Question Period Note: Cyber Security

•The Government of Canada recognizes that more than ever, secure and reliable connectivity is a necessity for our daily lives and our collective safety and security.
•The Government of Canada has taken an important step to further protect Canada’s critical infrastructure systems with the introduction of Bill C-26, An Act Respecting Cyber Security.
•The proposed legislation amends the Telecommunications Act to add security as a policy objective, bringing telecommunications in line with other critical sectors, and introduces the Critical Cyber Systems Protection Act to create a regulatory framework requiring designated operators in the finance, telecommunications, energy, and transportation sectors to protect their critical cyber systems.
•In addition, my colleagues and I are also working to develop a renewed National Cyber Security Strategy that articulates Canada's long-term plan to protect our national security and economy, deter cyber threat actors, and promote norms-based international behavior in cyberspace.
•As part of the renewal process, Public Safety Canada administered an online public consultation that sought the views of Canadians on the government’s approach to cyber security. Public Safety also consulted provinces, territories, and the private sector. These consultations will inform the approach of the renewed Strategy.
•The Government of Canada is also working to enhance the cyber security of the country’s critical infrastructure through the identification of cyber threats and vulnerabilities, and by responding to cyber incidents.

If pressed
•Public Safety’s Canadian Cyber Security Tool helps owners and operators of Canada’s critical infrastructure to evaluate their cyber maturity against established benchmarks and by peer comparison, while also offering concrete guidance on how they can become more cyber-resilient.
•Public Safety Canada also coordinates and delivers cyber-based exercises for the critical infrastructure community to test and develop capabilities to respond to, and recover from, malicious cyber activities. More broadly, the Department promotes communication and collaboration to raise awareness of cyber threats and risks, including with our international partners.
•Public Safety Canada also works closely with the Communication Security Establishment’s Canadian Centre for Cyber Security to enhance the resilience of critical infrastructure in Canada. The Cyber Centre, in addition to providing public advisories, shares valuable cyber threat information with Canadian critical infrastructure owners and operators.
•Budget 2022 committed $852.9 million to enhance the Communications Security Establishment’s ability to conduct cyber operations, make critical government systems more resilient, and prevent and respond to cyber incidents on critical infrastructure.

Malicious cyber activity directed at the digital systems that underpin essential services and critical infrastructure are a constant concern for businesses, individuals, and all levels of governments in Canada.

Threat Environment
Cyber security is one of our most serious economic and national security challenges. Today, Canada and Canadians are facing a rise in the number and sophistication of threats to national and personal security. Hostile state actors and cyber criminals are targeting our critical infrastructure, government institutions, sensitive scientific information and intellectual property, as well as individual Canadians’ privacy and finances. As the borderless risks that Canada faces in cyberspace continue to grow in size and complexity, Canada is no longer protected by its geography. State and non-state actors continue to challenge Canadian values and interests in non-traditional domains where they operate with near ‘immunity.’ These threats are increasingly significant as they seek to exploit ongoing efforts towards the digitalization of Canada’s economy.

Government of Canada Response
The Government of Canada (GC) is responsible for enforcement against cyber threats, responding to evolving national security threats, and defending critical GC systems. Federal government interventions to protect cyber systems take many forms, including helping to inform potential victims of malicious cyber activity and helping computer security professionals adopt best practices to prevent and react to incidents in order to minimize the impact on essential operations. The federal government also continues to work with provincial and territorial governments, associations, academia and industry, under the auspice of the National Cyber Security Strategy (the Strategy), to advance cyber security policy that can be adapted to these issues.

The Strategy, published in 2018, has three primary goals – secure and resilient Canadian systems; an innovative and adaptive cyber ecosystem; and effective leadership, governance, and collaboration. The subsequent National Cyber Security Action Plan (2019-2024) lays out the specific roadmap that will allow for the realization of the Strategy’s goals.

In the December 2021 mandate letter, the Minister of Public Safety was asked, alongside the Ministers of National Defence, Foreign Affairs, Innovation, Science and Industry, and other implicated Ministers, to develop and implement a renewed Cyber Strategy which will articulate Canada’s long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behaviour in cyberspace.

Moreover, the Minister was asked to contribute to broader efforts to promote economic security and combat foreign interference by introducing legislation to safeguard critical infrastructure, including Canada’s 5G networks to preserve the integrity and security of its telecommunications systems. On June 14, 2022, the Government introduced Bill C-26, An Act Respecting Cyber Security. This proposed legislation is intended to protect Canadians and bolster cyber security across the financial, telecommunications, energy, and transportation sectors.

Budget 2022 included significant investments in cyber security—a total of $892.9M in direct funding for initiatives to enhance Canada’s cyber security through operations; improve prevention and response on critical infrastructure; protect small departments, agencies and Crown corporations; increase resilience; and support research in important technologies like quantum computing and artificial intelligence.

As part of the National Cyber Security Action Plan, Public Safety Canada is leading on several items that will enable critical infrastructure owners and operators to better secure their systems and information. Public Safety works to enhance the cyber security of Industrial Control Systems by raising awareness of risks to these systems and enhancing the capabilities of their operators through symposiums and technical workshops.

In addition, Public Safety has worked closely with the Cyber Centre to develop the Canadian Cyber Security Tool which provides Canadian critical infrastructure organizations with an easy-to-use, online self-assessment tool to strengthen their cyber security posture. Furthermore, Public Safety also offers Canadian critical infrastructure organizations more in-depth, facilitated assessments and analysis of their cyber security programs and practices through the Canadian Cyber Resilience Review and the Network Security Resilience Analysis.

Public Safety’s Regional Resilience Assessment Program’s Cyber Assessments Team has various assessment tools to provide expert advice and guidance to critical infrastructure owners and operators on how to improve their cyber security and cyber resilience posture. This work has been performed in close collaboration with the Cyber Centre, which uses the reports to better understand sectorial gaps and optimally target programs and resources to mitigate cyber risks.

From a national security perspective, CSIS is mandated to investigate cyber-enabled espionage, sabotage, foreign interference and terrorism to determine the motivations and capabilities of threat actors. This intelligence is then disseminated to inform GC partners on cyber attributions, policies, investments and governance.

None