There’s no doubt that Bill C-26 is needed and that the intention is sound. A recent poll of Canadian cybersecurity decision-makers found that 78 per cent support the objectives of the bill.

But the legislation still needs strengthening, in three key areas. First, as currently drafted, there is limited oversight for Cyber Security Directions in Bill C-26. Adding an oversight mechanism to ensure expert, nonpartisan actors review Cyber Security Directions before they are issued would help make sure they aren’t used for political purposes.

Second, the legislation needs additional guardrails around how information is shared by the government. Under the CCSPA, the government can collect confidential or commercially sensitive information and share it widely with its intelligence partners, with few restrictions. To help Canadians trust the bill, the draft law should be amended so that information collected under the CCSPA is used only for cybersecurity purposes.

Third, additional transparency measures should be built into the law to ensure Canadians understand how the government is using its new powers. There should be annual reports that outline the number of Cyber Security Directions issued each year, the sectors they’re issued to, and other key details, in a way that doesn’t compromise national security or any company’s competitiveness.