In June 2022, the Parliament of Canada introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.
The Bill has two parts:
Bill C-26: Part 1
The Telecommunications Act, created in 1993, has allowed the Government of Canada to pursue telecommunications policy objectives intended to shape telecommunications systems capable of:
- Safeguarding, enriching, and strengthening Canada’s social and economic fabrics
- Enhancing efficiency and competitiveness within the sector
The proposed amendments align with these traditional policy considerations.
What are the amendments to the Act?
The amendments to the Telecommunications Act grant the government the authority to issue orders that:
- Prohibit the installation of certain products on a carrier’s system
- Require carriers to remove identified products from their systems
- Prohibit the provision of identified services to particular entities
These orders can be issued if there are reasonable grounds to believe that required measures will better defend Canadian telecommunications systems or secure them from interference, manipulation, or disruption.
What about non-compliance?
The federal government can conduct inspections to confirm compliance with any order issued under these amendments. If a carrier fails to comply, the government may offer an opportunity to enter a compliance agreement and levy monetary penalties if the terms of that agreement are also unfulfilled.
Bill C-26: Part 2
Part 2 of the Bill creates the Critical Cyber Systems Protection Act (CCSPA). Canada’s Constitution limits the federal government’s ability to regulate commercial activity, so the CCSPA focuses only on private sector entities already subject to federal regulation, including:
- Telecommunications services
- Interprovincial or international pipeline and power line systems
- Nuclear energy systems
- Transportation systems that are within the legislative authority of Parliament
- Banking systems as well as clearing and settlement financial systems
These systems fall under the CCSPA because they are vital to national security and public safety, and the information infrastructures used to operate these systems are critical cyber systems. The Government of Canada can add other federally regulated sectors to this list in the future.
The CCSPA is a complex piece of legislation with many moving parts. This blog summarizes a few key elements of the Act (you can also read it in full here).
1. Developing Cyber Security Programs
The Act authorizes the Government of Canada to require the designated operators of vital systems to develop Cyber Security Programs. These programs outline the steps to:
- Identify and manage organizational cyber security risks, including supply chain threats and the use of third-party products and services
- Protect their critical cyber systems from compromise
This plan must be shared with the regulator of the associated sector, for example:
- The Superintendent of Financial Institutions
- The Bank of Canada
- The Canadian Nuclear Safety Commission
- The Canadian Energy Regulator
In practical terms, Cyber Security Programs become part of the designated operator’s licence to operate. The federal government can enact regulations imposing requirements the programs must meet. However, defining these requirements is a responsibility shared between the Government of Canada and the associated regulator.
2. Reporting cyber security incidents
Designated operators must report cyber security incidents impacting their critical cyber systems’ operations to:
The Cyber Centre will investigate the incident and provide mitigation advice. Designated operators must follow the Cyber Centre’s recommendations to reduce risk and protect their critical systems.
The Act also allows the federal government to share technical or confidential information, as necessary, to protect vital infrastructure. Specifically, the Cyber Centre would be able to:
- Share its findings with designated operators belonging to the same sector
- Inform regulators of a designated operator’s failure to implement a Cyber Security Program
3. Complying with Cyber Security Directives
The Act allows the Government of Canada to issue Cyber Security Directives to designated operators if there is an imminent threat to critical cyber systems.
These Directives could be quite specific, even:
- Identifying the particular designated operators directly
- Specifying the cyber security measures to take
- Outlining an implementation period for those measures
Designated critical cyber security operators must keep records of their efforts to meet the Directive, as the Act allows regulators to conduct compliance inspections with these Cyber Security Directives. During inspections, regulators have the power to:
- Seek a warrant permitting forceful entry to a premise
- Remove or copy relevant documentation or cyber systems
- Issue a non-compliance notice
How the Critical Cyber Systems Protection Act will change cyber security in Canada
Before tabling this Bill, practical efforts to secure the private sector’s critical infrastructure focused on the CSE providing cyber security advice, guidance, and services when a breach or significant threat activity was found. However, this required the operator to first request help.
The CCSPA is an enormous step forward in Canada’s cyber security capability, and it will strengthen Canada’s defence by:
Implementing measures that better secure critical systems
By proposing a model similar to the European Union's Directive on the Security of Network and Information Systems, the CCSPA allows the Government of Canada to implement measures that better secure the critical cyber systems relied on by federally regulated critical infrastructures in Canada.
Fostering collaboration between government and regulatory bodies
The CCSPA fosters collaboration between federal governments and the regulatory bodies overseeing a particular critical infrastructure sector. This collaboration ensures that Cyber Security Programs and Directives consider the unique operational and business needs of a system’s environment.
Encouraging incident information-sharing
Requiring designated operators to report cyber incidents creates an opportunity to prove that sharing incident information can benefit other at-risk operators without causing adverse consequences for those who reported the threat.
Incentivizing effective cyber security measures
Finally, the CCSPA demonstrates the role governments can play in incentivizing the development and adoption of effective cyber security measures by sectors most likely to benefit from those measures. While the CCSPA applies only to federally regulated industries, it’s a model for provinces to consider.
Want to learn more about Bill C-26?
For a more thorough review of Bill C-26 and its implications on businesses in Canada, the Bill is publicly available on the Parliament of Canada website.
If you want to know how Bill C-26 affects cyber security as it relates to your business or have specific questions about the Bill, please reach out to our experts.
