Improving Canada's cybersecurity readiness must be a priority for political party leaders in this month's federal election.
National security will be one of the hot issues when the federal party leaders hold their French (Wednesday) and English (Thursday) language debates.
I hope cybersecurity will feature prominently, at least as prominently as adding more soldiers, artillery, bullets, ships and tanks.
That’s because as much as the U.S. is squeezing Canada to spend more on defence, we’re under cyberattack daily from China, Russia, North Korea and other nations.
True, national cybersecurity responsibilities fall under the Defence Department, so when leaders talk about increasing spending on national security, cybersecurity can seem to be covered. But hopefully the leaders will talk specifically about what they’d do as Prime Minister to stiffen our cyber defences in the public and private sectors. Defending the nation’s critical IT infrastructure should take immediate priority over armament.
Note that last year the federal government’s Canadian Centre for Cyber Security warned that China is increasingly targeting Canadians and Canadian organizations through the scale and scope of its cyber operations. China’s cyber threat activity “outpaces other nation-state cyber threats in volume, sophistication and the breadth of targeting.”
For one thing, I’d like to see the leaders commit to re-introducing and quickly passing Bill C-26, which imposes cybersecurity obligations on telecom, banking, transportation and interprovincial pipeline providers. C-26 was in third reading in the Senate when Parliament was dissolved for the election. That’s equivalent to being inches from the finish line.
But I’d like to hear the leaders offer more than a nod towards C-26.
Is cybersecurity a priority of the leaders? Here’s something telling: A week ago I emailed the Liberal, Conservative and NDP campaigns asking for comment before I published this article. I received no response.
David Shipley, CEO of New Brunswick’s Beauceron Security and a co-chair of the Canadian Chamber of Commerce’s cybersecurity committee, thinks it may take a cyber-related pipeline explosion before the public pays attention to cybersecurity.
Cybersecurity, he argues, should be linked to national sovereignty in the same way as defence is.
It doesn’t help, he added, that the Liberal government took two tries at improving the federal privacy law covering the private sector (C-27, which included a proposed act regulating artificial intelligence) and still couldn’t pass it before Parliament was dissolved.
Because C-26, C-27 and the proposed Online Harms bill (C-63, which put some obligations on social media providers to mitigate the risk that users will be exposed to harmful content on the services) were all lost when the election was called, our digital sovereignty is imperilled by American tech hegemony, he said.
These three pieces of legislation should be a priority for the new government, he said, before talking about increasing spending on better securing federal IT systems and helping the private sector better secure hospitals, municipalities, and utilities.
“Ottawa needs to govern, not just write a cheque,” he said.
I disagree. At the leaders’ debates and in their party platforms there should be promises to increase spending and resources for the Communications Security Establishment (CSE), which has responsibility for protecting federal IT networks; for the Canadian Centre for Cyber Security, which advises both the public and private sectors on cyber defence; and for the RCMP’s National Cybercrime Co-ordination Centre (NC3). In addition, the federal government should help the provinces offer incentives to people to shift to careers in cybersecurity.
“State adversaries are getting bolder and more aggressive,” the latest National Cyber Threat Assessment says in part. “Cybercriminals driven by profit are increasingly benefiting from new illicit business models to access malicious tools and are using artificial intelligence to enhance their capabilities.”
To get an idea of the state of the country’s cybersecurity readiness, see this recent survey by CDW Canada, which concluded that the number of cyberattacks against organizations is dropping, but successful attacks have intensified and are increasingly disruptive.
See also this recent 103-page report from the Canadian Cybersecurity Network (registration required), with essays from a number of experts who delve deeply into problems and offer solutions.
Among the recommendations in a section on increasing cybersecurity resiliency:
--following the example of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which in 2021 launched the U.S. Joint Cyber Defense Collaborative (JCDC), a platform for real-time intelligence between the public and private sectors, to help detect and respond to cyber incidents on a national scale. (I’m not sure, however, if President Donald Trump is still funding this platform after announcing cuts to CISA);
--supporting training incentives and subsidies for cybersecurity education and certifications. “By providing tax credits to companies investing in their cybersecurity workforce, the government could promote ongoing professional development, offsetting the high costs associated with industry-standard certifications and training programs,” the section says.
“All in all, addressing the cybersecurity skills shortage is crucial to reducing Canada’s vulnerability to ransomware and other cyber threats, and it is one of the most effective long-term investments the government can make in the nation’s digital security infrastructure,” it adds.
The Russians aren’t going to seize Ellesmere Island tomorrow. The Chinese aren’t going to seize Vancouver Island tomorrow. But threat actors from both countries are sniffing around our critical infrastructure every hour. The way political parties can show leadership is by making cyber defence at least as important as overhauling and expanding the Canadian Armed Forces.