Adapt and survive: how governments can work to protect themselves against the cybersecurity threats of today – and tomorrow  

By on 15/07/2026 | Updated on 15/07/2026
government cybersecurity

At a Global Government Forum webinar, experts in public sector digital resilience discussed how governments can boost cybersecurity at scale, develop more robust systems, and adapt and recover when things go wrong

The transformation from analogue to digital has seen huge benefits for governments and society, but it also presents challenges – not least the threat of cyberattacks, which has grown due to geopolitical tensions and developments in artificial intelligence.

During a Global Government Forum webinar, three Canadian public servants discussed the threat and opportunity of artificial intelligence in cyber resilience, how to overcome barriers such as legacy systems, outdated governance and insufficient funding, and the importance of strengthening relationships with private sector suppliers and protecting public trust.  

Emerging cyber threats

Governments face a wide range of digital threats. Michael Goit, acting executive director and chief architect, digital credentials, at the Canadian Digital Service, highlighted that identity and phishing attacks are the most common type of cyberattack on citizen-facing systems and that AI has enabled criminals to orchestrate cyberattacks much more quickly and to cause more severe damage than had previously been possible.

In the past, Goit said, amateur hackers referred to as “script kiddies” would employ scripts written by others to try and infiltrate digital systems. Now, these previously relatively low-level malicious actors can use AI to pose the “kinds of threats we used to reserve for… very advanced cyber criminals or nation-state actors, sponsored actors”.

Jason Solomon, former chief of digital innovation at Statistics Canada and early pioneer in the adoption of AI technologies, reinforced this point. “Large language agents… [provide] a huge potential for people without a lot of skill to do a lot of damage if organisations aren’t prepared,” he said.

Olga Bakonyi, the head of digital technology services and the government services integration cluster within Ontario’s Ministry of Public and Business Service Delivery and Procurement, added that the damage even amateur cybercriminals can now inflict with the use of AI included ransomware attacks, compromising cloud service supply chains, attacks on critical infrastructure, and expanded capacity for identity and credential theft.

She explained that the problem of digital security and resilience is “not just an IT problem, it’s a public safety problem, an economic stability problem, [and] a privacy problem”.

And as Goit noted, the rapidly advancing nature of technology produces infinite new vantage points for cybercriminals to inflict damage from, resulting in government and private sector cybersecurity forces being in “a bit of an arms race… to keep up and maintain a posture” of security.

AccelerateGOV – Global Government Forum’s annual conference co-hosted by the Government of Canada – will return to Ottawa on 16 & 17 December 2026. Find out more and register here.

Resilience challenges

Solomon said that “almost every public service executive” has a good grasp of the threats and challenges they face and see cybersecurity as “a core part of [their] responsibility”, but he also said that while “there has been a dramatic evolution of focus on cybersecurity activities” in the last 15 years, “for government, just being aware of the concepts of the threats isn’t enough”.

Governments need to have the plans and frameworks in place to be able to identify and combat threats, and as the speakers explained, there are often institutional barriers that inhibit government from being able handle emerging digital threats effectively.

One challenge faced by those tasked with strengthening government cybersecurity, said Goit, is outdated bureaucratic requirements to implement system changes which often can’t keep up with the fast pace of software development.

He said the Government of Canada has traditionally used its Harmonized Threat and Risk Assessment Methodology to perform “point-in-time assessments of what all the threats against the system are”, but that this entails a very slow and rigid process to coming up with cybersecurity fixes.

The outdated methodology “doesn’t match up well with… a very agile [software] development pace” where teams are “doing research, building something, delivering and assessing it all within a sprint”.  

Goit also explained that there is a “mismatch in culture of how we manage… threats”. The cybersecurity experts continuously gather evidence and approve systems implementation in order to meet the threats of the day, while the “compliance folks” run systems that haven’t been “updated or maintained” in 15 years.

This, he said, is part of a broader problem facing government, with teams often forced to work with antiquated systems which both slow the pace at which government can meet cybersecurity threats and create new vulnerabilities that can be exploited by malicious actors.

Bakonyi elaborated on this point, explaining how government cybersecurity teams are often “trying to protect and keep running” systems that might have been implemented in the late 1990s or even earlier.  

The problem with this, Goit said, is that “a lot of the legacy stuff is… unmaintainable”. Teams can’t “call up the person who wrote a programme in the 1960s and ask them to help… fix it… the compilers for some of these technologies don’t exist, the information and data design isn’t in a state that actually allows us to evolve the way the systems work”.

As Bakonyi highlighted, an additional challenge is that lawmakers often aren’t providing the resources needed by cybersecurity teams. While IT experts are acutely aware of the problems faced by governments, those in charge of dispensing the resources to tackle these problems do not always understand the potential severity of attacks or what is needed to head them off.  

An obstacle she continually faces in trying to keep government systems secure, she said, is a lack of funds.

Read more: On the defensive: strengthening government cybersecurity in a changing landscape

Developing and implementing disaster recovery plans

The panellists’ recommendations on tackling these challenges and ensuring that government can protect its digital systems fell into two key categories: developing and implementing a robust disaster recovery plan, and using the evidence gathered to produce this plan to educate government organisations and private sector partners on how to patch existing holes and limit vulnerabilities.

Referring to the former, Bakonyi said it’s best to operate with the assumption that something will go wrong eventually and to have a disaster recovery plan in place so government can rebound quickly after an attack.

A key point she stressed throughout the webinar was “the notion of operational preparedness”. Governments can’t simply rely on their cybersecurity systems to protect them indefinitely; they need to take proactive steps to be able to handle an attack when one occurs. Critical systems need to be documented, disaster recovery plans need to be created and tested every year, and resilience and adaptability need to be prioritised, she said.

“Resilience is not [so much about] creating systems that can protect data, protect our solutions, our capabilities, but more about documenting the steps to prepare for an outage… [recover] systems, and adapting.”

Goit reinforced this point by saying that the idea that “you don’t get fit by climbing a mountain… you get fit, and then you climb the mountain” is applicable to cybersecurity and emphasised that creating a procedure for disaster recovery and testing it extensively is critical.  

Both he and Bakonyi explained how their organisations perform simulations of a cyberattack, putting their systems to the test and doing their best to break them. If a vulnerability is found, they have an “after-action discussion, not just on what the root cause of the error was or how the event happened, but… how did we respond, and what could we have done better,” Goit said.   

This approach shouldn’t be limited to certain systems but to the whole organisation, office tools, telephones, building access, and industry and supply chain partners. “Every part of that needs to get integrated in the simulations,” he said.

He acknowledged that this requires “energy, planning effort, logistics, all those things, but if you don’t practice, you’re never going to be really good, and I can promise you that the bad guys do a lot of practising – they’re constantly trying stuff on us”.

Read more: UK government launches cyber profession to bolster public sector IT resilience

Creating and rigorously testing disaster recovery plans not only makes government less vulnerable to cyberattacks but also provides cybersecurity teams with an opportunity to modernise legacy systems and make needed improvements.

This was the panellists’ second key recommendation: to use the information about vulnerabilities and the potential impacts of an attack gathered from creating disaster recovery plans and running simulations to educate people across government and industry partners on the threats and what is needed to close gaps.

Access to such information means cybersecurity experts can explain why a system or the governance surrounding it isn’t optimised to enable them to get it up and working again following an attack, to demonstrate the risks and show what’s needed to be able to fix them problem, and to ask for the required resources and investment.

They can “make that message loud and clear [and] use the opportunity to modernise and eliminate that technical debt”, Bakonyi said.

Talk turned back to artificial intelligence, and one of the messages that Bakonyi reinforced throughout the webinar was that while it creates new challenges, it also presents governments with new tools and opportunities to bolster cybersecurity and to accelerate the work of cybersecurity experts.

However, as Soloman noted, you can’t simply dump AI on employees and expect them to be able to use it effectively. “Using AI is incredibly easy, but using AI effectively is not,” he emphasised. Therefore, governments need “to be incredibly structured” in their implementation of AI and “train the people that are in the organisation already to become AI native” and amplify the work of those who are able to use it to boost productivity.

Read more: Ukraine ‘deepens cooperation’ with Estonia in digital governance and cybersecurity

Gaining and maintaining citizen trust

As cyberattacks and other digital threats become more common and have the potential to do more damage than ever before, maintaining the trust of citizens must be a key priority for governments going forward, the panellists said.

This entails governments not only to protecting in-house systems but strengthening their relationships with private sector suppliers in a bid to stay ahead of emerging threats.

“These relationships are going to be essential as we move forward,” Goit said.

Bakonyi emphasised that citizens expect government to protect their data, and that this is no less true if that data is being stored in the cloud managed by a private sector provider.  

“The fact that it’s in the cloud does not eliminate my responsibility to keep the platform up,” she said, adding that accountability still lies with government.  

Therefore, government needs to take an active role in embedding resilience into vendor contracts, and to “participate in and be able to influence what’s happening in their space, because they’re still our systems [and] it’s still our data”.  

Governments also need to be honest and transparent with citizens when something does go wrong. It’s the “transparency and the processes through which we respond to incidents that maintains trust,” Goit said.

By and large citizens understand that cyberattacks are a threat in the modern world and that prevention is not always possible. As Solomon put it: “I guarantee you, there’s not a single person watching this [webinar] right now that hasn’t received a notification… or seen something in the papers… about an institution that has had a breach.”

He highlighted that governments hold the “most important pieces of information” about citizens and that they rely on government to keep this information secure and to protect their identities. So, when a cyberattack does happen, the government response needs to be strong. Any attempt to try and hide the attack or to downplay it will only erode citizens’ trust in government further.

The development of technologies like AI poses new cybersecurity threats to government, and these will only advance in the coming years and decades, putting further stress on already strained systems.

The key message conveyed during the webinar was that governments are currently at an inflection point where they can either rise to meet the challenges posed by the rapid pace of technological advancement or fall behind and face dangerous consequences.

The panellists’ recommendations provide the foundations for governments to rise to the cybersecurity challenges of today and to position themselves to adapt to the threats of tomorrow.

The ‘Understanding – and boosting – digital resilience’ webinar was hosted by Global Government Forum and took place on 7 July 2026. You can watch the webinar here.

About Luke Barisonek

Luke is a student at Boston University pursuing a degree in international relations with a focus on environment and development. As part of the Boston University London Summer Internship Program, Luke is interning with Global Government Forum where he primarily works in the editorial department. Luke is active in Boston-based political organising and is a member of the Boston University Snowboard Team.

Leave a Reply

Your email address will not be published. Required fields are marked *