Canada’s Proposed Cybersecurity Law Is Flawed, but Can Be Salvaged

History offers a lesson on the importance of drafting regulations that can evolve.

April 3, 2023
In current form, Canada’s proposed cybersecurity law does not keep pace with evolving threats. (Photo illustration via REUTERS)

The tragedy of the RMS Titanic was not that the ship had too few lifeboats; it was that it had more than the law required.

After the ship sank in April 1912, the official British post-mortem report laid much of the blame on weak regulation. The ship had been built to code, but the code in question, the Merchant Shipping Act, 1894, only required lifeboats based on tonnage, not passenger count. The law’s highest category was tonnage of “10,000 and upwards.” At approximately 45,000 tons, the Titanic set sail carrying just 20 lifeboats — four more than necessary to comply with the law. Everyone knows the rest of the story.

This history offers a lesson on the importance of drafting regulations that can evolve to keep up with changes over time and that prepare for the worst scenario, not the best. Regulations crafted too inflexibly let corporate actors dodge reasonable standards and safeguards, as the White Star Line fatefully did with the Titanic.

Canada’s current approach to cybersecurity regulation could benefit from this lesson.

The government’s proposed Critical Cyber Systems Protection Act (CCSPA) presents significant reforms to Canada’s regulatory approach to cybersecurity for federally regulated private sector industries. The law would set minimum standards for cyber due diligence for actors in many vital sectors of the economy. It is a much-needed and important reform. But as they stand, the regulations risk obsolescence before they even become law.

As we argue in a recent article, several things should change.

First, the draft law only applies to a subset of industries it deems “critical” — a system of categorization that is deeply flawed. Notably missing from the list are vital sectors such as drinking water and wastewater infrastructure; public administration; and food production, processing and distribution, to name just a few.

Even more problematically, the law only applies when the government proactively and specifically identifies designated operators of these “critical” cyber systems.

But hoping the government can identify all relevant actors and keep an updated list is wishful thinking. The Europeans tried this with their first major cybersecurity legislation in 2016. It did not work. As Europe is now doing with newly proposed cybersecurity legislation, Canada should adopt a size cap and descriptive approach. The law should apply automatically to entities of a certain size and nature. This approach would make cybersecurity a collective responsibility rather than the responsibility of a single government minister or their delegates.

Second, the proposed law establishes only vague obligations for operators of critical cyber systems. Canada’s law should, instead, identify specific activities forming a baseline for proactive cybersecurity conduct and diligence, as Europe is now doing. This country has very competent cybersecurity authorities, including the Communications Security Establishment (and its Canadian Centre for Cyber Security). But the guidance they provide is entirely non-binding. The law should be revised to require that operators follow at least some of their technical guidance.

Third, oversight measures in the law need to be improved. There are serious concerns with the proposed law’s opacity surrounding the federal government’s power to issue secretive “cyber security directions.” Our concern in this respect echoes similar critiques from the Citizen Lab and the Canadian Civil Liberties Association of recently proposed amendments to the Telecommunications Act, which were introduced alongside the CCSPA. Meaningful review of these secretive powers is absent from the current draft law.

Finally, the new law needs teeth. Its current penalties for non-compliance are exceptionally weak. They ignore bad faith and negligent behaviour. The law should include better tools to punish where necessary. It should also identify factors that will inform enforcement measures and allocate responsibility accordingly; this would follow the European approach. As well, penalties should adopt a percentage-based scheme similar to the one used in Europe, not an abstract dollar-amount approach. The pain for non-compliance should be felt equally — for actors large and small.

In its current form, the proposed law does not keep pace with evolving threats. In an era when cyberattacks are hobbling Canadian hospital networks (indeed, entire provincial health-care systems), Canadian diplomatic stations abroad and the Canadian tax service, we need legislation that will create meaningful and proactive cybersecurity obligations. As ministers in the federal government repeatedly intone, “cyber security is national security.” In its current form, the proposed law does not suggest they’re serious about this.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Authors

Matt Malone is an assistant professor at the Thompson Rivers University Faculty of Law. 

Russell Walton is studying law at Thompson Rivers University and has expertise in software development and media.