Protecting the Municipal Crown Jewels in a VUCA World
Municipalities are not sheltered from the effects of global tensions, which in recent years have created an environment of volatility, uncertainty, complexity and ambiguity (VUCA) for their leaders. They are increasingly exposed to geopolitical risks given Canada’s position on the world stage. Local governments are closest to the people and operate many of the services citizens and businesses depend on most, including water, transit, emergency response, social services and permitting. That proximity, combined with growing digital dependence, makes municipalities an attractive target for state-sanctioned cyber actors seeking to disrupt critical infrastructure.
Leaders have traditionally associated cyberattacks with criminal intent, such as the theft of data or money. However, the cyber risk landscape for municipalities also includes threats to local infrastructure and services from hostile regimes and their proxies. State-sanctioned attacks aim to cause disruptions that have an immediate and visible impact on the daily lives of Canadians and destabilize democratic systems.
In an environment of heightened geopolitical risk, cyber risk can no longer be treated as a technical matter managed solely within municipal IT departments. It has become a leadership and governance issue for municipal governments. Chief administrative officers (CAOs) and their senior teams must assess their vulnerabilities and chart a course of action to prepare for, mitigate and respond to cyber risks and potential impacts on critical infrastructure and services.
Cyber Risk in a VUCA World
Municipal leaders are accustomed to multifaceted challenges such as fiscal pressures, aging infrastructure, workforce issues and political shifts. What distinguishes the
current environment is how closely geopolitically driven cyber risk reflects the characteristics of a VUCA world. The Communications Security Establishment (CSE), Canada’s foreign signals intelligence agency, has warned that cyber threats against critical infrastructure have increased in both frequency and complexity, with tactics becoming more sophisticated through the use of AI.
VUCA was how the Pennsylvania-based U.S. Army War College described the strategic reality of the post-Cold War era, reflecting the unpredictability of the world at that time. It remains highly relevant for civilian leaders today. Understanding the VUCA environment can help leaders prepare, adapt and recover from unforeseen challenges. Each component of VUCA can be understood in the context of geopolitical and cyber risk.
Volatility is evident in the speed at which the cyber-threat landscape is evolving. In April, central banks and financial institutions raised concerns about the risks posed by powerful AI models to the security of banking systems. What this means for municipalities and their own systems warrants serious consideration.
Uncertainty exists because it is highly unpredictable where, when and how state-sanctioned actors will strike. In 2024, officials in British Columbia uncovered three attempts by foreign actors to infiltrate government systems. These actors often cover their tracks to avoid detection, meaning it is not always immediately clear whether systems have been compromised.
Complexity arises from overlapping activity by state and non-state actors using similar tactics but with different objectives. Already under-resourced municipalities must defend against a range of threat actors, including hostile states, cybercriminals, hacktivists and opportunistic actors, each with their own motivations.
Ambiguity makes it difficult to determine whether a cyber incident is an isolated event affecting a single municipality or part of a broader campaign targeting the country’s critical infrastructure. When a breach occurs, municipalities must assess whether the incident is local or part of a co-ordinated campaign.
Geopolitics and the evolving cyber-threat landscape reinforce that preparedness is a leadership responsibility. Municipal leaders need to be clear about what their crown jewels are, how risk is governed, how strong their cyber resilience is and how ready the organization is when disruption occurs.
Linking the Global Risk Landscape to the Local Environment
The CSE’s Canadian Centre for Cyber Security (CCCS) and the Canadian Security Intelligence Service (CSIS) have highlighted the evolving cyber-threat environment facing critical infrastructure. State-sanctioned cyber actors are becoming more aggressive, moving beyond traditional espionage toward activities intended to infiltrate civilian digital systems. The “National Cyber Threat Assessment 2025-2026” suggests that during periods of geopolitical escalation, civilian infrastructure, including that operated by municipalities, is likely to be treated as a legitimate target.
Canada’s global standing also shapes this risk environment. As a NATO member, a supporter of Ukraine and given its positions on the conflict in the Middle East, Canada is a target of hostile regimes. Also, Canada’s role in international counter-terrorism efforts has made it a target for ideologically motivated threat actors.
Local elections are taking place across Ontario this October. As municipalities deploy online voting tools, election integrity becomes a key risk. CSIS has warned that Canadian elections are susceptible to foreign interference and the CSE has advised officials to be ready to address denial-of-service attacks, electronic voting manipulation and data interference.
Disruptions to critical infrastructure from cyberattacks are no longer a remote possibility.
When Cyber Risk Becomes Public Risk
The protection of critical infrastructure was historically treated as a matter of physical security. Over time, cybersecurity has become just as important. Municipal
infrastructure is a strategic asset tied directly to public confidence and trust. Residents and businesses immediately feel a disruption to emergency operations or utility services. At that point, cyber risk becomes not only a technical issue, but also a reputational, operational and political one.
Cybersecurity has traditionally been framed as an IT responsibility. However, an attack on critical infrastructure would have immediate and serious consequences for service delivery, public safety and trust in democratic institutions.
Municipal leaders do not need to become cybersecurity experts, but they do need confidence that cyber risk in a geopolitical context is being understood, prioritized and governed appropriately across the organization.
The Municipal Governance Context
Many municipalities rely on aging systems because replacement competes directly with visible and pressing capital needs. A CAO from a mid-sized municipality shared that half the challenge is securing council support when roads, bridges and municipal buildings dominate capital discussions. This reality can make it difficult to replace legacy IT systems, even as cyber risk grows.
In Ontario, the Enhancing Digital Security and Trust Act formalizes accountability for cybersecurity, data protection and digital trust. In this context, councils exercise fiduciary responsibility over digital assets in much the same way they do over finances and physical infrastructure. Seen through this lens, councils should function more like boards of directors overseeing enterprise risk.
A councillor shared that one of the most challenging aspects of cyber governance is simply knowing what questions to ask. That uncertainty is understandable. Most councillors do not have training in cybersecurity. However, governing effectively does not mean being cybersecurity experts. In this context, it means informed questioning, appropriate risk oversight and clear strategic framing of the issues.
Geopolitical risk, aging digital infrastructure and legislative requirements are converging to create a challenging environment for municipal organizations. Protecting municipal crown jewels is ultimately about protecting people, maintaining essential services and preserving public trust. Accountability for cybersecurity is a shared responsibility. In a heightened geopolitical environment, leadership means taking cyber risk seriously.
What Municipal Leaders Should Do Next
Municipal leaders do not need to become geopolitical or cybersecurity experts. They do need a clear understanding of which systems and services their community depends on and how to protect them. CAOs and their senior teams should be regularly briefed so they can ask informed questions that support operational planning, enterprise risk management and decision-making. Where internal capacity is lacking, external cybersecurity expertise should be engaged to assess vulnerabilities and develop an action plan. In a VUCA world, it is less about having all the answers and more about knowing where the biggest risks are and whether they are being managed.
Preparation also needs to be organization-wide. Steps to consider include ensuring staff understand operational risks, maintaining reliable backups of critical information and having a clear plan for what happens during an incident. These plans should not sit on a shelf. Employees across the organization should understand their roles, how decisions will be made and how communication will work if something goes wrong. This can be reinforced through tabletop exercises. When that groundwork is in place, leaders can respond quickly and keep services running when it matters most.
Finally, resilience should guide how municipal leaders think about cyber risk and vulnerability. Disruptions to critical infrastructure from cyberattacks are no longer a remote possibility. They are something to be prepared for. This means assessing how essential services would continue if systems were unavailable. It also means staying connected to trusted sources, such as the CCCS and Cyber Security Ontario, to remain informed about emerging threats. At its core, this is about being ready to respond to attacks, recover quickly and continue delivering for the community.
Ken Chan, ICD.D, is a partner at Optimus SBR. He previously served as an assistant deputy minister in Ontario and as senior advisor, policing, in the mayor’s office at London City Hall (U.K.). He serves on several boards, including the Canadian Air Transport Security Authority (CATSA).
As published in the AMCTO Municipal Monitor.
Optimus SBR’s Municipal Practice
Optimus SBR is an independently owned Canadian management consulting firm that focuses on turning policy into action. As a trusted partner, we help municipal governments navigate complex challenges and contribute to meaningful, major transformation projects, delivering a range of services including cyber security, strategic planning, process management, program & project management, change management, AI, data & analytics, technology, experience management, and learning and development.
Let’s have a conversation today! We can help you execute what’s next.
Ken Chan, Partner and Government & Public Sector Practice Lead
Ken.Chan@optimussbr.com
Industry Insights
Service Insights
Case Studies
Company News