Canadian Cyber in Context is sponsored by

All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.

Feature your business in Canadian Cyber in Context through sponsorship.

On February 17th, the Government of Canada finally released its long-awaited Security, Sovereignty and Prosperity: Canada’s Defence Industrial Strategy. As authoritarian states rise and seek to dismantle the rules-based international order established since the end of World War 2, Canada cannot rely on its allies and must increase its own defence investments to counter decades of inattention. The Defence Industrial Strategy is meant to accomplish this and I will breakdown and highlight where cyber and broader ICT plays a role in the strategy.

The vision of the Defence Industrial Strategy is to build "A robust Canadian defence industry that provides technological and operational advantage to the Canadian Armed Forces and its security partners in their mission to defend Canada, and maximizes growth, job creation and economic benefits for all Canadians."

Share

The Strategy has five pillars:

1. Renewing the government’s relationship with industry

2. Procuring strategically through the new Defence Investment Agency and a new Build-Partner-Buy framework

3. Investing purposefully to strengthen an innovative Canadian defence sector

4. Securing supply chains for key inputs and goods

5. Working with domestic partners, including in Canada’s North and Arctic

The Strategy identifies seven key areas where Canada already has strengths: space, artificial intelligence, cyber, quantum technologies, medical countermeasures, robotics, and drones. These are key areas that area repeated throughout the strategy and where we will see some of the largest and most focused investments.

Many of the key 10-year goals of the strategy will impact including build world-leading Canadian firms in key sovereign capability areas; increase the share of defence acquisitions awarded to Canadian firms to 70%; accelerate procurement of successful Canadian R&D innovations; boost government investment in defence-related reseach and development by 85%; increase total Canadian defence industry revenues by more than 240%; grow defence revenues for Canadian SMEs by more than $5.1 billion annually; increase Canada’s defence exports by 50%; create 125,000 new jobs.

All of these goals tie directly into Canada’s cybersecurity industry, which is as dual-use of a technology as you can get.

Cyber as a Key Sovereign Capability

The federal government’s increased focus on defence matters has also coincided with a greater emphasis on cyber as a key capability, yet it is often overlooked because many capabilities are not considered intrinsically required for national security. In the Defence Industrial Strategy, the government actually lays out the Canada’s key sovereign capabilities. While there is no specific “cyber” capability, the closest is Digital Systems, with some overlap with other key capabilities areas.

Key Area 3: Digital Systems

• Secure Cloud; Artificial Intelligence; Quantum Computing and Communications; Integrated Command, Control and Communications; High-Assurance Communications Equipment

You can also say cyber touches on:

Key Area 1: Aerospace:

• Aerospace Platforms; Avionics; and Aircraft Communications.

Key Area 6: Sensors

• Marine Sensors; Quantum Sensors; Electronic Warfare.

Key Area 7: Space

• Space-based intelligence; Surveillance and Reconnaissance; Space Domain Awareness; Satellite Communications; Space Launch.

Cyber and digital capabilities touch nearly everything. Although the areas above are most directly connected to cyber, it can be argued that everything relies on cyber in some capacity; the question is how large or small that role is. The future of warfare is data and connectivity, which means cyber is at the heart of everything.

Canadian Cyber Security Industry Quick Facts

• Canada is the 4th largest hub for cybersecurity in the world

• The broader cyber security industry and value chain contribute more than $3.2 billion to Canada’s annual GDP, representing more than 30,000 jobs.

• In 2020, Canadian cyber security services produced over $1.15 billion in exports, with nearly 80% going to Five Eyes partners.

• 94% of Canada’s cyber firms are SMEs and 99.7% of Canadian AI firms are SMEs

• The research and development intensity in the cyber security industry was close to 2.5 times the Canadian ICT average in 2020.

• Growth in cyber security revenues is nearly double that of the broader ICT sector

In other words, Canada’s cyber security is a major economic force in the country and was already growing quickly without the additional support and investments via the defence industrial strategy. Many of these figures are old, but the stats remain the same or are even higher in 2025/26.

The strategy estimates that more than half a trillion dollars of downstream economic activity and overall investment will occur. This is a massive opportunity for Canada’s cyber industry that must take advantage, but it will take some adjusting to understand the nuances of the defence sector compared to the general market.

Pillar 1: Renewing Relationship with Industry

While no one will dispute that there is an inefficient and unproductive relationship between the federal government and defence industry, the cyber security industry wishes it had the relationship with the government that the defence industry does.

In Canada’s National Cyber Security Strategy, forging whole-of-society partnerships was the first objective that centred on a Canadian Cyber Defence Collective. However, the government’s efforts to do this are not off to a great start. The cyber industry should not expect any cyber-specific gains or advantages from Pillar 1 efforts, but there is still room for cyber to benefit from this, as with all other sectors.

This pillar focuses on how the government will improve its engagement with industry, including through procurement and partnerships. This includes the already launched Defence Investment Agency, as well as two other key actions of interest to the cyber industry in security clearance and ISED support.

The government will invest to speed up the security clearance process. This is something that everyone, including cyber folk, is hit with. Many people must go through the process to work in a field that many complain is overly classified, which can bottleneck operations due to security clearance requirements. This is good news for everyone.

The Government will also be investing in “dedicated ISED ‘concierge’ service for companies working on defence and dual-use technologies.” This includes cyber and is likely to be of a massive benefit once implemented. Given the niche, small areas cyber firms can cover, this concierge service and the many opportunities listed are likely to be a significant advantage for the cyber industry and the broader defence industry in integrating Canadian cyber.

Pillar 2: Procuring Strategically/Build-Partner-Buy Framework

This pillar centers on Canada’s need to develop strategic capabilities domestically, supported by the Build-Partner-Buy framework to guide this process. A significant focus here is on developing and securing Canadian intellectual property (IP) to ensure Canada maintains strategic capability and that the economic benefits of that IP remain in Canada.

The Build-Partner-Buy framework will be an approach led by the Defence Investment Agency to integrate the separate defence, industry, and procurement authorities and inputs to enable faster, coordinated decisions on capability acquisition. The framework seeks to prioritize purchasing from Canadian suppliers, investing in Canadian capabilities, including frontier areas such as AI and cyber, and partnering to build and maintain sovereign control. The Defence Investment Agency has already taken on multiple projects, including the Enhanced Satellite Communications Project – Polar, Airborne Early Warning and Control, Operational Training Infrastructure Enterprise Modernization, and others that are cyber or overlap with cyber.

Part of this pillar that has already been making headlines is that the Government will enter into partnerships with “champions” to help “[secure] domestic ownership and control over critical intellectual property and capacities - while also supporting Canada’s larger geopolitical objectives…” The government has already been doing this to a degree If you have been following the government’s approach to AI at all and their support of Cohere. This is a good approach and something that could be good with championing certain cyber firms, but it comes down to their process.

It is important to note that this approach is intended to protect IP and the economic benefits thereof AND to safeguard strategic capabilities and knowledge for Canada’s security. The framework’s emphasis on domestic reinvestment and sovereign control has a major impact on cyber capabilities. As the top cloud and AI hyperscalers are all American, there are no Canadian firms occupying the same space and competing at the same level as AWS, Microsoft, or Google. This means that there will need to be a middle ground between investment and purchasing of Canada products balanced with non-Canadian products and services that the Government of Canada will need to find ways to invest in while avoiding risks to Canada’s digital sovereignty. However, the Government of Canada has yet to demonstrate a full understanding of how to maintain digital sovereignty, as current policies still risk it by using cloud and AI data centres owned by American corporations. Despite these troubles, the partner dimension of the framework opens major opportunities with European enterprises, many of which are in a similar position as Canada, to leverage mutual efforts to build American-free cloud and AI infrastructure.

It appears the government will use the Industrial and Technical Benefits (ITB) Policy as a key lever to achieve many of these objectives. I have long advised any company or individual in the Canadian cyber space dealing with defence that ITBs are your key. ITBs are massive math equations for businesses that quantify how a government contract with said business will benefit the Canadian economy. The government’s intent to reform this system could benefit Canada's cyber sector by enhancing the benefits of hiring Canadian cyber firms. I have long said the ITB is the lever to actually build a coherent and strong Canadian defence ecosystem, not just defence industry. This is likely to be of incredible importance and benefit as the Canadian Program for Cyber Security Certification slowly enters into force over the next few years and increases cyber security compliance demands for Canada’s defence industrial base.

The proposed changes include:

Feature your business in Canadian Cyber in Context through sponsorship.

Pillar 3: Investing to Strengthen Canadian Defence Innovation

This pillar focuses on broad mechanisms that support defence innovation, including government initiatives and broader economic conditions that encourage investment. Many of the listed mechanisms are applicable to cyber, but it depends on finding the right program and CFP. It can be difficult for cyber capabilities to fit into many of these programs due to the niche nature of their work or product, so I at least hope they are developing these new programs with this in mind and recognizing that cyber is a frontier and key sovereign capability that needs to be recognized and included.

Where cyber is likely to see the biggest benefit is the additional capital for investment and support for defence exports. There is significant competition right now, but if you have a key sovereign capability, you should engage with all of these instruments. As noted above, Canada already is a major player in cyber security and support from the government can help to maintain and grow Canada’s cyber industry. The strategy also touches on growing the defence workforce, which should include cyber security professionals, but unfortunately, this is unlikely to be the case.

Pillar 4: Securing Supply Chains

This section discusses securing supply chains in a way that differs from how we do in cyber. A very loose definition of the supply chain in cyber refers to the components and applications that make up an individual piece of software or business suite. A compromise of a single supplier in a cyber supply chain can compromise the entire product or service. This is increasingly a common vector for cyber attacks. However, this section focuses on securing capacity or access to physical supply chains such as critical minerals or steel. As a result, these initiatives are unlikely to have a major impact on cyber.

One area which could impact cyber is the government’s commitment to looking at “legislative and policy tools to safeguard its most sensitive technologies, research, and know-how from malign actors.” Two potential dimensions to this instantly come to mind. First, as cyber operations are a common mode for intellectual property theft, the government may be seeking ways to punish cyber threat actors. Second, the government could be looking at levers to punish actors which try to export intellectual property illicitly. The section is quite unclear about this, but both raise interesting questions.

Pillar 5: Working with Domestic Partners, including in Canada’s North and Arctic

Of the categories, Pillar 5 is likely the least directly connected to cyber issues, but that does not make it any less important. Pillar 5 includes collaborating with provinces and territories, indigenous groups, and Northern and Arctic partners. Much of this section discusses partnering with local communities to ensure the critical infrastructure and capacity needed to secure Canadian sovereignty.

The most direct connections to cyber here are that in the North and Arctic there is very little digital infrastructure. The government is currently investing in satellites to improve connectivity in the North and Arctic, but relying solely on satellites is risky; you will also need on-the-ground infrastructure. Satellites are prime real estate for cyber threat actors, especially during an invasion or active conflict. Nevertheless, to accomplish anything the government wants, cyber or otherwise, you need people, which is much easier said than done. Cyber security and cyber overall are often known for their labour shortages, while it is debatable about how much of a shortage there actually is, this is something that should be really addressed in the workforce of the future and in the North and Arctic.

There is a significant opportunity among people in the North and Arctic, and cyber is a powerful vehicle and sector to support this enable further growth.

Takeaways - So What?

There is much to commend in the Defence Industrial Strategy overall, and it is well received in part because it is well constructed. Over the past few years, Canada has been bad at developing strategies. As Phil Lagasse says, Canada doesn’t do strategy. So, it is good to see them actually hit it out of the park on this one.

That said, from a cyber and digital perspective, this strategy is likely to benefit Canada’s cyber industries overall but is unlikely to affect capabilities that require a hyperscaler-level corporation. Ultimately, many of these efforts will help support and grow Canada’s defence and cyber industries, but current investment plans do not provide the means to counter the major risks to Canada’s digital sovereignty posed by hyperscalers. The reason I included stats about Canada’s cyber industry at the start is to highlight just how many are SMEs, which struggle to engage with DND/CAF. They often rely on attaching themselves to a large, prime contractor to contribute to a larger contract or do task-based contracts. Defence traditionally has a very difficult time engaging with start ups and small businesses, which is where most of the advanced, emerging cyber innovation is done. There is a lot of room for improvement in how DND/CAF engaged with Canada’s cyber industry and ecosystem, which this strategy is certain to help, we must be realistic about its limitations in affecting the broader economic realities of cyber and broader ICT industry.

Cyber and ICT are among the most dual-use technologies you can get. Individuals, businesses, and government agencies largely use the same software, run on the same operating systems, use the same protocols, and employ similar network technologies (for the most part). The difference between civilian and security or defence software or ICT, in most cases, is often about scale, uptime, use case, and additional security and protection. You can find many Canadian SMEs that develop niche software or hardware applications, but in certain major hyperscaler capabilities, you are unable to find a major Canadian corporation that can readily fill this spot anytime soon.

Secure Cloud/Secret Cloud is a perfect example of this and why I have been talking about it non-stop for 5 years. Secret Cloud refers to the military capability of a cloud networking environment that supports the use of secret-level data, including operational data. There is no single “Secure Cloud” or “Secret Cloud” project for DND/CAF; however, Information Technology Infrastructure in Support of Command and Control (ITI in SP of C2) is the primary one discussed when we talk about military secret cloud. The $250 to $499 million funding range is very small. To get a secret cloud in the way DND/CAF wants/needs will likely be more expensive than this. This is part of why the project has been taking so long: the cost expectations and the lack of a sole-source Canadian option.

ITI in SP of C2 is software- and hardware-intensive, with a large infrastructure footprint that likely requires a hyperscaler to support. That means either Amazon Web Services, Microsoft, Google Cloud, or potentially Oracle (All American). As I have discussed, there are significant sovereignty concerns with using any American cloud option. The only potential Canadian option that I am aware of is ThinkOn, but the scale and depth of security and control required may be beyond what ThinkOn can provide at this time, given its relatively new position in the government cloud space compared to its American competitors. However, investment in ThinkOn or another sovereign Canadian option could position it as one of the “Canadian champions” competing with American hyperscalers for security- and defence-related cloud capabilities, but this will take time, which is not on our side.

The problem with these options is that, strategically, DND/CAF needed a secret cloud a couple of years ago. The ITI in SP of C2 has been stuck in the definition phase for many years. The implementation is (currently) scheduled to begin in 2025/2026, with initial delivery in 2028/29 and final delivery in 2030/31. Although the project is delayed and has encountered difficulties, the timeline can still be met, but it would require an American hyperscaler. Digital transformation and broader military modernization increasingly require cloud networking to enable seamless data transfer and support capabilities, including NORAD's cloud-based command and control and the many electronic and information capability suites of the F-35. As these capabilities are currently being acquired, there cannot be any further delay in DND/CAF acquiring its own secret cloud.

To compete with hyperscalers, the Government of Canada needs to think about sovereign Canadian cloud in terms of major government projects and understand the limits of the current economies of scale which make cloud, AI and other infrastructure-dependent capabilities difficult to overcome with the present Canadian business landscape. Canada’s cyber industry is world-leading and its SMEs are some of the best in the industry, but they usually cannot compete with hyperscaler capabilities in data centre and data infrastructure. If we fail to recognize the overreliance on last-mile technologies, we overlook that it is the first-mile technologies and infrastructure, like data centres, that the first-mile relies upon and determine if Canada maintains digital sovereignty.

Feature your business in Canadian Cyber in Context through sponsorship.

Share