Parliamentary Committee Notes: Questions and Answers Part 2: Critical Cyber Systems Protection Act
Bill C-26, An Act Respecting Cyber Security
Updated as of July 28, 2023.
Table of Contents
General
- Q1. What is the purpose of Bill C-26, An Act Respecting Cyber Security?
- Q2. What is the purpose of the Critical Cyber Systems Protection Act?
- Q3. What problem is this legislation intended to address?
- Q4. Why is the Government introducing two legislative/regulatory initiatives in the telecommunications sector? How do these initiatives complement one another? How is the CCSPA different from the amendments to the Telecommunications Act?
- Q5. How will the available funding support the implementation of this initiative?
- Q6. What new authorities will the Government have under the CCSPA?
- Q7. What are the timelines for implementing the CCSPA and associated regulations?
- Q8. Will stakeholders be consulted during the regulation-making phase?
- Q9. How will "Classes of Operators" be established? What criteria are the Government going to use?
- Q10. What is the difference between the designation process under the CCSPA and the designation process under the CSE Act?
- Q11. Why were these four sectors chosen? Could this legislation be expanded to other sectors?
Federal-Provincial Considerations
- Q12. Could the CCSPA apply to Provinces and Territories?
- Q13. Who regulates CI protection and cyber security in Canada?
- Q14. Are there instances where a designated operator may be subject to both the CCSPA (and its associated regulations) and provincial legislation (and regulations)?
- Q15. How will the CCSPA (and its associated regulations) co-exist with provincial cyber security laws and regulations?
- Q16. How do Federal-Provincial-Territorial governments, including regulators, work collaboratively in an effort to harmonize federal and provincial regulations and avoid duplication and overlap?
- Q17. Will Provinces and Territories participate in the development of federal regulations necessary for implementing the CCSPA?
- Q18. Does the CCSPA provide mechanisms for information sharing between Federal-Provincial-Territorial governments?
Program Design
- Q19. How will the CCSPA impact designated operators that are subject to the Act?
- Q20. What effect will the CCSPA have on affected federally-regulated critical infrastructure sectors?
- Q21. Does the CCSPA impose specific cyber security standards?
- Q22. Can a third party service provider be identified as a designated operator?
- Q23. Would this legislation create undue burden on small and medium enterprises?
- Q24. Will funding be provided to support designated operators in the implementation of the CCSPA?
- Q25. Can the CCSPA defend against emerging cyber threats such as Artificial Intelligence?
- Q26. Can the CCSPA help prevent an incident such as the mass Rogers outage from occurring?
Incident Reporting
- Q27. Will CCSPA require operators that are subject to the Act to report cyber security incidents?
- Q28. Why is mandatory reporting necessary?
- Q29. Why does the CCSPA not include a requirement to report ransom payments?
- Q30. Why did the Government not require the reporting of incidents to law enforcement?
- Q31. Does the CCSPA provide the CSE with new powers or authorities?
- Q32. The CCSPA would require designated operators to report cyber security incidents to CSE. Under what authority would CSE collect this incident reporting?
- Q33. Does the receipt of cyber security incident reports from Canadian businesses contravene Subsection 22(1) of the CSE Act, which requires that CSE activities "must not be directed at a Canadian or at any person in Canada"?
- Q34. Does cyber security incident reporting to CSE include Canadian Identifier Information (CII) or Private Information (PI)? How is CII/PI protected now, and how will it be protected once the CCSPA comes into effect?
- Q35. If CSE incidentally acquires information related to a Canadian or person in Canada, could it share that information with other government institutions?
- Q36. Could CSE use information collected under its cyber security and information assurance mandate (Section 17) in support of its foreign intelligence (Section 16), defensive cyber operations (Section 18), active cyber operations (Section 19) or technical and operational assistance (Section 20) mandates?
- Q37. In specific circumstances, CSE is permitted to collect information under one of its mandates and use it in support of another one of its mandates. In such cases, how is CII or PI protected? Will this change once CCSPA is enacted?
Privacy, Disclosure and Liability
- Q38. Does the CCSPA protect Canadians' privacy?
- Q39. Does the CCSPA ensure that the information shared by designated operators with the Government is protected from disclosure?
- Q40. Why are designated operators prohibited from disclosing information around the fact that a Cyber Security Direction was issued?
- Q41. Why can't CSDs be disclosed to the public?
- Q42. Why does the CCSPA require that a designated Federal Court judge must keep information secret?
- Q43. Does the CCSPA open up designated operators to increased liability?
- Q44. Does the CCSPA include a "safe harbour" to protect designated operators when they report cyber security incidents and share information with the Government?
Penalties
- Q45. What is the intent of the penalties within the CCSPA?
- Q46. How does the Government expect businesses or individuals to afford a $15M penalty?
General
Q1. What is the purpose of Bill C-26, An Act Respecting Cyber Security?
- Part 1 of the Bill seeks to amend the Telecommunications Act to add security as a policy objective and provide new security-related authorities for the Governor in Council and Minister of Industry. This would bring the framework regulating telecommunications in line with those of other critical sectors.
- Part 2 of the Bill introduces the Critical Cyber Systems Protection Act (CCSPA), which is intended to protect the critical cyber systems that underpin Canada's critical infrastructure in the finance, telecommunications, energy and transportation sectors.
Q2. What is the purpose of the Critical Cyber Systems Protection Act?
- The purpose of the CCSPA is to protect the critical cyber systems that underpin Canada's critical infrastructure in the finance, telecommunications, energy and transportation sectors.
- The CCSPA would establish a regulatory framework to improve cyber security for services and systems that are vital to national security and public safety by:
  - Establishing a requirement for designated operators to have a Cyber Security Plan (CSP) on how they will protect those critical cyber systems;
  - Creating a requirement for designated operators to report cyber security incidents, thus permitting enhanced visibility of the overall threat landscape;
  - Providing a mechanism (Cyber Security Directions) to compel action in response to a cyber security threat or vulnerability; and,
  - Establishing a consistent cross-sectoral approach to cyber security in response to the growing interdependency of cyber systems.
- Where possible, this legislation would build on and strengthen existing security-related authorities and introduce additional regulatory tools (e.g., mandatory incident reporting).
Q3. What problem is this legislation intended to address?
- This legislation is intended to address longstanding gaps in the government's ability to protect the vital services and systems upon which Canadians depend. This includes the:
  - inability to ensure that private operators are protecting the cyber systems that underpin Canada's critical infrastructure;
  - inability to ensure that cyber security incidents are reported;
  - lack of authority to compel action in response to an identified cyber security threat or vulnerability; and,
  - need for a consistent cross-sectoral approach to cyber security in response to the growing interdependency of cyber systems.
- Secure and resilient critical infrastructure is necessary for the safety and well-being of Canadians and underpins Canada's economic growth and recovery.
Q4. Why is the Government introducing two legislative/regulatory initiatives in the telecommunications sector? How do these initiatives complement one another? How is the CCSPA different from the amendments to the Telecommunications Act?
- These two pieces of legislation serve different purposes in their approach to the telecommunications sector.
- The CCSPA will help identify threats and risks to critical cyber systems and will increase their resilience to a broad range of threats across the finance, energy, transportation, and telecommunications sectors. However, the CCSPA is not intended to prohibit the use of products or services from high-risk suppliers.
- The Telecommunications Act amendments will establish a legislative framework that will allow the Government to take action to secure Canada's telecommunications system from the threat of disruption, manipulation and interference. New authorities would enable the government to take action to promote the security of the Canadian telecommunications system. This could include general measures to mitigate risks to the telecommunications system, or it could include prohibiting telecommunications service providers from using products or services that are deemed to pose a threat to Canada's telecommunications system.
- The Telecommunications Act amendments will complement the CCSPA by adding a new policy objective on security and creating security-related authorities for the Governor in Council and the Minister of Industry, bringing the framework regulating telecommunications in line with those overseeing the finance, energy, and transportation sectors.
Q5. How will the available funding support the implementation of this initiative?
- Budget 2019 committed $144.9 million to help protect Canada's critical cyber systems in the finance, telecommunications, energy and transport sectors through the implementation of this Act.
- Funding will support Public Safety Canada, lead departments, and federal regulators in implementing this framework, including consulting with industry stakeholders and working closely with the Communications Security Establishment (CSE) and its Canadian Centre for Cyber Security (Cyber Centre).
- CSE, as the national operational hub for cyber security expertise, would be resourced through this proposal to augment its existing capacity to provide technical advice, guidance, and services to designated operators, regulators, the Minister of Public Safety, and lead departments and their Ministers.
Q6. What new authorities will the Government have under the CCSPA?
- The CCSPA would create a new authority for the Government: under the Act, the Governor in Council (GIC) can issue Cyber Security Directions (CSD) to direct any designated operator to comply with a measure in order to protect a critical cyber system.
- CSDs are meant to fill a gap in the government's authority to compel cyber security measures. The intent is for the GIC to consider whether any other authority to compel these measures already exists before issuing a CSD.
- CSDs would apply to specific designated operators or to certain classes of designated operators and require those designated operators to take the measures identified in the CSD for the purpose of protecting a critical cyber system, and do so within a specific timeframe (e.g., "operator A must take measure X within 30 days").
- A designated operator who fails to comply with a CSD could be subject to an administrative monetary penalty or face a regulatory offence that can lead to fines or imprisonment.
- It is important to note that CSE would not receive any new authorities under the CCSPA. It would leverage its existing mandate under the Communications Security Establishment Act (CSE Act) for cyber security and information assurance to provide technical advice, guidance and services to designated operators and Government of Canada partners. CSE would not assess compliance with regulatory obligations.
Q7. What are the timelines for implementing the CCSPA and associated regulations?
- The provisions of the CCSPA would come into force on a day or days to be fixed by order of the GIC following the regulation-making phase.
- The Government will take a consultative approach in the development of associated regulations and will follow the standard timelines for regulatory development.
Q8. Will stakeholders be consulted during the regulation-making phase?
- Yes. The Government will consult Canadians, including provinces and territories, at all stages of the regulatory process, from before pre-publication in the Canada Gazette, Part I, until the regulations are approved and published in the Canada Gazette, Part II.
- The regulation-making process will be a formal, iterative and collaborative process during which the Government will take a consultative approach that will follow the standard timelines for regulatory development.
- In particular, the Government will engage stakeholders with respect to:
  - The designation of operators under Schedule 2;
  - Cyber Security Programs (CSP); and
  - The process for reporting cyber security incidents.
- Existing regulatory frameworks, standards and best practices will be considered to avoid duplication for jurisdictions and sectors that already have cyber regulations and standards in place.
Q9. How will "Classes of Operators" be established? What criteria are the Government going to use?
- The Government will be taking a consultative approach with stakeholders to determine "Classes of Operators" under the CCSPA. Through the regulation-making process the Government will consult with implicated sectors and stakeholders before the GIC establishes the "Classes of Operators" under Schedule 2 of the Act.
- Work to define "Classes of Operators" will be led by Public Safety Canada, in collaboration with implicated departments and regulators, and in consultation with industry, to bring all the appropriate information to support a GIC decision.
- Only those federally regulated operators who deliver a vital service or system (as per Schedule 1) would be captured under the Act. "Classes of Operators" would be as narrow as possible or as wide as required in order to capture operators whose systems must be protected to ensure the continuity of a designated service or system.
- For example, a class could state that operators that "provide a designated vital service to 5 million people or more" are designated, while another class could restrict this provision to a certain geographic area, de facto designating a single operator or very few operators.
- Publication of Schedule 2 "Classes of Operators and Corresponding Regulators" would mark the beginning of the application of the Act to the designated operators captured under that class; however, where regulations are required, the Act would not be fully effective until these regulations are in force.
- The GIC is authorized to amend Schedule 2 and the "Classes of Operators" that underpin vital services and systems as needed to protect their critical cyber systems.
Q10. What is the difference between the designation process under the CCSPA and the designation process under the CSE Act?
- The designation of critical cyber systems under the CCSPA is a separate and distinct process from the designation of electronic information and information infrastructures of importance to the Government of Canada under the CSE Act.
- Under Subsection 21(1) of the CSE Act, the Minister of National Defence may designate non-government information infrastructures as of importance to the Government of Canada. Once an information infrastructure is designated under the CSE Act, CSE may carry out activities, including under Ministerial Authorization, to support that infrastructure, upon request.
- In order for CSE to provide advice, guidance, and services to operators designated under the CCSPA, those operators would need to be designated under the CSE Act.
Q11. Why were these four sectors chosen? Could this legislation be expanded to other sectors?
- These federally regulated sectors (finance, energy, telecommunications and transportation) were prioritized because of their importance both to Canadians and to other sectors: they are highly interconnected, and an interruption in one of them directly affects the security and resilience of critical infrastructure within and across numerous sectors.
- While these four are currently subject to the CCSPA, the GIC has the authority to add services and systems to, or remove them from, Schedule 1 of the legislation, thereby changing which services and systems are subject to the CCSPA.
- The GIC can do so under two conditions:
  - The service or system is delivered as part of a work, undertaking or business that is under the authority of Parliament – in other words, a federally-regulated sector; and
  - The GIC is satisfied that the service or system is vital to national security or to public safety.
Federal-Provincial Considerations
Q12. Could the CCSPA apply to Provinces and Territories?
- No, the legislative framework only applies to federally regulated services and systems in the finance, energy, telecommunications and transportation sectors.
- However, this legislation can serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction. In sectors that use the same standards across jurisdictions, there is an opportunity for the CCSPA to help build cyber security capacity and expertise to support more resilient systems across sectors and across the country.
- Recognizing that many services and systems that are designated under the CCSPA are dependent on, or interconnected with, other cyber systems that fall outside federal jurisdiction, the Government will continue to engage with provinces and territories to discuss how to better protect Canada's cyber systems through a comprehensive, collaborative Canadian cyber security protection framework.
Q13. Who regulates CI protection and cyber security in Canada?
- Responsibilities for CI in Canada are shared by federal, provincial and territorial governments, local authorities as well as the CI owners and operators – who bear the primary responsibility for protecting their assets and services.
- As CI is often interconnected and interdependent within and across provinces, territories, and national borders, each level of government in Canada has distinct roles and responsibilities related to the regulation of each CI sector.
Q14. Are there instances where a designated operator may be subject to both the CCSPA (and its associated regulations) and provincial legislation (and regulations)?
- It is not uncommon for CI entities to be subject to both federal and provincial regulations.
- It is possible that an entity identified as a "designated operator" under the CCSPA and subject to the Act and associated federal regulations could also be subject to provincial regulations.
- However, it is important to note that the designated operator would only be subject to obligations under the Act and associated regulations for those portions of their infrastructure and critical cyber systems that are federally regulated. Provinces and territories would continue to regulate infrastructure, services and systems within their respective jurisdictions.
- Moreover, during the regulation-making phase, existing regulatory frameworks and international standards will be leveraged to avoid overlap and duplication for jurisdictions that already have cyber security legislation and regulations in place.
Q15. How will the CCSPA (and its associated regulations) co-exist with provincial cyber security laws and regulations?
- The CCSPA and the regulations necessary for implementing the Act are intended to respect and complement existing provincial cyber security legislation and regulations.
Q16. How do Federal-Provincial-Territorial governments, including regulators, work collaboratively in an effort to harmonize federal and provincial regulations and avoid duplication and overlap?
- Pursuant to the Cabinet Directive on Regulation, the Government will work collaboratively with stakeholders, including provincial and territorial governments to ensure harmonization and avoid overlap and duplication with existing provincial regulations.
- As part of this process, the Government will work with stakeholders to reduce regulatory duplication and consider the cumulative impacts of regulations on stakeholders.
Q17. Will Provinces and Territories participate in the development of federal regulations necessary for implementing the CCSPA?
- Yes. The Government will consult Canadians, including provinces and territories, at all stages of the regulatory process, from before pre-publication in the Canada Gazette, Part I, until the regulations are approved and published in the Canada Gazette, Part II.
- The regulation-making process will be a formal, iterative and collaborative process during which the Government will take a consultative approach that will follow the standard timelines for regulatory development.
- In particular, the Government will engage stakeholders with respect to:
  - The designation of operators under Schedule 2;
  - Cyber Security Programs (CSP); and
  - The process for reporting cyber security incidents.
- Existing regulatory frameworks, standards and best practices will be considered to avoid duplication for jurisdictions and sectors that already have cyber regulations and standards in place.
Q18. Does the CCSPA provide mechanisms for information sharing between Federal-Provincial-Territorial governments?
- Yes. Sections 23 and 27 of the CCSPA, if enacted, would provide an additional legal mechanism for the Government to share information collected under the Act with provincial and territorial governments, including confidential information.
- In addition, under its existing authorities, the CSE is currently able to set up agreements and arrangements to exchange cyber security information with provinces and territories.
Program Design
Q19. How will the CCSPA impact designated operators that are subject to the Act?
- The CCSPA would require designated operators to:
  - Establish a CSP to protect their critical cyber systems;
  - Take reasonable steps to manage cyber security risks associated with third parties or supply chains;
  - Report cyber incidents above a certain threshold; and
  - Comply with any CSDs.
- As it is in everyone's best interest to prevent a cyber security incident, industry stakeholders are already taking steps to protect their critical cyber systems. As such, it is not expected that this legislation will impose an undue burden on industry.
- Moreover, it is expected that this legislation will improve our understanding of the cyber threat landscape (through mandatory reporting), which will permit designated operators, and indeed all Canadians, to take more effective action to protect their cyber systems.
Q20. What effect will the CCSPA have on affected federally-regulated critical infrastructure sectors?
- Cyber security incidents have negative effects on public safety, national security and the economy, and may cost businesses a lot of money. Industry is already taking steps to protect their critical cyber systems. As such, it is not expected that this legislation will impose an undue burden on industry.
- Nevertheless, the Government is committed to ensuring the seamless integration of this legislation through ongoing engagement and collaboration with government partners and industry stakeholders.
- As such, the legislation is drafted with the specific intent of limiting undue burden on all designated operators. To this end, the legislation will only take effect once there has been extensive consultation with all affected critical infrastructure sectors through the regulation-making process.
Q21. Does the CCSPA impose specific cyber security standards?
- This Act does not set standards or impose a specific methodology for cyber security. Instead, it creates a regulatory framework to strengthen baseline cyber security protections of the services and systems that are vital to the national security and public safety of Canadians.
- Many operators in Canada already take measures to protect their cyber systems and align closely with recognized cyber security approaches, including for example the widely adopted Cyber Security Framework from the U.S. National Institute of Standards and Technology, or the UK's Security of Network & Information Systems Regulations.
- The use of a framework that is already familiar is expected to minimize the need for operators to modify their existing cyber security approach.
Q22. Can a third party service provider be identified as a designated operator?
- Yes. A third party service provider could be designated as an operator if they deliver a vital service or system as captured under Section 6 and fall within a class of designated operators captured under Section 7 of the Act.
- Additionally, the Act requires that designated operators identify in their CSP risks associated with their use of third-party products and services, notify the regulator of material changes in their use of third-party products and services, and mitigate risks identified with their use of third-party products and services.
- For the purpose of verifying compliance or preventing non-compliance with the Act, the regulators could request that any person, partnership or unincorporated organization provide them with the requested information, as per Section 29 of the Act. This could include third-party service providers.
Q23. Would this legislation create undue burden on small and medium enterprises?
- It is not expected that this legislation would create undue burden on small and medium enterprises (SME). In fact, it is intended to ensure that small businesses, and all Canadians, can rely on systems and services that are vital to their well-being and livelihoods.
- Only those federally regulated operators who deliver a service or system that is vital to national security or public safety, such as those essential to the health, safety, security or economic well-being of Canadians, would be captured under the Act.
- "Classes of Operators" would be as narrow as possible or as wide as required in order to capture operators whose systems must be protected to ensure the continuity of a designated service or system.
- While it is possible that an SME could be captured under an established "Class of Operators", based on the criteria for identifying and establishing these classes, it is not likely. This would only be the case should it be determined that the SME's critical cyber systems must be protected to ensure the continuity of a designated service or system as identified in Schedule 1.
Q24. Will funding be provided to support designated operators in the implementation of the CCSPA?
- While funding will not be provided to support operators in the implementation of the CCSPA, it is important to note that the costs of recovering from a cyber security incident are far greater than the cost to invest in improving one's own cyber security.
- The regime is not intended to force operators to make drastic, costly changes to their cyber security. It strives to establish an iterative process of improving each designated operator's cyber security over time, thereby continually improving cyber security across Canada.
Q25. Can the CCSPA defend against emerging cyber threats such as Artificial Intelligence?
- The CCSPA is designed to be able to adapt and improve Canada's ability to defend and protect against cyber threats from evolving technology, such as AI.
- Under the CCSPA, designated operators will be required to establish a CSP; mitigate supply chain and third-party service or product risks; report cyber security incidents; and implement CSDs. Through these obligations, the Act is intended to create a virtuous cycle in cyber security, whereby designated operators are better able to prevent, detect, respond to and recover from cyber threats and incidents, including those enabled through the use of AI.
Q26. Can the CCSPA help prevent an incident such as the mass Rogers outage from occurring?
- This proposed legislation is intended to be the foundation for securing Canada's critical infrastructure against cyber threats and vulnerabilities. The Rogers outage was caused by a network system failure following an update, and therefore, would not likely have been something that the CCSPA would have been able to prevent.
- That said, this legislation is intended to enhance the resilience of Canada's critical cyber systems, and would improve an organization's ability to prepare, prevent, respond to and recover from all types of cyber security incidents.
Incident Reporting
Q27. Will CCSPA require operators that are subject to the Act to report cyber security incidents?
- Yes, under the CCSPA, designated operators will be required to report certain cyber security incidents affecting or having the potential to affect their critical cyber systems to the CSE.
- The types of incidents to be reported will be outlined in regulations as per Section 135(c) of the Act.
- The new requirement for designated operators to report cyber security incidents will provide invaluable insight into the cyber security threat landscape in Canada. In turn, increased information sharing about threats will allow governments and the private sector to take the right measures to better protect critical and other cyber systems.
- Pursuant to section 17 of the CSE Act, information received through mandatory incident reporting would be analyzed by the Cyber Centre and could be anonymized and aggregated with other reports and information to:
  - provide designated operators with technical advice and guidance to address and recover from cyber security incidents;
  - warn, without delay, other designated operators; and
  - inform Canadians of cyber security risks and trends, without disclosing confidential information.
- Disclosure of sensitive information contained in cyber security incident reports, such as information that could reveal a vulnerability of a critical cyber system, or information that could result in a material financial loss for the designated operator (for example, harm to its reputation), will be limited under the CCSPA to protect it from inappropriate disclosure.
Q28. Why is mandatory reporting necessary?
- CSE's Cyber Centre currently receives reports of cyber security incidents voluntarily provided by critical infrastructure organizations and other businesses, disseminates information and advisories about those threats, and helps coordinate the response to serious incidents.
- But because organizations do not report cyber security incidents consistently, the Government lacks visibility into cyber compromises targeting CI. This hampers the Government's ability to share information about compromises with other vulnerable industries.
- The requirement for designated operators to report cyber security incidents will provide invaluable insight into the cyber security threat landscape in Canada. In turn, increased information sharing about threats will allow governments and the private sector to take the right measures to better protect critical and other cyber systems.
- Information received through mandatory incident reporting will allow CSE's Cyber Centre to provide designated operators with technical advice and suggested actions to contain the compromise or prevent further incidents, and recover from the cyber security incident that has been reported.
- A more complete picture of the cyber security threats facing Canada will better position the Government to develop policy and operational responses. CI operators would also benefit from better threat information. For example, if provided with indicators of compromise, CI operators could scan their own systems for traces of this same compromise.
Q29. Why does the CCSPA not include a requirement to report ransom payments?
- The purpose of this legislation is to protect the federally regulated cyber systems that underpin Canada's critical infrastructure. The reporting of ransom payments, while a useful tool to help authorities identify perpetrators and better understand the illicit currency flows that enable the ransomware model, does not contribute to improving the cyber security posture of designated operators against cyber threats.
- The proposed legislation is focused on the prevention of any and all cyber security incidents, including but not limited to ransomware. By remaining threat and technology agnostic, the proposed legislation is best placed to help designated operators address the wide range of threats that exist now and will emerge in the future.
Q30. Why did the Government not require the reporting of incidents to law enforcement?
- The intent of mandatory reporting is to improve the Cyber Centre's ability, pursuant to its cyber defence mandate, to provide advice and guidance to assist owners and operators in protecting their critical cyber systems.
- Nothing in this Act prevents reporting to law enforcement, and indeed, all victims are encouraged to report cybercrimes, including ransomware attacks, to law enforcement through their local police services or to the RCMP through the Canadian Anti-Fraud Centre website.
Q31. Does the CCSPA provide the CSE with new powers or authorities?
- Although designated operators would, under the CCSPA, now be required to report incidents to CSE, CSE would not receive any new authorities under the CCSPA. CSE would collect this new required reporting pursuant to the cyber security and information assurance mandate outlined in Section 17 of the CSE Act. CSE could also continue to collect voluntarily provided incident reporting as it does currently.
Q32. The CCSPA would require designated operators to report cyber security incidents to CSE. Under what authority would CSE collect this incident reporting?
- The CCSPA would not provide the CSE with new powers or authorities. CSE would collect mandatory incident reporting from designated operators pursuant to its existing cyber security and information assurance mandate outlined in Section 17 of the CSE Act.
Q33. Does the receipt of cyber security incident reports from Canadian businesses contravene Subsection 22(1) of the CSE Act, which requires that CSE activities "must not be directed at a Canadian or at any person in Canada"?
- CSE's activities in this regard are consistent with Subsection 22(1) of the CSE Act as CSE is looking only at the electronic infrastructure that has been impacted by the cyber security incident.
- CSE does not direct its activities at Canadians or persons in Canada when undertaking activities in support of its foreign intelligence, cybersecurity and information assurance, defensive cyber operations or active cyber operations aspects of its mandate.
- CSE is mandated to provide advice, guidance, and services to federal institutions and other designated systems of importance, which can include Canadian companies, as outlined in Section 17 of the CSE Act.
- Activities in support of this mandate, including cyber security incident reporting, are focused on what is happening to a system, and CSE's role is to provide cyber security advice, guidance, and services about the system.
Q34. Does cyber security incident reporting to CSE include Canadian Identifier Information (CII) or Private Information (PI)? How is CII/PI protected now, and how will it be protected once the CCSPA comes into effect?
Currently
- Currently, information is voluntarily submitted to CSE by critical infrastructure operators across all sectors, businesses, IT professionals, and government institutions.
- The majority of information received through cyber security incident reports is technical in nature and does not include personal information.
- CSE has non-disclosure agreements in place with certain systems of importance regarding information sharing. In addition, before someone can submit information to CSE via its web portal, users must read and accept a disclaimer and the terms of a privacy statement.
- Section 24 of the CSE Act requires CSE to ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of information related to them acquired in the course of furthering the foreign intelligence and cyber security and information assurance aspects of CSE's mandate (incidentally collected information).
- Accordingly, any personal information that is provided to CSE through the incident reporting process is handled with the privacy protections of all applicable legislation, including the Privacy Act.
- Additionally, review and oversight bodies such as the NSIRA and the Intelligence Commissioner (IC) serve as additional accountability measures through their regular review of CSE's collection, use, and retention of CII and application of ministerial authorizations.
Under the CCSPA
- Under the CCSPA designated operators would be required to report cyber security incidents to the CSE.
- The specific information that CSE would receive in an incident report has not yet been determined. The development of the incident reporting process, intake forms, and the types of technical data that would be requested, where appropriate, would be part of the regulation development process and carried out in consultation with industry.
- Importantly, the focus of these reports would not be individuals, but rather information pertaining to the critical cyber system that has been impacted by the cyber security incident.
- For example, as part of the regulation development process, CSE will recommend the most relevant types of artifacts, data, and logs from affected devices and networks that could be included in incident reports for effective analysis by the Cyber Centre. This could include information related to cyber threat indicators, the tactics, techniques, and procedures of the actors, exploited vulnerabilities, the incident type(s), the targeted technology asset and any other important facts describing the incident.
- Section 24 of the CSE Act requires CSE to ensure that measures are in place to protect the privacy of Canadians and of persons in Canada in the use, analysis, retention and disclosure of information related to them acquired in the course of furthering the foreign intelligence and cybersecurity and information assurance aspects of CSE's mandate (incidentally collected information).
- Accordingly, any personal information that would be provided to CSE through the incident reporting process would be handled with the privacy protections of all applicable legislation, including the Privacy Act.
- Additionally, review and oversight bodies such as the NSIRA and the IC would serve as additional accountability measures through their regular review of CSE's collection, use, and retention of CII and application of ministerial authorizations.
Q35. If CSE incidentally acquires information related to a Canadian or person in Canada, could it share that information with other government institutions?
- CSE could only share such information in specific and limited circumstances.
- Section 44 of the CSE Act states that information relating to a Canadian or person in Canada that has been acquired, used or analysed through the cybersecurity and information assurance aspect of CSE's mandate as outlined in Section 17 of the CSE Act, may be disclosed to a person or classes of persons designated by the Minister only if necessary to protect:
  - Federal institutions' electronic information and information infrastructure; and
  - Electronic information and information infrastructures designated under Section 21(1) as systems of importance to the Government of Canada.
- Subsection 46(1) of the CSE Act allows for CSE to use and analyse information relating to a Canadian or a person in Canada if it has reasonable grounds to believe that there is an imminent danger of death or serious bodily harm to any individual and that the information will be relevant to the imminent danger.
- Subsection 46(2) specifies that this information may be disclosed to any appropriate person if its disclosure may help prevent the death or serious bodily harm.
- Review and oversight bodies such as the NSIRA and the IC would serve as additional accountability measures through their regular review of CSE's collection, use, and retention of CII and application of ministerial authorizations.
Q36. Could information collected by CSE under its cyber security and information assurance mandate (Section 17) be used in support of its foreign intelligence (Section 16), defensive cyber operations (Section 18), active cyber operations (Section 19) or technical and operational assistance (Section 20) mandates?
- CSE would collect mandatory incident reporting from designated operators pursuant to its existing cyber security and information assurance mandate outlined in Section 17 of the CSE Act.
- The intent in acquiring information through the CCSPA is for CSE to provide advice and guidance to stakeholders at all levels of government, across both federally and provincially regulated sectors, and to Canadians writ large. CSE is not given any new authorities through the CCSPA.
- While it is true that information collected by CSE pursuant to one aspect of CSE's mandate can be used by CSE under another aspect of the mandate, this is only permitted in specific and limited cases that meet the conditions in the CSE Act. For example, CSE may use information about indicators of compromise (IOCs) to help inform activities to counter cyber threats under its foreign intelligence mandate, but must ensure that there are measures in place to protect the privacy of Canadians or persons in Canada in terms of incidentally collected information.
Q37. In specific circumstances, CSE is permitted to collect information under one of its mandates and use it in support of another one of its mandates. In such cases, how is CII or PI protected? Will this change once CCSPA is enacted?
- Pursuant to Section 24 of the CSE Act, CSE must ensure that there are measures to protect the privacy of Canadians or persons in Canada in terms of incidentally collected information.
- Additionally, review and oversight bodies such as NSIRA and the IC serve as additional accountability measures through their regular review of CSE's collection, use, and retention of CII and application of ministerial authorizations.
- The CCSPA will not impact CSE's legislative authorities and privacy responsibilities.
Privacy, Disclosure And Liability
Q38. Does the CCSPA protect Canadians' privacy?
- In this day and age, privacy protection is largely dependent on good cyber security. No cyber system is impenetrable, but continuously improving one's cyber security posture significantly helps reduce the likelihood of a data breach.
- By requiring Canadian critical infrastructure operators to maintain high levels of cyber security, we are also decreasing the likelihood of data breaches on their systems, which often contain personal information and data.
- As always, Canadians are protected by the Canadian Charter of Rights and Freedoms, the Privacy Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to their personal information held by the Government. This includes any personal information that may be collected under Bill C-26.
Q39. Does the CCSPA ensure that the information shared by designated operators with the Government is protected from disclosure?
- Yes, the Act protects confidential information obtained by the Government. This includes information relating to a critical cyber system that:
  - concerns a vulnerability of a critical cyber system or the methods used to protect it and that is consistently treated as confidential by the designated operator;
  - could lead to financial or competitive harms to the designated operator if disclosed; or
  - could interfere with the contractual or other negotiations of a designated operator.
- To protect this confidential information shared with the Government, the Act contains provisions to control and restrict the disclosure of this sensitive information collected under the Act. Inappropriate disclosure of confidential information would be an offence under the Act.
- It should also be noted that this information would not be disclosed under the Access to Information Act (ATIA), and the Privacy Act would continue to apply.
- The confidentiality provisions would not prevent disclosure to the Canadian Security Intelligence Service or law enforcement where the disclosure is otherwise lawful.
Q40. Why are designated operators prohibited from disclosing information around the fact that a Cyber Security Direction was issued?
- CSDs are intended to be used in serious circumstances under the CCSPA where there is an urgent need to address a known threat or vulnerability.
- The purpose of not disclosing orders is to protect the confidential information of designated operators and to avoid follow-on exploitation of vulnerabilities. We do not want to put a target on designated operators' backs.
Q41. Why can't CSDs be disclosed to the public?
- CSDs are intended to be used in serious circumstances under the CCSPA where there is an urgent need to address a known threat or vulnerability.
- The purpose of not disclosing orders is to protect the confidential information of designated operators and to avoid follow-on exploitation of vulnerabilities. We do not want to put a target on designated operators' backs.
- The Minister of Public Safety is, however, required to table an annual report to Parliament which could include, for example, the number of CSDs issued and in what sector(s). Information disclosed to government can be anonymized and used by the Cyber Centre to provide alerts and advisories to industry and Canadians more broadly.
- The National Security and Intelligence Review Agency (NSIRA) and National Security and Intelligence Committee of Parliamentarians (NSICOP) also have review mandates that could be leveraged.
- Finally, there is also a process for judicial reviews for affected designated entities to challenge orders.
Q42. Why does the CCSPA require that a designated Federal Court judge must keep information secret?
- CSDs are subject to judicial review; however, the CCSPA provides that the designated Federal Court judge must keep any evidence and other information provided by the Minister secret from the public, the applicant and their counsel if, in the judge's opinion, its disclosure would be injurious to international relations, national defence or national security, or would endanger the safety of any person.
- A judicial review applicant is entitled to a summary of the evidence and other government information made available to the judge "that enables the applicant to be reasonably informed" of the government's case, excluding the aforementioned injurious information.
Q43. Does the CCSPA open up designated operators to increased liability?
- The Act will ensure that designated operators are protecting the cyber systems that underpin Canada's critical infrastructure, and would help them better prepare for, prevent and respond to emerging cyber threats. In this way, the Act should assist designated operators in reducing risks and liabilities associated with cyber security incidents.
- The Act does, however, rely on both an administrative monetary penalty regime and regulatory offences regime for enforcement of its provisions, which can involve the personal liability of directors and officers that direct, authorize, assent to, acquiesce in or participate in a violation of the CCSPA.
- However, designated operators have the right to make representations and exercise a defence of due diligence. Regulators are granted discretion to correct errors in a notice of violation, cancel it or enter into compliance agreements with terms the regulator considers appropriate, including the reduction of the amount of the penalty in part or in whole.
Q44. Does the CCSPA include a "safe harbour" to protect designated operators when they report cyber security incidents and share information with the Government?
- No. The CCSPA does not include a "safe harbour" regime that would reduce or eliminate designated operators' legal or regulatory liability.
- The CCSPA does include provisions for the protection of confidential information provided pursuant to this Act.
- And while the Act does include an "administrative monetary penalty" and "regulatory offences" regime for enforcement of its provisions, the purpose of a penalty is to promote compliance with the Act; it is not meant to be punitive.
- To this end, a designated operator may enter into a compliance agreement with its regulator, which may reduce the penalty in whole or in part.
- Moreover, due diligence is a defence in a proceeding in relation to a violation.
Penalties
Q45. What is the intent of the penalties within the CCSPA?
- The CCSPA provides applicable regulators powers to enforce the Act, including the power to issue administrative monetary penalties. These are intended to encourage compliance with the Act and are not meant to be punitive.
- Non-compliance with certain provisions of the Act can also result in summary convictions or convictions on indictment. These include the hybrid offences of contravening a CSD, disclosing information about the existence or contents of a CSD and disclosing confidential information in circumstances not permitted under the Act.
- Proceeding with an act or omission as a violation would preclude proceeding with it as an offence and vice versa.
Q46. How does the Government expect businesses or individuals to afford a $15M penalty?
- The mandatory penalty in respect of each violation may be fixed by regulations. The CCSPA would impose a maximum threshold for administrative monetary penalties of $1M in the case of individuals, and $15M in the case of organizations.
- These thresholds were set by reviewing existing legislation and ensuring they were set high enough so that, through sector-specific regulation development in consultation with partners, they can be brought to the acceptable level for each sector.
- Furthermore, the amount of a penalty is to be determined by taking into account a range of factors including:
  - the designated operator's history of compliance or non-compliance with the Act;
  - the nature and scope of the violation;
  - whether reasonable efforts were made to mitigate the effects of the violation; and
  - whether the violation contributed to any economic or competitive benefit.