Protection of critical cyber systems: Canada introduces new legislation under Bill C-26

With Canada's proposed regulatory framework for the protection of critical cyber systems, organizations in various sectors may be subject to new requirements in the operation of systems vital to national security or public safety.

On June 14, 2022 the Government of Canada introduced Bill C-26, An Act Respecting Cyber Security in an effort to “protect Canada’s critical infrastructure”. While Part 1 of Bill C-26 amends the Telecommunications Act and Canada Evidence Act, Part 2 enacts the Critical Cyber Systems Protection Act (“CCSPA” or the “Act”), which would provide a new framework for the protection of critical cyber systems for services and systems vital to national security or public safety.

As parliamentary business will resume in September 2022 in Ottawa, many stages of the legislative process remain before Bill C-26 is passed and the CCPSA is enacted.  Until then, we can expect that a number of provisions will be added, modified or removed. Nevertheless, considering the scope of the regulatory framework to be established and the multiple requirements it entails, impacted organizations should closely monitor the Bill’s progression.

We provide a few of the key highlights of the proposed CCSPA below.

1. Applicability

The Preamble to the proposed CCSPA establishes that the Act serves to impose obligations on organizations that have cyber systems that “are critically important to vital services and vital systems” such that their “disruption could have serious consequences for national security or public safety”.

Once enacted, the CCSPA will apply to federally regulated persons, partnerships or unincorporated organizations belonging to a class of operators that will be listed in Schedule 2 of the Act,[1] i.e., designated operators, that own, control or operate a critical cyber system.[2] Schedule 2 will also include a list of regulators corresponding to each class of operators.[3]

While a cyber system is broadly defined as “a system of interdependent digital services, technologies, assets or facilities that form the infrastructure for the reception, transmission, processing or storing of information”,[4] the definition of “critical cyber system” further delineates the proposed legislation’s scope:

critical cyber system means a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.[5]

“Vital services” and “vital systems” are set out under Schedule I of the CCSPA, and the Governor in Council may add a “service that is delivered, or a system that is operated” within the legislative authority of Parliament, if the Governor in Council is satisfied that the service or system is vital to national security or public safety. In this first version of Bill C-26, the following services or systems are referred to under Schedule 1:

• Telecommunications services;
• Interprovincial or international pipeline or power line systems;
• Nuclear energy systems;
• Transportation systems (federally regulated);
• Banking systems; and
• Clearing and settlement systems.

This assessment and the resulting qualification as a "critical cyber system" triggers several new requirements for designated operators. Additional guidance on how to assess whether the compromise of a given cyber system could affect the "continuity" or "security" of those services or systems would be useful.

2. Establishment of a cyber security program

The proposed CCSPA provides that a designated operator must, within 90 days after being designated a part of that class, establish a cyber security program in respect of its critical cyber systems, including reasonable steps to:

(a) identify and manage any organizational cyber security risks, including risks associated with the designated operator’s supply chain and its use of third-party products and services;

(b) protect its critical cyber systems from being compromised;

(c) detect any cyber security incidents affecting, or having the potential to affect, its critical cyber systems;

(d) minimize the impact of cyber security incidents affecting critical cyber systems; and

(e) do anything that is prescribed by the regulations.[6]

The designated operator also has to provide its cyber security program to the regulator,[7] as well as periodically review the program and notify the regulator of changes.[8]

3. Mitigation of supply-chain and third-party risks

As soon as a designated operator identifies any cyber security risk associated with its supply chain or its use of third-party products and services, it has an obligation to “take reasonable steps, including any steps that are prescribed by the regulations, to mitigate those risks”.[9]

Should Bill C-27 become law, guidance documents or regulations can be expected to provide clarification on how to determine what might constitute reasonable mitigation steps to fulfill this obligation.

4. Reporting of cyber security incidents

A designated operator would have to immediately report a cyber security incident in respect of any of its critical cyber systems to the Communications Security Establishment (“CSE”),[10] Established in 2019, CSE is a national agency that provides the federal government with information technology security and foreign signals intelligence.

This obligation is in addition to similar reporting obligations that exist under other regulatory frameworks, such as privacy legislation. In this regard, we note that the government recently proposed Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (“Bill C-27). Under Bill C-27, the federal government notably proposes to enact a new statute to protect personal information in the private sector. While Bill C-27 will be the subject of a separate article, we note that the reporting obligation under the privacy legislative framework is triggered when a breach of security safeguards involving personal information creates a real risk of significant harm to an individual.

Under the CCSPA, based on the definition of “cyber security incident”, the reporting threshold is rather tied to an assessment of the interference (or potential interference) of an incident on (a) the continuity or security of a vital service or system or (b) the confidentiality, the integrity or the availability of the critical cyber system.[11]

We note that reporting a cyber security incident to the CSE does not absolve a designated operator from notifying its regulator.[12]

5. Compliance

As proposed under Bill C-26, the CCSPA also includes a number of provisions regarding the powers of relevant authorities and the directives and orders they can issue to ensure compliance with the legislation.

Section 20 of the proposed legislation allows the Governor in Council to issue an order directing a designated operator or a class of operators to comply with any measure for the purpose of protecting a critical cyber system.[13] A direction would specify the measures to be taken, the period within which the measures are to be taken, and any conditions imposed on the designated operator.

The Act also includes the power for a regulator, such as the Office of the Superintendent of Financial Institutions, to order a designated operator to conduct an internal audit of its practices, books and other records to determine the designated operator’s compliance with the act or the regulations and to report the results of its audit to the regulator.[14] In addition to internal audit orders, regulators also have the power to order a designated operator to terminate the contravention to any provision of the Act or the regulations and to take any measure to comply with the provision’s requirements or mitigate the effects of non-compliance.[15]

Regulators could even enter “a place” to verify compliance or prevent non-compliance with the Act if they have “reasonable grounds to believe that an activity regulated under this Act is being conducted or any document, information or thing that is relevant to that purpose is located”. The proposed legislation currently provides broad powers of entry for the regulators, including the right to “examine anything in the place”, to use any cyber system for the purpose of examining any information contained in it, and to examine, copy or take extracts of any record, report, data or other document.[16] Except for the requirement to obtain a warrant or the consent of the occupant in the case of a dwelling-house,[17] there appear to be few restrictions on the use of these broad powers.

In reviewing these powers, the objective of establishing regulatory oversight of critical cyber systems is clear. However, in its current form, Bill C-26 raises a number of questions about both the reasonable exercise of these powers and the effective capacity of regulators to use them.

6. Record-keeping

The designated operators also have an obligation to keep records respecting (a) any steps taken to implement their cyber security program, (b) every cyber security incident reported to the CSE, (c) any steps taken to mitigate supply-chain or third-party risks, (d) any measures to implement a cyber security direction, and (e) any matter prescribed by the regulations.[18]

7. Violations and offences

The proposed CCSPA provides administrative monetary penalties for violations of the Act and its regulations as well as offences for specific contraventions. Administrative monetary penalties could be imposed on any designated operator or other person that contravenes or fails to comply with a provision of the Act or its regulations.  The maximum amount for such penalties is currently set at $1,000,000, in the case of an individual, and $15,000,000, in any other case.[19] Directors and officers of a designated operator may also be found liable to a penalty if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation.[20]

Finally, the Act also sets forth a series of offences for the contravention of specific provisions of the Act, such as the reporting obligations for cyber security programs and cyber security incidents.[21] As with administrative monetary penalties, a director or an officer that directed, authorized, assented to, acquiesced in or participated in the commission of the offence is a party to the offence and is liable on conviction to the punishment provided for by the Act.

CONCLUSION

Over the last few years, organizations that operate cyber systems in all sectors have become acutely aware of cyber security issues. Whether in response to a previous security incident or following the evolution of the privacy legislation, many have already implemented organizational and technical measures to further secure their systems.

With the intensification of cyber attacks on critical infrastructure entities, other governments have also adopted legislation requiring these entities to report cyber attacks.[22] The introduction of Bill C-26 reflects the federal government's intention to strengthen the protection of the vital services and systems on which Canadians rely.