risks involved.

In conclusion, we believe that enhanced harmonization with international standards, revision away from the punitive elements, and clear safeguards from potential government overreach would strengthen Bill C-26’s mandate to protect our critical infrastructure and encourage further private and public partnerships.

Thank you so much for your time. I look forward to your questions.

The Chair: Thank you very much, Mr. Traoré and Ms. Proctor. Finally, Mr. Eric Smith from the Canadian Telecommunications Association. Welcome. Please commence whenever you’re ready.

Eric Smith, Senior Vice-President, Canadian Telecommunications Association: Thank you. Good evening. The Canadian Telecommunications Association is dedicated to building a better future for Canadians through connectivity. Our members include service providers, manufacturers and other organizations that invest in, build, maintain and operate Canada’s world-class telecommunications networks.

I appreciated the opportunity to appear before you today to present our perspective on Bill C-26.

The security of Canada’s telecommunications system is of the utmost importance. Accordingly, our members invest significant resources to safeguard their systems and infrastructure from cyberattacks and other threats. Members also actively participate in the Canadian Security Telecommunications Advisory Committee, or CSTAC, which facilitates the exchange of information between the private and public sectors as well as strategic collaboration on current and evolving issues that may affect telecommunication systems, including cybersecurity threats.

In addition to providing connectivity services, many of our telecommunications service providers also deliver cybersecurity solutions to businesses across the country, helping them protect against cyberattacks. In other words, our industry takes security seriously and is committed to the security of the Canadian telecommunications system.

In our submission to the House of Commons Standing Committee on Public Safety and National Security, we raised several concerns with the initial version of Bill C-26 as it relates to the proposed amendments to the Telecommunications Act. We’re pleased to see that the amendments to the bill put forward by the House committee reflect many of our recommendations, including placing additional safeguards around order-making powers, adding a list of factors that must be considered before an order is made, requiring that orders must be proportional to the gravity of the perceived threat, expanding the definition of “confidential information” to include personal information and de-identified information, and reinstating the due diligence defence for violations of orders.

However, we have some remaining concerns. First, the proposed changes to the Telecommunications Act provide that:

No one is entitled to any compensation from Her Majesty in right of Canada for any financial losses resulting from the making of an order . . . .

We already know from real-life examples around the world that removing and replacing telecommunications equipment can be extremely expensive, hinder the expansion of telecommunications services to underserved communities, and in the case of smaller network operators, even threaten their ability to continue operations. Precluding compensation in all cases is unnecessary and unwise.

We propose a simple fix. These subsections should be replaced with the following:

An order may provide for compensation for financial losses and other costs if, in the circumstances, the minister [or Governor in Council, as applicable] considers it reasonable to so provide.

Second, although the bill provides that orders are subject to judicial review, the legislation provides that a judge can base his or her decision on evidence that the appellant is not allowed to see, and therefore, cannot challenge. This process robs appellants of procedural fairness and makes no effort to provide for alternative means of testing the government’s evidence, such as the appointment of a special advocate with the appropriate level of security clearance.

Third, while the House standing committee has put forward an amendment requiring the minister to report on an annual basis the number of times that an order supersedes a decision by the Canadian Radio-television and Telecommunications Commission, or CRTC, there remains no obligation for the commission to promptly notify the public as to which of its decisions have been amended or rendered unenforceable by an order. Overturning CRTC decisions without notice can erode public trust in regulatory bodies and create market uncertainty in regulatory decisions. They can be overturned without notice or explanation.

Thank you for the opportunity to express our views on these important issues. I’m happy to answer any questions you have.

The Chair: Thank you very much, Mr. Smith. We will now proceed to questions. As usual, four minutes for each question, including the answer. Please keep your questions as short as possible.

We begin the questions with our deputy chair, Senator Dagenais.

[Translation]

Senator Dagenais: My first question is for Mr. Smith. Mr. Smith, Bill C-26 comes as no surprise. Have people in your industry been able to be proactive in developing their facilities in anticipation of the restrictions that could come along with such a bill? Have contracts with suppliers had to be cancelled? Given that these things must be negotiated, are new technologies from abroad being verified?

[English]

Mr. Smith: Thank you for the question. Yes. Even without Bill C-26, our industry has been very proactive in implementing security protocols, working, as I said, through CSTAC, the public-private sector committee, to look at best practices to protect telecommunications systems. That has been an ongoing activity.

With respect to particular vendors, we know that a couple of years ago, the government requested that telecommunications providers cease using equipment from certain foreign vendors, and industry participants voluntarily agreed to do so and have been taking action to implement those changes.

[Translation]

Senator Dagenais: Could the development of our telecommunications networks be jeopardized because certain equipment suppliers pose a security risk? If so, can you provide some examples?

[English]

Mr. Smith: Certainly, as we’ve heard from other witnesses, telecommunications and other critical systems are made up of many different components. That’s no exception for telecommunications. There’s a supply chain that supplies equipment to operators around the world.

Governments work together and the industry works together to take measures to ensure they are using reliable equipment that is both resilient and safe. If an issue does arise, that’s really what this bill is targeted toward. The industry obviously does not knowingly implement security risks into their systems, but they work with government to identify potential risks and ameliorate those. This is really a backstop that would allow the government greater powers to make orders if they feel there’s something that needed to be done that was not being done.

[Translation]

Senator Dagenais: Ms. Bahr-Gedalia, you mentioned your recommendations regarding compensation that could be paid to companies forced to comply with regulations enacted for security reasons. Do you have a rough estimate of what such compensation measures could cost the government?

[English]

Ms. Bahr-Gedalia: I don’t have any specific amount or evaluation in mind, but in conversations with our telco members, of which we have all in our membership, it has become very clear that they have spent billions building their networks. Those networks come with enormous complexities, so they would be looking for some kind of compensation on a case-by-case basis. Mr. Smith had also mentioned the rationale of a reasonable judgment. Just modifying those networks could be incredibly costly and could also impact the services Canadians receive.

I want to comment that when a company may be required to make a change to the network, they should be able to make representations to the government to request that compensation if that change is required due to their previous investments.

We can’t envision all scenarios where the government may use this legislation. Therefore, outright banning of compensation is felt by members to be slightly heavy-handed, so they appreciate some flexibility to be allowed within the act.

Senator Cardozo: I have a couple of questions. Ms. Bahr-Gedalia, I’ll start with you. I tend to agree with Senator Batters’s point that our role is that of sober second thought. This is a very important bill, and if we feel we should amend it, we should. On your point about ransomware, you have concerns about it in this bill, but if we don’t make changes here, what other means would you see that issue being dealt with?

I’ll ask my second question now, if you don’t mind. Mr. Traoré, you and your colleague Ms. Proctor talked about overreach, and a feeling that you want us to move away from punitive measures in this bill. If you want to limit abuse and the misuse of information, isn’t it the norm to have punitive measures to guide behaviour in that direction?

I’ll start with Ms. Bahr-Gedalia, please.

Ms. Bahr-Gedalia: In terms of ransomware and to address this issue any further, I mentioned the Cyber. Right. Now. Council a few times, which is a group of experts that would kindly offer to the Senate and to the government at large to provide solutions and insight on how this could probably be solved or addressed. Members of the council have also agreed, and one member in particular, if the Senate is interested, to appear, testify and have conversations with the Senate about these particular issues.

The Cyber. Right. Now. Council, which I established for the Canadian centre, is a hub of experts. We’ve been around for four years now and going into our fifth year. If you wish to look further for recommendations into this particular topic of ransomware, ransom payments and such issues, we would offer our expertise to meet with us at any given moment.

Senator Cardozo: When you have that forum you mentioned on ransomware, if you can send us a report once you have a report, that would be helpful.

Ms. Bahr-Gedalia: Which forum?

Senator Cardozo: Did you mention a forum?

Ms. Bahr-Gedalia: Yes, absolutely. The Canadian Chamber of Commerce will be holding a Hill Day on cybersecurity and ransomware on November 18. Absolutely.

Mr. Traoré: We have to look at the underlying assumption behind these punitive financial sanctions. The idea that a cyber incident is the result of gross negligence, which, thankfully, isn’t always the case, or mostly the case. We are dealing with threats that are more elaborate, using technology that is very complex and very new against actors that are always on their back foot because you’re preparing for something that you don’t know is coming and in what form. Knowing that, more often than not, the victim of a cyber incident is a victim and was hit by something they never saw coming and knowing that we believe, as written, Bill C-26 doesn’t identify these scenarios as possibilities and paints a picture that isn’t always rooted, like the very serious nature of a cyber incident.

Senator Cardozo: Would you think there is some level of due process in that people wouldn’t get fined before there was due process? People could make the case that it wasn’t their fault.

Ms. Proctor: Indeed and as they should. To your point of having a punitive nature to guide behaviour is exceedingly fair, and that is found in other international regulations. Where this deviates, however, is the individual. An individual who often does not have decision-making power nor had culpability that has been proven. Our suggestion is to define a standard, which, if they’re not being demonstrated against it in an objective way or with a substantiated culpability, then they not face that.

When we look at other international organizations and standards such as General Data Protection Regulation, or GDPR, the California Consumer Privacy Act, or CCPA, or even SOCC, it’s an organization. Only when there is intentional malice proven against an individual is there penalty against an individual. That would be our suggestion: to guide without penalizing an individual.

Senator M. Deacon: Thank you for being here today. I’m going to direct this question first to the Canadian Chamber of Commerce, but if we have time, others are certainly welcome to respond.

We’ve read that a large number of Canada’s small- and medium-sized enterprises, or SMEs, struggle with cybersecurity. A 2021 KPMG report found that while 95% of the Canadian SMEs do surveillance for potential cyberattacks, only 56% test the effectiveness of these cyber defences.

My question is this: We know that not all SMEs would fall under the umbrella of this legislation, but their cybersecurity is still very important, especially when it comes to data breaches and personal information for their customers. From your perspective, and that of the people you represent, is there a hope of a trickle-down effect? Could this legislation be the tide that lifts all boats when it comes to cybersecurity in our private sector?

Ms. Bahr-Gedalia: Thanks for the question. SMEs are very important to the Canadian Chamber of Commerce, and the groups I mentioned are all comprised of many SMEs across different industries and sectors.

One of the goals of the Canadian Chamber of Commerce is to create greater public awareness and education around certification for SMEs. I’m bringing this down to a point. At a higher level, we have Bill C-26. We are waiting for the national cybersecurity strategy, which we hope will launch soon, in order to have the overarching strategy, which, I hope, will also include an outlook on SMEs. The Canadian Chamber of Commerce has been asking — and this is publicly known — for an SME cyberdefence fund to help SMEs protect themselves better.

How we have suggested to go about it is to reallocate funding from already-existing programs, which have been untapped or have been under-resourced in terms of funding available, and reallocate this funding toward that fund to help SMEs. The Canadian Chamber of Commerce has been advocating for this for at least the last two years, and we have had conversations with government on this level. We think this is one way to address it and help SMEs as well. This is a publicly known initiative that the Canadian Chamber of Commerce has been driving. We are not asking government for more money. We are asking the government to reallocate funding of programs that may have been underutilized.

Senator M. Deacon: Thank you. Would anyone else care to respond to my question?

Mr. Traoré: At IBM, we compile a Cost of a Data Breach Report every year, and the cost on average of a cyber breach instance is $6.32 million, which is a figure associated with companies. This is in Canada. It’s a figure that’s associated with big business here in Canada, but also with SMEs. Obviously, in the context of being victims of cyber incidents, that is a sizeable amount of money. If you factor in the cost of compliance and punitive sanctions being bestowed upon an actor who was a victim, that is a cost that is ballooning up. That is definitely something worth keeping in mind.

Different actors won’t have the same capabilities in terms of making sure their systems are adequate and they can effortlessly comply with this framework.

Senator M. Deacon: Thank you.

Senator Boehm: Thank you, witnesses, for being here. My first question is for Ulrike Bahr-Gedalia. I heard you speak about compensation for SMEs, about funds that would be set up, contingency-type funds.

But there is another element there of technical assistance, and that is the ease with which some might be able to fill out their applications. We’re talking bureaucracy here. For a small- and medium-sized company, that could be difficult and too involved. Are you contemplating technical assistance? If so — and I know you have international experience — have you looked at what other jurisdictions might have done to facilitate what small- and medium-sized enterprises could undertake?

Ms. Bahr-Gedalia: Thank you for the question. First, I am well aware of the complexity of a lot of programs government has put out there for SMEs to complete the application, sometimes only to find out at the end they might not be eligible.

We would set up the SME cyber defence fund. We would have to structure the format — it is still a work-in-progress — learning from exactly these programs that have been too complicated and cumbersome to complete.

We have looked at one example from the United States, and there happened to be an example from Malta as well. I know it is a small jurisdiction, but how they implemented a cyber fund for SMEs is something we could possibly look at in terms of access, ease of use and the application. I’m fully aware of that. We would not, at the Canadian chamber, add more burden to SMEs in terms of completing applications and applying for funds. Our goal is to make it easy. Providing assistance means getting it right from the beginning, so you don’t need assistance to complete these applications.

Senator Boehm: Thank you very much. I have a question for Mr. Smith as well. In your testimony, you frequently referred to your concerns about operational flexibility in terms of dealing with and balancing the security mandates that are implicit or explicit in Bill C-26. If this bill is passed without major amendment, would you see that being addressed in the implementation phase?

Mr. Smith: In terms of balance, there have been good amendments proposed in different areas of the act in terms of the proportionality of orders, for example. Orders have to take into account the differences of the companies that are impacted by those, their size, the operations of that company and their ability. I think there are some good protections that are being proposed in there. We’re on the right track in that respect.

Senator Boehm: Thank you.

Senator Batters: Thank you to all of you for being here today and helping us with this complex bill.

First of all, to the Canadian Chamber of Commerce, with these brand new requirements on such complex measures in Bill C-26, I know that small- and medium-sized businesses will be reaching out to you to express their concerns, as your members are concerned about their ability to comply with this bill once it comes into effect.

Maybe you could tell us what those major concerns are. Do you believe the government should assist with some dedicated funds to help smaller businesses meet cybersecurity standards?

Ms. Bahr-Gedalia: I’ll start with your last question. I’m always in favour of helping SMEs, but I’m also aware of not asking for new money in order to implement any funds. Of course, it would be helpful if there were a navigator program or any help and assistance, as we’ve seen with other programs in the past around immigration processes and so forth. There are already models that could probably work.

Again, back to my earlier point, if we could reallocate funds, as the Canadian chamber wouldn’t ask for new funding, that would be helpful to SMEs.

Anything that is a new bill and new legislation impacts small businesses in that new burdensome regulations might be coming their way. It is the nature of any new legislation and regulation, and I think small businesses do understand that. There is a community of support that the Canadian chamber provides where we would also be in a position to support small- and medium-sized businesses. To your point, they will come with us to ask questions and we will make ourselves available to help as we see fit.

Senator Batters: Thank you. One of the major things that I’ve noticed about this bill is the fact that it has no breakdown, as some of you have mentioned, as far as small- and medium-sized businesses have a certain level of potential maximum fine. It just says that for a corporation, the maximum penalty is $10 million or $15 million for subsequent violations. If there’s no breakdown, then it deals with individuals to just say $25,000 or $50,000 for subsequent violations. Obviously, that will come with precedent, but there should be some kind of indication right away.

Ms. Proctor, from IBM, during your intervention in the House and also here today, you mentioned that certain parts of Bill C-26 go well beyond very well-established international cybersecurity standards, particularly in relation to regimes of our allies. Could you tell us more about the aspects of Bill C-26, which, in your view, go beyond those international standards? Which elements, in your opinion, risk imposing unnecessary constraints or complicating the practices of Canadian industry compared to international standards?

Ms. Proctor: Thank you very much. Wonderful question.

Certainly, the international standards are broad. Starting with some of the overreach that you mentioned and asked about, the overreach relative to sharing of information but also allowing a government organization, specifically, having a minister have the ability to go on site, audit documents, dictate remedial actions are all further than many of our allies have gone. Balance that against the individual punitive natures goes just a little bit further as mentioned in our earlier conversation and earlier questioning. It’s usually stuck more directly to the corporation and only when found to have malicious intent or individual culpability, knowing culpability, does it go toward an individual.

Senator Batters: Exactly. When you have these types of sanctions, such as potential jail time, and I know the government is saying if it doesn’t go beyond negligence, there isn’t jail time, but that’s maybe cold comfort dealing with some of the things we’re dealing with here as your colleague said earlier. We’re not dealing with potentially gross negligence, and there doesn’t seem to be a requirement for that. It could be simply not adhering to the standards, perhaps.

Ms. Proctor: If I may, supplemental to that, cyber-threats — and I feel a little trite in saying this — are evolving every day. It’s a sophisticated business wherein there is recruitment, job advancement and exceedingly lucrative terms. Our ability to thwart that at every pass isn’t just because someone didn’t do something right; it’s that they did. I’m mindful to this bill of being guiding and informing, while also not having a chilling effect so that people don’t want to work in this industry and help us protect our critical infrastructure.

Senator Batters: Thank you very much.

Senator McNair: Thank you for the testimony you’re giving today. I think all of you touched on the fact that the bill specifically says, “no compensation.” No one is entitled to compensation. When officials were asked that last week, their response was that doesn’t mean that the minister or government in special circumstances or appropriate circumstances can’t give compensation. Maybe you could each comment in the order you presented. I assume that doesn’t give you enough comfort from your perspective.

Ms. Bahr-Gedalia: I speak, of course, on behalf of my members. It would be nice to see it in writing then. I would like to think as part of the bill, not as a verbal confirmation, but as written confirmation, and laid out so it can be referenced as needed.

Mr. Smith: We’ve heard that before and not just last week but in other discussions with government officials. I don’t think there’s any reason why we should set up a debate over what the word “entitled” means. We’ve seen some very good amendments proposed to this legislation. We proposed what I think would be a very simple one. We’re not asking to say there is a right to compensation. It’s just that it may be ordered, and as my colleague beside me said, there should be a mechanism that allows companies to make representations as to why they believe compensation is appropriate. I think it is an easy fix. I don’t think this is backing government into the corner by making this change. It’s just clearing up something that could cause unnecessary disputes in the future.

Senator McNair: This is for IBM. You already have a very effective and good cybersecurity program in place. From your perspective, if this bill passes, how will this practically affect how you deal with it on an everyday basis?

Ms. Proctor: The good news is it allows us to continue to work with our critical infrastructure, or CI, partners and our entire ecosystem. It will not substantively change, however. We do an awful lot of work internationally intentionally to align our clients from a regulatory-control perspective to make sure they are aware. If I lean this out a little further and say that as we all lean toward adopting generative AI and preparing for post-quantum cryptography, the topic of data governance is on all of our minds and in all our conversations.

That topic of data governance is predicated on knowing where your data is, who has access to it and the security controls around it, which this regulation would become part of. This regulation would be swirled into that ecosystem of how we maintain our organizations and ensure that data governance to ensure we can lean forward into those new advancements in a very positive manner, just as many of the advancements like the CCPA did just not too long ago.

Senator LaBoucane-Benson: This is for the Canadian Chamber of Commerce. Ms. Bahr-Gedalia, you called for clear definition of reportable incidents. Last week, the government officials told us these would be developed in regulation rather than law because the tech and the threat landscape changes so fast and so quickly. I think Ms. Proctor mentioned that as well. I imagine you’re eager to be consulted on those regulations. Do you have any thoughts about what the definition should be?

Ms. Bahr-Gedalia: First, I entirely agree that it would be timely to leave it up to the regulations because of, as I mentioned at the end of my remarks, the urgency of passing this legislation with the discussions we had here today and considerations, of course, of leaving it up to regulation.

I was prepared for this question because if I ask for a definition, I should be prepared myself. We were looking at the Department of Homeland Security in the United States. I remember that the White House had commissioned a study. They haven’t landed yet on a “cybersecurity incident” definition. I wanted to lean my definition on that outcome and product, again, to talk to our alliances, key trading partners and international harmonization. At this point in time, it hasn’t been really approved, and it is actually a comment I made during my February 5 appearance as well. I brought this forward and there hasn’t been any definition concurred, but I would strongly encourage that we look at those definitions to ensure Canada aligns with its international counterparts.

Senator LaBoucane-Benson: This question is for Mr. Smith, but I know that Ms. Proctor also weighed in on it. It is around the entitlement to compensation just to further clarify or talk about it. It doesn’t say that the government can’t choose to provide compensation. What it says is that the companies just don’t have an inherent right to it. My brain says, “Well that means the companies can’t sue for compensation because it clearly says they’re not entitled to it.” Nothing precludes the government from entering into a negotiation or a conversation if something really blows up and money has to be spent. It’s something that the government should wade into. Nothing stops them from doing that. Mr. Smith, am I reading that wrong, or is that a reasonable way to read that clause?

Mr. Smith: It’s a reasonable way to read it, but I think the fact there has been so much discussion around it means the language as it rests today is uncertain and there is a difference of opinion. I think this is the time to add clarity to it.

Senator LaBoucane-Benson: Thank you.

Senator Yussuff: Thank you, witnesses, for being here. I think we would all agree that cybersecurity attacks are increasing on a daily basis. They are an incredible cost to companies and individuals because individuals don’t have any control when their personal information has been compromised and used against them. Standards are going to be critical, and holding those that are responsible for maintaining a standard is, going forward, fundamental.

Ms. Proctor, I think I heard you say that obviously you have some worry about individuals being held accountable. In the same vein, as we try to elevate whatever the standard might be, obviously, there are global standards that our companies are following, but we don’t want to remain there because everybody is evaluating what somebody is doing and they’re raising their standard.

What would you say is fair in the context of what we’re dealing with? Because the reality is today you can’t do anything without putting your information in a device, and somebody is going to get it. Given the degree of trust with which we’re relying on companies to protect that information, how does the public become more politically aware, not only as to what’s at stake for us as a country, but also to what’s at stake in general for all of us when we put our faith in businesses, in government and in, of course, the practices they’re going to tell us when something is truly compromised, so we’re not going to spend the rest of our lives worrying that somebody has our information and when they’re going to use it against us?

Ms. Proctor: I think that’s a brilliant question, and it speaks a little bit to a level of breach fatigue we all have where there is almost a little bit of apathy to it because it’s already been breached or people think my information is already out there or my credit card is already known. There is a level of apathy that I’m mindful about.

My colleague mentioned IBM’s Cost of a Data Breach Report 2024, which certainly leans into a lot of the challenges we’re seeing. What we encourage and what we’re seeing benefit from, however, is recognizing the number of breaches, while increasing, are also shifting. We, as consumers, municipal governments, provincial governments, and federal governments are wiser. We are setting controls and regulations that are improving and benefiting ourselves.

The point that I really want to lean into that I would wholeheartedly agree with is that awareness. I think individuals who testified last week also leaned into this: that the awareness is key to this. Private-public partnership and the respect within it, I believe, are foundationally based on sharing of information and how we share that.

Earlier testimony was speaking of safe harbour. I would encourage us to go almost a little bit further than that, meaning that during breach response, we’re learning from each other without punitive measures. The Cost of a Data Breach Report 2024 had over 600 companies that were reporting breaches. One of the biggest findings was over 50% do not report because of fear of a punitive nature.

Senator Yussuff: But isn’t that a problem? If I trust you with my information and you don’t tell me or you don’t tell the government, how do we have any confidence in the system that we operate in, because we don’t have a choice? I can’t go back to where I dial a telephone so somebody wouldn’t hack my device.

The world is evolving at a much faster pace, and we need to keep up. The businesses that are utilizing whatever system, we don’t get to tell them what system to use. Don’t they have an obligation and a responsibility to recognize that they have a large degree of obligation to the people who are trusting them with their information?

Ms. Proctor: They do indeed, and the regulations go a long way to ensuring that their duty of care is aligned to a standard that is recognized as the right level of care. That goes back to malicious intent versus unknowing attempt versus a threat actor or being compromised by a savvy professional — all very different aspects. To your colleague’s comments earlier, that would be ideal: Just shift the regulations and Bill C-26 to have further levels of definition, if not also remove the individual culpability where malice or mistreatment isn’t intended.

Senator Yussuff: Individual culpability — in terms of drafting the regulations, you could put clarity to the regulation —

The Chair: We have to keep going.

Senator Richards: Thank you for being here. I asked this question of the last panel, and I wasn’t clear about the answer, if I got one.

What I asked was this: Is there a way to integrate the concerns of your individual rights with the needed security aspect of this important bill unless the bill is quite seriously amended — and that this bill is vitally needed, but is this the actual bill that is needed, or do we need some kind of compromise for the people involved? I ask any of you to maybe answer that.

Mr. Traoré: We understand the government’s intent to ensure the regulations can clear up some of the definitions and carve outs that are necessary to really fulfill the mission of the legislation. As we said at the onset, we do share the essence of this bill; we were aligned with the government in the sense that we need to act, and act now. When we’re looking at the cost of an average cyber threat that is majorly touching critical systems, there’s a need to act now. We need to ensure that Canada’s infrastructure is on par. This bill is trying to do just that.

We do believe, however, that the devil is in the details. A few definitions could be amended right now, before the regulations, to bring some certainty into the government’s resolve.

Ms. Proctor: I would agree with my colleague, Mr. Traoré.

Senator Richards: My second question is this: Do you know how many cyberattacks Canadians face on a daily or weekly basis, or are there just too many to count? How would you answer that?

Ms. Proctor: I have a view to the number of cyber attacks that IBM is assisting our clients and partners on a daily basis, but I would not begin to make a statement of how many in Canada are being encountered.

Last year, the number of records breached — and a record would be an individual’s credit card or an individual’s personal identifiable information, or PII, data — there were over 24,000 breaches of records last year.

Senator Richards: Thank you.

The Chair: We have time for two more questions.

Senator M. Deacon: Back to the chamber again, a number of amendments we know were adopted in the House, and I’m trying to sort through all these specific concerns raised by witnesses in those hearings. The Chamber of Commerce — I knew there was concern expressed around duplication and onerous reporting standards of the term “reportable cyber security instance” was not better defined. For its part, the Business Council of Canada was also concerned about the lack of a risk-based methodology — the blanket reporting standards that would catch up low-risk operations when looked at through the lens of national security.

Did the amendments that were made to address those concerns?

I’m just going to add something about high- and low-risk operations, but, first, with the concerns that were addressed — here is what we’re concerned about — do you believe the amendments that were offered to the House addressed those concerns?

Ms. Bahr-Gedalia: The concern of the definition of a “cyber incident” is still outstanding. I think this is why I was earlier asked the question to which I would hopefully look forward to being able to answer one of these days in order to give you a definition — so that wasn’t addressed, which is why I was referencing it again and pointing out that we were pleased that the changes were made that the Canadian Chamber of Commerce had been asking about, which was the one you just pointed out.

From that perspective, I would think our members would be looking for more clarification, but as noted earlier, that could probably also be addressed in the regulatory process in the regulations.

Senator M. Deacon: So how would you suggest we define “high-risk” and “low-risk” operations? What recourse would a business have if they disagreed with the designation they were given? Is there any thought that any of you have given to that?

It’s at our table, which is fair. I think about that, because that is going to be a question. That’s why I wondered if it was something that you had given any thought to.

Ms. Bahr-Gedalia: We could perhaps briefly say high and low risk reminds me of a conversation on another bill looking at those systems. These conversations have been happening at the Canadian chamber table, and with members but not pertaining to this bill. However, we have had discussions and are aware of the importance of the differences. We would have to look, probably, at more definitions pertaining to Bill C-26.

Senator M. Deacon: Thank you. Fair enough.

Senator Batters: Going back to the Chamber of Commerce on this, with respect to this reportable cybersecurity incident — that it remains undefined and the government is saying it will be defined in regulations — what are the potential consequences to an individual and to a corporation for offending that provision of Bill C-26? What could they be facing if their conduct, which is still undefined in the bill and potentially just left to regulations — what sorts of consequences could they potentially face under Bill C-26?

Ms. Bahr-Gedalia: I’ll answer this question by saying I would have to look at our bills or regulations in place where such consequences have been implemented and if it is comparable. But what particular consequences for not reporting, what kinds of penalties or what kinds of consequences, I wouldn’t be able to lay them out, nor would I want to suggest any.

Senator Batters: To IBM, are these the type of things that could potentially fall within the very punitive penalties that are provided in this bill, either potential jail or very huge fines?

Ms. Proctor: Yes, is the easy answer. The definitions from designated operator to the incident response or the incident itself and the response mechanism are all collectively part of the challenge of what that means for how we operate.

To your earlier question of how are we operating this? This will guide. So the interest is not simply on certain terms; it is relative to how each one of those terms is going to impact the other. An organization’s ability to change their organizations shift and implement the technology needed for it will not be immediate, so I daresay there would need to be a burn-in or normalization period to it as well to ensure alignment with them after the regulations have been further defined.

The Chair: Thank you very much. This brings us to the end of our time with the panel. It’s my privilege to thank Mr. Smith, Ms. Bahr-Gedalia, Ms. Proctor and Mr. Traoré for being with us this evening and for your very clear answers to a number of tough questions. You could tell from the interest around the room how much thought your presentations provoked. We’re grateful for you being here and for helping us with this important legislation. Beyond that, you have jobs that I’m sure keep you awake at night and on some weekends. We thank you for that and for the very positive impact that this has on your clients and Canadians across the country. On behalf of the committee, thank you very much for doing that. It’s very much appreciated.

For our final panel of the evening, I welcome, from the Canadian Internet Registration Authority, Byron Holland, President and Chief Executive Officer; and Matt Malone, Balsillie Scholar at the Balsillie School of International Affairs. I thank you both for joining us today.

I invite our panellists to now provide their opening remarks. You have five minutes each for this testimony, and we will begin with Mr. Byron Holland of the Canadian Internet Registration Authority. Whenever you’re ready, please go ahead.

Byron Holland, President and Chief Executive Officer, Canadian Internet Registration Authority: Thank you very much. Mr. Chair, members of the committee, my name is Byron Holland, and I’m the President and Chief Executive Officer of the Canadian Internet Registration Authority, or CIRA. Thank you for the invitation to share our views and recommendations on Bill C-26.

The Canadian Internet Registration Authority is the not-for-profit organization best known for operating the .ca domain registry. In simple terms, this means that CIRA manages all 3.4 million .ca domain names, ensuring all websites and emails ending in .ca connect to the global internet and vice versa.

We maintain a global network that ensures the .ca domain is quickly available no matter where you are in the world, and we have a broader mission to promote a trusted internet, which we work toward by providing high-quality registry, domain name system and cybersecurity services, and by investing in the internet community. The Canadian Internet Registration Authority participates in numerous fora to provide and promote the security and resilience of the internet.

We’re long-time leaders in global internet governance, and this includes extensive engagement with the Internet Corporation for Assigned Names and Numbers, or ICANN, the global coordinator of the domain name system that ensures your web browser can reach websites like Canada.ca. We also contribute to the Internet Engineering Task Force, where the technical standards that underpin the internet are developed.

The Canadian Internet Registration Authority also provides cybersecurity services that keep over 8 million Canadians safe online, including CIRA Canadian Shield, our free cybersecurity service that protects Canadian households from online threats; DNS Firewall, our enterprise-level DNS protection used by over a thousand Canadian organizations, including many cybersystems; and Anycast DNS, our global infrastructure that increases the performance and resiliency of top-level domains like .ca and helps mitigate malicious activity, such as distributed denial of service attacks from foreign actors.

We collaborate with several institutions to keep these services up to date, including the Canadian Centre for Cyber Security, the Canadian Centre for Child Protection and the Internet Watch Foundation. CIRA strongly supports the government’s objective to raise the baseline level of cybersecurity across critical infrastructure through Bill C-26.

As I mentioned earlier, CIRA has a mission to promote a trusted internet. To achieve this, Canadians will need to trust the cybersecurity framework meant to protect them. With this in mind, I’ll now share our recommendations to strengthen Bill C-26 and promote trust in the legislation.

During the House’s study of Bill C-26, CIRA, alongside other witnesses, advocated for enhanced transparency provisions, which we are pleased to see reflected in the current draft of the legislation.

Today, we offer two recommendations to Part 2 of the bill, or the Critical Cyber Systems Protection Act, to better balance the bill’s cybersecurity objectives with well-established best practices in oversight and in information sharing.

First, to protect more effective oversight, the issuance of cybersecurity directions under Part 2 of the bill should be subject to section 3 of the Statutory Instruments Act. This would ensure the cybersecurity directions are examined by the Clerk of the Privy Council in consultation with the Deputy Minister of Justice.

Second, conditions on the use of information should be strengthened to increase confidence in the CCSPA’s information-sharing provisions. Currently, the bill does not explicitly limit how government entities can use information collected under certain sections. The additional guardrails proposed in our written brief would help ensure that collected information can only be used for the purposes set out in section 5 of the bill and mitigate concerns that CSE could use data collection under section 15 to pursue aspects of its mandate other than cybersecurity and information assurance.

In conclusion, CIRA recognizes the need to protect sources and methods in matters of national security and public safety. However, confidentiality and expedience must be balanced with due process and oversight. Through added provisions, we believe the Senate can enhance Canadians’ trust and confidence in this framework.

Thank you for the invitation to share our views and recommendations on Bill C-26 and for the Senate’s time and consideration. Thank you.

The Chair: Thank you very much. Mr. Malone, please take it away.

Matt Malone, Balsillie Scholar, Balsillie School of International Affairs, as an individual: Thank you. My name is Matt Malone. I’m currently a Balsillie scholar at the Balsillie School of International Affairs in Waterloo, and I’m also the founder of the Open By Default database, which is the largest public database of records released under the federal Access to Information Act. You can access that database right now at openbydefault.ca.

Before commencing, I just want to note that it’s a real pleasure to present with many incredible folks, including Mr. Holland, whose organization has contributed generously to the organization that hosts the Open By Default database. It’s quite the honour and privilege to present with subject-matter experts like him who show a real commitment to accountable and transparent government.

Turning to Bill C-26, I want to applaud the work of the committee for taking on the review. Thank you for the unexpected invitation. I stress that I’m just appearing in an individual capacity representing only my own views.

To summarize my views, while I see Bill C-26 as a well-intentioned bill that has necessary components, I personally view it as a measure that also entrenches government surveillance power, undermines Canadian privacy rights and further erodes our transparency frameworks. I believe there are better ways to achieve the bill’s stated goals.

My thoughts can basically be distilled into the following statement: Secrecy is not security. As government officials push a narrative that this bill is vital to protecting Canadians online, I ask you to consider that we are still waiting — quite some time now — for meaningful privacy reform to protect Canadians’ privacy rights online.

I also ask you to consider that if we had meaningful privacy legislation, this would be beneficial to our cybersecurity. Privacy legislation with teeth would help address all different kinds of situations, such as data breaches of companies, collecting fitness tracker data, data breaches of health care companies like LifeLabs or 23andMe by giving Canadians recourse to meaningful privacy rights.

This reform with privacy legislation would actually establish better incident protocols, enhanced data protection and do many of the things that this bill is seeking to do. This bill does many good things, but it also entrenches an approach to cybersecurity that significantly expands state control with secret order-making power that lacks adequate review.

Secrecy is not security. This bill endows very great powers to an agency, CSE, that is clearly struggling to get oversight right. For example, CSE will not answer basic questions about its respect of human rights, including whether it has used or is actively using spyware. As many have noted, CSE has refused to give documents to its oversight bodies like NSIRA.

I understand that the committee doesn’t have The Citizen Lab’s brief, but I direct you to paragraph 26 of Kate Robertson’s excellent brief for a history of how CSE has not given documents to NSIRA when requested.

What happens when the CSE doesn’t give documents to its oversight bodies, as it has failed to do in the past? We go through the Access to Information Act. The CSE has one of the slowest and worst response rates for access to information requests. It regularly fails to issue acknowledging letters, which is a procedural tactic to delay answering requests and to stymie reviews.

The government claims that we need this law to meet the challenges of the digital moment that we are in, but this is the same government — and CSE is a federal institution among many — that responds to access to information requests using CDs, USBs and paper mail, even when requesters ask for electronic records. This has happened to me many times.

There is also systematic document destruction happening on the front end and the back end. There was an article today in the Toronto Star concerning the Ford government. It has a direct analogy with things that are happening in the federal government. I’m happy to talk about that.

This brings me to, perhaps, the central issue in this legislation. While the bill before you is well intentioned and has some necessary components, it does not address shortcomings in the government’s own posture when it comes to cybersecurity.

Last Monday, members of Public Safety, ISED and CSE came before you to emphasize that they need these powers over the private sector. However, two days later, CSE admitted that China had compromised and infiltrated at least 20 networks associated with the federal government. The government has not installed the CSE sensors on all of the federal government institutions, as NSICOP — again, one of the oversight bodies in this legislation — has recommended.

The same week, CIRA discovered that hackers had obtained confidential information, pocketing more than $6 million. These are disclosures of government cybersecurity shortcomings from just last week, but there are many more we could discuss.

Rather than lead by example, the government is pushing through a bill for the private sector with order-making power that not many people truly understand. This resembles the problem currently in the state of affairs in Canada where when folks experience a cyberincident, they don’t necessarily know which body to report to in the first place. You could report to many different bodies in Canada.

While I believe that the best parts of the law are well intentioned, and the law is needed, I personally believe the worst parts will set terrible new norms for Canada, in particular, clause 15 of Part 1 and clauses 20 to 25 of Part 2. Thank you for your invitation today, and I’m happy to answer any questions.

The Chair: Thank you very much. We’ll go to questions and answers, starting with Senator Dagenais.

[Translation]

Senator Dagenais: My first question is for Mr. Holland.

Mr. Holland, correct me if I’m wrong, but you’re responsible for Internet domains ending in “.ca,” as opposed to the more prominent and more international “.com.” To what extent can cybercriminals from abroad obtain “.ca” domains from their place of operation or by using aliases living in Canada? Finally, how can those domains be used for criminal purposes?

[English]

Mr. Holland: Thank you for the question. If I could just take a moment, my colleague here Mr. Malone mentioned that CIRA had a $6 million breach. I think you meant CRA. CIRA has not had any breaches, no $6 million breaches — just for clarification.

Mr. Malone: Total misinformation.

Mr. Holland: To your question, thank you for the question. I think the good news story here is that CIRA runs what we in the industry call a very clean zone. The .ca top-level domain is among the top handful — when I say “top handful,” I mean two or three, the number varies month to month, but second or third cleanest zone of all the top-level domains in the world, including .com, .org, .uk, .net and all the rest of them. Fortunately, we have very few cyberbreaches or cybersecurity incidents emanating from a .ca domain name. To be clear, that means in the low single digits of .ca domain names where cybersecurity incidents are emanating from, which puts us as one of the cleanest top-level domains in the world.

[Translation]

Senator Dagenais: Do you have any idea how many “.ca” domains are currently in the hands of groups, countries or individuals who are using them to commit cybercrime?

[English]

Mr. Holland: Thank you for the question. By policy, only Canadian entities or individuals are allowed to register a .ca domain name. Whether you’re a permanent resident, citizen, corporation or institution, you must have a formal legal tie to Canada. By design, foreign nationals or foreign entities cannot get .ca domain names. From time to time, they try. We have both proactive audit and complaint-based mechanisms by which we try to unearth .ca domain names registered inappropriately by foreign actors and foreign nationals. It’s a tiny percentage where that happens, and we root them out as fast as we can.

[Translation]

Senator Dagenais: When sensitive information is being shared, what are your real concerns about the use of the information you possess? What sort of safeguards need to be put in place to ensure better protection?

[English]

Mr. Holland: Certainly, from CIRA’s perspective, as we look at Bill C-26, we’ve already made some recommendations to the House. Fortunately, one of them seems to have been taken up. We continue to make recommendations around oversight and the sharing of information as it pertains to CSE, and we certainly believe there are opportunities, as we’ve said in our submission, to tighten up the language and to put guardrails on how shared information is used and disseminated by CSE.

[Translation]

Senator Dagenais: Thank you very much.

[English]

Senator M. Deacon: Thank you to our witnesses for being here, and thank you for correcting misinformation.

A question for you, and thinking about this, Canada is the last G7 country to implement a robust regulatory framework for cybersecurity, something this legislation hopes to address.

I heard a little bit about the privacy legislation in some comments earlier. In your opinion, what took so long? What is taking so long? Is there something different or unique in Canada’s institutions that makes us a little bit slow on the uptake? Is there an opinion you would like to offer based on the line of work that you do? I’ll ask you, Mr. Malone, first, and if you want to respond, Mr. Holland, that would be great.

Mr. Malone: Thank you for the question. I can opine a little bit. The Canada-United States-Mexico Agreement, or CUSMA, had some provisions on cybersecurity that favoured taking a risk-based approach as opposed to a prescriptive approach under the Trump administration, when such legislation was not in force. That didn’t come in until Biden came along when you saw a bunch of prescriptive legislation start to come. Perhaps we were more wed to that provision in CUSMA; we were following that. That is possibly one answer.

The other is when you look at peer states when it comes to this type of legislation, cybersecurity for critical infrastructure, there has been a series of updates to the legislation. Australia introduced its legislation in 2018, but it already went through revisions, and now there is a second version.

The Europeans did the same thing in 2016 when they introduced their version of cybersecurity legislation for critical infrastructure, NIS 1, which is now replaced with NIS 2.

There is also some defence of the approach of “we need to get it right,” and we shouldn’t rush.

Mr. Holland: Thank you for the question. I share some of the sentiments in that often we tend to look at what our peers around the world are doing, and I think there was an opportunity here for Canadian legislators to look at what some of the earliest legislation in the space was and learn from some of the challenges and mistakes, NIS 1 and NIS 2, for example.

I also think that we’ve had the benefit of being able to consider some of the supply chain challenges that impact cybersecurity in a way that some of our peer nations around the world didn’t have the opportunity to do because they got out of the gate more quickly than we did. On the other hand, we’ve had an opportunity to think about some of the issues that weren’t in the initial rounds of legislation.

Senator M. Deacon: Thank you. It is something with the chicken and egg, cause and effect.

Canada remains one of the most targeted countries by ransomware or cybercriminal groups. Is this the result of being cautious, thorough and taking your time, or is it that Canada might not be perceived as being as cyber wise as other comparable societies? That is the push-pull I’m thinking about. I’m not sure if there is anything else you would like to comment on.

Mr. Malone: I think one issue which has been highlighted by government officials who talked about the bill is the division of powers. There has been a big preoccupation with areas like health care, and government officials from the federal government emphasized we can’t really regulate in this area. There is some concern about where the problem is and who has leverage to effect the solution.

I still think there is space for the federal government to set norms and to learn best practices from peer jurisdictions. I think that’s important. I think this bill mirrors a lot of things we saw in NIS 1 in Europe that didn’t work and have been since rendered obsolete and replaced by NIS 2, but the division of powers definitely plays a part in this as well.

Senator M. Deacon: Thank you.

Senator Batters: Thank you to both of you for being here personally and for your work on this.

Professor Malone, thanks very much for your testimony today. I’m also very concerned about the secretive court proceedings that will occur under Bill C-26. I referenced that in my Senate second reading speech where I quoted some of your work on this as critic for the bill. This is especially so because there are some very onerous penalties that exist under this bill.

One of the things I quoted from your work is where you were talking about the office of the intelligence commissioner and the work they do with respect to the communications security establishment. Could you tell us a bit more about what you see as some crucial amendments that could be made to Bill C-26 to improve those provisions of the bill?

Mr. Malone: Thank you. I think one of the real shortcomings with the bill is that there is no oversight on the front end, when it comes to the issuance of the orders we’re talking about under clause 15 of Part 1 and clause 20 and onward in Part 2.

I should add that there were amendments that were made during the life of the bill in the House of Commons where, in response to vocal concern from many folks, including OpenMedia, including The Citizen Lab, there were changes where notification requirements were put into the National Security and Intelligence Review Agency, and the National Security and Intelligence Committee of Parliamentarians. But those were after the fact. What you have a problem with here is that there is no preapproval process that this is in fact an appropriate or considered measure. That markedly diverges from what the Communications Security Establishment Act passed in 2019 foresees as some of the mandates of Communications Security Establishment Canada. Many folks here have been emphasizing their concern about information collection under the act and the possibility of repurposing information that is collected.

One of the real concerns that the Communications Security Establishment Act addresses is that concern by specifically having the intelligence commissioner at the outset authorize, or not, certain types of actions, especially when it comes to breaking Canadian law where they might be collecting foreign intelligence or breaking Canadian law where they might be engaging in their cybersecurity assurance mandate. They have five mandates.

That is one of the issues: When you look at this law, you don’t see an equivalent. You see an after-the-fact obligation to notify NSIRA or NSICOP that an order has been made. There are many problems with this approach. One, CSE has a demonstrated history — and I refer you to the Citizen Lab’s incredible brief on this — of not providing information to NSIRA. That’s a big issue. It might be a valid concern because NSIRA itself has been the subject of a major cybersecurity incident, which they didn’t announce until 4 p.m. on a Friday, at one point. Those are real concerns that CSE might have. What you need to do is have some kind of preapproval, not just after the fact.

Of course, there is the issue of how those bodies are composed and the ability to muzzle the reports that those bodies might be producing, especially with NSICOP, which is not protected with parliamentarian privilege, so they are muzzled in terms of their work.

Senator Batters: Exactly. That was where I was going to go with my second question. For both NSICOP and NSIRA, the members of those bodies are all appointed by the Prime Minister, and they report directly to the Prime Minister. As you noted now, and in your opening remarks, there have been significant occasions over recent years when the federal government has refused to comply with NSIRA and NSICOP directives. How would you suggest that Bill C-26 be amended to improve the concerning situation about oversight?

Mr. Malone: Where preapproval or pre-authorization is necessitated under the Communications Security Establishment Act, you can see that it is not always given. That might be the reason, in the drafting of this bill, it is not provided. CSE’s annual report noted last year that, of the six times they had to go to the intelligence commissioner, they were only granted full approval half of those times. Some sort of preapproval from a truly independent body — I would consider Justice Noel truly independent — would be helpful.

The other problem the bill is going to have is that because it has been rendered obsolete by Bill C-70, in part, the judicial review provisions also introduce or inject these secured administrative review proceedings that have not been tested in law. As a law professor, I have a lot of concern about this provision because it doesn’t provide a lawyer role for the person who’s engaged in the judicial review. So they’re just defending their interests; they are not actually serving with ethical, deontological obligations toward the client in those contexts.

If you look at Part 2 of the bill — specifically in the context of cybersecurity directives — it is not clear to me how a party will know that those directives have been issued and will be able to engage in the judicial review or proceedings. It makes more sense if your internet gets cut off under the order-making powers of Part 1, but under Part 2, if those directives have been made, it is not clear how a party will know they have been made. This starts to resemble a warrant list kind of FISA proceeding. This will create problems for Canada when it comes to how the EU, under its much more protective approach to privacy and its more robust data protection measures, views the Canadian legal regime when it comes to safeguarding personal information.

This could ultimately represent a bigger problem for us in terms of the Europeans deeming our data-protection regimes adequate in terms of protecting personal information. The moment Bill C-26 is passed, I’m going to go to a European privacy activist, tell them about this, point them to these proceedings and say, “Do you feel that this adequately protects your privacy?” Adequacy agreements made by the European Commission about the United States have consistently been overturned on concerns that they don’t adequately protect privacy and that they infringe all kinds of rule-of-law issues.

Senator Batters: Thank you so much.

Senator Dasko: My first question was going to be the same question as Senator Batters to Professor Malone about amendments. I read into what you’ve said. It sounds as if there aren’t any amendments that would actually save this bill in terms of the issues that you’ve outlined. Would you start from scratch with a different bill? Would that be a better way to do it? It sounds like amendments wouldn’t be helpful here. You outline other issues, such as the fact that we don’t have privacy legislation. That puts this bill into a context in which it has a structural problem coming from elsewhere, and other issues that you outlined that seem to be part of this same context problem. Should we get rid of the bill and start from scratch with a different approach?

Mr. Malone: It’s a great question. The bill contains many necessary components. It’s laudable to require certain private-sector actors to have cybersecurity programs and to update those cybersecurity programs. There should be reporting obligations when certain breaches happen. Those could be expanded. We know that only 5% to 10% of cybercrimes are reported to a federal body. The Canadian Anti-Fraud Centre talks about that as a statistic. The CSE uses the same statistic. Anything that enhances reporting is good. It is salvageable by going toward lessons learned from the European Union. The NIS 2 is a good example, in my view, of how we might salvage it.

Senator Dasko: This one can be salvaged by looking at those opportunities.

Mr. Holland, I have a quick question. You’ve had such success with few cyberattacks on the .ca domains, and we had witnesses here earlier talking about best practices. Obviously, you must have something to share with the world about what you’ve done to be so successful. Would you share those with us?

Mr. Holland: Thank you for the question and the comment. We are definitely fortunate in that we have not suffered any kind of extreme or catastrophic cyberattacks. That doesn’t happen by accident, of course. It is because of the programs, procedures, policies, technology that we have in place, and the focus of our organization is a trusted internet, of which .ca is a key part.

We already do many of the things contemplated in Bill C-26 as best practices in terms of how we operationalize security at the network level, security by design, multi-layered security, which are things that the people who were here just before us know. They know those things. Then, there was the panellist from IBM. I’m sure that they’re doing those things as well.

Those are lessons that we share. We share them in the Canadian context with our customers that we support. We share them in the international context in the industry that we’re in so we can help top-level domain operators from other countries who don’t necessarily have the benefit of all what we have to help lift them as well because cybersecurity, I’m sure you heard it here before, is a team sport, and we need to float all boats because inevitably it’s the weakest link that suffers the attack, which then spreads out to the rest of us. So we have policies, programs, procedures and technology in place and are always monitoring. We run business continuity and disaster recovery on a regular basis, not just once in a while. Those are the things we do, and then, we share with others to bring them best practices. That has a tendency to lift all boats, which is actually in everybody’s interest.

Senator Dasko: This is a playbook that’s pretty well known. It is a set of rules that not everybody follows but that you follow?

Mr. Holland: Yes, I think that is a fair and accurate representation. There are always going to be zero-day attacks, things that have never been seen before. That is the unfortunate landscape that we operate in, but for the most part, most things are known. It is about remediation and diligence, and the playbook that you refer to is how you respond when you are attacked because it truly is not if, but when. Those playbooks will protect most organizations the vast majority of the times, with the exception of zero-day attacks that have never been seen before, which do happen, but they’re not that common and they tend to be directed at only extremely high-value targets.

Senator Yussuff: I’ll start with Mr. Malone. Spying is a pretty interesting field. I’m not involved in it, but the CSE’s job is multi-layering responsibility for the nation’s security. There are things that they do that I don’t quite understand and maybe I don’t want to understand, but I trust they are protecting the nation’s interests. In terms of cyber breaches, both on the commercial and on the state side, this is happening at an alarming rate. There are a lot of things they share with other spy agencies around the world in terms of our friends.

I understand some of the concerns you’re raising, but I also think there is a fine line. How do we give them the authority or at least allow them the responsibility to do the things that are necessary to protect the nation’s security while at the same time recognizing they should adhere to some standards that are fundamental to protect our fundamental rights under the Constitution?

That’s a fine line. I always struggled with what the balance is because in the context of a crisis before us, I expect them to do the right thing and I’m not in their shoes, so I’m not there to assess what the right thing is, but I want to give them the latitude because they’re protecting the nation’s interests. Maybe you can elaborate a bit so I can understand you better.

Mr. Malone: That’s a great question, and this is one of the needles we need to thread very carefully. You heard many recommendations from folks about repurposing information.

Mr. Holland opened by saying you should limit the ability to share information that’s collected for the purpose of cybersecurity assurance, one of the mandates of CSE, but that’s not what the bill is doing. The bill is compelling, under clause 15.4, the ability to collect any information. Once that information is collected, it can be repurposed to any of the five mandates that CSE has. That’s very different from simply collecting information of a technical operation that you’re going to deploy in a limited cybersecurity assurance context. It goes beyond that. It says they can mandate the collection of any information they need and they preserve the right to share that information with just about anyone they want.

I really do believe that European privacy activists will be very concerned when they learn about the scope of that type of data sharing, and it might spur some action toward Canada because I think it constitutes a significant overreach. There are ways to cabin that. Many folks have suggested — and I share these views — that you should limit the information-sharing purpose and repurposing once that information is collected.

The reality is that CSE is going to make mistakes. They’re hyper-competent, one of the most competent federal institutions we have. There’s no question, but they have a mandate to not collect information about Canadians or people in Canada, and yet we know that that happens sometimes. They make mistakes. The CSE’s annual report noted all kinds of privacy breaches, over 100 operational breaches involving privacy issues. I’ll point out that those breaches are under CSE internal guidelines, not the Privacy Act, and they won’t release what the guidelines are. We don’t have a window into how CSE is legally interpreting many of their obligations. There is incredible work done by Bill Robinson at the BC Civil Liberties Association, but we need to cabin this information collecting and information repurposing once it’s collected. I think that would go very far in terms of addressing some of the issues there.

Senator Yussuff: Is it possible, Mr. Malone, that we could limit that in the context that a regulation be more specific about — collecting is one thing but — what is then shared with CSE?

Mr. Malone: I would point you to clause 15 of part 1. Clause 15.4 says clearly any information can be collected, and I think it’s 15.6 or onward that preserves the ability to share that information with just about anyone they want. There were assurances given to you last Monday in a committee that I saw talking about how this is just technical information, it’s not personal information, but that’s not what the law says. Kate Robertson, in one of the panels earlier, pointed out clearly that the language of the law, which is what is important, says any information can be collected, and I think we should take that at face value.

Senator Boehm: This is a very interesting discussion. Thank you both for being here.

I wanted to come at this from a little bit of a different angle. Mr. Holland, you said you have to float all boats. You were talking to people with similar responsibilities to your own in other jurisdictions. We always talk about the Five Eyes in this context, but it goes much broader than the Five Eyes as well. Dr. Malone, you have cited the European Commission a number of times and generally how that works.

In my previous life before coming here, I often sat at negotiating tables, particularly with our G7 partners, and the discussion on cybersecurity has been going on for years. There is an exchange of views, and there is an exchange of best practices. Then, everyone agrees that the adversary is getting stronger and changing approaches, and the ball is moved down the field until we meet again as it were. There are committees of officials that feed into the ministerial meetings, and there is probably a need for some leadership.

Now, with this legislation, we’re obviously playing a bit of catch up, but there are other countries who are doing things a little differently as well. Canada is taking over the presidency of the G7 in January. There will be ministerial meetings. They will feed into a big summit in Kananaskis in June.

Do either of you see this as an opportunity throughout the process to reach summits and ministerial meetings for Canada to demonstrate some leadership, not just on best practices but in trying to look ahead and anticipate what the adversary actually can do? Do we have that capability?

Mr. Holland: That’s a very important question — thank you for the question — and important to get different perspectives on it. Certainly, from my perspective at the operator level working with organizations like the Canadian Centre for Cyber Security, we just heard about how CSE is seen in the world that they occupy.

We actually have excellent services in this space, not because I’m saying it, but because how they are regarded by their peers in the Five Eyes and G7, the Five Eyes in particular. So there is considerable expertise in this space that is referred to by other agencies of similar and high calibre, yet we are regarded as having some excellent services on that front.

In terms of G7 leadership, I’m a network operator in the cybersecurity space, so I’m not sure I can answer that for you, but we do have very good talent in this space. I take your point about the kinds of meetings you’ve been at. People gather, people talk, exchange views and then, “see you next time.”

The field of play has changed. Certainly, the way Russia is behaving, the corner that they’re in, two wars, each of which has seen an incredible amount of cybersecurity activity that is pushing the bar to places we have never seen before. Is this time different? I would like to think — not I would like to think. I believe that the times we occupy are forcing the issue upon us in a way that has never been the case before.

Mr. Malone: I want to echo that. The CSE has incredible competence. The sensors that Mr. Curry was talking about during his appearance either here or in the House of Commons — I might be scrambling — are world famous. The U.K. has installed so many of them.

We’re really seen as a leader. If you reviewed the CSE annual report last year, between the lines there’s a little mention of CSE leading the takedown of a ransomware group and really doing the heavy lifting on that; they were the labouring oar. We have incredible capacity there.

I think the problem is we don’t often use that in our own government, so we’re not often demonstrating show, not tell. This bill is preoccupied with the private sector, but it ignores the public sector. CSE sensors are world famous such that the U.K. has over 100,000 of them deployed on their systems, but NSICOP recommended that all federal institutions in government should be using them, and they’re not. There are still 50 that aren’t. Parts of the Canadian government are sort of janky, but we’re getting recognition from partners overseas.

I think the real issue is our own conduct when it comes to the government and cleaning up our own posture when it comes to cybercrime. You can point to a lot of examples here. The fact that there’s no single reporting place you go, imagine you’re a small business and you suffer a cyber incident, where do you go? To the Privacy Commissioner, the RCMP or the CRTC? Are you going to go to a local police station if the RCMP is not available? It gets really complicated really quickly. The Auditor General has a report on this, and the flowchart is wild.

These are real issues, and you can compare them with approaches taken in Estonia, where they have a mission of one touchpoint with the government. As a citizen, you have one touchpoint with the government. There’s a reason why, when NATO put up its Cooperative Cyber Defence Centre of Excellence, it did that in Estonia. But also, Estonia has had much earlier experiences with cyber incidents, including a shutdown of government in the early 2000s. We’ve been saved from that.

I think we’re slowly waking up to these issues in Canada. I think we’re starting to become really aware of the scourge of cybercrime, ransomware and cybersecurity incidents with our critical infrastructure.

Senator Boehm: Thank you very much.

The Chair: Colleagues, that brings us to the end of our questions for this panel.

To our last panel of the evening, I want to thank you, Mr. Malone and Mr. Holland, for a really impressive couple of presentations and for your very insightful and helpful responses to the large number of questions that you’ve heard this evening.

It’s a great note to end on, to be reminded, Mr. Malone, of CSE’s reputation globally. We hear about that all the time as we travel around and certainly hear it through NATO organizations. You’ve been very helpful to us on a very important piece of legislation, and we thank you very much, including for the important work that you both do every day.

On behalf of the Senate, this committee, thank you. Thank you to my colleagues for the questions that have brought the best out of panellists.

A few thoughts to share with you as I step down from this committee this evening as your chair, with the election of my successor to follow. First off, what a privilege this has been. It’s been a highlight of my time in the Senate. I will be staying in the Senate, but it’s not going to get any better than this. This has been an absolutely marvellous three years, definitely a highlight.

None of us realized when I took on the chair that within weeks we would see the Russian invasion of Ukraine. It was a channel changer, to say the least, and I think it’s fair to say that things globally have become more intense and more dangerous since then.

We saw Canada jump in with Operation UNIFIER before the invasion to start the training of combat troops. Our forces have been credited by Ursula von der Leyen and others for making a significant difference in the ability of Ukraine to withstand that initial invasion. That is a compliment, indeed, and we’ve seen that on our watch.

We’ve seen Canadian Forces lead a 10-nation battle group in Latvia, at Camp Adazi with a show of force on the border as part of a string of multi-country battle groups. We crossed the Arctic together. We travelled across the Arctic visiting Indigenous communities, meeting Canadian Rangers, meeting our Arctic defence forces, meeting with Indigenous representatives and peoples, and we were welcomed and learned so much from that experience.

We saw firsthand the world’s only binational military command structure in operation at NORAD HQ in Colorado Springs. We saw the seamless crossover of leadership between the two co-commanders, Canadian and U.S., while those balloons were in the air, if you remember that. That was coincident with our trip there.

It was a privilege, indeed, to do that and, certainly, it was a privilege to do that with you.

We’ve tackled a slew of important legislative initiatives in this place, including high-priority bills and, recently, legislation to combat foreign interference in Canada’s democratic processes, which we need, I think, more than ever, and we’ve heard a lot more about that today. We worked together on firearms legislation. We are now in the midst of reviewing Bill C-26, which is designed to bolster Canadian organizations against cyber interference and cyberattacks, and we have witnessed over the last three years repeated and increasing efforts at foreign interference and cyber interference in our country, as well as an increasingly muscular Russia, China and Iran, not only in a global context, but in terms of putting pressure on diaspora communities in this country and in our communities. That is a dramatic change in the landscape.

In all of this, in all of the work that you’ve done, I think we found a spirit of compromise. We’ve worked really well together. We’ve had occasional areas of disagreement, but we have respect for one another’s views, and we found a way through them together. This is the hallmark of a good committee and any good organization. You have all contributed to that equally, and I’m really grateful for it, and I’ve benefited from it.

I want to finish with some thank yous, first to my steering committee colleagues and the deputy chair, who stood in for me on some big meetings. I wasn’t absent on purpose, Senator Dagenais, but I watched you from afar, and you did a fantastic job, as usual. But joining me at steering, Senator Carignan, Senator Anderson, Senator Cardozo periodically, and, previously, Senator Boisvenu, all who have been wonderful, collaborative colleagues and who have worked to find a good balance among competing priorities and sometimes competing perspectives, but we got there together in the end, which is the best way to do it.

I want to thank our staff, who, every week in this room and across numerous other committees — our translators, our audio technologists, Senate pages and the myriad of others — ensure we look reasonably good every day in the work that we do.

I also want to acknowledge our own staff who support us every day. I thank your staff, but I look to my own staff, Hilary Bittle, who has been by my side for the last year or so and kept me going and kept me on track and reminded me of where I need to be and what I need to do. That is terrific support that has been hugely important, including at this committee.

I want to thank Lauren Thomas, who worked with me going back to Bill C-45, the legalization of cannabis bill, and who worked with me ever since until very recently. I told Ms. Thomas that our work was almost done, and then I joined this committee, and then Lauren had to do that work as well. She has now moved to Senator McNair’s office, where I know she continues to do good work.

I’m going to wrap up by thanking our clerk, Ericka Paajanen, and our Library of Parliament analysts, Anne-Marie Therrien-Tremblay and Ariel Shapiro. I’ve sometimes mistakenly referred to Ms. Paajanen as the chair of the committee, and that’s well earned.

Let me say this: I have worked over a long period of my career with public servants at all levels — municipal, provincial and federal — and I have worked with terrific public servants — analysts, advisers, managers and strategists. I can tell you that the three people who sit alongside me every week are second to none in comparison with the people I’ve worked with in other levels of my work. They are exemplary, and I will say that they bring good judgment, due diligence, emotional intelligence and an ethic of service quality, not just to me, but to this committee and to the Senate as a whole.

And here is the important thing, they are unafraid to provide the right advice when I, or we, are occasionally inclined to go down the wrong path — perhaps for the right reasons, but it might be the wrong path — to take us aside and give us the best of their advice. The three of you have saved me from going to places that I shouldn’t have gone, and likely saved this committee as well, and for that, I’m really grateful for your good judgment and counsel and hard work.

That being said, colleagues, I now take my leave, knowing that we have a committee at the top of its game, and I know we’ll have a succeeding chair at the top of their game. I congratulate you all on your hard work and achievements, and I thank you for your support.

Do I now — moving on — see a mover for our next chair?

[Translation]

Senator Dagenais: Mr. Chair, with your permission, I would like to nominate Senator Yussuff.

[English]

The Chair: Thank you for that nomination.

An Hon. Senator: I’d like to second that.

The Chair: Thank you.

What is the wish of the committee? I see approval. Thank you.

I’m going to invite Senator Yussuff to come up and assume the chair. I am going to leave now and leave this room to Senator Yussuff — and to you — as this transition takes place, and I wish you all the best, and I will see you all in the chamber tomorrow.

Thanks very much.

Senator Hassan Yussuff (Chair) in the chair.

The Chair: As our colleague is leaving, I think it would be equally important to acknowledge his eloquence, his thoughtfulness and the collaborative way in which he’s chaired our committee meeting.

I don’t think there was a time I left this meeting feeling that somehow I wasn’t heard or wasn’t given a fair opportunity to intervene, even when we were competing for space to try to ask the witnesses a question.

In assuming this responsibility, I realize I will pale in comparison to his leadership, as to what I would bring. I would ask for two things, one, I would bring as much thoughtfulness and collaboration as our previous chair has committed to this committee, but equally I know in time I will make mistakes and, when I do, I would hope you would show me some kindness but also give me an opportunity to correct whatever it is I may have erred on.

I’m hoping in the context of assuming the responsibility, we can work with the same degree of collaboration we have had, at least for the time I’ve been on this committee.

I should share a secret. When I first came to this committee, I didn’t necessarily volunteer to be here. My arm was twisted because the chair asked me to join the committee. I would have to say in the three years I’ve been on the committee, I’ve enjoyed every moment that we have been together and enjoyed every aspect of bills and studies that we have done in the last three years. I want to thank my colleagues for the confidence you’re placing in my hands. I commit to continue the collaborative way we work, with the respect and appreciation there will be many things that we will be faced with, hopefully — with steering but also with members of the committee — we can work in the same thoughtful and respectful way we’ve worked over the last three years. To continue to do the good work on behalf of the citizens of our country, to ensure we’re making a difference in the bills we are studying, but also in the studies we are doing, contribute to the greater good of this country.

I’ll stop there and take any questions. I want to thank my colleagues for the confidence placed on the Independent Senators Group, or ISG, that is based in me, and I want to thank all colleagues on the committee. I look forward to Ms. Paajanen and our colleagues’ guidance because I know there is much to learn. I’m open to learning as much as I need to ensure I do a good job on the committee.

I watched our previous chair break this last time we were meeting, so I will try to be as gentle as I can. If not, I’ll bring my own hammer the next time. Without further ado, I declare our meeting adjourned.

(The committee adjourned.)