The federal government’s new legislation proposing sweeping new powers to direct cybersecurity for private sector critical infrastructure operators has “good bones,” according to experts.
But they warn that provisions in the bill to gag any operator from disclosing orders from the government to fix their systems — potentially requiring tens of millions of dollars in technical changes — could pose a problem for transparency with investors and basic public accountability.
“I think that the bill is incredibly well-intentioned. I think it parallels the efforts of many of our allies who are also taking critical infrastructure security seriously,” said Christopher Parsons, senior research associate at the Munk School’s Citizen Lab at the University of Toronto.
“That having been said … there’s potentially a high degree of secrecy that may be attached to some of the orders that are passed down by the government.”
Under the new legislation, the government wants the power to compel cybersecurity action from a new category of what it calls “designated operators” working in four federally-regulated sectors: finance, telecommunications, energy and transportation.
If passed, the legislation would let the federal cabinet “direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”
It adds: “Every designated operator that is subject to a cyber security direction is prohibited from disclosing, or allowing to be disclosed, the fact that a cyber security direction was issued and the content of that direction.”
There is no time limit on the prohibition, nor any monetary threshold at which the cost of complying with a federal order (for example, ripping IT equipment out of a pipeline or banking system) would require the operator to give investors some form of explanation for the spending.
Parsons said that while there are cases where some secrecy may be warranted so as not to telegraph security gaps or vulnerabilities to hostile actors until the problems can be fixed, that needs to be balanced against the reality that such fixes could be expensive.
Because of that, he said there’s a responsibility to make sure that the government’s directives are not impeding corporate transparency — or potentially putting small or regional critical infrastructure operators in remote communities serving Indigenous people out of business.
“They should really be able to say, ‘Hey, we took a $10-million unexpected hit, it’s because we are complying with government security requirements,’ and at least by one reading of the legislation, that might be not permissible under the current framework,” he said.
“It might be the case that the minister is issuing orders to companies to improve their cybersecurity hygiene and indeed companies may be doing it,” Parsons continued. “But the effect might ultimately be that we lose 30 per cent of ISPs in Canada because some of them can’t afford to do this.”
ISP is the acronym for internet service provider.
The announcement of the bill by Public Safety Minister Marco Mendicino and Innovation Minister Francois-Philippe Champagne comes at a time when critical infrastructure protection and cybersecurity are taking on renewed roles at the centre of conversations about Canadian national security.
At the same time, the government is increasingly facing questions about its secretive approach to cyber operations, cyber protections, and what duty of transparency about the country’s threat level is owed to Canadians who could bear the front line impact of any critical infrastructure attacks.
Stephanie Carvin is a national security expert and associate professor at Carleton University specializing in critical infrastructure protection, technology and warfare. She told Global News she also has concerns about the secrecy provisions in the legislation, but said she believes those can be fixed.
Measures such as transparency reports about how often ministerial directives are issued to the designated operators, or how many are issued by sector, could be a good place to start, Carvin said.
But she also emphasized there are “giant gaping holes” in the effectiveness of the proposals when it comes to protecting critical infrastructure because one of the major targets of recent attacks is not under federal jurisdiction.
“The area that’s been hardest hit to me is hospitals,” Carvin said, adding that it is not enough for the federal government to hope that by implementing the legislation, provinces will follow suit.
“We need a strategy more than hope.”
One place to start, she said, would be increasing intelligence sharing with the provinces and municipalities on threats to critical infrastructure that fall within their jurisdiction.
There are countless examples of such attacks in recent years: Toronto’s Humber River Hospital, the Toronto Transit Commission, beef producer JBS Canada, the City of Saint John in New Brunswick, eHealth in Saskatchewan, and multiple municipalities and towns across the country.
David Masson, director of enterprise security at the British cybersecurity firm Darktrace, said he views the legislation as just the beginning of what will likely be additional efforts to ramp up critical infrastructure protections in Canada amid the growing threat.
“It’s a start, it’s a foundation. There’s probably going to be more in due course.”
Masson said roughly 85 per cent of critical infrastructure in Canada is in the hands of the private sector, where there are varying levels of cybersecurity protections in place. Information technology, he said, tends to have stronger or more developed protections, while operational technology has less.
Information technology typically manages a company’s core functions and data with things like email, financial information and human resources, according to an explanation posted online by the technology company Cisco.
Operational technology, in contrast, is the tech controlling physical equipment and industrial processes — things like the operation of pipelines, ATM kiosks and other technologies connected to the internet.
Too often, Masson said, cyberattacks on the less secure systems controlling operational technology lead to blunt responses like shutting off the whole system.
“That kind of reaction to a cyberattack, it’s just not sustainable,” he said.
Mendicino said earlier this month the country is currently on “high alert” for cyberattacks from Russia.