Bill Respecting Cyber Security, Amending the Telecommunications Act and Making Consequential Amendments to Other Acts

Moved second reading of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

He said: Honourable senators, I rise today to speak as the sponsor of Bill C-8, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.

This bill was initially introduced during the Forty-fourth Parliament as Bill C-26, back in June 2022. It was passed by the House of Commons and the Senate, with amendments, but died on the Order Paper before the House could consider the Senate’s amendments when Parliament prorogued in December 2024.

The bill now returns to us with minor changes, which I will outline later on in my speech.

Colleagues, the Communications Security Establishment, or CSE, has said cybercrime is now the most prevalent and pervasive threat to Canadians and Canadian businesses, and, in particular, ransomware is a significant threat. CSE’s Canadian Centre for Cyber Security states in the National Cyber Threat Assessment 2025-2026 that:

Canada is confronting an expanding and complex cyber threat landscape with a growing cast of malicious and unpredictable state and non-state cyber threat actors, from cybercriminals to hacktivists, that are targeting our critical infrastructure and endangering our national security. . . .

They go on to say:

Canada’s state adversaries are becoming more aggressive in cyberspace. . . . State-sponsored cyber threat actors are almost certainly attempting to cause disruptive effects, such as denying service, deleting or leaking data, and manipulating industrial control systems, to support military objectives and/or information campaigns. We assess that our adversaries very likely consider civilian critical infrastructure to be a legitimate target for cyber sabotage in the event of a military conflict.

Colleagues, Canada is becoming increasingly vulnerable to cyberattacks.

The Cyber Centre states:

Canada has entered a new era of cyber vulnerability where cyber threats are ever-present, and Canadians will increasingly feel the impact of cyber incidents that have cascading and disruptive effects on their daily lives.

Advancements in communications and computing technologies have ushered in a world of ubiquitous connectivity for Canadians. In this environment, online platforms and digital technologies continue to shape and mediate Canadians’ interactions with the physical world—the way we work, shop, travel, socialize, get informed, and access critical services. These systems record and process vast amounts of data about us . . . . These systems are also interconnected and fragile: cyber incidents, from cyber attacks to flawed software updates, can knock airlines, hospitals, banks, and retailers around the world offline.

Canadians must be prepared to deal with these threats in order to protect our people, our critical infrastructure and our economy, while ensuring that Canada remains secure, competitive and connected.

Bill C-8 looks to implement baseline cybersecurity-specific requirements to ensure that federally regulated critical infrastructure operators in Canada are resilient in the face of cyber-threats.

Senators, the threat is real, the threat is pervasive, and the threat is happening now. State and non-state actors are targeting internet-accessible devices to exploit basic vulnerabilities, such as insecure remote-access software or the use of default passwords. We know that they are likely attempting to disrupt vulnerable internet-connected operational technology systems within Canadian critical infrastructure when the opportunity arises. These disruptions may cause systems to malfunction, leading to damage or destruction of those systems and possible harm to public safety.

Let me turn to some recent examples. In April 2025, Nova Scotia Power was subject to a sophisticated ransomware attack that affected 280,000 customers. The data breach exposed personal information and resulted in an operational disruption to the utility’s smart-meter communications systems.

In June 2025, WestJet was the target of a cyberattack that impacted its internal IT systems and restricted access for users of the WestJet application. While flight operations were not disrupted, the privacy breach exposed the sensitive personal information and travel-related data of 1.2 million passengers.

Only last month, Telus said that it was investigating a cybersecurity incident that saw 700 terabytes of data stolen from their systems. The hacking group ShinyHunters claimed responsibility for the attack. Although there was no evidence of disruption to customer connectivity or service, ShinyHunters said that the stolen data included information related to at least two dozen companies, including personally identifiable information, call data and recordings, background-check information and source code spanning multiple business divisions.

Thankfully, none of these examples caused harm to our public safety, but they do highlight the growing risks to our critical infrastructure.

Senators, to give you a sense of the magnitude of the threat, the Cyber Centre blocks an average of 6.6 billion potentially malicious actions each day, ranging from routine scans to sophisticated intrusion attempts. When just one of these malicious actions gets through their defences, it can lead to a cyberattack such as in the examples I mentioned or worse.

The financial costs are also staggering. It is estimated that cyber-incidents cost Canada’s economy $5 billion annually, with Canadian businesses paying an average of nearly $7 million per data breach.

Colleagues, Bill C-8 consists of two distinct and complimentary legislative initiatives.

Part 1 introduces amendments to the Telecommunications Act to add security as a policy objective of the act and create new authorities that would be used to secure Canada’s telecommunications systems against threats, including those posed by high-risk suppliers, in line with the government’s May 2022 policy statement.

The authorities proposed under Part 1 of Bill C-8 will allow the government to strengthen Canada’s telecommunications framework to respond to risks, whether they are from high-risk suppliers, cyber-threats or natural disasters and extreme weather events.

Specifically, Part 1 of Bill C-8 seeks to amend the Telecommunications Act by adding “. . . to promote the security of the Canadian telecommunications system” as a specific policy objective. An order-making power tied to that objective would be created for the Governor-in-Council and the Minister of Industry that could be used to compel action by Canadian telecommunications service providers, or TSPs, if necessary, to secure the Canadian telecommunications system against any threats, including those of interference, manipulation, disruption or degradation. Defining the scope in terms of the security of the telecom system rather than security issues, generally, is an important limiting factor. This means that authorities can only be used to direct TSPs to secure their networks; they cannot be used to advance general law enforcement or other security goals.

The legislation would require both the Governor-in-Council and the Minister of Industry to consult before making any orders and includes a series of factors that the Governor-in-Council and the Minister of Industry must consider, including the operational and financial impacts and the effects on the provision of telecommunications services in Canada.

The bill also grants new information-collection authorities with respect to TSPs to advance this objective. Once again, any collected information needs to be reasonably related to protecting the telecom system, specifically information and details on network equipment. An administrative monetary penalty scheme is also established to encourage compliance with orders and regulations.

If adopted by Parliament, these authorities will be a critical tool in our efforts to ensure Canada’s networks are reliable, resilient and secure. These new provisions will also provide a clear and explicit legal authority to prohibit Canadian TSPs from using high-risk products and services, as the government committed to do in its 2022 policy statement.

With these new powers, the Governor-in-Council and the Minister of Industry would have the ability to take security-related measures, just as other federal regulators can do in their respective critical infrastructure sectors. These authorities can also be used to take action to manage risks from human errors or climate-based disruptions that can cause outages of critical telecommunications networks.

Colleagues, I want to be clear: In Part 1, the scope of the order‑making powers is specific. The language in the bill states that order-making powers are meant to promote the security of the telecommunications system. The government’s powers cannot be used for security issues more broadly, and they cannot be used to spy on Canadians.

Part 2 of the bill enacts the critical cyber systems protection act, or CCSPA. The purpose of this proposed legislation is to establish a cross-sectoral regulatory framework to strengthen baseline cybersecurity for services and systems that are vital to national security and public safety. This new act would require designated operators in the federally regulated finance, telecommunications, energy and transportation sectors to take specific actions to protect their critical cyber systems. Once designated, operators would be obligated to establish a cybersecurity program, mitigate supply-chain and third-party service or product risks, report cyber-incidents and comply with cybersecurity directions.

The legislation gives the government a new tool to compel a designated operator to take action, if necessary, to protect its critical cyber system from threats or vulnerabilities.

Similar to Part 1, the CCSPA requires the Governor-in-Council to consider a series of factors before issuing the cybersecurity direction. Those factors include the operational impacts on affected designated operators, the impact on the public safety of Canadians, the impact on the privacy of Canadians, the financial impacts on affected designated operators, the impact on the delivery of vital services and vital systems to consumers, and any other factor the Governor-in-Council considers to be relevant. Finally, the CCSPA provides existing industry regulators with the necessary powers to enforce the act and creates consequences for non-compliance.

Once the bill is implemented, designated operators would develop cybersecurity programs informed by current threat landscapes. Mandatory ongoing incident reporting to the Cyber Centre would be evaluated, including against classified intelligence, to enhance our understanding of evolving cyber‑threats. The Cyber Centre would then offer expert advice and guidance, not only to designated operators but to all Canadians, enabling us to tailor our defences to the specific threats we face.

By improving the government’s awareness of the cyber-threat landscape and leveraging the Cyber Centre’s expertise, their advice and their guidance mandate, we essentially turn one organization’s incident into another’s prevention. In doing so, we strengthen cybersecurity across Canada, safeguard the privacy and security of information stored on these systems and mitigate the economic impact of cybercrime.

Simply put, this part of the bill provides the tools the government needs to take action to address a wide range of cybersecurity vulnerabilities. Currently, there are no legal requirements for industry to share information on cyber-incidents and no legal mechanism for the government to compel action in the face of known threats or vulnerabilities.

Colleagues, when it comes to national security, we can’t rely on the goodwill of industry alone; we must enshrine a more robust cybersecurity framework into law.

Part 2 of Bill C-8 also serves as a model for our provincial, territorial and municipal partners to protect critical cyber infrastructure in sectors under their respective jurisdictions.

Colleagues, while the two parts of Bill C-8 are distinct, with one focused on strengthening our existing telecommunications regulatory framework and the other focused on creating a new framework supporting the security of critical cyber systems, taken together, they respond to the urgent need to ensure that the critical infrastructure Canadians rely upon every day remains secure, resilient and protected.

I want to briefly outline the ways in which Bill C-8 differs from its last iteration, Bill C-26. As I noted earlier, the text of Bill C-8 at the time of tabling in 2025 was virtually identical to the version of Bill C-26 that was passed by both the House and Senate but did not receive Royal Assent. It reflects prior parliamentary study and incorporates amendments made to strengthen the former Bill C-26.

In addition to amendments made to Bill C-26, a small number of administrative changes were made to the bill before it was reintroduced in 2025. Most substantively, provisions in Bill C-26 that would have amended the Canada Evidence Act to provide for judicial review issued under Bill C-26 have been removed entirely, as those have now been replaced by a single, uniform secure administrative review proceeding framework, known as SARP, which was established by Bill C-70, An Act respecting countering foreign interference.

The SARP regime is far more robust in terms of the guidance and powers it provides the courts when potentially injurious information is disclosed during a review. Examples include the ability to appoint a special counsel to represent the interests of parties unable to view the protected information, the ability for the judge to make any order necessary to ensure fairness during a proceeding and clear procedures for issuing certificates and administering notices.

All other changes have been technical fixes in the bill, ensuring that clause numbering, translations and some phrasing regarding scope and substance remain consistent as needed.

Bill C-8 underwent thorough study in the House of Commons at the Standing Committee on Public Safety and National Security. The House committee spent five meetings on clause‑by-clause consideration of Bill C-8 and made 37 amendments. Following the Standing Committee on Public Safety and National Security’s study of the bill, several amendments were adopted in both parts, which broadly fit into two categories: the need for additional guardrails on order-making powers and further privacy protections.

Specifically, for Part 1, the government proactively proposed amendments to add a new extensive list of factors for the minister or Governor-in-Council, or GIC, to consider prior to making the contents of an order confidential, as well as an amendment clarifying that orders cannot be used to break encryption on private communications. A number of amendments effectively affirm or clarify what Innovation, Science and Economic Development Canada, or ISED, considers to already be the status quo reality of the bill. For example, orders made under Part 1 address threats that are technical in nature and not related to the effects of lawful expression.

Amendments have also clarified that the government must inform any person named in an order when the order is made, which is already required under the principles of administrative law. Amendments have also been made to ensure that the collection of information related to order making, the disclosure of information collected and the exchange of information among federal authorities are all reasonable in relation to the gravity of the threat that the orders seek to address.

The largest number of amendments adopted concern the collection, protection and sharing of information, with a particular focus on personal and de-identified information. Specifically, amendments were passed to automatically deem all personal and de-identified information collected to be confidential; establish stricter conditions for the disclosure of personal and de-identified information, compared with other confidential information, like corporate financial or operational information; establish that all personal and de-identified information collected must be disposed of once it is no longer needed for purposes related to order making, in line with existing requirements under the Privacy Act; and, finally, establish that when information is shared with another government, which must be done under a written agreement, MOU or a similar document, the information-sharing agreement must indicate that the information is to be disposed of once it is no longer needed for the purposes for which it was shared.

In response to feedback from stakeholders and parliamentarians, a number of amendments were also made to strengthen Part 2, the Critical Cyber Systems Protection Act, or CCSPA. Like Part 1, the bulk of the amendments largely fit into the categories of additional guardrails on order-making powers and further privacy protections. Other amendments also address regulatory duplication and personal liability concerns.

To provide assurances that the government’s new powers will only be used for their intended purposes, the CCSPA now requires that the provisions of a cyber security direction, or CSD, must, in scope and substance, be reasonable in relation to the purpose of protecting a critical cyber system.

And, similar to Part 1, the bill now specifies that CSDs cannot be used to break encryption. The amendments also serve to further clarify the scope and use of order-making powers in Part 2.

In response to concerns raised by civil liberties associations and the Privacy Commissioner on privacy protections, the bill now includes a definition of personal information and clarifies that any personal information will be disposed of in accordance with the Privacy Act when it is no longer needed.

Further privacy protections include an amendment for greater certainty that the Personal Information Protection and Electronic Documents Act, or PIPEDA, continues to apply. This is to ensure designated operators understand that the CCSPA does not relieve them of obligations found under PIPEDA, such as reporting data breaches.

It was also specified that the personal information protections found in the Communications Security Establishment Act remain in effect as a means of clarifying that the Communications Security Establishment, or CSE, is not receiving new powers or new abilities to access personal information as a result of the CCSPA.

To address concerns that industry stakeholders raised around regulatory duplication, an amendment was made that requires the GIC to harmonize, to the extent possible, with existing regulatory standards regimes. This amendment would also allow the GIC to determine which regimes are compliant with the requirements of the CCSPA.

A new provision was introduced that establishes that the CSE may develop guidance on third-party and supply chain risk mitigation, taking internationally recognized standards into account. This is not a new power per se as the CSE already does this for all of industry on an as-needed basis.

Another amendment focused on softening personal liability. Some stakeholders raised concerns that the CCSPA may deter individuals from taking on senior roles, such as chief security officers, due to personal liability risks. In response, the maximum penalty amount for individuals under the administrative monetary penalty framework was reduced from $1 million to $500,000. In relation to this, the bill now makes it explicit that solicitor-client privilege continues to apply to information shared with the government.

Finally, an amendment was made that introduces a new requirement for the minister to conduct a review of the act five years after its implementation. After conducting the review, a report on its effectiveness must be tabled in both houses of Parliament.

Bill C-8, like Bill C-26, also maintains an obligation to notify the National Security and Intelligence Committee of Parliamentarians, or NSICOP, and the National Security and Intelligence Review Agency, also known as NSIRA, within 90 days after a confidential order is made.

Further, annual reports to Parliament will need to include information such as the number of orders that were issued and an explanation of the necessity, reasonableness and utility of the orders. Taken together, these provisions provide the government with further clarity and fairness around the use of their new powers.

In short, colleagues, amendments to Part 1 of the bill brought to the House of Commons following the committee study enhance program clarity, strengthen safeguards on order-making powers, reinforce protections for personal information and encrypted communications and increase transparency through new reporting requirements.

Amendments to Part 2 collectively reinforce strong privacy protections, clarify oversight requirements, limit enforcement powers and introduce new accountability measures within the Critical Cyber Systems Protection Act.

The clear protections and guardrails set out in both parts of Bill C-8 in both its original and amended forms assure Canadians that the powers proposed under this bill will be used as they should be, that is to say, to support and ensure the security and resilience of our critical cyber systems and telecommunications networks.

Bill C-8 will not be a back door to the surveillance of communications, the repression of free expression or the unfounded use of order-making powers.

Colleagues, the amendments by the House of Commons were a collaborative effort by all parties, and I strongly believe they further strengthen the bill.

In particular, I am pleased to see that two of the three recommendations made by the Privacy Commissioner in his testimony to the committee were adopted.

I hope that we can move Bill C-8 forward to committee for proper study, as I believe it builds a strong foundation for securing Canada’s critical infrastructure against fast-evolving cyber-threats.

In today’s world, there is no shortage of bad actors who seek to exploit vulnerabilities in our cyber systems across our country.

Whether it is in our financial systems, telecommunications systems, energy sector, transportation sector or other critical infrastructure, we now live in a world where cyber-threats are commonplace even as they are also becoming larger and more complex than ever before.

Individuals, governments, businesses and critical infrastructure owners and operators all experience this new reality on a daily basis.

Successful cyberattacks have severe, lasting and far-reaching consequences for every entity that is impacted, but most of all, for the well-being of individuals whose lives are disrupted and whose data is compromised.

Bill C-8 brings a much-needed, consistent cross-sectoral approach to cybersecurity. It will allow the government and industry to do more to prevent debilitating attacks and to fight back more powerfully when they do occur.

Colleagues, I hope we can get this important bill across the finish line. It is critical legislation that is needed to protect our national security, economy and sovereignty.

Thank you. Meegwetch.

Certainly.

Thank you for the question. I don’t speak for the Liberal government today, but I can say that officials have reviewed the document carefully. I recall the examples that you cite and the “debacle,” as you put it, but officials have assured me that they have reviewed the document, and there should not be any situation like that again.

Thank you for the question, Senator Batters. My recollection of the testimony on Bill C-26 doesn’t mirror yours exactly as far as the numbers that you’re talking about.

Be that as it may, my understanding is that the three amendments were ruled out of scope by the Speaker and were struck from the bill. The amendments, as I understand them, would have required judicial authorization before an order or direction could be made by the Governor-in-Council. The order‑making powers under Bill C-8 rest with the Minister of Industry and the Governor-in-Council because the orders are based essentially on policy decisions that involve balancing public and private interests. Requiring Federal Court approval before an order is made places the court in a position of making a policy determination rather than reviewing legality. Other guardrails are present, and judicial oversight is still maintained, as the Federal Court can be asked to review an order after it has been made to ensure that the government stays within the limits prescribed in the legislation.

Thank you, Senator Ross, for the question. It’s a good question, and I will raise it with officials at committee. However, what I can say is that, to my knowledge, the Department of Industry is used to working with small businesses. Obviously, the larger players in the telecommunications world have a certain level of systemic risk compared to a small provider that serves, for example, 500 or 750 customers or consumers. I believe that the department is very much aware of those challenges faced by small businesses, and I’m confident that the department will tailor their rules to match the skills of service providers of all sizes. However, I will raise it at committee with the officials.

Thank you for the question. I’m not aware of any discussions along that line of thought at this stage. There is hope that the provinces will use this act as a template. From the federal side, I’m sure they would be willing to enter into discussions, but I will raise it with officials and report back to you.

It makes perfect sense to do so, and I’m willing to do that.

As I understand it, the GBA Plus is appended to a memorandum of cabinet and is not meant to be a public document. A summary of the analysis was prepared and provided to committee members — in the past, at least, and I suspect that’s been done again this time. I will raise with officials the issue of why there aren’t more references along the line you are suggesting.

Perhaps that question could also be raised at committee with officials.