Mitigating Supply-chain and Third-party Risks: What You Need to Know about Bill C-26 and the CCSPA

In June of 2022, the Canadian House of Commons introduced its first reading of Bill C-26, an initiative addressing cyber security within Canada’s infrastructure. This bill is not a very controversial document, and if it passes, it will bring about a few significant changes to cyber security standards in Canada.

We don’t know when (or if) C-26 will become law. But because it is keeping with trends in third-party liability law, it’s wise for software companies (and companies involved in Canadian infrastructure) to take note of the bill’s implications.

Bill C-26 deals with an emerging issue in cyber security law—third-party liability. For an overview of this issue and why it’s important, read our Executive’s Guide to Third-party Liability in Cyber Security Law.

In this article:

A quick overview of Bill C-26

This bill aims to make Canadian infrastructure more secure in two major ways.

First, C-26 would keep Huawei technologies outside of Canadian telecommunications systems by amending the Telecommunications Act. While other nations have built Huawei technology into their 5G networks, Canadian legislators want to protect their network (and their data) from being accessible to the Chinese tech giant. 

Second, C-26 would raise cyber security standards for companies that operate vital systems by enacting the Critical Cyber Systems Protection Act (CCSPA). 

The CCSPA designates some operators as critical cyber systems (CCSs). The act defines a CCS as a system that “if its confidentiality, integrity, or availability were compromised, could affect the continuity or security of a vital service or vital system.” If the CCSPA is enacted, organizations responsible for critical cyber systems would be required to do the following:

1. Establish a cybersecurity program within 90 days of becoming a designated operator
2. Mitigate against third-party and supply-chain risks
3. Immediately report cybersecurity incidents related to any CCS
4. Comply with any direction from the Governor in Council with regard to securing CCSs
5. Adhere to new rules regarding the disclosure and use of information

This act applies to designated operators: individuals, partnerships, and unincorporated organizations that belong to at least one of the following classes:

• Telecommunications services
• Interprovincial or international pipeline and power line systems
• Nuclear energy systems
• Transportation systems that are within the legislative authority of Parliament
• Banking systems
• Clearing and settlement systems

Many companies that would become designated operators under this bill are already doing most of the things this bill would enforce. However, if this bill obtains royal assent, a few major changes will take place.

Three major changes to cybersecurity under the CCSPA

If Bill C-26 becomes law as it stands, then we can expect three things to change: incident reporting, supply chain regulations, and the degree of direct control the government will have on enforcing cybersecurity measures.

1. Security incidents will become more transparent 

The CCSPA will require any designated operator to immediately report any security incident that affects a CCS. The procedure and detail of such reports are yet to be determined.

The goal is to tighten the response loop when vulnerabilities and breaches are discovered. By requiring organizations to report incidents immediately, Canadian legislators hope to keep the public and private sectors unified in their responses to cyber threats.

2. Supply-chain security will be regulated

The supply chain has always been an effective way to breach large entities. Just like it’s easier to climb into a wooden horse than it is to directly climb the walls of Troy, it’s easier to breach a small software contributor than it is to directly breach an enterprise application. 

This is why the CCSPA would formally increase security around designated operators’ software supply chains. Under this act, companies who operate critical cyber systems would need to immediately take “reasonable action” as soon as any threat or risk related to their third-party suppliers is discovered—including actions prescribed by regulators.

3. The government will compel companies to take security actions

This act wouldn’t simply change the status quo regarding responses to third-party vulnerabilities—it would also give Governors in Council the authority to direct any single designated operator (or class of designated operators) to take new cybersecurity measures. This may be in response to a known threat, or it may be preemptive.

How to prepare for C-26

If you operate in a vital class designated by C-26, or if you plan to sell software services to organizations that will become designated operators under C-26, it would be wise to start preparing for the CCSPA now. (And even if you don’t sell into these industries, keeping your systems secure is both smart and responsible.)

Talk (and listen) to the regulators

Specific requirements will be determined by regulating authorities, and discussions have already begun. Talk to the regulators who oversee the designated class you do business in—this will be your best source of information.

This is also your chance to bring ideas and concerns to regulators. The rules will depend on how diligent and well-informed the regulators of each sector are when the bill goes into effect—so if there are security measures you’ve found particularly effective, there are threats and vulnerabilities you find especially concerning, or there are proposed cybersecurity measures that could negatively impact other aspects of your business, now is a good time to make those known.

Future designated operators: begin analyzing your vendors’ software.

If you do business in one of the classes C-26 designated, you will need to take reasonable steps to protect your software supply chain from threats. A wise place to start is by asking your vendors for their software bills of materials (SBOMs). This will give you a full view of what code libraries your vendors used to make the software your critical cyber systems rely on.

Beyond obtaining your vendors’ SBOMs, now is a good time to analyze your vendors for vulnerabilities. You can do this easily with a software composition analysis tool like MergeBase, which allows you to analyze other organizations’ code for vulnerabilities, even if you don’t have direct access to that code.

Vendors to future designated operators: prepare your supply chain security documentation.

In order to continue doing business with designated operators, your software supply chain must be compliant with regulatory standards. You can expect your designated-operator clients to begin asking you for your software bill of materials.

This applies to you even if you’re not a Canadian company.

Therefore, you can take three actions to prepare for this bill to go into effect:

1. Assemble your software bill of materials. Compile a list of any third-party code you are using in your product, as well as any other third parties who have access to the code you sell.
2. Ask your suppliers for their software bill of materials. This will help you get a comprehensive view of all the contributors to your final product.
3. Analyze your entire supply chain for vulnerabilities. You can use an advanced software composition analysis tool like MergeBase to find and patch vulnerabilities in your own code as well as your suppliers’ code—and their suppliers’ code too.

Having your house in order will put you in the most prepared position when (or if) the CCSPA goes into effect.

All software companies: expect trickle-up cybersecurity standards to increase.

Even if you don’t do business with a designated operator, there’s a chance that one of your customers or partners does. If this is the case, it’s possible that they will pass their new cybersecurity standards on to their suppliers and partners.

Now is a good time to check if you’re part of a future designated operator’s supply chain. If you are, consider preparing your own SBOM. At the very least, make a plan for what to do if one of your customers or partners begins raising cybersecurity standards for you.

Pro-tip: You can use MergeBase to generate your own SBOM or the SBOM of any other software. Our customers tell us that our reports are more thorough and accurate than most in-house SBOMs—book a demo if you’d like to see how it works!

Mitigate third-party and supply chain risks with a software composition analysis (SCA) platform

Cybersecurity measures will only increase in the future. One way to prepare for legislation like the CCSPA is to implement our advanced SCA platform. 

MergeBase allows you to analyze code for vulnerabilities as it’s being written, and it lets you check for third-party vulnerabilities in both your test environment and your live product. It also gives you the opportunity to automatically patch vulnerabilities in your software supply chain, which keeps you, your customers, and your users more safe from cyber-attacks than they otherwise would be.

If you want to raise your own cybersecurity standards ahead of C-26, schedule a MergeBase demo today. Our team will show you how you can begin protecting yourself from supply-chain risks now.