Opposing viewpoints on the Liberal government’s proposed cybersecurity law for critical infrastructure providers highlighted a Parliamentary committee hearing on Thursday.
A BlackBerry official urged MPs on the House of Commons national security committee to pass Bill-26, because other countries have laws putting legal cybersecurity responsibilities on the private sector.
“Canada is out of step with its closest allies, and this legislation will help close the gap,” said John de Boer, the company’s senior director of government affairs and public policy for Canada.
Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange, a threat information co-operative, said that with “a few small modifications” the bill will help strengthen cybersecurity among critical infrastructure providers.
And Chris Loewen, executive vice-president for regulatory affairs at the Canadian Energy Regulator (CER), which regulates interprovincial pipeline and electricity operators, said the bill’s mechanisms for regulators would be similar to the way CER currently works.
But Francis Bradley, CEO of Electricity Canada, an association of power providers, warned that the proposed legislation could put Canadian energy producers offside with the cybersecurity requirements of the North American Electric Reliability Corp. (NERC), which oversees U.S. and Canadian companies.
Leila Wright, executive director for telecommunications at the Canadian Radio-Television and Telecommunications Commission (CRTC), said that C-26 would give her agency a new mandate to promote cybersecurity among telecom providers and ensure carriers comply with government cybernetics-related orders. But she wouldn’t comment on omissions or ways the bill could be improved, because it’s a proposed law. The commission’s job, she explained, is to implement legislation that has been passed.
To emphasize the importance of action, de Boer noted that in the last four months of 2023, BlackBerry stopped 5.2 million cyber attacks on behalf of customers; 62 per cent of them targeted critical infrastructure (CI) providers like banks and government departments.
A Five Eyes report this week on the China-backed Volt Typhoon threat group said it had compromised several critical infrastructure providers in the U.S., he noted, including some in the communications, energy, transportation and water sectors. A U.S. official, he added, fears the report is just “the tip of the iceberg.”
Aside from data privacy protection requirements in the Personal Information Protection and Electronic Data Act (PIPEDA), Canada has no legislation to make critical infrastructure providers report, prepare for, or prevent cyber attacks, he said.
By contrast, in 2022 the U.S. passed the Cyber Incident Reporting for Critical Infrastructure Act, requiring CI providers to report cybersecurity incidents to the government within 72 hours. Also in 2022, the European Union passed legislation forcing providers to implement baseline cyber security and to notify national cybersecurity authorities of serious incidents within 72 hours.
“Canada is falling behind our G7 peers in cybersecurity,” de Boer said.
Bill C-26 has two parts: One would amend the Telecommunications Act to give the federal cabinet and the Minister of Industry the power to order designated telecom providers to do “anything” to secure their systems against a range of threats. The CRTC would have a role in ensuring telecom providers comply with the act.
The other part of C-26, creating the CCSPA, would apply to other critical infrastructure providers. Initially, these would be limited to banking, financial clearing firms, interprovincial transport and energy companies, and nuclear power operators. Similar to the Telecommunications Act changes, it would create a cyber security compliance regime for designated firms. Included would be a requirement to report cyber incidents “immediately” to the Canadian Security Establishment (CSE), the branch of the Defence Department responsible for government cybersecurity.
The CCSPA will help governments and the private sector quickly share cyber attack information, de Boer said, warn and protect other potential victims, and rapidly deploy assistance to contain damage from attacks.
The proposed CCSPA isn’t perfect, he said. He recommended three changes:
— the obligation for CI providers to report cyber events immediately should be changed to within 72 hours;
— there should be guarantees that companies can’t be sued or prosecuted for cyber-related information reported to the government;
— and the bill should make it clear firms won’t be punished if they put good faith efforts into cybersecurity, but their firm suffered a breach of security controls or is believed to be offside the law.
Quaid said CCSPA’s preamble should encourage all Canadian public and private organizations to share their cyber threat information; should allow CI providers to share threat information through cyber exchanges as well as with government; and should allow CI providers to join any cyber security threat information sharing association.
Bradley complained the bill doesn’t recognize established security standards and expertise within the Canadian power sector. Among other problems, he said, the bill leaves the definition of a cybersecurity incident that has to be reported to yet-to-be-announced regulations. Our definition must be the same as NERC’s, he said.
Click here to see Electricity Canada’s written submission
NERC’s cybersecurity requirements — which Electricity Canada members have to follow — are higher than the CCSPA, he added, which is why he believes the bill won’t improve cybersecurity among his members on this side of the border.
But Bradley did say that while the cybersecurity of the energy providers here is higher than in other sectors, the CCSPA would help fill the gap.
He doesn’t want to see the passage of the bill delayed, but thinks it should be amended in some areas.
Hearings resume Monday, with testimony from federal Privacy Commissioner Philippe Dufresne, the Office of the Superintendent of Financial Institutions, the Canadian Bankers Association and the Canadian Telecommunications Association.
