OTTAWA — Ransomware is the most disruptive cybercrime in Canada and one of the most worrying of all cyber threats, according to the federal cyber-defence agency, but the Liberals’ bill to address those threats won’t require companies that pay ransoms for their own data to tell the authorities.
That gap is acknowledged in federal documents The Logic obtained through an access-to-information request, a multi-part package of briefing material prepared for Public Safety deputy minister Shawn Tupper.
Talking Points
- Canada’s stalled bill on cybersecurity wouldn’t make companies that pay off ransomware attackers notify federal authorities, unlike the equivalent U.S. law
- Cyber authorities say ransomware is the biggest cyber threat to most Canadians, and most attacks end with victims paying the perpetrators
He was to chair a top-level meeting last November with Chris Inglis, who was then the U.S. national cyber director, and his scripted notes emphasized just how much the proposed Critical Cyber Systems Protection Act—part of Bill C-26, which Public Safety Minister Marco Mendicino tabled in June 2022—is like an American version that President Joe Biden had signed the previous March.
Cyber threats cross borders, and Canadian critical infrastructure is “intimately intertwined with that of you, our American neighbours to the south,” so it’s important that Canadian and U.S. laws line up, Tupper’s script said.
“While I won’t go into the details here, [Bill C-26] is consistent with the United States’s Cyber Incident Reporting for Critical Infrastructure Act of 2022,” Tupper’s script said.
Yet also in the package was a comparison chart of the U.S. law and the Canadian bill, on which several key points of difference were marked with big Xs.
If the Canadian bill passes—it has not yet been taken up by a House of Commons committee for close examination—it will give Canadian authorities some powers regulators in the U.S. don’t have, such as requiring critical infrastructure operators to develop cybersecurity plans or to do specific things to avert or mitigate threats.
But the Canadian side of the chart had more gaps when lined up against the U.S. regime: No requirement to report ransomware payments. No task force on ransomware or active efforts to find vulnerabilities. No requirement for cyberattack victims to keep Canadian authorities apprised of new developments after an initial report. And no provisions to keep the contents of companies’ reports of their own breaches from being used against them in lawsuits.
If the government wants to change this, the public servants who prepared the document advised, it will need to amend its bill.
Some companies do have legal obligations to report cyber breaches to privacy commissioners (when private data has been stolen and there’s a “real risk of significant harm”) or the Office of the Superintendent of Financial Institutions. But not to police or cyber-defence authorities.
Given several days, Public Safety Canada could not explain to The Logic why Bill C-26 doesn’t include requirements to report ransomware payments.
The scale of the ransomware problem in Canada is huge. In its basic form, hackers break into a target’s computers and lock up either its systems or critical data, offering to return them for a fee. Sometimes the bad actors sell data they’ve stolen or threaten to expose a target for having lax security around customers’ private information.
“Ransomware is one of the most impactful cyber threats in Canada, benefiting significantly from the specialized cybercrime economy and the growing availability of stolen information,” the Communications Security Establishment (CSE) reported in its most recent public threat assessment.
High-profile recent targets include Indigo and Superior Plus propane. Other recent victims of cyberattacks that exposed customer data—the details of which are often kept murky—include Mackenzie Investments and Sun Life.
Those are just cases that have become public. Earlier in July, the cyber-law group at Blake, Cassels & Graydon estimated that ransomware accounted for nearly 70 per cent of cybersecurity incidents in Canada last year—and two-thirds of the targeted organizations ended up paying off the attackers, up from 56 per cent the year before.
Under Bill C-26, those ransom payments would not have to be reported, unlike in the United States.
“I’m always surprised at governments’ surprise when I talk about things that I see that they don’t,” said Ian Paterson, CEO of cybersecurity firm Plurilock, in an interview with The Logic. “The industry would be better overall if the people who can do something about ransomware—a.k.a. nation-states—had all of the details to make informed decisions about how to allocate resources to try and make it stop.”
If the Canadian Centre for Cyber Security (a unit within the CSE, which answers to the defence minister) had more information about ransomware attacks, it could spot patterns and potentially identify attackers sooner, he said.
But there’s a collective-action problem. “Everybody in industry recognizes that the community is better off the more disclosure that happens,” Paterson said. “But nobody wants to go first. They want to get the data; they don’t want to give the data.”
Firms would have legitimate concerns about reporting breaches to the CSE, which supplies technical expertise to authorities such as privacy commissioners, who might seek to penalize companies for being lax with data.
“You have an agency that might be building a case against you, and therefore you don’t actually want to talk to them,” Paterson said.
They also might worry their reports of their own breaches might be revealed or leaked, he said—a very bad outcome for a company that has paid a ransom to keep the breach quiet, but one that’s less worrying than it used to be.
“For better or worse, because everybody’s getting hacked, I don’t think it matters as much as it did a couple years ago,” Paterson said.