Francois Guay
Originally published in the 
The problem is cultural not technical, says Steve Waterhouse
Canada prides itself on being a technologically advanced nation. We invest heavily in research, educate strong engineers and regularly speak about innovation as a pillar of economic growth. Yet in cybersecurity Canada continues to lag peer nations such as Israel, Singapore, the United Kingdom and the United States. According to veteran cybersecurity leader Steve Waterhouse the issue is not talent or technology. It is culture.
Waterhouse brings a rare and credible perspective to this assessment. His career spans more than two decades across the Canadian military provincial government and private sector. He has worked at the operational level inside government bureaucracy and alongside industry leaders. That breadth has given him a clear view of where Canada struggles and why progress has been uneven.
The Problem Is Cultural Not Technical
Canada has no shortage of capable people or advanced tools. What it lacks is consistent alignment between leadership accountability decision making and long term execution. Cybersecurity failures rarely stem from missing technology. They stem from hesitation, fragmented authority and delayed action.
Waterhouse argues that Canada often knows what needs to be done but struggles to act decisively. Innovation exists in pockets but national coordination remains weak. In cybersecurity, delay itself becomes a risk.
From Military Readiness to Cyber Reality
Waterhouse began his career in the Canadian Forces in the mid nineteen nineties transitioning from traditional military roles into information technology during the earliest days of military cyber operations. He describes the shift as moving from a rifle to a keyboard at a time when digital systems were becoming mission critical.
Over a twenty three year military career he managed large scale infrastructure supporting thousands of users across multiple sites. He also played key roles during national stress events such as the 1998 ice storm and the Y2K transition. These experiences reinforced a lesson that still shapes his thinking today. Preparation matters most before a crisis begins.
Preparation Matters More Than Response
Later in his military career Waterhouse was tasked with rebuilding the IT infrastructure at the Royal Military College in Saint Jean. Given unusual freedom and resources he was able to design systems with long term resilience in mind. That experience underscored the value of strategic planning, trust driven leadership and clear ownership rather than reactive fixes.
In cybersecurity resilience is rarely built during emergencies. It is built quietly long before they occur.
Building Threat Intelligence Before the Crisis
After leaving the military Waterhouse moved into the private sector before being recruited in 2022 by Quebec’s Minister of Cyber Security. His mandate was explicit. Change the cybersecurity culture inside the government.
One of his most impactful achievements during that period was the creation of a cyber threat analysis cell, a capability the province previously lacked. For the first time the government could systematically analyze emerging threats, identify patterns and anticipate risk rather than simply respond after incidents occurred.
While Waterhouse sees this as meaningful progress he is clear that such capabilities should have existed years earlier and should be standard across the country.
Why Canada Struggles to Share Intelligence
Canada’s historical failure to share cyber intelligence effectively has been one of its most damaging weaknesses. Prior to the creation of the Canadian Centre for Cyber Security in 2017 federal intelligence was largely siloed in Ottawa with limited sharing across provinces or municipalities.
Even today coordination remains uneven. Some improvements are underway. Since 2022 provincial cyber bodies have begun meeting regularly and formal intelligence sharing agreements have been established. Waterhouse calls this a step forward but notes that Canada still falls short of international best practice.
In Israel for example citizens can report suspicious digital activity through a centralized service that aggregates data nationally and identifies large scale threat campaigns in near real time. Canada has no equivalent capability leaving the country slower to detect and respond to coordinated attacks.
Politics and Process as Risk Multipliers
Waterhouse attributes this gap to three systemic barriers.
The first is politics. Jurisdictional boundaries and internal rulings frequently block funding and action even when resources are available. He recalls being unable to distribute millions of dollars to help municipalities improve cyber resilience due to political constraints rather than technical ones.
The second barrier is bureaucracy. A history of problematic government contracts has fostered a culture of risk avoidance. Decision makers hesitate to launch ambitious initiatives out of concern for accountability and scrutiny leading to incremental progress where bold action is required.
The third barrier is infrastructure. Public digital services have failed to scale with population growth and demand creating what Waterhouse describes as an inverse funnel. More people rely on systems that are increasingly strained and outdated, undermining both competitiveness and security.
Innovation Without Coordination
Beyond government Waterhouse is equally critical of Canada’s approach to commercialization and intellectual property. Unlike countries such as Israel or Singapore Canada lacks a coordinated national strategy that aligns government priorities, business needs and technological development.
Instead sectors operate independently competing rather than collaborating.
When Canadian IP Leaves So Does Leverage
The consequences are visible. Canadian companies with world class talent and intellectual property are frequently acquired by foreign firms with deeper capital. The technology leaves the country and with it the long term economic and strategic benefit.
In Israel intense competition coexists with a strong culture of collaboration when national interests are at stake often reinforced by shared military experience. In Canada that level of cooperation tends to emerge only during major crises such as natural disasters or the pandemic.
Ambition Without Foundations
Waterhouse is cautious about recent federal initiatives framed as transformative. Investments in quantum computing are welcome, he says but overdue. More than a decade has passed since a major breach of the National Research Council allegedly exposed foundational Canadian research. The announcement highlights a broader pattern of Canada losing early leadership in critical technologies.
He is even more skeptical of proposals to rapidly build a massive cyber reserve force. Training hundreds of thousands of people in short timeframes is unrealistic and potentially dangerous. Without experienced trainers proper equipment and a viable model for skill development such efforts risk creating more vulnerabilities than solutions.
More importantly Canada lacks national job protection legislation for reservists. Without guarantees that civilian employment will be protected, few skilled professionals will volunteer. This problem was evident decades ago and remains unresolved.
Waterhouse believes a smaller focused reserve force deployed on real world missions could be viable but only if legal logistical and cultural foundations are addressed first.
Privacy Is Not a Technical Issue
He concludes with a broader warning about privacy and civic responsibility. After decades in cybersecurity it remains troubling that basic digital hygiene is still inconsistent across society. Smart devices he reminds us are fundamentally data collection tools and every convenience comes with a trade off.
The erosion of privacy is not a technical issue alone. It is a democratic one.
Silence Is Not Neutral
If privacy is lost entirely the consequences extend to freedom of expression and access to information. Waterhouse urges Canadians to engage directly with their elected officials and demand better coordination, stronger policy and greater accountability.
In cybersecurity silence is not neutral. It is dangerous.
You can reach out to Steve here.