Cyber Security
Public Safety Canada (PS) is the national cyber security policy lead for the Government of Canada (GoC). The Department works with multiple other departments and agencies to advance the goals of the National Cyber Security Strategy, namely with the Communications Security Establishment; Royal Canadian Mounted Police; Canadian Security Intelligence Service; Department of National Defence; Innovation, Science and Economic Development Canada; Transport Canada; Employment and Social Development Canada; Natural Resources Canada; Global Affairs Canada; and Treasury Board Secretariat.
Relevant Mandate Letter Commitments
- Introduce legislation to safeguard Canada’s critical infrastructure, critical cyber systems and telecommunications systems (5G)
- Advance the National Cyber Security Action Plan
- Develop and implement a renewed National Cyber Security Strategy
- Support innovation ecosystems across the country to support job creation, technology adoption and scale-up
Further Information
National Cyber Security Strategy
The National Cyber Security Strategy (NCSS, the Strategy) was announced through Budget 2018 with $507.7 million earmarked over five years, and $108.8 million per year thereafter. It introduced a new strategic direction for cyber security in Canada, and directly addressed gaps and opportunities within Canada’s current cyber security climate, through its vision of Security and Prosperity in the Digital Age. The Strategy is a horizontal initiative, involving seven partner organizationsFootnote1 delivering 14 initiatives under three key goals:
- Secure and Resilient Canadian Systems: The GoC will better protect Canadians from cybercrime, respond to evolving threats, and help defend critical government and private sector systems.
- An Innovative and Adaptive Cyber Ecosystem: The GoC will support advanced research, foster digital innovation, and develop cyber skills and knowledge to position Canada as a global leader in cyber security.
- Effective Leadership, Governance and Collaboration: The GoC will take a leadership role to advance cyber security in Canada, and will, in coordination with allies, work to shape the international cyber security environment in Canada’s favour.
In 2019 the National Cyber Security Action Plan was released to provide a roadmap of how the GoC will reach the goals of the Strategy.
In June 2022, PS released a Mid-Term Review of the 2018 NCSS. The Mid-Term Review was envisioned as an opportunity to evaluate early returns on investment and explore what further investments would be required to continue to protect Canada and Canadians against cybercrime, the disruption of critical infrastructure, and other cyber threats to national security. The Review found that while the Strategy was performing well and its goals remained appropriate, a much-changed global context and growing threat landscape require a stronger federal response to protect Canada’s national security.
In December 2021, the Prime Minister mandated the Minister of Public Safety, the Minister of National Defence, the Minister of Foreign Affairs, and the Minister of Innovation, Science and Industry, in collaboration with implicated ministers to develop and implement a renewed National Cyber Security Strategy.
As part of the process of developing a new NCSS, PS conducted an online public consultation in 2022 that sought the views from Canadians on the GoC’s approach to cyber security. PS will conduct additional targeted engagement with industry, Indigenous groups, provinces, and territories in Summer 2023 to further refine the new Strategy, which is currently in development.
Bill C-26, An Act Respecting Cyber Security
On June 14, 2022, the Minister of Public Safety introduced Bill C-26 in the House of Commons with a view to protect Canadians and bolster cyber security across the federally regulated financial, telecommunications, energy, and transportation sectors. The Bill was referred to the Standing Committee on Public Safety and National Security (SECU) on March 27, 2023. It is anticipated that Committee study in the House of Commons will begin this Fall.
Bill C-26 consists of two distinct parts. Part 1, led by Innovation, Science and Economic Development Canada (ISED), seeks to amend the Telecommunications Act to add security as a policy objective, bringing telecommunications in line with other critical infrastructure sectors. This will provide the Government with the legal authority to mandate any necessary action to secure Canada’s telecommunications system. This includes prohibiting Canadian companies from using products and services from high-risk suppliers. Part 2, led by PS, introduces the Critical Cyber Systems Protection Act (CCSPA), which would establish a regulatory framework to strengthen baseline cyber security for services and systems that are vital to national security and public safety.
As part of the GoC’s commitment to substantive and meaningful engagement and consultation, since tabling of Bill C-26, PS, ISED, CSE and other implicated federal partners have met with a number of stakeholders, including provinces and territories, private industry, academia, and non-governmental organizations (NGO). PS will continue to engage with industry, provinces and territories, NGOs and other interested stakeholders as Bill C-26 moves through the legislative and regulatory process.
Attribution
PS plays a key role in Canada’s attribution framework, which is led by Global Affairs Canada. This framework is used when the GoC is considering publicly or privately attributing malicious cyber activity to a state actor. PS supports GAC’s strategic assessment through analysis of domestic implications to determine if attribution would bring excessive risk to Canadian critical infrastructure, intelligence operations, law enforcement investigations, or other Canadian interests. Public attribution of cyber incidents holds malicious actors accountable, and is part of our larger approach to deterring future incidents and promoting responsible state behaviour in cyberspace. These attributions are often made in coordination with like-minded partners, and the Minister of Public Safety is regularly a co-releaser.
Ransomware
Ransomware is almost certainly the most disruptive form of cybercrime facing Canadians. The impact of ransomware can be extensive, and often includes core business disruptions, data loss and potentially significant recovery costs. In critical infrastructure sectors, such as health care, ransomware could cause physical harm to individuals or even result in loss of life. While it is criminal, it is also a threat to public safety and national security. As such, PS engages in a number of domestic and international initiatives to mitigate ransomware (e.g., Ransomware Working Group (RWG), Counter Ransomware Initiative (CRI)). The CRI Summit in Washington, D.C. October 31-November 1, 2023 will provide PS with an opportunity to discuss progress to date and the forward plan.
Indo-Pacific Strategy (IPS)
The Indo-Pacific region is central to a number of Canada’s most pressing national and economic security priorities. The IPS aims to advance and defend Canadian interests and values by supporting a more secure, prosperous, inclusive, and sustainable Indo-Pacific, and reaffirms Canada’s role in its emerging security environment. PS and its portfolio agencies have significant stakes in the IPS’ Defence and Security pillar, which includes a Cyber Diplomacy and Security Initiative, which aims to promote responsible state behavior in regional cyber governance, build regional cyber capacity, expand Canada’s cooperation with allies and partners, strengthen Canada’s ability to protect national security and the economy from cyber threats, and aid Canada in detecting foreign influence operations. The initiatives will also support the implementation of the forthcoming new National Cyber Security Strategy.
Canadian Program for Cyber Security Certification (CP-CSC)
The GoC is working to establish a cyber security certification program for defence procurement, that will result in mandatory requirements for select federal defence contracts. PS is actively involved in efforts, led by Public Service and Procurement Canada (PSPC), to establish this program in response to the U.S. Department of Defence launch of the Cyber Maturity Model Certification (CMMC). This would allow Canada to ensure a baseline of cyber security across suppliers to the Department of National Defence (and eventually to sectors beyond defence), as well as help ensure that Canadian firms maintain access to the U.S. market. The establishment of this program will ensure the protection of unclassified federal information held by Canada’s defence suppliers, and that defence contractors which do business in both Canada and the U.S only need to be certified under a single regime. Efforts to establish reciprocity between the programs are currently underway.
Stakeholder Perspectives
There is an expanding desire from stakeholders for increased national engagement on cyber security issues. Essential to future success will be increased collaboration and engagement with industry, academia and other levels to government to collaboratively find solutions to tomorrow’s cyber security challenges. Many CI sectors fall under provincial and territorial authority and require growing national collaboration as threats increase. Provinces, territories, and CI owners and operators are looking to the federal government for guidance and collaboration. Further, as cyber security is, in its nature, borderless, international allies and partners are increasingly focused on engaging with PS to both build domestic resilience and ensure that policy development processes are synchronised, where possible.
Footnotes
- 1
PS, CSE, CSIS, RCMP, ESDC, ISED, NRCan and GAC
- Date modified: