Fate of cybersecurity bill targeting Huawei uncertain after senator finds 'drafting error'

The future of a proposed bill aimed at protecting critical infrastructure from cyberattacks and giving the federal government the authority to ban telecommunications companies from partnering with high-risk vendors, such as Huawei, is uncertain due to a recently identified "drafting error," according to a senator involved in its review.

Bill C-26, introduced in 2022, has two primary objectives. First, it amends the Telecommunications Act to grant the government explicit powers to prohibit Canadian telecom providers from using products or services from "high-risk suppliers." The government cited national security concerns in its intent to bar Huawei and ZTE, two Chinese state-backed telecommunications firms, from Canada's next-generation mobile networks.

The second part of the bill, the Critical Cyber Systems Protection Act, would require federally regulated industries—such as finance, telecommunications, energy, and transportation—to strengthen their cybersecurity systems or face financial penalties.

Progress on the bill has been slow, and it hit another setback this week. Senators paused a clause-by-clause review of the legislation after Senator John McNair, the bill's sponsor in the Senate, flagged drafting errors with "potential significant impact." The issue was discussed in a closed-door session of the Senate’s national security committee.

Key Issue: Renumbering Error

Sources familiar with the matter revealed that a renumbering error in Bill C-26 could undermine its cybersecurity provisions. A separate foreign interference law, passed earlier this year, inadvertently repealed the cybersecurity section of Bill C-26 due to mismatched clause numbers. The foreign interference law amended the Canada Evidence Act and was intended to replace overlapping provisions in Bill C-26, but the numbering conflict has nullified the cybersecurity measures in the latter.

If senators decide to amend the bill to address this issue, it would need to return to the House of Commons for approval, further delaying its passage amidst existing parliamentary gridlock.

Concerns About Oversight

Experts have raised broader concerns about the bill. Matt Malone, a scholar specializing in cybersecurity policy, said the legislation’s "broad and vague language" allows for excessive government overreach. He emphasized the need for stronger oversight regarding the new powers granted by the bill.

Huawei Ban at Risk

The delay also affects the government’s efforts to formally ban Huawei and ZTE technology from Canada's telecom networks. Although the government announced its intent to prohibit these companies’ equipment over two years ago, Bill C-26 provides the legal framework required to enforce this ban.

The government previously directed telecom providers to remove 5G equipment from Huawei and ZTE by June 2024 and phase out 4G equipment by December 2027. However, sources indicate that not all major telecom companies have provided updates on their compliance.

Some companies, such as Rogers and Bell, have confirmed they are not using Huawei technology in their 5G networks. Telus, which initially planned to utilize Huawei equipment, has since partnered with Nokia, Ericsson, and Samsung for its 5G infrastructure. A Telus spokesperson stated that the company remains compliant with Canadian regulations.

Broader Implications of 5G

Critics have long expressed concerns that Huawei’s involvement in 5G networks could expose sensitive data about Canadian internet usage to the Chinese government. China's National Intelligence Law mandates that organizations and citizens must cooperate with state intelligence operations, raising fears about potential espionage. Huawei has consistently denied these allegations, asserting its independence from the Chinese government.

As the Senate committee prepares to discuss the bill again next week, its fate remains unclear, with significant implications for cybersecurity and national security efforts in Canada.