Skip to main content
Packetlabs Company Logo
Blog

Bill C-22: Cybersecurity Concerns

Bill C-22: Cybersecurity Concerns

Canada’s proposed lawful access legislation is triggering growing concern across the cybersecurity industry, with experts warning that attempts to expand government surveillance capabilities could unintentionally weaken the security of encrypted systems nationwide.

Cybersecurity experts, including Packetlabs Founder and CEO Richard Rogerson, are cautioning that Bill C-22 may introduce systemic vulnerabilities that sophisticated attackers could eventually exploit.

Why Cybersecurity Experts Are Concerned About Bill C-22

Bill C-22 would require telecommunications providers, internet companies, and other digital service operators to modify systems in ways that support lawful interception and monitoring capabilities for law enforcement and intelligence agencies.

Supporters argue the legislation is necessary to modernize investigative powers and align Canada with other G7 nations. However, many cybersecurity professionals argue that introducing access mechanisms into encrypted systems fundamentally changes their security posture.

Packetlabs Founder and CEO Richard Rogerson stated that the concept of a “secure backdoor” is technically unrealistic because any intentional access pathway creates new opportunities for exploitation.

According to Rogerson in a recent interview with the Globe and Mail:

“Any such mechanism would create vulnerabilities that threat actors could also exploit.”

The concern extends beyond criminal actors alone. Nation-state threat groups increasingly target centralized infrastructure, privileged access systems, and lawful interception environments because of the scale of access they provide once compromised.

The Technical Problem With “Secure Access”

From an engineering perspective, encryption systems are designed to minimize trust exposure and eliminate unauthorized access pathways.

Introducing lawful interception capabilities may require:

  • Expanded privileged-access mechanisms

  • Additional key management systems

  • Centralized interception infrastructure

  • New authentication and monitoring layers

  • Persistent metadata retention environments

Each additional layer increases complexity, and complexity often increases attack surface.

This concern is not theoretical.

In 2024, the Salt Typhoon cyberespionage campaign reportedly exploited lawful intercept infrastructure within U.S. telecommunications environments to gain access to sensitive communications involving senior government officials.

For many security professionals, the incident demonstrated how systems designed for authorized surveillance can become high-value targets for sophisticated adversaries.

How AI is Changing the Risk Equation

The debate around lawful access is unfolding during a period of rapid advancement in offensive AI capabilities.

Recent cybersecurity industry research shows:

  • AI-assisted phishing attacks are significantly improving social engineering success rates

  • Generative AI tools can accelerate exploit development and vulnerability discovery

  • Organizations are struggling to maintain visibility across expanding cloud and SaaS ecosystems

At the same time, attackers are increasingly automating reconnaissance, privilege escalation, and exploitation workflows.

This creates a difficult reality for defenders: introducing new systemic access mechanisms while offensive capabilities continue accelerating may increase long-term national cyber risk.

As one industry expert quoted in the discussion warned, AI-powered hacking tools can now identify and weaponize vulnerabilities “at near-lightspeed.”

Packetlabs’ Perspective Comes From Real-World Adversarial Testing

Packetlabs’ concerns are grounded in practical offensive security experience. We conduct ethical hacking engagements that simulate how real attackers compromise systems under operational conditions.

Examples referenced in the interview with the Globe and Mail include, but aren't limtied to:

  • Escalating a banking test environment from a $500 card balance to $150,000 through application abuse

  • Compromising gas station infrastructure within an oil and gas environment, including the ability to manipulate fuel pricing systems

These examples demonstrate a core principle of modern cybersecurity: that threat actors rarely rely on a single vulnerability alone. Most serious breaches result from chained weaknesses, excessive trust relationships, poor segmentation, and unintended access pathways.

Lawful interception infrastructure could become another component inside these attack chains if not designed and secured with extreme caution.

Why Encryption Weakening Creates Broader Systemic Risk

Beyond technical compromise, experts warn that lawful access legislation could also introduce broader operational and economic consequences.

Potential risks include:

  • Increased attractiveness of Canadian infrastructure to foreign adversaries

  • Expanded insider threat opportunities

  • Greater compliance complexity for organizations handling sensitive data

  • Reduced trust in Canadian digital systems and cloud environments

  • Higher operational burden for providers required to maintain interception capabilities

Critics also warn that metadata retention requirements proposed under the legislation may create additional centralized data stores that become valuable targets for attackers.

In modern environments, metadata alone can reveal highly sensitive information about user behavior, communications patterns, and organizational activity.

What Organizations Should Focus on Now

As lawful access discussions continue globally, organizations should prioritize resilience against both external compromise and systemic infrastructure exposure.

Security leaders should:

  • Continuously validate identity and access controls through penetration testing

  • Review encryption architectures and privileged-access pathways

  • Assess concentration risk within centralized monitoring systems

  • Test lateral movement scenarios involving trusted infrastructure

  • Incorporate AI-assisted attack simulations into modern threat models

The broader cybersecurity lesson is increasingly clear: systems designed to expand visibility or access can also become some of the most valuable targets for attackers.

Organizations that continuously validate security assumptions through real-world adversarial testing will be significantly better positioned to reduce operational and systemic cyber risk.

Contact Us

Join our newsletter

Packetlabs Company Logo
  • Toronto | HQ401 Bay Street, Suite 1600
    Toronto, Ontario, Canada
    M5H 2Y4
  • San Francisco | Outpost580 California Street, 12th floor
    San Francisco, CA, USA
    94104
  • Calgary | Outpost421 - 7th Ave SW, Suite 3000
    Calgary AB, Canada
    T2P 4K9
  • Australia | OutpostPacketlabs Pty Ltd.
    ABN 14 691 178 542
    Level 24, 1 O'Connell St
    Sydney NSW 2000
Cyber Right NowCREST LogoCREST AI Signatory AICPA SOC 2 LogoG2Clutch 2023 Certification Logo