Canadian Chamber Appears before Standing Committee on Public Safety and National Security

On February 5, 2024, our Senior Director of Digital Economy, Technology and Innovation Ulrike Bahr-Gedalia, addressed the House of Commons Standing Committee on Public Safety and National Security to discuss Bill C-26, An Act respecting cyber security. She emphasized the critical importance of cyber security, particularly for SMEs, and advocated for a prevention-first approach. She outlined key recommendations, including the need for clear definitions for reportable cyber security incidents and a 72-hour reporting period. While expressing support for Bill C-26, she highlighted areas for improvement, such as enabling two-way information sharing and ensuring full parliamentary oversight of Ministerial Orders, and encouraged Committee members to engage directly with telecommunication providers.

The full remarks and video recording can be found below.

Mr. Chair, Members of the Committee – good afternoon.

My name is Ulrike Bahr-Gedalia, and I am the Senior Director of Digital Economy, Technology and Innovation at the Canadian Chamber of Commerce.

I am also the Canadian Chamber’s architect and policy lead for the Digital Economy Committee, Future of Artificial Intelligence Council, and Cyber. Right. Now. Council.

As Canada’s largest and most activated business network representing over 400 chambers of commerce and boards of trade and more than 200,000 business of all sizes, from all sectors of the economy and from every part of the country, the Canadian Chamber is pleased to have this opportunity to provide feedback on Bill C-26.

Our Cyber. Right. Now. Council has been calling on government to prioritize cyber security and focus on a prevention-first approach and improved information sharing for close to three years.

Today, I’d like to share a few key recommendations and why cyber security is important to the Canadian Chamber and our members within the Canadian economy.

Over 98% of Canadian businesses are small-or medium-sized enterprises. SMEs need greater cyber security threat awareness, protection, and training to utilize the full suite of tools at their disposal to keep Canadians safe from bad actors.

Just as in other countries, Canada is facing an increasingly complex and risk-prone digital landscape. With a cyber security skills gap of some four million people globally and an ever-increasing number of connected devices (at least 67 billion devices and counting), the challenges and costs associated with securing our digitally-enabled world are increasing.

But while every organization of every size in every industry is at risk of a cyber breach, few carry the same real-world risk of crippling cyberattacks as those in the critical infrastructure sector. This threat will only grow as our critical infrastructure increasingly relies on software and connected technology to power and support its operation.

We are pleased to see Bill C-26 proceed to Committee study and support the bill overall. However, certain amendments are needed to ensure the bill reaches its full potential.

More specifically, our telecommunication members have expressed their concerns with respect to a few provisions in the Telecommunications Act, such as the lack of a due diligence defense for violations under section 15 of Part 1 resulting in monetary penalties and the extent of Ministerial Order Making Powers. I will note that this defense is present elsewhere in Bill C-26, such as in relation to cyber directions in Part 2, the CCSPA, as well as full due process for and parliamentary oversight of Ministerial Orders.

I encourage the Committee to reach out to the telecommunication providers as it is important to hear from them firsthand.

With respect to the CCSPA, our members are seeking the following improvements.

• Firstly, a clearer definition of a reportable cyber security incident. This will ensure industry is not forced to report events that do not pose a material threat to a vital system. Failure to clearly define the parameters for a reportable incident will undermine the purpose of C-26 and overwhelm government authorities, who will have to process and assess each cyber incident reported.
• Secondly, allowing for a 72-hour reporting period for cyber security incidents as opposed to immediate reporting. Allowing for reporting “within 72 hours” provides organizations the time to investigate, and will harmonize with existing regimes, such as in the United States, one of our key trading partners.
• Finally, two-way information sharing is crucial. As currently drafted, the CCSPA only contemplates one-way information sharing from designated operators to the government. We believe this is a missed opportunity and potential weakness and underscores my earlier noted prevention-first approach: the more information we have, the more we can work together and the better we can help prevent incidents.

Thank you for listening and for the opportunity to participate in the study of Bill C-26.