Parliamentary Committee Notes: Overview Deck
Securing Canada's Critical Infrastructure Against Rising Cyber Threats
- Canada's critical infrastructure (CI) plays a vital role in the delivery of essential services and the necessities of daily life, such as electricity, transportation, banking and the Internet
- Canada's CI is increasingly at risk from cyber threats and is a prime target for cybercriminals and state-sponsored actors
- Disruptions to CI could result in loss of vital services, economic impacts to small and medium-sized enterprises, harm to the public, or even loss of life
- Like our allies, we must act now to protect our CI, which underpins Canada's economic security
Opportunities for Advancing Cyber Security in Canada
- Ministers in some critical infrastructure sectors, such as those responsible for the energy, finance, and transportation sectors, have a security mandate. The telecommunications sector would benefit from an explicit mandate for security
- During the 2016 public consultations that led to the 2018 National Cyber Security Strategy, industry highlighted the need for regulation in cyber security
- The Government of Canada does not have a clear and explicit legal mechanism to compel action to address cyber security threats or vulnerabilities
- Mandatory reporting is an opportunity to improve cyber threat information sharing between the private sector and the Government of Canada to the benefit of both industry and governments
Background – What We've Done
- 2013: Communications Security Establishment (CSE) established its Security Review Program (SRP)
- 2016: Conducted public consultations on cyber security
- 2018: Released the National Cyber Security Strategy (NCSS). CSE's Canadian Centre for Cyber Security was established as a key NCSS initiative
- 2019: Allocated $144.9M through Budget 2019 to develop a Critical Cyber Systems framework
- 2021: Completed an inter-departmental 5G Security Examination, which recommended an updated security framework to safeguard Canada's telecommunications system
- A cornerstone of the updated framework is an evolution of the SRP, which would continue to engage with Canadian Telecommunications Service Providers (TSPs) and equipment suppliers to help ensure the security of Canadian telecommunications networks, including 5G
Bill C-26: An Act Respecting Cyber Security, 2022
- As a result of the work to address these identified concerns and improve Canada's cyber security posture, in June 2022, the Government introduced Bill C-26, An Act Respecting Cyber Security (ARCS), which is intended to promote cyber security across four federally-regulated critical infrastructure sectors
- ARCS would consist of two distinct parts:
  - Part 1 introduces amendments to the Telecommunications Act to add security as a policy objective and provide the Government with the ability to take measures to secure the telecommunications system; and
  - Part 2 introduces the Critical Cyber Systems Protection Act to create a regulatory regime requiring designated operators in the federally regulated finance, telecommunications, energy, and transportation sectors to protect their critical cyber systems
Part 1: Telecommunications Act Amendments
- Following the Government of Canada's 5G Security Examination, the Government proposes to strengthen our current legislative framework to promote the security of Canada's telecommunications system through amendments to the Telecommunications Act (TA):
Policy Objective
- The TA would be amended to add "to promote the security of the Canadian telecommunications system" as a policy objective
Legislative Tools
- An order-making power tied to that objective would be created for the Governor in Council (GiC) and Minister of Industry that could be used to compel action by Canadian TSPs, if deemed necessary
- With these authorities, the Government would have the ability to take security-related measures to improve protection against a range of threats (cyber, natural disasters, etc.)
Monitoring and Enforcement
- Information gathering, confidentiality and sharing authorities as well as an administrative monetary penalty scheme to promote compliance
Part 2: Critical Cyber Systems Protection Act
- The Critical Cyber Systems Protection Act (CCSPA) would establish a regulatory regime to strengthen baseline cyber security across the federally regulated finance, telecommunications, energy and transportation sectors.
New Legislative Tools
- The Act would increase information sharing, and provide the GiC with the power to issue Cyber Security Directions to designated operators
Obligations
Designated operators would be obligated to:
- Establish a Cyber Security Program
- Mitigate supply chain and third-party service or product risks
- Report cyber security incidents to CSE
- Implement Cyber Security Directions
Enforcement Powers and Consequences
- The CCSPA would provide regulators with powers necessary to enforce the Act (e.g., audits, Administrative Monetary Penalties (AMPs)), and would create consequences for non-compliance (e.g., summary convictions or convictions on indictment)
Key Amendments Carried at SECU
- Broad agreement on importance of bill; targeted amendments strengthened or clarified certain provisions
- Amendments on the overall Bill:
  - Added a reasonableness standard for orders and directions
  - Specified reporting requirements
  - Notification requirements for confidential orders and directions
  - More explicit provisions on privacy and confidential information
- Amendments more specific to Part 1:
  - Explicit consultation requirement
  - Addition of an explicit due diligence defence
- Amendments more specific to Part 2:
  - Clarity around program design (timing of reporting, supply chain, etc.)
  - Federal / Provincial considerations around information sharing
Part 1 and Part 2 Comparison
| | Part 1: TA | Part 2: CCSPA |
|---|---|---|
| Lead Minister | Innovation, Science and Industry | Public Safety |
| Sectors | Telecommunications | Telecommunications, Finance, Transportation, Energy |
| Regulators | Minister of Industry | Minister of Industry, Office of the Superintendent of Financial Institutions, Bank of Canada, Transport Canada, Canada Energy Regulator, Canadian Nuclear Safety Commission |
| AMPs | Yes | Yes |
| Order Making | GiC, Minister of Industry | GiC |
Conclusion
- If passed, this legislation promotes Canada's security and resilience, and our cyber security posture, by:
  - Adding security-related authorities for the GiC and Minister of Industry under the Telecommunications Act;
  - Creating cross-sector regulations specific to cyber security;
  - Providing the legislative authority to direct action in response to cyber threats; and
  - Supporting increased cyber threat information sharing
- Overall, ARCS would emphasize the Government's commitment to increasing the cyber security baseline across Canada, and help ensure the national security and public safety of Canadians