{
"title": "Canada Spent $1.3B on U.S. Cloud—Now Its Military Admits 'Mission-Critical' Apps Depend on AWS, Azure, and Google",
"content": "In September 2025, the House of Commons tabled answers to a parliamentary question that delivered a jolt to national security policymakers: Canada’s Department of National Defence (DND) has been running “mission-critical” applications on Amazon Web Services, Microsoft Azure, and Google Cloud. The disclosure came alongside the revelation that federal spending on U.S. hyperscaler clouds has topped $1.3 billion since 2021, with Microsoft capturing more than $1 billion of that total.
The Numbers: A $1.3 Billion Cloud Habit
The figures were released in response to a written question by Conservative MP Todd Doherty, who asked departments to disclose, fiscal year by fiscal year, their expenditures on cloud services from Amazon, Microsoft, and Google, and to identify which services support critical government functions. The government’s return (Question No. 94) laid out the numbers: approximately $1.05 billion to Microsoft, $247.4 million to Amazon (most of which went to AWS), and roughly $22 million to Google.
DND’s own slice of that pie seems modest at first glance: $4.57 million on AWS, $8 million on Microsoft services, and $835,691 on Google Cloud. But the dollar amounts are not the headline; it’s the department’s own words describing those services. “Amazon Web Services hosts several mission-critical applications that directly support operational readiness and national security,” the response stated. In another entry, it noted that “Google Cloud provides advanced artificial intelligence services that enhance operational capabilities across various defence functions,” while Microsoft Azure “hosts operational planning tools used by the Canadian Army to manage daily activities and long-term strategic initiatives.”
What’s Actually Running on Those U.S. Servers
The DND return offers specifics that move the conversation from abstract risk to concrete dependency. AWS hosts systems used by the Royal Canadian Air Force for aircraft coordination and maintenance, as well as situational awareness tools for the Canadian Army. Microsoft Azure powers the military’s pay platform, meaning soldiers’ salaries depend on a cloud service controlled by a U.S. corporation. Google Cloud’s AI services include real-time language processing that can be critical in multinational operations.
“These capabilities are essential to both domestic operations, such as emergency response, and international engagements,” DND wrote. In plain terms: if AWS suffers an outage or is compromised, aircraft maintenance scheduling could grind to a halt. If Azure goes down, soldiers might not get paid, and operational planning could be disrupted. The reliance is not on peripheral systems but on digital backbone functions.
The Legal Black Hole: CLOUD Act and Cross-Border Reach
Why does it matter that a Canadian military application sits on a server in, say, AWS’s Canada Central region? Because under the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of 2018, the American government can compel U.S.-based companies to hand over data they control, even if it’s stored in another country. Microsoft, Amazon, and Google are all U.S. companies. So while the data might physically reside in Montreal or Toronto, a U.S. law enforcement or intelligence order could theoretically force its disclosure without the knowledge of Canadian authorities.
That legal exposure is not theoretical. As trade tensions between Canada and the U.S. have heightened over the past year, the idea that sensitive defence data could be accessed by a foreign government has moved