Canadian Centre for Cyber Security Events

<article data-history-node-id="6471" about="/en/guidance/roadmap-migration-post-quantum-cryptography-government-canada-itsm40001" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>June 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.40.001</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>June 2025 | Management series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.40.001-e.pdf">Roadmap for the migration to post-quantum cryptography for the Government of Canada – ITSM.40.001 (PDF, 634 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span> <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on June 23, 2025</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: June 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#0">Overview</a></li> <li><a href="#1">1 Introduction</a></li> <li><a href="#2">2 Stakeholders and planning</a></li> <li><a href="#3">3 Execution phases</a> <ul><li><a href="#3.1">3.1 Preparation</a> <ul><li><a href="#3.1.1">3.1.1 Roles and responsibilities</a></li> <li><a href="#3.1.2">3.1.2 Financial planning</a></li> <li><a href="#3.1.3">3.1.3 Education strategy</a></li> <li><a href="#3.1.4">3.1.4 Procurement policies</a></li> <li><a href="#3.1.5">3.1.5 Plan approaches for identification</a></li> </ul></li> <li><a href="#3.2">3.2 Identification</a></li> <li><a href="#3.3">3.3 Transition</a></li> </ul></li> <li><a href="#4">4 Milestones and deliverables</a></li> <li><a href="#5">5 Governance and coordination</a> <ul><li><a href="#5.1">5.1 Relevant Government of Canada governance bodies</a></li> <li><a href="#5.2">5.2 Reporting on progress</a></li> <li><a href="#5.3">5.3 Additional resources and support</a></li> </ul></li> </ul></details></section><section><h2 class="text-info" id="0">Overview</h2> <p>Every organization managing information technology (IT) systems must migrate cyber security components to become quantum-safe. This will help protect against the cryptographic threat of a future quantum computer. The Cyber Centre recommends the adoption of standardized post-quantum cryptography (PQC) to mitigate this threat.</p> <p>This publication outlines the Cyber Centre’s recommended roadmap for the Government of Canada (GC) to migrate non-classified <abbr title="information technology">IT</abbr> systems<sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup> to use <abbr title="post-quantum cryptography">PQC</abbr>, including milestones, deliverables, and guidance for departmental planning and execution.</p> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul></section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>The Cyber Centre recommends organizations managing <abbr title="information technology">IT</abbr> systems migrate to use <abbr title="post-quantum cryptography">PQC</abbr> in order to replace public-key cryptography vulnerable to a future quantum computer<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup>. All instances of public-key cryptography must be migrated to secure <abbr title="Government of Canada">GC</abbr> <abbr title="information technology">IT</abbr> systems and Canadians’ data against this threat.</p> <p>The United States’ National Institute of Standards and Technology (NIST) has worked globally with cryptographic experts to standardize <abbr title="post-quantum cryptography">PQC</abbr> algorithms that can replace existing vulnerable public-key cryptography. Cyber Centre recommendations for <abbr title="post-quantum cryptography">PQC</abbr> algorithms are provided in <a href="https://www.cyber.gc.ca/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP 40.111)</a>. As standards for network security protocols support <abbr title="post-quantum cryptography">PQC</abbr> algorithms, the Cyber Centre will update the <a href="https://www.cyber.gc.ca/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a> publication. Vendors are incorporating <abbr title="post-quantum cryptography">PQC</abbr> in their products to rapidly meet the needs of government and industry.</p> <p>The <abbr title="post-quantum cryptography">PQC</abbr> migration within the <abbr title="Government of Canada">GC</abbr> will require significant commitment and take several years. The Cyber Centre is working with Treasury Board of Canada Secretariat (TBS) and Shared Services Canada (SSC) to prepare necessary updates to <abbr title="Government of Canada">GC</abbr> guidance, support and policy. Departments will need to clearly understand their cryptography usage. <abbr title="information technology">IT</abbr> infrastructure, both hardware and software, and data will need to be analyzed across the entire enterprise. Starting the <abbr title="post-quantum cryptography">PQC</abbr> migration early is important to leverage existing <abbr title="information technology">IT</abbr> lifecycle budgets as much as possible.</p> <p>This publication is the Cyber Centre’s recommended roadmap for the migration of non-classified <abbr title="information technology">IT</abbr> systems within the <abbr title="Government of Canada">GC</abbr> to use <abbr title="post-quantum cryptography">PQC</abbr>. It outlines the stakeholders, execution phases, milestones and governance involved in this <abbr title="Government of Canada">GC</abbr>-wide cyber security activity. The intention is to provide key activities and timelines that will assist in coordination of departmental planning activities for migrating to <abbr title="post-quantum cryptography">PQC</abbr> across the <abbr title="Government of Canada">GC</abbr>. It is aimed at directors and managers of <abbr title="information technology">IT</abbr> systems in federal departments and agencies and decision makers accountable for the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="2">2 Stakeholder and planning</h2> <p>The Cyber Centre is the lead technical authority for information technology (IT) security in the <abbr title="Government of Canada">GC</abbr><sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. As part of Canada’s cryptologic agency, the Communications Security Establishment Canada, the Cyber Centre:</p> <ul><li>promotes awareness of the quantum computing threat to cryptography to <abbr title="Government of Canada">GC</abbr> departments</li> <li>provides guidance on cryptographic recommendations, such as the use of <abbr title="post-quantum cryptography">PQC</abbr></li> <li>provides recommendations on incorporating cryptography into a strong cyber security posture</li> </ul><p>The Cyber Centre will continue to provide relevant advice and guidance to support <abbr title="Government of Canada">GC</abbr> departments and agencies in the migration to <abbr title="post-quantum cryptography">PQC</abbr>.</p> <p><abbr title="Treasury Board of Canada Secretariat">TBS</abbr> is responsible for establishing and overseeing a whole-of-government approach to security management, including cyber security, through policy leadership, strategic direction, and oversight. In May 2024, <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> published the <a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/enterprise-cyber-security-strategy.html">Government of Canada’s Enterprise Cyber Security Strategy</a> identifying a key action to transition <abbr title="Government of Canada">GC</abbr> systems to use standardized <abbr title="post-quantum cryptography">PQC</abbr> to protect <abbr title="Government of Canada">GC</abbr> information and assets from the quantum threat. <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> will issue the necessary policy instruments to require responsible officials to establish a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan as well as report on progress under existing departmental reporting processes.</p> <p><abbr title="Shared Services Canada">SSC</abbr> manages <abbr title="information technology">IT</abbr> infrastructure and services on behalf of many of the departments and agencies across the <abbr title="Government of Canada">GC</abbr>. Due to its critical role in modernizing <abbr title="Government of Canada">GC</abbr> systems, <abbr title="Shared Services Canada">SSC</abbr> is already engaged in developing a plan for the migration to <abbr title="post-quantum cryptography">PQC</abbr> and is working directly with the Cyber Centre and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> to advise on the feasibility of implementation.</p> <p>Federal departments and agencies in the <abbr title="Government of Canada">GC</abbr> are accountable for managing cyber security risks in their program areas. Departments and agencies will be responsible for maintaining software hosted on <abbr title="Shared Services Canada">SSC</abbr>-managed <abbr title="information technology">IT</abbr> infrastructure, and any <abbr title="information technology">IT</abbr> infrastructure that is managed separately from <abbr title="Shared Services Canada">SSC</abbr>, including contracted cloud services. Departments and agencies will be required to develop a tailored departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan that covers the migration of systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. Departments and agencies will be responsible for executing that plan, as well as tracking and reporting on progress. This publication contains the initial considerations that can be used to develop a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan, but additional guidance and support will be provided by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr> and the Cyber Centre.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="3">3 Execution phases</h2> <p>This roadmap outlines 3 recommended phases to implement the <abbr title="post-quantum cryptography">PQC</abbr> migration. These phases will likely overlap.</p> <h3 id="3.1">3.1 Preparation</h3> <p>During the preparation phase, departments and agencies will be responsible for developing a departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems for which they are responsible to use <abbr title="post-quantum cryptography">PQC</abbr>. To develop this plan, we recommend establishing a committee and identify a dedicated migration lead. The committee should consist of stakeholders throughout the organization and should include at least one member from senior management to ensure executive buy in and support. In addition to technical areas responsible for managing <abbr title="information technology">IT</abbr> systems, we recommend the inclusion of stakeholders from non-technical areas such as finance, project management, procurement and asset management.</p> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan needs to be continually revised and expanded upon during the execution of the subsequent phases. The initial version of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan should establish the individuals responsible for the following:</p> <ul><li>execution of the plan</li> <li>financial planning</li> <li>education strategy to inform staff on the quantum threat and the progress of this migration within the organization</li> <li>procurement policies for new equipment</li> <li>approaches for the identification of vulnerable systems to build an inventory for transition</li> </ul><h4 id="3.1.1">3.1.1 Roles and responsibilities</h4> <p>The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must identify individuals responsible for various tasks in the execution of the plan. Ultimately, the Designated Official for Cyber Security (DOCS) is accountable for mitigating the quantum risk to cyber security. We recommend the <abbr title="Designated Official for Cyber Security">DOCS</abbr>, or a delegated executive official, be assigned the role of <abbr title="post-quantum cryptography">PQC</abbr> Migration Executive Lead to provide:</p> <ul><li>oversight</li> <li>accountability</li> <li>executive support for the execution of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> </ul><p>The coordination and cross-departmental engagement may be performed by a <abbr title="post-quantum cryptography">PQC</abbr> Migration Technical Lead. The Technical Lead would be responsible for facilitating coordination across the organization which may include service delivery, network management and <abbr title="information technology">IT</abbr> procurement, as well as other areas pertinent to the migration. The committee established to develop the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may be repurposed for managing the execution of the plan.</p> <h4 id="3.1.2">3.1.2 Financial planning</h4> <p>Departments and agencies should expect that many existing <abbr title="information technology">IT</abbr> systems may need to be replaced, or new service contracts put into place to support <abbr title="post-quantum cryptography">PQC</abbr>. The execution of the <abbr title="post-quantum cryptography">PQC</abbr> migration will have staffing impacts that may require new hiring, external contractors, or the realignment of roles that could affect other projects or work activities. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must have a cost estimate that includes resource allocation to complete the execution. The initial version of plan will not be comprehensive in its cost estimation, but the financial estimates can be refined as the identification and transition phases proceed.</p> <p>The costs associated with this <abbr title="post-quantum cryptography">PQC</abbr> migration may be reduced by utilizing existing IT equipment lifecycles and system modernization plans. To do so, it is critical to perform the initial phases of this plan quickly to identify where these cost efficiencies can be leveraged. Delays resulting in rushed procurement will increase costs.</p> <h4 id="3.1.3">3.1.3 Education strategy</h4> <p>It is important that staff across the organization are aware of the quantum threat and the impact it may have on the systems they use or are responsible for. The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with departments and agencies, including material produced by the Cyber Centre, such as presentations and publications for a variety of audiences. The Cyber Centre’s Learning Hub will provide course material to educate on the quantum threat to cryptography. Senior executives must be briefed to be aware of the impact the migration to <abbr title="post-quantum cryptography">PQC</abbr> will have on their operations.</p> <p>As the <abbr title="post-quantum cryptography">PQC</abbr> migration progresses, it’s important to keep senior executives informed of developments and progress, including any emerging challenges or roadblocks that teams may face.</p> <h4 id="3.1.4">3.1.4 Procurement policies</h4> <p>To maximize the lifetime of new systems, departments and agencies should ensure new procurements have requirements that support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre strongly recommends that systems employ established cyber security standards. Following standards provides assurance of independent security review and promotes interoperability to avoid vendor lock-in. Some cyber security standards are still being revised to support <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre is updating Guidance for securely configuring network protocols (ITSP.40.062) as <abbr title="post-quantum cryptography">PQC</abbr> support is finalized in standards. It is expected that support for <abbr title="post-quantum cryptography">PQC</abbr> may not be currently available in some product categories.</p> <p>The Cyber Centre has recommended contract clauses for systems containing cryptographic modules. These are available upon request and will be made more widely available. In general, departments and agencies should consider the following best practices for procurements:</p> <ul><li>contracts have clauses to ensure that the vendor will include support for <abbr title="post-quantum cryptography">PQC</abbr> that is compliant with Cyber Centre recommendations in Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</li> <li>cryptographic modules have been certified by the <a href="https://www.cyber.gc.ca/en/tools-services/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a></li> <li>support for <a href="https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">cryptographic agility</a> to allow for future configuration changes</li> </ul><p>The earlier <abbr title="post-quantum cryptography">PQC</abbr> is included in procurement clauses, the lower the costs departments will face during the migration.</p> <h4 id="3.1.5">3.1.5 Plan approaches for identification</h4> <p>The next phase in this roadmap is the identification of where cryptography is used in <abbr title="information technology">IT</abbr> systems. Sometimes called cryptographic discovery, this identification is necessary to create an inventory of systems that need to be transitioned. The departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan must include the approaches that will be undertaken to identify systems and build this inventory. More detail on identification is provided in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.2">3.2 Identification</h3> <p>Identifying where and how cryptography is used is a critical step in the process to migrate to <abbr title="post-quantum cryptography">PQC</abbr>. Systems using cryptography will include:</p> <ul><li>network services</li> <li>operating systems</li> <li>applications</li> <li>code development pipelines</li> <li>all physical <abbr title="information technology">IT</abbr> assets, such as <ul><li>server racks</li> <li>desktops</li> <li>laptops</li> <li>mobile telephones</li> <li>network appliances</li> <li>printers</li> <li>voice over Internet Protocol telephony</li> <li>hardware security modules</li> <li>smart cards</li> <li>hardware tokens</li> </ul></li> </ul><p>These may be hosted on-premises, within contracted <abbr title="information technology">IT</abbr> platforms, or a cloud service provider, or under employee possession. The scope is wide, thus making identification a challenging task.</p> <p>The information gathered in this phase will be used to create an inventory that should include the following information per system:</p> <ul><li>system components employing cryptography</li> <li>vendor and product version for each of the components</li> <li>security controls that rely upon the identified cryptography<sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup></li> <li>applicable network security zones</li> <li>current cryptographic configurations</li> <li>hosting platform</li> <li>system dependencies</li> <li>relevant service contracts and expiry dates</li> <li>expected refresh year for the system or its components</li> <li>responsible departmental point of contact</li> <li>if the system should be prioritized for migration</li> </ul><p>Other technical information may be relevant to include in the inventory. The Cyber Centre will provide additional guidance to departments as experience grows within the <abbr title="Government of Canada">GC</abbr>.</p> <p>Departments must identify systems that are a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. Systems protecting the confidentiality of information in transit over public network zones<sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup> may be at risk earlier than expected due to the harvest now, decrypt later (HNDL) threat. A <abbr title="harvest now, decrypt later">HNDL</abbr> threat is when a threat actor intercepts encrypted information, stores it and then decrypts it in the future, when sufficiently powerful quantum computers exist. It is recommended that any systems susceptible to a <abbr title="harvest now, decrypt later">HNDL</abbr> threat be a high priority for migrating to <abbr title="post-quantum cryptography">PQC</abbr>. Other considerations include the information lifespan, support for cryptographic agility, and the impact of compromise. It may be valuable to complete a risk assessment for the quantum threat to ensure that systems are properly prioritized.</p> <p>Discovery of systems containing vulnerable cryptography should utilize multiple methodologies. Leveraging existing <abbr title="information technology">IT</abbr> service management (ITSM) processes within the organization may be an efficient way to produce an initial departmental inventory. Lifecycle and change management committees should have much of the information needed for an inventory system entry. However, in practice, ITSM maturity may vary across departments.</p> <p>Software tools and services will be necessary to complete cryptographic discovery. This may leverage existing cyber security services, such as security information and event management (SIEM) solutions, network monitoring and inspection, and endpoint detection and response (EDR) technologies. These services may require configuration changes, third-party plugins, or additional filters to identify the use of cryptography. Independent tools for cryptography discovery will employ technology for scanning networks, hosts, log files, or source code. The <a href="https://www.cse-cst.gc.ca/en/accountability/transparency/reports/communications-security-establishment-annual-report-2023-2024#9-1-1">Cyber Centre’s sensors program</a> is a tool expected to assist departments in identification. Additional guidance on cryptographic discovery tools and services will be provided to departments by the <abbr title="information technology">IT</abbr> Security Tripartite, which includes <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre.</p> <p>It is important to not be overwhelmed in completing the discovery and to begin with an initial, incomplete inventory with actions to iteratively improve the data.</p> <p>During the identification phase, departments should use the inventory to engage relevant <abbr title="information technology">IT</abbr> vendors and contractors to determine their plans to implement <abbr title="post-quantum cryptography">PQC</abbr> in their products and services. Understanding which system components will be eligible for upgrades versus replacement will assist in the next phase of developing a transition plan.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h3 id="3.3">3.3 Transition</h3> <p>The transition phase leverages the inventory created in the identification phase to plan and execute system upgrades, replacement, tunnelling, and/or isolation.</p> <p>In addition to the inventory data, the plan must consider departmental resources for identifying and assessing solutions, performing necessary procurements, testing, and deployment. The plan for each system will typically require multiple stages and should be integrated with existing <abbr title="information technology">IT</abbr> change management processes to ensure proper preparation including:</p> <ul><li>an impact assessment</li> <li>a rollback playbook</li> <li>a staging environment for testing changes</li> <li>monitoring to validate successful operation post-transition</li> </ul><p>For each system, technical teams must identify and assess solutions to incorporate <abbr title="post-quantum cryptography">PQC</abbr> or otherwise mitigate the quantum threat. The availability of <abbr title="post-quantum cryptography">PQC</abbr>-capable products may be limited in the early stages, but vendors are rapidly adopting <abbr title="post-quantum cryptography">PQC</abbr> as updates to protocol standards are completed. Solutions should meet all the procurement requirements established in the Preparation phase (<a href="#3.1.4">Procurement policies 3.1.4</a>).</p> <p>Many systems will need to maintain backwards compatibility to allow for continued operation with non-transitioned systems for a period of time. The first stage for a system transition may be to support the use of <abbr title="post-quantum cryptography">PQC</abbr>, followed by a second stage to disable the vulnerable, legacy cryptography.</p> <p>It may not be feasible to transition some legacy systems to use <abbr title="post-quantum cryptography">PQC</abbr> without a full system replacement. To meet migration milestones, it may be necessary to isolate such systems on the network or to tunnel traffic within a <abbr title="post-quantum cryptography">PQC</abbr>-protected encapsulation layer. Such decisions should be made during the transition phase planning.</p> <p>Early versions of the departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan may offer limited detail on the transition phase; however, this section should be expanded as identification efforts progress.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="4">4 Milestones and deliverables</h2> <p>Milestones and deliverables for federal departments and agencies are as follows:</p> <ul><li>April 2026: Develop an initial departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan</li> <li>Beginning April 2026 and annually after: Report on <abbr title="post-quantum cryptography">PQC</abbr> migration progress</li> <li>End of 2031: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of high priority systems</li> <li>End of 2035: Completion of <abbr title="post-quantum cryptography">PQC</abbr> migration of remaining systems</li> </ul><p>These milestones for the completion of migrations implies that quantum-vulnerable algorithms are disabled, isolated or tunnelled. That is, rather than just supporting <abbr title="post-quantum cryptography">PQC</abbr>, the quantum risk has been mitigated. It will be critical for departments and agencies to create, revise and follow their departmental <abbr title="post-quantum cryptography">PQC</abbr> migration plan to migrate systems as early as possible to meet the milestone dates.</p> <p>More information on expectations for reporting progress is given in the next section.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><section><h2 class="text-info" id="5">5 Governance and coordination</h2> <h3 id="5.1">5.1 Relevant Government of Canada governance bodies</h3> <p>Departments and agencies are accountable for managing cyber security risks in their program areas. However, <abbr title="Government of Canada">GC</abbr>-wide initiatives, such as this migration to <abbr title="post-quantum cryptography">PQC</abbr>, requires a whole-of-government approach managed at the enterprise level in accordance with accountabilities outlined under the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="information technology">IT</abbr> Security Tripartite consists of the <abbr title="Treasury Board of Canada Secretariat">TBS</abbr>, <abbr title="Shared Services Canada">SSC</abbr>, and the Cyber Centre. The tripartite is a centralized body that provides advice, guidance, oversight, and direction on <abbr title="Government of Canada">GC</abbr>-wide cyber security initiatives such as the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr>. The tripartite supports departments and agencies under <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> authorities.</p> <p>The <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Review Board (<abbr title="Government of Canada">GC</abbr> EARB) provides a governance mechanism to assess if proposed enterprise systems are aligned to the <abbr title="Government of Canada">GC</abbr> Enterprise Architecture Framework. The framework ensures business, information, application, technology, security, and privacy architecture domains meet the <a href="https://www.canada.ca/en/government/system/digital-government/policies-standards/service-digital-target-enterprise-architecture-white-paper.html">Service and Digital Target Enterprise Architecture</a>. Cyber security requirements, such as compliance to the Cyber Centre’s cryptographic recommendations, are part of the <abbr title="Government of Canada">GC</abbr> Target Enterprise Architecture which is aligned with overall <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> strategic direction and <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> policy instruments.</p> <p>The <abbr title="Government of Canada">GC</abbr> has interdepartmental Quantum Science and Technology (S&amp;T) Coordination Committees at senior executive levels to synchronise efforts and maintain Canada’s leadership in quantum S&amp;T. These committees oversee the federal government’s actions supporting <a href="https://ised-isde.canada.ca/site/national-quantum-strategy/en/canadas-national-quantum-strategy">Canada’s National Quantum Strategy</a> (NQS), including the <abbr title="National Quantum Strategy">NQS</abbr> roadmap on quantum communication and post-quantum cryptography.</p> <h3 id="5.2">5.2 Reporting on progress</h3> <p>Monitoring the progress of the <abbr title="Government of Canada">GC</abbr> migration to <abbr title="post-quantum cryptography">PQC</abbr> is essential for effective activity oversight and governance. This ensures accountability and the completion of milestones. <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> oversees compliance to its policy instruments in accordance with the Treasury Board <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=17151">Framework for Management of Compliance</a>. It also tracks progress on the departmental plan on service and digital which includes cyber security, as required under the <a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=32603">Policy on Service and Digital</a>. Reporting on departmental progress and on the activities needed to complete the migration to <abbr title="post-quantum cryptography">PQC</abbr> will be requested and collected by <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> as part of the annual submissions for the departmental plan on service and digital.</p> <h3 id="5.3">5.3 Additional resources and support</h3> <p>The <abbr title="Treasury Board of Canada Secretariat">TBS</abbr> GCxchange platform will be leveraged to share artifacts with federal departments and agencies to assist in the migration to <abbr title="post-quantum cryptography">PQC</abbr>. The Cyber Centre will continue to publish guidance and recommendations for organizations on the <a href="https://cyber.gc.ca/">Cyber Centre website</a>.</p> <p>Please use the Cyber Centre contact information at the top of this page to request more information on the quantum threat, <abbr title="post-quantum cryptography">PQC</abbr>, or this roadmap.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section><!–FOOTNOTE SECTION EN–><aside class="wb-fnote" role="note"><h2 id="reference">References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p>Non-classified <abbr title="information technology">IT</abbr> systems are those that do not contain, transfer, or otherwise handle classified information. In the Government of Canada, non-classified systems manage UNCLASSIFIED, PROTECTED A, and PROTECTED B information. For classified systems and systems handling PROTECTED C information, departments must contact the Cyber Centre to obtain advice on migrating commercial equipment.</p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 2</dt> <dd id="fn2"> <p>For more information on the quantum computing threat to cryptography, read the publication <a href="https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://www.tbs-sct.canada.ca/pol/doc-eng.aspx?id=16578">Treasury Board Secretariat of Canada’s Policy on Government Security</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 4</dt> <dd id="fn4"> <p><a href="https://www.cyber.gc.ca/en/guidance/annex-3a-security-control-catalogue-itsg-33"><abbr title="information technology">IT</abbr> security risk management (ITSG-33): Annex 3A – Security control catalogue</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> <dt>Footnote 5</dt> <dd id="fn5"> <p><a href="https://www.cyber.gc.ca/en/guidance/baseline-security-requirements-network-security-zones-version-20-itsp80022">Baseline security requirements for network security zones (ITSP.80.022)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></div> </div> </div> </div> </div> </article>

The Canadian Centre for Cyber Security (Cyber Centre) and the United States’ Federal Bureau of Investigation (FBI) is warning Canadians of the threat posed by People’s Republic of China (PRC)

<article data-history-node-id="6456" about="/en/news-events/cyber-centre-advice-securing-operational-technology-systems" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) is warning Canadian organizations to defend their operational technology (OT) and industrial control systems (ICS) from malicious cyber actors.</p> <p>The Cyber Centre is aware of ongoing attempts by non-state malicious cyber actors to discover and compromise poorly secured, internet-connected <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> that provide critical services to Canadians. The motivations of malicious actors vary, including geopolitical reasons, financial gain, notoriety or a combination.</p> <p>Once they have compromised a system, these actors attempt to change device configurations and manipulate system settings. This can affect physical processes such as changing pressurization or disabling alarms and safety controls.</p> <p>This activity demonstrates reckless intent and complete disregard for real-world harm with the potential to impact the health and safety of Canadians. The Cyber Centre calls on all Canadian organizations who operate <abbr title="operational technology">OT</abbr> and <abbr title="industrial control systems">ICS</abbr> to protect their systems.</p> <p>Recent guidance from the United States’ Cybersecurity and Infrastructure Security Agency (CISA) addresses cyber threats to <abbr title="operational technology">OT</abbr> systems. The Cyber Centre strongly recommends critical infrastructure providers take the recommended steps to defend their <abbr title="operational technology">OT</abbr> assets:</p> <ul><li>Remove <abbr title="operational technology">OT</abbr> connections to the internet</li> <li>Change default passwords immediately</li> <li>Secure remote access to <abbr title="operational technology">OT</abbr> networks</li> <li>Segment <abbr title="information technology">IT</abbr> and <abbr title="operational technology">OT</abbr> networks</li> <li>Practice and maintain the ability to operate <abbr title="operational technology">OT</abbr> systems manually</li> </ul><p>Read the full factsheet: <a href="https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology">Primary Mitigations to Reduce Cyber Threats to Operational Technology</a>.</p> <p>We encourage any Canadian organizations who believe they may have been targeted by cyber threat activity to contact the Cyber Centre by email at <a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> or by phone <a href="tel:+18332923788">1-833-CYBER-88</a>.</p> <p>For more information, consult the following Cyber Centre guidance: <a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a> and <a href="https://www.cyber.gc.ca/en/cyber-security-readiness">Cyber Security Readiness</a>.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="6423" about="/en/news-events/chairs-statement-g7-cybersecurity-working-group-meeting" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>Canada, under the leadership of the Communications Security Establishment Canada (CSE) and Public Safety Canada, hosted the G7 Cybersecurity Working Group (Working Group) from May 12 to 13, 2025, in Ottawa, to discuss shared issues on cyber security and emerging technology.</p> <p>The Working Group was established in 2024 under Italy’s G7 leadership and is composed of the principals in national cyber security agencies or roles across the G7. The Working Group acts as a cyber security community of practice for the G7, and is built on shared values, shared interests and a shared vision for the future of cyberspace.</p> <p>The speed, scale and intensity of current challenges in cyberspace are unparalleled, and coordinated efforts among G7 like-minded nations are needed to meet these challenges, namely through the following objectives:</p> <ul><li>Enhancing cooperation on cyber security, through the exchange of views and information, sharing threat analysis and advancing strategies to address current and emerging challenges, including security for <abbr title="artificial intelligence">AI</abbr> and <abbr title="artificial intelligence">AI</abbr> for cyber security.</li> <li>Promoting dialogue on guidelines, standards and approaches that contribute to shaping the best practices for cyber security nationally and internationally.</li> <li>Fostering long-term resilience for new and emerging technologies that have an impact on cyber security such as quantum computing.</li> </ul><p>During the in-person Working Group meeting in Ottawa, representatives met to discuss a series of workstreams on which the group has agreed to collaborate during Canada’s 2025 G7 presidency. This included:</p> <ul><li>Reflecting the shared vision of the group through the preparation and group endorsement of a <a href="https://www.acn.gov.it/portale/en/w/una-visione-condivisa-del-g7-sull-inventario-dei-software-dell-ia">“Food for Thought” paper on a Software Bill of Materials for Artificial Intelligence (SBOM for AI)</a>. The paper reflects a mutual recognition of the fast-paced nature of this space and the need to consider similar initiatives underway in other fora to avoid duplication.</li> <li>Agreeing to advance an <a href="https://www.nisc.go.jp/news/20250613.html">initiative to address the cyber security of Internet of Things (IoT) products (Japanese and English only)</a>, taking into account both the technical and non-technical nature of cyber threats.</li> <li>Renewing a commitment to advocate for a well-planned transition to Post-Quantum Cryptography and to further explore joint technical cyber advisories to leverage the Working Group’s collective voices on cyber security matters.</li> <li>Agreeing to exchange ideas and lessons learned from policy levers for incentivising cyber security.</li> <li>Discussing the need to protect our respective critical infrastructure and improve the collective cyber resilience of essential services and systems. This work is vital to serving citizens, maintaining economic stability and national security. Through these discussions on safeguarding critical infrastructure, the Working Group seeks to mitigate risks, minimize disruptions, and enhance our ability to respond to and recover from cyber threats.</li> <li>Sharing ideas and best practices to build up the cyber security skill set, foster public-private partnerships, and continue to promote secure-by-design principles in various engagements. Developing these skills and engaging in collaboration are crucial to respond effectively to evolving threats, ensuring resilience, and fostering innovation. Further, adopting secure-by-design practices will reduce the attack surface and enhance overall cyber resilience.</li> </ul><p>The Working Group plans to continue these efforts throughout the rest of the Canadian G7 presidency in 2025, including having a second meeting in fall 2025 to review progress and finalize the work prior to transitioning the presidency of the Working Group to France for 2026.</p> <p>Sami Khoury, Principal and Co-Chair<br /> G7 Cybersecurity Working Group<br /> Communications Security Establishment Canada</p> <p>Colin MacSween, Co-Chair<br /> G7 Cybersecurity Working Group<br /> Public Safety Canada</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="6366" about="/en/news-events/executive-summary-joint-guidance-security-information-event-management-security-orchestration-automation-response" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and the following international partners in releasing updated cyber security guidance on security information and event management (SIEM) and security orchestration, automation and response (SOAR):</p> <ul><li>Czech Republic’s National Cyber and Information Security Agency (NÚKIB)</li> <li>Japan’s National Center of Incident Readiness and Strategy for Cyber Security (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>Republic of Korea’s National Intelligence Service (NIS)</li> <li>Singapore’s Cyber Security Agency (CSA)</li> <li>United Kingdom’s National Cyber Security Centre (NCSC-UK)</li> <li>United States’ Federal Bureau of Investigation (FBI)</li> <li>United States’ Cybersecurity and Infrastructure Security Agency (CISA)</li> <li>United States’ National Security Agency (NSA)</li> </ul><p><abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms offer many benefits to organizations. Both platforms can enhance an organization’s ability to detect and respond to cyber security risks by collating, analyzing and automating some aspects of an organization’s work. To function effectively, <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms rely on proper deployment and maintenance over time.</p> <p>This series of guidance includes 3 publications.</p> <h2>Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms</h2> <p>This executive summary provides considerations for organizations that are looking to procure <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms. The executive summary:</p> <ul><li>defines <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> <li>outlines the benefits and challenges associated with using <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> <li>identifies best practices for implementing and maintaining <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms</li> </ul><p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/implementing-siem-and-soar-platforms-executive-guidance">Executive guidance: Implementing security information and event management and security orchestration, automation and response platforms</a>.</p> <h2>Guidance for practitioners: Implementing security information and event management and security orchestration, automation and response platforms and their implementation</h2> <p>This joint guidance provides high-level direction for cyber security practitioners on <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms. Cyber security practitioners in government and other organizations can leverage this guidance to implement <abbr title="security information and event management">SIEM</abbr> and <abbr title="security orchestration, automation and response">SOAR</abbr> platforms.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/implementing-siem-and-soar-platforms-practitioner-guidance">Guidance for practitioners: Implementing security information and event management and security orchestration, automation and response platforms and their implementation</a>.</p> <h2>Guidance for practitioners: Priority logs for security information and event management ingestion</h2> <p>This joint guidance is intended for cyber security practitioners. It provides recommendations for logs that should be prioritized for ingestion by a <abbr title="security information and event management">SIEM</abbr> platform, as well as tips on querying the platform.</p> <p>Read <a href="https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/system-monitoring/implementing-siem-and-soar-platforms/priority-logs-for-siem-ingestion-practitioner-guidance">Guidance for practitioners: Priority logs for security information and event management ingestion</a>.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="6340" about="/en/news-events/joint-advisory-russian-cyber-campaign-targeting-logistics-providers-companies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ National Security Agency (NSA) and multiple international partners in issuing the following joint advisory.</p> <p>The advisory concerns Russian state-sponsored cyber activity targeting Western logistics providers and <abbr title="information technology">IT</abbr> companies, particularly those involved in delivering foreign assistance to Ukraine.</p> <p>Known targets include government organizations and commercial entities in <abbr title="North Atlantic Treaty Organization">NATO</abbr> member states and Ukraine as well as international organizations. Target sectors include:</p> <ul><li>the defence industry</li> <li>transportation and transportation hubs, such as ports and airports</li> <li>the maritime sector</li> <li>air traffic management</li> <li><abbr title="information technology">IT</abbr> services</li> </ul><p>The espionage-oriented cyber campaign is attributed to a group (military unit 26165) within the Russian General Staff Main Intelligence Directorate (GRU). This unit is commonly known to the cyber security community as APT28, Fancy Bear, Forest Blizzard or Blue Delta.</p> <p>The campaign uses a mix of tactics, techniques and procedures (TTPs) previously used by unit 26165, including:</p> <ul><li>password spraying</li> <li>spearfishing</li> <li>modification of Microsoft Exchange mailbox permissions</li> </ul><p>The advisory warns executives and network defenders at logistics providers and technology companies to:</p> <ul><li>be aware of the increased threat</li> <li>adjust their cyber security posture with a presumption of targeting</li> <li>increase monitoring and threat-hunting for the <abbr title="tactics, techniques and procedures">TTPs</abbr> and indicators of compromise listed in this advisory</li> <li>take the recommended mitigation actions</li> </ul><p>Read the full joint advisory <a href="https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF">Russian <abbr title="General Staff Main Intelligence Directorate">GRU</abbr> Targeting Western Logistics Entities and Technology Companies (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="651" about="/en/guidance/security-considerations-voice-activated-digital-assistants-itsap70013" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–Info across the top under the image–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>May 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.70.013</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>May 2025 | Awareness series</strong></p> </div> <div class="col-md-12 mrgn-tp-lg"> <p>Voice-activated digital assistants are a type of smart device that can control other devices when prompted by a human voice. They can perform a variety of tasks, such as checking the weather, adjusting the thermostat and playing music. Voice-activated digital assistants can connect to the Internet, allowing them to communicate with other smart devices and form a vast network known as the Internet of Things (IoT). Although they can be convenient, it is important to consider the cyber security risks associated with voice-activated digital assistants before integrating them into your network.</p> <div class="row"> <h2 class="text-info">On this page</h2> <ul><li><a href="#voice-activated">How voice-activated digital assistants work</a></li> <li><a href="#risks-digital-assistants">Risks associated with digital assistants</a></li> <li><a href="#attack-methods">Attack methods</a></li> <li><a href="#selecting-vendor">Considerations for selecting a vendor</a></li> <li><a href="#securing-digital-assistant">Securing your digital assistant</a></li> <li><a href="#steps-address">Steps to address a compromise</a></li> </ul></div> <div class="row"> <h2 class="text-info" id="voice-activated">How voice-activated digital assistants work</h2> <p>Voice-activated digital assistants come in various forms, such as smart speakers, smartwatches and smartphone applications. These devices respond to human commands through voice recognition technology. They record and listen for commands or trigger words. Once triggered, the device captures the request and searches the Internet for a suitable response or carries out the requested action. These devices also listen and parse conversation for the purposes of targeted marketing.</p> <p>Voice-activated digital assistants use algorithms and machine learning to improve their performance over time. They create user profiles to identify individuals who issue commands, allowing for more personalized interactions. This involves saving voice recognition data and storing information about the resources and smart devices they use to fulfill your requests. For example, digital assistants may retain data such as websites visited and settings for controlling your home appliances or security cameras. Although digital assistants can create profiles to recognize voice commands from a particular individual, they will record and respond to any voice command they can interpret.</p> </div> <div class="row"> <h2 class="text-info" id="risks-digital-assistants">Risks associated with digital assistants</h2> <p>Voice-activated digital assistants are high-value targets for cyber threat actors who want to steal sensitive information. The interconnected nature of these devices means that a vulnerability in one digital assistant or a device connected to it can compromise the security of the entire network.</p> <p>Cyber threat actors can take advantage of these vulnerabilities in various ways, including:</p> <ul><li>accessing personal information, such as <ul><li>usernames</li> <li>passwords</li> <li>other sensitive account details</li> </ul></li> <li>learning whether you are at home or away</li> <li>tampering with other connected smart device controls to compromise security and integrity, such as <ul><li>adjusting temperature settings</li> <li>unlocking doors</li> <li>disabling alarms</li> </ul></li> </ul><p>There are also additional risks tied to some of the features of digital assistants.</p> </div> <div class="row"> <h2 class="text-info">Storing voice recognition recordings and transcripts</h2> <p>Devices can retain a voice-to-text transcription when the device sends a recorded voice command to a cloud-based resource. This data could contain confidential information, particularly if the voice service was triggered accidentally. Be aware of vendors’ privacy policies. Vendors often have terms that allow them to retain recordings or transcriptions for quality improvement or to share with partners.</p> </div> <div class="row"> <h2 class="text-info">Eavesdropping on sensitive conversations</h2> <p>Voice commands for activities like controlling lights or changing music have a minimal risk of capturing background conversation. However, there are other scenarios where captured background conversations can be risky. For example, connecting a voice assistant to a business platform to dictate the content of your emails could give it access to sensitive conversations. Threat actors can leverage this data to conduct dolphin attacks or make unauthorized purchases. You should turn on confirmation dialogs to minimize the risk of accidental or unauthorized transactions. This will prompt your device to repeat your command and confirm that you want to proceed. Modern devices that have on-device voice recognition can be safer.</p> </div> <div class="row"> <h2 class="text-info" id="attack-methods">Attack methods</h2> <p>Cyber threat actors could target your digital assistant through methods such as a "dolphin" attack or malware.</p> <h3>"Dolphin" attack</h3> <p>A "dolphin" attack broadcasts ultrasonic frequency sounds which are inaudible to the human ear but trigger the recording feature in digital assistants. These high-frequency sounds can be embedded into videos, websites or even physical devices enabling threat actors to target digital assistants within range. By emitting these sounds, threat actors can trigger the digital assistant to initiate actions, such as transferring files, making unauthorized purchases and stealing sensitive data.</p> <h3>Malware</h3> <p>Malware is a common method used by cybercriminals to compromise digital assistants. It infects these devices through disguised applications, malicious attachments and links. Malware is very hard to detect and diagnose on digital assistants. Once inside, threat actors can use malware to record your voice and use the recording for other malicious activities, such as bypassing voice recognition authentication on your other devices.</p> </div> </div> </div> <hr /><div class="row"> <h2 class="text-info" id="selecting-vendor">Considerations for selecting a vendor</h2> <p>When selecting a vendor for voice-activated digital assistants, ensure you understand the terms and conditions in your vendor’s end-user licence agreement. Consider the following questions when selecting a vendor:</p> <ul><li>Is there an option for a "tap to activate" mode?</li> <li>Is there an option to turn off the listening function to safeguard private events and conversations?</li> <li>What data is sent to their voice processing service?</li> <li>What information is returned in response to a service or application request?</li> <li>Who has access to raw voice or text data?</li> <li>How is retained data used and for how long?</li> <li>Is the data generated by the device encrypted?</li> <li>Where is data stored?</li> <li>Is data shared with any third parties?</li> </ul><p>Review vendors’ privacy policies and security practices. Research reviews and security ratings to determine whether the vendor’s databases have vulnerabilities or if their storage facilities have been breached. Consider products that offer local data storage options, as opposed to cloud-based storage. Storing data locally on the device can reduce the risk of exposure to cloud-based vulnerabilities and breaches.</p> <h2 class="text-info" id="securing-digital-assistant">Securing your digital assistant</h2> <p>When setting up your device or digital assistant, you should identify what potentially sensitive information it can access via your network. Consider isolating your digital assistant on a separate network, such as a guest network, to protect your main network should a compromise occur. You should also consider implementing the following best practices to secure your device.</p> <ul><li>Use a unique, strong password or passphrase for your digital assistant</li> <li>Set a PIN on your digital assistant to prevent unauthorized use of the voice assistant</li> <li>Use multi-factor authentication (MFA) to secure accounts and devices on your network</li> <li>Turn off your digital assistant when discussing personal or sensitive information in its vicinity</li> <li>Verify if your device allows you to turn off active listening features</li> <li>Review the microphone permissions granted to applications on your device</li> <li>Deactivate features that allow the digital assistant to perform security-sensitive operations, such as unlocking doors or controlling cameras</li> <li>Disconnect remote access functions on devices if they are not required</li> <li>Update and patch software and firmware frequently</li> <li>Use a virtual private network (VPN) on the network to which your digital assistant is connected</li> <li>Review permissions on your apps to determine whether or not they require access to your microphone and your conversations</li> <li>Delete your voice request history regularly to ensure that there is no memory bank of your voice profile and the content of your conversations</li> <li>Check your privacy settings and make sure you are not sharing more data than necessary</li> <li>Download apps from official stores only, and avoid third-party apps that may be more likely to contain malware</li> </ul></div> <div class="row"> <h2 class="text-info" id="steps-address">Steps to address a compromise</h2> <p>If you suspect malicious activity on your voice-activated digital assistant or other smart devices, you must act quickly to minimize the potential damage. You should take the following steps:</p> <ol><li>Power down the IoT device immediately</li> <li>Contact your mobile service provider to locate the point of intrusion and determine what data has been compromised</li> <li>Perform a factory reset immediately to remove any malicious software or configurations</li> <li>After resetting, update your device with the latest version and relevant security patches</li> <li>Consider both network-based and host-based monitoring solutions on your network</li> <li>Change the passphrases for all affected accounts and devices, ensuring they are strong and unique</li> </ol><p>Learn more about <a href="/en/incident-management">reporting cyber incidents to the Cyber Centre</a>.</p> <h2 class="text-info">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/internet-things-iot-security-itsap00012">Internet of Things (IoT) security (ITSAP.00.012)</a></li> <li><a href="/en/guidance/virtual-private-networks-itsap80101">Virtual private network (ITSAP.80.101)</a></li> <li><a href="/en/protecting-your-information-and-data-when-using-applications-itsap40200">Protecting your information and data when using applications (ITSAP.40.200)</a></li> <li><a href="/en/guidance/have-you-been-hacked-itsap00015">Have you been hacked? (ITSAP.00.015)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> </ul></div> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="6307" about="/en/guidance/recommended-contract-clauses-security-operations-centre-procurement-itsm00500" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Management series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSM.00.500</strong></p> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Management series</strong></p> </div> <!–pdf download–> <div class="col-md-12 mrgn-tp-lg"> <div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/itsm.00.500-en.pdf">Recommended contract clauses for security operations centre procurement – ITSM.00.500 (PDF, 552 KB)</a></p> </div> <h2 class="text-info mrgn-tp-0">Foreword</h2> <p>This is an UNCLASSIFIED publication, issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information or to suggest amendments, email or phone our Contact Centre:</p> <p><span class="glyphicon glyphicon-envelope"></span><span class="wb-inv">email</span><a href="mailto:contact@cyber.gc.ca">contact@cyber.gc.ca</a> |<span class="glyphicon glyphicon-phone"></span><span class="wb-inv">Mobile</span> <a href="tel:613-949-7048">613-949-7048</a> or <a href="tel:+1-833-292-3788">1<span>‑</span>833<span>‑</span>CYBER<span>‑</span>88</a></p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 23, 2025</p> <h2 class="text-info">Revision history</h2> <ol><li>First release: April 23, 2025</li> </ol></div> </div> <section><details class="mrgn-tp-md"><summary><h2 class="h3">Table of contents</h2> </summary><ul class="list-unstyled"><li><a href="#1">1 Introduction</a> <ul><li><a href="#1-1">1.1 Scope</a></li> <li><a href="#1-2">1.2 Guiding Publications</a> <ul><li><a href="#1-2-1">1.2.1 Government of Canada resources</a></li> <li><a href="#1-2-2">1.2.2 Industry and other resources </a></li> <li><a href="#1-2-3">1.2.3 Recommended nomenclature </a></li> </ul></li> </ul></li> <li><a href="#2">2 Security operations centre provider selection process </a> <ul><li><a href="#2-1">2.1 Main services for consideration in a security operations centre </a> <ul><li><a href="#2-1-1">2.1.1 Security operations, monitoring and reporting</a></li> <li><a href="#2-1-2">2.1.2 Incident support </a></li> <li><a href="#2-1-3">2.1.3 Threat analysis and intelligence </a></li> <li><a href="#2-1-4">2.1.4 Documentation and standard operating procedures </a></li> <li><a href="#2-1-5">2.1.5 Additional capabilities: Advanced incident management support, forensics and malware analysis </a></li> <li><a href="#2-1-6">2.1.6 Security technologies maintenance and operation </a></li> </ul></li> </ul></li> </ul><p><a href="#3">3 Vendor readiness </a><br /><a href="#4">4 Terms and conditions </a><br /><a href="#5">5 Summary </a></p> </details><details class="mrgn-tp-md"><summary><h2 class="h3">Disclaimer</h2> </summary><p>The information provided in this document is provided "as-is", without warrantee or representation of any kind, to be used at the users’ discretion. The users of this information shall have no recourse against any of the authors for any loss, liability, damage or cost that may be suffered or incurred at any time arising for the use of information in this document.</p> </details></section><section><h2 class="text-info" id="overview">Overview</h2> <p>To effectively protect against cyber threats, it’s essential for your organization to have comprehensive visibility and control over its digital infrastructure and activities. Implementing a security operations centre (SOC) is one way to achieve this. To successfully deploy and manage a SOC, it’s critical to establish clear contract clauses and principles when contracting the SOC to a managed security provider (MSP) or managed security service provider (MSSP). This ensures mutual understanding and documentation of expectations.</p> <p>Key components of cyber security services must be outlined in these contracts. These include service-level agreements (SLAs), task orders, and governing standards, among others. Collectively, they form a prescriptive service framework, assuring clients that they will receive the expected services and solutions. This framework also guarantees the security of their data and identities.</p> <p>This publication details the specific services, deliverables and responsibilities expected from an MSP/MSSP, as well as those of the organization procuring these services. The recommendations should be interpreted in the context of both the functional and fiduciary aspects of service contracting with any managed service provider.</p> </section><section><h2 class="text-info" id="1">1 Introduction</h2> <p>As digital threats escalate, organizations increasingly rely on SOC services to monitor information security and manage digital risks effectively. While the specific functions of an SOC can vary, they typically involve centralized monitoring of the overall security posture through the collection of log data from network devices and systems. SOCs also rely on tools such as security information and event management (SIEM) systems, which interpret log data and correlate it with network incidents. Additionally, threat intelligence plays a crucial role in SOC operations by assessing events related to network systems.</p> <p>Given the complexity of building a mature SOC from the ground up, this publication aims to outline fundamental expectations for evaluating SOC contracts and identifying procurement risks. These considerations should be aligned with the main functional and fiduciary aspects of contracting, whether your organization is working with an MSP or an MSSP.</p> <p>While service providers may propose initial foundational service terms and conditions, management is responsible for ensuring that these terms address the organization’s business security needs and remain flexible for future adjustments. The terms and conditions in the service contract should be designed to yield the best business outcomes for your organization. It is crucial for your organization to take proactive steps to guarantee service provisions, including mechanisms for identifying, preventing, detecting, responding to and recovering from security risks.</p> <p>The clauses outlined in this publication are not legal advice but provide context for evaluating SOC services and understanding the terms and conditions from potential service providers.</p> </section><div class="clearfix"> </div> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <section><h3 id="1.1">1.1 Scope</h3> <p>This publication provides practical advice and guidance on contracting SOC services from a cyber security perspective. It is relevant for both the consuming organizations and the service providers. While the examples presented here are not exhaustive or definitive best practices, they do offer valuable insights based on successful applications by government and industry partners.</p> <p>Please note that despite the TLP:CLEAR classification, standard copyright rules apply. The contents of this document are protected and should not be reproduced or distributed without proper authorization.</p> <h3 id="1-2">1.2 Guiding publications</h3> <p>In preparing this guidance, the Cyber Centre considered inputs from the following reference publications and frameworks.</p> <h4 id="1-2-1">1.2.1 Government of Canada resources</h4> <ul><li><a href="https://www.cyber.gc.ca/en/guidance/best-practices-setting-security-operations-centre-soc-itsap00500">Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)</a></li> <li><a href="https://buyandsell.gc.ca/cds/public/2018/12/18/53dc132a073954be5c139c9604d11d15/attachment_4.2_supply_chain_integrity_process.pdf">Supply chain integrity (SCI) process and assessment requirements (PDF)</a></li> <li><a href="https://www.cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations">Baseline cyber security controls for small and medium organizations</a></li> <li><a href="https://canadabuys.canada.ca/documents/pub/att/2022/03/15/601123b618f63d186d4988c1e06f4a4e/annex_a_-_schedule_1_-_security_obligations_-_en.pdf">Schedule 1 – Security obligations for Tier 2 Software as a Service (SaaS) (PDF)</a></li> <li><a href="https://buyandsell.gc.ca/cds/public/2022/03/15/7247efa8ea946aca0c70ea8726459006/annex_a_-_schedule_2_-_privacy_obligations_-_en.pdf">Schedule 2 – Privacy obligations (PDF)</a></li> </ul><h4 id="1-2-2">1.2.2 Industry and other resources</h4> <ul><li><a href="https://www.fedramp.gov/assets/resources/documents/agency_control_specific_contract_clauses.pdf">Federal Risk and Authorization Management Program (FedRAMP) Control-Specific Contract Clauses version 3.0 (PDF)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/171/a/final">Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171)</a></li> <li><a href="https://csrc.nist.gov/pubs/sp/800/172/final">Enhanced Security Requirements for Protecting Controlled Unclassified Information (NIST SP 800-172): A Supplement to NIST Special Publication 800-171</a></li> <li><a href="https://www.ncsc.gov.uk/collection/building-a-security-operations-centre">Building a Security Operations Centre (SOC) (National Cyber Security Centre)</a></li> </ul><h4 id="1-2-3">1.2.3  Recommended nomenclature</h4> <p>This publication highlights key contractual terms pertinent to procuring SOC services, especially those that are cloud-based, from a cyber security perspective. These terms are relevant for both immediate needs and future requirements.</p> <p>Below is a summary of essential clauses to consider, based on the specific SOC services required by an organization:</p> <ul><li>When establishing service contracts, it is crucial to differentiate between mandatory and rated requirements. Mandatory requirements are those that the service provider must meet (related contract clauses stipulate "must have" or "shall provide"). Rated requirements, on the other hand, are more flexible, and use terms like "should", "may", or "consider". These suggest that the provider already possesses these capabilities.</li> <li>For services that are part of a future roadmap or are not yet available, look for terms such as "will" or "capable of achieving". These indicate a provider’s commitment to meeting future expectations.</li> </ul><p>It’s important to recognize that some services might require time for re-engineering to meet specific needs or may include updated features in future roadmaps. Therefore, organizations must balance immediate requirements with those that allow for development and evolution.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="2">2 Security operations centre provider selection process</h2> <p>Many organizations may consider a SOC from an MSP or MSSP with different subscription models due to resourcing and capabilities of an outsourced SOC. The SOC can be hosted in an MSP or MSSP environment, whereby your organization can send all the logs to the MSP or MSSP within its cloud tenancy. Or you organization can hire an MSP or MSSP service to operate SOC features within its tenancy, on your behalf.</p> <p>When selecting an MSP or MSSP provider, there are many considerations and decisions your organizations should make internally on the approach and services it requires.</p> <ul><li>Service scope and offerings: Understand the range of services provided by the MSP/MSSP and determine if they offer both proactive threat hunting and reactive incident response capabilities</li> <li>Scalability and flexibility: Assess the provider’s ability to scale services up or down based on your organization’s changing needs and evaluate the flexibility of services in response to emerging threats or organizational growth</li> <li>Customization and integration: Ensure that the MSP/MSSP SOC service can be tailored to fit your organization’s specific environment, industry, and existing security infrastructure and check for compatibility with your current systems and tools</li> <li>Data management and protection: <ul><li>Inquire about the tools and technologies used for data collection and analysis</li> <li>Understand what data will be captured, how it will be used, and where it will be stored <ul><li>Understand where and with whom your data may be shared</li> <li>Clarify the approval or permissions process for sharing data</li> </ul></li> <li>Ensure robust measures are in place for protecting sensitive and confidential data</li> </ul></li> <li>Service level agreement (SLA): Examine the SLA for clear definitions of service expectations, deliverables, and response times and understand how the SLA will be measured, monitored, and enforced</li> <li>Compliance and security standards: Verify that the SOC provider follows industry-standard security practices and complies with relevant regulations to mitigate risks, including supply chain vulnerabilities</li> <li>Risk assessment and threat profiling: Perform a comprehensive cyber security risk assessment to identify specific threats and vulnerabilities relevant to your organization <ul><li>Government of Canada departments should refer <a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">to IT security risk management: A lifecycle approach (ITSG-33)</a></li> <li>Organizations outside the Government of Canada should consult the <a href="https://oasis-open.github.io/cti-documentation/stix/intro.html">Structured Threat Information eXpression (STIX) 2.1 framework</a></li> </ul></li> <li>Contractual clarity and responsibilities: Establish clear contractual terms, outlining the responsibilities of both your organization and the service provider as per the shared responsibility model</li> <li>Key considerations for choosing a SOC provider: Ensure there are provisions for regular reviews, updates, and adjustments to the services as needed</li> </ul><p>For more information, read <a href="/en/guidance/best-practices-setting-security-operations-centre-soc-itsap00500">Best practices for setting up a security operations centre (SOC) (ITSAP.00.500)</a>.</p> <p>Overall, as the organization requesting the services, you must do work upfront to decide on a SOC strategy and scope. This includes identifying which assets, such as systems and data, are sensitive and need to be monitored and protected. For more information on asset inventory and categorization, read <a href="/en/guidance/guidance-security-categorization-cloud-based-services-itsp50103">Guidance on the security categorization of cloud-based services (ITSP.50.103)</a>.</p> <h3 id="2.1">2.1 Main services for consideration in a security operations centre</h3> <p>Below are the key services for an effective SOC, accompanied by examples of contract clauses to help you draft the language and expectations in your service agreements.</p> <p>Consider the following essential services:</p> <ul><li><strong>Security operations, monitoring, and reporting:</strong> Continuous surveillance and analysis of security events, with timely reporting. Example clause: "Provider shall ensure 24/7 security monitoring and near-real time incident reporting."</li> <li><strong>Incident support:</strong> Rapid response and support for security incidents. Example clause: "Provider must offer near-real time incident response services."</li> <li><strong>Threat analysis and intelligence:</strong> Proactive identification and analysis of potential threats. Example clause: "Provider is required to deliver regular threat intelligence updates."</li> <li><strong>Documentation and standard operating procedures (SOPs):</strong> Maintenance of detailed security documentation and SOPs. Example clause: "Provider shall keep comprehensive, up-to-date security documentation and SOPs based on the shared responsibility model."</li> <li><strong>Additional capabilities: Advanced incident management support, forensics and malware analysis: </strong>Specialized support for complex incidents, including forensic analysis. Example clause: "Provider shall offer advanced incident management and forensic analysis capabilities."</li> <li><strong>Ongoing vulnerability assessments and security assurance scans: </strong>Regular assessments to identify and mitigate vulnerabilities. Example clause: "Provider must conduct periodic vulnerability assessments and provide reports."</li> <li><strong>Security technology maintenance and operation: </strong>Ensuring the effective operation and maintenance of security technologies. Example clause: "Provider must operate and maintain the infrastructure and technology supporting the service."</li> </ul><p>Your organization should also consider additional services that may be required upfront or that can be optionally included later, depending on evolving security needs. These could include compliance management, risk assessment, cloud security, and cyber security training initiatives.</p> <h4 id="2-1-1">2.1.1  Security operations, monitoring and reporting</h4> <p>Security operations, monitoring, and reporting are crucial for observing and analyzing data related to events, incidents, or breaches and the status of information systems or networks. The primary objective is to detect unusual or unauthorized activity and to gather security-relevant data to understand system behaviour. This process is essential for mitigating network vulnerabilities and identifying internal and external threats.</p> <h4>Role and functionality of log aggregation tool suites or capabilities such as SIEM tools</h4> <p>The SIEM system is a pivotal tool in this process. SIEM facilitates the centralization of data from various sources, including devices, applications, and endpoints. It enables:</p> <ul><li>real-time and historical event monitoring</li> <li>detailed analysis and correlation of information</li> <li>enhanced threat detection and response capabilities</li> </ul><h4>Key considerations for outsourcing</h4> <p>When considering outsourcing monitoring and reporting within MSP/MSSP, it’s important to assess:</p> <ul><li>the depth and frequency of monitoring services</li> <li>data storage strategies, including data residency considerations and security measures</li> <li>the provider’s certifications, particularly in cyber security and compliance standards</li> <li>the ability of the provider to integrate its services with your existing security infrastructure, in the case where the provider is operating within the organization’s premises</li> </ul><h4>Recommended contract clauses</h4> <p>The Cyber Centre recommends that organizations include specific clauses related to monitoring, reporting, and availability when contracting a SOC to an MSP/MSSP. Below are examples of wording that your organization may wish to include in its contracts.</p> <h4 class="h5">Monitoring</h4> <p>The Contractor must:</p> <ul><li>provide continuous (24/7/year-round) monitoring of security events</li> <li>analyze security event data for incident investigation using system logs and other detection methods</li> <li>review and record audit logs for inappropriate or illegal activity to facilitate event reconstruction during security incidents</li> <li>investigate and accurately identify anomalies detected by security devices or reported by various stakeholders</li> </ul><h4 class="h5">Reporting</h4> <p>The Contractor shall:</p> <ul><li>deliver actionable notifications, escalations and daily summary reports based on threat intelligence and security event analysis</li> <li>document all investigative activities and incident reports to support the organization’s incident response framework</li> <li>provide comprehensive written reports of all security events, adhering to established procedures and reporting protocols</li> <li>provide the organization with the ability to contact the provider and open an investigation when suspicious activities occur</li> </ul><h4 class="h5">Availability</h4> <p>The Contractor shall ensure the continuous availability and operational integrity of all SOC systems and applications.</p> <h4>References</h4> <ul><li><a href="/en/guidance/network-security-logging-monitoring-itsap80085">Network security logging and monitoring (ITSAP.80.085</a>)</li> <li><a href="https://csrc.nist.gov/publications/detail/sp/800-137/final">Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137, Appendix D)</a></li> </ul><h4 id="2-1-2">2.1.2  Incident support</h4> <p>Incident support is a vital component of a SOC-as-a-service (MSP/MSSP) model. Your organization and the MSP/MSSP must collaborate to manage incidents effectively. It is crucial to have an organizational incident response plan, detailing how your organization will detect, respond to, and recover from incidents. This plan should clearly define the SOC’s role, including the extent of its involvement and the responsibilities of your organization’s internal team. The following two scenarios outline the key aspects of incident support, as well as sample contract clauses, for SOCs hosted in an MSP/MSSP environment (hosted outside of your organization’s tenancy) and for SOCs operating within an organization’s tenancy.</p> <p>In both scenarios, it is vital to establish a partnership based on transparency, trust and shared responsibility for security outcomes. The contractual agreement should be detailed and clear, with specific attention to incident response, data protection, compliance, and service levels. This ensures that both the organization and the MSP/MSSP have a common understanding of their respective roles and responsibilities in securing the organization’s digital assets.</p> <h4>Scenario 1: SOC hosted outside your organization’s tenancy</h4> <p>If your SOC is hosted outside your organization’s tenancy, consider the following key aspects related to incident support.</p> <ul><li><strong>Incident detection and notification</strong>: The MSP/MSSP must promptly identify and notify the organization of security incidents. The agreement should specify the timeframe for notification following incident detection</li> <li><strong>Incident analysis and response</strong>: The MSP/MSSP should provide detailed analysis of incidents, including potential impact, and execute agreed-upon response actions</li> <li><strong>Data protection and confidentiality</strong>: The MSP/MSSP must adhere to strict data protection and confidentiality standards, especially since sensitive organizational data will be stored and processed in their environment</li> <li><strong>Access control and audit trails</strong>: The MSP/MSSP must implement robust access control measures and maintain audit trails of all activities related to the SOC services</li> <li><strong>Compliance and regulatory requirements</strong>: The MSP/MSSP must comply with relevant regulatory and compliance requirements and provide necessary documentation and support for compliance audits</li> </ul><h5>Example contract clause for incident support</h5> <p>The Contractor shall:</p> <ul><li>notify the Client within the negotiated or agreed-upon expected timeframe when detecting any security incident, providing detailed information about the nature, scope, and impact of the incident</li> <li>implement and maintain comprehensive data protection measures, in compliance with applicable laws and regulations, to safeguard the Client’s data against unauthorized access, disclosure, alteration, or destruction</li> <li>upon detecting an incident, commit to a [insert specified] uptime SLA and commence remediation actions within [insert specified timeframe]</li> </ul><h4>Scenario 2: SOC operating within your organization’s tenancy</h4> <p>If your SOC is operating within your organization’s tenancy, consider the following key aspects related to incident support.</p> <ul><li><strong>Integration with existing infrastructure</strong>: The MSP/MSSP must seamlessly integrate its SOC services with the organization’s existing infrastructure, ensuring minimal disruption</li> <li><strong>Incident handling procedures</strong>: The MSP/MSSP must define clear procedures for incident escalation, response, and resolution, tailored to the organization’s policies and procedures</li> <li><strong>Training and awareness</strong>: The MSP/MSSP may be required to provide training, knowledge transfer or both to the organization’s staff on security awareness and incident response procedures</li> <li><strong>Performance monitoring and reporting</strong>: Regular performance reviews and reporting are essential to ensure the SOC services meet the organization’s security requirements</li> <li><strong>Continuous improvement</strong>: The contract should include provisions for continuous improvement of the SOC services, including regular updates to security tools and processes</li> </ul><h5>Example contract clause for incident support</h5> <p>The Contractor shall:</p> <ul><li>ensure that SOC services are fully compatible with the Client’s existing systems and infrastructure and shall be responsible for any modifications required for integration</li> <li>adhere<strong> </strong>to the Client’s incident response procedures and timelines, ensuring incidents are resolved in a manner that minimizes impact on the Client’s operations</li> <li>provide<strong> </strong>monthly performance reports detailing incident detection, response times, and resolution outcomes, including any recommendations for improving security posture</li> </ul><p>Refer to <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information.</p> <h4 id="2-1-3">2.1.3  Threat analysis and intelligence</h4> <p>Threat analysis and intelligence are critical components of a proactive cyber security portfolio. Accurate and timely intelligence empowers decision makers to make informed, data-driven decisions. The Cyber Centre, along with other resources, offers valuable insights through publications and active services, aiding organizations in their threat intelligence efforts. It’s essential for organizations to ensure their MSP/MSSP stays abreast of emerging and sophisticated cyber threats.</p> <h4>Key elements of threat intelligence</h4> <ul><li><strong>Continuous monitoring:</strong> keeping track of evolving cyber threats and trends</li> <li><strong>Technical analysis:</strong> analyzing incidents in detail to understand attack vectors and methodologies</li> <li><strong>Intelligence sharing:</strong> utilizing shared resources for a more comprehensive threat landscape view</li> </ul><h4>Example contract clauses for threat analysis and intelligence</h4> <p>The Contractor shall:</p> <ul><li>detect, monitor, analyze, and mitigate targeted, highly organized, or sophisticated cyber threats</li> <li>maintain situational awareness of current cyber security activities and risks</li> <li>utilize various intelligence sources to develop insights into cyber threats and conduct advanced technical analyses of incidents on the organization’s networks</li> <li>analyze consolidated threat data from multiple sources to provide early warnings of impending attacks against the organization’s networks</li> <li>report on technical network and host-based attack vectors, emerging cyber threats, new vulnerabilities, and current trends used by malicious actors</li> <li>develop and maintain databases to catalog and track ongoing threats, enhancing the organization’s defensive posture</li> <li>integrate intelligence findings into the organization’s broader cyber security strategies and incident response plans</li> </ul><p>Incorporating comprehensive threat analysis and intelligence into MSP/MSSP offerings is crucial for organizations to stay ahead of cyber threats. The MSP/MSSP’s role extends beyond mere monitoring; it involves deep analysis, continuous learning, and integration of intelligence into the organization’s overall cyber security framework.</p> <h4>References</h4> <ul><li><a href="https://csrc.nist.gov/publications/detail/sp/800-137/final">Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137, Appendix D)</a></li> <li><a href="/en/guidance/baseline-cyber-threat-assessment-cybercrime">Baseline cyber threat assessment: Cybercrime</a></li> <li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> </ul><h4 id="2-1-4">2.1.4  Documentation and standard operating procedures</h4> <p>SOPs and comprehensive documentation are crucial in ensuring that all parties involved in the SOC are aligned on methods and practices. These documents serve as a reference point for consistent and effective operations within the SOC, aiding in training and providing operational clarity.</p> <h4>Key documentation elements</h4> <ul><li><strong>Security deployment diagrams:</strong> providing visual representations of security deployments for reference and to ensure understanding</li> <li><strong>Regular SOP updates:</strong> updating SOPs with operational changes to ensure ongoing relevance</li> <li><strong>Performance and incident reporting:</strong> providing insights into SOC activities, incident handling, and operational efficiency</li> </ul><h4>Example contract clauses for SOPs and documentation</h4> <p>The Contractor shall:</p> <ul><li>create and maintain diagrams for new or revised security deployments, covering all systems and applications related to the SOC</li> <li>develop and regularly update SOC SOPs, particularly following changes in SOC operations or technologies, deliver regular written reports, including:</li> <li>daily, weekly, and monthly summaries of SOC activities</li> <li>performance metrics and status of security incidents</li> <li>actions accomplished and milestones reached during the reporting period</li> <li>submit comprehensive reports, encompassing</li> <li>monthly status updates on progress and developments</li> <li>planned activities, identified problems/issues with proposed solutions</li> <li>anticipated delays and resources utilized during the period</li> </ul><p>It is essential to establish clear and detailed SOPs and documentation protocols to maintain operational excellence in a SOC environment. These documents not only guide daily operations, but also serve as critical tools for training, performance tracking, and strategic planning.</p> <h4 id="2-1-5">2.1.5  Additional capabilities: Advanced incident management support, forensics and malware analysis</h4> <p>In addition to standard incident management support, organizations often require or desire advanced capabilities such as forensics and malware analysis. These services are crucial for thoroughly investigating and resolving sophisticated cyber incidents, understanding attack vectors, and enhancing future security postures.</p> <h4>Key advanced support services</h4> <ul><li><strong>Forensics and malware analysis:</strong> in-depth investigation of incidents to understand the nature and impact of compromises.</li> <li><strong>Reverse engineering and traffic analysis:</strong> detailed examination of malicious software and network traffic to uncover threat methodologies.</li> </ul><h4>Example contract clauses for advanced incident management support</h4> <p>The Contractor must:</p> <ul><li>provide both on-site and remote computer security incident management, response, and recovery support as necessary</li> <li>conduct advanced technical analyses of potentially malicious activities using security event data from the SOC</li> <li>perform detailed endpoint/host-based forensics and memory analysis</li> <li>undertake triage and in-depth analysis of malware, including reverse engineering of Windows software, phishing emails, and other client-side exploits</li> <li>conduct digital forensics on media from compromised hosts to assess intrusion scope and nature</li> <li>reverse engineer the sequence of events in breaches or attacks for comprehensive understanding</li> <li>execute static and dynamic file analysis to identify malware characteristics, intent, and origin</li> <li>recommend countermeasures against malware and other malicious code exploiting the organization’s systems</li> <li>propose changes to policies and procedures based on investigative findings to strengthen malware incident response</li> <li>perform advanced network traffic analysis at the packet level to identify anomalies, trends, and patterns</li> </ul><p>Advanced incident management support, particularly in forensics and malware analysis, is a critical component of a robust MSP/MSSP offering. These services not only aid in resolving current security incidents but also play a key role in refining organizational policies and strengthening the overall cyber security framework.</p> <p>Refer to <a href="/en/guidance/developing-your-incident-response-plan-itsap40003">Developing your incident response plan (ITSAP.40.003)</a> for more information.</p> <h4 id="2-1-6">2.1.6  Security technologies maintenance and operation</h4> <p>In an MSP/MSSP setup, managing key technologies, such as the SIEM system, intrusion detection and prevention systems (IDS/IPS), and data loss prevention (DLP) systems, is paramount. These technologies form the backbone of effective cyber security operations. Contracts should include specific clauses to ensure these tools are operated and maintained effectively, especially as the organization evolves and grows.</p> <h4>Key responsibilities for technology management</h4> <ul><li><strong>System maintenance and tuning:</strong> regularly updating and tuning security systems to ensure accuracy and efficiency</li> <li><strong>Operational effectiveness:</strong> ensuring continuous operation and optimal performance of all security technologies</li> <li><strong>Adaptability to change:</strong> ensuring flexibility to adapt tools and systems to the changing needs and scale of the organization</li> </ul><h4>Example contract clauses for technology management</h4> <p>The Contractor must:</p> <ul><li>effectively maintain the SIEM to aggregate and analyze data from various sources like network sensors, firewalls, antivirus systems, and vulnerability scanners.</li> <li>handle administration, management, and configuration of all SOC tools, including SIEM, IDS/IPS, DLP, and other dedicated security systems</li> <li>develop and update security device signatures, performance reports, and relevant metrics to track system efficiency</li> <li>fine-tune the SIEM and IDS/IPS to minimize false positives and enhance detection accuracy</li> <li>continuously operate, manage, and update all security technologies, ensuring they are configured appropriately for optimal performance</li> <li>ensure that all relevant security feeds are logged and correlated effectively within the SOC’s SIEM system</li> <li>install, update, or modify network security components and tools as needed to maintain comprehensive coverage and optimal performance in line with organizational growth</li> <li>install or modify network security components, tools, and other systems as required to maintain optimal coverage and performance</li> </ul><p>Effective management of key technologies within an MSP/MSSP framework is essential for maintaining a robust cyber security posture. This includes not only the operational maintenance of these tools but also improving and adapting them to meet the evolving needs of the organization.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="3">3 Vendor readiness</h2> <p>When contracting with an MSP for SOC services, it’s crucial to include specific clauses that ensure the vendor can provide services at the required scale and meet certain standards. These clauses help verify the provider’s experience, compliance with legal requirements, and readiness to handle your organization’s specific needs.</p> <h4>Key contract clauses for vendor readiness</h4> <ul><li><strong>Experience requirements:</strong> The contractor should have a minimum number of years of experience in providing SOC services and engagements of similar size, scale, and complexity</li> <li><strong>Compliance with Canadian laws:</strong> The contractor should have experience in delivering services within Canada and adhering to Canadian privacy and data laws</li> <li><strong>Audit and compliance rights:</strong> The organization reserves the right to perform SOC visits for audit, review, and compliance purposes</li> <li><strong>Business continuity planning:</strong> The contractor must have a robust business continuity plan (BCP) for its SOC to ensure service continuity</li> <li><strong>Certification requirements:</strong> The contractor must meet any industry or sector certification requirements, for example, SOC2 Type2, ISO 27001, CIS CSC, Cloud Security Alliance (CSA) Tier2, ISO 27017</li> <li><strong>Staff clearances and background checks:</strong> The contractor’s personnel should have necessary clearances and background checks (as required)</li> <li><strong>Cyber security controls framework alignment:</strong> Recognized cyber security controls frameworks must be implemented at SOC facilities (DRI Institute, NIST)</li> <li><strong>Liability and compensation:</strong> The contractor should provide clarification on shared responsibilities for breaches and details on the provider’s liability insurance coverage for compensation</li> </ul><p>Including these key clauses in your contract with an MSP for SOC services is essential to ensure that the provider is fully prepared and capable of meeting your organization’s specific requirements. These clauses cover a range of critical areas, from experience and legal compliance to business continuity and cyber security frameworks, ensuring a comprehensive approach to vendor readiness.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="4">4 Terms and conditions</h2> <p>From a security perspective, contract elements must be prescriptive and conform to recognized frameworks and approaches for the MSP/MSSP to establish how it addresses and maintains the security posture as indicated by an organization. In many cases, relying on a given provider’s terms and conditions, as outlined in a contract or end user licensing agreement (EULA), can be considered acceptable. However, if organizations have specific needs or are bound by regulated authorities, negotiation may be required between legal teams using some of the example clauses provided in this document. If you are concerned about any specific areas, seek legal advice where possible.</p> <p>Organizations should carefully consider and, if necessary, consult with their legal counsel on the following areas when negotiating contracts with service providers:</p> <ul><li><strong>Trade secret protections</strong></li> <li>Inquire how the service provider will separate or secure trade secrets (e.g., patented material, legal branding, etc.) within its system</li> <li>Ensure terms and conditions stipulate that the organization retains ownership and control over its trade secrets, even when placed with the service provider</li> <li><strong>Intellectual property</strong> <ul><li>Discuss measures for tagging, identifying, and securing intellectual property, which may not be officially registered like patents but is crucial to the organization’s operations</li> </ul></li> </ul><p>Clarify in the contract that intellectual property remains the property of the organization, regardless of its placement with the service provider</p> <ul><li><strong>Indemnification/limitation of liability: </strong>Define the level of liability and responsibility in the contract, considering complexities that may arise, especially when multiple service providers are involved</li> <li><strong>Support model considerations</strong> <ul><li>If your organization is subject to regulatory constraints on support locations or resource residency, discuss and agree on support models with the service provider</li> <li>Consider how the provider’s global support model, like a "follow the sun" approach, aligns with regulatory requirements.</li> </ul></li> <li><strong>Data migration policies: </strong>Address potential future needs for data migration, including <ul><li>costs associated with data ingress and egress</li> <li>timeframes and processes for migration activities</li> <li>data retention policies post-migration</li> </ul></li> <li><strong>Conformity with security frameworks</strong>: Ensure that contract elements conform to established cyber security frameworks and best practices</li> <li><strong>EULA versus custom contracts</strong>: While standard terms outlined in an EULA might be acceptable for general purposes, they may not suffice for organizations with specific security needs or those under stringent regulatory requirements.</li> <li><strong>Legal negotiations for custom needs</strong> <ul><li>For organizations with unique requirements or regulatory obligations, negotiations between legal teams are often necessary to tailor the contract appropriately <ul><li>The example clauses provided in this document can guide these negotiations</li> </ul></li> </ul></li> <li><strong>Seeking legal advice</strong> <ul><li>The organization should seek legal counsel, particularly if there are specific areas of concern or if the organization operates under regulated authorities</li> <li>Legal expertise can ensure that contracts are comprehensive, compliant, and tailored to the organization’s unique needs</li> </ul></li> </ul><p>When contracting with a service provider, especially in areas such as MSP/MSSP, organizations must ensure that specific legal and operational considerations are clearly addressed in the contract. This includes retaining ownership of intellectual property and trade secrets, clearly outlining liability terms, understanding support models in the context of regulatory constraints, and preparing for potential data migration. Organizations should consult legal counsel to ensure that these aspects are adequately covered to protect the organization’s interests.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> <h2 class="text-info" id="5">5 Summary</h2> <p>A SOC combines people processes and technology to improve an organization’s resilience against cyber threats.</p> <p>Whether this is done by an in-house team in a dedicated room within an organization or whether it is fully or partially outsourced to a team of information security professionals, SOCs are a first line of defence that is critical for preventing, detecting, and recovering from cyber attacks.</p> <p>This is especially true given the increase in operational technology, mobile and cloud technology, and industrial control systems. Whether work is in-house, hybrid, or fully remote, your organization will require the same inputs and outputs to your SOC. The guidance included in this document should help your organization write contract clauses that ensure your providers are meeting your expectations. As indicated, this is not to be taken as legal advice.</p> <p>Overall, the key message is that your organization should work with its selected MSP/MSSP provider to ensure common understanding and to also inquire and establish what can be done to meet your organization’s specific needs.</p> <div class="pull-right small text-muted"><a href="#wb-tphp">Top of page</a> <span aria-hidden="true" class="text-primary glyphicon glyphicon-circle-arrow-up"> </span></div> </section></div> </div> </div> </div> </div> </article>

<article data-history-node-id="6323" about="/en/news-events/joint-guidance-software-security-code-practice" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK) and Department for Science, Innovation and Technology (DSIT) in releasing a software security code of practice and accompanying guidance for software vendors.</p> <p>Software supply chain attacks and other software resilience incidents can be caused by weaknesses in software development and maintenance practices. This joint guidance aims to improve the security and resilience of software that organizations rely on.</p> <p>The joint guidance includes the 3 publications below.</p> <h2>Software security code of practice</h2> <p>The Software security code of practice outlines 14 principles that software vendors should implement to establish a consistent baseline of software security and resilience. These 14 principles are divided across 4 themes, which include:</p> <ul><li>secure design and development</li> <li>build environment security</li> <li>secure deployment and maintenance</li> <li>communication with customers</li> </ul><p>Read the <a href="https://www.gov.uk/government/publications/software-security-code-of-practice">Software security code of practice</a>.</p> <h2>Software security code of practice: Implementation guidance</h2> <p>The Software security code of practice: Implementation guidance helps organizations that develop and/or sell software understand how they can meet the principles in the Software security code of practice.</p> <p>Read the <a href="https://www.ncsc.gov.uk/collection/software-security-code-of-practice-implementation-guidance">Software security code of practice: Implementation guidance</a>.</p> <h2>Software security code of practice: Assurance principles and claims</h2> <p>The Software security code of practice: Assurance principles and claims guidance helps vendors measure how well they are meeting the themes and principles of the Software security code of practice and suggests remedial actions should they fall short.</p> <p>Read the <a href="https://www.ncsc.gov.uk/guidance/software-security-code-of-practice-assurance-principles-claims">Software security code of practice: Assurance principles and claims</a>.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="6222" about="/en/news-events/cyber-centre-welcomes-round-2-nists-additional-digital-signature-scheme-standardization-process" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>In October 2024, the National Institute of Standards and Technology (NIST) in the United States launched round 2 in its ongoing process to standardize additional post-quantum digital signature schemes. Digital signature schemes are used to authenticate data and remote systems to protect against unauthorized access and are an essential part of cyber security solutions. Post-quantum cryptography (PQC), including post-quantum digital signatures, are designed to remain secure even against the emerging threat posed by quantum computers.</p> <p>The first round of <abbr title="National Institute of Standards and Technology">NIST</abbr>’s additional digital signature scheme standardization process began in 2022, with the publication of 40 candidates. For this second round, <abbr title="National Institute of Standards and Technology">NIST</abbr> has reduced the number of candidates to 14. This allows researchers worldwide, including those within the Cyber Centre, to dedicate more time to examining the remaining schemes.</p> <h2>How this initiative contributes to the post-quantum cryptography migration</h2> <p><abbr title="National Institute of Standards and Technology">NIST</abbr> has already published standards for 2 post-quantum digital signature schemes, the <strong>Module-Lattice-Based Digital Signature Algorithm </strong>(ML-DSA) and the <strong>Stateless Hash-Based digital Signature Algorithm </strong>(SLH-DSA). Read our announcement of these <a href="/en/news-events/cyber-centre-celebrates-new-nist-post-quantum-standards">new <abbr title="National Institute of Standards and Technology">NIST</abbr> post-quantum standards</a> to learn more.</p> <p>We expect <abbr title="National Institute of Standards and Technology">NIST</abbr> to release a draft standard for a third digital signature scheme, the <strong>Fast-Fourier transform over NTRU-Lattice-Based Digital Signature Algorithm</strong> (FN-DSA) soon.</p> <p>With so many options already chosen for standardization, practitioners may wonder why <abbr title="National Institute of Standards and Technology">NIST</abbr> is considering the standardization of additional schemes. Both ML-DSA and FN-DSA are based on hard problems over structured lattices. The nearly 30-year history of lattice-based cryptography has given rise to a robust understanding of the security of lattice-based cryptographic schemes. Nonetheless, in order to diversify cryptographic primitives, <abbr title="National Institute of Standards and Technology">NIST</abbr> has indicated that they are primarily interested in additional schemes based on hard problems other than structured lattices.</p> <p>While ML-DSA is intended to replace non-post-quantum digital signing algorithms in nearly all applications, there may be niche cases requiring schemes with alternative performance characteristics. Although SLH-DSA or FN-DSA are expected to cover most of these situations, <abbr title="National Institute of Standards and Technology">NIST</abbr> is particularly interested in finding schemes with small signature sizes and fast verification to support the migration to <abbr title="Post-quantum cryptography">PQC</abbr> in all situations.</p> <h2>Signature schemes under consideration for standardization</h2> <p>Of the 14 remaining schemes:</p> <ul><li>5 are built using multi-party computation (MPC) in-the-head techniques</li> <li>4 are multivariate signatures</li> <li>2 are code-based</li> <li>1 is isogeny-based</li> <li>1 is symmetric-based</li> <li>1 is lattice-based</li> </ul><p>For a review of these categories, see the "Mathematical Families" section of the <a href="/en/news-events/cyber-centres-summary-review-final-candidates-nist-post-quantum-cryptography-standards">Cyber Centre’s summary review of final candidates for <abbr title="National Institute of Standards and Technology">NIST</abbr> Post‑Quantum Cryptography standards</a>. Most of the approaches for building signature schemes have been previously considered in <abbr title="National Institute of Standards and Technology">NIST</abbr> ‘s standardization process.</p> <p>A notable development in the signature on-ramp has been the proliferation of signature schemes using MPC-in-the-head techniques. These signature schemes borrow ideas from multiparty computation to “prove” knowledge of some secret value.</p> <h2>How to prepare for the post-quantum transition</h2> <p>To ensure Canadian organizations are ready to make the transition to <abbr title="Post-quantum cryptography">PQC</abbr> once standardized algorithms are available, practitioners should review the Cyber Centre’s advice in the following publications:</p> <ul><li><a href="/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017">Preparing your organization for the quantum threat to cryptography (ITSAP.00.017)</a></li> <li><a href="/en/guidance/guidance-becoming-cryptographically-agile-itsap40018">Guidance on becoming cryptographically agile (ITSAP.40.018)</a></li> <li><a href="/en/guidance/guidance-securely-configuring-network-protocols-itsp40062">Guidance on securely configuring network protocols (ITSP.40.062)</a></li> <li><a href="/en/guidance/cryptographic-algorithms-unclassified-protected-protected-b-information-itsp40111">Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B information (ITSP.40.111)</a></li> </ul><p>Our guidance on securely configuring network protocols will be updated once these protocols support standardized <abbr title="Post-quantum cryptography">PQC</abbr> algorithms.</p> <p>The Cyber Centre advises consumers to procure and use cryptographic modules that are tested and validated under the <a href="https://cyber.gc.ca/en/cryptographic-module-validation-program-cmvp">Cryptographic Module Validation Program</a> (CMVP) with algorithm certificates from the <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program">Cryptographic Algorithm Validation Program</a> (CAVP). The Cyber Centre partners with <abbr title="National Institute of Standards and Technology">NIST</abbr> to manage both programs and we work jointly to update them to support the testing of new digital signature schemes that get standardized.</p> <p>The Cyber Centre also recommends that cyber security products be evaluated and certified to meet the <a href="/en/tools-services/common-criteria">Common Criteria</a> standard with a Security Target and Certification Report that includes the desired protocol security requirements. Once protocol standards are updated, Common Criteria Testing Laboratories will need to support testing and evaluation methods for protocols utilizing the new <abbr title="Post-quantum cryptography">PQC</abbr> algorithms.</p> <p>The Cyber Centre is working within the Government of Canada and with critical infrastructure to ensure a smooth and timely transition to <abbr title="Post-quantum cryptography">PQC</abbr> . Contact the Cyber Centre by email at <a href="mailto:cryptography-cryptographie@cyber.gc.ca">cryptography-cryptographie@cyber.gc.ca</a> or by phone at <a href="tel:18332923788">1-888-CYBER-88</a> if you have further questions.</p> </div> </div> </div> </div> </div> </article>

<article data-history-node-id="6282" about="/en/news-events/peoples-republic-china-activity-targeting-network-edge-routers-observations-mitigation-strategies" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="mrgn-bttm-md well well-sm col-md-4 col-sm-12 col-xs-12 pull-right mrgn-lft-md"> <p class="mrgn-tp-sm"><strong>Alternate format</strong>: <a href="/sites/default/files/csa25-001-en.pdf">People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies (PDF, 411 KB)</a></p> </div> <h2 class="text-info mrgn-tp-2">Foreword</h2> <p>This cyber security advisory is intended for IT professionals and managers within government and all sectors.</p> <h2 class="text-info">Effective date</h2> <p>This publication takes effect on April 15, 2025.</p> <!– <section> <h2 class="text-info">On this page</h2> <ul class="list-unstyled mrgn-tp-md"> <li><a href="#background">1 Background</a></li> <li><a href="#security">2 Security and edge devices</a></li> <li><a href="#avenues">3 Known avenues of exploitation and persistence</a></li> <li><a href="#remediations">4 Remediations</a></li> <li><a href="#References">5 References</a></li> </ul> </section> –> <section><h2 class="text-info">1 Background</h2> <p>A Cyber security advisory is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional mitigation advice to recipients. The Canadian Centre for Cyber Security (Cyber Centre) is able to provide additional assistance regarding the content of this bulletin to recipients as requested.</p> <p>The Cyber Centre has observed increasing levels of the People’s Republic of China threat actor activity, including activity associated to SALT TYPHOON, targeting network edge routers across critical infrastructure sectors. The Cyber Centre and our partners have recently observed repeated compromises of misconfigured and unpatched routing devices.</p> <p>The Cyber Centre is urging the Canadian cybersecurity community to bolster their awareness of threat actor activity targeting network edge routers and to leverage Cyber Centre guidance to protect their networks.</p> </section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> </div> <section><h2 class="text-info">2 Security and edge devices</h2> <p>As we note in the National Cyber Threat Assessment 2025-2026<sup id="fn10-rf"><a class="fn-lnk" href="#fn10"><span class="wb-inv">Footnote </span>10</a></sup>, threat actors are exploiting vulnerabilities in security and network edge routing devices that sit at the perimeter of networks. The Cyber Centre is particularly highlighting that by compromising network edge routers, a threat actor can enter a network, monitor, modify, and exfiltrate network traffic flowing through the device, or possibly move deeper into the victim network.</p> <p>Given their outward facing presence on the Internet, edge routers are easily identifiable by threat actors. Threat actors often compromise network perimeter defenses by exploiting known vulnerabilities in edge devices. These security weaknesses are usually already identified, and patches are available to fix them. However, breaches occur because these patches are not consistently applied or implemented in a timely manner. We strongly recommend following our guidance in the Government of Canada’s Patch Management Guidance publication<sup id="fn3-rf"><a class="fn-lnk" href="#fn3"><span class="wb-inv">Footnote </span>3</a></sup>. In particular, all guidance, manuals and references provided with edge device equipment should be reviewed to ensure organizations adherence to the manufacturer’s security guidance. If that guidance is not clear or available, then organizations should reach out to their vendors as needed for support.</p> <p>The Cyber Centre’s Security considerations for edge devices<sup id="fn2-rf"><a class="fn-lnk" href="#fn2"><span class="wb-inv">Footnote </span>2</a></sup> also provides the following factors your organization should consider when evaluating the security of an edge device:</p> <ul><li>how it is made (the responsibility of the manufacturer)</li> <li>how it is configured (a shared responsibility between the manufacturer, through vendor hardening guides and through the organization)</li> <li>when the most recent software, firmware, operating system, and security updates and patches were applied</li> </ul></section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> </div> <section><h2 class="text-info">3 Known avenues of exploitation and persistence</h2> <p>The following are examples of known patterns in threat actors’ exploitation of edge routers.</p> <h3>3.1 Exposed services to the Internet</h3> <p>Devices exposing services of any kind to the Internet will easily and rapidly be detected by adversarial actors through mass scanning campaigns and more targeted reconnaissance activity. Sensitive or administrative services such as management protocols are of particular interest to adversaries seeking to identify and exploit edge routers.</p> <h3>3.2 Poor configuration on device</h3> <p>The Cyber Centre has observed weak cryptography or default security settings configured and not updated that has led to exploitation of those devices. It is important to review manufacturer guidance for hardening edge routers, and to continually review and audit for compliance. Default setting(s) may also include insecure ports or protocols listening on untrusted interfaces. Even though a device is installed and configured properly at the beginning of its lifecycle, as time goes on those configurations can become less secure due to external factors. If a router is compromised, inadequate network segmentation and the absence of Access Control Lists can enable an adversary to more easily move laterally within the network.</p> <h3>3.3 Modifying configuration files</h3> <p>Trusted partners have observed that compromised edge routers often have their configurations altered to enable persistent mechanisms and techniques for lateral movement. This includes the establishment of traffic captures, the creation of new administrative accounts, and the configuration of traffic forwarding. Any configurable allow lists should also be reviewed to ensure that no unauthorized additions have been made. Typically, these modifications are executed using the devices’ inherent functions and capabilities.</p> <h3>3.4 Exfiltrating configuration files</h3> <p>Trusted partners have observed that compromised edge routing devices within Canada have had their configuration files exfiltrated out of their networks by threat actors. By exfiltrating configuration files, threat actors can extract additional sensitive information, perform tests, or identify further vulnerabilities to enable their access. Where configuration files contain credentials and especially those who are not cryptographically secure, threat actors can also use tactics such as offline password cracking to gain further access. Trusted partner reporting indicates that many of the exfiltrated configuration files contained deprecated hashing and password types, such as Type-4 and Type-7<sup id="fn9-rf"><a class="fn-lnk" href="#fn9"><span class="wb-inv">Footnote </span>9</a></sup>.</p> <h3>3.5 Unauthorized commands</h3> <p>Once an edge router has been compromised, threat actors run unauthorized commands to deepen their access or persistence on the host or network. Identifying suspicious or malicious use of successful unauthorized commands can often be a strong starting point for threat hunts and forensic investigations. Some common threat actor tactics include:</p> <ul><li>clearing logs and other records</li> <li>adding new threat actor-controlled accounts to the device</li> <li>brute forcing and abnormal logins</li> <li>making unapproved changes to configuration files</li> </ul><p>The Cyber Centre has observed threat actors modifying the configurations of edge routers. It is important to conduct regular reviews of these configurations to detect any unauthorized changes. Look out for signs of tampering, such as unrecognized IP addresses and newly added accounts, as well as any unusual packet capture settings that may have been introduced.</p> <h3>3.6 Weak credentials</h3> <p>The Cyber Centre has observed many cases where devices were compromised due to the use of default or easily guessable passwords.</p> <ul><li>Do not use easily guessed passwords, passphrases, or PINs, such as "password", "let me in", or "1234". Even if the passwords or passphrases include character substitutions like "p@ssword"</li> <li>Do not use common expressions, song titles or lyrics, movie titles, or quotes</li> <li>Do not use your personal details such as your birthday, hometown, or pet’s name</li> <li>Do not use the passwords assigned by the vendor when installing or enabling new hardware or software</li> <li>Do not use passwords found on known data breaches</li> <li>Do not reuse password across devices or deployments</li> </ul></section><div class="pull-right small text-muted mrgn-bttm-0"><a href="#wb-tphp">Top of page</a> </div> <section><h2 class="text-info" id="remediations">4 Remediations</h2> <p>The Cyber Centre has published guidance for organizations and has guidance for enhancing the security posture of edge devices <span class="nowrap"><sup id="fn1-rf"><a class="fn-lnk" href="#fn1"><span class="wb-inv">Footnote </span>1</a></sup><sup id="fn4-rf"><a class="fn-lnk" href="#fn4"><span class="wb-inv">Footnote </span>4</a></sup><sup id="fn5-rf"><a class="fn-lnk" href="#fn5"><span class="wb-inv">Footnote </span>5</a></sup><sup id="fn6-rf"><a class="fn-lnk" href="#fn6"><span class="wb-inv">Footnote </span>6</a></sup><sup id="fn7-rf"><a class="fn-lnk" href="#fn7"><span class="wb-inv">Footnote </span>7</a></sup><sup id="fn8-rf"><a class="fn-lnk" href="#fn8"><span class="wb-inv">Footnote </span>8</a></sup></span>.</p> <p>In addition to reviewing and implementing that guidance above, the Cyber Centre recommends the following remediations:</p> <ul><li>disable unnecessary services especially unsecured services such as Telnet, HTTP and SNMP versions (v1/v2c)</li> <li>disable any unauthenticated router management protocols or functions</li> <li>ensure that SNMP v3 is configured with encryption and authentication</li> <li>restrict device management to administrators inside secured management networks, avoiding direct internet access to management interfaces</li> <li>use phishing-resistant MFA for all administrative access, preferably using hardware-based PKI or FIDO authentication</li> <li>use secure modern encryption standards, such as AES-256 and ensure TLS v1.3 is utilized with strong cipher suites for secure communications</li> <li>use strong, non default passwords</li> <li>apply secure authentication to protocols and services which support it</li> <li>upgrade deprecated hashing mechanisms and password types</li> <li>ensure that devices are running vendor-recommended firmware versions</li> <li>validate software integrity of images using hash verification against authenticated vendor hashes</li> <li>implement secure, centralized logging with capabilities to analyze large datasets</li> <li>encrypt logging traffic to avoid tampering, store logs off-site, and integrate with SIEM tools for advanced correlation and rapid incident identification</li> <li>establish baselines for normal network behavior and utilize security appliances to alert on deviations</li> <li>investigate any configuration modifications or alterations to network devices outside of the change management process</li> </ul></section><section><aside class="wb-fnote" role="note"><h2 class="text-info" id="references">5 References</h2> <dl><dt>Footnote 1</dt> <dd id="fn1"> <p><a href="/en/news-events/joint-guidance-enhanced-visibility-hardening-communications-infrastructure">Joint guidance on enhanced visibility and hardening for communications infrastructure</a></p> <p class="fn-rtn"><a href="#fn1-rf"><span class="wb-inv">Return to footnote</span>1<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 2</dt> <dd id="fn2"> <p><a href="/en/guidance/security-considerations-edge-devices-itsm80101">Security considerations for edge devices (ITSM.80.101)</a></p> <p class="fn-rtn"><a href="#fn2-rf"><span class="wb-inv">Return to footnote</span>2<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 3</dt> <dd id="fn3"> <p><a href="https://www.canada.ca/en/government/system/digital-government/online-security-privacy/patch-management-guidance.html">Patch Management Guidance</a></p> <p class="fn-rtn"><a href="#fn3-rf"><span class="wb-inv">Return to footnote</span>3<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 4</dt> <dd id="fn4"> <p><a href="/en/guidance/rethink-your-password-habits-protect-your-accounts-hackers-itsap30036">Rethink your password habits to protect your accounts from hackers (ITSAP.30.036)</a></p> <p class="fn-rtn"><a href="#fn4-rf"><span class="wb-inv">Return to footnote</span>4<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 5</dt> <dd id="fn5"> <p><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></p> <p class="fn-rtn"><a href="#fn5-rf"><span class="wb-inv">Return to footnote</span>5<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 6</dt> <dd id="fn6"> <p><a href="/en/guidance/top-10-security-actions-no-5-segment-and-separate-information-itsm10092">Top 10 IT security actions: No.5 segment and separate information (ITSM.10.092)</a></p> <p class="fn-rtn"><a href="#fn6-rf"><span class="wb-inv">Return to footnote</span>6<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 7</dt> <dd id="fn7"> <p><a href="/en/guidance/routers-cyber-security-best-practices-itsap80019">Routers cyber security best practices (ITSAP.80.019)</a></p> <p class="fn-rtn"><a href="#fn7-rf"><span class="wb-inv">Return to footnote</span>7<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 8</dt> <dd id="fn8"> <p><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></p> <p class="fn-rtn"><a href="#fn8-rf"><span class="wb-inv">Return to footnote</span>8<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 9</dt> <dd id="fn9"> <p><a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/2938313/nsa-publishes-best-practices-for-selecting-cisco-password-types/">NSA Publishes Best Practices for Selecting Cisco Password Types</a></p> <p class="fn-rtn"><a href="#fn9-rf"><span class="wb-inv">Return to footnote</span>9<span class="wb-inv"> referrer</span></a></p> </dd> </dl><dl><dt>Footnote 10</dt> <dd id="fn10"> <p><a href="/en/guidance/national-cyber-threat-assessment-2025-2026">National Cyber Threat Assessment 2025-2026</a></p> <p class="fn-rtn"><a href="#fn10-rf"><span class="wb-inv">Return to footnote</span>10<span class="wb-inv"> referrer</span></a></p> </dd> </dl></aside></section></div> </div> </div> </div> </div> </article>

<article data-history-node-id="6225" about="/en/guidance/security-guidance-dark-web-leaks-itsap00115" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–DESKTOP STARTS HERE–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.115</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <p>Data breaches can be stressful. Finding out that your organization’s credentials were leaked to the dark web can make the situation worse. This publication provides actions to take if you discover the presence of your organization’s credentials on the dark web. The following actions will help your organization reduce the risk of information being leaked to the dark web.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#how">How the dark web works</a></li> <li><a href="#reduce">Reduce the risks of dark web leaks</a></li> <li><a href="#implement">Implement security measures</a></li> <li><a href="#what">What to do when your credentials have been exposed</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="how">How the dark web works</h2> <p>The dark web is a part of the Internet consisting of hidden sites that are not indexed, meaning that the site is not visible by conventional search engines. Instead, the dark web can only be accessed through specific browsers which provide increased privacy and anonymity while browsing the Internet.</p> <p>Using the dark web is legal and there are many benefits to it, including increased security measures and the ability to access ad-free search engines. Despite the increased privacy measures that the Dark Web offers, it can also provide anonymity to users looking to host or spread content with malicious intent.</p> <p>Cyber threat actors may use the dark web to anonymously buy and sell illegal market goods and services, including illegal content, firearms, and personal data. Threat actors often target businesses to steal customer and employee data, as well as proprietary information. If your organization’s compromised data is found on the dark web following a data breach, it may result in substantial risks, including:</p> <ul><li>reputational damage</li> <li>financial losses</li> <li>legal consequences</li> </ul><h2 class="text-info" id="reduce">Reduce the risks of dark web leaks</h2> <p>Any access to the Internet can create vulnerabilities for your organization that may be exploited by threat actors. Promoting cyber security awareness in your organization is crucial for the safety of your network and systems. Among other benefits, it can significantly reduce the risks of stolen credentials.</p> <p>You should provide employees with adequate training on cyber safety and educate them on their role in protecting your organization’s network and information. Your employees should understand account security measures, such as:</p> <ul><li>the importance of maintaining safe password practices</li> <li>the benefits of multi-factor authentication (MFA)</li> <li>how to handle sensitive information</li> <li>using Wi-Fi safe practices</li> </ul><h2 class="text-info" id="implement">Implement cyber security measures</h2> <p>Your organization can take the following actions to reduce the risk of stolen credentials:</p> <ul><li>Use firewalls, antivirus software, and intrusion detection and prevention systems to protect your network and systems</li> <li>Update and patch all software and systems regularly</li> <li>Encrypt sensitive data</li> <li>Implement strong access controls and privilege principles</li> <li>Develop an incident response plan</li> </ul><p>For more information on these and other tips for how to increase your cyber security posture, consult our <a href="/en/guidance/cyber-security-hygiene-best-practices-your-organization-itsap10102">Cyber security hygiene best practices for your organization (ITSAP.10.102)</a>.</p> <h2 class="text-info" id="what">What to do when your credentials have been exposed</h2> <p>It could take your organization several months to find stolen information or credentials on the dark web. If you’re aware that your organization’s credentials have been leaked to the dark web, take the following actions to minimize the impact.</p> <h3>Contact your IT department</h3> <p>They will do a thorough scan for viruses, malware and other tools used by threat actors to evaluate the extent of the breach. They will also look for suspicious activity that may confirm whether the threat actors have maintained access to your network. For additional assistance, contact your relevant service providers.</p> <h3>Protect your assets</h3> <p>Ensure your antivirus software is up to date and perform thorough security scans on all devices. Isolate any compromised devices by:</p> <ul><li>disconnecting them from the Internet</li> <li>turning on airplane mode</li> <li>turning off networking and Bluetooth capabilities</li> <li>revoking access to any third-party applications or services connected to the compromised accounts</li> <li>reviewing and managing application permissions</li> </ul><h3>Change your passwords</h3> <p>Threat actors may use your passwords to gain unauthorized access to other accounts, especially those with administrative privileges. To prevent unauthorized access to your networks and information, all passwords should be changed, and old passwords should never be reused.</p> <p>A password manager can help you create and store complex and accessible passwords and passphrases. However, these tools present some risks to users’ information. We recommend researching different vendors to make an informed choice about which is right for you. You should also consult your IT department to create a recovery plan.</p> <h3>Turn on multi-factor authentication</h3> <p>Authentication adds an extra layer of security to protect your accounts, networks and devices. To provide additional security measures for your accounts, MFA uses a combination of two or more methods of authentication, such as:</p> <ul><li>passwords</li> <li>email</li> <li>text codes</li> <li>fingerprints</li> </ul><h3>Promote internal awareness in your organization</h3> <p>Your organization should ensure that employees are informed of compromised credentials. Employees should change their own credentials to prevent unauthorized access to networks and information.</p> <h3>Review your financial accounts</h3> <p>Carefully review any financial accounts linked to or logged in from your devices. Notify a credit bureau of any unauthorized use and ask them to remove fraudulent items from your credit report. Freeze any compromised accounts to prevent threat actors from opening new accounts or taking out loans.</p> <h3>Report the incident</h3> <p><em>The Privacy Act</em> governs the Government of Canada. However, private sector organizations are governed by the <em>Personal Information Protection and Electronic Documents Act</em> and are required to do the following in the event of a data breach:</p> <ul><li>Report any data breach involving personal information that poses a risk of significant harm to individuals to the Privacy Commissioner of Canada</li> <li>Notify individuals affected by the breach</li> <li>Retain records related to the breach</li> </ul><h2 class="text-info" id="learn">Learn more</h2> <ul><li><a href="/en/guidance/common-employee-it-security-challenges-itsap00005">Common employee IT security challenges (ITSAP.00.005)</a></li> <li><a href="/en/guidance/have-you-been-victim-cybercrime">Have you been a victim of cybercrime? (ITSAP.00.037)</a></li> <li><a href="/en/guidance/steps-effectively-deploying-multi-factor-authentication-mfa-itsap00105">Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)</a></li> <li><a href="/en/guidance/foundational-cyber-security-actions-small-organizations-itsap10300">Foundational cyber security actions for small organizations (ITSAP.10.300)</a></li> <li><a href="/en/guidance/secure-your-accounts-and-devices-multi-factor-authentication-itsap30030">Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)</a></li> <li><a href="/en/guidance/best-practices-passphrases-and-passwords-itsap30032">Best practices for passphrases and passwords (ITSAP.30.032)</a></li> <li><a href="/en/guidance/password-managers-security-itsap30025">Password managers: Security tips (ITSAP.30.025)</a></li> <li><a href="/en/guidance/application-allow-list-itsap10095">Application allow list (ITSAP.10.095)</a></li> <li><a href="/en/guidance/protecting-your-organization-while-using-wi-fi-itsap80009">Protecting your organization while using Wi-Fi (ITSAP.80.009)</a></li> <li><a href="/en/guidance/wi-fi-security-itsp80002">Wi-Fi security (ITSP.80.002)</a></li> </ul></div> </div> </div> </div> </div> </article>

<article data-history-node-id="6227" about="/en/guidance/search-engine-optimization-poisoning-itsap00013" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><div class="row"><!–DESKTOP STARTS HERE–> <div class="col-md-4 pull-left hidden-xs hidden-sm"> <p class="text-left"><strong>April 2025</strong></p> </div> <div class="col-md-4 hidden-xs hidden-sm"> <p class="text-center"><strong>Awareness series</strong></p> </div> <div class="col-md-4 pull-right hidden-xs hidden-sm"> <p class="text-right"><strong>ITSAP.00.013</strong></p> </div> </div> <!–MOBILE STARTS HERE–> <div class="hidden-lg hidden-md text-center"> <p><strong>April 2025 | Awareness series</strong></p> </div> <p>Search engines are the go-to tool for searching the Internet. Users often click on the first link in their results and trust the site is legitimate. Threat actors are aware of this user behaviour and try to exploit it.</p> <p>While the links at the top of your search results look legitimate, they can be spam or link to malicious sites. Threat actors can promote these malicious sites in your search engine using search engine optimization (SEO) poisoning. This publication will explain what <abbr title="search engine optimization">SEO</abbr> is and how you can protect yourself and your organization from potential compromises.</p> <h2 class="text-info">On this page</h2> <ul><li><a href="#search">Search engine optimization</a></li> <li><a href="#poisoning">Search engine optimization poisoning as an attack vector</a></li> <li><a href="#look">What to look out for</a></li> <li><a href="#yourself">How to protect yourself</a></li> <li><a href="#website">How to protect your website</a></li> <li><a href="#learn">Learn more</a></li> </ul><h2 class="text-info" id="search">Search engine optimization</h2> <p><abbr title="search engine optimization">SEO</abbr> is a series of techniques that marketers and website owners use to increase site traffic and the visibility of their product or service. <abbr title="search engine optimization">SEO</abbr> attempts to make a website seem more relevant to a search query so it will be ranked as a top result by search engines. <abbr title="search engine optimization">SEO</abbr> allows search engines to categorize your content to provide more tailored search results.</p> <p>The following <abbr title="search engine optimization">SEO</abbr> techniques can be used to influence search results in various ways.</p> <h3>Meta tags</h3> <p>Meta tags provide data on a webpage’s content and structure. These tags are helpful to both users and search engines. There are many different types of meta tags, such as those that indicate important page content and descriptive text for images.</p> <h3>Backlinks</h3> <p>Backlinks are links from other sites that direct users to your site. These can act as an endorsement of credibility. High-quality backlinks, from reputable sources, help rank your website higher in search engine results. However, beware of low quality or toxic backlinks from disreputable sources, as they can:</p> <ul><li>harm your site’s reputation or ranking</li> <li>lower your ranking in search engine results</li> <li>associate your website with low-quality or unsolicited commercial (spam) content</li> </ul><h3>Keywords and keyphrases</h3> <p>These are popular search terms used in search engines. Associating commonly used and relevant keywords on your website will help users find your content.</p> <h3>Descriptive URLs</h3> <p>Search engines use your URLs to crawl and index sites. By ensuring your URLs are short, descriptive and on-topic, you will help search engines better understand your content.</p> <h3>Semantic HTML</h3> <p>Semantic HTML is a markup language that consists of tags that add meaning to your website’s content. It also helps a search engine interpret your site’s content. Your HTML is the structure of your website. By giving sections meaning, you allow the website to be categorized by search engines.</p> <h3>Breadcrumbs</h3> <p>Breadcrumbs present a text path that shows the user where they are on the site. These breadcrumbs allow search engines to easily understand how your site is organized.</p> <h2 class="text-info" id="poisoning">Search engine optimization poisoning as an attack vector</h2> <p>An attack vector refers to a method that a threat actor uses to gain access to a system, network or application. <abbr title="search engine optimization">SEO</abbr> poisoning is an effective attack vector for threat actors. They can manipulate search results to target anyone using a search engine. <abbr title="search engine optimization">SEO</abbr> poisoning is effective due to the widespread trust users have in search engines. Many users have widespread trust in search engines and assume they display the most relevant, vetted and legitimate links first.</p> <p>Threat actors take advantage of these user assumptions and alter the weight or bias of search results seen by users. Threat actors can use <abbr title="search engine optimization">SEO</abbr> poisoning to manipulate search results and rank their malicious sites higher than legitimate sites. For example, they may use popular and trending search terms to raise their ranking, misleading users into clicking on harmful links.</p> <p>Threat actors can also exploit vulnerabilities in already established websites to hijack and spread their malicious content. This can occur whether it’s through malicious downloads or by linking to other spam websites. This technique can also have the following negative impacts on legitimate websites that are being spoofed:</p> <ul><li>Lower search engine ranking</li> <li>Reduced site traffic</li> <li>Damage to brand integrity and reputation</li> </ul><p>Any links or files that you click on or download from malicious sites can jeopardize your computer. Accessing a webpage without the appropriate firewalls and plug-ins could put your system at risk, even if you just click on a link.</p> <p>These malicious codes and attacks can:</p> <ul><li>distribute malware or ransomware</li> <li>steal personal information with the intent to sell it or use it maliciously</li> <li>urge you to call a false helpline number to allow access to your device or to transfer funds</li> </ul><p>They can pose as any type of website, whether it be a news site, streaming site, retail store or technical help desk.</p> <p>Along with the above-mentioned <abbr title="search engine optimization">SEO</abbr> techniques, threat actors can also use the following actions to assist in <abbr title="search engine optimization">SEO</abbr> poisoning.</p> <h3>Script spoofing</h3> <p>Threat actors use script spoofing to trick users by impersonating legitimate websites or email addresses. They use similar URLs that contain incorrect characters or domain names.</p> <h3>Keyword stuffing</h3> <p>Keyword stuffing occurs when threat actors fill webpages with keywords to increase their ranking. The keywords are repeated often and make the content of the site illogical. You may see many keywords combined with irrelevant words that will not make much sense when read. These are meant to be read by machines that recognize the keywords.</p> <h3>Typo squatting</h3> <p>Threat actors register domains that are similar to popular websites but with intentional typos or misspellings. They may design the website to look like the intended site the user wanted to visit. This may further trick the user into spending more time on the malicious site and clicking on links.</p> <h3>Link farms</h3> <p>Link farms are groups of websites that all link to one another. The more links or backlinks you have from other sites, the higher your search engine rating may be. Spam link farms manipulate the search algorithms by increasing their backlinks to automated link farms to increase their rating.</p> <h2 class="text-info" id="look">What to look out for</h2> <p>When searching the web or inputting a query into a search engine, always be aware that any link may contain malicious content. Use the following clues to avoid being compromised:</p> <ul><li>Check URLs for misspelled words</li> <li>Confirm the link’s content is related to the search query</li> <li>Be aware of unprofessional designs or cluttered webpages (if already on the website)</li> <li>Look out for fonts that seem out of place</li> <li>Use caution if links look too good to be true or are unrelated to the webpage</li> <li>Check to see if link extensions match the description</li> <li>Look for the padlock HTTPS symbol in the address bar, but always proceed with caution as some malicious sites may still show this symbol</li> </ul><h2 class="text-info" id="yourself">How to protect yourself</h2> <p>Use the following tips and techniques to proactively protect your computer from malicious websites.</p> <ul><li>Ensure the default script editor is set to block all scripts by default <ul><li>Doing so helps prevent automatic execution of potentially malicious scripts</li> <li>This can help keep your personal data private and your system safe from malware</li> </ul></li> <li>Install firewalls on your device which can warn you and block malicious sites</li> <li>Keep browsers and anti-virus software up to date</li> <li>Avoid clicking on suspicious links</li> <li>Avoid providing personal information unless you’re certain the site is legitimate and secure</li> <li>Always double-check the URL before clicking</li> <li>Instead of searching and clicking on a link, type the known address into the address bar and confirm you have not made any typos before hitting enter</li> <li>Allow for file extensions to be shown and verify that the type of file being downloaded matches its advertised intent</li> </ul><h2 class="text-info" id="website">How to protect your website</h2> <p>If you are a website owner or administrator, consider the following actions to secure your online presence. Many of these can be done by an IT professional.</p> <ul><li>Employ secure coding practices <ul><li>Practices such as input validation and proper error handling can help prevent various attacks</li> <li>For an in-depth look, see <a href="https://csrc.nist.gov/pubs/ir/8397/final">Guidelines on minimum standards for developers verification of <span>software (NISTIR 8397) </span></a></li> </ul></li> <li>Update information on your site regularly</li> <li>Apply web application firewalls</li> <li>Use reputable content management systems</li> <li>Perform regular security audits and review files, settings, and website codes</li> <li>Employ strong authentication methods for website administrators, such as multi-factor authentication</li> <li>Be aware of unexpected spikes and drops in website traffic, which may indicate that your site has been hacked</li> </ul><h2 class="text-info" id="Learn">Learn more</h2> <ul><li><a href="/en/guidance/protect-your-organization-malware-itsap00057">Protect your organization from malware (ITSAP.00.057)</a></li> <li><a href="/en/guidance/ransomware-how-prevent-and-recover-itsap00099">Ransomware: How to prevent and recover (ITSAP.00.099)</a></li> <li><a href="/en/guidance/dont-take-bait-recognize-and-avoid-phishing-attacks">Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)</a></li> <li><a href="/en/guidance/security-considerations-when-developing-and-managing-your-website-itsap60005">Security consideration when developing and managing your website (ITSAP.60.005)</a></li> <li><a href="/en/guidance/how-shop-online-safely-itsap00071">How to shop online safely (ITSAP.00.071)</a></li> <li><a href="/en/guidance/website-defacement-itsap00060">Website defacement (ITSAP.00.060)</a></li> <li><a href="/en/guidance/domain-name-system-dns-tampering-itsap40021">Domain name system (DNS) tampering (ITSAP.40.021)</a></li> <li><a href="https://www.getcybersafe.gc.ca/en/blogs/script-spoofing-protect-yourself">Script spoofing: What it is and how you can protect yourself</a></li> </ul></div> </div> </div> </div> </div> </article>

<article data-history-node-id="5758" about="/en/cyber-security-readiness" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>Canadian organizations are confronted with an evolving threat landscape as malicious cyber activities increase in scale and sophistication. Critical Infrastructure (CI) operators and owners are especially at risk. Cyber attacks on <abbr title="critical infrastructure">CI, </abbr> can have devastating consequences on Canada’s economy, safety and national security.</p> <p>This page provides resources from the Cyber Centre to help Canadian organizations and critical infrastructure increase their cyber security readiness. This includes information on current cyber threats, steps to protect against them and ways respond to and recover from incidents.</p> <h2>Cyber Security Readiness Goals</h2> <p>The Cross-Sector Cyber Security Readiness Goals (CRGs) provide Canadian organizations with 36 foundational, realistic and achievable goals to strengthen their cyber security. Each goal is linked to concrete recommended actions that, if taken, will elevate the cyber security posture of Canadian organizations and <abbr title="critical infrastructure">CI </abbr>.</p> <p class="mrgn-tp-md"><a class="btn btn-success btn-lg" href="/en/cyber-security-readiness/cross-sector-cyber-security-readiness-goals-toolkit">Consult the Cross-Sector Cyber Security Readiness Goals Toolkit</a></p> <p>To accompany these goals, the Cyber Centre has published <a data-entity-substitution="canonical" data-entity-type="node" data-entity-uuid="f552f117-1c52-46d4-a56a-0d2181223d8f" href="/en/cyber-security-readiness/cyber-security-readiness-goals-securing-our-most-critical-systems">Cyber Security Readiness Goals: Securing Our Most Critical Systems</a> which provides an overview of the cyber threat landscape and explains how the <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs </abbr> came to be. This publication also highlights the <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs </abbr>’ alignment with international frameworks and other Government of Canada publications and tools.</p> <p>The <abbr title="Cross-Sector Cyber Security Readiness Goals">CRGs </abbr> are a tool for self-assessment that any organization can use to track their progress and improve their cyber security posture. They will be updated regularly to support organizations in effectively mitigating emerging cyber threats.</p> <h2>Additional resources</h2> <ul><li><a href="/en/guidance/security-considerations-critical-infrastructure-itsap10100">Security considerations for critical infrastructure (ITSAP.10.100)</a></li> <li><a href="/en/guidance/cyber-threat-bulletin-cyber-centre-reminds-canadian-critical-infrastructure-operators">Cyber threat bulletin: Cyber Centre reminds Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="/en/guidance/cyber-threat-bulletin-cyber-centre-urges-canadian-critical-infrastructure-operators-raise">Cyber threat bulletin: Cyber Centre urges Canadian critical infrastructure operators to raise awareness and take mitigations against known Russian-backed cyber threat activity</a></li> <li><a href="/en/guidance/national-cyber-threat-assessments">National Cyber Threat Assessments</a></li> <li><a href="/en/guidance/state-sponsored-espionage-and-threats-critical-infrastructure">State-sponsored espionage and threats to critical infrastructure</a></li> <li><a href="/en/guidance/it-security-risk-management-lifecycle-approach-itsg-33">IT security risk management: A lifecycle approach (ITSG-33)</a></li> </ul></div> </div> </div> </div> </div> </article>

<article data-history-node-id="6252" about="/en/news-events/joint-guidance-badbazaar-moonshine" class="cccs-basic-page full clearfix"> <div class="content"> <div class="layout layout–onecol"> <div class="layout__region layout__region–content"> <div data-block-plugin-id="extra_field_block:node:cccs_basic_page:links" class="block block-layout-builder block-extra-field-blocknodecccs-basic-pagelinks clearfix"> </div> <div data-block-plugin-id="field_block:node:cccs_basic_page:body" class="block block-layout-builder block-field-blocknodecccs-basic-pagebody clearfix"> <div class="field field–name-body field–type-text-with-summary field–label-hidden field–item"><p>The Canadian Centre for Cyber Security (Cyber Centre) has joined the United Kingdom’s National Cyber Security Centre (NCSC-UK), and the following international partners in releasing 2 cyber security guidance publications on BADBAZAAR and MOONSHINE:</p> <ul><li>Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC)</li> <li>Germany’s Federal Intelligence Service (BND)</li> <li>Germany’s Federal Office for the Protection of the Constitution (BfV)</li> <li>New Zealand’s National Cyber Security Centre (NCSC-NZ)</li> <li>United States’ Federal Bureau of Investigation (FBI)</li> <li>United States’ National Security Agency (NSA)</li> </ul><p>The joint guidance provides new information and mitigation measures for those at high risk from 2 spyware variants: BADBAZAAR and MOONSHINE.</p> <h2>BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors</h2> <p>This publication raises awareness of the threat that malicious cyber actors pose to individuals connected to topics the People’s Republic of China (PRC) considers to be a threat to its domestic authority, ambitions and global reputation, including:</p> <ul><li>Taiwan</li> <li>Tibet</li> <li>Xinjiang Uyghur autonomous region</li> <li>democracy movements</li> <li>Falun Gong</li> </ul><p>The publication includes 2 case studies that detail the techniques employed by malicious cyber actors using BADBAZAAR and MOONSHINE to target data on mobile devices. The publication’s guidance also includes mitigation measures that individuals can use to help protect:</p> <ul><li>themselves</li> <li>their devices</li> <li>their data</li> </ul><p>Read the full joint guidance <a href="https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-guidance.pdf">BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors (PDF)</a>.</p> <h2>BADBAZAAR and MOONSHINE: Technical analysis and mitigations</h2> <p>This joint guidance provides new and collated threat intelligence on the spyware variants BADBAZAAR and MOONSHINE. It includes advice for app store operators, developers and social media companies to help keep their users safe.</p> <p>Read the full joint guidance <a href="https://www.ncsc.gov.uk/files/NCSC-Advisory-BADBAZAAR-and-MOONSHINE-technical-analysis-and-mitigations.pdf">BADBAZAAR and MOONSHINE: Technical analysis and mitigations (PDF)</a>.</p> </div> </div> </div> </div> </div> </article>