Federal government announces latest National Cyber Security Strategy

On February 6, the Government of Canada announced its latest National Cyber Security Strategy (the NCSS), detailing the federal government’s plan to help Canadian organizations prepare for and respond to the rapidly evolving and increasingly sophisticated cyber security threats of today and tomorrow. 

The NCSS seeks to build off of the success of the prior edition released in 2018, which established the Canadian Centre for Cyber Security and National Cybercrime Coordination Unit under the purview of the RCMP. The NCSS aims to strengthen Canada’s overall cyber security resiliency through strategic partnerships, investments in innovation, and increased detection and disruption of cyber attacks.

Overarching principles

The NCSS is characterized by two overarching principles: 

• Whole-of-society engagement. The Government of Canada seeks to both raise public awareness of cyber threats and deepen partnerships with key stakeholders, including other levels of government, the private sector, law enforcement, and Indigenous communities, among others, to tackle critical cyber security issues. 
• Agile leadership. The NCSS is meant to evolve based on close collaboration with key partners and stakeholders – and not to be a static plan. This will allow the Government of Canada to respond to emerging risks as they occur and to make ongoing investments in support of Canada’s cyber security posture. 

Three pillars to deliver results under the NCSS

Guided by these principles, the NCSS establishes three pillars with broad objectives for achieving results.

Pillar 1: Working with partners to protect Canadians and Canadian businesses from cyber threats

The Government of Canada plans to spearhead an “unprecedented level of public-private partnering” with key stakeholders, including by establishing a new Canadian Cyber Defence Collective to serve as a national multi-stakeholder engagement body. The federal government also intends to strengthen partnerships with academia through initiatives like the recently announced funding for the Cyber Attribution Data Centre (CADC) at the University of New Brunswick. The CADC will harness intelligence analytics to better understand cyber threats and train the next generation of cyber defence specialists to leverage modern tools like artificial intelligence (AI).

Recognizing the role human error plays in the majority of cyber attacks and that deterrence often starts at the individual user level, the federal government will continue to provide cyber hygiene tips to the public through the “Get Cyber Safe” program and to advance other public awareness campaigns. 

Internationally, the Government of Canada will continue to work with global allies to deter and respond to malicious cyber attacks. This will be supported by a new position established by Global Affairs Canada, the Senior Official for Cyber, Digital and Emerging Technology whose role will be to assist in collaborating with other nations in their capacity-building efforts (including in particular, the Indo-Pacific region) and to represent Canada internationally to identify and address cyber threats.

Pillar 2: Making Canada a global cyber security industry leader

To establish Canada as a global leader in cyber innovation, the Government of Canada plans to invest in various facets of the cyber security industry. This involves funding existing initiatives such as Canada’s Digital Charter and the Cyber Security Innovation Network, among others, and continuing to provide grants and contributions through the Cyber Security Cooperation Program. Additionally, the government announced the Canadian Cyber Security Certification Program, which aims to enhance cyber security in the defense sector. 

The NCSS acknowledges that updated legislation and regulation are also necessary to foster cyber innovation in Canada. While recent efforts to implement those changes were waylaid with the prorogation of Parliament last month, the NCSS suggests the federal government still views fortifying private-sector privacy regulations and establishing parameters for the responsible use of AI as immediate priorities. Federal guidance and directives on the use of AI will continue to be modernized as well. 

Pillar 3: Detect and disrupt cyber threat actors

The Government of Canada aims to make the country a more difficult target for threat actors by reducing the volume and severity of cyber attacks against Canadian organizations. To do so, the government intends to bolster the capacity of various national security and law enforcement agencies, such as the RCMP’s National Cybercrime Coordination Centre. 

In addition, the federal government plans to reduce inequality in resources among communities and organizations across Canada to assist with cybersecurity readiness, including through Public Safety Canada’s Cyber Security Cooperation Program. The federal government will also explore additional ways to discourage ransomware payments and impose costs on cybercriminals.  

Viewing transparent reporting of cyber security incidents as critical to disrupting criminal activity and preventing future cyber attacks, the Government of Canada will be implementing a new cybercrime and fraud reporting system that will also serve as an information sharing hub for law enforcement agencies.

Finally, critical infrastructure remains a key target for threat actors, particularly those sponsored by adversarial states, and a primary concern from a national cyber defence perspective due to the essential products and services these owners and operators deliver. In support of Canada’s critical infrastructure, the federal government will seek to strengthen relationships with partners and stakeholders to foster diverse supply chains and the work done by various cyber security organizations like the Canadian Cyber Threat Exchange. The Canadian Centre for Cyber Security is also working to share advanced defence capabilities with various owners and operators in the critical infrastructure space.

Key takeaways 

In a time of considerable political uncertainty, domestically and internationally, the latest NCSS nevertheless represents an important commitment by Canada’s federal government to strengthening the country’s cyber security posture and resiliency, as well as establishing Canada as a leader in cyber security innovation. As noted in the NCSS, regulatory reform in relation to cybersecurity, privacy, and the responsible use of AI remains much needed after prior attempts at modernization have died on the order paper.

Regulatory reform is a much lengthier and more nuanced process than many of the initiatives detailed in the NCSS, however. As resiliency against evolving cyber threats is likely to remain a top priority for any iteration of Canada’s federal government for the foreseeable future, we will be closely tracking the implementation of these and other related initiatives. Check back here for updates in that regard.

The authors would like to thank Chloe Loblaw, articling student, for her contribution to preparing this legal update.