Let’s start the year by comparing recent government initiatives in the United States to better protect its critical infrastructure with the much more timid ones on the Canadian side of the border.
A few weeks ago, I presented an article to you on the likely incursion of the Chinese Communist Party into the telecommunications networks of our American neighbours. The attack, called Salt Typhoon, exfiltrated personal user data, sensitive network infrastructure information and employee identifiers, compromising communications security and facilitating potential future attacks.
For our part, in Canada, the Communications Security Establishment Canada (CSE) stated on December 7, 2024, that it “is not aware of any Canadian networks affected by this activity.” In short, we do not know, but we have some doubts about it.
We can say that 2024 ended with a reality check regarding the cyber security of critical infrastructure. The cyber-security landscape in the U.S. was deeply shaken by the discovery of this espionage campaign. This intrusion, dubbed the “worst telecom attack in the nation’s history” targeted at least nine major U.S. telecommunications providers, including AT&T, Verizon and T-Mobile.
The need for a comprehensive cyber security strategy was already recognized in the United States. Its purpose was to engage critical infrastructure agents, their suppliers and key supply chain stakeholders. The increase in the pace and complexity of attacks simply accelerated this process. I would therefore like to give you a brief non-exhaustive summary of what has transpired south of the border over the last few months.
Enhanced cyber security measures
In response to this threat, the U.S. government quickly implemented a series of measures to strengthen national cyber security:
New executive order on cyber security
On January 13, 2025, President Biden is expected to sign an executive order to strengthen cyber security standards for federal agencies and contractors. The main provisions of this order include:
- The use of artificial intelligence (AI) for cyber defence, including a Pentagon program to use AI models to improve cyber defence efforts;
- More stringent requirements for secure software development by federal contractors;
- Strengthened security in the cloud systems used by the federal government;
- Implementation of “strong identity authentication and encryption” for government communications.
Launch of the U.S. Cyber Trust Mark
On January 7, the White House officially launched the U.S. Cyber Trust Mark, a voluntary cyber security labelling program for consumer-connected devices.
Strengthening public-private partnerships
The Biden administration also focused on strengthening public-private partnerships in cyber security, including:
- Subsidies and rebates on security products optimized for small hospitals;
- The supply of free or low-cost cyber security resources for school districts;
- The launch of the Illicit Virtual Asset Notification program to combat financial crime related to cryptocurrencies and ransomware.
New FCC regulations
On December 11, 2024, the Federal Communications Commission (FCC) proposed new rules requiring telecommunications operators to secure their networks from illegal intrusions. These measures include:
- A mandatory statement confirming that operators are legally required to secure their networks;
- The requirement for suppliers to establish cyber security risk management plans and to annually certify their compliance with those plans.
Strengthened federal guidance
On September 5, 2024, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI issued updated guidance for telecommunications providers and other critical infrastructure organizations. These guidelines focus on:
- Configuration management;
- Vulnerability management;
- Network segmentation;
- Industry-wide information sharing.
Secure American Communications Act
In January 2025, Senator Ron Wyden introduced a bill requiring the FCC to implement specific cybersecurity requirements.
Preparing for the quantum era: FIPS standards
On August 13, 2024, the National Institute of Standards and Technology (NIST) finalized three new Federal Information Processing Standards (FIPS) for post-quantum cryptography. These FIPS standards represent a significant step forward in preparing for the quantum computing era. Their gradual adoption in both government and private systems will be critical to maintaining the security of communications and sensitive data over the long term.
What is happening in Canada?
International collaboration
On December 7, 2024, the Canadian Centre for Cyber Security (Cyber Centre) participated in a joint publication with the United States, Australia and New Zealand to provide security advice to telecommunications companies on strengthening their infrastructure.
Strengthening monitoring
The Cyber Centre has increased its collaboration with government partners and critical infrastructure providers to help them protect their networks from cyber threats.
New cyber threat assessment
On October 15, 2024, Canada released a national cyber threat assessment for 2025-26, noting that Canada’s state adversaries are becoming more aggressive in cyberspace and targeting critical infrastructure.
Death of bills C-26 and C-27
Bill C-26 and Bill C-27 respectively aimed to strengthen the cyber security of critical infrastructure and modernize Canada’s personal data protection and artificial intelligence legislation.
As a result of the Canadian Parliament being prorogued on January 6, 2025, Bill C-26 and Bill C-27 effectively died on the order paper, putting an end to their legislative progress.
Prorogation, which ends a session of Parliament, results in the abandonment of all current business, including bills that have not yet received royal assent. For these bills to become law, they will have to be reintroduced in the new session of Parliament and the whole legislative process will need to be started over again from scratch.
While this represents a setback for these initiatives to strengthen cyber security and personal data protection in Canada, it is possible that the government may choose to reintroduce them. These bills could include amendments based on the debates and studies conducted to date. However, there is no guarantee that these bills will be a priority in the new session. Their future will depend on the government’s legislative priorities after prorogation.
Let’s stop dithering
Despite the efforts made, the increase in the budget for cyber security and the initiatives announced, it is clear that Canada is significantly behind in implementing robust frameworks to protect its critical infrastructure. While our allies, until proven otherwise, such as the United States, the United Kingdom and Australia, have already put in place strict regulations and mandatory certification programs, Canada still seems reluctant to take decisive action.
Vital sectors such as energy, transportation, health care, telecommunications and financial services remain potentially easy prey to sophisticated cyber-attacks, as demonstrated by the Salt Typhoon incident with our U.S. neighbours. The absence of strict regulatory frameworks and mandatory security standards leaves these critical infrastructures at unacceptable risk in an ever-changing threat landscape. It is fortunate that a number of private Canadian and Quebec institutions are taking the bull by the horns and developing a first-class cyber defence. Unfortunately, it is not what most are doing.
In an increasingly uncertain geopolitical environment, where state-sponsored cyber attacks are becoming commonplace, it is imperative that Canada stop dithering and take a leadership role in cyber security. The time for endless consultations and failed bills is over. The citizens of this country and its businesses deserve the certainty that their critical data and systems are protected by measures commensurate with current threats.
Let us hope that the next Canadian government will show strong and decisive leadership in cyber security. Canada must act to catch up and ensure the resilience of its critical systems in the face of 21st-century cyber threats. Inaction is no longer an option in a world where national and economic security increasingly depends on our ability to protect our digital assets.