In recent years, Canada's cybersecurity status has been tested by a variety of threat campaigns targeting critical infrastructure, businesses, and individuals. The increase in digitization has led to the weaponization of digital tools and processes by script kiddies, activists, organized crime agencies, and state-sponsored actors. This resulted in the disruption of critical systems and caused a loss of confidence in physical, psychological, and economic well-being.
The advent of both the COVID-19 pandemic and the Ukraine-Russia conflict has been a catalyst in bolstering national and international cyber defence practices, requiring improved policies, guidance, and cyber intel. With rising geopolitical tensions, government-driven hostile cyber operations are more prevalent now than ever, posing an increased threat level to Canada's security, economic prosperity, and public safety.
The Communications Security Establishment (CSE) identified critical infrastructure and large enterprises with operational technology assets as lucrative targets for ransomware groups [1]. Moreover, Five Eyes cybersecurity authorities have recently urged critical infrastructure operators to harden their cyber defences amidst growing state-sponsored attacks [2].
However, with 85% of Canada's critical infrastructure owned and operated by the private sector, provinces, and non-governmental agencies, standardized cybersecurity practices cannot be achieved through industry-derived policy alone; legal frameworks will continue to see increased use to drive societal cyber defence improvements.
What is Bill C-26?
On June 14, 2022, the House of Commons of Canada introduced Bill C-26, an Act Respecting Cyber Security (ARCS), proposing new cybersecurity requirements that protect vital systems and services pertinent to Canada's security and public safety [3].
The objective of Bill C-26 is to improve security in critical sectors, mitigate cyber risk across federally regulated sectors more effectively, and provide the Government of Canada with greater legislative power to respond to threats accordingly.
The bill has two parts:
- Amending the Telecommunications Act to secure Canada's telecommunications systems and prohibit the use of products and services provided by specific telecommunications service providers. This amendment enforces the ban on Huawei Technologies and ZTE from Canada's 5G infrastructure, as well as the removal or termination of related 4G equipment by 2027.
- Enacting the Critical Cyber Systems Protection Act (CCSPA) to provide a comprehensive regulatory framework to protect cyber systems that underpin Canada's critical infrastructure through risk mitigation and reporting, and to foster collaboration between government entities and operators through information sharing.
The effects of this bill will be far-reaching. The top considerations are:
- The government will have the power to receive, review, assess, and even intervene in cyber compliance and operational situations within critical industries in Canada.
- Mandatory cybersecurity programs for critical industries.
- Enforcement of regulations through regulatory enforcement and law enforcement, with potential financial penalties.