New federal bill would compel key industries to bolster cyber security — or pay a price

The federal government has tabled a bill that would allow it to compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties.

If passed, Ottawa could direct how companies respond to cyber attacks

Attacks on companies, universities and even hospitals by cybercriminals holding data to ransom have become alarmingly common. (PabloLagarto/Shutterstock)

If passed, the Act Respecting Cyber Security would give the federal government more control over how private companies in critical industries respond to potential attacks.

The legislation says the governor-in-council may "direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system."

But that information is unlikely to trickle down to the public because the bill also says that anyone who receives such direction "is prohibited from disclosing or allowing to be disclosed" that it was issued.

During a news conference, Public Safety Minister Marco Mendicino defended the provision as a way to protect national security and trade secrets.

Operators would have to report cyberattacks

Under the bill, operators in key federally-regulated industries would have to report cyber security incidents to the government's Cyber Centre. They'd also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems.

Officials are still crafting the list of entities that fall under this new bill. They mentioned telecommunications companies like Bell and Rogers and rail companies as likely subjects for the legislation.

The bill would give regulators the power to run audits to ensure the private sector is in compliance. Those that don't fall in line could face administrative monetary penalties of $1 million for individuals and $15 million for others. They also could face summary convictions or convictions on indictment for non-compliance.

A federal government official speaking on background with reporters ahead of the announcement said cyberattacks in Canada are "grossly" underreported — often because their targets want to protect their reputations or avoid legal and insurance consequences.

"As we incorporate and integrate new technologies into our economy, we also have to be very sober about the national security landscape as it exists dealing with more ransomware attacks, dealing with foreign interference, dealing with the wide array of tactics that are deployed by hostile state actors and their proxies," said Mendicino.

Federal officials say they're trying to avoid large-scale cyberattacks on essential infrastructure — such as the ransomware hit on the Colonial Pipeline in the U.S., which halted the oil pipeline's operations for days, and the cyberattack on the Brazil-based meat processing company JBS S.A., which affected facilities in the U.S., Canada and Australia.

The legislation follows last month's announcement that Chinese tech vendors Huawei Technologies and ZTE will be banned from supplying hardware to Canada's next-generation 5G mobile networks.

Innovation, Science and Industry Minister François-Philippe Champagne, left, and Minister of Public Safety Marco Mendicino hold a press conference in Ottawa on May 19 to announce that Huawei Technologies will be banned from Canada’s 5G networks. (David Kawai/The Canadian Press)

The federal policy outlined in May forbids the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G gear or services must be removed or terminated by June 28, 2024.

Any use of new 4G equipment and managed services from the two companies will also be prohibited, with existing gear to be pulled out by Dec. 31, 2027.

The federal government said at the time it also would move forward with legislation to better protect critical infrastructure.

While federal ministers have mandates to shore up security in the energy, finance and transportation sectors, the federal government says it does not currently have a "clear and explicit" legal mechanism to compel the telecommunications sector to address cyber security vulnerabilities.

As part of the bill introduced Tuesday, the Telecommunications Act would be amended to give the government new legal authority to require any necessary action to secure Canada's telecommunications. That would include prohibiting Canadian companies from using products and services from high-risk suppliers.

"If you think of the telecommunication sector, that is probably the most critical infrastructure I can think of in our country," said Innovation, Science and Industry Minister François-Philippe Champagne.

"If you think of the data economy, the digital economy that is coming, to protect our telecom infrastructure is key and foremost."

The NDP's public safety critic Alistair MacGregor said the party will review the proposed bill closely.

"We believe that it is important that companies report cybercrimes to protect people. If the full scope of the threat remains unknown, then there could be further damages to Canada in the future," he said in a media statement.

"After six years of sitting by and watching while cyberattacks from hostile actors became more common, the Liberals have finally begun to act because of pressure from the NDP."

In tandem with Tuesday's bill, the Communications Security Establishment, Canada's cyber intelligence agency, announced it will expand its Security Review Program — which helps protect telecommunications equipment and services from cyber threats — to apply more broadly to Canada's telecommunications networks and to "consider risks from all key suppliers," not just suppliers thought to pose a risk.

The Security Review Program was introduced in 2013. It was designed to exclude risky equipment from sensitive areas of Canadian networks and to ensure mandatory testing of gear before it was used.

CSE said it will be able to expand the program to develop mitigation strategies for equipment if a cyber security gap is identified.

ABOUT THE AUTHOR

Catharine Tunney is a reporter with CBC's Parliament Hill bureau, where she covers national security and the RCMP. She worked previously for CBC in Nova Scotia. You can reach her at catharine.tunney@cbc.ca

With files from the Canadian Press