Last summer, the federal government proposed changes to the Telecommunications Act that it says will force Canadian telecom providers to toughen cybersecurity.

However, a researcher at a university think tank says the legislation is full of government secrecy and accountability deficiencies.

In a report issued this week, Christopher Parsons, a senior research associate at the Citizen Lab, part of the University of Toronto’s Munk School of Global Affairs and Public Policy, suggested 30 changes to the proposed legislation to blunt powers given to the Minister of Industry.

“Should these recommendations or ones derived from them not be taken up, then the government will be creating legislation of the worst kind insofar as it will require the public—and telecommunications providers—to simply trust that the government knows what it is doing, is reaching the right decisions, and that no need exists for a broader public discussion concerning the kinds of protections that should be put in place to protect the cybersecurity of Canada’s telecommunications networks,” Parsons wrote.

“Cybersecurity cannot thrive on secretive and shadowy government edicts. The government must amend its legislation to ensure its activities comport with Canada’s democratic values and the norms of transparency and accountability.”

Parsons complained that

— the breadth of what the government might order a telecommunications provider to
do is not sufficiently bounded;
–the excessive secrecy and confidentiality provisions imposed on telecommunications
providers threaten to establish a class of secret law and regulations;
–significant potential exists for excessive information sharing within the federal
government as well as with international partners;
–costs associated with compliance with reforms may endanger the viability of smaller
providers;
–vague drafting language means that the full contours of the legislation cannot be
assessed;
–no recognition of privacy or other Charter-protected rights exists as a counterbalance
to proposed security requirements, nor are appropriate accountability or transparency requirements imposed on the government.

Bill C-26 would empower the Minister of Innovation, Science and Economic Development — known more commonly as the Industry Minister — to compel telecommunications providers to do, or refrain from doing, anything in the service of securing Canadian telecommunications networks against the threats of interference, manipulation, or disruption, the report notes.

The legislation would authorize the Minister to compel providers to disclose confidential information and then enable the Minister to circulate it widely within the federal government; this information could potentially include either identifiable or de-identified personal information. In addition, the Minister could share non-confidential information internationally even when doing so could result in regulatory processes or private right of actions against an individual or organization. “Should the Minister or other party to whom the Minister shares information unintentionally lose control of the information, there would be no liability attached to the government for the accident,” the report says.

Where orders or regulations are issued, the report says, they would not need to be published openly in the Canadian Gazette. and gag orders could be attached to those receiving the orders. There may even be situations where the government could issue an order or regulation, the report says, with a publication ban and gag. That runs counter to a decision by the Canadian Radio-television and Telecommunications Commission (CRTC) and that overrides aspects of that decision. And in any cases where a telecommunications provider seeks judicial review, it might never see the evidence used to justify an order or regulation.

However, the report says, if a telecommunications provider is found to have deliberately ignored or failed to adhere to an order, then either the individuals who directed the action or the telecommunications provider could suffer administrative monetary penalties.

The proposed legislation giving the federal government the power to compel four critical federally-regulated Canadian industries — telecom, banking, transportation and energy providers — to toughen their cybersecurity comes as a number of Western nations worry about the potential damage that could happen if a nation-state or sophisticated threat actor launched a cyber attack against a bank, an airline, a telecom carrier or a pipeline.

Attacks in 2015 and 2016 against the electrical grid in Ukraine and the ransomware attack that forced the Colonial Pipeline in the U.S. to close are examples of worrying threats.

The heart of Parsons’ argument is that, unlike peer or allied countries, the Canadian government has not publicly shown evidence that Canada’s critical telecommunications networks are insecure. Nor, he adds, has it issued a general strategic document that delineates how Bill C-26 fits within a broader effort to secure Canadian critical infrastructure.

“In addition to specific legislative amendments, the Government of Canada should clearly and publicly explain the risks it is concerned about and the extent to which the introduced legislation looks backward to address existent or historical issues versus the extent to which is it forward-looking and meant to either address future challenges or enable activities with closely allied nations,” Parsons writes.

The legislation has yet to be assigned to a parliamentary committee where the government would give a detailed defence of the proposals and opposition parties can question the Industry minister.

The report notes that Citizen Lab has previously argued that the government should have the ability to compel private organizations to adopt standards in order to best secure critical infrastructure. And, where telecommunications companies are resistant to
explaining how they are securing systems, it makes sense for the government to be able
to compel that information.

“But the powers being sought by the government are insufficiently bounded, are accompanied by overly broad secrecy clauses, and would potentially impair the ability of
private companies to dispute demands, orders, or regulations that are issued by the
government,” the report argues.

“Similarly, there is a real risk that the CRTC could draft one set of public law
through its decisions while a kind of secret law, promulgated through orders and regulations, actually guides telecommunications providers’ cybersecurity behaviours.

“The government’s proposed powers in Bill C-26, then, need to be pared back in some places, essential clauses and terminology need to be defined, and accountability and transparency requirements must be sprinkled liberally in an amended version of the legislation.”

 

The post Proposed telecom cybersecurity law gives Canadian government too much secret power: Researcher first appeared on IT World Canada.