Question Period Note: Cyber Security and Critical Infrastructure

• Malicious cyber activity directed at the digital systems that underpin essential services and critical infrastructure are a constant concern for businesses, individuals, and all levels of governments in Canada.

• As Canada grows its clean economy of the future, we will increasingly rely on resilient systems to protect Canadians, Canadian businesses, critical infrastructure, and our democracy.
• These changes have come with cyber risks that are evolving at a rapid pace.
• Threats on this digital landscape, including cybercrime, are emerging dynamically, and we know that malicious actors – whether financially driven or state actors –continue to increase in number and sophistication, threatening our national and economic security.
• The Government of Canada is committed to tackling these serious, disruptive threats that can have profound consequences on individual Canadians.
• Following extensive community consultations with Canadians, we released a new National Cyber Security Strategy in February 2025. At its core, the new Strategy is about engagement and collaboration.
• Also at its core is a flexible approach to cyber security solutions. This will be put in place through issue-specific action plans that support the new Strategy’s vision and objectives.

• Under the Strategy, we will implement a grants and contributions program to fund cyber security projects across Canada that that will underpin our collective digital prosperity. We will also create a forum to engage with key stakeholders to ensure that we are taking a whole-of-society approach to building our resilience to cyber threats.
• Public Safety Canada and its portfolio agencies support critical infrastructure across ten essential sectors, with self-assessment tools and guidance.
• We also coordinate the federal response to cyber security incidents through the Federal Cyber Incident Response Plan, which provides a reliable framework for coordination and information-sharing among government departments and agencies when managing significant cyber incidents or events affecting non-Government of Canada systems.
• The Canadian Security Intelligence Service is working closely with Canadians, industry, and academia to build awareness and resilience to cyber threats, including by sharing information through new authorities to alert Canadians to potential cyber vulnerabilities, and help them adopt robust security practices.
• Through this ongoing work, we continue to take strong action to protect and defend all people in Canada from cyber threats.
 

Threat Environment

• The 2025-2026 National Cyber Threat Assessment identifies ransomware as the top cybercrime threat to Canada's critical infrastructure, emphasizing state and state-sponsored threat actors more than the previous assessment. It lists China, Russia, Iran, North Korea, and notably India, which was not identified in the 2023-2024 National Cyber Threat Assessment.
• The report highlights India's likely use of its cyber program for national security, espionage, counterterrorism, and enhancing its global status. It likely uses commercial vendors to enhance its cyber operations.
• The report also lists China as presenting the most comprehensive cyber security threat facing Canada today. The objectives of its operations include political and commercial gains, espionage, Intellectual Property theft, and transnational repression. Canadian politicians at all levels of government have been targeted.

Government of Canada Response

• The Government of Canada is responsible for responding to cyber threats and national security threats, as well as defending critical Government of Canada systems. Federal interventions include informing potential victims of cyber activity and aiding security professionals in adopting best practices to minimize the impact on essential operations.
• In its newly released National Cyber Security Strategy, the Government of Canada takes a whole-of-society and agile approach to cyber threats to advance adaptable cyber security policies.
• Following the announcement of the new Strategy in February 2025, Public Safety Canada secured funding to establish the flagship initiatives of the NCSS: the Canadian Cyber Defence Collective, which will formalize collaboration and information sharing between all levels of government, Indigenous organizations, private industry, and academia; and the next iteration of the Cyber Security Cooperation Program, which is Public Safety Canada’s cyber-related grants and contributions initiative.
• Public Safety Canada supports critical infrastructure owners and operators, encompassing ten sectors essential to Canadians' well-being: energy and utilities, finance, food, transportation, government, information and communication technology, health, water, safety, and manufacturing. For example, Public Safety Canada, in collaboration with the Cyber Centre, developed the Canadian Cyber Security Tool for self-assessment.
• Public Safety Canada also co-chairs the Federal Cyber Incident Response Plan to coordinate responses to cyber incidents affecting non-Government of Canada systems, which serves to enhance situational awareness and inform decision making during significant cyber events.

If Pressed
Q1- Question on the reintroduction of former Bill C-26, An Act Respecting Cyber Security
• An Act Respecting Cyber Security (formerly introduced as Bill C-26) was a bill with two distinct legislative initiatives intended to protect federally-regulated critical infrastructure from cyber threats.
• Part 1 proposed to amend the Telecommunications Act to add security as a policy objective and provide order-making powers to the Minister of Industry and Governor in Council, while Part 2 would have introduced the Critical Cyber Systems Protection Act with the goal of establishing a regulatory framework to strengthen baseline cyber security across federally-regulated critical infrastructure sectors.
• The proposed legislation, which received near-unanimous approval in both the House and the Senate, had advanced to the final stages of the Parliamentary process before it died on the Order Paper due to prorogation while awaiting concurrence from the House of Commons on an administrative amendment made in the Senate.
• By introducing legislation establishing a cyber security framework for key federally regulated entities and centralizing cybercrime and cyber incident reporting, Canada will significantly enhance the cyber security of the federally-regulated critical infrastructure upon which Canadians rely, impacting our national and economic security, and ensure criminals are held accountable.
• Importantly, it also ensures that Canada does not fall further behind its like-minded allies who have experienced the same push to introduce and revise legislative measures to address cyber security.
Q2- Question on the Detection and Reporting of Cybercrime
• The government is working with stakeholders to make it easier for the public and business to report cybercrime to ensure crimes reported are actioned properly.
• The Royal Canadian Mounted Police’s (RCMP) National Cybercrime Coordination Centre and Canadian Anti-Fraud Centre are jointly responsible for national cybercrime and fraud reporting in Canada, by both victims and victimized organizations with a nexus to Canada.
• These two Centres are developing a new National Cybercrime and Fraud Reporting System to improve and streamline cybercrime and fraud reporting, enhance technical capabilities of these Centres, and support Canadian law enforcement to action victim reporting of cybercrime and fraud.
• By improving and centralizing reporting, the RCMP can further aggregate, analyze, and improve information sharing with law enforcement and security partners to support prevention, deconfliction, and investigative efforts.
• Any individual who has been a victim of cybercrime, fraud or scams, should contact their local police and report it to the Canadian Anti-Fraud Centre.
Q3- Question on Specific Incidents
• We are aware of the {Insert type of incident, city, province} and we are closely monitoring the situation.
• The federal cyber community meets regularly to discuss potential and ongoing incidents to coordinate the federal response. To this end, the Federal Cyber Incident Response Plan, for incidents affecting non-Government of Canada systems, and the Government of Canada Cyber Security Event Management Plan, for incidents affecting Government of Canada systems, are escalated as needed according to the severity of the incident.
• The Government Operations Centre is working to determine what type of federal assistance may be required by provinces and territories and the critical infrastructure providers to deal with the situation.
• First responders and provincial officials are responsible for addressing the immediate needs of citizens in the affected areas.
• As the situation is evolving rapidly, it would be inappropriate for us to comment further.
Q4– Question on holding cybercriminals responsible
• The RCMP Federal Policing Cybercrime Program investigates the highest levels of cyber-related criminal activity and threats to national security. This includes cybercrime directed against institutions of government, critical infrastructure of national importance, and key Canadian institutions and business assets. The RCMP has a broad mandate to combat cybercrime domestically and internationally, and deploys various enforcement measures to enable arrests, charges, and other disruption outcomes (for example, actions to neutralize the threat, minimize victimization, and hold cybercriminals to account where possible).