By Imran Ahmad
On February 27, 2018, the Minister of Finance tabled Budget 2018 – Equality + Growth: A Strong Middle Class (the Budget) before Parliament. The Budget includes investments in several key areas of the Canadian economy, including in the area of cybersecurity. In his remarks, the Minister of Finance stated that “[t]o safeguard Canadians’ privacy, and protect both our digital economy and our country, we are making an investment of over $750 million in cybersecurity.”
The proposed investment will serve primarily to establish the Canadian Centre for Cyber Security and the National Cybercrime Coordination Unit, which will serve as pillars of the federal government’s soon-to-be-announced National Cyber Security Strategy.
Canadian Centre for Cyber Security
The Budget commits $155.2 million over five years and $44.5 million per year thereafter for the Communications Security Establishment to create a new Canadian Centre for Cyber Security (CCCS).
The objective of CCCS would be to consolidate operational cyber expertise from across the federal government under a single umbrella. It will become the primary “go-to” source for unique expert advice, guidance, services and support on cybersecurity operational matters. What is interesting is that it will also serve as the primary point of contact for cybersecurity advice to Canadian businesses and individuals. It is anticipated that the federal government will introduce new legislation to consolidate various government cybersecurity functions into the new CCCS.
National Cybercrime Coordination Unit
The Budget also proposes to provide $116 million over five years and $23.2 million per year thereafter to the RCMP to support the creation of the National Cybercrime Coordination Unit (NCCU).
The NCCU will be tasked with creating a hub for cybercrime investigations in Canada and will work with international partners on cybercrime issues. What is interesting is that the NCCU will also establish a national public reporting mechanism for Canadian citizens and businesses to report cybercrime incidents to law enforcement. It is unclear whether the reporting mechanism will be voluntary or mandatory and whether the reported information will be disclosed publicly.
National Cyber Security Strategy
The CCCS and NCCU are important aspects of Canada’s broader National Cyber Security Strategy (the Strategy), which will be rolled out in the coming months. The Strategy will focus on three principal goals:
1. Ensure secure and resilient Canadian systems;
2. Build an innovative and adaptive cyber ecosystem; and
3. Support effective leadership and collaboration between different levels of Canadian government, and partners around the world.
The Budget’s proposed investment in the area of cybersecurity is the largest single investment made in this area by the Canadian federal government. It also sends a strong signal that the government is focused on cyber threats that pose a real risk to the Canadian economy and national security.
For businesses, the creation of the CCCS and NCCU may require them to revise their cyber incident response plans and law enforcement engagement strategy. Depending on when the CCCS and NCCU become operational, businesses may have a legal responsibility to report cyber incidents to law enforcement. That said, it remains unclear how this information will be used and disclosed by the CCCS.
Lastly, more details may emerge in the coming months as the Minister of Public Safety releases details regarding the Strategy, which may include new programs and resources for Canadian businesses and individuals.
This article first appeared on millerthomson.com on February 28, 2018.
About Imran Ahmad
Imran Ahmad is a Business Law partner and specializes in the areas of cybersecurity, technology and privacy law. He also maintains an active trade, customs and regulatory compliance practice.
As leader of the cybersecurity and data breach practice, Imran works closely with clients to develop and implement practical and informed strategies related to cyber threats and data breaches. He focuses on legal risk assessments, compliance, due diligence and risk allocation advice, security and data breach incident preparedness and response. He also provides representation in the event of an investigation, an enforcement action, or a litigation.