Ottawa wants sweeping new powers to direct companies’ ‘critical’ cyber defence

The Canadian government wants sweeping new powers, including access to confidential information, in order to “direct” how critical infrastructure operators prepare for and respond to cyberattacks.

And it wants to prohibit those companies from disclosing to the public anything about the directions issued by the federal government — including the mere existence of any orders to beef up protections.

Public Safety Minister Marco Mendicino and Innovation Minister Francois-Philippe Champagne held a press conference to announce the details of the new legislation, which also grants the government the promised power to bar companies from using technology from firms like Huawei and ZTE.

The announcement, however, comes at a time when the government is increasingly facing questions about its secretive approach to cyber operations, cyber protections, and what duty of transparency about the country’s threat level is owed to Canadians who could bear the frontline impact of any critical infrastructure attacks.

Critical infrastructure refers to the networks, systems, services and supply chains that are paramount to Canadian national security and the country’s security interests. That can apply broadly to things like 911 phonelines, electric grids, pipeline operations, hydroelectric dams, food supplies and emergency medicine stockpiles, and the IT networks protecting critical government operations and information.

It is a broad term that encompasses the ever-shifting nature of national security, particularly in light of the increased focus on cyberattacks and ransomware targeting critical infrastructure by actors like Russia and China, or proxies working in alignment with them.

Russia is frequently cited as one of the major attackers in the cyber sphere, most recently in the context of the invasion of Ukraine and Russian attacks on both Global Affairs Canada and Ukrainian government institutions.

And although the federal Liberals have been building out the capacities of Canadian cyber forces working with the military and the Communications Security Establishment, they remain secretive when it comes to basic questions about what actions are being taken in the name of their citizens.

Now, the government wants to hand additional responsibilities to the CSE, which is tasked with protecting government infrastructure and signals intelligence, through the new legislation.

Under the new provisions, the government wants the power to compel cyber security action from a new category of what it calls “designated operators” working in four federally-regulated sectors: finance, telecommunications, energy, and transportation.

If passed, the legislation would let the federal cabinet “direct any designated operator or class of operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.”

It adds: “Every designated operator that is subject to a cyber security direction is prohibited from disclosing, or allowing to be disclosed, the fact that a cyber security direction was issued and the content of that direction.”

The legislation would also grant the government the power to order companies in the telecommunications sector not to use products deemed to be a high risk to the national security — a power officials say they need in order to implement a promised ban on Huawei and ZTE technology.

It will also require companies to disclose cyberattacks to federal security authorities — but the public will not be able to know about any such attacks on service providers they might rely on, such as banks or internet service providers, that are covered by the proposed new changes.

More to come.

by Global News