Ottawa wants sweeping new powers to direct companies’ ‘critical’ cyber defence

WATCH: Feds introduce act requiring businesses to report ransomware attacks or face penalties – Jun 14, 2022

The Canadian government wants sweeping new powers, including access to confidential information, in order to “direct” how critical infrastructure operators prepare for and respond to cyberattacks.

And it wants to prohibit those companies from disclosing to the public anything about the directions issued by the federal government — including the mere existence of any orders to beef up protections.

Public Safety Minister Marco Mendicino and Innovation Minister Francois-Philippe Champagne held a press conference to announce the details of the new legislation, which also grants the government the promised power to bar companies from using technology from firms like Huawei and ZTE.

The announcement, however, comes at a time when the government is increasingly facing questions about its secretive approach to cyber operations, cyber protections, and what duty of transparency about the country’s threat level is owed to Canadians who could bear the frontline impact of any critical infrastructure attacks.

Critical infrastructure refers to the networks, systems, services and supply chains that are paramount to Canadian national security and the country’s security interests. That can apply broadly to things like 911 phone lines, electric grids, pipeline operations, hydroelectric dams, food supplies and emergency medicine stockpiles, and the IT networks protecting critical government operations and information.

It is a broad term that encompasses the ever-shifting nature of national security, particularly in light of the increased focus on cyberattacks and ransomware targeting critical infrastructure by actors like Russia and China, or proxies working in alignment with them.

Russia is frequently cited as one of the major attackers in the cyber sphere, most recently in the context of the invasion of Ukraine and Russian attacks on both Global Affairs Canada and Ukrainian government institutions.

And although the federal Liberals have been building out the capacities of Canadian cyber forces working with the military and the Communications Security Establishment, they remain secretive when it comes to basic questions about what actions are being taken in the name of their citizens.

Now, the government wants to hand additional responsibilities to the CSE, which is tasked with protecting government infrastructure and signals intelligence, through the new legislation.

Under the new provisions, the government wants the power to compel cyber security action from a new category of what it calls “designated operators” working in four federally-regulated sectors: finance, telecommunications, energy, and transportation.

If passed, the legislation would let the federal cabinet “direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”

It adds: “Every designated operator that is subject to a cyber security direction is prohibited from disclosing, or allowing to be disclosed, the fact that a cyber security direction was issued and the content of that direction.”

The legislation would also grant the government the power to order companies in the telecommunications sector not to use products deemed to be a high risk to national security — a power officials say they need in order to implement a promised ban on Huawei and ZTE technology.

It will also require companies to disclose cyberattacks to federal security authorities — but the public will not be able to know about any such attacks on service providers they might rely on, such as banks or internet service providers, that are covered by the proposed new changes.

Canada 'not ready' for new world of threats

News of the proposed changes comes after Mendicino had hinted last week that mandatory reporting by companies hit by ransomware and cyberattacks was on the table.

He had also vowed while announcing plans to implement the ban on Huawei and ZTE that additional legislation would come shortly aiming at the cyber protections in place for the four critical sectors.

Last month, a report from security experts at the University of Ottawa’s Graduate School of Public and International Affairs warned the government is not prepared for an increasingly dangerous environment marked by economic espionage, foreign interference in domestic politics and cyber attacks.

“It’s a dangerous world. Canada, not just its governments, but its people writ large, have not always taken national security seriously,” said Vincent Rigby, who advised Prime Minister Justin Trudeau on national security issues, in an interview with Global News last month.

“I’m not sure that the threat is really coming home to Canadians at the moment. … There are all these threats out there. We need a comprehensive strategy to deal with all that.”

Mendicino told the House of Commons public safety committee last week that Canada is on “high alert” for cyberattacks by Russia and others.

How would the proposed new powers work?

The proposed legislation contains two separate parts: one part dealing with the creation of the powers the government says it needs to order a ban on high-risk telecommunications equipment, and one part dealing with the proposed new powers to direct the activities of critical infrastructure operators.

It is not clear whether those parts could be split into two separate bills for a quicker passage, if parliamentarians raise concerns about the second part of the legislation.

Under Part Two, the government wants to create a Critical Cyber Systems Protection Act that lets the federal cabinet place federally regulated sectors on a list of “designated operators.”

Those designated operators would be required to establish a cyber security program within 90 days of the bill becoming law or of a new operator being added to the list. The operator must then provide that plan to an “appropriate regulator” who can then provide the CSE with “any information, including any confidential information” about that plan in order to get “advice, guidance or services” from the CSE.

With the House of Commons now set to rise for the summer on June 23, it appears unlikely the legislation unveiled on Tuesday would be able to make it through the chamber before that recess.

It’s also not yet clear whether the Senate would raise concerns when the bill comes to the Red Chamber for review, potentially in the fall.

That chamber has balked at provisions viewed as overreach in government legislation before, most recently amending a controversial bill on Monday, according to Postmedia, that sought to create a new legal threshold for the search of personal digital devices by border guards.

With a file from Global’s Alex Boutilier.
