(OTTAWA) Businesses and other private sector organizations would be required to report incidents of ransomware and other cyberattacks to the government under a federal bill to be introduced Tuesday.
Posted at 7:48 a.m.
The legislation aims to flesh out the Liberal government’s efforts to protect critical infrastructure following last month’s announcement that Chinese providers Huawei Technologies and ZTE will be banned from Canada’s next-generation mobile networks.
At that time, Public Safety Minister Marco Mendicino said the Liberals would introduce legislation that would go further by taking additional measures to protect infrastructure in telecommunications, finance, energy and transport.
He said it would establish a framework to better protect systems vital to national security and give the government a new tool to respond to emerging dangers in cyberspace.
Attacks on corporations, universities, and even hospitals by cybercriminals who hold data hostage in exchange for ransom have become extremely common.
Some targeted organizations have preferred to pay the required fees to try to make the problem disappear smoothly, which is detrimental to those in charge who wish to have a complete picture of the phenomenon.
Minister Mendicino told a recent House of Commons committee meeting that the government was considering making reporting of such attacks mandatory.
Planned measures also include amendments to the Telecommunications Act that would allow the government to prohibit the use of equipment and services from designated providers as needed.
The federal policy outlined in May prohibits the use of new 5G equipment and services from Huawei and ZTE. It will also be necessary to remove their existing 5G equipment and terminate the services they manage by June 28, 2024.
Any use of new 4G equipment and services from the two companies will also be prohibited, with existing equipment and the services they manage to be retired by December 31, 2027.
The government is planning other measures that would create a comprehensive telecommunications security framework, consistent with the approach taken by allies and partners.
Last year, the UK passed legislation imposing stricter requirements on telecommunications providers to defend their networks against threats that could lead to failure or the theft of important data.
In March, the UK opened a public consultation on draft regulations outlining the specific steps suppliers should take to meet their legal obligations, as well as a draft code of practice on compliance with the regulations.
The Canadian government plans to increase its planned legislative measures by building on the existing security review program, led by the Communications Security Establishment ― the Electronic Spy Service ― in partnership with telecommunications service providers Canadians.
The program is designed to exclude specified equipment from sensitive areas of Canadian networks and ensure mandatory testing of equipment before it is used in less vulnerable systems.
The government intends to expand the program to consider the risks of all major vendors and apply its efforts more broadly to help industry improve cybersecurity.