Two senior Canadian cabinet ministers have told a parliamentary committee that the government is willing to make changes to its proposed cybersecurity legislation for federally regulated critical infrastructure providers to strengthen the bill.
Industry Minister François-Philippe Champagne and Public Safety Minister Dominic LeBlanc made that pledge Thursday before the House of Commons national security committee studying Bill C-26, which would affect the telecommunications, financial, transport and energy sectors.
It was part of a lobbying effort to get speedy passage for what Champagne called a “critically important piece of legislation.”
However, unlike with the proposed privacy and artificial intelligence laws being discussed by another committee, where Champagne produced a list of amendments he’s willing to make, he and LeBlanc only said they are willing to work with committee members to make unspecified improvements to the proposed cybersecurity act.
“We wish to work constructively to achieve the best result,” Champagne said, “but there is also an urgency for action. The actors who want to harm Canada are looking at the possible defects in the [IT] system, so it’s important to act quickly.”
In the past few weeks, some witnesses have complained that the bill gives the government or the industry minister the power to order designated critical infrastructure providers to do “anything.” Critics see that as over-reaching, and would at least like the proposed legislation to say the government only has the power to order things that are “reasonable” and “necessary.” While those words sound vague, they have been defined in regulatory rulings in some sectors.
Other critics want the bill to specify that the government has to consult with experts before making an order to the private sector; to specify that any secret judicial hearings held under the law must include a court-appointed “friend of the court” as an independent voice; to specify ways that any personal information the private sector has to give the Communications Security Establishment (CSE, the government’s cyber expert) will be protected and limited from being shared with other government departments; to give legal protection to firms for handing over personal information relating to cyber incidents; and to narrow the cyber incident reporting requirements firms will have to comply with.
However, few MPs asked whether the government is willing to make these particular changes, and if so how they would be worded.
Champagne did note that the proposed law says any orders the government issues have to be to “promote the security of the telecommunications system.”
He also promised after the law has been passed to work “closely” with industry on regulations to create a “clear, consistent harmonized regulatory regime across all jurisdictions.”
Some critics say changes should be in the law, not in regulations that the government can change without notice.
LeBlanc said the government “would look favourably” on proposals to the addition of an independent observer to test the need for a secret government order to a critical infrastructure provider, without committing to what wording would be acceptable.
One of Champagne’s main messages is that the legislation is about encouraging resiliency in critical infrastructure providers as much as it is about improving their cybersecurity.
The government should have the power to compel critical infrastructure providers to close holes in their networks, he added, rather than rely on their “goodwill.”
During the massive outage suffered by Rogers Communications in 2022, the government relied on voluntary agreements to get things done, Champagne said. That’s when Ottawa realized it needed special powers for some situations.
As for complaints that the government could levy fines of up to $15 million for not complying with an order, Champagne said having a fine too low risks a provider thinking, ‘Let’s ignore the minister.’ “You need kind of a stick to make people comply,” he said.
LeBlanc said by making firms report cyber incidents to CSE, the government will have better data on cyber attacks sector by sector.
Conservative MP Doug Shipley called the legislation “a poorly drafted bill.”
“Business groups, civil liberties groups, cyber security firms are all united in the fact that Bill C-26 gives the government too much power with almost zero oversight,” he said. “There is almost no requirement for regular [Parliamentary] reporting, no independent review [of the orders governments will give providers], and no requirement for the production of written reports. In fact, most of the powers in this bill would be exercised in secret.”
“We’ve obviously taken note of the concerns expressed,” LeBlanc replied. “We would expect, in the work of this committee, if there are amendments that in your view answer some of these concerns, of course we will be open to working with the committee to ensure collectively we get the best legislation we can. We recognize these are extraordinary powers in many ways that require appropriate oversight. There is an element of judicial oversight. But we also recognize the threat landscape is evolving as well.”
Bill C-26 has two parts:
— One would amend the Telecommunications Act to give the federal cabinet and the Minister of Industry the power to order designated telecom providers to do “anything” to secure their systems against a range of threats.
— The other part, creating the Critical Cyber Systems Protection Act, would apply to other federally regulated critical infrastructure providers. Initially, these would be limited to banking, financial clearing firms, interprovincial transport and energy companies, and nuclear power operators. Similar to the Telecommunications Act changes, it would create a cyber security compliance regime for designated firms. Included would be a requirement to report cyber incidents “immediately” to the CSE, the branch of the Defence Department responsible for government cybersecurity. How fast “immediately” means would be defined in regulations.
