A cybersecurity bill with built-in vulnerabilities
While changes have been made to improve clarity and transparency in the government’s latest proposed cyber legislation, questions and criticisms remain

Cybersecurity legislation is long overdue in Canada.
So, it made sense that one of the bills the federal government revived from those that died on the order paper when Parliament was prorogued and eventually dissolved for the election earlier this year was Bill C-8. The latest version of the legislation sets out requirements for protecting critical systems and creates an organization to ensure compliance with the threat of steep administrative monetary penalties.
“In the first iteration, it was very unclear what was critical infrastructure,” says Kirsten Thompson, a partner at Dentons and national lead of its privacy and cybersecurity group.
Since then, a schedule has been added that outlines vital services and systems and the varying requirements they must meet. Those critical systems include telecom, interprovincial and international pipelines and power line systems, nuclear energy, transportation systems that cross borders, banking, and clearing and settlement systems.
A designated operator of these systems will be required to put a cybersecurity system in place and be subject to regular review. There is also a requirement for operators to manage cybersecurity risk with their supply chains and third-party products.
“Most major organizations have hardened their cybersecurity systems, public and private, but the weak points often are third-party vendors, which are smaller and have limited resources,” Thompson says.
“If you want to topple one of the big players, you go in through one of their smaller, third-party providers.”
While changes have been made to improve clarity and transparency in the latest iteration of the bill, the criticism remains that the obligations are bureaucratically onerous.
“Any good, solid cybersecurity program, particularly one that follows the SOC 2 or NIST requirements, is going to have a lot of documentation and a lot of processes,” Thompson says, referencing existing cybersecurity standards from the American Institute of Certified Public Accountants and National Institute of Standards and Technology.
“The whole point of a robust cybersecurity program is to have a concrete, well-scoped repeatable process.”
She says that early on, there were complaints that if someone already has a NIST or SOC 2 certification or an ISO, why would they have to do it again for this legislation, when they should be offered an exemption? To date, that hasn’t been addressed, but she expects it will come up.
The new bill has also removed the government’s ability to make confidential submissions to the Federal Court when issues are escalated to that level, and to withhold disclosure citing national security concerns. Thompson expects the government will try to finesse its own amendment on this to find some middle ground that retains these rights under exceptional circumstances.
While federal intervention is permitted under the latest bill, it must be justified by an identified factor, a requirement that was broadly worded in the previous iteration. The current version provides a non-exhaustive list of four categories, although the categories themselves are not defined.
“It just raises the threshold for government to intervene,” Thompson says.
David Fraser, a partner with McInnes Cooper in Halifax, says his biggest worry is the bill's prescriptive language, which could allow government agencies to micromanage.
“Rather than allowing organizations to implement what are internationally-known best practices or to meet international standards, what this allows governments to do is dictate exactly what their practices are, really at a detailed level,” he says.
“I think that’s overreach, and I think that’s unnecessary.”
The legislation allows government regulators enormous access to the systems, information and data of regulated organizations, which has the potential to introduce cybersecurity vulnerabilities. For example, Fraser points to the government’s power to ban Huawei technology from Canadian systems and its ability to dictate what equipment must be used instead. That could mean every Canadian system under federal regulation is using the same equipment with the same vulnerabilities.
He would rather the government provide a list of approved vendors from which companies can choose.
“Everyone knows you need to keep an eye on your equipment, you need to check for vulnerabilities and patches, but the mosaic as a whole means the system as a whole is more secure.”
Fraser is also concerned that there's no limit on the scope of those powers because the law also requires critical sector companies to ensure compliance in their supply chains.
“My law firm provides services to organizations that are going to be regulated within this—we are in their supply chain,” he says, which could put the firm in the legislation's scope, open it up to a regulator telling it how to operate, or set up a competition between regulators.
While Fraser doesn’t believe that was the intent, it is a possible outcome. He says the government needs to be aware of the law's scope and mindful of its impact.
Brent Arnold, the founder of Capstan Legal in Toronto, who is also the chair of the Canadian Internet Society and the vice-chair of the CBA’s privacy and access section, says that the context around information sharing has changed between the former bill and the current iteration.
“(The American government) didn’t worry us as much when we were in the process with C-26, and it was the Biden administration. But with the Trump administration in place now, we’re seeing an administration that is happy to weaponize the law and its powers to go after people it doesn’t like,” he says.
As a result, while Canadian authorities still cooperate at an operational level, they must now be more careful about how much they trust their counterparts.
Arnold says the bill doesn’t seem to have any guardrails around information sharing, which hits harder as the security versus civil liberties balance is more tenuous than it was a few years ago. Like C-2, the omnibus border security bill, C-8’s provisions can potentially mandate backdoor access to software and platforms, which could put Canada at odds with the European Union.
“The way the (General Data Protection Regulation) in Europe works is that they make decisions about the adequacy assessment of the privacy regimes of other countries,” Arnold says.
“If they feel another country doesn’t adequately protect privacy, they are far more restrictive about the conditions under which they will let private information about European citizens be handed over to companies or countries.”
Canada narrowly passed the EU’s most recent assessment, partly based on a promise that federal privacy laws would be changing. However, that particular bill did not pass before the election.
Arnold says this bill could potentially undo that because it presents to Europeans the prospect that government access to private data can be abused in secret.
“This has the effect of weakening our existing privacy regime, and in advance, weakening the new one that’s going to come in, which could put us in a real problem with Europe.”
Ultimately, that could impact our tech-focused economy, which is the last thing Canada needs when it’s trying to diversify trade.
Conservative Senator Denise Batters, who was the critic of the former Bill C-26, says the federal government failed to include her “reasonable” proposed amendment to C-26 in C-8. It would have required the Communications Security Establishment to notify the Privacy Commissioner if the private information of Canadians were released in a cybersecurity breach.
“Despite strong expert witness testimony supporting this amendment, including support from the Privacy Commissioner himself, this Liberal government seems intent on passing virtually the same flawed bill as last session,” Batters said in an email.
Some have pointed to the fact that C-8 doesn’t grant exemptions for small companies, even though the rise of AI means they can operate in a larger space with only a few employees. Thompson says that while small companies are likely to find the compliance obligations overwhelming, exempting them from the regime makes them vulnerable to ransomware attacks because those ransomware groups know to target weak players.
“If there’s a law that says this doesn’t apply to businesses under 50 employees or whatever, then that’s exactly who ransomware groups are going to target,” she says.