National Cyber Security Strategy 2019-2024: Report on the Mid-term Review

Forward

So much has changed since the National Cyber Security Strategy (the Strategy) was released in June 2018. Now, more than ever, Canadians are working, learning, shopping and socializing online, with the COVID-19 pandemic accelerating Canada's transition to a digital economy.

As physical infrastructure is increasingly digitalized, Canadian systems are more interconnected than ever before. Interconnectivity has great benefits, but it can also make us vulnerable. Today, threats such as ransomware, online fraud, cyber-espionage, foreign interference, theft of sensitive data, and disruptive attacks on vulnerable infrastructure continue to become more frequent. Our government has been working hard to reduce these risks by securing critical systems, supporting innovation, and protecting Canadians online, but there is still more we can do.

In the last few years, there has been a significant rise in cyber threats to national and personal security. Hostile state actors and cybercriminals have targeted our critical infrastructure, government institutions, sensitive scientific information and intellectual property, as well as individual Canadians. The borderless nature of cyberspace increases our risk, as we are not protected by our geography.

Our Strategy was designed to be adaptable to the continuously changing nature of cyberspace. To ensure the Strategy remains responsive and agile to new and existing issues, Public Safety Canada led a Mid-Term Review (the Review) of the Strategy, which helped to identify risks, opportunities and gaps in our current approach. The Review has made clear what our future priorities in cyberspace need to be.

Moving forward, the Review will inform our approach to fulfil the Prime Minister's mandate commitment to develop and implement a renewed National Cyber Security Strategy, which will articulate Canada's long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behavior in cyberspace.

I am pleased to share the findings of the Review in this report. We look forward to continuing our work alongside partners to build a more secure and prosperous Canada.

The Honourable Marco Mendicino
Minister of Public Safety Canada

Executive Summary

Introduction and Background

In June 2018, the Government of Canada (Government of Canada, the Government) released the National Cyber Security Strategy (NCSS, the Strategy). The Strategy outlined Canada's vision for security and prosperity in the digital age, and outlined three goals in response to evolving threats, emerging opportunities, and the need for collaborative action. Under the Strategy's supporting 5-Year Action Plan (2019-2024), 14 horizontal initiatives are led by eight federal organizationsFootnote 1. Funded through Budget 2018 ($507.7M over five years, and $108.8M ongoing), these initiatives represent an incremental first step to achieving this vision. As the Strategy was designed to be flexible, it was anticipated that additional initiatives could be identified as the cyber landscape continues to evolve.

In 2021, Public Safety Canada launched a Mid-Term Review (the Review) of the Strategy with support from federal partners. The objectives of the Review were to:

  1. Assess the performance and continued relevance of the Strategy; and
  2. Review progress made towards expected outcomes and lessons learned.

Findings of the Review

The Review highlighted key trends observed in cyber security. The global landscape has changed substantially since the Strategy was released in 2018. The COVID-19 pandemic forced many more Canadians to work, learn, shop and socialize online. While Canada's online participation creates many benefits, it also exposes us to an evolving threat landscape.

The Review found growing risks in today's cyber security landscape as highlighted below:

  1. Since the launch of the Strategy in 2018, reliance on Canada's digital systems and infrastructure has increased, a trend accelerated by the COVID-19 pandemic. Also, critical systems that Canadians depend on every day are increasingly digitalized and interconnected.
  2. There has been a significant rise in the number and sophistication of cyber threat actors. These actors take advantage of our dependency on Internet-connected technologies in order to conduct malicious activities. Also, intelligence, security and police services are facing growing challenges to keep pace. Investigating, mitigating and countering cyber threat activity, including cybercrime, is resource-intensive, complex and often multi-jurisdictional.
  3. Growing cyber security workforce shortages continue to be a pressing challenge for governments and organizations, both in Canada and world-wide.

Conclusion

The Government of Canada continues to be confronted by the challenges of an increasingly complex cyber threat environment. Due to rising international tensions, Canadian values, national interest and prosperity are now challenged more than ever before by both state and non-state actors leveraging malicious cyber activities. Online foreign influence activities have become a new normal, cybercrime and online fraud are increasing in volume and complexity, ransomware incidents are rising in numbers, and critical infrastructure owners and operators continue to be targeted across the country. The Government of Canada should continue to protect against threats that target Canadians and Canadian systems, but also work to advance its offensive cyber capacity. This two-fold approach will be essential in ensuring that Canada remains adaptive to the ever evolving cyber ecosystem.

Canada's plan for security and prosperity in the digital age relies on federal leadership as well as collaboration with other levels of government and the private sector. Federal leadership can help raise the cyber security bar at the national level, protecting Canadians and Canadian businesses. A secure and prosperous digital Canada will help to build a stable, predictable, inclusive, and global cyberspace.

Introduction

Canada's Place in the Digital World

The cyber landscape has been deeply altered by the COVID-19 pandemic that emerged in early 2020. As more Canadians work, shop, and socialize remotely, threat actors increasingly take advantage of the growing importance of the Internet and Internet-connected technologies.

Every day, Canadians and Canadian systems are the targets of malicious cyber activities. Recent cyber activities have targeted COVID-19 vaccine research,Footnote 2 shut down critical infrastructure (e.g., Newfoundland and Labrador health sector,Footnote 3 Northwest Territories Power CorporationFootnote 4), and cost Canadians and Canadian businesses hundreds of millions of dollars in both direct and collateral costs.Footnote 5 Globally, recent cyber events include the Colonial Pipeline ransomware incident,Footnote 6 the SolarWinds Orion hack,Footnote 7 and the JBS Foods incident,Footnote 8 which disrupted fuel supplies in the United States, compromised sensitive data around the world, and delayed food production respectively. Disruptions caused by malicious cyber activity have real-world consequences for Canadians as they impact essential services, cause significant financial and reputational damage to organizations, and adversely affect trust in institutions. They also highlight the vulnerabilities of Canada's systems, critical infrastructure and supply chains, and the fabric of its democratic systems.

The National Cyber Security Strategy

The 2018 National Cyber Security Strategy outlined Canada's vision for security and prosperity in the digital age. The Strategy established three core goals in response to evolving threats, emerging opportunities, and the need for collaborative action:

The accompanying 5-Year Action Plan (2019-2024) is a detailed plan for the implementation of the Strategy. It sets out the initiatives and milestones supporting each of the three goals. It also presents a roadmap for how the Government plans to achieve and maintain Canada's vision of security and prosperity in the digital age.

The Strategy supports and amplifies a range of other priorities for the Government across its national security, defence, foreign policy, and economic agendas. This includes ongoing efforts to protect Government of Canada systems, enhance cyber policy in Canada's international agenda, develop the Canadian Armed Forces' cyber capabilities, and fulfill the Minister of Democratic Institutions' mandate to defend the electoral process from cyber threats.

Mid-Term Review of the National Cyber Security Strategy

Working alongside federal partners, Public Safety Canada initiated the Review in 2021 to assess the performance of the Strategy and identify opportunities for refinement. This report outlines the performance achievements, milestones reached, and challenges and lessons learned in the delivery of the Strategy. It is intended to act as a first step in a larger and ongoing national conversation on cyber security.

Performance Achievements

The Review assessed the performance of initiatives over the first three years of the Strategy. Overall, the Review found milestones are being met and results are being achieved. It also found the Strategy is overall benefiting Canada and Canadians, and the Strategy's strategic federal investments have established a solid foundation for the Government of Canada to build upon.

Since 2018, steps have been taken to defend Canada against cyber threats and malicious actors, and to further develop Canada's cyber security posture. Collaboration with domestic and international partners has enhanced the Government of Canada's ability to protect Canadians from cybercrime and respond to emerging threats. Collaboration was also key in providing advice and guidance to critical infrastructure owners and operators.

Government of Canada leadership has helped grow Canada's cyber security sector through modest investment in research and innovation, but we continue to face challenges in meeting the growing demands for cyber talent. Internationally, Canada is taking a leadership role to advance Canada's cyber security interests, including shaping cyberspace in a manner that advances Canada's values, economic and security interests.

Key achievements to date include the establishment of two flagship organizations under the Strategy: the Canadian Centre for Cyber Security (Cyber Centre) under the Communications Security Establishment (CSE) and the National Cybercrime Coordination Unit (NC3), a National Police Service under the stewardship of the Royal Canadian Mounted Police (RCMP). Additionally, the Canadian Security Intelligence Service (CSIS) established a dedicated Cyber Operations branch to investigate threats to the security of Canada, emanating from hostile cyber actors. Creating these centres of expertise mark major achievement for the Government of Canada. Alongside these many successes, the Review provides insights on areas that could be bolstered under the Strategy. These insights respond to emerging societal and technological developments, growing threats, and exponentially increasing risks.

Spotlight on Flagship Organizations

Canadian Centre for Cyber Security (Cyber Centre)

CSE maintains a second location that was completed in 2021. Created through the Strategy, the Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public. Cyber Centre employees are able to work in this facility's multi-classification environment, which is required to support the Cyber Centre as an outward-facing organization. With the Cyber Centre, Canadians have a clear and trusted place to turn to for cyber security issues.

National Cybercrime Coordination Unit (NC3)

The NC3 was established through the Strategy to help reduce the threat, impact and victimization of cybercrime in Canada. As a National Police Service, the NC3 serves all Canadian police agencies. It coordinates cybercrime investigations in Canada and works with partners internationally to combat a wide range of cybercrime incidents. In 2020, the NC3 reached initial operating capability, and will reach full operating capability in 2024.

Goal 1: Secure and Resilient Canadian Systems

Under the first goal of the Strategy, concrete steps have been taken by the Government of Canada to protect Canadians and Canadian systems over the last three years. This includes actions that address cybercrime and that respond to evolving threats, and actions that help defend critical cyber systems, including critical infrastructure.

Key achievements:

Key challenges:

Goal 1: Milestone Table

Description: A table outlining the initiative milestones for the National Cyber Security Strategy Goal 1: Secure and Resilient Canadian Systems. The table lists the initiative, department leading the initiative, the initiative action or milestone, the target date for achievement and the current status of the action or milestone.

Initiative

Department

Action/Milestone

Target End Date

Status

Supporting Canadian Critical Infrastructure Owners and Operators

Public Safety Canada (PS)

Acquire/develop a technical cyber assessment tool

2019

Completed

Establish an Industrial Control System (ICS) Advisory Committee

2019

Completed

Increase the number of cyber security exercises delivered to critical infrastructure stakeholders

2020

Completed

Develop technical ICS security training and awareness solution

2020

Completed

Improved Integrated Threat Assessments

Communications Security Establishment (CSE)

Increase capacity to enable CSE to better meet increasing demands for cyber threat assessments

2024

In Progress

Increase capacity to enable CSE to assess a wider array of cyber threats reflecting the Cyber Centre's growing client base

2024

In Progress

Preparing Government of Canada Communications for Advances in Quantum

Communications Security Establishment (CSE)

Protect Government of Canada's classified information against anticipated advancements in quantum computing

2023

In Progress

Expanding Advice and Guidance to the Finance and Energy Sectors

Communications Security Establishment (CSE)

Finance and energy sectors work cooperatively with the Cyber Centre and within their sectors to improve their cyber security postures

2024

In Progress

Improve cyber security posture of the finance and energy sectors

2024

In Progress

Cyber Intelligence Collection and Cyber Threat Assessments

Canadian Security Intelligence Service (CSIS)

Augment CSIS collection of national security cyber intelligence and production of cyber threat assessments

2023

In Progress

National Cybercrime Coordination Unit (NC3 Unit)

Royal Canadian Mounted Police (RCMP)

Reach initial operating capability

2020

Completed

Establish NC3 Unit Advisory Group

2021

Completed

Full implementation of the National Cybercrime and Fraud Public Reporting System

2023

In Progress

Reach full operating capability

2024

In Progress

Federal Policing Cybercrime Enforcement Capacity

Royal Canadian Mounted Police (RCMP)

Deploy cyber specialists abroad

2020

Completed

Establish/support cybercrime investigative teams

2021

Completed

Recruit/train cyber capability specialists

2021

In Progress

Goal 2: An Innovative and Adaptive Cyber Ecosystem

Under Goal 2, the Government of Canada has played a leadership role in supporting Canada's growing cyber security sector through investments that supported research, innovation, and skills development. The Government of Canada envisions a future in which all Canadians play an active role in shaping and sustaining our nation's cyber resilience. Initiatives launched under Goal 2 were designed to allow Canadian governments, businesses, and citizens to anticipate trends, adapt to a changing environment, and remain on the leading edge of innovation in cyber security.

Key Achievements:

Key challenges:

Goal 2: Milestone Table

Description: A table outlining the initiative milestones for the National Cyber Security Strategy Goal 2: An Innovative and Adaptive Cyber Ecosystem. The table lists the initiative, department leading the initiative, the initiative action or milestone, the target date for achievement and the current status of the action or milestone.

Initiative

Department

Action/Milestone

Target End Date

Status

Cyber Security Student Work Placement Program

Employment and Social Development Canada (ESDC)

Launch student work-integrated learning program

2018

Completed

Complete student work-integrated learning program and conduct evaluation

2021

Completed

Cyber Security Assessment and Certification for Small and Medium-Sized Enterprises (SMEs)

Innovation, Science, and Economic Development (ISED), with CSE and SCC

Develop security controls in collaboration with CSE

2019

Completed

Launch cyber education and awareness tool

2019

Completed

Launch cyber certification program

2019

Completed

Launch national standard for cyber security

2020

Completed

Goal 3: Effective Leadership, Governance and Collaboration

Under Goal 3, the Government of Canada has demonstrated leadership in advancing Canada's cyber security interests and values both domestically and abroad. The Government of Canada has enhanced collaboration and coordination of cyber security and cybercrime issues amongst stakeholders and advocated for an open, free, and secure Internet. Also, the Government of Canada increased information sharing amongst partners in support of evidence-based decision-making.

Key achievements:

Key challenges:

Goal 3: Milestone Table

Description: A table outlining the initiative milestones for the National Cyber Security Strategy Goal 3: Effective Leadership, Governance and Collaboration. The table lists the initiative, department leading the initiative, the initiative action or milestone, the target date for achievement and the current status of the action or milestone.

Initiative

Department

Action/Milestone

Target End Date

Status

Strategic Policy Capacity in Cyber Security and Cybercrime

Public Safety Canada (PS)

Recruit strategic policy team

2022

Completed

Undertake annual progress review

2021-2024

In Progress

Undertake governance review

2021

Completed

Cyber Security Cooperation Program (CSCP)

Public Safety Canada (PS)

Launch the renewed CSCP

2019

Completed

Conduct program marketing

2019

Completed

Initiate Call for Proposals

2019

Completed

Disburse project funding

2019

Completed

Canadian Centre for Cyber Security

Communications Security Establishment (CSE)

Virtual launch of the Canadian Centre for Cyber Security (the Cyber Centre)

2018

Completed

Achieve basic operating capability

2022

In Progress

Achieve full operating capability

2023

In Progress

International Strategic Framework for Cyberspace

Global Affairs Canada (GAC)

Launch International Cyber Engagement Working Group

2018

Completed

Create cyber unit at Global Affairs Canada

2019

Completed

Develop International Cyber Strategy

2022

In Progress

Undertake cyber-related capacity building

2019

Completed

Develop attribution policy

2019

Completed

Staff Washington Mission position

2020

Completed

Host relevant cyber security meetings

2024

In Progress

Support international participants in cyber negotiations

2024

In Progress

Promote Canadian interests and values on cyber issues in international forums

2024

In Progress

Bilateral Collaboration on Cyber Security and Energy

Natural Resources Canada (NRCan)

Recruit and hire core staff for the Bilateral Collaboration Team

2019

Completed

Launch initial call for expressions of interest and proposals for projects

2019

Completed

Sign contribution agreements and disburse funding for first round projects

2019

Completed

Launch second call for expressions of interest and proposals for projects

2020

Completed

Sign contribution agreements and disburse funding for second round projects

2020

Completed

Participate in key information sharing activities, workshops, and briefing sessions with the U.S. government

2023

In Progress

Advance joint initiatives with U.S. partners on cyber security and energy (e.g. tabletop exercises, R&D, information sharing)

2023

In Progress

Challenges and Lessons Learned

The Review provided an opportunity to reflect on challenges and lessons learned over the first three years of the NCSS. The largest challenge faced in the implementation of the Strategy was the COVID-19 pandemic, which began in early 2020, less than a year into delivery of the 5-Year Action Plan (2019-2024). The pandemic resulted in decreased program spending, caused procurement challenges, and exacerbated staffing shortages. However, while there were initial delays, most departments and agencies were able to pivot to virtual delivery, and the community remains on track to achieve key milestones. In some instances, virtual forms of engagement have enabled some departments and agencies to expand the reach of their programs and services.

In addition to these overarching findings, the Review also found specific challenges and lessons learned, outlined below:

Government of Canada Systems:

National Security:

Cybercrime:

Critical Infrastructure:

Innovation, Adaptation and Workforce Development:

Leadership, Governance and Collaboration:

Conclusion

Initial investments through the National Cyber Security Strategy were foundational to the Government of Canada's efforts to protect Canada and Canadians against cybercrime, cyber-espionage, the disruption of critical infrastructure, and other cyber-enabled threats such as foreign interference and economic threats to national security. However, since the Strategy was released in 2018, the global cyber landscape has changed. An expanding threat landscape and the accelerated pace at which threats are evolving now requires a much more comprehensive and agile national and international response.

In the wake of recent cyber incidents, including the one that disrupted critical healthcare systems across Newfoundland and Labrador in October 2021Footnote 9, the Government of Canada will continue to build on Canada's foundation of cyber resilience to secure the safety of Canadians, our economy, and national security.

The cyber security workforce shortage remains one of the most critical and pressing challenges for Canada. The Government of Canada will continue to support workforce development on the national stage to prepare for the next generation of cyber security professionals.

Canada can continue to advance national cyber security by securing its digital infrastructure, strengthening offensive capacity to take disruptive action against cybercriminals, deterring escalating challenges to Canadian national interests, growing the cyber workforce, investing in critical cyber security innovation, pursuing and disrupting cybercriminals through law enforcement action, increasing cyber hygiene and awareness of cyber threats, and collaborating with other levels of government, the private sector, and academia.

In December 2021, the Prime Minister reaffirmed the strategic importance of cyber security by mandating the renewal of the Strategy. This Renewal will present an opportunity to explore what further investments will be required to continue to protect Canada's national and economic security against cyber-enabled threats such as espionage, cybercrime, the disruption of critical infrastructure, and foreign interference.

Annex A: Glossary

Artificial Intelligence
The subfield of computer science concerned with developing intelligent computer programs that can solve problems, learn from experience, understand language, interpret visual scenes, and, in general, behave in a way that would be considered intelligent if observed in a human.
Critical Infrastructure
Processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.
Cybercrime
A crime committed with the aid of, or directly involving, a data processing system or computer network. The computer or its data may be the target of the crime or the computer may be the tool with which the crime is committed.
Cyber Defence
Cyber defence is a subset of cyber security activities. Cyber defence may be understood as the technical capability to discover and detect cyber incidents, and to develop and deploy measures to defend against them.
Cyber Incident
Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.
Cyber Resilience
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Cyber Security
The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices, and response and mitigation measures designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access so as to ensure confidentiality, integrity, and availability.
Cyberspace
The electronic world created by interconnected networks of information technology and the information on those networks. It is a global commons where more than 3 billion people are linked together to exchange ideas, services, and friendship.
Cyber Threat
Any circumstances or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
Cryptography, including Encryption
Cryptography is a discipline that includes the principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use. The conversion of the information to hide its content from unauthorized individuals is referred to as encryption. The conversion of information back to its original form is decryption.
Digital economy
The digital economy incorporates all economic activity reliant on, or significantly enhanced by the use of digital inputs, including digital technologies, digital infrastructure, digital services and data. It refers to all producers and consumers, including government, that are utilising these digital inputs in their economic activities.
Digital infrastructure
Digital infrastructure possesses the foundational services that are necessary to the information technology capabilities of a nation, region, city or organization.
Hacker
Someone who uses computers and the Internet to access data without permission.
Malicious Cyber Activity
Involves the unauthorized use, manipulation, interruption or destruction of, or access to, via electronic means, electronic information or the electronic devices or computer systems and networks used to process, transmit, or store that information.
Malicious Software/Malware
Malicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.
Quantum Computing
Quantum computers are experimental devices that are designed to process certain calculations very quickly. While a classic computer works with ones and zeros, a quantum computer will have the advantage of using ones, zeros and "superpositions" of ones and zeros. Certain difficult tasks that have long been thought impossible for classic computers will be achieved quickly and efficiently by a quantum computer.
Ransomware
Malicious software that denies an individual or organization access to key files and systems until a ransom is paid to the cybercriminal. Ransomware involves encryption, locked screens and/or other methods to prevent file access and extort victims, such as leaking sensitive data online, and ransomware payments often involve cryptocurrency. 
Threats to the Security of Canada
Espionage, sabotage, or foreign influenced activities that are clandestine or deceptive in nature and are detrimental to the interests of Canada. Threats can also include activities directed toward, or in support of, the threat or use of serious violence for the purpose of achieving a political, religious or ideological objective or activities directed toward undermining by covert unlawful acts the constitutionally established system of government in Canada.

Annex B: The Cyber Threat Landscape

The global cyber security threat landscape is rapidly evolving. Cyber incidents, including significant critical infrastructure incidents, are increasing in number and sophistication.Footnote 10 As more important day-to-day activities such as banking, government services, health services, commerce, and education move online, they also become susceptible to threat activity. In today's COVID-19 pandemic context, this trend has accelerated as Canadians increasingly work and socialize remotely.

Cyber threat actors continue to adapt their activities to find valuable information and attempt to obtain it, hold it for ransom, and/or destroy it. These incidents disproportionally threaten the health, prosperity, and privacy of the most vulnerable in Canadian society, including senior citizens and individuals in remote communities.

The Cyber Centre has identified five trends driving the evolution of the cyber landscape and threat activity.Footnote 11

1. The physical safety of Canadians is increasingly being put at risk

The safety of Canadians depends on critical infrastructure, as well as consumer and medical goods, many of which are controlled by computers embedded within them. Increasingly, these computers are being connected to the Internet by their manufacturers to enable new features or provide data to a third party. Once connected, these systems and goods are susceptible to cyber threat activity, and maintaining their security requires investments over time from manufacturers and owners. As much of the critical infrastructure in Canada is owned and operated by the private sector,Footnote 12 these security investments, although essential, can be difficult to sustain.

The Cyber Centre assesses that, almost certainly, the most pressing cyber threat to the physical safety of Canadians are to operational technologyFootnote 13 and critical infrastructure. In 2021, Canadians experienced significant cyber events involving critical infrastructure, including the October 2021 compromise of critical information technology systems supporting healthcare providers in Newfoundland and Labrador and the temporary removal of the websites and services of the Canada Revenue Agency, Government of Quebec, and Metrolinx-GO Transit in response to a critical vulnerability identified in December 2021.

2. More economic value is being put at risk

State-sponsored cyber threat actors and cyber criminals continue to exact costs from Canadian individuals and businesses and damage the economy. Cyber criminals defraud individuals and companies and extort money from them through ransomware, and state-sponsored threat actors steal intellectual property and proprietary business information.Footnote 14 In Canada, the estimated average cost of a data breach (a compromise that includes, but is not limited to ransomware), is C$6.35M.Footnote 15 In 2021-22, the NC3 also received over 380 reports of ransomware with a nexus to Canadian victims, infrastructure and/or suspects, which represents a fraction of the actual level of victimization given underreporting challenges. The Canadian Anti-Fraud Centre (CAFC) also received $379 million in reported losses in 2021, more than double the previous record losses from 2020, and 70% were cyber-enabled.

The protection of intellectual property is crucial to the productivity and competitiveness of Canadian companies, and vital for Canada's economic growth and national defence. Certain countries continue to use advanced cyber espionage programs to obtain unfair advantages in the global marketplace and to improve their military technology. Commercial cyber espionage against Canadian companies is ongoing across a range of fields including aviation, technology and artificial intelligence, energy, and biopharmaceuticals.

3. More collected data increases privacy risk

Canadians generate an incredible amount of data about their locations, shopping habits, pattern of life, personal health, and more when they use their Internet-connected devices. As Canadians generate, store, and share more personal information online, this data becomes vulnerable to cyber threat actors via breaches or misuse by the companies or foreign governments that collect it. For example, the Office of the Privacy Commissioner of Canada (OPC) recorded 680 data breaches impacting 28 million Canadians in the year ending November 1, 2019.Footnote 16 These large data breaches reveal personal information that can be used in follow-on crimes. Meanwhile, advances in data science make it more difficult to maintain data anonymity and privacy protections. 

4. Advanced cyber tools and skills accessible to more threat actors

The commercial sale of cyber tools – in both legitimate and illegal markets – coupled with a global pool of talent, has resulted in more threat actors and more sophisticated threat activity. Purchasing tools and services greatly reduces the start-up time for cyber criminals and enables them to use better tools. State-sponsored threat actors are also recruiting skilled expatriates with lucrative salaries to rapidly develop their national cyber programs.Footnote 17 These trends make it more challenging to identify, attribute, and defend against cyber threat activity. To illustrate the scale and scope of this challenge, on any given day, CSE's defensive cyber systems can block anywhere from 3 to 5 billion actions targeting Government of Canada networks. As noted above, cyber incidents may result in the denial of critical services, the theft of sensitive information, and disruptions to government supply chains.

5. Internet at a crossroads

Adversaries also use online influence to further their core interests, which include national security, economic prosperity, and ideological goals.Footnote 18 Online foreign influence activities have become a new normal, and adversaries seek to influence both domestic events, like elections, as well as international discourse related to current events.Footnote 19 In addition, many states are pushing hard to change the accepted approach to Internet governance from the existing, multi-stakeholder approach, to one of state sovereignty that will allow them to track their citizens and censor information.

Date modified: