The federal government has created a bill that would make it mandatory for companies in the finance, telecommunications, energy and transportation sectors to build their networks to resist attacks or face the threat of expensive penalties.
If passed, the Cybersecurity Respect Act would give the federal government more control over how private companies in critical industries respond to potential attacks.
The act states that the board of governors may “direct any designated operator or class of operators to comply with any measure laid down for the purpose of protecting a network.”
But that information is unlikely to reach the public because the bill also says that anyone who receives such an instruction is “barred from disclosing or otherwise authorized to disclose” that it was issued.
During a press conference, Public Safety Minister Marco Mendicino defended the provision as a way to protect national security and trade secrets.
Operators will have to report cyber attacks
Under the bill, operators in critical federally regulated industries would have to report cybersecurity incidents to the government’s Cyberspace Center. They are also expected to establish cybersecurity programs that can detect critical incidents and protect critical network systems.
Officials are still drafting a list of entities covered by the new bill. They cited telecommunications companies such as Bell and Rogers, and railroad companies, as entities that may be subject to the law.
The bill would give regulators the power to conduct audits to ensure private sector compliance. Those who do not comply can be subject to an administrative fine of $1 million for individuals and $15 million for others. They may also face summary judgments or convictions for non-compliance.
A federal government official who spoke to reporters ahead of the announcement said reporting of cyberattacks in Canada was lacking “overall” – often because the targets wanted to protect their reputation or avoid legal and insurance consequences.
“As we incorporate and integrate new technologies into our economy, we must also be very vigilant about the national security landscape as it survives more ransomware attacks, against dealing with foreign interference, dealing with a variety of tactics deployed by the enemy,” Mendicino said.
Federal officials say they are trying to avoid large-scale cyberattacks on critical infrastructure – such as the ransomware that hit the Colonial Pipeline in the US, causing pipeline operations to be halted for several days, and the cyberattack on Brazil-based meat processing company JBS SA that affected facilities in the US, Canada and Australia.
The legislation follows last month’s announcement that Chinese technology suppliers Huawei Technologies and ZTE would be barred from providing hardware for Canada’s next-generation 5G mobile networks.
Federal policy introduced in May prohibits the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G equipment or services must be removed or terminated by June 28, 2024.
Any use of new 4G equipment and managed services from the two companies will also be banned, with existing devices phased out by December 31, 2027.
The federal government at the time said it would also move forward with legislation to better protect critical infrastructure.
While federal ministers are tasked with increasing security in the energy, financial and transportation sectors, the federal government says it currently does not have a “clear and clear” regulatory mechanism in place to force the telecommunications sector to address cybersecurity vulnerabilities.
As part of a bill enacted Tuesday, the Telecommunications Act will be amended to give the government new legal authority to require any action necessary to secure Canada’s telecommunications. That would include banning Canadian companies from using products and services from high-risk suppliers.
“If you think about the telecommunications sector, that is probably the most important infrastructure I can think of in our country,” said Innovation, Science and Industry Minister François-Philippe Champagne.
“If you think about the data economy, the coming digital economy, to protect our telecommunications infrastructure is key and most important.”
The NDP’s public safety critic Alistair MacGregor said the party would look closely at the proposed bill.
“We believe it’s important for companies to report cybercrime to protect people. If the full scope of the threat remains unknown, Canada could suffer further damage in the future,” he said in a media statement.
“After six years of sitting and watching while cyberattacks from hostile parties became more common, the Liberals have finally begun to act because of pressure from the NDP.”
In parallel with Tuesday’s bill, the Communications Security Foundation, Canada’s cyber intelligence agency, announced it would expand its Security Assessment Program – which helps protect telecommunications equipment and services from cyber threats – to apply more broadly to Canada’s telecommunications networks and “considering risks from all major providers,” not just those deemed at risk.
The Security Assessment Program was introduced in 2013. It is designed to exclude risky equipment from sensitive areas of the Canadian network and ensure mandatory testing of the device prior to use.
CSE says it will be able to expand the program to develop mitigation strategies for devices if a vulnerability is identified.