Cybersecurity threats impacting Canada and its businesses are rapidly evolving as the world continues to see an influx of political and economic instability. Data breaches, cyberattacks and other information security incidents are finding themselves centre stage in national security discussions, as borders and physical distance can no longer be relied upon to protect Canadians and their property.
In response to these evolving threats, the Government of Canada has been attempting to upgrade its national security regime by introducing measures designed to protecting against cybersecurity threats to its critical infrastructure. As part of these initiatives, the government has proposed Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, which introduces the Critical Cyber Systems Protection Act ("CCSPA").
The proposed legislation emerges from the government's acknowledgement that some cyber systems are critically important to Canada's infrastructure, economy and national security, and their disruption could have serious consequences for the nation. The CCSPA would establish a framework for the protection of the critical cyber systems of services that are vital to national security or public safety. Many of these systems are prime targets for cybercriminals and state-sponsored actors, given their sensitivity to harmful disruptions.
If the CCSPA becomes law, it would impose a series of obligations on designated operators, as well as their supply chain and party service providers, in four federally regulated sectors: telecommunications, finance, energy and transportation.
As per the CCSPA, designated operators in those four sectors will be to required to:
- Implement a cybersecurity program with risk mitigation measures and a governance framework;
- Mitigate cybersecurity risks within their supply chain;
- Report cybersecurity incidents;
- Abide by directions set out by the Governor in Council; and
- Maintain compliance records.
The CCSPA would also establish broad enforcement powers to regulators to prevent non-compliance and grant authority to the Governor in Council to direct designated operators to comply with any measure set out in the direction for the purpose of protecting a critical cyber system.
Broad Reach of the CCSPA
While the CCSPA's reach may seem limited on its face, this impending legislation has far-reaching implications for many Canadian businesses. In fact, companies providing products or services to federally regulated entities listed by the CCSPA could potentially shoulder some of the burden of establishing more robust cyber protections within these sectors.
As part of their duties, designated operators will be required to monitor cybersecurity vulnerabilities within their supply chain and third-party service providers. This is a key part of the CCSPA, as threat actors are increasingly targeting organizations through their external networks by finding the weakest link.
The focus on critical infrastructure supply chain and service providers results from the ability of threat actors to infiltrate an organization's network perimeter by compromising one of the members in their supply chain or service providers. With businesses using more digitally connected supply chains and outsourced service providers, the technology infrastructures become more globally distributed, resulting in increasing points of vulnerability. Detecting any compromises within this expanded chain of connected businesses can be difficult, which leaves entire networks vulnerable to attack.
These new obligations mean that designated operators under the CCSPA will begin requesting that their suppliers and third-party providers take major steps to improve their cyber resilience. Large organizations are expected to be particularly stringent with their requirements, as they rely heavily on multiple tiers of outsourcing to run their day-to-day operations. This will no doubt cause a downstream effect to many businesses who are currently operating with little to no cybersecurity programs of their own.
The CCSPA is clear in its message to Canadians that building Canada's national cyber resilience requires a collaborative effort across all sectors. The impacts of cyberattacks, no matter how small, can have serious and devastating impacts on businesses as well as unexpected effects on the nation. As Bill C-26 continues its review at the House of Commons, businesses should consider implementing proactive measures in preparation for these changes. Enhancing cybersecurity posture, isolating critical assets and training employees are all important steps that can be taken now to guard against cyber risks and prepare for emerging threats.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.