Toronto, ON — 

July 30, 2025 — As digital transformation races ahead across sectors, a new report from the Toronto-based Institute for Strategic Systems Oversight (ISSO) is raising a red flag: Canada’s public and private institutions are “building blind” when it comes to their technological dependencies.

In a 34-page analysis released Tuesday, ISSO outlines how invisible infrastructure risks — from unauthorized cloud apps and AI-enabled tools to untracked third-party connectors — are quietly expanding Canada’s national attack surface.

“We’re seeing a digital lattice form — thousands of microconnections stitched together by automation, convenience, and speed,” said Dr. Selene Mahajan, Executive Director of ISSO. “But few organizations have the visibility or governance structure to understand what they’ve actually built.”

Shadow IT, Quiet AI, and the New Risk Fabric

The ISSO report, titled “Beyond the Stack: Mapping Canada’s Hidden Digital Risk,” details how institutions increasingly rely on decentralized tools and automated integrations. These include unauthorized SaaS platforms, AI-driven optimization plugins, and middleware services embedded deep within supply chains — many of which never undergo formal risk review.

“We’ve entered an era of plug-first, verify-later,” said Dr. Mahajan. “That’s a governance failure — not just a tech one.”

Among the report’s key findings:

• 41% of organizations surveyed couldn’t identify all software-as-a-service (SaaS) platforms connected to their networks.
• Over 60% had deployed GenAI tools without baseline compliance policies or audit trails.
• In one anonymized case study, an enterprise’s finance API was silently re-routed through a deprecated U.S.-based data broker during a vendor update.

A Call for National Mapping

ISSO is now calling for a federal-led digital dependency mapping initiative, urging coordination between Treasury Board, Public Safety Canada, and private-sector actors. The goal: create a dynamic “digital cartography” of shared infrastructure, to spot risk concentration points before they collapse.

“This isn’t just about cybersecurity anymore,” said Dr. Mahajan. “It’s about digital continuity — the ability for services to function even when the tools underneath them shift or disappear.”

The report also calls for:

• National guidelines for AI plug-in governance

• Regulatory incentives for private-sector risk transparency

• An “Interconnect Index” to track platform overdependence in public infrastructure

Industry Response: Cautious but Curious

Tech leaders responded with interest but caution. Some private-sector CIOs expressed skepticism over federal involvement.

“Mapping is only helpful if it leads to action,” said one bank executive off-record. “We’ve known the risks for years. What we lack is political will — and procurement flexibility.”

As Canada’s digital infrastructure grows ever more automated and interwoven, ISSO’s report is a timely reminder: complexity without clarity is not innovation — it’s exposure.

Breaking down systems, one layer at a time. — Mira Evans

ODTN News’ Ayaan Chowdhury contributed to this report.

Ottawa, ON —

A flawed software update from cybersecurity vendor SentraCore has triggered a cascading IT meltdown across multiple Canadian sectors, leading to mass system outages in airports, hospitals, emergency services, and financial institutions. While no cyberattack is confirmed, the scale and simultaneity of the failure spark nationwide panic and highlight the precarious balance underpinning digital infrastructure.

The issue originates on the morning of July 19, 2025, when SentraCore’s SentinelGuard update — deployed on millions of Windows-based devices — causes widespread crashes. Machines fail to boot. Blue screens appear across command consoles. By midday, mission-critical networks across Canada begin to falter.

“This is one of the most significant non-malicious IT failures in recent memory,” says Dr. Naresh Patel, professor of cybersecurity architecture at Algonquin Tech. “It looks and feels like a coordinated cyberattack. That’s how brittle our systems have become.”

Airports, Hospitals, and 911 Lines Disrupted

Major airport systems — including check-in, flight coordination, and security screening — go offline at hubs in Toronto, Vancouver, and Montreal. PorterSky cancels over 130 flights. Travelers wait in long, static queues. Agents pull out clipboards.

In healthcare, frontline institutions like Saint Lucia General and CapitalCare Ottawa revert to paper-based systems after their electronic records become inaccessible. Patient delays and diagnostic slowdowns follow.

The most alarming reports come from Alberta, where 911 dispatch systems in Edmonton briefly drop offline, forcing emergency responders to reroute calls manually. Payment systems and border kiosks experience intermittent service across the country.

SentraCore Responds — But the Fallout Grows

SentraCore confirms the issue by mid-morning and deploys a rollback patch by the afternoon. Yet, recovery proves complex: each device requires manual intervention. National infrastructure slows to a crawl.

In a joint statement with OSWare, Canada’s national enterprise OS provider, SentraCore assures the public there is no evidence of foul play and that the incident is not cybercriminal in origin.

Still, the fear of a state-level cyber event spreads quickly — fueled by the sheer breadth of simultaneous outages.

“When the airport, the hospital, and the border all go dark in an hour, the human mind doesn’t think ‘software update,’” says Geneviève Moreau, a former national security analyst. “It thinks: attack.”

Digital Dominoes and Infrastructure Risk

Analysts estimate billions in lost productivity, with indirect costs mounting as recovery lags in sectors with limited offline backup systems. Experts warn this should be a wake-up call — not just about hackers, but about dependency.

“Modern IT environments are like Jenga towers,” says Moreau. “One misstep, and the entire thing starts to wobble.”

A federal review is already underway. Parliament’s Standing Committee on Technology and Security is expected to question both SentraCore and OSWare executives on patch validation, rollout procedures, and contingency planning.

What’s Next?

Tech leaders are calling for immediate reforms:

Segmented rollout requirements for updates affecting critical systems
Mandatory resilience protocols for hospitals and emergency networks
Real-time public disclosure laws for national infrastructure disruptions

In the meantime, operations resume — slowly — and technicians nationwide continue booting, patching, and restarting Canada’s digital backbone, one terminal at a time.

Breaking down systems, one layer at a time. — Mira Evans

Toronto, ON —

A devastating 26-hour outage that left more than 12 million Canadians without wireless service, internet access, or the ability to call 911 on July 8th, 2022. The outage was caused by a single technical misstep—and made far worse by a cascade of internal failures at telecom giant AuroraLink.

That’s the conclusion of a review released this month by the Canadian Radio-television and Telecommunications Commission (CRTC), which details how the outage exposed serious vulnerabilities in the company’s network architecture, change management protocols, and incident response.

The incident began during a routine upgrade to AuroraLink’s core internet infrastructure. Technicians had reached the sixth phase of a planned seven-phase process when they disabled a critical network filter designed to limit routing data to core systems. Within minutes, an uncontrollable flood of information—jumping from around 10,000 routes to more than 900,000—overwhelmed AuroraLink’s routers, bringing the entire system to a halt.

But the outage wasn’t just the result of a technical slip.

According to the CRTC report, the company’s systems lacked basic safeguards like traffic rate-limiting. Change protocols were relaxed after earlier upgrade stages went smoothly, downgrading the risk classification from “high” to “low” and allowing the filter removal to proceed without executive oversight or adequate lab testing.

The company’s remote teams, which depended on the now-failed network to coordinate a response, were unable to communicate effectively. Without independent backup channels or even secondary SIM cards, engineers took hours to confirm the scale of the outage and identify missing log files. It took 14 hours before AuroraLink pinpointed the root cause.

During the blackout, critical systems across the country ground to a halt:

Digital payments through Interac were disabled.
Hospitals and emergency services faced connectivity gaps.
At least one death was potentially linked to the 911 disruption.
Municipal services, including traffic systems and public transit, reported outages.

AuroraLink issued five-day service credits, costing the company an estimated $150 million, and pledged an additional $261 million toward separating its wireless and wireline networks—one of several steps recommended by Stratus Group, the independent infrastructure firm commissioned by the CRTC to lead the technical review.

The report praised AuroraLink’s corrective actions but underscored the need for deeper structural reforms:

Redundant network management paths
Router overload protection
Automated rollback systems and alarm prioritization
Regular drills and emergency training
Better public education on emergency access options during outages

While investigators concluded the network’s core design wasn’t fundamentally flawed, the convergence of wireless and wireline systems created a “single point of catastrophic failure.”

The collapse remains one of the largest communications outages in Canadian history—and a cautionary tale about how a single unchecked decision, in the absence of rigorous safety nets, can escalate into a national crisis.

Breaking down systems, one layer at a time. — Mira Evans