From real-time incident response to embedding cybersecurity across government, Canada’s senior cyber official, Sami Khoury explains how collaboration, public trust, and forward-looking strategies address AI, quantum, and evolving threats.
As Canada’s Senior Official for Cybersecurity, how are you ensuring that cybersecurity policies across different federal departments remain consistent, coordinated, and aligned with national priorities?
Coordination across the Canadian government is a critical element to effectively respond to cybersecurity challenges and protect Canadian organizations from the constantly evolving threats. With a career spanning over three decades at the Communications Security Establishment Canada (CSE), a career that values collaboration and partnership, I recognize where expertise lies within the Security and Intelligence community and beyond to tap into the right resources. These years of experience and a voice at key digital tables contribute to discussions that better inform decision-makers with accurate, up-to-date, and authoritative information.
What mechanisms are in place to ensure real-time coordination between government, regulators, and security partners?
Cyber incidents can have a significant impact on an organization if not promptly addressed. Speed is essential to contain the incident and limit the impact of the malicious cyber actor. We often say cyber is a team sport, and a well-functioning team is built on clarity of roles; everyone playing their position. Within the Government of Canada, that clarity of roles is codified in legislation (for example, CSE is recognized as the technical authority for cybersecurity), and cyber incidents affecting Government of Canada (GC) systems and non-GC systems have respective response frameworks including the Government of Canada Cyber Security Event Management Plan (GC CSEMP) and the Federal Cyber Incident Response Plan. These frameworks outline, based on the severity of the incident, the various roles and structure to support the incident response. Since there are no two incidents alike, lessons learned are incorporated in revisions of these frameworks to ensure they are efficient and effective in responding to incidents.
How is the federal government working to strengthen resilience while also building public trust in Canada’s digital systems?
The release of the National Cyber Security Strategy (NCSS) in 2018 recognized the criticality of addressing cybersecurity challenges. The establishment of CSE’s Canadian Centre for Cyber Security (Cyber Centre) and its recognition as the technical authority for cybersecurity were key enablers. For the past seven years, the Cyber Centre has been expanding its reach, supporting organizations across the country, publishing advice and guidance, issuing alerts, and advocating for an agenda of resilience and preparedness. Building partnerships with private and public organizations is crucial to earning their trust and enabling timely information sharing. Informing Canadians about cyber threats takes many forms, including media engagement, conference participation, and private events. This sustained engagement helps raise awareness of the Government of Canada’s breadth of capabilities and the benefits gained from these partnerships.
How are you ensuring cybersecurity considerations are embedded into broader government decision-making?
Whether in government, the broader public, or private sector, effectively tackling the cybersecurity challenges we face is not only reliant on technical ability but also depends on well-informed governance and leadership. At the broadest level, the Canada School of the Public Service offers a mandatory cyber ecurity awareness course to the federal public service. This course level-sets awareness of the latest threats and challenges and offers some best practices to mitigate common vulnerabilities. Within the federal government, there are also several senior-level committees representing a broad range of government departments that meet regularly to discuss all aspects of cybersecurity and inform the government of the latest developments. These engagements ensure the widest possible awareness of cybersecurity challenges and inform the necessary considerations across the government.
Looking ahead, what emerging threats or policy challenges do you see as most urgent for Canada’s cybersecurity posture in the next 3–5 years?
We are living in an unprecedented digital revolution. Over the next three to five years, our mindset for anticipating and proactively combatting threats needs to evolve as rapidly as we see the technology evolving. Looking ahead, this applies particularly in the areas of artificial intelligence and quantum science. Canada has already proven itself a leader in these two emerging fields that are expected to bring many beneficial impacts to Canadians, in the areas of research, productivity, and security, to name a few. However, these emerging fields also need continued attention and thought leadership to ensure net benefits for all, given the scope and scale of malicious actors, trying to exploit this rapid pace of innovation to leverage these capabilities to their advantage. It is worth noting that these innovations do not exist in a vacuum. Cybersecurity is a whole-of-society issue, that requires a whole-of-society response. Increasing our collective level of vigilance will be key to maintaining our strong cybersecurity posture over the next three to five years – and beyond.
