A bill that forces companies to report cyberattacks

(OTTAWA) Businesses and other private sector organizations will have to report extortion programs and other cyber attacks to the government under a federal bill to be presented Tuesday.

Posted at 7:48 p.m.

Jim Bronskill
Canadian press

The law aims to specify the liberal government’s efforts to protect critical infrastructure after last month’s announcement that Chinese providers Huawei Technologies and ZTE would be banned from accessing next-generation mobile networks in Canada.

At the time, Public Security Minister Marco Mendicino said that the Liberals would introduce legislation that would go further, taking additional measures to protect infrastructure in telecommunications, finance, energy and transport.

He said it would provide a basis for better protection of systems vital to national security and give the government a new tool to respond to emerging threats in cyberspace.

Photo by Fred Chartran, Canadian press

Marco Mendicino

Attacks on corporations, universities and even hospitals by cybercriminals who hold hostages in exchange for ransom have become extremely common.

Some target organizations preferred to pay the necessary fees to try to smoothly eliminate the problem, which is detrimental to those responsible who want to have a complete picture of the phenomenon.

Minister Mendicino said at a recent meeting of the House of Commons committee that the government was considering mandatory reporting of such attacks.

The planned measures also include amendments to the Law on Telecommunications, which will allow the government to ban the use of equipment and services from designated providers if necessary.

Federal policy outlined in May prohibits the use of new 5G equipment and services from Huawei and ZTE. It will also be necessary to remove existing 5G equipment and discontinue their managed services by June 28, 2024.

Any use of new 4G equipment and services by the two companies will also be banned, and existing equipment and services that they succeed in will be discontinued until December 31, 2027.

The government is planning other measures that will create a comprehensive telecommunications security system in line with the approach of allies and partners.

Last year, the UK passed a law that tightens requirements for telecommunications providers to protect their networks from threats that could lead to failure or theft of important data.

In March, the UK launched a public consultation on draft regulations outlining specific steps that suppliers need to take to meet their legal obligations, as well as a draft code of practice on compliance.

The Government of Canada plans to strengthen its planned legislation based on the existing Security Verification Program, led by the Office of Communications Security – Electronic Spy Service – in partnership with Canadian telecommunications service providers.

The program is designed to exclude special equipment from sensitive areas of Canadian networks and to ensure mandatory testing of equipment before using it in less vulnerable systems.

The government intends to expand the program to take into account the risks of all major suppliers and to expand its efforts to help the industry improve cybersecurity.