For the second meeting in a row, Conservative MPs shortened witnesses’ testimony at committee meetings looking into proposed cybersecurity legislation for overseeing providers of critical infrastructure. They did this by forcing debates on other issues.
What’s before the public safety and national security committee is Bill C-26, which would accomplish two things: amend the Telecommunications Act and create a Critical Cyber Systems Protection Act (CCSPA). Both would impose new cyber obligations on critical infrastructure providers, such as banks, telecom companies and energy companies.
On Monday — when long-awaited hearings on Bill C-26 first started — the Conservatives cut into the time Industry and Defence Department witnesses could be questioned on the legislation by bringing forward a motion to start looking into the increase of carjacking in Canada. [See our coverage of Monday’s session here]. When a motion has been tabled, the committee’s work stops until a vote is taken.
On Thursday, shortly after two witnesses gave their five-minute opening statements, the Conservatives again stopped the hearing by raising a motion to start looking into the Liberal cabinet’s use of the Emergency Act during last year’s Ottawa protests over COVID restrictions. The Conservatives are doing this even though another committee is already investigating the incident.
Liberal, NDP and Bloc Quebecois MPs on the committee protested that this was the second time this week the agenda of the committee had been — properly according to committee rules — diverted. Their protests were so strong that the Conservatives agreed to suspend the debate over the second motion until a later date, in order to continue hearing the witnesses.
However, so much time was eaten up — almost an hour — that MPs didn’t get a chance to question Trevor Neiman of the Business Council of Canada and Byron Holland, CEO of the Canadian Internet Registry Authority (CIRA) after the pair had each given five-minute introductory statements. Instead, they left the room and the committee heard testimony from other witnesses scheduled to appear in the second half of the session.
The legislation would permit the government to designate services and systems that are essential to national security or public safety.
The government can also designate the operators, or classes of operators, responsible for protecting them. Firms would be required to demonstrate that they have a cybersecurity plan and to report certain cyber incidents.
Among the controversial parts: the Minister of Industry would have the power to order telecom providers to do “anything” necessary to secure the Canadian telecommunications system. Under the CCSPA the cabinet would be given a similar amount of power to control designated critical infrastructure companies. Civil rights groups worry that “anything” gives the government unchecked power. The Telecommunications Act, though, includes examples of orders the minister can give, such as the removal of a product from a provider’s network.
The government initially stated that the legislation would not apply to all critical infrastructure providers, including manufacturers, food processors and producers, interprovincial transport companies, pipeline and energy companies as well as banks and internet service providers.
Neiman, the Business Council’s vice-president of policy, said the group is asking for “targeted amendments” to the CCSPA in several areas including:
— “fair and reasonable limitations” on the federal cabinet’s power to issue cybersecurity orders to critical infrastructure firms. Neiman said the cabinet could issue an order regardless of how effective it is or whether it reduces risk to a crucial cybersecurity system. As it stands, he said the cabinet is not required to take into account the costs for companies to comply with an order or to look at alternatives if they are reasonable, or to think about the effects on customers or competition.
— putting a risk-based methodology into the legislation that would put fewer and less onerous obligations on low-risk firms with well-established cybersecurity programs.
Holland suggested three modifications to C-26:
— any cabinet orders issued to firms under the CCSPA should be first examined by the Clerk of the Privy Council — the head of the civil service — and the Deputy Minister of Justice, who is usually a career civil servant;
— the CCSPA should limit the ability of the government to use cybersecurity data collected from companies for only cybersecurity and information assurance purposes;
— and the government should have to report annually to Parliament on how many orders it has given companies under the act.
After Neiman and Holland left — without being questioned by MPs because time had run out for their session — the committee heard from Aaron Shull, managing director of the Centre for International Governance Innovation, a Waterloo, Ont.-based think tank, and Sharon Polsky, president of the Privacy and Access Council of Canada, who submitted a joint statement with several civil rights organizations including the National Council of Canadian Muslims.
“I think the bill is pretty good as it stands,” Shull said. Shull said that the bill should include a tax incentive for small and medium-sized businesses to invest in cybersecurity.
Polsky complained the bill could allow the government to force companies to create backdoors, break encryption, “or go on a fishing expedition to find whatever information the government wants, including what’s in your emails and your texts, your cellphone and vehicle locations, purchasing information, donor details, so that it can make an order — and the order will be secret until the target realizes something’s up.
“With a nod to Eastern European regimes a hundred years ago, this bill lets the [Industry] Minister compel anyone, under threat of punitive fines, to provide information within a specified time frame, subject to any conditions. Or authorize anyone to enter a building and seize information [IT systems], but without the checks and balances that are the mainstay of democracy.”
She said that the bill made it impossible for organizations to comply with privacy laws. The government is not required to consult the federal Privacy Commissioner in order to ensure that the personal information it receives is adequately protected.
The joint submission states that the CCSPA needs to be amended in several ways. One is to make it clear that the Industry Minister can’t issue an action order unless there are reasonable grounds to believe it is necessary. Before issuing any orders, the Industry Minister should consult with the Minister for Public Safety and an industry expert group.
The law should also make it clear that the cabinet can ask a firm to comply with an order to protect a critical cyber system only “against a material threat.”