A panel discussion at CIO Peer Forum in Ottawa. – Photo by Jennifer Friesen,
By the time MajorGeneral Dave Yarker took the mic at the CIO Association of Canada’s Peer Forum in Ottawa, the tone was already clear: Canada’s digital borders are under siege.
“The cyber weather is always bad, much worse than Ottawa,” said Yarker, Commander of the Canadian Armed Forces Cyber Command.
He wasn’t being figurative. In cyber defence circles, “cyber weather” is a shorthand for the constant background noise of digital threats. And right now, the skies are stormy.
According to panellists from the Canadian government and private sector, the threats facing Canada’s digital infrastructure are persistent, global, and increasingly automated. And perhaps most troubling of all, the most dangerous actors are no longer lone hackers or even traditional criminal networks.
Now, the real threat comes from nationstates with time, resources, and political will.
A shifting threat landscape
Bridget Walshe, associate head of the Canadian Centre for Cyber Security at the Communications Security Establishment (CSE), laid out the findings from Canada’s latest National Cyber Threat Assessment.
Among the most consistent and strategic threats, she said, are statesponsored actors, especially from China.
“The largest strategic threat that we see to Canada’s cybersecurity comes from the PRC,” said Walshe. “We’ve had over 20 compromises of Government of Canada networks from PRC actors in the last few years.”
Walshe also cited persistent cyber activity from Russia and statealigned actors targeting critical infrastructure and public events, such as attacks timed with President Zelensky’s visit to Canada.
She noted that Iran and North Korea pose their own risks, particularly through cyberenabled repression and financially motivated ransomware activity.
On top of this, artificial intelligence is reshaping the threat landscape.
“It’s used to find vulnerabilities. It’s used to make very convincing phishing emails. It’s used to research targets. It’s used to industrialize and to automate the processes used by the threat actors,” she said. “Artificial intelligence is really reaching that space where we’re starting to see the uptake in the cyber threat sphere.”
Yarker confirmed that the military sees the same list of hostile actors — China, Russia, Iran, North Korea — but explained that Cyber Command evaluates threats through a different lens: deliberate targeting.
“The things that get my attention are things that are deliberately targeted at the Canadian Armed Forces and the Department of National Defence,” he said. “Because those are the things that are going to have second and thirdorder negative impacts.”
Walshe and Yarker emphasized that understanding why attacks occur is just as important as understanding how. This distinction helps identify when an incident is background “cyber weather” or a sign of something more serious.
On the private sector side: Fewer resources, same battlefield
André Boucher, CISO at National Bank of Canada, offered a view from the frontlines of the private sector. He made no attempt to downplay the gap between what national agencies see and what he can access.
“I need what they see. I need their information. I need them to help me out and vector, and help us focus. Because I don’t have unlimited resources,” Boucher said. “These two very lucky people with us today hire the top 5% quality people in Canada… The rest of us, the 95%, we have to take what we have, invest it smartly, and do the best that we can with the tools that we have.”
When it comes to visible threats, Boucher pointed to ransomware as the most consistent risk, especially where it intersects with financial crime. He noted that commercial cyber detection tools often use different naming conventions and labels from those used by government, creating barriers to alignment.
His solution? Collaboration and trusted communities.
“The analogy I always use is… imagine if we’re all connected and we’re all holding the same bat together, and I’m the one who’s first attacked by something and I swing and I miss, but I tell everybody in my community what just happened,” Boucher said. “They will not swing and miss.”
But sharing isn’t always easy.
“Your reputation is at risk,” he explained. “Your clients want to hear about it. Your lawyers are lawyering up. Your public relations team is telling you to zip it up.”
In those moments, trust becomes currency. Boucher described private, encrypted channels, like Signal and Telegram, where industry peers quietly flag emerging threats to each other. It’s a closed loop, built on experience and discretion.
With a grin, he offered a warning: these are not the kind of spaces that welcome outside scrutiny.
“So I hope in your single community, don’t bring journalists,” he joked. is still waiting for an invitation.
Resilience comes from planning, not improvisation
When moderator Bruno Couillard asked how each panellist’s organization builds cyber resilience, the consensus was that training, not tools, is the foundation.
“In the private sector, at least in publicly traded companies, you have a board,” said Boucher. “As a CISO, I need my board to tell me what their risk appetite is. How bad can it get? Because I can’t do everything.”
He stressed the importance of scenario planning and handson training to build resilience. He explained that organizations need to model risks, anticipate failures, and then actively rehearse responses through exercises like tabletop simulations and live attack drills, sometimes even using third parties to launch unannounced tests on their own teams.
“Practice,” he said. “It’s not perfect, but it works.”
Yarker agreed, saying, “If you do the basics well, there’s no guarantee, but that really works.”
Walshe expanded the discussion to include the human cost.
“The fact that when there’s a cyber incident going on, and in this role we observe so many and have those conversations with the organizations and really hear the emotional impact and the toll it takes on people,” she said. “It’s also the ability to respond and understand and be resilient when somebody is coming after them with social engineering.”
Looking beyond AI to the quantum horizon
The panel ended by looking ahead to quantum computing. While AI is a current and active threat vector, Couillard raised concerns about the future risk of quantum computers cracking encrypted data years after it’s stored.
“I need to be very mindful with my next dollar,” Boucher said candidly, explaining that quantum computing is still a future concern (what he called “the day after next”) while AI poses immediate challenges.
He noted that in boardroom discussions, quantum threats tend to get little traction, with decisionmakers often losing interest and moving on.
Walshe emphasized the importance of planning for quantum readiness through regular upgrade cycles. Organizations should be thinking about longterm resilience now, she said, by asking key questions during procurement and infrastructure decisions.
“What am I life cycling when I’m purchasing new equipment?” she asked. “Is it going to be automatically upgraded? When I’m working in the cloud, is my cloud service provider ready to start providing me with those things in my on prem infrastructure?”
Yarker echoed her caution.
“Quantum remains a serious threat and a potential challenge,” he said. “But in terms of the things we can do today to mitigate how we guess that threat will materialize, we’re doing.” Still, he warned against tunnel vision. “The thing that worries me is the sort of more black swan bit that we’re not talking about.”
A shared defence with no bench limit
One of the most resonant moments came when Yarker recalled a comment from U.S. Cyber Command’s first leader.
“Cyber is a team sport, but the best thing about this team sport is it’s got no bench limit,” he said.
It was a fitting close to a conversation that began with bad weather, because in a storm that never lets up, what matters most is who’s standing beside you.
Canada’s digital resilience, the panel agreed, doesn’t come from isolated defences or perfect systems. It comes from people, coordination, and shared responsibility.
Boucher summed it up by saying “Although we think we’re working in technology, we’re really working in the human landscape.”
is the national media partner for the CIO Association of Canada.
This article was created with the assistance of AI. Learn more about our AI ethics policy here.
