# Canadian Cyber Security Policy Under the Carney Government: A Detailed Report

*Prepared: February 23, 2026 (Expanded Edition)*

---

## Table of Contents

1. [Political Context: The Transition of Power](#1-political-context-the-transition-of-power)
2. [Legislative History: From Bill C-26 to Bill C-8](#2-legislative-history-from-bill-c-26-to-bill-c-8)
3. [The 2025 National Cyber Security Strategy](#3-the-2025-national-cyber-security-strategy-ncss)
4. [Bill C-8: The Critical Cyber Systems Protection Act](#4-bill-c-8-the-critical-cyber-systems-protection-act)
5. [Bill C-26 vs. Bill C-8: What Changed](#5-bill-c-26-vs-bill-c-8-what-changed)
6. [Civil Liberties, Privacy, and Constitutional Concerns](#6-civil-liberties-privacy-and-constitutional-concerns)
7. [The Threat Landscape](#7-the-threat-landscape)
8. [Ransomware: Canada's Most Immediate Cyber Threat](#8-ransomware-canadas-most-immediate-cyber-threat)
9. [Defence Industrial Strategy and Cyber Sovereignty](#9-defence-industrial-strategy-and-cyber-sovereignty)
10. [Budget 2025: Fiscal Commitments](#10-budget-2025-fiscal-commitments)
11. [The Broader Legislative Ecosystem](#11-the-broader-legislative-ecosystem)
12. [International Comparative Analysis](#12-international-comparative-analysis)
13. [The Governance Gap](#13-the-governance-gap-does-canada-need-a-minister-of-cyber-security)
14. [The Workforce Challenge](#14-the-workforce-challenge)
15. [International Dimensions](#15-international-dimensions)
16. [Cybercrime Enforcement](#16-cybercrime-enforcement)
17. [Implications and Assessment](#17-implications-and-assessment)
18. [Key Sources](#key-sources)

---

## 1. Political Context: The Transition of Power

Mark Carney was sworn in as Prime Minister in March 2025, succeeding Justin Trudeau as Liberal leader. The change in government coincided with an already-evolving cyber security policy landscape — the previous government's flagship cybersecurity legislation, **Bill C-26**, had died on the Order Paper when Parliament was prorogued in January 2025. The Carney government inherited both the unfinished legislative agenda and a rapidly deteriorating threat environment, and has moved to position cyber security as a pillar of a broader **sovereignty and defence** narrative.

The Carney government's approach to cybersecurity is distinguished from its predecessor by three characteristics:

1. **Sovereignty framing** — Cybersecurity is positioned as an element of Canadian strategic autonomy, not merely a technical or public safety issue.
2. **Urgency** — Bill C-8 was introduced within three months of the new Parliament sitting, signalling that the Carney government treats cybersecurity legislation as a priority rather than a back-burner item.
3. **Defence integration** — The February 2026 Defence Industrial Strategy explicitly links cybersecurity to military modernization and industrial policy, an integration not attempted under the Trudeau government.

---

## 2. Legislative History: From Bill C-26 to Bill C-8

Understanding Bill C-8 requires understanding the legislative journey that preceded it.

### Bill C-26: Introduction (June 14, 2022)

The Trudeau government introduced Bill C-26, *An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts*, through then-Minister of Public Safety Marco Mendicino. The original bill had three parts:

- **Part 1:** Amendments to the *Telecommunications Act* granting the Governor in Council and Minister of Industry sweeping powers to direct telecom providers on security matters
- **Part 2:** The *Critical Cyber Systems Protection Act* (CCSPA), creating a new regulatory framework for critical infrastructure cybersecurity
- **Part 3:** Consequential amendments to the *Canada Evidence Act*, granting the Federal Court special jurisdiction over proceedings involving sensitive information

The original bill was **widely criticized** for:

- **Unbounded government powers** — The Minister could compel "any person" to provide "any information" under "any conditions" without clear limiting principles ([Citizen Lab](https://citizenlab.ca/2023/11/bill-c26-analysis-and-recommendations/))
- **Excessive secrecy** — Orders could be kept entirely secret with no oversight notification, no annual reporting, and no public disclosure obligation
- **Secret judicial review** — Under Section 15.9, the government could make ex parte submissions and base court decisions on evidence the affected party never saw
- **No privacy anchoring** — No reference to PIPEDA, no Privacy Act savings clause, no definitions for "personal information"
- **Open-ended threat definition** — The word "including" before the list of threats made the triggers for government action non-exhaustive
- **No proportionality standard** — No requirement that orders be reasonable relative to the gravity of the threat

### SECU Committee Study (January–April 2024)

The Standing Committee on Public Safety and National Security (SECU) conducted five hearings (January 29–February 12, 2024) and received **31 briefs** from stakeholders including the Citizen Lab, CCLA, Privacy Commissioner, ISC2, Engineers Canada, and individual practitioners. Clause-by-clause study occurred on March 18 and April 8, 2024.

Key amendments adopted at committee:

| Amendment | Effect |
|---|---|
| **Due diligence defence** | Restored the due diligence defence that the original bill had denied |
| **Personal information definitions** | Added definitions for "personal information" and "de-identified information" to Part 1 |
| **Privacy Act savings clause** | Added Section 15.71: "Nothing...affects the provisions of the *Privacy Act*" |
| **Mandatory annual reporting** | Minister must table reports to Parliament including number/nature of orders, affected providers, and explanation of necessity/reasonableness |
| **NSIRA/NSICOP notification** | Minister must notify oversight bodies within 90 days of orders |
| **Reasonableness standard** | Added non-exhaustive list of factors including "operational and financial impacts" |
| **72-hour incident reporting** | Specified maximum timeframe (previously left to regulations) |
| **Regulatory harmonization** | Required regulations to be harmonized with existing regimes where possible |

### House Passage and Senate (June–December 2024)

Bill C-26 passed the House of Commons on **June 19, 2024** and advanced to the Senate's Standing Committee on National Security, Defence and Veterans Affairs (SECD). The Senate identified and corrected a drafting error that would have nullified roughly half of the CCSPA's enforcement provisions ([CBC](https://www.cbc.ca/news/politics/cybersecurity-bill-c26-senate-amend-1.7401358)).

### Death on the Order Paper (January 2025)

When Prime Minister Trudeau prorogued Parliament in January 2025, Bill C-26 died before completing the Senate process.

### Bill C-8: Reintroduction (June 18, 2025)

The Carney government introduced Bill C-8 on June 18, 2025, incorporating all House and Senate amendments plus additional changes (detailed in Section 5 below). It passed second reading and is currently being studied by SECU.

---

## 3. The 2025 National Cyber Security Strategy (NCSS)

On **February 6, 2025**, the Government of Canada announced its new [National Cyber Security Strategy: Securing Canada's Digital Future](https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg-2025/index-en.aspx). While initiated under the previous leadership, this strategy has been adopted and operationalized by the Carney government. ([Full PDF](https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg-2025/ntnl-cbr-scrt-strtg-2025-en.pdf))

### Two Overarching Principles

1. **Whole-of-society engagement** — Partnerships across all levels of government, law enforcement, Indigenous communities, the private sector, academia, and civil society.
2. **Agile leadership** — Iterative development of cyber security solutions in close collaboration with stakeholders, acknowledging that the threat landscape evolves faster than traditional policy cycles.

### Key Institutional Innovations

- **Canadian Cyber Defence Collective (CCDC):** A new national multi-stakeholder body, jointly established by Public Safety Canada and the [Canadian Centre for Cyber Security](https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026), to advance public-private partnership on national-level cyber challenges, policy priorities, and defence efforts.

- **Cybersecurity Attribution Data Centre (CADC):** Funded at the Canadian Institute of Cybersecurity at the University of New Brunswick, applying cyber analytics to identify malicious threat activity and train the next generation of AI cyber security specialists.

- **Canadian Cyber Security Certification Program:** A new certification regime ensuring that companies bidding for select Canadian government defence contracts meet a high standard of cyber security.

- **Cyber Security Cooperation Program 2025:** [Launched in August 2025](https://www.canada.ca/en/public-safety-canada/news/2025/08/government-of-canada-launches-cyber-security-cooperation-program-2025.html), providing up to **$10.3 million over five years** to support cyber security innovation, knowledge sharing, and capacity building among Canadian organizations.

- **Mandatory ISP Botnet Blocking:** Rules requiring internet service providers to disrupt malicious networks before they reach Canadian users.

---

## 4. Bill C-8: The Critical Cyber Systems Protection Act

The centrepiece of the Carney government's legislative agenda on cybersecurity is [**Bill C-8**](https://www.parl.ca/DocumentViewer/en/45-1/bill/C-8/first-reading), introduced on **June 18, 2025**. It creates a new statute — the **Critical Cyber Systems Protection Act (CCSPA)** — and amends the Telecommunications Act. As of late 2025, it has passed second reading and is being studied by the Standing Committee on Public Safety and National Security.

### Two-Part Structure

**Part 1 — Telecommunications Act Amendments:**

- **Governor in Council powers (s. 15.1):** May prohibit telecom providers from using products/services from specified persons or direct removal of equipment. Orders are published in the Canada Gazette within 90 days.
- **Ministerial powers (s. 15.2):** The Minister may prohibit service provision, suspend services, impose conditions, require security plans, mandate vulnerability assessments, and direct implementation of specified standards.
- **Interception prohibition:** The Minister is explicitly prohibited from ordering interception of private communications as defined in Criminal Code s. 183.
- **Information demands (s. 15.4):** The Minister may require information relevant to order-making or compliance verification.
- **Confidential information (s. 15.5):** Protections for trade secrets, financial/commercial data, personal information, and de-identified information.
- **Cross-government information sharing (s. 15.6):** Among the Minister, Ministers of Public Safety/Foreign Affairs/National Defence, CSE, CSIS, and CRTC Chair.
- **Privacy Act savings (s. 15.71):** "Nothing...affects the provisions of the *Privacy Act*."
- **Annual reporting (s. 15.21):** Minister must table reports including number/nature of orders, affected providers, compliance descriptions, and explanation of necessity/reasonableness.
- **Oversight notification (s. 15.22):** NSIRA and NSICOP notified within 90 days of non-disclosure orders.
- **Administrative monetary penalties (s. 72.131–72.139):** Individuals: up to $25K/$50K; corporations: up to $10M/$15M.

**Part 2 — Critical Cyber Systems Protection Act (CCSPA):**

### Scope: Designated "Vital" Sectors

Bill C-8 applies to **designated operators** of critical cyber systems across:

- Telecommunications
- Banking and financial clearing/settlement systems
- Interprovincial/international pipeline and power line systems
- Nuclear energy systems
- Transportation systems (federally regulated)

### Key Obligations on Designated Operators

1. **Cybersecurity program (s. 9)** — Must be developed and implemented within **90 days** of designation, covering risk identification, system protection, incident detection, and impact minimization. Annual reviews mandatory.
2. **Supply chain and third-party risk management (s. 15)** — Operators must identify supply chain vulnerabilities and mitigate them as soon as they are identified.
3. **Incident reporting (s. 17)** — Cyber security incidents must be reported to CSE within **72 hours**, with immediate notification to the appropriate regulator.
4. **Record keeping (s. 30)** — Records of programs, incidents, mitigation measures, and compliance must be maintained **in Canada** per regulatory specification.
5. **Material change notification** — Operators must report material changes to ownership, supply chain, or third-party arrangements within 90 days.

### Cyber Security Directions (ss. 20–22)

The Governor in Council (GIC) may issue binding directions to designated operators. Before issuing a direction, it must consider operational impacts, public safety effects, financial impacts, service delivery consequences, and "any other factor" deemed relevant. Directions may include non-disclosure requirements. The GIC cannot order interception of private communications.

### Enforcement and Penalties

| | First Violation | Subsequent Violations |
|---|---|---|
| **Individuals** | Up to $25,000 | Up to $50,000 |
| **Corporations** | Up to $10 million | Up to **$15 million** |

A violation that continues over multiple days constitutes a separate violation for each day. Directors and officers face personal liability. Criminal offences carry fines and imprisonment of up to **two years less a day** (summary conviction). Due diligence is a valid defence.

### Inspection Powers (ss. 32–85)

Regulators possess entry authority (including dwelling-house access via warrant), examination rights over systems/documents, and copying permissions. They must be accompanied by peace officers when using authorized force.

### Government Powers

The CCSPA grants the federal government authority to:

- Issue **binding cybersecurity directions** to designated operators, potentially with little or no prior consultation.
- Require organizations to implement specific security measures, cease certain activities, or **remove particular technologies** from their systems.
- **Restrict or ban certain suppliers** from operating in Canada and direct providers to remove at-risk equipment. The Minister of Industry gains this authority through the amendments to the Telecommunications Act, which build on the May 2022 Huawei/ZTE 5G ban and provide permanent legislative authority for future supply chain security actions.

---

## 5. Bill C-26 vs. Bill C-8: What Changed

While Bill C-8 is largely identical to the final (third reading) version of C-26, it contains **five categories of substantive changes**.

### 5.1 Threat Definition — Narrowed

| | C-26 (as introduced, 2022) | C-8 (2025) |
|---|---|---|
| **Section 15.1(2)** | "necessary to secure the Canadian telecommunications system, **including** against the threat of interference, manipulation, disruption or degradation" | "necessary to secure the Canadian telecommunications system against the threat of interference, manipulation, disruption or degradation" |
| **Legal effect** | The word "including" made the list **non-exhaustive** — the government could invoke unenumerated threat categories | Removal of "including" makes the list **closed and exhaustive** — only four named threats trigger government power |

### 5.2 Judicial Review — Substantially Reformed

This is the **most significant change** between the two bills.

| Element | C-26 (original) | C-8 |
|---|---|---|
| Ex parte / confidential government submissions | **Allowed** — government could present evidence in absence of applicant and counsel | **Eliminated** |
| Government withholding evidence on national security grounds | **Allowed** | **Eliminated** |
| Judge basing decisions on undisclosed evidence | **Allowed** — judge could use evidence the affected party never saw | **Prohibited** — judge must exclude withdrawn evidence and return it to Minister |
| *Canada Evidence Act* amendments | **Included** — Part 3 granted Federal Court special jurisdiction over sensitive information | **Removed entirely** — Bill C-8 has no Part 3 |
| Special counsel provisions | Not present | **Introduced** — special counsel to handle sensitive information during review |
| Appeal of judicial decisions | No mechanism | **New Section 146** — introduces appeal right |
| Net effect | Government could defend orders using secret evidence | Government **must disclose evidence**; no confidential or ex parte proceedings |

Under C-26, the government could defend its own cybersecurity orders in court without disclosing the evidence to the affected telecom provider. Under C-8, this is no longer possible. This reform was **widely demanded** by the Citizen Lab, CCLA, Privacy Commissioner, and academic commentators.

### 5.3 Canada Evidence Act — Amendments Removed

Bill C-26 included a Part 3 proposing amendments to the *Canada Evidence Act* that would have granted the Federal Court jurisdiction over proceedings involving sensitive or potentially injurious information under the Telecom Act and CCSPA. Bill C-8 removes this entirely. Standard rules of evidence and disclosure now apply.

### 5.4 Appeal Mechanism — New

**Section 146** introduces a mechanism for appealing judicial decisions made during review proceedings. This right did not exist in C-26 (original or amended).

### 5.5 Drafting Corrections

C-26 contained structural and cross-referencing issues that **nullified enforcement provisions** under the CCSPA ([Gowling WLG](https://gowlingwlg.com/en/insights-resources/articles/2025/critical-infrastructure-cyber-security-bill)). These were identified during Senate study and corrected in C-8, making all penalty and compliance provisions operable.

### 5.6 What Remains Unchanged

The vast majority of both bills is identical:

- Core obligations (cybersecurity programs, incident reporting, supply chain mitigation, record-keeping)
- Designated sectors and operator framework
- Ministerial and GIC order-making powers
- Information sharing provisions
- Confidential information regime
- Penalty schedule ($25K/$50K individuals; $10M/$15M corporations)
- Criminal offences (up to 2 years imprisonment)
- Inspection and compliance order powers
- NSIRA/NSICOP notification requirements
- Annual reporting obligations

---

## 6. Civil Liberties, Privacy, and Constitutional Concerns

Despite improvements from C-26, Bill C-8 has attracted significant criticism from privacy advocates, oversight bodies, and constitutional scholars.

### 6.1 Privacy Commissioner of Canada

In an [October 2025 statement to the Standing Committee](https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2025/parl_20251030/), the Privacy Commissioner:

- **Supported** the overall objective but warned that **privacy risks remain**, including:
  - A **low threshold** for authorities to invoke powers that raise privacy concerns
  - **No mechanism** requiring notification to the Office of the Privacy Commissioner when cybersecurity incidents involve material privacy breaches
  - **Weak privacy requirements** around information shared with foreign governments
- Warned the legislation could enable inappropriate collection of subscriber account information, communication data, website visits, metadata, location data, and financial data ([IAPP](https://iapp.org/news/a/canadas-opc-urges-stronger-privacy-protections-for-bill-c-8))

### 6.2 Intelligence Commissioner of Canada

The Intelligence Commissioner [warned](https://www.thewirereport.ca/2025/10/31/independent-oversight-needed-in-new-cybersecurity-bill-c-8-privacy-intelligence-commissioners-tell-mps/) that Bill C-8 would authorize **warrantless seizure of sensitive private information** and questioned whether this approach is constitutionally justified.

### 6.3 Constitutional Analysis

A detailed constitutional analysis on [ABlawg](https://ablawg.ca/2025/09/05/securing-the-infrastructure-straining-the-constitution-bill-c-8s-cybersecurity-overhaul/) raised several Charter concerns:

- **Section 8 (Unreasonable Search and Seizure):** The bill's broad directives allowing officials to compel providers to "do anything or refrain from doing anything" could function as **back-door surveillance**, sidestepping traditional warrant processes and undermining protections established in *R v Spencer* (2014 SCC 43).
- **Shadow governance:** Ministerial cybersecurity orders could **persist indefinitely**, immune from democratic checks and legal challenge, and invisible to the public. No automatic expiry, periodic review, or sunset clause exists.
- **Encryption backdoors:** The CCSPA **does not prohibit** government directives compelling companies to weaken encryption. Deliberate vulnerabilities could "hand foreign actors the very exploit paths [the bill] claims to defend against."
- **Data sharing without limits:** Information-sharing provisions lack explicit limits on purpose, retention duration, or Privacy Commissioner oversight, potentially enabling "investigative surveillance, without warrant, reasonable grounds, or even public transparency."

### 6.4 Civil Society Organizations

- The **Canadian Civil Liberties Association** (CCLA) called on the government to [fix "dangerous flaws"](https://ccla.org/privacy/fix-dangerous-flaws-in-federal-cybersecurity-proposal/), citing a lack of safeguards against government surveillance.
- The **Canadian Constitution Foundation** [warned](https://theccf.ca/bill-c-8-would-allow-minister-to-secretly-cut-off-phone-internet-service-ccf-warns/) that the bill would allow a minister to **secretly cut off phone and internet service**.
- The **Digital ID & Authentication Council of Canada** [urged](https://diacc.ca/2025/11/12/statement-on-bill-c-8-strengthening-cybersecurity-while-preserving-digital-trust/) a balance between cybersecurity and preserving digital trust.

### 6.5 Industry Concerns

- **Prescriptive approach risks:** David Fraser warned in [National Magazine](https://nationalmagazine.ca/en-ca/articles/law/in-depth/2025/a-cybersecurity-bill-with-built-in-vulnerabilities) that prescriptive government mandates could force "every Canadian system under federal regulation" to use identical equipment, creating **uniform vulnerabilities** rather than diverse, resilient architectures.
- **Information sharing without guardrails:** Brent Arnold warned that the bill "doesn't seem to have any guardrails around information sharing," raising concerns about data flowing to foreign governments — particularly relevant given geopolitical uncertainties.
- **EU adequacy risk:** Arnold also emphasized that C-8 could jeopardize Canada's **EU privacy adequacy assessment** by presenting "the prospect that government access to private data can be abused in secret."
- **Small business burden:** No exemptions exist for small businesses or organizations with mature, existing cybersecurity programs, and there are no financial incentives for proactive investment.

### 6.6 Persistent Gaps (C-26 to C-8)

| Concern | Status in C-8 |
|---|---|
| No PIPEDA compliance mandate | **Unchanged** |
| No limits on info sharing with foreign governments | **Unchanged** |
| No Privacy Commissioner breach notification | **Unchanged** |
| No small business exemptions | **Unchanged** |
| No financial incentives for proactive cyber investment | **Unchanged** |
| No mandatory pre-order stakeholder consultation | **Unchanged** |
| No sunset clause on ministerial orders | **Unchanged** |
| No independent regulatory body | **Unchanged** |
| No prohibition on compelling encryption backdoors | **Unchanged** |

---

## 7. The Threat Landscape

### 7.1 National Cyber Threat Assessment 2025–2026

The policy push is informed by the [**National Cyber Threat Assessment (NCTA) 2025–2026**](https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026), released by the Canadian Centre for Cyber Security (part of CSE) in October 2024. ([PDF](https://www.cyber.gc.ca/sites/default/files/ncta-2025-2026-e.pdf))

### State-Sponsored Threats

- **China (PRC):** Assessed as presenting the **"most sophisticated and active state cyber threat to Canada."** PRC operations target Canada for espionage, intellectual property theft, malign influence, and transnational repression.
- **Russia:** Russia's cyber program furthers Moscow's ambitions to **"confront and destabilize Canada and our allies."** Canada is assessed as a "very likely" valuable espionage target given NATO membership, support for Ukraine, and Arctic presence. Supply chain compromises are a key vector.
- **Pre-positioning:** State-sponsored actors are **"very likely targeting critical infrastructure networks in Canada and allied countries to pre-position for possible future disruptive or destructive cyber operations."**
- **Hybrid operations:** State actors are combining disruptive network attacks with online information campaigns to intimidate and shape public opinion.

### 7.2 Threats to Democratic Processes

A separate [2025 update](https://www.cyber.gc.ca/en/guidance/cyber-threats-canadas-democratic-process-2025-update) assessed cyber threats to Canada's democratic process, particularly relevant given the 2025 federal election that brought the Carney government to power.

---

## 8. Ransomware: Canada's Most Immediate Cyber Threat

The [Ransomware Threat Outlook 2025–2027](https://www.cyber.gc.ca/en/guidance/ransomware-threat-outlook-2025-2027) from the Canadian Centre for Cyber Security paints a grim picture.

### Scale and Trajectory

- Ransomware incidents in Canada have grown an average of **26% year-over-year** since 2021
- Recovery costs **doubled to CAD $1.2 billion** in 2023 (from $600M in 2021)
- Canada is the **second most targeted country globally** for ransomware on critical infrastructure, behind only the United States
- Ransomware was identified as the attack method in **13% of reported incidents** (up 2% since 2021)
- The Cyber Centre issued **336 pre-ransomware notifications** in 2024–2025, potentially saving up to $18 million

### Top Threat Groups Targeting Canada

- **Akira** — Emerged April 2023, likely connected to defunct Conti. Targets manufacturing and telecommunications.
- **Play** — Emerged June 2022, shifted to RaaS model November 2023. Targets IT and professional services.
- **Medusa** — Active since June 2021, focuses on critical infrastructure and communications technology.

### Healthcare Under Siege

Canadian healthcare has been particularly hard-hit:

- **Southwestern Ontario hospitals (October 2023):** A ransomware attack on IT provider TransForm forced five hospitals offline for weeks, costing over **$7.5 million** and compromising records of hundreds of thousands of patients and employees ([CBC](https://www.cbc.ca/news/canada/windsor/southwestern-ontario-hospitals-cyberattack-1.7308623))
- **SickKids Hospital (Toronto):** Faced delays in vital treatment
- **Newfoundland and Labrador:** Province-wide breach costing **$16 million** and delaying thousands of procedures
- Cancer treatments cancelled at multiple facilities following attacks ([Bitdefender](https://www.bitdefender.com/en-us/blog/hotforsecurity/cancer-treatments-cancelled-after-canadian-hospitals-hit-by-ransomware-attack))

### Evolving Tactics

- **Multi-extortion:** Beyond encryption, actors now conduct DDoS attacks and contact third-party suppliers/customers for additional ransom demands
- **Exfiltration-only attacks:** A shift away from encryption — groups like Hunters International (rebranded World Leaks, January 2025) prioritize data theft as faster and simpler
- **AI integration:** Threat actors leverage generative AI for malware development, deepfake creation, victim negotiation automation, and social engineering
- **Ransomware-as-a-Service (RaaS):** Has dramatically lowered technical barriers, with affiliate-based business models, initial access brokers, and dark web marketplaces facilitating transactions

### Policy Gap

Notably, healthcare falls largely **outside Bill C-8's scope** — it applies only to federally regulated sectors. Provincial hospitals and health systems are not designated operators under the CCSPA, leaving one of Canada's most targeted sectors without federal cybersecurity obligations.

---

## 9. Defence Industrial Strategy and Cyber Sovereignty

On **February 17, 2026**, Prime Minister Carney launched [Canada's first Defence Industrial Strategy](https://www.pm.gc.ca/en/news/news-releases/2026/02/17/prime-minister-carney-launches-canadas-first-defence-industrial), which places cyber security within a broader framework of **strategic autonomy and sovereignty** ([BNN Bloomberg commentary](https://www.bnnbloomberg.ca/business/politics/2026/02/17/canadas-new-defence-industrial-strategy-and-a-new-sign-in-the-window-sovereignty-through-capability/)).

### Key Cyber-Related Elements

- **BOREALIS** (Bureau of Research, Engineering and Advanced Leadership in Innovation and Science): A new body to accelerate research in **AI, quantum computing, and cybersecurity**, anchoring a national network of secure innovation hubs.
- **Sovereign digital capabilities** identified as a priority: secure cloud, AI, and quantum.
- **CAFCYBERCOM** (Canadian Armed Forces Cyber Command): [Expanded role](https://www.canada.ca/en/department-national-defence/corporate/organizational-structure/cafcybercom.html) in international cyber exercises, intelligence sharing, and capacity building with NATO, NORAD, Five Eyes, and Indo-Pacific partners.
- **$10.9 billion** allocated to digital modernization and cyber defence.
- **Domestic procurement target:** Increase from ~33% to **~70%** of Canada's defence needs, with **$180 billion** in total direct defence procurement investment projected by 2035.
- **Defence export growth:** Boost Canada's defence exports by **50%** over the next decade.
- **$6.6 billion** over five years to strengthen Canada's defence industrial base, including $4.6B for research, capital access, and supply-chain resilience ([BetaKit](https://betakit.com/feds-6-6-billion-defence-industrial-strategy-takes-aim-at-building-a-robust-canadian-defence-sector/)).

### Huawei/ZTE Ban as Precedent

The legislative powers in Bill C-8's Telecommunications Act amendments build on the May 2022 decision to [ban Huawei and ZTE from Canada's 5G networks](https://www.canada.ca/en/innovation-science-economic-development/news/2022/05/policy-statement--securing-canadas-telecommunications-system.html). That decision required removal of all 5G equipment by June 28, 2024 and all 4G equipment by December 31, 2027. Bill C-8 provides **permanent legislative authority** for future supply chain security actions of this nature, rather than relying on ad hoc policy statements.

---

## 10. Budget 2025: Fiscal Commitments

[Budget 2025](https://tactconseil.ca/en/federal-budget-2025/) provides the fiscal backbone for the cybersecurity agenda:

| Allocation | Amount | Timeframe |
|---|---|---|
| **Total defence spending** | $81.8 billion | 5 years (from 2025–26) |
| **Digital modernization & cyber defence** | $10.9 billion | 5 years |
| **CAFCYBERCOM growth, digital resources, AI deployments** | $560 million | 2025–26 |
| **Defence industrial base** | $6.6 billion | 5 years |
| **AI and quantum computing** | $1+ billion | 5 years |
| **Cyber Security Cooperation Program** | $10.3 million | 5 years |
| **Defence spending target** | $73 billion/year by 2030 | Ongoing |
| **NATO target** | 2% GDP (achieved); 5% GDP by 2035 | Ongoing |

The $84-billion defence spending boost was described as responding to a "dangerous and divided world" ([Globe and Mail](https://www.theglobeandmail.com/politics/article-federal-budget-2025-defence/)).

---

## 11. The Broader Legislative Ecosystem

Bill C-8 does not operate in isolation. Several other legislative instruments shape the cybersecurity policy landscape.

### Bill C-70: Countering Foreign Interference Act (Royal Assent June 20, 2024)

[Bill C-70](https://www.canada.ca/en/public-safety-canada/news/2024/06/legislation-to-counter-foreign-interference-receives-royal-assent.html) represents the most significant update to the CSIS Act since 1984. Key cybersecurity-relevant provisions:

- **Modernized CSIS investigative tools:** New warrants for specific investigative techniques, addressing gaps caused by technological advancement since the pre-internet era
- **Foreign Influence Transparency Registry:** Independent commissioner overseeing mandatory registration of advocacy on behalf of foreign principals
- **New criminal offences:** For deceptive or surreptitious acts undermining democratic processes
- **Renamed statute:** The *Security of Information Act* became the *Foreign Interference and Security of Information Act*
- **Sabotage offence modernization:** Updated Criminal Code provisions

The intersection with Bill C-8 is significant: C-70 addresses the **intelligence and criminal** dimensions of cyber-enabled foreign interference, while C-8 addresses the **infrastructure protection and regulatory** dimensions.

### Canada's Intelligence Priorities (September 2024)

The [Cabinet-approved Intelligence Priorities document](https://www.canada.ca/en/privy-council/services/publications/canada-intelligence-priorities.html) — a rare public articulation — directs the Canadian intelligence community and explicitly identifies cyber threats among national priorities.

---

## 12. International Comparative Analysis

### Canada (Bill C-8/CCSPA) vs. EU (NIS2 Directive)

| Element | Canada (CCSPA) | EU (NIS2) |
|---|---|---|
| **Governance** | Authority consolidated in federal Cabinet and Minister; no independent regulatory body | Distributed governance with national authorities, mandatory CSIRT, single point of contact per member state |
| **Transparency** | Annual reporting to Parliament; orders can be secret | Periodic public reporting required; emphasis on institutional accountability |
| **Scope** | Federally regulated entities only (telecom, banking, energy, nuclear, transport) | Broad: public and private sectors, including health, digital infrastructure, public administration |
| **Enforcement** | Administrative penalties + criminal offences | Harmonized enforcement through national authorities |
| **Incident reporting** | 72 hours to CSE | 24-hour early warning + 72-hour notification to CSIRT |
| **Supply chain** | Mandatory risk mitigation | Mandatory with coordinated EU-level vulnerability disclosure |
| **Encryption** | No prohibition on compelling backdoors | Encourages end-to-end encryption |
| **Independent oversight** | No independent body | National authorities subject to EU-level coordination |

**Key gap:** The ABlawg analysis notes that unlike NIS2, which "places significant emphasis on transparency, institutional accountability, and harmonized enforcement," Bill C-8 creates "no independent regulatory body" and bypasses "institutional safeguards." ([ABlawg](https://ablawg.ca/2025/09/05/securing-the-infrastructure-straining-the-constitution-bill-c-8s-cybersecurity-overhaul/))

### Canada vs. United States (CIRCIA)

The US *Cyber Incident Reporting for Critical Infrastructure Act* (CIRCIA) requires companies to report certain cyber incidents and ransomware payments to CISA. Canada's framework is broader in its regulatory powers but narrower in its sectoral scope.

### Canada vs. United Kingdom

The UK's *Product Security and Telecommunications Infrastructure Act* focuses on supply chain security with a product-security-first approach, contrasting with Canada's operator-centric model.

---

## 13. The Governance Gap: Does Canada Need a Minister of Cyber Security?

A notable debate has emerged about whether Canada's institutional architecture is adequate. An [analysis by Cyber in Context](https://www.cyberincontext.ca/p/canada-needs-a-minister-of-cyber) argues that Canada needs a **dedicated Minister of Cyber Security**, noting that cybersecurity responsibilities are currently fragmented across:

- **Public Safety Canada** (policy, NCSS, Bill C-8)
- **CSE / Canadian Centre for Cyber Security** (threat intelligence, operational defence)
- **National Defence** (CAFCYBERCOM, military cyber operations)
- **Innovation, Science and Economic Development** (Telecommunications Act authorities under Bill C-8 Part 1)
- **Treasury Board** (government IT security)
- **RCMP / NC3** (cybercrime enforcement)
- **NSIRA** (oversight/review)

This fragmentation, critics argue, creates gaps in accountability, slows response times, and makes it difficult to mount a coherent national response to incidents — a structural weakness the Carney government has not yet addressed.

---

## 14. The Workforce Challenge

Canada faces a significant cybersecurity **talent gap** that complicates all of the above ambitions:

- An estimated **25,000-person shortage** in the cybersecurity workforce, with Canadian institutions producing fewer than 4,000 graduates annually ([Rogers Cybersecure Catalyst](https://cybersecurecatalyst.ca/why-is-there-such-a-massive-cybersecurity-talent-gap-in-canada/))
- **One in six** cybersecurity positions goes unfilled
- Globally, an estimated **4.8 million roles remain unfilled** ([ISC2 2025 Cybersecurity Workforce Study](https://www.isc2.org/Insights/2025/12/2025-ISC2-Cybersecurity-Workforce-Study))
- The 2025 hiring landscape was led by large multinational defence and technology companies, alongside major telecom providers
- Industry is shifting focus from **headcount to skills** — addressing specific capability needs through professional development of existing staff rather than simply hiring more people
- High stress and burnout are driving turnover among existing practitioners, exacerbating the gap
- The NCSS, CADC at UNB, and BOREALIS are partial responses, but the gap between ambition and capacity remains wide

---

## 15. International Dimensions

### Five Eyes

Canada remains deeply integrated into the [Five Eyes intelligence-sharing alliance](https://opencanada.org/canada-and-the-five-eyes-intelligence-community/). CSE is described as a "proud and valuable member" of the alliance, and CAFCYBERCOM participates in joint cyber exercises with Five Eyes, NATO, and NORAD partners.

### U.S.–Canada Relations

The Carney government's emphasis on sovereignty — including the Defence Industrial Strategy's push for domestic procurement and the ["five big moves"](https://policyoptions.irpp.org/magazines/may-2025/carney-global-security/) recommended for Canada's global security posture — must be understood in the context of strained U.S.–Canada relations. The drive to reduce dependence on foreign (including American) technology supply chains has direct implications for cybersecurity procurement and intelligence sharing.

### Joint Attribution

In **November 2025**, Canada issued a [joint statement on malicious cyber activity targeting Canadian critical infrastructure](https://www.canada.ca/en/communications-security/news/2025/11/joint-statement-on-malicious-cyber-activity-targeting-canadian-critical-infrastructure.html), reflecting continued allied cooperation on threat attribution despite sovereignty tensions.

---

## 16. Cybercrime Enforcement

### National Cybercrime Coordination Centre (NC3)

The RCMP's [National Cybercrime Coordination Centre](https://rcmp.ca/en/federal-policing/cybercrime/national-cybercrime-coordination-centre) was established as a priority under the NCSS. Key developments:

- **Report Cybercrime and Fraud website** (launched November 2025): A new national reporting system for individuals, businesses, and organizations, consolidating fragmented provincial reporting into a single platform.
- **Maple Disruption 2025** (December 2025): A cross-sector sprint bringing together over **25 organizations** to identify and disrupt the systems that cybercriminals rely on — malicious email addresses, phone numbers, and cryptocurrency accounts.
- **National Cybercrime Solution (NCS):** Full implementation expected in 2025, providing an integrated system for law enforcement to coordinate cybercrime investigations nationally.

### Enforcement Challenges

Despite institutional progress, cybercrime enforcement faces structural challenges:

- Jurisdictional fragmentation between federal and provincial policing
- Attribution difficulties with state-sponsored and transnational actors
- Cryptocurrency anonymization techniques complicating financial tracking
- The speed at which criminal infrastructure can be rebuilt after disruption

---

## 17. Implications and Assessment

### What the Carney Government Has Done

1. **Revived stalled legislation** — Bill C-8 resurrects the critical infrastructure cybersecurity framework that died with Bill C-26, signalling bipartisan continuity on the underlying policy objective.
2. **Improved the bill** — The judicial review reforms, narrowed threat definition, and appeal mechanism in C-8 represent genuine improvements over the original C-26. These changes respond to stakeholder criticism and bring the bill closer to constitutional viability.
3. **Embedded cyber in sovereignty** — The Defence Industrial Strategy and BOREALIS frame cybersecurity not just as a technical issue but as a pillar of Canadian strategic autonomy — a distinctive Carney-era framing.
4. **Invested in institutions** — CCDC, CADC, CAFCYBERCOM expansion, NC3, and the Cyber Security Cooperation Program represent institutional capacity-building across defensive, offensive, and enforcement domains.
5. **Committed significant resources** — $10.9 billion for digital modernization, $560 million for CAFCYBERCOM, $6.6 billion for defence industrial base, and $1+ billion for AI/quantum.

### Unresolved Tensions

1. **Security vs. civil liberties** — Despite judicial review improvements, Bill C-8's broad government powers (indefinite secret orders, no encryption backdoor prohibition, weak privacy safeguards, warrantless information collection) remain constitutionally contentious. The Privacy Commissioner, Intelligence Commissioner, CCLA, and CCF have all raised substantive objections that may surface in Charter challenges.
2. **Scope gaps** — Bill C-8 covers only federally regulated sectors. Provincial and municipal systems — **including hospitals, schools, elections infrastructure, and local transit** — fall outside its jurisdiction. Healthcare, one of Canada's most-attacked sectors, is largely unprotected by the federal framework.
3. **Governance fragmentation** — The absence of a dedicated Minister of Cyber Security means responsibility remains diffused across seven or more departments and agencies with no single point of accountability.
4. **Workforce gap** — The 25,000-person shortfall is a structural constraint on all ambitions. Without a dramatic acceleration in training pipelines, legislative mandates and budget commitments will outpace implementation capacity.
5. **Sovereignty vs. alliance integration** — The push for domestic cyber capability must be balanced against the reality that Canada depends heavily on Five Eyes (especially U.S. and UK) intelligence and technology. "Sovereignty through capability" is aspirational; the transition path is unclear.
6. **Speed of regulation vs. speed of threats** — Bill C-8's 90-day compliance window for designated operators is ambitious, but the rulemaking, designation, and enforcement machinery has yet to be built. Ransomware actors are not waiting.
7. **International competitiveness** — Canada's approach lags behind the EU's NIS2 in institutional accountability, scope, and encryption protections. Without independent oversight, the CCSPA risks being viewed internationally as a tool of executive power rather than a transparent regulatory framework — with potential consequences for EU privacy adequacy.
8. **Ransomware response gap** — Despite ransomware being Canada's most immediate and costly cyber threat ($1.2B in recovery costs, 26% annual growth), the legislative framework does not specifically address ransomware payment policies, negotiation standards, or mandatory disclosure of ransom payments.

---

## Key Sources

### Government of Canada

- [National Cyber Security Strategy 2025](https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg-2025/index-en.aspx)
- [National Cyber Threat Assessment 2025–2026](https://www.cyber.gc.ca/en/guidance/national-cyber-threat-assessment-2025-2026)
- [Ransomware Threat Outlook 2025–2027](https://www.cyber.gc.ca/en/guidance/ransomware-threat-outlook-2025-2027)
- [Defence Industrial Strategy (Feb 2026)](https://www.pm.gc.ca/en/news/news-releases/2026/02/17/prime-minister-carney-launches-canadas-first-defence-industrial)
- [Bill C-8 — First Reading text](https://www.parl.ca/DocumentViewer/en/45-1/bill/C-8/first-reading)
- [Bill C-26 — Third Reading text](https://www.parl.ca/documentviewer/en/44-1/bill/C-26/third-reading)
- [Bill C-26 — First Reading text (original)](https://www.parl.ca/DocumentViewer/en/44-1/bill/C-26/first-reading)
- [Bill C-70 — Countering Foreign Interference Act](https://www.canada.ca/en/public-safety-canada/news/2024/06/legislation-to-counter-foreign-interference-receives-royal-assent.html)
- [Canada's Intelligence Priorities (Sept 2024)](https://www.canada.ca/en/privy-council/services/publications/canada-intelligence-priorities.html)
- [Cyber Security Cooperation Program 2025](https://www.canada.ca/en/public-safety-canada/news/2025/08/government-of-canada-launches-cyber-security-cooperation-program-2025.html)
- [CSE Annual Report 2024–2025](https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-canada-annual-report-2024-2025)
- [RCMP National Cybercrime Coordination Centre](https://rcmp.ca/en/federal-policing/cybercrime/national-cybercrime-coordination-centre)
- [Maple Disruption 2025](https://rcmp.ca/en/news/2025/12/4348267)
- [Huawei/ZTE 5G Ban Policy Statement](https://www.canada.ca/en/innovation-science-economic-development/news/2022/05/policy-statement--securing-canadas-telecommunications-system.html)
- [SECU Committee amendments summary](https://www.publicsafety.gc.ca/cnt/trnsprnc/brfng-mtrls/prlmntry-bndrs/20250226-1/08-en.aspx)
- [Budget 2025 defence overview](https://tactconseil.ca/en/federal-budget-2025/)

### Oversight & Civil Liberties

- [Privacy Commissioner statement on Bill C-8 (Oct 2025)](https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2025/parl_20251030/)
- [Intelligence Commissioner on Bill C-8](https://www.thewirereport.ca/2025/10/31/independent-oversight-needed-in-new-cybersecurity-bill-c-8-privacy-intelligence-commissioners-tell-mps/)
- [CCLA: Fix dangerous flaws in cybersecurity proposal](https://ccla.org/privacy/fix-dangerous-flaws-in-federal-cybersecurity-proposal/)
- [CCF: Bill C-8 would allow secret service cutoffs](https://theccf.ca/bill-c-8-would-allow-minister-to-secretly-cut-off-phone-internet-service-ccf-warns/)
- [ABlawg constitutional analysis](https://ablawg.ca/2025/09/05/securing-the-infrastructure-straining-the-constitution-bill-c-8s-cybersecurity-overhaul/)
- [DIACC statement on Bill C-8](https://diacc.ca/2025/11/12/statement-on-bill-c-8-strengthening-cybersecurity-while-preserving-digital-trust/)
- [Citizen Lab: Bill C-26 Charter analysis and recommendations](https://citizenlab.ca/2023/11/bill-c26-analysis-and-recommendations/)

### Legal Analysis

- [BLG: Bill C-8 — what critical infrastructure sectors need to know](https://www.blg.com/en/insights/2025/07/bill-c8-revives-canadian-cyber-security-reform-what-critical-infrastructure-sectors-need-to-know)
- [Fasken: Bill C-8 reboots cybersecurity legislation](https://www.fasken.com/en/knowledge/2025/10/bill-c-8)
- [Dentons: From Bill C-26 to Bill C-8](https://www.dentonsdata.com/from-bill-c-26-to-bill-c-8-house-of-commons-reintroduces-key-cybersecurity-legislation/)
- [McMillan: Bill C-8 revives comprehensive cybersecurity law](https://mcmillan.ca/insights/back-from-the-grave-bill-c-8-revives-comprehensive-cybersecurity-law/)
- [McCarthy Tétrault: Bill C-8 preparation guide](https://www.mccarthy.ca/en/insights/blogs/techlex/bill-c-8-what-operators-critical-cyber-systems-should-know-and-do-to-prepare-their-cybersecurity-programs)
- [Gowling WLG: Critical infrastructure cyber security bill](https://gowlingwlg.com/en/insights-resources/articles/2025/critical-infrastructure-cyber-security-bill)
- [Miller Thomson: Bill C-8 cybersecurity overhaul](https://www.millerthomson.com/en/insights/technology-ip-and-privacy/bill-c-8-canadas-cybersecurity-overhaul-reboots/)
- [National Magazine: A cybersecurity bill with built-in vulnerabilities](https://nationalmagazine.ca/en-ca/articles/law/in-depth/2025/a-cybersecurity-bill-with-built-in-vulnerabilities)
- [MNP: Bill C-8 compliance guide](https://www.mnp.ca/en/insights/directory/bill-c8-new-era-cyber-security-compliance-canadas-vital-sectors)

### Academic & Comparative

- [PMC: Comparing CCSPA with EU cybersecurity requirements](https://pmc.ncbi.nlm.nih.gov/articles/PMC9975875/)
- [Hitachi Cyber: Bill C-8 and global cybersecurity regulations](https://hitachicyber.com/blog/what-bill-c-8-and-global-cybersecurity-regulations-mean-for-organizations/)

### Commentary & Analysis

- [Policy Options: Five big moves Carney must make](https://policyoptions.irpp.org/magazines/may-2025/carney-global-security/)
- [Policy Options: What Ottawa can do to protect Canadians from cybercrime](https://policyoptions.irpp.org/2026/02/canada-cybercrimes/)
- [Cyber in Context: Canada needs a Minister of Cyber Security](https://www.cyberincontext.ca/p/canada-needs-a-minister-of-cyber)
- [Insight Threat Intelligence: Security priorities for Canada's 2025 government](https://www.insightthreatintel.com/news/carney-security-priorities-2025)
- [CIGI: Banning Huawei was the start, not the end](https://www.cigionline.org/articles/banning-huawei-was-the-start-not-the-end-of-protecting-cyber-infrastructure/)

### Workforce

- [Canadian Cybersecurity Network: State of Cybersecurity in Canada 2025](https://canadiancybersecuritynetwork.com/hubfs/CS-Report-CCN-2025-All-v10.pdf)
- [ISC2: 2025 Cybersecurity Workforce Study](https://www.isc2.org/Insights/2025/12/2025-ISC2-Cybersecurity-Workforce-Study)
- [Rogers Cybersecure Catalyst: Canada's cybersecurity talent gap](https://cybersecurecatalyst.ca/why-is-there-such-a-massive-cybersecurity-talent-gap-in-canada/)
