From ransomware to quantum disruption, Canada must take urgent steps to defend its institutions and build long-term cyber capacity. Observer Labs
This Q&A is part of Observer’s Expert Insights series, where industry leaders, innovators and strategists distill years of experience into direct, practical takeaways and deliver clarity on the issues shaping their industries. At a moment when cyber threats are escalating alongside geopolitical tensions, Canada finds itself at a crossroads: how to defend its digital infrastructure, protect its economy and maintain global competitiveness while preserving the values of an open, democratic society.
Judith Borts, senior director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University, sits at the intersection of policy, security and economic strategy. With a career spanning provincial economic development, national innovation policy and cross-sector collaboration, Borts has become one of Canada’s most vocal advocates for treating cybersecurity not as a niche technical specialty but as a shared societal responsibility—one that will determine the country’s digital sovereignty in the years ahead.
Her work at the Catalyst focuses on building the talent, partnerships and operational capacity Canada needs to withstand increasingly sophisticated attacks. But it’s her policy background that gives her a panoramic view of what’s at stake. Canada, she argues, can no longer afford a reactive approach to cyber risk. Nation-state adversaries, criminal networks and A.I.-accelerated threats are moving faster than traditional governance models can respond, and the downstream costs to Canadians are already enormous.
Borts outlines where Canada is falling behind global peers, what a truly unified national cyber strategy would require and why talent development may ultimately matter more than any single technological breakthrough. She also offers a candid look at the sectors most vulnerable today, the policies needed to strengthen resilience and how emerging technologies like A.I. and quantum computing will reshape the country’s digital future. Canada’s prosperity increasingly depends on something once viewed as purely defensive: a secure and trusted digital ecosystem.
With global alliances shifting and the U.S. pulling back from international cooperation, how are these geopolitical tensions directly reshaping Canada’s cybersecurity priorities and its role in intelligence-sharing networks?
Even as global alliances shift, intelligence sharing through networks like the Five Eyes, G7 and NATO remains strong. That’s not really where Canada’s biggest challenge is. What we really need to zero in on is building our own sovereign defence and resilience—including in the cyber and digital domains—so we can protect ourselves, respond quickly when threats come up and recover safely and securely.
Cyberattacks today can come from anywhere (foreign governments, organized groups or even individuals), and they pose real risks to Canadian institutions, businesses and citizens. Our national security and defence strategies need to reflect that reality. We need to invest more in homegrown talent and innovation, from cybersecurity research to advances in A.I. and quantum technologies, so that Canada can stay ahead of the curve. It’s not about losing trust in our allies; it’s about maintaining our strong relationships while also making sure we have the strength and resilience to stand on our own when it matters most.
Which Canadian sectors are most exposed to cyber risk, and how prepared are they to defend against the sophisticated attacks we’re seeing today?
Every sector in Canada, as well as around the world, is exposed to cyber risk. Healthcare continues to face some of the most visible and alarming threats. Ransomware attacks have forced hospitals to cancel surgeries and even shut down emergency systems, putting patient safety directly at risk. The energy sector is another major target. And what used to be mainly about stealing data has now shifted to attempts to interfere with the systems that keep our power grid running. As our digital and physical infrastructure becomes more connected, those risks multiply and even a single successful attack can throw essential services across the country into chaos.
Canada’s economy is powered by small and medium-sized businesses, which make up about 99 percent of all companies in the country and account for more than half of the country’s GDP. These companies are increasingly being targeted but often lack the specialized staff, training and resources to respond effectively. Plus, the impacts of a ransomware attack on an SMB’s bottom line can be massive.
We’re seeing progress in some areas, but these are still isolated efforts. Real national cybersecurity and resilience mean a coordinated approach, one that brings strong security standards together with real investment in education, innovation and long-term capacity building. That’s how we keep Canada’s economy secure and competitive in the years ahead.
What specific policy mechanisms are needed to create a unified national cyber strategy that also respects Canada’s diverse regional priorities?
A top-down approach alone won’t keep up with how fast threats evolve or be able to address the practical needs of all regions. Real resilience comes from bringing federal, provincial and local efforts together so we can build safe and secure communities, share information faster, respond in real time and build trust across sectors.
We also need to make it easier for Canadian businesses to operate securely, both at home and abroad. That means creating a more harmonized and less fragmented set of cyber standards and compliance requirements, so companies aren’t forced to navigate a maze of conflicting rules across jurisdictions. Taking a more unified approach that integrates leading global approaches and consistent standards would help Canada stay internationally competitive while keeping our digital ecosystem strong and secure.
In a nutshell, the federal government should set the national vision and provide the framework and tools while empowering local governments, organizations and innovators to adapt that framework to their realities. When everyone works from the same playbook, security can become part of how we do business—not a barrier to it.
As cyber threats evolve, is Canada keeping pace with peers like the U.S. and the E.U. in building defensive capabilities, or are governance gaps holding it back?
It’s an exciting time for cybersecurity in Canada, but the truth is we’re not yet keeping pace with our peers. The United States invests close to $800 billion or 3.5 percent of GDP annually in research and development, while Canada spends less than 2 percent of ours, and only a fraction of that goes toward cyber and defense innovation. That gap matters. The European Union, meanwhile, approaches cybersecurity not just as a security issue but as a pillar of economic resilience, seeing digital protection and competitiveness as two sides of the same coin.
Canada has world-leading talent in cybersecurity, A.I. and quantum. We are also building a strong foundation with proposed legislation like the Critical Cyber Systems Protection Act (Bill C-8) and a growing base of innovation, but we need to move faster—connecting our federal, provincial and municipal strategies, strengthening our talent pipeline and investing in homegrown technology. If we treat cybersecurity as both national defence and economic opportunity, we can close the gap and position Canada as a real leader in the digital future.
What are the most critical lessons from recent high-profile cyberattacks, and how should they guide efforts to build systemic resilience?
If there’s one thing recent cyberattacks have taught us, it’s that we need to wake up. No one is really paying attention to how serious this has become. We’re seeing massive fraud and data theft happening quietly, every day, and too often the response is weak at best. The impacts are not only felt at the victim’s level; the burden of the costs to Canadians is enormous, and we’re all paying for this.
And still, people aren’t changing their passwords, companies still skip basic protections like multi-factor authentication, and we’ve normalized the idea that our data will be stolen eventually. That has to change.
There’s a common mantra in the cyber community that when it comes to cyber threats: ‘it’s not if, but when.’ But the lesson isn’t that attacks are inevitable. It’s that we need to take preventative action and prepare for potential threats. Complacency is our biggest weakness.
We can’t treat cybersecurity as background noise while we rush to adopt new technologies like A.I. A.I. can make systems smarter, but it also makes cyber threats faster, more targeted and harder to detect. At the same time, many organizations are adopting A.I. without fully addressing the very real risks that come with it. Every organization embracing A.I. should be asking: Are we doing this in a way that keeps us secure and our clients/customers safe?
True resilience isn’t about specific actions by a cyber team; it’s about how fast and effectively we respond and how seriously we take the responsibility to protect ourselves in the first place.
What role should partnerships between universities, public institutions, government, private industry and Canadian tech companies play in building national cyber resilience?
No single group can solve Canada’s cybersecurity challenges on its own—the threats are too complex, the digital infrastructure is too vast and diverse and the stakes are too high. True resilience depends on everyone working together: universities driving research and developing talent, government providing intelligence, guidance and coordination, industry building secure systems and helping to generate specialized talent and Canadian tech companies pushing innovation forward.
But collaboration can’t just happen in boardrooms or policy papers: we also have to meet Canadians where they are. Digital resilience and cyber awareness are no longer specialized skills; they are now basic workplace essentials. Everyone, regardless of their role, needs to understand how to protect information, manage digital tools responsibly, and remain vigilant to evolving threats. If we’re going to reach everyone, it means finding more creative and practical ways to weave cyber awareness and digital resilience into everyday life, whether that’s through local community programs, small business training or more accessible education.
When universities, public institutions, government, and industry connect directly with Canadians, cybersecurity stops being an abstract concept and becomes something everyone can take part in.
That whole-of-society approach is no longer optional. It’s literally the foundation of our national resilience.
How does developing a skilled and diverse cybersecurity workforce contribute to Canada’s digital sovereignty and long-term competitiveness?
When we talk about securing Canada’s digital future, the real advantage isn’t just in technology; it’s in people. We need Canadians to protect what matters to Canada and build a robust digital infrastructure that we can rely on to keep our economy and country growing in the face of mounting threats. This requires a trustworthy and capable workforce. At the Catalyst, we have no delusions about the impacts of A.I. on cybersecurity work. The key question is: what does a skilled cybersecurity workforce look like in the age of A.I.?
We are hyper-focused on creating not only skilled cybersecurity professionals, but also helping those in other organizational roles across different sectors to better understand the cybersecurity challenges they are facing while maintaining a keen eye on emerging technologies such as A.I. and quantum computing. Through our programs, we’re building job-ready professionals who can address the human, organizational and technical issues of cybersecurity.
But in an era where A.I. can automate certain technical functions, the real challenge—and opportunity—is in ensuring that we have an agile workforce and that we educate and support individuals in exercising judgment, creativity, critical thinking, contextual understanding and ethical reasoning that machines can’t replicate.
It’s like asking how you maintain a community of great writers when A.I. can draft a paragraph for you: the value shifts to insight, empathy, strategy and human perspective.
How can Canada’s cyber strategy link security, innovation and economic growth?
For too long, we’ve talked about cybersecurity as a purely defensive measure. Many still view it as just the cost of doing business. The truth is, in the modern economy, cybersecurity is an investment, and resilience is one of our biggest competitive advantages. It’s the bedrock of national prosperity and our ticket to maintaining our position as a serious player on the global stage.
Think about it: when we create an environment built on digital trust, with infrastructure that is both robust and secure, everything else follows. It’s what gives international partners the confidence to invest here, and it’s what gives our own innovators in critical sectors like finance, healthcare and technology the secure launchpad they need to bring their best ideas to life.
So, the critical question is, how do you intentionally build that kind of environment? It doesn’t happen by accident, and it can’t rest solely on a policy or a plan. It only comes about through action.
By combining smart government policies and strong intellectual property and patent protections with real incentives for our businesses, we stop treating cybersecurity as a problem to be solved and start seeing it for what it is: a massive opportunity to build our next generation of tech leaders and secure Canada’s role as an innovator.
How will emerging technologies such as A.I. and quantum computing reshape Canada’s cybersecurity landscape, and what must be done now to ensure a secure, sovereign, and competitive digital ecosystem by 2030?
A.I. is rewriting the cybersecurity landscape, and quantum computing won’t be far behind. Each one presents both huge opportunities and serious threats. As these technologies start to converge, we will see incredible new possibilities and potential, but also significant power to cause real damage if we’re not prepared.
A.I. is now an arms race. For every advanced risk detection model we create, our adversaries are using A.I. to launch attacks. And quantum computing is the horizon. This will threaten most of the common encryption used today.
This new reality demands a strategic change, including what the industry calls the “shift-left approach.” Traditionally, security testing happened at the end of a project, just before the software was released. Shift-left flips that model by pushing security earlier in the development cycle—essentially “shifting” it to the left on the project timeline.
For example, instead of waiting until a new system is fully built to check for vulnerabilities, developers should build security into the design on day one, and then test for risks at each step. This approach comes from modern software engineering, but it’s now essential for cybersecurity: if emerging technologies like A.I. aren’t built with security-by-design, we’re already behind.
Ultimately, by investing in talent, targeting the best in R&D, and investing in an innovative ecosystem, Canada can make sure we’re not just reacting to technological change but we are leading the change.