Parliamentary Committee Notes: Minister Anandasangaree's appearance before the Standing Committee on Transport, Infrastructure and Communities (TRAN)
Canada Infrastructure Bank's financing of new vessels for BC Ferries

Overview Note

General Information

Date: February 25, 2026
Time: 4:30 p.m. to 5:30 p.m.
Location: Room 415, Wellington Building, 197 Sparks St.

Context

Last summer, the Standing Committee on Transport, Infrastructure and Communities (TRAN) convened to examine reports that BC Ferries had contracted a Chinese shipyard to construct four new vessels, supported by $1 billion in low-interest financing from the Canada Infrastructure Bank (CIB). Following the adoption of a motion in July, the Committee met on August 1, 2025, to study the issue, which included testimony from the Minister of Transport and departmental officials.

Production of documents

At its August 1st meeting, TRAN adopted a motion requiring Public Safety (PS), among others, to produce documents related to both Canada Infrastructure Bank's financing of BC Ferries projects and BC Ferries' acquisition of the four new vessels between January 1, 2023 and August 1, 2025. Relevant documents provided by Public Safety to the committee included:

1. A letter from the Minister of Transport to the Minister of Public Safety concerning the BC Ferries project;
2. A letter from the Minister of Transport to her British Columbian counterpart;
3. A meeting note for a bilat between the Deputy Minister (DM) of PS and the DM of Transport Canada on April 30, 2025;
4. A draft response from the Minister of Public Safety to the Minister of Transport.
5. Additional documents related to the above records.

At the time, PS reviewed the documents and determined that some information should be withheld on grounds that releasing this information could pose a threat to Canada's national security interests, including redactions recommended by the Canadian Security Intelligence Service. The approach used was consistent with PS's release of records if they were retrieved as part of an Access to Information Act ATIA request.

Regarding the documents provided to TRAN, committee members may raise concerns about the extent of the redactions and question information indicating that Public Safety lacks the authority to intervene in this matter. They may also seek an update on commitments to review and improve existing processes going forward.

Anticipated parliamentary positions

This BC Ferries issue has been closely monitored by opposition Members of Parliament (MPs) on TRAN and in the House of Commons. While early scrutiny focused on the sequence of events, the federal government's role, and the choice of a China-based shipyard over Canadian alternatives, attention is increasingly shifting toward the implications for Canada's economic security in the context of strengthened ties with China.

You can expect Conservative Party of Canada (CPC) members to concentrate on the government's recent efforts to reset its relationship with China and whether this approach heightens national security risks, echoing the line of questioning you received during your recent appearance at the Standing Committee on Procedure and House Affairs (PROC) on foreign election interference.

Although the Bloc Québécois (BQ) have largely focused on the decision not to procure from Davie Shipbuilding, their members are also beginning to further examine the national security risks associated with foreign acquisitions. For example, at PROC, MP Normandin (BQ) questioned you regarding potential security concerns related to the recently announced agreement involving Chinese-manufactured electric vehicles.

Given that critical infrastructure as well as vehicles fall within TRAN's mandate, you can expect questioning on these topics in context of national security and public safety. Your briefing package includes key messages that directly address these concerns and provide clear, factual context to support your appearance.

Officials

You will be appearing with the following officials:

• Richard Bilodeau, Senior Assistant Deputy Minister (SADM), National Security and Cyber Security Branch (NCSB), PS
• Vanessa Lloyd, SADM and Deputy Director, Operations, Canadian Security Intelligence Service (CSIS)

Opening Remarks

At the beginning of the meeting, the Chair will invite you to deliver opening remarks lasting approximately 5 minutes.

Your proposed opening remarks highlight the economic impacts of cyber incidents, and the work being advanced through Bill C-8, An Act Respecting Cyber Security. Your remarks also address the jurisdictional considerations regarding Public Safety's national security role in these type of situations, clarifying that while Public Safety Canada does have authority to conduct security reviews of foreign direct investment under the Investment Canada Act, it does not review procurement decisions, such as this one.

Rounds of Questions

Questions from Committee members will follow with the rounds of questions to be as follows:

First Round of Questions:

• Conservative Party, six minutes.
• Liberal Party, six minutes.
• Bloc Québécois, six minutes.

Second and Subsequent Rounds of Questions:

• Conservative Party, five minutes.
• Liberal Party, five minutes.
• Bloc Québécois, two and a half minutes.
• Conservative Party, five minutes.
• Liberal Party, five minutes.

Speaking Notes for The Honourable Gary Anandasangaree
Minister of Public Safety

Hello,

I'd like to start by acknowledging that we are meeting on the traditional and unceded territory of the Algonquin Anishnaabeg People.

Thank you, Mr Chair and members of the committee, for inviting me here today. à

Many British Columbians, especially in coastal communities, rely on ferries as modes of transportation for connection to the mainland.

The decision by BC Ferries last year to procure its new ferries offshore was a decision made by the province, after conducting their own due diligences, to accommodate growing demand and need for service.

The committee is understandably concerned about the implications of this deal on national security.

While Public Safety Canada does have authority to conduct security reviews of foreign direct investment under the Investment Canada Act, it does not review procurement decisions at the provincial level, such as this one.

Therefore, we would not have had the authority to conduct a national security review in this case.

Only after outreach from Transport Canada did Public Safety officials engage with BC Ferries.

BC Ferries had already made their procurement decision.

The Government is undertaking a number of initiatives to strengthen our national security and sovereignty in the face of ever-changing and ever-increasing threats.

We continually examine how to protect–and promote–Canada's economic security.

This includes expanding both domestic and international collaboration as well as identifying key areas of engagement and focus. Maintaining and bolstering economic security is crucial to our growth and our sovereignty.

This requires a whole-of-government approach across all levels of government, industry, Indigenous communities and partners, academia, and international allies.

Mr. Chair, once again, thank you for the invitation to appear at committee today. I welcome questions from the committee.

Key Messages

Purchase of BC Ferries

Public Safety Canada took action once it became aware of the situation.

• PS officials engaged with BC Ferries (May 27, 2025) following the outreach from Transport Canada.
• BC Ferries had already made their procurement decision (March 31, 2025) and were looking for support on managing the contract and relationship with the contractor going forward.

Economic security is a key government priority.

• Canada has expanded its economic security toolkit, giving us the guardrails we need to engage more confidently with a wider range of international partners. This includes measures like updating the Investment Canada Act, introducing the STRAC (Sensitive Technology Research and Affiliations of Concern) Policy, and setting out Canada's Sensitive Technology List.
• More recently, a national security review process has been put in place for major projects under the Building Canada Act.

Economic security is a shared responsibility across different orders of government as well as the private sector.

• The government is advancing important legislation related to cyber security that will raise the level of cyber security in key federally-regulated sectors.
• The intent of this legislation is also to serve as a model to further secure critical infrastructure that falls outside federal jurisdiction.

Cyber and Economic Security

Canada's critical infrastructure is under threat.

• Over 1,400 cyber incidents targeting critical infrastructure last fiscal, almost 20% higher than the previous year.
• Annual cost of incidents to Canada's economy is C$5 billion.
• Average ransom paid in 2023 was C$1.1 million, a 150% increase over two years.

Our critical infrastructure is highly interlinked.

• 2022 Rogers outage lost services to 12 million customers
• Bill C-8 is designed to aid operators with improving resilience to cyber threats by critical infrastructure in four sectors: finance, telecommunications, energy and transportation.

Public Safety is strengthening Canada's economic security by taking a whole-of-economy view.

• The federal government engages with other orders of government and the private sector to discuss economic security concerns or issues.
• The Canadian Security Intelligence Service (CSIS) can also directly engage with stakeholders to brief on specific threat vectors.

Foreign Interference

We're moving quickly to implement the Foreign Influence Transparency and Accountability Act (FITAA).

• We have identified former British Columbia chief electoral officer Anton Boegman for the position, and Parliament is currently studying the nomination.
• On January 3rd, proposed Regulations were published in the Canada Gazette, Part 1 for public consultation.
• IT requirements for registration will be ready on the day the Act comes into force.

We're building a strong, transparent framework to protect Canada's democracy.

• The information collected aims to ensure transparency, while preserving privacy.
• We propose to establish a penalty of up to $1 million dollars.
• Alternatively, as per FITAA, a person may be liable for a summary or indictable offence.

Intelligence systems are stronger, Parliamentarians are safer, and communities are engaged

• We've improved how the Government handles intelligence and implemented enhanced systems for routing and tracking.
• We've increased our work with civil society, particularly in combatting disinformation, which poisons our digital ecosystem

Economic-Based Threats to Critical Infrastructure (Shipping, Maritime, Supply Chains)

QP Notes

Q1 - You have assured the former minister of Transport that your officials were engaging with British Columbia (BC) "to support them in addressing security risks as the building process moves forward". When exactly did Public Safety Canada (PS) first become engaged on the BC Ferries file, what prompted that initial involvement, and how will you support them moving forward

• PS officials engaged with BC Ferries following the outreach from Transport Canada.
• BC Ferries had already made their procurement decision and were looking for support on managing the contract and relationship with the contractor going forward.

Q2 - The documents you produced to this committee show the former Transport Minister wrote on June 18, 2025 asking you to ensure a 'thorough review' of security implications. What specific work did your department complete in response, and what findings did you share

• Public Safety has an important role in coordinating the national security review of foreign investment process under the Investment Canada Act. It does not review procurement decisions at the provincial level.
• BC Ferries was more interested in discussing how best to manage the contract and relationship with the contractor going forward.

Q3 - Documents provided to the committee include a note prepared for your Deputy Minister that explicitly identifies national security concerns arising from this transaction, including risks related to supply chain disruption and the proximity of BC Ferries routes to sensitive federal assets. Given the seriousness of these concerns, what steps did your department take to assess and address these risks once they were identified

• The briefing note did not address specific concerns regarding the BC Ferries procurement. Rather it focused on the line of questioning Public Safety generally asks in the early stages of Investment Canada Act evaluations.
• Subsequent engagement with BC Ferries led to discussions on the management of the build given that the procurement decision had already been taken.

Q4 - This issue has highlighted areas where information-sharing between departments could be improved. What actions are being undertaken to enhance these processes and reduce the likelihood of similar issues arising

• Public Safety Canada works in collaboration with other government departments and agencies, as well as other orders of government, to understand the economic security threat landscape as issues are brought to its attention.
• Identifying and mitigating risk also depends on other jurisdictions flagging potential questions proactively.

Q5 - Your officials have stated in email exchanges there is presently no authority for a national security review in this case, and that Public Safety is exploring a greater role within the economic security space to enhance Canada's ability to address national security threats to our economy. Can you provide an update on this work

• The department regularly assesses the effectiveness of our current toolkit and advises on potential improvements.
• Specifically related to this type of investment, there is ongoing work to identifying and better safeguarding critical infrastructure, and to identify potential gaps in our current economic security toolkit.
• All these areas of work depend heavily on collaboration with other government departments.
• As you know, the government is also sponsoring important legislation related to cyber security, that will raise the level of cyber security in key federally-regulated sectors.

Q6 - What is the government's overall intent for strengthening Canada's economic security

• Economic security is a key government priority. For example, within the federal government responsibility, a national security review process has been put in place for major projects under the Building Canada Act.
• The government's investments in domestic capacity and autonomy are all part of that overall approach.
• While the government is seeking to diversify trade and bring in additional investments including from non-traditional partners, economic security guardrails continue to be important.
• Those guardrails include foreign investment screening.
• In addition, the government is also sponsoring cyber security legislation which is currently being studied by the Standing Committee on Public Safety and National Security.
• Further work is ongoing in terms of critical infrastructure and what additional economic security measures may be required.
• Additional measures to mitigate risks may come from another department or minister that has the appropriate mandate and authorities in a specific sector of concern, such as transport, natural resources, and finance.

Q7 - Your department warns about People's Republic of China-linked (PRC) economic and cyber threats, including the risk of suppliers subject to extrajudicial direction, yet the Prime Minister (PM) just announced a strategic partnership with the PRC. Has your department changed its national security posture with respect to these threats between the production of documents and now

• Our risk assessments have not changed. The strategic partnership announced by the PM acknowledges that there will be some areas of cooperation that may be more difficult.
• For example, the PM mentioned guardrails in regards to sectors such as Artificial Intelligence, critical minerals, and defence.
• Economic factors together with considerations of national security continue to be at the center of Canada's approach to counter and mitigate risks related to increased commercial engagement regardless of country of origin.
• Over recent years Canada has taken steps to strengthen our resilience and to bolster our economic security toolkit (e.g. modernization of the Investment Canada Act, adoption of the Sensitive Technologies Research and Affiliations of Concern (STRAC) Policy, the release of Canada's Sensitive Technology List, etc.)
• In addition, as part of the Building Canada Act, Public Safety is supporting national and economic security considerations in the government's objective of building the economy.
• These national and economic security guardrails have been instrumental in positioning Canada to better engage with a greater range of countries and will therefore remain in place and continue to inform our approach going forward.

Q8 - How can Canadians trust that national security isn't being sidelined by commercial priorities

• Economic factors together with considerations of national security continue to be at the center of Canada's approach to counter and mitigate risks related to increased commercial engagement regardless of country of origin.
• Over recent years, Canada has taken steps to strengthen our resilience and to bolster our economic security toolkit (e.g., modernization of the Investment Canada Act, adoption of the Sensitive Technologies Research and Affiliations of Concern (STRAC) Policy, the release of Canada's Sensitive Technology List, etc.)
• In addition, as part of the Building Canada Act, Public Safety is integrating national and economic security considerations in supporting the government's objective of building the economy.
• These economic and national security guardrails have been instrumental in positioning Canada to better engage with China and will therefore remain in place and continue to inform our approach going forward.

Q9 - Were you and your department consulted prior to the Prime Minister's decision to commit Canada to a strategic partnership with the PRC? Have you or your department reassessed its risk assessment(s) as a result of these strategic partnerships

• The strategic partnership is a reflection of the reality in terms of the need to diversify relationships on trade and investment.
• Our risk assessments have not changed. The strategic partnership announced by the PM acknowledges that there will be some areas of cooperation that may be more difficult.

Q10 - Can you explain the safeguards in place so this strategic partnership does not compromise Canada's national security

• The foreign investment review process under the Investment Canada Act will continue as before, under which foreign investment transactions are reviewed on a case-by-case basis.
• Similarly, Public Safety has research security measures in place, along with other government department levers that can help to identify, prevent and/or mitigate against risks.
• Additional safeguards in specific sectors may be necessary.
• The department is also leading an effort to identify critical infrastructure of national significance which can contribute to a clarification of authorities and stronger response mechanisms in dealing with economic security and other threats.

Q11 - What steps has your department taken to strengthen that coordination and work with provinces to align approaches to security

• The department and portfolio engages with provincial, territorial and private sector stakeholders across Canada to raise awareness and coordinate efforts on key issues.
• Public Safety engages on a wide range of economic security issues, such as foreign investment, research security, cyber security and critical infrastructure.

Q12 - In a note provided to your Deputy Minister, one of the identified concerns has been entirely redacted. Without disclosing classified information, can you explain to the committee, the nature of that concern and provide assurance that Public Safety Canada took appropriate steps to ensure it was properly assessed and addressed

The department advised the Deputy Minister on a range of questions and issues such as the structure of the transaction, the foreign entities involved in construction, details such as ultimate shareholder involved in those entities and the routes that the vessels will be using.

Q13 - You were quoted in the media recently that you do not share Premier Doug Ford's concerns about the cyber security of Chinese Electric Vehicles (EVs). Do you wish to elaborate

• As I mentioned, any vehicles that come in will have to abide by Canadian standards.
• There are security risks to be cognizant of with respect to a range of connected devices – mobile devices, networking equipment, video surveillance cameras, port cranes, drones, connected vehicles, etc.
• At the same time, there are important guardrails, some of which are already in place, others requiring further development and implementation, to minimize or mitigate against these risks.
• The Canadian security and intelligence community works diligently to assess and advise on measures to address threats to the security of Canada and Canadians.
• The Government of Canada will continue to invest in cyber security and take action to protect Canadians from cyber security threats, including those from AI and emerging technologies.

Bill C-8 and Public Safety Canada's Role in Risk Response

QP Notes

Q1 - How will the passage of Bill C-8 strengthen Canada's critical infrastructure risk response

• The Critical Cyber Systems Protection Act (CCSPA), found in Part 2 of Bill C-8, will be implemented collaboratively by six departments and agencies – Public Safety Canada; Innovation, Science, and Economic Development Canada (ISED); Transport Canada; Natural Resources Canada; Department of Finance and Communications Security Establishment – across the Government of Canada in recognition that cyber security is a horizontal issue that should have the same objectives and be addressed through a streamlined Government response across sectors.
• The purpose of the CCSPA is to protect the critical cyber systems that underpin Canada's critical infrastructure (CI) in the finance, telecommunications, energy and transportation sectors by establishing a regulatory framework to improve cyber security for services and systems that are vital to national security and public safety.
• Schedule 1 of the Act designates services and systems that are vital to the national security or public safety of Canadians. Currently, Schedule 1 includes:
  • Telecommunications services;
  • Transportation systems;
  • Banking systems
  • Clearing and settlement systems; and
  • Interprovincial or international pipeline and power line systems; and,
  • Nuclear energy systems.
• Schedule 2 of the Act will define Classes of Operators of the Vital Services and Systems identified in Schedule 1, as well as the responsible regulator for that class. Operators captured in a class are designated operators subject to the Act.

Q2 - Why were these four sectors chosen? Could Bill C-8 be expanded to other sectors

• The finance, energy, telecommunications and transportation sectors are largely federally regulated and were prioritized due to their importance to both Canadians and other sectors, and the impacts potential interruption would have on our daily lives.
• These four sectors serve as the foundation for Canada's economic and national security.
• Laying the framework in these key sectors first allows for future adoption by other sectors that are partially or fully provincially regulated.
• Following Royal Assent, the Governor in Council has the authority to add other federally regulated vital services and systems to Schedule 1, making them subject to the CCSPA. This includes those portions of water services that are federally regulated.

Q3. What were some of the findings of the Government's 2022 5G security examination

The examination found risks will be more difficult to contain in 5G networks because of their higher degree of interconnectedness of sensitive network functions. Of particular concern, applicable to any vendor, is a requirement to obey extra judicial direction, as is the case with Huawei and ZTE.

Q4 - Can Bill C-8 defend against emerging cyber threats such as Artificial Intelligence

The CCSPA is designed to be able to adapt and improve Canada's ability to defend and protect against cyber threats from evolving technology, such as Artificial Intelligence (AI).

Q5 - How could a future decision on whether to restrict high risk suppliers from 5G networks affect Canada's rural communities' ability to access the Internet

• Bill C-8 is designed to avoid negative impacts on Internet access in rural markets and takes into consideration the modest capabilities of smaller providers.
• Any future order made under C-8 would be subject to consultation with affected entities. Additionally, the legislation requires the Governor in Council and the Minister of Industry to consider a series of factors before making an order, including the operational and financial impacts on telecommunications service providers (TSPs), and effects on the provision of telecommunications services.
• The Government also intends to engage with industry throughout the implementation of such measures to ensure they appropriately take into consideration logistical realities and the need to maintain the resiliency of networks in Canada.
• In 2022, the proposed restriction on high-risk suppliers for 4G and 5G networks provided timelines that allow for replacement of equipment by 2027. This allows for predictability and changes in accordance with capital upgrade cycles.

Q6 - How has the government engaged with stakeholders to address key concerns? Was the Privacy Commissioner consulted

Consultations on this Bill began when it was first introduced as Bill C-26, and included the Privacy Commissioner. Feedback from stakeholders led to key amendments, such as clearer privacy protections, reporting requirements, and due diligence provisions, all of which remain in the current version of the bill.

Q7 - Could the CCSPA apply to provincially and territorially regulated critical infrastructure

• The legislative framework only applies to federally regulated services and systems in the finance, energy, telecommunications, and transportation sectors.
• The legislation can serve as a model for provinces and territories to help secure critical infrastructure outside of federal jurisdiction.

Q8 - How will the CCSPA interact with existing provincial/territorial cyber security laws and regulations

• CCSPA obligations apply only to the portions of infrastructure that are federally regulated, provinces and territories would continue to regulate infrastructure within their respective jurisdictions.
• The Government will work collaboratively with provincial and territorial governments during regulation making to ensure harmonization and avoid duplication.

Q9 - Are there laws with similar fine amounts to those in Bill C-8

• The fine amounts were replicated from existing legislation. For example, under the Radiocommunications Act, cases of non-compliance can result in administrative monetary penalties of up to $15 million.
• Similar regimes internationally allow for comparably large penalties, because the impact of cyber incidents can be immense, and the types of entities targeted by these penalties – like TSPs – can have very significant revenues. Maximum penalties are set high enough to ensure billion dollar companies take compliance seriously.
• In the case of Part 1, the Government must give due consideration to a number of factors when determining a penalty, including "the person's ability to pay the penalty".
• In the case of Part 2, it is envisioned that regulators will work with operators in their respective sectors to determine the penalty amount, by considering the history of compliance or the nature of the violation.
• There are also off-ramps available to designated operators, including entering into a compliance agreement with the regulator, who may then reduce the penalty in whole or in part.
• Finally, in both cases, maximum penalties are set high enough to promote compliance, and not to punish.

Q10 - Why doesn't Bill C-8 provide sufficient cyber security authorities for vehicles

• The CCSPA would provide a framework to protect cyber systems and services by setting requirements for designated operators of federally regulated critical infrastructure in Canada. As such, this would not include vehicle importers, retailers, and manufacturers.
• However, in the 2024 Fall Economic Statement the Government recognized and is considering options to address the potential security risks associated with technology and components that enable vehicle connectivity. The Government also previously sought comments on vehicle security through its public consultations on unfair trade practices in electric vehicles.

Q11 - It was recently revealed that other countries (Norway, Denmark, UK) are examining the cyber security of public transportation vehicles manufactured in China. Are you aware of any similar concerns in Canada

• The Government of Canada is aware of these concerns, and its priority is the safety and security of Canadians at home and abroad. Connected technologies such as mobile devices, networking equipment, surveillance systems, drones, and connected and automated vehicles present security risks that must be carefully managed.
• Canada's security and intelligence community works diligently to assess threats and provide advice on measures to protect the security of Canada.
• Several important guardrails are already in place to mitigate or minimize risks from connected vehicles, yet additional measures will be required. Public Safety Canada continues to work closely with partners and stakeholders to advance these efforts and ensure that Canada's security posture remains strong.
• Complementary initiatives to the CCSPA will be essential to further strengthen Canada's cyber resilience as the Act does not apply to motor vehicles.
• The Government of Canada remains committed to investing in cyber security and taking action to protect Canadians from cyber threats, including those arising from artificial intelligence and other emerging technologies.

Q12 - Why doesn't the Critical Cyber Systems Protection Act (CCSPA) have safe harbour provisions

• Safe harbour provisions are outside the scope of this legislation.
• A safe harbour regime is typically established when the requirement to report cyber incidents is voluntary and offers legal protections that reduce the legal risks of disclosing information.
• The CCSPA creates a mandatory incident reporting regime that already includes mechanisms to protect the confidentiality of the information that must be shared with the government. As such, it is not expected to expose designated operators to any additional risk of liability.

Q13 - Why doesn't CCSPA include federally regulated water

• The majority of water regulation, especially concerning usage, allocation, and local quality standards, is managed by municipalities.
• The Government of Canada is prioritizing the energy, finance, telecommunications, and transportation sectors because they are federally regulated, essential to Canadians' daily lives, and tightly interconnected with other critical sectors. This means that any disruption in these sectors could significantly affect public safety and national security.
• The Governor in Council has the authority to add other federally regulated vital services and systems to Schedule 1, making them subject to the CCSPA. This includes those portions of water services that are federally regulated.

Q14 - Why doesn't incident reporting require a Ministerial Authorization

• The CCSPA does not include a requirement for CSE to obtain a Ministerial Authorization for the Communications Security Establishment (CSE) to receive mandatory incident reporting because the activity would not contravene Canadian law or interfere with a reasonable expectation of privacy.
• The information that will be contained in the incident report will be specified through the regulatory process, consulted with stakeholders such as the Intelligence Commissioner, and published in the Canada Gazette II.
• CSE already receives voluntary incident reporting from critical infrastructure operators and other partners, which it manages under its current regime and authorities. CSE's robust privacy protection measures are managed under its internal operational policy regime, which equally applies to information disclosed to CSE.
• If an incident report indicates that an entity requires additional support from CSE, any subsequent CSE activities, including the handling of related information, would be governed by CSE's existing mandate and legislation, including the need for ministerial authorization where applicable, which would be done under the existing oversight regime of the Intelligence Commissioner.
• Bill C-8 does not grant CSE new powers, nor does it change CSE's mandate or the oversight role of the Intelligence Commissioner. Operational activities like this are already subject to a robust system of accountability and oversight governing CSE including review of our work by the National Security and Intelligence Review Agency, the National Security and Intelligence Committee of Parliamentarians, and the Privacy Commissioner, the Auditor General, the Canadian Human Rights Commission, and the Commissioner of Official Languages. Further, within CSE, our own internal Audit and Evaluation program regularly examines our activities and makes recommendations for improvement.

Combatting Foreign Interference – Anticipated Questions

QP Notes

Q1 - The Foreign Influence Transparency and Accountability Act (FITAA) received Royal Assent in June 2024, but its core provisions are still not in force. Why has the Government delayed bringing FITAA into effect

• There are three key pieces needed for the Act to come into force:
  • Appointment of a Foreign Influence Transparency Commissioner (Anton Boegman nominated);
  • Development of regulations which set out the detailed requirements for registration, exemptions and compliance; and
  • Development of a secure IT solution to support the Registry.
• Work is underway on all aspects and to ensure the Act is brought into force as soon as possible. Similar efforts in allied countries have taken over two years to implement.

Q2 - When will the Foreign Influence Transparency Commissioner be appointed, and what is the timeline for establishing the Commissioner's Office (FITCO)

• We have identified former British Columbia chief electoral officer Anton Boegman for the position, and the Government is moving forward with the necessary steps to confirm suitability.
• Under section 9(2), the Commissioner's appointment requires approval by resolution of both the Senate and the House of Commons.
• Before this approval, consultations must be held with:
  • Leader of the Opposition;
  • Leaders of each party with at least 12 members in the House of Commons
  • Leader of the Government and the Leader of the Opposition in the Senate; and,
  • Leaders of every other recognized party or parliamentary group in the Senate.
• Following successful consultations, appointment is done through Governor-in-Council decision.
• Work is ongoing to hire the staff needed to run the Office, set up the Commissioner's website and secure office space.

Q3 - When will the Registry and its case management system be operational, and how will it ensure timely public disclosure of foreign influence activities

• Individuals who have an arrangement with a foreign principal will be able to submit their registration the first day of the Act being in force. As registration information is provided, the Commissioner's Office will review the submissions and populate the public registry.
• The proposed regulations outline a comprehensive list of information that will be published online, informing the public about ongoing foreign influence activities. The information proposed to be disclosed includes registrant information, details about the foreign principal, and details about the foreign influence activities.

Q4 - The proposed regulations under the Act have now been pre-published in the Canada Gazette. Can the Minister outline the key elements of the regulations regarding registration

• The proposed regulations identify the types of information to be collected, including details about the registrant, the foreign principal, and foreign influence activities. This information is necessary to understand who is involved in the arrangement and the types of influence activities which will be undertaken.
• The proposed regulations specify what information will appear on the Registry for public viewing. By providing these key details about influence activities, the public will gain greater awareness.
• The regulations prepose clear timelines for updating registration information, notably that changes to submitted information need to be recorded the month after they occur.

Q5 - Can the Minister outline the key elements of the regulations regarding compliance

• The proposed regulations outline the Administrative Monetary Penalties regime, including the penalty range and factors that determine the final amount. This regime will provide the Commissioner with tools to enforce the Act and address noncompliance.
• Regulations propose a penalty range of $50 to $1 million. This range allows the Commissioner to consider a person's history of compliance with the Act, the severity of the harm to transparency, and the person's capacity to pay prior to levelling the penalty.
• The Commissioner would also have the option to enter into compliance agreements with individuals in contravention of the Act, which would allow for reduced or no penalties if the person meets the specified conditions. Ultimately, the goal is to encourage compliance and to not be overly punitive.

Q6 - Can the Minister outline the key elements of the regulations regarding exemptions to the Act

The regulations currently outline anyone who has an arrangement with a foreign principal to influence a Canadian political or governmental process will be required to register. The regulations include no further exemptions in addition to the diplomatic elements already outlined in the Act.

Q7 - What feedback has the Government received so far on the proposed regulations, and can the Minister speak to any major themes or concerns raised during the comment period

• Individuals had until February 2, 2026, to comment on the proposed regulations. We are still reviewing the feedback received.
• The Government will maintain ongoing engagement with stakeholders, including the diaspora community, to ensure the regime remains fair, transparent, and responsive.

Q8 - How will the Government incorporate stakeholder input—especially from diaspora communities, civil society, and privacy experts—before finalizing the regulations

The regulations were published in Canada Gazette Part I for a thirty-day comment period, which closed on February 2, 2026. The Government will incorporate this feedback to improve the regulations and ensure they align with the goals of FITAA. Public Safety (PS) continues to engage with diaspora communities, civil society, and privacy experts on a regular basis. Furthermore, these groups have been informed of the published regulations so that they may provide additional input.

Q9 - FITAA creates obligations for registration and transparency, but how will the Government ensure compliance and enforce these requirements in practice? Specifically, what approach will be taken to investigations, timelines, and penalties once the Act is operational

• The foremost goal of FITAA is to encourage compliance. The Commissioner will play a key role as an educator, informing the public of registration obligations with the goal of increasing transparency.
• FITCO will also have teams that will be able to support any queries from the public, or registrants to assure that those that need to register have the opportunity to ask questions and do so before any enforcement action is taken.
• FITAA has clearly defined violations that will lead to enforcement. These include:
  • Failing to provide information about the arrangement;
  • Failing to update the information;
  • Providing false or misleading information to the Commissioner; and,
  • Obstructing the Commissioner.
• An enforcement mechanism available to the Commissioner is the Administrative Monetary Penalties, which the regulations propose to range from $50 to $1 million. Factors that determine the final penalty amount include:
  • The person's history of compliance with the Act;
  • The impact of the violation, including the severity of actual or potential harm to the transparency of foreign influence activities;
  • Whether the violation was intentional or inadvertent;
  • The person's capacity to pay; and
  • Following the issuance of a notice of violation to the person, their responsiveness and cooperation with the Commissioner.
• In the event of more serious noncompliance, it may lead to fines of up to $5 million, jail time of up to 5 years, or both.

Q10 - Has the Government conducted pre-consultations with stakeholders, and what ongoing engagement is planned

• During pre-consultation, the Government met with different groups to incorporate their input through over 37 engagement activities. This input was instrumental in determining many aspects of the regulations including which information should be collected from registrants.
• In addition, with the proposed regulations being pre-published in the Canada Gazette Part I, groups have been informed so that they can provide further input.  

Q11 - How will FITAA's framework comply with the Charter and privacy laws, and what safeguards will protect sensitive personal and national security information

• Freedom of expression and association is an important part of Canadian culture. Registration requirements do not interfere with this right. Instead, registration promotes transparency regarding foreign influence activities.
• FITAA will comply with applicable privacy laws by obtaining consent and ensuring that the only information collected is that which helps the Commissioner—and Canadians—understand who is involved, which political or governmental process is targeted, and what the influence activities are.
• Only information pertinent to understanding the arrangement, and that would not undermine people's right to privacy, will be published. For instance, a home address is important for contact purposes but, as it is not relevant for public awareness and would undermine a person's privacy, it will not be published.
• We are working to ensure that all information is safeguarded. We will remain fully compliant with all applicable privacy and data protection requirements.

Bill C-8: An Act Respecting Cyber Security High Level Overview

Part 1: Telecommunications Act (TA) Amendments

General

• The TA would be amended to add "to promote the security of the Canadian telecommunications system" as a policy objective.
• An order making power tied to that objective would be created for the Governor in Council (GIC) and Minister of Industry that could be used to compel action by Canadian Telecommunications Service Providers (TSPs), if deemed necessary to secure the Canadian telecommunications system against any threat, including that of interference, manipulation, disruption or degradation.
• The legislation would require both the GIC and Minister of Industry to consult as appropriate before making any order. Further, the legislation includes a series of factors that the GIC and Minister of Industry must consider before making an order, including the operational and financial impact on affected TSPs, and the effect on the provision of telecommunications services in Canada.
• With these authorities, the Government would have the ability to take security-related measures to protect the telecommunications system, much like other federal regulators can do in their respective critical infrastructure sectors.
• Innovation Science and Economic Development (ISED) will exercise regulatory responsibilities, and an administrative monetary penalty (AMP) scheme would be established and administered to promote compliance with orders and regulations made by the GIC or Minister of Industry.
• Once amendments to the TA receive Royal Assent, GIC or Ministerial Orders could be issued to TSPs.
• TSPs that receive an order would be able to seek judicial review if they wish to challenge any part of it (see section on 'Judicial Review' below).

Part 2: Critical Cyber Systems Protection Act (CCSPA)

General

• The CCSPA will be implemented collaboratively by six departments and agencies – Public Safety Canada, ISED, Transport Canada, Natural Resources Canada, Department of Finance and Communications Security Establishment – across the Government of Canada in recognition that cyber security is a horizontal issue that should have the same objectives and be addressed through a streamlined Government response across sectors.
• The purpose of the CCSPA is to protect the critical cyber systems that underpin Canada's critical infrastructure (CI) in the finance, telecommunications, energy and transportation sectors by establishing a regulatory framework to improve cyber security for services and systems that are vital to national security and public safety.
• Schedule 1 of the Act designates services and systems that are vital to the national security or public safety of Canadians. Currently, Schedule 1 includes:
  • Telecommunications services;
  • Transportation systems;
  • Banking systems and clearing and settlement systems (financial sector); and
  • Interprovincial or international pipeline and power line systems and nuclear energy systems (energy sector).
• Schedule 2 of the Actwill define Classes of Operators of the Vital Services and Systems identified in Schedule 1. Operators captured in a class are designated operators subject to the Act.
• Minister of Public Safety (PS): In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister will have overall responsibility for the legislation, and lead a number of CCSPA-related processes including regulatory development and implementation.
• Governor in Council: Decision-making by GIC under the CCSPA ensures that a broad range of relevant factors – including national security, economic priorities, trade, competitiveness, international agreements and commitments – are considered when making decisions that have an impact across sectors.
• Other Ministers: Other involved ministers would be responsible for aiding in the development of regulations, participating in policy-related discussions for the issuance of Cyber Security Directions (CSD), and actively engage there regulators and share information where necessary for the administration of the Act.
• Regulators: The CCSPA leverages regulators' expertise and relationships with entities they already regulate under existing legislation.^{Footnote 1} Schedule 2 of the CCSPA will identify both the classes of designated operators as well as the regulator responsible for enforcing the CCSPA for each class.
• Canadian Centre for Cyber Security (Cyber Centre): The Cyber Centre is responsible for receiving reports of cyber security incidents under the CCSPA to allow it to use this information to help inform the Government and all cyber system operators of cyber security threats, and of how to better prepare, protect against and recover from cyber incidents. They will receive resources to provide advice, guidance and services to:
  • Designated operators in order to help them protect their critical cyber systems;
  • Regulators in support of their duties and functions to monitor and assess compliance; and
  • Public Safety and lead departments and their ministers as required, to support them in exercising their powers and duties under the Act.

Obligations of Designated Operators

Cyber Security Program

• The CCSPA will require designated operators to establish a Cyber Security Program (CSP) that documents how the protection and resilience of their critical cyber systems will be ensured.
• CSPs must be established by designated operators within 90 days of them becoming subject to the Act (i.e. when they fall into a class of designated operators published in Schedule 2 of the CCSPA). Once established, the CSP must be implemented, and must also be maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology.
• CSPs must include steps to:
  • Identify and manage organizational cyber security risks, including risks associated with the operator's supply chain, and the use of third party products and services;
  • Protect their critical cyber systems from compromise;
  • Detect cyber security incidents affecting, or with the potential to affect CCS; and
  • Minimize the impact of cyber security incidents affecting critical cyber systems.

Mitigation of Supply Chain Risks

With the increasing complexity of supply chains^{Footnote 2}, and increased reliance on the use of third party products and services (for example cloud based data storage or infrastructure-as-service), designated operators can be exposed to significant cyber security risks from those sources. When, through its CSP, a designated operator identifies a cyber security risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA requires that designated operator to mitigate those risks.

Mandatory Reporting of Cyber Security Incidents

• Under the CCSPA, designated operators will be required to report cyber security incidents affecting or having the potential to affect their critical cyber systems to the Communications Security Establishment, for use by the Cyber Centre.
  • A threshold defining this reporting obligation will be set in regulations.
• This new obligation will provide the Government of Canada with a reliable source of information about cyber security threats to critical cyber systems. The availability of incident reports will enhance visibility into the overall threat environment for the Cyber Centre as well as regulators' awareness of threats and trends.
• Findings from the analyses of incident reports will make it possible for the Cyber Centre to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and to inform Canadians of cyber security risks and trends, allowing one organization's detection to become another's prevention.

Cyber Security Directions

• Through a variety of mechanisms, the Government of Canada can be made aware of potential risks to national security or public safety that result from cyber security vulnerabilities and associated threats to critical cyber systems and the vital services or systems that they underpin.
• The CCSPA would create a new authority for the Government: under the Act, the Governor in Council (GIC) can issue Cyber Security Directions (CSD) to direct any designated operator to comply with a measure, should the GIC believe on reasonable grounds that a CSD is necessary, in order to protect a critical cyber system. Before making an order, the GIC must also consider relevant factors, like operational and financial impacts.
• CSDs would apply to specific designated operators or to certain classes of designated operators, and require those designated operators to take the measures identified in the CSD for the purpose of protecting a CCS, and do so within a specific timeframe (e.g. "operator A must take measure X within 30 days"). The designated operator is not permitted to disclose information around the CSD to protect confidential information of designated operators and prevent follow on exploitation of vulnerabilities.
  • A designated operator who fails to comply with a CSD could be subject to an AMP or face a regulatory offence that can lead to fines or imprisonment.
  • A designated operator subject to a CSD would be able to apply to the Federal Court of Canada to seek judicial review.

Judicial Review

• The Countering Foreign Interference Act amended the Canada Evidence Act to create a harmonized secure administrative review proceedings (SARP) regime for protecting and using sensitive information in Federal Court and Federal Court of Appeal proceedings, which now applies broadly to federal legislation, including Bill C-8.
• The SARP regime allows a judge to utilize sensitive information in their decision making while ensuring the continued protection of the information from public disclosure. They are permitted to appoint a special counsel if they are of the opinion that the considerations of fairness and natural justice require it. Lastly, it requires a summary of the confidential information to be provided to the non-governmental party to ensure they are reasonably informed.
• In addition to the provisions of the SARP regime which will apply to Bill C-8, the Minister of Industry for Part 1, and the Minister of Public Safety for Part 2, are provided the ability to withdraw evidence during a judicial review. There is also a requirement for the judge to ensure the confidentiality of all evidence including information withdrawn by the Minister.

Bill C-8: Cyber Incidents Targeting Canada's Critical Infrastructure (2023-2025)

Key Messages

• Cyber threats continue to increase in frequency, complexity and sophistication. The risk to public safety, national security, and the economy is real and rising.
• Cyber incidents cost Canadians dearly, disrupting essential services, exposing sensitive data, and driving up business costs.
• Just in recent months, we've seen high profile incidents including a ransomware attack on Nova Scotia Power and a breach of WestJet's servers and software systems.
• And the 2021 ransomware attack on the Colonial Pipeline, a major U.S. fuel pipeline, demonstrated how cyber incidents on critical infrastructure can have immediate and serious societal and economic impacts, including widespread fuel shortages, price spikes, and public panic.

Key Statistics

• There has been a significant rise in incidents targeting Canada's critical infrastructure.
  • In 2024–25, there were 1,406 cyber incidents against critical infrastructure, an average of almost four incidents every single day. That's nearly 20% more than the 1,175 reported the year before.^{Footnote 3}
• Ransomware is the top cybercrime threat facing Canada's critical infrastructure
  • In 2023, ransomware incidents rose 159% in telecommunications, 157% in finance, and 67% in the energy sector compared to the previous year.^{Footnote 4}
• Every cyber incident comes at a cost to Canadians, to businesses, and to the economy.
  • Cyber incidents cost Canada's economy C$5 billion annually.^{Footnote 5}
  • Recovery costs for Canadian businesses doubled from C$600 million in 2021 to C$1.2 billion in 2023.^{Footnote 6}
  • Canadian organizations pay an average of nearly C$7 million per data breach.^{Footnote 8}
  • In 2023, the average ransom paid in Canada in 2023 was C$1.1 million.^{Footnote 4}
• Cyber incidents put our sensitive data at risk.
  • In Fiscal Year (FY) 2024–25, private-sector organizations reported 693 breaches to the Office of the Privacy Commissioner (OPC), affecting approximately 20 million Canadian accounts. Finance (31%) and telecommunications (12%) were the largest affected sectors.^{Footnote 8}
  • Four in 10 Canadians (43%) said that they have been affected by a privacy breach, according to OPC's latest survey of Canadians.^{Footnote 8}
  • The rapid emergence of double, triple and even now quadruple extortion tactics are adding more pressure on victims to meet ransom demands and increasing the likelihood of more data breaches.
• Cyber incidents are vastly underreported so the actual numbers are likely much higher.
  • In FY 2024–25, the Cyber Centre received 380 cyber incident reports from critical infrastructure organizations; the actual figure is likely much higher.^{Footnote 3}

Key Cyber Incidents Against Canada's Critical Infrastructure (2023-Present)

Bill C-8: Stakeholders Consulted on an Act Respecting Cyber Security

Includes those who provided briefs or testimony to Parliamentary Committees (SECU and SECD) and/or those who have been consulted separately

Industry

• Business Council of Canada
• Canadian Internet Registration Authority
• Canadian Chamber of Commerce
• IBM Canada
• Insurance Bureau of Canada
• Bruce Power
• BlackBerry
• Bauceron Security
• Electricity Canada
• Canadian Radio-Television and Telecommunications Commission
• Manulife
• Canadian Airports Council
• Information Technology Industry Council
• American Chamber of Commerce in Canada
• Global Container Terminals
• Eastlink
• Canadian Bankers Association
• Railway Association of Canada
• Canadian Telecommunications Association
• Engineers Canada
• National Centre for Critical Infrastructure Protection, Security and Resilience
• Bell
• Rogers
• TELUS
• Canadian Gas Association
• Kyndryl Canada
• Tenable Inc.

Cyber Security Experts and Civil Liberties Associations

• Centre for International Governance Innovation
• Canadian Constitution Foundation
• Privacy and Access Council of Canada
• Citizen Lab
• OpenMedia
• Bouchard Avocats
• Canadian Civil Liberties Association
• International Civil Liberties Monitoring Group
• Ligue des droits et libertés
• National Council of Canadian Muslims
• Canadian Union of Public Employees
• TechNation
• Ashar S., Ahmed, Cyber Security Practitioner
• ISC2, inc.
• I-Sigma
• GeoComply Solutions Inc.
• Canadian Cyber Threat Exchange
• Andrew Clement, Professor at the University of Toronto
• Matt Malone, Balsille Scholar

Governments

• Intelligence Commissioner of Canada
• Privacy Commissioner of Canada
• Provincial and Territorial Governments
• Municipal Governments
• Five Eye Principals (United Kingdom, Australia, New Zealand, United States of America)

Regulators

• Canadian Energy Regulator
• Canadian Nuclear Safety Commission
• Office of the Superintendent of Financial Institutions
• Bank of Canada
• Minister of Industry
• Minister of Transport

BC Ferries: High-Level Timeline

• September 16, 2024: BC Ferries issued a Request for Proposals to pre-qualified shipyards for the construction of up to five new major vessels, with contract awards anticipated in spring 2025, subject to approval by the BC Ferries Commissioner.
• December 13, 2024: BC Ferries submitted an application to the Commissioner seeking approval to procure five vessels by 2029, which would enable the addition of a twelfth vessel on Major Routes.
• February 21, 2025: BC Ferries filed a supplemental application reaffirming that the construction of five New Major Vessels represented the most cost-effective and responsible option for customers and coastal communities, citing rising global economic uncertainty.
• March 31, 2025: The Commissioner, who has the sole authority to determine vessel need, approved the procurement of four vessels
  • Source for September 2024-March 2025 milestones
• April 16, 2025: Correspondence between BC Ferries CEO and Transport Canada deputy minister regarding economic and national security considerations related to the anticipated vendor.
  • pg 133 of TC's TRAN MPP package 1
• June 10, 2025: BC Ferries announced that it had selected China Merchants Industry Weihai Shipyards, following a due diligence process, to build four new major vessels.
  • News release
• June 10-16, 2025: Public statement attributed to former Minister Freeland indicated that no federal funds were used in the ferry procurement; these statements were later contradicted.
• The statement could not be located and are believed to have been made via social media and subsequently deleted.
• June 16, 2025: Former Minister Freeland wrote to the British Columbia (BC) Minister of Transportation and Infrastructure expressing disappointment with BC Ferries' decision, referencing Chinese tariffs on Canadian goods and raising security concerns. The letter requested verification that no federal funding would be used to support the acquisition of the vessels.
• June 18, 2025: Former Minister Freeland wrote to the Minister of Public Safety noting that the Government of Canada had no authority over BC Ferries' decision-making, while reiterating concerns regarding security and cybersecurity risks and the absence of Canadian content requirements.
• June 2025: BC Ferries CEO to Transport Canada Deputy Minister expresses concern about the Minister's reaction despite confidential heads up prior to the public rollout of decision.
  • News article
• July 7, 2025: Pursuant to Standing Order 106(4), members of the TRAN committee requested a meeting to consider the BC Ferries procurement issue following the announcement of the selected shipbuilder.
  • Notice of meeting
• 2029-2031: The first of these new vessels are expected to enter service in 2029, with four operational by 2031.

Additional information

CMI Weihai has previously delivered modern ferries for Marine Atlantic Inc., a federal Crown Corporation in Canada, established in 1986, that fulfills a constitutional obligation to operate year-round, daily ferry services between North Sydney, Nova Scotia, and Port aux Basques, Newfoundland and Labrador

• BC Ferries deck