Transition Binder: Cyber Security

Public Safety Canada (PS, the Department) is the national cyber security policy lead for the Government of Canada (GoC). The Department works with multiple other departments and agencies to advance cyber security resilience in Canada, namely with the Communications Security Establishment; Royal Canadian Mounted Police; Canadian Security Intelligence Service; Department of National Defence; Innovation, Science and Economic Development Canada; Transport Canada; Employment and Social Development Canada; Natural Resources Canada; Finance Canada; Global Affairs Canada; and Treasury Board Secretariat.

Relevant Mandate Letter Commitments

Further Information

National Cyber Security Strategy

The National Cyber Security Strategy (NCSS, the Strategy) was announced through Budget 2018 with $507.7 million earmarked over five years, and $108.8 million per year thereafter. The Strategy is a horizontal initiative, involving seven partner organizations (see Footnote 1) delivering 14 initiatives. Notably, it created the Canadian Centre for Cyber Security (Cyber Centre) that is part of the Communications Security Establishment (CSE) and the National Cybercrime Coordination Centre (NC3) that is part of the Royal Canadian Mounted Police (RCMP). These centres are unified sources of expert advice, guidance, services and support for Canadians on cyber security and incidents.

In December 2021, the Prime Minister mandated the Minister of Public Safety to work with the Minister of National Defence, the Minister of Foreign Affairs, and the Minister of Innovation, Science and Industry, in collaboration with implicated ministers to develop and implement a new NCSS.

PS released a Mid-Term Review of the 2018 NCSS in June 2022. The Review found that while the Strategy was performing well and its goals remained appropriate, a much-changed global context and growing threat landscape require a stronger federal response to protect Canada's national security. Taking into account the findings of the Mid-Term Review, a new NCSS was drafted in collaboration with partners. [REDACTED]

[REDACTED]

Bill C-26, An Act Respecting Cyber Security

On June 14, 2022, the Minister of Public Safety introduced Bill C-26 in the House of Commons. The Bill consists of two distinct parts.

Part 1, led by Innovation, Science and Economic Development Canada (ISED), seeks to amend the Telecommunications Act to add security as a policy objective. This will provide the Government with the legal authority to mandate any necessary action to secure Canada's telecommunications system, such as prohibiting Canadian companies from using products and services from high-risk suppliers. The legal authority is required to enforce the government's policy decision to ban Huawei and ZTE equipment from Canada's telecommunications network.

Part 2, led by PS, introduces the Critical Cyber Systems Protection Act (CCSPA), which would establish a regulatory framework to strengthen baseline cyber security for services and systems under federal jurisdiction that are vital to national security and public safety.

After being studied by both the Standing Committee on Public Safety and National Security (SECU) and the Standing Senate Committee on National Security, Defence, and Veterans Affairs (SECD), the Bill was passed by the Senate as amended on December 5, 2024, and is currently awaiting concurrence from the House of Commons before proceeding to Royal Assent.

Federal Cyber Incident Response Plan (FCIRP)

The FCIRP is a framework for the Government of Canada's management of cyber incidents that affect assets that are not owned or operated by the GC but are essential to the health, safety, security, defence, or economic well-being of Canadians. The FCIRP is co-chaired by Public Safety as the cyber security policy lead for the Government of Canada and the Canadian Centre for Cyber Security as the technical lead on cyber security for the Government of Canada.

The FCIRP has 4 response levels that dictate the level of coordination required for any given cyber security incident, as well as stakeholder participation and reporting requirements. If a cyber security incident under the FCIRP reaches a catastrophic or severe level (Level 4), those plans would transition to the Federal Emergency Response Plan (FERP), which outlines the processes required to facilitate a Government-of-Canada-wide response to severe or catastrophic events that impact the national interest and supports an all-hazards arrangement and response mechanism.

Attribution of Malicious Cyber Activity

PS plays a key role in Canada's attribution framework, which is led by Global Affairs Canada. This framework is used when the GoC is considering attributing malicious cyber activity to a state actor. PS supports GAC's strategic assessment through analysis of domestic implications to determine if attribution would bring excessive risk to Canadian critical infrastructure, intelligence operations, law enforcement investigations, or other Canadian interests. Public attribution of cyber incidents holds malicious actors accountable, and is part of our larger approach to deterring future incidents and promoting responsible state behaviour in cyberspace. These attributions are often made in coordination with like-minded partner states, and the Minister of Public Safety regularly co-releases attribution statements.

Artificial Intelligence

PS collaborates with various departments and agencies to develop strategies, policies, and initiatives addressing artificial intelligence (AI) related threats. PS aims to ensure that Canada is prepared for, and can respond to, a range of national security and cyber security threats including through the use of AI. PS is undertaking a range of work on offensive and defensive uses of AI including policy related to the use of AI and how it can be used to either enhance or degrade cyber security. PS is currently examining how AI technology will be incorporated into the regulation development phase for C-26 to improve cyber security in critical infrastructure.

Ransomware

Ransomware is the most disruptive form of cybercrime facing Canadians. According to the most recent National Cyber Threat Assessment, ransomware is the top cybercrime threat to Canadian critical infrastructure. The impact of ransomware can be extensive, and includes core business disruptions, data loss, significant recovery costs, and potentially the loss of life. Ransomware threatens to disrupt critical infrastructure across all sectors and may cause physical harm to individuals or even result in the loss of life; for example, a compromised health care system can disrupt patient care delivery. While it is criminal, it is also a threat to public safety and national security. As such, PS engages in a number of domestic and international initiatives to mitigate ransomware (e.g., Ransomware Working Group (RWG) and Counter Ransomware Initiative (CRI)). In September 2024, as part of the CRI, Canada launched a new Public-Private Sector Advisory Panel to advise and support CRI members in combating ransomware. Canada will co-chair this advisory panel with BlackBerry until the 2025 CRI Summit.

Canada's Indo-Pacific Strategy (IPS)

The Indo-Pacific region is central to a number of Canada's most pressing national and economic security priorities. The IPS, led by Global Affairs Canada, aims to advance and defend Canadian interests and values by supporting a more secure, prosperous, inclusive, and sustainable Indo-Pacific, and reaffirms Canada's role in its emerging security environment. PS and its portfolio agencies have significant stakes in the IPS' Defence and Security pillar, which includes a Cyber Diplomacy and Security Initiative. This multi-departmental initiative aims to promote responsible state behavior in regional cyber governance, build regional cyber capacity, expand Canada's cooperation with allies and partners, strengthen Canada's ability to protect national security and the economy from cyber threats, and aid Canada in detecting foreign influence operations. PS' responsibilities under this initiative involve expanding Canada's cooperation with allies and partners and sharing best practices on the development and implementation of domestic cyber security policy and legislation. Work is underway to achieve these objectives through international engagements and cyber capacity building in the region. The initiatives will also support the implementation of the forthcoming new National Cyber Security Strategy.

Canadian Program for Cyber Security Certification (CP-CSC)

The GoC is working to establish a cyber security certification program for defence procurement that will result in mandatory requirements for select federal defence contracts. PS is involved in efforts, led by Public Services and Procurement Canada (PSPC), to establish this program in response to the U.S. Department of Defence's launch of the Cyber Maturity Model Certification (CMMC). This would allow Canada to ensure a baseline of cyber security across suppliers to the Department of National Defence (and eventually to sectors beyond defence). The establishment of this program will ensure the protection of unclassified federal information held by Canada's defence suppliers. Implementation of the program is expected to begin in Winter 2025.

Stakeholder Perspectives

There is an expanding desire from stakeholders for increased national engagement on cyber security issues, and improved coordination with other national security and emergency response initiatives. Essential to future success will be increased collaboration and engagement by federal partners with industry, academia and other orders of government to collaboratively find solutions to tomorrow's cyber security challenges. Many CI sectors fall under provincial and territorial authority and require strengthened national collaboration and access to timely intelligence as threats increase. Provinces, territories, and CI owners and operators are looking to the federal government for guidance and collaboration. Further, as cyber security is, in its nature, borderless, international allies and partners are increasingly focused on engaging with PS to both build domestic resilience and ensure that policy development processes are synchronised, where possible.

Footnotes

Footnote 1

PS, CSE, CSIS, RCMP, ESDC, ISED, NRCan and GAC
