Parliamentary Committee Notes: ARCS High Level Overview
Part 1: Telecommunications Act (TA) Amendments
- The TA would be amended to add “to promote the security of the Canadian telecommunications system” as a policy objective.
- An order-making power tied to that objective would be created for the Governor in Council (GIC) and the Minister of Industry that could be used to compel action by Canadian Telecommunications Service Providers (TSPs), if deemed necessary.
- With these authorities, the Government would have the ability to take security-related measures, much like other federal regulators can do in their respective critical infrastructure sectors.
- Innovation, Science and Economic Development Canada (ISED) will exercise regulatory responsibilities, and an administrative monetary penalty scheme would be established to promote compliance with orders and regulations made by the GIC or the Minister of Industry.
- Once amendments to the Telecommunications Act receive Royal Assent, GIC or Ministerial Orders could be issued to TSPs.
Part 2: Critical Cyber Systems Protection Act (CCSPA)
General
- The CCSPA will be implemented collaboratively by six departments and agencies across the Government of Canada (Public Safety, Innovation, Science and Economic Development, Transport Canada, Natural Resources Canada, Finance, and the Communications Security Establishment), in recognition that cyber security is a horizontal issue that should have the same objectives and be addressed through a streamlined government response across sectors.
- Schedule 1 of the Act designates services and systems that are vital to the national security or public safety of Canadians. Currently, Schedule 1 includes:
- Telecommunications service;
- Transportation systems;
- In the finance sector: Banking systems and clearing and settlement systems; and
- In the energy sector: Interprovincial or international pipeline and power line systems and nuclear energy systems.
- Schedule 2 of the Act will define Classes of Operators of the Vital Services and Systems identified in Schedule 1. Operators captured in a class are designated operators subject to the Act.
- Minister of Public Safety (PS): In line with the responsibility to exercise leadership in matters related to national security and public safety, the Minister will have overall responsibility for the legislation, and lead a number of CCSPA-related processes.
- Other Ministers and Governor in Council (GIC): Decision-making by GIC under the CCSPA ensures that a broad range of relevant factors – including national security, economic priorities, trade, competitiveness, international agreements and commitments – are considered when making decisions that have an impact across sectors.
- Regulators: The CCSPA leverages regulators' expertise and relationships with entities they already regulate under existing legislation (footnote 1). Schedule 2 of the CCSPA will identify both the classes of designated operators and the regulator responsible for enforcing the CCSPA for each class.
- Cyber Centre: The Cyber Centre is responsible for receiving reports of cyber security incidents under the CCSPA, allowing it to use this information to inform the Government and all cyber system operators of cyber security threats, and of how to better prepare for, protect against and recover from cyber incidents. It will receive resources to provide advice, guidance and services to:
- Designated operators in order to help them protect their critical cyber systems;
- Regulators in support of their duties and functions to monitor and assess compliance; and
- Public Safety and lead departments and their ministers as required, to support them in exercising their powers and duties under the Act.
Obligations of Designated Operators
Cyber Security Program
- The CCSPA will require designated operators to establish a Cyber Security Program (CSP) that documents how the protection and resilience of their critical cyber systems (CCS) will be ensured.
- CSPs must be established by designated operators within 90 days of becoming subject to the Act (i.e. when they fall into a class of designated operators published in Schedule 2 of the CCSPA). Once established, the CSP must be implemented, and must be maintained by the designated operator to keep it up to date and responsive to changing threats and evolving technology.
- CSPs must include reasonable steps to:
- Identify and manage organizational cyber security risks, including risks associated with the operator's supply chain, and the use of third party products and services;
- Protect their critical cyber systems from compromise;
- Detect cyber security incidents affecting, or with the potential to affect CCS; and
- Minimize the impact of cyber security incidents affecting critical cyber systems.
Mitigation of Supply Chain Risks
- With the increasing complexity of supply chains (footnote 2), and increased reliance on third-party products and services (for example, cloud-based data storage or infrastructure-as-a-service), designated operators can be exposed to significant cyber security risks from those sources. When, through its CSP, a designated operator identifies a cyber security risk to its CCS in relation to its supply chain or its use of third-party products or services, the CCSPA requires that designated operator to take reasonable steps to mitigate those risks.
- Taking “reasonable steps” to mitigate the risk is understood as:
- Reducing the likelihood of the risk materializing (for example, securing its supply chain by crafting contractual agreements that give it more visibility into equipment manufacturing, or by choosing another equipment supplier); or
- Reducing the impact of a risk that materializes.
Mandatory Reporting of Cyber Security Incidents
- The new obligation to report cyber security incidents created under the CCSPA will provide the Government of Canada (GC) with a reliable source of information about cyber security threats to critical cyber systems. The availability of incident reports will enhance the Canadian Centre for Cyber Security's (CCCS) visibility into the overall threat environment.
- Findings from the analyses of incident reports will make it possible for the CCCS to warn other designated operators and any operator of a cyber system of potential threats or vulnerabilities, and to inform Canadians of cyber security risks and trends, allowing one organization's detection to become another's prevention.
- Under the CCSPA, designated operators will be required to report cyber security incidents affecting or having the potential to affect their critical cyber systems to the Communications Security Establishment, for use by the CCCS.
- The threshold that triggers this reporting obligation will be set in regulations.
Cyber Security Directions
- Through a variety of mechanisms, the Government of Canada can be made aware of potential risks to national security or public safety that result from cyber security vulnerabilities and associated threats to critical cyber systems and the vital services or systems that they underpin.
- The CCSPA creates a new authority for the Government: under the Act, the GIC may issue Cyber Security Directions (CSDs) when it decides that specific measures should be taken to protect a CCS from a threat or a known vulnerability.
- CSDs would apply to specific designated operators or to certain classes of designated operators, and require those designated operators to take the measures identified in the CSD for the purpose of protecting a CCS, and do so within a specific timeframe (e.g. “operator A must take measure X within 30 days”).
- A designated operator who fails to comply with a CSD could be subject to an administrative monetary penalty or face a regulatory offence that can lead to fines or imprisonment.
- The CCSPA also includes safeguards to ensure that sensitive information – for example, information that was obtained in confidence from Canada's international allies – is protected from disclosure.