The Bill does two things. First, it amends the Telecommunications Act by adding the promotion of the security of the Canadian telecommunications system as an objective of Canadian telecommunications policy and it authorizes the Governor in Council and the Minister of Industry to direct telecommunications service providers to do anything, or refrain from doing anything, that is necessary to secure the Canadian telecommunications system. These orders may be made public, or not, the Governor in Council will have that discretion. If they are not, disclosing their existence will result in penalties.
Those unwilling to comply with future directives could face monetary penalty or even jail time. As for compensation, the Bill makes it clear that no one will be entitled to compensation to cover losses resulting from an order made under these new powers.
Bill C-26 also creates the Critical Cyber Systems Protection Act, which we’re told will provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament.
Under this new Act, the Governor in Council will be able to designate any service or system as a vital service or vital system. It will also be given the power to establish classes of operators within a vital service or vital system and require those designated operators to, among other things, establish and implement cyber security programs, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions. Again, there are consequences for non-compliance.
The operators are yet unknown but the first list of vital services or vital systems have already been identified.
- Telecommunications services;
- Interprovincial or international pipeline and power line systems;
- Nuclear energy systems;
- Transportation systems that are within the legislative authority of Parliament;
- Banking systems; and,
- Clearing and settlement systems.
These are the earliest of days for this Bill and the cyber security industry, not to mention the current list of identified vital industries really haven’t had an opportunity to digest it all. Much could change as the Bill makes its way through our parliamentary system and the regulatory process. Expect lobbying to be quite intense.
That said, two things are immediately clear. The demand for cyber security products and services in critical areas of the Canadian economy will be rising. Also, regulators would be wise to continue consulting the cyber security industry to make certain that future regulatory requirements keep pace with the ever-changing cyber attack surface and the innovative responses to these developments that the private sector is producing.
If you would like to know more about how to voice your concerns with key government decision-makers and help shape policies that are sound and effective, reach out to Fernando.