
New federal bill would compel key industries to bolster cyber security or pay a price

The federal government has tabled a bill that would allow it to compel companies in the finance, telecommunications, energy and transportation sectors to either shore up their cyber systems against attacks or face expensive penalties.

If passed, Ottawa could direct how companies respond to cyber attacks

Attacks on companies, universities and even hospitals by cybercriminals holding data to ransom have become alarmingly common. (PabloLagarto/Shutterstock)


If passed, the Act Respecting Cyber Security would give the federal government more control over how private companies in critical industries respond to potential attacks.

The legislation reads the governor-in-council may "direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system."

But that information is unlikely to trickle down to the public because the bill also says that anyone who receives such direction "is prohibited from disclosing or allowing to be disclosed" that it was issued.

During a news conference, Public Safety Minister Marco Mendicino defended the provision as a way to protect national security and trade secrets.

Operators would have to report cyberattacks

Under the bill, operators in key federally-regulated industries would have to report cyber security incidents to the government's Cyber Centre. They'd also be expected to establish cyber security programs that can detect serious incidents and protect critical cyber systems.

Officials are still crafting the list of entities that fall under this new bill. They mentioned telecommunications companies like Bell and Rogers and rail companies as likely subjects for the legislation.

The bill would give regulators the power to run audits to ensure the private sector is in compliance. Those that don't fall in line could face administrative monetary penalties of $1 million for individuals and $15 million for others. They also could face summary convictions or convictions on indictment for non-compliance.

A federal government official speaking on background with reporters ahead of the announcement said cyberattacks in Canada are "grossly" underreported, often because their targets want to protect their reputations or avoid legal and insurance consequences.

"As we incorporate and integrate new technologies into our economy, we also have to be very sober about the national security landscape as it exists, dealing with more ransomware attacks, dealing with foreign interference, dealing with the wide array of tactics that are deployed by hostile state actors and their proxies," said Mendicino.

Federal officials say they're trying to avoid large-scale cyberattacks on essential infrastructure such as the ransomware hit on the Colonial Pipeline in the U.S., which halted the oil pipeline's operations for days, and the cyberattack on the Brazil-based meat processing company JBS S.A., which affected facilities in the U.S., Canada and Australia.

The legislation follows last month's announcement that Chinese tech vendors Huawei Technologies and ZTE will be banned from supplying hardware to Canada's next-generation 5G mobile networks.

Innovation, Science and Industry Minister François-Philippe Champagne, left, and Minister of Public Safety Marco Mendicino hold a press conference in Ottawa on May 19 to announce that Huawei Technologies will be banned from Canada's 5G networks. (David Kawai/The Canadian Press)

The federal policy outlined in May forbids the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G gear or services must be removed or terminated by June 28, 2024.

Any use of new 4G equipment and managed services from the two companies will also be prohibited, with existing gear to be pulled out by Dec. 31, 2027.

The federal government said at the time it also would move forward with legislation to better protect critical infrastructure.

While federal ministers have mandates to shore up security in the energy, finance and transportation sectors, the federal government says it does not currently have a "clear and explicit" legal mechanism to compel the telecommunications sector to address cyber security vulnerabilities.

As part of the bill introduced Tuesday, the Telecommunications Act would be amended to give the government new legal authority to require any necessary action to secure Canada's telecommunications. That would include prohibiting Canadian companies from using products and services from high-risk suppliers.

"If you think of the telecommunication sector, that is probably the most critical infrastructure I can think of in our country," said Innovation, Science and Industry Minister François-Philippe Champagne.

"If you think of the data economy, the digital economy that is coming, to protect our telecom infrastructure is key and foremost."

The NDP's public safety critic Alistair MacGregor said the party will review the proposed bill closely.

"We believe that it is important that companies report cybercrimes to protect people. If the full scope of the threat remains unknown, then there could be further damages to Canada in the future," he said in a media statement.

"After six years of sitting by and watching while cyberattacks from hostile actors became more common, the Liberals have finally begun to act because of pressure from the NDP."

In tandem with Tuesday's bill, the Communications Security Establishment, Canada's cyber intelligence agency, announced it will expand its Security Review Program, which helps protect telecommunications equipment and services from cyber threats, to apply more broadly to Canada's telecommunications networks and to "consider risks from all key suppliers," not just suppliers thought to pose a risk.

The Security Review Program was introduced in 2013. It was designed to exclude risky equipment from sensitive areas of Canadian networks and to ensure mandatory testing of gear before it was used.

CSE said it will be able to expand the program to develop mitigation strategies for equipment if a cyber security gap is identified.

With files from the Canadian Press