June 2022 was when the first reading of Bill C-26 was done in parliament. The full title of the Bill is:
“An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts.”
If you want to dig into the actual wording on the bill, have a gander at it here.
There are a few things this bill does. The first is to provide an amendment to the Telecommunications Act. The second is to enact the CCSPA (Critical Cyber Systems Protection Act).
In this post I will discuss how this bill will affect Telecom Service Providers. First in regards to the Telecom Act amendments, then the CCSPA.
This is how the Telecom Act Amendments will affect Telecom Service Providers (and those utilizing their services to provide services).
The Telecom Act amendments will impact any transmission facility of a Canadian carrier, including but not limited to, local voice service providers, voice-over-IP service providers, internet service providers, long distance service providers, and wireless and payphone service providers.
To promote compliance, telecommunication service providers may be subject to administrative monetary penalties (AMPs) of up to C$10 million for each day of non-compliance, and up to C$15 million for subsequent contraventions.
As per the bill, the Governor in Council (governor) and the Minister of Industry (minister) will be afforded additional powers. If the governor believes the security of the telecommunication systems is threatened, either by interference, manipulation or disruption, the governor may prohibit a telecommunications service provider from using or providing certain products and/or services, regardless whether the other party in question is an individual or a service provider. Similarly, the governor may prohibit a telecommunications service provider from providing services to a specific person, including a telecommunications service provider, or suspend services for a specified time.
The minister may similarly order a telecommunications service provider to:
- Prohibit from using or direct to remove any specified product from its provision of services;
- Prohibit, suspend or impose conditions on the provision of services to a specific person, including another telecommunications service provider;
- Prohibit from entering into service agreements relating to its telecommunications network or facilities or terminate specific service agreements;
- Develop a security plan in relation to its telecommunication services, including conducting vulnerability identification assessments and taking steps to mitigate any vulnerabilities
- Direct a telecommunications service provider to do anything or refrain from doing anything necessary to secure the Canadian telecommunications system
While some of the proposed modifications are primarily directed at Canadian carriers, both facilities-based providers and resellers of telecommunications services should review their cybersecurity posture. This includes any organization that provides services running across the transit uplinks of the carriers, or in Canadian datacenters that leverage those same carriers. However, services running completely in the public cloud do not fall under the same scope or scrutiny.
These amendments are interesting because they can act as place holders for actions that can be taken in the future by the government on an as-needed basis. Earlier this year Huawei and ZTE hardware were banned from being used in Telecoms, but there is a weening-off timeline that goes to 2027. See this article for more of the backstory on that.
So if the government decided that a new vendor, or person, or organization poses a threat to the integrity of security of the country or industry, then they can ban them a lot faster. Also, this would be done at the telecoms expense. This becomes a big risk for telecoms as it could cost them millions of dollars in lost revenue if they had to cripple their infrastructure to maintain compliant. The alternative would be to pivot technologies as quickly as possible, and incur the financial penalties during that period.
So what I see telecoms doing instead is vetting vendors, partners and alliances a lot more carefully to ensure that there is no exposure to this sort of risk in the future.
This is how the CCSPA will affect Telecom Service Providers.
| Scope | Telecommunications services have been identified in the legislation as services that are vital to national security and/or public safety. The CCSPA authorizes the Federal Cabinet to designate a class of operators in respect of these systems who must comply with the requirements of the legislation. A class of operators could include facilities-based telecommunications service providers as well as resellers of telecommunications services. |
| Responsible Regulator | The Minister of Industry is the regulator charged with administering the CCSPA in respect of telecommunications services. Bill C-26 would also would amend the Telecommunications Act by introducing security as a policy objective, and providing the Federal Cabinet and the Minister of Industry with a series of powers that are largely directed at Canada’s 5G infrastructure and equipment. The Communications Security Establishment (CSE), Canada’s national cryptologic agency. |
| Cybersecurity Programs | Designated operators will be required to establish a cybersecurity program (CSP) within 90 days of being designated under the CCSPA. The CSP must include reasonable steps to identify and manage organizational cybersecurity risks: 1. Include reasonable steps to protect critical cyber systems from being compromised, detect cybersecurity incidents and minimize related impacts; 2. Be reviewed and updated annually, or more frequently if specified by regulation; and 3. Be filed with the Minister of Industry including notices of any updates to the CSP following periodic reviews. |
| Supply Chain Management | Designated operators must take reasonable steps to mitigate any identified cyber security risks associated with the designated operator’s supply chain or use of third-party products and services. These risk management measures must also be addressed in the operator’s CSP. |
| Change of Control Reporting | Designated operators are required to notify the Minister of Industry of any material changes to ownership and/or control as well as to its supply chain or use of third-party products and services. |
| Cybersecurity Incident Reporting | Designated operators will be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system, or the confidentiality, integrity or availability of the critical cyber system. First, designated operators must “immediately” report a cybersecurity incident to the CSE in a manner to be set out in the CCSPA’s regulations. Second, designated operators must notify the Minister of Industry “immediately after reporting a cybersecurity incident” to the CSE. |
| Recordkeeping | Designated operators must keep certain records, including copies of reported cybersecurity incidents and evidence of various security and related measures required under the CCSPA. These required records must be kept in Canada in accordance with additional guidance that may be established by the Minister of Industry or regulations. |
| Compliance with Directions | The CCSPA grants the Federal Cabinet broad authority to issue directions to designated operators ordering them to comply with any measure for the purpose of protecting a critical cyber system. The Minister of Industry is also granted powers to order a designated operator to stop doing anything that is or is likely to be in contravention of the CCSPA or to take any measure that is necessary to ensure compliance or mitigate noncompliance with the CCSPA. In relation to telecommunications services, networks and equipment, the Minister of Industry may, among other things: – prohibit a telecommunications service provider from using all products and services provided by a specified person in, or in relation to, its telecommunications network or telecommunications facilities, or remove any such products; – direct a telecommunications service provider to do anything or refrain from doing anything necessary to secure the Canadian telecommunications system; – require that a telecommunications service provider develop a security plan; – require that assessments be conducted to identify any vulnerability in its services, network or facilities; and – require that a telecommunications service provider take steps to mitigate any vulnerability in its services, network or facilities. |
| Disclosure Restrictions on Confidential Information | The CCSPA prohibits the disclosure of certain confidential information obtained under the CCSPA in respect of a designated operator’s critical cyber system. Disclosure of directions issued by the Federal Cabinet or the Minister of Industry under the CCSPA is also generally prohibited. |
| Inspections and Audits | The Minister of Industry is granted broad audit and inspection powers under the CCSPA, which are not limited to the physical premises of the designated operator. The Minister of Industry may also order a designated operator to conduct an internal audit of its practices, books and other records to determine compliance with the CCSPA. |
| Enforcement | Enforcement of the CCSPA includes administrative monetary penalties regime for noncompliance with the legislation. Directors and officers of designated operators are party to any violations of the CCSPA if they direct, authorize, participate, assent to, or acquiesce in the commission of the violation. The CCSPA states that the purpose of a penalty is to promote compliance and not to punish. The CCSPA allows a designated operator or their directors and officers to raise a due diligence defence in a violation proceeding. The range of penalties are to be prescribed by regulation, but CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. Noncompliance with certain provisions of CCSPA may alternatively be prosecuted as an offence punishable with criminal fines and/or imprisonment. The CCSPA also authorizes the Minister of Industry, to enter into a compliance agreements with a designated operator in respect of the operator’s obligations under the CCSPA. |
Let’s look at some key points in layman’s terms and out of the realm of legalese.
- The CCSPA will apply to telecom carriers and anybody that provides services through them. This is very far reaching and has a possibility of including any organization that has a datacenter (or colocation) with uplinks provided by the carriers. Upon further revisions of the bill, there should be more clarity. Hopefully.
- Any organization that is defined within the above scope (after the bill is passed) will have 90 days to create a cybersecurity program. This alone could be very costly or even impossible for many organizations that don’t have the budget, expertise or sufficient staff to implement.
- Part of the creation of the CSP (cybersecurity program) will entail an elevated level of governance and mandatory compliance that, if not followed, could have financial penalties to the organization and individual executives, on the order of millions of dollars.
- All security logs and records of incidents must be kept in Canada. This means that any security solutions that send logs to the US, or anywhere else abroad will be non-compliant. Whether this means “only in Canada” or “Canada and abroad”, is yet to be determined.
- Organizations must do regular vulnerability assessments and take actions to fix those vulnerabilities.
- If the government tells you to do something, like terminate services to someone, or stop using a certain technology, you cannot disclose those details to anyone. In other words, follow the first rule of fight-club, or you will be in non-compliance.
- If the government wants to audit an organization, they have carte blanche to do so. They can also just get organizations to do it themselves and provide detailed reports.
The legislation will improve the security posture of critical infrastructure in Canada, and something had to be done quickly and forcefully.
There is a full-scale global cyber war ongoing right now and it is not a matter of “if”, but “when” any given organization is breached. How well they are prepared will determine their continued viability as an entity. It’s like being told that a hurricane is coming and everybody needs to board up their homes. Whether or not it’s possible with the resources, time and skills at hand, remains to be seen for many.
However the onus is left on organizations to figure it out in very short order, and there is a massive shortage in staff with sufficient capabilities in the market. This is where an external company that focuses on cybersecurity can comes in and addresses all of the requirements of bill C-26 in a short period of time. I’ll write another article that describes in detail how they can do it, but in the meantime, have a look here.
Designing Risk in IT Infrastructure 