Parliamentary Committee Notes: Overview Deck
Bill C-26: An Act Respecting Cyber Security
Securing Canada's Critical Infrastructure Against Rising Cyber Threats
- Canada's critical infrastructure (CI) plays a vital role in the delivery of essential services and the necessities of daily life, such as electricity, transportation, banking and the Internet
- Canada's CI is increasingly at risk from cyber threats and is a prime target for cybercriminals and state-sponsored actors
- Disruptions to CI could result in loss of vital services, economic impacts to small and medium sized enterprises, harm to the public, or even loss of life
- Like our allies, we must act now to protect our CI, which underpins Canada's economic security
Opportunities for Advancing Cyber Security in Canada
- Ministers in some critical infrastructure sectors, such as those responsible for the energy, finance, and transportation sectors, have a security mandate. The telecommunications sector would benefit from an explicit mandate for security
- During the 2016 public consultations that led to the 2018 National Cyber Security Strategy, industry highlighted the need for regulation in cyber security
- The Government of Canada does not have a clear and explicit legal mechanism to compel action to address cyber security threats or vulnerabilities in the telecommunications sector
- Mandatory reporting is an opportunity to improve cyber threat information sharing between the private sector and the Government of Canada to the benefit of both industry and governments
Background – What We've Done
- 2013: Communications Security Establishment (CSE) established its Security Review Program (SRP)
- 2016: Conducted public consultations on cyber security
- 2018: Released the National Cyber Security Strategy (NCSS). CSE's Canadian Centre for Cyber Security was established as a key NCSS initiative
- 2019: Allocated $144.9M through Budget 2019 to develop a Critical Cyber Systems framework
- 2021: Completed an inter-departmental 5G Security Examination, which recommended an updated security framework to safeguard Canada's telecommunications system
- A cornerstone of the updated framework is an evolution of the SRP, which would continue to engage with Canadian Telecommunications Service Providers (TSPs) and equipment suppliers to help ensure the security of Canadian telecommunications networks, including 5G
Bill C-26: An Act Respecting Cyber Security, 2022
- As a result of this multi-year work, to address these identified concerns and improve Canada's cyber security posture, including in 5G technology, in June 2022, the Government introduced Bill C-26, An Act Respecting Cyber Security (ARCS), which is intended to promote cyber security across four federally regulated critical infrastructure sectors
- ARCS would consist of two distinct parts:
  - Part 1 introduces amendments to the Telecommunications Act to add security as a policy objective and provide the Government with the ability to take measures to secure the telecommunications system; and
  - Part 2 introduces the Critical Cyber Systems Protection Act to create a regulatory regime requiring designated operators in the federally regulated finance, telecommunications, energy, and transportation sectors to protect their critical cyber systems
Part 1: Telecommunications Act Amendments
- Following the Government of Canada's 5G Security Examination, the Government proposes to strengthen our current legislative framework to promote the security of Canada's telecommunications system through legislative amendments to the Telecommunications Act (TA):
Policy Objective
- The TA would be amended to add “to promote the security of the Canadian telecommunications system” as a policy objective
Legislative Tools
- An order-making power tied to that objective would be created for the Governor in Council (GiC) and Minister of Industry that could be used to compel action by Canadian TSPs, if deemed necessary
- With these authorities, the Government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors
Enforcement Powers and Consequences
- An administrative monetary penalty scheme and an offence provision would be established to promote compliance with orders and regulations made by the GiC and the Minister of Industry
Part 2: Critical Cyber Systems Protection Act
- The Critical Cyber Systems Protection Act (CCSPA) would establish a regulatory regime to strengthen baseline cyber security across the federally regulated finance, telecommunications, energy and transportation sectors.
New Legislative Tools
- The Act would increase information sharing, and provide the GiC with the power to issue Cyber Security Directions to designated operators
Obligations
Designated operators would be obligated to:
- Establish and maintain a Cyber Security Program
- Take reasonable steps to mitigate supply chain and third-party service or product risks
- Report cyber security incidents to CSE
- Implement Cyber Security Directions
Enforcement Powers and Consequences
- The CCSPA would provide regulators with powers necessary to enforce the Act (e.g., audits, AMPs), and would create consequences for non-compliance (e.g., summary convictions or convictions on indictment)
Part 1 and Part 2 Comparison
| | Part 1: TA | Part 2: CCSPA |
|---|---|---|
| Lead Minister | Innovation, Science and Industry | Public Safety |
| Sectors | Telecommunications | Telecommunications, Finance, Transportation, Energy |
| Regulators | Minister of Industry | Minister of Industry, Office of the Superintendent of Financial Institutions, Bank of Canada, Transport Canada, Canada Energy Regulator, Canadian Nuclear Safety Commission |
| AMPs | Yes | Yes |
| Order Making | GiC, Minister of Industry | GiC |
Conclusion
- If passed, this legislation promotes Canada's cyber security posture by:
  - Adding security-related authorities for the GiC and Minister of Industry under the Telecommunications Act;
  - Creating cross-sector regulations specific to cyber security;
  - Providing the legislative authority to direct action in response to cyber threats; and
  - Supporting increased cyber threat information sharing.
- Overall, ARCS would emphasize the Government's commitment to increasing the cyber security baseline across Canada, and help ensure the national security and public safety of Canadians