anada’s national security policy has long been focused on defending against and deterring hard threats to its citizens, infrastructure and allies. As such, the emphasis on the delivery of such security has been the purview of the Canadian Armed Forces (CAF), the Canada Border Services Agency (CBSA), the Royal Canadian Mounted Police (RCMP), and the Canadian Security and Intelligence Service (CSIS).
In the aftermath of September 11, the Government of Canada realized its federal security agencies lacked coordination, from a policy and operational perspective. Policy development was left to each individual arm’s-length organization. Some policy and operational capabilities were duplicated; others, specifically around collaboration with other domestic and international security agencies, were inhibited by the organization’s enabling legislation. The government-of-the-day’s response was to create Public Safety Canada, a new department to “ensure coordination across all federal departments and agencies responsible for national security and the safety of Canadians.”
The COVID-19 pandemic and the subsequent policy and operational response by the Government of Canada and subnational governments have demonstrated that the definition of security has not evolved at the same pace as the threat environment facing Canada’s security. More importantly, the government’s national security response apparatus has been too narrowly defined to defend against and respond to modern threats.
The federal government was reducing its stockpiles of personal protective equipment (PPE) in the period leading up to the global pandemic. As COVID-19 took hold, it became clear that the broader public and private sectors in Canada were dependent on foreign supply chains to fulfill their PPE needs. Questions arose over whether public health security in Canada has held the policy prominence required to ensure the country has the resources and plans needed to address such crises. The Cabinet Committee on Global Affairs and Public Security does not include the federal minister of health, despite the fact that both Health Canada and the Public Health Agency of Canada have relevant international and security mandates.
These obvious policy and operational oversights will likely be corrected in the aftermath of the COVID-19 pandemic. To be effective, the federal government will have to go beyond its structural scope of responsibility and coordinate with the provincial governments, where most operational health programming is mandated and delivered. The federal government has levers, such as the Canada Health Act, and funding that will require innovation to achieve this end.
The government’s national security response apparatus has been too narrowly defined to defend against and respond to modern threats.
Canada will also have to maintain some of its alternative supply chains for PPE and other critical health tools, such as ventilators and data-analysis platforms. The relationship between the public and private sectors was reshaped out of necessity, given COVID-19’s rapid growth into a pandemic. As a result, manufacturers shifted gears to develop essential goods, and the government shifted its usual outreach and procurement practices in response to the unprecedented health impacts. The government will have to assess whether any fundamental policy objectives, such as transparency and accountability, were not respected; however, it should not be too quick to return to the status quo, given the positive outcomes that can be achieved from such collaboration.
The broader economic and social implications resulting from the COVID-19 pandemic have also made it clear that the government has not kept pace with the resulting digital transformation, with its own digital infrastructure creating new security risks and challenges. Many Canadian businesses and their employees were able to shift from in-office work to work from home. The banking sector had to shut down in-branch operations but was able to deliver services online. And many bricks-and-mortar retailers had to transition to online approaches.
The public sector did not transition with such ease. While children were unable to attend school, provincial governments and school boards scurried to create online curricula on existing video conferencing platforms. The federal government was unable to leverage its Employment Insurance software infrastructure to deliver the Canada Emergency Response Benefit (CERB) that compensated Canadians who lost their jobs as a result of COVID-19. The software was written on a coding language that was generations old and wasn’t scalable to address the millions of Canadians out of work as a result of the pandemic. The federal government, too, created a patchwork solution to deliver CERB in a timely fashion, which may create downstream risks.
While Canadians’ primary concern about COVID-19 relates to health security, there are growing cybersecurity concerns with more Canadians online, interacting with government for essential services such as payments, health care and education. The risks are further amplified by Canadians’ online interactions with the private sector for such services as banking and retail necessities.
These risks put vulnerable populations such as children, seniors and those living on fixed incomes at greater risk of being victimized by cybercrime because they did not have in-person options for essential services during the shutdown and may not have the education or “cyberhygiene” to keep themselves safe.
The Communications Security Establishment (CSE), Canada’s signal intelligence agency, has reported a significant increase in cybercrime threats against Canadians during the COVID-19 pandemic, including falsified government websites for Canadians claiming CERB. The threat environment has also hit children harder, with an increase in attempted online child sexual exploitation in Canada and globally as children spend more time online for their schooling and generally.
The threats have a number of actors, from foreign and domestic child sexual abusers, to cybercriminals seeking financial gain, to sovereign-backed entities. The latter tend to engage in misinformation to destabilize countries. The Oxford Internet Institute reports that 92 percent of the misinformation regarding COVID-19 from state-backed agencies around the world originated in Russia and China.
The Government of Canada has made investments in recent years to secure critical infrastructure from cyber threats and combat cybercrime. The Canadian Centre for Cyber Security was created in 2018 primarily to secure its own digital operations. However, its mandate will have to grow, given that so much digital infrastructure that is critical to the economy and well-being of Canadians is outside the federal government’s purview.
On the investigation of cybercrimes, the Government of Canada created the National Cybercrime Coordination Unit (NC3). Housed within the RCMP, the NC3 has a national mandate to coordinate cybercrime investigations domestically with provincial and municipal police agencies, and internationally.
The NC3 and the Canadian Centre for Cyber Security have had limited strategic engagement with the private sector to date, with respect to both understanding and determining the threat landscape and to developing the strategic tools required to defend against and investigate cybercrimes. Formalizing relations and interoperability with the provinces, and their critical digital infrastructure, will be an important step forward, as will developing the relationship with private companies that provide cybersecurity tools and operate critical communications infrastructure, such as Canada’s wireless providers.
Canada boasts a nascent cybersecurity sector. With our vast public investments in research through federal granting organizations and universities and directly to companies, the government could have a strong understanding of, and relationship with, this sector. However, companies operating in this space have argued they have neither an ongoing, strategic and operational dialogue with their national security agencies, nor co-development opportunities with their own federal and provincial governments as well as with large corporations, which is the norm in other jurisdictions with strong cybersecurity sectors.
The historical military-industrial complexes that traditionally applied to the development of hardware in leading cybersecurity countries have extended to digital technologies. However, the development of cyber tools requires more than just funding; cybersecurity developers and practitioners need a deep understanding of the threat environment, which evolves rapidly in today’s digital economy and society.
Balancing funding, access to classified threat information and operational personnel in the government requires a thoughtful and structured policy response. For example, the 21 US intelligence agencies established an arm’s-length organization called In-Q-Tel, whose mandate is to work with the private sector to address the technology needs of the intelligence community. In return, the organization provides financing, operational exposure, data sharing and strategic guidance to companies.
The Government of Canada has signalled its willingness to invest substantial funds to address the challenges related to security in the digital age. In 2017, it created the Innovation for Defence Excellence and Security (IDEaS) program and provided $1.6 billion in funding over 20 years. However, the program, in its infancy, has not created the outreach to Canada’s innovative companies to enable the co-development of technologies. Access to end-users of these technologies, as opposed to procurement officials, at all stages of the development process is also fundamental to the success of these technologies. Furthermore, a data policy that maintains policy objectives such as privacy while reconciling the operational requirements of a development project is required to enable the co-development of security-related technologies. These factors will be essential to the long-term success of the program and Canada’s cybersecurity sector.
The superficial nature of engagement with the broader technology-intensive private sector is exemplified by the ongoing public discourse around Canada’s decision whether to let Chinese telecommunications technology provider Huawei access Canada’s fifth-generation (5G) network. Canada’s allies and Five Eyes intelligence-sharing partners (Australia, New Zealand, the United Kingdom and the United States) have already announced they will not let Huawei into their networks, given the uncertainty around the company’s relationship with the Chinese government and whether it and the technology could be exploited in the future, putting their citizens’ security at risk.
Different arms of the Canadian government have signalled different positions through media leaks. The CAF and CSIS have expressed a desire to ban Huawei, with the CSE adopting a nuanced position, believing that security concerns can be mitigated. While the Government of Canada has waffled on its decision whether to allow Huawei into its 5G network, Canadian telecommunications providers have been left without federal guidance and have had to make significant 5G infrastructure investments in the process.
The development of cyber tools requires more than just funding; cybersecurity developers and practitioners need a deep understanding of the threat environment.
At the same time, at least 13 Canadian universities and their researchers are engaged in research partnerships with Huawei to develop strategic technologies, such as sixth-generation and artificial intelligence (AI) applications. This type of collaboration poses both a security and a prosperity risk to Canada and its allies. The intellectual property (IP) related to potential foundational technologies can drive windfall revenues and profits, even if governments ban specific foreign companies’ products. These gains can be achieved through licensing of such technologies or by seeking damages for IP infringement.
Canada has long had an IP leakage issue beyond Huawei. MDA, the British Columbia-founded aerospace company best known for developing the Canadarm, provides strategic technologies to the Government of Canada. A foreign takeover bid in 2008 was blocked by the federal government under the Investment Canada Act on national security grounds, given the government itself was a strategic customer of the company. Learning from this experience, the government amended the act to explicitly include national security as a consideration for deals requiring federal approval.
MDA went through a number of structural changes to pursue US government contracts. These changes ultimately led to a de facto foreign takeover, with MDA’s IP and strategic data assets being transferred without federal review.
At present, foreign acquisitions of a publicly traded company valued at more than $1 billion, or with an explicit national security or cultural consideration, are reviewed by federal regulators. In practice, technologies that could pose a threat, could defend against threats or are of strategic national importance are leaking to foreign interests. This situation is best exemplified by Canadian researchers’ breakthroughs in AI, much of which is now held by foreign interests.
A new national security doctrine will require updated thinking on how takeovers are reviewed. This policy will also have to look at how research in strategic and security-related areas, such as cybersecurity, AI and quantum computing, is governed. A good place to start is the relationship management with researchers and small and medium-sized enterprises (SMEs) conducting industrial research in strategic areas, so that the government has a better understanding of the technologies that exist and their potential opportunities and risks.
The risks posed to Canada through the leakage of its research are not hypothetical concerns. It has been reported that the National Research Council was breached by a Chinese state-sponsored cyberattack in 2014, resulting in a loss of research, data and IP worth “100s of millions of dollars.”
Bringing the federal research granting councils more formally into the Government of Canada’s national security tent, with explicit security policies that their beneficiaries must adhere to, would be a good step.
The risks posed to Canada through the leakage of its research are not hypothetical concerns.
These organizations enable research within government labs and Canadian universities as well as Canadian SMEs. They have an understanding of the research and corporate innovation landscape. By giving them an explicit security mandate, the government would have a better understanding of potential security strengths and how the leakage of such research, technology and talent could harm Canadians.
When broader security issues arise, knowing where research, technologies and talent that could be helpful in developing a response strategy reside in Canada is also critical. As the threat landscape evolves, the operational response may require public servants outside the traditional security agencies, as demonstrated during the COVID-19 pandemic.
There are also highly technical skill sets that do not reside within the broader public sector that may need to be leveraged, should a security risk emerge. Cybersecurity serves as a prime example. While the government has technical abilities through the CAF, the CSE, the Canadian Centre for Cyber Security and the RCMP, there may be challenges for which they do not have internal experts to address.
The CAF has realized that such highly technical talent cannot be acquired and maintained within its general ranks. Identifying this talent in the research community and operationalizing it quickly is a strategic asset. In 2018, the CAF announced a pilot program to achieve this end called the Cyber Mission Task Pilot Project.
Such a program should be made permanent. General reservist training and deployment requirements should be relaxed to ensure top technical talent is not screened out. The program should also be extended to other federal agencies with cybersecurity mandates. Should the model prove successful, it could be replicated in other emerging security risk areas, such as pandemics.
Ultimately, if the Government of Canada is going to successfully anticipate and respond to the emerging security threats to Canadians, it first must modernize its definition of security to encapsulate all plausible challenges, including those related to health and cybersecurity, and bring together experts in relevant ministries. The federal government, too, must deepen its engagement across the public sector to include arm’s-length agencies, provincial governments and universities, as well as the private sector. It will need to take stock of the risks these actors carry and the strategic assets they bring, including supply chains of essential products and technologies to ensure they are sufficient and not leaking to foreign interests. The federal government must create structures to leverage these assets in a timely fashion to respond to security threats. This process is not a one-time activity; it must be a constant exercise that is formalized to ensure operational readiness.
Beyond engagement across sectors, there are a number of policy innovations required to ensure the Government of Canada can respond to emerging security threats. These include a review of the Investment Canada Act to ensure Canada is not leaking intangible assets that put Canadians’ security at risk. Furthermore, the government will need to develop strategic IP, data and procurement policies that encapsulate the public and private sectors to balance Canada’s security and prosperity interests.