Lessons from Canadian cyber-defence

The threat of cyber attacks on governments and national institutions is real and growing. In a webinar, public and private sector experts came together to discuss the challenges and how to tackle them – in Canada and beyond.
Like other nations, Canada is working tirelessly to stay one step ahead of the bad actors orchestrating cyber attacks.
The threat from cyber attacks is global, but the specific responses needed vary from country to country, depending on their unique circumstances. Every government has its own cyber weak spots, whether due to its internal structures, geopolitical exposure, legacy technology infrastructure or a combination of these and other factors. And yet, every solution successfully applied in one country can provide a lesson to another about how to achieve the common goal of national security.
During a Global Government Forum webinar, supported by knowledge partner Google Cloud Security, public and private sector experts from Canada came together to discuss cyber challenges and how to address them, touching on best practice techniques – and the threat and opportunity presented by AI.
TTPs and ‘red teaming’
Éric Sauvé, chief information officer at the Canada Council for the Arts, said that within the complex mesh of things governments do and do not know about so-called ‘bad actors’, the tactics these actors employ are now relatively well understood. In the Government of Canada, this knowledge is supported by several frameworks that the administration leverages, along with routine internal assessments.
“The way I try and think of the threat landscape is a little bit less around the players and a little bit more around what the main strategies they would pursue are,” he said. “This is an opportunity for an organisation to feel fairly on top of it.”
Nevertheless, he said that it is difficult for governments to keep abreast of a broad landscape of cyber threats that is constantly shifting – where once visible threats become obscure, and where new and unfamiliar threats are continually being uncovered.
Justin Lafontaine, director of technology analysis at the Office of the Privacy Commissioner of Canada, said the privacy commissioner is “uniquely positioned” to understand the nature and scale of the cyber threats the department faces.
“We’re a regulator that’s there to enforce the Privacy Act, which stipulates how federal government departments should be handling privacy matters, and then also pivot up how the private sector should be handling personal information,” he explained.
When a breach involving the personal information of Canadians happens, it is a mandatory requirement that the privacy commissioner be informed of that breach. The wealth of data this builds up over time gives the commissioner a “unique vantage point” from which to protect its own systems.
For departments without these same advantages, Lafontaine agreed with Sauvé’s point that it is best to focus on what is referred to in cyber security as the ‘TTPs’ (the tactics, techniques and procedures employed by bad actors), as well as on ‘red teaming’.
In Lafontaine’s words, red teaming is when a team of cyber security experts “put on the bad guy hat” and try to hack their organisation’s internal systems in order to “find vulnerabilities and exploit them before the actual bad people do it”.
Public and private sector practices
Jesse Jordan, deputy lead of cyber strategy for Mandiant Canada, Google Cloud, discussed how well – from his perspective in the private sector – public sector bodies understand the scale and nature of existing cyber threats.
“Some of the most dedicated and skilled people that I’ve worked with are in the public sector,” he said. “They appreciate the depth of the incident and the impact that they’re responsible for.”
He stressed that nearly all the cyber challenges faced by the public sector are the same as those faced by the private sector, even if what’s at stake differs, and that resources are currently stretched thin “across all industries”.
Both public and private sectors received a wake-up call earlier this year when news broke of “insider threat workers” being used to “exfiltrate intellectual property [and] other sensitive information” in North Korea, he said.
Google Cloud’s blog site summarised the country’s tactics, illustrating the threats governments face. “It’s long been known that the North Korean regime has been involved in cybercrime and other cyber operations to advance its strategic goals. One of its more recent tactics has been to create fake workers – names, resumes, and even personalities – to get their IT workers hired remotely as employees at major companies, and in high-paying technical roles.”
In his contributions, Jordan also set out what the public sector stood to learn from the private sector, particularly about how artificial intelligence could be used to enhance cyber defence practices.
“We talk a lot about the negatives of AI, but there are a lot of positives from a defender’s advantage perspective. We’re also seeing a lot of collaboration on security awareness, cyber defence modernisation and intelligence sharing.”
Jordan’s colleague Alishia Hui, who is principal consultant for Mandiant Canada at Google Cloud, highlighted that a lot of recent attacks have leveraged “some form of social engineering… so breaking business processes that are actually in place”.
“How do we as security professionals really look at making sure we have not just that understanding [of the threats] but are integrating some of those checks into business processes and equipping those frontline workers who are interacting with the public or who may be targeted by more sophisticated attacks?” she asked.
She said one way of equipping frontline workers was through initiatives like Cyber Security Awareness Month.
Deepfakes, frustrations, and the need to ‘trust, but verify’
Jordan said he felt enough was being done to develop officials’ awareness so they were able to practise basic cyber ‘hygiene’, but that it was understandably difficult to keep pace with modern threats, including those posed by AI.
“We’re seeing a lot of AI deepfakes, like voice cloning, [which are] getting pretty advanced. Some very advanced models are now able to… use our voices, and with a little bit of intelligence gathering [capability], it’s easy to trick people and service desks into giving passwords, or to enable access for a threat actor into an environment.”
He said his biggest frustration comes from seeing officials using the same passwords for multiple logins. In his view, these are small mistakes that no modern organisation can afford to make.
Lafontaine said his two “pet peeves” were “lack of multifactor authentication” and, like Jordan, the prevalence of “credential reuse”.
“I swear, if those two were mitigated or implemented properly, 90% of the breaches would not happen,” he said.
In Sauvé’s view, there is a need to be patient with the pace of progress but without succumbing to complacency.
“In the Government of Canada, we’ve got a three-year security planning cycle with ‘re-up’ every year. This is a good kind of time horizon to think about. You need to think about it in the long haul. System modernisation takes a long time. Having a yearly re-up of your three-year plan allows you to adjust for new or changing threat vectors or guidance and allows you to achieve things that are possible to achieve within a shorter timeframe.”
Hui concluded on a theme central to the discussion: trust. All cyber-attacks prey on people’s trust, whether they impersonate a user or convince them to do something that is not in their interest. Whether we like to admit it or not, she said, trust makes us vulnerable. But trust is also essential to being human. Balancing healthy suspicion with innate human trust is what makes phrases like ‘trust, but verify’ so important to embed in organisations.
“We’re all people, so what are those controls we can put in place [so that] we’re still treating this like we are people, but are also putting in controls to reduce the ability for threat actors to take advantage of that?”
The ‘How to tackle the most common threats the Canadian government faces’ webinar was held by Global Government Forum in partnership with knowledge partner Google Cloud Security on 2 October 2025. Watch the webinar in full here and hear the panellists’ answers to a range of other cybersecurity-related questions.












