Imagine a referee who, during a Canadiens game, goes to see a player to explain to him how to send the puck to the net. He would run the risk of losing his job: it is not part of his duties or his area of expertise.
Yet that is what Ottawa is trying to do with Bill C-26 in the area of digital security. Instead of minding its own business, the government wants to embed itself in setting up companies’ digital security plans.
Concretely, if this bill is passed, companies will have to fill out new forms to present their digital security plans and submit them to the appropriate regulatory body.
Federal officials will then comb through the plan and, if satisfied, stamp it for approval so it can be implemented. For every change, no matter how minor, the company will have to redo the paperwork and wait for a response from the government.
It is the addition of this new bureaucratic step that poses the problem.
In digital security, things move at breakneck speed. When a company finds a flaw in its system, it knows full well that it has every interest in fixing it quickly, otherwise it exposes itself to legal, reputational and important financial statements – ask Desjardins.
Although many terms can describe the federal government, “fast” and “efficient” are generally not among them. Talk to anyone who has had their passport redone lately.
Unfortunately, when the government requires notification of program changes and other new corporate measures, it adds a delay between decision-making and implementation. More concretely, it stretches the time between when a breach is found and when it is closed.
And the risk remains significant. The companies affected are both financial institutions and cellular service providers or pipeline operators.
Perhaps government action could be justified if Canadian companies were not concerned about computer security. The data tells us that this does not square with reality.
In the banking sector, 93% of managers consider cybersecurity risk a key factor in their decision-making1and the strategies they employ to reduce this risk are as diverse as they are innovative.
For example, some companies employ what are called “ethical hackers” to test the security of their systems, find their flaws and thus be able to plug them before a malicious individual can exploit them.
Expenses – and their evolution – confirm that companies do not just talk, but take action.
In 2021 alone, Canadian businesses spent nearly $10 billion preventing and detecting cybersecurity incidents2.
It is therefore clear that companies realize the importance of digital security and are ready to do what it takes to ensure it, without even Ottawa adding a small army of civil servants to the equation.
We are not saying that the federal government has no role to play in digital security, but interfering in the quick decisions that our companies must make risks being counterproductive and taking resources away from other areas where their expertise is most useful.
We can think of the banning of services that could hinder national security, such as those of Huawei, or even digital issues in connection with foreign state actors.
You won’t see a referee telling players how to score a goal. Similarly, Ottawa must learn to mind its own business. Our companies already know how to do their job.