I want to emphasize my colleague's point that it's helpful to tolerate some risk, particularly at the university level and younger, in terms of allowing people to explore computer security—professional researchers as well—without criminalizing their activity, if there's no malicious intent and if there's not deliberate harm. I think there are a number of regulations under way and laws being passed, in the States and elsewhere, in a good faith attempt to improve cybersecurity but which have the effect of stifling original research.
I obviously can't comment competently on Canadian law, but I urge you to avoid the impulse to criminalize what is essentially math and logic put into electronic form. Don't criminalize that thought process, because the same sort of creative people who are exploring those possibilities are the ones who you hope to employ one day to defend your country as well. There's nothing you can do that would hurt a relationship with the security community more quickly than to criminalize their work, or put a presumption of guilt into what may just be good-natured intellectual curiosity.