Toronto, ON — 

July 30, 2025 — As digital transformation races ahead across sectors, a new report from the Toronto-based Institute for Strategic Systems Oversight (ISSO) is raising a red flag: Canada’s public and private institutions are “building blind” when it comes to their technological dependencies.

In a 34-page analysis released Tuesday, ISSO outlines how invisible infrastructure risks — from unauthorized cloud apps and AI-enabled tools to untracked third-party connectors — are quietly expanding Canada’s national attack surface.

“We’re seeing a digital lattice form — thousands of microconnections stitched together by automation, convenience, and speed,” said Dr. Selene Mahajan, Executive Director of ISSO. “But few organizations have the visibility or governance structure to understand what they’ve actually built.”

Shadow IT, Quiet AI, and the New Risk Fabric

The ISSO report, titled “Beyond the Stack: Mapping Canada’s Hidden Digital Risk,” details how institutions increasingly rely on decentralized tools and automated integrations. These include unauthorized SaaS platforms, AI-driven optimization plugins, and middleware services embedded deep within supply chains — many of which never undergo formal risk review.

“We’ve entered an era of plug-first, verify-later,” said Dr. Mahajan. “That’s a governance failure — not just a tech one.”

Among the report’s key findings:

• 41% of organizations surveyed couldn’t identify all software-as-a-service (SaaS) platforms connected to their networks.
• Over 60% had deployed GenAI tools without baseline compliance policies or audit trails.
• In one anonymized case study, an enterprise’s finance API was silently re-routed through a deprecated U.S.-based data broker during a vendor update.

A Call for National Mapping

ISSO is now calling for a federal-led digital dependency mapping initiative, urging coordination between Treasury Board, Public Safety Canada, and private-sector actors. The goal: create a dynamic “digital cartography” of shared infrastructure, to spot risk concentration points before they collapse.

“This isn’t just about cybersecurity anymore,” said Dr. Mahajan. “It’s about digital continuity — the ability for services to function even when the tools underneath them shift or disappear.”

The report also calls for:

• National guidelines for AI plug-in governance

• Regulatory incentives for private-sector risk transparency

• An “Interconnect Index” to track platform overdependence in public infrastructure

Industry Response: Cautious but Curious

Tech leaders responded with interest but caution. Some private-sector CIOs expressed skepticism over federal involvement.

“Mapping is only helpful if it leads to action,” said one bank executive off-record. “We’ve known the risks for years. What we lack is political will — and procurement flexibility.”

As Canada’s digital infrastructure grows ever more automated and interwoven, ISSO’s report is a timely reminder: complexity without clarity is not innovation — it’s exposure.

Breaking down systems, one layer at a time. — Mira Evans

ODTN News’ Ayaan Chowdhury contributed to this report.

Toronto, ON —

A devastating 26-hour outage that left more than 12 million Canadians without wireless service, internet access, or the ability to call 911 on July 8th, 2022. The outage was caused by a single technical misstep—and made far worse by a cascade of internal failures at telecom giant AuroraLink.

That’s the conclusion of a review released this month by the Canadian Radio-television and Telecommunications Commission (CRTC), which details how the outage exposed serious vulnerabilities in the company’s network architecture, change management protocols, and incident response.

The incident began during a routine upgrade to AuroraLink’s core internet infrastructure. Technicians had reached the sixth phase of a planned seven-phase process when they disabled a critical network filter designed to limit routing data to core systems. Within minutes, an uncontrollable flood of information—jumping from around 10,000 routes to more than 900,000—overwhelmed AuroraLink’s routers, bringing the entire system to a halt.

But the outage wasn’t just the result of a technical slip.

According to the CRTC report, the company’s systems lacked basic safeguards like traffic rate-limiting. Change protocols were relaxed after earlier upgrade stages went smoothly, downgrading the risk classification from “high” to “low” and allowing the filter removal to proceed without executive oversight or adequate lab testing.

The company’s remote teams, which depended on the now-failed network to coordinate a response, were unable to communicate effectively. Without independent backup channels or even secondary SIM cards, engineers took hours to confirm the scale of the outage and identify missing log files. It took 14 hours before AuroraLink pinpointed the root cause.

During the blackout, critical systems across the country ground to a halt:

Digital payments through Interac were disabled.
Hospitals and emergency services faced connectivity gaps.
At least one death was potentially linked to the 911 disruption.
Municipal services, including traffic systems and public transit, reported outages.

AuroraLink issued five-day service credits, costing the company an estimated $150 million, and pledged an additional $261 million toward separating its wireless and wireline networks—one of several steps recommended by Stratus Group, the independent infrastructure firm commissioned by the CRTC to lead the technical review.

The report praised AuroraLink’s corrective actions but underscored the need for deeper structural reforms:

Redundant network management paths
Router overload protection
Automated rollback systems and alarm prioritization
Regular drills and emergency training
Better public education on emergency access options during outages

While investigators concluded the network’s core design wasn’t fundamentally flawed, the convergence of wireless and wireline systems created a “single point of catastrophic failure.”

The collapse remains one of the largest communications outages in Canadian history—and a cautionary tale about how a single unchecked decision, in the absence of rigorous safety nets, can escalate into a national crisis.

Breaking down systems, one layer at a time. — Mira Evans

Calgary, AB —

As Canada’s retailers race to modernize their digital infrastructure, a quieter, more personal crisis is taking shape behind the servers — and it’s not one that can be patched with a software update.

Retail IT professionals across the country say they are facing crippling levels of burnout, driven by unrelenting demands for speed, security, and uptime. From frontline pharmacy platforms to national inventory systems, the people who keep Canada’s digital retail infrastructure running say they are stretched thin, overlooked, and on the verge of breaking.

“We’re not just fighting hackers — we’re fighting the clock,” says Devika Ramesh, a senior infrastructure engineer based in Calgary. “The deadlines keep moving up. The threats keep scaling. The downtime gets shorter. But our capacity? It’s flatlined.”

Ramesh works for PharmaNorth, one of Canada’s largest retail pharmacy chains. She agreed to speak with ODTN News under her own name — a rarity in an industry where silence is often expected during crises.

Migrations on Fast-Forward

Much of the pressure, Ramesh says, stems from a wave of rapid-fire digital transformation.

“We were supposed to migrate over 70 systems in 18 months. They’ve asked us to do it in eight. Legacy software, modern cloud tools, predictive inventory engines — everything’s converging, and no one’s breathing.”

While cybersecurity has dominated headlines, insiders like Ramesh say the operational load — not the threat landscape — is what’s burning teams out.

“It’s the blur, not the breach”

“People think the hard part is dealing with a cyberattack,” Ramesh explains. “But it’s the blur. The constant switching between tasks. Patch a system at 2 a.m., fix a pricing model at 8 a.m., do compliance documentation by noon, and prep a rollback before dinner. It never stops.”

According to a recent internal survey conducted by the fictional National Alliance for Retail IT Professionals (NARITP), 68% of retail IT workers in Canada reported “moderate to severe burnout symptoms” in the last six months.

A Widening Disconnect

Part of the issue, experts say, is that IT teams are often tasked with managing systems they didn’t build, integrating vendor software under relentless time pressure and with limited support.

“It’s like trying to renovate an airport while planes are still landing,” says Ramesh. “And when something goes wrong — a pharmacy outage, a delivery delay — people assume it’s your fault, even if it was a third-party glitch no one warned you about.”

Despite growing acknowledgment of the burnout problem in other sectors, there has been no coordinated federal response or guidance for tech professionals working in retail, logistics, or consumer healthcare.

A Fragile Foundation

“Everyone’s talking about resilience at the system level,” Ramesh says. “But people forget that humans are infrastructure too.”

While retailers continue to invest in AI forecasting tools, zero-trust architecture, and centralized platforms, some insiders warn that failure could come not from a breach — but from exhaustion.

“My team runs in crisis mode 60% of the time,” she says. “At some point, something gives.”

Breaking down systems, one layer at a time. — Mira Evans

ODTN News’ Ayaan Chowdhury contributed to this report.