SECU Committee Meeting
Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
For an advanced search, use Publication Search tool.
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
Standing Committee on Public Safety and National Security
|
l |
|
l |
|
EVIDENCE
Monday, January 29, 2024
[Recorded by Electronic Apparatus]
[English]
I would like to unsuspend the meeting.
The only small issue is that I have a personal family matter that I'm dealing with and I'm going to have to step out.
I see the other vice-chair has just left, so I'll leave this in the clerk's hands.
Mr. Chair, while you're in, I move that Rob McKinnon chair this meeting.
That is what we normally do in a situation where the vice-chair is not available and the chair is not available. We, as a committee, can appoint a chair for the meeting, so I would like to move that.
I moved it. You were in the chair. You could just stay in the chair, and then we could vote on it and it would be done. That's parliamentary democracy.
Honourable members of the committee, page 1043 of House of Commons Procedure and Practice stipulates that in the absence of the chair and vice-chairs, “the committee clerk must preside over the election of an Acting Chair before the committee can begin its work”.
We must now proceed to the election of an acting chair in order to conduct other business.
I'm ready to receive motions to that effect.
[Translation]
Mr. Julian moves that Mr. Ron McKinnon be elected acting chair of the committee.
[English]
Are there other motions?
Mr. Motz, go ahead.
I move that we appoint Eric Melillo. It's time for a young face.
No offence, Ron, but you have a bad knee.
The second motion is that Mr. Melillo be acting chair.
Are there other motions that we should consider?
Since more than one candidate has been nominated, pursuant to Standing Order 106(3)(b):
any motion received after the initial one shall be taken as a notice of motion and such motions shall be put to the committee...until one is adopted.
I understand there are two motions.
We'll proceed now to the first motion, that Mr. Ron McKinnon be elected acting chair of the committee.
(Motion agreed to: yeas 7; nays 4)
The Clerk: Mr. McKinnon has been duly elected as the acting chair. Thank you very much.
Some hon. members: Hear, hear!
Thank you. All this feels oddly familiar.
I call this meeting to order. Welcome to the public portion of meeting number 90 of the House of Commons Standing Committee on Public Safety and National Security.
Pursuant to the order of reference of Monday, March 27, 2023, the committee commences its study of Bill C-26, an act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other acts.
I would now like to welcome our witnesses today. From the Communications Security Establishment, we have Sami Khoury, head, Canadian Centre for Cyber Security, and Daniel Couillard, director general of partnerships and risk mitigation at the Canadian Centre for Cyber Security.
To support the Communications Security Establishment, from the Department of Public Safety and Emergency Preparedness, we have Colin MacSween, director general of the national cybersecurity directorate; and Kelly-Anne Gibson, director of the cyber-protection policy division. From the Department of Industry, we have Andre Arbour, director general of the telecommunications and Internet policy branch.
I now invite Mr. Khoury to deliver his opening statement.
Please go ahead.
Thank you, Mr. Chair and members of the committee, for the invitation to appear today and discuss Bill C-26, an act respecting cybersecurity and amending the Telecommunications Act.
My name is Sami Khoury and I am the head of the Canadian Centre for Cyber Security—also known as the cyber centre—at the Communications Security Establishment.
As you know, the world is becoming increasingly interconnected and our reliance on technology continues to grow. However, this dependence exposes us to new risks and threats, particularly in the realm of cybersecurity and critical infrastructure. It also requires us to adopt new tools to strengthen our cyber-defences and respond to emerging cyber-threats.
[Translation]
We take these threats and the rise in state-sponsored attacks seriously, which is why we are committed to defending the Government of Canada and keeping its systems secure from cyber threats.
[English]
I'll begin today by providing an overview of the cyber centre and CSE's mandate to this committee.
The cyber centre, part of CSE, is Canada's technical authority for cybersecurity and information assurance. It's also responsible for serving as a unified source of expert advice. In its operational capacity, the cyber centre shares cyber-alerts and threat assessments across the GC to ensure that our information systems remain secure, responsive and well defended.
[Translation]
The Canadian Centre for Cyber Security uses autonomous sensors to detect malicious cyber activity on government networks, systems and cloud infrastructure.
[English]
These sensors allow the cyber centre to detect cyber-threats. Our classified knowledge of threat actor behaviour allows us to defend against and block these threats.
CSE also has a foreign signals intelligence mandate and conducts cyber-operations to support Canada's national security objectives. This allows us to provide intelligence on foreign cyber-threats, including the activities and intentions of state and non-state actors, which is used to defend Canada.
[Translation]
Together, the foreign intelligence branch and the Canadian Centre for Cyber Security work hand in glove to detect and prevent cyber attacks on government networks, critical infrastructure and other Canadian organizations.
[English]
I'd like to highlight a few of the key changes included in Bill C-26.
To continue to adapt to the ever-evolving threat environment, Bill C-26 is a critical next step that provides the government with new tools and authorities to better bolster defences, improve security across critical federally regulated industry sectors, and protect Canadians and Canada's critical infrastructure from cyber-threats.
This legislation would also establish a regulatory framework to strengthen cybersecurity for services and systems that are vital to national security and public safety and give the government a new authority to issue cybersecurity directives to respond to emerging cyber-threats.
[Translation]
At the Canadian Centre for Cyber Security, the legislation will facilitate the sharing of information, as necessary, to protect critical infrastructure and investigate reported incidents and provide mitigation advice.
[English]
It would also allow regulators to request advice, guidance or services from the CSE by providing information about the designated operator's cybersecurity program and mitigation of risk from the supply chain or use of third party products and services.
We are aware of the privacy concerns raised by some stakeholder groups about the reporting obligation of cybersecurity incidents to the CSE. The CSE and its cyber centre have an important responsibility to protect Canadians' privacy and personal information, and we take it very seriously.
Moving forward, we are hopeful to see the continued progress of Bill C-26 in Parliament.
Members of the committee, I can assure you that as the cyber-threat landscape in Canada continues to evolve, the CSE and the cyber centre remain dedicated to ensuring that the necessary protections are in place to support critical infrastructure and work closely with our partners.
[Translation]
We encourage Canadians to consult cyber.gc.ca for up-to-date advice and guidance related to cyber threats or if they wish to receive more tailored cyber threat information.
[English]
We also encourage victims to report a cyber-incident to the cyber centre through our online portal at cyber.gc.ca, so that we can help share threat-related information with our partners to help keep Canada and Canadians safe online.
Thank you for the opportunity to contribute to this important discussion. I'm looking forward to answering any additional questions you may have.
Thank you, Mr. Chair.
At this time, I would be in a position to move a motion in both official languages regarding car thefts. I believe it's been distributed to members of this committee. It reads as follows—
I have a point of order, Mr. Chair.
Mr. Chair, we aren't in committee business. Although I know that notice of this motion was provided, we aren't in committee business, and it's not on the subject matter, so I would suggest that it's out of order.
Thank you, Ms. O'Connell.
The motion was given proper notice, and he was recognized on something other than a point of order.
Mr. Brock, you may proceed.
Thank you, Mr. Chair.
The motion reads as follows:
Given that,
After 8 years of Liberal government, car thefts across Canada have drastically increased, including:
93% in Saint John
106% in Montreal
122% in Ottawa-Gatineau
190% in Moncton
217% in Toronto
Auto theft is devastating for those impacted, and costs are being passed on to consumers in the form of higher insurance premiums, therefore the committee report this to the House its grave concern about the increased auto theft, that the Minister of Public Safety has not offered any new measures to immediately tackle the problem and recognize the government's failure to act on this matter and the committee immediately:
A) Call the Minister of Public Safety to appear before committee within two weeks of this motion being adopted
B) Call the RCMP, CBSA and industry experts to appear before committee within two weeks of this motion being adopted.
Mr. Chair, that is the motion. I'm prepared to provide some opening comments in support of this motion.
I moved a motion. Customarily, the mover is also entitled, unless they cede that position, to provide some commentary.
Thank you.
We know that this issue has caught the attention of the government. It announced what it thought was going to be a pivotal moment in time. It was going to convene a summit with industry leaders, government officials and law enforcement officials to discuss this ever-increasing, urgent need to get control on our streets and to ensure that criminals who engage in this activity are not only detected, but charged, prosecuted and sentenced accordingly.
This soft-on-crime government over the last eight and a half years has done nothing but telegraph a message to criminals and would-be criminals that crime pays in this country. Bail provisions allow repeat offenders to continually receive bail on very generous conditions, providing no measure of community safety. In relation to this area of car thefts, they essentially allow criminals to continue this trade almost unabated.
The problem we have here is that this is not a recent phenomenon. This has certainly been the cause of Justin Trudeau's failed leadership over the last eight years, which has seen a marked increase of criminal activity across the board in this country. However, in relation to property offences and car thefts, we have seen a pronounced increase. It's almost three times, 300%, in Toronto alone.
Criminals are getting wise to the fact that luxury vehicles have a significant market abroad. They aren't stealing them for their own purposes. They're not stealing them so they can enjoy the benefits of a luxury vehicle. They're stealing them because they're part of an organized crime entity that operates numerous criminal organization entities that operate from coast to coast in this country, and they have found a niche market of having these individuals—some as young as 12 and 13 years of age, anecdotally.... I prosecuted those young offenders who were stealing cars, primarily at that time to strip vehicles of the wheels and other apparatus. They called it “chinging”, and they received a handsome amount of money for it.
Long gone are the days when shoplifting at grocery stores and convenience stores actually paid off. They've realized that cars, in particular, carry a significant value abroad.
What's happening—and we're reading these stories literally ripped from the headlines every single day across this nation—is that because of our porous ports in this country, given that this Liberal government has not seen fit to equip CBSA officials with the appropriate powers and resources to check containers that are often placed on railcars or placed on ships, eventually, leaving our country for international domains.... This is where the cars are going. There is a market in the Middle East. There's a market in Africa. There's a market in South Asia for these vehicles. This is a very lucrative operation for these criminals.
This federal government has been derelict in its responsibility to deal effectively with criminal laws surrounding this area. Police services across this country are under-resourced or understaffed and are dealing with serious violent criminals, and when they have the time, they are investigating car thefts.
Unfortunately, anecdotally I can speak to this. In my own riding of Brantford—Brant, we simply don't have the resources to put into car thefts, and it's a shame, because victims come in many forms in this country. Generally, we think of victims in the physical sense—that some physical violence has been bestowed on them—but people who are subjected to car thefts are indeed victims.
I recall a story that we heard most recently at our Conservative caucus event on Sunday, where our leader spoke about some town halls and some meetings he'd had in metro Toronto over the past few days. He was talking to one individual in particular who had his luxury vehicle stolen from his driveway, not once but twice. The first time he didn't see the culprits, and they made good their escape. I'm sure that vehicle is now safely in the hands of some foreign individual. However, he equipped himself with the appropriate surveillance outside of his house. Within days of his replacement of that vehicle with a similar vehicle, he happened to be alerted to the fact that these individuals—probably the same individuals—were in the process of stealing his car again.
Once he saw that happening in his driveway, he immediately called the police, and the police said, “We're sorry. We can't get there because we're dealing with other pressing, urgent matters.” He informed the operator that he was going to take matters into his own hands and deal with this, and he was warned against that: “Don't do that.” I think he received that advice for good reason: You don't know if these individuals are armed with a gun or a knife or some other violent apparatus.
He literally saw this happening, but he was wise, because he had put one of those AirTag trackers on his second vehicle and he was able to track the movement of his second stolen car. He followed that particular device to a railway and happened to confirm that his vehicle was secured in a railway container. He hopped the fence—whether it was CN or CP rail—and was approaching the railcar when he saw railroad officials descending upon him. He thought, “Great! I have authorities and officials who will help me stop the train to retrieve my stolen vehicle.” What did he get in exchange for that misperception? He was actually fined for trespassing, even though he had the evidence that his stolen vehicle was on a railcar controlled by CP or CN. It was allowed to leave. He saw the railcar leave in the presence of these officials. Talk about double victimization, Mr. Chair.
That is just one story of probably thousands of stories that I'm sure members can share with this committee. This is a pressing and urgent matter that the public safety committee has a mandate to review thoroughly.
Canadians in particular can't wait for this miraculous summit to produce results. The Liberal government is great at convening, great at having meetings and great at announcements, but terrible at follow-through. This is the follow-through that needs to take place. We need to have this motion passed, and we need to set aside the appropriate days to hear from the appropriate witnesses.
Thank you, Chair.
Thank you, Chair.
Thank you to my colleague for bringing this forward.
I want to continue with some of this. It's interesting that some of the reasons we know for other crimes where this government has failed to act—
Pardon me, Mr. Motz.
To me, it looks like this is going to carry on until the end of our meeting. I wonder if we can have agreement to.... No. Okay.
Carry on.
Thank you again, Chair.
I want to remind committee members that over the course of the last number of years, our former justice minister had not one, but two government vehicles stolen. In spite of this, we still had no action on auto theft.
It is a problem. It's not just a problem in Toronto, where vehicles are stolen and head to the port of Montreal, or in Montreal, where they go to the port and they end up in other countries. I have been told first-hand about incidents where people have travelled to other countries and seen cars with the licence plates of our provinces on them, with Calgary Flames stickers on the back of the vehicles, or with Ontario and Quebec licence plates, driving around in the Middle East and some places in Africa.
In Alberta, we don't have the numbers that Montreal and Toronto have for auto theft, thankfully, but it's a growing crisis across the country. In Alberta, auto thefts were up 20% from 2021 to 2022. Essentially, one out of every five vehicles in Canada is stolen in Alberta on a per capita basis, so that makes us the second-highest province in the country per capita to have vehicles stolen. Saskatchewan is number one. Manitoba is number three.
What does this really boil down to? We all have to pay insurance. The cost of insurance is climbing exponentially as a result. Everybody pays higher premiums because of these vehicles being stolen. Canada-wide, we are being told that the annual insurance costs of auto thefts have risen to over $1 billion a year. According to the Alberta auto insurance board, the per capita rate of auto theft claims on those insurances that have a comprehensively insured vehicle is 148% higher than the national average. That impacts me and my province directly, but it's not unusual across the country.
Premiums on high-theft models have gone up 25% to 50% over the last two years, with some insurers introducing what they call a high-theft vehicle surcharge of up to $500. Above the premium increases, we have this surcharge on top of it. Why?
I look back to policing days, when auto theft wasn't as prevalent as it is today, but it was certainly becoming a burden and a problem. As I've indicated, some of these vehicles were stolen just for the joyride and some of them were stolen for what we consider to be the traditional chop shops, where the vehicle was taken and sold for parts, or the VINs were changed and auto plates were changed out in order to effect some cash. That's really what it was all about.
This issue has gotten worse and worse. If you track it from 2015 onward, it has become a significant issue, and it's come up 30% to 34% as an increase from 2015 to 2022. That is significant.
Why are we having these issues going on and why are we having so many vehicles stolen? I'll tell you.
From talking to some of those who were involved in crime and some of those who are still involved in crime, and from talking to our police agencies that deal with them when they get caught, there's no deterrent. There's nothing that makes these kids or adults afraid of the justice system. It no longer has the teeth necessary to prevent crime, and that's what some legislation is supposed to do. It's supposed to make it serious enough that those who wish to commit crimes reconsider and say, “It's not worth it.”
The drastic increase, to me, is the direct result of the policies of this government, such as the soft-on-crime approach and the whole catch-and-release policy.
This is just one area where that particular policy is now impacting Canadians on average. Almost everybody drives a car, and almost everybody is going to pay higher premiums for their insurance. If you've ever had your car stolen, it's not a fun process. If it is stolen and recovered.... In these circumstances, most times they aren't recovered in this part of the world because they're easy to get to a port. It does create some challenges with respect to the whole aspect of owning a vehicle. Some people can't afford higher premiums. They can't afford to have a vehicle and then have to get a rental or something while their car is stolen.
I think there are some solutions here. One, we need to ensure that there is an opportunity for law enforcement to work collaboratively with rail and CBSA authorities. We know that our ports are very porous for contraband coming into this country and for stolen goods and contraband leaving this country. It would seem reasonable that we would focus some attention on the ports and on law enforcement.
I read recently of Toronto's great work on a number of arrests made and charges laid on a group of individuals who were in a car theft ring. It's organized crime, and it has become big business, very big business.
I can tell you what the going rate is in different parts of the world for various drugs, but I don't know what the going rate now is for a stolen luxury car. However, it is lucrative enough for people to continue stealing them. We need to be in a position where we take these issues seriously. CN and CP have their own police agencies, and we can work with them.
What I find troubling is the incident that Mr. Brock explained: one Canadian's experience of having his vehicle stolen twice and the frustration that this must cause. It brings the whole justice system from that perspective into disrepute. The more people hear about stuff like that.... It brings it into disrepute. This is because law enforcement leaves the impression—and I appreciate the fact that they are busy with some hot calls most times—that it can't respond in a timely fashion. The frequency with which these types of offences occur also overwhelms the resources that law enforcement has.
This individual did some proactive work by putting a suitcase tracker in a vehicle and monitoring where his vehicle was. I don't know what agencies he tried to contact along the way, but you would think that there would be a willingness to co-operate with each other and have the issue dealt with. The car was in a container, and you would think that it wouldn't be the only car in that container. It would be amazing to see what sort of co-operation can happen.
I think we need to revisit the issues of our justice system and what our courts view as repeat offenders. We had a step in a bill recently, last fall, on improving the bail system. It was a start, but it wasn't as far as we needed to go. We need to ensure that these individuals, if they are caught, don't repeat—and repeat and repeat—their offences before they even get to trial.
As you look across the globe, you have to ask this question: Why is Canada a target for this sort of criminal activity? It's pretty simple. It's because we don't do anything to our criminals.
We've gotten to the point where it's high reward and low risk. Even before, there was that slippery slide of our justice system, where our courts and the laws were such that there was reverse onus on those who committed offences. Criminals would tell you they are not afraid of the justice system. There's no punishment anymore. We can't change behaviour if we don't do anything to reinforce that we have a law and it needs to be followed. Compared to the United States, which has much larger crime rates than we do, our auto theft is substantially higher. Why? It's the catch-and-release program. As I said, it's the high-reward, low-risk environment.
Our border, as we've talked about, is porous. The fact is.... Do we have proper resources in place to deal with the fact that we have so much contraband coming in and then issues with this circumstance of stolen vehicles leaving the country? I mean, if they're being shipped out of the country, there are only a couple of places you need to go—Vancouver and Montreal—for a port. Rarely do they cross land borders. It happens, but it's rare that they do. Dedicated teams to deal with this, like the interdiction teams for drugs, could be done similarly for automobiles. I think that's something that we need to play close attention to. The question may be asked about all these containers needing to have manifests. You can't ship stuff without some sort of tracking device or tracking paperwork. Organized crime submits fraudulent cargo manifests claiming that they ship anything but, and we don't check.
There is the summit, as had been mentioned, coming up in February to address this issue. My question is, why did it take so long to have even a conversation about this particular issue? Why did it take so long to have former justice minister Lametti address it when he had two cars stolen himself, albeit they were not a big deal to him? They weren't really his cars. They were government cars, so we don't get too worked up over somebody else paying the bill on that, I suppose. The insurance industry pays out $1.2 billion, which is covered off by premiums. Insurance companies aren't in the business of losing money, so we are all paying for it.
I wonder what's going to come of this summit. Many years ago, I was at a summit of then minister of public safety Ralph Goodale. It was on gangs and guns. It was somewhere around 2015 or 2016. We talked big, but we didn't really solve a lot of problems at that particular time. It took years to even start getting any action, so I'm wondering what to expect from this. I'm not necessarily optimistic that we're going to have a huge uptake on this. I really hope to be wrong. It's sad when our country has a reputation as a donor country for stolen vehicles. That's really what the industry and other countries think we are. We're a donor country.
When you look at the bigger picture, we all care about the welfare of our communities and about the safety of our communities. I believe everyone on this committee certainly does. We have different approaches to solve it, but we all agree. Why would we not provide significant focus on an industry that is making billions of dollars off stolen vehicles annually? Where does that money go? It's organized crime. It's going to drug trafficking, human trafficking and terrorist financing. Those are the sorts of things that we need to.... We've all been, as government and opposition and party.... We're all on the same page of wanting to deal with those issues.
I would hope that as a group, as a committee that has a responsibility on this and many other issues related to public safety and policing in this country, and borders and CBSA, we would look seriously at this auto theft study and pass this motion.
Thank you very much, Mr. Chair.
Thank you so much, Mr. Chair.
Again we see Conservatives filibustering. They talk a big game when it comes to public safety, but we have before us officials who are here on cybersecurity, something that the Conservatives pretend to care about but will filibuster at the same time. They don't want to hear from witnesses. They don't want to hear from experts. They come to ask for a motion. A different version has already been adopted—Madame Michaud's motion with respect to auto theft—by members, understanding that this is an area of concern. That has been adopted. That's something we want to go forward on. But no, let's burn half a meeting. That's the Conservative viewpoint on this. They don't care. It's just about chaos at this point.
We see Mr. Brock throwing municipal police services under the bus. He knows that the federal government isn't responsible for the resourcing of municipal police services. Mr. Motz promotes American-style laws and at the same time says they don't work. I guess when you just go on and talk about nothing in an attempt to filibuster, that's the type of stuff you'll get.
It's truly shocking, Mr. Chair, but that's what we've seen the Conservative Party come to. When there is an issue of security before the committee, an issue of national security and cybersecurity—we spent months talking about it in question period, and here it is, legislation to take action on it—it's delay, delay, delay.
They're right that auto theft is a concern. It was adopted by this committee, I believe unanimously, that we study this. The best way to get to that study, the quickest, is to get through debate on Bill C-26 so that we can get to a study that we all want to get to, but the Conservatives want to delay.
Mr. Chair, I move that we adjourn debate on this subject so that we can get back to the witnesses.
Thank you, Mr. Bittle.
The motion to adjourn debate on this is on the floor.
(Motion agreed to: yeas 6; nays 5)
Thank you. It's great to return to the business of the committee.
My question is for the panel. There is a framework being brought in in terms of security programs that operators need to have. What does an average security program entail?
Thank you very much for the question.
In developing a cybersecurity program—perhaps my colleague can help me out with a bit more detail here—what we'd be looking for in that cybersecurity program is essentially just a layout of what the designated operators are doing to protect their critical cyber systems, the specific measures they're putting in place. There are technical elements that will be built in, which they can do, of course, in consultation with our colleagues at the cyber centre. That service will be available to them to help them put in that information.
Is there anything further?
I don't have too much extra to add, beyond saying that the cybersecurity program is one of the obligations that we'd be looking to flesh out in regulation, in consultation with our stakeholders and the cyber centre with the expertise in that area.
The idea is that the cybersecurity program would be something that continues to be an iterative program, so that as we bring in information and understand the threat we need to face, those cybersecurity programs can evolve over time. It's almost a virtuous circle whereby we're learning and continuing to be able to adapt to the threat before us.
Great. Thank you.
It also says that designated operators will be obliged to take “reasonable steps” to mitigate supply chain and third party service or product risks. Can you speak a bit more about what that is?
Put incredibly simply, it's reasonable steps to decrease the likelihood of the risk materializing and to decrease the impact of a risk materializing. Again, as my colleague pointed out, the details of that will be fleshed out in regulation.
During the consultation phase, you obviously spoke to several different individuals, parties and stakeholders. Did you notice there were similar themes that arose, which you need to tackle or incorporate?
In talking with stakeholders, one of the key things we heard was general support for the legislation. As was pointed out, and you've seen in your reports, several had different views, depending on the stakeholders. We heard some of them today. There's probably more information required on the privacy protections in place and questions around the ministerial powers that are included. Those tended to be the key themes that came up.
What about the protection of confidential information? What have you heard from stakeholders on that, because that's always of key concern?
We've heard that it is a key consideration. It's one that I think we have acknowledged going into the drafting of this legislation.
What we've generally spoken to is the idea that the protection of confidential information underpins this legislation, because if companies and designated operators don't feel that we are going to protect that information, they're not going to share it.
What you see in the legislation are specific provisions to define confidential information and protect it, and there are consequences if we or others don't protect that confidential information. It was something that we heard from stakeholders, and we spoke about the provisions that exist within the act.
Under part 2, the government would get the ability to issue a cybersecurity directive. That would be a GIC order.
Andre, do you want to take part 1?
Under part 1, for the amendments to the Telecommunications Act, there would be new authorities to issue an order in council regarding high-risk vendor equipment and for telecommunications service providers to remove or put restrictions on that equipment.
It would also include a ministerial order power regarding secondary issues around the security of telecommunications networks. That would include direction to telecommunications service providers—providers of Internet or cellular services—to protect their networks against a range of different threats. Those could include cyber-risks, but also physical threats. For instance, you'd collect information or take certain actions to make sure that their networks are more resilient. They'd have multiple paths within their networks so that if there happens to be a failure, there's resiliency in the network to deal with that.
There are certain authorities that stem from that, which go into more implementation issues. There's collecting information from the carriers to inform those order-making powers, as well as inspection and enforcement powers, including administrative monetary penalty authorities.
[Translation]
Thank you very much, Mr. Chair.
I thank the witnesses for being here.
I’d like to ask a question about the current context of labour shortages. That subject, among other things, was raised at the Standing Committee on National Defence. Often, we might have a good bill, but its implementation is a problem if, for instance, we don’t have sufficient resources to apply cybersecurity directives to certain businesses.
While the private sector currently seems to have an easier time recruiting staff than the public sector, are you concerned that a lack of staff would make implementing Bill C‑26 difficult, given the additional burden the cybersecurity directives represent?
Thank you for the question.
We have a partnership program with the private sector that is rather well developed. Our teams work 24/7 to create these critical infrastructure partnerships, and the teams continue to grow. We are currently recruiting more people and our turnover rate is less than 4%, which is a rather impressive number.
Of course, with the new bill, we will be able to recruit even more people. We are trying to be proactive and determine where we are going to find these people in Canada. It won’t necessarily be in Ottawa. We will also look for staff in Montreal. We are even starting to talk about a pilot project to open a small office in Montreal.
I understand that certain businesses can be designated as owners or operators of critical cyber systems covered by the bill. However, others will fall into a grey zone, meaning it will be unclear if they own or operate this type of infrastructure. According to the way Bill C‑26 is drafted, will it be enough to push some undesignated businesses into complying independently and voluntarily with the cybersecurity directions outlined in the bill?
If applicable, is there any opportunity for smaller businesses that fall into a grey zone to take advantage of the essence of Bill C‑26? Again, it brings us back to the labour shortage issue; if ever there’s a kind of appetite for this, is there a plan to be able to respond?
Thank you for the question.
Regarding the designation of businesses under the bill, I will ask my colleagues from the Department of Public Safety and Emergency Preparedness to answer you, because this will be done through their process.
At the Centre, we help anyone who asks. Whether businesses are designated or not, we will be there to respond to their cybersecurity needs and support them as their cybersecurity plan evolves. Even if businesses fall into a grey area, that does not prevent us from having talks and helping them develop their cybersecurity plan.
If I may, I would like to keep the ball rolling.
Would it be worthwhile to take steps and encourage businesses to use your services? When businesses are the victims of a cyber attack, there is an impression that they tend to shy away from admitting they were caught in that trap. Should additional work be done in this area to encourage businesses not designated as owners or operators of critical cyber systems to use your services?
In a context where cybersecurity is everywhere, with the internet of things and all that, it’s not just designated businesses that could become critical: everyone will be. Should we offer businesses more financial incentives, for example, so that they use the Communications Security Establishment’s services?
Thank you for your excellent question.
It touches somewhat on a major dilemma we are currently facing in cybersecurity: on the one hand, reporting can have value; but on the other, it represents risk for reputations or business processes.
I think Bill C‑26 tries to show the advantages of reporting. Indeed, one of the Canadian Centre for Cyber Security’s roles is to help a business in a given sector solve its problem when it reports. This also helps us to know what happened, develop indicators of compromise and quickly send information on an ad hoc basis to the entire sector and all sectors in Canada.
I think one of the very important aspects of the bill is that it will allow us to collect this information, help the victim and help the entire sector and other sectors in Canada benefit from it, as well as small and medium businesses, and even the entire Canadian economy.
Very well.
A motion to adjourn the meeting is on the floor.
(Motion agreed to)
The Acting Chair (Mr. Ron McKinnon): I believe it carries.
Thank you to our witnesses. Your testimony is certainly important to us. Sometimes it doesn't appear that way, but we appreciate your time and your effort.
We are now adjourned. Thank you.
Publication Explorer
Publication Explorer