THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS
EVIDENCE
OTTAWA, Monday, May 4, 2026
The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4 p.m. [ET] to study Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
Senator Hassan Yussuff (Chair) in the chair.
[English]
The Chair: Honourable senators, I call this meeting of the Standing Senate Committee on National Security, Defence and Veterans Affairs, to order.
Before we begin, colleagues, I would like to inform you of my resignation from the chair of this committee. It has been a pleasure serving, of course, the past number of years. I have enjoyed working with each one of you and appreciate your efforts, your leadership and your support for everything we have done on the committee.
I don’t want to take too much time because we have the minister and officials here and we want to get on with our business. However, I want to sincerely thank you. I’m sure the new chair will find some time at the end for those who want to intervene so we don’t disrupt the committee meeting, but I want to conclude by saying thank you to all of you.
With that in mind, the Independent Senators Group, or ISG, has met as a group and proposed Senator Marty Deacon to replace me as the chair. I would put that as a recommendation that we support Marty Deacon to become the Chair of the Standing Senate Committee on National Security, Defence and Veterans Affairs. All those in favour?
Hon. Senators: Agreed.
The Chair: I’ll ask my colleague Senator Marty Deacon to take the chair.
Senator Marty Deacon (Chair) in the chair.
The Chair: Colleagues, thank you. It’s an honour to take on this role. I look forward to working with you in this new capacity. It’s going to challenge my desire to ask a million questions every day, but I will do my best to make that transition.
I know we have the minister here, and we’d like to get to that very important part of our meeting, but I want to thank you for putting your faith in me to chair this important committee at this moment in our history.
Thank you to the outgoing chair for his leadership and example as we move ahead with this task.
Chairing your first meeting with a minister is a bit like driving a Formula 1 car, so I ask you to show grace and patience as we move on.
I would also like to take a moment to acknowledge and thank the minister and folks in the room today who attended the event a few hours ago. When we look at the work we do and why, being there for the beginning of this monument and tribute to our Armed Forces members and civilians we lost in Afghanistan was a very powerful reminder of why we’re here on Monday afternoons. Speaking with the families, students and staff was very enlightening and also motivating for the work we do.
Before we get started and get to our witnesses, I’d ask that you please introduce yourselves this afternoon.
[Translation]
Senator Carignan: I’m Claude Carignan from Quebec.
[English]
Senator Batters: Denise Batters, from Saskatchewan.
[Translation]
Senator Youance: I’m Suze Youance from Quebec.
[English]
Senator White: Judy White, Newfoundland and Labrador.
Senator Al Zaibak: Mohammad Al Zaibak, Ontario.
Senator Patterson: Rebecca Patterson, Ontario.
Senator Hay: Katherine Hay, Ontario.
Senator Dasko: Donna Dasko, Ontario.
Senator McNair: John McNair, New Brunswick.
Senator Yussuff: Hassan Yussuff, Ontario.
Senator Ince: Tony Ince, Nova Scotia.
Senator Kutcher: Stan Kutcher, Nova Scotia. This is the East Coast side of the table.
The Chair: We’re glad that you’re here today. Thank you, Senator Kutcher.
Today, we will begin our consideration of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
To kick off this work, we have the pleasure of welcoming the Honourable Gary Anandasangaree, Minister of Public Safety. Thank you so much to you and your team for being with us today.
The minister is accompanied by the following officials from Public Safety Canada: Colin MacSween, Director General, National and Cyber Security Branch; and Kelly-Anne Gibson, Director, National Cyber Security Policy, National and Cyber Security Branch.
From Innovation, Science and Economic Development Canada, we have Andre Arbour, Director General, Telecommunications and Internet Policy Branch; and Wen Kwan, Director General, Spectrum and Telecommunications Sector. Thank you for joining us today.
We will begin by inviting the minister to provide opening remarks, followed by questions from our members.
Minister, welcome.
Hon. Gary Anandasangaree, P.C., M.P., Minister of Public Safety: Thank you, Senator Deacon. I’m going to ask for your indulgence at the outset, if I may, just to acknowledge, first, your chairship today and going forward of this very important committee. I want to congratulate you. I know that Senator Yussuff has left big shoes to fill, but I have absolute confidence in the work that you will, no doubt, do.
I want to thank Senator Yussuff for his leadership on a range of issues and for being someone I have been able to count on and call on as a friend for advice — often solicited but sometimes unsolicited. It’s always a pleasure hearing from him. I want to thank you, sir, for your leadership and your many years of service.
I also want to take a moment to acknowledge Senator Kutcher, whom I have had the pleasure of working with at the previous Special Joint Committee on Medical Assistance in Dying. We have mutual friends, and he is someone who over the years has distinguished himself as a very hard-working, smart, intelligent senator who has always held this government and other governments to account. He comes from decades of service in academia and in medicine. So thank you, Stan, if I may call you Stan at this moment, for your friendship and leadership. I wish you all the best in — “retirement” is probably not the right term, but certainly retirement from the Senate. We look forward to the work that you will continue to do.
With that, Madam Chair, I will start our time. I’d like to get this Formula 1 car on the road.
If I may, I will start by acknowledging that we are gathered and meeting on the traditional, unceded territory of the Algonquin Anishinaabe people.
[Translation]
It’s my pleasure to speak to you today about Bill C-8, an act respecting cybersecurity.
[English]
Many of you are already familiar with this bill, having studied a previous iteration and understand that this piece of legislation is critical to protecting Canada’s sovereignty, resilience and critical infrastructure.
According to the Communications Security Establishment Canada, or CSE, cybercrime is now one of the most pressing and dangerous threats to Canadians and their businesses.
[Translation]
Canada ranks second in the world for countries most affected by ransomware attacks.
[English]
Costly and harmful cyberattacks are increasing in frequency, in parallel with our reliance on the technologies under threat. We have all used the internet, smartphones and other technologies that have become essential to our ways of life.
In addition, emerging technologies, like artificial intelligence, are increasingly becoming integral to the ways we work and communicate.
[Translation]
All of this means we’re that much more vulnerable to cyberthreats.
[English]
This is why Bill C-8 is critical. This iteration of the bill has been shaped by Senate considerations and consultations with stakeholders.
[Translation]
Bill C-8 has two main parts.
[English]
First, it would amend the Telecommunications Act to strengthen the security of Canada’s telecommunications framework by adding “to promote the security of the Canadian telecommunications system” as a policy objective in the act; giving the Governor-in-Council and the Minister of Industry the power to compel telecommunications service providers to take action, when necessary, in the face of threats; and adding measures on monitoring and enforcement, including an administrative monetary penalty scheme.
Second, it would amend the critical cyber systems protection act, or CCSPA, by establishing a regulatory regime to strengthen cybersecurity in the federally regulated finance, telecommunications, energy and transportation sectors; increasing information sharing; providing the Governor-in-Council with the power to issue cyber security directions to protect a critical cyber system; obligate designated operators to establish a cybersecurity program; and establish enforcement powers and consequences such as an administrative monetary penalty regime.
These measures are necessary to protect Canadians, our economy and our critical infrastructure.
We must keep pace with our allies in the Five Eyes and G7, as well as ensure we do not fall further behind those who have already introduced similar cybersecurity legislation.
Madam Chair, the cost of recovering from an incident is far greater than the cost of investing in cybersecurity up front. It is critical that we are proactive in setting our systems for success so that we can continue to keep Canadians safe in all aspects of their lives.
[Translation]
Thank you, and I look forward to your questions.
[English]
The Honourable Mélanie Joly, Minister of Industry, will also be coming to the committee on a separate occasion, so if there are specific issues with respect to telecommunications — though I’m glad to answer questions — they may also be posed to her, and she will also be able to elaborate.
With that, I look forward to your questions and comments.
The Chair: Thank you, minister.
Just before we proceed, I’d like to welcome Senator Cardozo, from Ontario, who just joined us.
I’d also like to let the rest of the room know that Senator McNair is the sponsor of this bill. Thank you for the work you’re doing.
No pressure, Senator Kutcher. We hope you enjoy this final meeting with us. That is wonderful to hear too.
I have talked about the sponsor of the bill, but I’d also like to thank Senator Batters for being here as the critic of the bill. Thank you for joining us.
We’ll now proceed to questions. I’d like to note that the minister will be with us until about five o’clock. We’ll do our best to allow all members to ask a question during this first hour. A second round of questions with the officials will take place from 5:00 to 5:55. With this in mind, four minutes will be allotted for each question, including the answer. I’d ask that you keep the question part as succinct as possible so we can have as many interventions as possible.
I’d like to offer the first question to our deputy chair, Senator Al Zaibak.
Senator Al Zaibak: Thank you, Madam Chair, and congratulations.
Minister Anandasangaree, welcome back to this committee. Thank you to you and your team for your efforts in advancing Canada’s cybersecurity framework at a time of increasing global instability.
As cyber-threats become a central tool of statecraft, how does Bill C-8 position Canada to better deter and respond to state‑sponsored cyber activity, particularly from hostile actors?
Mr. Anandasangaree: Thank you, Senator Al Zaibak, for that question. Let me also acknowledge Senator Batters and, of course, Senator McNair for being the critic and the sponsor of this bill, respectively. I value both of their perspectives, and I want to thank them for the work they’ve done.
Every day, we come across new threats, especially cyber-threats, often using ransomware as a tool. Often, we see corporations — big corporations sometimes — paying out due to ransomware. Much of that is unreported. There’s no compulsion to report that right now, but it is increasing at a scale and speed that I don’t think any of us anticipated. This is likely to be even more complicated as AI and other tools are developed at speeds that we have not seen.
Whether by state actors or others, the use of cyberattacks has become a very critical tool of other states and parties to not just raise money but also to impact the personal privacy rights of individual Canadians.
Several weeks ago, we saw, for example, an attack on a major Canadian insurance company. I can go through a list of other attacks over the past several months alone. Suffice to say that it is at alarming speeds and a scale that we probably never could have anticipated even a couple of years ago.
Senator Al Zaibak: Thank you, minister. How does Bill C-8 ensure interoperability with Five Eyes partners, especially in responding to cross-border cyber-threats targeting shared infrastructure?
Mr. Anandasangaree: We were very much part of both the Five Eyes and G7, and I’ll combine them both in my answer. I’ve had the opportunity to be part of both conversations. We hosted the G7 in October, and I can tell you this is one of the most important issues that they’re dealing with. There’s a great deal of cooperation among both our Five Eyes and G7 partners, but, of course, Canada lags behind with respect to other countries in terms of our regime. I hope that will be corrected with the passage of Bill C-8.
Senator Al Zaibak: Thank you.
The Chair: Next, we go to other members of our steering committee.
[Translation]
Senator Carignan: Congratulations on your appointment, Madam Chair.
Minister, by definition, a law is a set of general and impersonal rules. This bill gives the Governor-in-Council the power to establish directions or to order an individual designated operator to comply with specific measures. That means that a direction can target a specific business. The scope of the direction is fairly broad in that the impact on the business is taken into account. However, paragraph 20(3)(e) indicates “any other factor that the Governor in Council considers to be relevant” and subclause 20(3.1) states the following, and I quote:
The provisions of the direction must, in scope and substance, be reasonable in relation to the purpose of protecting a critical cyber system.
The law already defines what, in your opinion, would be reasonable. How do you think that we can prevent abuses of power? How can the courts fulfill their traditional role of curbing such abuses of power when these parameters are so broad?
[English]
Mr. Anandasangaree: Thank you, senator, for the question.
The powers bestowed right now by way of order of the Governor-in-Council with respect to each operator are to ensure that there’s compliance and capability within the respective areas of regulation within an industry, for example, telecommunications.
The safeguards that are in place are important. When order-making powers are used, there is reference to both the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security and Intelligence Review Agency, or NSIRA. When issues are of a confidential nature — in some cases, they have to be, for example, to ensure that industry is able to protect certain aspects of a business interest that they may not want to share. However, to ensure they still comply with the act, it is critical to have that specific set of guidelines for that particular industry, with some safeguards.
There is certainly the ability to have the matter go to the Federal Court. It is certainly within the purview. They may not want to, but within the safeguards that are built in, the reasonableness standard is the starting point, which is a legal standard that is fairly well understood. However, coupled with that is the potential for oversight with NSICOP and NSIRA if they choose to respond to a referral based on the act.
There are safeguards in place, and I believe that overreach is something that could be captured by them.
[Translation]
Senator Carignan: As for the provision regarding the five‑year review, many laws contain such a provision, but the review does not happen. At the National Security and Intelligence Committee of Parliamentarians, you indicated that this provision was set out in the legislation that was passed several years ago, but that the review has not yet been conducted. How will you ensure that this legislation will be reviewed in five years?
[English]
Mr. Anandasangaree: There are a number of acts. Bill C-12 just went through this committee. There’s a review period built in there. It’s customary with respect to NSICOP itself and NSIRA that there is need for review. Those are reviews that need to happen, and in this case, on a five-year timeline. It is up to parliamentarians and governments to ensure that those reviews take place.
Senator Cardozo: First, congratulations, Madam Chair, on your election.
Thank you, minister, for being here. Bill C-26 in the previous Parliament was introduced in June 2022, so four years ago. I wonder if you can talk a little bit about how the threat situation has changed since then and how the bill reflects that.
Specifically, with respect to adding sectors that you could be looking at or the regulations as outlined in clause 15, are those regulations pretty much ready to go or will that take a while? In terms of sectors, you haven’t looked at, for example, the education sector, where universities sometimes have a concern or problem. I know that’s a provincial jurisdiction, but I wonder if you can talk about whether that can be added to the picture.
Mr. Anandasangaree: Thank you. The observation of the passage of time is of critical importance. I can give you the number of incidents in the past couple of years, since 2022, that have had a significant impact on Canadians. I referenced the insurance company. In August 2025, we had Wealthsimple. In July 2025, we had the Colabar Group. In June 2025, we had Pembroke Regional Hospital and WestJet. We had Nova Scotia Power in April 2025. We had Shell in June 2024. Then there was the City of Hamilton, and I could go on. It has escalated in a significant way over the past number of years.
With reference to the four industries that are subject to this act — finance, telecommunications, energy and transport — those are the four that are primarily in the federal domain. When you referenced education, for example, that is very much of a provincial nature.
There’s an interplay with respect to telecom because telecom, in a broader sense, will have implications for health systems or education systems, which are run by the provinces. Breaches through the telecom sector will certainly have some implications and are subject to the act.
With the evolution with respect to regulation, there is flexibility. On issues of AI, for example, as technology develops, there is an evergreen set of regulations that can be brought in to ensure — and we speak about the actual underlying architecture and not necessarily the content — can be addressed through regulation.
At this point — my colleagues may be able to speak to it in greater detail — this changes the bill. We’ve had a number of changes from Bill C-26. I don’t believe the regulations are quite ready to go, but as soon as this bill passes, we will be able to move on the regulations quite fast. There are also the usual timelines once it’s gazetted. There’s a 30-day window or a certain time frame to get input before regulations become law.
Senator Cardozo: If there are other sectors you need to go to, do you have the ability to add that or are we stuck with these four?
Mr. Anandasangaree: Primarily, the focus is on these four because they are in the federal domain. We need to work with the provinces and territories to see if there are replicate bills that can be undertaken there or some reporting mechanisms, but so far, these four have been strictly in the federal domain.
Senator Cardozo: Good luck. This is urgent, and I hope it gets moving soon.
Senator Batters: Thanks very much. Minister, in your second reading speech, you argued it’s urgent to pass Bill C-8 because cyber-threats are becoming more numerous, sophisticated and pervasive. After a decade of consultation and after the Senate’s in-depth study of Bill C-26, and despite six months between that previous bill dying on the Order Paper because the government chose to prorogue, why did the government choose to reintroduce a virtually identical bill instead of making important revisions from the start that would have addressed the major flaws identified by key witnesses at this committee and allowed Parliament to move forward more quickly on that? Isn’t there a contradiction between the urgency you’re invoking and the lack of diligence that your government showed in preparing this bill initially last year?
Mr. Anandasangaree: I would beg to differ, senator. There was an urgency to produce the bill. The previous bill, Bill C-26, had gone through all the different stages. It was at Parliament’s doorstep for a technical amendment. The work of Senator McNair in that is noteworthy. It was to ensure that the bill was able to get Royal Assent.
Of course, when we introduced that bill, our expectation was that if there were new items that came up, we would work with our opposition. Some 75% of the amendments we accepted were from opposition, which is quite remarkable because we had a sense that working in collaboration was critical. This is not a bill to be politicized. For the most part, we were working with the different parties in the House to ensure that all those valid concerns were taken into account as amendments. We were able to pass those amendments, which are now before you.
Senator Batters: Right. The only thing is that many of those concerns had already been brought up in the previous iteration and could have been made before you introduced it. The technical amendment you spoke of could have potentially knocked out half your bill, so, yes, it was important to make it.
However, there were three important amendments made by Conservative MPs at the House committee on Bill C-8, which would have required that judicial authorization before ministerial powers and ministerial orders be allowed in certain instances under this statute. Your Liberal government chose to oppose those key amendments rather than agreeing to have those changes made to Bill C-8. You could have agreed to include those judicial authorization amendments in Bill C-8, but you hadn’t learned those lessons that were articulated by many witnesses who testified at our Senate committee during the Bill C-26 hearings. Nearly all the witnesses who testified, other than government witnesses, strongly advocated for more oversight, which would have been accomplished by that type of judicial authorization.
Minister, why didn’t your government agree to make those types of key amendments to improve the bill and protect Canadians’ rights by putting those important judicial authorization measures into Bill C-8?
Mr. Anandasangaree: Senator, I believe those amendments were ruled out of scope.
Senator Batters: You could have chosen to put them in.
Mr. Anandasangaree: Having a bill go through the different processes is neither an art nor a science. It’s a bit of both. This is a bill, for all intents and purposes, passed in its first iteration as Bill C-26. It has been improved, and it improved because all parties worked together, and it is now before this house. I believe that the strengthened bill should pass. There is an urgency and a need, and we need to work collaboratively to get to the point of passage of this bill.
Senator Batters: Do you not think the judicial authorization measures are required?
Mr. Anandasangaree: As I have indicated from the outset, the safeguards are there. There are references to NSIRA and NSICOP. There are some matters that are of a confidential nature that require protection, but entities have the ability to go to court if they so desire. Those safeguards are in place.
Senator McNair: Chair, congratulations on your election.
Minister and officials, thank you for being here. We appreciate your attendance. You grabbed our attention at the beginning when you talked about how we’re now second in the world for ransomware attacks. That is not a list we want to be on — not at that level, at least.
I was also going to ask questions about the three amendments made at the House committee, but Senator Batters covered those. I want to recognize that 37 amendments were made, and the committee should be recognized for the collaborative approach that it took.
I know the Privacy Commissioner in his appearance at the House committee made three recommendations. Two of them — as I understand it — were adopted by the committee in amendment, but the third was voted down. Can you speak to why the third amendment, which deals with the notification of privacy breaches directly to the Privacy Commissioner, was voted down by the committee?
Mr. Anandasangaree: Thank you, senator. You’re quite right: A number of amendments have been accepted. Over 50% of the amendments were accepted, and 75% of those amendments came from opposition; they were not government amendments.
I had the opportunity to meet with the Privacy Commissioner in October of this year, and I certainly respect the work that they have done. With respect to the input we received, two of the three amendments have been taken into account. The third one, which is part of the Personal Information Protection and Electronic Documents Act, or PIPEDA, already requires an organization to notify the Privacy Commissioner along with affected individuals. It’s already law under the Privacy Act for the disclosure to take place. That’s the primary reason why it wasn’t included in one of the amendments that went through committee.
Senator McNair: Is it already covered under PIPEDA?
Mr. Anandasangaree: That’s correct.
Senator McNair: Currently, the Social Affairs, Science and Technology Committee of the Senate is studying Bill S-5, the connected care for Canadians act, and that is an act to remove data blocking and make electronic medical records and electronic health records connected and interoperable. At committee, senators are hearing that a system of interconnected records risks creating a larger target for cyberattacks. As we well know, the health sector has been targeted over the past few years.
Subclause 6(1) of the critical cyber systems protection act, or CCSPA, permits the Governor-in-Council to add other federally regulated critical infrastructure sectors to Schedule 1. You talked a little bit about this already. In this committee’s report on Bill C-26, we recommended adding health systems within the legislative authority of Parliament to Schedule 1.
Has health security been considered in the context of Bill C-8?
The Chair: No, primarily for the reason I outlined previously. We are essentially staying in our lane. As you are aware, federal‑provincial relations can often result in lengthy court cases that will ultimately keep the federal government in its lane and the provinces in theirs. Senator McNair, we want to use this as a model and work with the provinces and territories to bring them on board with similar mirrored legislation within their jurisdictions or other forms of regulations that will have an element of disclosure and information sharing within the country, which we desperately need.
I believe the way to do it is through a collaboration. If we were to legislate, I’ve been assured by counsel that will be challenged, so our primary objective is to have a bill that is in line with our constitutional abilities to make laws in specific areas, which, in this case, are the four that have been outlined.
I believe it is an important starting point. We don’t expect this to be the end.
Senator McNair: Thank you.
Senator Kutcher: Chair, congratulations on your election. You have big shoes to fill.
Thank you very much, minister, for being here and for the kind words you said about Senator Yussuff. I want to continue with the health care issues and draw attention to virtual health care providers, whose regulation is not clear to me. Some of the virtual health care providers are non-Canadians. There is a tremendous amount of health information stored in Canada by virtual health care providers, which may use our telecoms, but also by virtual health care providers outside the country. Some of that data is very important personal data, but some of it, particularly in psychotherapy situations, is narrative data.
How does the regulation of that kind of data fit in? It’s a very difficult problem. I’m raising it not to criticize the bill but to try to understand how this bill may be a foundation for moving forward on that area.
Mr. Anandasangaree: Thank you, senator. If I know a retiring senator who can come up with a plan to address this, I would probably engage that person to do some more work.
You pose a very important question. We are seeing the evolution of virtual care. The interprovincial element is one aspect, and that’s probably easier to address than the overseas element.
At the end of the day, health care needs to be in line with the Canada Health Act. With respect to the protection of information, we can regulate information that is within Canada. There are certainly some concerns around data sovereignty. Those are live conversations that are now taking place as AI data centres evolve as well as the imposition of the USA PATRIOT Act on certain types of data that are Canadian but stored in U.S. facilities. Those are live questions to which, I will confess, I don’t have the answers. But they are part of the work that needs to be done post facto and part of the ongoing scrutiny that needs to take place in the context of cybersecurity because we know that those vulnerabilities continue to exist.
The challenge we face is that much of this data may not be in line with the Privacy Act. That is a starting limitation, whether it is a federal or provincial privacy act, because most provinces have some sort of privacy act in place.
When information is gathered and held overseas, accessing that information is not subject to Canadian privacy laws. We are already starting off with an uneven playing field.
One of the ways we can address it, apart from trying to regulate that here, is to have partnerships with different governments, depending on which country it is. As we enhance our trade relationships, we may be able to build collaboration with other countries on privacy protection.
Senator Ince: Thank you, Madam Chair, and congratulations.
I have some beautiful insoles for those shoes for you.
The Chair: Wonderful. Fill them up.
Senator Ince: Thank you, minister and staff, for being here.
Minister, on October 30, 2025, Philip Stupak, Senior Director of Advocacy for ISC2 Inc., told the House Standing Committee on Public Safety and National Security that not all federally regulated critical infrastructure sectors, including water systems, are included in Schedule 1 of the proposed CCSPA. In addition, Canada’s 2009 National Strategy for Critical Infrastructure identifies 10 critical infrastructure sectors, including water.
Why does Schedule 1 of the proposed CCSPA not include all 10 critical infrastructure sectors that are identified in the 2009 strategy?
Mr. Anandasangaree: We go back to being in the federal lane of regulation. We have authorities in a number of different sectors — finance, telecom, energy and transport being the primary ones — and the powers that would be bestowed through CCSPA are with respect to those four specific industries; it doesn’t go beyond them. That said, many provinces and municipalities, for example, have critical infrastructure, so this is both an opportunity and a challenge for us. Once we have a framework in place that works federally, we need to be able to work with the provinces to maybe adopt similar mirror legislation or some other ways for compliance and reporting within areas of provincial jurisdiction.
We were very careful not to overstep. Often, legislation is subject to judicial scrutiny, and one of the dangers we have is that if it goes beyond the scope of a federal mandate, then it can be subject to court intervention, perhaps even disallowing elements of the bill or striking provisions altogether.
That’s the primary reason we are sticking to the four areas that are outlined.
Senator Ince: Thank you.
Are there situations that could lead to other critical infrastructure sectors being added to Schedule 1?
Mr. Anandasangaree: Right now, senator, we don’t contemplate anything specific outside of the four sectors. However, the Governor-in-Council has the authority to add other federally regulated vital services and systems to Schedule 1, making them subject to the CCSPA. Those include those portions of water services that you talked about and that are now federally regulated.
So, while these are the four that we were sticking to when we contemplated the legislation, there are scenarios in which we could add others as needs and other opportunities arise for us.
Senator Ince: Thank you.
Senator Yussuff: Thank you, chair, and congratulations.
Minister, I have a few questions in regard to the gap based upon what we constantly hear in the public domain. Many of the major breaches that have taken place in terms of cybersecurity have been at the provincial level, over which you have no oversight or control.
Given the expectations of Canadians and the importance of this bill in trying to rectify the federal jurisdiction, how can we best collaborate with the provinces? They don’t have any of the infrastructure we do at the federal level that could aid and support them. Should there be an interprovincial approach to say, “For some of these things, we may want to defer recognizing what the Constitution says”? We’re going to continue to hear the same problems unless we find a way to have some symmetry in which we have broader oversight.
If you ask a Canadian in Ontario versus one in B.C. or Nova Scotia, they will believe that somebody is supposed to protect them. Of course, at the provincial level, we know they don’t have the same degree of oversight that is available at the federal level.
How can we accomplish that? I think one of the biggest gaps after this bill is passed will be that we will continue to be frustrated with hearing about these breaches while not knowing why they are happening in the first place.
Mr. Anandasangaree: Senator, that’s an astute observation. I would say it’s a source of frustration.
Our Confederation is complex. On most days, I think, most of us don’t fully comprehend the depth of our mandates, whether it is federal or provincial jurisdiction, and it is much harder to explain to Canadians the challenges the federal government would face, and vice versa, because there are also times the provinces are frustrated with the federal government.
I believe that this is an imperfect bill, but it captures what we want to do vis-à-vis federal authorities and jurisdiction. With its passage, one of the things we could do is also include this in our FPT. Between Mr. Fraser, the Minister of Justice, and I, the Minister of Public Safety, we have annual meetings with the provinces and territories. It’s an area we can certainly bring to the table and ask for collaboration in terms of how this could be mirrored within provincial jurisdictions. There may be slight variations in terms of the types of privacy acts that exist within each province, but it’s worth the conversation.
You’re right: For the average person, whether it’s a provincial water system, a federal water system or a credit union as opposed to a chartered bank, the distinction is moot. There is an impetus for us to ensure, for the sake of protection, that we expand this. It is a federal bill and always will be, but we need to have compliance by way of discussions and negotiations.
Senator Yussuff: Criminals don’t really care about who will be the benefactor once they are able to succeed in their efforts.
I would plead that the gap that exists here be recognized and not that federal-provincial collaboration is fundamental for Canadian security. It’s terrible to tell somebody that their data is now in some criminal’s hands and we can’t do anything about it because, at the provincial level, where they have jurisdiction, they didn’t have the elements the federal government could have offered to help them to better secure their data in the first place.
It would be extremely helpful.
If Canadians are watching this, they might be left scratching their heads when recognizing that the federal government cannot protect them at the provincial level, no matter what the situation might be.
Mr. Anandasangaree: In fact, if I may, with your indulgence, Madam Chair, the fact is that if something happens at the provincial level, chances are it will go to other provinces. It’s not just one province that would be impacted; it would be multiple provinces.
I acknowledge the need for federal leadership on this for collaborations to take place because, ultimately, it is about protecting Canadians, as you said.
Senator Dasko: Congratulations, Madam Chair. It is great to see you in that spot.
Thank you, witnesses and minister. I want to dig a little deeper, especially regarding the state actors or perpetrators of cybercrimes. I want to understand a few things about them. Who are they? What is their motivation? What are they looking for? Are they disruptors, or are they seeking certain kinds of information? Which sectors are they focusing on?
What they are interested in and what sectors they are focusing on would help us understand what their interests are and what they’re trying to do. I find it a little bit mysterious — but maybe it’s not mysterious and you have all the answers.
Technologically speaking, do you have the ability to collect information on exactly who they are — the who, what, when, where and why?
Mr. Anandasangaree: You always ask questions for which I think there are great answers but ones probably best given in a setting that is secure.
But let me try.
Senator Dasko: Let’s just turn off —
Mr. Anandasangaree: I will try to answer this, but I will also invite this committee to receive a secure briefing on this because it is quite important. I will talk about how there are a number of actors. CSIS’s annual report was tabled on Friday, and there are references to some actors there.
There are a number of motivations. One is to pose some instability to Canada —
Senator Dasko: Disruption.
Mr. Anandasangaree: — disruption to Canada, to Canadian institutions and to Canadian political systems, and that’s been a motivation for a number of nefarious actors.
In part, it is also to do with geopolitics and Canada’s position on a range of issues, including what are very strong human rights perspectives on a range of issues; Canada’s general tenor on human rights violations is consistent across a range of countries.
To be sure, the Foreign Influence Transparency Registry is an additional irritant to some actors. There is a range of motivations that may lead other state actors to be part of it.
Let’s also not underestimate private interests and those who are essentially, with ransomware, for example — doing it for money. They are doing it to raise money to add to the criminal networks that already exist, albeit in a much more sophisticated way than we may have seen in the past.
Senator Dasko: So, of course, the private actors are looking for information, material gain, commercial interests and so on. With respect to state actors, is it mainly to cause disruption or are they looking for information too?
Mr. Anandasangaree: I will go back to my initial point: This warrants, I believe, a closed conversation.
The speculation that I will offer is that, yes, it is about disruption. It is about ensuring that Canadian systems that are well developed, grounded by the rule of law and have safeguards in place that ensure privacy protection and human rights protection are challenged in a way that disrupts our way of life. They certainly won’t be successful in doing so, but these are attempts to destabilize.
We are a strong democracy with great institutions, such as the RCMP, CSIS, CBSA and CSE, that defend our borders. They are continuously doing the work to protect Canadians.
Senator Dasko: Thank you.
Senator Hay: Minister, just a few minutes ago, you said this is an imperfect bill, so I have a comment: If we wait for perfect, we will always be waiting. I thought I would throw that out there.
My question is this: How does this bill address or reduce the risk of AI-generated threats, like “deepfake” disinformation that’s been talked about, AI-powered phishing and autonomous cyberattacks? As a follow-up, will it be adaptive enough for the Wild West that is the AI world of today?
Mr. Anandasangaree: That’s a great question. The bill looks at the architecture that is under attack. It doesn’t necessarily look at individual breaches but rather more architectural weaknesses. For example, the use of AI is part of the regulation, although the AI itself is not being regulated here. It is the actual outcomes and impacts the architectural vulnerabilities have in the imposition of ransomware or other attacks that are addressed in this bill.
To the evergreen piece, as technologies evolve, as different AI is unleashed to the full extent, there is capability within the act to respond to those evolutions. However, one cannot predict how far we’re going to go in the next two, three or five years. Based on what we know now and what is readily and publicly available, we are quite confident that the bill and the regulatory authorities will enable us to keep up. However, the five-year review is critical for this.
We have a number of other bills. Bill C-22 is going to come before the House. We are all working toward bringing things up to current standards and even looking ahead a little bit, but we have to be vigilant in terms of what is coming down the pipeline.
Senator Hay: Just a quick follow-up — you talked about AI not being regulated. Do you see this bill working in line with the unfolding AI strategy and potential legislation that might come down the pipe?
Mr. Anandasangaree: Certainly, the regulatory powers will have some impact on AI, bots and other tools. There will certainly be other legislation that looks at AI. I know Minister Solomon was here during Question Period a couple of weeks ago, and he will be well positioned to speak about the vision in terms of where, as a country, we are embracing but also safeguarding AI. It’s a strategy that he is working on. The Prime Minister has talked about AI for a while, and I believe we will see more from Minister Solomon over the coming months.
Senator Hay: And this bill will plug into that?
Mr. Anandasangaree: It will, yes.
Senator Hay: Thank you.
[Translation]
Senator Youance: Welcome and congratulations. Thank you for being here, minister.
My question will focus on one specific example, but I would have liked to have given two or three others. Since the bill gives the government a new tool to require a designated operator to take measures to protect its cyber system “as needed”, could you give us an example of the sort of measures that the government could take in the event of a cyberattack, if Bill C-8 were already in place? You mentioned the cyberattack on WestJet earlier.
[English]
Mr. Anandasangaree: There are two things here. The first is disclosure in a timely manner. Right now, for example, if a company like an airline is attacked, information is leaked or there is some kind of ransomware demand, the ability to share that information with other similarly situated companies in the industry will enable greater vigilance and also proactive steps by others. Our ability to look at the technology that was used for that attack will also be helpful.
It is very much on a proactive basis to ensure that if the attack is on one narrow player, it doesn’t have broader implications on the entire industry. It is one way that the bill is designed. That’s one concrete example.
The other way is learning from this. There have been a number of examples recently where ransomware was used in one industry and another in a provincial setting. Again, there is greater learning for us as to what kind of an impact it will have on the broader sectors.
It is about CSE, for example, continuously playing its part in defence within the cyberworld, but also for governments to be able to share within the federal system to see how we can best prevent it from happening again.
The Chair: We’re approaching five o’clock. This brings us to the end of our time with the minister.
Thank you, minister, for taking the time to meet with us today. Thank you also to the front row, the back row and the two side rows of the team that supports you. All this work needs every one of you. We appreciate you being here.
Department officials have graciously agreed to stay behind, so we will carry on with our questions.
This past hour, we’ve had the opportunity and the pleasure of hearing from the Minister of Public Safety as we open our study of Bill C-8.
We will now carry on with our second panel and continue with our questions to Public Safety Canada and Innovation, Science and Economic Development Canada.
Senator Al Zaibak: Thank you all for being here today.
Bill C-8 introduces significant new authorities to issue cybersecurity directions. We received a briefing yesterday that it doesn’t add any significant authorities. I’m in need of your clarification in that respect.
What specific thresholds or risk criteria will trigger these interventions? How will consistency be ensured across all sectors?
Colin MacSween, Director General, National and Cyber Security Branch, Public Safety Canada: Thank you, senator, for the question. Just so I understand correctly, I think the question was about the new order-making power in Part 2 of the critical cyber systems protection act, known as cyber security directions.
The power itself is designed to give the Governor-in-Council the ability to order a designated operator to do anything necessary to protect their vital service or system. It was designed as a bit of a measure of last resort. I say that because there are a lot of things in front of that direction-making power.
The way Part 2 of the act works is it sets up a regulatory framework for the federally regulated critical infrastructure sectors that the minister mentioned. It will require them to do four things: have a cybersecurity program, identify and mitigate supply chain risks, perform mandatory incident reporting to the Canadian Centre for Cyber Security and, if necessary, implement a cyber security direction.
The reason I mention that is the cybersecurity program is really just an articulation of what the designated operator is doing to protect its vital service or system.
Within that, that’s where we’re able — with the help of the technical expertise of the Canadian Centre for Cyber Security — to understand if that particular critical infrastructure, or CI, owner is doing a sufficient amount of work to protect its vital service or system.
The order-making power is there in the event that the government has to order a designated operator to do something. However, there are certain steps along the way. For example, if a designated operator is found to be in non-compliance with the requirements of the legislation, they can enter into a compliance agreement with the regulator to address bringing them back into compliance so we don’t have to use any of those powers in the back end. They’re really just there as sort of an emergency power to allow the government to issue the direction, if it’s necessary, to protect that vital service or system for Canadians.
Senator Al Zaibak: From your perspective, how does the bill, as currently articulated, strike the right balance between security imperatives, citizens’ and businesses’ privacy and maintaining a competitive digital economy for all sectors?
Mr. MacSween: Thank you very much for the question.
In terms of the privacy and order-making powers, what the House of Commons committee did was reaffirm the application of the Privacy Act in the legislation to ensure that privacy rights are applied. Generally speaking, there are quite a few amendments around establishing guardrails in the legislation as well. The order-making powers are a good example in that case. There’s a non-exhaustive list of criteria that the Governor-in-Council would have to consider if they were to issue a direction.
An example of that could be considering the financial impact on a designated operator or the implications for the vital service or system if they order someone to do something in order to do that.
On the transparency side, as the minister had mentioned, again, if an order were issued, there would be an automatic notification to NSIRA and NSICOP, so they are aware that an order-making power was used, and should they feel it necessary, they would have the authority under their own act to review that.
Those are a few examples of what’s changed in the act that’s tried to balance the authorities versus the privacy concerns. Is there anything you wanted to add?
The Chair: If we can move along there, if you don’t mind and have our next question.
Senator Batters: Thank you. First, I want to follow up on a couple of things. I was very glad to hear the minister state that the Minister of Industry will come to this committee. That was going to be my first question: Where’s the minister? She came to the House of Commons to testify on Bill C-8, so I think both ministers should appear at the Senate committee to afford us the proper respect and enable the committee to ask questions. I look forward to that.
Following up, the minister indicated the regulations were not ready to go yet, but he stated that it would be “. . . quite fast . . .” after the bill passed. Isn’t that regulatory process more likely to be a two-year process? After the bill is passed and you go through the necessary consultations and that sort of thing, isn’t it likely to be about two years after the bill is passed that the regulations will come into effect?
Mr. MacSween: Thank you, senator, for the question.
The regulatory process is incredibly well defined. There are multiple steps that must be taken, which can expand timelines. The objective, though, obviously, as the minister stated, is to do these as quickly as we possibly can within the confines of that process. The regulatory process is established by the Treasury Board. There are obligations that we have to undertake, including, as you mentioned, public consultations.
Senator Batters: Since I have limited time, is it likely to be about a two-year process — yes or no?
Mr. MacSween: It could be shorter.
Senator Batters: How much shorter?
Mr. MacSween: You could easily do it in 12 to 18 months.
Senator Batters: All right. Also, the minister said he met with the Privacy Commissioner in October, but that was already months after Bill C-8 was introduced. Why weren’t the Privacy Commissioner and the Intelligence Commissioner consulted before Bill C-8 was introduced? Both of them had raised serious concerns about privacy, state powers, oversight and the lack of consultation they received from the government during the study of Bill C-26.
Kelly-Anne Gibson, Director, National Cyber Security Policy, National and Cyber Security Branch, Public Safety Canada: Bill C-26 was introduced, I believe, in June 2022. We had working-level consultations with the Privacy Commissioner in June 2019, so that would have technically been before.
Senator Batters: That was long before the bill. I’m talking about consultations about the actual bill and the problems they saw with Bill C-26 so it could be fixed with Bill C-8. Why weren’t there those kinds of consultations when both those officers raised those concerns throughout the Bill C-26 process?
Ms. Gibson: We would have had the bill drafted when we talked with them in 2019. It was drafted, and then it was introduced after that, obviously.
Senator Batters: But I’m asking why they weren’t consulted after Bill C-26 died on the Order Paper and you were preparing Bill C-8. They had raised serious concerns about going through the process in committees, both in the House of Commons and the Senate. Why weren’t they consulted by the government at that point to try to improve the bill before it was reintroduced as Bill C-8?
Ms. Gibson: We didn’t consult. We had consulted in other instances, and we had examined their submissions very carefully. We went with the changes that had been made in the House and the Senate.
Senator Batters: Not the ones from the Senate. The Privacy Commissioner had specifically requested an amendment. This was the one that Senator McNair was referencing earlier. It was the third out of the three that he had requested, and it was the actual amendment that I brought to the Senate committee. It was not adopted by the Senate, but it was one that the Privacy Commissioner wanted to know about with respect to what specific major cyber incidents would be so he could know whether to investigate and also inform Canadians, if need be.
Senator McNair: Mr. MacSween, you talked about the financial impact on designated operators. It ties into a concern some of my colleagues have raised about small- and medium‑sized enterprises making up over 99% of businesses in Canada and employing 90% of the private sector workforce. Increasingly, many of these firms, as you are aware, are digital and rely on telecommunications infrastructure.
Given that Bill C-8 introduces new compliance expectations and potential orders affecting telecom systems, how will the government ensure that SMEs are not disproportionately burdened, particularly those without in-house legal or extensive cybersecurity capacity?
Mr. MacSween: Thank you for the question, senator.
The bill was designed with that in mind. We obviously don’t want to see a negative financial impact, on small- and medium‑sized enterprises in particular. I think if you look at Schedule 1, at the moment, the vast majority of designated operators would probably be on the larger side. Maybe it would help if I described that a little bit.
Schedule 1 establishes the sectors, for lack of a better term, to which the law would apply. Schedule 2, which will be developed during the regulatory process, will establish the classes of operators. It’s not going to specifically name a particular institution, for example. Instead, it’s going to say, “If you’re an institution of this size that serves customers across the nation . . .” and so on. That is just by way of an example because that will be developed later. Those institutions that fall into that class would ultimately be subject to the requirements of the legislation.
Part of the benefit of the regulatory process, even though we will be expediting this as quickly as we can, is it will give us time to determine what those classes of operators will look like.
To help us with that, the way the law works is that the existing regulators are actually the ones who will ultimately be responsible for ensuring compliance with the act. That’s helpful for us because those existing regulators know their sectors incredibly well, including the entities that make up those sectors. Aside from hearing from industry directly, we’ll also be able to benefit from their knowledge when we set out those classes of operators.
[Translation]
Senator Carignan: I see that there have been several amendments to the bill compared to Bill C-26. I would imagine that this was necessary to maintain a balance when it comes to the protection of personal information and privacy. It is clear that new information or insights have come to light in that regard. However, subclause 20(1.1) includes the following prohibition: “. . . the Governor in Council must not order the decoding of an encrypted private communication”. That was not included in Bill C-26. Why did the government include this prohibition, which would prevent the Governor-in-Council from ordering decoding? How might that affect the effectiveness of investigations?
[English]
Mr. MacSween: Thank you very much for the question, senator.
That provision was an amendment proposed by the government. It was designed to address some concerns, specifically from civil liberties organizations, that this legislation could be used to undermine encryption or otherwise create a back door. The government decided to introduce the amendment to ensure that prohibition was there.
It is a “for greater certainty” that could never have been in the first place. The act is designed to protect the underlying infrastructure; that’s the objective of the act. There would be no action that the government could take to undermine that objective in the law. However, for greater certainty, that provision was added to address that concern and ensure the appropriate guardrails were in place.
[Translation]
Senator Carignan: This refers to section 183 of the Criminal Code, so does that mean it refers only to the communications of people who are in Canada?
[English]
Ms. Gibson: Yes, you’re correct. It references section 183 of the Criminal Code. It would use that definition.
Senator Kutcher: I want to follow up on the question from Senator McNair with regard to small- and medium-sized enterprises that need to comply with the act.
Have you given any thought to providing assistance to the ones that don’t have access to extensive legal support and all that — perhaps non-profit players? Have you given any thought to providing assistance to them to help them come into compliance?
Mr. MacSween: Thank you for the question, senator.
Yes, that is contemplated in the bill. When we look at the role of the Canadian Centre for Cyber Security in this piece of legislation, we’re leveraging their advice and guidance mandate in the Communications Security Establishment Act. That is to say that they will be obligated to provide technical advice and guidance to the government but also to regulators and designated operators. In that instance, those designated operators, if it were the case that they didn’t have the technical sophistication to spell out what they’re doing to protect their vital services or systems, they could turn to the Canadian Centre for Cyber Security for assistance.
Reflecting upon that, it’s important for us to consider that we are talking about vital services and systems for Canadians. At an initial glance, the impacts on small- and medium-sized enterprises aren’t evident right away. For example, we’re talking about banking systems by the big four banks; the telecommunications network, which is predominantly owned by three large companies in Canada; and the energy sector. For the energy sector, it’s important to consider that the federal government regulates only segments of that, so there are interprovincial and cross-border elements, as well.
The way the act is set up, we’re well positioned to support SMEs as well as we can. Again, any consideration of the impacts on SMEs will be taken into account as the regulations are drafted.
Senator Cardozo: What would be examples of SMEs that would be under the act? Would there be non-profit organizations?
Ms. Gibson: The way we thought about it in terms of small- and medium-sized enterprises, they would have to provide a function that is absolutely vital. The only case where it would be a small enterprise is if it were an entity that provided a very specific type of service or product as part of a broader chain.
We don’t think, initially, that any small- and medium-sized enterprise would be designated, necessarily.
A bigger risk to small- and medium-sized enterprises is actually if one of the vital services goes down. For instance, if they lose access to the telecommunications network and can’t do a transaction, that’s a bigger risk. However, having them actually be designated is relatively unlikely, we believe, unless they have a very specific function within the broader chain of the vital service.
Senator Cardozo: On the other issue of foreign interference in Canada, does this deal with that issue? It does, I’m sure, but what’s the crossover?
Mr. MacSween: As it relates to Part 2 of the bill, it does address the threat of foreign interference insofar as that threat is directed at a vital service or system for Canadians. It’s important to consider that’s the focus for Part 2 of the legislation. We do not tend to think of it in terms of the actual threat vector; it’s more about what it is that we’re protecting from an array of threats.
Again, that’s why we go back to the fact that the bill is centred upon the idea that ensuring these vital services for Canadians are available and as resilient as possible.
Senator Cardozo: Thank you.
Senator Kutcher: Thank you all for being here. You’re the four horsemen — or four horsepeople — of this bill.
I have the same question for each of you. We can start with Ms. Gibson and go from there. Now that you’ve listened to the debates in the House and you’ve heard the comments of witnesses in the House — and I know you would have studied them very carefully — is there one thing you would suggest the Senate think about that would improve the bill?
Ms. Gibson: That’s a tough question.
Senator Kutcher: I thought it was a soft lob.
Ms. Gibson: I’ve been part of this bill since it was Bill C-26, and I’ve seen the large numbers of improvements that have gone in, both when it was Bill C-26 and now as Bill C-8. I honestly can’t think of something in particular that you could put in that would improve it.
Would I like to be able to cover more sectors? Absolutely, but that’s not within our current Constitution. I’d like to be able to afford the protections to a greater jurisdiction, but since that’s not currently not possible, I don’t think there’s anything in particular that I would recommend.
Mr. MacSween: I am in the same boat, only because Parliament has had two chances at this legislation, and there were amendments from both the House of Commons and the Senate the last time. That made a number of changes, and all for the better, I think.
I’m at a loss as to how we could improve it more. I think this gets to a bit of an earlier question. The way the bill is constructed, it’s designed to work with technology.
There is some criticism that the actual legislation itself could be seen as vague. In a way, that’s deliberate, though, because if we start talking about technology or certain types of threats, such as ransomware, I know that came up, the legislation would stale‑date really quickly. Having legislation that puts in place the regulator framework where we can start to build out the detail and then have more of the technological detail in the cybersecurity programs is a very sound approach.
Andre Arbour, Director General, Telecommunications and Internet Policy Branch, Innovation, Science and Economic Development Canada: Thank you, senator, for the question. Given that there’s been quite a bit of study or engagement on the substance of the bill itself, nothing comes to mind in terms of the bill itself. What’s keeping me up at night is the lack of authority to take action in this space, and we have just scratched the surface in some of the questions in the first hour on the range of threats that we’re seeing. There is a fivefold increase in catastrophic damage from extreme weather events and skyrocketing increases in ransomware due to what we’ve seen in terms of organized crime and crypto-currency. There are hostile actors, and CSE has publicly talked about the People’s Republic of China, or PRC, Russia and Iran specifically, and pre‑positioning or linking them to other geopolitical events.
To my colleague’s point, a lot of the devil in the details will be worked out through the regulatory process, but we are already pretty substantially behind and are champing at the bit to try to get on with it, frankly. Thank you.
Wen Kwan, Director General, Spectrum and Telecommunications Sector, Science and Economic Development Canada: Thank you, senator, for the question. As you might expect, I would say nothing, but I will add a bit more context to it.
This bill has a good balance in terms of the viewpoints from a variety of stakeholders. You name it: We have provincial infrastructure operators; people from civil societies, academia and other associations; the Intelligence Commissioner; and the Privacy Commissioner — and the list goes on.
There’s nothing in my mind that would change the bill substantively in a way that is better. We will never be 100% perfect. Cybersecurity is never 100% secure, so the most urgent need in front of us is to get the framework going so we can take real action — because some action is better than nothing.
Senator Ince: Mr. MacSween, this committee received a letter earlier today from an industry player who seems to think that you’ve overlooked an area in cybersecurity protection, and that is discarded electronic devices and properly wiping equipment and devices. Can you give us an idea of whether that is something you have thought about? Is it something that we should be concerned with?
Mr. MacSween: Thank you, senator, for the question. I don’t know if we thought about that one very specific issue. If that is of concern — and this kind of goes back to my previous point about how the legislation is set up — when designated operators will be required to lay out their cybersecurity programs, we will have the opportunity in the regulations to build in what will be required in those programs. If the disposition of older devices is determined to be of concern, that can absolutely be built in as a requirement in the regulations for cybersecurity programs.
The honest answer to the question of whether we thought specifically about that is no. But can we address it under the legislation? Yes, that can be done. Absolutely.
Senator Ince: Let me try to get an understanding. When we talk about scanning equipment, confidential records, information, storage, media vaulting, digital and so on, you’re saying that it’s something that could be addressed?
Mr. MacSween: Yes. The caveat I have to put on that, though, is it’s insofar as it impacts a vital service or system. It always comes back to the protection of the vital service or system. As I mentioned, if any of those are considerations in the protection of that vital service or system, then yes, they can be considered.
Senator Ince: Thank you.
Senator Yussuff: I have a series of questions. I will put them to you in rapid fire.
Given it’s been quite some time since the last bill we were studying — here we are again on Bill C-8 — how would you describe the urgency around getting this passed?
Mr. Arbour: Thank you, senator, for the question.
The one mitigating factor is that in the interim we maintain some good, cooperative, voluntary activities with the private sector. It’s not to say that we’re not doing anything while waiting for the bill to pass.
Frankly, however, we’re falling further and further behind in terms of our ability to stand up the core architecture. There are many unknowns. When we start getting incident reports and more granular information, we will be in a better position to truly understand the nature of the challenges we are dealing with.
Sequencing the regulatory program will be a real challenge because there is a lot we will need to be prepared to tackle.
As it stands, first out of the gate — at least in the telecom space — will be high-risk vendor equipment. Then there is a slate of other considerations as we look at the security and resiliency of our networks. We will need to think hard about how best to sequence that because industry can only absorb so much in any given period, and we will do our best to design those rules so it is factored into their natural provisioning cycles so that it can be implemented in a sane way.
However, that will involve consultation and ensuring that we’re rolling it out in a staggered way so that it can best be implemented by our partners in the private sector.
Senator Yussuff: I have a follow-up on the question Senator Batters asked you, specifically on the time frame for the regulatory regime to happen. Given the urgency of this bill, because we are way behind on the needs of the country’s security, if we were to make an observation that we expect the government to move as quickly as possible within the next 12 months on the regulatory regime — because this legislation would be ineffective unless you have the regulatory regime — would that give you some strength, to be able to say, “We have direction that we need to act on in terms of the time frame”? We know regulation could take forever, and we can’t compel you once this bill is adopted by the Senate and then the House.
Mr. Arbour: Thank you, senator, for the question. Certainly, on the telecom space, the architecture is different such that we’re probably looking more within a 6-to-12-month time frame. It will depend on the decisions of cabinet, and it will also depend, to a certain degree, on what stakeholder comments we get. If we get a lot of unexpected things, then we will need to take more time to ensure that we get it right.
Certainly, we are seized with it. Ultimately, decisions are made by cabinet, but there’s an appreciation of the need to move quickly. Certainly, we have heard from the Prime Minister about his emphasis on that, and we are gearing up to try to hit the ground running post-Royal Assent, should that be received.
Senator Yussuff: Thank you.
Senator Hay: Thank you, all. I was triggered, probably literally through PTSD, by something that Senator McNair and then Senator Cardozo spoke about around SMEs and not‑for‑profits. This may be out of scope, but I want to share an experience I had.
Perhaps the definition of “vital service or system” needs to be refined.
In an organization I worked in before as the CEO, we were attacked with malware, ransomware, in a bad-actor environment quite significantly. They had been in our system for quite a while, hovering through our emails as well as on the financial side. Luckily, our organization had great friends in the banking system. We are talking hundreds of thousands of dollars, which is a lot to a small not-for-profit, for sure, but we were able to trace it and engage the RCMP and other police.
I would say law enforcement was not particularly responsive; we were small folks. Yet an organization that’s a 24-7 e-mental health solution is a vital service. So is 9-8-8 suicide prevention.
This may be totally out of scope, but it’s a real-life example that we stickhandled, and it took us months to harden our system and figure it out. I’m curious how this bill would help an SME or a not-for-profit in a similar regard? Luckily, it didn’t hit our data for the services we provided.
Mr. MacSween: As the minister pointed out, we can only legislate in the area of federal jurisdiction, hence the focus on federally regulated critical infrastructure. That being said, though, there are probably indirect benefits for small- or medium-sized organizations. Both Parts 1 and 2 are, obviously, heavily reliant on Canada’s telecommunications network — in order to run your own systems and whatnot.
The powers in the bill that allow us to ensure that those things are being managed properly will absolutely have an indirect positive impact on those smaller areas.
As well, I would highlight that, though not related to the legislation, the Canadian Centre for Cyber Security does put out quite a bit of advice and guidance that anyone can benefit from. That’s part of the reason that mandatory incident reporting is included in this bill: If we learn about a significant cybersecurity incident, the Canadian Centre for Cyber Security can take that in, anonymize the information and push out technical advice and guidance — whether it’s to a small not-for-profit or a hospital or a large corporation — on how to address it and then how to fix it.
As my colleague often says, we want to create that virtuous circle whereby one incident becomes a defence for all the others.
Senator Hay: That’s great. In the moment, though, that’s not particularly helpful. At some point, I’m sure it will be. I don’t mean to discount your advice.
The fact that it came in and out of the banking system, though, does that help a national not-for-profit because it’s in that finance pillar?
Mr. MacSween: If it did come in and out of the banking system, then this should assist. Again, we have to stress that, at the end of the day, the bill is about ensuring that the designated operators are doing what they need to do to protect that vital service or system. If through that we’re able to catch these types of threats, then ultimately it would have an impact —
Senator Hay: Thank you. I think it’s slightly out of scope, but it’s very helpful.
Senator Dasko: My question is about technology. We know how quickly technology changes. On the National Defence Committee, for example, we know a lot about drones and how drone technology changes almost every couple of weeks.
When it comes to the technology here, what’s called defence technology — that is my terminology, not yours — the technology that companies will be using, how does the fact of change intersect with your regulatory framework?
You’re requiring industries to take on various activities and technology. Do you also require them to keep up with changes? Is that part of the framework that you’re putting into place?
Mr. MacSween: Thank you for the question. Yes, it can be. I will step back a little bit, as I mentioned this before.
The legislation itself, if you read it, is fairly technology agnostic. You don’t see those terms in there. That’s obviously deliberate because, to your point, it evolves and changes quickly. We don’t want that legislation to stale-date.
In terms of the type of technology that a designated operator would be using, we would see that articulated in their cybersecurity program, for one, but the other key point in this bill is that they will be required to identify and mitigate risks in their supply chain.
If they are using a certain piece of technology that presents security risks, then the designated operators themselves will have to identify that and either describe how they are mitigating that risk or changing the technology. If there were a significant enough concern with that technology, there are obviously order‑making powers in legislation that could be used to have them remove that piece of technology and so on.
That is the long way around saying that’s how we intend to get to that question in the bill: through the identification in the programs and risk identification and mitigation.
Senator Dasko: You’re saying directly you have to change the technology but through the responsibilities they have going through it.
Mr. MacSween: Yes. I should note as well that the cybersecurity programs have to be refreshed. Perhaps my colleague can remind me how.
Ms. Gibson: It’s on an annual basis. I would add that, through incident reporting, we will also get smarter in terms of understanding what’s coming at us so that we can refine those cybersecurity programs and adjust our defences. It’s really meant to be an ongoing iterative process.
Senator Dasko: Thank you.
The Chair: In round two, Senator Batters and Senator Yussuff, if you wouldn’t mind both presenting your questions, we will have an opportunity for our panel to answer them.
Senator Batters: The government’s own Gender-based Analysis Plus for Bill C-8, except for three paragraphs found in the former Bill C-26 document that are missing from the new Bill C-8 document, is identical. In their place is the word “redacted.” Even so, the entire two-page Gender-based Analysis Plus document only refers to “women and girls” once.
Why did the government redact those three paragraphs in the Bill C-8 GBA Plus? It was a rare passage that actually specifically noted possible negative effects on certain Canadians. Was it to avoid drawing attention to the bill’s adverse consequences in hopes that parliamentarians wouldn’t notice it and wouldn’t notice what had been removed? Why are women and girls treated almost as an aside in a Gender-based Analysis Plus document?
Senator Yussuff: The two big concerns whether this bill meets the test or not have always been, first, whether there is a reasonable balance regarding privacy; and, second, whether there is a reasonable balance in terms of civil rights? The intrusion could always be the creep.
From the amendments that have been made at the House and what you have heard through Bill C-26, do you think we strike the right balance here?
The last question I would raise has to do with telecom data that is offshored for use by other operators that we have no control over because they are in another territory. How do we hold them accountable when they offshore that data outside the country?
Mr. MacSween: On the GBA Plus question, we’ll have to undertake to follow up with the committee, just so we can review the missing language. I’m not familiar with it off the top of my ahead.
In terms of striking the right balance, I believe we have. A lot of the amendments that were made obviously reaffirm the application of the Privacy Act and put significant guardrails around the order-making powers.
With Part 2, the act itself doesn’t contemplate the collection of personal information. It’s really focused on either confidential information — and we see that defined in the act and the protections around that — and technical information. That means technical information that would be required to assess a cybersecurity incident and determine what the technical response will be. The risk of that materializing would come through the mandatory incident reporting by the designated operator to the Canadian Centre for Cyber Security.
We have to acknowledge, though, that even though we will spell out in regulations the information a designated operator is to provide, which wouldn’t include personal information, its inclusion is always a possibility. The Intelligence Commissioner himself was on record as saying that in his reviews he has seen cases where information came in personally identifiable information, or PII, so that’s the real importance of striking that balance. We rely on the existing safeguards: the application of the Privacy Act in order to protect personal information as well as all the safeguards built into the Communications Security Establishment Act.
For this reason as well, there is the notification to review agencies so that they are aware of when orders are issued, have the ability to review and so on.
Mr. Arbour: I’ll just speak to the balance and then the offshore question.
I agree with my colleague that a very strong balance has been struck. I will actually step outside of the balance construct because, in my opinion, the threats we’re seeing are by far the biggest risk to Canadian privacy. The ShinyHunters ransomware attack on AT&T resulted in the information of 105 million of their customers being accessed. BPFDoor, an attack in SK Telecom in Korea, affected the data of 27 million customers.
The attacks that we are dealing with here are, in my opinion, by far the biggest risk to Canadians’ privacy. That said, I appreciate the questions about guardrails and ensuring that Canadian civil liberties are respected in this context. As a result of that feedback, a set of guardrails has been built into Bill C-8. It starts with the initial scoping. We’re not talking about national security writ large, so this doesn’t engage with law enforcement or investigations. It’s about the protection of the critical infrastructure specifically.
For greater certainty language, that order-making power cannot be used to intercept personal communications and cannot be used to disrupt encryption. There has been a lot of commentary about whether this could be a lawful access bill. That was not the intent, and that further language underscores that lawful access is a separate bill and is not within the scope here. Then, on the handling of personal information, should it be accidentally or inadvertently submitted to us, there’s an extra set of considerations and extra controls, over and above commercial information, to ensure that it is protected.
The Chair: Thank you.
Senator Batters: I have a point of clarification. I would like to let the officials know that I quoted the missing three paragraphs in their entirety in the second reading speech I gave in the Senate Chamber, so you can find them there.
The Chair: That brings us to the end of our time with you here today. Thanks for doing a double shift with our witnesses. We really appreciate that and appreciate you taking the time to meet with us.
For the next panel, we’re very pleased to welcome the Honourable Simon Noël, K.C., Intelligence Commissioner, Office of the Intelligence Commissioner, who is accompanied by Justin Dubois, Executive Director and General Counsel. We also welcome Brendan Carley, Managing Director, Legislative Affairs and Strategic Relations Division, Office of the Superintendent of Financial Institutions. Also joining us, by video conference, are our friends from Canada Energy Regulator, Chris Finley, Director, Emergency Management & Security; and Robert Shepherd, Technical Specialist.
Thank you all for joining us here today. This work is very important. You can see we’ve had a variety of testimony today.
We will begin by inviting you to provide your opening remarks, to be followed by questions from our members. I remind you that you each have five minutes for your opening remarks.
[Translation]
The Honourable Simon Noël, K.C., Intelligence Commissioner, Office of the Intelligence Commissioner: Thank you, Madam Chair and honourable members, for the invitation. I am accompanied today by Justin Dubois, Executive Director and General Counsel at the Office of the Intelligence Commissioner.
As some of you may know, I appeared before this committee to discuss Bill C-26, the previous version of this bill. I remain of the view that Canada must have the necessary tools to protect our critical electronic systems, but that these tools must be accompanied by the appropriate safeguards and independent oversight. Bill C-8 is a useful tool, and I support its objectives. However, I am of the view that independent oversight would strengthen the bill.
[English]
One of my duties as Intelligence Commissioner, or IC, is to approve ministerial authorizations for cybersecurity activities. These authorizations grant CSE permission to access and collect information from IT systems belonging to non-federal entities that have been designated as being of importance to the federal government. An example in the public domain are the IT systems of the governments of Nunavut, the Northwest Territories and the Yukon.
The reason why my approval is necessary is that for CSE to be effective in carrying out cybersecurity activities on those systems, it will inevitably have to collect information around which Canadians have a reasonable expectation of privacy. Parliament was therefore of the view that oversight was required. Before approving cybersecurity activities, I must determine that they are reasonable and proportionate and that CSE has taken all appropriate measures to protect information in which Canadians may have a privacy interest.
[Translation]
Under this bill, regulations will set out what information designated operators will have to provide to the Communications Security Establishment, or CSE, if they are a victim of a cybersecurity incident. CSE is our cybersecurity expert. It is in our national interest for CSE to have a more complete understanding of cyber-incidents to respond more effectively. The information shared will have to be sufficient to provide CSE with a robust understanding of the incident.
[English]
In my experience as IC, even if CSE is only interested in receiving technical information to understand incidents, there may be cases where it must receive more than technical information. There may also be cases where technical information will touch on the privacy interests of Canadians. Indeed, CSE’s recent written submissions to this committee confirm that data on cyber incidents can include information with a Canadian privacy interest.
For example, IP addresses can be indicators of compromise shared to better understand cybersecurity incidents, and the Supreme Court of Canada has confirmed that there can be privacy interests in IP addresses.
It’s also important to remember that, under this proposed legislation, the reporting of cyber incidents will be mandatory.
Through CSE, the government would be collecting this information.
I think it is necessary to collect information relating to cybersecurity incidents. CSE should receive the information it needs to be effective. However, I remain unconvinced that regulation will guarantee that information shared following a cybersecurity incident will absolutely never engage the privacy interests of Canadians. If that’s the case, the question for this committee is whether additional oversight is warranted.
You heard the answer of the Public Safety representative a few moments ago when he was talking about the regulations at the end.
[Translation]
I would be happy to answer any questions.
[English]
The Chair: Thank you very much.
[Translation]
Brendan Carley, Managing Director, Legislative Affairs and Strategic Relations Division, Office of the Superintendent of Financial Institutions: Good evening, Madam Chair and honourable senators. Thank you for the opportunity to appear before you today as part of your study of Bill C-8.
[English]
I am pleased to provide the perspective of the Office of the Superintendent of Financial Institutions, or OSFI, the regulator of federally regulated financial institutions, including banks, which, as we have heard, comprise one of the vital services or systems contemplated under the proposed critical cyber systems protection act.
From OSFI’s perspective, cyber risk is a prudential risk. More broadly, cyber-threats form part of a growing set of integrity and security risks that can affect operational resilience, erode public confidence and, if not well managed, have broader implications for an institution’s financial resilience.
These risks are evolving quickly. They are increasingly sophisticated, often originate outside the financial system and can spread through third-party service providers, supply chains and interconnected digital infrastructure. This is why OSFI has steadily strengthened its supervisory focus in this area.
Cyber risk, integrity and security are prominent areas of focus in OSFI’s Annual Risk Outlook publication, which we publish on our website. We have also established clear supervisory expectations through a number of important policy instruments.
This includes Guideline B-13 on technology and cyber risk management, which sets expectations for governance, technology resilience, cyber preparedness and incident recovery. It also includes Guideline B-10 on third-party risk management, which addresses risks arising from external service providers, including technology dependencies that may introduce operational vulnerabilities. In addition, OSFI’s Integrity and Security Guideline reinforces expectations around safeguarding institutions against a broad range of evolving threats.
[Translation]
OSFI also requires timely reporting of material cyber-incidents and works closely with federally regulated institutions to assess preparedness, strengthen resilience, and improve awareness of emerging threats. We actively collaborate with federal partners to strengthen collective situational awareness and support a coordinated approach to emerging cyber and other risks.
[English]
From OSFI’s perspective, Bill C-8 would complement our existing regulatory and supervisory framework. In particular, its emphasis on cybersecurity programs, incident reporting, supply chain and third-party risk mitigation and coordination among regulators is broadly aligned with the direction OSFI has already taken in our supervisory and policy work.
Importantly, Bill C-8 maintains a sector-based approach that recognizes the role of existing regulators and supports proportionate, risk-based oversight. From OSFI’s perspective, that alignment is important in reducing unnecessary duplication while reinforcing resilience across critical sectors.
Cybersecurity is not a static challenge, as we’ve discussed tonight. It requires ongoing vigilance, adaptation and close collaboration between regulated institutions, regulators and national security partners.
OSFI remains committed to doing its part to support a strong and resilient financial system in Canada.
[Translation]
Thank you. I would be pleased to answer your questions.
[English]
The Chair: Thank you.
Chris Finley, Director, Emergency Management & Security, Canada Energy Regulator: Good evening. My name is Chris Finley. I am the Director of Emergency Management & Security at the Canada Energy Regulator, or CER. I am joined today by Mr. Robert Shepherd, Technical Specialist, Security.
Thank you for inviting the Canada Energy Regulator to appear before the committee today to discuss Bill C-8.
Before going further, I want to acknowledge that I am appearing before you today from Calgary, Alberta, located within Treaty 7 territory, the traditional territories of the Blackfoot Confederacy, which includes the Siksika, Piikani and Kainai First Nations. Treaty 7 is also home to the Tsuut’ina First Nation and the Stoney Nakoda, including the Chiniki, Bearspaw and Goodstoney Nations. I would also like to recognize the Métis who have settled in Southern Alberta and call this place home.
I would like to give you an overview of the CER’s mandate. We work to regulate infrastructure to ensure the safe and efficient delivery of energy across the country.
The CER regulates pipelines, power lines, energy resource development and energy trade on behalf of Canadians, with a view to protecting the public and the environment while promoting market efficiency.
Safety is at the core of our work. We regulate to prevent harm in all forms, and this includes cybersecurity threats. The CER takes the matter of cybersecurity threats to Canada’s energy infrastructure seriously.
The CER oversees roughly 71,000 kilometres of oil and gas pipelines in Canada. We regulate pipelines that cross provincial boundaries or the Canada-U.S. border. CER-regulated companies are required to have proactive measures in place to protect this critical infrastructure from cybersecurity threats.
Under the CER’s Onshore Pipeline Regulations, regulated companies must have a security management program that anticipates, prevents, manages and mitigates conditions that could adversely affect people, property or the environment. In addition to physical threats to infrastructure, companies must consider cybersecurity threats in their security management program and implement appropriate mitigation based on the results of a security risk assessment process. These requirements are laid out in the Canadian Standards Association’s Z246.1 standard, which is included in the Onshore Pipeline Regulations by reference. Cybersecurity measures must reflect the criticality of cyber assets, as well as the results of regular assessments of threats, vulnerabilities and overall security risk.
The regulation of electricity generation, transmission and distribution rests primarily within the jurisdiction of provinces and territories. However, the CER regulates approximately 1,500 kilometres of international power lines.
The Canadian public rightfully expects us to hold the pipeline and international power line companies we regulate accountable for the safe operation of CER-regulated energy infrastructure.
The CER is well positioned to administer the obligations of Bill C-8 that apply to the companies we regulate, particularly given how these obligations complement those already found in the Canadian Energy Regulator Act. For example, the bill provides the CER with the ability to issue orders and to take necessary enforcement actions to bring a company back into compliance so that critical cyber systems are protected.
The CER already uses similar tools. For example, the CER issues notices of non-compliance, inspector orders and administrative monetary penalties, as necessary, to bring companies into compliance and ensure their safe operation.
The CER also verifies that companies are complying with requirements through inspections, audits, compliance meetings and emergency response and security exercises.
We work with federal, territorial, provincial and international agencies, as well as regulated industry, to ensure that proactive measures are taken to protect federally regulated energy infrastructure from cyber-related risks or attacks.
In closing, thank you for the opportunity to speak with you today about this important issue. We look forward to your questions.
The Chair: Thank you. We will now proceed to our questions this evening. Our guests will be with us until about seven o’clock. As always, we will do our best to allow each member to ask their questions. Also, four minutes will continue to be allotted for each question.
I ask that you keep questions as succinct and tight as possible. I’m going to offer the first question to our deputy chair.
Senator Al Zaibak: I thank you all for being here today.
Commissioner Noël, thank you for your opening remarks. From your opening statement, I’m wondering whether you are counting on this committee to make amendments to further improve the bill. If so, do you have any recommendations or submissions for us to consider?
Mr. Noël: Yes. Thank you for your kind comments.
My jurisdiction triggers when a minister makes a decision to permit CSE to, for instance, assume certain activities in order to protect Canadians. Then, my duty is to ensure that the activities occurring will not negatively impact Canadian data and information on Canadians.
The recommendation I have to this committee is simple: The Minister of Public Safety should annually grant authorization to CSE to do its work under this bill, which would become law, and that authorization the minister would grant would list whatever has to be done and related concerns. My duty, then, would be to review that decision once it is signed.
So, it’s twofold: Is it in line with what the legislation wanted? Second, and most importantly, are the policies of CSE sufficient to protect the Canadian data that will be collected? If they do collect information, how long are they going to keep it and for what purpose? It would also be my part to make sure that if that information is not useful, then it should be destroyed.
It would be like in other legislation — like the CSE Act. The minister should grant an authorization, which will be reviewed by the Intelligence Commissioner on a yearly basis. It’s not a big burden; it’s on a yearly basis. Then I would issue a decision that would explain whatever has to be done or, if an error has been committed, to flag it out. That what would be my suggestion.
Senator Al Zaibak: Thank you so much.
Are you also considering or suggesting more parliamentary oversight?
Mr. Noël: NSICOP already provides oversight from members of Parliament. That exists already.
The difference with the position of the Intelligence Commissioner is the following: NSICOP, the parliamentary committee, reviews things once the activities have occurred, and I come in before the activities begin. It’s an assurance that is given to the Canadian public that a third party has looked into the situation and has given its blessing or decided that the activity should be done differently.
Senator Al Zaibak: Thank you so much.
Senator Cardozo: First, to carry on with that conversation, Mr. Noël, your role is to oversee national security and intelligence activities that are planned by the Communications Security Establishment and CSIS. Does this bill help or otherwise affect your mandate?
Mr. Noël: I’m completely absent; I’m not involved. If you compare that to the cyber activity that the Canadian Centre for Cyber Security is authorized to do, it follows the decision of the Minister of National Defence, which I have reviewed. In this case, if you look at the documents of CSE that were filed — just for reference purposes, I’m looking at page 7, the top paragraph — it’s only a review that will be done. The type of job that I’m doing is not at all part of that process under this bill.
Senator Cardozo: Okay, thank you.
Mr. Carley, I’m paraphrasing, but you said something to the effect of this bill adding to a security framework that you currently have; correct me if I have quoted you wrong. What are the other acts that define your security framework?
Mr. Carley: Thank you for the question.
We are founded through legislation called the Office of the Superintendent of Financial Institutions Act that sets out the superintendent, the mandate of the office and our powers. We also administer financial institution statutes, like the Bank Act, the Insurance Companies Act, the Trust and Loan Companies Act — a number of statutes under the responsibility of the Minister of Finance. We would be added under this bill as one of the regulators for the designated operators in the banking sector.
Senator Cardozo: Are there other existing cybersecurity policies that affect your mandate?
Mr. Carley: In terms of our risk mandate around looking to assess and help improve the prudential health, security and integrity of federal financial institutions in Canada, we have broad authority to develop risk-management guidance that we, then, expect our regulating institutions to follow. That includes things like cyber and operational resilience and third-party risk management that then comes back to how they effectively manage the risks of operating as financial institutions and maintaining the trust of Canadians.
We look at some international best practices, and there are a number of regulatory colleges in which OSFI participates globally, that will inform some of our risk-management expectations and approaches, but we don’t have specific legislative cyber frameworks that we follow.
Senator Cardozo: Okay, thank you.
Senator Batters: Thanks very much to all of you for being here. My questions will focus on the Intelligence Commissioner, Mr. Noël.
While Bill C-8 has been improved somewhat, mainly by House of Commons amendments, as compared to Bill C-26, one area remains a glaring omission, which is oversight — pre‑authorization for the kinds of orders the law allows. There is virtually none in this bill. In fact, Bill C-8 specifically bypasses, as you indicated, the Intelligence Commissioner, even though your oversight is required in similar order-making contexts.
I understand that the government’s decision to bypass the Intelligence Commissioner is also at odds with a recent update report on developments in data protection in which Canada specifically trumpeted your office as a vital oversight actor, which it obviously is, but it’s shocking that it’s not being used here.
Please tell us more. You certainly got into this with Senator Al Zaibak in the opening exchange, but please tell us a little bit more why you think oversight and pre-authorization are so critical for this act.
Mr. Noël: The position I’m in is the following: I view the decision of the minister and the activities that he grants or permits the agencies to actualize.
I’ve been doing this for the past four years. I can tell you that my experience is such that two or three times I decided that some of the activities that the minister wanted to grant were not to be. Why did I do that? I had viewed the jurisdiction as it was granted, Senator Batters, and came to the conclusion that what the agency wanted to do was not in conformity with the jurisdiction. Therefore, this activity did not occur.
Let me go a little bit further. What did it do? They came back. They tried to improve, and they did in some cases. As recently as this year, they did. That’s justice one example. That’s for the cybersecurity aspect.
If I look at CSIS now, we’re not talking about cybersecurity, but it will provide a good example. CSIS operates in the field with human sources, and the human sources get their direction from their handler. My position is to follow up on the Minister of Public Safety’s decision, which is to permit the activities, and I look at whether there are categories of activities that can be actualized. Again, Senator Batters, on two occasions, I denied some of the activities. They would have been illegal and gone against the legislation.
Let me go further. The big concern for all Canadians is our information, be it our data, our bank information or our medical information. We are misers of our information. When I approach a decision in which I’m involved, I’m a miser in my decision, but by being so, I’m a miser for all Canadians. If you want to impact the personal information of Canadians, you must justify doing so. It compels the decision maker or the agency to really ask, “Can we do this? Are we doing it in accordance with the law?”
Senator Batters: Thank you.
Senator McNair: Commissioner Noël, thank you for the work that you have done over the past four years and for your testimony on Bill C-26 and again on Bill C-8. You mentioned in your comments it’s not onerous, what you’re suggesting, and is only on a yearly basis. Can you expand on that and explain that for me? I thought we were talking about prior to the order.
Mr. Noël: Yes, the decisions that I review are decisions that regard cybersecurity and are good for a period of one year. They have to come back a year later and ask the minister to continue. I review the decisions then.
Justin Dubois, Executive Director and General Counsel, Office of the Intelligence Commissioner: What the Intelligence Commissioner is proposing would be in the sense of a yearly authorization regarding how information from a cyber incident is handled by CSE. It wouldn’t be every single cyber incident getting pre-approval. It would be a framework for how that information is handled, and then that framework would be reviewed on an annual basis by the Intelligence Commissioner after being authorized by the minister.
Senator McNair: In accordance with the act at the time or the bill right now.
I’m sure Commissioner Noël is aware, and the other panellists probably are as well, that there were a number of amendments to the bill at the House of Commons committee that I think strengthened the bill. They were primarily around privacy safeguards and the applicability of the Privacy Act. Safeguards in the CSE Act continue to apply, regardless, and also put guardrails around the order-making power of the minister and cabinet.
We heard one of the officials from the second panel say that what keeps him up at night is the lack of authority to take action against cybersecurity threats currently without the legislation in place. He also said that the biggest threats to Canadian privacy are the cybersecurity incidents occurring on an ongoing basis.
In light of the changes that have been made, do you think the bill strikes the right balance at this stage? Mr. Carley, I’m curious to know if you would pass the legislation now or continue to work on improving it.
Mr. Carley: Thank you for the question. From OSFI’s perspective, we will be a responsible regulator under the act. We think that there are benefits to the legislation moving forward, and we support it. It will provide additional last-resort powers, as Public Safety officials have spoken about, in terms of our ability to compel reporting and administer penalties if the legislation isn’t respected.
These are next steps beyond what we already do and the general approaches that we take as the federal financial institutions regulator. We do, though, see some additional benefits in terms of the required reporting to the Cyber Centre under CSE. We think the information flowing more broadly — coming across from different critical sectors, enabling a better identification of risks and a better view of the threat landscape — will then assist critical service providers in different industries to then, as we talked about, harden their attack surfaces and be more resilient to the risks. We can’t control those risks. It’s about how you prepare and mitigate the risk threats to institutions.
So, we support the legislation and remain ready to administer our responsibilities under it.
Senator McNair: Thank you.
Senator Ince: My question is for Mr. Noël. Do the limits in Bill C-8 clearly prevent information collected for cybersecurity from later being used for intelligence purposes beyond what Parliament intended?
Mr. Noël: It all depends on how the Cyber Centre deals with that information. The Cyber Centre has its own policies and timetable as to how long they can keep information. I can assure you that I’ve been following that very closely. The policies are the best they can be at this time.
What the future can tell — cyberattacks change drastically. The modes of operation change. They can capture medical information. They can capture bank data. They can capture a list of electors in a province and decide to do something with it.
It’s hard for me to answer this question. I’m doing my best. The tools are there, but what is really missing is having somebody that looks over the shoulder and says, “Have you done your job correctly?” In fairness, I should say that NSIRA, the national security agency that reviews, comes post facto. They may see something, but that will be one, two or three years down the road.
Senator Kutcher: Thank you very much to my colleagues for ceding me their time.
My questions are to Mr. Finley and then to Commissioner Noël.
First, Mr. Finley, are there areas in this bill that you would improve or you suggest we look at improving?
And then, Commissioner Noël, is there legislation in other states and other jurisdictions that you think captures the issue that you are raising? If so, which jurisdictions what types of legislation is it?
Mr. Finley: Thank you for the question. Under the Canada Energy Regulator, we have fairly robust oversight currently with the Canadian Energy Regulator Act, the Onshore Pipeline Regulations and CSA standard Z246.1. We anticipate that Bill C-8 will increase and enhance what we already have in terms of the requirements for the cybersecurity program, supply chain considerations and especially on the incident reporting side, to inform the Cyber Centre of what’s happening in our industry and also be able to receive that information ourselves — to determine how we would implement the information that comes back in terms of our compliance oversight.
At this point, there is nothing that would be lacking from our perspective. We think that it’s fairly comprehensive and should supplement what we already have in place as a regulator. Thank you.
Mr. Noël: The position of the Intelligence Commissioner is really a Canadian product, and it’s hard to see what other countries would be doing under circumstances like this.
Let me add another point here: We have a Charter in Canada. Not too many countries have a Charter, so it’s hard to see if somebody else could do it. However, in my case, the Charter and the rights contained in it are top of mind when I deal with the issues that I have to on a daily basis.
[Translation]
Senator Youance: My question is for the Canada Energy Regulator. If we consider the example of the major blackout that occurred in Spain, what substantive safeguards does Bill C-8 provide to prevent or contain a cyberattack that could cause a widespread power grid failure in Canada?
[English]
Mr. Finley: Thank you for the question. I may turn it over to my colleague after responding.
Existing regulations on the international power line side are complex, no question.
The companies operating within Canada and crossing interprovincial and international borders generally follow strict North American Electric Reliability Corporation standards, so critical infrastructure standards and protection standards exist now, and they are fairly robust, and through the Canada Energy Regulator’s general order, companies that we regulate must also follow those standards.
The addition of the CCSPA would certainly enhance that protection and ability to understand the threat landscape and to work with federal departments, such as the Cyber Centre, CSE, CSIS and RCMP, as we look at our own infrastructure and how we regulate.
Mr. Shepherd, would you have anything to add?
Robert Shepherd, Technical Specialist, Canada Energy Regulator: I don’t have much to add. I will simply that we already require, as my colleague pointed out, that regulated companies have robust security management programs, which identify the assets and the threats and vulnerabilities associated with those assets and come up with and deploy countermeasures commensurate with the risks posed to those assets.
That would not change under the CCSPA. The addition of cybersecurity plans would complement what we already have.
The mandatory incident reporting requirement of the act will, as several of my colleagues pointed out, improve our situational awareness for the types of attacks or efforts that threat actors are implementing at any given time and improve our ability to react nimbly to that in terms of how we structure our compliance oversight of regulated companies to ensure that we are leaning forward and ensuring that they are mitigating those threats as well as they can. Thank you.
[Translation]
Senator Youance: With regard to the cybersecurity expertise required to address all of these challenges, would there be a disproportionate impact on small producers operating at a national level compared to larger companies?
[English]
Mr. Finley: Thank you for that question. I would say that the Canada Energy Regulator has a significant amount of experience in terms of how we regulate large and small operators through the Onshore Pipeline Regulations and the CSA standard we were referring to earlier. They are quite scalable to the type of operation that we regulate.
Most definitely, the opportunity is there, and through CCSPA and the regulations that will be developed to support it, we understand that there will be an opportunity to continue that kind of proactive and flexible performance-based oversight.
Senator Yussuff: Thank you, witnesses, for being here. I have a couple of questions. I will start with Mr. Carley. OSFI does an incredible job, obviously, in trying to provide oversight to what the banks can do, but let me dig down a little.
In Quebec, the largest financial institution is not a bank, but it has federal reach and operates outside of Quebec. How would you assist them in that regard? More importantly, a lot of our credit unions are not as large as banks but provide an incredible financial service to their consumers.
How do you assist them, granted that the province doesn’t have a robust system to help our credit union meet cybersecurity threats they may be faced with on a regular basis?
Mr. Carley: First, in terms of Quebec, the institution that you mentioned does have some federally regulated subsidiaries that are under the oversight of OSFI. Between OSFI and some of the prudential regulators — actually, all the provinces — we have a national association that is there for sharing information and best practices.
As a matter of course, when we come out with new regulatory guidance and expectations, we’ll share that in advance of publication and have ongoing conversations with a number of the provincial regulators about the evolution of our policy suite. That goes from things like capital liquidity standards for banks right through to these non-financial risks, as we often call them, so operational cyber-resilience and third-party risk management.
Further, the regulator in Quebec also has its own representation at the international level alongside OSFI and certain groups, so I wouldn’t underestimate the resources or capacity of some of the regulators.
Senator Yussuff: Commissioner Noël, thanks again for being here, and thank you for your insistence on your responsibility being acknowledged but equally being observed. We don’t need your office if your office is not being treated with respect and honoured for its responsibilities.
Given this enormous responsibility, I want to restate something you have said. I want to make sure I understand it correctly. You’re simply saying that you want the opportunity, for any order the minister would issue to CSE, to review that order to ensure they are in compliance in keeping with your responsibility as the oversight officer for that jurisdiction.
Maybe you could simplify for me what you see as missing in the legislation and how this could be corrected.
Mr. Noël: The fact that the Intelligence Commissioner is not part of the system means that, at the beginning of any decision, there will not be any involvement of a third party that will look into the situation and make sure that it’s in accordance with their legislation.
Second, when they do collect information on Canadians, they do it in accordance with their own internal policies. They will be left on their own, except after the fact.
Then NSIRA, the civilian review agency, will have an opportunity. It’s been shown that 50 decisions of our office have produced on the part of the agencies an attitude of being very meticulous and very concerned about information on Canadians and with ensuring that they don’t go overboard when they have to deal with it for the purposes of solving, for instance, a cybersecurity incident.
Senator Dasko: My questions are to Mr. Finley and Mr. Carley. We are talking about legislation that is supposed to protect the infrastructure in these two industries. I want to ask a question about prevention.
Will this help prevent anything? Are you just expecting to face a barrage of cyberattacks into the future? Are there any preventative expectations in this legislation or is it just protecting and cyberattacks will continue without letting up? I want your sense of the future with the legislation.
Mr. Carley: I will start on that question and some of the requirements under the legislation in terms of operators needing to have strategies in place to deal with cyber-threats. I can speak to OSFI’s experience in terms of similar requirements that we have through our guidance, but they don’t have the same power of law as what will be in this legislation.
With the operators needing to put in place a strategy to mitigate the risks, they need to understand what the risks are. They need to understand where their vulnerabilities are as operators, and then they need to have the resources and expertise and the mitigants put in place.
These types of general requirements in the legislation can drive very specific risk outcomes for operators over time. I don’t want you to go away with the expectation that, at least in the banking sector, we don’t have expectations in place like that already. We do. However, this bill’s reach across a number of industries and, as I mentioned, the reporting on incidents and the ability of the Cyber Centre to pull in that information and look across sectors, then provide that intelligence back to operators, can, over time, have an impact on the ability to mitigate and deter threats.
Senator Dasko: Mr. Finley, do you have any comment on that?
Mr. Finley: Yes, and thank you for the question. It is slightly different under the Canada Energy Regulator. We have the existing Onshore Pipeline Regulations, and there is a legal requirement for companies to develop a security management program already, so it does have prevention aspects to it. It is to anticipate, prevent, manage and mitigate conditions that could adversely affect people, property and the environment.
With Bill C-8, we would see the enhanced reporting fed back to us or given to us directly so we can look more on a preventative basis at our companies through our compliance oversight and get ahead of the game.
If we know something has happened in terms of an incident, we can look across our industry and either issue safety advisories or do compliance activities that focus on that specific issue. Thank you.
Senator Dasko: Thank you.
The Chair: In the interests of time and efficiency, we do have round two, Senator Cardozo. I would like to propose we have the three questions stated on the record, and then I would encourage you to respond to us in writing.
I want to get the three questions on the record, and responses would be greatly appreciated.
Senator Batters: My question is again to the Intelligence Commissioner, Mr. Noël. When you testified at the House of Commons committee six months ago, you said that Bill C-8 still lacks protection against warrantless searches. There were some amendments made after that, but a warrant is still not required generally for entry into and the search of an office or other non‑residential premises. I’m wondering if that hole — warrantless searches — in Bill C-8 continues to concern you. Today, you also reiterated your position that technical information could touch on the private information of Canadians. You also said you “. . . remain unconvinced that regulation . . .” will adequately protect Canadians’ rights on this.
That is contrary to the stance voiced by government officials on technical information. I would like you to tell us a bit more about that and how you believe those problems in Bill C-8 can be fixed if you think they need to be.
Senator McNair: I was just going to give Mr. Finley an opportunity to indicate whether they support the bill as is, as amended. Two things came from your comments: first, from Mr. Shepherd, that mandatory reporting will improve situational awareness; and, second, that one party’s breach becomes another party’s defence because you have the knowledge that it’s taken place.
That’s what is lacking now. That’s one of the things that one of the officials was concerned about earlier.
The Chair: This brings us to the end of our time this evening. Thank you, Commissioner Noël, Mr. Carley, Mr. Finley and Mr. Shepherd. We greatly appreciate your contributions and, frankly, your candour tonight related to this bill.
For this final panel of the evening, we are very pleased to welcome Michael Powell, Vice President, Government Relations, Electricity Canada; Todd Warnell, Chief Information Security Officer and Enterprise Resilience, Bruce Power; and Eric Smith, Senior Vice-President, Canadian Telecommunications Association. Thank you for joining us today.
We are going to begin with your opening remarks, to be followed by questions from senators. I remind you that you each have five minutes for opening remarks.
Michael Powell, Vice President, Government Relations, Electricity Canada: Good evening, and thank you, Madam Chair.
My name is Mike Powell, and I am the Vice President of Government Relations at Electricity Canada. I lead our security work and am also, among other things, the staff lead on our board committee on energy security.
Electricity Canada is the national voice of the electricity sector. Our members generate, transmit and distribute electrical energy across Canada to homes and businesses in every province and territory.
Critical infrastructure, like electricity, is constantly targeted by cyber-threat actors. We see this in the National Cyber Threat Assessment, which is consistently underlining the risks to our sector, be it from cybercriminals seeking financial gain through ransomware or hostile nation-state actors aiming to pre-position within our systems with the aim of potentially disrupting service delivery.
Electricity companies understand these threats and the importance of protecting their assets against them. Reliable electricity is essential to Canadians’ safety, and critical services depend on it. For these reasons, reliability, resiliency and safety have always been the main priorities for our sector. Our job is to keep the lights on for Canadians, and this includes protecting the grid from physical and cyber-threats.
Our sector has robust and well-developed cybersecurity programs. We are governed — as was mentioned in the last panels — by the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards, or NERC CIP, which provinces adopt and enforce through our members. These standards ensure strong and comprehensive measures to secure the grid.
We collaborate and share information on a regular basis with our partners in government, including Public Safety Canada, Natural Resources Canada and the Canadian Centre for Cyber Security, and our members already participate in programs like the Independent Electric System Operator of Ontario’s Lighthouse, which provides a near real-time view into cyber‑threats that might affect the system.
We share information among ourselves that enables the sharing of best practices and lessons learned. At Electricity Canada, we facilitate these discussions and work closely, as I said, to strengthen our collective resilience. Resilience is built by working together.
Bill C-8 has been part of public debate for some time. We recognize the need for this legislation, but we have two key concerns about how it may be implemented and potential unintended consequences.
First, there’s a risk of regulatory duplication. As mentioned, we’re governed by NERC CIP. Introducing new potentially conflicting federal requirements could create ambiguity, increase compliance burden and cause regulatory misalignment, undermining the bill’s objective of enhancing security. In the other place, the legislation was amended to address this issue. It strengthens the consistency with regulatory and standards regime provisions, requiring regulations to align with existing frameworks and allowing equivalent regimes to be recognized for compliance under the legislation. We urge the committee to maintain these amendments.
Our second concern is the risk to partnerships between critical infrastructure operators and the Cyber Centre, which is part of the CSE. Today, our sector benefits from a strong, collaborative relationship with the Cyber Centre, built on the confidence that information shared is not disclosed to regulators, enforcement bodies or other government departments. Bill C-8 could require the CSE to share incident reports with regulators, provide advice or services to regulators on operators’ compliance and supply‑chain risk mitigation and authorize CSE staff to share information with other government entities to issue cybersecurity directions. These new roles and responsibilities risk creating a chilling effect, as operators may hesitate to share information with the Cyber Centre if it could later be used for regulatory enforcement.
To protect these partnerships, we recommend that Bill C-8 better define information sharing between the CSE and the rest of government and protect voluntary information from being disclosed. If this clarification can’t be achieved or provided through legislative amendments, we would urge the government to address these concerns through clear, transparent policies.
The pace of change in both the threat landscape and the electricity sector has never been greater. Emerging trends, including the use of AI to identify and exploit cybersecurity vulnerabilities, are accelerating the need for strong cybersecurity programs and sustained investment. As we enhance Canada’s resilience to cyber-threats, we must ensure the new measures strengthen security and do not create duplication and unintended consequences for security partnerships.
Thank you for your time. I look forward to answering your questions.
The Chair: Thank you, Mr. Powell.
Mr. Warnell, please proceed.
Todd Warnell, Chief Information Security Officer and Enterprise Resilience, Bruce Power: Thank you, Madam Chair and members of the committee.
Bruce Power is Canada’s only private sector nuclear generator. Since 2001, Bruce Power has supplied roughly one third of Ontario’s electricity and produces medical isotopes used worldwide to fight cancer and sterilize medical equipment.
Thank you for the invitation to appear before the committee as you continue your study of Bill C-8. As with my previous testimony before both House and Senate committees, my comments today will largely reinforce what I shared previously but with an important update. The risk environment has accelerated faster than our original assumptions.
Bill C-8, and, in particular, Part 2 and the critical cyber systems protection act, is fundamentally about resilience. It is about ensuring the systems that Canadians rely on every day continue to operate safely and reliably in the face of a growing and increasingly sophisticated cyber-threat landscape. If anything, the world today is more unpredictable and contested than it was even just a year ago.
We are operating in a period of heightened geopolitical tension where cyber activity is not occurring in isolation but as part of broader strategic competition. Canadian and allied intelligence agencies have been clear: Nation-state actors and criminal organizations are actively pre-positioning within critical infrastructure networks. These are not abstract risks. They represent real, deliberate preparations for disruption, coercion or escalation during moments of potential crisis or broader conflict.
Against that backdrop, delay carries its own risk. Bill C-8 represents a necessary first step in establishing a national baseline for cybersecurity across Canada’s critical infrastructure sectors while respecting existing regulatory regimes. Importantly, the legislation does not attempt to prescribe detailed technical controls. Instead, it establishes an enabling framework that supports risk-informed, outcomes-based regulation, tailored to the varying realities of different sectors. In my view, that approach is not a limitation; it is a strength.
In a threat environment that is evolving faster than legislation ever can, flexibility in language is a feature that allows government, regulators and operators to respond promptly to changing conditions, incorporate new threat intelligence and adapt expectations without reopening the act each time the risk landscape shifts. In cybersecurity, rigidity is vulnerability.
Within Canada’s nuclear sector, we have demonstrated that this model works. Through sustained collaboration between industry, regulators and government, Canada has built a mature, performance-based cybersecurity regime that continues to evolve as threats evolve. Bill C-8 provides a mechanism to extend that same shared-responsibility model more broadly across other critical sectors.
The benefits of moving forward are clear. It strengthens national security and public safety by protecting essential services from increasingly capable adversaries. It drives proactive risk management, shifting organizations away from reactive response and toward continuous improvement. It enables decisive government action in high-risk or time-sensitive scenarios, helping prevent or limit cascading impacts. It keeps Canada aligned with our allies, many of whom are moving quickly to modernize their own critical-infrastructure resilience frameworks. And it protects economic security by reducing the likelihood of disruptive failures across interconnected systems.
In closing, Bill C-8 is not an end state; it is a foundation. However, in a world defined by greater volatility and uncertainty, establishing that foundation is urgent. The threat environment has evolved faster than our policy framework, and this legislation is an essential step toward closing that gap.
Thank you for the opportunity to appear before the committee. I look forward to your questions.
The Chair: Thank you, Mr. Warnell.
Eric Smith, Senior Vice-President, Canadian Telecommunications Association: Good evening. The Canadian Telecommunications Association is dedicated to building a better future for Canadians through connectivity. Our members include service providers, manufacturers and other organizations that invest in, build, maintain and operate Canada’s world-class telecommunications networks.
Thank you for the opportunity to appear before you today to discuss Bill C-8. The security of Canada’s telecommunications system is of the utmost importance. Telecommunications networks are critical infrastructure that underpins Canada’s economy, national security and public safety. They enable essential services, support government operations and connect Canadians to health care, education, emergency services and one another.
Our members take this responsibility seriously. They invest significant resources to safeguard their networks from cyber‑threats and actively collaborate through forums, such as the Canadian Security Telecommunications Advisory Committee, which facilitates the exchange of information between the private and public sectors, as well as strategic collaboration on current and evolving issues that may affect telecommunications systems, including cybersecurity threats.
We appreciate the government’s objective of strengthening Canada’s cybersecurity framework and recognize the importance of having the right tools in place to respond to evolving threats. We also welcome the meaningful improvements that have been made to Bill C-8 over the course of the legislative process.
At the same time, it is essential that government recognize that, under Bill C-8, telecommunications service providers will be responsible for implementing government orders that may have significant operational and financial implications. Ensuring that the legislation addresses this reality will be critical to its effectiveness.
With that in mind, I would like to highlight two areas where we think targeted refinements would strengthen the bill.
First, regarding compensation or cost recovery, Bill C-8 states that no one is entitled to compensation for financial losses resulting from compliance with the government orders. It is important to recognize the practical implications of this approach. Orders issued under this framework could require service providers to rapidly deploy new systems, reconfigure networks, replace equipment or take other actions that involve significant and unplanned costs. These are not routine operational expenses. They can be substantial, immediate and unbudgeted expenses that are incurred in the broader public interest to support national security objectives.
Failure to address the impact of extraordinary costs will have real consequences, not only for the sector but for all Canadians. Significant unplanned costs can constrain investment in network expansion, limit innovation and reduce the ability of providers to enhance service quality for Canadians. Uncertainty around whether these costs may be recoverable can also complicate internal decision making and delay the timely implementation of government orders.
While this applies across the industry, the impact is particularly acute for smaller and regional providers, which operate with less scale and tighter margins. For these providers, the financial burden of compliance can be especially challenging and, in some cases, may threaten their ability to continue operating, resulting in broader knock-on effects for competition, resilience and service availability.
For this reason, we recommend that the legislation explicitly confirm that the Governor-in-Council and the minister have the discretion to provide compensation to offset all or part of the costs incurred in complying with an order and that they make clear when issuing an order whether the affected parties will be entitled to compensation.
This is not a novel concept. Comparable approaches exist in other Canadian legislation. For example, Bill C-22 includes provisions that explicitly allow the minister to provide discretionary compensation to electronic service providers required to implement capabilities in support of lawful access.
Internationally, similar principles are applied. In the United States, for example, the government has recognized that certain national security measures, such as the removal and replacement of high-risk network equipment, can impose significant financial burdens on telecommunications providers. To address this, funding programs have been established to compensate eligible carriers for these costs. Importantly, these programs have been supported through innovative funding mechanisms, including the use of proceeds from spectrum auctions to finance reimbursement initiatives.
These approaches reflect a practical reality. When governments require private sector actors to take extraordinary measures in the interest of national security, there should be a clear and transparent mechanism to consider compensation.
Our second issue relates to liability protection.
As currently drafted, telecommunications service providers could face civil, regulatory or contractual liability for actions taken in good faith to comply with government orders. This could arise where compliance affects service levels, contractual obligations or other regulatory requirements.
This creates risk at precisely the moment when decisive action may be required. We therefore recommend the inclusion of a safe harbour provision to protect providers and their personnel from liability when acting in good faith and in compliance with lawful orders. This reflects a basic legal principle that parties should not incur liability for actions taken to comply with a legal obligation.
In closing, we share the government’s commitment to strengthening Canada’s cybersecurity and protecting critical infrastructure. With targeted refinements, particularly with respect to cost recovery and liability, Bill C-8 can provide a framework that supports both national security objectives and continued investment in secure and resilient telecommunications networks.
Thank you.
The Chair: Thank you. We will now proceed to questions.
Colleagues, this panel will be with us until about eight o’clock. As always, we’ll each have four minutes. Our first question for this panel goes to the deputy chair, Senator Al Zaibak.
Senator Al Zaibak: Thank you all for being here.
We’ve heard a spectrum of responses from industry and stakeholders based in various sectors. My question is for Mr. Smith.
Telecommunications networks are certainly foundational for all other sectors. You raised two concerns and suggestions for the improvement of the bill. I’m wondering whether you have raised those concerns with the House of Commons. If so, what kinds of reactions did your suggestions receive?
Mr. Smith: Yes, we certainly have.
With respect to the issue of at least making clear in the legislation that the minister and the Governor-in-Council have the discretion to award or consider compensation or cost recovery, you probably heard Minister Joly speaking before the House of Commons committee, saying the government views that as the cost of doing business. To a certain extent, that’s correct. Our members, as part of their business, take cybersecurity seriously. It’s part of their budgeting and risk management, and they spend a lot of money on that.
However, this bill gives the government a very broad scope in making orders to telecommunications providers, including extraordinary measures. I talked about orders to remove high‑risk equipment. We know that is on the table. We know that industry has already been cooperating with government in that respect, but we’re talking significant sums of money. We’re talking probably over $1 billion in terms of costs.
If you look at the United States, they’ve set up funds of approximately $3 billion or $4 billion, which is still underfunded, to compensate eligible carriers for taking those actions. You heard from Mr. Arbour from ISED today. I think his words were “a slate of measures” that they’re very anxious to implement in our industry, including things around making networks more resilient against severe weather events. Well, if you look around the world and at how other countries view those things, like Australia, for example, they’ve put a number of programs in place to deal with resiliency. As part of that, they’ve put in funding to help industry harden their networks.
If you look at the U.K., they were considering requirements to provide backup power for mobile cell sites. What they found in their preliminary investigation was that requiring every cell site to have just one hour of backup power would cost almost C$2 billion, and that doesn’t take into account that to provide backup power, you have to rely on other things in the supply chain — for example, fuel supply in order to replenish your generators.
All we’re saying is we have an example in Bill C-22 where the government has said that compensation and cost recovery are important as part of ordering telecommunications providers to do things. Yet here, we’re being told it’s the cost of doing business, and that has serious knock-on effects. It’s important we make sure to consider those.
Senator Al Zaibak: Thank you.
Senator Cardozo: I have questions for Mr. Smith and Mr. Powell, but I just want to mention, Mr. Warnell, I’ve been familiar with the isotope issue for some time. I congratulate you for that. I also happen to be, as of recently, the Senate co-chair of the cancer caucus of Parliament. I co-chair with a couple of MPs. It’s something that we certainly watch closely, and we count on you to produce those, as you do for Canada, and you export as well.
Mr. Powell, if I can paraphrase, you said you want to ensure the information you provide to CSE is not shared with others. I’d like you to say a little bit more about what kind of information you’re talking about. When you say if it’s not an amendment, you would like to see a policy. Does that mean regulation?
Mr. Smith, in terms of compensation for adjustments, I asked the question earlier with regard to small- and medium-sized businesses and non-profits, but I think you’re talking about big businesses. I want you to respond to this: One might say these measures are not just things the government is telling you to do but are essential to your business. If that is the case, why would you not be making those investments in your business?
Mr. Powell: To be clear, I think we’re concerned about the sharing of voluntary information that’s provided to the Cyber Centre and others.
The goal of the legislation is to encourage information sharing between industry and government, and I would suggest that’s already taking place. Our members, as I said, participate in a program called Lighthouse, which connects directly to the Cyber Centre. When we have our security meetings in Ottawa, they are often held in the offices of the Canadian Centre for Cyber Security. There’s a regular flow of information back and forth. The concern, at the moment, is that regulatory measures are added where there are potential penalties. It could add a chill that discourages open-ended information sharing.
We would suggest that voluntary information sharing, what’s already happening, should be protected to ensure it stays in that space. That’s already standard in the United States. I mentioned the North American Electric Reliability Corporation, or NERC. They have an information-sharing agency called the Electricity Information Sharing and Analysis Center, or E-ISAC, and information shared with them is kept separate from the regulator. I think that’s what we’re looking to make sure of.
The goal of the legislation should be to make our system more secure and add safety. I would suggest that by creating a risk that information be shared less forthrightly because of legal concerns, it would get in the way. We would rather it be in the legislation. We made suggestions at the House of Commons. However, ultimately, if it’s done by regulation or other policy, that would be the next best thing.
Senator Cardozo: Okay. Thank you.
Mr. Smith: To answer your question, certainly, it is part of doing business. As I said, millions of dollars are being spent every year on this. But we also have to consider situations where there are extraordinary orders, for example, to do things that are not contemplated as the ordinary course of business. We’ve already seen some orders with respect to high-risk suppliers in some countries, which will be coming to Canada.
That was not always the case. When that equipment was first procured, they were not considered high-risk vendors. We, obviously, are seeing right now quite a lot of changes in our geopolitical world. With countries that were trusted, and companies from those countries that were trusted suppliers, in the future, the government may say they don’t trust them anymore. Where it was once fine for us to spend billions of dollars to buy their equipment with a lifespan of 20 years, the government may now want us to take that out and replace it with something else.
We’re talking about those types of things. We also have to be mindful that our industry works in an interesting environment where this legislation is not in a silo. We have other legislation that has been passed or that will potentially be passed in the future that will continually increase the cost of doing business. At the same time, we’re trying to keep costs down for consumers.
Senator Batters: My first question is for Mr. Powell with Electricity Canada. You were talking about this a bit, but I want to give you more time to discuss it.
During the testimony of your colleague before the House of Commons, an important concern was raised that, because of sections 15 to 19, operators might hesitate to provide information to the Canadian Centre for Cyber Security if they fear it could then circulate to regulatory bodies and be used for compliance purposes.
Could you give us a concrete example of the kind of consequence that it could have in practice? How do you think the bill should be amended to avoid that chilling effect and preserve the voluntary sharing of information with the Cyber Centre?
I know that in your opening remarks you also said that if it can’t be done through legislation — which, of course, it can, and we’re in the business of making legislation better here — it could be done through policy. But given what we’re talking about here, that obviously wouldn’t have the kind of teeth that you would be looking for.
Mr. Powell: I will work backwards. We provided recommended legislative language to the House of Commons, which I’m happy to circulate to you after.
Senator Batters: Thank you. Yes, if you could, please.
Mr. Powell: The focus is on voluntary information sharing. We talk about what folks might be seeing on their systems and where there might be concerns.
I’m sure we’re all familiar with this in other parts. The moment that there is a regulatory piece where a risk could become involved, it changes the conversation about how information is shared with other parties.
What we have right now is a very collaborative, open-ended relationship where some people have a “.gc.ca” email address and others have an “our members.ca” email address, but we’re all working on the same team because the outcome is the same.
The risk of regulatory compliance — where there are penalties involved, if it’s not clear how voluntary information is being shared, it creates an added risk about how that can be provided right now.
The status quo — in the electricity sector, anyway — is that members are able to and do share information with their partners in government, the Canadian Centre for Cyber Security and elsewhere. We just wouldn’t want to create a situation where, inadvertently, in an effort to encourage information sharing, you kind of get in the way of that.
Again, if you look to our counterparts in the United States — well, it’s in the United States, but it’s a North American entity, the NERC E-ISAC. When you go to their office, they have different key codes and everything to get into different parts. The people who work on the information-sharing business are different than the regulatory side.
I don’t think we need to go that far, but just being certain and clear and embedding in the legislation that when we’re thinking about protecting the grid, we’re focused on that and not potential risk from legal issues elsewhere.
Senator Batters: Thank you. To Mr. Smith with the Canadian Telecommunications Association, I recall when Bill C-26 was being discussed and the government was being insistent that they would be providing assistance for small- and medium-sized businesses, including financially, I believe. We were trying to pin them down on what exactly they were talking about. But here is an example, as you mentioned, where there could be major consequences for smaller and regional providers from your association from having an explicit no go for compensation or cost recovery.
Tell us a bit more about that and what types of smaller and regional providers could be affected by this if this isn’t changed.
Mr. Smith: It depends on what the order from the government is and its impact. If you look at the example of the United States in terms of their “rip and replace” program regarding certain Chinese-sourced equipment, there are deadlines involved, and some smaller providers have said they have to stop providing services, and, in some cases, they’re the only provider in the community.
I don’t think we will see that in Canada, necessarily, with respect to the initial concern around Chinese equipment here, but we don’t know what’s coming down the pipe.
It’s important to remember the impact not just for this bill but all bills you consider. To the extent bills add costs of doing business, all carriers’ options involve cutting their costs elsewhere. We have seen that some of the largest carriers have cut their capital investment by billions of dollars in part because of regulatory overhang, or they pass on the cost to consumers.
Our industry contributes about $2 billion to $2.5 billion to the Canadian government’s coffers every year in a number of different ways. We have paid about $30 billion in spectrum auction fees to the government. All we’re saying is that some of that money can be used to offset the impact on Canadian consumers. This is a national priority.
Senator Batters: Thank you.
Senator McNair: Mr. Powell, you made two comments. The first one was on the risk of regulatory overlap or duplication. From what I understand, the amendment made in the other place fixes the problem. You were saying to leave it in place with respect to that.
Mr. Powell: Yes, that’s a fair assessment.
Senator McNair: Mr. Smith, I want to talk about the fact that the orders for either the minister or the cabinet now require them to consider the financial impact on the affected telecommunication service providers.
Does that not give you any comfort around the concerns you’re raising?
Mr. Smith: It gives me more comfort than if it were not there, but it just requires them to consider. It certainly doesn’t necessarily contemplate helping fund some of the measures, especially for extraordinary costs. It just says it has to consider.
We have heard the minister say this is just the cost of doing business. I don’t know how those balance one another out, but we have heard the Minister of Industry say that, no, this is the cost of doing business. There is no consideration of any type of funding.
Senator McNair: Mr. Warnell, when you testified before us on Bill C-26, you were clear at the time that it was urgent and we should be passing this legislation. Tonight, you made the point that the continuing delay is a further risk and that the legislation itself is an enabling framework that’s both flexible and adaptable, which is a good thing.
Can I assume your position remains unchanged, and that is to pass the legislation as quickly as possible?
Mr. Warnell: Yes. That is correct, senator. The broadness of the legislation allows it to adapt to the changing threat landscape, which is rapidly evolving, as we can all see through various news headlines and impacts on companies and countries over the past number of years.
I will reiterate that it’s a strong foundation that we need to build forward from. If you look at other jurisdictions, like with the U.K.’s Cyber Security and Resilience Bill and Australia’s Security of Critical Infrastructure Act and capabilities, they go a number of steps further than what Bill C-8 is contemplating. This will get us to at least a starting foundation, but, candidly, we have more work to do in this space.
Senator McNair: Understood. Thank you.
[Translation]
Senator Youance: My question is for Mr. Powell. You raised some concerns regarding the overlap between Bill C-8 and NERC’s CIP standards. Could you outline the main areas of overlap or duplication between Bill C-8 and these standards, particularly in relation to risk management, incident reporting and auditing?
If these standards are not specifically aligned with Bill C-8, do you think that this new bill is likely to weaken rather than strengthen the resilience of electrical grids by diminishing compliance efforts?
[English]
Mr. Powell: Our concern was — and I think the amendments help address this — that we would see a secondary, parallel cybersecurity regulation created. This is a broad bill, as my colleague from Bruce Power said, but those of us in the electricity sector are very far along on our cybersecurity journey. We’re on the front lines. We have been “shields up” for a long time. There is a reason why there is a North American standard for cybersecurity for critical infrastructure providers in the electricity space.
What we saw — and we heard this from the testimony from the Canada Energy Regulator, or CER, in the last panel — is that NERC has created a North American standard for participants in the bulk electric system, so people who generate and transmit power at the system level, not so much at your house. That already requires certain protections, rules and plans. It already has mandatory reporting. So we see this legislation that creates a potential parallel.
Our hope — and I think the amendment in the House of Commons allows for this — is a recognition that participation in NERC CIP satisfies the obligations that this might require. Obviously, we would also have to report to the energy regulator, but I see that’s where it is.
I think it’s worth noting that things are happening in parallel at the provincial level as well, including in Ontario, where they are looking at a reporting system through Lighthouse and the Independent Electricity System Operator, or IESO, as well.
Senator Kutcher: I have two questions. One is to Mr. Warnell, which I will ask first. Then I have one for Mr. Smith. You can think about the answer while Mr. Warnell is answering me.
Mr. Warnell, you said that the threat environment is evolving faster than anticipated, and that’s what we’ve heard from other witnesses. Are there any things that you would add to this bill to strengthen it against that threat environment that would not delay its passage?
Mr. Smith, I just asked AI what the net profit margins were for this type of industry in Canada. This is not me; it’s just AI telling me, so I don’t know if it’s true or not, but anyway, here I am.
The average net profit margin for telecommunications is 12.5%. Banking is 30%, so maybe we should all get into banking. Grocery and retail is 2.4%. Wholesale trucking is 6.4%.
Your industry is actually doing pretty well compared to most Canadian industries. Are you looking for full or partial government support? Can you share with us — if not today, then later — the financial arguments so we can actually see some numbers?
Mr. Warnell: Thank you for your question, Senator Kutcher.
I would direct the committee to look at legislation in Australia as a good example. We are talking today about the critical cyber systems protection act, but cybersecurity doesn’t exist in a vacuum.
When you think of it as an integrated total security mindset, that includes personnel security risks, physical security risks and really taking a broader resilience view to this bill, either in its current incarnation or in successive iterations. That would be my recommendation to both the Senate and House of Commons committees as we move forward in a rapidly evolving cyber‑threat landscape from nation-states and global cybercriminal gangs as well as, candidly, at the hands of AI at the fingertips of an ordinary person. The threats of cyber acts are becoming much more prevalent than they ever were.
Mr. Smith: I will follow up in writing. I will say, first of all, remember: Don’t trust AI. It’s not always right.
Senator Kutcher: I knew you would say that.
Mr. Smith: There are a couple figures to keep in mind, though. I mentioned that the industry provides the federal government between $2 and $2.5 billion. That’s equal to half the value of the net income of the industry itself, just to put it in relative terms.
Also, when you look at many of the operators, our largest operators have different lines of business. When you look at just the telecommunications services business, it’s essentially revenue — there’s no growth right now. That’s partly because of demographic changes, as well as competition, where, for example, wireless prices are down by 50% since 2020.
As you add regulatory costs and you have no growth, something has to be done, and usually that means cost-cutting. So what we’re looking at is, in extraordinary circumstances, having government consider — as they do by funding other industries for different things — ways to help meet those priorities.
Senator Kutcher: I won’t read what AI says about your growth. Thank you for that. It will be very helpful for us to have a better understanding of what those numbers are that you’re talking about.
Senator Yussuff: Thank you, witnesses, for being here. Mr. Warnell, let me start with you. My compliments for what Bruce Power is doing writ large for the province, and for a very life-saving medication that you have developed, which has been a godsend for many, many families struggling with cancers who require it, and also for the supply market that you are also involved in.
Mr. Powell, I have a question that is a bit challenging for me. Voluntary reporting is to try to understand what is going on and how we can make the system more resilient. I understand your members do that, and, obviously, there is value to it. It helps the sector, but it also helps, writ large, with how we could prevent cybersecurity from damaging one part of the economy of this country.
It may be, from time to time, that some of that may be necessary, but we also need to improve the regulatory regime to ensure that this is consistent across all regions and geographies across the country. Why would you be against that? I don’t get it.
Mr. Powell: We are not against mandatory reporting. The goal is a protection for information that is shared outside of the regulatory context.
Senator Yussuff: You’re the only witness who has come here who doesn’t recognize that the voluntary sharing of information is a good thing, however it may improve the system.
Mr. Powell: What we’re hoping to see is that information, when it’s shared on a voluntary, confidential basis — with, say, the Canadian Centre for Cyber Security — remains on a sort of voluntary and confidential basis.
That’s how it works with the most comparable organization. We have talked a little bit about NERC CIP. The Canada Energy Regulator witness from earlier talked about how they require participants that are CER regulated in the international power line space to adhere to NERC CIP. They have an information‑sharing system where, again, when information is provided voluntarily, it is protected from being shared with regulators. That’s really what we’re focused on, not the stuff that would meet the requirement under the act or a future regulation for mandatory reporting or sharing. It is more knowing that you can keep that free flow of information going on a voluntary basis without worrying or having legal concerns that doing so could add to some risk in the future for information being shared. Your information is yours.
Senator Yussuff: My point is voluntary information sharing about cybersecurity is fundamental to how we can improve the system writ large.
Mr. Powell: Yes.
Senator Yussuff: As legislators and regulators, there is a greater authority for us to protect the nation. How do we balance that when sometimes we may see a weakness? If the system is vulnerable, we want to make sure we can do whatever is necessary to help protect the system. It is for your self-interest, but it’s also for the consumers and Canadians in general, whom we serve.
Mr. Powell: I would say our members have had a very good track record of allowing information to be shared within the sector. They participate in information-sharing systems through Electricity Canada and our partner organizations, but also with organizations like Lighthouse and the NERC E-ISAC and with the Canadian Centre for Cyber Security.
The question is this: How do we make sure we continue to incent that information sharing on our side? Nothing stops the government from talking to us.
And when there are regulatory reporting requirements, that’s absolutely fine. It’s just, outside that non-emergency space, making sure that the conversation can continue.
Senator Yussuff: Thank you.
Senator Dasko: My question is for Mr. Warnell. You’re the only representative of a company here today. You have spoken favourably about the bill. What will Bruce Power look like after this bill is implemented? Will it look different? If so, how? In what ways?
Mr. Warnell: Thank you for your question, Senator Dasko. Candidly, the nuclear industry in Canada has been regulated, from a cybersecurity standpoint — formally, as a discrete domain — since 2014. We do not anticipate a large delta before or after the bill passes.
We are already an industry that puts safety first in all aspects, and we equate cybersecurity to safe operations and to reliable operations. Candidly, we don’t anticipate a material change in our posture, our thinking or our actions.
We are probably also here to advocate that moving forward on the bill is important because we recognize that we’re not an island unto ourselves. We operate within a system of systems. We are integrated with the electricity distribution organizations.
We participate in NERC CIP in collaboration with our partners in broader energy. We drive for maturity across broader energy organizations through things like the Energy Security Technical Advisory Committee, or E-STAC. I would say our existing mature capabilities can also be used to help lift all boats.
That broader resilience for Canada, and the energy sector overall, can be improved because it is an ever-increasingly challenging and dangerous time in very unpredictable waters.
Senator Dasko: So the regulator won’t be able to throw anything at you?
Mr. Warnell: Absolutely they can. The existing regulator is the Canadian Nuclear Safety Commission. They will absolutely potentially have new powers, but we already have the requirements for cybersecurity programs. We are regularly audited through the regulator as well as other partners. We participate internationally in information-sharing domains with other nuclear operators and other critical infrastructure partners to also drive for excellence in our operations, because excellence in cyber means safe, reliable operations.
To my point, I don’t see — or we don’t anticipate — a major delta. However, again, one of the differences with what we do in nuclear is we work in collaboration with industry, the operators and the regulator, through the Canadian Standards Association — much like the Canadian Energy Regulator — to co-create the standards that we’re held to.
It’s known as the CSA N290.7 standard, which is cybersecurity for nuclear facilities. We already do that; we’ve been doing it for over a decade. We expect and continue to deliver iterations on excellence under those frameworks.
Senator Dasko: Okay, thank you. I have another question for you.
You’ve mentioned the threat actors; more specifically, you’ve mentioned criminal organizations and state actors.
I asked the minister a question at the beginning. He was a little reluctant to say much about it. Can you tell me any more about these threats? Who are the criminal organizations? Where do they reside? Where are they from? And what about the state actors? Are there any state actors who are actually trying to perpetrate crimes on nuclear in Canada?
Mr. Warnell: I’ll reference what is already in the public domain.
Senator Dasko: Yes, for sure.
Mr. Warnell: I know the minister said earlier they can go deeper in a more classified scenario.
Especially over the past two to three years, there has been declassification of information related to known threat actors, including China, Russia and others around the world, who are known to be and are demonstrated to have been actively pre‑positioning in critical infrastructure sectors, including energy and telecommunications.
You might have heard reference to language like “Volt Typhoon” or “Salt Typhoon.” Those sorts of threat actor names are typically associated with Chinese state actors with the explicit intention of being in those networks to cause disruption or delay, should it be required.
It doesn’t mean it’s escalated to that impact, but the possibility is there. Again, this is work that would have been very much not in the public eye many years ago. But with the urgency and the impact, obviously, our intelligence partners in Canada, with our allies in Five Eyes and other nations around the world, have been able to bring that down, declassify it and make it part of the public discourse and conversation.
It is real. It is no longer hypothetical. We’re not just paranoid security professionals. It is happening, and we need to continue to mature our respective capabilities to build resilience.
Senator Dasko: Are the criminal organizations looking for money, information or —
Mr. Warnell: All of the above.
The Chair: Thank you, Mr. Warnell. We appreciate that.
Senator Al Zaibak: I have two questions, actually, directed to Mr. Powell and Mr. Warnell.
From your perspectives, what are the most immediate cyber vulnerabilities in Canada’s energy grid, particularly in the context of geopolitical tensions?
How prepared are your systems to defend against AI-driven cyberattacks, such as automated disruption of control systems? Mr. Powell?
Mr. Powell: Building on what Mr. Warnell said, there are identified threats that we have heard about from the Canadian Centre for Cyber Security in the National Cyber Threat Assessments. There are nation-state actors like China and Russia, and Iran has been on that list as well. On top of that, there are threats from criminal organizations, who may or may not be state affiliated. This is all in the public record.
Senator Al Zaibak: I’m sorry, just a correction — I’m asking what the vulnerabilities are, not who the threats are.
Mr. Powell: Part of it is that you don’t know what you don’t know. We have an increasingly connected system that works to be more integrated and is technologically aware.
There’s not a list that I’m given — as an association person — of the specific threats that they may see, but I do think that this is an area where there are constant challenges, both at the operational level and at the IT level. It’s something that requires constant vigilance.
No one knows where their next threat is coming from. We’ve seen conversations in the last few weeks around AI tools, like Mythos, that may change the game and present zero-day vulnerabilities much sooner than we would have seen. That requires a level of vigilance that we haven’t seen before and is accelerating the risks that are coming at us. As Mr. Warnell said, the world is getting more dangerous faster, and we have to keep up.
Mr. Warnell: Senator Al Zaibak, I don’t know that this is the right forum to talk about where vulnerabilities directly exist, given that it is a public forum. There are follow-up conversations we can have.
However, you can look at events that have already happened in the public eye. You can look at the Colonial Pipeline disruption in the United States a number of years ago. That had nothing to do with actually impairing their operational systems that deliver oil and gas. It was a ransomware event that took out their business systems, and, out of an abundance of caution, the operator shut down their pipeline impacts, which then impacted millions of Americans on the eastern seaboard who were unable to get energy. Those have happened, and those are relatively, I would say, immature attacks.
If you can broaden that to what the possibility is, there are some significant opportunities for us to uplift collective resilience. And this bill can start to lay that foundation to really drive that integrated resilience improvement.
Senator Al Zaibak: Thank you so much.
The Chair: Thank you very much. This concludes our time and our questions this evening, but I want to thank Mr. Powell, Mr. Warnell and Mr. Smith for taking the time to meet with us today. We appreciate your testimony as we consider this bill. I also want to acknowledge that all three of you represent really significant and large groups of employees, and that’s also an appropriate way for us to finish this evening, so we do appreciate that acute testimony.
Just before we finish, I would like to turn the microphone to Senator Kutcher.
Senator Kutcher: Thank you very much, chair, and I realize we’re still in public.
However, I just want to raise for our committee — and we all have shared this with each other, personally — our awareness of the stellar work that Senator Yussuff has done as chair of this committee over his tenure. When he came to this job, he said he wouldn’t keep it for a lifetime. I told him that was probably true, but he meant to do it for a short period of time.
I think we would all agree that he has guided us fairly, reasonably, respectfully and responsibly. He’s been aided by the members of the steering committee — he has spoken to me about all the work that the steering committee has done — and also by Ericka Paajanen, our clerk, who goes unsung as a heroine, but she certainly is one. I just want the record to show that the members of this committee recognize and appreciate Senator Yussuff’s contribution to the running of this group. Thank you, Senator Yussuff.
Hon. Senators: Hear, hear!
Senator Yussuff: I’m not going to say much except thank you, Stan, for your kind words. If I knew leaving this committee would receive this kind of applause, I would have done so sooner.
Let me quickly say thanks to my wonderful staff for helping me: Ceanray Harris-Read, who has been here, and Joel Bowen from time to time. I also want to thank Ericka. She made me laugh quite often and reminded me of the silliness of our committee members, even though we didn’t share that with them. Just kidding.
I want to thank Anne-Marie Therrien-Tremblay and Ariel Shapiro for their wonderful guidance as analysts for the committee. I want to thank the technical people for making the meetings run seamlessly. Equally, I want to thank the steering committee members and this entire committee. There are few committees I have worked with where we have never had any tension in steering. I can say that without a doubt. While we do argue, we always come to a conclusion about the greater good of the work we’re doing here.
I thank Senator Carignan for his friendship and kindness. I want to thank Senator Cardozo for his friendship and kindness, and also our deputy chair, Senator Al Zaibak, for his work. I’ve learned a lot from being in the chair, but I have also learned a lot from sitting here. While I’m not in the chair, I will continue to sit here and participate. As with everything else we do in this wonderful place, the Senate, sometimes we have to make space for others. I’m glad to have made space for my colleagues, but equally, I’m thrilled. People ask why I am leaving. I’m leaving because I think I’ve done my job and it’s time to give others a chance to succeed. I want to wish my colleague all the best in her responsibilities. All of us will do our best to support you.
The Chair: Thank you very much, and thank you to the panel for joining us for this part of our meeting.
Senator Kutcher and Senator Yussuff, thank you. This concludes our meeting for today. Our next meeting will take place on Monday, May 25, at our usual time: four o’clock. We will continue our consideration of Bill C-8.
With that, I wish you a very good evening. Thank you.
(The committee adjourned.)