The Canadian federal government reportedly tabled a bill on Tuesday that would allow it to push companies in the finance, telecommunications, energy and transportation sectors to strengthen their systems against cyberattacks or face significant penalties.
If passed, the Act Respecting Cyber Security would give the federal government more control over how private companies in critical industries respond to potential cyberattacks.
According to the legislation, the governor-in-council may “direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”
In a news conference, Public Safety Minister Marco Mendicino defended the legislation as a method to protect national security and trade secrets.
Under this bill, operators in important federally regulated industries would have to report cyber security incidents to the government’s Cyber Centre. Additionally, they’d be expected to establish cyber security programs that can detect serious incidents and protect key cyber systems.
Officials are currently creating the list of entities that fall under this new legislation. Telecommunications companies like Bell and Rogers and rail companies have been mentioned as likely targets of the bill.
The legislation would provide regulators with the power to run audits in order to ensure the private sector is in compliance. Those that fail to comply could face administrative financial penalties of up to $1 million for individuals and $15 million for others. They also could face summary convictions or convictions on indictment for not complying.
Underreported Cyberattacks
A federal government official who spoke on background with reporters before the announcement said cyberattacks in Canada are “grossly” underreported — usually because their targets want to protect their reputations or avoid legal and insurance consequences.
“As we incorporate and integrate new technologies into our economy, we also have to be very sober about the national security landscape as it exists dealing with more ransomware attacks, dealing with foreign interference, dealing with the wide array of tactics that are deployed by hostile state actors and their proxies,” said Mendicino.
Federal officials also said that they’re looking to avoid large-scale cyberattacks on essential infrastructure, like the ransomware attack on the Colonial Pipeline in the US. This cyberattack stalled the oil pipeline’s operations for days.
This legislation follows an announcement in May that Chinese tech vendors Huawei Technologies and ZTE will be banned from supplying hardware to Canada’s 5G mobile networks.
As part of the bill introduced on Tuesday, the Telecommunications Act would be amended to provide the government with new legal authority to require any necessary action to secure Canada’s telecommunications. This would include banning Canadian companies from using products and services from high-risk suppliers.
“If you think of the telecommunication sector, that is probably the most critical infrastructure I can think of in our country,” said Innovation, Science and Industry Minister François-Philippe Champagne.
“If you think of the data economy, the digital economy that is coming, to protect our telecom infrastructure is key and foremost,” he added.