Question Period Note: Protecting critical cyber systems
About
- Reference number: PMO-2022-QP-00003
- Date received: Jun 15, 2022
- Organization: Privy Council Office
- Name of Minister: Trudeau, Justin (Right Hon.)
- Title of Minister: Prime Minister
Suggested Response:
• Cyber threats, including ransomware, are increasingly threatening Canada’s national security and public safety.
• The Government of Canada is committed to protecting the cyber systems that underpin our critical infrastructure and recognizes that, now more than ever, secure and reliable connectivity is a necessity for our daily lives, our collective safety and security and our economic recovery.
• That’s why the Government introduced legislation to increase cyber security in the critical sectors of transport, finance, telecommunications and energy.
• The Critical Cyber Systems Protection Act would establish a regulatory framework to support the improvement of baseline cyber security for services and systems that are vital to national security and public safety and give the government a new tool to respond to emerging cross-sectoral cyber threats.
• This legislation emphasizes our commitment to increasing Canada’s cyber security posture and can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
IF PRESSED ON THE IMPACT OF THE FRAMEWORK ON THE PRIVATE SECTOR
• Provisions of the Act will be rolled out gradually, and consultation between government and industry stakeholders will be conducted.
• Thresholds will be established to determine which companies are designated, and designation will be limited to those companies that support vital services for national security and public safety.
• In addition, funding provided as part of this initiative to the Canadian Centre for Cyber Security will enable it to further deliver on its mandate by continuing to provide advice and guidance to critical infrastructure owners and operators on how to better prevent and address cyber threats and vulnerabilities.
IF PRESSED ON MONETARY PENALTIES
• The CCSPA gives applicable regulators powers to enforce the Act, including the power to issue monetary penalties. These penalties are intended to promote compliance and are not meant to be punitive. Non-compliance with the Act can also result in summary convictions or convictions on indictment. However, such measures are only meant to be used as a last resort in more serious cases.
Background:
Cyber threats are evolving, increasing in frequency and becoming more sophisticated with more damaging consequences for Canada’s economy, national security and public safety.
Cyber incidents, such as those affecting the Colonial Pipeline in the United States and the health care sector in Newfoundland, demonstrate that such threats against critical infrastructure have the potential to seriously compromise national security and public safety. In the worst-case scenario, a successful incident affecting vital services and systems could result in physical injury up to and including loss of life.
The economic and societal costs of cyber incidents and cybercrime, including ransomware, highlight the importance of securing Canada’s critical cyber systems to protect Canadians, governments and organizations so as to ensure a strong foundation for Canada’s economic recovery.
To this end, on June 14, 2022, Minister Mendicino introduced An Act Respecting Cyber Security (ARCS). In addition to amendments to the Telecommunications Act, this legislation introduces the Critical Cyber Systems Protection Act (CCSPA), which is intended to protect Canadians and bolster cyber security across the financial, telecommunications, energy, and transportation sectors. Budget 2019 provided $144.9 million for this initiative, which is designed to protect the critical cyber systems that underpin the vital services and systems upon which Canadians rely.
CCSPA is intended to be the foundation for securing Canada’s critical infrastructure against imminent cyber threats, including ransomware. More secure and resilient critical infrastructure will ensure the safety and well-being of Canadians, while spurring growth and innovation, which are key drivers for our economic recovery.
The Critical Cyber Systems Protection Act (CCSPA) would establish a baseline level of cyber security through a cross-sectoral management-based regulatory scheme applicable to designated operators. The Act would increase cyber threat information sharing and provide the Governor in Council (GIC) with the power to issue Cyber Security Directions to designated operators. In addition, designated operators would be obligated to:
• Establish a Cyber Security Program;
• Mitigate supply chain / third party service or product risks;
• Report cyber security incidents to the Cyber Centre; and
• Implement Cyber Security Directions.
The Act would provide regulators with the powers necessary to enforce the Act (such as audits and Administrative Monetary Penalties) and would create consequences for non-compliance (such as summary convictions or convictions on indictment).
Ultimately, this legislation would improve organizations’ ability to prepare for, prevent, respond to and recover from all types of cyber incidents, including ransomware. Moreover, this legislation can also serve as a model for provinces, territories, and municipalities to help secure critical infrastructure outside federal jurisdiction.
Additional Information:
None