Tories again cause testimony on proposed cybersecurity bill to be shortened

For the second meeting in a row, Conservative MPs shortened witnesses’ testimony at committee meetings looking into proposed cybersecurity legislation for overseeing critical infrastructure providers. They did it by bringing forward and forcing debate on other business.

What’s before the public safety and national security committee is Bill C-26, which would do two things: Amend the Telecommunications Act, and create a new Critical Cyber Systems Protection Act (CCSPA). Both would impose new cybersecurity obligations on critical infrastructure providers like telecom companies, banks, and energy companies

On Monday — when long-awaited hearings on Bill C-26 first started — the Conservatives cut into the time Industry and Defence Department witnesses could be questioned on the legislation by bringing forward a motion to start looking into the increase of carjacking in Canada. [See our coverage of Monday’s session here]. When a motion is tabled, committee work stops until it is voted on.

On Thursday, shortly after two witnesses gave their five minute opening statements, the Conservatives again stopped the hearing by raising a motion to start looking into the Liberal cabinet’s use of the Emergency Act during last year’s Ottawa protests over COVID restrictions. This even though another Parliamentary committee is already looking into that incident.

Liberal, NDP and Bloc Quebecois MPs on the committee protested that this was the second time this week the agenda of the committee had been — properly according to committee rules — diverted. Their protests were determined enough that the Conservatives were forced to agree to suspend debate on the second motion to another time, so hearing the witnesses could continue.

However, so much time was eaten up — almost an hour — that MPs didn’t get a chance to question Trevor Neiman of the Business Council of Canada and Byron Holland, CEO of the Canadian Internet Registry Authority (CIRA) after the pair had each given five-minute introductory statements. Instead, they left and the committee heard from other witnesses scheduled for the second hour of the session.

The legislation would allow the government to designate services and systems that are vital to national security or public safety.

The government could also designate the operators, or classes of operators, responsible for their protection. Firms would have to show the government they have a cybersecurity program, and report certain cyber incidents.

Among the controversial parts: the Minister of Industry would have the power to order telecom providers to do “anything” necessary to secure the Canadian telecommunications system. Under the CCSPA, the cabinet would have a similar power over designated critical infrastructure providers. Civil rights groups worry that “anything” gives the government unchecked power. The Telecommunications Act, though, includes examples of orders the minister can give, such as the removal of a product from a provider’s network.

While critical infrastructure providers include manufacturers, food producers and processors, interprovincial transport, pipeline and energy companies, banks and internet operators, the government has said initially the legislation would only apply to high-risk companies.

Neiman, the Business Council’s vice-president of policy, said the group is asking for “targeted amendments” to the CCSPA in several areas including:

— “fair and reasonable limitations” on the federal cabinet’s power to issue cybersecurity orders to critical infrastructure firms. Otherwise, Neiman said, the cabinet could give an order regardless of whether it would be effective or reduce risk to a critical cybersecurity system. As the wording stands now, he said, there would be no obligation for the cabinet to consider the costs to companies of complying with an order, if there are reasonable alternatives to an order, or to consider the possible effects on competition or customers;

— putting a risk-based methodology into the legislation that would put fewer and less onerous obligations on low-risk firms with well-established cybersecurity programs.

Holland suggested three changes to C-26:

—  any cabinet orders issued to firms under the CCSPA should be first examined by the Clerk of the Privy Council — the head of the civil service — and the Deputy Minister of Justice, who is usually a career civil servant;

— the CCSPA should limit the ability of the government to use cybersecurity data collected from companies for only cybersecurity and information assurance purposes;

— and the government should have to report annually to Parliament on how many orders it has given companies under the act.

After Neiman and Holland left — without being questioned by MPs because time had run out for their session — the committee heard from Aaron Shull, managing director of the Centre for International Governance Innovation, a Waterloo, Ont.-based think tank, and Sharon Polsky, president of the Privacy and Access Council of Canada, who made a joint submission with several civil rights groups including the National Council of Canadian Muslims.

“I think the bill is pretty good as it stands,” Shull said. However, he added, it should include a tax incentive to encourage small and medium-sized businesses to invest in cybersecurity.

Polsky complained the bill could allow the government to force companies to create backdoors, break encryption, “or go on a fishing expedition to find whatever information the government wants, including what’s in your emails and your texts, your cellphone and vehicle locations, purchasing information, donor details, so that it can make an order — and the order will be secret until the target realizes something’s up.

“With a nod to Eastern European regimes a hundred years ago, this bill lets the [Industry] minister compel any person, under threat of punitive fines, to provide any information within any time, subject to any conditions that might be specified, or authorize anyone to enter and seize any information in [IT systems], but without the checks and balances that are the mainstay of democracy.”

In short, the bill makes it impossible for organizations to comply with privacy laws, she said. Nor is there an obligation for the government to consult with the federal Privacy Commissioner to ensure personal information handed over is adequately safeguarded.

The joint submission says the CCSPA should be amended in several ways. One is to make it clear that the Industry Minister can’t issue an action order unless there are reasonable grounds to believe it is necessary. Before issuing an order, the Industry Minster should have to consult with the Minister of Public Safety and a body of industry experts.

The law should also make it clear that the cabinet can only ask a firm to comply with an order to protect a critical cyber system only “against a material threat.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs