Critical Cyber Systems Protection Act is back – seven points for designated operators – All About Information

Posted on July 17, 2025 by rehan.rafique

It is no surprise that the federal government has brought back its federal critical infrastructure cyber security bill, a bill labeled C-8 that will enact the Critical Cyber Systems Protection Act. When the prior government first proposed this law in 2022 as bill C-26, its stated objective was to “address longstanding gaps” in its ability to protect systems and services of national importance. Industry is generally onside, mobilized by the 2021 ransomware attack against Colonial Pipeline that highlighted the fragility of North American supply chains.

The CCSPA – which will apply to “designated operators” of federally regulated critical cyber systems – has come back in much the same form as introduced with Bill C-26. In lieu of providing a summary of the entirety of Bill C-8, here are seven points for designated operators to consider.

  1. The CCSPA will be framework legislation with very limited substance or clear guidance. Designated operators can assess only the high-level requirements relating to cyber security program establishment, implementation and maintenance, with the required substance of cyber security programs likely to be dealt with in detail by regulation.
  2. The “critical cyber system” definition will delineate the scope of obligations, and is very broad: “a cyber system that, if its confidentiality, integrity or availability were compromised, could affect the continuity or security of a vital service or vital system.” The words “could affect” establish a low criticality threshold. In its current form, Bill C-8 likely encompasses control systems and a wide range of other systems.
  3. It appears that designated operators will be permitted to prioritize and schedule their risk mitigation commitments, with the exception of risk mitigation commitments relating to supply chain risks. Bill C-8 prioritizes supply chain risks by stipulating that designated organizations must take steps to mitigate such risks “as soon as” they are identified. This distinction does not appear to be risk-based, nor is the rationale clear.
  4. Incident reporting (to the Communications Security Establishment) is to be done within 72 hours, presumably of validation. The incident definition, however, is broad: “an incident, including an act, omission or circumstance, that interferes or may interfere with… the continuity or security of a vital service or vital system… or the confidentiality, integrity or availability of the critical cyber system.” Operationalizing an obligation to report an occurrence that “may” have an impact will be difficult. Designated operators will struggle to distinguish between the many immaterial “cyber events” – e.g., alerts and false positive reports – that they identify and cyber incidents that must be reported. Designated operators may also rush to report and over-report given the Bill does not contemplate a period of assessment or investigation.
  5. The government’s power to issue binding directions is broad, and not expressly constrained by pre-conditions such as necessity or reasonableness. There is no requirement to consult with designated operators about potential operational impact or other concerns prior to or after issuing a direction nor will directions be subject to the same vetting process that applies to regulations under the Statutory Instruments Act.
  6. Designated operators may seek judicial review of directions by applying to Federal Court. In one of the few changes implemented with Bill C-8, the government has (positively) removed provisions that contemplated the hearing of these review applications ex parte and in camera.
  7. Like its predecessor, Bill C-8 provides for government use and disclosure of information provided by designated operators and, to protect the security and business interests of designated operators, deems certain information confidential. The question is whether the balance struck by the Bill is proper and fair to designated operators given the sharing allowances in the Bill are broad.

Government is legitimately concerned with the need for a responsive regime that encourages the protection of critical infrastructure from adversaries, though there are legitimate and important questions for critical infrastructure owners and operators to consider about whether Bill C-8 strikes an appropriate balance.

Published by Dan Michaluk


Published July 12, 2025
