Enhancing the resiliency of Canada’s critical cyber systems
Letter to The Honourable Marco E. L. Mendicino, Minister of Public Safety, regarding Bill C-26, An Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts.
Dear Minister Mendicino:
The Business Council of Canada is pleased to provide its views on Bill C-26.
Cybersecurity is a priority and responsibility shared by Canada’s public and private sectors. To that end, Canadian businesses are investing billions to protect their operations, employees, and customers from cyber threats. Moreover, through organizations such as the Canadian Cyber Threat Exchange, they are sharing threat intelligence with government and peers to enhance the resiliency of Canada’s digital networks and supply chains.
While the submission which follows relates specifically to Bill C-26, we recognize the government is in the process of undertaking a series of measures to modernize Canada’s laws, regulations, rules, policies, and plans with respect to cyber and national security. Canadian business leaders support the stated objectives of these interconnected efforts and are pleased to work with the government to help ensure they are achieved.
Introduction of the Critical Cyber Systems Protection Act
Part 2 of Bill C-26 introduces the Critical Cyber Systems Protection Act (CCSPA) which creates a new regulatory regime requiring designated critical infrastructure providers to protect their critical cyber systems.
The Business Council’s membership includes many owners and operators of critical infrastructure assets. They are committed to maintaining a strong and resilient security posture in the face of ever-evolving cyber security threats. As part of this commitment, they work with government agencies, regulatory bodies, and standards organizations to continuously assess and strengthen their cyber security programs.
Still, we recognize there is more to be done to improve the overall resiliency of Canada’s critical infrastructure. In this light, we offer our views of the CCSPA, as summarized below:
1. The CCSPA should adopt a risk-based methodology
The CCSPA imposes the same prescriptive regulatory obligations on all designated operators irrespective of their cyber security maturity. Given the robust cyber security programs that many designated operators already have in place, there are concerns that the CCSPA will impose costly regulatory obligations on many critical infrastructure providers with no associated benefit.
The CCSPA would be far more effective and efficient in protecting critical cyber systems if the Act were to adopt a risk-based methodology that imposed different regulatory requirements on designated operators proportionate to their level of risk.
By imposing fewer and less onerous obligations on low-risk designated operators that have well-established cyber security programs, low-risk operators could allocate the resources that they would have otherwise expended on regulatory compliance to incident prevention activities.
By allowing regulators to dedicate more of their finite resources towards high-risk organizations, a risk-based approach would also allow regulators to target threats to critical cyber systems more effectively and efficiently.
2. The CCSPA should encourage meaningful two-way information sharing
Although one of the CCSPA’s primary objectives is to “encourage information sharing among cyber security stakeholders,” as currently drafted, the Act would do little to encourage this beneficial activity. The CCSPA only contemplates one-way information sharing from designated operators to government. No provision is made to provide designated operators with access to government information or to encourage greater information sharing between designated operators.
This is a missed opportunity. The Act should be amended to encourage meaningful two-way information sharing within and between the public and private sectors, including on emerging threats to critical cyber systems, the safety record of current technologies, and the relative benefits of different security measures.
To facilitate the sharing of classified threat intelligence, designated operators’ cyber security personnel should also be granted expedited access to security clearances. It currently takes months, sometimes years, for private sector cyber security experts to obtain the security clearances they need to access classified threat intelligence.
In addition, classified systems should be made available at designated operators’ facilities. This will enhance the ability of security-cleared personnel at such organizations to access and share classified threat intelligence with government and other security-cleared designated operators.
3. The power to issue cyber security directions should be tempered and accompanied by statutory safeguards
The CCSPA grants the Governor in Council the power to direct any designated operator to comply “with any measure” for the “purpose of protecting a critical cyber system.” Failure to comply with a direction could result in significant fines and/or imprisonment.
It may be appropriate for the government to exert control over a privately owned and operated critical cyber system in exigent circumstances, such as when an organization’s act or omission threatens Canada’s national security, and the organization is unwilling to take reasonable measures to address that threat. However, the Governor in Council’s power to issue cyber security directions, as currently drafted, raises significant concerns.
First, the legal threshold for issuing cyber security directions is set too low, not reflecting the extraordinary power granted to the government. Under the Act, the Governor in Council is authorized to issue a direction as long as the purpose of the measure is to “protect” a critical cyber system. Given the ambiguity built into this legal threshold, a future government could interpret it broadly as allowing it to issue a direction where the threat to a critical cyber system is negligible, and therefore not a credible danger to Canada’s national security. Such an action may not be intended by the Act, but the language currently used could allow for it and, as a result, violate the legal principles of proportionality and necessity.
Australia’s Security of Critical Infrastructure Act, 2018 (SCSA) sets a far more appropriate legal threshold for issuing directions. The SCSA empowers the Minister to order a critical infrastructure operator “to do, or refrain from doing, a specified act,” where, in connection with the operation of critical infrastructure, “the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security.” “Security” is defined by the SCSA, in turn, as the protection of Australians from national security threats, such as foreign interference, espionage, sabotage, or politically motivated violence.
An equally concerning element of the Governor in Council’s powers is the absence of statutory safeguards incorporated into the Act.
Under the SCSA, the Minister must not make an order unless:
- An adverse security assessment in respect of the critical infrastructure operator has been given to the Minister for the purpose of a direction;
- The Minister is satisfied that the measure specified in the order is reasonably necessary for purposes relating to eliminating or reducing the risk to security;
- The Minister is satisfied that reasonable steps have been taken to negotiate in good faith with the critical infrastructure operator to achieve an outcome of eliminating or reducing the risk without an order being given;
- The Minister is satisfied that no existing regulatory system could instead be used to eliminate or reduce the risk to security; and
- The Minister has consulted the First Minister of the jurisdiction in which the critical infrastructure asset is wholly or partly located and each Minister of the jurisdiction who has regulatory oversight of the relevant critical infrastructure sector.
The SCSA also places constraints on how the Minister exercises their power. When issuing an order, the Minister must have regard for the following considerations:
- The adverse security assessment;
- Any representations given by the critical infrastructure operator or a consulted minister;
- The cost that would likely be incurred by the critical infrastructure operator in complying with the order;
- The potential consequences that the order may have on competition in the relevant critical infrastructure sector; and
- The potential consequences that the order may have on customers of, or services provided by, the critical infrastructure operator.
In the absence of similar statutory safeguards, the CCSPA would allow the government to issue any direction regardless of whether such measure would be effective in eliminating or reducing a risk to a critical cyber system or society. Directions could also be issued without the government first consulting with impacted provinces and territories; negotiating in good faith with a designated operator; or considering relevant factors, such as the potential cost of the direction, whether reasonable alternatives exist to issuing the direction, or the potential consequences of the direction on competition, services or customers. In short, the CCSPA could lead to the imposition of unknown, unlimited, and very likely burdensome requirements on industry and society at large.
The CCSPA should be amended to incorporate statutory safeguards, like those included within the SCSA.
4. The CCSPA should be harmonized with pre-existing obligations
The CCSPA adds another layer of regulatory obligations on top of many existing cyber security requirements that apply to critical infrastructure providers – particularly those with operations in other legal jurisdictions. To avoid overlap and conflict, the government should harmonize the CCSPA’s requirements with existing obligations, including cyber security requirements in the United States. Harmonizing the Act would significantly reduce compliance costs and enable designated operators to dedicate greater resources to incident prevention activities.
5. Proposed penalties are unduly high and unnecessary to encourage the adoption and implementation of effective cyber security programs
The significant business impacts of a cyber security incident – including damage to critical systems, legal liability and litigation risk, loss of revenue, insurance costs, and reputational harm – already create powerful financial incentives for designated operators to establish and implement effective cyber security programs. The severe penalties set out under the CCSPA – including fines of up to $15,000,000 and/or prison terms of five years – are therefore unduly high and unnecessary to ensure compliance.
6. Personal liability could exacerbate Canada’s cyber security talent shortage
The CCSPA would impose significant fines and/or prison terms on individuals in their personal capacity for certain breaches of the Act. Holding individuals personally liable for activities that occur in the course of their employment will make it more difficult for designated operators to attract and retain the cyber security personnel needed to protect their critical cyber systems. As it stands, more than 25,000 job openings in the field remain unfilled. The Act should be amended to eliminate personal liability.
7. The CCSPA’s continuing offenses discourage carefully considered remediations
The CCSPA treats certain offenses that continue for more than one day as separate offenses for each day the offenses continue. This may create significant unintended consequences. For instance, instead of encouraging carefully considered remediations to supply-chain or third-party risks, continuing offenses could encourage quick fixes that may inadequately eliminate or mitigate a risk. The Act should be amended to eliminate this issue.
8. Technical difficulty should be considered by decision-makers when determining penalties
When imposing penalties for a violation of the CCSPA, decision-makers should be required by the Act to consider relevant mitigating factors, not least the technical difficulty of compliance with the provisions of the Act or its regulations.
9. Regulators should be required to coordinate their enforcement actions
A single cyber security incident can trigger multiple enforcement actions from distinct regulators. To avoid conflicting enforcement actions, the CCSPA and any other relevant legislation should be amended to require all applicable regulators to coordinate their enforcement activities.
10. “Cyber security incident” and “critical cyber system” require more precise definitions
The definition of “cyber security incident” includes an act, omission, or circumstance that “may interfere with” a critical cyber system or vital service or system. The definition of a “critical cyber system” includes a system that, if compromised, “could affect” a vital service or vital system. These overly broad definitions, which include the possibility of an occurrence, invite interpretation into the Act that will likely result in reporting inconsistencies. These definitions may also result in the over-reporting of immaterial incidents. Significant incidents could be overlooked in this process. The Act should incorporate a more precise definition for each term.
11. Immediate reporting of cyber security incidents must be interpreted reasonably
The CCSPA proposes “immediate” reporting of a cyber security incident in accordance with the regulations. The Act itself should define “immediate” as being “as soon as practicable within 48 hours.” Notification without analysis greatly reduces the effectiveness of reporting. It also takes away valuable time and resources from incident responders who are trying to identify and contain an incident. A clearly defined timeframe would allow designated operators to collect relevant information, assess the materiality of an incident, and compile an actionable report.
12. The CCSPA’s record-keeping obligations should be amended
The CCSPA’s record-keeping requirements are unduly burdensome. Particularly problematic is the requirement to keep records respecting “any steps taken to implement the designated operator’s cyber security program.” [Emphasis added]
This requirement would potentially require retention of documentation that is insignificant, having no bearing on risk reduction. Designated operators should instead be obligated to prepare annual reports summarizing actions taken to implement their cyber security program and its performance. This approach is more consistent with proportionality principles which balance the costs of maintaining information with its potential value.
13. Notifications on third-party product and service changes are unnecessary
The CCSPA would require designated operators to report “any material change in [their] supply chain or in its use of third-party products and services.” This requirement would impose an unsustainable reporting burden on organizations that utilize potentially thousands of third-party products and services and would, as part of normal operations, evaluate, update, upgrade and replace those services and products on an ongoing basis.
The Act already provides a requirement for designated operators to mitigate any risks associated with their supply chains and their use of third-party products and services – a requirement we discuss in greater detail below. In addition, the Act further requires designated operators to keep records respecting any steps taken to mitigate any supply-chain or third-party risks. It is therefore unnecessary and unduly onerous to report any or every change to their use.
14. The CCSPA should define “material change”
Several of the CCSPA’s reporting obligations are triggered upon a “material change” to a designated operator’s circumstances. The Act does not define what constitutes a “material change”. The requirement is therefore open to interpretation and could lead to inconsistent reporting. The Act should define “material change” to reduce uncertainty.
15. The obligation to mitigate supply-chain and third-party risk should be refined
The CCSPA imposes a poorly defined obligation on designated operators to manage supply-chain and third-party risks. This obligation should only apply to “critical cyber systems”. In addition, the Act itself should provide greater clarity as to what steps are expected from designated operators to mitigate such risks. There is currently a lack of clarity on the processes and steps that designated operators should take when a vendor is deemed to be a cyber security risk. Without a defined process of transitioning designated operators from one vendor to another, there are significant risks that designated operators may face service interruption, commercial loss, and broader reliability issues that could adversely impact society.
16. Reporting must preserve designated operators’ security
The more information that a designated operator shares about its critical cyber systems with third parties, the greater the likelihood that such information could fall into the hands of a potential adversary. To preserve designated operators’ security, the sharing of information regarding designated operators’ critical cyber systems with government should follow the principle of least privilege, omit sensitive details, and be limited to as few individuals and agencies as possible.
17. The CCSPA must protect privileged documents
The CCSPA would give regulators broad power to examine documents, raising concerns about improper access to documents covered by solicitor-client or litigation privilege. The power to examine documents should exclude privileged documents or, at the very least, provide a mechanism by which a designated operator could challenge requests for documents that it believes are privileged.
18. The CCSPA’s limitation period is too lengthy and creates significant uncertainty
The CCSPA’s limitation period limits the commencement of a proceeding to three years after the subject matter of the proceeding became known to the appropriate regulator. At three years, the limitation period is too long. A two-year limitation is more appropriate and consistent with legislation found in peer jurisdictions.
The CCSPA’s limitation period also introduces far too much uncertainty into the Act. The CCSPA leaves it up to regulatory processes to determine when “the subject matter of the proceedings became known to the appropriate regulator.” When this is combined with the overly broad definitions of “critical cyber system” and “cyber security incident” and the resulting high volume of reports that would have to be shared with regulators, designated operators would have little to no certainty as to when the window for proceedings is closed.
Finally, the Act’s limitation period may also have the unhelpful effect of promoting over-reporting to “start the clock.”
19. The CCSPA should provide greater clarity on the qualifications and responsibilities of inspectors
The CCSPA lacks clear parameters around who the government designates as inspectors and what their obligations will be towards designated operators. Greater clarity should be provided in the Act on the qualifications necessary to be designated as an inspector and the responsibilities inspectors will have to designated operators.
20. Designated operators should be given adequate time to bring themselves into compliance
The Governor in Council should fix the date for the CCSPA’s coming into force to a day 24 months following Royal Assent. This would provide designated operators with the time necessary to bring their practices into compliance with the Act.
21. Better support critical infrastructure providers
We commend the government’s efforts to establish a framework encouraging the adoption and implementation of effective cyber security programs. However, these efforts must be accompanied by ongoing support to be truly successful. To this end, we urge that the government establish a centre of excellence within the Canadian Centre for Cyber Security to help critical infrastructure providers enhance their cyber-resiliency. Services offered by this center should include:
- Identifying cyber security gaps within designated sectors and working in partnership with industry to mitigate them;
- Providing targeted financial incentives to critical infrastructure providers to defray the high costs associated with increasing the resiliency of their assets;
- Offering onsite incident response services to critical infrastructure providers that require immediate assistance; and
- Convening and supporting regular tabletop and threat hunting exercises where critical infrastructure providers and government stakeholders can work through simulated events to improve their collective responses to major cyber incidents.
Amendments to the Telecommunications Act
Part 1 of Bill C-26 introduces amendments to the Telecommunications Act (TA) to add security as a policy objective and to provide the government with the ability to take measures to secure Canada’s telecommunications system. We also offer our views of the amendments to the TA, as summarized below:
1. Due diligence should be an acceptable defence for violations resulting in an administrative monetary penalty
Despite the best intentions of all parties, it may not be possible to fully implement an order made by the Minister or Governor in Council, or to do so in a specified timeframe. A due diligence defence should be acceptable to the government, as it is for other violations.
2. There should not be an outright prohibition on compensation for parties who comply with an order
As currently drafted, the amendments to the TA never allow the government to financially compensate parties for losses incurred by complying with an order. This removes the Minister’s discretion to allow compensation under exceptional circumstances, which cannot be known in advance of a specific order being made or implemented. An outright ban on compensation is therefore unnecessarily restrictive and inappropriate. The proposed amendment should be revised to permit compensation if the Minister or Governor in Council considers it reasonable.
3. There should be checks and balances on the powers to make orders secret
It is fully accepted that the nature of security threats means it may be necessary to maintain the secrecy of government orders in many instances. However, the proposed amendments to the TA err on the side of secrecy rather than transparency. For example, orders should be published in the Canada Gazette unless the Minister reasonably considers that the publication would threaten Canada’s national security or the integrity of Canada’s telecommunications system.
4. The Minister’s order-making powers should be both proportional to the risk posed and tempered by the need to obtain advice from experts
Given the broad scope of the Minister’s new order-making powers, there is the potential for disproportionate reactions to trivial security risks. Given this risk, the Minister should be required to obtain and consider advice from industry experts and expert bodies, such as the Canadian Security Telecommunications Advisory Committee (CSTAC), or one of its subcommittees, before making a security order. The CSTAC is well-positioned to evaluate risks and recommend responses to the Minister.
Minister, thank you for this opportunity to share our views on Bill C-26. We look forward to working with you and your colleagues to help protect Canadians, now and in the future.
Sincerely,
Goldy Hyder