No. 02 · Conceptual
The Cyber Imperative
As external threats grow daily, AI-driven modernization will enable a stronger cybersecurity defense.
Abstract. Alberta runs one of the strongest cyber security programs in Canada, and over the last 24 months it has held the line against a steady rise of attacks. The siege outside is intensifying: cyber controls now block 189 million connection attempts a day, more than double two years ago, and AI is generating exploits at lightning speed. The walls themselves are aging: much of the estate runs on technology which is moving past vendor support. The software supply chain has become a primary target, and a single incident can carry a heavy financial and operational cost. This paper makes the case that AI-driven modernization is a security requirement.
Alberta runs one of the strongest cyber security programs in Canada, and over the last 24 months it has held the line against a steady run of attacks, with layered defence-in-depth controls and extensive monitoring catching the incursions before they land. Holding that line is getting harder, and for two reasons at once. The waves of attacks outside the walls are rising in both volume and sophistication, and the walls themselves are aging, because a large part of the estate was built decades ago on technologies that are now slipping out of vendor support. This is the cyber imperative, stated plainly: AI-driven modernization is no longer separable from security.

## §01 A growing threat

In 2024-25, Alberta's cyber controls blocked an average of 189 million attempts to connect to the government network every single day. The year before it was 126.3 million, and the year before that 81.2 million, so the daily volume has more than doubled in two years. Technology and Innovation's 2024 annual report attributes the surge to sophisticated nation-state actors and financially motivated criminal groups. This is the background pressure our teams work inside every day, and the line is still climbing.

What has changed most is the speed of the cyber criminals. We have now weathered AI-orchestrated attacks where an exploit moves from proof of concept in a matter of hours, often days before the vendor's patch does. AI is enabling the bad actors to increase their campaigns against our infrastructure while reducing the skill, time, and cost needed to do so.

Our cybersecurity professionals are not sitting idly by. In Alberta, we are bringing on the same foundational models to respond in kind, finding and fixing flaws that have sat undocumented in widely used code for years, the kind only an attacker with deep knowledge would have previously uncovered. And new tools and models are coming online every day to help in that fight.

Anthropic's Project Glasswing is a consortium-driven partnership which is using the Mythos model to find and patch flaws in critical systems before attackers can exploit them. In the first couple of months after its limited release, Mythos has surfaced more than 10,000 vulnerabilities across critical software suites like operating systems and browsers. These bugs were there all along, but had gone undiscovered by all prior methods and teams. Using the Mythos model, Mozilla found and shipped fixes for 271 security bugs in Firefox in one month, more than ten times what its earlier methods had ever surfaced. These are doors which are closing on potential future exploits before they can become known.

In Alberta, we are applying advanced AI tools in our own defense. Two new AI-driven cyber agents, a Red and a Blue, now run against our own code as a standing part of the toolkit, and they are a recent and fast-growing part of the arsenal. The paper Red, Blue, Green, and Yellow Agents covers them in detail; here it is enough to say that the defenders now have the machine on their side too.

## §02 A sprawling attack surface

The shape of the estate widens the target. Over decades, different Ministerial delivery teams adopted a range of shifting technologies, and the result is too many operating systems, too many languages, and too many dependencies, each one its own set of potential vulnerabilities. Every stack we run is another perimeter to protect.

To defend this broad domain, we needed to see the shape of it. We deployed AI agents to analyze GitHub commit histories, traced open-source code contributions that originated in foreign countries, and shut down the systems and dependencies linked to them. Our AI agents also surfaced instances where staff had mistakenly committed secrets into the code repositories. AI surfaced these in 2025, and we put controls in place that removed, cycled, or invalidated every one of them, closing the matter in Alberta.
Unmitigated, such secrets would represent serious exposures for governments and organizations around the world. AI found the issues, and the human teams closed them.

These insights have driven Technology and Innovation to become a much more 'opinionated' and standards-driven organization. By setting clear standards for net new development, which will be enforced through AI-based delivery methods (see the white paper The Well Built Harness), we are closing this attack surface and rationalizing into well-supported open-source platforms and technologies.

## §03 The evolving threat landscape

As quickly as we are closing off issues, new challenges are emerging. Through 2026, attackers have shifted from breaching the perimeter directly to poisoning the well. By compromising open-source repositories used by hundreds of millions of products, bad actors can breach thousands of organizations at once. A recent campaign injected malicious code into more than five thousand five hundred open-source repositories, which allowed threat actors to harvest massive amounts of API tokens, SSH keys, and cloud credentials. One such attack hijacked a release of Axios, a popular JavaScript package downloaded more than 100 million times a week, and pushed remote-access trojans straight onto developer machines and into continuous-integration pipelines. AI is enabling the bad actors, so our defences need to evolve too.

## §04 The cost of cyber exposure

Identification of vulnerabilities is getting much easier because of AI. The hard part is finding the room to remediate. When a legislative change carries a hard deadline, there is no flexibility on delivery. Historically, Technology and Innovation has built agile delivery teams from individual contractor resources, known as 'Contingent Labour', to stand up new solutions. These teams run in parallel with those implementing maintenance and minor enhancements. In IT, it is difficult to return to an application once it has shipped.
Items are triaged reactively, and there is often little or no money after the completion of a project to fund remediation except in the most extreme cases, where the danger is clear and present.

The rough cost of a single government cyber incident is $5M per month. And that is closer to a best case. A significant data breach or ransomware event runs far higher. Alberta holds a firm position of never paying ransom, but the operational and reputational damage can be significant and long-lasting.

To stay ahead, Alberta proactively invests in maintaining our digital estate. In 2024-25, we spent 47 million dollars maintaining applications with upgrades and security patching to reduce vulnerabilities and chip away at the technical debt. Our dedicated cybersecurity program grew to 14.5 million dollars from 12.3 million the year before. Across the 115 applications classified as critical, 97 percent now hold tested disaster-recovery plans, up from 91 percent. The spend is real, it is rising, and it is the price of holding a line that will not hold still. The contest between cyber professionals and cyber criminals does not end, and standing still is the same as falling behind. The latest insights into this domain can be found through our industry-leading CyberAlberta platform.

AI drives down the cost of protecting the domain. We can now analyze applications for cybersecurity gaps and often remediate vulnerabilities for one to two dollars. This is only possible through the use of AI agents which are able to diligently implement tests, read logs, and remediate solutions. But first, we need to know what we are fixing.

## §05 Assessing the enterprise

Defending an estate this large means first being able to see it as a whole to gain the ground-truth intelligence of our workloads and processes. No one person or set of documentation had the whole picture. We needed a way to harvest evidence from the code itself rather than from memory and folklore. So, that is exactly what we built.
The next paper on Git Insights provides a deep dive into how we pointed AI at our entire GitHub estate, what it found, and how that evidence now informs where we defend first.

Sources for this white paper: Project Glasswing, Anthropic (2026); Hardening Firefox, Mozilla (2026); CISA supply-chain alert (2026); Zscaler supply-chain research (2026); Unit 42 on npm supply-chain attacks; Technology and Innovation 2024-2025 Annual Report.
Tags: cybersecurity, supply-chain, technical-debt, drivers, ai-agents