4 Comments
Garth Boyd:

"The common theme was surprise that the..."

<The lights went out, there was a scream>

For some reason the email I received and the post here in substack is missing something? I can guess and fill in the blanks but perhaps I should not.

Alexander Rudolph:

Thanks for catching that and commenting! My proofreading software really dislikes Substack and can cause phantom edits resulting in incomplete sentences while resolving other issues which do not appear until published. I often rely on it too heavily to make up for my ADHD, but a good reminder I need to double check once published.

Pete Hillier:

Alex — your piece does a good job of describing the symptoms of Canada’s federal cyber challenge: fragmented implementation, committee-heavy governance, and an absence of decisive leadership. Where I think it misses an important dimension is why many departments are structurally resistant to the kind of centralized direction you’re calling for.

That resistance isn’t ignorance or inertia. It’s the product of history and governance design.

In the early 2000s, when I was establishing Managed Security Services at CGI, industry providers were aggregating operational security telemetry on behalf of roughly 45 federal departments. During that period, the Communications Security Establishment approached industry requesting access to the aggregated data.

The response was straightforward and non-ideological: we could not provide that data without violating dozens of departmental contracts. Each department was — and remains — the data owner and the risk authority. If CSE wanted access, it needed to seek consent from the participating departments directly.

That did not happen.

What followed were candid discussions across the Canadian security community, many convened under the Standards Council of Canada, where a clear position was established: industry would not bypass departmental authority, contractual obligations, or consent models in response to centrally framed requests, regardless of intent.

That episode matters because it hardened a lesson departments have not forgotten:

Central visibility without explicit authority, consent, and accountability is not leadership — it is unmanaged risk.

This history also aligns directly with how Treasury Board Secretariat security policy actually works — a point often missed in calls for stronger central control.

TBS does not direct departments to implement security in a prescriptive or operational way. It establishes overarching policy objectives, principles, and expectations, and deliberately leaves implementation to departments. That is by design. Departments remain accountable for their own systems, data, and risk decisions, and they are expected to adopt policy in ways that fit their mandate, threat profile, and legal obligations.

In other words, departments are not ignoring leadership; they are operating within the governance model Parliament and Treasury Board have chosen.

This is why arguments that Canada’s cyber posture could be fixed if a central actor simply “took charge” fail to resonate internally. They collide with two enduring realities:

CSE does not have standing authority to compel departmental data sharing, and history has reinforced caution around informal or implied expansion of mandate.

TBS security policy is enabling, not coercive — it defines the what and why, not the how, where, or with whom data is shared.

So yes, the federal cyber system lacks coherence. But the solution is not stronger assertion within existing boundaries. It is clearer authority, explicit consent models, and governance mechanisms that respect departmental ownership by construction rather than by reassurance.

Until that foundation exists, skepticism toward centralization isn’t obstructionism — it’s responsible governance informed by experience.

Alexander Rudolph:

Thanks for the super detailed comment, Pete! This is all super helpful, that history helps to put a lot into context. I actually considered going into some of those inter-governmental obstacles and governance, but worried it'd get too messy to explain in this article alone. It is why I emphasize political leadership, in large part because they're not invested in cyber security in general, but also I think a lot of the protracted obstacles you note would benefit from engaged political leadership. I ultimately agree with you. I am not necessarily saying more assertion is needed, but arguing for more active engagement by political leadership amid cyber security being treated as a second-order issue. Based on the auditor's report, it is clear that things are working on some level, so a big change isn't what I am saying, but having more engaged political leadership could mainstream and accomplish what you note: developing clearer authorities, governance mechanisms, etc.