This April, against a backdrop of Canadian and Ukrainian flags, Prime Minister Justin Trudeau stood on stage at Toronto’s Royal York hotel alongside Ukrainian Prime Minister Denys Shmyhal. Mr. Trudeau reiterated Canada’s support for Ukraine and told reporters about a new military aid package designed to help Kyiv fend off Russia’s illegal invasion.
In the weeks that followed, pro-Russian hackers retaliated the way they often do against governments that support Ukraine, with a rash of distributed denial of service attacks that aim to overwhelm high-profile websites and knock them offline.
Pro-Russian groups went on to claim responsibility for a string of incidents affecting major targets including a natural gas pipeline, the Prime Minister’s Office and Hydro-Quebec. Their message? They have the power to disrupt Canada’s networks and they’re not afraid to use it.
In August, the Canadian Centre for Cyber Security and RCMP issued a report warning that cyber criminals operating from “cybercrime safe havens” like Russia will “almost certainly” continue to target critical infrastructure in Canada.
With geopolitical tensions and cybercrime on the rise, these attacks underscore the need for Canada’s cyber defences to step up in the face of a constantly evolving threat landscape.
Bill C-26, the federal government’s draft legislation to improve cybersecurity across federally-regulated cyber systems critical to Canadian society – the ones that support the energy, finance, telecommunications, and transportation sectors – is our next best chance to have a national conversation about what’s needed to create strong, coordinated cyber defences.
The good news is that, so far, these acts have failed to significantly disrupt the lives of Canadians. But, more serious and debilitating cyber attacks are a matter of when ─ not if.
Tomorrow, pro-Russian groups or other adversaries could show their true powers and shut down the operations of a power company, a water supplier, a large hospital. Such attacks, if successful, could harm or even threaten the lives of Canadians.
Despite our best efforts, Canada is stuck in a game of whack-a-mole. We’ve got the tools, but we need the coordination. Cybersecurity is a team sport, not solely the responsibility of any single stakeholder—government, the private sector, technical operators, civil society and Canadian citizens—but of all of them.
That’s why we need to get on with Bill C-26, which would raise the baseline level of cybersecurity across the federally-regulated cyber systems Canadians rely on most.
Among other requirements, the bill would have designated operators in the energy, finance, telecommunications, and transportation sectors create cybersecurity programs and report incidents. These measures are vital to keep pace with the changing threat environment and innovation in technology and will enhance Canada’s national security and public safety.
Ensuring that these operators secure their networks is of utmost importance. A forthcoming survey commissioned by CIRA suggests that only 44 per cent of surveyed organizations that experience a cyber incident report it to customers whose data are compromised—despite an existing requirement to do so. That so few organizations report on cyber incidents demonstrates that we, as a country, need to do better.
Bill C-26 has been referred to the House of Commons Standing Committee for Public Safety and National Security for study, but it likely won’t be reviewed by the committee until later this fall. The slew of recent cyber attacks against Canadian critical infrastructure operators make it clear that we need to move quickly.
The committee phase of the legislative process is a key opportunity for rigorous study and public debate to strengthen the bill. This process can bring the cybersecurity community together with critical infrastructure operators and parliamentarians to ensure that C-26 is the most effective legislation it can be.
The string of recent cyber attacks attributed to pro-Russian organizations should serve as Canada’s warning. Bill C-26 is our opportunity to heed the call and work together to protect Canadians. Let’s get on with it, before we find ourselves making legislation in the middle of a national cybersecurity crisis.