Canada’s Draft Cybersecurity Legislation Must Be Resurrected

Bill C-26 would have been the Canadian government’s first attempt at bringing our country into the twenty-first century with respect to cybersecurity.

April 4, 2025
Despite its gaps, Bill C-26 was important legislation and should be revived, the author argues. (Illustration via REUTERS)

Much has been written about the travails of the Liberal government at the end of 2024 and the subsequent prorogation of Parliament. Less discussed are the implications for the bills that were set to receive royal assent in the new year. Among the most important was Bill C-26, An Act Respecting Cyber Security.

I have paid particularly close attention to this piece of legislation due to its broad implications for the cybersecurity industry, including Waterloo, Ontario-based eSentire, my current employer. In my industry, this legislation, albeit far from perfect, is considered important.

C-26 would have been the Canadian government’s first attempt at bringing our country into the twenty-first century with respect to cybersecurity. It targeted “designated operators” in telecommunications, energy, finance and transportation, aiming to secure these sectors against adversaries and elevate their baseline cybersecurity.

Had it been passed into law, these industries would have been required to develop cybersecurity programs, establish reporting procedures and address vulnerabilities — potentially under government directives to remove hostile foreign tech.

While a number of organizations comprising Canada’s critical national infrastructure have cybersecurity programs, the goal was to create a standard to ensure key industries were properly addressing the risk from cyberthreats, foreign and domestic.

The stakes are high: In 2021, there were a reported 235 ransomware attacks against Canadian industry with an average cost of $6.35 million, putting the total cost to the broader Canadian economy at more than one billion dollars.

Admittedly, C-26 had gaps. It overlooked four vital areas: private-sector collaboration to grow domestic cybersecurity, industries outside critical national infrastructure, talent development, and leveraging Canadian managed detection and response providers to support our national security.

First, by collaborating with Canadian managed detection and response providers, the government would be helping to grow an industry critical to our overall economic success in the next decade. These managed detection and response firms already shield diverse businesses from cyberattacks, offering real-time detection and response — capabilities unmatched by basic best practices. Government support, such as tax credits, could reduce the frequency and cost of these attacks by empowering firms in the sector to scale and innovate.

As I am employed by a Canadian managed detection and response firm with a global presence, I see daily the power of the capability to detect and respond to cyberattacks. I strongly believe that if the government were to stimulate this emerging industry, there would be a corresponding reduction in the impact and cost of cyberattacks against Canadian businesses.

In addition, industries not formally considered critical — such as agriculture, which arguably should be — remain challenged in addressing the cyber risk. To properly protect this industry, and others like it, the Government of Canada should provide financial incentives to small and medium-sized enterprise firms employing cybersecurity providers.

These incentives would encourage organizations that have previously not had the additional IT or security budget for a full cybersecurity program of their own to consider partnering with a Canadian provider.

Next, talent development was absent from C-26. Canadian cybersecurity firms, many with global reach, need incentives to grow domestically. A tax credit would enable such companies to invest more in talent and provide industry-standard training to keep pace with the rapid change of technology. Failing this, Canada risks losing its edge in a field that demands skilled professionals.

National security ties it all together. Currently, the Royal Canadian Mounted Police and the Canadian Centre for Cyber Security focus on reducing cybercrime’s impact and offering guidance. But neither provides hands-on-keyboard, day-to-day support for small and medium-sized enterprises hit by cyberattacks.

Partnering with Canadian providers would bridge this gap, enhancing real-time response and intelligence sharing to fortify national defences, something that has been suggested in the latest National Cyber Security Strategy through the Canadian Cyber Defence Collective.

Whichever party forms the government later this year, a top priority must be resurrecting Bill C-26 with these additions. It should be a priority within the next government’s first 100 days. The bill’s foundation — securing critical infrastructure — is sound, but it must expand to cover overlooked industries, harness private-sector expertise, build talent and integrate privately held cybersecurity firms into our national security grid. Only then can Canada address the full scope of cyberthreats, foreign and domestic.

Let’s be clear: Canada is under digital attack. There are tools and capabilities available to stop these attacks, and we should use them. The delay in implementing C-26 risks leaving us exposed. A revised and improved version, implemented quickly, could turn that around.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Ryan Westman is a director of threat intelligence at Waterloo, Ontario-based eSentire and leads the firm’s threat intelligence team. He is also a former Digital Policy Hub visiting fellow who focused on the impact of poor digital defences on the Canadian economy.