The new federal bill will force key industries to increase cybersecurity – or pay the price

The federal government has introduced a bill that would allow it to force companies in the financial, telecommunications, energy and transport sectors to either secure their cyber systems against attacks or face costly fines.

If passed, the Cybersecurity Respect Act will give the federal government more control over how private companies in critical industries respond to potential attacks.

The law states that the manager of the board may “direct each designated operator or class of operators to comply with any measure specified in the direction in order to protect a critical cybersystem.”

But this information is unlikely to reach the public, as the bill also says that anyone who receives such an instruction “is prohibited from disclosing or allowing it to be disclosed” that it has been issued.

During a press conference, Public Security Minister Marco Mendicino defended the provision as a way to protect national security and trade secrets.

Operators will have to report cyberattacks

Under the bill, operators in key federally regulated industries will have to report cybersecurity incidents to the government’s cybercenter. They are also expected to create cybersecurity programs that can detect serious incidents and protect critical cyber systems.

Officials are still drawing up the list of entities covered by this new bill. They mentioned telecommunications companies such as Bell and Rogers and railway companies as possible subjects of the legislation.

The bill will give regulators the power to conduct audits to ensure that the private sector complies. Those who do not comply may face administrative fines of $1 million for individuals and $15 million for others. They may also face summary sentences or convictions for non-compliance.

A federal government official speaking to reporters before the announcement said cyberattacks in Canada were “severely underestimated” – often because the organizations affected wanted to protect their reputations or avoid legal and insurance consequences.

“As we deploy and integrate new technologies into our economy, we also need to be very sober about the national security landscape, as it exists to deal with more ransomware attacks, to deal with foreign interference, to deal with a wide range of tactics used by hostile state actors and their proxies,” Mendicino said.

Federal officials say they are trying to avoid large-scale cyberattacks on key infrastructure, such as the Colonial Pipeline ransomware attack that halted oil pipeline operations for days and the cyberattack on Brazil-based meat processing company JBS SA that affected facilities in the United States, Canada and Australia.

The law follows last month’s announcement that Chinese technology providers Huawei Technologies and ZTE will be banned from supplying hardware for Canada’s next-generation 5G mobile networks.

Innovation, Science and Industry Minister Francois-Philippe Champagne, left, and Public Security Minister Marco Mendicino give a press conference in Ottawa on May 19 to announce that Huawei Technologies will be banned from Canada’s 5G networks. (David Kawai / Canadian Press)

Federal policy outlined in May bans the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G facilities or services must be phased out or discontinued by June 28, 2024.

Any use of new 4G equipment and managed services from both companies will also be banned, with existing equipment withdrawn by December 31, 2027.

The federal government said at the time that it would continue with legislation to better protect critical infrastructure.

While federal ministers have mandates to maintain security in the energy, finance and transport sectors, the federal government says there is currently no “clear and explicit” legal mechanism to force the telecommunications sector to address cybersecurity vulnerabilities.

As part of a bill presented Tuesday, the Telecommunications Act will be amended to give the government new legal authority to require all necessary action to protect Canada’s telecommunications. This would include banning Canadian companies from using products and services from high-risk suppliers.

“If you think about the telecommunications sector, this is probably the most critical infrastructure I can think of in our country,” said Minister of Innovation, Science and Industry Francois-Philippe Champagne.

“If you think about the data economy, the digital economy that is coming, protecting our telecommunications infrastructure is key and above all.”

In tandem with Tuesday’s bill, the Communications Security Establishment, Canada’s cyber intelligence agency, said it would expand its security review program – which helps protect telecommunications equipment and services from cyber threats – so that it applies more widely to Canada’s telecommunications networks and will “take into account the risks of all key providers”, not just providers who are considered to pose a risk.

The Security Review Program was launched in 2013. It is designed to exclude hazardous equipment from sensitive areas of Canadian networks and to ensure mandatory testing of equipment before it is used.

CSE said it would be able to expand the program to develop strategies to mitigate the impact of the equipment if a cybersecurity loophole is identified.