National Cyber Security Strategy 2019-2024: Report on the Mid-term Review

Forward
Executive Summary
Introduction
Performance Achievements
Challenges and Lessons Learned
Conclusion
Annex A: Glossary
Annex B: The Cyber Threat Landscape

Forward

So much has changed since the National Cyber Security Strategy (the Strategy) was released in June 2018. Now, more than ever, Canadians are working, learning, shopping and socializing online, with the COVID-19 pandemic accelerating Canada's transition to a digital economy.

As physical infrastructure is increasingly digitalized, Canadian systems are more interconnected than ever before. Interconnectivity has great benefits, but it can also make us vulnerable. Today, threats such as ransomware, online fraud, cyber-espionage, foreign interference, theft of sensitive data, and disruptive attacks on vulnerable infrastructure continue to become more frequent. Our government has been working hard to reduce these risks by securing critical systems, supporting innovation, and protecting Canadians online, but there is still more we can do.

In the last few years, there has been a significant rise in cyber threats to national and personal security. Hostile state actors and cybercriminals have targeted our critical infrastructure, government institutions, sensitive scientific information and intellectual property, as well as individual Canadians. The borderless nature of cyberspace increases our risk, as we are not protected by our geography.

Our Strategy was designed to be adaptable to the continuously changing nature of cyberspace. To ensure the Strategy remains responsive and agile to new and existing issues, Public Safety Canada led a Mid-Term Review (the Review) of the Strategy, which helped to identify risks, opportunities and gaps in our current approach. The Review has made clear what our future priorities in cyberspace need to be.

Moving forward, the Review will inform our approach to fulfil the Prime Minister's mandate commitment to develop and implement a renewed National Cyber Security Strategy, which will articulate Canada's long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behavior in cyberspace.

I am pleased to share the findings of the Review in this report. We look forward to continuing our work alongside partners to build a more secure and prosperous Canada.

The Honourable Marco Mendicino
Minister of Public Safety Canada

Executive Summary

Introduction and Background

In June 2018, the Government of Canada (Government of Canada, the Government) released the National Cyber Security Strategy (NCSS, the Strategy). The Strategy outlined Canada's vision for security and prosperity in the digital age, and outlined three goals in response to evolving threats, emerging opportunities, and the need for collaborative action. Under the Strategy's supporting 5-Year Action Plan (2019-2024), 14 horizontal initiatives are led by eight federal organizations^{Footnote 1}. Funded through Budget 2018 ($507.7M over five years, and $108.8M ongoing), these initiatives represent an incremental first step to achieving this vision. As the Strategy was designed to be flexible, it was anticipated that additional initiatives could be identified as the cyber landscape continues to evolve.

In 2021, Public Safety Canada launched a Mid-Term Review (the Review) of the Strategy with support from federal partners. The objectives of the Review were to:

Assess the performance and continued relevance of the Strategy; and
Review progress made towards expected outcomes and lessons learned.

Findings of the Review

The Review highlighted key trends observed in cyber security. The global landscape has changed substantially since the Strategy was released in 2018. The COVID-19 pandemic forced many more Canadians to work, learn, shop and socialize online. While Canada's online participation creates many benefits, it also exposes us to an evolving threat landscape.

The Review found growing risks in today's cyber security landscape as highlighted below:

Since the launch of the Strategy in 2018, reliance on Canada's digital systems and infrastructure has increased, a trend accelerated by the COVID-19 pandemic. Also, critical systems that Canadians depend on every day are increasingly digitalized and interconnected.
There has been a significant rise in the number and sophistication of cyber threat actors. These actors take advantage of our dependency on Internet-connected technologies in order to conduct malicious activities. Also, intelligence, security and police services are facing growing challenges to keep pace. Investigating, mitigating and countering cyber threat activity, including cybercrime, is resource-intensive, complex and often multi-jurisdictional.
Growing cyber security workforce shortages continue to be a pressing challenge for governments and organizations, both in Canada and world-wide.

Conclusion

The Government of Canada continues to be confronted by the challenges of an increasingly complex cyber threat environment. Due to rising international tensions, Canadian values, national interest and prosperity are now challenged more than ever before by both state and non-state actors leveraging malicious cyber activities. Online foreign influence activities have become a new normal, cybercrime and online fraud are increasing in volume and complexity, ransomware incidents are rising in numbers, and critical infrastructure owners and operators continue to be targeted across the country. The Government of Canada should continue to protect against threats that target Canadians and Canadian systems, but also work to advance its offensive cyber capacity. This two-fold approach will be essential in ensuring that Canada remains adaptive to the ever evolving cyber ecosystem.

Canada's plan for security and prosperity in the digital age relies on federal leadership as well as collaboration with other levels of government and the private sector. Federal leadership can help raise the cyber security bar at the national level, protecting Canadians and Canadian businesses. A secure and prosperous digital Canada will help to build a stable, predictable, inclusive, and global cyberspace.

Introduction

Canada's Place in the Digital World

The cyber landscape has been deeply altered by the COVID-19 pandemic that emerged in early 2020. As more Canadians work, shop, and socialize remotely, threat actors increasingly take advantage of the growing importance of the Internet and Internet-connected technologies.

Every day, Canadians and Canadian systems are the targets of malicious cyber activities. Recent cyber activities have targeted COVID-19 vaccine research,^{Footnote 2} shut down critical infrastructure (e.g., Newfoundland and Labrador health sector,^{Footnote 3} Northwest Territories Power Corporation^{Footnote 4}), and cost Canadians and Canadian businesses hundreds of millions of dollars in both direct and collateral costs.^{Footnote 5} Globally, recent cyber events include the Colonial Pipeline ransomware incident,^{Footnote 6} the SolarWinds Orion hack,^{Footnote 7} and the JBS Foods incident,^{Footnote 8} which disrupted fuel supplies in the United States, compromised sensitive data around the world, and delayed food production respectively. Disruptions caused by malicious cyber activity have real-world consequences for Canadians as they impact essential services, cause significant financial and reputational damage to organizations, and adversely affect trust in institutions. They also highlight the vulnerabilities of Canada's systems, critical infrastructure and supply chains, and the fabric of its democratic systems.

The National Cyber Security Strategy

The 2018 National Cyber Security Strategy outlined Canada's vision for security and prosperity in the digital age. The Strategy established three core goals in response to evolving threats, emerging opportunities, and the need for collaborative action:

Secure and Resilient Canadian Systems: With enhanced capabilities and in collaboration with partners, the Government of Canada will better protect Canadians from cybercrime, respond to evolving threats, and help defend critical government and private sector systems.
An Innovative and Adaptive Cyber Ecosystem: The Government of Canada will support advanced research, foster digital innovation, and the development of cyber skills and knowledge to position Canada as a global leader in cyber security.
Effective Leadership, Governance and Collaboration: In collaboration with provinces, territories, and the private sector, the federal government will take a leadership role to advance cyber security in Canada, and will, in coordination with allies, work to shape the international cyber security environment in Canada's favour.

The accompanying 5-Year Action Plan (2019-2024) is a detailed plan for the implementation of the Strategy. It sets out the initiatives and milestones supporting each of the three goals. It also presents a roadmap for how the Government plans to achieve and maintain Canada's vision of security and prosperity in the digital age.

The Strategy supports and amplifies a range of other priorities for the Government across its national security, defence, foreign policy, and economic agendas. This includes ongoing efforts to protect Government of Canada systems, enhance cyber policy in Canada's international agenda, develop the Canadian Armed Forces' cyber capabilities, and fulfill the Minister of Democratic Institutions' mandate to defend the electoral process from cyber threats.

Mid-Term Review of the National Cyber Security Strategy

Working alongside federal partners, Public Safety Canada initiated the Review in 2021 to assess the performance of the Strategy and identify opportunities for refinement. This report outlines the performance achievements, milestones reached, and challenges and lessons learned in the delivery of the Strategy. It is intended to act as a first step in a larger and ongoing national conversation on cyber security.

Performance Achievements

The Review assessed the performance of initiatives over the first three years of the Strategy. Overall, the Review found milestones are being met and results are being achieved. It also found the Strategy is overall benefiting Canada and Canadians, and the Strategy's strategic federal investments have established a solid foundation for the Government of Canada to build upon.

Since 2018, steps have been taken to defend Canada against cyber threats and malicious actors, and to further develop Canada's cyber security posture. Collaboration with domestic and international partners has enhanced the Government of Canada's ability to protect Canadians from cybercrime and respond to emerging threats. Collaboration was also key in providing advice and guidance to critical infrastructure owners and operators.

Government of Canada leadership has helped grow Canada's cyber security sector through modest investment in research and innovation, but we continue to face challenges in meeting the growing demands for cyber talent. Internationally, Canada is taking a leadership role to advance Canada's cyber security interests, including shaping cyberspace in a manner that advances Canada's values, economic and security interests.

Key achievements to date include the establishment of two flagship organizations under the Strategy: the Canadian Centre for Cyber Security (Cyber Centre) under the Communications Security Establishment (CSE) and the National Cybercrime Coordination Unit (NC3), a National Police Service under the stewardship of the Royal Canadian Mounted Police (RCMP). Additionally, the Canadian Security Intelligence Service (CSIS) established a dedicated Cyber Operations branch to investigate threats to the security of Canada, emanating from hostile cyber actors. Creating these centres of expertise mark major achievement for the Government of Canada. Alongside these many successes, the Review provides insights on areas that could be bolstered under the Strategy. These insights respond to emerging societal and technological developments, growing threats, and exponentially increasing risks.

Spotlight on Flagship Organizations

Canadian Centre for Cyber Security (Cyber Centre)

CSE maintains a second location that was completed in 2021. Created through the Strategy, the Cyber Centre is the single unified source of expert advice, guidance, services and support on cyber security for government, critical infrastructure owners and operations, the private sector and the Canadian public. Cyber Centre employees are able to work in this facility's multi-classification environment, which is required to support the Cyber Centre as an outward-facing organization. With the Cyber Centre, Canadians have a clear and trusted place to turn to for cyber security issues.

National Cybercrime Coordination Unit (NC3)

The NC3 was established through the Strategy to help reduce the threat, impact and victimization of cybercrime in Canada. As a National Police Service, the NC3 serves all Canadian police agencies. It coordinates cybercrime investigations in Canada and works with partners internationally to combat a wide range of cybercrime incidents. In 2020, the NC3 reached initial operating capability, and will reach full operating capability in 2024.

Goal 1: Secure and Resilient Canadian Systems

Under the first goal of the Strategy, concrete steps have been taken by the Government of Canada to protect Canadians and Canadian systems over the last three years. This includes actions that address cybercrime and that respond to evolving threats, and actions that help defend critical cyber systems, including critical infrastructure.

Key achievements:

Government of Canada networks benefit from the most advanced protections in the world. Concrete actions have also been taken to protect the Government of Canada's most sensitive communications against future threats to cryptography posed by quantum computing.
The RCMP and law enforcement partners are taking action against cybercrime. While cybercrime continues to rise in scale and impact, key foundational measures have included the NC3 and new RCMP Cybercrime Investigative Teams, which has enhanced operational capacity to take action against priority cybercrime activity
CSIS enhanced its cyber intelligence collection and threat assessment capacity. In June 2020, CSIS established a dedicated Cyber Operations branch to more fully investigate cyber-enabled threats to Canada's national security posed by both state and non-state actors, including cyber espionage, theft of intellectual property, foreign influence, and sabotage.
Foundational steps have been taken to enhance critical infrastructure resilience and improve the cyber security posture of critical infrastructure in Canada.

Key challenges:

The ability of the Government of Canada to respond to incidents is hampered by low reporting rates. Increased cyber incident reporting would allow law enforcement and the Canadian Centre for Cyber Security to provide concrete support to victims, better awareness of trends and effective targeting of operational resources to pursue, disrupt and prevent cybercrime activity.
National key stakeholders need to increase collaboration to ensure Canadian systems are secured against existing and emerging cyber threats. The evolving threat landscape and rapid evolution of cyber technologies underscore the importance of sharing information concerning cyber threats with key stakeholders.
The Government of Canada needs to be better equipped and use all tools at its disposal to protect Canada and its national interests from threats, including cybercrime, and ensure Canada and Canadians remain secure and resilient against malicious cyber activity.

Goal 1: Milestone Table

Description: A table outlining the initiative milestones for the National Cyber Security Strategy Goal 1: Secure and Resilient Canadian Systems. The table lists the initiative, department leading the initiative, the initiative action or milestone, the target date for achievement and the current status of the action or milestone.

Initiative	Department	Action/Milestone	Target End Date	Status
Supporting Canadian Critical Infrastructure Owners and Operators	Public Safety Canada (PS)	Acquire/develop a technical cyber assessment tool	2019	Completed
		Establish an Industrial Control System (ICS) Advisory Committee	2019	Completed
		Increase the number of cyber security exercises delivered to critical infrastructure stakeholders	2020	Completed
		Develop technical ICS security training and awareness solution	2020	Completed
Improved Integrated Threat Assessments	Communications Security Establishment (CSE)	Increase capacity to enable CSE to better meet increasing demands for cyber threat assessments	2024	In Progress
Improved Integrated Threat Assessments	Communications Security Establishment (CSE)	Increase capacity to enable CSE to assess a wider array of cyber threats reflecting the Cyber Centre's growing client base	2024	In Progress
Preparing Government of Canada Communications for Advances in Quantum	Communications Security Establishment (CSE)	Protect Government of Canada's classified information against anticipated advancements in quantum computing	2023	In Progress
Expanding Advice and Guidance to the Finance and Energy Sectors	Communications Security Establishment (CSE)	Finance and energy sectors work cooperatively with the Cyber Centre and within their sectors to improve their cyber security postures	2024	In Progress
	Communications Security Establishment (CSE)	Improve cyber security posture of the finance and energy sectors	2024	In Progress
Cyber Intelligence Collection and Cyber Threat Assessments	Canadian Security Intelligence Service (CSIS)	Augment CSIS collection of national security cyber intelligence and production of cyber threat assessments	2023	In Progress
National Cybercrime Coordination Unit (NC3 Unit)	Royal Canadian Mounted Police (RCMP)	Reach initial operating capability	2020	Completed
		Establish NC3 Unit Advisory Group	2021	Completed
		Full implementation of the National Cybercrime and Fraud Public Reporting System	2023	In Progress
		Reach full operating capability	2024	In Progress
Federal Policing Cybercrime Enforcement Capacity	Royal Canadian Mounted Police (RCMP)	Deploy cyber specialists abroad	2020	Completed
		Establish/support cybercrime investigative teams	2021	Completed
		Recruit/train cyber capability specialists	2021	In Progress

Goal 2: An Innovative and Adaptive Cyber Ecosystem

Under Goal 2, the Government of Canada has played a leadership role in supporting Canada's growing cyber security sector through investments that supported research, innovation, and skills development. The Government of Canada envisions a future in which all Canadians play an active role in shaping and sustaining our nation's cyber resilience. Initiatives launched under Goal 2 were designed to allow Canadian governments, businesses, and citizens to anticipate trends, adapt to a changing environment, and remain on the leading edge of innovation in cyber security.

Key Achievements:

A national standard and certification process for cyber security was established for Small and Medium Enterprises (SMEs). This initiative is expected to increase in the number of SMEs with cyber security resilience by 2024, better positioning Canadian SMEs to compete globally.
More than 1,000 student work placements were created in cyber security, helping students develop job-ready skills and employers to identify talent to support their future hiring needs.

Key challenges:

Canada must work to increase cyber security awareness, knowledge, and hygiene across the nation, with a specific focus on equity-deserving groups such as children, women and gender diverse people, seniors, and newcomers to Canada.
Canada must maintain an agile and adaptive cyber security posture as it pursues new economic opportunities, and develops and adopts key technologies and capabilities.
Further investments in an innovative and adaptive cyber ecosystem will be foundational to the Government of Canada's efforts to position Canada as a global leader in cyber security.

Goal 2: Milestone Table

Description: A table outlining the initiative milestones for the National Cyber Security Strategy Goal 2: An Innovative and Adaptive Cyber Ecosystem. The table lists the initiative, department leading the initiative, the initiative action or milestone, the target date for achievement and the current status of the action or milestone.

Initiative	Department	Action/Milestone	Target End Date	Status
Cyber Security Student Work Placement Program	Employment and Social Development Canada (ESDC)	Launch student work-integrated learning program	2018	Completed
Cyber Security Student Work Placement Program	Employment and Social Development Canada (ESDC)	Complete student work-integrated learning program and conduct evaluation	2021	Completed
Cyber Security Assessment and Certification for Small and Medium-Sized Enterprises (SMEs)	Innovation, Science, and Economic Development (ISED), with CSE and SCC	Develop security controls in collaboration with CSE	2019	Completed
		Launch cyber education and awareness tool	2019	Completed
		Launch cyber certification program	2019	Completed
		Launch national standard for cyber security	2020	Completed

Goal 3: Effective Leadership, Governance and Collaboration

Under Goal 3, the Government of Canada has demonstrated leadership in advancing Canada's cyber security interests and values both domestically and abroad. The Government of Canada has enhanced collaboration and coordination of cyber security and cybercrime issues amongst stakeholders and advocated for an open, free, and secure Internet. Also, the Government of Canada increased information sharing amongst partners in support of evidence-based decision-making.

Key achievements:

The Government of Canada established the Cyber Centre as the single unified source of expert technical advice, guidance and services for Canada. These efforts support a broad range of Canadian stakeholders with insights to inform decision-making and improve cyber resilience.
The Government of Canada enhanced Canada's international cooperation and worked with international partners to advance Canadian interests. Efforts resulted in strong and visible Canadian leadership on the international scene in support of cyber security and cybercrime operational and policy priorities.
Important steps were taken to strengthen the resilience of Canada's domestic and cross-border energy infrastructure. The Government of Canada took a leadership role to advance and facilitate sector-wide collaboration on energy sector cyber security in Canada. The Government of Canada also increased bilateral collaboration with the United States on critical energy infrastructure protection. These efforts ensure Canadians have access to sustainable, secure, and resilient energy supplies. They also promote stronger relationships with key American energy partners.
The Government of Canada enhanced data collection on cyber security issues in Canada. The Canadian Survey of Cyber Security and Cybercrime reports on the impact of cybercrime. The survey helps to provide an accurate view of cyber security and cybercrime issues and their impacts. The data is used by policy-makers, researchers, academics, and industry to understand trends and drive the development of technology and service innovation.
The Government of Canada released Canada's Statement on International Law applicable in Cyberspace. Canada's Statement on International Law applicable in Cyberspace, a G7 commitment, was published on Global Affairs Canada's cyber foreign policy webpage on April 28, 2022. This Statement will contribute to building common understandings amongst States of how international law applies in cyberspace. It will also contribute to increased transparency, predictability and security in cyberspace by signalling to others the legal framework under which Canada conducts and assesses cyber activities.

Key challenges:

Since the launch of the Strategy, emerging technologies have played a significant role in changing the digital landscape. In this new reality, cyber security and its governance must evolve in lockstep with the pace of societal change and technology developments.
A strong and secure digital environment will depend on enhanced collaboration across federal organizations, as well as with a broad range of stakeholders nationally and internationally.
While many departments and agencies work on cyber security issues within the Government of Canada, not all those who are responsible for delivering cyber security policy and programs are signatories under the Strategy. A whole-of-society approach to cyber security must include all implicated federal organizations and a number of different components of national organisation.

Goal 3: Milestone Table

Description: A table outlining the initiative milestones for the National Cyber Security Strategy Goal 3: Effective Leadership, Governance and Collaboration. The table lists the initiative, department leading the initiative, the initiative action or milestone, the target date for achievement and the current status of the action or milestone.

Initiative	Department	Action/Milestone	Target End Date	Status
Strategic Policy Capacity in Cyber Security and Cybercrime	Public Safety Canada (PS)	Recruit strategic policy team	2022	Completed
		Undertake annual progress review	2021-2024	In Progress
		Undertake governance review	2021	Completed
Cyber Security Cooperation Program (CSCP)	Public Safety Canada (PS)	Launch the renewed CSCP	2019	Completed
		Conduct program marketing	2019	Completed
		Initiate Call for Proposals	2019	Completed
		Disburse project funding	2019	Completed
Canadian Centre for Cyber Security	Communications Security Establishment (CSE)	Virtual launch of the Canadian Centre for Cyber Security (the Cyber Centre)	2018	Completed
		Achieve basic operating capability	2022	In Progress
		Achieve full operating capability	2023	In Progress
International Strategic Framework for Cyberspace	Global Affairs Canada (GAC)	Launch International Cyber Engagement Working Group	2018	Completed
		Create cyber unit at Global Affairs Canada	2019	Completed
		Develop International Cyber Strategy	2022	In Progress
		Undertake cyber-related capacity building	2019	Completed
		Develop attribution policy	2019	Completed
		Staff Washington Mission position	2020	Completed
		Host relevant cyber security meetings	2024	In Progress
		Support international participants in cyber negotiations	2024	In Progress
		Promote Canadian interests and values on cyber issues in international forums	2024	In Progress
Bilateral Collaboration on Cyber Security and Energy	Natural Resources Canada (NRCan)	Recruit and hire core staff for the Bilateral Collaboration Team	2019	Completed
		Launch initial call for expressions of interest and proposals for projects	2019	Completed
		Sign contribution agreements and disburse funding for first round projects	2019	Completed
		Launch second call for expressions of interest and proposals for projects	2020	Completed
		Sign contribution agreements and disburse funding for second round projects	2020	Completed
		Participate in key information sharing activities, workshops, and briefing sessions with the U.S. government	2023	In Progress
		Advance joint initiatives with U.S. partners on cyber security and energy (e.g. tabletop exercises, R&D, information sharing)	2023	In Progress

Challenges and Lessons Learned

The Review provided an opportunity to reflect on challenges and lessons learned over the first three years of the NCSS. The largest challenge faced in the implementation of the Strategy was the COVID-19 pandemic, which began in early 2020, less than a year into delivery of the 5-Year Action Plan (2019-2024). The pandemic resulted in decreased program spending, caused procurement challenges, and exacerbated staffing shortages. However, while there were initial delays, most departments and agencies were able to pivot to virtual delivery, and the community remains on track to achieve key milestones. In some instances, virtual forms of engagement have enabled some departments and agencies to expand the reach of their programs and services.

In addition to these overarching findings, the Review also found specific challenges and lessons learned, outlined below:

Government of Canada Systems:

The Government of Canada has been largely successful in defending the core of its own networks and those under federal jurisdiction in the face of increasing threats, but needs to look beyond and extend its protections.
The Government of Canada should continue collaborating with key stakeholders to ensure Canadian systems are prepared and secured against threats posed by the upcoming quantum computing revolution.

National Security:

The Government of Canada continues to be confronted by the challenges of an increasingly complex cyber threat environment. To protect Canada and its national interests, the Government of Canada should continue using all tools and ensure it has the right tools at its disposal to protect against threats that target Canadians and Canadian systems and adapt to the ever increasing and evolving cyber ecosystem.

Cybercrime:

The Government of Canada should continue to focus on the increasing volume and complexity of cybercrime and online fraud that puts demand on law enforcement organizations to keep pace, pursue cybercrime activity targeting Canada's business economy and other victims and maintain their position of strength as a partner to key stakeholders and allies.
The ongoing rise of ransomware, online fraud and the criminal use of cryptocurrency requires greater law enforcement action on several fronts to pursue, disrupt and prevent cybercrime threats to Canada in collaboration with domestic and international partners.

Critical Infrastructure:

The high economic and societal costs of cyber incidents underscore the importance of securing Canada's critical cyber systems. Continuing to focus on critical infrastructure resilience and the accurate and timely reporting of cyber incidents by all parties will help protect Canadians, governments, and organizations.

Innovation, Adaptation and Workforce Development:

The Government of Canada should continue efforts to raise awareness of the importance and need for increased understanding of cyber security by all users and businesses.
Investment in an innovative and adaptive cyber ecosystem and skills are foundational to the Government of Canada's efforts to position Canada as a global leader in cyber security. More needs to be done to increase Canadian cyber security skills and the talent pipeline, to safeguard research and innovation and enhance collaboration on digital standards.

Leadership, Governance and Collaboration:

Since the launch of the Strategy, emerging technologies have played a significant role in changing the digital landscape. In this new reality, cyber security and its governance should evolve alongside societal change and technology developments through systematic engagement with other levels of government and other sectors of the Canadian society.
A strong and secure digital environment continues to depend on collaboration with a broad range of stakeholders nationally and internationally. There is a need for enhanced coordination to maximize use of the entire toolkit to protect Canadians and Canadian interests.

Conclusion

Initial investments through the National Cyber Security Strategy were foundational to the Government of Canada's efforts to protect Canada and Canadians against cybercrime, cyber-espionage, the disruption of critical infrastructure, and other cyber-enabled threats such as foreign interference and economic threats to national security. However, since the Strategy was released in 2018, the global cyber landscape has changed. An expanding threat landscape and the accelerated pace at which threats are evolving now requires a much more comprehensive and agile national and international response.

In the wake of recent cyber incidents, including the one that disrupted critical healthcare systems across Newfoundland and Labrador in October 2021^{Footnote 9}, the Government of Canada will continue to build on Canada's foundation of cyber resilience to secure the safety of Canadians, our economy, and national security.

The cyber security workforce shortage remains one of the most critical and pressing challenges for Canada. The Government of Canada will continue to support workforce development on the national stage to prepare for the next generation of cyber security professionals.

Canada can continue to advance national cyber security by securing its digital infrastructure, strengthening offensive capacity to take disruptive action against cybercriminals, deterring escalating challenges to Canadian national interests, growing the cyber workforce, investing in critical cyber security innovation, pursuing and disrupting cybercriminals through law enforcement action, increasing cyber hygiene and awareness of cyber threats, and collaborating with other levels of government, the private sector, and academia.

In December 2021, the Prime Minister reaffirmed the strategic importance of cyber security by mandating the renewal of the Strategy. This Renewal will present an opportunity to explore what further investments will be required to continue to protect Canada's national and economic security against cyber-enabled threats such as espionage, cybercrime, the disruption of critical infrastructure, and foreign interference.

Annex A: Glossary

Artificial Intelligence: The subfield of computer science concerned with developing intelligent computer programs that can solve problems, learn from experience, understand language, interpret visual scenes, and, in general, behave in a way that would be considered intelligent if observed in a human.
Critical Infrastructure: Processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence.
Cybercrime: A crime committed with the aid of, or directly involving, a data processing system or computer network. The computer or its data may be the target of the crime or the computer may be the tool with which the crime is committed.
Cyber Defence: Cyber defence is a subset of cyber security activities. Cyber defence may be understood as the technical capability to discover and detect cyber incidents, and to develop and deploy measures to defend against them.
Cyber Incident: Any unauthorized attempt, whether successful or not, to gain access to, modify, destroy, delete, or render unavailable any computer network or system resource.
Cyber Resilience: The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Cyber Security: The protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices, and response and mitigation measures designed to protect networks, computers, programs, and data from attack, damage, or unauthorized access so as to ensure confidentiality, integrity, and availability.
Cyberspace: The electronic world created by interconnected networks of information technology and the information on those networks. It is a global commons where more than 3 billion people are linked together to exchange ideas, services, and friendship.
Cyber Threat: Any circumstances or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service
Cryptography, including Encryption: Cryptography is a discipline that includes the principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use. The conversion of the information to hide its content from unauthorized individuals is referred to as encryption. The conversion of information back to its original form is decryption.
Digital economy: The digital economy incorporates all economic activity reliant on, or significantly enhanced by the use of digital inputs, including digital technologies, digital infrastructure, digital services and data. It refers to all producers and consumers, including government, that are utilising these digital inputs in their economic activities.
Digital infrastructure: Digital infrastructure possesses the foundational services that are necessary to the information technology capabilities of a nation, region, city or organization.
Hacker: Someone who uses computers and the Internet to access data without permission.
Malicious Cyber Activity: Involves the unauthorized use, manipulation, interruption or destruction of, or access to, via electronic means, electronic information or the electronic devices or computer systems and networks used to process, transmit, or store that information.
Malicious Software/Malware: Malicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware.
Quantum Computing: Quantum computers are experimental devices that are designed to process certain calculations very quickly. While a classic computer works with ones and zeros, a quantum computer will have the advantage of using ones, zeros and "superpositions" of ones and zeros. Certain difficult tasks that have long been thought impossible for classic computers will be achieved quickly and efficiently by a quantum computer.
Ransomware: Malicious software that denies an individual or organization access to key files and systems until a ransom is paid to the cybercriminal. Ransomware involves encryption, locked screens and/or other methods to prevent file access and extort victims, such as leaking sensitive data online, and ransomware payments often involve cryptocurrency.
Threats to the Security of Canada: Espionage, sabotage, or foreign influenced activities that are clandestine or deceptive in nature and are detrimental to the interests of Canada. Threats can also include activities directed toward, or in support of, the threat or use of serious violence for the purpose of achieving a political, religious or ideological objective or activities directed toward undermining by covert unlawful acts the constitutionally established system of government in Canada.

Annex B: The Cyber Threat Landscape

The global cyber security threat landscape is rapidly evolving. Cyber incidents, including significant critical infrastructure incidents, are increasing in number and sophistication.^{Footnote 10} As more important day-to-day activities such as banking, government services, health services, commerce, and education move online, they also become susceptible to threat activity. In today's COVID-19 pandemic context, this trend has accelerated as Canadians increasingly work and socialize remotely.

Cyber threat actors continue to adapt their activities to find valuable information and attempt to obtain it, hold it for ransom, and/or destroy it. These incidents disproportionally threaten the health, prosperity, and privacy of the most vulnerable in Canadian society, including senior citizens and individuals in remote communities.

The Cyber Centre has identified five trends driving the evolution of the cyber landscape and threat activity.^{Footnote 11}

1. The physical safety of Canadians is increasingly being put at risk

The safety of Canadians depends on critical infrastructure, as well as consumer and medical goods, many of which are controlled by computers embedded within them. Increasingly, these computers are being connected to the Internet by their manufacturers to enable new features or provide data to a third party. Once connected, these systems and goods are susceptible to cyber threat activity, and maintaining their security requires investments over time from manufacturers and owners. As much of the critical infrastructure in Canada is owned and operated by the private sector,^{Footnote 12} these security investments, although essential, can be difficult to sustain.

The Cyber Centre assesses that, almost certainly, the most pressing cyber threat to the physical safety of Canadians are to operational technology^{Footnote 13} and critical infrastructure. In 2021, Canadians experienced significant cyber events involving critical infrastructure, including the October 2021 compromise of critical information technology systems supporting healthcare providers in Newfoundland and Labrador and the temporary removal of the websites and services of the Canada Revenue Agency, Government of Quebec, and Metrolinx-GO Transit in response to a critical vulnerability identified in December 2021.

2. More economic value is being put at risk

State-sponsored cyber threat actors and cyber criminals continue to exact costs from Canadian individuals and businesses and damage the economy. Cyber criminals defraud individuals and companies and extort money from them through ransomware, and state-sponsored threat actors steal intellectual property and proprietary business information.^{Footnote 14} In Canada, the estimated average cost of a data breach (a compromise that includes, but is not limited to ransomware), is C$6.35M.^{Footnote 15} In 2021-22, the NC3 also received over 380 reports of ransomware with a nexus to Canadian victims, infrastructure and/or suspects, which represents a fraction of the actual level of victimization given underreporting challenges. The Canadian Anti-Fraud Centre (CAFC) also received $379 million in reported losses in 2021, more than double the previous record losses from 2020, and 70% were cyber-enabled.

The protection of intellectual property is crucial to the productivity and competitiveness of Canadian companies, and vital for Canada's economic growth and national defence. Certain countries continue to use advanced cyber espionage programs to obtain unfair advantages in the global marketplace and to improve their military technology. Commercial cyber espionage against Canadian companies is ongoing across a range of fields including aviation, technology and artificial intelligence, energy, and biopharmaceuticals.

3. More collected data increases privacy risk

Canadians generate an incredible amount of data about their locations, shopping habits, pattern of life, personal health, and more when they use their Internet-connected devices. As Canadians generate, store, and share more personal information online, this data becomes vulnerable to cyber threat actors via breaches or misuse by the companies or foreign governments that collect it. For example, the Office of the Privacy Commissioner of Canada (OPC) recorded 680 data breaches impacting 28 million Canadians in the year ending November 1, 2019.^{Footnote 16} These large data breaches reveal personal information that can be used in follow-on crimes. Meanwhile, advances in data science make it more difficult to maintain data anonymity and privacy protections.

4. Advanced cyber tools and skills accessible to more threat actors

The commercial sale of cyber tools – in both legitimate and illegal markets – coupled with a global pool of talent, has resulted in more threat actors and more sophisticated threat activity. Purchasing tools and services greatly reduces the start-up time for cyber criminals and enables them to use better tools. State-sponsored threat actors are also recruiting skilled expatriates with lucrative salaries to rapidly develop their national cyber programs.^{Footnote 17} These trends make it more challenging to identify, attribute, and defend against cyber threat activity. To illustrate the scale and scope of this challenge, on any given day, CSE's defensive cyber systems can block anywhere from 3 to 5 billion actions targeting Government of Canada networks. As noted above, cyber incidents may result in the denial of critical services, the theft of sensitive information, and disruptions to government supply chains.

5. Internet at a crossroads

Adversaries also use online influence to further their core interests, which include national security, economic prosperity, and ideological goals.^{Footnote 18} Online foreign influence activities have become a new normal, and adversaries seek to influence both domestic events, like elections, as well as international discourse related to current events.^{Footnote 19} In addition, many states are pushing hard to change the accepted approach to Internet governance from the existing, multi-stakeholder approach, to one of state sovereignty that will allow them to track their citizens and censor information.

Footnotes

Footnote 1

Canadian Security Intelligence Service (CSIS); Communications Security Establishment (CSE); Employment and Social Development Canada (ESDC); Global Affairs Canada (GAC); Innovation, Science and Economic Development Canada (ISED); Natural Resources Canada (NRCan); Public Safety Canada (PS); and Royal Canadian Mounted Police (RCMP).

Return to first footnote 1 referrer

Footnote 2

Communications Security Establishment, CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development, 2020. CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development - Communications Security Establishment (cse-cst.gc.ca).

Return to first footnote 2 referrer

Footnote 3

"N.L. health-care cyberattack is worst in Canadian history, says cybersecurity expert", CBC News. November 14, 2021. https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyber-attack-worst-canada-1.6236210.

Return to first footnote 3 referrer

Footnote 4

Walter Strong. "NTPC confirms 'cyber attack' from unknown source on Thursday, RCMP investigating", CBC News. April 30, 2020. NTPC confirms 'cyber attack' from unknown source on Thursday, RCMP investigating | CBC News.

Return to first footnote 4 referrer

Footnote 5

CCCS, Cyber Threat bulletin: The ransomware threat in 2021, 2021. Cyber threat bulletin: The ransomware threat in 2021 - Canadian Centre for Cyber Security.

Return to first footnote 5 referrer

Footnote 6

William Turton and Kartikay Mehrotra. "Hackers Breached Colonial Pipeline Using Compromised Password", Bloomberg. June 4, 2021. https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password.

Return to first footnote 6 referrer

Footnote 7

"SolarWinds hack was 'largest and most sophisticated attack' ever: Microsoft president", Reuters. February 14, 2021. https://www.reuters.com/article/us-cyber-solarwinds-microsoft-idUSKBN2AF03R.

Return to first footnote 7 referrer

Footnote 8

"JBS: Cyber-attack hits world's largest meat supplier", BBC News. June 2, 2021. https://www.bbc.com/news/world-us-canada-57318965.

Return to first footnote 8 referrer

Footnote 9

Government of Newfoundland and Labrador, Information and Updates on Cyber Incident, 2022. Information and Updates on Cyber Incident - Health and Community Services (gov.nl.ca).

Return to first footnote 9 referrer

Footnote 10

CCCS, National Cyber Threat Assessment 2020, 2020, p. 5. https://cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2020.

Return to first footnote 10 referrer

Footnote 11

Ibid.

Return to first footnote 11 referrer

Footnote 12

Government of Canada, Let's Talk Critical Infrastructure - Frequently Asked Questions, 2022. https://www.letstalkcriticalinfrastructure.ca/frequently-asked-questions.

Return to first footnote 12 referrer

Footnote 13

Operational technology (OT) is a broad term that refers to technology used to control physical processes such as dam openings, broiler activities, electricity conduction, and pipeline operations.

Return to first footnote 13 referrer

Footnote 14

CCCS, National Cyber Threat Assessment 2020, 2020. ncta-2020-e-web.pdf (cyber.gc.ca).

Return to first footnote 14 referrer

Footnote 15

IBM, The Cost of a Data Breach Report 2021, July 28, 2021. https://www.ibm.com/downloads/cas/OJDVQGRY.

Return to first footnote 15 referrer

Footnote 16

CCCS, National Cyber Threat Assessment 2020, 2020. ncta-2020-e-web.pdf (cyber.gc.ca).

Return to first footnote 16 referrer

Footnote 17

Ibid.

Return to first footnote 17 referrer

Footnote 18

CCCS, Cyber threats to Canada's democratic process: July 2021 update, 2021. https://cyber.gc.ca/en/cyber-threats-canadas-democratic-process-july-2021-update.

Return to first footnote 18 referrer

Footnote 19

CCCS, National Cyber Threat Assessment 2020, 2020. ncta-2020-e-web.pdf (cyber.gc.ca).

Return to first footnote 19 referrer

Date modified:: 2022-06-27

Language selection

Search and menus

Search

National Cyber Security Strategy 2019-2024: Report on the Mid-term Review

Table of contents

Forward

Executive Summary

Introduction and Background

Findings of the Review

Conclusion

Introduction

Canada's Place in the Digital World

The National Cyber Security Strategy

Mid-Term Review of the National Cyber Security Strategy

Performance Achievements

Spotlight on Flagship Organizations

Canadian Centre for Cyber Security (Cyber Centre)

National Cybercrime Coordination Unit (NC3)

Goal 1: Secure and Resilient Canadian Systems

Goal 1: Milestone Table

Goal 2: An Innovative and Adaptive Cyber Ecosystem

Goal 2: Milestone Table

Goal 3: Effective Leadership, Governance and Collaboration

Goal 3: Milestone Table

Challenges and Lessons Learned

Conclusion

Annex A: Glossary

Annex B: The Cyber Threat Landscape

1. The physical safety of Canadians is increasingly being put at risk

2. More economic value is being put at risk

3. More collected data increases privacy risk

4. Advanced cyber tools and skills accessible to more threat actors

5. Internet at a crossroads