Certain companies in four federally-regulated Canadian critical infrastructure sectors — including banks, telcos, interprovincial energy providers and transport companies — would have to toughen their cybersecurity and confidentially share cyber threat information with Ottawa under proposed legislation introduced today by the federal government.
Specific companies would be designated after the legislation passes, although in a briefing with reporters government officials said the focus will be on large “high risk” firms that are vital to national security.
The officials also said that after the proposed legislation is passed, government departments will meet with companies to iron out details such as what information would have to be reported to the Communications Security Establishment (CSE, the government’s IT security and signals intelligence agency), how fast it would have to be reported after a breach of security controls, and how it would be reported.
Designated companies would also have to keep records of how they implement their cyber security program, every cyber incident they have to report, any steps taken to mitigate any supply-chain or third-party risks and any measures taken to implement a government-ordered action.
The proposed legislation has a lot to go through before being implemented. It will have to pass the scrutiny of committees in the House of Commons and the Senate. After passage, the cabinet would have to proclaim some regulations, and there would be industry consultations as well. No deadline for full implementation has been announced.
Called the Act Respecting Cyber Security (C-26), the proposed legislation includes:
— amendments to the Telecommunications Act, which oversees telecom and internet providers. If passed it would allow the government to create regulations directing providers to do anything necessary to secure their systems.
These amendments would give the government the power to tell telcos to stop buying 5G wireless gear from Chinese-based network equipment makers Huawei and ZTE as announced last month. That announcement proposed deadlines for the removal of existing equipment.
— the Critical Cyber Systems Protection Act (CCSPA), which provides a framework for the protection of critical cyber systems vital to national security or public safety under federal jurisdiction.
If passed it would require designated operators to, among other things, establish and implement cyber security programs if they haven’t already done so, mitigate supply-chain and third-party risks, report cyber security incidents, comply with cyber security directions, and exchange information with government agencies.
This act would establish a baseline level of cyber security through a cross-sectoral management-based regulatory scheme applicable to designated operators.
Initially only four federally-regulated sectors — telecom, financial, interprovincial pipeline and powerline providers and transportation — would be covered. Other sectors Ottawa has varying degrees of responsibility for — for example, agriculture and manufacturing — could be included later.
The CCSPA “will help organizations better prepare, prevent and respond to cyber incidents across four federally regulated sectors,” Public Safety Minister Marco Mendicino told reporters outside the House of Commons.
“It will require operators of systems to bolster their protections against a wide array of incidents including cyber attacks, electronic espionage and ransomware. Cyber incidents above a certain threshold will be required to be reported, and the government will be able to compel companies to respond to cyber threats to protect their customers and employees.”
Innovation, Science and Economic Development minister François-Philippe Champagne noted the changes to the Telecommunications Act will allow the government to order telcos to “take any action necessary” to secure their systems from the threat of disruption.
In a background paper provided to reporters, the government notes Ottawa doesn’t currently have a clear and explicit legal mechanism to compel action to address cyber security threats or vulnerabilities in the telecommunications sector. The proposed legislation would close that hole.
The act would increase and formalize existing cyber threat information sharing, which, a government official told reporters, is vital. For example, the official said the government knows of 304 ransomware attacks last year, but added that “this is vastly under-reported.” Of those, half involved critical infrastructure organizations.
While the proposed legislation only affects federally-regulated firms, the government hopes the provinces and territories will pass similar legislation to boost the cybersecurity of entities under their control, particularly hospitals, police departments, and local governments.
Under the CCSPA the federal government would have the power to issue Cyber Security Directions to designated operators.
Designated operators would be obligated to:
● establish a cyber security program;
● mitigate any supply chain / third party service or product risks;
● report cyber security incidents to the Canadian Centre for Cyber Security;
● implement any Cyber Security Directions.
Asked by a reporter why firms would be obliged to confidentially report some breaches of security controls without letting the public know, Mendicino said the law mandates government employees to protect corporate trade secrets and “information that is sensitive to industry.”
One part of the proposed legislation would give the government the power to forbid a designated telecom provider from disclosing any order to mitigate a vulnerability or buy a product. A government official told reporters that would be used under “exceptional circumstances” where, for example, the government wouldn’t want a cyber threat to an organization to be publicly known.
Regulators that would have authority to implement the telecom cybersecurity provisions would be the Canadian Radio-television and Telecommunications Commission (CRTC) and the department of Innovation, Science and Economic Development Canada (ISED).
Regulators that would have authority to implement the cybersecurity provisions of the CCSPA include ISED, the Office of the Superintendent of Financial Institutions, the Bank of Canada, Transport Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission.
“This is a positive step by the government,” said Toronto-based Imran Ahmad, co-head of the information governance, privacy and cybersecurity practice at the Norton Rose Fulbright law firm. “The requirements are in line with what we’re seeing south of the border in terms of supply chain risks and reporting obligations.
“This follows what our U.S. colleagues are doing with the Cybersecurity and Infrastructure Security Agency requirement to notify in the event of ransomware attacks and report any ransom payments. It shows a great focus on cybersecurity (as opposed to just privacy compliance) issues facing businesses operating in critical industries (nuclear, telecom, banking, etc.).”
The proposed reporting obligations and supply chain risk management will definitely require companies in key industries to adopt “demonstrable compliance,” he added, meaning demonstrate operational and governance compliance. “This will require businesses to revise their cybersecurity framework.”