During a recent Parliamentary committee hearing, a stark warning was issued by BlackBerry's senior director of government affairs and public policy for Canada, John de Boer, highlighting a significant gap in Canada's cybersecurity framework compared to its G7 counterparts. This comes as Canada deliberates over proposed cybersecurity legislation, Bill C-26, aimed at bolstering protections for critical infrastructure providers against the backdrop of increasing cyber threats globally.
The hearing witnessed a mix of opinions on the Liberal government's proposed cybersecurity law, with representatives from key sectors expressing their views on how Canada can enhance its cybersecurity posture. While BlackBerry championed the swift passage of Bill C-26 to align Canada with international cybersecurity standards, other voices called for careful consideration and specific amendments to the bill.
Jennifer Quaid from the Canadian Cyber Threat Exchange emphasized the need for minor modifications to strengthen cybersecurity among critical infrastructure sectors. In contrast, Chris Loewen of the Canadian Energy Regulator highlighted the bill's potential to harmonize with existing regulatory mechanisms.
However, concerns were raised by Francis Bradley, CEO of Electricity Canada, regarding potential conflicts between the proposed legislation and the North American Electric Reliability Corp.'s (NERC) cybersecurity requirements. Similarly, Leila Wright from the CRTC outlined the new mandate the bill would grant the agency to promote cybersecurity among telecom providers. However, she refrained from commenting on the bill's specific content.
The urgency of enhancing Canada's cybersecurity defences was underscored by BlackBerry's revelation that it thwarted over 5.2 million cyber attacks in the latter months of 2023, with a significant portion targeting critical infrastructure providers. This, coupled with international warnings about threat groups like China-backed Volt Typhoon compromising essential infrastructure in the U.S., paints a grim picture of the cybersecurity challenges facing Canada and its allies.
Bill C-26 comprises two main sections: one amends the Telecommunications Act to empower federal authorities to mandate cybersecurity measures for telecom providers, and the other creates the Critical Cyber Systems Protection Act (CCSPA) for a broader range of critical infrastructure providers. This legislative effort aims to establish a more robust cybersecurity compliance regime, including immediate incident reporting to the Canadian Security Establishment.
Despite the proposed bill's intentions to enhance Canada's cybersecurity framework, de Boer suggested amendments to refine the reporting timeline, provide legal protections for companies reporting cyber incidents, and ensure firms are not penalized for breaches despite diligent cybersecurity efforts. Quaid and Bradley also proposed adjustments to encourage information sharing among organizations and recognize the existing cybersecurity standards within the Canadian power sector.
The debate on Bill C-26 highlights the balancing act between establishing stringent cybersecurity standards and ensuring these measures are practical, industry-compliant, and conducive to fostering a secure and resilient digital infrastructure in Canada. As the hearings continue, with input from various stakeholders, the path to comprehensive and effective cybersecurity legislation remains a critical concern for Canada's national security and its position within the global cybersecurity landscape.
Comentários