A new research report says federal network security legislation is so flawed that it would allow authoritarian governments around the world to justify their own repressive laws.
The report by Christopher Parsons of the University of Toronto’s Citizen Lab makes 29 recommendations to increase transparency and accountability on proposed measures introduced by the Liberal government in June.
The government wants to establish a framework to better protect systems critical to national security and provide authorities with new tools to respond to emerging threats in cyberspace.
Under Measure C-26, key businesses in the banking and telecommunications industries would be required to improve cybersecurity and report digital attacks, or could face penalties.
The proposed bill gives authorities the ability to enforce measures through audit powers and fines, and allows criminal penalties in cases of non-compliance.
The report says the powers Ottawa is seeking are not sufficiently binding, come with overly broad terms of secrecy and are likely to limit the ability of private companies to dispute a claim, order or regulation issued by the government.
The report describes a scenario in which the federal broadcasting regulator could draft a piece of public law through its decisions while “a kind of secret law” is made through orders and regulations. The decision will actually guide the cybersecurity behavior of telecommunications providers.
It says the agencies proposed in Measure C-26 need to be backtracked in some places, essential terms defined, and accountability and transparency requirements “given freely” in an amended version of the law.
The report states: “If the government refuses to meaningfully amend its laws and make itself more accountable and transparent to telecommunications providers and the public, it will inform through a bad law”.
“Authoritarian governments will be able to point to Bill C-26 unamended in the process of justifying their irresponsible ‘security’ laws, secrecy and repression.”
Parsons, a senior research associate at Citizen Lab, which focuses on communications technology, human rights and global security, was among a number of individuals and groups who wrote a joint open letter to Public Safety Minister Marco Mendicino last month expressing concern about the bill.
He argued that the government owes it to citizens and businesses to justify why it is seeking new powers and the underlying reasons driving the introduction of cybersecurity legislation.
Among his report’s recommendations:
- the orders of the Council and the Ministry implemented to ensure the safety of the telecommunications system must be necessary, proportionate and reasonable;
- orders must be published in the Canada Gazette within 180 days of issue, or within 90 days of orders being made;
- the minister should be forced to make an annual report on the orders issued;
- the government should explain how it will use information from telecommunications providers and specify the agencies to which the information may be disclosed;
- relief measures should be taken if the government mishandles private or confidential information; and
- there should be specified periods of time for how long the government may retain data of telecommunications service providers.
The report warns that the costs associated with complying with government orders could seriously affect telecom providers, including the risk that some companies may not be able to continue providing service to all their customers.
“Security can and must be consistent with Canadian democratic principles,” Parsons writes. “Now the government must amend its laws to suit them.”
© 2022 Canadian Press