Key enterprises in the banking, telecommunications and transportation industries would be among those required to bolster cybersecurity and report digital attacks – or possibly face penalties – under a federal bill introduced Tuesday.
The legislation is intended to flesh out Liberal government efforts to protect critical infrastructure following last month’s announcement that Chinese vendors Huawei Technologies and ZTE will be banned from Canada’s next-generation mobile networks.
The newly tabled bill goes further, taking additional steps to protect infrastructure in the telecommunications, finance, energy and transportation sectors.
The overall goal is to establish a framework to better shield systems vital to national security and give the government new tools to respond to emerging dangers in cyberspace.
From electronic espionage to ransomware, the threats to Canadians from malicious cyberactivity are greater than ever, the government says.
The businesses and organizations in each federally regulated sector that fall under the legislation would be determined through coming consultations.
The bill proposes giving regulators the ability to enforce various measures, such as audit powers, fines and even criminal penalties.
Attacks by cybercriminals who hold data hostage in return for a ransom have become alarmingly common.
Some targeted organizations have preferred to pay the fee demanded to try to make the problem go away quietly, making it difficult for officials to get a full picture of the phenomenon.
Under the bill, a designated business must immediately report a cybersecurity incident involving any of its critical systems to the Communications Security Establishment, the main federal cyberdefence agency.
Federal officials say consultations will help determine the threshold for mandatory reporting of such incidents.
Through changes to the Telecommunications Act, the bill would give the government legal authority to order any necessary action to secure Canada’s telecom systems.
This would include prohibiting Canadian companies from using products and services from high-risk suppliers.
The federal policy outlined in May forbids the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G gear or services must be removed or terminated by June 28, 2024.
Any use of new 4G equipment and managed services from the two companies will also be prohibited, with existing gear to be pulled out by Dec. 31, 2027.