OTTAWA — The Liberal government is introducing cybersecurity legislation that will allow it to implement its Huawei and ZTE ban and put in place a new cybersecurity regime for critical infrastructure in the telecom, finance, transport and energy sectors.
The legislation amends the Telecom Act to set up the government to put in place its previously announced ban on equipment from Huawei and ZTE from Canada’s telecom networks. The government said in May telecoms will have to remove 5G equipment and managed services from Huawei and ZTE by mid-2024, and 4G equipment and services by the end of 2027.
Innovation Minister François-Philippe Champagne told reporters Tuesday, “those amendments provide the government of Canada with explicit legal authority to take any action necessary to secure our telecom systems from threat of disruption.”
‘Irresponsible and provocative’: China-Canada tensions on the rise over plane missions
Huawei ban won’t solve the problem of Chinese spying on Canada, experts say
The bill also sets out in legislation what the government previously said — that companies won’t be entitled to compensation for having to rip out equipment. That includes two of Canada’s largest telecom providers, Bell and Telus — on top of older, previously sold equipment. Huawei has sold slightly more than $700-million worth of equipment to telecom operators in Canada since 2018, mostly to those two companies.
But smaller entities would also be covered by new legislation. Christopher Parsons, a senior researcher at University of Toronto’s Citizen Lab, said it’s not clear how companies such as small, Indigenous-run ISPs might be impacted.
Such companies are “pretty tiny and they may not be in a situation…to rip and replace.”
Parsons said it’s unclear “if they’re required to meet certain security requirements as a result of the passage of this legislation, whether they will necessarily have the bandwidth to actually implement those requirements and simultaneously operate their businesses, which are often on pretty razor-thin margins.”
The new cybersecurity legislation announced Tuesday also introduces a new Critical Cyber Systems Protection Act. It would put new obligations on operators in the federally-regulated telecom, finance, transport and energy sectors to ensure cybersecurity of their systems.
Operators would have to establish cybersecurity programs, mitigate supply chain / third-party service or product risks, report incidents to the Communications Security Establishment, and implement cybersecurity directions from the government, according to briefing materials made available to reporters.
Public Safety Minister Marco Mendicino told reporters the legislation would “require the operators of the systems to bolster their protections against a wide array of incidents, including cyberattacks, electronic espionage and ransomware.”
He said “cyber incidents above a certain threshold will be required to be reported, and the government will be able to compel companies to respond to cyber threats to protect their customers and employees.”
Critical infrastructure has become more vulnerable to attacks in the past 10 or 15 years because more of it is now connected to the internet. Experts have warned of the potential of catastrophic effects in the event of a cyber attack.
The new legislation would also give government the power to make orders to enforce the new rules, as well as establishing enforcement mechanisms, including the levying of monetary penalties.
The order-making power includes the ability to designate some of those orders as confidential, meaning the government doesn’t have to disclose them.
Parsons said the fact that there is no public reporting function for how often the government makes these orders is a problem.
“It’s important for the government to be compelled to account for how it’s using those directives and their efficacy,” Parsons said, adding there’s a way to have transparency without naming specific companies or entities.
“If there’s a critical vulnerability, my preference is not to have the government” go and broadcast that a specific institution has a “gaping problem that affects all users,” Parsons said.
But there are benefits to more transparency, including reassuring the public that the government is on top of fixing potential problems. “Whereas if this is kept very secretive… Canadians are left in the dark, and they’re like, well, hopefully stuff is OK, but we don’t necessarily know,” he said.
During an earlier technical briefing, officials said the government won’t be publicly reporting details of the mandatory reports companies are required to give government. The information “won’t be itemizing who was hit by what incident, when,” an official said.
Asked about that during the press conference, Mendicino said the bill ensures the government is “able to take the steps necessary to protect trade secrets, competitive information, information that is sensitive to the industry itself.”
He said there are other oversight mechanisms that will apply where national security is involved, such as the National Security and Intelligence Committee of Parliamentarians, as well judicial oversight.
Sign up to receive the daily top stories from the National Post, a division of Postmedia Network Inc.
By clicking on the sign up button you consent to receive the above newsletter from Postmedia Network Inc. You may unsubscribe any time by clicking on the unsubscribe link at the bottom of our emails. Postmedia Network Inc. | 365 Bloor Street East, Toronto, Ontario, M4W 3L4 | 416-383-2300