Improving Bill C-26 to Strengthen Canada's Cybersecurity Position | TheFutureEconomy.ca


In February, I was privileged to be invited to speak to The House of Commons Standing Committee on Public Safety and National Security on the topic of Bill C-26, the Critical Infrastructure Cyber Security Protection Act.  I appreciated the opportunity to present the views of the CCTX membership on this important piece of legislation, which has been in the making for a long time. While the discussion with the Committee members was productive, I walked away from the experience wishing I had been able to say more. Below are the things I wish they had asked me, the things I wish we had the time to discuss, and the things I wish they had addressed in the final Bill.

The Delay of Bill C-26


Regarding the Committee’s question on the potential impact of delaying this legislation, I would have liked to have expanded on the cost to Canadian companies and Canadians. Organizations are currently paying billions of dollars each year in the cost of ransom, remediation, and rebuilding. While our large corporations may be able to afford this financial impact, smaller businesses cannot. I would also have said that there is a false belief that cyber incidents are corporate issues and do not impact individuals in the same way auto theft might. An attack on a hospital runs the risk of delaying life-saving treatment and access to necessary information. Meanwhile, companies pay millions in remediation and ransom, costs that are passed on to the consumer, adding to inflation and impacting everyone.

“Organizations are currently paying billions of dollars each year in the cost of ransom, remediation, and rebuilding.”

The Need for a National Cybersecurity Strategy


I wish I had the opportunity to say that while this legislation is important, the need for an overarching national cybersecurity strategy is even more important. Canada needs a strategy that includes support and services for all Canadians—individuals and organizations—going beyond the protection of government systems. We need a comprehensive cyber strategy that reflects our increasing dependence on technology. We need a strategy in which all Canadians can participate, one that informs the development of an updated critical infrastructure strategy and supports future legislation. We need to encourage and enable every individual, organization, and level of government to be part of our overall cyber defence and resilience. In order to be successful, cybersecurity must be a community effort, with everyone—governments, corporations, and individuals—doing their part and supporting each other.

“A continued piecemeal approach to cyber policies and strategies has the potential to create isolated pockets of resilience, missing the opportunity to strengthen the cyber posture of the greater economy.”

I would also have spoken about the potential for a lasting beneficial ripple effect on the cyber resilience of the entire critical infrastructure supply chain. The legislated sectors will have to pass their heightened cybersecurity requirements down to their suppliers. This effect, if supported by a broader national cyber initiative, could be profound and could create a truly cyber-resilient Canada.  However, a continued piecemeal approach to cyber policies and strategies has the potential to create isolated pockets of resilience, missing the opportunity to strengthen the cyber posture of the greater economy.

I wish that I had the opportunity to explain to the Committee that cybersecurity isn’t about technology; it’s about risk, and deciding what level of risk an organization is willing to accept. It is not a decision about how much corporations will spend on tools; it’s about what information an organization has, and how much of it they are willing to lose. In this economy, where every organization collects, uses, or runs on data, every organization is at risk. The fact that the data needs protection is unquestionable. The degree of risk an organization is willing to accept, and the corresponding level of commitment to cybersecurity, is a discussion that must be addressed at the most senior levels—in the boardroom and executive offices.

The Role of CISOs

If asked about the legislation’s proposal to assign liability to the CISO, I would have said that rather than make CISOs liable for an attack, we should protect them. We should enable and encourage them to speak out about incidents so that others in the greater community can learn and improve their defences and resilience strategies. Being able to share the details of a cyber event without ramifications or shame would help protect other organizations. We have learned nothing from the attack on the Newfoundland Health System two years ago. What attacks on other organizations could have been prevented if the lessons learned from Newfoundland had been made public? The same is true of the Indigo attack—how many organizations have to suffer the same fate before we share information? I would also have challenged the idea of holding CISOs accountable for a decision on risk that should be made at the executive level.

“If we continue to shame the victims of cybercrime, organizations will only report the bare minimum of what is legally required, and none of the useful information that could help to protect and defend others will ever come to light.”

I wish I had the opportunity to say that we need to stop shaming organizations that are impacted by cyber-attacks and stop treating victims as criminals. If we continue to shame the victims of cybercrime, organizations will only report the bare minimum of what is legally required, and none of the useful information that could help to protect and defend others will ever come to light. One of our greatest challenges in understanding the scale of the problem today is that we do not have comprehensive and accurate reporting on the number and severity of cyber incidents, and we never will if victims are made to feel shame. Victims of cybercrime need our support. We need better information on the size and scale of the problem, and we need to share useful information on the attacks to help support others.

The Future of Cybersecurity

While I appreciated the opportunity to address the Committee and answer their questions, I am disappointed by how little the proposed Bill has changed as a result of the review process. Thoughtful and reasonable changes were proposed, which could have strengthened this legislation and created lasting impacts on the cyber resilience of the economy as a whole. Regrettably, very few changes were made.

Canada needs to make cybersecurity a priority. The security of information and systems is foundational to the success of our economy. More needs to be done, and quickly, to support Canadian industry and Canadians.