Parliamentary Committee Notes: ARCS High-level overview
Part 1: Telecommunications Act (TA) amendments
The TA would be amended to add “to promote the security of the Canadian telecommunications system” as a policy objective.
An order-making power tied to that objective would be created for the Governor in Council (GIC) and Minister of Industry that could be used to compel action by Canadian Telecommunications Service Providers (TSPs), if deemed necessary.
With these authorities, the Government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.
ISED will exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or Minister of Industry.
Once amendments to the Telecommunications Act receive Royal Assent, GIC or Ministerial Orders could be issued to TSPs.
Part 2: Critical Cyber Systems Protection Act (CCSPA)
General
The CCSPA will be implemented collaboratively by six departments and agencies - Public Safety, Innovation, Science and Economic Development, Transport Canada, Natural Resources Canada, Finance and the Communications Security Establishment - across the Government of Canada, in recognition that cyber security is a horizontal issue that should have the same objectives and be addressed through a streamlined government response across sectors.
Schedule 1 of the Act designates services and systems that are vital to the national security or public safety of Canadians. Currently, Schedule 1 includes:
- Telecommunications service;
- Transportation systems;
- In the finance sector: Banking systems and clearing and settlement systems; and
- In the energy sector: Interprovincial or international pipeline and power line systems and nuclear energy systems.
Schedule 2 of the Act will define Classes of Operators of the Vital Services and Systems identified in Schedule 1. Operators captured in a class are designated operators subject to the Act.
Minister of Public Safety (PS): In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister will have overall responsibility for the legislation, and lead a number of CCSPA-related processes.
Other Ministers and Governor in Council (GIC): Decision-making by GIC under the CCSPA ensures that a broad range of relevant factors – including national security, economic priorities, trade, competitiveness, international agreements and commitments – are considered when making decisions that have an impact across sectors.
Regulators: The CCSPA leverages regulators' expertise and relationships with entities they already regulate under existing legislation (Footnote 1). Schedule 2 of the CCSPA will identify both the classes of designated operators as well as the regulator responsible for enforcing the CCSPA for each class.
Canadian Centre for Cyber Security (CCCS): The Cyber Centre is responsible for receiving reports of cyber security incidents under the CCSPA, allowing it to use this information to help inform the Government and all cyber system operators of cyber security threats, and of how to better prepare for, protect against and recover from cyber incidents. It will receive resources to provide advice, guidance and services to:
- Designated operators in order to help them protect their critical cyber systems;
- Regulators in support of their duties and functions to monitor and assess compliance; and
- Public Safety and lead departments and their ministers as required, to support them in exercising their powers and duties under the Act.
Obligations of Designated Operators
Cyber Security Program
The CCSPA will require designated operators to establish a Cyber Security Program (CSP) that documents how the protection and resilience of their critical cyber systems will be ensured.
CSPs must be established by designated operators within 90 days of them becoming subject to the Act (i.e. when they fall into a class of designated operators published in Schedule 2 of the CCSPA). Once established, the CSP must be implemented, and must also be maintained by the designated operator in order to keep it up to date and responsive to changing threats and evolving technology.
CSPs must include steps to:
- Identify and manage organizational cyber security risks, including risks associated with the operator's supply chain, and the use of third party products and services;
- Protect their critical cyber systems from compromise;
- Detect cyber security incidents affecting, or with the potential to affect, CCS; and
- Minimize the impact of cyber security incidents affecting critical cyber systems.
Mitigation of Supply Chain Risks
With the increasing complexity of supply chains (Footnote 2), and increased reliance on the use of third party products and services (for example cloud-based data storage or infrastructure-as-a-service), designated operators can be exposed to significant cyber security risks from those sources. When, through its CSP, a designated operator identifies a cyber security risk to its CCS in relation to its supply chain or its use of third party services or products, the CCSPA requires that designated operator to mitigate those risks.
Mandatory Reporting of Cyber Security Incidents
A new obligation to report cyber security incidents, created under the CCSPA, will provide the GC with a reliable source of information about cyber security threats to critical cyber systems. The availability of incident reports will enhance visibility into the overall threat environment for the Canadian Centre for Cyber Security (CCCS).
Findings from the analyses of incident reports will make it possible for the CCCS to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and to inform Canadians of cyber security risks and trends, allowing one organization's detection to become another's prevention.
Under the CCSPA, designated operators will be required to report cyber security incidents affecting or having the potential to affect their critical cyber systems to the Communications Security Establishment, for use by the CCCS.
- A threshold defining this reporting obligation will be set in regulations.
Cyber Security Directions
Through a variety of mechanisms, the Government of Canada can be made aware of potential risks to national security or public safety that result from cyber security vulnerabilities and associated threats to critical cyber systems and the vital services or systems that they underpin.
The CCSPA would create a new authority for the Government: under the Act, the Governor in Council (GIC) can issue Cyber Security Directions (CSD) to direct any designated operator to comply with a measure, should the GIC believe on reasonable grounds that a CSD is necessary, in order to protect a critical cyber system. Before making an order, the GIC must also consider relevant factors, like operational and financial impacts.
CSDs would apply to specific designated operators or to certain classes of designated operators, and require those designated operators to take the measures identified in the CSD for the purpose of protecting a CCS, and do so within a specific timeframe (e.g. “operator A must take measure X within 30 days”).
- A designated operator who fails to comply with a CSD could be subject to an administrative monetary penalty or face a regulatory offence that can lead to fines or imprisonment.
The CCSPA also includes safeguards to ensure that sensitive and confidential information is protected from disclosure. This includes information relating to a critical cyber system that:
- concerns a vulnerability of a critical cyber system or the methods used to protect it and that is consistently treated as confidential by the designated operator;
- could lead to financial or competitive harms to the designated operator if disclosed; or
- could interfere with the contractual or other negotiations of a designated operator.
To protect this confidential information shared with the Government, the CCSPA contains provisions to control and restrict the disclosure of this sensitive information collected under the CCSPA. Inappropriate disclosure of confidential information would be an offence under the CCSPA.