The federal government has tabled a bill that would allow it to compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties.
If passed, the Act Respecting Cyber Security would give the federal government more control over how private companies in critical industries respond to potential attacks.
The legislation says the governor-in-council may “direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”
But that information is unlikely to trickle down to the public because the bill also says that anyone who receives such direction “is prohibited from disclosing or allowing to be disclosed” that it was issued.
During a news conference, Public Safety Minister Marco Mendicino defended the provision as a way to protect national security and trade secrets.
Operators would have to report cyberattacks
Under the bill, operators in key federally regulated industries would have to report cyber security incidents to the government’s Cyber Centre. They’d also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems.
Officials are still crafting the list of entities that fall under this new bill. They mentioned telecommunications companies like Bell and Rogers and rail companies as likely subjects for the legislation.
The bill would give regulators the power to run audits to ensure the private sector is in compliance. Those that don’t fall in line could face administrative monetary penalties of $1 million for individuals and $15 million for others. They also could face summary convictions or convictions on indictment for non-compliance.
A federal government official speaking on background with reporters ahead of the announcement said cyberattacks in Canada are “grossly” underreported — often because their targets want to protect their reputations or avoid legal and insurance consequences.
“As we incorporate and integrate new technologies into our economy, we also have to be very sober about the national security landscape as it exists dealing with more ransomware attacks, dealing with foreign interference, dealing with the wide array of tactics that are deployed by hostile state actors and their proxies,” said Mendicino.
Federal officials say they’re trying to avoid large-scale cyberattacks on essential infrastructure — such as the ransomware hit on the Colonial Pipeline in the U.S., which halted the oil pipeline’s operations for days, and the cyberattack on the Brazil-based meat processing company JBS S.A., which affected facilities in the U.S., Canada and Australia.
The legislation follows last month’s announcement that Chinese tech vendors Huawei Technologies and ZTE will be banned from supplying hardware to Canada’s next-generation 5G mobile networks.
The federal policy outlined in May forbids the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G gear or services must be removed or terminated by June 28, 2024.
Any use of new 4G equipment and managed services from the two companies will also be prohibited, with existing gear to be pulled out by Dec. 31, 2027.