Bill Respecting Cyber Security, Amending the Telecommunications Act and Making Consequential Amendments to Other Acts
Bill to Amend—Second Reading—Debate Adjourned
September 19, 2024
Moved second reading of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
He said: Honourable senators, I rise today as the sponsor of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
Colleagues, this is a bill of critical importance. Cyber-threats have become pervasive in our society. Over the past few years, we have seen increasingly sophisticated cyberattacks all across our country. They put our critical infrastructure at risk and impact Canadians’ ability to go about their daily lives. There are numerous examples of cyberattacks, and I want to briefly mention a few of them.
In May of this year, a major pharmacy chain was the target of a ransomware attack and was forced to close all of its 79 stores for over a week. Many Canadians were put in the difficult position of being unable to fill vital prescriptions without any advance notice. Additionally, the hackers in that case released sensitive stolen employee data.
A somewhat different example was the ransomware attack that took down the Toronto Public Library’s computer systems in October 2023. From a CBC article on the incident:
. . . the [Toronto Public Library] is the busiest urban public library system in the world. Members borrowed from its 11 million lendable items around 27 million times in 2022 . . . .
The article continues that, in October 2023, cybercriminals encrypted their computer systems and stole employee data. The library didn’t pay a ransom to restore its systems. Instead, it chose to rebuild them, and it did this while keeping its doors open to the public.
The Toronto Public Library provides vital services, including access to the internet and a free public haven, in addition to the books, CDs and DVDs that it loans out on a daily basis. It took four months for the library’s services to come back online.
This past March, the City of Hamilton, Ontario, was the victim of a ransomware incident that knocked out several of its online services. While Hamilton’s critical services were not affected, cyberattacks on municipal networks can lead to dangerous situations if they tamper with emergency, water or waste water systems.
In 2020, the municipal computer network for the City of Saint John was the victim of a ransomware attack that forced the city to disconnect itself from the rest of the world. I was living and working in Saint John at that time and remember the attack only too well. On November 13, criminal hackers executed a ransomware attack on Saint John’s IT systems. Upon discovery, the city immediately severed its IT links to the outside world to prevent the virus from spreading. The city developed a temporary website to ensure municipal services were able to resume quickly. Alternative IT processes had to be developed rapidly, and Saint John managed to do this with a great deal of success.
An analysis completed by a third-party expert company determined that no personal identifying information — including such things as credit card numbers, bank account details and social insurance numbers — had been leaked or stolen. Furthermore, despite the cyberattack, almost all municipal services continued with minimal disruptions. This included services such as emergency response, garbage removal, provision of water, treatment of sewage, road repair, winter storm management, public transit and council meetings. The city quickly made the determination that repair of the existing systems was not an option given the degree of penetration of the virus. Instead, they, like the Toronto Public Library, decided to build a completely new network. That new network would allow them to take advantage of the latest innovations in cybersecurity and network design as well as remove the risk of any lingering virus remnants.
This incident forced Saint John to upgrade their cyberdefences. The city manager emphasized in an update to city council that it is no longer a question of “if” a corporation or entity will be attacked, but rather “when.” He further stated:
. . . there is no doubt that institutions with which anyone interacts will be breached and sometimes you will not even know about it. . . .
To that end, the city shared their lessons learned with many public and private sector organizations as well as provincial and federal stakeholders.
There has also been an increase in cyberattacks and activity at the provincial level. Earlier this year, numerous cybersecurity incidents were identified on the Government of British Columbia’s networks. Last year, Hydro-Québec was the victim of a cyber incident on its website. In 2021, Newfoundland and Labrador’s health care system was targeted, resulting in a significant IT systems outage for their health care system.
At the federal level, a number of government departments have also been targeted in recent months. And I am sure we all remember the 2020 announcement by the Government of Canada that cyberattackers had accessed and modified personal information held by the Canada Revenue Agency and Employment and Social Development Canada for financial gain. That attack compromised the sensitive personal information of tens of thousands of Canadians.
Colleagues, in this day and age, being online and connected is essential to all Canadians for the purposes of staying in touch with our loved ones, conducting business, paying bills and accessing needed services. Now more than ever, Canadians rely on the internet in their daily lives. Our critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cyber systems, and the consequences of cyberattacks like the ones I have just mentioned have far-reaching impacts on our country.
These examples of cybersecurity attacks clearly indicate that all sectors are at risk: our banks, our utilities, our businesses and our governments. Simply put, it’s our entire critical infrastructure. And the number and sophistication of attacks are on the rise. The Communications Security Establishment has indicated that cybercrime is now the most prevalent and pervasive threat to Canadians and Canadian businesses.
Earlier this year, the Communications Security Establishment’s Canadian Centre for Cyber Security joined Five Eyes’ operational partners in warning that foreign state-sponsored cybercriminals are seeking to preposition themselves for disruptive or destructive cyberattacks against critical infrastructure in our respective countries. Malicious cyber-enabled activity such as espionage, data and intellectual property theft and sabotage pose significant threats to Canada’s national security and its economic stability. As was the case for the City of Saint John, it is no longer a question of “if” our systems will be attacked, but rather “when.”
Let me be clear about the policy gaps that Bill C-26 is intended to remedy. First, ministers in some critical infrastructure sectors, such as those responsible for the energy, finance and transportation sectors, all currently have a security mandate. The telecommunications sector does not, and it is obviously vulnerable to cyberattacks. This needs to be remedied. Second, during the 2016 public consultations that led to the 2018 National Cyber Security Strategy, industry highlighted the need for regulation in cybersecurity — a space that has largely been unregulated. Third, the government currently does not have a clear and explicit legal authority to compel action to address cybersecurity threats or vulnerabilities. This extremely hinders our ability to fight back. Fourth, it is not currently a requirement for organizations to report when they have been the target of a cyberattack. Mandatory reporting is essential to improve cyber-threat information sharing between the private sector and the Government of Canada to the benefit of both industry and governments.
Bill C-26 includes two complementary initiatives that will help equip governments and industry with the tools they need to respond to cyber-threats. Part 1 introduces amendments to the Telecommunications Act to add the promotion of security as an objective of the act and to create new authorities which could be used to secure Canada’s telecommunications system against threats posed by high-risk suppliers. This will bring the telecommunications sector in line with our other critical infrastructure sectors of energy, finance and transportation.
Amendments to the Telecommunications Act will authorize the Governor-in-Council and the Minister of Innovation, Science and Industry, through the use of cybersecurity directions, to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system.
Part 1 also establishes an administrative monetary penalty framework to promote compliance with orders and regulations made by the Governor-in-Council and the Minister of Industry to secure the Canadian telecommunication system. Importantly, it also provides specific rules for the judicial review of those orders and regulations.
This will allow the government, when necessary, to prohibit Canadian telecommunications service providers from using products or services from high-risk suppliers, meaning those risks are not passed on to users. For example, if this bill passes, it will give the government the ability to ban products or services from Chinese providers like Huawei and ZTE.
Under these new powers, telecommunications service providers could be prevented from using or be required to remove all products and services from designated suppliers.
Part 1 also allows the government to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.
Part 2 of Bill C-26 enacts the new “Critical Cyber Systems Protection Act.” That act would establish a cross-sector regulatory framework, requiring designated operators in the federally regulated finance, telecommunications, energy and transportation sectors to protect their critical cybersystems.
Part 2 also, among other things, specifically authorizes the Governor-in-Council to designate any service or system as a vital service or vital system; authorizes the Governor-in-Council to establish classes of operators in respect of a vital service or vital system; requires designated operators to, among other things, establish and implement cybersecurity programs, mitigate supply-chain and third-party risks, report cybersecurity incidents and, most importantly, comply with cybersecurity directions. It also provides for the exchange of information between relevant parties, and it authorizes the enforcement of the obligations under the act and imposes consequences for non-compliance.
Part 2 also makes a number of consequential amendments to certain acts.
Currently, incident reporting by organizations is inconsistent, to say the least. Because of this, the federal government lacks a clear picture of the scope and depth of cyberattacks targeting critical infrastructure. Canadians rely upon and place trust in critical infrastructure operators to provide services and protect their data. Mandatory cyberincident reporting is about supporting operators in this responsibility.
The government will be able to provide timely cyber-threat information and mitigation advice to help operators secure their systems, making one organization’s detection another’s prevention.
In addition, this part of Bill C-26 also aims to serve as a model for our provincial, territorial and municipal partners to protect critical cyberinfrastructure in sectors under their respective jurisdictions. This could ideally avoid a patchwork system and streamline cybersecurity programs across government partners.
While Bill C-26 was supported by all parties in the other place, stakeholders suggested some amendments to strengthen the bill. Accordingly, the Standing Committee on Public Safety and National Security in the House adopted a number of amendments. Those include an amendment adding a reasonableness standard for the issuing of ministerial orders and cybersecurity directions; an amendment implementing review provisions to ensure that the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security Intelligence Review Agency, also known as NSIRA, can review the government’s orders and directions; an amendment requiring the Minister of Industry and the Minister of Public Safety to table an annual report on the making of orders and directions issued; an amendment making explicit reference to the provisions of the Privacy Act; an amendment setting a baseline 72-hour deadline for affected critical infrastructure providers to notify the Cyber Centre of an attack — incidentally, that is consistent with U.S. reporting standards; an amendment committing the federal government to work collaboratively with the provinces and territories; an amendment clarifying the applicability of the due diligence defence for companies that take all reasonable steps to protect their critical cybersystems; and an amendment updating information-sharing provisions to ensure that all confidential information provided to the government by regulated critical infrastructure providers will be kept confidential.
I am of the opinion that the adopted amendments appropriately address the concerns raised about a need for more oversight and transparency, as well as the need to protect privacy.
Bill C-26 has been drafted to respect privacy and civil liberty, while balancing the need to ensure Canadians’ safety and the national security of our country. Although privacy is protected through a number of constitutional and legislative instruments, amendments to the bill now provide even greater certainty that personal information and privacy will be protected in accordance with the Privacy Act.
The bill also now makes it clearer that confidential information must continue to be treated as such by anyone receiving it when it is necessary to be shared. Further, the amendments adopted will bolster transparency and, in doing so, ensure that Canadians can hold authorities accountable.
Honourable senators, from electronic espionage to ransomware, the threats to Canadians from malicious cyberactivity, including cyberattacks, are greater than ever. Bill C-26 will help critical infrastructure operators better prepare for, prevent and respond to cyberattacks. As 5G networks continue to be installed across Canada, the government is committed to helping seize the opportunities they present while also safeguarding Canadians from the risks. That includes taking significant measures to protect the cybersystems and infrastructure that everyone rightly relies upon.
Amending the Telecommunications Act to add security as a policy objective will bring telecommunications in line with other critical sectors of our economy. The amendments proposed to the Telecommunications Act will allow the government to mandate necessary actions to secure Canada’s telecommunications system. This includes prohibiting Canadian companies from using products and services from high-risk suppliers.
Furthermore, the new critical cyber systems protection act, or CCSPA, will be a major step forward in the protection of Canada’s critical infrastructure. The CCSPA will increase information sharing between industry and government by requiring designated critical infrastructure operators to report cybersecurity incidents to the Communications Security Establishment, the Canadian Centre for Cyber Security and industry regulators.
By improving the government’s awareness of the cyber-threat landscape in the critical, federally regulated sectors of finance, telecommunications, energy and transportation, the government will be better able to warn operators of potential threats so they can take immediate action to protect their systems and to protect Canadians.
In the 21st century, cybersecurity is a critical part of national security. It is the government’s responsibility to protect Canadians from growing cyberattacks.
We all recognize that recovering from cybersecurity incidents is both costly and time-consuming. Accordingly, when it comes to improving cybersecurity, the interests of government and private industry are very much aligned. Nevertheless, an administrative monetary penalty framework has been added, and offence provisions will be established within both parts of the bill to promote compliance with orders and regulations. Summary and indictable offences would be punishable under the act by fines/imprisonment.
For example, Part 1 of the bill would make it an offence to contravene an order or regulation made by the Governor-in-Council or Minister of Industry. Part 2 of the bill would create a number of summary and hybrid offences for contravening specified provisions of the act. These include the offences of contravening a cybersecurity direction, disclosing information about the existence or contents of a cybersecurity direction and disclosing confidential information in circumstances not permitted under the act. In addition, an organization that fails to comply with mandatory reporting and/or fails to set up a cybersecurity program may face penalties.
Colleagues, to put it bluntly, without this bill, we remain an easy target for cybercriminals. Our Five Eyes allies are already miles ahead of us in bolstering their cybersecurity defences. We need to get on the same page. To summarize, Part 1 of Bill C-26 ensures that the telecommunications sector can be regulated for purposes of securing the Canadian telecommunications system and that the government can act swiftly in an industry where milliseconds can mean the difference between safety and risk.
Part 2 establishes a cross-sectoral approach to cybersecurity across four federally regulated sectors.
In short, this legislation will form the foundation for securing Canada’s critical infrastructure against fast-evolving cyber-threats while spurring growth and innovation to support our economy.
Let’s be clear: There is no shortage of bad actors who — whether with strategic, financial or criminal aims — would seek to exploit vulnerabilities in our cybersystems.
Nowadays, our cybersystems are understandably complex and increasingly interdependent with other critical infrastructure. Consequently, security breaches are far-reaching. Incidents like the ones I mentioned earlier have severe, lasting and alarming consequences for the entities involved, but more critically for the individuals whose lives were impacted.
A consistent cross-sectoral approach to cybersecurity is needed to address this complex issue. I believe this bill has found the right balance.
Bill C-26 will allow the government to take action against threats to the security of our telecommunications, transportation, finance and energy sectors and ensure Canada remains secure, competitive and connected while also aligning us with our Five Eyes partners.
Once again, colleagues, it is not a matter of “if” but “when” we do this.
I look forward to the timely passage of this bill after careful consideration at committee, and I hope my colleagues will support it.
Thank you, meegwetch.
Honourable senators, I would like to thank Senator McNair for his compelling second reading speech on this bill. Indeed, a lot of bad actors are out there and are more sophisticated than most of our good actors. The idea of a seamless, consistent set of standardized systems to protect cybersecurity and national security was well positioned by you.
Specifically, when there is a breach, operators must — in a period not exceeding 72 hours — report the cyberincident to the Communications Security Establishment, which is a good thing. We can have a consistent recipient of that information regarding cyber-breaches, but I contrast that with Bill C-65 — and I’m going to get to my question — where, for political parties, an unauthorized disclosure requires informing the individual of the breach with no set time frame, only as soon as feasible. There is no requirement to reach out to Communications Security Establishment Canada.
Do you have any insight or have you had a chance to speak to the minister? It’s the same minister for both bills — public safety — as to why political parties have been separated out when they are holders of enormous amounts of private information on every Canadian citizen and they are targets, I would expect, of bad foreign actors. Why would the same provision not be in place in that regard? If you have any insight. Thank you.
Thank you for the question. I do not have any specific insight on that issue. I haven’t spoken to the minister about it, but I will raise it with officials and try to return to you with a response.
Thank you.
Honourable senators, I’m the critic for this bill, but I only found out that you were making your sponsor speech about an hour before we were sitting today. I thought it was going to take place later, so I haven’t had my critic’s briefing yet. I’m not as up to speed on it as I would like to be able to ask you substantial questions on it. It’s a big bill; it’s 90 pages. I would have hoped for more detail on certain parts of this bill because I feel like it’s a very wide-ranging and important bill.
My first question, Senator McNair, is this: There are many parts — as you described in your speech — that give the Governor-in-Council, that is, the cabinet, the power to do. In Part 1, you said that they’re allowed to do anything to secure the Canadian telecommunications system. That’s cabinet that’s allowed those powers. Part 2 authorizes the Governor-in-Council to do this and the Governor-in-Council to do that. There are significant, wide-ranging powers that are being granted in this bill to the cabinet, the executive branch of government.
What kind of oversight is provided in Bill C-26 to oversee those major powers in the cybersecurity realm? I see a reference to judicial review in the bill’s summary, but as you know, with your legal background, a judicial review application often comes with quite significant limitations to be able to access it.
Thank you, senator, for your question and comment. I apologize that you didn’t realize it was being done today. I also note your comments on the judicial review sections. An application is necessary in those cases.
There is — as I indicated — the review by the two agencies and the openness or transparency of filing an annual report from both ministers. I understand that it is a Governor-in-Council, as you said, but there are procedures in the act for somebody to bring forward an application for judicial review.
Thank you. I will have to look more into that in terms of the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security and Intelligence Review Agency, or NSIRA. You were saying that that was done as a result of amendments in the House of Commons committee. I would have thought there might be even more parliamentary oversight on this. If there is, could you check into that and let me know?
My second question would be this: Could you please tell us more about the potential criminal offences that someone could be charged with under this act?
Thank you for the question. I will provide you with information on that. The thresholds or the maximum fines are quite high, and there was discussion about that at the other place’s committee, but there is a reason for making sure there is enough flexibility to have appropriate fines in the case. I will obtain the specific information and forward it to you.
You don’t have the information now?
I do have the act, but instead of taking the time to go through it at this stage, I’ll respond later.
Honourable senators, I would like to thank Senator McNair for bringing forward this timely and essential bill. My interest was piqued when you talked about the power to ban products and services. You mentioned Huawei as one potential example, and I wanted to understand what it meant to ban services. I’m looking at section 15 of the act, which is I think where this may be addressed, but I would like to be clear. Could this, hypothetically, give a government the power to ban a social media service such as TikTok or does this only apply to services used by designated operators?
Thank you for the question. It’s my understanding that it only applies to designated operators and would not extend to the other examples you mentioned.
The government’s statement on record to date on telecommunications service makes it clear that the government considers some providers as high-risk suppliers, and the statement announces the intention to prohibit the use of designated products and services from those suppliers.
I’m still somewhat confused. Does this mean that a telecommunications company like Rogers, Bell or TELUS couldn’t sell or offer Huawei phones, but that people could buy them as independent consumers? I want to be clear because I find TikTok to be problematic. I stopped using the service well before the government was giving that direction to officials because I was concerned about what I had read about it. I want to understand what we’re actually talking about when we’re banning services.
I believe it is services and not phones, as in your example. In terms of Huawei phones, I don’t think any decision has been made with respect to that at this stage. It’s the broader context of the services provided by the high-risk supplier.
Thank you, Senator McNair, for that very thorough presentation. I appreciate the opportunity to ask a question.
There is mention of high-risk suppliers. Does a list exist at the present time? The reason I’m asking is that, as I’m sure people are intimately aware — throughout both this chamber and the other place — communications throughout the North are particularly vulnerable. In some situations, access to things like the internet doesn’t exist, or they are particularly vulnerable. When existing telecommunications fail, people flock to immediate solutions. Technology is rapidly evolving, and solutions are available from other places and other countries.
Does a list of the high-risk suppliers exist in an office somewhere? What happens when that horse has already left the barn, so to speak? What provisions are there if purchases have already been made?
Thank you for the question, Senator Duncan. I am not aware of any list that exists at this stage. I will check with officials. We had a technical briefing on the first day back, and we put that question to them.
Remember, this includes only federally regulated suppliers or operators of the telecommunications system that they are dealing with at a very high level. In terms of the smaller ones that have made investments, they take that into account when they are about to make the cybersecurity direction, and they can put different conditions in there as far as timing. But for equipment that’s already been purchased, my understanding is if they deem it to be high risk or at risk, they would like to see that phased out of the system over time, unless it is critical to have it phased out immediately. In your circumstance, I guess they would let them use equipment that operates and works as a solution.
If Senator McNair wouldn’t mind another question, I have been thinking about the fact that our geopolitics changes every time. Today’s enemy is tomorrow’s ally; today’s ally is tomorrow’s arch-enemy.
I am curious to know how we will establish this — I’m sure the bill explains it, and I apologize that I have not delved into it in enough detail. What are the criteria to decide what is high risk?
I’m thinking, for example, of our global dependency on Elon Musk’s SpaceX and Starlink satellite system, which many Canadian telecommunications are also part of. Given Mr. Musk’s increasingly erratic political behaviour, what do we do if something that is so essential to our communications infrastructure becomes something that is problematic?
Good question, Senator Simons. I don’t have an answer for you here today.
Realize that this bill, if it is enacted, is essentially the teeth necessary to do the enforcement. The next step will be setting the regulations and setting up some of the information as to how they are going to do that, and that’s going to be done in consultation with service providers at the same time.
Senator McNair, first of all, let me start by thanking you for your maiden sponsorship of a bill. I appreciate the enormous responsibility, the reading and the background work that goes into this. It’s a very complex piece of legislation, obviously. We will get a chance to scrutinize it at committee much more in depth than we are doing here in the chamber right now.
But I think it would be fair to say that Canadians are quite fearful, in general, about cybersecurity attacks on many of the services that they use throughout the country, whether it is a bank, their own government, the hospital or a municipal government to a large extent. I recognize the point you have made in terms of the power that will be granted to cabinet in regard to the things they may need to do which are not yet explicit in the bill.
My fundamental question comes back to this: I assume the departments have assured us that this bill is Charter-compliant in regard to what is entailed but also, equally, the potential powers that could be granted as a result of an order-in-council which may not cross that line that is so important for us in protecting us while, at the same time, ensuring that our more fundamental rights are protected under this legislation.
Thank you, Senator Yussuff, for the question. I have read the Charter Statement, and the department does indicate that it is appropriate. There could be challenges, but with respect to any of the limitations at this stage, they are of the view that they are reasonable and justified in a free and democratic society. It is the balancing of privacy and civil liberties against the protection of cyber systems and our critical infrastructure in the country.
Senator McNair, on the last point you just made — because I haven’t looked at it yet — does the Charter Statement actually say, as you were saying, that it does violate but then it is saved by section 1? Can you clarify, please?
I’m sorry if I wasn’t clear on that. No, it doesn’t say that.
What does it say?
The Charter Statement indicates that the legislation is appropriate.