Cybersecurity and Defence
The Invisible Battlefield
In 2024-25, Canada's automated cyber defences blocked 2.3 trillion malicious actions—an average of 6.3 billion per day. The Communications Security Establishment responded to 2,561 cyber security incidents affecting federal institutions and critical infrastructure partners. State-sponsored hackers from China, Russia, Iran, and North Korea conducted ongoing campaigns against Canadian government networks, private sector companies, and critical infrastructure.
This is the new reality of national defence. While traditional military threats involve ships, aircraft, and soldiers, cyber threats operate invisibly through computer networks, targeting everything from government secrets to hospital patient records to the integrity of democratic elections.
This article examines Canada's approach to cybersecurity as a defence challenge: the threats the country faces, the institutions responsible for cyber defence, how offensive and defensive capabilities work, and the strategic questions citizens should understand.
Part One: The Threat Landscape
State-Sponsored Threats
Canada's official threat assessments consistently identify four primary state-sponsored cyber threats:
People's Republic of China (PRC)
The Cyber Centre assesses that China presents "the most sophisticated and active state cyber threat to Canada today." Chinese cyber operations target:
- All levels of Canadian government (at least 20 federal networks compromised)
- Private sector companies, especially in technology and natural resources
- Canadian universities and research institutions
- Diaspora communities and critics of the Chinese Communist Party
Chinese operations serve political, economic, and military objectives including espionage, intellectual property theft, and "transnational repression"—targeting dissidents and critics abroad. Activity intensifies during diplomatic tensions. Notably, China has pre-positioned capabilities within North American critical infrastructure for potential future disruptive operations.
Russian Federation
Russia uses cyber operations as part of a "hybrid strategy" combining espionage, influence campaigns, and destructive attacks. Russian threats include:
- Targeting Canadian government, military, and private sector networks
- Using criminal proxy groups to obscure state involvement
- Coordinating cyber attacks with disinformation campaigns
- Pre-positioning for potential disruptive operations against critical infrastructure
Since the 2022 invasion of Ukraine, pro-Russia non-state groups have conducted distributed denial-of-service (DDoS) attacks against Canadian websites, including government portals. In January 2024, a pro-Russia group claimed responsibility for manipulating water facility control systems in Texas—demonstrating willingness to target critical infrastructure.
Iran
Iran uses its cyber program to "coerce, harass, and repress its opponents, while managing escalation risks." Iranian operations focus on:
- Political activists and opposition figures
- Targets in allied countries
- Information operations and disinformation
North Korea (DPRK)
North Korean cyber operations are distinctive in their financial motivation—the regime uses cybercrime to generate revenue that circumvents international sanctions. DPRK activities include:
- Cryptocurrency theft and financial fraud
- Ransomware operations
- Targeting of financial institutions
Emerging: India
The 2025-26 National Cyber Threat Assessment added India as a developing cyber concern, particularly espionage targeting critics abroad.
Cybercrime
While state actors represent strategic threats, cybercrime represents the most common threat affecting ordinary Canadians and Canadian organizations.
Ransomware
Ransomware—malicious software that encrypts data and demands payment for its release—is assessed as "the top cybercrime threat facing Canada's critical infrastructure."
Key statistics:
- Global ransomware incidents rose 74% in 2023 compared to 2022
- Global ransom payments reached a record $1 billion USD in 2023
- Average ransom paid in Canada in 2023: $1.13 million CAD (up 150% in two years)
- 16% of Canadian businesses experienced a cybersecurity incident in 2023
- Total recovery costs in Canada in 2023: approximately $1.2 billion
The Cyber Centre's pre-ransomware notifications may have averted 74-148 ransomware incidents in 2024-25, with estimated economic savings of $6-18 million.
Cybercrime-as-a-Service (CaaS)
A significant development in cybercrime is the emergence of criminal service providers. Rather than conducting attacks themselves, criminal groups develop and sell:
- Ransomware toolkits (Ransomware-as-a-Service)
- Compromised credentials
- Botnet access
- Attack infrastructure
This model "is almost certainly contributing to the continued resilience of cybercrime"—when law enforcement disrupts one group, tools and services simply move to others.
Recent Attacks on Canadian Targets
The threat isn't theoretical. Recent incidents include:
Healthcare
- October 2023: Five southwestern Ontario hospitals hit by coordinated ransomware attack, disrupting patient care for weeks, compromising over 50,000 patient records
- December 2022: Hospital for Sick Children (Toronto) targeted by LockBit ransomware, delaying lab results and disrupting operations
- May 2023: Personal health information of 3.4 million people seeking pregnancy care in Ontario compromised
Municipalities
- February 2024: City of Hamilton ransomware attack disabled systems for weeks, affecting city phones and payroll
- March 2024: Town of Huntsville cyber breach
- June 2023: City of Richmond (BC) and Halifax Regional Municipality attacked
- July 2022: Town of St. Marys (Ontario) ransomware attack cost $1.3 million
The Cyber Centre is aware of over 100 cases of cyber threat activity targeting Canadian municipalities since 2020.
Critical Infrastructure and Energy
- January 2024: Qulliq Energy Corporation (Nunavut power plant) network breach
- April 2023: Hydro-Québec website DDoS attack; Montreal and Halifax port authority websites crashed
- June 2023: Suncor Energy breach affecting 1,500+ Petro-Canada gas stations
Government and National Security
- September 2023: Brookfield Global Relocation Services breach compromised information about Canadian military and foreign service personnel
- September 2023: International Joint Commission (US-Canada water rights) targeted by ransomware gang
- 2024: Government of Canada statement warned of "wide-ranging and long-term campaigns" compromising government and private sector systems
Emergency Systems
- September 2023: Pelmorex Corporation ransomware attack disrupted Weather Network and Alert Ready national emergency alert system
Part Two: Canada's Cyber Defence Architecture
Communications Security Establishment (CSE)
CSE is Canada's national cryptologic agency, responsible for:
- Foreign signals intelligence (SIGINT): Collecting intelligence from foreign communications
- Cyber security and information assurance: Protecting government systems
- Defensive cyber operations: Defending Canadian networks
- Active (offensive) cyber operations: Conducting operations against foreign targets
- Technical and operational assistance: Supporting other agencies
CSE traces its origins to World War II code-breaking operations and has operated continuously since 1946. It is a standalone agency reporting to the Minister of National Defence.
By the numbers (2024-25):
- Budget: Just over $1 billion
- Employees: 3,841 full-time (up 6% from previous year)
- Intelligence reports produced: 3,385
- Cyber incidents responded to: 2,561 (1,155 federal institutions, 1,406 critical infrastructure partners)
CSE is explicitly prohibited from directing activities at Canadians anywhere in the world, or at any person in Canada. Its activities are subject to oversight by the Intelligence Commissioner, the National Security and Intelligence Review Agency (NSIRA), and the National Security and Intelligence Committee of Parliamentarians (NSICOP).
Canadian Centre for Cyber Security (Cyber Centre)
Established in 2018, the Cyber Centre is the operational arm of CSE for cyber security. It consolidated previous cyber security functions from multiple departments and serves as:
- Canada's operational and technical lead for cyber security
- Single point of contact for cyber incident reporting
- Publisher of threat assessments, advice, and guidance
- Provider of advanced cyber defence capabilities to critical infrastructure
The Cyber Centre provides services to the federal government, critical infrastructure operators, and increasingly the general public through initiatives like the "Get Cyber Safe" campaign.
Canadian Armed Forces Cyber Command (CAFCYBERCOM)
Established in September 2024, CAFCYBERCOM represents a major organizational milestone—making Canada the eleventh nation to have a dedicated military cyber command.
CAFCYBERCOM is responsible for:
- Defensive cyber operations: Protecting CAF networks, platforms, and systems
- Active (offensive) cyber operations: Conducting cyber attacks against adversaries
- Electronic warfare: Exploiting the electromagnetic spectrum
- Signals Intelligence: Collecting and analyzing foreign signals
- Cyber support to operations: Providing cyber capabilities across all military domains
Led by Major-General Dave Yarker, CAFCYBERCOM works in close partnership with CSE. The CAF has publicly acknowledged conducting cyber operations in support of:
- Operation REASSURANCE (Latvia): Defensive cyber threat hunting on Latvian government and critical infrastructure networks
- Operation UNIFIER (Ukraine): Supporting Ukrainian cyber defence capabilities since early 2022
The creation of CAFCYBERCOM aligns with similar investments by allies in NORAD, Five Eyes, and NATO.
Other Players
Canadian Security Intelligence Service (CSIS): Investigates cyber threats of national security concern, thwarts malicious actors, and provides intelligence assessments. Unlike CSE, CSIS operates domestically.
Royal Canadian Mounted Police (RCMP): Operates the National Cybercrime Coordination Centre (NC3), investigating cybercrime and coordinating with domestic and international law enforcement.
Public Safety Canada: Leads cyber security policy coordination across government, including the National Cyber Security Strategy and critical infrastructure protection.
Five Eyes Partnership
CSE is a member of the Five Eyes—the intelligence alliance comprising Canada, Australia, New Zealand, the United Kingdom, and the United States. This partnership enables:
- Intelligence sharing on cyber threats
- Coordinated attribution of state-sponsored attacks
- Joint defensive measures
- Collaborative development of capabilities
The Five Eyes relationship is described as "the world's longest-standing and closest intelligence-sharing alliance."
Part Three: Defensive Capabilities
Government Network Defence
CSE's automated defence systems protect Government of Canada networks. In 2024-25, these systems blocked 2.3 trillion malicious actions—an average of 6.3 billion per day.
Defence involves multiple layers:
- Network monitoring and intrusion detection
- Malware identification and blocking
- Threat intelligence integration
- Incident response capabilities
Critical Infrastructure Protection
Canada's critical infrastructure spans multiple sectors:
- Energy and utilities
- Finance
- Health
- Food
- Water
- Information and communication technology
- Safety (emergency services)
- Government
- Manufacturing
- Transportation
The Cyber Centre provides services to critical infrastructure operators including:
- Threat intelligence sharing
- Security assessments
- Incident response support
- Advanced defensive capabilities
However, most critical infrastructure is privately owned or operated by provincial/municipal governments. Federal capacity to mandate security standards is limited.
The Critical Cyber Systems Protection Act
Bill C-26, passed in late 2024, establishes a regulatory framework to strengthen baseline cyber security for federally-regulated critical infrastructure vital to national security and public safety. Key provisions:
- Mandatory security standards for designated operators
- Incident reporting requirements
- Government authority to direct security measures during emergencies
This addresses a significant gap—previously, the federal government had limited ability to require private sector cyber security measures.
Threat Warnings and Guidance
The Cyber Centre publishes:
- National Cyber Threat Assessments: Comprehensive biennial reports on the threat landscape
- Threat bulletins: Specific warnings about emerging threats
- Advisories and guidance: Technical recommendations for organizations
- Pre-ransomware notifications: Warnings to organizations showing signs of imminent attack
In 2024-25, the Cyber Centre published 7 major unclassified threat assessments.
Part Four: Offensive Capabilities
What Are Offensive Cyber Operations?
Offensive (or "active") cyber operations involve using cyber capabilities to achieve effects against foreign targets. These might include:
- Disrupting adversary communications or command systems
- Degrading hostile cyber infrastructure
- Supporting military operations
- Countering terrorist or criminal networks
Canada acknowledges conducting offensive cyber operations, though specific details remain classified.
Legal Framework
CSE's authority for active cyber operations comes from the CSE Act (2019). Key constraints:
- Must be authorized by the Minister of National Defence
- Must support foreign intelligence or defence objectives
- Cannot be directed at Canadians or persons in Canada
- Must comply with domestic and international law
- Subject to Intelligence Commissioner approval and NSIRA review
For military operations, CAF offensive cyber operations are "approved by the Government on a mission-by-mission basis."
What Has Canada Done?
While most offensive operations remain classified, Canada has acknowledged:
- Cyber operations supporting Operation REASSURANCE (Latvia) and Operation UNIFIER (Ukraine)
- "Countering sophisticated cybercrime operations"
- "Disrupting foreign-based extremist activity"
In 2022, Canada published its national position on the applicability of international law in cyberspace, establishing the legal framework guiding Canadian operations.
The Deterrence Question
A strategic question: Do offensive capabilities deter adversaries?
Arguments for deterrence value:
- Demonstrating capability may discourage attacks
- Ability to impose costs changes adversary calculations
- Offensive operations can disrupt threats before they materialize
Arguments for skepticism:
- Attribution in cyberspace is difficult—deterrence requires the adversary knowing who retaliated
- Many cyber attackers (criminals, proxies) are not easily deterred
- Escalation dynamics in cyberspace are poorly understood
- Deterrence assumes rational actors making cost-benefit calculations
Canada has not articulated a public cyber deterrence doctrine, leaving questions about when and how offensive capabilities would be employed in response to attacks.
Part Five: Protecting Democracy
Election Security
Foreign interference in elections has become a significant concern. The Cyber Centre assesses that China, Russia, and Iran "will very likely use AI tools to attempt to interfere with Canada's 2025 federal election."
Threats to democratic processes include:
- Cyber attacks on election infrastructure: Targeting voter registration systems, election administration, results reporting
- Hack-and-leak operations: Stealing information and releasing it to influence public opinion
- Disinformation campaigns: Using social media and AI-generated content to spread false information
- Targeting of politicians: Phishing, surveillance, and harassment of elected officials and candidates
CSE helps protect democratic processes by:
- Providing intelligence to government decision-makers about foreign threats
- Defending federal election infrastructure
- Providing cyber security guidance to political parties and Elections Canada
- Sharing threat assessments with the public
The AI Challenge
The 2025 Cyber Threats to Democratic Process report highlighted growing use of artificial intelligence by adversaries:
- Of 151 global elections between 2023 and 2024, there were 60 reported AI-generated disinformation campaigns
- 34 known or likely cases of AI-enabled social media bot networks
- Majority of attributed AI-enabled activity traces to Russia, China, and Iran
AI technologies have become "more powerful and accessible," enabling:
- Synthetic media (deepfakes)
- Automated disinformation generation
- Enhanced social engineering
- More sophisticated phishing campaigns
Despite these threats, the Cyber Centre assesses it is "very unlikely that AI-enabled activities will fundamentally undermine the integrity of Canada's next general election"—though vigilance remains essential.
Foreign Interference Inquiry
The Foreign Interference Commission examined how foreign actors have attempted to interfere in Canadian democratic processes. CSE produced over 85,000 documents supporting the inquiry, demonstrating both the scale of the problem and the challenge of transparency in intelligence matters.
Part Six: Investment and Strategy
Budget 2024 Investments
Budget 2024 proposed $917.4 million over five years to "enhance intelligence and cyber operations programs to respond to evolving national security threats."
Additional investments include:
- $29.7 million over five years for Indo-Pacific cyber security
- Funding for the new CAF Cyber Command
- Resources for the National Cyber Security Strategy
National Cyber Security Strategy (2025)
In February 2025, Canada released a renewed National Cyber Security Strategy. The strategy articulates a long-term plan to:
- Partner with provinces, territories, law enforcement, industry, Indigenous communities, and academia
- Strengthen critical infrastructure protection
- Build a skilled cyber workforce
- Advance cyber security research and innovation
- Enhance incident response capabilities
The strategy recognizes that cyber security is "a whole-of-society concern"—government cannot secure Canadian networks alone.
Workforce Challenges
A recurring theme in Canadian cyber security is workforce constraints. An internal DND review found:
- Shortage of personnel and cyber specialist training
- Recruitment challenges across the CAF
- Security clearance processes taking too long
- 84% of CAF personnel interviewed said there weren't enough cyber operators
CSE's workforce grew 6% in 2024-25 (to 3,841 employees), but demand for cyber expertise far exceeds supply across government and the private sector.
Part Seven: Strategic Questions
The Attribution Problem
Cyber attacks are difficult to attribute definitively. Sophisticated actors:
- Route attacks through multiple countries
- Use infrastructure in neutral territories
- Employ criminal proxies to obscure state involvement
- Deploy "false flag" techniques mimicking other actors
This creates challenges for:
- Determining appropriate responses
- Achieving deterrence (adversaries must know who retaliated)
- Building public consensus for action
- Avoiding escalation based on misattribution
Canada participates in coordinated attribution efforts with allies—publicly naming state actors behind attacks—but attribution often takes months and remains contested.
The Escalation Question
Cyber operations exist in a grey zone between peace and war. Questions include:
- What constitutes a cyber "attack" versus espionage?
- When does a cyber operation justify a response—cyber or otherwise?
- How do adversaries interpret Canadian offensive operations?
- What are the escalation dynamics if both sides conduct offensive operations?
International law on these questions is evolving. Canada's 2022 statement on international law in cyberspace contributed to norm development, but significant uncertainties remain.
The Private Sector Problem
Most Canadian critical infrastructure is privately owned. Government can:
- Provide threat intelligence
- Offer guidance and support
- Establish minimum standards (through Bill C-26)
But government cannot directly secure private networks. This creates dependency on private sector investment, awareness, and competence—which varies enormously across organizations.
The Transparency Dilemma
Intelligence agencies operate through secrecy—revealing capabilities or methods helps adversaries evade them. But democratic accountability requires some transparency:
- How do citizens evaluate whether investments are worthwhile?
- How do we know if offensive operations are used appropriately?
- How do we assess threats we cannot independently verify?
The Cyber Centre's public threat assessments represent an effort at transparency, but citizens must ultimately trust government assessments they cannot fully verify.
Part Eight: Questions Worth Asking
Citizens evaluating cyber defence policy might consider:
On Threats
- How do we know? Government threat assessments come from classified sources. How should citizens evaluate claims they cannot independently verify?
- Proportionality: Are the threats as severe as described? How does the risk compare to other challenges (health, climate, economic)?
- Who benefits? Does threat inflation serve organizational interests (bigger budgets, more authority)? How do we distinguish genuine threats from institutional interest?
On Capabilities
- Are we effective? 2.3 trillion blocked actions sounds impressive—but is it the right metric? What attacks succeed despite defences?
- Offensive operations: Under what circumstances should Canada conduct offensive cyber operations? Who decides? What oversight exists?
- Deterrence: Do Canadian capabilities actually deter adversaries? How would we know?
On Investment
- Enough resources? Is $1+ billion annually for CSE sufficient given the threats? How should cyber investment compare to traditional defence?
- Right priorities? Should more resources go to defence versus offence? Government networks versus critical infrastructure? International cooperation versus domestic capability?
- Workforce: How does Canada compete for cyber talent against private sector salaries and foreign governments?
On Governance
- Accountability: How do citizens hold intelligence agencies accountable for operations they cannot see?
- Rights balance: How do we balance security against privacy concerns? Is CSE oversight sufficient?
- International cooperation: How much should Canada depend on Five Eyes versus developing independent capabilities?
Conclusion: The Continuous Battle
Cyber threats represent a fundamental shift in the nature of national security. Unlike traditional military threats, cyber attacks:
- Happen continuously, not just during declared conflicts
- Target civilian infrastructure as much as military systems
- Blur distinctions between state actors, criminals, and proxies
- Can be conducted remotely with minimal physical risk to attackers
- Evolve rapidly as technology changes
Canada has built significant capabilities to address these threats. CSE, the Cyber Centre, and the new CAF Cyber Command represent substantial institutional capacity. Investments are increasing. Legal frameworks have been updated.
But challenges remain enormous:
- State-sponsored threats continue to grow in sophistication
- Ransomware affects organizations that cannot adequately defend themselves
- Critical infrastructure remains vulnerable
- Workforce shortages constrain capacity
- The private sector owns most of what needs protecting
For citizens learning about national security, cyber defence illustrates several broader themes:
- Invisible threats: Much of what matters in security cannot be seen directly
- Technical complexity: Understanding requires specialized knowledge most citizens lack
- Trust requirements: Democratic oversight depends on trusting institutions we cannot fully verify
- Resource constraints: Even wealthy nations cannot address every threat
- International dependencies: Security increasingly requires cooperation with allies
Cyber security will remain a central defence challenge for the foreseeable future. Understanding how it works—and what questions to ask—is essential for informed citizenship.
This article is intended as educational context for the Ducklings civic engagement platform. It presents multiple perspectives and does not advocate for any particular policy position.
Appendix: Key Statistics
Communications Security Establishment (2024-25)
- Budget: ~$1 billion
- Employees: 3,841
- Intelligence reports: 3,385
- Cyber incidents responded to: 2,561
- Malicious actions blocked: 2.3 trillion
Threat Landscape
- Primary state threats: China, Russia, Iran, North Korea
- Global ransomware increase (2023 vs 2022): 74%
- Global ransom payments (2023): $1 billion USD
- Average Canadian ransom paid (2023): $1.13 million CAD
- Canadian recovery costs (2023): ~$1.2 billion
Incidents
- Municipal cyber incidents since 2020: 100+
- Major healthcare attacks (2015-2024): 14+
- Ontario patient records compromised (2023): 50,000+ (hospital attacks), 3.4 million (pregnancy care breach)
Investment
- Budget 2024 cyber funding: $917.4 million over 5 years
- CSE workforce growth (2024-25): 6%
Canadian Armed Forces Cyber Command
- Established: September 26, 2024
- Commander: Major-General Dave Yarker
- Canada's ranking: 11th nation with dedicated military cyber command
Democratic Process
- Global elections with AI disinformation (2023-24): 60 of 151
- AI-enabled bot networks detected (2023-24): 34
- CSE documents supporting Foreign Interference Inquiry: 85,000+