The Great White North, or as we call it, Canada, has been dealing with a rise in malicious cyber activity, ranging from cyber-attacks to ransomware, and has spent approximately $4.8 billion on cybersecurity. Many of these attacks go unreported, and almost half of those that are reported have targeted critical infrastructure organisations. Amid all this, Marco Mendicino, the Minister of Public Safety, has introduced new legislation, Bill C-26, An Act respecting cyber security. The Bill aims to bolster cyber security norms in key federally regulated sectors. As Canada currently has no explicit legal mechanism to address such threats, the bill would empower regulators to impose fines or pursue summary-conviction offences to ensure compliance.
Currently, the bill covers four critical infrastructure sectors – Telecommunications, Finance, Energy, and Transportation – and would require companies in these sectors to toughen their cyber security and confidentially share cyber threat information with the federal government. Further, specific companies that are high risk and vital to national security would be “designated”, and these designated operators would become the federal government’s focus.
After the proposed legislation is passed, government departments will meet with the companies and provide further details on how breaches are to be reported, what the timeline for reporting will be, and what information the reports must include. The designated companies would also have to “keep records of how they implement their cyber security program, every cyber incident they have to report, any step taken to mitigate any supply-chain or third-party risks and any measures taken to implement a government ordered action.”
Once passed, Bill C-26 would amend the Telecommunications Act and enact the Critical Cyber Systems Protection Act (CCSPA).
Amendments to the Telecommunications Act
The act governs telecom and internet providers, and the proposed amendments would add security as one of its policy objectives, bringing telecommunications in line with other critical sectors. This would grant the government legal authority to mandate the actions necessary to secure Canada’s telecommunications systems, including prohibiting companies from using products and services from “high-risk providers”. The regulators would include the Canadian Radio-television and Telecommunications Commission (CRTC) and Innovation, Science and Economic Development Canada (ISED).
This would provide legal backing to the earlier announcement prohibiting, and requiring the removal of, any 5G equipment sourced from Huawei or ZTE. The move, delayed for years by diplomatic feuds, brings Canada in line with its closest allies, notably the United States.
The Critical Cyber Systems Protection Act (CCSPA)
The act lays down the framework for securing Canada’s critical cyber infrastructure that falls under federal jurisdiction and is vital to national security or public safety. It would help companies better prepare for, prevent and respond to cyber security incidents, creating a baseline level of protection in critical sectors.
Further, the CCSPA would allow the government to issue cyber security directions to the designated companies. The companies would be obligated to:
- Establish a cyber security program
- Mitigate any supply chain/third party service or product risks
- Report cyber security incidents to the Canadian Centre for Cyber Security
- Implement any cyber security directions
The regulators with authority to enforce these cyber security provisions would include ISED, the Office of the Superintendent of Financial Institutions (OSFI), the Bank of Canada, Transport Canada, the Canadian Energy Regulator, and the Canadian Nuclear Safety Commission.
Initially, only the four key sectors mentioned above would be included, but sectors such as agriculture and manufacturing may be added later. Further, the federal government hopes the legislation will serve as a model for provinces and territories to enact cyber security legislation governing entities like hospitals, police departments, and local governments.
The proposed legislation has been hailed as a positive step in cyber security and puts Canadian law on similar lines to that south of the border in the US. It would require designated operators to report breaches, ransomware attacks, and ransom demands to their regulators, with particular attention to supply chain risks. Companies in these critical sectors would need to revise their security frameworks to meet compliance. It is hoped that the changes will bolster Canada’s national security and protect citizens’ privacy.