In June 2022, Bill C-26, a government initiative addressing cyber security in Canada’s critical infrastructure, received first reading in the House of Commons. The bill has attracted little controversy, but if it passes it will bring about a few significant changes to cyber security standards in Canada.
We don’t know when (or if) C-26 will become law. But because it is in keeping with trends in third-party liability law, it is wise for software companies (and companies involved in Canadian infrastructure) to take note of the bill’s implications.
Bill C-26 deals with an emerging issue in cyber security law—third-party liability. For an overview of this issue and why it’s important, read our Executive’s Guide to Third-party Liability in Cyber Security Law.
This bill aims to make Canadian infrastructure more secure in two major ways.
First, C-26 would amend the Telecommunications Act so that the government can order telecommunications providers to stop using products and services from specified suppliers, which is the mechanism by which it intends to keep Huawei equipment out of Canadian telecommunications systems. While other nations have built Huawei technology into their 5G networks, Canadian legislators want to keep Canadian networks (and the data that crosses them) out of the Chinese tech giant’s reach.
Second, C-26 would raise cyber security standards for companies that operate vital systems by enacting the Critical Cyber Systems Protection Act (CCSPA).
The CCSPA introduces the concept of a critical cyber system (CCS). The act defines a CCS as a system that “if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or vital system.” If the CCSPA is enacted, organizations responsible for critical cyber systems would take on a set of new obligations, which are outlined below.
The act applies to designated operators: persons, partnerships, and unincorporated organizations that belong to at least one of the classes of operators scheduled under the act, which cover the vital services and vital systems the act is meant to protect.
Many companies that would become designated operators under this bill are already doing most of the things this bill would enforce. However, if this bill obtains royal assent, a few major changes will take place.
If Bill C-26 becomes law as it stands, then we can expect three things to change: incident reporting, supply chain regulations, and the degree of direct control the government will have on enforcing cybersecurity measures.
The CCSPA would require every designated operator to report any cyber security incident affecting a CCS immediately to the Communications Security Establishment (CSE) and to notify its regulator. The form and content of those reports are to be set by regulation.
The goal is to tighten the response loop when vulnerabilities and breaches are discovered. By requiring organizations to report incidents immediately, Canadian legislators hope to keep the public and private sectors unified in their responses to cyber threats.
The supply chain has always been an effective way to breach large entities. Just like it’s easier to climb into a wooden horse than it is to directly climb the walls of Troy, it’s easier to breach a small software contributor than it is to directly breach an enterprise application.
This is why the CCSPA would formally raise the bar for security around designated operators’ software supply chains. Under the act, companies that operate critical cyber systems would need to take “reasonable action” as soon as any threat or risk related to their third-party suppliers, products, or services is identified, including any actions prescribed by regulators.
The act wouldn’t simply change the status quo for responding to third-party vulnerabilities. It would also give the Governor in Council the authority to direct any single designated operator (or class of designated operators) to take new cybersecurity measures, whether in response to a known threat or preemptively.
If you operate in one of the classes of operators C-26 would designate, or if you plan to sell software or services to organizations that will become designated operators under C-26, it would be wise to start preparing for the CCSPA now. (And even if you don’t sell into these industries, keeping your systems secure is both smart and responsible.)
Specific requirements will be determined by regulating authorities, and discussions have already begun. Talk to the regulators who oversee the designated class you do business in—this will be your best source of information.
This is also your chance to bring ideas and concerns to regulators. The rules will depend on how diligent and well-informed the regulators of each sector are when the bill goes into effect. So if there are security measures you have found particularly effective, threats or vulnerabilities that especially concern you, or proposed cybersecurity measures that could harm other parts of your business, now is a good time to make them known.
If you do business in one of the classes C-26 designates, you will need to take reasonable steps to protect your software supply chain from threats. A wise place to start is by asking your vendors for their software bills of materials (SBOMs). An SBOM is an inventory of the components, including open-source libraries, that a vendor built into the software your critical cyber systems rely on, and it is the starting point for tracking vulnerabilities in those components. Two checks are worth making when you receive one: ask for a standard machine-readable format (SPDX or CycloneDX) so you can process it automatically, and remember that an SBOM is only as complete as the tooling that produced it, so components listed without a version, or missing altogether, cannot be assessed.
Beyond obtaining your vendors’ SBOMs, now is a good time to analyze your vendors’ software for vulnerabilities. You can do this with a software composition analysis tool like Finite State, which allows you to analyze other organizations’ software for vulnerabilities even if you don’t have access to its source code.
In order to continue doing business with designated operators, your software supply chain must be compliant with regulatory standards. You can expect your designated-operator clients to begin asking you for your software bill of materials.
This applies to you even if you’re not a Canadian company.
Preparing now, with your own house in order, will put you in the best position when (or if) the CCSPA goes into effect.
Even if you don’t do business with a designated operator, there’s a chance that one of your customers or partners does. If this is the case, it’s possible that they will pass their new cybersecurity standards on to their suppliers and partners.
Now is a good time to check if you’re part of a future designated operator’s supply chain. If you are, consider preparing your own SBOM. At the very least, make a plan for what to do if one of your customers or partners begins raising cybersecurity standards for you.
Pro-tip: You can use Finite State to generate your own SBOM or the SBOM of any other software. Our customers tell us that our reports are more thorough and accurate than most in-house SBOMs—book a demo if you’d like to see how it works!
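As an added example that is not part of the original article and is not Finite State’s tooling: the script below does the first thing you would do with a vendor’s SBOM (or your own), which is read a CycloneDX JSON document, pull each component’s ecosystem, name and version out of its package URL (purl), and check it against an advisory list. The SBOM and the advisory list are constructed for this example; the CVE identifiers and fixed versions in the list are the published ones, but the list is illustrative, not a vulnerability feed. The script also reports components the SBOM lists without a version, because those cannot be assessed at all and are the first gap to raise with a supplier.

```python
"""
Added example (not code from the original article or from Finite State):
audit a CycloneDX JSON SBOM against a small advisory list.
Both the SBOM and the advisory list below are constructed for the example.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.4 SBOM, as a vendor might hand it over.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0?arch=any"},
        # No version recorded: common in SBOMs built from binaries, and
        # impossible to match against any advisory.
        {"type": "library", "name": "busybox", "purl": "pkg:generic/busybox"},
    ],
})

# Constructed advisory list. A range means introduced <= version < fixed;
# introduced=None means every version below fixed. IDs and fixed versions
# are the published ones; the list is illustrative, not a feed.
ADVISORIES = [
    {"id": "CVE-2021-44228", "type": "maven", "name": "log4j-core",
     "introduced": None, "fixed": "2.15.0"},
    {"id": "CVE-2021-3711", "type": "generic", "name": "openssl",
     "introduced": "1.1.1", "fixed": "1.1.1l"},
    {"id": "CVE-2023-32681", "type": "pypi", "name": "requests",
     "introduced": "2.3.0", "fixed": "2.31.0"},
]


def parse_purl(purl: str) -> Dict[str, Optional[str]]:
    """Split a package URL (pkg:type/namespace/name@version?q#path) into
    type, namespace, name and version. Qualifiers and subpath are dropped."""
    body = purl.split("#", 1)[0].split("?", 1)[0]
    if not body.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = body[len("pkg:"):]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.split("/")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]) or None,
            "name": parts[-1], "version": version}


def version_key(version: str) -> Tuple:
    """Order versions by numeric and alphabetic runs, so 1.1.1k < 1.1.1l and
    2.9.1 < 2.15.0. Pre-release tags such as 2.0-beta9 are not modelled;
    use packaging.version or the ecosystem's own rules in production."""
    runs = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(r)) if r.isdigit() else (1, r.lower()) for r in runs)


def in_range(version: str, introduced: Optional[str], fixed: str) -> bool:
    """True when introduced <= version < fixed (introduced may be None)."""
    v = version_key(version)
    if introduced is not None and v < version_key(introduced):
        return False
    return v < version_key(fixed)


def audit_sbom(sbom_json: str, advisories: List[dict]) -> Tuple[List[dict], List[str]]:
    """Return (affected components, names of components that cannot be
    checked because the SBOM records no version for them)."""
    affected, unversioned = [], []
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("purl"):
            info = parse_purl(comp["purl"])
        else:  # no purl: fall back to the bare name/version fields
            info = {"type": None, "namespace": None,
                    "name": comp.get("name"), "version": comp.get("version")}
        version = info["version"] or comp.get("version")
        if not version:
            unversioned.append(info["name"])
            continue
        for adv in advisories:
            if (adv["type"] == info["type"] and adv["name"] == info["name"]
                    and in_range(version, adv["introduced"], adv["fixed"])):
                affected.append({"name": info["name"], "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return affected, unversioned


if __name__ == "__main__":
    hits, unknown = audit_sbom(SAMPLE_SBOM, ADVISORIES)
    for h in hits:
        print(f"{h['name']} {h['version']}: {h['advisory']} (fixed in {h['fixed']})")
    for name in unknown:
        print(f"{name}: no version in SBOM, cannot be assessed")
```

On the sample input this flags log4j-core 2.14.1 and openssl 1.1.1k, leaves requests 2.31.0 alone because it sits exactly on the fixed version, and reports busybox as unassessable. The matching is deliberately strict on ecosystem and name; a real audit would also normalise names per ecosystem and handle pre-release tags, which the simple version ordering here does not.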
Cybersecurity requirements, regulatory and contractual, will only increase in the future. One way to prepare for legislation like the CCSPA is to implement our advanced SCA platform.
Finite State allows you to analyze code for vulnerabilities as it’s being written, and it lets you check for third-party vulnerabilities in both your test environment and your live product. It also gives you the opportunity to automatically patch vulnerabilities in your software supply chain, which keeps you, your customers, and your users safer from cyber-attacks than they otherwise would be.
If you want to raise your own cybersecurity standards ahead of C-26, schedule a Finite State demo today. Our team will show you how you can begin protecting yourself from supply-chain risks now.