Thursday’s announcement that Canada would bar the Chinese telecom giants from the network came with a promise of speedy legislation to protect critical infrastructure from cyber attacks. That legislation must come with regulations and forward-looking actions that the bans do not address, researchers say.
“Just removing Huawei won’t fix everything,” said Christopher Parsons, a cybersecurity researcher at the University of Toronto’s Citizens Lab.
“It will certainly address certain kinds of concerns … but it will not address that broader spectrum of threats that are real or emerging.”
While 5G has been billed as more secure, networks are made up of far more connection points and devices than previous networks, including the now-standard 4G.
That has experts — including Tom Wheeler, the former chairman of the U.S. Federal Communications Commission and a champion of 5G — warning that the technology has more opportunities for nefarious actors to take advantage of.
The network is also run through software as opposed to centralized hardware, making it harder for security controls to be maintained at critical chokepoints.
Parsons says many of the security standards that do exist for 5G are currently optional, not mandatory, for private telecom companies to install — making the need for further regulation and incentives crucial.
“The government hasn’t to date at least come out and said that these elements of the standards must be adopted or must be integrated,” he said.
“At the same time, there’s a concern that we may not see a full activation of those properties because they may increase the challenge in running the network. … There’s typically an impetus to remove that complexity, which can also ease costs slightly, and one way to do that is to make those controls optional.”
Currently, much of Canada’s existing 5G network has been built as an extension of the existing 4G network, and Parsons estimates it may still be years before 5G is standalone across the country.
He says the government needs to use that time to work with cybersecurity researchers to identify emerging threats to 5G that may not be known yet.
Prime Minister Justin Trudeau said Friday that his government is working closely with big financial institutions as well as other companies across the country to protect vital networks from malicious attackers.
The Liberal government made it clear this week that the long-awaited decision to ban Huawei and ZTE is only a first step in an era of perpetual cyberattacks, ransomware operations and efforts by criminal hackers and state-sponsored players to pilfer information or sabotage key infrastructure.
Public Safety Minister Marco Mendicino said Thursday the government would table legislation to protect critical infrastructure in the finance, telecommunications, energy and transport sectors.
In addition, Mendicino’s mandate letter from the prime minister directs him to expand efforts to detect security risks in foreign research and investment partnerships, partly by increasing RCMP and security agency resources for this purpose.
Prime Minister Justin Trudeau on Friday reiterated his government’s commitment to “do more” to protect critical industries.
The latest federal budget earmarks $875 million over five years, and $238.2 million ongoing, for cybersecurity measures including programs at the Communications Security Establishment, Canada’s electronic spy service, as well as more robust protection for small federal departments, agencies and Crown corporations.
Fen Hampson, a professor of international affairs at Carleton University, told the Canadian Press that Canada “need(s) to do a lot more” to help protect the “hidden wiring” of the economy, much of which is in private hands.
“I think the short answer is no,” he said when asked if Canada is prepared for a major cyberattack. “I mean, yes, we’re getting better at it. But it’s not just being able to thwart and deter those attacks, but how resilient are we?”
The Communications Security Establishment (CSE) said in December that more than half of Canadian ransomware victims last year were in critical sectors like health care, energy and manufacturing.
Ransomware attacks increased 151 per cent during the first year of the COVID-19 pandemic, the cyber security agency said in a report, as remote work skyrocketed and critical operations went virtual.
The average cost of recovering from such attacks has increased even more dramatically — from $970,000 in 2020 to $2.3 million in 2021, the agency said.
Parsons is hopeful that the government’s coming legislation to address these concerns will include incentives to help companies boost their security protocols, warning the cost of leaving them out of their networks will be far greater.
He also wants to ensure that any bill is “clean” and is not used to usher in more opportunities for law enforcement to monitor online activity — an area that could also be exploited by nefarious actors.
Most of all, he does not want the legislation to only target China.
“We need to make clear to China and the world that Canada is taking a principled approach to security,” he said.
— with files from the Canadian Press