Bill Respecting Cyber Security, Amending the Telecommunications Act and Making Consequential Amendments to Other Acts

Moved third reading of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

He said: Honourable senators, I rise today to speak at third reading of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

I wish to first thank my colleagues on the Standing Senate Committee on National Security, Defence and Veterans Affairs for their thoughtful study of the bill.

Colleagues, every aspect of our daily lives, from how we communicate with loved ones to how we heat our homes, access health care and manage our finances, relies on digital infrastructure. The digital space is no longer just a tool for convenience; it is a foundational piece of our modern society, our economy and our national security. While this interconnectedness brings immense opportunity, it also exposes us to unprecedented vulnerabilities.

To understand why Bill C-8 is before us, we must first look at the threat landscape facing Canada. Our critical infrastructure, including our telecommunications networks, financial systems, energy grids and transportation pipelines, all operate on highly interconnected digital pathways. These vital systems are now targeted daily by state-sponsored actors, cybercriminals and hacktivists. Collectively, these attackers seek to disrupt our way of life, steal our intellectual property and undermine our democratic institutions.

As we heard during the course of our study of Bill C-8, these threats to Canada’s cybersecurity are no longer abstract warnings but are measured in the hours or mere minutes it takes an attacker to cripple a network. They present real and urgent risks to our public safety, national security and economy, and that is why we must act.

Indeed, as we have already heard, the data confirms the scale of this threat. Just in the last year, we have witnessed a significant rise in incidents targeting Canada’s critical infrastructure. In 2024-25, there were more than 1,400 cyber incidents against critical infrastructure. That is an astounding average of almost four incidents every day and a nearly 20% increase from the previous year.

Ransomware remains the top cybercrime threat facing our critical infrastructure. Operators are frequently targeted because cybercriminals know they are highly motivated to pay ransoms to avoid service disruptions for customers. These numbers are also staggering. In 2023, ransomware incidents skyrocketed by 159% in information technology, 157% in finance and 67% in the energy sector, compared to the previous year.

Just in recent months, we have seen high-profile domestic incidents, including a ransomware attack on Nova Scotia Power as well as a server breach at WestJet. These are not isolated IT glitches. They are direct hits on the essential services and private data of everyday Canadians.

We have also seen the devastating potential of these attacks on a global scale. The 2021 ransomware attack on Colonial Pipeline in the United States demonstrated exactly how an assault on critical infrastructure can understandably trigger panic. A single breach led to widespread fuel shortages, price spikes and the declaration of a national state of emergency by the President.

The Communications Security Establishment has explicitly warned that Canada’s oil, gas and broader energy sectors face this exact same threat.

Every single cyber incident also comes at a direct cost to Canadians, Canadian businesses and our national economy. These disruptions cost Canada’s economy $5 billion annually.

Colleagues, we are living in an era where our national security is no longer defined solely by physical borders. Today, our sovereignty, our economy and the daily lives of Canadians are linked to the digital architecture that underpins our nation. A successful, coordinated cyberattack on our energy grid during a Canadian winter or a widespread disruption of our banking systems is no longer a hypothetical plot point. It is a clear and present threat to national stability.

Aaron Shull, Research Director at the Centre for International Governance Innovation, laid out the threat environment in his testimony at committee:

It is trite to say that our electrical grids, pipelines, telecommunications, water systems and financial networks are the arteries of modern life, but the point is that they’re all increasingly automated and under sustained pressure from sophisticated state-sponsored adversaries who are not simply stealing data any longer; they are pre-positioning to disrupt.

This is not an academic concern. Salt Typhoon told us what happens when telecommunications networks are penetrated at scale. Volt Typhoon told us that pre-positioning in operational technology is no longer a hypothetical, and every operator I work with has stories about the rising tempo of intrusions against industrial control systems.

He went on to say:

The problem is that too often, we can’t tell if an outage was a fault or a foreign intrusion. The honest answer is that we just don’t know. That is a posture this country cannot afford.

In my view, Bill C-8 is the foundation to change that. It establishes a unified framework across federally regulated critical sectors and gives governments the tools to compel the hardening of the systems Canadians depend upon.

Bill C-8 provides a comprehensive, proactive and robust framework to safeguard Canada’s digital ecosystem.

I will not repeat today what the bill does, but I will talk briefly about our committee study and some of the testimony we heard.

Stakeholders were generally supportive of the bill in its amended form. Industry stakeholders who have always been in favour of the bill emphasized that the need for this legislation has continued to grow as technology evolves rapidly.

Todd Warnell, the Chief Information Security Officer for Bruce Power, stated before the committee:

. . . Bill C-8 is not an end state; it is a foundation. However, in a world defined by greater volatility and uncertainty, establishing that foundation is urgent. The threat environment has evolved faster than our policy framework, and this legislation is an essential step toward closing that gap.

Philip Stupak, the former Assistant National Cyber Director for the Biden administration, said:

The bill before you sends two unambiguous messages: First, to our shared adversaries, pre-positioning cyber weapons in civilian critical infrastructure will not be tolerated. Second, to all of Canada’s cyber defenders, you are not alone. The Canadian government will answer the call to help you keep us safe.

By passing Bill C-8, you are meeting this moment of heightened uncertainty and protecting Canadians against the next threat.

My experience has afforded me the understanding that the arduous and slow process of passing cyber legislation means we need to respond to both the crisis of the moment and the unknown ones of the next 20 years. Bill C-8 provides the flexibility to adapt as the digital world evolves. This flexibility matters. It enables Canadians to defend against the threats and adversaries of today and tomorrow.

Mr. Stupak went on to state:

Bill C-8 also maximizes Canadians’ privacy rights. The Canadian Centre for Cyber Security has a long operational history of simultaneously protecting Canadians’ security and their privacy. They know how to do this, and they do it well.

The biggest, most persistent threat to privacy comes not from the Canadian government but from all the governments Canadians do not elect. Foreign adversaries can exploit vulnerabilities to gain access to your calls, emails and text messages. Bill C-8 shuts down that privacy violation by giving the government the tools it needs to secure the telecommunications sector, and it does so by expressly adding privacy-enhancing language to this security bill.

David Shipley, the Chief Executive Officer of Beauceron Security Inc., stated:

There have been well-intentioned objections to Bill C-8 from various groups on privacy grounds. I believe the updates from Bill C-26 have gone a significant way to address many of them. Some may still feel otherwise.

However, the idea that Canadians’ data may be caught up in a Bill C-8-related incident filing is truly incidental. While we debate the potential risks of edge cases, criminals and nation-states are deciding whether Canadians get timely, lifesaving health care or safe access to drinking water.

Even those who expressed concerns over how the bill treats privacy rights recognized the need for this legislation and acknowledged that, while Bill C-8 may not be a perfect bill, it is very much needed.

Aaron Shull spoke about the importance of passing the bill and beginning the regulation process:

Operators are now waiting for two things from Parliament. The first is the certainty of an act that is in force. The second is regulations that will tell them what compliance actually means. Every additional week without that certainty is a week during which investment is deferred, hard governance conversations are deferred and adversaries continue their work uncontested.

To be sure, Bill C-8 is not perfect, but the threat surfaces are evolving faster than statutes can anyway. That is precisely why the five-year review matters and why the regulations that will follow the act will matter at least as much as the wording of the act itself.

The work that the House did, in my humble estimation, produced a workable, principled framework that addresses an urgent national security gap. Canada’s critical infrastructure operators and the Canadians who rely upon the systems they run are waiting for Parliament to finish what it started.

As Mr. Shull stated, timely implementation of the regulations will be key.

In a letter to our committee, the Minister of Public Safety said this about the regulatory process:

With regard to Part 1 of Bill C-8, the first orders could be developed in roughly 6-12 months after receiving Royal Assent. This timeline would support a robust order-making process, including opportunities for stakeholders to provide information and submit comments, and for the Minister or Governor in Council to consider relevant factors set out in the Bill. It would also provide stakeholders with time to review and align investment and operational planning with any new requirements.

Regulations to implement the [Critical Cyber Security Systems Protection Act] are expected to take approximately 12-24 months consistent with the Cabinet Directive on Regulation. In line with the Government’s commitment to consult throughout regulatory development, this process will include engagement with provincial and territorial governments, industry stakeholders, Non-Governmental Organizations (NGOs), the Privacy Commissioner, the Intelligence Commissioner, and Canadians more broadly.

Personally, I am pleased to see the government’s commitment to consult with the Privacy Commissioner and the Intelligence Commissioner as part of the regulatory process.

As we debate this bill at third reading, our responsibility as a chamber of sober second thought is to balance the absolute necessity of national security with the fundamental rights, freedoms and privacy guarantees owed to every Canadian citizen.

This legislation contains robust guardrails. It is not a back door to surveillance, nor will it repress free expression. Instead, it ensures the security and resilience of our country’s digital networks.

Colleagues, Bill C-8 is focused on technical, operational and network data. The bill limits data collection strictly to regulatory necessities, such as equipment configurations, software update protocols and threat details.

The Communications Security Establishment, or CSE, submitted a brief to the committee clarifying this. They indicated:

The specific requirements for incident reporting have not yet been finalized. The design of the reporting framework — including the structure and types of data collected — will be developed through a regulatory process that includes consultation and engagement with industry stakeholders.

This process will help ensure that only necessary and appropriate technical information is collected. Potential data elements may include indicators of compromise, exploited vulnerabilities, tactics, techniques, and procedures used by threat actors, and other technical details relevant to incident analysis.

This data can include information that has a Canadian privacy interest, such as suspected malicious IP addresses or a username, but it does not include information like the content of emails, credit card numbers, relationships, or birth dates.

All information collected will be handled in accordance with the CSE Act and other applicable legislation, including the Privacy Act. Protecting the privacy of Canadians is a legal requirement that underpins all of CSE’s activities.

Colleagues, to provide absolute certainty, the bill explicitly states that any personal data must be destroyed in accordance with the provisions of the Privacy Act once it is no longer required. It now also specifies that federal powers cannot be used to assist law enforcement investigations or intercept private communications.

Ensuring infrastructure operators maintain high security standards will likely create stronger protections for the privacy of Canadians, as it will reduce the likelihood of data breaches of companies who hold their sensitive personal information.

In fact, the greater risk to our privacy right now is not having this framework in place. Andre Arbour, Director General of the Telecommunications and Internet Policy Branch at Innovation, Science and Economic Development Canada, or ISED, said the following at committee:

What’s keeping me up at night is the lack of authority to take action in this space, and we have just scratched the surface in some of the questions in the first hour on the range of threats that we’re seeing. There is a fivefold increase in catastrophic damage from extreme weather events and skyrocketing increases in ransomware due to what we’ve seen in terms of organized crime and crypto‑currency. There are hostile state actors, and CSE has publicly . . . [pre-positioned or linked] them to other geopolitical events.

 . . . a lot of the devil in the details will be worked out through the regulatory process, but we are already pretty substantially behind and are champing at the bit to try to get on with it, frankly.

Mr. Shull laid out an example for us of our current reality without the bill being in place. He said:

Suppose we are dealing with an interprovincial pipeline in the winter. Suppose, further, there is a hostile state. . . . [that] injects malicious code into the infrastructure and turns the gas off. Suppose, further, that the government knows how to fix it. They need to inject certain code into the infrastructure in order to address it. As it stands right now, there is no legal requirement for that infrastructure provider to take that code. Under this bill, there would be.

Furthermore, the regulatory bodies responsible for enforcing this act will be subject to accountability structures, ensuring that their powers are exercised reasonably, proportionately and in accordance with the law.

This legislation achieves a vital balance between rapid executive action and democratic accountability. Every order issued under this act must meet strict standards of reasonableness and necessity.

To ensure robust oversight, the government must notify the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security and Intelligence Review Agency, or NSIRA, within 90 days of any confidential order being issued.

Furthermore, the minister will table annual reports explaining in detail the utility and necessity of these powers, which will also be augmented by a mandatory five-year review of the legislation following Royal Assent.

Taken together, these rigorous guardrails ensure transparency, protect confidentiality and, in my view, give Canadians confidence that these powers will be used responsibly.

Honourable senators, the digital threats we face are evolving at an alarming rate, and our laws must evolve with them. We cannot afford to wait for a catastrophic cyber incident to expose the gaps in our defences before we take action. The passage of Bill C-8 is an essential step forward in our national defence.

This is not about imposing unnecessary bureaucratic red tape on businesses. It’s about establishing a baseline of resilience.

We now live in a world where cyber-threats are a daily reality. Bad actors constantly target our financial systems, energy sectors and telecommunications networks. When a hospital’s systems are held to ransom, patient care is compromised. When an energy grid is disrupted, homes lose power and businesses grind to a halt. When our banking system is targeted, Canadians lose access to their money, and trust in our financial institutions is shaken.

These attacks are larger and more complex than ever before. When a cyber incident succeeds, the consequences are severe and long-lasting. Indeed, it is individual Canadians who suffer most when their data is stolen and their daily lives are disrupted. Because our critical infrastructure is so interconnected, a breach in one sector can quickly cripple another.

Colleagues, in the development of policies meant to help protect Canadians, there will necessarily be tension between protecting privacy and ensuring our national security. I think the House of Commons did a good job at committee in balancing those competing priorities while making sure that our security agencies have the tools they need to protect Canadians. They did this through the introduction of 37 amendments.

Our allies have already moved to protect their digital borders. Canada must keep pace. We cannot afford to leave our critical systems unsecured for another day.

As lawmakers, we have the power to secure our digital economy. We can ensure that our banks and telecom networks remain safe and reliable. This bill protects Canadians, businesses and the vital systems they rely on today and into the future.

For all of those reasons, I hope all senators will join me in supporting this bill. It is long overdue and it is urgently needed. Let us work together to secure our digital borders, protect our citizens and ensure Canada remains a safe, prosperous and free society in the digital age.

Thank you. Meegwetch.

Senator McNair, would you take a question, please?

I certainly would.

Senator McNair, you started your speech — and we are thrilled to see this bill and be at this point. It was a year and a half ago when we were at this point before. It was December before we sent it back to the House because of a very consequential error that you identified. I am glad to hear that you think good progress has been made in the meantime.

I want to focus on one of the first things you said: This is the first step in a long journey. We have a lot more work to do as a country to keep Canadians safe in an area where adversaries are really doubling down on their efforts because they have been successful.

Can you give us any indication about what next steps we might be seeing and where you see this moving from what you’ve heard? It is crucial that this be step one and that we see more work coming down this road.

Thank you for the question. It is a good question.

The next steps are the regulatory process, putting the teeth into the bill so that they can take action. I mentioned the letter that the Minister of Public Safety sent to the committee. One of the sections in the letter — about a page and a half of it — deals with federal-provincial-territorial collaboration. I think that is part of the next steps.

I look forward to seeing the regulatory process start. I’m pleased the minister confirmed in writing that it could take place for Part 1 of the bill within 12 months, suggesting they would adhere to 12 to 24 months for Part 2 of the bill.

Thank you.

Were there discussions on the importance of incorporation by reference — incorporating industry consensus-based standards by reference — in order to speed up the regulatory process? I am not talking about developing stand-alone, unique regulations to move the bill forward but, wherever possible, to incorporate industry standards as being equivalent to the intention of the bill. That could rapidly speed up the process, especially in consultation with industry experts.

Was that a consideration as guidance to the government during discussions because that two-year period is still a long time away?

I didn’t hear any discussions generally, but what you are suggesting makes sense. I will suggest that to the minister in my future conversations.

Thank you.

I would. Thank you.

You said in your third reading speech today that stakeholders are generally in favour of the bill, but what about those witnesses who had significant criticisms of the bill and testified at committee and suggested improvements and amendments right up until the end of our government-truncated Bill C-8 time frame? Off the top of my head, those include the Intelligence Commissioner, Kate Robertson of the Citizen Lab, Professor Matt Malone and Sharon Polsky.

You also said in your speech today that you are “. . . pleased to see the government . . . consult with the Privacy Commissioner and the Intelligence Commissioner . . . .” But, Senator McNair, this is too little, too late on this bill. The government’s own senior officials testified at committee that the government had not consulted with the Privacy Commissioner or the Intelligence Commissioner in between that six-month time frame, which was between the time that the House received back the amended Bill C-26 and when they basically reintroduced an unchanged bill as Bill C-8 in the House of Commons in the new Parliament. They didn’t consult with either of those senior officials. Then when Intelligence Commissioner Simon Noël testified at the National Security, Defence and Veterans Affairs Committee about Bill C-8, he told us that he is “completely absent” from the processes that the Liberal government has set out in Bill C-8.

Do you contend that is appropriate?

I’m encouraged by the fact that the minister is committing that there will be discussions with both the Privacy Commissioner and the Intelligence Commissioner during the regulations-making process. The Intelligence Commissioner is a well-respected individual, as is the Privacy Commissioner.

The Privacy Commissioner made three recommendations to the committee in the other place. Two of those recommendations were followed up on and put into action. As to the third one, it is really a difference of opinion on whether they have to notify the Privacy Commissioner of security breaches when there is a requirement already in the Personal Information Protection and Electronic Documents Act, or PIPEDA, for individuals to do it.

I am pleased they will have further discussions.

I know they didn’t meet within the window of time you talked about, but they had met with both the Privacy Commissioner and Intelligence Commissioner before that window of time to discuss generally. I think the discussions will be much more focused from both sides.

Regarding the time frame you just talked about, they told us they met with the Privacy Commissioner at an official level in 2019. The first bill — Bill C-26 — was only introduced in 2022. That’s what they were talking about for their time frame of meeting.

You were just saying in one of your answers to our colleague here that you expect the full regulations to come into effect in “12 to 24 months.” I thought they were going to try to get them done at the outset — which would be 18 months when I was asking about it at committee — but now it is back to 24 months. That will be more like a 12-year time frame from the start of their consultations on this bill to the end.

Is 24 months correct?

The letter talks about a range of 12 to 24 months.

There is a sense of urgency, not only at the ministerial level but also at the official level. As Minister Anandasangaree has clearly shown, they are chomping at the bit to get this done. And 18 months is halfway between 12 and 24 months, as you know.

The goal is to push hard on this. My understanding is that officials are ready to start out as soon as they get the proclamation.

Senator McNair, would you take a question?

Certainly.

First, let me start by thanking you for the second time for trying to get this bill through the Senate. I recognize the exhaustive process we went through the last time in having to fix the deficiencies and deal with an election.

The vast majority of witnesses who came before the committee to testify on this bill recognized that it’s not perfect in its ideal sense, but they also stressed the importance of us passing this bill as soon as possible so that we can protect Canadians writ large. In the absence of this legislation, they remain vulnerable to the challenges of cyber breaches in this country.

Senator Yussuff, that’s exactly the position that the vast majority of people appearing before the committee took, as it was in 2024. If anything, the sense of urgency is heightened today even more, as you say, because we’re in a position where we can’t protect Canadians properly.

Mr. Shull said, “If I have one thing to tell you, it’s pass the legislation now.”

Colleagues, we’re all aware that we live in a federation called Canada, and the vast majority of cyber protection in this country falls at the local level at the provincial or territorial level and at the municipal level.

Senator McNair, we did, of course, ask the minister very directly about this question in regard to how we can better integrate the federal government’s responsibility and also collaborate with the provinces and territories and include the municipalities in the important work they are doing, including private industry. He gave what I thought was an important answer, recognizing that we live in a constitutional democracy and we have the division of powers in this country.

Is it possible for you to reflect so that this chamber can understand the importance of this and why we need to get this right in working with the provinces, territories and municipalities across this country?

Thank you, Senator Yussuff. The minister referred to the ongoing collaboration with the provinces, territories and municipalities. He is a champion of that, and in his letter to the committee, there was a page and a half dealing just with the intersection points and how he uses those to promote collaboration and cooperation.

I am satisfied that he will continue to push hard on that. The best-case scenario from the federal government’s point of view is that they use Part 2 of the bill as a template for putting in their own legislation. The best-case scenario would be if all provinces and territories have the critical cyber systems protection act in place provincially and nationally.

Senator McNair, let me begin first by wishing you a happy birthday. That’s partly why I got a question in.

Senator McNair, during the formulation of this bill, was there any discussion about quantum computers and the severe threat that they pose, potentially using quantum technology to break standard encryption? And how might we protect against this on a go-forward basis? Thank you.

There was no direct discussion at the committee level, but there was discussion among people on artificial intelligence and quantum computing.

The point about this bill is that it’s robust enough and not specific — it’s generic at this stage — so the regulatory process can deal with issues around quantum computing and artificial intelligence.