Thursday, June 30, 2022

Mixed reaction to Canada’s proposed cybersecurity law

The federal government’s proposed cybersecurity and mandatory reporting legislation is getting mixed initial reactions from experts in the field.

“There’s nothing particularly innovative here,” said Christian Leuprecht, a Queen’s University professor and senior fellow in security and defence at the Macdonald Laurier Institute. “What we’re doing with this legislation our major partners have already done and are significantly further ahead in many cases than we are.”

He specifically referred to U.S. federal legislation approved in March mandating companies in critical infrastructure sectors report hacks to the Department of Homeland Security within 72 hours of discovering an incident, and within 24 hours if they make a ransomware payment. However, the law doesn’t come into effect until the Cybersecurity and Infrastructure Security Agency finalizes regulations.

The Liberal government is “trying to sell this as a really advanced bill in terms of protecting Canada and Canadians,” Leuprecht said, “but how long have we been calling for mandatory reporting? Everyone knew that mandatory reporting is the only way forward. And when do we do it? After the Americans pass their requirement.”

Under the proposed Critical Cyber Systems Protection Act (CCSPA), companies yet to be named in four federally-regulated Canadian critical infrastructure sectors — including banks, telcos, interprovincial energy providers and transport companies — would have to toughen their cybersecurity and confidentially share cyber threat information with the Canadian Security Establishment (CSE).

Critical details such as what information would have to be reported, how fast it would have to be reported after a breach of security controls and how it would be reported have yet to be set. They will be part of regulations proclaimed by the government after talks with industry.

Leuprecht also isn’t happy that the reporting will be confidential.

“Mandatory reporting is really critical because … you never know how big the actual problem is: Who got hit, how heavily did they get hit. But it appears the mandatory reporting is essentially to be secretive reporting. There’s not going to be a requirement for companies to report publicly … The only people who will know is the [CSE’s] Canadian Centre for Cyber Security. If the public doesn’t know, it’s not going to have an impact on share prices, for instance. It’s really the most minimalist solution they [the government] could come up with.”

The only way companies will be pushed to invest in cyber hygiene, he argued, is if they feel pressured by the public.

The government says reporting has to be confidential to protect corporate secrets.

On the other hand, former Toronto Hydro CIO Robert Wong, chair of the Ontario Cybersecurity Expert Panel for the Broader Public Sector, said the proposed legislation “is going in the right direction.”

“The real proof,” he acknowledged, “will be in the details that come out of the consultations.”

Mandatory reporting to the CSE will help improve incident response times, he noted, through the anonymized reports the Cyber Centre can then share.

As for concerns that confidential reports will blunt the public impact of a data breach, he argued that “it’s pretty hard to hide a successful breach” when a company has to take services down.

The legislation will force designated companies to keep records of how they implement their cyber security program, of every cyber incident they have to report, any steps taken to mitigate any supply-chain or third-party risks, and any measures taken to implement a government-ordered action. Regulators will also have the power to order firms to take certain steps if they feel an organization isn’t doing enough.

The legislation is needed, Wong said. “We’re not doing enough” on cybersecurity, he said. “This will force organizations to do more.”

“The federal government has been trying to encourage businesses to strengthen their cybersecurity posture and adopt best practices,” he said, “but I do believe in terms of corporate governance, organizations need to do more. This will not only encourage, it will force organizations to do more. From what I’ve seen, many organizations are so far behind that they haven’t taken this seriously enough. They only take it seriously after something bad happens.”

Ed Dubrovsky, managing partner of Cypfer, a Toronto incident response firm, noted many Canadian companies already have to report breaches of security controls to the federal privacy commissioner. “Certainly the new act will take a broader view, but how will it really change anything is not that clear,” he said in an email.

“In the majority of incidents I have handled in the past, organizations such as hospitals, critical infrastructure and other government entities without a single fail have always notified the government of the incident,” he added. “Hence, I honestly do not believe that the act will improve reporting and notification.

“However, I am hopeful that with the new act the government itself will improve on its own capabilities to receive the reports in a timely fashion and act in an effective and expedited manner to inform the public (not just critical infrastructure or government-backed Crown corporations) including the private sector of relevant threats. If this happens, the collaboration between public and private sectors where it comes to cybersecurity will yield powerful benefits.”

Any private or public organization is often reluctant to publicly talk about or report its victimization by a cyber-attack, said David Masson, Ottawa-based director of enterprise security at Darktrace. There are many reasons behind this reluctance, some legal, some revolving around a desire to protect reputation. Disclosure of an ongoing attack may make things worse, and sometimes that’s because the organization doesn’t have the technology to reveal what’s happening. But keeping these cyber incidents in the dark poses problems when trying to defend nationwide infrastructure from attack, he said.

“The federal government has a good idea about the scale of the cyber-threat to itself and uses this to take steps to defend and better mitigate the risk from attack. But outside of government, understanding of the cyber-threat facing the entire country is patchy. There are local polls, business sector surveys, and a small sampling of affected businesses and individuals, but these attempts at assessment are fragmented and siloed and can’t give Canada the ‘big picture.’ Enacting legislation that will compel cyber-attack reporting to a central point will finally allow Canada to build the big picture, which will allow much better allocation of resources, budget, and people to deal with the cyber-threat we face nationally.”

“Unfortunately,” he added, “we must also recognize the reporting ‘burden’ now placed on overworked and overstressed cyber security teams. These increased requirements call for better technology that can support the scarce human resources and allow cyber analysts to report fully, accurately and promptly without disrupting their cybersecurity process.”

(This story has been updated from the original to clarify that Robert Wong was CIO at Toronto Hydro.)



Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
