Federal cybersecurity legislation meant to protect Canada’s critical systems and services has languished for almost two years in Ottawa, even as data breaches and cyberattacks have escalated.
Bill C-26 was brought to Parliament in the session that began Nov. 22, 2021, by Marco Mendicino, who was the Minister of Public Safety at the time but was dropped from cabinet this summer. The bill was lauded by many cybersecurity professionals and received support – at least for its intent, if not in its entirety – across political lines.
Since then, however, the legislation has been stuck in a holding pattern. It has only gone through the early reading stages, and senators say they don’t have a clear timeline for when it will move from Parliament to the Senate.
Meanwhile, the Online Streaming Act (Bill C-11) and the Online News Act (Bill C-18), along with several other bills introduced in the same legislative session as Bill C-26, have sailed through Parliament and have now become law.
The House of Commons is scheduled to sit again later this month, after a two-month summer break. A standing committee on public safety and national security is expected to discuss Bill C-26, though no dates for legislative activity have been set.
But since the bill’s introduction, hundreds of organizations in both the public and private sectors – including major hospitals, grocery chains, the Prime Minister’s Office and the Senate’s website – have been hit by cyberattacks.
“At this point, it’s just sad how long this cybersecurity bill has languished, sitting idly by, as we keep hearing about these attacks,” said independent Senator Colin Deacon in a recent interview with The Globe and Mail.
Mr. Deacon, who represents Nova Scotia, is worried about the slow pace of the bill because hacking groups are innovative and agile. Some parts of the proposed legislation may have already become stale, he said. Several other members of the Senate feel this way.
In its current form, Bill C-26 would give the government more authority to protect vital infrastructure in federally regulated sectors such as finance, energy, transportation and telecommunications. It would instruct companies to have a cybersecurity plan in place and report any incidents. But it would also prohibit organizations from revealing orders from Ottawa to fix their systems, citing the need to protect confidential information.
Charles Noir, the vice-president overseeing policy and community investment for the Canadian Internet Registration Authority, said the bill is a great starting point to improve the country’s posture on cybersecurity, but getting it through Parliament has been “a bit slower perhaps than we’d like it to be.”
There are concerns with the bill, as there are with any security legislation, Mr. Noir said, because “the need for secrecy can lead to an abuse of power.” Bill C-26 should be updated, he said, specifically in terms of oversight mechanisms and transparency reporting from Ottawa, so Canadians know how the legislation is being used by the government to instruct companies to protect consumers.
Mr. Mendicino and current Minister of Public Safety Dominic LeBlanc both declined repeated requests for interviews.
In a brief statement, a spokesperson for Mr. LeBlanc said cybercrime poses a risk to Canada and Bill C-26 is “an important part of our overarching response to cyberthreats,” along with “close collaboration” from ally countries. Jean-Sébastien Comeau would not say if the legislation needs to be updated, whether it has been given the urgency it may require or what Mr. LeBlanc thinks of the work done by Mr. Mendicino during his time on the file.
Mr. Mendicino’s spokesperson, Monica Bento, did not provide any comment. She said she shared The Globe’s questions with Mr. LeBlanc’s office but did not hear back.
A December, 2021, mandate letter to Mr. Mendicino from Prime Minister Justin Trudeau outlined cybersecurity as a top priority for his post. He was tasked to “ensure that Canada is in a position to respond to rapidly evolving risks and threats in cyberspace.”
Mr. Trudeau’s press secretary, Alison Murphy, would not say if or when a new mandate letter would be issued to Mr. LeBlanc and other cabinet ministers.
Cybersecurity consultants, law enforcement officials, legal experts and reformed hackers have continually pressed Ottawa to update its cybersecurity policies over the past few years – even more so since the U.S. Securities and Exchange Commission adopted new rules in July requiring publicly traded companies to disclose any material hacking incidents within four days and periodically describe their efforts to manage cyberthreats.
Late last month, the RCMP and the Communications Security Establishment warned in a joint report and news conference that Canada’s national security and economic prosperity will be threatened by organized cybercriminals over the next two years. In 2022, 70,878 known incidents caused at least $530-million in losses, up more than 40 per cent from 2021, itself a record year, according to the report.
The real numbers are likely much higher, closer to $5-billion, officials said, because only about 5 per cent to 10 per cent of organizations actually report cyberattacks to the authorities.