The federal government has tabled legislation that seeks to give Ottawa broad powers over telecommunications service providers, including barring equipment – such as that made by Chinese flagship Huawei – as well as the power to keep any measures they take secret.
Fines for violating the orders made under Bill C-26 could run up to $15-million a day.
Public Safety Minister Marco Mendicino assured journalists on Tuesday that the government would not use the law to fine media outlets for reporting on these confidential measures if they learned of them.
The legislation introduced Tuesday gives Canada’s innovation minister a bigger role in protecting national security, but analysts are decrying the secrecy inherent in the bill, saying the measure goes too far.
Bill C-26 would give the innovation minister, after consultation with the public safety minister, the power to forbid a telecommunications service provider from using any specified product or service, or to force them to remove any specified product.
The measure would be used only when necessary to secure the Canadian telecommunications system, including against the threat of interference, manipulation or disruption, the government said.
Under the bill, telecoms providing cellphone, landline or internet services would be required to make their networks or procurement plans open to review by the government. They would also be required to conduct assessments as directed by the government to identify any vulnerabilities in their services or networks.
In the short term, the legislation will be used to enforce the government’s recent decision to bar equipment makers Huawei and ZTE from Canada’s 5G networks, after Ottawa announced that a national intelligence review concluded the two Chinese companies pose potential security risks.
Telecoms have until June 28, 2024, to remove existing 5G equipment and managed services provided by Huawei and ZTE from their networks, and until Dec. 31, 2027, to remove 4G gear and services from those suppliers.
The bill also seeks to inoculate the government against claims for reimbursement by companies for any financial losses resulting from an order.
It further says an order made under the legislation may also include a provision “prohibiting the disclosure of its existence, or some or all of its contents, by any person.”
Mr. Mendicino said the government does not plan to use C-26 to fine journalists who might break stories on secret measures. “That’s not the intent,” he said. The secrecy rules are to prevent the unlawful disclosure of measures “that could be injurious to national security” or reveal corporate trade secrets, Mr. Mendicino said.
“The fines are hefty, but I think it’s important to send a very powerful signal that when we are partnering with industry leaders in those vital sectors, that we also have an obligation to protect information that is sensitive to them.”
Stephanie Carvin, an associate professor of international relations at Carleton University’s Norman Paterson School of International Affairs and a former national security analyst, questioned aspects of the secrecy provisions.
She noted there is no mechanism in the bill for these secret orders to eventually be made public.
“They need to do better on the secret elements of the bill. Hopefully, when it is reviewed by committee, Parliament can put some reporting requirements in it that will make the government’s actions more transparent.”
She said laws such as the Telecommunications Act, which is being modified by C-26, were never intended as national security tools, but they are becoming that given economic security challenges.
Prof. Carvin said Canada should be fitting its new measures into an as-yet-unwritten national security strategy.
Bell and Rogers declined to comment on the bill Tuesday. Telus did not immediately respond to a request for comment.
David Shipley, chief executive officer of Beauceron Security, a Fredericton-based cybersecurity firm, said one possible instance of the government wanting to keep its directives to telecom service providers secret would be when it asks these companies to fix vulnerabilities that the government has discovered in software or hardware powering their operations. In this case, the government would not want that vulnerability to become public knowledge, as it may be using the flaw as part of spying or offensive cyber operations against foreign entities using the same technology.
But he noted that Google’s Project Zero, which is tasked with finding software vulnerabilities, has a different policy: They notify companies of vulnerabilities that must be fixed but then give the firms 90 or in some cases 120 days to repair these problems before publicizing the security risks found in the related software or hardware.
“After that window is over then it’s made public,” he said. “I’d rather see a limit or time frame on the secrecy or non-disclosure.”