by Policy Options. Originally published on Policy Options
August 4, 2025
by Policy Options. Originally published on Policy Options
August 4, 2025
As cyberthreats continue to increase and become more serious, it’s quickly becoming clear there is a need for a paradigm shift to shared responsibility across the entire cybersecurity ecosystem.
The new federal cybersecurity strategy, securing Canada’s digital future, seems to acknowledge this, with its emphasis on two overarching principles, including a focus on “whole-of-society engagement” – a recognition that all Canadians, including businesses, “have a role to play in improving Canada’s national cyber resilience.” It thus places a large premium on fostering partnerships with the private sector in this area.
However, this rhetoric has not been matched by action. The federal approach remains top-down, paternalized enforcement with strict controls and too much secrecy.
Instead, Ottawa can take several steps to help – delegate powers to individuals and businesses to bring some cases on their own, give businesses new civil legal options and eliminate duplication in reporting and enforcement among government agencies.
Last summer, the auditor general ran a performance audit of Ottawa’s management of its activities, responsibilities and resources in this area.
The resulting report concluded that the primary federal institutions responsible for combating cybercrime “did not have the capacity and tools to effectively enforce laws intended to protect Canadians from cyberattacks and address the growing volume and sophistication of cybercrime.”
While accepting the recommendations, Dominic LeBlanc, then minister of public safety, reiterated his confidence in “law enforcement and intelligence agencies’ ability to continue to keep Canadians safe online.”
Many Canadian businesses may not share this view because they are increasingly confronting data breaches, intellectual property theft and ransomware attacks.
A failure to report
Perhaps nothing epitomizes this lack of trust more than the fact that as of 2023, the last year for which there is data, only one in eight Canadian businesses reported cybersecurity incidents to police services. This is only slightly higher than the individual reporting rate. The Canadian Anti-Fraud Centre (CAFC) estimates that only five to 10 per cent of cybercrimes are reported by individuals.
Why do so many businesses do this? Well, the reporting systems are not simple. There is no single point of contact to report a cybercrime. Although the RCMP has discussed establishing one, it has not been created. This leaves Canadian businesses to navigate a jurisdictionally complex landscape.
Consider that each of the following federal institutions has its own channel for reporting cyber incident-related information: the RCMP, the Communications Security Establishment, the CAFC, the Canadian Security Intelligence Service, the Office of the Privacy Commissioner, the Canadian Radio-television and Telecommunications Commission, the Competition Bureau and more.
Instead of reporting cybercrime to government, Canadian businesses are looking to private parties for protection. In the most recent official survey on the topic, a 2022 Statistics Canada survey found 47 per cent of responding large businesses had a cyber security insurance policy in 2021 – a considerable increase from nine per cent only two years earlier.
A disappointing track record
The RCMP tackles cybercrime through the CAFC, the National Cybercrime Coordination Centre and the federal policing cybercrime program, which investigates “the highest levels of cybercrime threatening Canadians and [Canada’s] national interests.”
However, the force has struggled to staff these teams. About one third of its cybercrime positions were vacant as of January 2024. According to an access to information request from October 2023, there were only 73 employees working as cybercrime investigators across the entire country – roughly the same number of people at Public Safety who either have “communications” in their job title or who work in the dedicated communications branch of the department.
Even if a cybercrime is reported and investigated, there is often no clear path to prosecute the wrongdoer. The Public Prosecution Service of Canada does not even have a section devoted to cybercrime or IP theft from Canadian businesses – in contrast with the U.S. Department of Justice which has a division focused on computer and IP-related crime.
Even where Canada has decent criminal laws, it rarely uses them. In 2022, a key trade secret part of the Criminal Code of Canada was used for the first and only time when an RCMP investigation led to the arrest and charges against Yuesheng Wang, an employee of Hydro-Québec who allegedly obtained trade secrets on behalf of China.
It’s time to delegate
If the federal government to improve its track record, it needs to rethink its enforcement paradigm. The current approach favours the concentration of power in the hands of government, which leads to lacklustre results. A more agile approach would see the government delegate some of it.
For example, British Columbia, Manitoba and Nova Scotia have all recently created civil legislation – complementing existing criminal laws – to give individual victims of non-consensual disclosure of intimate images more power to bring cases on their own.
When it comes to protecting IP, businesses could profit from having civil tools such as rights of action for the misappropriation of trade secrets and confidential information. Creating such actionable rights would go far in redressing the paltry state of government enforcement of criminal laws.
Similarly, enforcement is currently handled by a plethora of separate government agencies replicating many functions. They should be streamlined to make them more efficient. Despite a public service that has grown rapidly in recent years, along with record spending on consultants, there are severe staffing issues in the areas of fighting cybercrime.
The Carney government has vowed to break down provincial barriers and make government itself more productive. Delegating power to businesses – recognizing that government cannot do everything – and streamlining reporting obligations on businesses are critical steps in acting against cybercrime.
This article first appeared on Policy Options and is republished here under a Creative Commons license.
Click Here For The Original Source.
