In January, news broke that Global Affairs Canada had been the victim of a month-long security breach. Reports suggest there was unauthorized access to sensitive government data and personal information, and that many employees are now unable to work remotely.
Unfortunately, major cyber breaches are on the rise internationally and in Canada. Earlier this year, researchers said they had discovered 26 billion online records – including username and password combinations – on the dark web. Here in Canada, high-profile attacks have taken down household names like Petro-Canada, Indigo and the LCBO.
Individually, each headline about a cyber breach represents a bad day for an organization and the Canadians who rely on it. But when considered collectively, they serve as a warning. As international tensions grow and foreign adversaries develop new cyber capabilities, the private sector will increasingly become a target for bad actors who want to wreak havoc on our critical infrastructure and undermine Canada’s national security.
Members of Parliament sat down this month to study the government’s signature cybersecurity legislation, Bill C-26. Lawmakers on the House of Commons standing committee on public safety and national security have heard from a range of witnesses on how the bill can be improved to bolster cybersecurity in Canada’s private sector.
As stakeholders, including CIRA, have noted, Bill C-26 can and should be strengthened to foster Canadians and Canadian organizations’ trust in the new law.
Bill C-26 has two big jobs to do: as currently drafted, part one of the bill amends the Telecommunications Act to equip the government with new powers to secure Canada’s telecommunications system.
Part two, known as the Critical Cyber Systems Protection Act, or CCSPA, is designed to improve cybersecurity across four major critical infrastructure sectors: energy, finance, telecommunications and transportation. Among other things, every designated operator within these four sectors will have to implement cybersecurity policies and procedures and report any cyber incidents that occur to their sectoral regulator.
Under the bill, the government would also be able to issue Cyber Security Directions, legally binding orders that require organizations such as banks or nuclear plants “to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”
There’s no doubt that Bill C-26 is needed and that the intention is sound. A recent poll of Canadian cybersecurity decision-makers found that 78 per cent support the objectives of the bill.
But the legislation still needs strengthening, in three key areas. First, as currently drafted, there is limited oversight for Cyber Security Directions in Bill C-26. Adding an oversight mechanism to ensure expert, nonpartisan actors review Cyber Security Directions before they are issued would help make sure they aren’t used for political purposes.
Second, the legislation needs additional guardrails around how information is shared by the government. Under the CCSPA, the government can collect confidential or commercially sensitive information and share it widely with its intelligence partners, with few restrictions. To help Canadians trust the bill, the draft law should be amended so that information collected under the CCSPA is used only for cybersecurity purposes.
Third, additional transparency measures should be built into the law to ensure Canadians understand how the government is using its new powers. There should be annual reports that outline the number of Cyber Security Directions issued each year, the sectors they’re issued to, and other key details, in a way that doesn’t compromise national security or any company’s competitiveness.
Anybody who has read the news recently knows that Canada needs more sophisticated legislative tools to bolster cybersecurity. Although there is no silver bullet solution, Bill C-26 is a welcome step toward improving the baseline level of security across critical infrastructure in Canada.
Bill C-26′s committee review gives lawmakers a golden opportunity to ensure the bill is the strongest it can be. We hope MPs will consider the views of Canada’s cybersecurity community and put forward amendments that promote a trusted, more secure digital future in Canada.
Byron Holland (MBA, ICD.D) is the president and CEO of the Canadian Internet Registration Authority (CIRA), the national not-for-profit best known for managing the .CA domain and developing new cybersecurity, DNS, and registry services.
Byron is an expert in internet governance and a seasoned entrepreneur. Under Byron’s leadership, CIRA has become one of the leading ccTLDs in the world, with over 3 million domains under management. Over the past decade, he has represented CIRA internationally and held numerous leadership positions within ICANN. He currently sits on the Board of Directors for TORIX, and is a member of the nominations committee for ARIN. He lives in Ottawa with his wife, two sons, and their Australian shepherd, Marley.
The views expressed in this blog are Byron’s opinions on internet-related issues, and are not necessarily those of the organization.
