Feds enacts cyber security law for critical sectors

Canada has enacted Bill C-8, An Act Respecting Cyber Security. The law has received Royal Assent and introduces new federal measures for telecommunications and other critical sectors.

The legislation amends the Telecommunications Act to make security an explicit policy objective and gives the federal government new powers to order action against threats to the telecommunications system.

It also creates the Critical Cyber Systems Protection Act, a new regulatory framework for designated operators in finance, telecommunications, energy and transportation. Those operators will be required to protect critical cyber systems, report significant incidents and meet obligations under the new regime.

While the changes to the Telecommunications Act take effect immediately, the new protection framework for critical cyber systems will be introduced in stages, with some provisions coming into force through a phased approach.

Ministers said the law is intended to strengthen the country's response to cyber threats against infrastructure and networks that support daily economic and social activity. The sectors covered by the new framework sit at the centre of the country's regulated infrastructure base. 

"Canada's national security depends on strong cyber defence. Bill C-8 reinforces the leadership of the Communications Security Establishment Canada in defending government systems and protecting Canada's critical infrastructure from increasingly sophisticated cyber threats. By strengthening how Canada prevents, detects and responds to malicious cyber activity, this legislation helps secure essential services, protect sensitive information and safeguard the systems that underpin Canada's security and prosperity," said David McGuinty, Minister of National Defence.

Federal authorities have argued that cyber threats are increasing in both frequency and sophistication, prompting a stronger legal basis for intervention and reporting. The new law is intended to provide that basis by formalising duties for operators and expanding federal authority over telecom security.

Canada's cyber defence and cybercrime response structure already rests on two key bodies. The Canadian Centre for Cyber Security, housed within the Communications Security Establishment, is responsible for securing and defending government information systems and helping prevent and respond to cyber incidents affecting critical infrastructure.

The National Cybercrime Coordination Unit, which sits within the Royal Canadian Mounted Police, also helps respond to cyber incidents and coordinate action against cybercrime. The new law adds another layer by creating statutory obligations for operators in critical sectors and strengthening federal oversight.

Budget 2019 set aside CAD $144.9 million to establish a new critical cyber systems framework for federally regulated infrastructure in the finance, telecommunications, energy and transport sectors. That funding underpinned the policy work that has now resulted in the legislation becoming law.

"Canadians expect their networks to be safe, reliable and secure. Bill C-8 ensures we can keep pace with emerging risks, protecting Canadians, strengthening our economy and allowing Canada to remain competitive in a rapidly changing world," said Mélanie Joly, Minister of Industry.