Shared Services Canada (SSC), the federal agency responsible for delivering digital services and IT infrastructure across the Government of Canada (GC), has issued a comprehensive update on the state of cybersecurity and digital transformation within the federal public service. In a recent ministerial transition briefing, SSC detailed both pressing challenges and strategic advancements, with a focus on enhancing the resilience of GC systems against digital threats.

The report, addressed to the newly appointed Minister of Government Transformation, Public Works and Procurement, Joel Lightbound, stressed the need for modernization and enterprise-wide coordination. Scott Jones, President of SSC, and Raj Thuppal, Executive Vice-President, acknowledged ongoing progress but emphasized the need for continuous improvement.

“While SSC is providing tangible results, there remains significant room to do better,” they stated, noting the importance of shifting from fragmented, siloed IT management to a whole-of-government approach. This model, they argue, has already produced measurable gains in cost savings, service reliability, and cyber resilience.

A Massive Cyber Threat Landscape

The scale of cyber threats faced by Canada’s federal systems is staggering. SSC’s cybersecurity services, in collaboration with the Canadian Centre for Cyber Security (CCCS), block nearly 6.5 trillion malicious attempts each year aimed at disrupting government services. This includes stopping 7,000 phishing and malware campaigns and analyzing over 135 billion cyber events annually. 

According to the agency, cyber threats continue to grow in complexity and severity. These include criminal ransomware operations and state-sponsored cyber adversaries targeting national infrastructure and sensitive data. Legacy systems, which are more vulnerable to such threats, further complicate the protection of GC systems. 

To counter these risks, SSC employs a multi-layered defense model incorporating enterprise-grade tools such as firewalls, anti-malware solutions, network scans, and strict access control mechanisms. The agency is also adopting a zero-trust architecture, which limits access based on user credentials and restricts trust even within the network perimeter. 

Sharing the Responsibility for Cyber Security

Cybersecurity within the federal government is managed as a shared responsibility. SSC handles the infrastructure and enterprise services layer; the Treasury Board of Canada Secretariat’s Office of the Chief Information Officer (TBS OCIO) oversees policy and strategic governance; and the CCCS, part of the Communications Security Establishment (CSE), provides technical expertise and operational defense. 

Together, these organizations deploy advanced cyber sensors and automate detection mechanisms capable of defending against over 6 billion malicious actions per day. In the event of a cyber incident, the Government of Canada Cyber Security Event Management Plan (GC CSEMP) provides a framework for coordinating response and mitigation activities across departments, with SSC taking a central role in monitoring, containment, and recovery operations. 

Supply Chain Integrity Under Watch 

SSC has also flagged increasing risks to supply chain security, particularly as sophisticated threat actors attempt to embed vulnerabilities at the hardware and software levels. Since 2012, SSC has implemented Supply Chain Integrity (SCI) reviews to assess products and vendors across three risk dimensions: sensitivity, foreign ownership and control, and technical vulnerabilities. 

To date, more than 83,000 SCI assessments have been conducted. Products flagged as medium or high risk may be subject to mitigation requirements or disqualified from procurement processes. 

Addressing Gaps in Small Agencies 

One key vulnerability identified by a 2022 National Security and Intelligence Committee of Parliamentarians report involved 43 Small Departments and Agencies (SDAs) that were operating outside SSC’s secure enterprise internet services.  

In response, SSC began onboarding these agencies to standard services, including secure Internet, email, remote access, and malware detection. By the end of FY 2024–25, 23 SDAs had been fully integrated into SSC-managed connectivity services, and 15 had migrated to enterprise email platforms. 

Artificial Intelligence and IT Resilience 

With malicious actors increasingly leveraging artificial intelligence (AI) to scale attacks, SSC is also turning to AI to reinforce defensive capabilities. Security tools such as firewalls and malware scanners are now AI-enhanced to respond more quickly and accurately to threats. 

At the same time, SSC is investing in Enterprise Command Centres (ECCs) designed to monitor the GC’s IT infrastructure in real-time. These centers, including a new centralized hub in the National Capital Region, aim to detect and mitigate performance issues and outages before they escalate into critical failures. 

Procurement Pressures and Vendor Risk 

SSC also noted growing pressures in the global IT market that are affecting federal procurement strategies. Inflation, rising cloud infrastructure costs, and geopolitical tensions are increasing dependency risks and potentially reducing vendor diversity. The CCCS’s National Cyber Threat Assessment 2025–26 highlighted the dangers of vendor concentration, where reliance on a small number of suppliers can create systemic vulnerabilities. 

To manage this, SSC plans to diversify suppliers, invest in sovereign digital capabilities, and enhance its compliance with national security procurement standards. 

References: 

• https://www.canada.ca/en/shared-services/corporate/about-us/transparency/briefing-documents/ministerial-transition-may-2025.html#toc04-4