The Canadian government’s proposed law forcing critical infrastructure providers to toughen their cybersecurity is “needed now more than ever,” an expert told a parliamentary committee on Monday.
“We are far behind our allies” in protecting critical infrastructure firms, David Shipley, CEO of New Brunswick’s Beauceron Security and co-chair of the Canadian Chamber of Commerce’s cyber committee, told the House of Commons national security committee.
“And,” he added, “we are risking the safety and prosperity of Canadians every day we delay.”
However, again delaying and reducing the amount of time witnesses could testify on Bill C-26, which would create the Critical Cyber Systems Protection Act (CCSPA), is exactly what MPs on the committee did.
For the second meeting in a row, MPs bickered about allowing a Conservative motion to have sessions examining current and former cabinet ministers, to justify invoking the Emergency Act a year ago to break up protests in Ottawa. It was the third meeting on C-26 at which a proposed Conservative motion on a different topic interrupted witness testimony. In contrast, an industry committee meeting Monday dealt with a Conservative motion at the end of the session, so witness time wasn’t cut.
At least 30 minutes of the two hours set aside Monday to hear witnesses testify on the proposed cybersecurity law was chewed up as Conservative Glen Motz — in the middle of the experts’ testimony — tried to continue debate on his motion from last week calling for witnesses and government legal documents justifying use of the Emergency Act. Later, he interrupted testimony by introducing a second, slightly different, motion to do the same thing.
Motz thought he had a “gentleman’s agreement” to introduce that motion last week. But under protests for the length of time he was taking — and the fact that witnesses had flown to Ottawa to testify at the taxpayer’s expense — he agreed to adjourn his motion for Monday’s committee meeting.
Eventually things got testy, with Liberal Jennifer O’Connell verbally fencing with meeting chair Conservative Doug Shipley [no relation to David Shipley]. Shipley told her to stop interrupting him, then abruptly adjourned the meeting.
Bill C-26 has two parts: One would amend the Telecommunications Act to give the federal cabinet and the Minister of Industry the power to order designated telecom providers to do “anything” to secure their systems against a range of threats. The other part, creating the CCSPA, would apply to other critical infrastructure providers. Initially, these would be limited to banking, financial clearing firms, interprovincial transport and energy companies, and nuclear power operators. Similar to the Telecommunications Act changes, it would create a cyber security compliance regime for designated federally regulated firms. Included would be a requirement to report cyber incidents “immediately” to the Canadian Security Establishment (CSE), the branch of the Defence Department responsible for government cybersecurity.
In his opening remarks, David Shipley of Beauceron Security — a regular guest on IT World Canada’s Cyber Security Today Week in Review podcast — said C-26 needs some “fine-tuning,” including the following:
— companies should be allowed to raise the defence of “due diligence” (essentially, ‘We did our best’) if faced with administrative fines under C-26 for not keeping their IT networks secure;
— MPs should remove C-26’s provision allowing employees, directors, and officers to be held personally liable for committing or directing violations of the act. That puts “a target on their heads” and will discourage people from choosing a career in IT, Shipley said;
— the government should ensure in C-26 that regulators who will have to enforce the CCSPA have the cybersecurity skills to do it;
— and MPs should change the bill to limit the amount of sensitive data regulators can collect about the cybersecurity defences of critical infrastructure firms. That information would be a “one-stop shop” for cyber crooks looking for ways to cripple those firms, Shipley said.
In their presentations Monday, the Canadian Chamber of Commerce and IBM said C-26 should be changed to allow designated firms up to 72 hours to report cyber events to regulators. They also called on MPs to clarify in the proposed law details such as what has to be reported, and not leave it up to the government to declare those details in regulations after the law passes.
Todd Warnell, chief information security officer at Bruce Power, an Ontario nuclear power generator, said C-26 “is of vital importance.”