Canadian Cyber in Context is sponsored by

All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.

For the first time in recent memory in Canada, national security and defence were major election issues. Both the Liberal Party and the Conservative Party released costed platforms that included aspects of strengthening national security and national defence; however, there was a noticeable absence: cyber security.

Although the Liberal Party’s platform included a few mentions of cyber, including in relation to advanced defence research, it is largely devoid of policies to promote or improve cybersecurity, and there is no mention of how they would follow through to achieve the goals set out in the National Cyber Security Strategy. Although the Liberal platform had little regarding cyber security, there is an entire section dedicated to digital infrastructure, which is fantastic to see (although I will overlook its emphasis was on AI/ML infrastructure).

Now that the liberals have won another minority government with a renewed mandate, Prime Minister Mark Carney remains as Prime Minister. It was announced that the new cabinet would be sworn in on May 13th, 2025. As we await the new cabinet, one thing is certain:

Canada needs a Minister of Cyber Security and Digital Services

Background

From 2018 until 2021, Prime Minister Justin Trudeau’s government had a Minister of Digital Government, with a portfolio that included:

• Shared Services Canada

• Digital strategies and programming of the Treasury Board Secretariat

• A range of projects that effectively leads digital modernization across the federal government

By many measures, the Minister of Digital Government was a success. Although it only lasted three years and had three ministers, the government’s digital services for Canadians improved, many of the intra-department problems between Shared Services Canada (SSC) and other departments were being resolved, and the federal government’s online footprint and available information to the public increased. When SSC was first created, it was by all measures a disaster that took years to resolve. The Ministers of Digital Government helped to resolve many of the lingering issues that the creation of SSC made and helped to reestablish its reputation. While I do not think even SSC would say they are perfect, we have SSC in a strong position to better manage the government’s digital services and cyber security. If SSC’s ongoing development and growth is to stagnate, this would be harmful for the government, Canadians, and business.

However, since 2021, Canada’s digital services and commitment to cyber security have deteriorated due to a lack of focus and being relegated to tertiary status. This is perhaps most clear when looking at the latest National Cyber Security Strategy, which did not meet anyone’s expectations and left much to be desired. However, where the National Cyber Security Strategy was lacking, a Minister of Cyber Security and Digital Services could help develop an action plan to achieve the objectives and lead SSC, Treasury Board mechanisms related to cyber security, and work with ISED, Public Safety, and other departments as needed.

Why?

• Businesses spending money to prevent or detect cyber security incidents decreased from 61% in 2021 to 56% in 2023. (Stats Canada)

• On average, data breaches affecting Canadian organizations cost $6.32 million.

• Canada used to be ranked very high internationally for e-government, but has sharply dropped to 47th place after it was previously 5th in the world.

• The current federal government’s cyber security policy is developed and managed by committees composed of career bureaucrats from federal departments without a Minister.

• 70% of small and medium businesses lack skilled personnel to implement or monitor cyber security.

• 72% of small and medium business leaders reported being attacked by cyber criminals in 2024.

What are the Advantages?

This whole article could list statistics related to the status of cyber security in Canada to paint a troubling picture. Simultaneously, there are some positive signs that attacks are on the decline, but the volume of attacks does mean there is a reduction in successful attacks. On the contrary, the introduction of AI/ML and new methods is rapidly changing the threat environment into one that is more dangerous than ever. We Need a Minister of Cyber Security and Digital Services to ensure Canada maintains pace against the rising threats from criminals and adversarial states like Russia and China.

Leadership and Direction

The Deputy Ministers' Committee on Cyber Security (DM Cyber Security) is responsible for coordination, policy, and strategic objectives related to cyber security. The DM Cyber Security is responsible for:

• Identifying policy, legislative and program opportunities to ensure that Canada's 21st-century digital economy is secure by design, and that Canada is recognized internationally for leadership on cyber security issues; and

• Overseeing the evolution and progress of Canada's National Cyber Security Strategy implementation.

Having a Minister for Cyber Security and Digital Services to provide greater oversight and direction on behalf of the government to accomplish government priorities. The National Cyber Security Strategy lacks any kind of planning or implementation mechanism and broadly lays out a wishlist. A Minister of Cyber Security would help operationalize the strategy and oversee that it is actually implemented.

Presently, the Minister of Public Safety is the primary minister with the mandate to oversee Canada’s national cyber security and the strategy, but those to

Greater Accountability

With the release of the new National Cyber Security Strategy, the previous plan no longer applies. However, consider what happened with the 2018 National Cyber Security Strategy. Was it a success? What did it accomplish? What did it not accomplish? Why and why not?

These types of questions are not the government's concern because they haven’t made them one. There is currently no evidence to suggest that this was done internally. We will likely have to wait until someone not in the government does it themselves, and it will be a matter of whether the government cares enough to give it a look. As a result, Canadians are unlikely to know if the government is actually achieving its objectives related to cyber security because the government is not putting enough effort to ensure there is accountability.

This is all to say that there is little to no accountability in Canadian cyber security policy. Canada could achieve absolutely nothing under the current strategy, and the most that we could likely expect is a new strategy. I have yet to review the 2018 National Cyber Security Strategy to see what was accomplished, which is warranted because at the moment, we do not know if Canada achieved anything under the previous strategy.

Expansion in Cyber Security and Digital Services

Current approaches to cyber security across the government of Canada can broadly be described as good. The Communications Security Establishment (CSE) has a very extensive set of sensors across the government to help protect the federal government. Based on CSE’s latest report, 167 federal institutions and Crown corporations are protected by CSE sensors, which includes:

Host-based sensors protecting 102 federal institutions

Cloud-based sensors protecting 80 federal institutions

Network-based sensors protecting 84 federal institutions

Virtual network-based sensors protecting 5 federal institutions

This is a lot and CSE has been steadily growing these sensors over the past 10 years. However, Parliament has called for an expansion of this. The impediment here isn’t CSE, but federal institutions to spend the time and energy to request and pay for these sensors. Cyber security is not static, but the threat environment is constantly changing and the government has to respond accordingly to protect their systems. A Minister of Cyber Security would support this and help expand the CSE’s sensors program to better protect Canada from evolving threats.

TL;DR: So What?

Canada’s public and private sectors are constantly inundated with attacks from criminals and states. Ransomware continues to decimate the public sector, as Canadian libraries, schools, and universities are increasingly becoming favourite targets of ransomware groups. Even if a ransomware actor is paid, it is not unheard of for them to still try to extort others based on the data stolen, despite assurances it has been deleted, which is happening right now in Canada.

A Minister of Cyber Security and Digital Services is not an easy fix for all of Canada’s cyber security issues, but it will show that the government is committed to cyber security. Not only in terms of cyber security to protect Canadians, but also to grow Canada’s cyber security industry. Canada has an extremely robust cyber security industry that is recognized internationally, which can and should be supported to grow the sector, market it, and leverage it in government procurement to support homegrown Canadian cyber security businesses and products. A Minister of Cyber Security would help to lead in a time of complexity and provide confidence to Canadians that the Government of Canada is committed to ensuring cyberspace is safe to use.