Telecommunications cybersecurity bill gives Canadian government too much secrecy power: Researcher

Last summer, the federal government proposed amendments to the Telecommunications Act which it says will force Canadian telecom providers to step up cybersecurity.

However, a researcher from an academic think tank says the legislation is full of government secrets and accountability loopholes.

In a report released this week, Christopher Parsons, a senior research associate at Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs and Public Policy, has suggested 30 changes to the proposed legislation to blunt the powers granted to the Minister of Industry.

“If these recommendations or those derived from them are not followed, the government will create legislation of the worst kind in that it will force the public – and telecommunications providers – to simply believe that the government knows what it is doing, is making the right decisions, and that there is no need for a broader public discussion of the kinds of protections that should be in place to protect the cybersecurity of Canada’s telecommunications networks,” Parsons wrote.

“Cybersecurity cannot thrive on secret and obscure government decrees. The government must change its legislation to ensure that its activities are consistent with Canada’s democratic values and standards of transparency and accountability.”

Parsons complained that:

– the extent of what the government could order a telecommunications provider to do is not sufficiently bounded;
– the excessive secrecy and confidentiality provisions imposed on telecommunications vendors threaten to establish a class of secret laws and regulations;
– there is significant potential for excessive information sharing within the federal government as well as with international partners;
– the costs associated with complying with the reforms may endanger the viability of small suppliers;
– vague drafting language means that the full outlines of the legislation cannot be assessed;
– no acknowledgment of privacy or other Charter-protected rights exists as a counterbalance to the proposed security requirements, and no appropriate obligation of accountability or transparency is imposed on the government.

Bill C-26 would empower the Minister of Innovation, Science and Economic Development, more commonly known as the Minister of Industry, to compel telecommunications providers to do or refrain from doing anything to protect Canadian telecommunications networks from threats of interference, manipulation or disruption, the report notes.

The act would authorize the minister to compel suppliers to disclose confidential information and then allow the minister to distribute it widely within the federal government; this information could potentially include personally identifiable or anonymized information. Additionally, the Minister could share non-confidential information internationally even though doing so could result in regulatory processes or a private right of action against an individual or organization. “If the minister or another party with whom the minister shares information unintentionally loses control of the information, the government would not be responsible for the accident,” the report said.

When ordinances or regulations are published, the report states, they would not need to be published openly in the Canada Gazette, and gag orders could be attached to those receiving the orders. There may even be situations where the government could issue an order or regulation, according to the report, along with a publication ban and gag order. This goes against a decision of the Canadian Radio-television and Telecommunications Commission (CRTC) and overrides some aspects of that decision. And in all cases where a telecommunications provider seeks judicial review, they may never see the evidence used to support an order or settlement.

However, according to the report, if a telecom provider is found to have willfully ignored or failed to comply with an order, the individuals who led the action or the telecom provider could face administrative monetary penalties.

The bill giving the federal government the power to compel four key federally regulated Canadian industries (telecommunications, banking, transportation and energy providers) to boost their cybersecurity comes as a number of Western nations are concerned about the potential damage that could occur if a nation-state or sophisticated threat actor launched a cyberattack on a bank, airline, telecom operator or pipeline.

Attacks in 2015 and 2016 against the electricity network in Ukraine and the ransomware attack that shut down the Colonial Pipeline in the United States are examples of worrisome threats.

The crux of Parsons’ argument is that, unlike peer or allied nations, the Canadian government has not publicly demonstrated that Canada’s critical telecommunications networks are insecure. He adds that it has also not released an overarching policy document outlining how Bill C-26 fits into a larger effort to secure Canada’s critical infrastructure.

“In addition to specific legislative changes, the Government of Canada should clearly and publicly explain the risks it is concerned about and the extent to which proposed legislation looks back to address existing or historical issues versus the extent to which it is forward-looking and intended either to meet future challenges or to enable activities with closely allied nations,” Parsons writes.

The bill has yet to go to a parliamentary committee where the government would give a detailed defense of the proposals and opposition parties could question the Minister of Industry.

The report notes that Citizen Lab has previously argued that the government should have the ability to compel private organizations to adopt standards in order to better secure critical infrastructure. And, where telecommunications companies resist explaining how they secure the systems, it makes sense that the government can compel this information.

“But the powers sought by the government are not sufficiently limited, come with overly broad confidentiality clauses and could undermine the ability of private companies to challenge requests, orders or regulations issued by the government,” the report says.

“Similarly, there is a real risk that the CRTC will write a set of public laws by its decisions while a kind of secret law, promulgated by ordinances and regulations, in fact guides the behaviors of telecommunications providers in terms of cybersecurity.

“The powers proposed by the government in Bill C-26 must therefore be reduced in places, essential clauses and terminology must be defined, and accountability and transparency requirements must be sprinkled liberally in a modified version of the legislation.”