Bill C-26, the Government of Canada’s stab at shoring up the country’s cyber readiness, passed first reading in the House of Commons on June 14, 2022. The legislation has two thrusts; first, to keep hardware from adversarial states out of Canada’s telecom networks; and second, to ensure our critical infrastructure is hardened against a plethora of new digital threats.
Nearly a year later, in late March 2023, C-26 limped through second reading. The bill now rests with the Standing Committee on Public Safety and National Security, for review and possible amendment.
That this law continues to languish at committee, 18 months after it first saw the light of day, encapsulates one of its core failings which, in fairness, is not unique to this piece of lawmaking: despite showing signs of having been written in a hurry, presumably in hopes of keeping pace with technological change, it’s emerging too slowly.
By the time it passes third reading, then meanders its way through the Senate to royal assent, C-26 may well have been overtaken by events. The threats it is intended to counter are multiplying far more quickly than the glacial pace of the legislative process.
What are these threats? The latest National Cyber Threat Assessment from the Canadian Centre for Cyber Security (the Cyber Centre) encapsulates them in language that, for a government document, is remarkably direct. Cybercriminals are rapidly scaling up, evolving ransomware and other attacks into a transnational enterprise, while state actors — specifically China, Russia, Iran and North Korea — are deploying vast resources to attack and undermine open economies and societies by eroding trust in public institutions and the factual foundation on which their credibility rests. “You may be tempted to stop reading halfway through,” writes Cyber Centre Head Sami Khoury in the foreword, “disconnect all your devices and throw them in the nearest dumpster.”
To counter this, the draft bill offers two pillars: first, a revamp of the Telecommunications Act, giving the federal minister of innovation, science and industry sweeping powers to order companies to ban certain products, clients or service providers, with possible daily penalties of up to $15 million if they don’t comply; and second, the Critical Cyber Systems Protection Act (CCSPA), which would allow the minister and an appointed official to order cyber measures in federally regulated parts of the private sector considered essential to national security.
These include telecom, energy and power infrastructure including pipelines and nuclear plants, transportation, banking, clearing and settlement.
Seen from 10,000 feet up, the broad scope of the legislation will appear justified to some; after all, don’t significant threats justify dramatic action? But there’s a difference between action that is on point, and action so riddled with gaps that it’ll need a reboot the day it becomes law.
Christopher Parsons, in a dissection for The Citizen Lab, outlines six major concerns, any of which should be grounds for disqualification: an excess of arbitrary power; too much secrecy; inadequate controls on information sharing within government; potentially prohibitive costs for smaller firms (the legislation draws no distinctions based on scale or industry sector); vague language; and no recognition of Charter or privacy rights. Brenda McPhail, in an October 2022 analysis for the Canadian Civil Liberties Association, echoes many of Parsons’s criticisms, noting wryly that the law joins “an increasingly long line of legislation that would fill a clear need, if only it were better.”
If the goal, broadly, is governance that promotes prosperity, security, accountability, diversity and equity in a democratic society, then C-26, as drafted, should not pass.
Is legislation urgently needed? Absolutely. But have its drafters gotten it right? No. Given the lightning pace of growth in cyberthreat vectors, it makes sense to continue to manage these threats on an ad hoc basis, as the minister has been doing, with assistance from the Cyber Centre and the CCSPA, and take the time needed to get the legislation right.
This article first appeared in The Ottawa Citizen.