Protecting Critical Cyber Systems
On June 14, 2022, the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security (ARCS). ARCS would enact the Critical Cyber Systems Protection Act (CCSPA), which would establish a regulatory framework to strengthen baseline cyber security for services and systems that are vital to national security and public safety, and would give the Government a new tool to respond to emerging cyber threats. It would also introduce a regulatory regime requiring designated operators in the finance, telecommunications, energy and transportation sectors to protect their critical cyber systems. This is in addition to proposed amendments to the Telecommunications Act, which are also part of the Bill.
The legislation addresses longstanding gaps in the Government’s ability to protect the vital services and systems Canadians depend on by enabling it to:
- designate services and systems that are vital to national security or public safety in Canada as well as the operators or classes of operators responsible for their protection;
- ensure that designated operators are protecting the cyber systems that underpin Canada’s critical infrastructure;
- ensure that cyber incidents that meet or exceed a specific threshold are reported;
- compel action by organizations in response to an identified cyber security threat or vulnerability; and
- ensure a consistent cross-sectoral approach to cyber security in response to the growing interdependency of cyber systems.
New Legislative Tools
The Act increases cyber threat information sharing and provides the Governor in Council (GIC) with the power to issue Cyber Security Directions (CSDs). A CSD could be issued to direct a designated operator or classes of operators to comply with any measure set out in the direction to protect a critical cyber system. CSDs would require designated operators to act based on the measures identified in the CSD, for the purpose of protecting a critical cyber system, and to do so within a specific timeframe (i.e., “operator A must take measure X within Y days”).
A designated operator who fails to comply with a CSD could be subject to an administrative monetary penalty or face a regulatory offence that could lead to fines or imprisonment.
Decision-making by the GIC ensures that a broad range of relevant factors – including national security, economic priorities, trade, competitiveness, international agreements and commitments – are considered when making decisions that have an impact across sectors.
The legislation will increase collaboration between the private sector and government, while providing a strong framework for the Government of Canada to take measures where cyber security risks may be inadequately addressed. Under the CCSPA, designated operators will be required to establish a Cyber Security Program (CSP) that documents how they will ensure the protection and resilience of their critical cyber systems. It also requires that reasonable measures be in place to detect cyber security incidents and to minimize the impact of such incidents on critical cyber systems.
Designated operators will also be obligated to:
- mitigate supply chain and third-party service or product risks;
- report cyber security incidents to the Communications Security Establishment (through its Canadian Centre for Cyber Security (Cyber Centre)); and
- implement CSDs.
Under the Act, designated operators will be required to report cyber security incidents affecting or having the potential to affect their critical cyber systems to the Cyber Centre for review. A threshold defining this reporting obligation will be set in regulations.
This legislation will apply to designated operators of federally regulated services and systems in four priority sectors: finance, energy, telecommunications, and transport.
Schedule 1 of the Act establishes vital services and systems in each of these four sectors. This currently includes:
- telecommunications services;
- interprovincial or international pipeline and power line systems;
- nuclear energy systems;
- transportation systems that are within the legislative authority of Parliament;
- banking systems; and
- clearing and settlement systems.
The GIC has the authority to add or remove sector-specific services and systems from Schedule 1, making them subject to the CCSPA.
Schedule 2 authorizes the GIC to establish classes of operators in each of the vital services or systems listed in Schedule 1. The Government will consult with stakeholders to determine the designation of “Classes of Operators” under the Act. Provided an operator is captured under a class of operators, they are deemed ‘designated’, and subject to the obligations under the Act.
In addition to consultation on Schedule 2, the Government will also engage implicated sectors on the additional regulations necessary for implementing the CCSPA, including the process for reporting cyber incidents.