Threats to Cybersecurity and Governmental Oversight in Canada

Cybersecurity Overview

In its most recent Threat Assessment, the Canadian Centre for Cyber Security has warned that the trend towards connecting important systems to the Internet increases the threats to cybersecurity for Canadian individuals and organizations. Among other things, the report singles out ransomware and the disruption of critical Canadian infrastructure as some of the greater threats facing Canada’s cyber landscape. Despite this, the federal and provincial governments have mostly had little to no jurisdiction over the cybersecurity processes of private companies and even public sector organizations that are not formally part of the government. This is beginning to change.

Since 2015, at least 14 major cyberattacks have targeted Canadian health information systems, and Canada ranks 10th in breach count globally, with more than 207.4 million compromised accounts since 2004. The Canadian Centre for Cyber Security warned in an August 2023 report that over the next two years, Canada’s critical infrastructure will continue to be targeted by cybercriminals. Health organizations are especially vulnerable to such targeting because of their reliance on outdated systems.

One recent and substantial incident is the ransomware attack that hit five southwestern Ontario hospitals in October 2023. These attacks targeted TransForm Shared Service Organization, which runs technology systems for all five hospitals. The attacks disrupted such vital technology as diagnostic imaging and curative radiation treatments. As a result, countless CT (Computed Tomography) scans, mammograms, and surgeries have had to be rescheduled, with delays as long as six weeks. Another such case is the August 2023 cyber-attack on British Columbia’s healthcare sector. Attackers were able to access a server hosting the sites and application forms for Health Match BC, the BC Care Aide and Community Health Worker Registry, and the Locums for Rural BC programs. Similarly, a 2022 cyber-attack against Sick Kids Hospital in Toronto put most of the facility’s priority systems offline and affected its operations.

In all these cases, the affected organizations had their cybersecurity networks provided and monitored by independent IT security firms. Both in their immediate response and long-term changes, the government did not play a central or direct role. This includes the most recent attack on London Drugs.

The CEO of London Drugs says the company is rebuilding its data infrastructure with the help of leading third-party experts to bring its operations safely back online. Similarly, in a Monday news release, the company claimed that it was working with independent cybersecurity experts to bring its systems back online after the breach was discovered. There is no indication from either the provincial government or London Drugs that there is any governmental involvement or oversight in the response effort.

Generally, the Canadian Centre for Cyber Security publishes guidance documents with proposed cybersecurity measures for various enterprises, but federal law cannot compel their suggestions in any way, even with respect to providers of essential services and operators of critical infrastructure.

So far, it seems that the cyber-attack on London Drugs has not put any new pressure on the provincial government to enact legislation that would impose greater cybersecurity measures on providers of essential services. The reason for this might be that there are already such legal measures in the works, and some of which have already passed on account of previous cybersecurity breaches.

The first of these is Bill 22, which passed into law in February 2023, and requires all public bodies to give notice of a “privacy breach” to the Office of the Information and Privacy Commissioner of British Columbia (OIPC). This bill also compels public bodies to implement a Privacy Management Program (PMP). Public bodies are defined as provincial government ministries, school boards, health authorities, crown corporations and municipalities, and privacy breaches include theft, loss, or unauthorized collection of personal information in the custody or under the control of a public body. To be compliant with this bill, a PMP must meet a set of requirements, some of which include having a procedure for responding to privacy complaints and privacy breaches, as well as having a procedure for regularly monitoring and updating the PMP. Though this legislation does not cover private companies, it is nevertheless a significant step towards greater governmental involvement in cybersecurity processes in British Columbia.

Another example is Ontario’s Bill 194, which among other things would establish regulations compelling certain cybersecurity requirements across various public sector bodies, including hospitals, school boards, and postsecondary institutions. The requirements it would mandate include cybersecurity instance reporting, program leads, and maturity progress reporting schedules. Bill 194 mirrors British Columbia’s Bill 22 in the way it moves the province toward greater governmental oversight of cybersecurity processes in critical public sectors. It has successfully passed its first reading and is slated for a second reading in Ontario’s legislature.

More significant is the proposed Bill C-26, which has left the Committee and is at its third reading in the House of Commons. This legislation would give Ottawa the power to direct how critical infrastructure operators prepare for and respond to cyber-attacks. The proposed legislation covers telecommunications, pipelines, nuclear energy, and federally regulated transportation and banking, but not healthcare organizations. If passed, this legislation would give the government access to covered businesses’ confidential information in the name of enhancing national cybersecurity. Though this bill is federal and does not include healthcare organizations, it is the first of its kind and could serve as a model for more specific provincial legislation targeting healthcare organizations later. This bill is therefore worth paying attention to as a bellwether for what might come.

In Closing...

As more and more critical sectors of Canada’s economy, infrastructure, and public service go online, we are likely to see an increase in disruptive cyberattacks from criminal groups and state-backed actors. It remains to be seen if this trend will be the impetus towards greater governmental regulation of cybersecurity processes and standards in Canada, and we can expect this legislative trend to continue in the years ahead.
