Parliamentary Committee Notes: Protecting Critical Cyber Systems
Bill C-26: An Act Respecting Cybersecurity (Parliamentary Committee Binder)
Date: August 2, 2023
Classification: Unclassified
Fully releasable (ATIP)? Yes
Once Legislation Introduced
Branch / Agency: NCSB/PS
Protecting Critical Cyber Systems
Issue: Cyber Security – Critical Cyber System Protection Act (CCSPA) and Budget 2019 Funding.
Proposed Response:
- Cyber threats, including ransomware, are increasingly threatening Canada's national security and public safety.
- The Government of Canada is committed to protecting the cyber systems that underpin our critical infrastructure and recognizes that, now more than ever, secure and reliable connectivity is a necessity for our daily lives, our collective safety and security and our economic recovery.
- Budget 2019 provided $144.9 million to introduce a new critical cyber systems framework to protect critical infrastructure in the federally regulated finance, telecommunications, energy and transport sectors.
- On June 14, 2022, the Government introduced An Act Respecting Cyber Security (ARCS), a consolidated Bill comprised of both amendments to the Telecommunications Act announced in the Securing Canada's Telecommunications System policy statement, and the Critical Cyber Systems Protection Act.
- Part 2 of ARCS would enact the Critical Cyber Systems Protection Act (CCSPA), whichwould establish a regulatory framework to support the improvement of baseline cyber security for services and systems that are vital to national security and public safety.
- Designated operators under the CCSPA would be required to meet various obligations, including the requirement to:
- Establish a cyber security program;
- Mitigate supply chain and third party risks;
- Report cyber security incidents; and,
- Implement cyber security directions.
- The government would also be provided with a new tool to respond to emerging cross-sector cyber threats. Specifically, the CCSPA would provide the Governor in Council with the power to issue Cyber Security Directions. A CSD would direct a designated operator or classes of operators to comply with any measure set out in the direction to protect a critical cyber system.
- This legislation emphasizes our commitment to increasing Canada's cyber security posture and can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
If pressed on the impact of the framework on private sector:
- These new tools are designed to raise cyber security baselines among critical infrastructure operators, ensure they are consistent, and address the important interdependencies between critical infrastructure sectors.
- It is important to note that provisions of the Act will be rolled out gradually, and consultation between government and industry stakeholders will be conducted during the development of regulations.
- In addition, funding for the Canadian Centre for Cyber Security will enable it to further deliver on its mandate by continuing to provide advice and guidance to critical infrastructure owners and operators on how to better prevent and address cyber threats and vulnerabilities.
Protecting Critical Cyber Systems Background:
Cyber threats are evolving, increasing in frequency and becoming more sophisticated with more damaging consequences for Canada's economy, national security and public safety.
Cyber incidents, such as those affecting the Colonial Pipeline in the United States and the health care sector in Newfoundland, demonstrate that such threats against critical infrastructure have the potential to seriously compromise national security and public safety. In the worst-case scenario, a successful incident on vital services and systems could result in physical injury up to and including loss of life.
The economic and societal costs of cyber incidents and cybercrime, including ransomware, highlight the importance of securing Canada's critical cyber systems to protect Canadians, governments, and organizations to ensure a strong foundation for Canada's economic recovery.
To this end, on June 14, 2022, the Government introduced An Act Respecting Cyber Security, which included the Critical Cyber Systems Protection Act, a new framework to protect Canada's federally regulated critical infrastructure in the finance, telecommunications, energy and transport sectors. Budget 2019 provided $144.9 million for this initiative, which is designed to protect the critical cyber systems that underpin the vital services and systems upon which Canadians rely.
CCSPA is intended to set the foundation for securing Canada's critical infrastructure against imminent cyber threats, including ransomware. More secure and resilient critical infrastructure will ensure the safety and well-being of Canadians, while spurring growth and innovation, which are key drivers for our economic recovery.
Ultimately, this legislation would improve the ability of various organizations to prepare, prevent, respond to and recover from all types of cyber incidents, including ransomware. Moreover, this legislation can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
- Date modified: