When Ottawa wants to micromanage cybersecurity
Imagine a referee who, during a Leafs game, took a player aside to explain how to put the puck in the net. He would probably soon be unemployed, because a) that’s not part of his job description, and b) it’s not within his field of expertise.
Yet this is what Ottawa is trying to do with Bill C-26 in the field of digital security. Instead of attending to its own affairs, the government wants to insert itself into the implementation of companies’ digital security plans.
Concretely, if this bill is adopted, companies will have to fill out new forms to present their digital security plans and submit them to the appropriate regulatory body.
Federal bureaucrats will then go over each plan with a fine-toothed comb and, if they’re satisfied, give it their stamp of approval so that it can be put into effect. For any change, however minor, a company will have to fill out more paperwork and await a response from the government.
The addition of this new layer of bureaucracy is a problem.
When it comes to digital security, speed is of the essence. If a company finds a vulnerability in its system, the need to repair it quickly is crystal clear, since failure to do so exposes it to serious legal, reputational, and financial risks—just ask Desjardins.
While many adjectives can be used to describe the federal government, “fast” and “efficient” are not usually among them, as those who had to renew their passports recently are well aware.
Unfortunately, when the government requires that it be advised of companies’ program changes and other new measures, it adds a delay between the decision and its implementation. More concretely, this lengthens the delay between the moment when a breach is detected and the moment when it has been sealed.
And the risk is substantial. The companies affected are not only financial institutions but also telecommunications providers and pipeline operators. These are companies we need to be able to trust with our data. Surely we can all agree that slowing down the process through which they fix problems would be detrimental.
Government action could perhaps be justified if Canadian companies were not concerning themselves with computer security, but the data tell a different story.
In the banking sector, 93% of managers single out cybersecurity risk as a key factor in their decision-making, and the strategies they employ to minimize this risk are diverse and innovative.
For example, certain companies hire what are known as “ethical hackers” to test the security of their systems, find its cracks, and fill them before an individual with malicious intent can take advantage of them.
Indeed, spending levels and growth confirm that companies are not just talking, but are acting. In 2021 alone, Canadian companies spent nearly $10 billion on the prevention and detection of cybersecurity incidents.
It’s therefore clear that companies realize the importance of digital security and are ready to do what’s required, without Ottawa adding a small army of bureaucrats into the equation.
It’s not that the federal government has no role to play in digital security. But interfering with the rapid decisions that companies have to make runs the risk of being counterproductive and removing resources from other fields where their expertise is more useful. There is the prohibition of services that could threaten national security, for instance, like those of Huawei, or digital issues related to foreign state actors.
You won’t see a referee tell players how to score a goal. In the same vein, Ottawa has to learn to mind its own business. Our companies already know how to run theirs.
Célia Pinto Moreira is a public policy analyst at the IEDM and the author of « Projet de loi C-26: les risques d’une microgestion de la cybersécurité ». She is writing here in a personal capacity.