The Trudeau Liberal Government Failed Canada on Cybersecurity
We were promised a new national cybersecurity strategy and modern laws. We have neither.
In 2021, at the height of the COVID-19 Pandemic, Prime Minister Justin Trudeau and his government decided it was the best time to hold an election. This ushered in a Liberal minority government and a new set of cybersecurity priorities in the Ministers' mandate letters. This offered some renewed hope for the portfolio, and the government was putting some additional attention on cybersecurity, but that turned out to be an empty hope, as many Liberal promises to address cybersecurity have turned out to be.
Just over three years later, in January 2025, Prime Minister Trudeau announced he was resigning as Leader of the Liberal Party and asked the Governor General to prorogue Parliament until March 24, which she granted. Prorogation of Parliament terminates the current session of Parliament, including all of the bills and legislation being considered. While the Liberal government has had multiple failures and victims in cybersecurity, this prorogation immediately has three major victims that make Canadians less secure in cyberspace. If you are interested in learning more about prorogation and what it means, I recommend reading Dr. Philippe Lagassé’s substack on the topic here. For this article, I will focus exclusively on the impacts of prorogation and Trudeau’s resignation on three major cybersecurity and cyber defence public policy initiatives.
In this era of hyperpartisanship, I unfortunately must also note that the Conservatives’ track record is not much better. If anything, they may have an even worse track record on cyber defence that I will get to later this year when we are closer to an election. It is important to note that poor cyber defence is not a party problem in Canada.
It is a Canadian political problem.
National Cybersecurity Strategy
One of the biggest victims is the National Cybersecurity Strategy. The last Canadian National Cybersecurity Strategy was released in 2018 when Ralph Goodale was Minister of Public Safety and Emergency Preparedness. The 2018 strategy did not explicitly have a timeline but was specifically given 500 million dollars over five years. At the time, this was touted as the “largest single investment in cybersecurity” ever made by the Government of Canada. Even in 2018, this was not the brag that the government thought it was; it only highlighted how little it was investing in cybersecurity.
Since 2018, the Government of Canada has dwarfed this investment, but these other investments have always been targeted and not part of an overall national plan to improve cybersecurity and cyber defence. Worsening the situation, many of these initiatives have been failures. However, the cyber threat environment is not remotely what it was in 2018; if anything, it is much worse, and conditions continue to grow more precarious.
In 2023, 1 in 6 businesses was impacted by a cybersecurity incident. Although large businesses with 250+ employees were the most often hit, at 30%, small and medium businesses together accounted for the most attacks, at 37%. While there is some hope that overall, cybersecurity incidents will continue to decline, survey data suggests that cybersecurity is becoming more expensive.
Spending on recovery from cybersecurity incidents doubled from 2021 to 2023, which suggests that even if incidents are declining, they are becoming more expensive. This would align with the steady growth of ransomware by threat actors, which increased in use over the same period. Making matters worse, businesses spending money on prevention and detection declined from 61% to 56% during this period. While it may not be feasible to reach 100%, we should strive for all Canadian businesses to be protected.
These trends indicate that cybersecurity is becoming more costly, which may contribute to declining spending on cybersecurity. Despite a relative decline in incidents, businesses' spending on cybersecurity is also declining. This will lead to more businesses, especially small and medium businesses, being affected by cyber attacks and fraud.
We need a new National Cybersecurity Strategy to protect Canadians and the economy.
Bill C-26
Many will have already heard of the fate of Bill C-26, but it would be a failure on my part if I didn’t mention it as a massive loss. With Parliament prorogued, Bill C-26, An Act respecting cybersecurity, amending the Telecommunications Act and making consequential amendments to other Acts, is now dead and will not receive royal assent. Bill C-26 is the chief piece of legislation whose loss negatively affects Canadian cybersecurity. It was introduced to Parliament in 2022 and faced trouble every step of the way until it finally made it to the Senate recently. However, a drafting error was found, meaning it would have to go back to the House of Commons for final approval. Unfortunately, that final approval before receiving royal assent will now never happen. While there were certainly issues with the legislation itself, the core of what it did is very much needed in Canada.
Bill C-26 was divided into two sections: it amended the Telecommunications Act and introduced the Critical Cyber Systems Protection Act.
Part One: Amendments to the Telecommunications Act
- Would have added promoting cybersecurity as an objective of Canadian telecommunications policy.
- It would give the Governor in Council and Minister of Industry authority to:
  - Prohibit telecommunications service providers from using products or services from a specific person or organization
  - Direct telecommunication service providers to remove all products from a specified person or organization
- Would also give the Minister and Governor in Council additional powers to secure Canadian telecommunications infrastructure
Part Two: Critical Cyber Systems Protection Act
This new act specifically addressed critical infrastructure by creating cybersecurity obligations for designated operators who manage critical services or systems.
Schedule 1 of the bill listed the following as designated operators:
Telecommunications services; Interprovincial or international pipeline and power systems; Nuclear energy; Transportation systems within the legislative authority of Parliament; Banking; Clearing and settlement.
New regulations that designated operators would have been required to follow included reporting cybersecurity incidents within 72 hours, taking specific steps to increase their cybersecurity, and complying with cybersecurity orders imposed by the Governor in Council.
There remains a chance that this Bill could be revived in some fashion because it was about to become law, but it is difficult to see this as a possibility with how hostile the Conservative party is towards anything the Liberals have touched.
Many in the Canadian defence and security space will be familiar with Bill C-26. This bill would have given the government of Canada the power to ban Huawei equipment from critical infrastructure, among other things. You may remember that the Government announced that it would ban Huawei from certain infrastructure in 2022 due to national security concerns. Technically, the Government could not do what it specifically wanted to do, which led to Bill C-26. More than two years later, this is just another failure.
Parliamentary Secretary for Cybersecurity
Did you know that Prime Minister Trudeau named MP Jennifer O’Connell as Parliamentary Secretary for Cybersecurity in September 2023? Industry and civil society have been calling for a Minister for Cybersecurity for some time, but they were given a Parliamentary Secretary instead. In September 2023, debate was picking up on Bill C-26, which was when MP O’Connell was chosen, and it was no surprise to anyone. O’Connell is well known in the House on cybersecurity topics due to her fervent defence of the Government of Canada’s efforts and policies on cybersecurity. This is not a critique of MP O’Connell. Instead, I would suggest that she did tremendously well in her role, but the problems lie in what she had to defend.
O’Connell has spearheaded the government’s engagement on legislative matters concerning cybersecurity in the House of Commons, all while the government has broadly taken a differential approach to cybersecurity and cyber defence. Parliamentary secretaries are meant to be the government’s and Minister’s lead in parliament on specific matters, which often includes spearheading engagement with stakeholders on legislative matters. In this case, O’Connell engaged a lot for Bill C-26 and a range of other cyber-adjacent topics in the House of Commons. However, as good as O’Connell is, this is not enough to make up for the government's failures on cyber as a whole. In the end, all that the Parliamentary Secretary for Cybersecurity position did was remind us we likely need a Minister for Cybersecurity.
What Does This Mean?
Since 2020, Canada’s e-government ranking globally has declined despite an increase in the number of Canadian citizens participating in e-government. The Liberal Government used to have a Minister for E-Government, which produced some tangible progress. Prime Minister Trudeau removed this position following the major Liberal loss in 2021, which is emblematic of the Trudeau government’s approach to cybersecurity: tertiary consideration.
The National Cybersecurity Strategy, Bill C-26, and Parliamentary Secretary for Cybersecurity are just three losses due to Prime Minister Trudeau’s resignation as leader of the Liberal Party and prorogation of Parliament. These losses are characteristic of a government that has relegated cybersecurity.
Cybersecurity and cyber defence must be acknowledged in the ongoing Liberal leadership race and likely eventual Canadian general election. Canadians are much more likely to fall victim to cybercrime than other forms of crime. Yet, we don’t treat it like it harms Canadians on a daily basis. The first politician to take this on with meaning will monopolize the topic.
No amount of federal powers will stop phishing & ransomware. This can be achieved through continued punitive fines & mandatory cyber insurance for corporations that hold valuable data. This change is happening and will continue with or without a bill like C-26.
Given how far behind Canada is regarding Cybersecurity, IT Security, Physical Security and Personnel Security, I'd submit that blaming one PM for 30+ years of ignoring the problem is insufficient.