Parliamentary Committee Notes: Industry Stakeholders and Associations – Critical Cyber Systems Protection Act
Purpose
The purpose of this note is to provide a summary of stakeholders' proposed amendments for Part 2 of Bill C-26, the Critical Cyber Systems Protection Act (CCSPA).
Background
On June 14, 2022, the Government introduced Bill C-26, An Act Respecting Cyber Security (ARCS) in the House of Commons. The bill was referred to the Standing Committee on Public Safety and National Security (SECU) on March 27, 2023.
This proposed legislation will protect Canadians and bolster cyber security across the federally regulated financial, telecommunications, energy, and transportation sectors. Part 1 of Bill C-26 seeks to amend the Telecommunications Act to add security as a policy objective, bringing telecommunications in line with other critical infrastructure sectors. Part 2 of Bill C-26 introduces the CCSPA, which would establish a regulatory framework to strengthen baseline cyber security for services and systems that are vital to national security and public safety, and would give the Government a new tool to respond to emerging cyber threats.
Since the tabling of Bill C-26, and as part of the Government's commitment to substantive and meaningful engagement and consultation, Public Safety Canada's (PS) National Cyber Security Directorate has met with a number of interested stakeholders on an ongoing and as-needed basis, including provinces and territories, industry, academia, and non-governmental organizations. These discussions have focused on providing clarity around the proposed legislation where needed and on addressing stakeholders' concerns.
PS received written stakeholder submissions on Part 2 of Bill C-26, the CCSPA. PS reviewed these submissions and identified proposed amendments that pertain to five themes:
- Program Design;
- Information Sharing and Privacy;
- Secrecy and Accountability;
- Program Administration; and
- Federal-Provincial Considerations.
Considerations
Industry stakeholders have generally been supportive of the CCSPA and have highlighted the importance of strengthening the cyber security and resilience of Canada's critical infrastructure. Feedback received thus far has focused primarily on amendments to: 1) Ensure that any new Government powers have appropriate checks and balances in place to prevent their misuse and improve accountability; 2) Protect the privacy of Canadians; 3) Add clarity to the regime (i.e., around program design and administration); and 4) Enhance collaboration and reciprocal information sharing for government-industry partnerships to enhance trust and transparency.
What follows is a summary of the proposed stakeholder amendments across the five themes.
Program Design
Almost all stakeholders provided written submissions to PS that included proposed amendments related to program design. PS divided these into four sub-themes. The first sub-theme, “Definitions and legislation”, includes proposed amendments that seek increased clarity and specificity in the definitions included in the legislation to ensure that designated operators are able to effectively meet legislative obligations. The second sub-theme, “Cyber Security Programs (CSP)”, argues that the CCSPA should require CSPs to be underpinned by existing standards and practices (both domestic and international). The third sub-theme, “Supply chain and third party risk mitigation”, calls for increased specificity in the language around supply chain and third party risk mitigation so that designated operators are able to meet their legislative obligations in this area. The final sub-theme, “Cyber Security Directions (CSD)”, proposes that immunity be provided to designated operators that comply with a CSD and that the CCSPA not preclude a designated operator from notifying its insurance provider of a change in material risk as a result of the issuance of a CSD.
Information Sharing and Privacy
Approximately half of the stakeholders provided written submissions that related to the theme of information sharing and privacy. PS divided these into two sub-themes. The first sub-theme, “Reciprocal information sharing”, argues that the CCSPA should include provisions that encourage meaningful collaboration and reciprocal information sharing for government-industry partnerships to enhance transparency and trust. The second sub-theme, “Privacy concerns and sensitive information”, seeks to ensure that confidential and privileged information is kept safe under the CCSPA by further protecting and restricting the disclosure of sensitive information.
Secrecy and Accountability
A number of written submissions related to the theme of secrecy and accountability. PS divided these into two sub-themes. The first sub-theme, “Accountability and sweeping powers”, argues that the CCSPA provides the Government with sweeping powers that lack accountability, including through the Governor in Council's ability to issue CSDs without guardrails or statutory safeguards and the ability to access designated operators' sensitive or privileged information. The second sub-theme, “Secrecy”, argues that the CCSPA does not provide sufficient oversight over the Government's actions and that this secrecy undermines accountability and due process.
Program Administration
Stakeholders also provided written submissions that pertained to the theme of program administration. PS divided these into three sub-themes. The first sub-theme, “Penalties and offenses”, contends that administrative monetary penalties are too high and that they should be confidential under the CCSPA. The second sub-theme, “Compliance”, calls for more time for designated operators to bring themselves into compliance with the CCSPA. The third sub-theme, “Costs”, encourages the Government to consider how it will financially support designated operators in complying with the CCSPA.
Federal-Provincial Considerations
Provinces are largely supportive of the policy intent and desired outcomes of the proposed legislation and agree that federal and provincial governments must work together to secure critical infrastructure against cyber threats. While supportive of the proposed legislation, some provinces expressed concerns that, if enacted, the CCSPA would risk creating dual and potentially competing regulatory systems in instances where organizations are regulated by both the federal and provincial governments. Some provinces expressed concerns around the scope of the application of the CCSPA to businesses under provincial jurisdiction, and that the proposed legislation has the potential to regulate areas that are already covered by existing provincial cyber security regulations and standards. Additionally, one province sought clarity around the information sharing provisions contained within the CCSPA, as it was concerned that the proposed legislation as currently drafted does not allow for information around CSDs and cyber security incident reporting to be shared with provincial governments. One province also noted that clarity may be required on certain provisions, regarding the impacts on the population and on businesses in the province, which may raise issues related to human rights and the delivery of essential services.
Next Steps
In consultation with inter-departmental partners, PS is assessing the stakeholders' proposed amendments to provide a recommendation to assist the Government in determining whether it may wish to consider any of them should they be proposed at Committee stage.