Budget 2022: Support for Canadian Federal Government Departments and Agencies for Cybersecurity and Fighting Misinformation

Author(s): Matthew Bourne

Digital transformation has accelerated since the onset of the pandemic in the beginning of 2020 to serve the changing expectations of Canadians. Services have changed to include more contactless interactions – whether those services are externally facing for Canadian constituents or internal in nature.

Alongside greater digitization and dependence upon these digital systems, online attacks have significantly increased. It’s big business: By one published account, cybercrime is expected to total US$10.5 trillion by 2025. In Canada the tally is estimated to amount to more than Can$3 billion per annum. In addition to this already complex environment is the rise of misinformation – incorrect or misleading information – in the digital sphere.

However, online attacks are not only about money. Rogue actors, many of them foreign, are also going after national secrets and intellectual property such as improvements in artificial intelligence or quantum computing – anything bringing advantage or leveling the playing field in today’s winner-takes-all, hypercompetitive global economic environment.

The protection of computer systems and networks from information disclosure and theft of or damage to their hardware, software, or electronic data, as well as protection from the disruption or misdirection of the services that they provide is the mandate of cybersecurity. But this effort is becoming more and more complex, a losing game for more and more of Canada’s populace. As a result, the Canadian government earmarked a significant outlay for cybersecurity measures in the 2022 budget. The government outlined Can$875.2 million over the next five years, starting in FY2022-23, as well as $238.2 million ongoing for additional measures to address “the rapidly evolving cyber thread landscape.” Additional details were also outlined in the budget (all values in Canadian dollars):

  • $263.9 million over five years, starting in 2022-23, and $96.5 million ongoing to enhance CSE’s [Communication Security Establishment’s] abilities to launch cyber operations to prevent and defend against cyber attacks;
  • $180.3 million over five years, starting in 2022-23, and $40.6 million ongoing to enhance CSE’s abilities to prevent and respond to cyber attacks on critical infrastructure;
  • $178.7 million over five years, starting in 2022-23, and $39.5 million ongoing to expand cyber security protection for small departments, agencies, and Crown corporations; and
  • $252.3 million over five years, starting in 2022-23, and $61.7 million ongoing for CSE to make critical government systems more resilient to cyber incidents.

Moreover, Budget 2022 proposed $17.8 million over five years beginning in FY22-23 and $5.5 million thereafter until 2031-32 for the Communication Security Establishment for a unique research chair program funding research on cutting-edge technologies relevant to the CSE’s activities.

What does this all mean? The Canadian government is not only taking an increasingly sophisticated view of cybersecurity but is also adopting both offensive and defensive measures in pursuit of its goals. The outlay of funds allows the government to expand upon the National Cyber Security Action Plan originally outlined in the 2018 federal budget (that action plan was created from a comprehensive cyber review in 2016 with public consultations and inputs from both private and public sectors).

Of course, the Treasury Board Secretariat outlines the direction that departments must make, as outlined in the Policy on Government Security and other related directives. Indeed, networks and security are cited as priority number one in Shared Services Canada 3.0: An Enterprise Approach. Yet the stakes are higher than ever, and the National Capital Region finds itself having to resolve conflicting IT initiatives, as well as competing with the private sector in the war for talent. This very complex environment is the basis of the government’s reasoning to keep investing in cybersecurity measures.

Racing to Keep Up

Info-Tech's Security Priorities 2022 report covers five security priorities for 2022: acquiring and retaining talent, securing a remote workforce, securing digital transformation, adopting zero trust, and protecting against and responding to ransomware.IT organizations are racing to keep up with change. Info-Tech’s research outlines several recommendations reflecting an IT world altered forever by the catalysts that are the global pandemic, remote work, and increasingly sophisticated cybercrime. It is more important than ever before that organizations (whether public or private) attend to the steps needed to ensure continuing digital transformation. The average cost of a data breach was US$4.24M in 2021; when remote working is involved, the average cost of data breaches is US$1.07M higher than when remote work is not involved. Our recent research solution set Security Priorities 2022 examines this shifting environment in greater detail and outlines recommendations for Government of Canada departments and agencies.

Constantly Shifting Ground

Info-Tech's Cybersecurity Priorities in Times of Pandemic blueprint covers five priorities: culture and awareness, network security, endpoint security, vulnerability management, and security incident management.

Ever since the global pandemic took hold, organizations have struggled to find the right balance between implementing too many security controls – potentially impacting productivity – and not enough security to ensure that organizations remain protected and secure.

It is essential that government departments and agencies cover all applicable domains of IT security whilst adhering to security-related directives. Continual, ongoing retraining of end users, securing endpoints, and updating security response runbooks are just the bare essentials.

It All Starts With a Strategy

Info-Tech's Security Strategy Model focuses on creating a strategy that is business-aligned, risk-aware, and holistic. It covers the business context, pressures, security target state, security current state, and roadmap.

All institutions, public or private, should have an IT security strategy that outlines the security direction for the organization and how that IT security strategy is to be achieved. There can be no substitute for the fundamentals here: A right-sized cybersecurity strategy is based on an organization’s overall IT security strategy. Info-Tech provides an information security strategy blueprint that aligns with organizational objectives, assesses organizational risk, incorporates a comprehensive current state assessment, and prioritizes IT security initiatives into an IT security roadmap. Smaller departments especially benefit from a strategy that takes into account their leaner environments while protecting and defending the organization from rogue actors and cyberattacks; see our specialized playbook Build an Information Security Strategy for Small Enterprises.

Cybersecurity in the Federal Government Context

The title slide of the Federal Government Cybersecurity Report, an industry key trend.

Federal Government agencies have unique characteristics – conditions that have become even more acute since the beginning of 2020. Our Federal Government Cybersecurity Report outlines these scenarios in far greater detail, offering a framework to help departments and agencies support the National Cyber Security strategy and ensure continued public trust in government institutions.

What to Do With Legacy

Many pieces fall under the umbrella of digital strategy: digital principles, organizational goals, the digital operating model, and the digital delivery model all work together with their various parts.Most Federal Government of Canada ministries and departments are not new entities. Many Government of Canada departments are older than many private-sector organizations and as such are more likely to be saddled with legacy solutions and legacy maintenance processes. Legacy solutions may not be able to accommodate current security features such as multifactor authentication, single sign-on, or RBAC (role-based access controls), let alone novel encryption methods. It is harder for legacy solutions to accommodate changes with the agility that today’s workplace requires, putting additional pressure on IT to keep up to date with ever-changing release and deployment management commitments. Moreover, legacy applications regularly suffer from compliance issues, declining vendor support, and resource skill shortages. These are not good ingredients for digital transformation.

Of course, departments have known this for years – the latest incarnation of efforts generally being enshrined within the term modernization, an effort involving IT and business teams to work as one to deliver products and services preferentially through technology; see our playbook Modernize Your Applications. In the zero-sum environment of cybersecurity where an organization’s security posture is denominated by its weakest link, it is essential that IT departments have a plan in place to either sunset, fortify, or isolate these legacy systems.

Our Take

The Federal Government has realized the importance of cybersecurity as a key tenet of sustaining digital transformation. By committing ongoing funds to improving cybersecurity readiness, it is acknowledging the complexity of the changing global environment that Canada finds itself and investing resources for the long run.

Want to Know More?

Click any of the links above to book a call on the topic and get ready to improve your cybersecurity and readiness for digital transformation!

Related Content

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019