Key enterprises could face penalties under federal bill to bolster cybersecurity

A woman uses her computer keyboard to type while surfing the internet in North Vancouver, B.C., Wednesday, Dec. 19, 2012. Businesses and other private-sector organizations would be required to report ransomware incidents and other cyberattacks to the government under a federal bill to be tabled today. THE CANADIAN PRESS/Jonathan Hayward

OTTAWA — Key enterprises in the banking and telecommunications industries would be among those required to bolster cybersecurity and report digital attacks — or possibly face penalties — under a federal bill introduced Tuesday.

The legislation is intended to flesh out Liberal government efforts to protect critical infrastructure following last month’s announcement that Chinese vendors Huawei Technologies and ZTE will be banned from Canada’s next-generation mobile networks.

The newly tabled bill goes further, taking additional steps to protect infrastructure in the telecommunications, finance, energy and transportation sectors. It could apply to everything from pipeline and power systems to banking networks and railways.

Ottawa wants to give industry leaders, particularly operations vital to national security, the resources they need to safeguard their sectors and the Canadian public generally, said Public Safety Minister Marco Mendicino.

“I think it’s really important to underline that as we incorporate and integrate new technologies into our economy, we also have to be very sober about the national security landscape,” Mendicino told a news conference.

“It’s about both seizing the economic opportunity, but protecting Canadians as well.”

The overall goal is to establish a framework to better shield systems vital to national security and give the government new tools to respond to emerging dangers in cyberspace.

From electronic espionage to ransomware, the threats to Canadians from malicious cyberactivity are greater than ever, the government says.

The specific businesses and organizations from each federally regulated sector that fall under the legislation would be determined through coming consultations.

The bill proposes giving regulators the ability to enforce various measures through audit powers and fines, and would allow for criminal penalties in cases of non-compliance.

Attacks by cybercriminals who hold data hostage in return for a ransom have become alarmingly common.

Some targeted organizations have preferred to pay the fee demanded to try to make the problem go away quietly, making it difficult for officials to get a full picture of the phenomenon.

Under the bill, a designated business must immediately report a cybersecurity incident involving any of its critical systems to the Communications Security Establishment, the main federal cyberdefence agency.

Federal officials say consultations will help determine the threshold for mandatory reporting of such incidents.

Through changes to the Telecommunications Act, the bill would give the government legal authority to order any necessary action to secure Canada’s telecom systems.

This would include prohibiting Canadian companies from using products and services from high-risk suppliers.

“We all recognize here in Canada that our telecom infrastructure is among the most important and most critical infrastructure in our country,” said Innovation Minister François-Philippe Champagne.

Canada’s critical infrastructure is becoming increasingly interconnected, interdependent and integrated with cybersystems, particularly with the emergence of new technologies such as 5G that will increase the threat and introduce new vulnerabilities, the government says.

Ottawa has serious concerns about suppliers Huawei and ZTE, suggesting they could be compelled to comply with directions from Beijing to compromise Canada’s national security.

The federal policy outlined in May forbids the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G gear or services must be removed or terminated by June 28, 2024.

Any use of new 4G equipment and managed services from the two companies will also be prohibited, with existing gear to be pulled out by Dec. 31, 2027.

This report by The Canadian Press was first published June 14, 2022.

Jim Bronskill, The Canadian Press