Canadian ministers express willingness to amend Bill C-26 for critical infrastructure cybersecurity. (Screenshot via ParlVu)
Two senior Canadian cabinet ministers have expressed the government's willingness to amend its proposed cybersecurity legislation for federally regulated critical infrastructure providers, aiming to strengthen the bill. Industry Minister François-Philippe Champagne and Public Safety Minister Dominic LeBlanc made this commitment during a session with the House of Commons national security committee reviewing Bill C-26. This bill is designed to impact sectors such as telecommunications, finance, transportation, and energy.
Champagne emphasized the critical importance of the legislation and the urgency for action, noting that cyber threats are constantly evolving. He stated that the government is open to working with the committee to make unspecified improvements to the proposed cybersecurity act, aiming for a constructive outcome.
Some witnesses have criticized the bill, arguing that it grants the government or the industry minister excessive power to order designated critical infrastructure providers to take any action. Critics have called for more specific language in the legislation, specifying that government orders must be "reasonable" and "necessary." They also want provisions for consulting experts before making orders, including independent oversight in secret judicial hearings, and protecting personal information shared with the government.
Champagne and LeBlanc did not provide specific details on how these changes would be implemented but assured the committee that they would work closely with industry stakeholders to create a clear and consistent regulatory regime. They also noted that the legislation aims to promote resilience in critical infrastructure providers, not just improve cybersecurity.
The proposed legislation consists of two parts: amendments to the Telecommunications Act, which would give the government the power to order telecom providers to secure their systems, and the Critical Cyber Systems Protection Act, which would apply to other federally regulated critical infrastructure providers. These changes would establish a cybersecurity compliance regime and require firms to report cyber incidents to the Communications Security Establishment (CSE) immediately.
Conservative MP Doug Shipley criticized the bill, stating that it grants the government too much power with insufficient oversight. He called for amendments to address these concerns, which LeBlanc acknowledged, emphasizing the need for appropriate oversight given the evolving threat landscape.
Overall, the government is open to making changes to the proposed legislation to address concerns raised by industry stakeholders and ensure effective cybersecurity measures for critical infrastructure providers.
