Protecting Canada’s critical cyber systems

Remarks delivered by Trevor Neiman, Vice President, Policy and Legal Counsel, Business Council of Canada, to the House of Commons’ Standing Committee on Public Safety and National Security on Bill C-26

Mister Chair, committee members, thank you for the invitation to take part in your study of Bill C-26. 

Founded in 1976, the Business Council of Canada is composed of approximately 170 chief executive officers who run Canada’s most innovative and successful businesses.

As an organization representing a broad cross-section of Canada’s critical infrastructure sectors, I will restrict my comments to Part 2 of Bill C-26, the proposed Critical Cyber Systems Protection Act.

I will begin my remarks by underlining that Canada’s leading businesses are committed to maintaining a strong and resilient security posture in the face of growing cyber threats. Indeed, in a survey of our members, every single chief executive officer indicated that cybersecurity was either a “high” or “very high” priority for their business.

Our members are backing their commitment to cybersecurity with significant resources. In critical infrastructure sectors, most of our member companies each invest well over $150 million in Canada per year on measures to prevent, detect and respond to cybersecurity incidents. A plurality invests over $500 million annually on the same.

As cybersecurity risks to the country grow, so too do the resources that our members plan to devote to protecting Canadians. Over the next two years, over two-thirds of our members plan to increase both their cybersecurity spending and personnel staffing by at least 25 per cent.

However, we cannot lose sight that defending Canadians against cyberattacks is very much a “team sport”, requiring close coordination between government and industry.

That is why the Business Council of Canada supports the objectives of recent government cybersecurity initiatives. This includes Part 2 of the Bill, which if properly drafted and implemented, could improve the overall cyber resiliency of Canada’s economy by establishing a baseline of cybersecurity across critical sectors.

It is also important to stress that the enactment of Part 2 would bring Canada’s cybersecurity framework in line with best practices amongst our closest security partners.

In a period of growing global tensions, Canada must move in lockstep with its closest allies in strengthening its cyber resiliency. Otherwise, Canada risks being perceived as a “weak link”, which could have dire consequences for Canadians’ future security and prosperity.

Of course, no public or private sector initiative is perfect. It should therefore be no surprise that Canada’s business leaders would like to see targeted amendments to Part 2.

In the interest of time, I will highlight three of the most common suggestions for improvement that I have heard from our members.

First, Part 2 should be amended to adopt a risk-based methodology, which would impose regulatory requirements on designated operators proportionate to their level of risk. By imposing fewer and less onerous obligations on low-risk operators that have well-established cybersecurity programs, they can spend more of their finite resources on incident prevention activities. Regulators, on the other hand, could dedicate more of their finite resources towards high-risk operators that pose the largest threat.

Second, Part 2 should be amended to place fair and reasonable limits on Cabinet’s power to issue cybersecurity directions. In the absence of statutory safeguards, Part 2 would allow Cabinet to issue any direction regardless of whether such measure would be effective in reducing a risk to a critical cyber system. Directions could also be issued without Cabinet first consulting with impacted provinces and territories; negotiating in good faith with a designated operator; or considering relevant factors, such as the potential cost of the direction, whether reasonable alternatives exist to issuing the direction, or the potential consequences of the direction on competition, services or customers.

Third, and lastly, Part 2 should be amended to define key terms more precisely, such as “cyber security incident” and “critical cyber system”. The current definitions of these terms are overly broad. This will likely result in reporting inconsistencies as well as the over-reporting of immaterial incidents which could overwhelm government authorities.

I’ll conclude by noting that Part 2 is just one of several national security reforms that must be urgently undertaken to protect Canadians.

As a priority, the Business Council of Canada urges that lawmakers also amend of the Canadian Security Intelligence Service (CSIS) Act enable CSIS to proactively share actionable threat intelligence with Canadian companies where it is in the public interest and subject to all necessary safeguards and oversight.

This and nearly 40 other much-needed reforms are included in the Business Council of Canada’s recent report, Economic Security is National Security. That report is publicly available on our website.

Thank you for the opportunity to speak. I look forward to your questions.