March 2026
Table of Contents
- Introduction
- What is CAFCYBERCOM?
- Why was CAFCYBERCOM Created?
- What can CAFCYBERCOM do?
- Authorities for Military Cyber Operations
- International Joint Defensive Cyber Operations
- Offensive Cyber, Transparency, and CSE Technical and Operational Assistance
- Strategy & Future Challenges - Building an Advanced Persistent Threat
- Understanding CAFCYBERCOM’s Role in Persistent Cyber Conflict
- We Can’t Pretend to do Mission Command
- Making it Happen: Funding, Procurement, and Force Development
- Conclusion
- About the Author
- Canadian Global Affairs Institute
Introduction
On September 26, 2024, Minister of National Defence Bill Blair and Chief of the Defence Staff General Jennie Carignan held a ceremony at Canadian Forces Station Leitrim, the home of the Canadian Armed Forces (CAF) Network Operations Centre (CFNOC), to officially create CAF Cyber Command (CAFCYBERCOM). Although the creation of CAFCYBERCOM was first officially announced in Our North, Strong and Free only five months earlier, in April 2024, CAFCYBERCOM represents the culmination of nearly 25 years of work by the CAF’s cyber operations program. While CAFCYBERCOM was stood up in near record time compared to similar organizations, it took the Department of National Defence (DND) and senior CAF leadership considerable time to recognize the need for such a command in the first place. Its creation had been a long time coming and desperately needed—it was the early 2010s when the Defence Team’s Cyber Task Force identified many issues related to command and control and the force development of DND/CAF’s digital and cyber capabilities. Canada’s investment in CAF cyber capabilities has only recently begun to parallel similar investments by other Five Eyes and NATO allies, so there remains significant work for CAFCYBERCOM to grow as an organization. As a result, it is important that we understand why it was created, the purpose of a cyber command, what CAFCYBERCOM can do, and the ways the Government of Canada can authorize CAFCYBERCOM to conduct cyber operations.
What is CAFCYBERCOM?
CAFCYBERCOM is Canada’s military organization responsible for the cyber defence of the CAF and Canada. This means that it acts as the national defence authority for cyber operations and is responsible for the force employment, generation, sustainment, management, and development of the CAF Cyber Forces. CAFCYBERCOM is built upon the CAF Cyber Forces created in 2017 but expands them into a fully independent command structure that integrates the CAF’s cyber capabilities, signals intelligence (i.e., CAF military signals intelligence units and cooperation with the Communications Security Establishment (CSE)), and joint electronic warfare. One aspect that makes CAFCYBERCOM unique is that it is a fully independent command that has authority over all military cyber operations, force employment, and generation, but most of its administrative and bureaucratic functions are done by the primarily civilian Digital Services Group (DSG).
DSG’s unique support role enabled CAFCYBERCOM to go from initial announcement to official creation in five months. Further, the Defence Team agreed to launch the command as soon as it reached what the first Commander of CAFCYBERCOM, Major-General Dave Yarker, calls “minimum viable command.” This term is borrowed from “minimal viable product,” which many technological startups use to describe a product that possesses the bare essentials required to achieve the most effect and receive the most customer feedback. On the day of the official launch of CAFCYBERCOM in September 2024, there was no physical change to the CAF Cyber Forces; however, major changes occurred to the command structure and organization of the CAF Cyber Forces into CAFCYBERCOM. By adopting this approach, CAFCYBERCOM has been able to quickly stand up as an organization and begin building out its full structure over the next few years. The most immediate benefit of this approach is that it resolves many of the complicated command and control issues of CAF cyber operations and the Cyber Forces. By aligning its administrative and bureaucratic functions with the DSG and strengthening its existing relationship with CSE, CAFCYBERCOM has significant potential to become a cornerstone of Canadian national defence.
Why was CAFCYBERCOM Created?
The political and military reasons for the creation of CAFCYBERCOM are different. The Government of Canada stated that the creation of CAFCYBERCOM demonstrates to allies that Canada is committed to cyber defence and CAF cyber operations and reflects the recognition that cyber has an “essential role” in modern operations. For DND/CAF, the creation of CAFCYBERCOM has much more to do with the increasing operational effectiveness of military cyber operations and force development. Before CAFCYBERCOM was created, operational command authority of the CAF’s Cyber Forces was vested in the Cyber Force Commander, who reported to the Assistant Deputy Minister (Information Management) for administrative issues and the Vice Chief of the Defence Staff for military operations, who subsequently reported to the Chief of the Defence Staff.
Complicating this further, the Cyber Force Commander was also the Chief of Staff (Information Management), Chief of Cyberspace Staff, and the CAF J6, meaning that the Cyber Forces were led as part of a large portfolio. Command and control during this time was also cumbersome, requiring the Cyber Force Commander to report through the Vice Chief of the Defence Staff to the Chief of Defence Staff for operations, a process that was inefficient and time consuming. Cyber operations are often time sensitive or require direct authorization from Cabinet or Minister of National Defence for certain operations, which made this command and control structure ineffective. This motivated the CAF to create CAFCYBERCOM as a full, independent military command, allowing its commander, Major General (MGen) Dave Yarker, to dedicate his full attention to the development and conduct of military cyber operations while reporting directly to the Chief of the Defence Staff. This allows MGen Yarker to prioritize both operations and force development, improves the efficiency of command and control by streamlining reporting through the Chief of the Defence Staff to CAFCYBERCOM, and ensures there is a dedicated cyber champion among the senior leadership of the CAF.
The creation of CAFCYBERCOM and DSG is part of a broad institutional shift to improve how DND/CAF manages the entirety of its digital and cyber enterprise that began under former Chief of Defence Staff Wayne Eyre and Vice Chief of Defence Staff Frances Allen. Historically, DND/CAF’s management of information and communications technology has been marred by conflicting and overlapping authorities, responsibilities, and accountabilities. Because these determine who is supposed to do what, when, and why, the redundant and conflicting authorities, responsibilities, and accountabilities led to inaction, confusion, and delays in the management and operation of the Cyber Forces. While the creation of CAFCYBERCOM is indeed a great step forward in addressing these challenges, it also shows how slowly DND/CAF has addressed structural and institutional issues. These problems in the information management of DND/CAF were identified by the CAF Cyber Task Force in the early 2010s. However, it was not until a 2022 audit confirmed that there were issues with authorities, responsibilities, and accountabilities that DND/CAF began to work towards resolving this.
While the creation of CAFCYBERCOM and DSG helps to resolve many of these issues, DND/CAF must be conscious that this is only the beginning and must maintain an adaptive approach to developing CAFCYBERCOM and improving the overall management of the Cyber Forces with DSG. The improved alignment in command and control and authorities, responsibilities, and accountabilities now enables DND/CAF’s digital and cyber institutions to help lead digital modernization and adoption of the CAF’s digital and cyber-enabled future fighting concept of pan-domain command and control, but this still requires engaged leadership to make use of these new institutions to ensure DND/CAF’s digital objectives are met.1
What can CAFCYBERCOM do?
CAFCYBERCOM is responsible for cyber operations, but what does this mean? For DND/CAF, the authorities for these generally fall under three areas: cyber security and cyber mission assurance, defensive cyber operations, and offensive cyber operations. Cyber security and cyber mission assurance are often what people have in mind when they think of “cyber security” such as installing antivirus software, maintaining password policy compliance, and monitoring networks for suspicious activity. These activities encompass most of the operations and work conducted by CAFCYBERCOM. DND/CAF derives the authority for setting cyber policy and conducting cyber security operations from two sources: Section 161 of the Financial Administration Act and its Cyber Mission Assurance Program from Strong, Secure, Engaged.
Section 161 of the Financial Administration Act allows all ministers, not just the Minister of National Defence, to take appropriate measures to protect computer systems. One central method for managing and setting policy for cyber security and information technology across DND/CAF is the Defence Administrative Orders and Directives (DAOD), which are directives issued under the authority of the Deputy Minister and Chief of the Defence Staff that affect all of DND/CAF. The DAOD 6000 series specifically addresses information technology and management and includes a wide range of policies such as acceptable use for the Internet and Defence Intranet, wireless networking, radio frequency spectrum, and more. Helping to augment these policies is the Cyber Mission Assurance Program, created through Strong, Secure, Engaged, which incorporates cyber security requirements into the procurement process. These are often the policy levers used to affect the broad information technology landscape in DND/CAF, with additional high-level direction from the Digital Campaign Plan and related plans to guide substantive decision making. CAFCYBERCOM and CFNOC are responsible for carrying out these policies and maintaining the CAF’s cyber security posture.
These broad cyber security operations occur regularly in the private sector, but it is defensive cyber operations and offensive cyber operations that are distinctly the realm of military cyber operations. The CAF defines defensive cyber operations as “defensive operation[s] conducted in or through cyberspace to detect, defeat and/or mitigate offensive exploitative actions to maintain freedom of action.” While defensive cyber operations can often be an all-encompassing term, they are further classified into two categories: defensive cyber operation – internal defensive measures and defensive cyber operation – response actions.
Defensive cyber operation – internal defensive measures are conducted within DND/CAF’s own cyberspace and networks to maintain freedom of action. These measures are often comparable with cyber security operations but can include more advanced operations against active threats. When such operations are insufficient and CAF or Canadian networks are still under attack, CAFCYBERCOM can conduct defensive cyber operation – response actions. Defensive cyber operation – response actions are operations conducted against active or imminent threats to preserve the freedom of action of CAF networks, which is another way of saying using an offensive cyber operation against an adversary that is attacking your network. Defensive cyber operation – response actions are usually reserved for specific circumstances, and conducting an offensive operation to stop an active attack is usually a last resort, as defensive cyber operation – internal defensive measures and other measures are usually sufficient.
When an offensive operational technique or method is not conducted as part of a defensive cyber operation – response actions, it is an offensive cyber operation, which the CAF defines as “an offensive operation intended to project power in or through cyberspace to achieve effects in support of military objectives.” Tactics, techniques, and procedures of offensive cyber operations are usually highly classified and operation-specific, but the fundamentals of what constitutes offensive cyber operations are generally consistent. Broadly speaking, offensive cyber operations seek to exploit a vulnerability in an adversary’s network or capability. This can involve actions such as spear phishing to trick an adversary into opening a file infected with a virus, accessing a device or network due to an unpatched vulnerability or zero-day, or overloading a network or computer with internet traffic to slow it down to make it inoperable.2
What CAF cyber operators do in offensive cyber operations will vary considerably depending on the operation in question, including in its length and complexity, with some operations lasting months. The Communications Security Establishment (CSE), however, is more likely to conduct longer and more complex operations. Little is publicly known about the specific types of offensive cyber operations DND/CAF and CSE conduct. In particular, the relationship between DND/CAF and CSE regarding the types of cyber operations they will conduct together versus separately remains unclear. One of the few aspects that is better understood is how Cabinet can authorize cyber operations, and how it can hide CSE’s involvement when it conducts cyber operations with the CAF.
Authorities for Military Cyber Operations
Since 2022, the Government of Canada has shown a greater willingness to authorize military cyber operations, following pressure from the United States and NATO allies to do more to counter Russian aggression in cyberspace after Russia’s second invasion of Ukraine. One of the first major actions to follow was Minister of National Defence Anita Anand’s order to conduct a review of Cabinet authorities to direct DND/CAF and the CSE to conduct cyber operations. The review’s report breaks down the government’s authority to authorize DND/CAF’s cyber operations into four distinct categories: operations authorized under Section 161 of the Financial Administration Act, the Cyber Mission Assurance Program, and Crown Prerogative for defence and the delivery of cyber effects. This review provided the needed clarity for the Cabinet and Prime Minister Trudeau to authorize additional defensive cyber operations as well as the first CAF offensive cyber operation.

The review found that the Government of Canada derives its authority to conduct defensive cyber operations and offensive cyber operations from Crown Prerogative. Crown Prerogative is “a source of executive power and privilege” in Canada and is “accorded by the common law to the Crown.” In particular, “the legislature does not play a legally mandated role in the executive’s decision making process in the area of international deployments of [CAF] elements.” Currently, Canadian law does not differentiate military cyber operations, and it comes down to the discretion of Cabinet and the Prime Minister of Canada to authorize the CAF to conduct cyber operations. This means that the Prime Minister may deploy CAF defensive and offensive cyber operations just as they may deploy conventional Armed Forces. With this newfound understanding and confidence in what Cabinet can authorize, the Government of Canada undertook two immediate actions: it deployed a defensive cyber operation in Latvia and authorized CAF offensive cyber operations.
International Joint Defensive Cyber Operations
One of the very first international defensive cyber operations authorized by the Government of Canada was a “hunt forward operation” in Latvia. Hunt forward operations are a United States military term for joint defensive cyber operations conducted between a host country and a supporting country or military. These operations serve many purposes, including intelligence gathering and sharing, training, and exchange of best practices, all while working together to defend networks.
In March 2022, the Minister of National Defence signed two ministerial orders that designated Latvian and Ukrainian electronic information systems and networks as “systems of importance,” which, under the CSE Act, allowed CSE to operate in Latvian and Ukrainian networks to defend them. In July 2022, Latvia announced that it had launched a cyber threat hunting operation with Canadian cyber security experts, including the CAF. This was an expansion of the relationship between the CAF and Latvia, which have been working cooperatively since 2017, when Canada took leadership of the NATO enhanced Forward Presence Battle Group in Latvia. It appears that this activity has since become a regular part of the CAF’s contribution to the NATO presence in Latvia after USCYBERCOM announced it had completed a joint hunt forward operation with the CAF and Latvia.
Offensive Cyber, Transparency, and CSE Technical and Operational Assistance
In addition to the Latvian hunt forward defensive cyber operation, the CAF was authorized to conduct its first offensive cyber operations. DND/CAF’s 2022-23 Departmental Results states that the CAF was authorized under Crown Prerogative and the National Defence Act to conduct offensive cyber operations “against adversaries who wished to threaten Canada’s national interest.” This is the first public admission by the government that the CAF has conducted offensive operations in cyberspace. It is unclear how many offensive operations this has included, as the Departmental Results are intentionally vague and open-ended, but it is possible that the CAF conducted multiple offensive cyber operations with CSE as part of a larger, cohesive mission or operation. The DND/CAF’s 2023-24 Departmental Results contains no mention that the CAF is still conducting offensive cyber operations. However, this does not mean that they are not conducting such operations; it shows that there is currently a lack of official government policy for transparency and oversight of military offensive cyber operations.
No law states that DND/CAF or the Government of Canada must report when the CAF conducts offensive cyber operations. This makes the 2022-23 Departmental Results an outlier due to its level of transparency, but it cannot be assumed that the Government of Canada will maintain this level of transparency in the future. It is not unusual for the Government of Canada to withhold information about military deployments, which is often the case with special operations forces. Because the Government of Canada currently approaches the deployment of CAFCYBERCOM and the CAF Cyber Forces as it does special operations, a similar lack of transparency is likely to persist unless there is a change to the law.
The lack of reporting and transparency mechanisms also affects how CSE reports when it conducts cyber operations. Normally, when CSE conducts foreign cyber operations, they are authorized by the Minister of National Defence, with the Minister of Foreign Affairs providing consultation or approval depending on the type and circumstances of the operation. These operations are reported in CSE’s annual report and are subject to review by the National Security Intelligence Review Agency and the National Security and Intelligence Committee of Parliamentarians.
However, when the CSE supports the CAF in conducting cyber operations, it does so under the CSE’s “Technical and Operational Assistance” mandate. This mandate allows CSE to provide “technical and operational assistance to federal law enforcement and security agencies,” including DND/CAF. When CSE provides technical and operational assistance, they may adopt the legal mandate and exemptions of the organization they are supporting. This allows CSE to support the CAF in conducting military offensive cyber operations, but in doing so, they are not reported as CSE foreign cyber operations and are instead reported as Technical and Operational Assistance. CSE states that assistance to federal partners like the Royal Canadian Mounted Police or Canadian Security Intelligence Service can include “collecting and processing communications, providing linguistic support” or conducting operations. In the context of CAFCYBERCOM, this mandate can be used to provide direct support to military operations, including offensive operations. This presents a potential gap in Canadian law that would allow the Cabinet and the Prime Minister to obscure when CSE conducts offensive cyber operations. Rather than disclosing operations carried out with CAFCYBERCOM, they may report them only as part of the annual technical and operational assistance authorizations.
Strategy & Future Challenges - Building an Advanced Persistent Threat
An advanced persistent threat refers to well-resourced cyber threat actors with significant expertise in conducting cyber operations, characterized by a level of persistence generally not found in most threat actors and criminals. The term advanced persistent threat is most often used to refer to state-sponsored groups controlled by adversarial governments such as North Korea’s Lazarus Group, Russia’s Sandworm, and China’s Volt Typhoon. However, it is false to assume that only non-Western, non-NATO countries have advanced persistent threats, with the United States’ National Security Agency’s Equation Group being one of the most well-known.
Although there is debate over why we generally do not hear about Western or NATO advanced persistent threats, some common explanations include a data bias where Western cyber security companies do not have customers or visibility into the adversarial countries that are being targeted. This data gap may soon change as China appears to be increasingly adopting a similar naming and shaming approach as Western countries by publicly releasing arrest warrants for National Security Agency personnel. Other arguments include that there is greater restraint than with non-Western advanced persistent threats, such as the use of self-terminating malware, which can potentially diminish the impact and exposure of operations.
While the reasons for this lack of insight into Western operations are numerous and debatable, the context is that CAFCYBERCOM is entering a field of conflict that is still being defined; norms and doctrine are still being developed by allies and adversaries alike. Although CAFCYBERCOM can learn from allies and experts in information security, it must define a CAF and CAFCYBERCOM approach to cyber conflict.
CAFCYBERCOM has completed some of its easiest steps, including standing up as an organization, and now faces the tasks of developing its structure, strategy, and approach to fighting cyber threats. Fortunately, Canada is not alone. Canada’s allies are also innovating and learning what it means to operate in cyberspace to support national security and defence, which is difficult when the environment and threat actors are constantly evolving. CAFCYBERCOM has strong working relationships with other military cyber commands including France and the United States to learn best practices, but there remains a need and opportunity to develop a distinctly Canadian approach to military cyber operations. Since Strong, Secure, Engaged, Canada has advocated for adopting norms of responsible state behavior in cyberspace. This has included creating a cyber unit at Global Affairs Canada, which works closely with CSE to ensure foreign cyber operations adhere to international law. Similarly, there is an opportunity for CAFCYBERCOM to innovate upon lessons learned in existing operations and from allies to develop a Canadian human security-informed approach to cyber conflict.
Understanding CAFCYBERCOM’s Role in Persistent Cyber Conflict
The key distinction in understanding cyber conflict is that the size and scale of cyber operations do not dictate the capacity or potential success of an actor. Significant investment and access to highly advanced research and development can give states greater potential to develop innovative persistent offensive and defensive cyber capabilities, but it does not determine the capacity or the threshold for entry for cyber operations. North Korea’s adoption and use of cyber operations provide an example of these principles and the ability of a state to conduct cyber operations, albeit on a smaller scale than the United States, yet achieve considerable success despite this limitation.3
Canada is well-equipped to develop an advanced spectrum of cyber capabilities to defend Canada in and through cyberspace with CAFCYBERCOM and CSE. Although CSE has a more intelligence-focused mandate, CSE can be deployed to conduct defensive and active cyber operations against state and non-state actors that are comparable to or even more advanced than the capabilities of CAFCYBERCOM. CSE could conduct CAFCYBERCOM’s defensive cyber operations and offensive cyber operations, but this would defeat the purpose of the CAF as a military organization that requires military personnel to defend or project force in and through cyberspace in the context of military conflict and national defence.
While CSE does indeed have the same ability to conduct cyber operations as CAFCYBERCOM, the purposes of CSE and CAFCYBERCOM differ, and their cyber capabilities are developed to address different needs of Canadian cyber defence. CAFCYBERCOM and military cyber operations are new tools for the Government of Canada, and the most effective ways to use them are still being understood, but as an institution, CAFCYBERCOM will be fundamentally concerned with addressing military cyber threats and protecting DND/CAF.
Former USCYBERCOM Commander and Chief of the National Security Agency General Paul Nakasone said that Cold War-style deterrence “does not comport to cyberspace.” What General Nakasone meant by this was that nuclear deterrence-informed strategies that aim to build cyber defences and threaten actors with severe consequences in the event of an attack do not reduce cyber incidents or the inclination of adversarial actors to target the United States and Canada. While such deterrence may sound logical, it does not work in cyberspace due to the persistence of cyber conflict and cyber threat actors and how Canada can mitigate these cyber threat actors. This is not to say that cybersecurity or focusing on defence is unimportant. On the contrary, they are the foundation of cyber defence, but they are one part of a broader portfolio of cyber defence that also requires addressing the source of attacks. Fundamentally, in cyber security and defence, the objective is to prevent harmful activity from occurring in the first place with layered security in depth. This can include using filters to prevent threat actors’ malicious emails from reaching users’ inboxes, adopting a zero-trust security architecture, or deploying network- or host-based sensors such as CSE does for the federal government. In cases where an advanced persistent threat or cyber threat actor inflicts, or risks inflicting, harm or disruption, a defender like CSE or CAFCYBERCOM could deploy other “active” capabilities to deny the threat actor the ability to conduct the attack. A useful way to understand how traditional deterrence fails to work is in the Canadian government’s own messaging on cyber attacks.
CSE boasts that it stops, on average, billions of malicious actions on its networks daily. This can largely be attributed to the CSE’s network, cloud, and host-based sensors, which use various methods to detect and stop malicious or suspicious network activity before human intervention is even required. These types of tools are quite common across the cyber security industry, but CSE in particular is recognized internationally for its ability and skill in threat detection. Although stopping an average of 6.3 billion malicious actions daily is significant, such volumes are not unusual for large organizations, including governments or multinational corporations. If Canada adopted a Cold War-style deterrence model, it would essentially be faced with determining which of these billions of daily malicious actions warranted escalation and confrontation. This approach becomes untenable as most malicious activity is not state directed but rather is unintentional or the result of non-state actors, such as criminals. Further, CAFCYBERCOM does not have the resources to respond to all these malicious actions, nor can law enforcement investigate all of them. This means that CAFCYBERCOM and Canada’s response must be prioritized based on more nuanced considerations, such as (but not limited to) intelligence from CSE, Canada’s other intelligence organizations or allies, the (potential) severity of the attack, or Canada’s national security and defence priorities.
Despite these measures and ongoing actions by the Government of Canada to improve cyber security and defence, since 2020, the federal government has been hit with cyber attacks. This has included the Canada Revenue Agency, Employment and Social Development Canada, Shared Services Canada, Global Affairs Canada, Financial Transactions and Reports Analysis Centre of Canada, and the Royal Military College. In addition to federal agencies, the provinces of Nova Scotia, British Columbia, Prince Edward Island, and Newfoundland and Labrador were also impacted by serious incidents. The ongoing vulnerability and cyber security incidents in the federal government in part motivated the House of Commons Committee on National Defence to encourage greater investment in cyber security and CSE sensors, but passive capabilities are only one tool to address a broad range of cyber threats that require an entire suite of tools and capabilities to stop them. CAFCYBERCOM is just one of these tools, but it must be given the ability to do the work it was created to accomplish. Canada’s new planned defence investments include resources for CAFCYBERCOM, which suggests that Canada considers it a critical tool in this portfolio.
We Can’t Pretend to do Mission Command
CAFCYBERCOM was created as an independent command, but does it have the trust of the federal government, the military, and partners to do what it was created to do? Due to the highly technical and complex nature of cyber operations, which makes direct oversight of actions difficult, it is important to develop trust between policymakers, bureaucracy and cyber operators throughout the entire course of an operation. In the military, this trust and command and control is often spoken of in relation to “mission command.” Mission command has many definitions, but generally refers to a command philosophy based on “delegation of authority and the freedom to carry out actions consistent with the intent of the commander,” which seeks to maximize human creativity and initiative to allow subordinates the freedom to adjust missions or operations based on changing conditions. Historically, the CAF has used mission command as one of its central command philosophies, but over the last two decades, there have been increased concerns about its decline due to an increase in micromanagement resulting from heightened risk aversion.
Regardless of whether this decline in mission command is real or perceived, Cabinet and DND/CAF must avoid the risks of micromanagement and distrust. Compared to when CSE was given its mandate to conduct foreign cyber operations, DND and CAFCYBERCOM may have a harder time developing the same institutional trust. When CSE was provided its mandate to conduct foreign cyber operations, multiple mechanisms were developed to review and disclose when CSE is authorized to conduct cyber operations. These mechanisms, together with CSE’s strength and proficiency, have helped to build its strong reputation with Cabinet, the federal government and international partners.
Comparable review and disclosure mechanisms do not exist for CAFCYBERCOM’s activities, which makes it more difficult to build trust with the government and the public. In recent years, this has at times resulted in CSE’s role in cyber defence overshadowing the related work of the CAF Cyber Forces, and more recently, CAFCYBERCOM. The existence of more open review mechanisms built with the additional investments in CSE cyber defence and operations has led to greater confidence in CSE’s cyber capabilities.4 CAFCYBERCOM does not benefit from the same review processes that can help build confidence and trust, putting it at a disadvantage compared to CSE. While CAFCYBERCOM has already established equity and trust based on the preceding work of the CAF Cyber Forces, it must now build upon this as a new institution with a greater role in Canadian cyber defence.
DND/CAF has maintained a longstanding working relationship with CSE to develop cyber capabilities and conduct cyber operations; however, CAFCYBERCOM is a separate, newly established military organization that raises the profile and role of the CAF Cyber Forces and transforms the Canadian foreign cyber operations dyad involving Global Affairs Canada (GAC) and CSE into a triad. CAFCYBERCOM’s inclusion in the cooperative arrangement between GAC and CSE is not guaranteed, however, and it remains to be seen if the Government of Canada intends to integrate CAFCYBERCOM in this arrangement. While a joint cyber unit between CSE and CAFCYBERCOM exists, little public information about this unit is available, and it remains unknown if the creation of CAFCYBERCOM changes how DND/CAF works with CSE and GAC. Further, it is also publicly unknown whether GAC provides similar consultative or supportive services to CAFCYBERCOM as it does for CSE’s foreign cyber operations program.
The creation of CAFCYBERCOM better positions the CAF Cyber Forces to defend DND/CAF and Canada, but maximizing their effectiveness means acknowledging and formalizing their role in Canada’s overall cyber defence ecosystem in relation to CSE and GAC. DND/CAF and the CAF Cyber Forces already work with CSE and GAC, but the degree to which this relationship has matured alongside the creation of CAFCYBERCOM has not been made clear publicly, if indeed it has matured at all.
Importantly, while CAFCYBERCOM is new as an organization, its personnel are not. On the contrary, CAFCYBERCOM’s leadership is quite experienced in cyber defence, with Major General Dave Yarker, CAFCYBERCOM’s first Commander, serving as a good example. MGen Yarker has been in leadership positions in the CAF since 2010, many of which were connected with the CAF Cyber Forces and their predecessor organizations. This includes his appointment as Joint Force Cyber Component Commander in 2022, where he oversaw the CAF Cyber Forces as it significantly increased its responsibilities, including its joint defence operation in Latvia and the CAF’s first offensive cyber operation. As a result, MGen Yarker is uniquely positioned with experience in CAF cyber defence from force development to operations, making him the best candidate to be CAFCYBERCOM’s first commander and the CAF’s “cyber champion” to communicate DND/CAF’s cyber capabilities internally and externally.
Historically, the absence of a “cyber champion” within the CAF representing the perspectives and concerns of the CAF Cyber Forces has contributed to cyber capabilities being misunderstood, overlooked, or suboptimally managed. As CAFCYBERCOM directly reports to the Chief of Defence Staff, CAFCYBERCOM’s Commander becomes the cyber champion at the highest levels of the military and better situates CAFCYBERCOM in the CAF’s command and control to address cyber threats as needed. However, while this is a very positive step to better position cyber in DND/CAF, CAFCYBERCOM must be treated as a cornerstone to Canada’s cyber defence outside of DND/CAF as well as within it.
Making it Happen: Funding, Procurement, and Force Development
Concerns were raised by some defence analysts about the appropriate funding and the lack of commitment to reach 2 percent of GDP spending on the military when Our North, Strong and Free was unveiled in 2024. However, as a notable exception, CAFCYBERCOM and cyber operations received a sizeable funding commitment. For “Enhancing Canada’s Intelligence and Cyber Operations,” Canada allocated $917 million over five years and $2.8 billion over 20 years. It remains unclear how much of this is specifically for CAFCYBERCOM, the rest of DND/CAF, and CSE; however, officials have indicated they are happy with the funding they are receiving and have stated they are not worried about the funding provided.
In June 2025, newly elected Prime Minister Mark Carney announced an additional $9 billion in defence investments to reach 2 percent of gross domestic product spent on defence by the end of the fiscal year. CAFCYBERCOM is expected to benefit from these investments, of which an undisclosed amount will contribute to cyber capabilities. While this is encouraging, concerns remain about whether Canada’s procurement system can effectively deliver on these new investments, even though the Government of Canada has indicated that part of the funding is intended to support the programmatic mechanisms for defence procurement projects.
One of DND/CAF’s core projects under Strong, Secure, Engaged, Cyber Defence—Decision Analysis and Response (CD-DAR), highlights the difficulties with the procurement of advanced cyber capabilities. The CD-DAR project is intended to acquire CAF defence cyber capabilities to support defensive cyber operations capabilities on command networks, the defence wide area network, and extensions. This project entered its definition phase in June 2020 and remains “in progress” according to the government’s Defence Capabilities Blueprint.
The only public indications of the cause of delays in this project come from the Independent Review Panel for Defence Acquisition’s Progress Report – 2021 & 2022, which suggests that CD-DAR and other projects suffer from personnel shortages and increasing costs that constrain DND/CAF’s capacity and resources to deliver. This likely refers, in part, to DND/CAF’s difficulty in delivering sensitive or classified capabilities such as CD-DAR, due to limited internal expertise and dual-fluency in both cyber defence and national defence policy to manage the project effectively. These and ongoing delays in delivering advanced cyber and digital capabilities significantly hinder CAFCYBERCOM’s force development and the whole of DND/CAF’s digital modernization.
Although CAFCYBERCOM Commander MGen Yarker has stated he is quite happy with the cyber capabilities of the CAF Cyber Forces, cyber threats evolve quickly, and keeping pace with these threats requires a procurement system that can be agile and responsive to CAFCYBERCOM’s needs. However, likely informed in large part by the role and importance of electromagnetic capabilities in Ukraine’s defence against Russia, CAFCYBERCOM is increasingly looking to improve its electromagnetic capabilities.
In addition to procurement concerns, personnel and training issues also remain. A 2021 audit of the CAF Cyber Forces indicated that they had difficulty filling civilian and military positions, citing a lack of competitiveness with the private sector as one of the primary reasons. Since this audit, DND/CAF have taken action to improve its ability to recruit, train, and retain CAF cyber operators. One of the first actions was to make “positional investments” to retain and recruit personnel for offensive cyber operations and cyber intelligence. These investments appear to have helped as CAFCYBERCOM has indicated they are overall happy with the cyber operators and personnel it currently employs.
This is a positive sign for CAFCYBERCOM’s ability to draw talent, given that it cannot pay as much as the private sector. CAFCYBERCOM recognizes this inability to compete with monetary compensation, so they instead emphasize the unique missions and experiences available to cyber operators within the military. MGen Yarker has noted that the joint defensive cyber operation mission in Latvia and support to Ukraine have significantly contributed to this. In addition to providing a meaningful mission to apply their skills, these missions provide vital training and operations experience. These trends suggest that mission and purpose are important motivators for the CAF Cyber Forces, but DND/CAF and the federal government must continue to provide career advancement to give CAF cyber operators a future to build and strive toward.
Another reason for the difficulty in retaining personnel was a historical lack of career development and advancement; however, there are increasing indications that DND/CAF has made positive steps to address these issues. This is an important consideration not just concerning a lack of career advancement opportunities, but also reflects the limited growth and development of the Cyber Forces during this time. In 2021, the CAF Cyber Forces relied on career managers to ensure personnel possessed the cyber skills on an ad hoc basis due to limited career development opportunities, and career management for cyber operators was largely considered non-existent.
Since this time, there have been significant improvements in career management and training for the CAF Cyber Forces. After basic military qualification, CAF personnel must undergo extensive training to become qualified as a Cyber Operator. If they are not a direct entry with prior experience, prospective cyber operators must undergo an initial cyber security foundations course at either Algonquin College (8 months), Willis College (15 months), or Nova Scotia Community College Institute of Technology (24 months). After completing the initial cyber security foundations program, prospective cyber operators must undergo an additional 12–16 weeks at the Canadian Forces School of Communications & Electronics to receive specialized, military-focused cyber operator training. Despite this progress, major deficiencies in DND/CAF led soldiers attending Willis College for cyber operator training to rely on food donations from Willis College staff and others to make ends meet. The program and its reputation have since improved, and Willis College now competes with Algonquin College and Nova Scotia Community College for students.5
Following the development of the initial cyber operator training program, the CAF established the Cyber Training Unit alongside the Royal Military College’s (RMC’s) Cyber Programme. RMC’s Cyber Programme brings together experts from across departments and specialty areas at RMC to teach about the technical, social science, and humanities dimensions of computer engineering and defence. In 2025, the Cyber Training Unit was formalized as CAFCYBERCOM’s official cyber military school, leading the force generation of cyber operators and providing professional military education for intermediate and advanced cyber operator training. Those who complete sufficient training through the unit are eligible to receive a Professional Certificate in Cyber Security Foundations. CAFCYBERCOM maintains a strong commitment to ensuring it has a strong, reliable training program for cyber operators.
In addition to improving training, professional development and advancement opportunities, the CAF increasingly appears to be proceeding with creating a Cyber Officer position, which the DND/CAF 2023-2024 Departmental Results states was intended to be launched in 2025. However, the DND/CAF’s 2025-26 Departmental Plan indicates that it is still completing its study. Creating a Cyber Officer position would represent a very positive step for maturing the CAF’s cyber capabilities as it would ensure that CAFCYBERCOM leadership receives the appropriate training, specialization, and attention to lead CAF Cyber Forces effectively.
The reluctance to create the Cyber Officer position is emblematic of DND/CAF’s institutional resistance to the growth and importance of the Cyber Forces and cyber capabilities. The 2021 audit of the CAF Cyber Forces says that 84 percent of survey respondents stated that DND/CAF would benefit from the creation of a Cyber Officer occupation, the majority of which were at the tactical and operational level. However, most senior managers interviewed disagreed, preferring a more generalized officer role as part of the overall C4ISR and signals officer pool, and strongly discouraged specialization. This thinking is deeply flawed because it assumes that cyber operations and cyberspace as a domain of conflict are static, passive, or that their role is only to support traditional land, sea, or air domains. In reality, cyberspace is a unique strategic environment that requires engagement in cyber defence against persistent cyber threats while leveraging cyber operations to support political and military objectives.
Since 2021, there has been a significant shift in how the CAF approaches cyber operator career management and cyber defence as a whole. The CAF intended to establish a Cyber Officer occupation by 2025, but the delay and internal resistance to its creation are examples of the historical disconnect between senior DND/CAF leadership and the CAF Cyber Forces. The lack of agreement between DND/CAF’s senior management and those working at the operational and tactical levels in the Cyber Forces is characteristic of a lack of alignment in priorities or recognizing the role of cyber operations. This is not a matter of disagreement and different priorities, but about having the CAF Cyber Forces in the discussions at the highest levels to ensure that cyber defence is treated as a priority.
Conclusion
CAFCYBERCOM faces two primary challenges in the coming years: building new and strengthening existing relationships with other government departments, and growing CAFCYBERCOM beyond its current status, described as akin to a minimal viable product. Cyber defence and cyber security are often described as “team sports.” This analogy refers to the inability of any singular actor, be it an individual or organization, to unilaterally address all their cyber security and defence needs. For the Government of Canada, this means recognizing that CSE, CAFCYBERCOM, GAC, the Canadian Centre for Cyber Security, the RCMP, and others contribute to Canadian cyber security and defence within their mandated areas of concern.
While CAFCYBERCOM has been provided with significant resources and a position in DND/CAF for cyber defence, it remains one part of a broader Government of Canada cyber defence framework. Like these other Canadian organizations, CAFCYBERCOM is principally concerned with securing DND/CAF networks and systems from unauthorized access and attack, which is where most of its investments will be dedicated. However, CAFCYBERCOM’s position as Canada’s military cyber defence organization means that it is mandated and required to develop unique defensive and offensive cyber capabilities that are meant to serve Canadian military and national defence interests and needs.
When CAFCYBERCOM was officially established in September 2024, there was no physical change to the organization. Instead, most of the changes were related to how CAFCYBERCOM and the CAF Cyber Forces are commanded and supported through the DSG. CAFCYBERCOM must now build beyond its status as a “minimal viable product.” Within DND/CAF, key obstacles that previously held back the CAF Cyber Forces have been addressed through key changes to DND/CAF’s command and administrative structures. This provides considerable opportunity for CAFCYBERCOM. Rather than fight with the bureaucracy and system to accomplish its mission, CAFCYBERCOM and its leadership can focus on growth and maturing the CAF Cyber Forces. However, even with DND/CAF better aligned to support CAFCYBERCOM, the organization still faces complex challenges in procuring new capabilities, advancing its training and recruitment processes, and managing other critical areas of development. This should not be understood to mean that CSE’s proactive disclosures about its foreign cyber operations are open or good, but that DND/CAF’s current proactive disclosures about its cyber activities are lacking.
About the Author
Alexander Rudolph is a Ph.D. Candidate in the Department of Political Science at Carleton University and an expert on Canadian cyber policy. His research examines the grand strategy, conflict, and competition in cyberspace and how states attempt to maintain their monopoly on violence in the digital domain. He applies sociology, information security, and open-source intelligence methods to investigate the strategic thought and doctrine of cyber conflict and how it influences the creation of cyber force structures in military and intelligence organizations. He obtained his MA in Political Science at Carleton University, where he wrote his thesis on Canada’s emerging offensive cyber operations posture following Strong, Secure, Engaged. His methods improve existing methods of analysis of cyber conflict by introducing hacker-informed perspectives on cyberspace and cyber conflict.
In addition to his academic work, Alex is an American-Canadian ex-pat and a frequent contributor to Canadian and international discussions on cyber conflict. He has more than 10 years of experience working for non-profits in the public education and advocacy sectors as a project manager and analyst. Recently, he has worked as a researcher and market analyst in defence consulting and presently works in Ottawa as a policy advisor and consultant.
As one of Canada’s leading Canadian Armed Forces cyber defence policy researchers, Alex created Canadian Cyber in Context, the first newsletter dedicated to following updates and providing in-depth analysis of Canadian cyber defence.
Canadian Global Affairs Institute
The Canadian Global Affairs Institute focuses on the entire range of Canada’s international relations in all its forms including (in partnership with the University of Calgary’s School of Public Policy), trade investment and international capacity building. Successor to the Canadian Defence and Foreign Affairs Institute (CDFAI, which was established in 2001), the Institute works to inform Canadians about the importance of having a respected and influential voice in those parts of the globe where Canada has significant interests due to trade and investment, origins of Canada’s population, geographic security (and especially security of North America in conjunction with the United States), social development, or the peace and freedom of allied nations. The Institute aims to demonstrate to Canadians the importance of comprehensive foreign, defence and trade policies which both express our values and represent our interests.
The Institute was created to bridge the gap between what Canadians need to know about Canadian international activities and what they do know. Historically Canadians have tended to look abroad out of a search for markets because Canada depends heavily on foreign trade. In the modern post Cold War world, however, global security and stability have become the bedrocks of global commerce and the free movement of people, goods and ideas across international boundaries. Canada has striven to open the world since the 1930s and was a driving factor behind the adoption of the main structures which underpin globalization such as the International Monetary Fund, the World Bank, the World Trade Organization and emerging free trade networks connecting dozens of international economies. The Canadian Global Affairs Institute recognizes Canada’s contribution to a globalized world and aims to inform Canadians about Canada’s role in that process and the connection between globalization and security.
In all its activities the Institute is a charitable, non-partisan, non-advocacy organization that provides a platform for a variety of viewpoints. It is supported financially by the contributions of individuals, foundations, and corporations. Conclusions or opinions expressed in Institute publications and programs are those of the author(s) and do not necessarily reflect the views of Institute staff, fellows, directors, advisors or any individuals or organizations that provide financial support to, or collaborate with, the Institute.


