New Canadian law requires financial, energy, telecommunications, transportation sectors to protect critical cyber systems

The Canadian government introduced a legislative bill that seeks to strengthen Canada’s cybersecurity stance across the financial, telecommunications, energy, and transportation sectors. The move would also introduce a regulatory regime requiring designated operators in those sectors to protect their critical cyber systems.

Bill C-26, titled ‘An Act Respecting Cyber Security (ARCS),’ addresses longstanding gaps in the government’s ability to protect the vital services and systems that Canadians depend on. The bill enables the government to designate services and systems that are vital to national security or public safety in Canada as well as the operators or classes of operators responsible for their protection and ensure that designated operators are protecting the cyber systems that underpin Canada’s critical infrastructure. 

“In the 21st century, cyber security is national security – and this new legislation will ensure that Canada’s defenses meet the moment,” Marco Mendicino, Canada’s Minister of Public Safety, said in a media statement. “Most importantly, it will help both the public and private sectors better protect themselves against cyberattacks. This bill is one part of our robust strategy to defend Canada and the crucial infrastructure that Canadians rely on,” he added. 

Jonathon Gordon, directing analyst at Takepoint Research

“The communications sector is a critical industry in itself, but in turn, it facilitates a basic need for every industry,” Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “The proliferation of connectivity, together with sensitive data these networks deliver, has made them a key target for cyberattacks and malicious actors,” he added.

The ARCS bill also ensures that cyber incidents that meet or exceed a specific threshold are reported, compels action by organizations in response to an identified cyber security threat or vulnerability, and provides a consistent cross-sectoral approach to cyber security in response to the growing interdependency of cyber systems.

The proposed legislation seeks to amend the Telecommunications Act to add security as a policy objective, bringing telecommunications in line with other critical sectors. This will provide the Government with the legal authority to mandate any necessary action to secure Canada’s telecommunications system. This includes prohibiting Canadian companies from using products and services from high-risk suppliers.

Last month, the Canadian government said that it intends to prohibit its telecommunications service providers from deploying Huawei and ZTE products and services in their 5G networks. The step follows serious concerns about suppliers such as Huawei and ZTE who could be compelled to comply with extrajudicial directions from foreign governments in ways that would conflict with Canadian laws or would be detrimental to Canadian interests.

Furthermore, the Canadian legislation introduces the Critical Cyber Systems Protection Act (CCSPA), which lays a foundation for securing Canada’s critical infrastructure. It will help organizations better prepare for, prevent, and respond to cyber incidents. This legislation could also serve as a model for provinces, territories, and municipalities to help secure their critical infrastructure in collaboration with the federal government.

“The Government of Canada will always protect the safety and security of Canadians and will take any actions necessary to safeguard our telecommunications infrastructure,” François-Philippe Champagne, Canada’s Minister of Innovation, Science and Industry, said. “The changes announced today will support the long-term security of Canada’s networks while ensuring Canadians can continue to benefit from high-quality and secure telecom services.”

“An attack on a communications provider or through a compromised provider is both very possible scenarios,” Gordon observed.

“Today’s announcement demonstrates our government’s commitment to national security,” Anita Anand, Canada’s Minister of National Defence, said. “These legislative measures will help to further protect Canadians and defend our critical infrastructure in an evolving and increasingly complex digital environment. CSE and its Canadian Centre for Cyber Security will continue to play a critical role in protecting Canada’s security and economic prosperity, and in safeguarding Canadians’ rights, freedoms, intellectual property, and personal privacy.”

The ARCS Act increases cyber threat information sharing and provides the Governor in Council (GIC) with the power to issue Cyber Security Directions (CSDs). A CSD could be issued to direct a designated operator or classes of operators to comply with any measure set out in the direction to protect a critical cyber system. 

CSDs would require designated operators to act based on the measures identified in the CSD, for the purpose of protecting a critical cyber system, and to do so within a specific timeframe. A designated operator who fails to comply with a CSD could be subject to an administrative monetary penalty or face a ‘regulatory offence’ that could lead to fines or imprisonment.

The legislation will also increase collaboration between the private sector and government while providing a framework for the Canadian government to take measures where cybersecurity risks may be inadequately addressed. Under the CCSPA, designated operators will be required to establish a Cyber Security Program (CSP) that documents how they will ensure the protection and resilience of their critical cyber systems. It also requires that reasonable measures be in place to detect cyber security incidents and to minimize the impact of such incidents on critical cyber systems.

Designated operators will also be obligated to mitigate supply chain and third-party service or product risks, report cybersecurity incidents to the Communications Security Establishment through its Canadian Centre for Cyber Security (Cyber Centre), and implement CSDs.

Under the Act, designated operators will be required to report cyber security incidents affecting or having the potential to affect their critical cyber systems to the Cyber Centre for review. A threshold defining this reporting obligation will be set in regulations, it added.

Earlier this year, the Australian government passed the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 on Thursday. The SLACIP Act will boost the security and resilience of the nation’s critical infrastructure framework to safeguard the essential services that Australian citizens rely on from physical, supply chain, cyber, and personnel threats.
