How Canada is approaching the evolving cybersecurity landscape

At the IAPP Canada Symposium 2026, a range of relevant stakeholders discussed the current state of cybersecurity issues in Canada and the role AI may play in cyberattacks in the near future.

Contributors:
Alex LaCasse
Staff Writer
IAPP
Cybersecurity risks are only compounding with the interconnected nature of businesses and relationships with third-party vendors, as well as the added layer of complexity due to the continued adoption of artificial intelligence solutions.
At the IAPP Canada Symposium 2026 earlier this month, a number of Canadian regulators and cybersecurity professionals weighed in on emerging cyberthreats, including those derived from AI, as well as the common threads that have led to a recent string of high-profile cyberattacks.
Federal government's approach
The Government of Canada released its first Enterprise Cyber Security Strategy in 2024. Treasury Board of Canada Secretariat Chief Information Security Officer Po Tea-Duncan said the strategy represents a "whole of government approach."
According to Tea-Duncan, the Canadian government is taking more proactive approaches to responding to cyber risks. Those include establishing new safeguards in response to novel and emerging threats, recruiting more cyber defense talent and improving the security culture throughout the government. Additionally, the government is placing an emphasis on the security of technology vendors it has contracts with.
"You can outsource services, but you can't outsource accountability," Tea-Duncan said. "It's really up to the government to still make sure that we have protected information, whether that be in our systems, or those systems hosted outside the government of Canada. We're moving away from a fragmented, staggered approach to a unified, proactive enterprise approach."
Canadian Centre for Cyber Security Director General for Cyber Resilience Lyall King described the current cyber defensive landscape in Canada as being in a "constant state of reconnaissance" that is "punctuated by compromises."
Canada's federal government has been compromised "at least 20 times" in the past four to five years by Chinese government-backed hackers, according to King. Hackers' efforts are no longer singularly focused on committing acts of espionage; instead, they are more frequently targeting critical infrastructure IT systems and "sitting and waiting" to take an action at a time of their choosing.
Attacks are now "about prepositioning on critical infrastructure," he said. "It's about getting into systems and sitting there and waiting and being able to take an action … that could be disruptive."
Bill C-8, which passed in the House of Commons 26 March, amends the Telecommunications Act to enact the Critical Cyber Systems Protection Act. That provision creates a framework to enhance the cybersecurity of critical information networks. King said the draft legislation has the potential to fundamentally improve cybersecurity throughout Canada's digital economy.
"The (information security) space is moving from a voluntary framework to a regulatory framework and it's game-changing for us in that regard," King said. "There'll be a critical effect across the ecosystem, which we see being a potentially positive thing. But there will be some far-reaching challenges in terms of what an operator has to do under this act, they'll have to demonstrate that they have good cybersecurity programs and we will have to establish what that looks like in the Cyber Centre to provide baseline requirements for that."
Provincial thinking
British Columbia Information and Privacy Commissioner Michael Harvey discussed how the provincial privacy regime, between the Freedom of Information and Protection of Privacy Act and Personal Information Protection Act, establishes the IPC's "reasonable safeguards" for organizations to deploy to ensure the security of personal data.
Organizations covered under FIPPA are subject to mandatory breach reporting, but private sector entities covered under PIPA do not face the same reporting requirement. However, Harvey said despite the lack of mandatory reporting for PIPA-covered entities, many organizations that encounter breaches still lodge reports with the OIPC.
As breach reporting increases in both the public and private sectors, the IPC is committed to offering tailored support to organizations of all sizes.
"Everything from the smallest organization, to the largest one, is a potential target," Harvey said. "Considering that private sector breach reporting isn't even mandatory, we still get a lot of them coming in, which is good because we were able to provide support. It is a priority for my office to figure out what resources that we can provide, how we can support small and medium sized, public and private sector organizations to respond to this threat environment."
Threat of AI-generated cyberattacks looms large
Beyond state-backed attacks, the nature of cybercrime is also transforming amid the AI revolution.
CCCS's King said while his organization is primarily concerned with identifying and responding to threats posed by nation-state actors, the availability of cutting-edge AI tools is lowering the barrier to entry to commit complex cybercrimes.
"It's the proliferation of tools, capabilities and resources out there," he said. "What used to be in the domain of the most advanced state and sophisticated state actors is now, those tools and capabilities, are available across the board to many actors. So, it's contributing to this broad range of activity that we see all the time."
Commissioner Harvey indicated a key best practice once a breach is identified is to notify a regulator as soon as possible. In some instances, British Columbia public sector organizations delayed contacting the IPC following a breach before eventually notifying the agency when they "felt like they got their heads around the situation," Harvey said.
"There's a concern by public and private sector organizations that by coming and notifying OIPC that this (incident) is going to result in an enforcement action. That is not the purpose of contacting OIPC," he added. "If you look at our outputs, the number of enforcement actions that have occurred against organizations for cyberattacks are pretty minimal, because the purpose of contacting us is so we can gather data about what's happening, provide initial support and ask questions to make sure that support is being fulfilled."
An emerging factor in how companies are enhancing their own defensive cyber capabilities is the integration with AI solutions.
King noted frontier AI models present a "rapid development of capabilities" in terms of expanding the cyber risk matrix following the global buzz around the release of Anthropic's Claude Mythos.
"It's not necessarily that these things can do anything newer, but they're able to rapidly chain together vulnerabilities to create exploit paths," he said. "This means that we're going to be faced with waves of more vulnerabilities. We have to rethink how we approach these issues, rethink how we resource these issues, and that is going to be a real challenge for us in the short-term."
KPMG Partner for Cybersecurity Services Alexander Rau said privacy issues stemming from data breaches represent a "business risk and not an IT risk." He said organizations will struggle to integrate AI into their security apparatuses if they do not already have an embedded security culture.
"A security-first approach needs to be embedded, not just by relying on technology, but there needs to be a collaboration between the business's IT and leadership to ensure that the culture within the organizations adheres to its security principles," Rau said. "We now have AI and we can't avoid talking about AI coming into organizations. Everyone wants to use it to be more efficient, more effective, but you still have to remember that it needs to be used in a secure way."



