Bill C-26 Introductory Remarks for the Canadian Chamber of Commerce
On Monday, February 5, 2024, Beauceron Security CEO and Co-Founder, David Shipley, was invited to provide testimony on Bill C-26 before SECU in Ottawa, Canada.
Good afternoon. My name is David Shipley, and I am the chief executive officer and co-founder of Beauceron Security Inc. I am also the co-chair of the Canadian Chamber of Commerce’s Cyber Council. I am a proud Canadian Forces veteran, having served with the Canadian Army reserve in the 8th Canadian Hussars.
I am not a computer scientist. My expertise and perspective are based on my experience as CEO and co-founder of Beauceron Security. I do not see cybersecurity as a technological issue. It is a people and business risk issue.
I founded Beauceron Security in 2016. We now serve more than 750 organizations in Canada, the United States, Europe, and Africa. We have helped more than 650,000 people learn how to spot, stop, and report cyber-attacks. Beauceron Security has demonstrably reduced individual and organizational cyber risk. Our made-in-Canada solution is used by global banks, national telecommunications carriers, educational institutions, healthcare facilities, governments, and small businesses.
So why does my background and experience matter?
We live in a world where North Korean hackers steal billions of dollars of cryptocurrency to fund nuclear weapons programs. Something that 25 years ago would have sounded too far-fetched to even be the plot of a James Bond movie is all too real and contributing to global instability today.
It is also a world where a Canadian federal government IT worker by day becomes one of the most successful ransomware affiliates by night, making millions as a digital extortionist for an international criminal gang.
I share these real-life examples because they highlight the first point I want to make: when it comes to cyber, anything, even the bizarre, is not just possible, it is the norm. The challenge of managing cyber risk is to balance the incredible creativity of humans with the unpredictability of complex digital systems.
I know for many this topic can be overwhelming. Many feel they do not have the technical background needed to think about these issues. You may also feel this way as legislators wrestling with this law.
This is not a technology issue.
Throughout my career in cybersecurity and as CEO of Beauceron Security, the root cause of every single cyber incident we and our customers have ever had to deal with is always traced back to the combination of people, process, culture, AND technology. Cybersecurity has never been about technology alone and it can never be solved by technology alone.
The story is, has always been, and will continue to be about the relationship between technology, people, and control, which is the actual meaning of the word cyber.
Reducing cyber risk to Canadians will require legislation and a regulatory regime tailored and developed collaboratively at the industry level. These regulations and directives must look at people, process, and culture as well as technology-based risk controls.
I support the need for this legislation. We need this, now more than ever. We are far behind our allies, and we are risking the safety and prosperity of Canadians every day we delay.
This legislation and the accompanying regulatory regimes must ensure a proactive, positive security culture is instilled and maintained within Canada’s critical infrastructure firms. With some fine-tuning, I believe it can accomplish that goal.
I support the recommendations put forward by the Canadian Chamber of Commerce to improve the bill to ensure fairness, effectiveness, and proportionality of the proposed legislation. In addition to their recommendations, I urge this committee to look at the following issues:
Add due diligence defences to proposed administrative monetary penalties. We need to create positive reasons to invest in security and compliance with legislation, not just negative consequences for failure.
Remove personal liability for individuals. At a time of cybersecurity labour shortage and when as many as 75% of the most senior cybersecurity leaders are considering a career change, this will only make things worse and subvert the objectives of this legislation.
Ensure regulators charged with creating industry-specific cybersecurity directives have the skills required to do so effectively. While regulators such as the Office of the Financial Superintendent are experienced, others are being given responsibility for cyber for the first time. This legislation should require government collaboration with industry, such as what has been done with ISED and the Canadian Security Telecommunications Advisory Committee.
Lastly, and considering recent news about Global Affairs, this legislation should limit the amount of sensitive data collected by regulators about cybersecurity defences of Canadian critical infrastructure, lest we inadvertently create a one-stop shop for hostile nation-states and criminals to learn how to cripple these vital sectors and firms.
The opportunity before you with C-26 is to ensure that the Canadian people, through parliament, are in control of the technologies they rely on for the functioning of our society, not the technology itself, not the technology companies alone, and not our adversaries.
I look forward to discussing Bill C-26 with you further this afternoon and answering what questions you may have for me.
Check against delivery.