Ottawa has spent almost $1.3 billion on cloud services from American tech giants since 2021, newly tabled government documents reveal. The Department of National Defence (DND) acknowledged that some of those platforms host systems it calls “mission-critical,” including aircraft maintenance coordination for the Royal Canadian Air Force and the military’s pay platform. The disclosures arrived in a House of Commons response to a parliamentary question from Conservative MP Todd Doherty and lay bare a deep but uneasy reliance on U.S. infrastructure—just as Prime Minister Mark Carney talks up a Canadian sovereign cloud.

The Numbers Behind the Cloud Spend

Doherty’s question asked every federal department and agency to account for spending on cloud services from Amazon, Microsoft, and Google since 2021, flagging any that underpin critical government functions. The answers, summarized by The Canadian Press, show a government firmly in the U.S. cloud orbit.

Microsoft captured the lion’s share: over $1 billion. Amazon collected roughly $247.4 million, almost all for Amazon Web Services. Google received about $22 million. While those headline figures cover all departments, DND’s own slice is modest in dollar terms—$4.57 million to AWS, $8 million to Microsoft, and $835,691 to Google—but outsized in operational significance.

The departmental response spells out exactly what runs where:

  • AWS hosts systems for Royal Canadian Air Force aircraft coordination and maintenance, plus situational-awareness tools used by the Canadian Army.
  • Microsoft Azure underpins the military pay platform and operational planning tools the Army uses for daily activities and long-term strategy.
  • Google Cloud supplies advanced AI services, including real-time language processing, that enhance defence capabilities.

DND already operates multi-cloud environments certified to handle Protected B data—a Canadian government classification covering sensitive but unclassified material—and reports running more than 70 applications on Azure, over 50 on AWS, and more than 10 on Google Cloud. The department thus lives an operational reality that is simultaneously pragmatic and precarious.

Why This Matters for Security and Sovereignty

When a nation’s military threads mission-critical workloads through servers owned by foreign companies, the legal and practical risks multiply. The U.S. CLOUD Act, passed in 2018, allows American law enforcement to compel U.S.-based providers to hand over data even if that data resides outside the United States. In a period of bruising trade disputes between Ottawa and Washington, the idea that Canadian defence data could be reached by a foreign power’s legal process is a hard political sell.

Civil liberties advocates and national-security analysts have warned for years that the CLOUD Act creates a backdoor tension for any country that depends on American cloud infrastructure. Though the law also provides for bilateral executive agreements to govern cross-border access, no such pact yet fully insulates Canadian government data from U.S. warrants. The legal exposure is real; it cannot be wished away by encryption alone.

Operationally, outsourcing the digital backbone of aircraft logistics, pay systems, and battlefield planning software introduces another layer of fragility. An outage at a hyperscaler, a supply-chain compromise, or a misconfiguration could cascade into tangible military effects. And because cutting-edge AI toolchains are deeply integrated into each provider’s ecosystem, swapping one cloud for another isn’t as simple as flipping a switch.

For Canadian taxpayers, the disclosure poses a direct question: Is it acceptable that sensitive defence data flows through infrastructure that Washington can legally poke into? The government’s own response acknowledges the stakes. DND’s filing calls the affected applications “essential to both domestic operations, such as emergency response, and international engagements.”

How Canada Ended Up Relying on U.S. Clouds

The path to this $1.3-billion dependency didn’t start yesterday. Governments worldwide sprinted to the cloud over the last decade, drawn by elastic computing, cutting-edge AI services, and the promise of shrugging off aging data centres. Canada’s Shared Services Canada, the central IT agency, actively encouraged departments to adopt cloud-first strategies, and the big three U.S. providers offered compliance packages that checked many procurement boxes.

Microsoft, in particular, cemented its position with long-standing enterprise agreements and productivity suites already woven into the public-sector fabric. Azure’s government regions promised residency controls, and AWS and Google followed with similar assurances. The convenience was undeniable; the costs, at least in the short term, appeared lower than building sovereign capacity from scratch.

The CLOUD Act scrambled the sovereignty calculus almost as soon as it passed. Legal scholars and parliamentarians warned that Canadian data could be swept up in U.S. investigations, but procurement momentum and the sheer difficulty of extracting petabyte-scale workloads from a tightly integrated ecosystem muted any immediate policy correction.

Then came the trade war. Tariffs, diplomatic spats, and a new prime minister talking openly about “sovereign compute” transformed an abstract legal concern into a live political issue. Carney’s recent musing—that a Canadian sovereign cloud would “build compute capacity and data centres that we need to underpin Canada’s competitiveness, to protect our security and to boost our independence and sovereignty”—framed the current spending as a vulnerability to be solved, not a bargain to be celebrated.

Practical Steps for Organizations and Concerned Citizens

For IT managers inside government or in heavily regulated industries, the Canadian cloud exposure offers a real-world case study in risk management. The playbook isn’t a single dramatic migration but a layered defence.

Classify ruthlessly. Not every workload is mission-critical in a national-security sense. Tag data and applications by sensitivity and legal exposure. Only a subset demands the highest level of sovereign control—personnel records, operational logistics, classified intelligence feeds. Everything else can benefit from hyperscaler innovation under tighter supervision.

Encrypt and control the keys. Customer-managed encryption keys, external key-management services, and confidential computing (such as Azure Confidential Computing or AWS Nitro Enclaves) raise the technical bar against unauthorized access. They don’t nullify a CLOUD Act demand, but they can make wholesale data extraction far harder and change the legal calculus for a provider faced with an overly broad warrant.

Negotiate better contracts. Government procurement teams should insist on operational segregation—dedicated administrative planes, personnel cleared to Canadian standards, and robust audit rights. The hyperscalers’ existing “sovereign cloud” products (e.g., AWS GovCloud, Microsoft Cloud for Sovereignty) aren’t silver bullets, but they do impose additional physical and administrative controls that reduce some risk vectors.

Build portability into every deployment. Containerize applications, favour open standards, and include explicit data-exportability clauses. Competition works only when switching is feasible, not just theoretically possible.

Advocate for a clear national framework. Citizens and businesses can press Ottawa to articulate which categories of data must reside in sovereign infrastructure and to pair that mandate with realistic funding. A sovereign cloud won’t materialize from speeches alone; it requires capital investment, skilled personnel, and procurement reform that levels the playing field for Canadian providers.

For individuals, the takeaway is simpler but no less important: government cloud choices influence the security of public services and the privacy of citizen data. In a world where cross-border legal reach is a fact of life, supporting policies that protect digital sovereignty is an investment in national resilience.

What Comes Next

Ottawa’s sovereign cloud ambition is no longer a background policy paper. It will feature in upcoming budgets and likely attract intense lobbying from both domestic tech firms and the incumbent hyperscalers. Watch for pilot projects targeting AI compute and secure enclaves, where classified analytics demand the tightest control. The European Union’s Gaia-X initiative and similar sovereign-cloud experiments abroad offer both inspiration and cautionary tales about how hard it is to build a competitive alternative from scratch.

Meanwhile, the CLOUD Act isn’t going away. Bilateral negotiations could yield a U.S.-Canada executive agreement that sets clearer rules for cross-border data requests, but the current trade climate does not make that a fast-track item. In the interim, every new defence application deployed on a U.S. cloud will add to the technical debt that a future sovereign shift would have to unwind.

The $1.3-billion figure is a marker of how far Canadian digital infrastructure has drifted into foreign territory. Whether Ottawa can pull it back—and at what cost—is now a question for the House of Commons, the IT community, and the public.