Work on the second plank of the Liberal government’s cybersecurity and privacy strategy started Monday afternoon.
That’s when the House of Commons Standing Committee on Public Safety and National Security opened hearings on Bill C-26, which amends legislation governing telecommunications companies and creates the Critical Cyber Systems Protection Act (CCSPA).
“This legislation is among the most important safety and regulatory regimes of a generation,” says David Shipley, head of New Brunswick’s Beauceron Security and co-chair of the Canadian Chamber of Commerce’s cyber council.
“We have to both get it right and get it done. We’ve mostly gotten it right, with a few surgical tweaks needed. We’ve been abysmal at getting it done.
“Canada is woefully behind the United States, Australia and Europe when it comes to the protection of our critical infrastructure,” he said. “We had the airport equivalent of a near miss between two planes last year where an amateur Russian hacking team almost made a Canadian pipeline explode. They had access and were given the green light by their GRU handler. It was good fortune that saved us, not good defences and good planning.
“We don’t want to see what happens when good fortune runs out.”
If C-26 passes, for the first time there will be legislated security obligations for “high-risk firms” in six of Canada’s critical infrastructure sectors — telecommunications providers, banks, financial clearing systems, interprovincial energy providers, nuclear energy stations, and transport companies.
Those firms deemed vital to national security would be designated under regulations to toughen their cybersecurity and confidentially share cyber threat information with the Communications Security Establishment (CSE), the government’s IT security and signals intelligence agency.
Designated firms would have to implement and report on a cybersecurity program to address risk across the organization, third-party services, and supply chains. The government would have the power to tell providers to do anything necessary to secure their systems.
The industries — and outside experts — have had almost two and a half years to think about what they like and don’t like about the proposed legislation. In a statement today, the Canadian Telecommunications Association, which represents major telcos including Bell, Rogers and Telus, said detailed comments about proposed changes to the Telecommunications Act will come when it testifies.
But briefly, the statement said, the association’s members have concerns about the “overly broad scope of order-making powers [by the government] and the absence of a requirement for government to consult with or consider the advice of industry and security experts. We are also concerned that the bill does not require the government to make its orders proportionate to the alleged security risk, that telecom providers can be held liable for violations even when they have taken all reasonable steps to comply with an order, and that the bill prohibits the government from providing compensation to parties for the costs associated with complying with a government order.
“Finally, while we recognize there may be situations where orders must be kept secret, the bill errs on the side of secrecy rather than transparency. Transparency is an important element for maintaining the public’s trust in the exercising of government authority.”
In a brief to the committee, Electricity Canada, which represents many utilities and power producers, complained C-26 doesn’t recognize established security standards and expertise within the sector. “In practice, the bill risks adding very little security to our sector, and redundantly adds an additional layer of regulatory requirements,” the submission says.
Other groups have already issued criticisms:
— Shortly after the legislation was introduced, a senior research associate at the Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs and Public Policy, suggested 30 changes to the proposed legislation to blunt powers C-26 would give the Minister of Industry;
— The Business Council of Canada worries the CCSPA will impose costly regulatory obligations on many critical infrastructure providers with no associated benefit. The law should impose different regulatory requirements on designated operators proportionate to their level of risk, it argued. The council also argues the CCSPA should follow Australia’s similar Security of Critical Infrastructure Act to limit the government’s power to order designated firms to comply “with any measure” for the “purpose of protecting a critical cyber system;”
— the Canadian Civil Liberties Association and other groups have called on Parliament to amend the legislation to limit government powers over the private sector.
Today’s hearing starts with closed-door testimony to MPs from senior officials in the Departments of Industry and Public Safety. After that, officials from those departments, as well as the CSE, will answer questions in an open committee session.
Meanwhile, committee hearings will resume shortly on the other leg of the government’s strategy, an overhaul of federal private sector privacy legislation to create the Consumer Privacy Protection Act (CPPA), plus the Artificial Intelligence and Data Act (AIDA).