THE STANDING SENATE COMMITTEE ON TRANSPORT AND COMMUNICATIONS
EVIDENCE
OTTAWA, Wednesday, April 29, 2026
The Standing Senate Committee on Transport and Communications met with videoconference this day at 6:45 p.m. [ET] to examine and report on the opportunities and challenges of artificial intelligence (AI) in the information and communication technology sector.
[English]
Andrea Mugny, Clerk of the Committee, Senate of Canada: As clerk of your committee, it is my duty to inform you of the unavoidable absence of the chair and deputy chair and to preside over the election of an acting chair.
[Translation]
I am ready to receive a motion to that effect.
Senator Miville-Dechêne: I am pleased to move a motion that for this meeting, our colleague and committee member, Senator Duncan Wilson, serve on a temporary basis as acting chair of the committee. Is there agreement on this motion?
Ms. Mugny: Thank you, senator.
It is moved by the Honourable Senator Miville-Dechêne that the Honourable Senator Wilson do take the chair of this committee for today.
[English]
Is it your pleasure to adopt the motion?
Hon. Senators: Yes.
Ms. Mugny: Thank you. I declare the motion carried.
Senator Wilson, I’ll invite you to the chair.
Senator Duncan Wilson (Acting Chair) in the chair.
The Acting Chair: I will call this meeting of the Standing Senate Committee on Transport and Communications to order. Thank you for your cooperation.
My name is Duncan Wilson, and I’m a senator from British Columbia. I’d like to ask my colleagues to introduce themselves, starting from my left.
Senator Simons: Senator Paula Simons, Alberta, and I come from Treaty 6 territory.
[Translation]
Senator Cormier: René Cormier from New Brunswick.
[English]
Senator Arnold: Good evening.
[Translation]
Dawn Arnold, also from New Brunswick.
Senator Aucoin: Réjean Aucoin from Nova Scotia.
Senator Miville-Dechêne: Julie Miville-Dechêne from Quebec.
The Acting Chair: Thank you, colleagues.
I would like to welcome everyone with us today, as well as those listening to us online on the Senate’s website sencanada.ca.
We are meeting today to continue our study on the opportunities and challenges of artificial intelligence, or AI, in the information and communication technology sector.
With that, I would now like to introduce our first panel.
[English]
From the Centre for International Governance Innovation, or CIGI, we have Aaron Shull, Research Director.
From the Fédération culturelle canadienne-française, we have Sven Buridans, Director, Innovation and Digital Partnerships. And, as an individual, we have Dan Brown, Professor, Computer Science, University of Waterloo.
Thank you all for joining us today. Witnesses will provide opening remarks of approximately five minutes each, which will be followed by a question-and-answer session with senators. I now invite Mr. Shull to give his opening remarks.
Aaron Shull, Research Director, Centre for International Governance Innovation: Honourable senators, thank you for the invitation to appear.
Your order of reference asks the committee to study, among other things, the rise of AI-generated disinformation, misinformation and “deepfakes” and their potential impact on public trust and media integrity. I am grateful that you are studying this.
Artificial intelligence did not create deception, fraud or harm. However, it does change the economics, making it cheaper to produce, easier to personalize and faster to scale.
However, I would like to put a sharper point on it. Canadians already have a recent and painful experience with what happens when we choose not to regulate a transformative communications technology. We have failed, for over a decade, to set up meaningful guardrails on social media, and harms have materialized in children’s mental health, in classroom learning, in our democratic process and now in the courts.
The bill is coming due.
I raise this history not as a lament but as a warning, because we are at risk of repeating it with generative AI.
I offer three propositions that I think make the case.
First, the harms AI is enabling are not theoretical. They are already in our courtrooms and our classrooms and in cases I will not soon forget.
Last November, an Ontario man named Allan Brooks brought an action against OpenAI, alleging that ChatGPT, over 21 days and over 90,000 words of conversation, induced and reinforced a psychotic delusion. His complaint argues that the product’s design caused him real and lasting harm. His is one of seven concurrent actions against the same company; four of them, tragically, involve suicides.
Then there is Tumbler Ridge. In February of this year, a shooter took the lives of six children and two adults in northeastern British Columbia. We have since learned that the platform the shooter had been using flagged his account internally more than six months earlier, its own systems and employees identifying potential danger and its leadership choosing not to escalate to police. The chief executive has since apologized.
I raise Tumbler Ridge with humility and certainly not to assign legal liability; that is for the courts. I raise it because in this country we are now asking this question: What did the platform know and when? And what did it do? This is not an academic paper. It involves courtrooms and grieving households.
That is the same question that has animated a generation of social media litigation, and it is one that this committee can help legislate around.
Second, Canadians already have legally cognizable rights and interests engaged by these harms. The work the courts are doing now is to apply them.
Consider the inventory. We already have the right to protection from defamation; the right to be free from non‑consensual intimate imagery; the right not to be impersonated for fraud; the right not to be targeted by deceptive business practices under the Competition Act; the right to a free and fair election under the Canada Elections Act; and various privacy rights under the Personal Information Protection and Electronic Documents Act. Parenthetically, I note that last September, the Office of the Privacy Commissioner of Canada and provincial counterparts formally found that one of the major platforms had contravened those laws in handling children’s personal information.
These rights are not aspirations; they are live, enforceable rights. They sit alongside institutional interests of public bodies, like school boards, health systems and electoral authorities, for it is these public bodies that bear the operational consequences when platforms direct their products into these settings.
The legal architecture for recognizing many of these rights is already in place. Where a company has deliberately designed and directed its conduct into a setting it knows to be vulnerable, where it has profited from that engagement and where it has been put on notice and chosen not to act, that company has — in the language of one of our courts — put themselves into a position of proximity, rendering them liable for the harm they have created.
Third, and most importantly for this committee, policy makers should not wait for the courts.
Consider the timelines. The Ontario school board litigation against Meta, Snapchat and TikTok was filed in 2024. A trial will take years, and appeals will take more. The U.S. multidistrict litigation has been running since 2022, with the first bellwether case recently awarding $6 million in a jury trial against Meta and YouTube.
Common law development is indispensable, but it is slow, plaintiff dependent and the pace of technological change does not match it.
Parliament has tools the courts do not. It can set baselines, shift burdens of proof, require provenance, mandate platform‑side duties of care and create statutory causes of action prospectively and uniformly.
What I would urge — and what CIGI’s work on platform accountability and information integrity supports — is a layered model. This could include provenance standards such as C2PA; platform duties on recommendation, advertising and impersonation response; legal modernization beyond elections; and support for victims and journalism.
Unfortunately, there is no silver bullet. There should be no truth ministry. Narrow, rights-based measures raise the cost of deception and lower the cost of verification.
I will close with this: We have been here before. We have watched social media reshape our information environment, schools and democratic processes. We let courts and victims do the work that legislatures should have done. The cases unfolding now in Ontario, California, New Mexico and places on the Canadian map I will not soon forget are the bill coming due for that delay. Please do not let AI become the second instalment.
Thank you. I look forward to your questions.
[Translation]
The Acting Chair: Thank you, Mr. Shull.
I will now invite Mr. Buridans to give his opening remarks.
Sven Buridans, Director, Innovation and Strategic Partnerships, Fédération culturelle canadienne-française: Good morning, Mr. Chair and members of the committee.
My name is Sven Buridans, and I am the Director of Innovation and Digital Partnership at the Fédération culturelle canadienne-française, or FCCF.
For nearly 50 years, the FCCF has been the national political voice of the artistic and cultural sector of the Canadian and Acadian francophone community. We represent an ecosystem of nearly 350 organizations working in all artistic disciplines and in all provinces and territories outside Quebec.
Our sector, which includes artists, non-profit organizations, private companies and public institutions, participates fully in the economic, social and linguistic vitality of our communities and, more broadly, of Canada. As such, it is essential that our sector be fully recognized as a stakeholder in the development of Canadian public policies on artificial intelligence.
We fully support the recommendations made by the Coalition for the Diversity of Cultural Expressions, or CDCE, of which we are a member.
In addition, we have two further recommendations. First, we suggest that Canada develop a production and governance strategy for francophone cultural data to ensure that AI developments are truly inclusive and representative of our communities across the country. Second, we recommend that Canada invest sustainably in digital literacy and AI skills, including by supporting foundational initiatives such as Impulsion 2030, the digital strategy for the artistic and cultural sector of the Canadian and Acadian francophone community.
Let me elaborate on our two recommendations.
In terms of the need for a production and governance strategy for francophone cultural data, many studies have highlighted the risks associated with the use of biased training data. These biases can hinder the protection and promotion of the diversity of cultural expressions. AI models are largely trained on a corpus where some cultures are overrepresented and the English language and English content, particularly American, dominate. The result is systemic bias that makes minority groups even more invisible, including Canadian francophone communities that are located outside Quebec.
In concrete terms, that means both that our francophone artists and content are less discoverable and that technologies are expected to become much more effective in English than in French. These phenomena pose an existential threat to our cultural and creative industries, as well as to Canadian cultural sovereignty.
The FCCF feels that a national AI strategy can only be credible if concrete action is taken to improve the quality and representativeness of cultural data, particularly but not solely from a linguistic standpoint, as well as its governance. One thing is clear: For our francophone minority sector, which is facing specific challenges, a wait-and-see approach is not an option.
That’s why the FCCF launched Impulsion 2030, a strategy to give our ecosystem concrete tools to deal with digital transformations and AI. By rolling out four projects, the FCCF seeks to build an evidence-based culture and make the cultural sector central to the digital world.
Federal AI investments to the tune of $1.7 billion, plus hundreds of millions of dollars for Scale AI and RAII, the Regional Artificial Intelligence Initiative, must not only benefit the private sector. They must also support civil society and, in particular, cultural non-profit organizations, which contribute to the vitality and resilience of the Canadian economy. The digital transformation must be supported by clear, consistent and stable funding that takes into account infrastructure and workforce training needs. The employability of future generations in our sector is directly affected.
Our recommendations are a continuation of the report recently tabled by the Standing Committee on Canadian Heritage about AI in the creative industries, to which the FCCF actively contributed.
The idea of taking into account the linguistic issue and minority cultural content, along with its effects on all francophone communities in Canada, currently appears to be a blind spot in Canadian public policy on AI. This urgently needs to be rectified. The substantive equality of Canada’s official languages is at stake, a principle enshrined in Part VII of the Official Languages Act.
Thank you for listening. I look forward to your questions.
[English]
The Acting Chair: Thank you, Mr. Buridans.
I now invite Mr. Brown to give his opening remarks.
Dan Brown, Professor, Computer Science, University of Waterloo, as an individual: Thank you for the invitation to speak to your committee. It’s a real honour. I’m sorry I can’t be present in Ottawa.
I have been a professor of computer science at the University of Waterloo for about 25 years. For the past 10 years, my primary research focus has been on a subject called computational creativity, which is basically the study of computer systems that generate artifacts which, had they been made by people, we would say were creative artifacts.
That is to say, for the past 10 years and longer, we’ve been thinking about a lot of the questions that are suddenly very germane to policy makers, researchers, creative individuals, labourers and entrepreneurs. Are these systems creative? Can their products be copyrighted, and if so, by whom? Is training these models a copyright violation and copyright infringement? Also — following up on the previous speaker’s comments — what do we do about creative labourers and their futures and careers?
As an academic, I feel it is my job to at least ask a few questions that are, perhaps, a little more abstract. One of them is this: Can computers be creative in the first place?
As a positive example, I want you to consider a system called MEXICA, which is by my colleague Rafael Pérez y Pérez. MEXICA generates Mexican stories in the style of ancient Mexican epics. It’s a system that Professor Pérez y Pérez has been working on for decades. You or I could use it, but it still embodies his actual creative vision and spark. Its products could be creative, and they’re created by him.
By contrast, if you consider the scenario where you use a generative AI system, like Google Gemini, and ask it to write a poem, there, the question of whether the user is involved in the creative process becomes a little more abstract and uncertain. In particular, if a good poem results from such a simple prompt, it has to be the case that actually arose in the system itself — or in its training data, potentially — not in the user, who simply supplied a generic prompt. So there is a wide range of possibilities.
Now I want to move on to talk about questions of infringement. Commercial large language models, or LLMs, and vision language models, or VLMs, have used large amounts of copyrighted data in their creation, and the Copyright Act in Canada allows for dealing with copyrighted materials under certain very specific exceptions.
About five years ago, before you had all ever heard of large language models, some colleagues at Waterloo and I spent a while studying whether training of these large language models was infringement, was a violation or was fair dealing. Our conclusion was it probably is not a fair dealing of those materials, and the specific reason why is because it creates materials that compete then in the same marketplace as the training materials itself.
For example, I asked Google Gemini to generate me an image of tulips in the style of Norval Morrisseau — and it did so in about 15 seconds — and that might potentially cause someone to buy those rather than real ones. There are already too many Norval Morrisseau fakes out there.
This is my next question: Can generative AI output be copyrighted, and if so, by whom? It is a somewhat strange question, given that we have already had the possibility that these are infringing models. Yet, at the same time, it has to be the case that this is a way that creative people can generate new objects and assign ownership of them to themselves.
For example, if the user systemically wrote a poem using Google Gemini and, along the way, workshopped the poem, made edits to the poem, changed the prompt and engaged in an interaction with Gemini around the process, I think that sounds like creativity. I think that sounds like creation.
A specific case that I want to highlight at the very end here is one of computer code, which is to say that, specifically, computer code is something that we allow to be copyrighted in Canada, and that needs to continue to be the case even as this new technology for creating such code comes into existence. Programmers should have copyright for their code created by Claude Code just as they do for code they create using other tools.
I want to quickly mention something about creative workers. In a study of professional fiction writers, we found that especially minoritized fiction writers — LGBTQ and disabled fiction writers — were very worried about the effects of this technology on their future. It is important to talk about that as we go forward as well: What do we do with respect to minority groups? I will echo my colleague who spoke before.
I have a lot of things to say, but they will come up in the question portion, I’m sure.
The Acting Chair: Thank you very much, Mr. Brown.
Senator Simons: I have so many questions. I will start with one for Mr. Shull.
A story broke last week about AI-generated political videos on YouTube — created in the Netherlands, strangely — designed to share disinformation about the Alberta punitive referendum campaign. There was a massive wave of AI-generated ads. They tricked Calgarian actors into auditioning, and then they repurposed their faces and voices and made them say things that were in favour of not just Alberta separatism but joining the United States. They are an assault on Canadian sovereignty. They had, as of last week, 40 million downloads.
There are only 5 million people in Alberta, so even if all 5 million of us watched them 10 times, that is still an unusual number of downloads.
This is just the start. How do we regulate against disinformation that is purposefully designed to poison our political discourse and sway our elections, especially ones that are, indeed, a product of foreign interference?
Mr. Shull: Thank you for the question, senator, and it is a good one. There is a lot to unpack there.
First, what I really appreciated about this committee’s terms of reference was it wasn’t just about an election. Oftentimes, we tend to follow the shiniest thing in the disinformation conversation, which is elections. That is germane because that is the backbone of a free and democratic society, but it is much bigger than that. It is about poisoning the information environment generally.
There are a couple of things that are going on in your question. Extraterritorial application of Canadian law is one, where there are foreign actors, and a lot of the time, that is the case. I would say that there needs to be collaboration with democratic partners because it’s not just us feeling the effects of this.
It is a different issue when we’re dealing with hostile adversarial states, but in this case — the one that you mentioned — they are a friend and ally. So mutual legal enforcement treaties, but it has to be quick, short and sharp. If someone is going to do this, they need to know right away — you mentioned two or three criminal offences right there — impersonation and fraud. There is a whole bunch of stuff going on that is already caught. It’s just translating it from our Criminal Code to the penal sanction of the individuals outside our borders. It is not just the election; it is the information environment in its entirety that is at risk here.
Senator Simons: Dr. Brown, I had some questions for you. You were my invitee to the committee because I found your website enchanting. I want to understand — as someone who made my living for many years as a writer — how do you differentiate? You talked about a Gemini poem that gets workshopped and massaged, but you are also working with computers that write music.
How can you differentiate with respect to a composer using AI as a creative tool, and hence the music is the genius/genesis of the human composer? At what point do we believe the generative AI is creating music as opposed to following code?
How is it different than a player piano?
Mr. Brown: That is a great question. How is it different from a player piano? The player piano only does what you tell it to do. You could make the same argument for these AI systems, I suppose.
Once they start to surprise you, and I mean that in a sort of “I didn’t expect that would be so good” way, then you have passed the margin where it is not just your product as the programmer; it is beyond that.
There are a lot of different actors in this, and one of the actors is actually the collection of training data that the model is trained on. That collection might also be very influential on how the model works. If I had an AI system that was only trained on Beethoven, it would make music that was mostly going to sound like Beethoven. At that level, I don’t know that you would assign the creativity to the model. It is really that you would assign the creativity to the source. There are a bunch of different actors here, and you are right to be concerned.
Senator Simons: Toward the end of your opening statement, you talked about displacing cultural workers and especially people who are already marginalized by being othered in some way by our society.
Mr. Brown: That is extremely important.
Senator Simons: I want to turn this question around because it comes back to something a previous witness, Michael Geist, said.
If you are training the models on Mozart, Beethoven and Tchaikovsky, they will come out with classical music. If you are training the models on Bo Diddley, James Brown and B.B. King, you will get a different outcome. However, one of the challenges is that if you train it on the conventional canon, you will leave out the kinds of traditionally suppressed voices that we need to hear more of.
Mr. Brown: Yes.
Senator Simons: How do we make sure that, without exploiting LGBTQ writers, without exploiting Afro-Canadian writers, without exploiting Indigenous artists, we are fairly and equitably sampling their work so that the AI does not just give us dead White dudes?
Mr. Brown: This is super important, and I’m so glad you raised it. It was a key reason why we did that study of LGBTQ and disabled fiction writers. I am as worried about this as you are.
I had an informal experiment a couple of years ago where I tried to get ChatGPT to tell me a romance story about two men. You start off with, “Tell me a romance story,” and, of course, it is about a man and a woman. Then you say, “Tell me a romance story set in San Francisco.” It’s still a man and a woman. “Tell me a romance story set in San Francisco, in the Castro.” It’s still a man and a woman. It really required a lot of effort before you got Tom and Mike to be the people we were writing about and not Tom and Mary — and they really did have kind of WASPy names like that.
You are right to be very concerned. In particular, this is a major product of our culture as Canadians that we need to be worried about, too, for the reasons that the previous speaker referred to about marginalized linguistic communities but also for LGBTQ folk and other minoritized groups.
One answer is that you use your powers as legislators to fund arts communities more broadly and more diversely so that those voices continue to exist. Another is that we prize the things about Canadian culture that are so diverse.
I give a talk sometimes where I ask generative models to generate me a picture of two men kissing with the Stanley Cup. I have not given that talk since “Heated Rivalry” came out as a TV series. I imagine it would give me a different response now than it would have before.
We need to emphasize these voices.
Senator Arnold: My question is for Mr. Shull. I very much agree with your thesis that we didn’t do enough with social media, and we have this opportunity now to perhaps not make some of the same mistakes.
Toward the end of your opening remarks, you started to talk about the tools that Parliament has that the courts don’t. I think we can all agree that is going to take too long and is not going to work.
Can you expand on those with more detail?
Mr. Shull: Absolutely. I am happy to do that. I would like to knit your question together with the previous senator’s question because I didn’t fully answer it. I talked about the extraterritorial application of Canadian law and the existing powers, but I didn’t say anything about the responsibilities of the platforms that are recommending the content and advertising it. They are handling the impersonation and the systems, and they are amplifying the conduct and making it commercially viable, which comes to your point because you said there are millions of views.
What is interesting to me is that after that jury trial I mentioned in California, where there was a $6-million jury award against Meta and YouTube, trial lawyers started advertising on Meta and YouTube, looking for clients. Interestingly enough, you will be shocked to know that they shut down these advertisements. So their ability to know what the content of those advertisements is, is actually pretty good. When they don’t want them there, they are able to turn them off like a tap. I think that is instructive.
I would say what is missing from the conversation is a coherent federal approach to synthetic media generally. I’m talking here about provenance and labelling. There are ways you can watermark it. It is not perfect, and it’s not going to be the silver bullet, but it’s going to be helpful. Good actors will watermark, and bad actors will not. There are ways you can do that technically, and we can talk about that in greater detail, labelling and then also takedown.
To the previous senator’s question, there would have been a notification case saying, “This is fake. This is not me. I didn’t authorize it. I’m not rallying for Alberta separatism.” The platform should have had a legal duty to take it down right away. We already know that they can because trial lawyers proved it by virtue of advertising on those platforms.
It is part of a suite, so it’s technical, legal architecture that can go a long way to remedying a lot of it. However, one of the biggest issues is the business model of the platforms. It’s the amplification. Bad people will do bad things. They are going to use these tools to do awful stuff. What we don’t need to do is give them a supercharged megaphone and let American companies make billons of dollars for ripping apart our democratic society.
Senator Arnold: Thank you.
The Acting Chair: We have a little more time if any other witnesses would like to respond. No? Okay.
[Translation]
Senator Cormier: My first questions are for Mr. Buridans.
I want to delve further with you into some of the strategies or options you mentioned. You talked about a production and governance strategy for francophone cultural data. I would like to know more. What does that mean in practical terms? What applications could this have in the sector?
Mr. Buridans: That’s a good question, senator.
I think that’s a position that might seem original. In fact, when we talk about the arts and culture sector, we are often defensive, and rightly so, because when it comes to copyright infringement, training, and text and data mining, it has been a bit of a mess in recent years, especially in the face of American AI giants.
There are other frugal, ethical and responsible models for which we do not have to wait for major laws to regulate Sam Altman and his buddies at OpenAI. However, we can work with projects that are already on the table, at the prototype stage, where we would promote and secure our data, even if it means using training models and generative AI. These could be used to produce texts and fixed or animated images, meaning photos, drawings and videos, and sound or musical works. All of this would be assisted by artificial intelligence tools and systems, as long as it is done within the framework of clear copyright licensing agreements. We can start doing this; we cannot wait to win the game with the big American looters. We need to start our own projects.
I’ll give you a couple of examples.
The first is Culturepédia. This is a project led by Culture pour tous, a Quebec organization that we partner with. Culturepédia is both a legal and a technological innovation. It is a legal innovation because, in fact, it is the first social utility trust for cultural data management. We have an ethical governance framework for cultural data management and a platform where we upload data. When I say data, I mean reports, accountability documents, surveys and impact measurements of everything we have been doing for years and will continue to do. The goal is to record the impact of arts and culture in our communities. On that platform, given that there is ethical governance, you can start working with an AI model that uses frugal open source code. It’s a tool that can work on servers and internal tools, so it’s not energy intensive. You can start analyzing and cross-referencing data from cultural organizations that, beyond simplifying their administrative steps more quickly, want to further their thinking, analyses and business models to determine the economic impact of arts and culture in the areas of health and territorial development.
Senator Cormier: I understand. Did you share this thinking process with Minister Solomon as he prepared his strategy? I’m trying to see where you stand in that process.
Mr. Buridans: I did, in fact, attend the first National Summit on AI and Culture in Banff last month. I did not have a chance to speak directly with Mr. Solomon at the time, but we met him in October with a delegation from the CDCE. We keep saying the same thing. We support the CDCE’s messages on respecting copyright, which is an essential basis for defending the community. Minister Solomon often talks about innovation. The arts and culture sector, by definition, is an area of innovation. The true purpose of our sector is to innovate.
Senator Cormier: What are the four projects of the 2030 Impulse strategy that you mentioned?
Mr. Buridans: The digital strategy was launched in Banff. We’ve been analyzing digital issues with our members for two years. We have two cross-cutting objectives, the first being to build a truly evidence-based culture. Before working with AI systems, you have to have properly structured data. The second is to make the arts and culture sector central to the digital world. I would remind you that there is no one from the arts and culture field in Minister Solomon’s working group.
The first of the four projects is to influence public policy, which is what we are doing here. We continue to explain our position on copyright protection, but we are also positioning ourselves as an innovative sector, and we are trying to get funding for that.
The second project is building capacity and continuing to develop our digital skills. Digital literacy is in its infancy in our francophone minority sector, because we have focused a lot on Quebec projects. Quebec’s digital cultural plan was set up in 2014. I’ll put it this way: The plan is the digital learning locomotive and the francophone community is the cars. However, the idea is not for the cars to be pulled by the locomotive, but for people to walk around in the train. It has to do with skills transfer, the creation of new trades, our independence in terms of approaches and digital strategies that our members can work with independently.
The third project is to continue developing foundational alliances. I mentioned alliances with organizations in Quebec, but also at the international level, because there are no longer any borders within the francophone community and the digital world.
Senator Cormier: I’m interrupting you, but I understand what you are doing on the ground between organizations and also with your partners and all that. However, I have a perhaps more direct question, and that is why I brought up Minister Solomon. My question is about all the essential analysis you are doing. We know that the majority of the AI landscape is anglophone and that there will be a major problem with the potential disappearance of francophone communities and francophone culture if we don’t do something. In that sense, aligning with Minister Solomon’s strategy seems to me to be absolutely essential.
Mr. Buridans: Absolutely. The reason we have been working for the past two years with our members is to take the lead. We are not taking a wait-and-see approach. The message is that there must be interdepartmental agreements on AI issues. I was actually referring to investments made with SMEs and the private sector. They are very good, but, for the moment, non‑profits and civil society do not have access to them.
I’ll give you a very basic example. Everything remotely related to learning and digital literacy comes from the envelopes we’ve managed to get through the Canada Council for the Arts. Those envelopes will no longer be forthcoming, including the Grow program, which provided funding of up to $1 million. Projects like Culturepédia come from this type of very foundational funding. Now we have envelopes in the range of $100,000. Canadian Heritage funded our “bande numérique” initiative, which is a program to support our members in digital literacy. Funding for the final development phase of our initiative has been cut in half, right at a time when we should be ramping up our efforts.
We are asking Minister Solomon and Innovation, Science and Economic Development to work with Canadian Heritage. This summit is a very good first step. Now we need to go further. In fact, we need to provide access to non-profits, particularly in arts and culture, to programs that are currently dedicated to the private sector so that we, too, can continue to learn, organize projects and have digital autonomy. We hear all about sovereignty, but this is something national, something Canadian. I would also like to talk about digital autonomy. There are organizations and sectors that are able to develop their own tools within entirely reasonable regulatory frameworks.
Senator Aucoin: I would like to follow up on your comments and Senator Cormier’s questions.
I don’t want to talk to you about funding. That’s something else you talked about. If we had a crystal ball, what would be the most important thing, the priority, the preferred tool or the actions the government could take to solve some of the many problems you mentioned to protect the arts and culture in francophone minority communities?
Mr. Buridans: Funding is the lifeblood.
Senator Aucoin: Well, not necessarily.
Mr. Buridans: Of course. That’s actually why I was giving you a few examples, such as Culturepédia, and there are others. In Quebec, there’s a project called ArtIA that’s in the process of demonstrating how artificial intelligence systems can support and aid creation. There are some absolutely fascinating projects being done with a critical eye.
I find that the arts and culture sector — particularly from the francophone community — is missing from Mr. Solomon’s working group. We’re on the front lines in terms of taking an ethical, critical and constructive look at AI systems. The idea isn’t to develop a Canadian capacity to create our AI systems that would compete with those already in place and launched by American giants. The idea isn’t to have a French-language ChatGPT either. That isn’t the only thing that will help us, even though linguistic nuances are absolutely important when it comes to talking to a chatbot. When I talk about managing francophone cultural data, it goes beyond language; it’s what represents our francophone communities across the country. We have to be at the discussion table with the experts around Minister Solomon’s office to discuss the national AI strategy that will be coming soon. This will allow us to feel that the extremely relevant discussions that took place during the Banff summit are having some influence on this strategy’s direction, and that there is indeed a place to continue the discussion on arts and culture.
Senator Aucoin: Thank you.
I have a question for Mr. Shull, perhaps followed by Mr. Brown.
First, Mr. Shull, you talked about a coherent federal approach to these AI-generated companies. What can we do in our recommendations? Would you like to see more legislation, more policies or enforcement measures? What do we do with Senator Simons’ example? What should have been done or what should the government have done? What can it do for the future of artificial intelligence and to protect us?
[English]
Mr. Shull: Thank you for the question, senator. First, I would urge you to resist what will inevitably be a push from the platforms. They’re going to say a lot of things to you about self‑regulation and non-binding codes of conduct. They’re also going to say that if you regulate them, you will kill innovation — that there will never be innovation again if you regulate.
None of that is true. What I would say is this: Look for narrow areas where you can regulate. And there are already mechanisms in place, as I said earlier, around fraud, impersonation, abuse and child sexual abuse material, or CSAM. All these things I mentioned are set to get much worse, so look for areas where we can do something.
As I said, regarding provenance, we can label things that are generated using AI through metadata.
I’ll let Professor Brown speak more about this because they don’t teach you anything about computer science in law school.
However, there are ways you can do this, and we can encourage that labelling and also takedown.
And the other thing you can look at doing is creating, through statute, duties of care. These companies are making billions of dollars creating technology that is hurting people.
If we were talking about bridges or elevators, this would be the shortest Senate committee hearing in the history of the world, because we all agree that if someone gets hurt on an elevator, there is a duty of care, but we wouldn’t do it here. So look for ways to bring in duties of care so lawyers like me don’t have to deal with it 10 years down the road, because all I can bring to the courtroom is blunt-force instruments, and by the time it gets to us, it’s too late.
[Translation]
Senator Aucoin: I would like to make a comment. I’m also a lawyer. For the first time in my life, I’m hearing that the government is moving faster than the lawyers and the court. That’s quite interesting.
Mr. Brown, do you have anything to add?
[English]
Mr. Brown: Yes, I certainly want to say that the duty of care question is important. I want to say that, but I also want to put a big asterisk there. You can spend about $10,000 and buy a computer system that you can run a state-of-the-art model from 12 to 18 months ago on and make some of the worst materials imaginable. You can just push those forward into the world, and those are open-source models that kind of deny anyone being responsible for them.
That’s a really scary place to be at when you start talking about the duty of care, though I do think, in the case of the giant companies we’ve been hearing about, it is an essential thing to have.
I am similarly concerned about the question of watermarking and identification of AI-generated materials. There is constant warfare between the two sides of that kind of battle. I fear that the side that is trying to identify trustworthy and believable materials is always going to be on the defensive.
It’s an important thing to have, but I still think it is a challenging space to work in.
[Translation]
Senator Miville-Dechêne: My question is for Mr. Shull.
I had a strong reaction when you talked about protecting children, because, for several years, I led a bill to defend against children’s exposure to pornography, whether on social media or digital platforms. As you know, if you live in Canada, that isn’t a reality.
I would like you to talk about that kind of disconnect, in the sense that people seem to be completely obsessed with artificial intelligence. I understand; it’s a new development and all that. However, people seem to have somewhat forgotten about the digital platforms, social media and the fact that there has been absolutely no legislation on this.
Do you see that disconnect? Do you think both should be legislated? That’s what I understand from what you said. Which is the priority? There are still a number of things to do that haven’t been done yet. Should we first focus on the most vulnerable among us, who are often children? Should we try to do everything at the same time?
Right now, I feel a bit overwhelmed by the magnitude of the task at hand.
[English]
Mr. Shull: Thank you for the question, senator. I promised the clerk I have been studying French every day for 560 days on Duolingo. I won’t try to answer in French, but the next time I come, I’ll try my best.
First, thank you for doing that. I absolutely agree. Children’s mental health and autonomy — it’s all on the table right now, and we’re trading it away so American companies can get rich. But the thing is, we all know it; we can all see it now.
And there are two jury trials I mentioned, one in New Mexico and one in California, that are quantitatively and qualitatively different. We’ve heard about these companies being fined by the EU; they’re fined for this and they’re fined for that.
These were two jury trials. One was $375 million and one was $6 million. The $6-million one was what they call a bellwether, so there’s the multidistrict litigation. There are 3,000 cases behind that one that are coming.
There is also litigation in Canada. School boards have seen fit to sue social media companies, but it’s all on the basis of, effectively, children’s mental health. I would start there if I were you, because you’re right, there’s a lot going on here.
Even in this, we’re talking about copyright and culture and disinformation. I would start with children and go to the platforms, because they’re the source of amplification. And, for what it’s worth, they’re the ones about which the public is saying, “Oh, yeah.”
I wrote an op-ed for the San Francisco Chronicle. I called this a big tobacco moment. People are saying that social media is awful and our kids are getting sick from it. There’s a moment when the public can align behind this.
Generative AI feels ephemeral to people; they don’t really know what it is. However, if you can regulate at the platform level, you will go a long way in stopping amplification, which I think is one of the principal challenges when it comes to misinformation and disinformation.
It’s what Senator Simons said: All of a sudden, they come up with some cheap video and reach millions of people in real time, and it’s kind of convincing.
So I would start there: Go with children. And I can come in with more pointed recommendations in writing. I’m happy to help because this is a tricky area, but you got it right.
Senator Miville-Dechêne: Who should we look to around the world in terms of examples? Because obviously we’ve been extremely slow in reacting in Canada. Are there some good examples with respect to artificial intelligence or platforms of social media? What do you think we should look at?
Mr. Shull: We were almost there with the Online Harms Bill. There was some good material there.
The U.K. and Australia are obviously leading examples. And when it comes to AI regulation, the EU is out in front on this, and they have been for a long time. They have the AI Act; they have the General Data Protection Regulation, or GDPR. There are ways to deal with it.
And Canada is right there. We were looking at amending the Personal Information Protection and Electronic Documents Act; there was the AI act and the online harms act. All of which, in my humble opinion, could have used a little refinement, but it’s better than nothing. I feel in this country, we often let the perfect get in the way of the good enough.
We have been at it for 20 years; kids are getting hurt. We need to get out the door on some of this. If we can get ourselves in a position where we are protecting kids, it’s hard to grab the other side of that argument.
[Translation]
Senator Miville-Dechêne: In Europe, there’s some push-back against legislation. Laws governing AI have been passed, and some people say those laws create too many barriers and stifle creativity. You told us it’s a big lie to say that all this is going to hurt creativity. What do you think?
[English]
Mr. Shull: There will inevitably be pushback. To the extent you can stay away from the content layer — you don’t want to get into the business of speech police, saying, “This is good. This is bad.” If you can stay away from the content layer as much as possible — look at the architecture and the design. Kids aren’t allowed on or are only allowed access to certain things.
And when you deal with it at the architectural and design layer, you can get yourself out of the policing speech game. And I think that’s probably part of what was going on in Europe, because people are reticent around that.
But there are ways to do it with specificity, with rights-based approaches that are very narrow and very tailored to get the worst of it right now.
This will be with us forever, but if we can deal with the worst of it quickly and effectively, that will set us up for some success down the road.
[Translation]
Senator Simons: I need to ask my question in French because everyone is speaking French this evening. I’m not really bilingual, but I’ll try.
I know that the French spoken in Paris is not the same as the French spoken in Montreal, which is not the same as the French spoken in Bathurst. Copyright is important to me, but I’m wondering if you’re afraid that models from France, not from Canada, or from Montreal, not Rimouski, Bathurst or Shediac, don’t represent the same language? How can we protect copyright and, at the same time, try to have models that reflect the full spectrum of the French language?
Mr. Buridans: Thank you very much for the question and for your efforts, senator. Your French is certainly better than my English, so it’s much appreciated.
That’s a very interesting thought. It makes me think of Richard Khoury, a researcher affiliated with Quebec’s Université Laval, who’s working on training a model in Québécois. I am a French immigrant to Quebec who lives in Montreal and works for francophone minority groups in Canada and Acadia. I’ve lived here for 20 years, and the spectrum of French language is absolutely fascinating and merits a closer look for training models as well. Richard Khoury is training a model in Québécois. We could certainly expand this project, explore it and look at how people speak in Acadia. Chiac is a dialect in New Brunswick and Nova Scotia, and not all Acadians speak it.
Senator Simons: There are francophone communities back home in Alberta too.
Mr. Buridans: Exactly. There are linguistic features in French that are worth examining.
There are also things like MétaMusique, a Quebec-based project for classifying music metadata. When it comes to discoverability, AI is a game changer.
Picking up on what you said earlier, you’re absolutely right. Everyone is talking about AI, and it affects everything to such a great extent that we need to step back a bit, look at structured data, and link metadata, discoverability issues and how AI transforms all of that. That’s why digital literacy is such a high priority for us. It’s not just about working with AI, it’s about seeing how AI is disrupting the entire digital value chain that we’ve been working on for years.
I’d like to wrap up with an example. Even in music metadata, we thought about whether we should put the key words “FR Quebec” and “FR Saskatchewan.” What key words should we use for “Franco-Yukonnais,” “Fransaskois” and “Franco-Manitobain”? These questions have to do with language as well as metadata and the digital semantics that go hand in hand with all this work.
[English]
Senator Simons: I will personally ask it of him later.
[Translation]
Senator Cormier: I have a question for all the witnesses.
Here’s the scenario: I’m writing a novel and I’m on the first chapter. I have a dictionary I can consult. Once I’m done, I ask the AI to refine my text linguistically, syntactically or by adding images. To what extent is the end result still considered the work of an author? How do you decide were to draw the line? That’s a key issue for me. Of course we’re interested in the impact on children, but what really interests me is the issue of copyright and artists’ compensation. This is a key concern with respect to AI.
I also have a follow-up question. For example, in the case of the French language, will it eventually be homogenized?
I will ask Mr. Brown to answer the question, and then Mr. Buridans.
[English]
Mr. Brown: We already have rules for this in existing copyright legislation and case law in Canada, around the level of skill and the level of effort the creator used in the production of their work. So, I actually think we already have what we need; we just need to start applying it more directly. If it’s the case that the vast majority of skill, effort and cleverness weren’t yours, then it’s not yours, but if it is the case —
Senator Cormier: How would someone know? If I don’t tell them, who is going to decide whether it is my work?
Mr. Brown: Yes, it is a totally legitimate question. The time that will probably happen is when somebody wants to infringe upon it and claims it wasn’t copyrighted in the first place.
Senator Cormier: It will go to court.
[Translation]
Mr. Buridans: It doesn’t matter if there’s a machine involved in the creative process or in the act of creative production. What matters is editorial and artistic agency. You have your own editorial agency and your own artistic agency, so you decide how much any given digital system contributes, particularly in AI.
Creative works have been produced with digital assistance for years. It’s the artist who decides, as well as the publisher, the producer and the distributor. In fact, the entire value chain decides when to involve the artist and when a work is complete. At some point, the publisher says it’s time to go over the work, and so on. All of that work transcends any machinery.
I have another question about your example. What model are you working with? If you’re working with ChatGPT, it would be a bit of a stretch to consider your human work to be 100% original given the additional input from an AI system. However, if you train a model with your data or data from consenting artists who have signed agreements and want to see their signature style blended with other styles, and if you pay them to make prototypes, then what you’re doing is perfectly legitimate, because you’ve paid royalties. You’ve trained a model and you know exactly what’s involved. The outcome, again, is based on your decision. Now we’re speaking the same language.
The Acting Chair: Thank you Mr. Shull, Mr. Buridans and Mr. Brown for being with us this evening.
We’ve reached the end of our time for this panel.
[English]
I would like to continue with our next panel.
I would like to welcome, from Communications Security Establishment Canada, Bridget Walshe, Associate Head, Canadian Centre for Cyber Security; and Joshua Kilberg, Senior Director. Thank you for joining us today.
As you probably noted from the last panel, we have approximately five minutes for questions and answers. I think we’ll have plenty of time for senators to ask questions, as we did with the last panel, so we won’t be too tight on that.
Ms. Walshe, please provide your opening remarks.
Bridget Walshe, Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment Canada: Good evening, Mr. Chair and members of the committee. Thank you for the opportunity to appear before you today and to contribute to your study on the opportunities and challenges of artificial intelligence in the information and communication technology sector.
My name is Bridget Walshe. I am the Associate Head of the Canadian Centre for Cyber Security, commonly referred to as the Cyber Centre, within the Communications Security Establishment Canada, or CSE. I am joined today by my colleague Josh Kilberg, Senior Director at the Cyber Centre.
While we recognize the breadth and significance of this study, our testimony today will focus specifically on the rise of AI‑generated disinformation, misinformation and “deepfakes” and their potential impact on public trust and media integrity.
The remaining elements of the study fall outside the Cyber Centre and CSE’s legislated mandate.
[Translation]
The Canadian Centre for Cyber Security is Canada’s national authority on cybersecurity, providing a single, trusted source of expert advice, guidance and services to Canadians and organizations across the country.
Our expertise includes developing advanced cyber defence capabilities, protecting critical systems — including federal government networks — and operational leadership during cybersecurity incidents.
[English]
We work closely with Government of Canada departments, critical infrastructure operators, Canadian businesses and international partners to prepare for, respond to, mitigate and recover from cyber events. Through these long-standing relationships, we continue to strengthen Canada’s cyberdefences and enable Canadians to participate safely and confidently in an increasingly digital world.
We are at a pivotal moment in the evolution of artificial intelligence. AI technologies are advancing at an unprecedented pace and offer significant societal and economic benefits. At the same time, their dual-use nature introduces complex and evolving risks to Canada’s national security, democratic institutions, economic resilience and the privacy of Canadians.
As outlined in our Cyber Threats to Canada’s Democratic Process: 2025 Update and National Cyber Threat Assessment 2025-2026 reports, malicious threat actors are increasingly exploiting emerging technologies, particularly AI, to conduct disinformation campaigns, cyber-espionage and election interference.
In recognition of this rapidly evolving landscape, CSE launched its Artificial Intelligence Strategy last year to ensure we are well positioned to understand, adopt and respond to emerging technologies as adversaries grow more sophisticated in their use of them. The strategy establishes key priorities, informs operational planning and anchors efforts to modernize governance, policy and processes in the face of rapid technological change.
Previous assessments, including National Cyber Threat Assessment 2023-24, identified the growing ability of state‑aligned actors to create and spread AI-generated disinformation. This trend has accelerated.
In our 2025-26 threat assessment, we observed that hostile foreign actors are increasingly exploiting AI to generate and disseminate fake articles, manipulated images, “deepfake” audio and video and fabricated online personas, deliberately polluting the information environment. These tactics are designed to undermine trust in democratic institutions, distort public discourse and exacerbate societal divisions.
[Translation]
The Cyber Centre can assist when deepfakes or AI-generated content impact official government websites or accounts, or when they pose a cybersecurity risk to the Government of Canada or to systems of importance. This may include cases involving malicious hyperlinks, data leaks or unauthorized messaging.
[English]
Our support can include providing expert advice and guidance, assisting with incident response and, where appropriate, facilitating takedown efforts in collaboration with partners.
While it is unrealistic to hope to fully prevent the exposure or misuse of publicly available image and audio data, particularly for public figures, we continue to advance efforts to educate and empower Canadians to identify and mitigate AI-enabled risks.
To that end, the Cyber Centre has published an AI fact sheet and the report Top 10 IT security actions to protect internet-connected networks and information to raise public awareness and promote responsible AI adoption across sectors, alongside a range of cybersecurity advice and guidance on generative AI and its role in misinformation, disinformation and malinformation.
[Translation]
The cyber threat environment is dynamic and continually evolving, but our commitment to protecting Canadians remains steadfast.
Working alongside domestic and international partners, CSE and the Cyber Centre will continue to protect Government of Canada systems, Canada’s critical infrastructure and the integrity of our digital ecosystem so that Canadians can rely on secure and trusted services.
[English]
CSE and the Cyber Centre have a long history of leading the way in developing, adapting and applying cutting-edge technologies in support of our mandate to keep Canada safe and secure.
Thank you once again for the opportunity to appear before the committee today. We would be pleased to answer your questions.
The Acting Chair: Thank you, Ms. Walshe.
Senator Simons: I think you were in the room when I posed my questions to the previous panel.
I’m an Alberta senator, so this particular story is haunting me. I’m sure you saw the story last week about these faceless videos being created on YouTube and monetized, which are designed to sow discord in Alberta to enhance support for separatism and, more particularly, to enhance support for Alberta to become a part of the United States. Millions of people have seen these videos, which are absolutely fake and made outside of Canada.
Given current legislation and given your current powers, what can be done to convince YouTube to take down this malicious disinformation that is attacking the sovereignty and future of our country?
Ms. Walshe: Thank you very much for the question, and thank you for the context and background. It is a difficult situation to know and understand where disinformation is coming from and who it is targeting. We focus our efforts within the Cyber Centre and CSE at understanding those online threats — disinformation and misinformation. I will turn in a moment to my colleague to speak about the trends we see.
I cannot speak specifically to the particular incident you have referenced. What I can speak to a little is what we can do and what is within our mandate. I spoke a little about that in my opening remarks.
We are an organization with a mandate to help protect government networks. To that end, if we are alerted to misrepresentation of Government of Canada information, or impersonation of websites or individuals within government, it is certainly within our mandate to help. That assistance that we can provide can include things like supporting to seek the takedown of the information if it is impersonating a government website, for example.
Outside that space, there are others who could be involved. There are certainly issues that would fall within the mandate of the RCMP to investigate, for example. In those instances, it is always important to report any concerns to the police.
However, we certainly look at those trends, not directing our activities at what is going on in Canada but at trends globally. So what do we see and how do we see threat actors taking advantage of the ability to use AI to generate misinformation and disinformation? We have looked at how those trends impact democratic institutions globally, for example.
I might turn it over to Josh to provide a little more background.
Senator Simons: I understand better now. If somebody spoofs an Environment Canada website and puts up a fake notice of an evacuation order, that you could respond to. If they make a fake video of Mark Carney — and we have seen oodles of them — that you do not respond to.
Ms. Walshe: There is nuance. If there were a fake video of Prime Minister Carney talking about the activities of the government, and it was made to look like a government website, that is certainly where we would evaluate. Our process is to evaluate and understand whether something is purporting to be the government or an agent of government, et cetera. If it falls in there, then it is certainly something we can take action on.
I will add this nuance too: If it is also something that looks to pose a cyber-threat, so if it is something that we determine is being used to trick somebody into clicking on a link — it is common that threat actors look for any way for you to click and get that download, that way to have their malicious software installed. If we see that, it is also a place where we can take action.
Senator Simons: We in the Senate get those phishing notices all the time.
Ms. Walshe: Absolutely.
Senator Arnold: Thank you for being here with us. So you are reactive then. You are not proactive with respect to preventing these things.
Ms. Walshe: I will split it into two pieces. On the reactive side, absolutely, we do take action. When it sits within our mandate, there are actions that we can take to address it, as I explained. We also work closely on the reactive side with colleagues across government. We collaborate with colleagues in the RCMP, for example, to provide advice and guidance support in any actions they might take under their mandate. We work closely with colleagues in CSIS, who can also take different actions under their mandate. There is operational coordination that goes on, ensuring that, under the mandate of whichever organization it is, we are well synced up and can take action.
On the preventative end, there are a few pieces I would mention. First, information is helpful and useful to inoculate, to let the Canadian public know the risks and what to look out for. To that end, we publish information and assessments.
I can turn it over to my colleague to share more about some of those assessments and how they work. His area is responsible for doing a lot of that work.
That allows Canadians to know and to understand what those threats are in advance so that they know what to look for.
We have advice and guidance through Get Cyber Safe and other initiatives that allow every Canadian to know what those cyber-threats are and how to recognize them.
On the preventative side, as well, especially when it comes to democratic institutions, we also work across the security and intelligence community. During the past three general elections and through several by-elections, we have stood up a group called the Security and Intelligence Threats to Elections Task Force, or SITE. So CSE, the Cyber Centre as well as our colleagues in signals intelligence across our mandate support that — CSIS, the RCMP and Global Affairs. We work together to understand what the threats are.
CSE is an intelligence organization, so we contribute important and valuable intelligence that goes toward understanding what the threats are, including those threats that are related to misinformation and disinformation, as do our other colleagues in the SITE construct. That is a very important step that can be both reactive when a threat is occurring but also preventative because it allows us to understand the landscape and set conditions.
I might turn it over to Josh to talk a little more about how our assessments go into advice and guidance for Canadians.
Joshua Kilberg, Senior Director, Communications Security Establishment Canada: Thank you very much for the question, senator. We have been writing about cyber-threats to the democratic process since 2016, and we have been studying this. Every time we publish one of these reports and put it online, it is informed by all of our classified intelligence. We actually do our best to track disinformation and misinformation in elections around the world. We put this on the website as a means of forewarning Canadians to say what we are seeing happening, why we think it is important and what effects may occur.
It is really instructive to look back from 2016 until now in our understanding of this technology and how it can be used to manipulate elections has evolved.
To the previous senator’s question about threats, on the particular example that you mentioned, I don’t have specific information on that. However, I can say that when we think about threat actors doing this, we look at the foreign end of things because that’s within our mandate. As my colleague Bridget said, cybercriminals will react to what is in the news and try to monetize that. It could be a cybercriminal group. It certainly could be a state. A nation-state will seek to either advance their national interest or simply sow chaos in a democratic country like Canada to show that this type of democracy, this type of government, is not as great as we purport it to be.
It could also be activists. These are non-state actors who, with the evolution of technology, are able to quite easily take an idea they have and weaponize it using tools that are available, especially through artificial intelligence. That serves to lower the bar of entry around participating in this for everyone.
We are seeing more and more cybercriminals. We are seeing more and more nation-states involved in this. The simple truth is that it is easy, relatively cheap and does not require the same amount of expertise as it did back in 2016 and certainly before then.
The Acting Chair: Thank you.
[Translation]
Senator Cormier: I understand that your work focuses on government networks. I’m trying to see how your cybersecurity insights and findings can help institutions that are non‑governmental, but that are important to our democracy: cultural and public institutions. How could your insights and tools help public and cultural institutions guard against the malicious use of AI, say?
Ms. Walshe: Thank you for the question.
When I described what we can do within our mandate to help deal with misinformation problems, I described a situation that involved managing identity theft. We help non-governmental organizations as well.
[English]
When we look at the situation writ large, it is more than just governmental organizations that are impacted. The primary way we work with organizations that are non-governmental is through advice and guidance. The publications that we put out, we make them accessible to all Canadians. We do aim certain publications, quite clearly, toward democratic institutions. We also work very closely with colleagues across government who do the same.
For example, I talked about the Security Intelligence Threats to Elections Task Force. Alongside that group, during elections — and non-election periods — we also work closely with the Privy Council Office and their democratic institutions area. They also put out advice and guidance. We provide input to colleagues who do all these pieces that help protect civil society and those who are important in the democratic process.
Something I would highlight is that the information we put together for candidates during elections provides them with the details and the information they need to be cybersecure and more immune to cyberattacks. For example, when we see threat activity, we will warn an organization.
The first time we saw the pattern and warned of it was in late 2024. We saw cyber activity targeting some of the political parties, media and some of those entities that are close to democratic institutions. We briefed some of these entities about the issues we were seeing and the targeting online — computer network activity targeting their organizations — and we also provided a public statement and guidance and information on what to do. In those cases, we try to act reactively when we see a threat and, hopefully, before there is any sort of cybersecurity compromise of the organization.
All those pieces come together in the work that we do for these assessments that we put out, share and brief on.
I might turn to Mr. Kilberg, who might have more to share.
Mr. Kilberg: Thank you for the question, senator.
When we talk about non-governmental organizations, especially in cyberspace, first, all our information is now digital. Everything that we discuss and work on is all held digitally, which means that it is all vulnerable to cyberattacks and manipulation. It is no different for a government department or a non-governmental organization.
What is substantially different, though, are the resources that are available to most non-governmental organizations. This is why Ms. Walshe was talking about how we share advice and guidance, and we work with as many collector groups, if you will, around the country to communicate that information and get that information in the hands of those who need it most.
The truth of the matter is that a lot of the cyber compromises that we see are the equivalent of — when you leave your house, you lock the door behind you and make sure the stove is turned off. These are basic things that people are doing in the real world, but they are not doing the equivalent in cyberspace.
We talk about this constantly when we meet with partners to try to get this point across. We share the tools, and we have campaigns to get this point across. It is especially acute with non-governmental organizations because the smaller you are, the less likely you are to have a dedicated cybersecurity or information technology department.
With respect to what we call the “threat surface” or the “attack surface” — so, again, if you use the house analogy, how many windows and doors a robber can break into — protecting all of those and locking all of those digital doors is important, and that often gets overlooked in small organizations.
Senator Cormier: Are you confronted, in the actions you are taking, with issues around fundamental rights and freedom of expression? Do these play a role when you are taking action? What types of considerations do you have concerning freedom of expression and fundamental rights?
Ms. Walshe: It may be good for me to talk a little about our mandate at CSE and the protections we have in place to ensure we respect the privacy of Canadians, for example.
As I said, we are an intelligence organization, and because of that, we have strong legislation that governs the work that we do. We have, under that legislation, a strong policy process. We also have oversight.
In terms of the actions that we take, they are all governed by the policies we have established that help us ensure a big culture within the organization and ensure that every step we take is compliant with those policies and follows the law.
But we also have oversight and review, and that’s very important. The National Security and Intelligence Committee of Parliamentarians, the National Security and Intelligence Review Agency, or NSIRA, and the Office of the Intelligence Commissioner all provide that important review of the work that we do and ensure that we maintain that important role within our mandate and respect the privacy of Canadians.
[Translation]
Senator Aucoin: Ms. Walshe, I’m trying to understand to what extent CSE can interfere in areas of jurisdiction other than strictly within the scope of federal institutions or departments.
Consider a Superior Court judge hearing a case of national importance — child pornography, say — and that judge is the subject of a disinformation and misinformation campaign. It could be about the case, but let’s say it’s about the judge. The judge is appointed by the federal government but works in a province. Could you do anything about that? Would you do anything? If so, what?
I understand that if it’s a federal department, it’s clear, you’re going to intervene, you’re going to offer suggestions and work with them.
Ms. Walshe: Thank you very much for the question.
I’d start by saying that, although we are a federal agency of the Government of Canada, we work with every province and territory on all cybersecurity matters. We actually have a memorandum of understanding with all 14 members, all of the provinces and territories, to share cybersecurity information. This is an important way to ensure that we can respond quickly during an incident.
[English]
I would also add that jurisdiction, as I’m sure you would know much better than I do, senator, is complicated. When we went through the earlier example, when we are notified of an incident, we have a phone number — “1-800-CYBER” basically — and a website that allow any Canadian to report an issue. We have a hotline through which senators such as yourselves can contact us. If you don’t have that information, we can follow up to make sure you do. There are a lot of ways information comes to us about a threat. When we receive information, like in the example you have provided, senator, we look at it and ask, “Is this something we can solve in our mandate? Is there some action we can take?”
In a case like this, we would have to know all the details, but it is likely that we would not be able to take all the direct action ourselves, if any action, but there are steps we take. We would come back and indicate to whoever reported it that we advise this be reported to police. Then the police can check to see if there is anything that they can do in that particular situation.
We can, and often do, advise — because in some instances, there may be an element of foreign interference ongoing in Canada — that someone report it to CSIS because there are certainly actions CSIS can take under their mandate.
When one of those organizations is investigating and looking at an issue, they can request assistance from us as well. Under our mandate at CSE, we can provide technical assistance to other organizations. If there is a technical aspect to a situation where our cybersecurity and online operations expertise is helpful, we can provide that support as well.
Sometimes, these issues may fall under the jurisdiction of a province, for example, but the police may be able to coordinate with them on their own and could certainly speak better to that.
Yes, we are a federal organization, but we can and do provide advice, guidance and assistance, and we certainly do when we see a report of something. The minimum we provide is cybersecurity advice on the situation but also advice on who else the impacted individual could go to for support.
[Translation]
Senator Aucoin: Are there other regulatory standards, policies or rules that could be passed, produced or implemented to help you do your job better? Things are evolving so quickly in the field of disinformation and misinformation.
With AI, are you lacking any tools? Are there other tools the government could put in place or create in addition to laws and regulations?
Ms. Walshe: Thank you for the question.
At Communications Security Establishment Canada, we’re not responsible for regulation. We’re responsible for policy development, so we work with other government agencies to provide advice on technical matters.
[English]
When we think about how the government develops these policies and regulations, we work closely with colleagues — for example, in Public Safety, who are responsible for cyberpolicy development — to share our experiences, observations and technical advice as they perform their role in putting forward new policies and proposals for regulation and all of the related issues.
[Translation]
Senator Aucoin: Perhaps you didn’t understand the question. Is your organization lacking anything? Are there other tools that you need?
Ms. Walshe: Thank you very much for the question. I understand. I cannot say that we’re lacking anything, but my colleagues from other organizations that handle these types of situations would be in a better position to answer you.
The Acting Chair: Thank you.
Senator Miville-Dechêne: I’m a very pragmatic person. Since the beginning of your presentation, I’ve been wondering what you’re talking about. Your comments are pretty vague.
I understand that you deal with cyber attacks on government sites, but what exactly are you talking about? Does that happen a lot? Do you have any examples? Can you do more than talk in general terms about the fact that you’re responsible for the cybersecurity of government institutions? What can you say to give us a sense of whether this is a widespread problem or not?
Essentially, we know that, for the election, examples appeared in newspapers and certain things were made public. Generally speaking, though, are people trying to get information from, say, a Revenue Canada website? What do you know? What’s going on? Can you tell us?
Ms. Walshe: Thank you for the question.
Yes, of course. I have some statistics for 2024-25.
[English]
We do track statistics, and maybe I can go through a bit of an example and then turn it over to Mr. Kilberg.
There are two pieces I would talk about. We certainly see cyber-threats hitting not just the Government of Canada but also Canadian organizations. In our role, there are a few things that we do that are important. One is working very closely with government organizations on cyberdefence. For example, and importantly, we have cyberdefence sensors. They show a view into the networks in government that allows us to understand and see threat activity on those networks, so we are able to look and see when an activity that is known to be malicious is targeting the Government of Canada. We can block it in certain cases.
Senator Miville-Dechêne: How many times does that happen? Where does it happen?
Ms. Walshe: I have some numbers. When it comes to cyber‑threats, in the past year, in our 2025 report, I think over 2,000 incidents were reported across government and in the range — if I can find my binder with the exact numbers. We have an annual report, and the numbers are there. Certainly, over 2,000 incidents were reported to us, either directly by the organization or through other tipoffs that organizations —
Senator Miville-Dechêne: Can you give examples?
Ms. Walshe: I cannot speak to specific incidents. Those tend to be sensitive. But it is in the 2,000s — and keep in mind an incident may be quite small. It may be that an organization was targeted, their password was stolen and no other information was taken.
We work on every little piece that comes across government to make sure it’s resolved and regulated. We certainly see a large number of organizations being targeted, so that range is large.
When it comes to specific examples of what we do — and I’ll turn it to Josh to talk a bit more about the specific numbers and what we see, but when it comes to what happens during an incident — I know, senator, you mentioned CRA. I won’t speak to any particular organization, but what happens typically, if it’s in government, is that organization may contact us because something in the monitoring that they do of their system tipped them off that they are worried there is an incident, or we have another indication.
We contact that organization and work very closely with them. We also work with the Treasury Board Secretariat, where the Government of Canada Chief Information Officer is, and we all work to contain it to make sure that that threat is off the system and to give advice and guidance on how to rebuild.
There is a lot of work that goes into saying what is on a system. I’ll turn it to Josh to talk about what we see globally in the Government of Canada, but also what happens and what type of information is taken during an incident.
Senator Miville-Dechêne: If you know, can you tell me if they are foreign actors, the ones who are trying to infiltrate our public institutions?
Ms. Walshe: Absolutely.
Mr. Kilberg: The cyber-threat landscape facing Canada is large and expanding day by day.
We see activity both against the Government of Canada and against Canadians. The most frequent cyber compromise for a normal Canadian would be cybercrime. They can induce you through a spear phishing email to click on a link or open something —
Senator Miville-Dechêne: This is actually for government.
Mr. Kilberg: For government?
Senator Miville-Dechêne: Because it is your mandate, isn’t it?
Mr. Kilberg: Yes. As the Government of Canada, there are a lot of other governments around the world that are interested in accessing our information.
Senator Miville-Dechêne: Like whom?
Mr. Kilberg: In the National Cyber Threat Assessment, we talk about what we call “the big four.” These are the People’s Republic of China, Russia, Iran and North Korea. There are more and more as time goes on because this is a relatively inexpensive and relatively lucrative way of gathering information to advance their national interests.
They are doing this via a variety of means. Some of them are the same things that a cybercriminal would use. Spear phishing is the most popular way of gaining access to a system because they trick us into doing it. This is the human element to it.
They also do this through what is called exploiting a vulnerability. So there are millions of lines of code that run our lives and run the systems, and if they understand access into that, it is like a crack in a wall. They can sneak in.
As Bridget was saying, this is why this program that we have is useful because it is both protection around the Government of Canada but also within. So we’re not going to stop everyone getting in. We will never get to zero with cyber compromises. This is not something that will happen. It is about mitigating the damage, identifying it quickly and stamping it out.
Senator Miville-Dechêne: Is it about AI, or is it just about more traditional computer systems?
Ms. Walshe: When you’re talking about cyber compromise, so breaking into a computer system, I think the best way to think about artificial intelligence is that it is a tool that speeds things up and makes them easier. It’s like an electric bicycle. You can ride a bike, but when you get on an electric bike, it is easier to ride that thing. That is what artificial intelligence is doing.
From a defensive perspective, we use artificial intelligence to identify these threats at speed because these are coming at us very, very frequently throughout the day. We are able to block a lot of them.
But, equally, from an offensive perspective, the attackers, our adversaries, are using artificial intelligence to make their lives easier and to do it faster at an industrial scale.
Senator Simons: Mr. Kilberg, I want to pick up exactly there. We heard earlier that there are maybe 2,000 attacks a year. Have they escalated markedly? As Senator Miville-Dechêne alluded to, we have had hackers as long as we’ve had computers. I mean, cybersecurity existed long before generative AI. So can you quantify for us the degree of escalation? Are there many, many more attacks, or are the attacks just more sophisticated?
Mr. Kilberg: If we talk about threats to the democratic process, which we have been looking at since 2016 and onward, we publish a public report ahead of every election, and the most recent one we published was in 2024. It described a marked increase — I don’t have the percentage with me at the moment, but I am happy to get that to you — in the use of generative AI to create content for disinformation within a political process. That was virtually unheard of in 2016 and 2017, when we started looking at this.
Back then, threat actors were using social media in a similar way as they would now, but they were doing it without the benefit of being able to craft an email in perfect English or perfect French, or whatever language, in half a second and being able to deliver that.
Senator Simons: Or even a “deepfake” that takes —
Mr. Kilberg: Or use a “deepfake.”
Senator Simons: I think about this all the time. We televise these hearings to an audience of the tens and tens of people who watch them. But someone could presumably take our faces and our voices, which are on the internet all the time, and make a convincing René Cormier “deepfake,” who could send messages to people asking them for money or some other kind of — I mean, it is very difficult to know how we protect ourselves in that environment.
Mr. Kilberg: Correct. It’s certainly easier now with the tools that are available. And if we come back two months from now, it will be easier then. The speed at which AI tools are progressing is exponential.
Senator Simons: You talked about numbers from 2024. That was a long time ago in this accelerated reality. Can you track how things have changed from 2024 to 2026?
Ms. Walshe: We certainly do track this over time. I have them in front of me, the numbers for 2024-25. It was 1,155 targeting Government of Canada institutions and 1,406 targeting critical infrastructure. Keep in mind that not all of those were full-blown incidents where information was stolen, et cetera, but were ones we helped respond to.
Senator Simons: I think I can say this, having just said tens of tens of people are watching, but we have had a couple of incidents in the past couple of years where the Senate of Canada website has been hacked and pulled down so that it just doesn’t work. There is not much on the Senate of Canada website that is top secret.
I’ve always been curious who would want to hack the Senate of Canada website and disable it — and to what end.
Ms. Walshe: So it may be good for us to talk a little bit about the types of threats and the types of threat actors we see.
Generally, there are three categories. So there are state‑sponsored threats, as was posed previously. We see state actors. We see cybercrime, those who are out to gain money and are trying to extort. But we also see non-state actors that are state‑inspired. The type of activity where, for example, a website is taken down and is unavailable can sometimes be linked to making a statement like, “I’m going to take away that service.”
I don’t know if Josh would like to provide more background.
Senator Simons: I must point out that millions of Canadians do not go to the Senate of Canada website every day. It is a fairly low-traffic site.
Mr. Kilberg: Sometimes, when there is a compromise, it is faster to just reset the website and get it back up, which is always what the affected person wants.
However, one of the key things that we see here, be it state-sponsored activity, their proxies, hacktivists or cybercriminals — if hacktivists or just some kids find a vulnerability, they will just deface a website for fun. They might do it for political reasons, as well. It’s digital graffiti, just like spray paint. It’s certainly disruptive to the affected party or organization when it happens, and it can certainly reduce trust in the organization or institution.
There are nefarious ways that a state can often have a proxy — a non-state actor group or cybercriminal group — doing their bidding for them. That separates them and their culpability from the activity.
Finally, we do attributions for major cyber incidents that we see occur in Canada. We will write an attribution, which is effectively who we think was responsible for the cyber incident. That is incredibly labour-intensive, and we sometimes do not get the clear answer that we want. However, we endeavour to track that down so that, going forward, we can better inform and better understand the threat that is coming at us.
It is changing. From 10 years ago until now, the number of attributions we have worked on has gone up quite a bit, because it has become increasingly important for us to really understand where the threats are coming from. We look at foreign threats that are hitting Canada, and then it would be the RCMP, CSIS and others who would look at domestic threats in Canada.
[Translation]
Senator Cormier: When AI-generated content causes harm through either disinformation, identity theft or reputational damage, what analysis do you do to determine the extent to which users, platforms and system designers are responsible?
When you analyze a problem such as interference, what methods or tools do you use to determine the cause and the parties involved, whether they’re users, platforms or system developers?
Ms. Walshe: Thank you for the question.
When we’re analyzing a situation involving disinformation, identity theft, or something else, we have to understand the entire situation and all the factors involved.
[English]
That is one of the reasons why we have this construct; for example, it is for protecting elections, the Security and Intelligence Threats to Elections Task Force. From that perspective, a few things are important. First, the membership cuts across the security intelligence community. We have the full mandate of CSC, CSIS, the RCMP and Global Affairs to inform the analysis of the situation. Across the mandates, we have intelligence, police investigation and the analysis that Global Affairs does of actions online.
All those pieces come together to make a determination, especially when we talk about foreign interference and those foreign threats that are impacting or could impact Canadian democratic processes.
Senator Cormier: You have a lot of issues, of course, but what is the biggest challenge you are facing?
Ms. Walshe: From a broad security perspective?
[Translation]
Senator Cormier: What keeps you up at night?
[English]
What is the biggest challenge you have?
Mr. Kilberg: It’s funny. I never have problems sleeping; I work really hard.
The challenges are broad. One is the pace of the threat, as we discussed. That is something that, as an organization, we strive to respond to. When I think about the pace, that’s where artificial intelligence can also be helpful. The threat actors are automating and do what they do faster and more cheaply, but so are we. We use artificial intelligence for the work that we do to protect systems and to develop software to protect those systems. We are doing the same thing.
We try to take each challenge and address it.
Other issues, I think, come down to the context of the threat. As my colleague mentioned, we see different categories of threats. It is a challenge to keep on top of understanding those. What are the technologies being used by cybercriminals? What are the technologies being used by state actors, by their proxies and by hacktivists? Knowing that, we can provide good, solid advice and guidance.
Finally, I would say the challenge is thinking about how we evolve our response — the research aspect. How do we stay on top of cyber-threats and evolve the technologies that we use and develop to protect information and detect cyber-threats so that we’re staying ahead?
The Acting Chair: We have reached the end of our time for this session. We appreciate your testimony. I would like to thank Ms. Walshe and Mr. Kilberg for being here at this later hour tonight and broadcasting to our global audience with us. I would like to thank our staff and senators. In particular, I would like to thank the translators tonight, because one of the things going on behind the scenes is that we had some difficulty with connectivity with our online witness. They persevered so that questions could be asked and answered.
(The committee adjourned.)