Designated Canadian firms would have to report cyber breaches under proposed law

Certain companies in four federally-regulated Canadian critical infrastructure providers — including banks, telcos, energy providers and transport companies — would have to toughen their cybersecurity and share cyber threat information with Ottawa under proposed legislation introduced today by the federal government. Specific companies would be designated after the legislation passes, although in a briefing with reporters government officials said the focus will be on large “high risk” firms that are vital to national security. The officials also said that after the proposed legislation is passed, government departments will meet with companies to iron out details such as what information would have to be reported to the Canadian Centre for Cyber Security, how fast it would have to be reported after a breach of security controls, and how it would be reported. The proposed legislation has a lot to go through before being implemented. It will have to pass the scrutiny of committees in the House of Commons and the Senate. After passage, the cabinet would have to proclaim some regulations, and there would be industry consultations as well. No deadline for full implementation has been announced. Called the Act Respecting Cyber Security (C-26), the proposed legislation includes: —amendments to the Telecommunications Act, which oversees telecom and internet providers. If passed it would allow the government to create regulations directing providers to do anything necessary to secure their systems. These amendments would give the government the power to tell telcos to stop buying 5G wireless gear from Chinese-based network equipment makers Huawei and ZTE as announced last month. That announcement proposed deadlines for the removal of existing equipment. — the Critical Cyber Systems Protection Act (CCSPA), which provides a framework for the protection of critical cyber systems vital to national security or public safety under federal jurisdiction. If passed it would require designated operators to, among other things, establish and implement cyber security programs if they haven’t already done so, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions; and exchange of information with government agencies. This act would establish a baseline level of cyber security through a cross-sectoral management-based regulatory scheme applicable to designated operators. Initially only four federally-regulated sectors — telecom, financial, energy and transportation — would be covered. Other sectors Ottawa has varying degrees of responsibility over — for example, agriculture and manufacturing — could be included later. “This new act will help organizations better prepare, prevent and respond to cyber incidents across four federally regulated sectors,” Public Safety Minister  Marco Mendicino told reporters outside the House of Commons. In a background paper provided to reporters, the government notes Ottawa doesn’t currently have a clear and explicit legal mechanism to compel action to address cyber security threats or vulnerabilities in the telecommunications sector. The proposed legislation would close that hole. The act would increase and formalize existing cyber threat information sharing, which, a government official told reporters, is vital. For example, an official told reporters the government knows of 304 ransomware attacks last year. But, he added, “this is vastly under-reported.” Of those, half involved critical infrastructure organizations. While the proposed legislation only affects federally-regulated firms, the government hopes the provinces and territories will pass similar legislation to boost the cybersecurity of entities under their control, particularly hospitals, police departments, and local governments. Under the CCSPA the federal government would have the power to issue Cyber Security Directions to designated operators. Designated operators would be obligated to: ● establish a cyber security program; ● mitigate any supply chain / third party service or product risks; ● report cyber security incidents to the Canadian Centre for Cyber Security; ● implement any Cyber Security Directions. One part of the proposed legislation would give the government the power to forbid a designated telecom provider from disclosing any order to mitigate a vulnerability or buy a product. A government official told reporters that would be used under “exceptional circumstances” where, for example, the government wouldn’t want a cyber threat to an organization be publicly known. Regulators that would have authority to implement the telecom cybersecurity provisions would be the Canadian Radio-television and Telecommunications Commission (CRTC) and the department of Innovation, Science and Economic Development Canada (ISED). Regulators that would have authority to implement the cybersecurity provisions of the CCSPA include ISED, the Office of the Superintendent of Financial Institutions, the Bank of Canada, Transport Canada, the Canadian Energy Regulator, and the Canadian Nuclear Saftey Commission. The post Designated Canadian firms would have to report cyber breaches under proposed law first appeared on IT World Canada.