Canada’s federal government networks are bombarded by an average of 6.3 billion malicious actions each day, totalling 2.3 trillion cyberattacks last year, according to the latest Communications Security Establishment (CSE) annual report. CSE—Canada’s signals intelligence and information security agency—paints a picture of the opaque world of cybersecurity and cyberthreats in Canada’s digital economy. The report details the scale of cyber vulnerabilities Canada faces and the immense level of effort national security agencies like CSE take to combat cyberthreats.

The scope and breadth of CSE’s cyber activities outlined in the report indicate the complex threat environment Canada faces in cyberspace. This article summarizes the annual report’s key sections, providing critical insight into Canada’s cybersecurity environment, the role CSE plays, and the importance of cybersecurity knowledge and skills in Canada’s digital economy.

Protecting Government Networks

In 2022-2023, CSE issued 3,007 foreign intelligence reports to federal departments and agencies, cabinet, and partner governments. While many of these reports cover sensitive signals intelligence, a portion cover cybersecurity matters, including cybercrime, hacking, intellectual property theft, and disinformation. The information provided in these reports helps protect federal government institutions, critical infrastructure, and federal crown corporations.

According to CSE’s annual report, state actors (i.e., foreign governments) and state-sponsored actors, cybercriminals, and non-state actors all pose a threat to Canada’s digital systems. Common cybersecurity threats to federal government networks include malware, unauthorized mapping of digital systems and networks, and information theft. To help protect Canada’s digital systems from this deluge of attacks, in 2022-2023, CSE deployed sensors across 860,000 government devices and over dozens of federal ministries and departments.

Requests for Technical and Operational Assistance

In addition to defending federal IT networks, CSE participates in “requests for technical and operational assistance” from other federal security agencies, such as the RCMP. CSE received 62 requests from its partner agencies in 2022, representing a 56% increase over 2021. Of these, 59 were approved, one was denied, and two were cancelled. While few details on these requests are offered in the report, such requests could generally include information collection, technical and linguistic support work, and cyber operations.

Protecting Non-Federal Networks

Under CSE’s cybersecurity mandate, the agency can act under the direction of the Minister of National Defence to protect non-federal systems on an emergency basis. In 2022, CSE was tasked by a ministerial order to help an undisclosed, non-federal institution in Canada respond to a major cybersecurity incident. While the CSE report doesn’t provide any additional details on this episode, the incident does demonstrate how broadly CSE can act under special circumstances to protect Canadian digital systems.

Networks in Ukraine and Latvia were also designated “systems of importance” (SOIs) by ministerial order in March 2022. This was the first time a network outside Canada received an SOI designation, demonstrating how globalized cybersecurity cooperation has become and how important cybersecurity is during an international crisis. While we often think of cybersecurity as a purely technical domain, cyberthreats can be driven by international events.

Protecting Canada’s Critical Infrastructure

CSE engages with around 1,400 partners responsible for Canadian critical infrastructure, including healthcare providers, energy companies, academic institutions, and local and provincial governments. Over the past year, CSE’s Cyber Centre managed 1,132 incident cases involving threats to Canadian critical infrastructure.

In one notable example, CSE alerted its critical infrastructure partners to an identified cybersecurity threat that “had the potential to cause physical damage to Canadian critical infrastructures.” The incident may have been a cyberthreat against a Canadian gas pipeline system in April 2023. While CSE reports that no damage was caused in the end, this incident underscores how cyberattacks do not just threaten digital networks or computer hardware but also physical assets such as infrastructure. According to reporting by Security Intelligence, in 2022, there was a 140% increase in cyberattacks against industrial targets, including critical infrastructure.

Protecting Canada’s Research Enterprise

The theft of Canadian research and intellectual property is an emerging area of concern for universities, research institutes, and Canada’s national security community. CSE notes that research and intellectual property “are frequent targets of cyber espionage.” Under Innovation, Science and Economic Development Canada’s 2021 National Security Guidelines for Research Partnerships, CSE and other national security agencies began a “national security risk review process” of international research partnerships between Canadian research institutions and prospective international partners. While collaborating globally on scientific breakthroughs and new technology is critical for Canada’s innovation economy, it can also put Canadian intellectual property at risk.

CSE also provided its expertise during the development of Canada’s 2022 national quantum strategy. Indeed, cybersecurity and privacy were key considerations in the quantum strategy. Advances in quantum computing have the potential to make current cybersecurity practices and protocols much less effective, if not obsolete, in the foreseeable future.

Protecting Canadians

CSE’s Cyber Centre publishes regular public-facing reports and alerts regarding threats and vulnerabilities to Canada’s digital systems. Such information is crucial for business and IT departments in responding to developments and threats in cyberspace. The Cyber Centre also published its biennial National Cyber Threat Assessment 2023-2024 in October 2022. This flagship report forewarns government institutions and businesses of the emerging cyber risk environment Canada will face in the coming years.

Through the Cyber Centre, CSE works with partners to identify and shut down malicious domains—commonly used by cybercriminals for hacking and fraud—and track harmful email phishing and text-based smishing campaigns. Through collaboration with its partners, the Cyber Centre identified and tracked 274,000 malicious URLs used in such fraud.

CSE also conducted public information campaigns through its Get Cyber Safe initiative to help Canadians become more cyber-aware and improve their online safety. In 2022, Get Cyber Safe topics included online dating safety, protecting oneself from phishing scams, and securing online financial transactions, among others. CSE also promotes an annual Cyber Security Awareness Month every October and collaborates with partner government agencies to promote Fraud Prevention Month each March.

International Cybersecurity Cooperation and Canada’s Contribution to the “Five Eyes”

Canada works closely with its “Five Eyes” partners—Australia, New Zealand, the United Kingdom, and the United States—on cybersecurity and signals intelligence matters. As a select group of long-term allies and fellow democracies, the Five Eyes collaborate in collecting and sharing sensitive information to enhance the national security of each partner state.

A strong supporter of the “rules-based international order,” Canada plays a major role in shaping norms and developing international law to govern conduct in cyberspace. To ensure CSE’s activities in cyberspace conform to international norms, the agency collaborates heavily with the Department of Justice and Global Affairs Canada. By acting within identified international cyberspace norms, CSE’s actions reinforce these norms and strengthen international cyber law.

Attracting Cyber Talent

Canada is currently facing a talent shortage of cybersecurity professionals. A 2022 report by ICTC found that Canada is short 25,000 cybersecurity professionals and that one in six cybersecurity job postings go unfilled. Like other Canadian employers, CSE strives to recruit cybersecurity talent while increasing workforce diversity. Reaching diverse job candidates, including women, Indigenous people, racialized Canadians, and members of the LGBTQ2S+ community, has proven to be especially challenging for the agency.

In partnership with Microsoft, ICTC offers Cybersecurity Training and a Work Integrated Learning Program to women and non-binary students at partnering post-secondary institutions. The program includes training toward Microsoft’s AZ900 and SC900 certifications and a paid work-integrated learning placement in the cybersecurity industry. Participating employers receive $7,000 in wage subsidies per trainee. (Employers interested in participating in the Cybersecurity Training and Work Integrated Learning Program should email cybersecuritytrainingandwil@ictc-ctic.ca for more information.)

Developing Canada’s Cybersecurity Talent Ecosystem

CSE also promotes the development of Canada’s cybersecurity talent ecosystem by participating in curriculum advisory groups at Canadian post-secondary institutions, partnering with industry and academia to identify cybersecurity skill gaps, and creating cybersecurity resources for students and educators. In 2022, CSE published a cybersecurity career guide and updated its extensive guide to cybersecurity certification programs. CSE also organized its annual GeekWeek at the Canadian Centre for Cybersecurity and contributed to hackathon events with partners Hackergal and CyberTitan (an initiative by ICTC).

These varied cybersecurity activities underscore the efforts CSE deems needed to stand up to the complex threat environment faced by Canadian networks and Canada’s digital economy. CSE’s 2022-23 annual report, while by necessity vague, describes the magnitude and significance of the challenge cyberthreats pose to Canada. It provides a glimpse into the opaque but multi-faceted way national security agencies work to reduce risks to Canadian government networks, critical infrastructure, businesses, the national research enterprise, and everyday Canadians in cyberspace.