Parliamentary Committee Notes: Protecting Critical Cyber Systems
Issue
Cyber Security – Critical Cyber System Protection Act (CCSPA) and Budget 2019 Funding.
Proposed Response
Canada's critical infrastructure is a prime target for malicious cyber enabled activity, data and intellectual property theft and sabotage, all of which pose significant threats to our national security, economic stability and public safety.
The Government of Canada is committed to protecting the cyber systems that underpin our critical infrastructure and recognizes that, now more than ever, secure and reliable connectivity is a necessity for our daily lives, our collective safety and security and our economic recovery.
Budget 2019 provided $144.9 million to introduce a new critical cyber systems framework to protect critical infrastructure in the federally regulated finance, telecommunications, energy and transport sectors.
On June 14, 2022, the Government introduced An Act Respecting Cyber Security (ARCS), a consolidated Bill comprised of both amendments to the Telecommunications Act announced in the Securing Canada's Telecommunications System policy statement, and the Critical Cyber Systems Protection Act.
Part 2 of ARCS would enact the Critical Cyber Systems Protection Act (CCSPA), which would establish a regulatory framework to support the improvement of baseline cyber security for services and systems that are vital to national security and public safety.
Designated operators under the CCSPA would be required to meet various obligations, including the requirement to:
- Establish a cyber security program;
- Mitigate supply chain and third party risks;
- Report cyber security incidents; and,
- Implement cyber security directions.
The government would also be provided with a new tool to respond to emerging cross-sector cyber threats. Specifically, the CCSPA would provide the Governor in Council with the power to issue Cyber Security Directions (CSD). A CSD would direct a designated operator or classes of operators to comply with any measure set out in the direction to protect a critical cyber system.
This legislation emphasizes our commitment to increasing Canada's cyber security posture and can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
Ultimately, this legislation will strengthen Canada's defenses against cyber threats – ensuring the continuity of services Canadians rely upon daily.
It will protect Canadians, businesses and the services and systems they depend on well into the future.
If pressed on the impact of the framework on private sector
These new tools are designed to raise cyber security baselines among critical infrastructure operators, ensure they are consistent, and address the important interdependencies between critical infrastructure sectors.
It is important to note that provisions of the Act will be rolled out gradually, and consultation between government and industry stakeholders will be conducted during the development of regulations.
In addition, funding for the Canadian Centre for Cyber Security will enable it to further deliver on its mandate by continuing to provide advice and guidance to critical infrastructure owners and operators on how to better prevent and address cyber threats and vulnerabilities.
Background
Cyber threats are evolving, increasing in frequency and becoming more sophisticated with more damaging consequences for Canada's economy, national security and public safety.
Cyber incidents, like the non-malicious software update by CrowdStrike to Microsoft Windows systems in July 2024 causing widespread disruptions across the transportation, banking and healthcare sectors, demonstrate that such threats against critical infrastructure have the potential to seriously compromise national security and public safety. In the worst-case scenario, a successful incident on vital services and systems could result in physical injury up to and including loss of life.
The economic and societal costs of cyber incidents and cybercrime, including ransomware, highlight the importance of securing Canada's critical cyber systems to protect Canadians, governments, and organizations, ensuring a strong foundation for Canada's digital economy.
To this end, on June 14, 2022, the Government introduced An Act Respecting Cyber Security, which included the Critical Cyber Systems Protection Act, a new framework to protect Canada's federally regulated critical infrastructure in the finance, telecommunications, energy and transport sectors. Budget 2019 provided $144.9 million for this initiative, which is designed to protect the critical cyber systems that underpin the vital services and systems upon which Canadians rely.
CCSPA is intended to set the foundation for securing Canada's critical infrastructure against imminent cyber threats, including ransomware. More secure and resilient critical infrastructure will ensure the safety and well-being of Canadians, while spurring growth and innovation, which are key drivers for our economic recovery.
Ultimately, this legislation would improve the ability of various organizations to prepare, prevent, respond to and recover from all types of cyber incidents, including ransomware. Moreover, this legislation can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
- Date modified: