David Shipley: I think it’s a great first step, and I think it brings telecommunications, energy and transportation up to the same level of cyber security oversight and accountability as the Canadian financial system. And given their importance to our economy, I think it’s entirely appropriate. It sets up some basic cyber security hygiene standards, creates the relationships between experts at the Canadian Security Establishment (CSE) with the regulators for each of these important sectors to advance the state of security — and that’s not a bad thing. And it does provide for mandatory breach reporting by these sectors, which is fantastic. So there’s a lot I like.
But there are also some concerns: It doesn’t require mandatory information sharing from CSE back to stakeholders when they learn about incidents. They do a good job of that today, but it is voluntary. I’d like to see that firmed up a little bit in the legislation so that when a cyber incident happens, the insights and lessons learned — that’s the most important thing — get shared: What were the root causes? How can we improve?
When we look at the Europeans’ NIS2 proposal [an EU cybersecurity standard] they’re going beyond just key sectors to any sector that could have a meaningful economic impact. I think about the food supply chain and the JBS Meats ransomware attack. At a minimum, this [Canadian] legislation should have the food supply chain in there because they are just getting hammered with cyber attacks.
But if we step back, the majority of actual attacks are not in these four sectors [telecom, energy, finance and transportation]. It’s far more likely to be subnational entities — hospitals, school districts, municipalities, small and mid-sized businesses who are not covered by this proposed regulation. Senior Canadian government officials indicated in a technical briefing that they have the ability to add more sectors to the law, but the intent for now is to see provinces actually draft their own mandatory breach reporting for areas of their jurisdiction. That’s problematic for several reasons: Number one, if each province is going to regulate these other sectors, you could have have-not security provinces. Second, imagine if there are 13 different cybersecurity reporting laws and I get hit but have business across the country. Reporting to all jurisdictions seems like a nightmare. And finally, some provinces might have industry write the laws. Well, that hasn’t worked out so well when it comes to things like the right to information.
Howard: The proposed act has some gaps that are going to be filled in after consultations with industry and the issuance of regulations. One of the things it does do is define what cyber incidents have to be reported: Anything that interferes with the continuity, confidentiality, integrity, security or availability of a vital IT system. Is that too broad?
David: It is a really interesting question. There may be some pushback from the industry about scale and significance. Under this legislation theoretically one device hit with ransomware and encrypted might check all these boxes. But is that really what CSE wants to hear, or do they want to hear about more significant outbreaks that have more meaningful impact?
Howard: But the problem is, in your example where there’s only one computer in a company that’s been hit by ransomware, it may be a unique strain, and that company may have stopped the attack from spreading. Isn’t that justification for very quickly notifying the government of that attack?
David: I tend to agree with you. It’s like if you catch a patient zero with a new novel coronavirus — imagine how important it is to identify [the new virus] and notify others. Little attacks might fit into a bigger picture pattern that CSE may have. So I’m not against this. As a CISO friend said to me when I shared the legislation, this is going to have budget leverage, a financial impact on companies.
Howard: I mentioned that there are some gaps. There are things that the government still wants to negotiate with companies and will set certain standards in regulations. One of them is how fast an incident will have to be reported. Another is how much detail will have to be reported. Those are pretty crucial details missing for a CIO or CISO.
David: Timeline’s going to be important. I think we should match the American required timeline of 72 hours for firms in critical infrastructure. We’ve seen some legislation proposed in other countries that requires disclosure within hours of becoming aware. That’s completely ludicrous … But also, if it’s a multi-sector attack, the start of a real big nation-state push, you don’t want to have a huge window of weeks here. I hope it’s as closely aligned in process and look and feel as what the Americans have done, because we are a tightly integrated economy. Many of our companies will probably have to report to the United States as well as Canada, so having different sets of processes is probably unreasonable. That is one of the concerns that’s been raised by some industry stakeholders: ‘We already have to report to our regulator. Why couldn’t the regulator just decide if CSE gets to hear this? Why do we have to create duplicate processes?’
Howard: The regulator they might have to report to is the privacy commissioner of Canada. But then there’s a different standard. You report to the privacy commissioner if there’s been a breach of security controls on data that would have a real risk of serious harm to a customer or an employee. [As opposed to the CPPA’s standard described earlier.]
David: Canadian banks have to report to the Office of the Superintendent of Financial Institutions (OSFI), which sets their cybersecurity standards for them. One argument is: why not just keep that single process flow and make the regulator responsible for feeding information to CSE?
Howard: One provision in the proposed Canadian cybersecurity legislation says that as soon as any cybersecurity risk to a company’s supply chain or its use of third-party products and services has been identified the company has to take reasonable steps to mitigate those risks. Is that going to cause a problem for IT departments?
David: It gets interesting. When we go back to the SolarWinds attack [where the update mechanism for its Orion network management suite was compromised], think about all these Canadian companies having to report to CSE that they got hit. The government has order-making capability. What if it says to companies, ‘Pull it all out’? But IT can’t monitor the network without Orion. The government replies, ‘We don’t care.’ Theoretically, that might happen. Or they might say, ‘Tell us what your plan is to replace it,’ which puts more onus on companies to say, ‘We’ve worked with the vendor, they’ve improved their processes, we’ve tightened up our contracts.’ It’ll be interesting to see how it gets applied — if we even ever know how it gets applied. The legislation gives the government the ability to issue completely private security orders.
Howard: But it’s an emergency clause. There’s some logic to saying a company isn’t moving fast enough to plug a hole in its system for whatever reason and so we’re going to issue an order to them to protect the public’s safety.
David: I agree the order-making power is sort of a weapon of last resort. I think the hope is that these companies see it’s in their own self-interest to deal with cyber threats as soon as possible. The part that I am concerned about is the secrecy component. The government can make secret orders to companies to pull equipment, force patches or force changes, et cetera. And it’s not to say that there can’t be a secrecy window. But think about Google Project Zero, for example. Google gives a window of time for organizations to get their stuff cleaned up and then they’ll publicly report a vulnerability. This is something that needs revisiting when a parliamentary committee reviews the proposed law, because I don’t like the idea of the government being able to make secret orders without ever having to be publicly accountable.
Howard: This goes back to an old debate: If companies have to notify the government there’s been a data breach or a serious cyber incident, why shouldn’t they notify the general public as well?
David: There has to be an appropriate notification regime, and I think we can deal with that. But when, say, an energy utility gets punched and punched hard, it doesn’t necessarily want to give all the gory details out to the public and reduce confidence and trust in the work that it’s doing. There are all kinds of reputational implications and harms that could come into play. So I’m okay with them getting a shield on this one — particularly if we’re talking about one computer. But what’s important on the other side of that equation is what they [regulators] do with the breach reporting. The de-identified, anonymized key root causes and lessons learned get disseminated — at least to other energy companies so that they don’t make the same mistakes. Ideally that gets posted publicly, again without names, so that other industries where it might also be germane can see. Right now in Canada we rely on vendors in the security industry to issue reports, which is okay in some respects, but they always do it from their own lens of, ‘You need to buy my thing.’ And I say this as the CEO of a cyber security company. I like the idea of an independent government agency publishing the facts of an incident and the lessons learned and the best practices so you don’t have that vendor lens on it.
Howard: As I said the cyber security legislation package had two parts. The other part amends the federal Telecommunications Act and gives the government the power to ban telcos and internet providers from doing anything that harms their networks. This is the legal basis for the government of Canada to forbid cellular carriers from having network equipment from China’s Huawei and ZTE in their systems. What do you see in this package that would worry telecoms and internet providers?
David: There could be some legitimate concerns. We could be told to pull a piece of equipment for whatever reason and we’re not given any compensation. We made that investment. We made it in good faith, et cetera, and if we don’t do that there’s a big stick of a $10 million to $50 million fine. It’s an awfully big stick. I’m not sure what the checks and balances are. [Editor’s note: Telcos can appeal to a judge.] Given the critical role they play, having the telecommunications industry under additional regulatory oversight relative to cyber security makes sense. But there should be a little give and take here, particularly if you’ve got a government that maybe didn’t give clear direction, or the geopolitical situation has changed in radical ways that no one could have foreseen. I wonder if that will get some sober second thought as [Parliamentary] committees get to dig into things.
Howard: We had a quick look at the proposed privacy legislation that was introduced only hours before we started this recording, but to me it looks awfully similar to the original version, which didn’t pass Parliament before the election was called last year. What do you think of it?
David: We desperately need modernized privacy legislation in Canada with real accountability for firms that are abusing people’s personal information. This is a good step. [Right now] we’ve essentially got paper tigers with our federal privacy commissioner. We look back at things that have happened with social media companies like Facebook or the Cambridge Analytica case, or we think about the stuff that was going on with Clearview AI, and the essential consequence has been a stern finger-wagging for serious violations of privacy. This [new legislation] does move the bar. I particularly like the improvements they’ve made in treating data involving children as particularly sensitive, with additional rigor around [protecting] it. What’s disappointing about this legislation, both its original version and its re-introduction, is that we in Canada were the pioneers in privacy by design … and that framework isn’t apparent in this legislation.
Howard: One of the things that both the first attempt by the government to reform the privacy law and this new attempt includes is the creation of a data privacy tribunal that will review the recommendations by the federal privacy commissioner to issue fines for companies that don’t comply with the privacy legislation. In England, for example, the privacy commissioner has the power to issue a fine. The Canadian legislation creates a tribunal. The privacy commissioner would only have the power to recommend fines — and admittedly they’re multimillion-dollar fines. But it would be up to the privacy tribunal to actually approve fines. The previous privacy commissioner complained this is an extra step and it just drags out the whole process.
David: This comes down to whether you trust your privacy commissioner to do their job, which is to investigate and then to impose consequences. I think that’s a clearer signal. I’d rather have you hire a privacy commissioner, empower them with a team, make sure they’re applying the law as you’ve written it, and they take their action — and companies can appeal to the courts. A tribunal is unnecessary.
Howard: I’ll play the part of business: ‘I don’t want a bureaucrat, an appointed person, to act as judge and jury — he judges me on whether I’ve complied with the privacy law, and then he fines me.’
David: ‘But I would like three more bureaucrats [in the tribunal] to be on top of that bureaucrat.’ You’ve got the privacy commissioner and then you’ve got the courts [to appeal to], who are professional legal experts and arguably would be better for you overall in applying the law than a government-appointed tribunal whose members aren’t judges. If you really want accountability and oversight over this office, do it through the federal court.
Howard: One thing to remember is that the Liberal government is in a minority. These pieces of legislation need the support of a big enough opposition party to pass. So there’s no guarantee they’re going to become law [without changes].
David: I don’t see philosophical opposition to the privacy legislation or even the cybersecurity legislation from the key party that’s propping them up, the NDP. I think the Conservative Party will want to dig into the business impacts of the privacy law and how that’s going to affect the Canadian economy. I think one of the most important questions that probably needs to be asked is whether this law is up to snuff for European equivalency [under the General Data Protection Regulation].
Howard: I would expect that the government has had informal conversations on the wording of the proposed privacy legislation.
David: I certainly hope so.

The post Cyber Security Today, Week in Review for Friday June 17, 2022 first appeared on IT World Canada.