Canada’s digital systems are no longer just administrative tools. They are part of the country’s critical infrastructure, and when they fail, the consequences go far beyond IT departments. The 2020 cyber incidents tied to the Canada Revenue Agency (CRA) offer a clear example. What initially appeared to be a technical and privacy problem also exposed the vulnerability of public-facing government systems when they hold sensitive personal data, process financial transactions, and serve as gateways to essential services. The lesson for policymakers is not simply that one department requires better security. It is that Canada’s digital state must become part of its broader resilience strategy.
State use of online government platforms for taxes, benefits, identity verification, and communication with public institutions has grown substantially in recent years. When those systems are disrupted or compromised, the effects are immediate and cause cascading effects on individuals. In the CRA’s case, compromised credentials were used to access accounts, redirect payments, and raise serious concerns about stolen identities and public trust. These compromises involved CRA “My Account” and GCKey login systems, not personal devices. The recent class-action settlement related to the 2020 incident returned the issue to public view and reminded Canadians that digital vulnerabilities carry real economic and institutional costs.
Public reporting demonstrates that the scale of the incidents was significant. Early disclosures confirmed approximately 5,500 CRA accounts and 9,041 GCKey accounts were compromised, later rising to 11,200 affected accounts across systems. These compromises involved CRA “My Account” and GCKey login systems, not personal devices. Subsequent forensic analysis conducted by the CRA identified 48,500 accounts with suspicious activity. While attackers did redirect benefit payments by altering direct‑deposit information, no public source provides a full dollar estimate of the financial impact.
Further reporting shows many compromised accounts were used to divert COVID‑19 benefits
The broader cyber environment makes these incidents more important, not less. Canada’s 2025–2026 National Cyber Threat Assessment warned that the country is facing an expanding and more complex threat landscape shaped by both state-sponsored actors and cybercriminals. It emphasizes that attackers are becoming more aggressive, more adaptive, and increasingly willing to target systems that affect everyday users. This is crucial, as it indicates that the biggest cyber risks to Canada are no longer confined to defence networks or intelligence systems. Civilian infrastructure and government services are now targeted to create disruption. Threat‑intelligence teams also report rising attacks on public and financial systems.
These tactics affect identity systems, payment platforms, verification services, communication portals, and the back‑end systems supporting them. The assessment is especially clear that state-sponsored cyber activity now significantly exceeds espionage. Adversaries are not only stealing information, but are also attempting to pre-position themselves in networks, conduct disruptive operations, and combine cyber activity with information campaigns. China is identified as the most sophisticated and active cyber threat to Canada through espionage operations, intellectual property (IP) theft, and malign influence, while Russia continues to target Canada because of its alignment with NATO/Ukraine and strategic importance in the Arctic. In Canada, “malign influence” includes foreign interference and elements of transnational repression. Iran, North Korea, and India also present varying levels of threat. North Korea, for example, has been repeatedly linked by governments and private cybersecurity firms to large‑scale theft of cryptocurrency, financially motivated intrusions against banks, and disruptive campaigns such as the WannaCry ransomware outbreak. Taken together, this means Canada’s cyber challenge is no longer hypothetical or distant, but embedded in the country’s political, economic, and diplomatic environment.
This is where the CRA incident becomes more than an isolated case study. Tax and benefits systems may not look like traditional national security assets, but they form the economic backbone of the state. They manage financial flows, store identity information, and help citizens access essential programs during periods of distress or emergencies. When such systems are compromised, public trust is weakened. Frauds can spread quickly. Administrative disruptions can affect people’s financial stability. This can mean delayed payments, locked accounts, call‑centre backlogs, and added verification steps. Further, repeated failures can create doubt about whether public institutions are prepared to protect the digital systems on which modern governance depends.
NATO members’ evolving approach to cyber threats reinforces this point. Over the last decade, NATO has increasingly treated cyberspace as a core operational domain rather than a secondary technical issue. The Alliance has made clear that cyber defence is part of its broader deterrence and defence mission, and that national resilience is essential to collective security. NATO policy and(CCDCOE) research stress that resilient civilian systems are essential to readiness. NATO’s cyber posture recognizes that allied strength depends on reliable civilian and institutional systems.
For Canada, that means domestic cyber resilience has geopolitical implications. A country that cannot adequately secure its own essential digital systems is also more vulnerable as an ally. NATO has emphasized the need for stronger national cyber defences, more resilient critical infrastructure, and deeper cooperation among member states. In practice, this means public platforms such as those managed by the CRA should not be viewed merely as administrative websites. They form part of a wider resilience architecture that supports fiscal stability, social trust, and state capacity. Protecting them contributes not only to good governance at home, but also to Canada’s credibility within the Alliance.
Outside traditional security norms, there also exists an economic argument. As the core of the information economy, cybersecurity is now inseparable from economic security. A digital economy depends on trust: trust that personal data will be protected, that online services will remain available, and that public institutions can manage digital risks responsibly. When a major federal platform is compromised, the damage extends beyond those directly affected. It can undermine confidence in digital service delivery, raise doubts about the safety of cross-border data practices, and weaken Canada’s image as a secure environment for innovation and commerce. In that sense, defending public digital infrastructure is also about defending the conditions that support investment, trade, and long-term stability. Canada’s cyber strategy also links secure digital systems to economic competitiveness.
Canada’s new 2025-2026 National Cyber Security Strategy reflects this broader understanding. To make proposed reforms more actionable, policymakers can look to Alliance guidance and member‑state practices for models. NATO’s cyber‑defence framework and allied initiatives provide templates for integrating civilian resilience into national defence planning, and some member states have pursued measures such as centralized identity standards, mandatory MFA for public services, and national‑level incident detection and response centres (for example, resilience‑focused approaches in Estonia and identity/standards work in the United Kingdom offer practical reference points). Drawing on these examples can help translate high‑level strategy into feasible operational steps for Canada.
Canada’s threat environment has already made clear that cyber risks demand serious attention. The real question is what Canada chooses to defend. If digital government systems now underpin services, finances, and public trust, they must be treated as strategic assets. The CRA incidents and NATO’s resilience agenda show that defending Canada today means defending the digital systems that hold the state together.
