For the second meeting in a row, Conservative MPs shortened witnesses’ testimony at committee meetings looking into proposed cybersecurity legislation for overseeing critical infrastructure providers. They did it by bringing forward and forcing debate on other business.
What’s before the public safety and national security committee is Bill C-26, which would do two things: amend the Telecommunications Act, and create a new Critical Cyber Systems Protection Act (CCSPA). Both would impose new cybersecurity obligations on critical infrastructure providers like telecom companies, banks, and energy companies.
On Monday, when long-awaited hearings on Bill C-26 first started, the Conservatives cut into the time Industry and Defence Department witnesses could be questioned on the legislation by bringing forward a motion to start looking into the increase of carjacking in Canada. When a motion is tabled, committee work stops until it is voted on.
On Thursday, shortly after two witnesses gave their five-minute opening statements, the Conservatives again stopped the hearing by raising a motion to start looking into the Liberal cabinet’s use of the Emergencies Act during last year’s Ottawa protests over COVID restrictions. This came even though another Parliamentary committee is already looking into that incident.
Liberal, NDP and Bloc Quebecois MPs on the committee protested that this was the second time this week the agenda of the committee had been — properly according to committee rules — diverted. Their protests were determined enough that the Conservatives were forced to agree to suspend debate on the second motion to another time, so hearing the witnesses could continue.
However, so much time was eaten up, almost an hour, that MPs didn’t get a chance to question Trevor Neiman of the Business Council of Canada and Byron Holland, CEO of the Canadian Internet Registration Authority (CIRA), after the pair had each given five-minute introductory statements. Instead, they left and the committee heard from other witnesses scheduled for the second hour of the session.
The legislation would allow the government to designate services and systems that are vital to national security or public safety.
The government could also designate the operators, or classes of operators, responsible for their protection. Firms would have to show the government they have a cybersecurity program, and report certain cyber incidents.
Among the controversial parts: the Minister of Industry would have the power to order telecom providers to do “anything” necessary to secure the Canadian telecommunications system. Under the CCSPA, the cabinet would have a similar power over designated critical infrastructure providers. Civil rights groups worry that “anything” gives the government unchecked power. The Telecommunications Act, though, includes examples of orders the minister can give, such as the removal of a product from a provider’s network.
While critical infrastructure providers include manufacturers, food producers and processors, interprovincial transport, pipeline and energy companies, banks and internet operators, the government has said initially the legislation would only apply to high-risk companies.
Neiman, the Business Council’s vice-president of policy, said the group is asking for “targeted amendments” to the CCSPA in several areas including:
— “fair and reasonable limitations” on the federal cabinet’s power to issue cybersecurity orders to critical infrastructure firms. Otherwise, Neiman said, the cabinet could give an order regardless of whether it would be effective or reduce risk to a critical cybersecurity system. As the wording stands now, he said, there would be no obligation for the cabinet to consider the costs to companies of complying with an order, if there are reasonable alternatives to an order, or to consider the possible effects on competition or customers;
— putting a risk-based methodology into the legislation that would put fewer and less onerous obligations on low-risk firms with well-established cybersecurity programs.
Holland suggested three changes to C-26:
— any cabinet orders issued to firms under the CCSPA should be first examined by the Clerk of the Privy Council — the head of the civil service — and the Deputy Minister of Justice, who is usually a career civil servant;
— the CCSPA should limit the ability of the government to use cybersecurity data collected from companies for only cybersecurity and information assurance purposes;
— and the government should have to report annually to Parliament on how many orders it has given companies under the act.
After Neiman and Holland left — without being questioned by MPs because time had run out for their session — the committee heard from Aaron Shull, managing director of the Centre for International Governance Innovation, a Waterloo, Ont.-based think tank, and Sharon Polsky, president of the Privacy and Access Council of Canada, who made a joint submission with several civil rights groups including the National Council of Canadian Muslims.
“I think the bill is pretty good as it stands,” Shull said. However, he added, it should include a tax incentive to encourage small and medium-sized businesses to invest in cybersecurity.
Polsky complained the bill could allow the government to force companies to create backdoors, break encryption, “or go on a fishing expedition to find whatever information the government wants, including what’s in your emails and your texts, your cellphone and vehicle locations, purchasing information, donor details, so that it can make an order — and the order will be secret until the target realizes something’s up.
“With a nod to Eastern European regimes a hundred years ago, this bill lets the [Industry] minister compel any person, under threat of punitive fines, to provide any information within any time, subject to any conditions that might be specified, or authorize anyone to enter and seize any information in [IT systems], but without the checks and balances that are the mainstay of democracy.”
In short, the bill makes it impossible for organizations to comply with privacy laws, she said. Nor is there an obligation for the government to consult with the federal Privacy Commissioner to ensure personal information handed over is adequately safeguarded.
The joint submission says the CCSPA should be amended in several ways. One is to make it clear that the Industry Minister can’t issue an action order unless there are reasonable grounds to believe it is necessary. Before issuing an order, the Industry Minister should have to consult with the Minister of Public Safety and a body of industry experts.
The law should also make it clear that the cabinet can ask a firm to comply with an order to protect a critical cyber system only “against a material threat.”