The federal government’s proposed cybersecurity and mandatory reporting legislation is initially getting mixed reactions from experts in the field.
“There’s nothing particularly innovative here,” said Christian Leuprect, a Queen’s University professor and senior fellow in security and defence at the Macdonald Laurier Institute. “What we’re doing with this legislation our major partners have already done and are significantly further ahead in many cases than we are.”
He specifically referred to U.S. federal legislation approved in March mandating companies in critical infrastructure sectors report hacks to the Department of Homeland Security within 72 hours of discovering an incident, and within 24 hours if they make a ransomware payment. However, the law doesn’t come into effect until the Cybersecurity and Infrastructure Security Agency finalizes regulations.
The Liberal government is “trying to sell this as a really advanced bill in terms of protecting Canada and Canadians,” Leuprect said, “but how long have we been calling for mandatory reporting? Everyone knew that mandatory reporting is the only way forward. And when do we do it? After the Americans pass their requirement.”
Under the proposed Critical Cyber Systems Protection Act (CCSPA), companies yet to be named in four federally-regulated Canadian critical infrastructure providers — including banks, telcos, interprovincial energy providers and transport companies — would have to toughen their cybersecurity and confidentially share cyber threat information with the Canadian Security Establishment (CSE).
Critical details such as what information would have to be reported, how fast it would have to be reported after a breach of security controls and how it would be reported have yet to be set. They will be part of regulations proclaimed by the government after talks with industry.
Leuprect also isn’t happy that the reporting will be confidential.
“Mandatory reporting is really critical because … you never know how big the actual problem is: Who got hit, how heavily did they get hit. But it appears the mandatory reporting is essentially to be secretive reporting. There’s not going to be a requirement for companies to report publicly … The only people who will know is the [CSE’s] Canadian Centre for Cyber Security. If the public doesn’t know, it’s not going to have an impact on share prices, for instance. It’s really the most minimalist solution they [the government] could come up with.”
The only way companies will be pushed to invest in cyber hygiene, he argued, is if they feel pressured by the public.
The government says reporting has to be confidential to protect corporate secrets.
On the other hand former Toronto Hydro CIO Robert Wong, chair of the Ontario Cybersecurity Expert Panel for the Broader Public Sector, said the proposed legislation “is going in the right direction.”
“The real proof,” he acknowledged, “will be in the details that come out of the consultations.”
Mandatory reporting to the CSE will help incident response times, he noted, through anonymized reports from the Cyber Centre.
As for concerns that confidential reports will blunt the public impact of a data breach, he argued that “it’s pretty hard to hide a successful breach” when a company has to take services down.
The legislation will force designated companies to keep records of how they implement their cyber security program, of every cyber incident they have to report, any steps taken to mitigate any supply-chain or third-party risks, and any measures taken to implement a government-ordered action. Regulators will also have the power to order firms to take certain steps if they feel an organization isn’t doing enough.
The legislation is needed, Wong said. “We’re not doing enough” on cybersecurity, he said. “This will force organizations to do more.”
“The federal government has been trying to encourage businesses to strengthen their cybersecurity posture and adopt best practices,” he said, “but I do believe in terms of corporate governance, organizations need to do more. This will not only encourage, it will force organizations to do more. From what I’ve seen, many organizations are so far behind that they haven’t taken this seriously enough. They only take it seriously after something bad happens.”
Ed Dubrovsky, managing partner of Cypfer, a Toronto incident response firm, noted many Canadian companies already have to report breaches of security controls to the federal privacy commissioner. “Certainly the new act will take a broader view, but how will it really change anything is not that clear,” he said in an email.
“In the majority of incidents I have handled in the past, organizations such as hospitals, critical infrastructure and other government entities without a single fail have always notified the government of the incident,” he added. “Hence, I honestly do not believe that the act will improve reporting and notification.
“However, I am hopeful that with the new act the government itself will improve on its own capabilities to receive the reports in a timely fashion and act in an effective and expedited manner to inform the public (not just critical infrastructure or government-backed Crown corporations) including the private sector of relevant threats. If this happens, the collaboration between public and private sectors where it comes to cybersecurity will yield powerful benefits.”