
THE STANDING SENATE COMMITTEE ON NATIONAL SECURITY, DEFENCE AND VETERANS AFFAIRS

EVIDENCE


OTTAWA, Monday, May 25, 2026

The Standing Senate Committee on National Security, Defence and Veterans Affairs met with videoconference this day at 4 p.m. [ET] to study Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

Senator Marty Deacon (Chair) in the chair.

[English]

The Chair: Honourable senators, welcome to this meeting of the Standing Senate Committee on National Security, Defence and Veterans Affairs.

I am Marty Deacon, senator from Ontario and chair of this committee. Just before I go to introductions, I want to welcome everyone back today and remind you that this is a pretty stimulating week for defence in Ottawa. I don’t know where to start — awards and recognition, people who we are seeing over and over at different events, the Quantum event at the War Museum, CANSEC and defence awards tonight. In honour of our guests, I want to acknowledge that the work matters, and our schedules are full. We have a car going tomorrow morning to view the drone demos, then on Thursday for another session. I know that some of you will be there. I look forward to seeing you there.

Before proceeding to our witnesses today, I would like to offer my colleagues the opportunity to introduce themselves.

Senator Al Zaibak: Mohammad Al Zaibak, senator for Ontario.

Senator Ross: Krista Ross, senator from New Brunswick.

Senator White: Judy White, senator from Newfoundland and Labrador.

Senator Hay: Katherine Hay, Ontario.

[Translation]

Senator Youance: Suze Youance from Quebec.

[English]

Senator Patterson: Rebecca Patterson, Ontario.

Senator Cardozo: Andrew Cardozo, Ontario.

Senator Boehm: Peter Boehm, Ontario.

Senator McNair: John McNair, New Brunswick. Welcome.

[Translation]

Senator Carignan: Claude Carignan from Quebec.

[English]

The Chair: Thank you. I’d like to welcome Senator Boehm, who is joining us today as we bid farewell to Senator Kutcher during our last session. Thank you, Senator Boehm, for joining us today.

Today, we continue our consideration of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts. We have the pleasure of welcoming four panels of witnesses today, with representation from business, research entities, law firms and non-governmental organizations. We have a full evening ahead of us.

For our first panel this evening, we are pleased to welcome John de Boer, Vice President, Government Relations, BlackBerry; David Shipley, Chief Executive Officer, Beauceron Security Inc.; and Philip Stupak, Senior Director, ISC2. Thank you all for joining us today and taking the time to be here. Your work certainly matters.

We will begin by inviting you to provide your opening remarks, which will be followed by questions from our members. I remind you that you each have five minutes for opening remarks. We will begin with John de Boer. Please proceed when you are ready.

John de Boer, Vice President, Government Relations, BlackBerry: Thank you, chair.

When Canadians board a train, turn on the lights, access their bank accounts or communicate during an emergency, they trust these systems will work securely and without interruption. That trust is what BlackBerry delivers every day.

Our QNX operating system is embedded in over 275 million vehicles and runs within energy grids, transportation systems and industrial environments where failure is not an option. We also secure the communications governments rely on during a crisis, ensuring decisions can be made safely when seconds matter most. In these environments, cybersecurity is not theoretical. It is about keeping systems operational when they are under pressure.

This is why Bill C-8 matters and why BlackBerry strongly supports its passage.

Canada is behind its peers. Every other G7 country has implemented baseline cybersecurity requirements and mandatory cyber incident reporting for critical infrastructure. At the same time, threats are accelerating, becoming more sophisticated and increasingly focused on disrupting operations, not just stealing data.

We are operating in a world that is less stable, more contested and far less predictable than even a few years ago. As a result, long-held assumptions about efficiency and global sourcing are being re-examined. Decision makers are asking more fundamental questions: Who controls the technology? Where does it run? How is data handled? Will it work when systems are disrupted?

In this environment, trust, resilience and operational control are essential.

Bill C-8 targets four critical sectors — energy, transportation, finance and telecommunications — all of which are increasingly digital, interconnected and exposed to cascading risk.

These risks are evolving. The emergence of post-quantum threats means adversaries are already collecting encrypted data today for future decryption. Without action, sensitive systems risk being exposed retroactively, making it essential that our approach be not only secure today, but future-proof.

Cybersecurity is not just about prevention. It is also about maintaining operations during an incident. We have seen that when coordination breaks down, the impact of an attack worsens significantly. This points to a critical gap with respect to the ability to communicate and coordinate securely in real time.

To that end, Bill C-8 should reinforce continuity of operations; secure, real-time coordination; and the ability to restore services quickly under pressure. Governments, including Canada, are placing increasing emphasis on trusted, sovereign solutions.

This reflects a simple reality: Security cannot be separated from trust and control, and systems must function reliably when it matters most.

The same applies across critical infrastructure sectors. Technologies that are security first, independently certified, and deployable in high-assurance environments are essential to long-term resilience.

To strengthen Bill C-8, there are a few practical elements to consider. First, we need clear and consistent definitions of what constitutes a reportable incident. Second, reporting needs to be timely, with a structured, tiered approach for reporting. Third, organizations must have access to secure communications tools so they can coordinate effectively during an incident. Finally, the bill should reinforce continuity of operations and be flexible enough to adapt to evolving threats.

Bill C-8 is a necessary step forward for Canada. It aligns Canada with our allies and strengthens our resilience in a more complex threat environment.

Most importantly, it helps ensure our critical infrastructure can continue to function when it matters most. Thank you.

The Chair: Thank you, Mr. de Boer.

David Shipley, Chief Executive Officer, Beauceron Security Inc.: Thank you, Madam Chair.

Senators, thank you for having me. My name is David Shipley. I’m the CEO and co-founder of Beauceron Security, which is based in Fredericton, New Brunswick. I have worked in cybersecurity for 14 years. I am a Certified Information Security Manager and a public interest technologist. I have been researching, writing and speaking about critical infrastructure cybersecurity for the past nine years. I have testified on cybersecurity policy before, including on Bill C-26, the predecessor to this proposed legislation.

I’m here to say one thing plainly and clearly: Pass Bill C-8.

It isn’t perfect, but it is good enough to help protect Canadians from real harm and to help us effectively respond when things go wrong.

The improvements over Bill C-26 are real: a narrower definition of the threats that can trigger government orders, the removal of confidential court submissions, a five-year statutory ministerial review and improved clarity that helps protect encryption.

Many of the remaining flaws can be dealt with in regulation. There are two specifically I want to talk about.

First, as my colleague noted, we must define “incident” with precision. Without that, we risk losing valuable insights in a cacophony of reporting. Second, personal liability must follow decision-making authority.

CEOs and CFOs set budgets and risk tolerance. Chief information security officers, or CISOs, do not. As drafted, this bill risks scapegoating the people charged with raising the alarm, while the people who set the spending and risk appetite may not face the appropriate consequences. That will simply cause experienced CISOs in the sectors where we need them most to choose to move to a new sector or, more likely, leave the field altogether.

There have been well-intentioned objections to Bill C-8 from various groups on privacy grounds. I believe the updates from Bill C-26 have gone a significant way to address many of them. Some may still feel otherwise.

However, the idea that Canadians’ data may be caught up in a Bill C-8-related incident filing is truly incidental. While we debate the potential risks of edge cases, criminals and nation-states are deciding whether Canadians get timely, lifesaving health care or safe access to drinking water.

The place we need to have the privacy fight right now is around Bill C-22, should it make its way here without fixing massive fundamental flaws.

So, I support Bill C-8, and not just because Canada is the last G7 country to pass this kind of legislation but because we need to move beyond these bare-bones basics and onto discussions and debates about the role of our national government and our agencies in protecting the other critical infrastructure this bill completely ignores: infrastructure under active threat.

Bill C-8 covers banks, telecommunications, energy transmission and transportation.

Bluntly, the banks were already well motivated and well regulated prior to this legislation. They are not even remotely my biggest concern. The telecommunications sector at the national level was, on the whole, well prepared and had voluntarily aligned closely with ISED through industry-government collaboration. Energy transmission, specifically pipelines and electrical assets not covered by the North American Electric Reliability Corporation and its regional subsidiaries, is a real concern. Transportation is likely the worst off of the four.

However, those four areas, and any providers closely linked to them, are not nearly enough when it comes to talking about what is truly critical infrastructure.

Let’s start with Canadian health care: Newfoundland in 2021, southwestern Ontario in 2023 and many more we never heard about. South of the border, we see much more, and it’s bad.

On April 6, Brockton Hospital in Massachusetts sent chemotherapy patients home and diverted ambulances after ransomware took down its systems. Since 2016, peer-reviewed research has documented more than 150 ransomware attacks on U.S. health care facilities that disrupted patient care.

Make no mistake: Canadians have likely died or had their lifespans shortened because of cyberattacks.

Researchers at the University of Minnesota School of Public Health found that ransomware attacks decrease hospitals’ ability to handle patient volume by 17% to 24% during the first week of an attack, with recovery taking up to three weeks. Among patients already admitted when an attack begins, in-hospital mortality rises by 34% to 38%.

The same researchers estimate that translates to between 42 and 67 Medicare patient deaths attributable to the impacts of ransomware between 2016 and 2021.

We need to stop hiding behind constitutional jurisdiction lines that were decided before the internet was popularized and get serious about organizing as a country with respect to this national security threat.

Now let’s talk about water. This month, Dragos, a cybersecurity firm, published findings on an intrusion at a water utility serving Monterrey, Mexico’s third-largest city —

The Chair: Thank you, Mr. Shipley. We can incorporate that into the question period.

Mr. Shipley: Sure.

The Chair: Thank you.

Philip Stupak, Senior Director, ISC2: Good afternoon, Madam Chair and members of the committee. Thank you for the opportunity to appear before you today. My name is Philip Stupak, and I serve as Senior Director of Advocacy at ISC2, the membership association for cybersecurity professionals. Prior to joining ISC2, I had the privilege of serving in the Biden-Harris administration as the Assistant National Cyber Director at the White House.

ISC2 is the world’s largest association dedicated to cybersecurity professionals, representing more than 265,000 members globally. Our third-largest membership base is here in Canada, where we have over 14,800 members. We offer nine professional certifications, the most recognized of which is Certified Information Systems Security Professional, or CISSP. It is widely regarded by employers as the gold standard for cybersecurity expertise.

I appear today on behalf of that global membership to express the cybersecurity profession’s strong support for Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

We live in an era of great contrasts. Our technology affords us a level of connectivity our forebears never could have imagined; our digital assets also enable foreign actors to shut off the power without ever setting foot on North American soil. At no other time in history have we been able to share information so fast nor have our schools been so easily shuttered by a thief a world away. It is a world of impressive capabilities, endless possibilities and dizzying vulnerabilities.

Not too long ago, using that same connectivity, the People’s Republic of China, or PRC, exploited one of those vulnerabilities to infiltrate telecommunications companies around the world.

Simultaneously, they began pre-positioning digital assets — that’s a polite way of saying weapons — within civilian critical infrastructure. This is Salt Typhoon and Volt Typhoon.

This is why the most recent National Cyber Threat Assessment highlighted that the PRC’s expansive and aggressive cyber program presents the most sophisticated and active state cyber-threat to Canada today.

The PRC is not alone. Threat actors around the world are trying to disrupt, degrade and interfere with Canada’s telecommunications system and everything connected to it. ISC2’s 14,800 Canadian members are trying to stop them. Our members keep us safe and secure in our shared online environments. They also ensure that we have power for surgeries, water for drinking, gas for driving and heat for living.

The bill before you sends two unambiguous messages: First, to our shared adversaries, pre-positioning cyber weapons in civilian critical infrastructure will not be tolerated. Second, to all of Canada’s cyber defenders, you are not alone. The Canadian government will answer the call to help you keep us safe.

By passing Bill C-8, you are meeting this moment of heightened uncertainty and protecting Canadians against the next threat.

My experience has afforded me the understanding that the arduous and slow process of passing cyber legislation means we need to respond to both the crisis of the moment and the unknown ones of the next 20 years. Bill C-8 provides the flexibility to adapt as the digital world evolves. This flexibility matters. It enables Canadians to defend against the threats and adversaries of today and tomorrow.

Bill C-8 also maximizes Canadians’ privacy rights. The Canadian Centre for Cyber Security has a long operational history of simultaneously protecting Canadians’ security and their privacy. They know how to do this, and they do it well.

The biggest, most persistent threat to privacy comes not from the Canadian government but from all the governments Canadians do not elect. Foreign adversaries can exploit vulnerabilities to gain access to your calls, emails and text messages. Bill C-8 shuts down that privacy violation by giving the government the tools it needs to secure the telecommunications sector, and it does so by expressly adding privacy-enhancing language to this security bill.

Bill C-8 is much more than a compliance or regulatory exercise. This legislation impacts daily life. Yes, Bill C-8 is about critical infrastructure, but it is also about everything that infrastructure enables: how we work; how we stay cool this summer and warm next winter; how we pay our bills; and how we get to work and visit our friends and family. That is what this bill is really about.

Protecting critical infrastructure from cyberattacks protects our way of life. I am proud to lend the voices of ISC2’s 265,000 global members in support of Bill C-8. On behalf of our future members, thank you for the flexibility to safeguard that way of life over the next 20 years.

Thank you for your time. I am pleased to answer any questions you may have.

The Chair: Thank you. I’d like to take this moment to welcome Senator Donna Dasko from Ontario. Thank you for joining us.

We will now proceed to questions. Our guests will be here with us until 4:55 p.m. We will do our best to allow time for each member to ask a question during this time. With this in mind, four minutes will be allotted to each question, including the answer, so hopefully we will be able to keep our questions succinct in an effort to get this work done. I would like to offer the first question to our deputy chair, Senator Al Zaibak.

Senator Al Zaibak: Thank you to all of our witnesses today. My first question is directed to you all.

What is the single biggest cyber vulnerability Canada must address immediately if we want to strengthen national resilience against hostile state actors and sophisticated criminal networks?

Mr. de Boer: The biggest vulnerability is a systemic risk, where we have legacy infrastructure that was not meant to be connected to the internet that is now being connected to the internet.

The challenge there is that there are no patches that can be run. There is a rip-and-replace process that needs to happen. That is the legacy infrastructure that covers rail and energy, though not so much banking and telecommunications. As an exporting country, if that breaks down, our entire economy will break down. There will be a lack of public trust, and it will be a national security incident as well.

Mr. Shipley: From my perspective, cyber means people in control of technology. The people expect our government to be able to react and act. We are not properly equipped with the laws, tools, experience and practice to respond to what John just said. This legislation gives us some of those tools.

Mr. Stupak: We frequently think about cybersecurity as information security. The challenge is that it is so much more now.

Nation-states and criminals have penetrated the cyber-physical barrier time and again. When you ask me what the biggest vulnerability is, it’s water. David was right: It is 100% water.

The difference between where finance and health care are is even greater than between health care and water.

Senator Al Zaibak: Thank you.

Senator Cardozo: Mr. Stupak, I have a couple of questions. Can you say more about water? What do you mean by that?

I sense that Canadians are sometimes more concerned about having privacy from the government than having privacy from other actors. Can you talk about that?

Mr. de Boer, on the question of digital sovereignty, we have very little of that. Most of our infrastructure is in the U.S. Could you talk about what that means for cybersecurity?

Mr. Stupak: First, on water, when I was in the White House, the absolute worst critical infrastructure sector we had for preparedness in cybersecurity was water. It remains water today.

Senator Cardozo: What does that mean?

Mr. Stupak: That means that there are almost no physical protections for cybersecurity within the water sector.

Senator Cardozo: Okay.

Mr. Stupak: Fundamentally, people are unwilling to pay an extra five cents per gallon for cybersecurity protection on their water. We need a movement for that market in order to build out cybersecurity protections within the water sector.

Senator Cardozo: Do you mean somebody poisoning the water?

Mr. Stupak: Absolutely. We have already seen it. Iranian actors were able to breach a water sector in Florida and alter chemical balances.

On the privacy point, this is an excellent point that the United States and Canada share, which is a desire to have greater protection of privacy from government than necessarily businesses or anyone else. I understand that.

I believe this act, at this point, has nine separate protections for privacy, and six of those reinforce the existing law. I think that is adequate protection from government misuse.

But a fundamental point is this: We cannot hamstring government’s ability to keep us all safe and keep our data — your data in Canada — away from other foreign actors because of a possibility that one small piece of personally identifiable information, or PII, might be in some record that’s shared somewhere. I understand the concern, but I think the bill adequately addresses it.

Mr. de Boer: In terms of digital sovereignty, there are a number of fundamental aspects. The Canadian government is now recognizing what those are: the ability to control infrastructure and data; ensuring the availability of access to that infrastructure; and also accountability when things go wrong.

Canada has not nurtured that infrastructure. It’s obviously evolved significantly over the past 10 years. It hasn’t nurtured it because the priority was efficiency. The priority was cost efficiency and scale. That has changed. Now governments are realizing we need to control.

Now we can do something about it. We have great Canadian tech companies. We’ve got emerging investments in satellite and space communications that can help control our telecommunications sector. As well, banking is attuned to this sovereignty question.

You see both industry and government being alive to the issue of ensuring that the data resides in Canada, that the infrastructure actually exists here and that we can control it.

Senator Cardozo: Thank you. Could you say more about that? Is that about having more data centres in Canada? How do we get those companies, which are usually American, to keep their information on Canadian soil?

Mr. de Boer: Yes, it means data centres in Canada. It also means having cloud infrastructure here in Canada, if you’re using cloud infrastructure. It also means incentivizing companies to invest in on-premises installations.

It also means being conscious about the kinds of applications we’re using. Many of the applications being used to exchange critical information are consumer-grade apps, the texts and voice messages we commonly use. They were not built for government or for critical infrastructure. We need to invest in technologies that were purpose-built for that.

Senator Cardozo: Thank you.

The Chair: Next is Senator McNair, the sponsor of the bill.

Senator McNair: Thank you to the panellists for being here today.

Todd Warnell, Chief Information Security Officer, Bruce Power, stated before this committee on May 4, 2026:

. . . Bill C-8 is not an end state; it is a foundation. However, in a world defined by greater volatility and uncertainty, establishing that foundation is urgent. The threat environment has evolved faster than our policy framework, and this legislation is an essential step toward closing that gap.

I think I know where you all stand on whether you agree with those comments, but I’m curious if you can expand on the threat environment evolving faster than we thought.

Mr. Shipley: Sure. Starting with AI, what I didn’t get a chance to talk about is Monterrey, Mexico, and the first documented AI attack on critical infrastructure. The perpetrators used tools to try to jump from the business network to mess with the water system.

In this case, they were unsuccessful. However, this happened the same week we learned that five water treatment plants in Poland had been compromised by traditional methods, so the gap is closing. That’s the speed at which we’re seeing it.

John mentioned that we designed these systems way before we ever thought of plugging them into a network. We’ve plugged them in haphazardly, in a rush, often during the pandemic.

Many Canadian municipalities hooked their water systems to the internet so people could remotely manage them from home. Those vulnerabilities were never remediated properly.

We have rushed, ill prepared, into a world that was never designed to be secure, and we have built a house of cards.

Mr. de Boer: Cybersecurity threats thrive on asymmetry, particularly in an interconnected world where all the infrastructure — such as banking infrastructure — depends on electricity or, the weakest link, telecommunications. We often focus on AI, and that is absolutely accelerating the threat. The one after that will be quantum technologies.

But what most people suggest is that we will get 95% there if we do basic cyber hygiene. Todd Warnell’s points are so important. We need to get there. Then we can be better placed to deal with the threats that come.

Finally, Philip mentioned Salt Typhoon. There are already pre-positioned threats in our networks. Our Canadian telecommunications networks were also exposed. Metadata, voice communications — all that is in the network today. We must also be able to protect against threats that are already present.

Mr. Stupak: There is a reason why adversaries are targeting water. Yes, it is because of life and limb. We all need water to survive and live.

But the other reason why they are targeting it is this: If you look back to the 20th century, we all competed in steel manufacturing. If you had steel, it meant you had good jobs. You could build buildings and battleships. That was a national security imperative.

Today, it’s not steel; it’s AI. When we look at the preconditions for AI, they are power and water. You need more data centres for data to stay in Canada. Those shut down without water because they need water for cooling. When an adversary can turn off your data centres at a time and place of their choosing, it means you can be made vulnerable at a time and place of their choosing. That is the evolution of the threat we are seeing: away from information and toward physical, real-life impacts.

Mr. Shipley: Also, we had the first attack against a health care provider in the U.S. as part of the Iran conflict. They didn’t ask for a ransom; they just crippled everything in there. They didn’t want money. They just wanted to shut the hospital down and to hurt people.

Senator McNair: Mr. Shipley, is there anything else you want to add to put on the record about water?

Mr. Shipley: It is not in the scope of this legislation. I am not looking for the Senate to amend the legislation to deal with that. I am looking for us to move beyond this legislation and study the issue.

The United States is ahead of us in health care because they have laws that hold health care accountable through HIPAA. We are not there. We are very much at risk on the health care side and on the water side, and we’re not having these conversations because we can’t even protect the four areas we have clear jurisdiction over and that we’ve stumbled on legislation around since 2022.

Senator Ross: My question is for Mr. Shipley. You’ve made the recommendation loud and clear that we pass Bill C-8 without trying to make any amendments, despite the fact that it may have some flaws that you feel could be fixed in regulations.

However, making observations is a tool that committees have when providing reports back to the Senate. Say you were a member of the National Security, Defence and Veterans Affairs Committee and wanted to add observations to the report to draw attention to a deficiency in this bill. What would be one or two key observations that you would recommend adding to the report that this committee will provide to the Senate?

Mr. Shipley: Specifically, one of the two areas I noted was ensuring that the regulations are as clear as possible as to what exactly an incident is. Some countries’ legislation was so unclear that they were drowned out in the noise of security events versus actual incidents that merited investigation.

The other goes back to CISO liability. I’ve talked to national critical infrastructure CISOs, who looked at the fines when they were $1 million and said, “That is my entire net worth. I am out when this bill passes.” Even at $500,000, I know CISOs of power utilities who believe it is not worth it for them to stay in their jobs. They are just not there, so if we are going to have personal liability, it should be on the boards of directors or the senior officers who actually make the decisions. That could be dealt with in regulation.

Senator Ross: Thank you.

Senator Boehm: Thank you, witnesses, for being with us today. This is my first recent meeting of this committee. However, I was on this committee two years ago when we were discussing Bill C-26. Much of the discussion is similar, but I wanted to probe a little bit.

Mr. Shipley, you mentioned that this bill is narrower and cleaner and that the government has benefited from a two-year interval to focus on and take account of developments both internationally and domestically in that context. You also mentioned that a lot can be achieved in the regulatory process, and that is something, of course, parliamentarians don’t often see. We look at the legislation but do not look at all the regulatory underpinnings.

I’m wondering whether you can provide some examples of how you see that evolving.

Mr. Shipley: As mentioned, the specificity around the definition of “incident” and who should be held personally liable when we decide to pierce the corporate veil is important.

Another important component of this legislation is the designation of critical providers to these sectors. That’s where we can broaden the scope to say we really depend on Google, Microsoft, Amazon, et cetera, for running the cloud services that now power some of our energy utilities and distribution grids, so I think a fair amount can be dealt with on that side.

Overall, the legislation takes a risks-based framework approach and talks about the bars that organizations have to clear to prove they have done due diligence.

The only other thing in regulation that could be wrestled with, and it is something we have debated back and forth, is liability for telecommunications providers if the government does a 90-degree turn on policy and says, “We don’t like this country anymore. Your equipment is coming out.”

One of the changes was that it was moved from a hard position of saying, “You’re not entitled to compensation,” to a softer position of saying, “It can be evaluated at the time.” They need to find a way to be clearer about that in the regulations because, let’s not kid ourselves, the rate payer is going to pay if they have to do this. Someone is going to pay.

Those are the major things I have thought about.

Senator Boehm: It would seem to me that, in looking at the regulatory process, we would also want to look at what other jurisdictions and countries are doing. You have all mentioned the G7. Well, we sit beside the “G1” geographically. There might be a lot of prospects there for osmosis in terms of ideas and approaches, but I would think the same is true with the Europeans, where there are certain similarities in terms of not only the threats and the malign actors behind the threats but also the different regulatory environments. This is open to the panel if I still have time, chair.

Mr. Shipley: One of the things that John and I and others have advocated is to harmonize with the American timelines. Many of our critical infrastructure providers are cross-border, so we suggest that we don’t have two different sets of incident definitions or timelines. Let’s try to be as unified in this as we can be on that side, which makes sense.

Mr. de Boer: I’d add two things.

One of the key lessons from other jurisdictions, in Europe and the U.S., has been public-private collaboration. Those systems are now being put in place in Canada. You are seeing that more. In Canada, we have something called the Canadian Forum for Digital Infrastructure Resilience, where you have companies from across the spectrum contributing to that. It’s chaired by ISED. You also have a new cyberdefence collective being set up by Public Safety and CSE. We are learning from the U.S. Joint Cyber Defense Collaborative, with all its faults, but having public-private collaborations is important because the time to respond is important.

The second lesson that we have learned at ISC2, which is in Europe, is that there was too much — maybe not too much, but the sole focus was on reporting cyber incidents after they happened, without an understanding of what to do during the attack.

How do you communicate securely? How do you establish standards to ensure that the information about that incident gets to the reporting authority in a way that is not compromised, not over consumer-grade apps, et cetera? Setting that up and being mindful of security and continuity of operations are also important.

[Translation]

Senator Youance: My question is for Mr. Shipley.

You mentioned that if you were a designated operator and this bill were passed, your company would be bankrupt. Did I understand correctly?

[English]

Mr. Shipley: Thank you. No. The legislation has the ability to hold individuals liable, so it pierces the legal protection that normally exists for corporations. Therefore, certain individuals could be held personally liable for failure to adhere to elements of the legislation.

That personal liability has caused a number of what are called certified information security officers, or CISOs, the most senior professionals with the most experience that we want at the helm, to re-evaluate whether they want to stay in the profession. This is a profession where over 50% of people want to quit already. So, if they could be personally ruined — or if that’s the perception — it’s going to make our problem even worse. My colleague may be able to speak to that as well.

[Translation]

Senator Youance: To what extent could the coming into force disrupt operators’ daily operations? Apart from personal responsibility, are there other factors that might lead all those responsible to leave?

[English]

Mr. Shipley: My company is not currently in scope, though it could be made a designated operator because we provide services to critical infrastructure. I’m not worried about adhering to the legislation. I think it makes sense. I think these are things we already do today.

I do worry about the utility CISOs.

[Translation]

Senator Youance: Thank you.

Could the Canadian Centre for Cyber Security or another federal entity provide support to designated operators?

What observation could be added to the bill to avoid this negative impact?

[English]

Mr. Shipley: I don’t think there is anything that can be amended in the bill to allay the concern. I don’t think that there needs to be. In the regulations — I don’t mind holding CEOs accountable if they make bad decisions, but I believe it should be directed to either the board of directors or the CEO. When I talked to the drafters of the law, their intent was to get executives to care.

Senator Al Zaibak: My question is directed to Mr. de Boer.

In your opening remarks, you identified four areas for improving the bill. It wasn’t clear to me whether you were suggesting amending the bill or are supporting the bill as is and, like Mr. Shipley, leaving it to the regulations to take care of those areas. Could you clarify, please?

Mr. de Boer: BlackBerry supports the bill and wants it passed. The elements of a clearer definition, timelines of reporting, continuity of operations and secure communications procedures can all be clarified in regulations.

Senator Al Zaibak: Thank you.

With respect to BlackBerry, it has evolved over the years and is very focused in cybersecurity protection. Where does it stand now among the major international players in this field?

Mr. de Boer: We specialize in securing mission-critical systems. We are 100% a software company now, and people trust us because of the “security first” approach that we take. We are a Canadian company; thus, we guarantee data sovereignty, and not just here. We are one of the few that ensure on-premise installations — that data where we work resides in those places. That is why governments come to us.

As I mentioned, we secure 275 million vehicles on the road today. For the majority of them, as they become more software defined, BlackBerry’s operating system becomes more important. Nuclear power stations, missile guidance systems — all the software used in these systems relies on BlackBerry. Why? Because it is secure.

We have transitioned our emphasis on hardware security into software security because that scales the most. And Canada is a leader in this space. People trust Canadian technology, as well. BlackBerry is really proud to work with the Canadian government and other Canadian technology companies to advance that.

Senator Al Zaibak: Thank you.

Senator Hay: Thank you all for being here. I might now store some water in my home.

I just want to pick up the thread on the mission-critical piece and data sovereignty, as well as a bit of what Senator Cardozo was talking about.

Professor Janice Stein said recently that it is not so much about control, because end-to-end data sovereignty really isn’t possible in its entirety, but it is free from coercion, and that is probably the more important thing. When I think of BlackBerry and mission critical being very sovereign, based on BlackBerry’s positioning, that isn’t all data in Canada, though. Data travels, so it could boomerang through the United States before it lands. Please comment on that but also with respect to data centres and foreign clouds. It is more about cloud sovereignty than it is data sovereignty — or it is the same thing.

Please comment on that a bit.

If it’s being free from coercion that we’re striving for, how do we worry about state adversaries like China? Our trade situation with our ally south of the border and supply chains are potentially at risk right now.

Speak about those things — the U.S. CLOUD Act and our vulnerabilities there. I guess I’m looking at you, Mr. de Boer, because you did say that BlackBerry was fully sovereign. However, that is not the only place that holds our data.

Mr. de Boer: Thank you for that question.

When I say “sovereign,” I mean it is truly sovereign — all data and the applications that we provide, and there are a number of them. One is a secure, government-grade voice and text system. It is similar to WhatsApp or Signal but resides fully here in Canada. In fact, it is installed in government data centres.

Senator Hay: And you’re not governed, then, by the U.S. CLOUD Act or anything like that, right?

Mr. de Boer: If it is an on-premises installation, it doesn’t even go through BlackBerry servers. We don’t even see the data. It is fully sovereign. The Government of Canada has full control. Some other clients have full control, as well.

All our solutions were designed to be implemented and deployed that way. They can also be deployed to the cloud if consumers choose to do so. The difference between BlackBerry’s model and a lot of other entities is that they went cloud first and cloud only, and they stopped providing customers with the ability to control their data and to deploy it on-premises because it is more expensive, more specialized and more niche.

Two years ago, if people had told me that governments are going to start going back to on-premises as opposed to the cloud, I would have questioned them, but, today, that is the norm. That is why governments come to BlackBerry and others that provide those kinds of on-premises services.

Senator Hay: Mr. Shipley and Mr. Stupak, please talk a bit about non-BlackBerry sovereignty because that is a big conversation around our AI strategy, for example, in Canada and building data centres. BlackBerry is the Canadian success story; we know that.

Mr. Shipley: We are the only Canadian company left that does security awareness education at scale. We have 1,800 customers, including a number of our largest banks, all three national telecommunications providers and more. Everybody else has been bought. It’s an interesting place to be.

We rely upon Microsoft infrastructure here in Canada, but we also have our own control over the encryption. There are some elements in terms of questions about where the U.S. CLOUD Act could come into this, but we’re the closest we can be in our sector. To your point, there are elements. Sometimes, with some capabilities, as BlackBerry demonstrated, and at some value points — as there are significant costs to doing this — you can do it. That is the big thing. You can do full sovereignty if you are willing to pay the bill for it. Thus far, none have been unwilling to pay the bill.

Senator Hay: There are few countries that can do end-to-end sovereignty. So you’re saying that the trade-off is worth it when you’re working with hyperscalers like Microsoft and Amazon — it is the only way to do it.

Mr. Shipley: It has been. For us to compete against some of the extraordinarily funded American-based AI competitors now, we have to use every advantage we can. We’re proudly Canadian, but if we weren’t using hyperscaler cloud infrastructure, we would be dead in the water.

The Chair: We are running out of time and still have senators who wish to ask questions. Then we will see if we can get answers or a bit of homework out of it.

Senator Cardozo: I will cut it down to one question.

Mr. Stupak, can you talk to us about what the Americans are doing in this regard and what lessons we must learn? With your experience in the White House, what was the level of openness from government to taking these measures?

Senator Ross: My question is for Mr. Shipley. You mentioned health infrastructure and the security of health services.

Given that it is not covered in the bill, can you give us some insight on how that can be included, as it is not necessarily federal jurisdiction?

Mr. Stupak: From the American perspective, when I was in government — highlighting that I have been out of government since January 17, 2025 — information sharing is one of the more important things that we’ve been doing, and we are starting to almost get there with the Joint Cyber Defense Collaborative, or JCDC, for example. It is an area where this bill could go further in regulations: enabling information sharing among critical infrastructure providers so they can share vulnerabilities back and forth to protect themselves. That goes far.

The other piece I would highlight is we did not focus on data sovereignty — and I understand this is an unpopular opinion — as data sovereignty is something of a mirage. We focused on encryption and ensuring our data was encrypted at rest and in transit, as well as measuring every agency in the federal government against that standard so that I knew how good they were at encrypting everything they had.

Mr. Shipley: To answer Senator Ross’s question, the reason why I am so adamant about passing this legislation is so we can turn to the study of how we will wrestle with health care. Remember, our incentives in Canada are not aligned to invest in security. Every Canadian wants to hear how many more doctors, nurses, X-ray technologists or hospitals are being opened or how wait times are being reduced. No politician in this country is incented to invest in security, and the outcomes reflect that, so we need to have a serious conversation.

If we can tie federal funding to orthopaedic surgical wait times, we can tie federal funding to achieving baseline security standards; we can mandate formal cooperation with the Canadian Centre for Cyber Security.

We never received a full accounting of what happened in Newfoundland because the lawyers were there, because of the concerns there and because of politics. We need to treat a health care incident like an airplane crash, meaning we need to learn everything we can as fast as possible to prevent the next one. That is a conversation we can’t get to if we can’t even pass this bill.

The Chair: Thank you. This brings us to the end of our time with this panel. Thank you very much, Mr. de Boer, Mr. Shipley and Mr. Stupak. Your testimony was very helpful, and thank you for the work you’re doing in this lane. We obviously need it very much; it is very timely.

Welcome to Senator Yussuff, who has joined us.

For the next panel, we are pleased to welcome Kate Robertson, Senior Research Associate, Citizen Lab, at the University of Toronto; Christian Leuprecht, Professor, Royal Military College and Queen’s University; and Matt Malone, Balsillie Scholar, Balsillie School of International Affairs in Waterloo. Thank you for joining us today.

We’ll begin by inviting you to provide your opening remarks, to be followed by questions from our members. I remind you that you have five minutes each for these opening remarks.

Kate Robertson, Senior Research Associate, University of Toronto, Citizen Lab: Good evening. My name is Kate Robertson. I am a lawyer and, currently, a researcher at the University of Toronto’s Citizen Lab.

My comments today draw on our research on cybersecurity and telecommunications, as well as constitutional law analysis I submitted in a brief to this committee. My brief set out five amendments to address constitutional deficits and cybersecurity risks in the bill.

A series of important amendments were made to Bill C-8 in the House of Commons earlier this year. However, this committee is still left with an unfortunate irony: that the most significant constitutional vulnerability remains in the bill, which is the imbalance between the bill’s privacy-impacting powers and the contrasting absence of judicial oversight.

Judicial oversight amendments were implemented in the study by the committee but were subsequently ruled out of scope in the House. As a result, Bill C-8 remains highly vulnerable on constitutional grounds. Given its importance, this matter should not be disposed of for procedural reasons in Parliament.

My brief further outlines how the absence of independent oversight also destabilizes Canada’s existing national security framework, which faces precarious challenges at present even without the complications of Bill C-8. I recommend this committee find these constitutional risks are too significant to leave hanging over important public interest legislation. Addressing this imbalance should be a priority.

My brief also recommends mitigating amendments that are also important, particularly in the absence of judicial oversight.

First, we should clarify clause 15.2 to ensure that it also excludes the interception of metadata as well as clarify that it cannot be used to require telecommunications providers to adopt intercept capabilities.

We should stipulate that where personal or de-identified information is obtained from telecom providers, it should only be used by government agencies for cybersecurity and information assurance purposes.

Finally, clarification is needed on a new clause that was added by the House Standing Committee on Public Safety and National Security; in particular, the provision within clause 15.2 now stipulates that the powers cannot be used to decode encrypted private communications. This is good, but a correction is needed to include protection for encryption and technical safeguards in telecom generally, not just the specific type that attaches to private communications.

In the committee’s clause by clause, all members and parties were of the view that an amendment was needed for encryption. Several versions were tabled. Ultimately, the version that received majority support was around the theory that the verbiage that’s now in the bill expressly references the concept of encryption, which is laudable. However, this has the incidental problem of excluding important encryption technologies in Canada’s networks that don’t specifically attach to private communications, and this should be remedied.

Telecom networks are composed of many layers. Encryption is important in those layers generally. My brief proposes specific language on this. There are other options. Officials had expressed resistance during clause by clause about alternative phrasing, in particular the concept of “confidentiality, integrity and availability,” suggesting that was vague. I find that surprising. It is one of the most widespread, authoritative terms to describe cybersecurity. Ultimately, that’s something we see being proposed with respect to the controversial equivalent clause in Bill C-22, which is unfolding today. Those words are not vague, but I’ve also given another option in my brief.

Ultimately, this is not a riddle or a conundrum. Government experts undoubtedly know that encryption is in multiple layers of telecom networks and not just for private communications. I’ve included a 2024 report from Canada’s cyber authorities that describes this.

Australian legislation uses language that is broader than Bill C-8 in this regard. Even the much-criticized Bill C-22 recognizes that electronic protections include both encryption and authentication.

We need a more inclusive scope of protection.

Thank you very much for your attention. I would be happy to provide more context and discussion in the question-and-answer stage.

The Chair: Thank you.

[Translation]

Christian Leuprecht, Professor, Royal Military College and Queen’s University, as an individual: Thank you for the invitation. I’ll speak in English, but please feel free to ask your questions in the official language of your choice.

[English]

Thank you for having me back at the Senate to testify. My objective is going to, maybe, change the perspective on this bill.

Canada is under constant attack from hybrid and grey-zone activities intent on espionage, sabotage, subversion and outright destruction of data and networks below NATO’s Article 5 threshold.

Malign state, state-tolerated and non-state actors are not just going after vulnerabilities across Canada’s cyber systems; their ultimate objective is abusing and undermining society’s trust.

How do adversaries go after trust? They undermine our resilience. When an attack happens, how we respond has an implication for how our governments are perceived. Attacks are designed to make our state look weak. Citizens need to have trust in a state’s competence, which is a core part of Bill C-8.

Citizens need to have trust in the legitimacy of the Canadian state. Adversaries build up misinformation campaigns; you can witness it in the controversy over lawful access. The adversary’s narrative purports that all forms of surveillance are somehow illegitimate.

Hybrid warfare thus intends to conjure up friction that calls into question the legitimacy and competency of the Canadian state. Bill C-8 remedies some of these deficiencies.

Adversaries target social cohesion. They aim to fracture society. Bill C-8 also helps with that.

Citizens need to trust one another and Canada’s allies. Cohesion and solidarity in society are indispensable to a vibrant democracy, and I believe Bill C-8 does important work in shoring up cohesion.

Finally, what are the facts? What is right? What is real? How do we discern that? AI is further exacerbating uncertainty. Adversaries want our citizens to accuse the Canadian state of being authoritarian so as to weaken our defences. Bill C-8 provides important defences for the Canadian societal framework.

Bill C-8 addresses key weaknesses in Canada’s cyber ecosystem that adversaries have been exploiting at scale to undermine Canadian security, prosperity and democracy. Yet investments needed to shore up Canada’s resilience are actually fairly modest.

Bill C-8 is ultimately about building trust. For too long have government and society abdicated collective responsibility. Bill C-8 is part of a suite of measures to create and reinforce resilience and trust to sustain ourselves through political turmoil.

Bill C-8 provides a long-overdue legal framework to require designated operators across the finance, telecommunications, energy and transport sectors to enhance their cybersecurity strategies.

The legislation prioritizes resiliency and the ability of organizations to withstand an incident, and it prohibits Canadian telecommunications companies from using products or services that originate with the same high-risk suppliers whose countries of origin are intent on overturning the rules-based international order and thus pose an existential threat to our way of life. Protecting against these sorts of devices is essential.

Bill C-8 also introduces the critical cyber systems protection act, or CCSPA, which provides a comprehensive framework for ensuring the cyber systems that support Canada’s vital services and systems.

Importantly, the CCSPA would increase the sharing of information on cyber-threats by requiring the reporting of cybersecurity incidents above certain thresholds. Greater visibility on vulnerabilities by way of mandatory reporting by regulated entities is absolutely imperative. Canada’s key allies already have similar frameworks and requirements in place, and some of them have for years. In the age of global conflict and great power competition, Bill C-8 is not just essential for the integrity of Canada’s own cyber ecosystem but also an important signal to allies that Canada is serious about cyber because the allied cyber ecosystem is only as good as its weakest link.

That Canada is perceived as a weak link across myriad security issues by our closest ally is not lost on anyone here. On cyber, Canada has fared comparatively well. Bill C-8 is essential to maintain the trust and confidence Canada has built because Canadian vulnerabilities have cascading continental, allied and global consequences not just for Canada’s cyber ecosystem but for Canada’s reputation.

Guns and butter aren’t what they used to be. Technology, hybrid threats, total defence, conventional capabilities, state-of-the-art modern warfare technology, dual-use technology, cyber disruptions and airspace incursions are today’s guns. The butter is the freedom to have access to reliable and stable transport and energy, not to be disrupted in cyber or have medical devices weaponized. Today’s butter is to defend, deter, react and prevent. That is the purpose of Bill C-8.

The Chair: Thank you.

Matt Malone, Balsillie Scholar, Balsillie School of International Affairs, as an individual: Thank you very much for the invitation and the opportunity to speak today. We were saying it felt like Groundhog Day coming back here, so it’s fun to see everyone again.

My name is Matt. I am a scholar at the Balsillie School of International Affairs, and today I am speaking in a personal capacity. These are just my views.

To start with, on an optimistic note, I will make a general comment about the benefits of the bill.

Many of the changes this bill introduces, as my esteemed co-panellists shared, are welcome, including the requirements for certain actors to take cybersecurity more seriously, to develop programs, to mitigate risks and to report certain incidents.

Minor changes would also help achieve these objectives, too, including, in my opinion, shortening the reporting period; expanding the list of “vital services and systems” already at this stage to include vital services and systems like space and data centres; and expanding ransomware reporting obligations so that actors that fall through the cracks of the law, who aren’t covered by the law, would be required to report those too. Ransomware is the greatest cyber-threat facing average Canadians. Also, use an automatic, size-cap approach, as Europe does with its cybersecurity legislation, rather than a registration- or order-based system, as is contained in this one.

I’m happy to talk about these ideas in detail, but the focus of the remainder of my opening remarks will be on two issues related to oversight and review.

When it comes to oversight, I agree with my colleague from the Citizen Lab: This bill has serious flaws. The administrative standards in Parts 1 and 2 for issuing orders and directions are quite low, and the threshold is simply whether the Governor-in-Council or the minister, in relevant part, believes on reasonable grounds that it is necessary to issue either an order or a direction, and the language is quite expansive. It’s a low bar that could stretch to cover an enormous range of activity, and those orders or directives could be wrapped in a high level of secrecy, which I find particularly concerning.

Accompanying those order-making and direction-giving powers are information-gathering powers under clause 15.4 of Part 1 and clause 29 of Part 2, which Intelligence Commissioner Simon Noël has expressly warned might permit warrantless surveillance.

It is not a coincidence that the bill expressly bypasses the Intelligence Commissioner, in my opinion.

It is also worrying that Parts 1 and 2 permit wide latitude in the sharing of information that is obtained through these powers, both within organizations that have multiple mandates but also to foreign states, and perhaps there is a conversation there that you should be having.

As with oversight, when it comes to review, there are some serious issues with the bill. This is after the fact as opposed to before the fact. What passes for review in Parts 1 and 2 are the obligations to notify the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security and Intelligence Review Agency, or NSIRA, when orders or directions are issued.

However, as I’m sure everyone in this room knows, those organizations face some real constraints in doing their review work.

NSICOP has produced phenomenal reports about the cybersecurity practices of the government itself. Those reports have largely had mixed success. NSICOP has made a number of recommendations that have not been taken up, and cyber has struggled to do its job as well. I wrote an article in January called “6 years on, Canada’s intelligence watchdog says it still struggles to access government documents,” highlighting how NSIRA repeatedly said in its annual reports that it was having trouble getting records from institutions it’s supposed to oversee, like CSE. This is despite provisions in NSIRA’s enabling law that says it can access any information it needs.

One of the most difficult federal institutions they’re experiencing this with is the CSE, whose powers will be expanded in this law.

Also, NSIRA has said openly that it is not performing some reviews simply due to budgetary constraints. At the same time that CSE has seen its budget double in recent years, NSIRA is part of the 15% cuts across the board.

The measures in the bill complement what we’ve seen in Bill C-4 and Bill C-22, as well as what I read as what is in the upcoming reforms to the Access to Information Act and Privacy Act, which all indicate we are heading toward further erosion of Canadians’ privacy rights.

The committee should treat these issues seriously and recognize that privacy and data security affect the health and security of our democracy. When it comes to privacy and data security, it is at the oversight and review stages where the rubber meets the road. Parliamentarians should carefully consider the concerns about potential harm from a lack of oversight and/or review.

In sum, I am not an opponent of the bill. I believe this is an important bill and we should have cybersecurity for critical infrastructure, but the bill could use refinements and needs better oversight and review and a lot less secrecy.

As parliamentarians, you have done important work on this bill, including Senator McNair catching drafting errors in its previous iteration. I applaud you for that work.

I hope you will continue this impressive work by strengthening the oversight and review provisions in the bill this time around. Thank you for the invitation to speak today.

The Chair: Thank you, Mr. Malone. We will now proceed to questions with the same restrictions as our last panel. Our guests will be with us until 5:55. I would like to offer the first question to our deputy chair.

Senator Al Zaibak: My first question goes to Ms. Robertson. In your opening remarks, you addressed the vulnerability of this bill to legal challenges. I’m going to ask you, from the Citizen Lab’s perspective, about the vulnerability of Canadian institutions, including parliamentarians, diaspora communities, journalists and researchers, to foreign cyber-enabled intimidation and surveillance. I would appreciate your concerns about the legal aspects of that when we come back to it.

Ms. Robertson: The Citizen Lab has multiple areas of research that are engaged by the scope of your question, and I will do my best to address the most important pieces as it relates to this bill.

Undoubtedly, expansive surveillance powers and security vulnerabilities often have the potential to impact the most vulnerable people in our communities, including from both domestic and foreign surveillance actors. Some of those surveillance actors are authorized; some of them are unauthorized and gain access by unlawful intrusions.

On the last occasion that I was here to testify with respect to Bill C-26, I spoke about what at the time was the recently unfolding public awareness of the Salt Typhoon attack, which is now — some months later — understood to be one of the most expansive cyber-espionage attacks in history.

That attack was facilitated by some of the vulnerabilities in telecom networks that we very much hope the Government of Canada and those around the world will take a more proactive role in remedying. However, in the absence of sufficient safeguards in this legislation, which carry a constitutional risk as well as a cybersecurity risk, we fear that we will see the efforts of some within government who view surveillance as a more important priority than the security of everyone, including by compromising some of the very safeguards that would prevent us from experiencing some of the Salt Typhoon attacks of the future.

Senator Al Zaibak: Are you proposing specific amendments to this bill for our consideration?

Ms. Robertson: Yes, my brief has five specific amendments. The first is that there be judicial authorization with respect to the very expansive information-collection powers. Corresponding amendments were, in fact, made by the Standing Committee on Public Safety and National Security on the other side but were voted as out of order in the House. Those should be brought back to address this constitutional problem.

I also outlined in my remarks corresponding clarifications to restrain the scope of what government surveillance actors may seek to use this bill for if it’s not explicitly made clear that they cannot do so. I really urged recognition that there is legislation going through Parliament under Bill C-22 that is explicitly a technical capability regime, but this bill could very well act as a technical capability regime if we don’t expressly make it not so. That’s what my amendments include.

Senator Al Zaibak: Thank you.

The Chair: Also, we did receive your information on Friday. At this moment, some of our colleagues may not have seen it because it’s in translation. I would encourage us to have a good, fulsome look at it when they have received it. Thank you.

Senator Cardozo: I’ll carry on the questioning that Senator Al Zaibak started.

Ms. Robertson, could you just provide more detail? We have you here, so maybe I can ask you to explain the clause you were looking at amending. Was it clause 15.2?

Ms. Robertson: The fifth recommendation relating to encryption relates to subclause 15.2(2.1), which references as an interpretive matter the stipulation that the powers in subclause 15.2 cannot be used to decode private communications. This is what I recommend be expanded to ensure that it doesn’t inadvertently exclude all forms of encryption and critical safeguards that are part of modern telecommunications.

Senator Cardozo: Can you explain that more? What would it include and what would it exclude?

Ms. Robertson: Certainly.

Right now, this stipulation is specifically there to prevent private communications from being decrypted when they’re wrapped in a form of encryption technology. However, there are many layers of telecommunications networks, and there are critical forms of encryption technology that apply to other elements of telecom technology in 5G — and 6G technology someday — that are really important to protect data generally, as it flows through telecom networks. That could include traffic and device identity or authentication.

This is ultimately a technical arena. I’ve included in my brief some illustrations as to why, from a cyber-expertise perspective — when I look at the guidance that Canada’s Cyber Security Centre has issued, for example — it’s urged for end-to-end encryption to be applied to all traffic.

This provision, in and of itself, is much narrower than that framing. We have language that I’ve put in the brief, but previous language that was discussed at the House Standing Committee on Public Safety and National Security referenced the concept of “confidentiality, integrity and availability,” often called the “CIA triad.” It’s a term of art to reference the three major pillars of cybersecurity, and it’s something that federal agencies already use in their official capacity.

Senator Cardozo: What are the three pillars?

Ms. Robertson: Confidentiality, integrity and availability. “CIA triad” is a term used to describe the way that strong cybersecurity shows up at a technical level in telecom systems.

Senator Cardozo: With regard to the amendment you had that was ruled out of order or out of scope, could you say more about that and where that would go?

Ms. Robertson: An amendment was made to Bill C-8 that would have specifically applied to ministerial orders and orders-in-council that would be issued under either clause 15.1 or clause 15.2. Those are some of the very expansive capability-making powers that are at the heart of Part 1 of Bill C-8. A Federal Court authorization was included by way of amendment in the House Standing Committee on Public Safety and National Security to ensure that the Federal Court continues to have oversight over something as significant as these types of orders.

I would also note that clause 15.4 would be what would enable the minister to basically request any information from telecom providers. I agree with the Intelligence Commissioner in his previous remarks: This warrantless power has no apparent justification, and it’s difficult to envision how that would not be struck down under the Charter or saved under section 1 of the Charter.

So, you have an opportunity to include authorization, in particular, for that information-collecting ability.

Senator Dasko: One of my questions has been answered, but I’ll get to the scope topic in a moment.

First, I want to ask Professor Leuprecht something that he raised that I hadn’t really known about and find quite interesting. You said that, so far, the cyber-threats that we’ve experienced have fallen below the NATO threshold. I was not aware that NATO could actually be engaged in a cyber-threat operation.

Could you explain what you meant by that?

Mr. Leuprecht: Sure.

Article 5 applies to any provision where allies might perceive themselves to be under an attack where they would call in the collective defence provisions.

Our adversaries, in terms of the asymmetric capacities they deploy, quite deliberately use tactics, means and methods that keep their attacks below a threshold where Canada or any other member of the alliance might be able to invoke or might need to invoke Article 5. However, they come very close to pushing that threshold across a wide range of capabilities.

One of the challenges, of course, in this environment is that, while I empathize with the need to have proper safeguards in place — I did a whole book on Five Eyes accountability review and oversight — at the same time, this is an environment that moves extremely fast, where we often need governments to make critical decisions in a very timely fashion.

Part of the objective of Bill C-8, as I see it, is to give government the ability to be more dynamic and agile in responding to this very rapidly evolving environment where the adversarial capabilities are expanding exponentially.

Senator Dasko: I assume that no one has ever invoked Article 5 around cyber-threats. Has anyone got close to it? Have there been situations where that threshold might have been reached? I haven’t heard about it before, so I’m quite interested.

Mr. Leuprecht: In this country, we have expanded the mandate of CSE and have included both active and offensive operations.

We’ve provided ourselves with the ability to engage in active operations, precisely to be able to neutralize as needed adversarial capabilities that might pose significant threats to the integrity, for instance, of critical infrastructure.

We also have offensive capabilities. It is rather improbable that those would be used by a country such as Canada because they would be classic warfare capabilities. But all major members of the alliance now have active capabilities in recognition of the fact that adversarial actors exist and that simply playing defence is not an option. So you need to be actively engaged. Think about, for instance, the Hunt Forward teams that both the United States and several other allies now deploy in terms of looking for pre-positioned payloads in networks.

The state has visibility in this domain that private sector actors don’t, so what this bill, in part, allows the state to do with the intelligence it has is act in a timely fashion on often rapidly evolving challenges. Take, for instance, Volt Typhoon, where the vulnerabilities were so significant that, at the time, the FBI received warrants to be able to engage in mitigating vulnerabilities in critical infrastructure systems because they were afraid their CISOs would not be able to act fast enough.

Time is of the essence here. Part of the balance in terms of the privacy elements is that we need to make sure we have the right balance in terms of where the pendulum swings in an environment where our adversarial actors and the asymmetric capabilities they have are becoming much more aggressive and brazen and pose a much greater risk to our critical infrastructure systems. We have a telecommunications company in this country through which, due to a software update, many of your phones would have not worked for three days.

I always say that if you want to destroy Western civilization, take out Microsoft. We have, sometimes by design, sometimes inadvertently, created significant vulnerabilities. Now we are catching up on how we mitigate those, since these are existential, vital systems for 21st-century society.

Senator Yussuff: Thank you, witnesses, for being here. Thank you for all your perspective and your important briefs.

Ms. Robertson, I will come to you. There have been many concerns raised about Bill C-26. It seems like déjà vu. It was a similar bill, but some of the improvements were critical in the context of those hearings.

I think my colleagues in the House of Commons did tremendous work in trying to address as many as they could to make the bill better, as did Senator McNair, who very aptly pointed out there were some challenges in how the bill was drafted that needed to be corrected.

Would you acknowledge that Parliament has substantially improved the bill from the last bill we had in Bill C-26?

Ms. Robertson: I was saying before the hearing began that my brief with respect to this legislation has changed a lot, but my focused remarks verbally have changed very little, because I have been urging that the priority issues to address are to ensure that we don’t have a piece of very important legislation that is dragged into the swamp of constitutional litigation.

We also don’t want the provisions, which are intended to make our systems more secure, to become over time the vehicle for undermining those systems for surveillance purposes. As I noted, that type of approach is what’s coming, perhaps, at some point, even to this very committee. It is not in the bill. This bill should be about cybersecurity and not surveillance.

Unfortunately, right now, we are at risk from how broad the framing is. It’s a blurred mandate, and we’ve seen this in past complex pieces of legislation like this, where agencies come before the Senate and testify as to how they interpret their mandate vis-à-vis powers of this kind.

Review agencies like the National Security and Intelligence Review Agency, or NSIRA, have actually documented how agencies like CSIS have changed their position after the legislation was implemented. We don’t want that here because we want these powers to make our systems more secure, not more compromised.

Networks like 5G and 6G ones have the important potential to help us mitigate some of the harms we are seeing, including cyber-fraud attacks that are all too easy to facilitate through telecommunications vulnerabilities. We hope those tasked with this legislation will implement it to address some of the legacy issues in telecommunications networks.

However, right now, we are seeing too much resistance to even the very basic premise that this bill shouldn’t be about surveillance and encryption breaking, and when the amendment actually came through a few months ago, it was quite technical and narrow, which is concerning in itself.

Senator Yussuff: I am referring to the point you made earlier, that the House committee did bring forth an amendment that was ruled out of scope in the other place. That would be the same challenge we will face here. If we put forward an amendment that is out of scope, it will be out of scope. We can’t do so.

The dilemma is that you can’t fix something that is out of scope because of the way the drafter drafted this piece of legislation. I do acknowledge the point you’re making, but the reality is, of course, that they already ruled in the other place that it is out of scope. We don’t have the luxury of simply ignoring some of the realities that already happened, pretending we are going to do our own thing and disregarding the House of Commons ruling on this.

Ms. Robertson: Brighter minds than mine would have to help me understand how adding the most important safeguard that section 8 of the Charter of Rights and Freedoms affords is out of the scope of the principle of the legislation.

I don’t understand that legal position. I’ve testified today that I don’t think that something so important should be addressed and disposed of by matter of a procedure like this. But I would note, as well, that I’m not the only witness to testify at this stage before this committee on this bill.

The Intelligence Commissioner also testified about the availability of review by his office and his position, and that is not an amendment that has been ruled out of scope. I don’t believe that either form of authorization should be ruled out of scope, but that is ultimately not for me to determine.

Senator Yussuff: Thank you very much for your work and for being here.

Senator Boehm: Thank you very much, witnesses, for being here. As Mr. Malone said, there is a sense of not just déjà vu but also Groundhog Day to this in terms of the work we did two years ago on Bill C-26, where you were also witnesses.

I recognize the value of civil society input. In the previous panel, we heard from practitioners from industry about the need to push forward. With any legislation that comes from the House of Commons to this place, there is always a need to push forward quickly.

I looked with some interest, Ms. Robertson, at your five proposed amendments. There is a lot that can be put into regulations and the regulatory aspect to a law, and those can be changed at almost any time, depending on circumstances. My question to both you and Mr. Malone is this: Would any of your concerns be fixed or ameliorated by regulatory changes?

Mr. Malone: I think the ability to amend what a “vital system or service” is enables the Governor-in-Council to make those changes and bring in industries that are excluded right now. I think that would be a benefit.

Ms. Robertson: Your question specifically referenced the amendments that I recommended in my brief. I actually think it would be quite a problem if they were left for regulation because they are a matter of statutory interpretation. If I could just use one example, right now, the bill references the lack of authority in clause 15.2 to order the intercept of private communication.

I recommended that should be inclusive of intercepting metadata as well. As a matter of statutory interpretation, Parliament’s intent will be divined from the clause that right now, as it stands, does not include metadata. There will be inferences drawn as to whether Parliament very much intended to enable the interception of metadata.

Similarly, I recommended an amendment to ensure that the bill doesn’t interfere with the encryption surrounding other layers of telecom that would protect people against, for example, geolocation surveillance that is unauthorized. Right now, it only explicitly protects encryption of private communications. Again, inferences will be drawn by that narrow definition.

Senator Boehm: Thank you. I wanted to get your metadata comment on the record, and that is specifically what I was referring to.

Senator Al Zaibak: Ms. Robertson, as a business matter, how accessible are Citizen Lab services to citizens, enterprises and businesses in practice?

Ms. Robertson: The Citizen Lab is an academic research lab based at the University of Toronto’s Munk School of Global Affairs, and it is engaged with research that is supervised by its director, Professor Ron Deibert. Its methods are entirely subject to the research and ethics protocols of the University of Toronto. It has no mandate to provide public services; it does public interest research.

Senator Al Zaibak: Thank you.

Mr. Malone, you suggested in your opening remarks expanding the scope of the bill to include space and data centres. Aren’t they included as a matter of fact in the telecommunications sector?

Mr. Malone: Certain telecommunications companies might be included, but the ability to amend these through regulation is one of the examples I provided to the other question — there is flexibility here.

One of the problems is how slowly this bill has moved through Parliament. I think this was introduced when ArriveCAN was still mandatory, so it has been four years now. It goes to show the drawbacks that registration-based systems or systems where we rely on regulations to be issued to make the changes come with.

These laws get passed and then are laws for decades. The Privacy Act was passed in 1983, and we’re doing a modernization right now for the first time. The Access to Information Act, PIPEDA — there are so many examples of this. I support the bill, but it is worth positing other approaches. One of the approaches that has a lot of merit is the European approach. After trying a registration-based system, NIS 1, they used a size-cap approach and disseminated these obligations for cybersecurity programs, mitigation efforts and reporting obligations based on the size of a company.

If Parliament draws these inferences, I share the concern that some of these law enforcement, national security and national intelligence agencies will read this language very carefully to utilize things like clause 15.4 in Part 1 and clause 29 in Part 2, the information-gathering powers that both the Intelligence Commissioner and the Privacy Commissioner have said will enable warrantless surveillance. However, the private sector will draw its own inferences too, and if they don’t have to follow these obligations, they won’t.

That is where size cap is a good model. It automates those things. It is like a trigger, and then private sector actors need to follow.

There is merit in other approaches. As much as there is an urgency to pass the law, which I recognize, the reality is that once we have the legislation, it is likely to be there for a long time.

Senator Al Zaibak: Thank you.

Senator Cardozo: I want to pursue that question in terms of passing the bill in its current form and making amendments or not. You don’t feel that the issues you’ve raised can be dealt with in regulation.

Given that we have taken so long to get here and that last time we had a couple of very technical errors that we sent back and a year and a half later we’re still here, would you consider that we should pass the bill as is and fix some of those things in a subsequent bill?

Ms. Robertson: I acknowledge it has been some time since I was here last, but I recall one of your colleagues on this committee had expressed some hesitancy around amendments because at that time there was a concern as to what would happen if the bill were to return to the House of Commons.

I don’t gather that it is as front and centre in the thinking of this committee. That would be my inference.

Senator Cardozo: It is a more stable government now than the last time you came here in terms of what was happening in the other place versus here.

Ms. Robertson: Even with that different opportunity available, I still testified on the last occasion — and I would repeat — that this is long-term cybersecurity. It is an approach that may be replicated at the provincial level. When you have something as precedent setting as this, you absolutely want its compass points pointed in the right direction.

I’ll repeat myself that there is surveillance capability legislation going through the House of Commons, and undoubtedly — or hopefully — parliamentarians will be attentive to the correspondingly significant safeguards that would need to accompany capabilities of that kind.

Right now, because this bill hasn’t been positioned as surveillance capability powers, it doesn’t have the corresponding safeguards.

This is not something we should be afraid of fixing. By the government’s own description, it’s not supposed to be surveillance legislation, and this committee should ensure that it is not.

Senator Cardozo: I read an article by you in The Walrus, “Trump Wants to Tap Your Phone. Ottawa Might Let Him,” with regard to Bill C-22. Some may be interested in reading that article. Will you be testifying on Bill C-22?

Ms. Robertson: I am not sure if I will be testifying. I had understood that the committee will be sitting for at least three hearing dates. If that remains true, then tomorrow will be the last occasion, in which case I will not be testifying because I was not invited.

Senator Cardozo: Thank you for being here today.

The Chair: This brings us to the end of our time with this panel. I would like to thank Ms. Robertson, Mr. Leuprecht and Mr. Malone for being here and taking the time to meet with us today. We appreciate your contributions and work on this bill, as well as the work that you’re doing each and every day.

Colleagues, I will be leaving for the second part of this meeting due to another defence-related engagement. Senator Al Zaibak will serve as the chair in my absence.

(Senator Mohammad Al Zaibak, Deputy Chair, in the chair.)

The Deputy Chair: Good afternoon, everyone. I am Senator Al Zaibak, deputy chair of the committee. I will chair the remainder of this meeting.

For our next panel, we are pleased to welcome Jennifer Quaid, Executive Director, Canadian Cyber Threat Exchange; Aaron Shull, Research Director, Centre for International Governance Innovation; and, by video conference, Ali Ghorbani, Professor and Director, Tier 1 Canada Research Chair in Cybersecurity, Canadian Institute for Cybersecurity, University of New Brunswick.

Welcome to you all. Thank you for joining us today.

We will begin by inviting you to provide your opening remarks, to be followed by questions from our members. I remind you that you each have five minutes for opening remarks.

Jennifer Quaid, Executive Director, Canadian Cyber Threat Exchange: Thank you, Mr. Chair. I am here today representing the Canadian Cyber Threat Exchange and its more than 200 member organizations, many of whom are in the sectors that this bill will legislate; others make up their supply chains.

I am here in support of passing Bill C-8, and I want to explain why through the same risk-based lens that security leaders across our country live by because, at its core, this legislation is about managing risk to Canadians.

A risk-based approach asks three simple questions: What is the likelihood of harm? What is the severity if it occurs? What is the cost of prevention versus inaction? Bill C-8 stands up well on all three counts.

First, regarding likelihood, the risks addressed by Bill C-8 are not hypothetical. They are present, persistent, pervasive and growing. Attacks on our systems are real and ongoing. Ignoring them does not make them disappear. It only increases the probability of more costly consequences later.

Second, regarding severity, the consequences of inaction are significant. A cyber breach in one system could trigger broader disruptions beyond the four critical infrastructure sectors addressed here, affecting essential services, markets and public confidence and trust.

Third, regarding cost effectiveness, prevention is surely cheaper and more effective than response. Bill C-8 is a measured investment in resilience. It doesn’t try to eliminate all risks; that would be completely impractical. Instead, it targets the most material risks with proportionate tools.

Concurrently, we must ensure that we retain the trust of Canadians. Canadians expect their institutions to anticipate risk, not just react to it.

When governments act early, they reduce both harm and recovery costs. Supporting Bill C-8 signals a commitment to responsible stewardship. This bill acknowledges risk and provides a proportionate strategy — because hope is not a strategy.

Finally, I want to address the concerns about privacy. A risk-based approach doesn’t dismiss privacy. It requires us to weigh it carefully. Bill C-8 does not operate in a vacuum.

Canada already has strong legal frameworks, independent oversight and accountability mechanisms that protect personal information and civil liberties. These safeguards are active and effective already today.

The question is not whether privacy will be protected; it already is. The question is whether we can address these risks within the existing framework. The answer is yes.

The bill builds on existing protections, ensuring risk mitigation does not come at the expense of fundamental rights.

Striving for consensus on a bill is admirable, but it is not practical. This bill will deliver real benefits now. It lowers risk. It improves coordination. It strengthens defences in critical systems.

Waiting for perfection doesn’t eliminate risk. It is a choice to accept it. The greater cost is in inaction, not imperfection.

We have to act now to reduce the risks facing Canadians while respecting the systems that safeguard their privacy. Bill C-8 strikes that balance.

In closing, Bill C-8 represents responsible governance. It is proactive, proportionate and grounded in evidence. It reduces both the likelihood and severity of future harm. For these reasons, I would urge you to support its passage.

Thank you.

The Deputy Chair: Thank you, Ms. Quaid.

Ali Ghorbani, Professor and Director, Tier 1 Canada Research Chair in Cybersecurity, Canadian Institute for Cybersecurity, University of New Brunswick, as an individual: Good evening. It is a pleasure to be with you today for this discussion on strengthening Canada’s legislative and strategic cybersecurity capabilities.

As introduced, my name is Ali Ghorbani. I’m a professor of computer science at the University of New Brunswick, a Tier 1 Canada Research Chair in Cybersecurity and founding director of the Canadian Institute for Cybersecurity, Canada’s first dedicated cybersecurity institute. Established 10 years ago, it is now a leading centre for research, training and collaboration.

While much of the importance of securing Canada’s critical infrastructure has already been well articulated, I would emphasize a key point: Cybersecurity is no longer solely a technical issue; it is central to our way of life, national security, national power, economic stability, societal values and public trust.

Canada’s critical infrastructure is increasingly exposed to sophisticated threats from state-sponsored actors, organized cybercriminal groups and rapidly evolving technologies. These risks are compounded by systemic challenges, including outdated regulatory frameworks, inconsistent information sharing, the under-reporting of cyber incidents and deep interdependencies across critical assets and sectors.

In this context, Bill C-8 is an important step forward, albeit a bit too late. It reflects the reality that telecommunications and digital infrastructure are foundational to Canada’s security, economy and public services. By strengthening regulatory expectations and enabling more timely intervention, the bill enhances Canada’s ability to respond to significant cyber-threats, including those targeting critical infrastructure.

I support the objectives of Bill C-8. The bill introduces consequential updates to Canada’s cybersecurity legislative framework and marks an important shift from a largely voluntary best-practices model to a more structured, mandatory, regulatory approach for critical infrastructure providers.

From an operational perspective, I view the bill as a positive development. It enables faster, more coordinated responses to significant cyber-threats and reduces delays in mitigating sophisticated attacks, including state-sponsored campaigns targeting critical infrastructure and telecommunications systems.

At the same time, implementation must be carefully balanced with strong safeguards, including transparency, independent oversight, privacy protections and continued support for encryption, research and innovation. Centralized authorities must be designed to avoid introducing systemic vulnerabilities or undermining public trust.

That reflects a broader tension in the bill: strengthening Canada’s physical and digital infrastructure while centralizing command and coordination in response to cyber incidents.

Finally, legislation alone is not sufficient. Long-term cyber resilience depends upon a comprehensive national strategy that combines effective regulation with sustained investments in research, innovation, workforce development, public awareness and strong collaboration across government, industry and academia.

Thank you very much, and I look forward to your questions.

The Deputy Chair: Thank you, Mr. Ghorbani.

Aaron Shull, Research Director, Centre for International Governance Innovation: Chair and members of the committee, thank you for the opportunity to appear before you on Bill C-8.

For context, I appeared in front of the Public Safety and National Security Committee in the other place last October. They took a lot of my suggested amendments on board. It was quite a technical takedown of the bill, so that makes my job here easy. I am going to urge you to do one thing, which is to pass the bill.

Let me begin with the threat environment because that’s why we’re all here. It is trite to say that our electrical grids, pipelines, telecommunications, water systems and financial networks are the arteries of modern life, but the point is that they’re all increasingly automated and under sustained pressure from sophisticated state-sponsored adversaries who are not simply stealing data any longer; they are pre-positioning to disrupt.

This is not an academic concern. Salt Typhoon told us what happens when telecommunications networks are penetrated at scale. Volt Typhoon told us that pre-positioning in operational technology is no longer a hypothetical, and every operator I work with has stories about the rising tempo of intrusions against industrial control systems.

The problem is that too often, we can’t tell if an outage was a fault or a foreign intrusion. The honest answer is that we just don’t know. That is a posture this country cannot afford.

In my view, Bill C-8 is the foundation to change that. It establishes a unified framework across federally regulated critical sectors and gives governments the tools to compel the hardening of the systems Canadians depend upon.

Also, the work done by the House Public Safety and National Security Committee has produced a meaningfully better bill. It is tighter on privacy, more procedurally disciplined and now contains a mandatory five-year review. I’ll come back to that. Also, as I said, several of the points I raised in October were addressed.

I want to address what I think is the constitutional elephant in the room. I watched the other witnesses, and I have a good sense of what’s going on and am wise to the debate. There is a serious argument, which has been advanced by the Intelligence Commissioner, the Citizen Lab, the Canadian Civil Liberties Association and the Conservative caucus — all groups I have a tremendous amount of respect for — that clause 15.4 should require prior judicial authorization. There are real foundations to that argument. The Supreme Court of Canada’s 2024 decision in Bykovets brought subscriber and IP data inside section 8 of the Charter, and the doctrinal starting point is Hunter et al. v. Southam Inc. That all favours a warrant.

However, on balance, I nevertheless support the passage of this bill as it stands. That is because the Branch and Jarvis cases recognize that regulatory compulsion of information from regulated entities for regulatory purposes operates under a Charter regime that is more permissive than the criminal-investigation warrant model.

The bill places major orders at the Governor-in-Council level, subjects them to NSIRA and NSICOP review, provides for post hoc judicial review by a designated Federal Court judge and now requires factor-based decision making at the issuing stage. That is serious oversight architecture. The constitutional questions are arguable, but they will be litigated in some form, which is okay. Kate Robertson said she doesn’t want the bill to be dragged into the muck of constitutional litigation, but — while I have a tremendous amount of respect for Kate — I don’t think that would be a bad thing. I don’t think constitutional litigation is “muck” or a quagmire; I think that is another branch of government doing precisely what it is designed to do.

The five-year statutory review, which I mentioned, is the right vehicle for recalibration if the operational record reveals that the harms of the existing scheme are too great.

So, I would urge this committee to do one thing: weigh the cost of delay.

Bill C-26 passed both chambers. It died on the Order Paper. Canada lost more than two years of critical infrastructure protection because the legislative process did not finish. I can tell you for sure that our adversaries did not take those two years off.

Operators are now waiting for two things from Parliament. The first is the certainty of an act that is in force. The second is regulations that will tell them what compliance actually means. Every additional week without that certainty is a week during which investment is deferred, hard governance conversations are deferred and adversaries continue their work uncontested.

To be sure, Bill C-8 is not perfect, but the threat surfaces are evolving faster than statutes can anyway. That is precisely why the five-year review matters and why the regulations that will follow the act will matter at least as much as the wording of the act itself.

The work that the House did, in my humble estimation, produced a workable, principled framework that addresses an urgent national security gap. Canada’s critical infrastructure operators and the Canadians who rely upon the systems they run are waiting for Parliament to finish what it started.

Thank you, and I would be pleased to answer the committee’s questions.

The Deputy Chair: Thank you, Mr. Shull.

We will now proceed to questions. Colleagues, our guests will be with us until 7 p.m.

Senator Cardozo: Welcome to all the witnesses; Mr. Ghorbani, even though you’re far away, you’re close at hand. Thank you for joining us today.

Ms. Quaid, could you tell us more about the Canadian Cyber Threat Exchange and how you came to the position on this bill that you have?

Ms. Quaid: The Canadian Cyber Threat Exchange is a private-sector, member-based not-for-profit. The reason for our existence is to enable our member companies — there are more than 200 of them — to share cyber information to build resilience in themselves and in each other. Cybersecurity absolutely cannot be a competitive advantage in any sector or organization. It is a team sport, and if we’re not sharing information, we are already behind.

Regarding the position I have on this bill, I have appeared before various other committees on this bill. At those times, I was, at the instruction of members, requesting certain changes and amendments to the bill. It was early in the process.

At this point, I am hearing from our members that this bill needs to pass. This bill represents basic table stakes in the cybersecurity world now. When it started down its path five or six years ago, the world was not a fabulous place for those in cybersecurity. The criminals were coming at us fast and furious. Let me tell you: It has not slowed down. In fact, it has got much worse.

We now have ransom as a service. Why develop your own code when you can just go online and rent it? Don’t buy it. By the way, it comes with a guarantee and a help desk. That is common now.

This bill will set the bar for our critical infrastructure and its supply chain. It’s not just the organizations that are being legislated. They are going to force their entire supply chain to elevate their cybersecurity, and that’s what we need.

Senator Cardozo: Thank you. If I might, I will ask Professor Ghorbani the same question with regard to the Canadian Institute for Cybersecurity. Tell us a little bit about it and how you came to the position you put forward today.

Mr. Ghorbani: The Canadian Institute for Cybersecurity, or CIC, is within the University of New Brunswick, but it is a self-sustaining institute. We don’t receive any money from anyone.

We work with industry, primarily large industry, but we also support medium and small enterprises as well. We work on their problems year-round. The institute has over 100 researchers, and we have members from critical infrastructure like power utilities, financial institutions, banks and companies that build cybersecurity solutions. They are our members. Our team works with them year-round on the types of problems that they have, whether it’s defence-related, finance-related or work related to the smart grid. We see how important it is for us to be able to act quickly on threats that are coming toward us and compromises that occur.

To date, as I mentioned, many of the security measures are voluntary-based, whether it’s information sharing regarding the compromises or acting toward a compromise. It’s not really regulated, and it’s not centralized. I think Bill C-8 allows the country to be responsive and to mitigate problems as quickly as possible in order to reduce damages and costs.

We never talk about the public safety part of the costs or the costs of societal pain that we feel in anything that happens. There are many examples I could give you. Three weeks ago, in Toronto, a fake cell tower affected millions of basic cellphones and brought them down to a point where they were not able to communicate for some time.

It is a societal pain and an economic pain that Bill C-8 will attend to, ensuring that we attend to compromises quickly.

The Deputy Chair: Thank you, Mr. Ghorbani and Mr. Shull.

Senator Yussuff: Thank you, witnesses, for being here. We are talking about cybersecurity. As you know, the federal government’s jurisdiction in this country is a certain size. The provincial governments’ are a certain size. Then, of course, you have municipal governments to layer on top of that.

Bill C-8 gives the federal government clear responsibility and authority, but the broader challenge we face as a country is in other jurisdictions because we don’t have one system in this country to protect Canadians. We recognize that there is a lot of sharing of information and a lot of good practices to do that, but each jurisdiction does its own thing in that regard.

Isn’t this a real challenge for the country? Given the seriousness of cybersecurity, do you think we should get to a better place than where we’re at given that we’re a federation and it is complicated to get other governments to either give up some of their authority or to relinquish some of their oversight in how we can do a better job of protecting this country? We’re talking about protecting the country, but the reality is we’re not actually talking about protecting the country because the federal government does not have jurisdiction over the other sectors of this country, which is far vaster than the federal government’s authority.

I’ll leave that to each one of you to respond to and give your own observation on.

Mr. Shull: You’re absolutely right. I see your point, and I raise you an exclamation mark. You hit the nail squarely on the head.

Let’s deal with it. The actual thing I worry about is municipalities because the federal government touches people in areas that I don’t think most Canadians feel on a daily basis. It’s super important, but it’s, for example, national defence or national security. But if your kid’s school goes dark, the hospital goes down, the water stops coming out of the tap or your garbage stops getting picked up, those are things that people would tend to notice. Most of those responsibilities are municipal, and that is unequivocally where our greatest threat vector is.

For what it’s worth, at the federal level, I’m not really worried about you. You have CSE on your network. You’ll be fine, but if you’re in Advocate Harbour, Nova Scotia, or Bobcaygeon, Ontario, you have Fred the IT guy who works on Tuesdays and half days on Thursdays. That is absolutely one of the most important gaps. We can’t deal with it in this bill, unfortunately, because of section 91 and section 92 of the Constitution Act, but I absolutely agree with you.

Ms. Quaid: I feel your pain on this, and you are quite correct. There are so many disparate, fractured systems, but we have to start somewhere, and this is a good place to start. If the federal government can pass this legislation, it will strengthen those four sectors and their critical supply chains. Those suppliers also supply others, so there will be a trickle-down effect on the overall economy, and perhaps the provinces will follow. I mean, what is it they say? “The best day to have started something was yesterday. The second-best day is today.”

Mr. Ghorbani: I would say that’s a real question, and it deserves a good answer.

As far as Bill C-8 goes, the areas that it covers — mainly telecommunications, banking, grid construction and others — are mainly also expanded to provinces.

In other words, in some ways, this bill covers the country from a cybersecurity perspective but doesn’t cover all — and this needs its own attention, as was mentioned before — health care, for example. It doesn’t cover municipalities and so forth. Those are coming into question.

It does cover, through these four major areas that Bill C-8 covers, other third-party providers, either within the country from various provinces or from outside the country.

Generally speaking, Bill C-8 does its work covering the country. However, there are elements of cybersecurity that are definitely left out of this bill and need their own attention. Health care would be one of them.

Senator Yussuff: Maybe I can ask you this, Ms. Quaid, because you represent a large extent of the private sector in your network: Obviously, they see the necessity of the bill and want the bill passed, but given their challenges and recognizing the fragmentation of the country and how we’re dealing with cybersecurity, is there a clarion call for us to do better with respect to how we can bring all these systems together?

I ask because when Canadians are faced with a crisis, they don’t really distinguish between a province, a municipality or the federal government; they want their governments to solve the problem and ensure they never have to face that problem again because they are just people who want to be protected.

How can we do that with the organization that you represent, recognizing we don’t currently have a system to do that? How can we move to create a system where such a vision is thought about for the future?

Because this, of course, still leaves that big gap within the system as to how we can work better with each other to ensure we have a better outcome.

Ms. Quaid: I would suggest that it starts with this bill and then trickles down. Large critical infrastructure is going to require their suppliers to be more secure.

Those suppliers are going to require their suppliers to be more secure. There will be a knock-on effect that will start to impact smaller and smaller organizations. Can we do more? Of course we can. There is always more to do. It is cybersecurity. It is a game of Whack-a-Mole.

Perhaps one of the areas we can do more is by providing better, clearer advice, guidance and incentives to small and medium businesses. Small and medium businesses make up 99% of our economy. We are not able to convince them of the need to ensure their own security.

I’ve run small and medium businesses most of my life. You are concerned with making payroll. As Mr. Shull said, you’re lucky if you have a guy that comes in a half day every month to look at your systems.

Give them a real incentive to do more and not just an opportunity for certification. What does that look like? Wiser minds than mine would have to take a look. But there are many things we could be doing — tax or insurance breaks — to get our small businesses to be cyber secure and cyber aware.

But I would also challenge that it starts with education. A million years ago, and I’m now dating myself, we had a program in Canada called ParticipACTION, a fabulous program run by the federal government, which, by the way, doesn’t run education. They kind of just did it on a very low budget. It encouraged all Canadians to be fit. We were taught in school at the age-appropriate level about physical fitness. Why are we not doing the same thing with cybersecurity?

The minute you put a device in a child’s hand, you have a responsibility to ensure that they understand the device and what it can do.

The Deputy Chair: Thank you.

Senator McNair: Ms. Quaid, thank you for reminding us that the privacy legislation is already in place. Privacy, to some extent, is protected.

Mr. Shull, you talked about amendments to the legislation, which put more guardrails around some of that.

One of the witnesses last week said the biggest threats to Canadians’ privacy are the actual cybersecurity incidents that Bill C-8 is meant to prevent — or hopes to prevent. Do you want to comment or expand on that a bit?

Ms. Quaid: That witness was absolutely right. Privacy is critically important; it is the foundation of so much of what Canada is.

However, if we are so focused on protecting the individual’s privacy from getting into the hands of our own government that we are losing sight of the fact that what we want to do is protect our privacy from getting into the hands of foreign governments or criminal elements, we’ve lost sight of the bigger picture.

While we sit here and talk about it and express concern over it, it feels quite a lot like Nero fiddling while Rome is burning around us.

This bill is designed to protect our privacy, plain and simple, from people who shouldn’t have access to our information.

Mr. Shull: I’m in the same place as my colleague. I read the Privacy Commissioner’s submissions. I’ve got a tremendous amount of respect for the Privacy Commissioner. I think he’s brilliant, for what it’s worth. That’s on the record now.

However, the issue is warrant or no warrant — go or no go — and getting a warrant is a time-consuming process. There is information to obtain. There are affidavits. There are a lot of things that have to happen in order to get a warrant.

Other witnesses have already testified to this: This type of cybersecurity intrusion happens in seconds or minutes.

The orders that we are talking about are designed to protect critical systems, not to exfiltrate Canadians’ personal data. As I said previously, there are a bunch of guardrails now currently in the bill.

But there is another issue too, and I want to put a fine point on this. You go to the Federal Court, to a designated judge who is a national security judge, and they are experts in that. But we’re talking about cyber-threat intelligence. This is the all-source type of intelligence.

This requires a technical and operational context that the executive holds and judges typically don’t. So a preauthorization would require a briefing of classified material to a depth that, in practice, would either be so cursory that it would be meaningless or so in-depth that it would be unworkably slow. That’s the issue that we are dealing with here.

My concern is that we’re going to push toward this privacy issue when we’re talking about personally identifiable information of Canadians, which is not the subject of this bill, into a warrant regime that is going to make us less safe.

Senator McNair: Thank you.

Mr. Ghorbani, is there anything you wish to add?

Mr. Ghorbani: I would not add anything. Everything has been said.

However, from a technical perspective, I want to again emphasize the fact that these cyber-threats or cyberattacks will not wait until we do or do not get a warrant. By that time, millions of people’s privacy could have been violated and their data could have been exposed, all because we wanted to do it in the way some say we should.

Having said that, it’s important to have oversight and do it right at the implementation part. But I don’t see waiting for this bill to be changed or amended because of privacy issues.

First, this bill is not violating privacy from what I can see technically. But even if there is some element in the future, which might be the case, then implementation and regulation could close the loop.

[Translation]

Senator Youance: My question is about technical standards and infrastructure resilience. Mr. Ghorbani just spoke about the rapid evolution of cyberthreats. Are the requirements proposed in Bill C-8 flexible enough to keep pace with rapidly evolving cyberthreats?

I also have some questions specifically for Mr. Ghorbani.

Does the bill promote innovation in cybersecurity? How do you see the role of universities in applied research or the development of solutions?

[English]

Mr. Ghorbani: That is a very good question. In the last part of my opening remarks, I mentioned that I’m hoping that, in implementation and regulation, innovation and research to strengthen and harden the defensive system are being considered for the future. As a result, I want to see that in the legislation. On the implementation side, the critical infrastructure owners are kind of mandated on the research, innovation, talent development and awareness programs that are needed for this bill to be really successful.

Canada’s technical standing is fairly strong in cybersecurity, but this is not an area to be relaxed. With AI coming and AI attacks happening these days, as well as ransomware as a service and things of that nature, we must always stay at the edge of innovation. That’s why, again, this bill is a great first step in ensuring we have tools to prevent or mitigate attacks as quickly as possible. However, at the same time, as part of this implementation, I want to see the government mandate more innovation, research and talent development in this area.

Ms. Quaid: To add to what Dr. Ghorbani said, one of the strengths of this bill — you have heard a lot about its weaknesses over the past several days, I’m sure — is that it is technology agnostic. It doesn’t speak directly to AI or any other technology because we don’t know what’s coming. The bill is more based on the principles of collaboration and sharing information in a timely manner.

Mr. Shull: I don’t think this is an innovation bill. If anything, it will make it harder for adversarial states to steal our secrets and intellectual property, which has been a big issue for a long time.

If we’re talking about the critical cyber systems protection act, up and down, it’s simple. It says you have to have a cybersecurity program and you have to tell us what it is. If something bad goes on, you have to tell us what happened, and we can tell you to patch your systems or implement solutions to make it harder for bad guys to get in.

I don’t see this as an innovation-style bill. I see this as a security measure, which will, de facto, make innovation better, easier and more protected, but I see this as a security bill.

Senator Dasko: Thank you, witnesses. Ms. Quaid, some of your comments about medium and small businesses attracted my attention. I used to work in a medium-sized business in the private sector. What do you think the typical cost of prevention is for a company? I don’t know if there is any such thing. You are rolling your eyes, so maybe I’ve asked a bad question.

Are we talking about significant costs for companies to buy the security that they need? Do you have any sense of what the cost factor is? It is tough for companies to invest in many of these kinds of things.

Ms. Quaid: It is extraordinarily difficult. The cost depends on how secure you want to be. My interest is in going into a small business and ensuring that they can identify what their critical systems are. We’re not even talking about costs or technology. It is a matter of whether they can tell me what systems they need to operate their business tomorrow. If they can, can they tell me who has access? Again, we’re not talking about cost. We’re talking about policies, guidelines and practices.

Senator Dasko: Within the firm, you mean.

Ms. Quaid: Within the firm, and I don’t care if it’s a business of 1, 10 or 100 people — those same questions hold true. Then we should talk about training your staff. Putting your passwords on a sticky note at the bottom of your keyboard is not security.

Then we can get into the cost of implementing technologies, but with small and medium businesses, we need to start with the basics, the fundamentals, before we start talking about the cost.

Senator Dasko: Do we know about the motivations of perpetrators? We heard from other witnesses that, in some cases, it seems as if it could be random attacks. I don’t know if there is any basis for that.

You mentioned, Mr. Shull, stealing secrets. Is that a big component of the perpetrators’ motivations? Are they trying to steal? Are they trying to extract money from the victims? Do we have a picture of —

Mr. Shull: All of the above. We have to break it down. There is information technology, or IT; and operational technology, or OT. I’ll answer your last question and then segue to your primary one.

Security for IT is not that difficult or expensive. I’m just some guy. I don’t even work in a company. I use the most sophisticated commercially available malware detection software. I use a biographically and cryptographically locked password manager, and all my passwords are gobbledygook comprised of 17 or 18 characters. I use multifactor hardware authentication for my most sensitive matters, and I use an encrypted multi-hop VPN. All this stuff I listed costs a few hundred dollars a year. That’s your IT infrastructure.

Regarding OT, when you’re hooking real things up to the internet, they call them supervisory control and data acquisition — or SCADA — systems or industrial control systems, and that’s a different order of magnitude.

In answer to your question, if people are going after IT, that is typically for information, fraud, ransomware and all that terrible stuff. The thing that I worry about — that keeps me up at night — and that goes to the core of this bill is hostile state actors going after and pre-positioning on critical infrastructure. That is putting malicious exploits on our electrical grid to use them in the event of a conflict. We don’t need to think too long about geostrategy in terms of who we are talking about here.

Senator Dasko: Of course.

Mr. Shull: At the most fundamental level, this bill creates some fairness. If someone swipes in with a military badge or government badge on the other side and goes after civilian infrastructure, they are going to get in.

This is designed to let our government know about that and to balance it out so that we have a bit of a fair fight.

Senator Dasko: We heard about the vulnerability of water — for example, poisoning the water — and sectors like that.

Ms. Quaid: That would mostly be nation-state actors. People going after our systems are broken down into nation-state actors and criminal elements. Many of the latter are protected by nation-states and include those straight-up using ransomware to look for cash using what we would call a spray-and-pray approach. They send thousands of phishing emails, and only one has to hit.

Then there are the others, insiders and activists and hacktivists, but those are the two main elements we look at.

Mr. Ghorbani: To add on the last question, you asked about intent. There is an element in cybersecurity called cyber attribution. This is where we identify who attacked us, from where, and with what techniques and tactics. What was the intent of those attacks? This is where the Government of Canada is doing part of their work.

Recently, the government funded us, and we created the Cyber Attribution Data Centre here in Fredericton, where we do these kinds of studies.

Whether it’s coming from industry or government, we can study the behaviour and the profile of the attack and attribute them to where they are coming from, what kinds of attack groups they belong to, what kinds of techniques and tactics they use, et cetera.

So, those elements actually help us to identify who is attacking us and what their intentions are.

The Deputy Chair: Thank you, Dr. Ghorbani.

[Translation]

Senator Carignan: Mr. Shull, I’m interested in the issue of constitutionality. I like the way you framed it: The goal is to provide a framework and regulate operations. In fact, under that regulatory framework, legitimate expectations are lower, since we’re dealing with a regulated sector.

Let me draw a parallel with food. There are government inspectors in slaughterhouses and throughout the entire supply chain to ensure safety, proper labelling and so on. The goal is no longer to catch criminals, but to ensure that food is safe and protected, and that no system exists that could compromise food safety.

The same applies to information, data and computing. You are drawing a parallel by arguing that this is a regulated sector in which the government must have administrative powers to intervene in order to ensure that regulation is effective and functional for safety purposes. The objective isn’t to identify criminal conduct. In such cases, there would be investigations requiring a search warrant. Did I understand the nuance you’re trying to make?

Mr. Shull: Thank you for your question, senator.

[English]

That is exactly right.

There is a line of cases that make that clear — regulatory compulsion versus criminal investigation, and they are constitutionally distinct. I think we are in the regulatory compulsion bucket here.

I will also add to that the point I made about cyber-operational tempo. This is very brisk stuff. Warrants take time, and that process would inject into the system a delay that could be problematic.

I already talked about what I said are the layered oversight functions that already exist here. This is not a free-for-all where they can go out and start doing whatever they feel like. There is a pretty good oversight mechanism.

I have also talked about judicial competence in this area. We are talking about the executive holding information that judges don’t, and technical and operational contexts and expertise that are difficult to understand. You have to really educate the judges on this.

The orders being made are not penal; they are directed at corporate compliance.

I’ve also said there is this regulatory review structure. Let’s try it. There is a five-year review. If it doesn’t work, let’s get it right next time. I don’t want to let the perfect get in the way of what I think is the “good enough.”

Senator McNair: Mr. Shull, I like the way you describe cyber-event tempo, because I think that is the reality of the situation we are in. The other thing you talked about was what was keeping you up at night. A few weeks ago, we had one of the officials, Andre Arbour, indicate that what is keeping him up at night is the lack of authority to take action in this space. He went on to talk about hostile state actors, as you have tonight.

A lot of the devil is in the details and will be worked out in the regulatory process. You have confirmed that again tonight. I would appreciate a comment. I think you’re telling us that the judicial review process is just post-order.

Mr. Shull: An example bears it out.

Suppose we are dealing with an interprovincial pipeline in the winter. Suppose, further, there is a hostile state. We’ll make up a name and call that state Brussia. Let us say Brussia injects malicious code into the infrastructure and turns the gas off. Suppose, further, that the government knows how to fix it. They need to inject certain code into the infrastructure in order to address it. As it stands right now, there is no legal requirement for that infrastructure provider to take that code. Under this bill, there would be.

That is what we’re talking about here: cyber infrastructure and hostile states doing sophisticated things. We’re just trying to level the playing field.

Senator McNair: Thank you.

The Deputy Chair: This brings us to the end of our time with this panel. Thank you, Ms. Quaid, Mr. Ghorbani and Mr. Shull, for taking the time to meet with us today and for your service to our country. We greatly appreciate your contributions to our work on this bill.

For our final panel this evening, we are pleased to welcome Mr. Matthew Hatfield, Executive Director, OpenMedia; Ms. Sharon Polsky, President, Privacy and Access Council of Canada; and, by video conference, Mr. Robbie Grant, Associate Lawyer, Privacy and Data Protection, McMillan LLP.

Thank you all for joining us today. We will begin by inviting you to provide your opening remarks, to be followed by questions from our members. I remind you that you each have five minutes for opening remarks.

Matthew Hatfield, Executive Director, OpenMedia: Good evening.

I’m Matt Hatfield, Executive Director of OpenMedia, a grassroots community of 230,000 people in Canada who work together for an open, accessible and surveillance-free internet. I’m grateful to be with you tonight on the unceded territory of the Algonquin Anishinaabe Nation.

I want to begin with something I don’t often get to say at a committee, which is that the other house’s amendment work got a lot right on this bill. When civil society and the Privacy Commissioner came to the House with very severe concerns about the previous version of Bill C-8, many were heard, and real improvements were made to the text in front of you.

Every order must now be reasonable in relation to the gravity of the threat. The minister must weigh the impact on Canadians’ privacy before acting. The bill states the government cannot order a provider to decode an encrypted private communication and cannot use these powers to intercept private communications, and an individual cannot be cut off from service except against a genuine technical threat.

These are real protections, and the members who fought for them deserve credit. However, the job of fixing Bill C-8 is not entirely done, and I am hoping you will finish it.

Bill C-8 carefully limits why information may be collected and why it may be shared between departments. In each case, the purpose must relate to making or enforcing one of these cybersecurity orders. That is good drafting, but it stops one step short. Once information has been lawfully passed to an agency like the Communications Security Establishment, nothing in this bill limits what that agency may then use it for. The gate into the building is guarded; once inside, the data can be put to other purposes.

During the study of the predecessor bill, a CSE official testified to the agency’s interest in using information gathered under these powers beyond its cybersecurity mandate, so this is not a theoretical gap. It is one the government has told Parliament it intends to walk through.

The fix is small and surgical: Say in the statute that information obtained under this act is used only for cybersecurity and information assurance, not repurposed for foreign intelligence or unrelated operations. This is the recommendation the Citizen Lab put to the House. It does not touch the government’s cybersecurity powers at all. It simply holds them to their stated purpose.

Second, the standard throughout this bill is that an action be reasonable in relation to the gravity of the threat. But the Privacy Commissioner asked this Parliament for something more exacting and more familiar in privacy law: that any collection, use or disclosure of personal information be both necessary to achieve the purpose and proportionate to the benefit. That is the test our privacy framework uses everywhere else, and yet this bill did not adopt it. You can.

Third, an order under this bill can carry a provision forbidding anyone from revealing that it exists, and that secrecy has no end. The bill tells the minister to weigh transparency before imposing silence, which is welcome, but once imposed, there is no sunset and no requirement to return to a court to justify keeping it hidden.

Permanent, unreviewed secrecy is not something Parliament should grant without limit. I urge you to ensure that the public is eventually informed of the existence of secret orders to service providers, if not their full text, and that representatives in NSIRA and NSICOP can ultimately review and comment on the text of these orders.

Underlying all this is a check that the other house wanted. Its committee adopted independent authorization of non-emergency orders by a judge, a safeguard at the start of the process. That was not voted down. It was removed before third reading on a procedural ruling about the bill’s scope. It belongs back in Bill C-8.

I know this committee weighs carefully when to ask democratically elected officials to think again. This is the right time to do so because you would be acting on proposals that the other house considered and even passed or that were directly proposed by Canada’s Privacy Commissioner — or both.

There are four narrow amendments, as I outlined, that would help with that purpose. More than 10,000 Canadians have written to ask that this bill become law only once it protects our rights as well as our networks. The other house brought it much of the way to doing that. What remains to do is putting in place basic limits that citizens of a democracy expect: that data taken for one purpose is used for that purpose; that orders are proportional, not just reasonable; that our rights are defended by appointed judges, not a private corporation’s decision to fight an order; and that no secret order stays secret forever.

Completing the job of adopting these safeguards into the law is a job that now only the Senate can do. I hope that you will.

Thank you, and I look forward to your questions.

The Deputy Chair: Thank you, Mr. Hatfield.

Sharon Polsky, President, Privacy and Access Council of Canada: Thank you and good evening. I appreciate the invitation to appear before you this evening.

My name is Sharon Polsky. I am President of the Privacy and Access Council of Canada, an independent, non-profit, non-partisan organization that is not funded by government or industry.

The need to strengthen Canada’s cybersecurity, data protection and intellectual property governance framework and protect its infrastructure is not new, nor are the overreaching attempts by too many governments to protect Canadians from themselves or from things that cannot be controlled, with cures that can be worse than the problems they’re supposed to fix. So, it is good to see that Bill C-8 now provides for improvement, but it still has a long way to go to earn Canadians’ trust and to not be able to be weaponized.

Being able to order telcos to “do anything or refrain from doing anything” is impossibly broad and can now escape all scrutiny.

Even at this late stage, we still don’t know who or what will be a designated operator or class of operators, how that will be determined or how narrow or broad it will be. They can be designated by order-in-council, and compliance orders can be issued by order — and presumably secret orders-in-council as well, which is a problem. Who they are should be designated in the law.

It is the Governor-in-Council that gets to gauge the impact of orders it is about to pronounce. And while it’s good that directions must be reasonable, when they’re secret, it’s impossible for anybody to know. But there are even bigger problems. I’ll focus on three.

Parts 1 and 2 assure Canadians that “. . . the Minister must not order the decoding of an encrypted private communication . . .” Undermining encryption is a feature of Bill C-22 that could be accomplished in secret. Further, with the Secretary of State for Combatting Crime having described Bill C-22 as a “first step” — and with the CLOUD Act on top of it — it is fanciful to think Bill C-8 will operate in isolation.

In the meantime, designated operators must report cybersecurity incidents within 72 hours, but within 72 hours of what we don’t know because the bill doesn’t say. That needs clarity.

Bill C-8 also puts our privacy in jeopardy and threatens Canadian industry, contrary to what previous witnesses — several of them this evening — have said. Our personal information is collected and disclosed under strict limits of privacy legislation, but Bill C-8 could compel organizations to disclose it, along with customer lists and system vulnerabilities, to the Government of Canada, to be handed to foreign states and agencies and international organizations, undermining our privacy and security.

The bill does not explicitly restrict data sharing to cybersecurity purposes. It only broadly limits information disclosed to foreign interests from being used for purposes “relevant to” investigating contraventions of laws that wouldn’t have consequences considered penal under Canadian law.

But it does not mandate oversight by our Privacy Commissioner. It does not limit how long information can be retained; and it does not say confidential information disclosed to a law enforcement agency must only be to a Canadian law enforcement agency — and it needs to.

As well, Bill C-8 does say information shared with foreign states and agencies must be disposed of, but it does not say it must be securely destroyed or within specific timelines. Those words make a fundamental difference and are standard in industry.

After-the-fact penalties for non-compliance or for breaching privacy aren’t the answer. If, on the other hand, the law stated that information disclosed to foreign interests was required to remain in Canada, under the custody and control of a Canadian body, it would be possible to monitor, audit and control access and preserve our digital sovereignty. It would be enforceable.

Finally, an amendment to the bill, clause 15.01, says interference with a telco includes actions of a technical nature but not the “effect of” lawful expression, persuasion or political debate. That is not as innocuous as it might sound.

For instance, if I praise someone or something, and then an unruly mob decides to exhibit their displeasure with my comments by rioting and damaging a cell tower, they would be protected under Bill C-8 if their destructive actions were construed as the effect of my lawful expression.

That insidious provision condones public disorder and unlawful conduct, and it would enable the government to scrutinize, regulate and intervene around the systems, coordination, amplification and operational methods connected to any activity, claiming it is necessary to guard against some imagined future threat.

The wording lets government decide where lawful expression ends and where technical interference begins. They want to referee their own game.

This is all to say that Bill C-8 would benefit from clearer language, clearer mechanisms for independent oversight, accessible recourse for affected parties and stronger safeguards, to ensure cybersecurity measures are genuinely necessary, proportionate and consistent with Canadians’ privacy rights, so the power to protect infrastructure can only be used to protect infrastructure.

The Deputy Chair: Thank you, Ms. Polsky.

Robbie Grant, Associate Lawyer, Privacy and Data Protection, McMillan LLP, as an individual: Good evening, Mr. Chair and honourable senators.

My name is Robbie Grant. I am a lawyer at McMillan LLP, where I practise privacy and data protection law. I advise clients on privacy programs, data breaches and cybersecurity matters, including the deployment of AI technologies. I primarily work with private sector organizations, advising on private-sector privacy laws such as PIPEDA.

I am not representing a client today, nor am I speaking on behalf of my firm as a whole. I appear in my personal capacity only.

I have followed the evolution of this legislation closely. I wrote about Bill C-26 when it was first introduced. I continued to write about it as it progressed through Parliament. More recently, I had the privilege of moderating a panel on Bill C-8 at the International Institute of Communications annual conference in September.

I am grateful for the opportunity to share a few observations with this committee, beginning with the threat environment that makes this legislation necessary.

The numbers speak for themselves. According to IBM’s Cost of a Data Breach Report 2025, while the global average cost of a data breach has declined, the same cannot be said for Canada: The average cost of a data breach here rose to US$4.82 million.

That figure does not account for downstream harms, including increased costs to consumers or impacts on small businesses that rely on critical infrastructure or providers.

The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2025-2026 warns that Canada has entered “. . . a new era of cyber vulnerability . . . .” in which state-sponsored actors are becoming bolder and more aggressive; cybercriminals are leveraging new business models, such as Cybercrime-as-a-Service, to scale their operations; and artificial intelligence is amplifying the quality, scale and precision of attacks.

Against that backdrop, I want to emphasize that the organizations most directly affected by this bill — Canada’s banks, telecom providers, energy companies and transportation operators — are not starting from zero. Many have invested heavily in cybersecurity for years, not merely as a matter of legal compliance but because protecting their systems is fundamental to their business and to maintaining the trust of their customers.

This is worth acknowledging because the framing of cybersecurity legislation sometimes implies a gap in awareness or commitment that, in my experience advising clients in these sectors, does not always reflect reality.

That commitment is reinforced by the regulatory environment in which these organizations already operate. Many are subject to detailed cybersecurity guidance from their sectoral regulators, the Office of the Superintendent of Financial Institutions’ Guideline B-13: Technology and Cyber Risk Management being one example.

None of this is to suggest that Bill C-8 is unnecessary, but the bill’s implementation, and particularly its regulations, should be designed with this existing landscape in mind, avoiding unnecessary duplication.

That’s why I applaud the recently revised subclause 135(2) of the CCSPA, which would provide that the Governor-in-Council must, to the extent possible, ensure consistency with existing regulatory and standards regimes in making its regulations.

I am also supportive of two directions the bill takes, which I believe reflect important improvements from the original version.

First, when Bill C-26 was first introduced, it attracted criticism for the breadth of discretion it would give to government. As the bill progressed, various conditions were added to ensure these new powers are exercised in a more proportionate and accountable manner.

Second, I am pleased to see more protections for the privacy of Canadians incorporated into the bill’s framework. Cybersecurity and privacy are complementary, not competing objectives. The admirable goal of improving national security should not be used as a pretense for widespread surveillance.

To conclude, the threat environment facing Canada’s critical infrastructure is real and serious, and this legislation represents an important step in addressing it. My submission today is simply that its implementation should treat designated operators as the sophisticated, security-conscious actors many of them already are and should minimize duplication with existing regulatory frameworks.

Thank you, honourable senators. I look forward to our discussion.

The Deputy Chair: Thank you, Mr. Grant.

We will now proceed to questions, colleagues. This final panel will be with us until 8 p.m. As always, four minutes will be allotted for each question, including the answer.

Senator Cardozo: Thank you, witnesses, for being here. I appreciate your time and the considered submissions that you make today.

I’d like to start with Mr. Hatfield and Ms. Polsky and pursue the issue of data sharing you have raised.

Could you point us to the sections in the bill where — I think, Mr. Hatfield, you mentioned there isn’t a limitation on how the data is shared within government but that it remains within government agencies. Is that —

Mr. Hatfield: The concern here is that once the CSE acquires the data, then the data leaves the purview of protection. It should only enter CSE’s hands for cybersecurity purposes, but once it’s in their hands, they can make use of it for other purposes and hand it on to foreign intelligence agencies. That’s the concern: that this data could wind up finding quite different purposes.

Senator Cardozo: Within Canada, it could go to other agencies. Do you think it’s okay if it’s going to another agency for the purpose of looking at foreign interference — if it went to the RCMP, for example?

Mr. Hatfield: That’s an interesting question. I think you could get that for a cybersecurity purpose rather than needing to define it as “foreign interference.” Foreign interference generally involves a cybersecurity threat. If it were foreign interference through non-cybersecurity means, then, no, I would not want to see these powers used for that. If it were just regular investigations outside of the context of cybersecurity, I don’t think it would be necessary to use these powers.

Senator Cardozo: Some people might say foreign interference is a threat to us. Shouldn’t we be able to have that information available to people who are dealing with foreign interference?

Mr. Hatfield: There are many legitimate purposes of government that are not cybersecurity. What we’re asking is for a cybersecurity bill, one that may involve extraordinary access in some cases, to keep it to cybersecurity.

Senator Cardozo: You talked about sharing with other governments. Ms. Polsky, I think you probably talked about that a little more. Could you expand on that?

Mr. Hatfield: Yes. The concern is that currently once data collected for cybersecurity purposes under this bill enters the hands of our security intelligence agencies, it’s often passed on in an intelligence exchange with other foreign governments. Of course, once the data leaves Canada, we have no binding ability to control what is done with that data at all. I think many Canadians are increasingly concerned that not all our allies can be trusted with all Canadian data, so the sense is that, even if our intent were always to use it for cybersecurity purposes, it could easily find very different applications in other hands.

Senator Cardozo: Do you have anything more to add, Ms. Polsky?

Ms. Polsky: I have to concur with what Mr. Hatfield said. There is significant concern, and this bill does not restrict the sharing of data. It specifies that it can be shared with foreign governments and institutions and international organizations. Once it’s outside of Canada, we have no control over where it gets to be shared, whom it’s being shared with and — if it’s a matter of national concern — I have my doubts that any access-to-information request would actually be responded to other than to say, “It’s a matter of national security. Thank you for the request but you’re getting nothing.” It would be a blank page.

How can Canadians have trust? We’re told to trust. I’d rather have reason to trust, and this bill doesn’t quite give enough assurances to provide a reason to trust. It’s still too broad, non-specific and open to interpretation. I do appreciate — and our members appreciate — what a difficult task it is to craft legislation that is flexible and broad enough yet specific enough to go both ways to make it work. However, I think the consensus in our organization and with our members is that it’s not good enough to pass a piece of legislation that has so many flaws that so many people recognize while still saying, “Just pass it. It’s better than nothing. It’s better than what we have.”

You have the ability and the power to make recommendations that I hope would not cause significant delay and make something that actually protects information that, in some cases, does legitimately have to be shared with law enforcement, our American counterparts and our allies. Please make sure that it is done in a way where the information can only be used for cybersecurity.

The Deputy Chair: Thank you. Would you like to add anything, Mr. Grant?

Mr. Grant: No. I think they covered it.

Senator Yussuff: Thank you all for being here and sharing your thoughts. Mr. Hatfield and Ms. Polsky, I understand your concerns. I don’t think you’re here to raise the alarm bells for no good reason. You’re here for good purposes and to help us improve legislation.

However, as you know, Parliament went to great lengths to include many things that the original bill did not encompass, so this legislation has clearly been improved compared to the past version.

To acknowledge your point, there were proposed amendments that were ruled out of scope. All the legal minds involved in the process as we do this here — we don’t do this by ourselves, and I’m only saying this so that we don’t waste our time doing something that will be rejected by the House — have deemed this out of the scope of the legislation, and it’s just the way the legislation has been drafted.

Given that reality — and I’m speaking for myself and not for my colleagues who will deal with this when we get to clause by clause — we’re not likely to put in amendments that have already been rejected by the House of Commons because they’re out of scope. Still, I’d like to acknowledge you’re raising some important issues for us to consider.

I’ll come back to a point my colleague just touched on — and maybe you can comment on it — which is the sharing of information with other governments, mostly the Five Eyes nations. We provide security based on what other countries sometimes share with us, and we’re then able to better protect the Canadian public from harm. Some of it is necessary — and by the way, it prevents our country from experiencing harm. We know from experience.

Clearly, you don’t see this as nefarious. You see this as legitimate in the context of protecting Canadians and defending our sovereignty and our country at the same time. I’ll let you comment on that. I’m trying to provide a stage because I think improvements to the bill are welcome in this committee. Actually, almost every witness who has come here has acknowledged that this is a better bill than when it was first drafted.

Mr. Hatfield: I have a couple of quick comments on that. It’s true that it is much better than how it was first drafted, and that’s partly because these concerns were raised and answered. I think there could be a little bit more work done to continue that.

We’re within the context of Bill C-22, which, as you know, is likely coming here soon, and I think it’s hard not to interpret concerns in this bill in light of that bill, which really takes a wrecking ball to some of these issues.

In terms of your point about the legitimacy of intelligence sharing, certainly, there are times it’s important to share intelligence with our Five Eyes allies. This bill also proposes to expand the potential scope of data collection in Canada and the amount of data that we’re collecting domestically on both Canadian firms and Canadians. We’re also in a world where many Canadians have more concerns around the misuse of data, and some of our allies seem like less reliable partners around intelligence than they have been in the past.

The concern is that we’re potentially gathering much more data. We have greater fears about the misuse of that data in the hands of other governments than previously. Should we not strengthen the oversight there and ensure that data is handed over very judiciously and only when strictly necessary for cybersecurity purposes, not for broader intelligence sharing of “you do this favour, I’ll do that favour,” potentially leading to quite a bit of Canadian data being misused for other purposes outside Canada?

Senator Yussuff: As you know, we don’t know what the regulation will look like, but it will obviously be based on the scope of the bill. Do you not believe that some of the concerns that you’re raising can be addressed in the regulatory oversight of this bill?

Mr. Hatfield: I suppose they could be, but from a rights perspective, it’s better to have them defended in law. I’m not a lawyer, but it’s my understanding that the House’s concern regarding scope was specific to the House committee process, not necessarily to your process. Eventually, you could have something done here.

Senator Yussuff: Thank you so much.

The Deputy Chair: I have some questions of my own.

Apparently, similarly aligned democracies are also grappling with similar tensions between security and civil liberties. To your knowledge, are there international best practices that Canada should consider adopting to strengthen trust and accountability and to resolve this kind of tension?

The question is open to all of you.

Ms. Polsky: One of the leading Five Eyes partners that other countries look to is the Information Commissioner’s Office of the U.K., as well as to Australia. They have both set out very clear guidelines. The way they go about passing legislation, to my understanding, includes a much more robust engagement of their populations.

As an example, there was a piece of legislation here that received 49 submissions. In England, I think the equivalent was 45,000. It was comparable legislation. Yes, their population is slightly more than twice ours, but the amount of engagement was much greater.

So many Canadians have no idea what this process is all about. I have been doing consulting in privacy for decades. This was new to me until relatively recently. People in Canada don’t even know that they can submit a comment. They pound their keyboards online on social media like Facebook and think that will make a difference. It doesn’t.

We need to look to other countries that do this much better in terms of having the public’s input so that the lawmakers, legislators and bureaucrats have a real sense of what the people do and don’t want.

Mr. Hatfield: Your instinct to look for international best practices is right. Although I don’t have a major concern at this stage of this bill around that, I do think you should always be asking the relevant ministries why we have deviated in major ways from the practices of our comparable allies, which will be highly relevant when Bill C-22 reaches the Senate.

Mr. Grant: I sympathize with my fellow panellists’ emphasis on consulting the public and checking in with other standards around the world. However, this bill has now gone through almost two complete rounds of the legislative process, and I think that process has been effective at rallying feedback. I would caution that, in trying to strike a balance between government powers to protect our critical infrastructure and privacy vis-à-vis the government, in trying to perfect that, we might be missing an opportunity to pass this legislation, which would protect us all from threat actors and foreign-state adversaries.

In a perfect world, we could consult forever, perfect things and still pass things on time, but we are past the deadline for when this legislation should have been passed.

The Deputy Chair: My follow-up on your answers is that the answers you have just provided relate to the process of borrowing best practices, but are there any specific provisions or amendments made in other countries that we can borrow that would be relevant to our deliberations at this point?

Mr. Hatfield: “Necessary and proportionate” is a very commonly well-recognized best-practice standard that we are lacking here. “Reasonableness” is a much more contestable standard, so adopting “necessary and proportionate” would be helpful.

The Deputy Chair: Thank you so much.

[Translation]

Senator Youance: Thank you to the witnesses.

My question is for Ms. Polsky and concerns the practical implementation of Bill C-8.

You’ve talked about grey areas several times. Beyond the principles, in the practical implementation of Bill C-8, when are privacy risks the greatest?

I’m trying to determine which risks are most concerning in the short term. You also mentioned data destruction. In the practical application of this bill, when are the risks the greatest?

[English]

Ms. Polsky: Most acute.

Part of the problem — and please understand that I have been inside organizations, from Fortune 50s to mom-and-pop shops, and advised and consulted governments across Canada — is that much of what Bill C-8 asks organizations to do involves things they ought to have been doing all along; it is nothing new to them. Yes, it is expensive, particularly for small- and medium-size businesses. They should have been doing this a long time ago. Without proper enforcement of those laws, of this one, the more things change, the more they stay the same.

Secure destruction is important because once the information gets into a department’s hands or a foreign government’s hands, when should it be destroyed? When? Destruction policies are internal to any organization, including government. It’s not publicly known, and they can change on a whim. It is an internal document. There is no control or accountability. It can stay there forever. It can be stored insecurely.

We have seen that countless times. The former Canada Student Loans Program stored every applicant’s information without encryption. A drive went missing — whoops. Alberta Health Services — every Albertan’s health record was on a tape. It went missing — whoops. So they changed the process so that there would be continuity; someone would have to sign for it when the courier picked it up.

That’s not adequate.

Secure destruction, secure storage, proper enforcement — and there are more than just those. It is a cascading effect. The Privacy Commissioner of Canada needs to have order-making power. We do not need an order-making power that ends up being overseen by another body to evaluate whether the commissioner’s decision is adequate or proper. Give the Privacy Commissioner the power to do his job and be involved in this so he can actually protect Canadians’ privacy. We already have his office, the framework is there and the laws are there — though inadequate and in need of updating, but in this particular instance, it could work.

Those are major concerns.

Mr. Hatfield: Surveillance routines are a fungus. They spread and go crazy in darkness, and they are kept limited in strong light. That is the concern around the potential for permanent secret orders that never become very clear to the public. The text of the order should be reviewable by the appropriate vetted authorities, and the public should be aware of the scope and extent.

Mr. Grant: I have two quick points.

On confidentiality, I understand that the annual reporting requirement does apply to confidentiality orders and that the reporting requirement to NSICOP and NSIRA within 90 days would also still apply to the confidential orders made under Part 1 of the act. I think this provides some response on whether these confidentiality orders are confidential forever. They would show up in an annual report.

On the point of government having free rein over data collected once it is in the government’s clutches, I would note that in the other place, amendments were added to say that, for greater certainty, nothing in the act affects the provisions of the Privacy Act, and the Privacy Act does have purpose limitations. They only apply to personal information, so there might be other data, but I think the primary concern is about personal information in this context.

I just wanted to put that on the record here, too.

[Translation]

Senator Youance: You’ve raised several concerns. You spoke about public trust. Does the bill, as proposed and amended by the House of Commons, maintain public trust in the handling of personal data?

[English]

Mr. Hatfield: It has a dual effect, of course. Insofar as it improves our cybersecurity, then yes, it does contribute to Canadian trust and security. But if and when it leads to Canadian data being in the wrong hands at some point, or if it leads to a sort of future Snowden moment where it turns out there’s been quite a bit going on that Canadians were not aware of that’s suddenly unveiled, then, of course, it can be very damaging and destructive to trust.

Ms. Polsky: The other part is that if there are secret orders, things going on behind closed doors, in the dark, without that sunshine of visibility, Canadians will wonder. It’s the same as Americans wonder what happened under a FISA order. It’s secret. Nobody knows. Nobody is allowed to talk about it. There are rumours. It is hard to defeat rumours when they get started. So, no, that way it will undermine trust.

Reporting to Parliament is wonderful. It’s after the fact. It may be statistical. There are no details. Rationale? It was necessary. For why? National security. It’s vague.

Give us something that people can look to and say, “There was a threat from a nation-state in this continent or this hemisphere.” That is something and not just, “Trust us.” That hasn’t worked.

Senator Yussuff: Mr. Grant, I thought you made a point earlier about security and privacy not being treated as competing objectives. That’s always a challenge in an important piece of legislation. However, in plain terms, how would Parliament think about the risk of not doing enough to prevent a serious cyberattack versus the risk of government going too far?

Mr. Grant: Well, plainly, those risks need to be balanced as much as possible. This legislation, while not perfect, strikes a good balance in that regard.

As I said, these critical infrastructure providers that are being regulated here, many of them are extremely sophisticated. Many of them already know that they are under a constant barrage of cyberattacks, and they are doing what they can. Where the legislation helps is it creates a kind of collaborative process. By reporting all breaches and being able to share information among regulators, and with the proactive auditing mechanisms, we are raising the tide and hopefully lifting all boats in that regard, which will really help.

Similarly, the supply chain requirements in the CCSPA would also contribute to promoting privacy in a much broader space than just this critical infrastructure and government. I sympathize with the submissions made by my fellow panellists and others at the Citizen Lab, but fighting to get this absolutely perfect may be impossible, and we are due for this legislation.

Senator Yussuff: Listening to the debate around this bill, do you think there is sometimes the risk that we frame every cybersecurity power as government overreach without weighing the real consequences to Canadians on critical infrastructure that might be breached, with foreign actors taking advantage of the challenges that we face?

Mr. Grant: We have heard submissions on both sides of that point. Listening to others today, you have had really strong proponents of the bill and passing it in its current form with urgency, as well as other pretty reasonable submissions on potential government overreach. Right now, I think that overreach is more theoretical than anything else. While there could be improvements made and it is not perfect in its current form, again, I say pass it now.

The Deputy Chair: We still have time for more questions or closing remarks, if you wish.

Ms. Polsky: Let me challenge my fellow panellist, Mr. Grant. We certainly don’t look for perfection, and it is too easy to say making tweaks and minor amendments that will have a major and fundamental positive impact is striving for perfection. It is striving for better. “Good enough” isn’t a good enough reason to pass the legislation as it is. It really could benefit from some minor tweaks that would make a huge difference and improve Canadians’ trust. Give them a reason to trust.

Mr. Hatfield: Laws sometimes last a very long time. Small imperfections passed in a law today can turn out to be very impactful and could kick around for many years. We heard from some of the earlier witnesses, including ones who care a lot about this bill and believe it should pass, that the biggest obstacles to cybersecurity in Canada today are not whether we do or don’t have this legislation. It’s basic things like education, investment and other things that we can rush forward without rushing forward this bill.

So, yes, pass a version of this bill eventually, but there is no reason to get this done so urgently that you can’t take a few more weeks to make necessary improvements.

Senator Yussuff: I would only make the point that we have heard from a lot of Canadians who have written to us and communicated with us, and they don’t distrust their government. They want their government to do the right thing and to protect them from foreign actors taking advantage of their security.

Ms. Polsky: That is a good thing — that Canadians are voicing their concerns. I certainly don’t have access to the submissions made by Canadians, but I would wonder, given the lack of education about all computer issues — desktop computers have been around since the 1980s. There is still not any effective, comprehensive education. There is coding. There’s being cyber-safe. There’s being polite online. But how to defend and protect yourself from scams, which are basics now — human nature is the biggest risk, and that is what is in every organization in both the public and private sectors. Without that basic, fundamental understanding of what they are dealing with, the people are the risk.

For the people who have submitted comments — and I applaud them and am glad they did — what is their actual level of understanding of the technology and of the risks, more than just to say, “Government, do something”? Because that absolves them of doing for themselves.

Senator Yussuff: My only point is we shouldn’t make assumptions we don’t know the answers to.

Ms. Polsky: That’s right. We don’t.

The Deputy Chair: Thank you. This has been a very rich session with a great diversity of thought and views. We really appreciate all of those views. This brings us to the end of our time with this panel.

Thank you, Ms. Polsky, Mr. Hatfield and Mr. Grant for taking the time to meet with us today. We greatly appreciate your testimony as we consider this bill.

This concludes the agenda items for today’s meeting. Our next meeting will take place on Monday, June 1, at our usual time, 4 p.m., when we intend to begin clause-by-clause consideration of Bill C-8.

Members are encouraged to contact the Office of the Law Clerk and Parliamentary Counsel should they wish to bring forward amendments and to share the amendments with the clerk as soon as possible.

If you would like your amendments bundled and distributed in advance of the meeting, please share them with the clerk by Friday morning at the latest. Otherwise, please bring sufficient copies of your amendments in English and French to the meeting.

With that, I wish everyone a good evening.

(The committee adjourned.)
