{"id":43867,"date":"2024-01-29T12:01:05","date_gmt":"2024-01-29T17:01:05","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=557506"},"modified":"2024-01-29T12:01:05","modified_gmt":"2024-01-29T17:01:05","slug":"hearings-on-canadas-proposed-cybersecurity-law-to-start-today","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/hearings-on-canadas-proposed-cybersecurity-law-to-start-today\/","title":{"rendered":"Hearings on Canada\u2019s proposed cybersecurity law to start today"},"content":{"rendered":"<p>Work on the second plank of the Liberal government&#8217;s cybersecurity and privacy strategy starts this afternoon.<\/p>\n<p>That&#8217;s when the House of Commons Standing Committee on Public Safety and National Security opens hearings on Bill C-26, <a href=\"https:\/\/www.itworldcanada.com\/article\/designated-canadian-firms-would-have-to-report-cyber-breaches-under-proposed-law\/488372\"  rel=\"noopener\">which amends legislation governing telecommunications companies and creates the Critical Cyber Systems Protection Act (CCSPA).<\/a><\/p>\n<p>\u201cThis legislation is among the most important safety and regulatory regimes of a generation,&#8221; says David Shipley, head of New Brunswick&#8217;s <a href=\"https:\/\/www.beauceronsecurity.com\/\"  rel=\"noopener\">Beauceron Security<\/a> and co-chair of the Canadian Chamber of Commerce&#8217;s cyber council.<\/p>\n<p>&#8220;We have to both get it right and get it done. We\u2019ve mostly gotten it right, with a few surgical tweaks needed. We\u2019ve been abysmal at getting it done.<\/p>\n<p style=\"font-weight: 400;\">\u201cCanada is woefully behind the United States, Australia and Europe when it comes to the protection of our critical infrastructure,&#8221; he said. 
&#8220;We had the airport equivalent of a near miss between two planes <a href=\"https:\/\/www.itworldcanada.com\/article\/breaking-news-ddos-attacks-block-pm-trudeaus-web-site\/536110\"  rel=\"noopener\">last year where an amateur Russian hacking team almost made a Canadian pipeline explode.<\/a> They had access and were given the green light by their GRU handler. It was good fortune that saved us, not good defences and good planning.<\/p>\n<p style=\"font-weight: 400;\">\u201cWe don\u2019t want to see what happens when good fortune runs out.\u201d<\/p>\n<p>If <a href=\"https:\/\/www.ourcommons.ca\/Committees\/en\/SECU\/StudyActivity?studyActivityId=12223563\"  rel=\"noopener\">C-26<\/a> passes, for the first time there will be legislated security obligations for &#8220;high-risk firms&#8221; in six of Canada&#8217;s critical infrastructure sectors &#8212; telecommunications providers, banks, financial clearing systems, interprovincial energy providers, nuclear energy stations, and transport companies.<\/p>\n<p>Those firms deemed vital to national security would be designated under regulations to toughen their cybersecurity and confidentially share cyber threat information with the Communications Security Establishment (CSE), the government\u2019s IT security and signals intelligence agency.<\/p>\n<p>Designated firms would have to implement and report on a cybersecurity program to address risk across the organization, third-party services, and supply chains. The government would have the power to tell providers to do anything necessary to secure their systems.<\/p>\n<p>The industries &#8212; and outside experts &#8212; have had almost two and a half years to think about what they like and don&#8217;t like about the proposed legislation. 
In a statement today, the Canadian Telecommunications Association, which represents major telcos including Bell, Rogers and Telus, said detailed comments about proposed changes to the Telecommunications Act will come when it testifies.<\/p>\n<p>But briefly, the statement said, the association&#8217;s members have concerns about the &#8220;overly broad scope of order-making powers [by the government] and the absence of a requirement for government to consult with or consider the advice of industry and security experts. We are also concerned that the bill does not require the government to make its orders proportionate to the alleged security risk, that telecom providers can be held liable for violations even when they have taken all reasonable steps to comply with an order, and that the bill prohibits the government from providing compensation to parties for the costs associated with complying with a government order.<\/p>\n<p>&#8220;Finally, while we recognize there may be situations where orders must be kept secret, the bill errs on the side of secrecy rather than transparency. Transparency is an important element for maintaining the public\u2019s trust in the exercising of government authority.&#8221;<\/p>\n<p>In a brief to the committee, Electricity Canada, which represents many utilities and power producers, complained C-26 doesn&#8217;t recognize established security standards and expertise within the sector. 
&#8220;In practice, the bill risks adding very little security to our sector, and redundantly adds an additional layer of regulatory requirements,&#8221; <a href=\"https:\/\/www.ourcommons.ca\/Content\/Committee\/441\/SECU\/Brief\/BR12657640\/br-external\/ElectricityCanada-e.pdf\"  rel=\"noopener\">the submission says.<\/a><\/p>\n<p>Other groups have already issued criticisms:<\/p>\n<p>&#8212; Shortly after the legislation was introduced, a senior research associate at the Citizen Lab, part of the University of Toronto\u2019s Munk School of Global Affairs and Public Policy, <a href=\"https:\/\/www.itworldcanada.com\/article\/proposed-telecom-cybersecurity-law-gives-canadian-government-too-much-secret-power-researcher\/509061\"  rel=\"noopener\">suggested 30 changes to the proposed legislation to blunt powers C-26 would give the Minister of Industry;<\/a><\/p>\n<p>&#8212; The Business Council of Canada worries the CCSPA will impose costly regulatory obligations on many critical infrastructure providers with no associated benefit. The law should impose different regulatory requirements on designated operators proportionate to their level of risk, <a href=\"https:\/\/thebusinesscouncil.ca\/publication\/enhancing-the-resiliency-of-canadas-critical-cyber-systems\/\"  rel=\"noopener\">it argued<\/a>. 
The council also argues the CCSPA should follow Australia&#8217;s similar Security of Critical Infrastructure Act to limit the power of the government to order designated firms to comply \u201cwith any measure\u201d for the \u201cpurpose of protecting a critical cyber system;\u201d<\/p>\n<p>&#8212; The Canadian Civil Liberties Association and other groups <a href=\"https:\/\/www.itworldcanada.com\/article\/government-powers-under-canadas-proposed-cybersecurity-law-should-be-limited-rights-groups\/541322\"  rel=\"noopener\">have called on Parliament to amend the legislation<\/a> to limit government powers over the private sector.<\/p>\n<p>Today&#8217;s hearing starts with closed-door testimony to MPs from senior officials in the Departments of Industry and Public Safety. After that, officials from those departments, as well as the CSE, will answer questions in an open committee session.<\/p>\n<p>Meanwhile, committee hearings will resume shortly on the other leg of the government&#8217;s strategy, <a href=\"https:\/\/www.itworldcanada.com\/article\/ai-systems-with-wmd-power-will-be-here-soon-expert-tells-canadian-mps\/554647\"  rel=\"noopener\">an overhaul of federal private sector privacy legislation to create the Consumer Privacy Protection Act (CPPA), plus the Artificial Intelligence and Data Act 
(AIDA).<\/a><\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/hearings-on-canadas-proposed-cybersecurity-law-to-start-today\/557506\">Hearings on Canada\u2019s proposed cybersecurity law to start today<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Public Safety committee to hear from senior officials on how the proposed legislation covering critical infrastructure firms<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[58,16],"tags":[415,527,393,275],"class_list":["post-43867","post","type-post","status-publish","format-standard","hentry","category-government-public-sector","category-security","tag-government-of-canada","tag-legislation","tag-security-strategies","tag-top-story"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/43867","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=43867"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/43867\/revisions"}],"predecessor-version":[{"id":43887,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/43867\/revisions\/43887"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=43867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=43867"},{"taxonomy":"pos
t_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=43867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}