
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog

Canada’s proposed lawful access legislation is triggering growing concern across the cybersecurity industry, with experts warning that attempts to expand government surveillance capabilities could unintentionally weaken the security of encrypted systems nationwide.
Cybersecurity experts, including Packetlabs Founder and CEO Richard Rogerson, are cautioning that Bill C-22 may introduce systemic vulnerabilities that sophisticated attackers could eventually exploit.
Bill C-22 would require telecommunications providers, internet companies, and other digital service operators to modify systems in ways that support lawful interception and monitoring capabilities for law enforcement and intelligence agencies.
Supporters argue the legislation is necessary to modernize investigative powers and align Canada with other G7 nations. However, many cybersecurity professionals argue that introducing access mechanisms into encrypted systems fundamentally changes their security posture.
Packetlabs Founder and CEO Richard Rogerson stated that the concept of a “secure backdoor” is technically unrealistic because any intentional access pathway creates new opportunities for exploitation.
According to Rogerson in a recent interview with the Globe and Mail:
“Any such mechanism would create vulnerabilities that threat actors could also exploit.”
The concern extends beyond criminal actors alone. Nation-state threat groups increasingly target centralized infrastructure, privileged access systems, and lawful interception environments because of the scale of access they provide once compromised.
From an engineering perspective, encryption systems are designed to minimize trust exposure and eliminate unauthorized access pathways.
Introducing lawful interception capabilities may require:
Expanded privileged-access mechanisms
Additional key management systems
Centralized interception infrastructure
New authentication and monitoring layers
Persistent metadata retention environments
Each additional layer increases complexity, and complexity often increases attack surface.
This concern is not theoretical.
In 2024, the Salt Typhoon cyberespionage campaign reportedly exploited lawful intercept infrastructure within U.S. telecommunications environments to gain access to sensitive communications involving senior government officials.
For many security professionals, the incident demonstrated how systems designed for authorized surveillance can become high-value targets for sophisticated adversaries.
The debate around lawful access is unfolding during a period of rapid advancement in offensive AI capabilities.
Recent cybersecurity industry research shows:
AI-assisted phishing attacks are significantly improving social engineering success rates
Generative AI tools can accelerate exploit development and vulnerability discovery
Organizations are struggling to maintain visibility across expanding cloud and SaaS ecosystems
At the same time, attackers are increasingly automating reconnaissance, privilege escalation, and exploitation workflows.
This creates a difficult reality for defenders: introducing new systemic access mechanisms while offensive capabilities continue accelerating may increase long-term national cyber risk.
As one industry expert quoted in the discussion warned, AI-powered hacking tools can now identify and weaponize vulnerabilities “at near-lightspeed.”
Packetlabs’ concerns are grounded in practical offensive security experience. We conduct ethical hacking engagements that simulate how real attackers compromise systems under operational conditions.
Examples referenced in the interview with the Globe and Mail include, but aren't limtied to:
Escalating a banking test environment from a $500 card balance to $150,000 through application abuse
Compromising gas station infrastructure within an oil and gas environment, including the ability to manipulate fuel pricing systems
These examples demonstrate a core principle of modern cybersecurity: that threat actors rarely rely on a single vulnerability alone. Most serious breaches result from chained weaknesses, excessive trust relationships, poor segmentation, and unintended access pathways.
Lawful interception infrastructure could become another component inside these attack chains if not designed and secured with extreme caution.
Beyond technical compromise, experts warn that lawful access legislation could also introduce broader operational and economic consequences.
Potential risks include:
Increased attractiveness of Canadian infrastructure to foreign adversaries
Expanded insider threat opportunities
Greater compliance complexity for organizations handling sensitive data
Reduced trust in Canadian digital systems and cloud environments
Higher operational burden for providers required to maintain interception capabilities
Critics also warn that metadata retention requirements proposed under the legislation may create additional centralized data stores that become valuable targets for attackers.
In modern environments, metadata alone can reveal highly sensitive information about user behavior, communications patterns, and organizational activity.
As lawful access discussions continue globally, organizations should prioritize resilience against both external compromise and systemic infrastructure exposure.
Security leaders should:
Continuously validate identity and access controls through penetration testing
Review encryption architectures and privileged-access pathways
Assess concentration risk within centralized monitoring systems
Test lateral movement scenarios involving trusted infrastructure
Incorporate AI-assisted attack simulations into modern threat models
The broader cybersecurity lesson is increasingly clear: systems designed to expand visibility or access can also become some of the most valuable targets for attackers.
Organizations that continuously validate security assumptions through real-world adversarial testing will be significantly better positioned to reduce operational and systemic cyber risk.