NDDN Committee Report
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
List of Recommendations
As a result of their deliberations committees may make recommendations which they include in their reports for the consideration of the House of Commons or the Government. Recommendations related to this study are listed below.
Recommendation 1
That the Government of Canada establish an ongoing multistakeholder platform for collaboration and engagement on cybersecurity issues. The objectives of this platform could be modelled after the Industry 100, in the United Kingdom. It should be established to create a collaborative space where industry and cyber officials meet to exchange information, best practices and establish forms of reporting private sector cyberattacks to lead to better information sharing and prevention of future attacks.
Recommendation 2
That the Government of Canada invest in its own network infrastructure cybersecurity and undertake a comprehensive assessment of additional requirements necessary to harden government systems and third-party network infrastructure on which its data is stored, with the goal of ensuring that its sensitive data is protected and secure.
Recommendation 3
That the Government of Canada work with our Five Eyes partners to adopt a Cybersecurity Maturity Model Certification (CMMC) that would be consistent and recognized by our partners to ensure that Canadian defence companies are not disadvantaged by having different security standards in Canada compared to our Five Eyes partners.
Recommendation 4
That the Government of Canada take steps to incentivize companies, which could include tax credits, to adopt cybersecurity measures, such as the “CyberSecure” standard established by ISED and CSE for small and medium organizations.
Recommendation 5
That the Government of Canada expedite the renewal of Canada's national cybersecurity strategy and establish an ongoing review that can better keep pace with the changing nature of cyber threats.
Recommendation 6
That the Government of Canada continue its ongoing dialogue with critical infrastructure owners/operators such as municipalities, Provincial, Territorial, Indigenous governments, and private sector operators such as utility companies; and, that this ongoing work be formalized to have consistent and ongoing dialogue to discuss potential threats as well as best practices.
Recommendation 7
That the Government of Canada examine the CSIS Act to ensure that CSIS has the legislative tools it needs to keep pace with technological advancements, modern digital realities, and the ever-evolving cybersecurity threats facing Canada.
Recommendation 8
That the Government of Canada work with provinces and industry to create requirements for private sector critical infrastructure operators to report ransomware and cybersecurity incidents to the Canadian Centre for Cyber Security within a designated time-period; create appropriate safeguards for victims of cyberattacks to mitigate or eliminate disincentives to reporting; and that the government incentivize owners and operators of critical infrastructure to cooperate with relevant authorities in identifying, reporting, and eliminating vulnerabilities.
Recommendation 9
That the Government of Canada work with industry partners to improve cyber-security at the development stage of hardware and software, in order to help shift the cyber-security burden away from individual users.
Recommendation 10
That the Government of Canada take steps to retain Canadian-developed information technology intellectual property in Canada, including commercialization measures that maintain Canadian ownership of cyber-technologies.
Recommendation 11
That the Government of Canada, in collaboration with civil society, industry and allies, further develop resources to deal with foreign cognitive warfare activities—such as misinformation, disinformation and malinformation—to better protect Canadians and ensure the public can access accurate information.
Recommendation 12
That the Government of Canada ensure federal departments and contracts are audited to confirm the information security standards are being met by government and contractors.
Recommendation 13
That the Government of Canada work with provinces to establish minimum standards for cyber security for small and medium organizations and incentivize companies to adopt the latest security measures to protect from both high-risk low probability and low-risk frequent attacks.
Recommendation 14
That the Government of Canada expand its collaboration with Canadian security and defence industries to bolster Canada’s offensive and defensive cyber infrastructure amidst the growing assertiveness of malign foreign states.
Recommendation 15
That the Government of Canada undertake a comprehensive cyber security analysis to identify existent cyber vulnerabilities in Canada, including but not limited to critical infrastructure, and prioritize eliminating current vulnerabilities and intrusions by hostile actors.
Recommendation 16
That the Government of Canada include space-based platforms as critical infrastructure and, ensure they are protected and secure.
Recommendation 17
That the Government of Canada clearly define the roles and responsibilities of each government department currently responsible for monitoring, responding, and employing cyber capabilities in Canada.
Recommendation 18
That the Government of Canada reviews all cyber-related infrastructure, used for the operational functions of the Department of National Defence and the Canadian Armed Forces, to ensure it is free from sensitive technology designed, assembled and operated, either directly or indirectly, by malign foreign states, which could pose a cybersecurity risk or otherwise compromise protected information.
Recommendation 19
That the Government of Canada mandate all federal government departments and request provincial, territorial, municipal, and Indigenous governments to provide a detailed list of critical infrastructure to Treasury Board and the Communications Security Establishment and update it annually.
Recommendation 20
That the Government of Canada increase funding to the Canadian Centre for Cyber Security to improve coordination between federal and provincial cybersecurity systems to better address incidents.
Recommendation 21
That the Parliament of Canada create a special joint committee on cybersecurity, information warfare and artificial intelligence.
Recommendation 22
That the Government of Canada immediately undertake a comprehensive review and expeditious reform of the procurement process for military equipment, including cyberwarfare equipment—this would include Treasury Board guidelines on competition and sole sourcing—with the intent to bring project times down from years to months or weeks.
Recommendation 23
That the Government of Canada adapt and develop a comprehensive plan for the recruitment and retention of cyber operators which is competitive with the private sector to ensure positions are filled and the cyber skills gap is closed in the Canadian Armed Forces and the Communications Security Establishment.
Recommendation 24
That the Government of Canada develop and deploy “persistent engagement” capacity in collaboration with the Canadian Armed Forces.
Recommendation 25
That the government of Canada implement a system for allowing veterans to maintain security clearances equivalent to the clearances they had with the Canadian Armed Forces when transferring out of service thus enabling a seamless continuity in clearance in order to facilitate their employment in the Department of National Defence. The government should also examine a system of fast-tracking security clearance for veterans seeking employment in other federal departments.
Recommendation 26
That the Government of Canada take steps to clearly define the duties and responsibilities of the Canadian Armed Forces and the Communications Security Establishment as they relate to cyber security in Canada and abroad.
Recommendation 27
That the Government of Canada take immediate steps to address logistical support issues in the Canadian Armed Forces, including the Cyber Forces.
Recommendation 28
That the Government of Canada ensure the future viability of the CAF Cyber Forces by creating a retention program for its Cyber Operators and supplying them with the necessary cyber infrastructure.
Recommendation 29
That the Government of Canada continuously update the legal framework for dealing with cyberattacks, which includes guidelines for attribution, response and liability.
Recommendation 30
That the Government of Canada work with our allies to update international laws, such as the Rome Statute and the Geneva Convention, to include state-sponsored cyberwarfare as a war crime.
Recommendation 31
That the Government of Canada immediately adopt all outstanding recommendations of the Auditor General’s Report 7—Cybersecurity of Personal Information in the Cloud, tabled to Parliament on November 15, 2022.
Recommendation 32
That the Government of Canada use existing sanctions regimes to target individuals and entities targeting Canadians with misinformation, disinformation and/or malinformation.
Recommendation 33
That the Government of Canada impose effective sanctions on countries which condone or deploy cybercriminals for purposes such as theft of funds, theft of intellectual property, information warfare, and other malicious intents.
Recommendation 34
That the Government of Canada open a review of existing cyber-defence policy and hold bilateral conversations with allies, such as the US, to ensure cohesive and consistent policies are being used.
Recommendation 35
That the Government of Canada share Finland and Sweden’s cognitive warfare education for civilians with the provinces.
Recommendation 36
That the Government of Canada establish clear boundaries in the operations of the Communications Security Establishment between their signals intelligence and cybersecurity mandates, including ministerial authorization processes and reporting mechanisms.
Recommendation 37
That the Government of Canada appoint a cybersecurity ambassador.