OTTAWA – Businesses and other private sector organizations should report incidents of ransomware and other cyberattacks to the government under a federal bill that will be introduced today.
The law seeks to flesh out the Liberal government’s efforts to protect critical infrastructure following last month’s announcement that Chinese vendors Huawei Technologies and ZTE will be banned from Canada’s next-generation mobile networks.
At the time, the Minister of Public Security, Marco Mendicino, said that the Liberals would introduce legislation that would go further, taking additional measures to protect the infrastructure of the telecommunications, finance, energy and transport sectors.
He said it would set a framework to better protect vital systems for national security and give the government a new tool to respond to emerging dangers in cyberspace.
Attacks on companies, universities and even hospitals by cybercriminals who hold data hostage in exchange for a ransom have become alarmingly common.
Some targeted organizations have preferred to pay the required fee to try to make the problem go away smoothly, making it difficult for officials to have a complete picture of the phenomenon.
Mendicino noted at a recent House of Commons committee meeting that the government was looking to make it mandatory to report such attacks.
The planned measures also include amendments to the Telecommunications Act that would allow the government to ban the use of equipment and services from designated providers when necessary.
The federal policy outlined in May bans the use of new 5G equipment and managed services from Huawei and ZTE. Existing 5G equipment or services must be removed or terminated by June 28, 2024.
The use of new 4G equipment and managed services by both companies will also be banned, and existing equipment will be withdrawn before December 31, 2027.
The government plans other measures that will create a holistic telecommunications security framework, aligning with the approach of allies and partners.
Last year, the UK passed legislation imposing stricter requirements on telecommunications providers to defend their networks from threats that could lead to failure or theft of important data.
In March, the UK launched a public consultation on draft regulations outlining the specific steps suppliers should take to comply with their legal obligations, along with a draft code of practice on compliance.
The Canadian government plans to increase the planned legislative measures based on the existing Security Review Program, led by the Communications Security Center, the electronic intelligence service, in collaboration with Canadian telecommunications service providers.
The program is designed to exclude specific equipment from sensitive areas of Canadian networks and ensure mandatory testing of the equipment before it is used on less vulnerable systems.
The government intends to expand the program to consider the risks of all key vendors and apply its efforts more broadly to help the industry improve cybersecurity.