This afternoon marks the commencement of the second phase of the Liberal government's cybersecurity and privacy strategy. The House of Commons Standing Committee on Public Safety and National Security is set to conduct hearings on Bill C-26, legislation that proposes amendments to the regulations governing telecommunications companies and introduces the Critical Cyber Systems Protection Act (CCSPA).
David Shipley, head of New Brunswick’s Beauceron Security and co-chair of the Canadian Chamber of Commerce’s cyber council, emphasizes the significance of this legislation, calling it one of the most crucial safety and regulatory regimes in a generation. He points out the need to strike the right balance and swiftly implement effective measures. Shipley highlights Canada's lag behind the United States, Australia, and Europe in safeguarding critical infrastructure. He cites a near-miss incident last year involving a Russian hacking team targeting a Canadian pipeline, underlining the potential consequences of relying on good fortune rather than robust defenses.
Should C-26 gain approval, it will establish security obligations for "high-risk firms" across six critical infrastructure sectors in Canada. These sectors include telecommunications providers, banks, financial clearing systems, interprovincial energy providers, nuclear energy stations, and transport companies. The legislation aims to designate certain firms as vital to national security, imposing stricter cybersecurity measures and requiring them to share cyber threat information with the Communications Security Establishment (CSE), the government’s IT security and signals intelligence agency.
Designated firms will be obliged to implement and report on comprehensive cybersecurity programs addressing risks within their organization, third-party services, and supply chains. The government will possess the authority to instruct providers to take necessary actions to secure their systems.
Stakeholders, including industries and external experts, have had nearly two and a half years to assess the proposed legislation. The Canadian Telecommunications Association, representing major telcos like Bell, Rogers, and Telus, expresses concerns about the broad order-making powers granted to the government. The association also highlights the absence of a requirement for government consultation with industry and security experts. Transparency and proportionality in government orders, liability for telecom providers, and the issue of compensation are additional points of concern.
Electricity Canada, representing utilities and power producers, argues in its committee brief that C-26 fails to acknowledge established security standards within the sector and may add redundant regulatory requirements without significantly enhancing security.
Various groups, including the Citizen Lab, the Business Council of Canada, and the Canadian Civil Liberties Association, have already raised criticisms, suggesting amendments to the legislation to address perceived flaws and excessive government powers.
The hearings commence with closed-door testimony from senior officials in the Departments of Industry and Public Safety, followed by an open committee session with officials from these departments and the CSE. Concurrently, the committee continues hearings on the government's broader strategy, including an overhaul of federal private sector privacy legislation to introduce the Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA).