Bill C-26 is proposed legislation intended to bolster cybersecurity by amending the Telecommunications Act and other relevant legislation. It was recently introduced in the House of Commons of Canada "to modernize the tools available to law enforcement and national security agencies to investigate and combat online threats."
If passed, Bill C-26 would give Canadian law enforcement and intelligence agencies new powers to collect data on Canadians and order companies to hand over customer information. The most salient feature of the proposed Act is that the government can mandate telecommunications service providers to adhere to specific Canadian cybersecurity requirements to protect the country's telecommunications system.
The proposed legislation will pave the path for implementing the Critical Cyber Systems Protection Act (CCSPA), which gives the government the authority to classify critical systems and enforce data protection duties on their operators.
How will it bolster Canadian cybersecurity?
The Canadian government believes that ransomware will continue to threaten the country's security and economy. The lawmakers seek to amend the Telecommunications Act to make security a policy priority for the Canadian telecommunications system by incorporating new technologies. These changes will affect all Canadian carriers' transmission facilities, including but not limited to local voice, VoIP, internet, long-distance, wireless, and payphone services.
The proposed amendments will give the governors special powers to secure the Canadian telecommunications system. Governors can prohibit telecommunications service providers from using or providing certain products and services if they believe the systems' security is at risk due to interference, manipulation, or disruption. The governor can also stop the provision of telecommunications services to individuals, including the telecommunications service provider, for a certain period.
Similarly, a minister may direct a telecommunications service provider to:
Prohibit the use of or command the removal of any product from its service provider.
Prohibit, halt, or put restrictions on providing services to individuals, including another telecommunications service provider.
Prohibit entering into or terminating specific service agreements relating to its telecommunications network or facilities.
Create a security plan for its telecommunications services, including vulnerability identification evaluations and procedures to mitigate any vulnerabilities.
Implement regulatory standards for its services, networks, and facilities, among other things.
What is the CCSPA?
Under Canadian law, businesses providing critical infrastructure services in finance, telecommunications, energy, and transportation fall under the purview of the Critical Cyber Systems Protection Act (CCSPA). These businesses must implement cybersecurity programs to prevent and respond to cyberattacks.
The Act will:
Empower the Governor in Council to declare any service or system to be a vital service or system.
Empower the Governor in Council to create classes of operators for a vital service or system.
Require designated operators to build and implement cybersecurity procedures, reduce supply-chain and third-party risks, report cybersecurity incidents, and follow cybersecurity guidelines, among other things.
Allow for the exchange of information between parties; permit the execution of the Act's duties; and set penalties for non-compliance.
In addition to federally regulated operators, the CCSPA will also apply to their regulators. All operators will get 90 days to develop a cybersecurity program that meets the requirements specified in the Act. Operators must assess their programs annually or as defined in the regulations and notify the regulator of any changes.
The CCSPA empowers the governor to direct operators to take any measure necessary to defend a critical cyber system. With a few exceptions, operators cannot reveal the directive's contents.
If cybersecurity concerns are detected in the operator's supply chain or in its use of third-party products and services, the operator must take reasonable steps to mitigate those risks. While the Act does not specify what actions operators must take, future regulations may prescribe such measures.
Bill C-26 addresses the changing landscape of Canadian cybersecurity. As Bill C-26 progresses through various stages of discussion, lawmakers will observe the impact of the amendments to both Acts on Canada's cybersecurity landscape. The proposed legislation is a step toward ensuring critical installations do not succumb to the ploys of state- and non-state-sponsored malicious actors. With telecommunications becoming integral to Canada's economic goals, protecting them from threats is imperative. The Act seeks to bolster Canadian cybersecurity by mandating that operators and regulators take corrective steps in advance.