Bill C-26: The increased importance of Canadian cybersecurity

On June 14, the House of Commons introduced Bill C-26: An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26). This bill is presented in two parts:

• The first is to amend the Telecommunications Act to promote the security of the Canadian telecommunications system;
• The second is to enact the Critical Cyber Systems Protection Act (CCSPA), designed to protect critical cyber services and systems that are vital to national security or public safety or are delivered or operated within the legislative authority of Parliament (together, the Acts).

Under both Acts, the Governor in Council (governor) and the Minister of Industry (minister) will be afforded additional powers. While it appears that the general application of Bill C-26 and the powers granted thereunder will be undertaken by the minister, the governor will also have powers to directly intervene to secure systems and services vital to Canada. This may prove useful when a situation warrants a rapid response.

Part I: Amending the Telecommunications Act

The Canadian government has predicted that ransomware will continue to pose a threat to Canada’s security and economic prosperity. To protect against these threats, and balance the integration of new technologies with the ongoing need for cybersecurity, the Telecommunications Act will be amended to promote the security of the Canadian telecommunications system as a policy objective. The amendments will impact any transmission facility of a Canadian carrier, including but not limited to, local voice service providers, voice-over-IP service providers, internet service providers, long distance service providers, and wireless and payphone service providers.

Security of the Canadian Telecommunications System

These amendments grant the governor specific powers to secure the Canadian telecommunications system. If the governor believes the security of the telecommunication systems is threatened, either by interference, manipulation or disruption, the governor may prohibit a telecommunications service provider from using or providing certain products and/or services, regardless whether the other party in question is an individual or a service provider. Similarly, the governor may prohibit a telecommunications service provider from providing services to a specific person, including a telecommunications service provider, or suspend services for a specified time.

The minister may similarly order a telecommunications service provider to:

• Prohibit from using or direct to remove any specified product from its provision of services;
• Prohibit, suspend or impose conditions on the provision of services to a specific person, including another telecommunications service provider;
• Prohibit from entering into service agreements relating to its telecommunications network or facilities or terminate specific service agreements;
• Develop a security plan in relation to its telecommunication services, including conducting vulnerability identification assessments and taking steps to mitigate any vulnerabilities; or
• Implement regulated standards in relation to its services, networks, or facilities, among others.

Additionally, the governor will have the power to make regulations relating to the above orders.

To promote compliance, telecommunication service providers may be subject to administrative monetary penalties (AMPs) of up to C$10 million for each day of non-compliance, and up to C$15 million for subsequent contraventions.

Part II: The introduction of the CCSPA

Notably, the CCSPA introduces the protection of critical cyber systems in the federally regulated private sector. A “critical cyber system” means a cyber system that, if compromised, could affect the continuity or security of a vital service or system. Schedule 1 to the Act outlines that these vital services or systems are: (i) telecommunications services; (ii) interprovincial or international pipeline and power line systems; (iii) nuclear energy systems; (iv) transportation systems that are within Parliament’s legislative authority (under federal jurisdiction); (v) banking systems; and (vi) clearing and settlement systems.

The purpose of the CCSPA is to:

• Ensure the identification and effective management of any cybersecurity risks, including risks associated with supply chains and using third-party products and services;
• Protect critical cyber systems from being compromised;
• Ensure the proper detection of cybersecurity incidents; and
• Minimize the impacts of any cybersecurity incidents on critical cyber systems.

If passed, the CCSPA will apply to a class of operators who carry on work subject to federal jurisdiction, and the regulator for this class. Subject to any extensions granted by the regulator, all operators under this definition will have 90 days to establish a cybersecurity program that meets the four purposes outlined above, and to notify and provide the regulator with its program. The CCSPA requires operators to annually review their programs, or as otherwise prescribed by the regulations, and to notify the regulator of any changes to their programs.

The CCSPA gives the governor the authority to direct operators to comply with any measure for the purpose of protecting a critical cyber system. Operators are prohibited from disclosing the contents of the direction with limited exceptions.

If any cybersecurity risks associated with the operator’s supply chain or its use of third-party products and services are identified, the operator must take reasonable steps to mitigate those risks. While the Act doesn’t give any indication of what kind of steps will be required from operators, such steps may be prescribed by the regulations later.

In order to request advice, guidance or services from the Communications Security Establishment (CSE), or in respect of the exercise of a regulator’s duties, an appropriate regulator may provide the CSE with any information, including confidential information, regarding an operator’s cybersecurity program.

The Act also addresses cybersecurity incidents, which are defined as incidents, including acts, omissions or circumstances, that interfere or could interfere with the continuity or security of vital services and systems, or the confidentiality, integrity or availability of the critical cyber systems touching upon these vital services and systems. No indication is given as to what would constitute interference under the Act. In the event of a cybersecurity incident, a designated operator must immediately report the incident to the CSE and the appropriate regulator. At present, the Act does not prescribe any timeline or give other indication as to how “immediately” should be interpreted.

Takeaways

The landscape of Canadian cybersecurity is ever-changing, and Bill C-26’s introduction addresses this rapidly evolving industry. As Bill C-26 goes through subsequent stages, it will be interesting to see how changes to both Acts will shape Canada’s cybersecurity landscape.

While it’s evident Canada’s appetite for cybersecurity risk is low, in the absence of regulations, some uncertainty remains on how detailed the cybersecurity programs must be, or how industries will need to alter their existing agreements and policies to accommodate these amendments. Nevertheless, the Canadian government’s introduction of Bill C-26 follows on some initiatives brought forward by the US and other jurisdictions regarding cybersecurity awareness and response with regard to critical infrastructure, and mirrors many of the requirements introduced in these other jurisdictions.

For the time being, Bill C-26 has passed the first reading in the House of Commons. As it makes its way through the legislative process, we will continue to provide updates on its implementation.