Parliamentary hearings opened Monday into proposed new laws that would give Ottawa authority over the cybersecurity readiness of critical infrastructure providers, with the government quickly signaling that it’s sensitive to complaints about the amount of information companies may have to give bureaucrats.
The committee had set aside an hour for MPs to discuss Bill C-26, which would amend the Telecommunications Act overseeing telecom companies and create the Critical Cyber Systems Protection Act (CCSPA). Both would obligate designated critical infrastructure providers to have cybersecurity plans and report breaches of security controls to the Communications Security Establishment (CSE), a division of the Defence Department responsible for securing government networks and, through the Canadian Centre for Cyber Security, advising the private sector and government departments on cybersecurity.
Initially, only a few critical infrastructure sectors (banking, telecom, interprovincial pipelines and energy providers) will be covered.
In his opening remarks to MPs, Sami Khoury, head of the Cyber Centre, told Parliament’s public safety committee that “we are aware of privacy concerns raised by some stakeholder groups about the reporting requirements of cyber incidents to CSE.
“CSE and the Cyber Centre have an important responsibility to protect Canadians’ privacy and personal information, and we take it very seriously.”
However, right after Khoury finished his introduction, the Conservatives introduced a motion demanding the committee call government and private sector witnesses to investigate the recent rise of car thefts in the country. Two Conservative speakers on that motion took up 34 minutes before a Liberal motion to adjourn debate on the request was passed by a 6-5 vote.
Committee members then only had about 10 more minutes to ask questions of government department witnesses on C-26 before the committee adjourned for the day.
During that time, Kelly-Anne Gibson, director of CSE’s cyber protection policy division, told MPs that the CSE knows the privacy of the personal and cyber threat information that firms would have to provide to the government after cyber breaches or risks is a “key consideration” for the private sector.
“Protection of confidential information underpins this legislation,” she said, “because if companies and operators don’t feel that we are going to protect information then they are not going to share it. So what you see in the legislation are specific provisions to define confidential information, protect it, and there are consequences if we or others don’t protect that confidential information.”
Federal experts have been meeting behind closed doors for years with critical infrastructure providers — who cover every sector in Canada except retail and hospitality — to improve their ability to withstand cyber attacks. However, no legislation compels them to specific action.
International legislation
As cyber attacks against hospitals, banks, utilities and other critical infrastructure providers around the world increase, some governments are starting to regulate cybersecurity in the private sector.
In 2021 — after the Colonial Pipeline ransomware attack — U.S. President Joe Biden signed a National Security Memorandum (NSM) on improving cybersecurity for critical infrastructure control systems, ordering the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and the Department of Commerce’s National Institute of Standards and Technology (NIST) to develop cybersecurity performance goals for critical infrastructure firms.
Then, in 2022, he signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), making designated firms report cyber incidents and ransomware payments to CISA. Final disclosure rules have to be set by September 2025.
In 2018, Australia passed the Security of Critical Infrastructure Act. It creates a Register of Critical Infrastructure Assets, where critical infrastructure firms have to provide the government with their operational and ownership information. Firms also have to report cyber incidents that impact the delivery of essential services to the Australian Cyber Security Centre, and adopt a written risk management program.
Canada’s Bill C-26
Under Bill C-26’s proposed changes to the Telecommunications Act, carriers like Bell, Rogers, and Telus could be ordered by an Order-in-Council — that is, by the federal cabinet — to do anything necessary to secure their systems. That includes, for example, tearing out a compromised server or router known to be susceptible to a zero-day vulnerability.
The CCSPA would require designated operators — like banks and interprovincial utilities — to establish and implement cyber security programs if they haven’t already done so, mitigate supply-chain and third-party risks, report cyber security incidents to the CSE, exchange information with government agencies, and comply with cyber security directives.
Government officials said details of what companies will have to do will be fleshed out in regulations created — with private sector consultations — after the legislation passes. That would include what kinds of cybersecurity programs critical infrastructure must have, how much firms would have to tell the government about their cybersecurity programs, and how they are taking “reasonable steps” to mitigate risks of cyber attacks through third parties like partners and suppliers.
Khoury highlighted the bill’s importance during his opening remarks, noting that Bill C-26 “is a critical next step that provides the government with new tools and authorities to better bolster defences, improve security across federally regulated industry sectors, and protect Canadians and Canada’s critical infrastructure from cyber threats. This legislation would also establish a regulatory framework to strengthen cybersecurity for services and systems that are vital to national security and public safety, and give the government new authority to issue cybersecurity directives to respond to emerging cyber threats.
“At the Cyber Centre, it will facilitate the sharing of information [from designated firms] as necessary to protect critical infrastructure and investigate reported incidents, and provide mitigation advice [to the private sector]. It will also allow regulators to request advice, guidance or services from CSE by providing information about the designated operator’s cybersecurity program and mitigation of risk from the supply chain or use of third-party products and services.”