The federal government arrogates to itself the right to dictate to telecommunications companies any measure essential to national security, according to a bill tabled on Tuesday that makes possible the announced ban on Huawei and ZTE in Canada.
Ottawa also plans to oblige companies in the finance, energy, transport and telecommunications sectors to inform it of all computer attacks they suffer. These companies under federal jurisdiction will also have to adopt a cybersecurity plan.
“The telecommunications infrastructure is one of the most important sectors, if not the most important, of tomorrow’s economy. [We must] protect this infrastructure against security attacks to ensure resilience,” explained federal Minister of Innovation, Science and Industry, François-Philippe Champagne, on the sidelines of the unveiling of Bill C-26.
The Canadian government has come to realize through expert reports that it has no law to force telecommunications companies to patch loopholes, such as doing business with a “high risk” supplier, that leave them vulnerable to attacks from hackers or hostile states.
The first action it will take after the new law comes into force is to ban Huawei and ZTE from the development of Canadian 5G networks, as announced last month after two and a half years of dithering.
Telecommunications companies, such as cell phone or Internet providers, face fines of up to $10 million if they defy a federal decree on national security. This amount can climb to $15 million for each recurrence.
Reduce self-regulation
Hacking threats have become increasingly prominent in Canada in the “connected post-COVID world”, senior federal public safety officials told the media. Ottawa recorded 304 cybersecurity incidents last year, a number considered “underestimated”, since companies are not currently required to report them.
Nearly half of these incidents affect infrastructure essential to the country’s national security. Officials make it clear that the attacks do not necessarily come from other countries, but can also come from criminal groups motivated by financial gain, as in the case of ransomware.
“The government has long let the industry regulate itself,” explains Jean-Christophe Boucher, assistant professor in the school of public policy at the University of Calgary. “What we found out is that it doesn’t work.”
Even companies that manage essential infrastructure in Canada such as pipelines or power grids do not invest enough in cybersecurity and do not necessarily disclose the attacks they are victims of, he says. “It is high time for the government to pass laws that will improve cybersecurity.”
The observation is shared by Nicolas Pellerin-Roy, associate researcher at the Multidimensional Conflicts Observatory of the Raoul-Dandurand Chair at UQAM.
“Right now companies are empowered in how they manage and respond to cybersecurity. Most affected businesses likely already have cybersecurity plans. [But] often their leaders do not understand the urgency or the importance of having good protection. There they will be forced to take it seriously,” he believes.
Scope of the law to be defined
The government intends to consult the regulators of the four sectors “essential to national security” targeted by the bill to determine more precisely which companies will fall under the new obligations.
“The approach is to continue self-regulation [of companies in these sectors] but to use it in partnership [with the government] as required by the bill,” said Public Safety Minister Marco Mendicino, the sponsor of Bill C-26.
Although the companies concerned will have to tell the government when they are victims of a computer attack, neither their customers nor the general public will be notified. According to Minister Mendicino, this strikes the balance between the imperatives of transparency and national security.
The Minister hopes that his text will serve as an inspiration to the provinces and municipalities so that they too can adopt a mechanism for sharing information with the companies under their jurisdiction. C-26 has no chance of being passed before the House of Commons summer recess, scheduled for June 23. It will be considered when MPs return to Ottawa next fall.