Canadian Chamber Addresses Bill C-26, an Act Respecting Cyber Security, Before Senate Committee on National Security, Defence and Veterans Affairs

On November 4, 2024, our Senior Director, Digital Economy, Technology & Innovation, Ulrike Bahr-Gedalia, appeared before the Senate Standing Committee on National Security, Defence and Veterans Affairs to express our concerns on Bill C-26, an Act respecting cyber security.

With Canadians frequently accessing digital services, the risks are at an all time high and considered to be a "persistent threat to Canadians" by Canada's Centre for Cyber Security. Protecting privacy and data protection and securing Canadian critical infrastructure, supply chains and businesses of all sizes from cyberthreats are essential actions in our modern economy. The clock is ticking, and the geopolitical environment continues to get worse, as does cybercrime.

The full remarks and session recording can be accessed below

Mr. Chair, members of the Senate - good evening.

My name is Ulrike Bahr-Gedalia, and I am the Senior Director of Digital Economy, Technology and Innovation at the Canadian Chamber of Commerce.

I am also the Canadian Chamber's policy lead for the Digital Economy Committee, Future of Artificial Intelligence Council, and Cyber. Right. Now. Council.

As Canada's largest and most activated business network representing over 400 chambers of commerce and boards of trade, as well as more than 100 associations and over 200,000 businesses of every size, from all regions and economic sectors of Canada, the Canadian Chamber is pleased to once again provide feedback on Bill C-26, following our appearance before SECU in February.

I'd like to start off by acknowledging the adoption of some changes the Canadian Chamber had put forward during the Bill's Committee study.

• Deletion of clause 10, thereby restoring due diligence defence
• Removal of the requirement for immediate reporting of cyber security incidents
• Harmonization with existing obligations

I'd also like to acknowledge the recent appointment of Sami Khoury as a Senior Government Official for Cyber Security - a role and responsibility the Canadian Chamber's Cyber. Right. Now. Council had been advocating for over the past two years with the goal to ensure policy coherence, coordination of cybersecurity activities and initiatives, and alignment of resources across the government, all while increasing and improving two-way information sharing which was also a concern we had expressed during our previous appearance.

While we were pleased to see the House SECU Committee conclude their study on Bill C-26, and support the Bill overall, certain amendments are still needed at this stage to ensure the Bill reaches its full potential.

More specifically, with respect to the Telecommunications Act, while we applaud the House for making important changes to the Bill, including a due diligence defence for administrative monetary penalties, we remain concerned that the Bill suggests companies can't be compensated for changes they may have to make under this regime. We believe the Senate should amend the legislation to allow the Minister or Governor in Council to award compensation on a case-by-case basis.

With respect to the CCSPA, our members continue to seek the following improvements:

• Two-way information sharing. As currently drafted, the CCSPA only contemplates one-way information sharing from designated operators to the government. We believe this is a missed opportunity and a potential weakness.

• A clearer definition of a reportable cyber security incident. This will ensure industry is not forced to report events that do not pose a material threat to a vital system. Failure to clearly define the parameters for a reportable incident will undermine the purpose of the ill and overwhelm government authorities, who will have to process and assess each cyber incident reported.

Another key area of concern is the continuing rise of ransomware incidents. In this context, we commend Canada on its involvement in the International Counter Ransomware Initiative (CRI), which includes the development of a CRI Public-Private Sector Advisory Panel.

The following facts emphasize the severity and urgency for more action on this issue:

• The RCMP states that almost 60% of cyber incidents reported to its National Cybercrime Coordination Centre are ransomware attacks.
• The Canadian Centre for Cyber Security calls ransomware "the most disruptive form of cybercrime facing Canada".
• Their most recent National Cyber Threat Assessment report notes that ransomware is the top cybercrime threat facing Canada's critical infrastructure. And Bill C-26 is about protecting Canada's critical infrastructure.

While this Bill will help increase visibility of ransomware and other cyber threats, we believe the issue of ransomware requires more public discussion and study and would encourage the Senate to look into how this scourge is affecting our country beyond the critical infrastructure sectors the federal government has focused on in the Bill.

As more collective action and coordination to combat this growing challenge are required, the Canadian Chamber, together with the Cyber. Right. Now. Council, will be hosting their second cyber security and ransomware Hill Day later this month to discuss these challenges and opportunities with senior government officials from across government departments, ministries and agencies.

To conclude, we'd like to stress the urgency to pass the Bill, so we can move on to developing the regulations and implementation framework. The clock is ticking, and the geopolitical environment continues to get worse, as does cybercrime.

Thank you for listening and for the continued opportunity to participate in the study of Bill C-26.

Public link

Please use the above public link if you want to share this noodl on another website.