Canadian Cyber in Context is sponsored by

All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.

For many, the yearly DND/CAF Departmental Results is not worth thinking too much about as it usually contains a lot of information that we already know and is usually outdated (Looking at you

However, this has not always been the case with cyber issues. DND/CAF’s annual Departmental Results is often one of the few times you would get updates about DND/CAF’s cyber force development. Over the past few years, this has gradually changed as DND/CAF has expanded its capabilities and initiated a more comprehensive digital modernization effort, becoming more open and transparent (where possible) about these activities. I would also like to think that my constant pestering and poking about what the departmental results say, and don’t say, helps motivate them to provide more clarification, but every academic likes to think their impact is greater than it is.

It is also important to note that this is part of a broader trend to have more detail in the Departmental Results that each Government of Canada department must release annually.

This article will take a look at what the latest DND/CAF’s Departmental Results Report 2023-24 says about cyber or related digital capabilities and provide some additional commentary or explanation about them. There are still major gaps in what is reported, so I will attempt to focus on just what the Departmental Results says and provide any additional context. I will be covering the Departmental Plans in a later article.

Background

What should we all expect when reading this document? Personally, I expected a lot. In 2024 alone, the Digital Services Group (DSG) and CAF Cyber Command (CAFCYBERCOM) were both created. The reorganization and creation of these organizations represent a fundamental paradigm shift in DND/CAF’s approach to cyber and digital capabilities. The DSG reorganized DND’s organizations, which oversee and manage DND’s digital enterprise, into a single organization after more than a decade of complicated and overlapping authorities, responsibilities, and accountabilities. CAFCYBERCOM raised the role of the CAF’s Cyber Forces in the CAF itself by creating an independent command where the commander reports directly to the Chief of the Defence Staff (CDS).

Under the CAF Digital Campaign Plan, 2025 was intended to be the year that DND/CAF centralizes its digital modernization, marking a stronger push for digital modernization in the years to come. The Departmental Results include a lot of indicators as to how DND/CAF are on track with this plan and are in the process of centralizing its management of digital modernization.

The departmental results breaks down DND/CAF’s work into six core responsibilities and internal services. I will cover any noteworthy mention of cyber or digital capabilities and provide some additional commentary.

Core Responsibility 1: Operations

Operations cover DND/CAF’s activities to “detect, deter and defend against threats to or attacks on Canada.” This section contains a lot of what the CAF is actively doing, but only little bits concerning cyber operations.

Not surprisingly, one of the most prominent and first mentions is related to Operation UNIFIER:

Since 2022, CAF and CSE have been providing cyber security support to Ukraine. CAFCYBERCOM Commander Yarker recently described this operation along similar lines as the joint defensive operations in Latvia. The Latvian operation is Operation REASSURANCE, which is Canada’s contribution to the NATO Enhanced Forward Presence leading the Latvia Battle Group. Although the Departmental Results do not mention it, the CAF conducts a joint defensive cyber operation with Latvia as part of its NATO commitment. These joint operations are an invaluable source of training and intelligence, contributing to both Latvia and Canada’s cyber defence. These Operations are likely to continue in the future and are cornerstones to the CAF’s cyber defence activities. The specific “placing pressure on CAF force generation” is likely referring to non-cyber security elements, as I will explain in the next section.

Core Responsibility 2: Ready Forces

The Ready Forces refers to “Field combat-ready forces able to succeed in an unpredictable and complex security environment in the conduct of concurrent operations associated with all mandated missions.” The “cyber” in this section refers to the “Ready Cyber and Joint Communication Information Systems (CIS) Forces,” which broadly includes CAFCYBERCOM, CAF Cyber Forces, and related trades and forces.

As far as I know, there has not been a significant increase to the numbers of the CAF Cyber Forces. Previously, they had been struggling to meet their targets for cyber operators and CIS forces. However, CAFCYBERCOM at the very least appears to be happy with the current number of personnel, and they have noted that there has been no major increase in personnel since its launch in September 2024. There have been some hints that they will be expanding; however, no information is available yet on what this will entail. The new defence investments announced will include a sizeable investment in cyber capacity and capabilities, so we can expect the CAF Cyber Forces to benefit as a result.

Hidden away in this section is a pretty detailed update on some network architecture improvements. Overall improvements in procuring a secure gateway to support better access to classified information in support of major and minor capital programmes may be for specific procurement activities, but this also likely supports eventual procurement of Secret Cloud. One of the biggest obstacles to procuring Secret Cloud is adhering to regulations related to how secret data can be accessed and stored and such a gateway may help to overcome such obstacles for a more permanent Secret Cloud solution. This is in addition to a range of other improvements that paint a picture of DND/CAF steadily modernizing its network infrastructure and replacing legacy systems with more cloud-based and interoperable systems.

Exercises

This section also lists some of the exercises the CAF has been involved with, which have increasingly incorporated cyber and the CAF Cyber Forces. This includes:

• Exercise COALITION SPACE FLAG

  • A United States Space Force-led collective defence in space exercise, which includes cyber and electronic warfare

• THORS HAMMER 23 and SCHRIEVER WARGAME 23

  • THORS HAMMER and SCHRIEVER WARGAME are future-based space and cyber wargames.

    • THORS HAMMER is attended by the Four-Eyes nations (United States, Canada, United Kingdom, and Australia) that is concerned with “optimizing Allies’ space intelligence gathering architectures and the conduct of combined space operations.”

    • SCHRIEVER WARGAME is attended by the Five Eyes, Germany, France, and Japan and focused on optimizing allied space intelligence gathering and combined space operations.
      

• Locked Shields

  • This section actually does not contain all the cyber-related exercises CAF Cyber Forces have participated, one of the biggest being Locked Shields. Locked Shields is an annual NATO cyber defence exercise, which the CAF has been attending for some time. However, as far as I can tell, their participation has only been regularized in the past few years.

  • Locked Shields is a purely defensive exercise and includes Canadian organizations other than the CAF as well.

Share

Core Responsibility 3: Defence Team

Whereas the Ready Forces refers to field, combat-ready forces, Defence Team refers to the whole of DND and CAF. When looking at the raw numbers, there are both positive and negative signs. The overall amount of regular and reserve force positions being filled has increased, but occupations with critical shortfalls have increased.

By and large, the number of positions filled is improving, and the CAF has more intake than attrition, which includes filling critical shortfalls. However, the departmental results note that training requirements for recruits to be trained to effective strength mean there is a delay between an intake of someone for a critical occupation and actually filling that role due to the time it takes to train them.

There are no indications that Cyber Operators are amongst the occupations with critical shortfalls in the Departmental Results and based on public and private statements by CAFCYBERCOM officials. However, the Cyber Operator occupation has the potential to face shortfalls. This is due in part because training takes approximately 72 weeks to complete. In addition, the training itself is considered difficult by some, although it is unclear if this is in part a result of dissatisfaction with Willis College, which provides 60 weeks of cyber security foundations training. The departmental results states that significant effort has been placed on improving the training infrastructure for Cyber Operators, which has dramatically improved over the last couple of years. While there remain major issues, it has come a long way and they appear to be steadily moving towards developing a full military cyber operator military school.

In addition to restating what CAFCYBERCOM has been communicating publicly, it provides another update that the CAF is studying if it should establish a Cyber Officer occupation. Despite how this section makes it sound, the Cyber Officer occupation study is scheduled to be completed this year. There is mixed messaging about its creation this year, but as I understand it, the study is only set to be completed in 2025, and the occupation is not being established this year. This means that the Cyber Officer occupation is not guaranteed to occur. The entire CAF Cyber Forces wants the Cyber Officer occupation, but there has long been resistance from DND and senior CAF leadership. I want to think that the study will support the creation of a Cyber Officer occupation, but I fear most of what I have heard is from biased sources in favor of its creation.

One thing that jumped out to me that could impact Cyber Forces’ numbers is that morale appears to be worsening. Military personnel increasingly do not view the CAF as providing a reasonable quality of life for service members and their families. This could have an even greater impact on cyber because DND/CAF recognizes that they cannot compete with the private sector for funding/pay, so any additional hardship they impose makes it even harder to retain the people who want to be in the CAF and contribute to their country.

Core Responsibility 4: Future Force Design

Future force design is probably the most straightforward category, which involves understanding future threats, security risks, and operating environments, and preparing DND/CAF to operate effectively in these environments and address new and evolving threats and risks.

Although public messaging does not always communicate this well, addressing cyberspace is a cornerstone of future force design and digital modernization.

If you have followed me for any length of time, you will know how important the Digital Campaign Plan for DND/CAF. For those unfamiliar, the Digital Campaign Plan is the CAF’s plan to undergo a full digital transformation and become a digitally modern organization. Here it says that the Digital Campaign Plan was approved with $200 million over five years. Overall, this is not much to really undergo digital modernization. However, the new defence investments which specifically provide funding for “digital foundations” is likely to contribute in major ways to help DND/CAF to pick up its pace in digital modernization.

The Cyber Mission Assurance Program (CMAP) can broadly be viewed as the mechanism to ensure cyber security across all levels of DND/CAF, including land, air, sea, and space domains. As DND/CAF improve its networks overall, this will improve the CMAP’s ability to defend DND/CAF networks.

Core Responsibility 5: Procurement of Capabilities

This section is fairly self-explanatory and focuses on DND/CAF’s ability to procure new capabilities and use procurement to maintain and innovate their existing capabilities.

Defence Information Technology acquisition is… Well Managed?

This next section is what I would describe as the reason you often have to take some of the statements made in the Departmental Results with an enormous grain of salt.

While there have indeed been significant improvements over the last few years in management, I am hesitant to say that DND/CAF’s defence information technology management acquisition has been well-managed, given that it has been undergoing constant change management for the past few years. In addition, some of the major projects are behind schedule.

Although the DND/CAF is satisfied with the number of cyber operators they currently have, there have been vacancies in other areas, such as procurement for cyber-related projects. These can be very challenging to fill because you need individuals who understand how the military will use the technology, understand the procurement process itself, and have the appropriate classification levels to be involved. Similar to how it can take time to fill operational roles with training, these policy and procurement-related roles require a lot of time to develop the dual-fluency to understand everything involved.

The biggest change over the last year has been the creation of the Digital Services Group, which has been a major step forward. I would like to think there has been a dramatic shift in how procurement is managed, but there have not been enough public indicators that enough has changed to warrant such statements.

Core Responsibility 6: Sustainable Bases, Information Technology Systems and Infrastructure

This section covers quite a broad category, which most often people associate with bigger and more traditional infrastructure such as physical bases, runways, roads, radars, but a sizeable portion is the physical information technology infrastructure for communications and data. Despite Information technology being included in this category, there has historically been very little information about how much funding in this category is specifically for information technology and what this category even includes. As a result, there is not much to talk about here other than to say there is a lot of information technology infrastructure that is included here.

Internal Services

The last major section concerns Internal services, which “are the services that are provided within a department so that it can meet its corporate obligations and deliver its programs.” This includes a lot of administrative or bureaucratic functions which ensure that DND/CAF functions as a large organization, which includes “information management services” and “information technology services.” This covers a lot of the functions of the Digital Services Group.

However, as much as the Digital Services Group handles much of the administration and bureaucracy of digital and cyber capabilities, they ultimately service the rest of DND/CAF. As an example, DND/CAF’s public and digital communications:

There is still a lot to criticize about DND/CAF’s public engagement and transparency, but there have been concerted efforts to improve digital communications over the last few years. They boast a 6.6% increase in audience across social media platforms, but I would argue that this is quite small and there should be a much bigger increase in light of the major defence investments and changes over the last couple years. Improving transparency and how DND/CAF engages with the public should be a priority and would produce many benefits.

Lots of Data Stuff Happening

Data and properly making use of all the data that DND/CAF has is the bedrock to digital modernization and future pan-domain command and control operating concepts.

• A DND/CAF Data Operating Model will be developed

• The Digital Literacy Roadmap will be expanded to included data and AI

• A Chief Data Officer Instruction on Data Access Requests has been created

• Data Stewardship Model is being applied across DND/CAF

• Data costing guide is being finalized

• A Chief Data officer Directive on Minimum Baseline Metadata is being developed

Baby Steps to Cloud

A lot of work is being done to ensure DND/CAF is ready to adopt cloud infrastructure. This is something I do not think I fully appreciated before. It will not be enough to simply procure a secret cloud capability and grow current capabilities, but all places information technology and networking infrastructure will need to be bolstered to ensure secure and reliable access to DND/CAF cloud.

Consider the difficulties that others regularly have to access internet throughout Canada. DND/CAF are facing the same difficulties as it develops its infrastructure to ensure that it will even be able to have access to its cloud capabilities.

TL;DR: What are the Takeaways

There was a lot here, so what are the takeaways?

• DND/CAF have made major positives steps to reorienting how it manages its digital and cyber enterprise

• I am unsure if I would agree that information technology acquisition is well managed, but there are a lot of positive indicators that it has dramatically improved.

• Many major cyber capability projects remain behind schedule, but new defence investments are intended to help change this and help bolster procurement processes.

  • Digital and cyber capabilities are identified as a priority amongst this.

• CAFCYBERCOM is in a very positive position for personnel and funding, but not face the tough task of growing as an organization. In particular, growing from many disparate parts into a more unified CAFCYBERCOM.