Ottawa’s cybersecurity bill flawed and should be amended, new report warns


A new research report says federal cybersecurity legislation is so flawed it would allow authoritarian governments around the world to justify their own repressive laws.

The report by Christopher Parsons of the University of Toronto’s Citizen Lab makes 29 recommendations to bolster transparency and accountability of the proposed measures introduced in June by the Liberal government.

The government wants to establish a framework to better shield systems vital to national security and give authorities new tools to respond to emerging dangers in cyberspace.

Under Bill C-26, key enterprises in the banking and telecommunications industries would be required to improve cybersecurity and report digital attacks, or possibly face penalties.

The bill proposes giving authorities the ability to enforce measures through audit powers and fines, and would allow for criminal penalties in cases of non-compliance.


The report says the powers being sought by Ottawa are insufficiently bounded, come with overly broad secrecy clauses, and would potentially limit the ability of private companies to dispute demands, orders or regulations issued by the government.


The report describes a scenario where the federal broadcast regulator could draft one set of public law through its decisions while “a kind of secret law” that unfolds through orders and regulations would actually guide telecommunications providers’ cybersecurity behaviour.


It says the proposed authorities in Bill C-26 need to be pared back in some places, essential clauses and terminology defined, and accountability and transparency requirements “sprinkled liberally” in an amended version of the legislation.


“If the government declines to meaningfully amend its legislation and make itself both more accountable and transparent to telecommunications providers and the public alike, it will have passed a bad law,” the report says.

“Authoritarian governments would be able to point to a non-amended Bill C-26 in the course of justifying their own unaccountable, secretive and repressive ‘security’ legislation.”

Parsons, a senior research associate at the Citizen Lab, which focuses on communication technologies, human rights, and global security, was among several individuals and groups who wrote a joint open letter to Public Safety Minister Marco Mendicino last month expressing concern about the bill.


He argues the government owes it to citizens and businesses alike to justify why it is seeking the new powers and to explain the underlying rationales driving the introduction of the cybersecurity legislation.


Among his report’s recommendations:

_ Orders-in-council and ministerial orders made to secure the telecommunications system must be necessary, proportionate and reasonable;

_ orders must be published in the Canada Gazette within 180 days of issue, or within 90 days of an order being implemented;

_ the minister should be compelled to table an annual report about orders issued;

_ the government should explain how it will use information from telecommunications providers and indicate the agencies to whom the information may be disclosed;

_ relief should be available if the government mishandles confidential or personal information; and

_ there should be defined periods for how long government can keep telecommunications providers’ data.

The costs associated with compliance with government orders might materially affect telecommunications providers, up to and including the risk that some companies may be unable to continue providing service to all of their customers, the report warns.

To enhance independent oversight, the government should make clear what roles the federal privacy commissioner, the National Security and Intelligence Committee of Parliamentarians and the National Security and Intelligence Review Agency would have at different stages of the order- or regulation-making process, the report adds.


“Security can be, and must be, aligned with Canada’s democratic principles,” Parsons writes. “It is now up to the government to amend its legislation in accordance with them.”
