
Canada lags behind G7 peers in cybersecurity oversight, BlackBerry warns

John de Boer, BlackBerry's senior director of government affairs in Canada, testified before the House of Commons national security committee. Photo via ParlVu

Opposition to the Liberal government's cybersecurity law for critical infrastructure providers highlighted a Parliamentary committee hearing on Thursday.

A BlackBerry official called on MPs on the House of Commons national security committee to pass Bill C-26, as other countries have laws that make the private sector legally responsible for cyber security.

“Canada is at odds with its closest allies and this legislation will help bridge the gap,” said John de Boer, the company's senior director of government affairs and public policy in Canada.

Jennifer Quaid, executive director of the Canadian Cyber Threat Exchange, a threat intelligence cooperative, said the bill would help strengthen cybersecurity among critical infrastructure providers with “a few minor changes.”

Chris Lowen, executive vice-president of regulatory affairs at the Canadian Energy Regulator (CER), which regulates interprovincial pipelines and electricity operators, said the bill's mechanisms for regulators would be similar to how the CER currently operates.

But Frances Bradley, CEO of the Electric Suppliers Association, warned that the proposed law could leave Canadian power producers out of the cybersecurity requirements of the North American Electric Reliability Corporation (NERC), which oversees U.S. and Canadian companies.

Leila Wright, executive director of telecommunications at the Canadian Radio-television and Telecommunications Commission (CRTC), said C-26 would give her agency a new mandate to promote cybersecurity among telecommunications providers and ensure carriers comply with government cyber-related orders. But she won't comment on loopholes or ways to improve the bill because it's a proposed law. The task of the commission is to implement the adopted legislation, she explained.

To highlight the importance of the effort, de Boer noted that in the last four months of 2023, BlackBerry stopped 5.2 million cyberattacks on behalf of customers; of these, 62 percent targeted critical infrastructure (CI) providers such as banks and government departments.

A Five Eyes report this week on the China-backed Typhoon Volta threat group said it threatened several critical infrastructure providers in the US, including some in the communications, energy, transportation and water sectors. He said the US official feared the report was “the tip of the iceberg”.

Aside from data privacy protection requirements in the Personal Information and Electronic Data Protection Act (PIPEDA), Canada has no legislation that allows critical infrastructure providers to report, prepare for or prevent cyberattacks, he said.

Conversely, in 2022, the US passed the Critical Infrastructure Cyber Incident Reporting Act, which requires CI providers to report cyber security incidents to the government within 72 hours. Also in 2022, the European Union passed legislation forcing providers to implement basic cyber security and to report serious incidents to national cyber security authorities within 72 hours.

“Canada lags behind the G7 in cybersecurity,” de Boer said.

Bill C-26 has two parts: One is to amend the Telecommunications Act, giving the federal cabinet and the Minister of Industry the power to order telecommunications providers to do “anything” to protect their systems from various threats. The CRTC plays a role in ensuring that telecommunications providers comply with the act.

Another part of C-26 that makes up the CCSPA applies to other critical infrastructure providers. Initially, this will be limited to banking, financial clearing firms, interprovincial transport and energy companies and nuclear power operators. Similar to changes in the Telecommunications Act, it creates a cyber security compliance regime for designated firms. Cyber incidents will be required to be reported “immediately” to the Department of Defence's Canadian Security Agency (CSE), which is responsible for government cyber security.

CCSPA helps governments and the private sector quickly share information about a cyberattack, de Boer said, alerting and protecting other potential victims, and quickly deploying aid to prevent damage from attacks.

The proposed CCSPA is not perfect, he said. He proposed three changes:

— The obligation of CI providers to immediately report cyber incidents within 72 hours should be changed;

— there must be guarantees that companies cannot be sued or prosecuted for cyber-related information they disclose to the government;

— and the bill should make it clear that firms will not be penalized if they make good-faith cybersecurity efforts but their firm violates security controls or is found to be outside the law.

Quaid said the CCSPA preamble should encourage all Canadian public and private organizations to share information about their cyber threats; it should allow CI providers to share threat information through cyber exchanges as well as with the government; and it should allow CI providers to join any cybersecurity threat intelligence community.

Bradley complained that the bill does not recognize established safety standards and expertise in the Canadian energy sector. Among other issues, he said, the bill leaves the definition of a reportable cybersecurity incident to the yet-to-be-published regulations. Our definition should be the same as the NERC definition, he said.

Click here to view Electric Canada's written submission

NERC's cybersecurity requirements – which members of Electric Power Canada must adhere to – are higher than CCSPA, so he believes the bill will not improve the cybersecurity of members on this side of the border.

But Bradley said that while cyber security for energy suppliers here is higher than in other sectors, the CCSPA will help close the gap.

He does not want the adoption of the bill to be delayed, but believes that it needs to be amended in some areas.

Hearings continue Monday with testimony from federal privacy commissioner Philippe Dufresne, the Office of the Superintendent of Financial Institutions, the Canadian Bankers Association and the Canadian Telecommunications Association.

Canada lags behind G7 peers in cybersecurity oversight, BlackBerry warns appeared first on IT World Canada.

This section is provided by IT World Canada. ITWC covers the enterprise IT spectrum, providing news and information for IT professionals aiming to succeed in the Canadian market.
