SUMMARY - Critical Infrastructure and Cyber Threats
The systems Canadians depend on daily—power grids, water treatment, telecommunications, banking, transportation, healthcare—increasingly rely on digital infrastructure that is vulnerable to cyberattack. As critical infrastructure becomes more connected and automated, the potential consequences of successful attacks grow more severe. Understanding these threats, and how Canada is responding, is essential for informed discussion of national security in the digital age.
What Is Critical Infrastructure?
Critical infrastructure encompasses the systems and assets essential to public health, safety, security, and economic wellbeing. Canada identifies ten critical infrastructure sectors: energy and utilities, finance, food, transportation, government, information and communication technology, health, water, safety, and manufacturing. Disruption to any of these sectors could have cascading effects across the others and throughout society.
These systems have become deeply interconnected and increasingly digital. Industrial control systems manage everything from electricity generation to water purification. Financial systems process billions of transactions daily through networked computers. Hospitals rely on connected medical devices and electronic health records. This digitization brings efficiency but also creates attack surfaces that did not exist when critical infrastructure was primarily mechanical.
The Threat Landscape
Nation-State Actors
The most sophisticated cyber threats to critical infrastructure come from nation-states with significant resources and strategic objectives. Russia, China, Iran, and North Korea have all been implicated in cyber operations targeting Western infrastructure. These operations range from espionage and intelligence gathering, through prepositioning for potential future attacks, to actual destructive operations.
The 2015 and 2016 attacks on Ukraine's power grid, attributed to Russian actors, demonstrated that cyberattacks could cause real-world blackouts affecting hundreds of thousands of people. While no comparable attack has occurred in Canada, security agencies warn that similar capabilities exist and that Canadian infrastructure is targeted for reconnaissance.
Criminal Organizations
Ransomware attacks by criminal groups have hit critical infrastructure repeatedly in recent years. Hospitals have had systems locked, forcing them to divert patients and delay procedures. Pipeline operators have paid millions in ransom to restore operations. Municipal governments have seen services disrupted for weeks. These criminal attacks, while financially motivated, can have impacts as severe as state-sponsored operations.
The line between criminal and state activity is often blurred. Some ransomware groups operate with the tacit approval or active support of state sponsors, particularly Russia. This nexus of criminal and state threats complicates attribution and response.
Insider Threats and Human Error
Not all infrastructure threats come from external adversaries. Insider threats—whether malicious employees or those compromised by external actors—pose significant risks. Human error, such as clicking phishing links or misconfiguring security settings, creates vulnerabilities that attackers exploit. Many successful attacks begin with social engineering rather than technical sophistication.
Vulnerabilities in Canadian Infrastructure
Legacy Systems
Much critical infrastructure runs on aging technology never designed for security. Industrial control systems installed decades ago may lack basic security features and cannot easily be patched or updated. Replacing these systems is expensive and disruptive, so many organizations continue operating vulnerable equipment.
Supply Chain Risks
Critical infrastructure depends on components, software, and services from global supply chains. Vulnerabilities in these supply chains can propagate through many systems. The SolarWinds attack, which compromised software used by thousands of organizations including government agencies, illustrated how supply chain attacks can achieve broad impact.
Concerns about specific vendors, particularly those with ties to adversary nations, have led to restrictions on using certain equipment in telecommunications networks. But comprehensively securing supply chains remains a significant challenge.
Interconnection and Cascading Failures
The interconnection that makes modern infrastructure efficient also creates systemic risk. A cyberattack on the electricity grid could disable water treatment plants, hospitals, and telecommunications. Disruption to telecommunications could impair financial systems and emergency services. These cascading effects could amplify the impact of an attack far beyond its initial target.
Private Sector Ownership
Most critical infrastructure in Canada is privately owned and operated. This creates coordination challenges, as government cannot simply mandate security measures without considering economic impacts and property rights. Private operators may underinvest in security if they do not bear the full costs that potential attacks would impose on society.
Canadian Response and Preparedness
Government Structures
Multiple government agencies share responsibility for critical infrastructure cybersecurity. The Canadian Centre for Cyber Security provides advice and support to critical infrastructure operators. Public Safety Canada coordinates national strategy. The Communications Security Establishment conducts foreign cyber operations and supports domestic defence. Sector-specific regulators address particular industries.
This distributed structure allows specialization but creates coordination challenges. Critics have called for clearer leadership and more unified approaches.
Regulatory Frameworks
Canada's approach to critical infrastructure security has historically relied more on voluntary guidelines than mandatory requirements. This is changing. New legislation and regulations are imposing security requirements in some sectors, though implementation varies. The balance between prescription and flexibility remains contested.
Information Sharing
Effective defence requires sharing threat information between government agencies, critical infrastructure operators, and international partners. Information sharing mechanisms exist but face obstacles including classification restrictions, liability concerns, and competitive sensitivities. Improving information sharing while protecting sensitive data remains an ongoing challenge.
Incident Response
When incidents occur, response capacity matters as much as prevention. Canada has developed cyber incident response capabilities, but questions remain about whether these are adequate for major attacks affecting multiple critical systems simultaneously.
International Dimensions
Cybersecurity is inherently international. Attacks originate from around the world, and infrastructure often spans borders. Canada cooperates closely with allies, particularly through the Five Eyes intelligence alliance, on cyber threats. International norms regarding state behaviour in cyberspace are developing but remain contested, with limited enforcement mechanisms.
Offensive cyber capabilities—the ability to conduct cyberattacks against adversaries—are increasingly seen as part of deterrence and response. Canada has acknowledged developing such capabilities, though details remain classified. The ethics and effectiveness of offensive operations are debated.
Balancing Security and Other Values
Cybersecurity measures involve trade-offs with other important values. More intrusive monitoring might improve security but raises privacy concerns. Restricting certain technologies might reduce risks but also reduce innovation and competitiveness. Security requirements impose costs that may be passed to consumers or reduce investment in other priorities.
Democratic oversight of cybersecurity activities is essential but challenging given the classified nature of much cyber intelligence. Finding appropriate transparency while maintaining necessary secrecy remains difficult.
Questions for Further Discussion
- Should Canada impose mandatory cybersecurity standards on critical infrastructure operators, and if so, how prescriptive should these be?
- How should responsibility for critical infrastructure security be shared between government and private sector owners?
- What level of investment in cybersecurity is appropriate, and who should bear the costs?
- How can Canada better prepare for and respond to major cyber incidents affecting critical systems?
- What role should offensive cyber capabilities play in Canada's national security strategy?