Contentious Liberal plan to overhaul cybersecurity faces more scrutiny

Click to play video: 'Cyber threats, AI, deepfakes targeting elections on the rise: CSE'
Cyber threats, AI, deepfakes targeting elections on the rise: CSE
The Communications Security Establishment (CSE), Canada's cybersecurity watchdog, is warning that deepfakes generated by artificial intelligence could have an impact on the next federal election. Abigail Bimman looks at how foreign governments could take advantage of these cyber threats, and what Canada needs to do to prepare – Dec 6, 2023

Industry Minister François-Philippe Champagne is defending the Liberal’s plans to overhaul critical infrastructure protection in Canada amid continued concerns Bill C-26 could undermine both Canadians’ privacy and government transparency.

Bill C-26 would give Champagne and his successors the ability to order private companies, such as banks and telecoms, in five critical sectors tied to national security to hand over potentially sensitive information about Canadians. It would also enable the ability to share that information with intelligence agencies, domestic governments and foreign allies.

It would permit the federal industry minister to compel any person or entity in Canada to turn over information the government believes is required to implement the new cybersecurity regime, according to an analysis of the bill done by the Library of Parliament.

The powers have been described as “broad” by the federal privacy commissioner, and widely panned by civil society and privacy groups, including some who have warned that authoritarian regimes would look at the provisions “in the course of justifying their own unaccountable, secretive and repressive ‘security’ legislation.”

Story continues below advertisement

But Champagne told a House of Commons committee on Thursday that those powers are needed to allow the government to “act fast” to address a potentially catastrophic cyber incident.

Breaking news from Canada and around the world sent to your email, as it happens.
For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.

Get breaking National news

For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.
By providing your email address, you have read and agree to Global News' Terms and Conditions and Privacy Policy.

“If we were to find that there was a failure or intrusion in a network that could have a systemic effect, you would want the minister of industry in the future to say ‘stop, or we disconnect that particular person or entity’ which is the source of the infection of the entire network,” Champagne said under opposition questioning. “The kind of power you need, you need to act very, very quickly.”

Asked why some of the orders could be made in secret, Champagne said “You would not want the actors, which are the ones who are trying to infiltrate our systems, to be aware that you’re asking them” to stop operations.

Both Champagne and Public Safety Minister Dominic LeBlanc pointed out that actions taken under Bill C-26 would be subject to judicial review. But while the legislation does require the orders to be openly published, the minister could also “prohibit the disclosure of their existence or some or all of their contents” according to the Library of Parliament.

The federal privacy commissioner, Philippe Dufresne, told the committee that those “broad” powers should be subject to independent scrutiny.

“It is important that any such confidentiality provisions, which have the effect of reducing public scrutiny regarding (Bill C-26’s) implementation, including any collection, use or disclosure of personal information be accompanied by appropriate transparency measures,” Dufresne told the House of Commons’ public safety committee on Monday. “I would also recommend that the bill be amended to include stronger accountability measures to ensure the protection of personal information that is shared outside of Canada.”

Story continues below advertisement

Bill C-26 has had a long and contentious path through the House of Commons since it was first introduced by then-Public Safety Minister Marco Mendicino in June 2022. After nearly two years, it’s finally being studied by a House of Commons committee with no timeline on when it could become law.

Throughout that time, the Liberals have repeatedly suggested they were open to amending the law amid a flurry of criticism from privacy and civil society groups who warned the legislation – designed to protect vital Canadian networks – could have dangerous consequences.

“The fundamental tenets of accountable governance, due process, and our right to privacy are all at risk of being compromised by Bill C-26 in its current form,” wrote Kate Robertson and Lina Li, researchers at the University of Toronto’s Citizen Lab, wrote in a submission to the committee. “It is long overdue for regulators to step in at national and international levels to secure our network services. However, Canada’s approach to the regulation of telecommunications and cybersecurity also needs to be transparent, accountable, and compliant with applicable human rights standards.”

Canada and western democracies around the world have seen significant jumps in attacks or threats against critical infrastructure over recent years as geopolitical tensions flare.

Sponsored content