A Conservative government will create a cabinet committee on cybersecurity and data privacy if it wins the October federal election, leader Andrew Scheer has promised.
In a speech to the Montreal Chamber of Commerce last week, Scheer also said he will set up an expert committee with industry leaders to define binding digital security standards for critical infrastructure sectors and penalties for non-compliance, order periodic penetration testing on all government departments, and establish cybersecurity performance benchmarks for senior public servants.
He also promised his government will:
- Ensure that plain language use agreements are put in place so that companies collecting electronic data must receive informed consent from Canadians. This would presumably be done by amending the Personal Information Protection and Electronic Documents Act (PIPEDA)
- Apply regulatory standards for the ethical and secure use of artificial intelligence and the Internet of Things
- Create the Canada Cyber Safe brand to ensure that consumers know when products have met rigorous security standards
“The Trudeau Liberal government has been particularly careless on cybersecurity,” Scheer said, noting recently an unnamed Quebec company “made headlines”. This was an apparent reference to the data theft by an employee at Desjardins Group who reportedly gave the personal information of more than 2.7 million individual members and 173,000 businesses with a person or persons outside the institution.
“Many Canadian companies are at risk of being the next victims of these criminals,” said Scheer. “It’s past-time the federal government did something to protect Canadians’ information online,” said Scheer. “It is vital, that the government adopt new policies and keep up with technology to make sure that Canadians – their money and their personal information – is protected.”
His speech comes after CTV said this month that in the first seven months of the new federal mandatory data breach notification scheme under PIPEDA 446 breaches were reported to the federal privacy commissioner involving information of 19 million Canadians.
UPDATE: The Conservative Pary platform, released October 11, also says if elected the government would introduce a Cyberbullying Accountability Act to counter bullying against children. It would prohibit the use of a phone or the Internet to threaten or advocate self- harm, and make it clear even if a bully is outside of Canada and the victim is in Canada, the offence occurred in Canada.
Scheer didn’t make it clear how Ottawa will create binding cybersecurity standards that critical infrastructure organizations have to meet. The 10 critical infrastructure sectors named under federal cyber strategy are health, food, finance, water, information and communications strategy, safety, energy and utilities, manufacturing, government and transportation.
However, these are sectors the government works with to lower the risk of cyber attacks. It directly regulates only a few of these, like federally chartered banks and telecommunications providers. It doesn’t, for example, directly regulate municipal, territorial or provincial governments, or provincially chartered credit unions. Nor does it directly regulate software companies.
Ottawa recently created a voluntary Cybersafe Canada program (see below), where companies receive a certification they have met certain minimum standards.
The accusation that the Liberals have been “careless” on cybersecurity comes after an active 12 months by the government on the issue. Just over a year ago it created the Canadian Centre for Cyber Security, merging several federal functions into one unit under the defence department to be more visible to the public. These include Public Safety Canada’s Canadian Cyber Incident Response Centre (CCIRC) and the Get Cyber Safe public awareness campaign; many functions of the Shared Services Canada’s Security Operations Centre; and the entire IT security branch of the Communications Security Establishment (CSE), which now has responsibility for the centre. Shared Services Canada is a service which operates data centres for much of the federal government.
However the CCIRC won’t be fully operational in a new building until 2020.
This year also saw more money added to federal spending for cybersecurity. And after releasing a new national cybersecurity strategy a year ago, in August the government announced an implementation plan., It also announced a pilot project to create a certification for small and medium businesses called Cybersecure Canada, and it will see the Standards Council of Canada create a national standard for cybersecurity for SMBs, who, if they can prove they meet certain minimum standards, can carry the Cybersecure Canada brand on their websites.