Rapid advances in artificial intelligence and other emerging technologies, as well as intensifying and destabilizing geopolitical conflicts, are making cyberspace increasingly more complex and open to illegal activity. There is an urgent need for all Canadians and organizations to be better protected from scammers, hackers and other digital criminals in the interest of national security.
Prime Minister Mark Carney has framed improved cybersecurity as crucial to Canada’s sovereignty and economic strength, and the introduction of Bill C-8 on related legislation would suggest his government is making it a high priority.
What’s already possible
Many Canadians would be surprised to learn that telecommunications service providers (TSPs) such as Bell Canada, Rogers Communications and Telus already have the technical capability to block known malicious internet traffic before it ever enters Canadian networks. As early as 2022, the Canadian Radio-television and Telecommunications Commission (CRTC) acknowledged that regulatory action was necessary to address the growing volume of illegal traffic targeting Canada’s computer networks. The commission ordered an industry review and requested recommendations. This led to a formal framework released last June (Telecom Directive CRTC 2025-142) directing carriers to block known malicious traffic at the source. Yet despite a compliance deadline of Aug. 12, 2025, little has happened so far.
The challenge is not technical. Canadian carriers already have controls to filter and block harmful traffic. The real difficulty lies in determining, with confidence and consistency, what should be classified as malicious.
The current directive places the burden on each service provider to independently build and maintain its own threat intelligence database. This is resource-intensive and unnecessarily duplicates efforts. It also exposes carriers to legal and reputational risks should legitimate traffic be blocked in error. Without a centralized and legally protected means to identify malicious sources, the CRTC directive will simply not be implemented by the TSPs.
Canada’s tech policies and priorities aren’t doing enough to make citizens safer online
Canadian businesses need a new government approach to cybercrime
The Canadian Centre for Cyber Security (CCCS), the federal government’s technical authority on cybersecurity, works closely with its Five Eyes counterparts — the United States, United Kingdom, Australia and New Zealand — to develop and maintain a highly reliable, automated threat-intelligence data feed known as the Aventail blocklist. The feed is shared with operators of critical infrastructure — including power utilities, banks, airports and nuclear plants — under a legal disclaimer that protects the CCCS from any responsibility should there be errors in Aventail’s content.
Because of that disclaimer, TSPs wanting to block illegal traffic cannot rely on information being shared without assuming liability for any errors originating outside their control.
While no cyber-threat data can capture every emerging menace, the feeds are based on intelligence that has been thoroughly analyzed and vetted before being shared. But the question is not whether the feed is 100 per cent complete, but how often it is wrong. Aventail has been used effectively for many years to protect federal government computer networks. The Canadian Internet Registration Authority (CIRA) has long relied on the feed and states publicly on its website that Aventail’s false-positive rate is “very close to zero.”
Consequences of cyberattacks
Statistics Canada has reported that Canadian businesses spent an estimated C$1.2 billion in 2023 recovering from cybersecurity breaches such as ransomware, identity theft and unauthorized data transfer — and that figure includes only those that were reported. Examples of major cyberattacks in Canada include:
- Suncor Energy: In June 2023, a cyberattack countrywide on the energy company’s Petro-Canada gas stations disrupted card payments and loyalty programs. Although Suncor did not publicly disclose the financial impact, losses from operational disruption, recovery efforts and lost sales involving similar security breaches for companies this size have been considerable.
- Ontario hospitals: In October 2023, a ransomware attack against a shared IT service provider crippled systems at five Ontario hospitals for months. It forced cancellations of clinical services, exposed sensitive patient data and resulted in roughly C$7.5 million in direct recovery and remediation costs.
- Sobeys: In late 2022, a cyberattack on Sobeys, one of Canada’s largest food retailers, disrupted pharmacy and store operations across the country. It was revealed some months later that personal information of employees and customers may have been compromised. The grocery chain said the attack cost it C$25 million.
Where do we go from here?
Against this backdrop it is time to reassess whether the Aventail feed should be shared with telecommunications services providers without their having to assume legal responsibility for errors. TSPs do not have the resources to develop and maintain their own cyber-threat intelligence to a national standard, nor should they be expected to accept liability for mistakes made by others.
The telecommunications regulator, the CRTC, does not have the resources or the expertise to manage a national cyber-threat list. In the CRTC’s June telecom directive, the Canadian Centre for Cyber Security said it could not do so either because that regulatory function is “inconsistent with its mandate.” But the reality is that the CCCS has been managing the Aventail blocklist for years. It is simply not prepared to play the role of regulator and accept legal responsibility should there be an error in Aventail’s content.
One solution would be a memorandum of understanding to provide the Aventail feed to service providers under the authority of the CRTC, but with the support of the CCCS. The CRTC — not the service providers — would assume liability on behalf of the federal government in cases where providers unintentionally blocked legitimate activity based on wrong information from Aventail.
Given such an agreement, the CRTC’s June directive could be amended to require TSPs to block all known malicious internet traffic using Aventail’s threat-intelligence, but without assuming liability for errors. This would enable them to build on their existing infrastructure to provide added cyber protection for all computer networks and smartphones in Canada at no additional cost to taxpayers. This approach would be a practical and low-cost step that would align well with Carney’s overarching goal of making Canada stronger, more resilient and better protected in an increasingly uncertain world.
