<![CDATA[Canadian Cyber in Context]]>https://www.cyberincontext.cahttps://substackcdn.com/image/fetch/$s_!xNeN!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F022e597a-4e96-4f0f-885a-3489924dd07e_500x500.pngCanadian Cyber in Contexthttps://www.cyberincontext.caSubstackSat, 23 May 2026 16:22:05 GMT<![CDATA[Canadian Cyber News Rewire - 16/05/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-160526https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-160526Tue, 19 May 2026 13:12:37 GMTThe Weekly New Rewire is a survey of Canadian cyber or adjacent news stories from this past week (or recently). Please leave a comment if you think I missed anything.

Leave a comment

Editor Notes:

Feature your business in Canadian Cyber in Context through sponsorship.

Share

Canadian News

Canada-Relevant News

As many issues don’t respect borders, this section is for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section, which is 100% focused on Canada.

Canadian Cyber Threat Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Canada Buys Watch

I am still building. I plan to soon post more Canada Buysonce I have the time to build out the monitoring system.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Microsoft and American Hyperscalers Refuse to Accept Reality About Canadian Digital Sovereignty]]>https://www.cyberincontext.ca/p/american-hyperscalers-refuse-to-accepthttps://www.cyberincontext.ca/p/american-hyperscalers-refuse-to-acceptMon, 18 May 2026 14:37:08 GMTSupport Canadian Cyber in Context through sponsorship/advertisement or upgrade to paid membership.

In late April 2026, Microsoft invited a group of 50+ Canadians to hear a briefing on Microsoft’s approach to protecting Canada’s digital/data sovereignty. This group included other researchers and academics, lawyers, industry leaders, thought leaders, and me. As a result of participating in this brief, this article will often speak directly to Microsoft, but much of it applies to other American hyperscalers, including Google and Amazon Web Services. For a more point-by-point breakdown, I recommend reading Brent Arnold’s, aka the Cyber Lawyer and the slides to Microsoft’s briefing are included at the end.

The goal of the session was to discuss and “clarify” the US CLOUD Act and how Microsoft handles Canadian data, particularly in the event of legal requests from law enforcement, the role of cybersecurity, and Microsoft’s efforts to advance Canadian digital sovereignty.

Microsoft stresses that these briefings are meant to clear up misunderstandings of how Microsoft protects Canadian data and clarify its response to the US CLOUD Act. However, these presentations are deliberately crafted and intended to increase trust in Microsoft. They are very careful with the data presented, focusing on how Microsoft wants you to understand the issue rather than addressing concerns about Canada’s digital sovereignty. However, a central misunderstanding in the briefing was the assumption that Canada’s relationship with the United States has remained unchanged since January 2025.

On the contrary, Canadians’ trust in the United States has steadily declined under the current US administration. Approximately 60% of Canadians believe Canada can never trust the United States again. The reality is that Canadians no longer trust the United States, and US corporations are caught in the middle. Canada’s ability to trust Microsoft and other hyperscalers is fundamentally linked to a decline in trust in the United States. A failure to recognize this new reality will mean American hyperscalers pose a risk to Canadian digital sovereignty.

Share

What’s the Context?

Last year, Canada’s close relationship with the United States was forever broken by an unhinged United States administration. This new and unfriendly United States means that Canada must dramatically change its approach and come to terms with the new reality of an undemocratic, authoritarian United States. In June 2025, Microsoft France’s Director of Public and Legal Affairs, Mr. Anton Carniaux, was invited to provide testimony and answer questions from Senators. During the hearing, Mr. Carniaux was asked whether he could guarantee that data from French citizens would not be transmitted to United States authorities without the explicit authorization of the French authorities.

Mr. Carniaux said that he could not guarantee this. This also applies to Canada.

Although Canada and many other countries were already concerned about the United States’ extraterritoriality, which could supersede local laws, this hearing was a massive wake-up call for Canada and other countries that rely on US hyperscalers for their software, cloud, and broader information technology needs. Since then, Canada has increasingly pursued and investigated ways to increase its digital sovereignty and reduce reliance on United States corporations.

In September 2025, Prime Minister Carney even suggested that the Major Projects Office (MPO) may consider a sovereign cloud as a future project. Two months later, in November, the Prime Minister’s Office confirmed that sovereign cloud was indeed one of the projects it was to examine. However, no additional details have been released since this time. While Cabinet and Minister Evan Solomon continue to broker investments that do little to advance Canadian digital sovereignty and amount to platitudes, the bureaucracy is actually doing the hard work to figure out how the Government of Canada could advance digital sovereignty and sovereign cloud.

Shared Services Canada (SSC) and Public Services and Procurement Canada (PSPC) have been releasing a series of requests for information (RFIs) concerning sovereign public cloud capabilities. Increasingly, it is clear that the purpose of these RFIs is to determine and understand the current state of Canada’s cloud and data centre industry to support Canadian sovereign cloud. Thus far, much of the data and information is turning out exactly as many of us already anticipated. There is a lot of potential in Canadian cloud and data infrastructure for small- and medium-sized businesses, particularly in niche and specialized services, but none can provide such services at scale to the level of American hyperscalers like Microsoft, Google, and Amazon Web Services in Canada.

This means that Canada is unable to quickly adopt alternative products or services without considerable difficulty or reliance on other non-Canadian corporations. As a result, in the short term things will not change all too much, but long term strategic planning and investment is needed to reduce the risks of reliance on American corporations and increase domestic capacity and capabilities for information technology, particularly in cloud and data centre infrastructure.

Despite this, the growing frustration and declining trust have worried the hyperscalers, and for good reason. enough that Microsoft announced $19 billion work of investments

What is Digital Sovereignty?

A comprehensive definition and breakdown of digital sovereignty is outside the scope of this. For this, I recommend reading Chapter 1 of the Canadian Shield Institute’s Foundations of Digital Sovereignty.

But it is helpful to have an accepted understanding of what we are talking about. A state’s sovereignty is not a black-and-white concept but a complex instrument that is constantly negotiated and tested. A good analytical framework for understanding sovereignty is TRAC: Territory, Recognition, Authority, and Control.

For a country to have sovereignty, it needs:

  • Territory that is controlled by the country.

  • Recognition by its people, other countries, and international actors.

  • Authority to govern the territory.

  • Control over the country/territory

If you do not have these, then your country’s sovereignty is in question. However, sovereignty is not a checklist. Sovereignty, digital or otherwise, is constantly being redefined and given up in exchange for some benefit to the state. However, Canadians are no longer comfortable with the extent to which our digital sovereignty has been surrendered.

Digital Sovereignty is About Trust

Up until January 2025, Canadians were relatively comfortable with giving up some level of digital sovereignty for convenience and access to United States technologies and markets. In September 2025, 60% of Canadians reported believing that Canada can never trust the United States again. The trust continues to decline, and Canadians are no longer satisfied with the existing relationship. As Canadians’ trust in the United States continues to decline, many US corporations will be caught in the middle. This is a direct result of the actions of the current United States administration, which has been, in part, fueled by many corporations’ tacit support and endorsement.

I am in no way sympathetic to these multi-billion dollar corporations, but they need to recognize that they cannot have their cake and eat it too. If they want to truly support Canadian digital sovereignty, American hyperscalers must make the tough decisions to show concretely and without how they will support Canada in the face of US sanctions and or potential military aggression. Thus far, most have talked around the issue and stated they hope things do not come to that and they will work to ensure needs are met. This doesn’t address Canadian digital sovereignty or build trust. This specifically avoids the issue and shows that American hyperscalers refuse to accept the reality of the situation.

Since January 2025, the United States have taken many actions that we would never had expected prior and such events continue to happen. As a result, Canada must adjust its approach to these new risks and reality. Any American corporation which fails to understand this and tries to convince Canada otherwise is refusing to accept reality and cannot be trusted any more than the current United States administration.

Fortunately, sovereignty is not a static construct, and improving digital sovereignty is possible. However, it depends on which area you want to strengthen. For example, significant attention is currently being paid to improving Canada’s data sovereignty by increasing its domestic capacity for cloud software and data centre infrastructure. Although this would give Canada an increased amount of control over its data, there remain many layers of software and hardware, from operating systems to network switches, that mean a complete, clean Canadian digital stack is not possible. That doesn’t mean we can’t direct policy and investments to strengthen key areas of information technology and Canadian digital sovereignty.

At the end of the day, digital sovereignty concerns a country’s ability to use digital tools and technologies in accordance with the laws and customs of its country and place of residence. Canadians want to be able to trust the technology and services that they use

Will the US Target Canadians using Hyperscalers?

Since the first half of 2025, the Canadian policy and media landscape has been filled with article after article about the threat posed by United States corporations to Canadian digital sovereignty, including my very own, often focusing on the US CLOUD Act. Due to this focus on the US CLOUD Act, many American hyperscalers have focused on responding specifically to concerns about the US CLOUD Act. However, the root of the problem is not the US CLOUD Act, which is only a streamlining mechanism. The problem is the lack of trust in the United States using the law as it is meant, and concerns that Canada’s reliance on American information technology will be used against us.

This is not a future concern; this is already happening. On May 4, Wired broke news that the United States Department of Homeland Security is demanding that Google surrender data on a Canadian’s activity and location due to anti-ICE posts. The individual has not been to the United States in over 10 years and has not exported or imported anything from the United States during the periods being examined, but Homeland Security is attempting to compel Google to provide this data by citing the Tariff Act of 1930.

As a result, any claim by Microsoft or others which presumes that the socio-political and legal relationship between Canada and the United States is the same are completely out of their depth. Some, like Microsoft, will claim that Canada is “over-indexing” on concerns related to the United States, but this incident with Google instead shows that Microsoft is not addressing this enough. If anything, Microsoft is being willfully ignorant and shows it cannot be trusted by refusing to recognize the breakdown of democratic and legal norms in the United States.

What Hyperscalers Don’t Understand

There are many reasons not to trust Microsoft, but what Microsoft and many others fail to recognize is that the new issues of trust in American hyperscalers do not entirely lie with the corporations themselves. Canada’s trust in the United States changed in January 2025, and Microsoft happens to be caught in the middle. How many of these corporations have supported the current United States administration and continue to tacitly support American adversarial and aggressive behaviour, ultimately will determine if that corporation can be trusted. Thus far, American hyperscalers have not behaved in a way that would instill such trust.

Microsoft’s response so far suggests that everything is business as usual and that there has been little to no change in the United States. By failing to acknowledge that Canada cannot currently trust the United States as it did before January 2025, it digs itself into a hole and instills distrust among Canadians. Refusing to understand and adjusting accordingly suggests one of two things:

  • Microsoft believes that the United States is just as trustworthy and predictable, and can be trusted to act rationally.

  • Microsoft understands these changes but refuses to fully address them, attempting to gaslight Canadians into believing their data is safe to preserve its market share.

Neither of these is a good thing and suggests that Microsoft cannot be trusted with Canadian digital sovereignty.

In many ways, Microsoft and the other American hyperscalers are in a lose-lose situation, and trying to preserve the status quo will only hurt them. Further, Microsoft’s efforts to convince Canadian experts and leaders that nothing has changed and to trust in the status quo is potentially dangerous for Canada.

Technical Safeguards are a Last Resort

Amid discussion of digital sovereignty, too little attention is paid to technical controls and protections, for both good and bad reasons. Yes, we can have encryption, air-gaps, compartmentalization, and additional security controls that limit how much cloud corporations can access our data or disrupt them. This can help ensure that, if the United States were to undertake malicious legal action against Canada or a Canadian citizen, there would be some layers of protection in place. However, these are all one part of the equation with their own limits and downsides.

If technical safeguards were the only thing between us and malicious use or disruption, then Canada would have zero concerns about using Chinese-made equipment. The problems arise in the full use of the ecosystem, where concerns about governance and control can impact the overall system. While technical safeguards are certainly in place and are one part of the protections for Canadians, that does not negate the legal and political dimensions. Which, in some cases, could compromise the technical safeguards if a corporation is pressured to do so and complies. At worst, it would still mean disruption of technology in large parts of Canadian society.

We need the technical controls and safeguards. But what good are those safeguards if we cannot trust the corporation setting them up in the first place? Technical controls should be the last resort and do not resolve digital sovereignty concerns. Instead, they simply allow us to maintain a basic level of trust in the existing system’s integrity while giving Canada time to plan and invest in efforts to increase Canada’s digital sovereignty and reduce our risk exposure by transitioning to more trustworthy products and services, particularly Canadian.

TL;DR - Takeways

Canadian’s acceptance of reduced Canadian digital sovereignty has dramatically changed since January 2025. Canada is increasingly concerned with increasing its domestic control and autonomy over its digital products, particularly related to data. The source of this change is growing distrust of the United States administration due to its ongoing hostile behaviour.

By association, Microsoft and American hyperscalers are increasingly distrusted as well. Their insistence on treating current Canadian-United States relations as business as usual does not help prevent this either. Rather, by operating as if the social and political relationship has not changed, it only instills greater levels of distrust and gives the impression that the corporation is either lying to you or trying to trick you.

If American corporations want to rebuild trust with Canada despite the current United States administration, it will require more than promises of $19 billion dollars. Such massive investments do not mean the corporation is committed to Canadian digital sovereignty. All it suggests is that a corporation wants to preserve its market access and share, which are increasingly at risk. If anything, this potentially sends the message that they recognize they are a threat, but want to become so ingrained in Canadian digital society that Canada cannot do anything about it.

This is very much a pessimistic take, but it reflects the reality that Canada’s risk calculus has dramatically changed since January 2025. Canada has to adjust to those new risks from the United States, no matter how small they may be. Adjustments to these new risks seem so major only because Canadians have not had to consider them for over 100 years.

Investments do little to address the threats of the United States administration. To build trust with Canadians despite the current United States administration, it is necessary to take a social and political position siding with Canada over the United States. At the end of the day, will an American corporation support the United States or Canada?

Canadians know the answer when things get tough, and that is why American corporations are a risk, not the answer, to Canadian digital sovereignty.

Support Canadian Cyber in Context through sponsorship/advertisement or upgrade to paid membership.
Deck Microsoft's Commitment To Canadian Data And Digital Sovereignty
1.64MB ∙ PDF file
Download
Download

Thanks for reading Canadian Cyber in Context! This post is public, so feel free to share it.

Share

Subscribe now

]]><![CDATA[Canadian Cyber News Rewire - 09/05/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-090526https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-090526Mon, 11 May 2026 12:56:13 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Leave a comment

Editor Notes:

Feature your business in Canadian Cyber in Context through sponsorship.

Share

Canadian News

Canada-Relevant News

As many issues don’t respect borders, this section is for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section, which is 100% focused on Canada

Canadian Cyber Threat Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Media of the Week

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 02/05/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-020526https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-020526Mon, 04 May 2026 13:06:32 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Leave a comment

Editor Notes:

Feature your business in Canadian Cyber in Context through sponsorship.

Share

Canadian News

The Orchard
SCOOP: Elections Alberta investigating separatists for accessing electors list
An Elections Alberta official showed up to the launch of David Parker’s new separatist scheme with four Edmonton cops to inform the group that they’re under investiga…
Read more
23 days ago · 89 likes · 6 comments · Jeremy Appel
The Line
SCOOP: Jen Gerson: Elections Alberta's massive failure could have put people in danger. I tried to warn them.
By: Jen Gerson…
Read more
22 days ago · 195 likes · 48 comments · Jen Gerson

Canada-Relevant News

As many issues don’t respect borders, this section is for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section, which is 100% focused on Canada

Canadian Cyber Threat Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Media of the Week

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 25/04/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-250426https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-250426Mon, 27 Apr 2026 14:04:48 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Leave a comment

Editor Notes:

Feature your business in Canadian Cyber in Context through sponsorship.

Share

Canadian News

Canada-Relevant News

As many issues don’t respect borders, this section is for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section, which is 100% focused on Canada

Canadian Cyber Threat Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Media of the Week

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Share

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Program for Cyber Security Certification (CPCSC): Evaluation Findings Explained]]>https://www.cyberincontext.ca/p/canadian-program-for-cyber-security-bb9https://www.cyberincontext.ca/p/canadian-program-for-cyber-security-bb9Tue, 21 Apr 2026 10:01:24 GMTCanadian Cyber in Context is sponsored by
123 Cyber Inc.
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
Feature your business in Canadian Cyber in Context through sponsorship.

In 2025, Public Services and Procurement Canada (PSPC) conducted an evaluation of the Canadian Program for Cyber Security Certification (CPCSC). Luckily for us, the full report and management action plan were released to the public early this year.

The evaluation covered the period from April 2023 to June 2025, which includes the soft launch in early 2025. This means this only covers the initial preparation and phase 1 of implementation for CPCSC, and roughly a year of CPCSC activity is not covered by this report. Despite this gap, we get some interesting insights into program’s organization and the delays that occurred during this time. In particular, the report confirms much of what has been unspoken about CPCSC and the program's direction since January 2025.

Although this evaluation focuses on a period approximately a year ago, note that it was conducted specifically to improve the program, and a management action plan was developed in response. As a result, we can use the report and the management action plan to understand the CPCSC's current operations and direction.

With that said, the CPCSC Secretariat officially released CPCSC level 1, including the level 1 self-assessment tool and scoping guide. As much as this evaluation can inform us about the program itself and how it is developing, the program itself is continuing and making progress. Despite this major progress and milestones, the program still needs ongoing industry and stakeholder feedback on its activities, as this evaluation found.

Andrew Laliberte and I are underway with reviewing the new materials and hope to have a lot more out soon about CPCSC level 1, so make sure you are subscribed.

Subscribe now

Share

What is the Evaluation?

PSPC’s Departmental Evaluation Plan for 2024-2025 to 2026-2030 included a mandatory evaluation of CPCSC, which was conducted by the Evaluation Services Directorate between April and June 2025. The evaluation focused on “assessing stakeholder engagement and its contribution to CPSCC implementation, the extent to which risk management practices have been employed, as well as the prioritization of activities and available resources.” To assess these variables, the evaluators reviewed documents, conducted interviews and surveys.

As noted, the evaluation was conducted to improve the program, in particular, to ensure that the CPCSC program, as it is being rolled out, is in line with the priorities of the Government of Canada, to assess PSPC’s support of the program, and the inclusion/role of other departments in the implementation of the CPCSC.

In response to the report, PSPC developed a Management Action Plan, which will be reviewed at the end of this article.

Key Findings

The key findings of the evaluation are divided into three categories: relevance, effectiveness, and delivery.

Issue 1: Relevance

Relevance generally asks,” Why do we even need the CPCSC?” The answer is simple: Canada needs a mechanism to ensure the security of sensitive government data in non-government systems. CPCSC has been developed to fill this gap.

Although reciprocity with the United States’ Cybersecurity Maturity Model Certification (CMMC) was one of the primary motivations for creating the CPCSC, the CPCSC remains relevant and necessary regardless of alignment with other programs. Nevertheless, as will be discussed more later, the lack of reciprocation with CMMC had a major impact on the program.

One key question that was asked, and continues to be asked, is why CPCSC was not integrated into PSPC’s existing programs, such as Contract Security Program (CSP) and Controlled Goods Program (CGP). The report explains that CPCSC, CSP, and CGP all require specific compliance and assurances that, while complementary, address different areas that are governed by different policies and authorities. In particular, CSP is managed under the Policy on Government Security and CGP is governed by the Defence Production Act and Controlled Goods Regulations. CPCSC is managed under the Policy on Government Security and is defined by the ITSP 10.171 and ITSP 10.172 standards (10.172 not yet released).

Issue 2: Effectiveness

As CPCSC is still an in development program, effectiveness predominantly deals with the program’s ability to deliver the program based on its own timeline and goals. Unfortunately, the report obfuscates the actual effectiveness of the program delivery by putting it into the context of the entire program versus the completion status of deliverables during the period examined. As a result

The report explicitly states that the CPCSC implementation was slower than anticipated due to “factors such as the need to redevelop it with a Canada-only focus in early 2025.” In other words, Canada did not anticipate the United States' refusal to agree to reciprocity and thus had to switch to a Canada-only approach. What I find curious is that the phrasing makes it sound like there was a completely different plan and design for the program, and that they had to make modifications to launch it in March 2025 rather than January 2025. This begs the question as to what was so different to require changes, or was this a reassessment of the overall plan about CPCSC. Despite this lack of reciprocation, CPCSC is still based on CMMC and the ITSP 10.171 standard that is used in CPCSC is based on CMMC’s NIST 800-171. Further, the recently released self-assessement tool is based heavily on United States tools and wording. So there appears to be very little change.

Although the report states the delays are a result of a lack of reciprocity, a more kind interpretation would likely be that, after the initial delay, the delays have had a domino effect. These delays have been compounded by additional, more recent delays in CPCSC implementation that were not covered in the evaluation. All of this is understandable, and perhaps their timeline was optimistic in the first place, but what has increasingly frustrated industry and stakeholders is the CPCSC secretariat's lack of communication, which quietly updates its website with new dates and timelines.

While the program ultimately continues to roll out with occasional delays, the lack of communication about these delays and the resulting frustration are not captured by this report. However, as will be shown, we at least have an answer for this lack of communication.

Feature your business in Canadian Cyber in Context through sponsorship.

Issue 3: Delivery

Issue 3 predominantly deals with the governance and overall organization of CPCSC program and its secretariat to implement the program. In other words, less to do with the work of implementing the CPCSC and more to do with the work of the government implementing the CPCSC program. Overall, the CPCSC secretariat reported satisfaction with PSPC's support, but there was a need to clarify roles and responsibilities in administering the CPCSC.

Despite this, the report greatly overstates the organization and governance of the CPCSC and makes it sound like they have more resources and support than they have. The report states that the CPCSC is supported by clearly defined governance that includes The ADM Cyber Security Commtitee, Director General committees, and the Tiger Team. The Tiger Team Working Group is the group actually responsible for developing and implementing the CPCSC. So while the ADM Cyber Security Committee and Director Generals do technically have oversight and manages the Tiger Team, this is like saying Cabinet oversaw the creation of the Defence Industrial Strategy. While technically correct, the actual writing and work is done by a smaller team that reports up.

The precise composition of the The Tiger Team Working Group, also known as the CPCSC Secretariat, is unclear, but it is primarily composed of and led by members of PSPC’s Defence and Marine Procurement Branch and the Departmental Oversight Branch as the designers, implementers, and technical authority for the CPCSC. They are then supported by an inter-departmental group from DND, Treasury Board Secretariat, Communications Security Establishment/Canadian Centre for Cyber Security. The Standards Council of Canada is mentioned among partners, but as a Crown corporation, it is likely more of a partner than an active participant on the Tiger Team. This small, multi-departmental team is what has allowed them to stand up the program without running into mandate issues and ensure everyone is involved without being enormously slow.

One of the biggest complaints I have heard related to CPCSC thus far is about understanding its role in broader government cybersecurity compliance, such as the role of Canadian cloud profiles and CPCSC/ITSP 10.171. The reason that there has yet to be any adequate reconcilitation is stated plainly in the report:

“Several interviewees recognized the CSE-CCCS as the primary source of cybersecurity technical expertise for CPCSC and noted their limited involvement to date, citing a lack of funding and capacity as a barrier.”

CPCSC essentially rely upon CSE/CCCS for technical expertise related to the standard, but their capacity to deal with anything other than the standard are significantly limited or non-existent. As much as the Tiger Team organization has allowed them significant leeway to develop the CPCSC, there are limitations as it relates to the implementation of the program. The report notes insufficient technical cybersecurity expertise within CPCSC stakeholder departments, leading to reliance on technical authorities and experts such as CSE/CCCS.

These existing gaps were identified as risks to the ongoing implementation of CPCSC and could lead to further delays in the program.

This is closely related to the CPCSC's risk management. The report notes that the Secretariat undertook significant efforts to identify risks and included multiple stakeholders in this process, but there was minimal activity to address the identified risks, other than to help inform the planning and implementation of the CPCSC. Despite this, some interviewed noted that some risks were not fully addressed, which include:

  • SMEs are struggling with the financial and technical demands of CPCSC

  • Lack of reciprocity

  • Insufficient personnel, project management, and technical cybersecurity expertise in CPCSC stakeholder departments

  • Inconsistent stakeholder priorities, coordination, and engagement

  • Unclear plans to transfer CPCSC management following implementation.

Take note that all of these risks have still not been adequately addressed. While some issues may not be fully addressable, such as the lack of reciprocity, CPCSC has found a middle ground by allowing CMMC to apply to CPCSC on a case-by-case basis.

The management action plan includes details related to the development of CPCSC risk management tools after the evaluation was completed, but these tools do not neccesarily address the full breadth of risks noted above.

Long Term Program Governance and the CPCSC

What CPCSC is and where to start have already been covered in detail, but this report does a good job of showing how many different departments and teams are involved. Here is a breakdown of the overall structure of those involved, including those outside of the program (Thanks to Andrew Laliberte):

DM Committees (Defence Procurement Strategy)

└── ADM Committees (GC Cyber Security Oversight)

    └── DG Cyber Security Certification Steering Committee

        └── PSPC – DMPB (Program Lead)

            └── CPCSC Secretariat

                ├── DOB (Technical Authority / Business Owner)

                ├── Procurement Branch (Data Systems)

                ├── Tiger Team Working Group

                │   ├── PSPC (DMPB + DOB)

                │   ├── DND (Client / Assessments)

                │   ├── TBS (Policy)

                │   ├── CSE / CCCS (Technical Authority)

                │   └── SCC (Accreditation)

                └── External Ecosystem

                    ├── Industry (Suppliers)

                    ├── Third-Party Assessors

                    └── Cyber / IT Providers

Before CPCSC and informed folk yell at me, I know this does not fully/accurately reflect how the Tiger Team is organized, but it is a rough breakdown of the overall organization and stakeholders involved. it is meant to show just how many people are involved in this. As much as we would like to complain about a lack of communication or about how CPCSC is developing or being delayed, they’re essentially doing a giant juggling act among the different mandates of the organizations involved in this process.

The report is very explicit that a lack of personnel, project management, and cybersecurity knowledge is affecting implementation. The Tiger Team organization gives them a lot of flexibility, but may not have the capacity to accomplish everything to ensure that the program’s successful implementation. This should be a major concern for the government, military, and defence industry, as this is essentially saying CPCSC does not have the resources it needs.

Costs

One particular passage really stood out to me that I want to unpack:

“The evaluation also found that cost to industry is a major concern for all cyber security programs reviewed. In the case of Canada, CPCSC Secretariat-led industry engagements in May 2024, reported 46% of sub-contractors expecting to invest less than $50,000, while 29% of consultants projected costs of $150,000 to 175,000. 68% of respondents want comprehensive support: financial assistance, guidance, and resources in order to prepare for CPCSC assessment.”

When PSPC conducted the evaluation, this data was already approximately a year old. At this point, it is one month shy of being two years old and is likely inaccurate.

This data is from May 2024, long before ITSP 10.171 was released. Although we generally knew it would be based on CMMC’s NIST SP 800-171A, CPCSC remains a different mechanism and had to pivot after failing to acquire reciprocity with the United States’ CMMC. As a result, PSPC/CSPSC Secretariat must consider doing another RFI to determine how well industry is beginning to understand CPCSC, especially as level 1 is being introduced.

Takeaways - What Does This Tell Us About CPCSC?

  • The government has not provided CPCSC with sufficient resources to develop and implement the program.

The program states that there is “insufficient personnel, project management and technical cyber security expertise within CPCSC stakeholder departments.” It is unclear if this has been resolved since this report was released

Part of the problem with this appears to be the level of funding allocated to departments, where DND, the Treasury Board Secretariat, and CSE/CCCS were not given any funding for CPCSC activities despite having a role in implementation.

The need to prioritize funding is also likely what has led to a lack of communication between CPCSC and industry and external stakeholders, as they’re prioritizing program development over engagement. This is a completely understandable approach, but it is making it harder for the CPCSC Secretariat to develop the program.

Communication and engagement with external stakeholders are critical to maintaining an active dialogue for additional feedback and ensuring successful implementation. Ultimately, it is industry that will be implementing the program and be affected by it, so any supply chain program should include the feedback of the supply chain. Deprioritizing engagement due to a lack of funding ultimately hurts the CPCSC and makes their job so much harder.

In the end, the report even confirms this when it states “it was suggested that industry engagement should be increased to boost CPCSC awareness and buy-in, however interviews noted that CPCSC was not provided funds for industry engagement or program promotion.”

  • The CPCSC Secretariat does not have an accurate survey of the state of the defence industry and CPCSC implementation, particularly costs.

When CPCSC first conducted their RFI a few years ago, CPCSC was still in its very early stages and only 91 organizations responded. There is likely a strong chance that you only responded to this RFI if you were already aware of CMMC and the role it plays on CPCSC.

This is to say that many more organizations are now aware of CPCSC; we have the standard and understand its full scope, so now is a time for CPCSC to release another RFI to gain a better understanding of the preparedness of Canada’s defence industry supply chain and perceptions of CPCSC.

The report specifically notes recognition of the risk of SMEs struggling with financial and technical demands. More information about these risks and concerns from a new RFI and surveys could potentially help persuade the government, that is very defence conscious, to provide additional funding to ensure the success of the CPCSC.

The report specifically highlights the high costs associated with similar compliance programs, especially for SMEs, and notes that Australia used loans and regional development funds. This does not mean that the government will institute such programs, but awareness of this and the compliance costs are a positive step towards the government developing programs to assist SMEs and the broader sector in ensuring compliance. This is optimistic thinking, but these types of evaluations and audits are bureaucratic processes that motivate a lot of action on cyber-related programs in the Canadian government.

  • The CPCSC Secretariat is temporary

Unless this has changed, the handoff plan seems risky. The evaluation states that “the current CPCSC management model… was designed to be temporary with a reassessment and transfer of management to another entity following program implementation.” Authority and oversight of CPCSC was always going to be vested in other authorities when the implementation of CPCSC was completed, but there does not appear to be long-term thinking about governance of this program.

The evaluation in particular notes that CPCSC’s management is concerned about when CPCSC moves from DMPB in PSPC to “another organization.” Although we know that CPCSC level 3 will be largely be overseen and assessed by DND, there remain questions about the long-term management of the overall CPCSC program. As the CPCSC Tiger Team is a multi-departmental group with an organization and mandate that is unique, it is likely difficult to transition this into normal operations and continue on as normal.

Another aspect that the report overlooks is that the loss of expertise about CPCSC is likely to occur if CPCSC management is transferred. The report only emphasizes ensuring proper documentation of roles to enable short and long-term effectiveness, but this may not capture the full institutional knowledge and experience with CPCSC stand up that will be important during the course of implementation.

As a result, it may be better for the program to transition to long-term management sooner rather than later, as the program becomes more complex, the more difficult it may be to transfer management. Despite the stated problems of lack of technical knowledge in PSPC to manage CSPSC, this can be addressed better with a more long-term arrangement with CSE/CCCS.

Conclusion

There are many in the wider cyber defence and compliance space in Canada that does not give enough credit to the work of the CPCSC Secretariat. As this report notes, the CPCSC has simply not been provided with sufficient resources by the federal government and remains constrained in what it can achieve. Despite these constraints, its unique construction and “Tiger Team” approach have enabled the program to accomplish a great deal with a relatively small team.

It is unclear how much PSPC has been able to adjust its processes based on this evaluation report and the subsequent action plan, because the Management Action Plan only addresses the need for risk management tools and improved program documentation. These types of programmatic actions are relatively easy and do not suggest that the government has yet to provide CPCSC with the appropriate resources to ensure its success.

Although this evaluation covers a relatively old time period, it still tell us a lot about how the program is being developed and what has contributed to the delays. Rather than addressing some of the major risks the program has identified, PSPC has strengthened programmatic functions, since addressing anything beyond this would likely require ministerial or cabinet input.

In the coming weeks, will be releasing content and informational content about CPCSC level 1 with Andrew Laliberte. Already, Andy and I are finding that many of the risks identified in this evaluation are affecting the level 1 implementation.

Feature your business in Canadian Cyber in Context through sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 18/04/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-180426https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-180426Mon, 20 Apr 2026 13:59:25 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Canada-Relevant News

As many issues don’t respect borders, this section is for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section, which is 100% focused on Canada

Canadian Cyber Threat Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 11/04/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-110426https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-110426Mon, 13 Apr 2026 14:21:26 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Canada-Relevant News

As many issues don’t respect borders, I am creating this section for stories that impact Canada, but may not be Canadian-sourced or focused, to differentiate from the previous section that will be 100% focused on Canada

Canadian Cyber Threat Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 4/04/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-40426https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-40426Tue, 07 Apr 2026 09:05:44 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Canadian Cyber Intelligence

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 28/03/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-280326https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-280326Mon, 30 Mar 2026 13:43:23 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canada needs a secure-coding policy — and AI is making that more urgent]]>https://www.cyberincontext.ca/p/canada-needs-a-secure-coding-policyhttps://www.cyberincontext.ca/p/canada-needs-a-secure-coding-policyFri, 27 Mar 2026 16:04:48 GMTThis article originally appeared in Digital Journal here.

Feature your business in Canadian Cyber in Context through sponsorship.

The federal government spends approximately $6.8 billion on information and communications technology every year.

It contracts extensively with the private sector for software development, database administration, cybersecurity, and more, handling core Canadian services that include sensitive financial and health information. Despite the scale of that investment and the criticality of those systems, Canada does not have a secure-coding policy. That gap is getting harder to ignore.

Secure coding refers to a set of practices designed to instill security into software development from the start. Security educator Tanya Janca describes it as “fostering a proactive, security-minded culture in software development teams”. The goal is to eliminate bugs and exploits that expose sensitive data or allow threat actors into an application or network.

The stakes are real. On average, Canadian businesses lose nearly $7 million per data breach. Total recovery costs from cybersecurity incidents exceeded $1.2 billion in 2023. Secure coding is not yet standard practice across the industry, but the case for it is becoming more difficult to dismiss.

AI is a big reason why.

PwC has found that AI is already automating tasks previously performed by developers, driving labour reductions, and enabling smaller teams to deliver software-as-a-service models. The Information and Communications Technology Council finds that many junior-level tasks, including programming, are increasingly automated. As AI accelerates through the industry, the need for a clear market signal around secure development is growing.

That signal has not come.

AI is increasingly used in programming and operations despite ongoing debate about its reliability. Anthropic, the creator of the Claude programming model, has acknowledged that the model “frequently overstated findings and occasionally fabricated data during autonomous operations.” AI can be productive and transformative, but it is not infallible. In some cases, poorly developed models can obscure their own errors. Human-in-the-loop oversight is not optional; it is a necessary condition for responsible deployment.

The Government of Canada is the largest ICT client in the country. Adopting a secure-coding policy would be a significant market lever, establishing strict requirements for secure software development across all government contracts, not just IT contracts.

That matters not just for security, but for digital sovereignty. A secure-coding policy can help ensure that Canadian data used in software development is handled in accordance with Canadian law without cross-border data transfers that could compromise sovereignty when US infrastructure is involved.

This is not about constraining AI or slowing innovation. It is about ensuring that adoption meets a security and safety standard, one that allows the federal government to tell Canadians their data is protected.

Such a policy also fits squarely within Canada’s National Cyber Security Strategy. Pillar 2 seeks to make Canada a global cybersecurity industry leader by prioritizing trusted innovation and building a foundational workforce. Fostering secure-coding and secure-AI practitioners advances all three of those objectives.

Janca, a Canadian information security leader and secure-coding advocate, has initiated a petition to the Government of Canada calling on the federal government to adopt a secure-coding policy for all custom software systems. It is one of the clearest signals yet that the practitioner community sees this as urgent. Whether Ottawa is paying attention is another question.

Feature your business in Canadian Cyber in Context through sponsorship.

Thanks for reading Canadian Cyber in Context! This post is public so feel free to share it.

Share

Subscribe now

]]><![CDATA[Canadian Cyber News Rewire - 21/03/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-210326https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-210326Mon, 23 Mar 2026 13:07:56 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research, Op-Eds, and Events

NewsGuard's Reality Check
China Pushes Pro-Iran War Claims
Welcome to Reality Check, NewsGuard’s nonpartisan newsletter that tracks the false claims and conspiracy theories that shape our world — and who’s behind them. Support us by becoming a premium member or sharing our work…
Read more
2 months ago · 33 likes
NetAskari
China's massive data leak of military secrets ?
About two months ago we saw a sales announcement on a dark web forum by a hacker that goes by the name of “airborneshark1". It offered a massive data set of 10 Petabyte that was apparently extracted from the National Super Computer Center of China ( NSCC ) in Tianjin. It was re-upped again a few days ago, probably to drive up the bidding process. The fi…
Read more
2 months ago · 65 likes · 6 comments · NetAskari

United States News

United Kingdom and European Union News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 14/03/26]]>https://www.cyberincontext.ca/p/copy-canadian-cyber-news-rewire-140326https://www.cyberincontext.ca/p/copy-canadian-cyber-news-rewire-140326Mon, 16 Mar 2026 15:15:19 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Read my analysis of sovereign cloud RFI and what it tells us about the Government of Canada's direction on sovereign cloud:

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research, Op-Eds, and Events

United States News

United Kingdom and European Union News

Other News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Compliance is Cash - Where to Begin with CPCSC]]>https://www.cyberincontext.ca/p/compliance-is-cash-where-to-beginhttps://www.cyberincontext.ca/p/compliance-is-cash-where-to-beginTue, 10 Mar 2026 12:02:59 GMTFeature your business in Canadian Cyber in Context through sponsorship.
The Canadian Program for Cyber Security Certification (CPCSC) is still in development and is subject to change. The information in this will be updated as the CPCSC Secretariat releases more information.

I’m Andrew Laliberte. For years, I worked inside the Canadian Armed Forces and Department of National Defence networks, deploying and sustaining technical capabilities under strict governance, risk, and compliance constraints. It was not glamorous work. It was long hours, rapid learning curves, and constant pressure to keep complex systems stable in environments where resources were scarce and the rules were rigid… except when they weren’t.

That experience gave me something invaluable. A practical understanding of how compliance frameworks shape architecture, operations, procurement, and organizational survival.

Today, I work with organizations across the defence industrial base (DIB), from primes to specialized subcontractors, who are entering a new era. An era where compliance is not optional, not theoretical, and not negotiable.

Here is what many still miss.

Compliance is no longer a checkbox buried in the back of a contract.
In the defence industrial base, it is becoming the price of entry.

The defence industrial base is becoming one of the most compliance-driven sectors in North America. While it may not entail the liquidity and capital controls of banking, its cybersecurity requirements are increasingly mandatory, enforceable, and directly tied to revenue.

Over the next few years, mandatory frameworks like CMMC in the United States and Canada’s evolving CPCSC requirements will determine who can bid, who can handle controlled information, and ultimately who gets paid.

Compliance is not just a cost center.
Done properly, it is a market filter.
Market filters create competitive advantage.

This series breaks down what the coming compliance landscape means for your business and how to turn governance requirements into strategic leverage.

Because in the DIB, compliance is not paperwork.

It is cash.

Share

The 101 on CPCSC Level 1

Who

Program governance is distributed across federal authorities:

• Program Manager: Public Services and Procurement Canada (PSPC)
• Defence Authority: Department of National Defence (DND)
• Standards Development: Canadian Centre for Cyber Security (CCCS)
• Accreditation Authority: Standards Council of Canada (SCC)

What

The Canadian Program for Cyber Security Certification (CPCSC) is the Government of Canada’s official cybersecurity certification program for defence suppliers.

It safeguards unclassified Specified/Sensitive Information that flows from federal departments to industry under defence contracts.

Specified/Sensitive Information is categorized as:

• SI Low
• SI Medium
• SI High

These categories align with specified/sensitive information data types such as Protected A, Protected B, and certain Controlled Goods contexts, as well as several others. Organizations must understand how their data maps to these operational impact levels.

When

Beginning in Spring 2026, PSPC will introduce contractual language requiring self-attested CPCSC Level 1 compliance for award on most DND contracts.

Where

If non-commercial off-the-shelf (COTS) activity or Specified/Sensitive Information (SI) is involved, CPCSC applicability and level will be determined through the Industry Contract Cyber Security Risk Assessment, CCSRA.

SI Low, aligned to CPCSC Level 1, includes:

Protected A information
• Low sensitivity Dual Use Goods technical data
• Non-critical sensitive supplier financial information
• Low sensitivity procurement documentation such as RFQs, purchase orders, and schedules

Why

CPCSC is Canada’s response to systemic cybersecurity risk across the Defence Industrial Base. It marks a shift from compliance on paper to structured, enforceable cybersecurity maturity requirements.

Three realities drive this shift.

  • The threat environment has evolved. Smaller subcontractors are often the easiest path into larger defence programs.

  • Self-attestation alone proved insufficient. Documentation did not always reflect operational reality.

  • Verification is now built into the model, but in a graduated form. Level 1 remains self-attested. Levels 2 and 3 introduce formal assessments to validate implementation and operational effectiveness.

The direction is clear. Canada is moving toward higher assurance requirements for higher sensitivity work.

Cybersecurity in Canadian defence contracting is no longer an honour system. It is becoming a tiered eligibility framework.

For DIB firms, CPCSC is not a policy update. It is a structural shift in how eligibility, competitiveness, and trust are determined.

Those who treat compliance strategically will find it does more than protect contracts.

It positions them to win.

How

The best way to keep your costs and timelines down is accurate scoping. You must first identify the systems, services, people, and workflows that touch defence contracts or Specified/Sensitive Information.

Once scoped, apply the 13 CPCSC Level 1 controls to that environment and build a controlled operating model that integrates people, process, policy, facilities, and technology.

Level 1 is not advanced security engineering.
It is just the minimum acceptable standard in 2026.

In 2026, we are 38 years removed from the first major internet worm (Morris Worm). Thirty-eight years of warnings. Thirty-eight years of incidents. Thirty-eight years to get the basics right.

There is no strategic justification left for ignoring technical debt, postponing governance, or hoping regulators will look the other way.

CPCSC Level 1 is not an innovation burden. It is the baseline cost of doing business in the modern defence ecosystem. Align with it or step aside for organizations that will.

It forces clarity on who has access, what systems matter and whether they are maintained. For some organizations, this will feel like overhead. For disciplined organizations, it becomes structured.

And structure scales.

Share

Feature your business in Canadian Cyber in Context through sponsorship.

Where to Start with CPCSC

In CPCSC level 1, there are 13 security requirements from 6 of the 17 security requirements families found in ITSP.10.171.

All of that translates into 71 assessment objectives (AO), which is really the only thing you should focus on applying to your organization’s scope.

The AO are the questions on the open-book test. If you can confirm you’ve applied them to every applicable part of your scope, then you pass the test.

To make life interesting, of course, you also need to track and insert various “organization-defined parameters” or ODPs

Direct from ITSP.10.171 Sec. 2.2:

“ODPs are an important part of specifying a security requirement. ODPs provide both the flexibility and the specificity needed by organizations to clearly define their specified information security requirements according to their particular missions, business functions, operational environments and risk tolerance. In addition, ODPs support consistent security assessments to determine if specified security requirements have been satisfied. If a GC department or agency, or a group of departments or agencies, does not specify a particular value or range of values for an ODP, non-GC organizations must assign the value or values to complete the security requirement.”

And

“The term ‘organization’ is used in many security requirements, and its meaning depends on context. For example, in a security requirement with an ODP, an organization can refer to either the GC department or agency or to the non-GC organization establishing the parameter values for the requirement.”

Which means that so far, unlike CMMC for which the DoD released an official list of ODP values you can just plug in and plan for, the ODPs in CPCSC will be left up to whichever government entity wants to take a stab at defining it before ultimately leaving the rest up to you.

How will that shake out? Will it be regulatory chaos? Time will tell but the most practical thing you can do is take those DoD-defined values as your starting point when planning as it would be unlikely to require much modification once you get your official values on a contract.

Now, let’s run through a couple of the most impactful security requirements to get a sense of what your new day-to-day reality looks like.

Family: 3.1 Access control

Security Requirement: 03.01.01 Account management

AO:

A.03.01.01.d.01: access to the system is authorized based on a valid access authorization

A.03.01.01.d.02: access to the system is authorized based on intended system usage

Impact: For the average defence contractor, these CPCSC Level 1 objectives represent a shift from a “convenience-first” to a “compliance-first” operational mindset. Meeting A.03.01.01.d.01 requires a formal administrative process where identity is verified before a single login is generated; gone are the days of informal account creation or shared credentials.

Meanwhile, A.03.01.01.d.02 introduces the concept of Least Privilege, mandating that access isn’t granted simply because a person is “on the team,” but only because their specific role requires it. For a small-to-mid-sized firm, this means an increased administrative burden for which you’ll need documented evidence of who has access and why.

In practice, this forces contractors to tighten their internal HR and IT workflows, ensuring that when an employee’s role changes or they leave the company, their access is adjusted or revoked immediately to prevent unauthorized data exposure.

Family: 3.14 System and information integrity

Security Requirement: 03.14.01 – Flaw Remediation

AO:

A.03.14.01.a[03]: system flaws are corrected

Impact: For the average defence contractor, objective A.03.14.01.a[03] transforms patch management from a “best effort” IT task into a high-stakes compliance requirement. The primary impact is the loss of operational flexibility; contractors can no longer afford to delay updates for months out of fear of software instability. Instead, they must implement a disciplined vulnerability remediation lifecycle that includes identifying, testing, and applying security patches within specific timeframes.

For many firms, this necessitates a move away from manual updates toward automated patch management tools to ensure nothing slips through the cracks. Beyond the technical shift, there is a significant documentation burden. Assessors won’t just want to see that the system is currently updated; they will want to see historical logs proving that flaws were corrected consistently and promptly. This effectively raises the “floor” for cybersecurity maturity, forcing smaller contractors to invest in more robust IT support or managed service providers to keep pace with the constant stream of newly discovered software vulnerabilities.

Even if you’re assessing your own organization, this is the level of consistent organizational effort required to meet that attestation.

Family: 3.13 System and communications protection

Security Requirement: 03.13.01 Boundary protection

AO:

A.03.13.01.a[02]: communications at external managed interfaces to the system are controlled.

Impact: For the average defence contractor, objective A.03.13.01.a[02] marks the end of “open-door” networking and necessitates strengthening the digital perimeter. The impact is felt most acutely in how the company interacts with the outside world—specifically at the Managed Interface, which serves as the single, guarded gateway between the internal network and external entities such as the public internet or subcontractor portals.

Contractors must move away from ad hoc connectivity and instead implement strict Boundary Protection technologies, such as enterprise-grade firewalls or specialized gateways that perform deep packet inspection. This requirement often forces a structural redesign of the network to ensure that all data “traffic” is funnelled through controlled checkpoints where it can be monitored, filtered, and restricted based on pre-defined security policies.

For smaller firms, this typically means moving away from consumer-grade routing hardware toward more sophisticated managed security services, as the burden of constantly updating and auditing these interface controls requires specialized expertise to prevent unauthorized data exfiltration.

From Vibes to Verifiable

Seventy-one assessment objectives. ODPs that may or may not be pre-defined for you. Evidence trails. Role catalogs. Patch clocks. Firewall rules that now require justification instead of “vibes”. All of this at level one is your new reality. It is the methods and actions your organization will have to live by.

But here’s the uncomfortable truth: none of this is exotic. None of it is bleeding-edge cyber wizardry. It’s basic governance. It’s discipline. It’s documentation. It’s doing the boring fundamentals consistently enough that you can prove it.

CPCSC Level 1 doesn’t demand a security operations center or classified infrastructure. It demands that you stop running your defence business like a startup lab and start running it like a regulated supplier in a national security supply chain. Access must be justified. Vulnerabilities must be fixed. Network boundaries must be controlled, and you must be able to demonstrate that this isn’t aspirational, it’s operational.

Ultimately, the shift toward CPCSC Level 1 isn’t just about checking boxes or surviving an assessment. It’s about a fundamental change in how the defence supply chain operates. For the average contractor, these objectives move cybersecurity out of the IT basement and into the boardroom. Whether it’s formalizing who can log in, automating your patch cycles, or hardening your network boundaries, the common thread is verifiable control.

The tedious technical stuff is the baseline for doing business today. If you cannot prove you’re doing it, you technically aren’t doing it in the eyes of the Government of Canada. By aligning your ODPs with established benchmarks such as the DoD’s published values and treating the assessment objectives as your operational roadmap, you transform a regulatory obligation into a capability signal.

The transition is not light work. It requires structure, investment, and consistency. But what it builds is something far more valuable than compliance: a resilient, professional, and contract-ready organization positioned to compete in a regulated defence marketplace.

If you want to win defence-related contracts, accountability isn’t optional anymore. CPCSC will be the price of admission.

Feature your business in Canadian Cyber in Context through sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 7/03/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-70326https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-70326Mon, 09 Mar 2026 14:41:29 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

Leave a comment

Share

Canadian News

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research and Op-Eds

Read my cyber review of the Defence Industrial Strategy. TL;DR: It will help a lot of Canada’s cyber industry, but there are major gaps and hurdles to overcome regarding infrastructure and hyperscalers.

Teresa Scassa’s Substack
BC's Court of Appeal decision in Clearview AI saga is a win for privacy
The British Columbia Court of Appeal has ruled that the BC Privacy Commissioner’s enforcement order against Clearview AI is both reasonable and enforceable. Clearview AI is a US-based company that scrapes photographs from the internet, including from social media websites, to build a massive facial recognition database which it offers as a service to la…
Read more
3 months ago · 3 likes · Teresa Scassa

United States News

European Union & United Kingdom News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Government Provides Next Steps to Sovereign Cloud]]>https://www.cyberincontext.ca/p/canadian-government-provides-nexthttps://www.cyberincontext.ca/p/canadian-government-provides-nextFri, 06 Mar 2026 21:26:56 GMT

Canadian Cyber in Context is sponsored by

123 Cyber Inc.
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
Feature your business in Canadian Cyber in Context through sponsorship.

Share

Where are we at with Sovereign Cloud?

Since early 2025, the Government of Canada has increasingly looked to shore up and improve Canada’s digital sovereignty. The reasons for this are myriad, including many strong economic reasons to invest in Canadian capacity to develop data centre infrastructure to support Canada’s digital technology. However, the most influential reason is the significant turn the United States has taken towards authoritarianism, and Canada’s growing realization of how much its digital sovereignty is compromised by its reliance on United States cloud providers.

Initial explorations by the federal government noted big loopholes in policy and procurement that allow major hyperscalers and United States-based corporations to refer to themselves sovereign cloud. This is problematic because United States law states that any data on a foreign server that a United States-based corporation has access to can be requested by the United States as part of a “criminal investigation,” and the country where that data is hosted will have no say in its transfer.

One of the primary problems is that there are four different definitions of a “Canadian company,” including “any company that is formed in Canada following the laws of either the Government of Canada or a provincial government. This includes government and private companies of any size.” As a result, a company incorporated in Canada but owned by an American corporation still counts as a Canadian company. The Canadian Shield Institute have done some great work on this topic.

Those opposed to Canadian sovereign cloud being wholly owned by Canadian firms refuse to acknowledge Canadian national security and sovereignty issues, particularly due to United States law. Their error is ignorance and naivety in believing that their sovereignty matters more than ours. Fortunately, the Government of Canada is invoking the national security exception, which is something common in most countries that can be triggered to exclude a procurement from trade agreement obligations. This means Canada can say trade agreement rules concerning data localization and inclusion in procurement don’t matter, sovereign cloud is a matter of national security.1

SSC updated the request for information (RFI) on March 3, which provides new information on the program's direction and who will be allowed in. Before jumping into what’s new, let us figure out what SSC first learned that may have contributed to this update.

What has SSC Learned?

SSC released the first wave of its RFI on sovereign cloud capability last year. In addition to requiring that data is processed, transmitted, and stored exclusively within Canada, the RFI also included a minimum requirement that “at all times only under the control of service providers, up to and including their ultimate parent corporations, that are not subject to foreign laws that permit foreign governments to obtain access to Canada’s data without Canada’s prior written consent.” This RFI is intended to inform the development of a procurement vehicle for a sovereign cloud Infrastructure as a Service (IaaS) and a native Platform as a Service (PaaS).

In the update to the RFI, this has been changed to “Cloud services remain at all times under the control of service providers (including their ultimate parent corporations) that are not subject to foreign laws permitting foreign governments to access or compel actions affecting Canada’s data or services without Canada’s prior written consent.”

This difference in wording is very telling as SSC figure out how to specifically frame and define the techno-legal constraints to ensure digital sovereignty.

The RFI examined a range of issues related to sovereign cloud, but that this is the basic entry point for it is a very positive sign. After the first wave, SSC released documents that elaborate upon what they are looking for and what they have learned so far:

Rfi Dr Wave 1 Vague 1 Sovereign Cloud Webinar Questions & Answers No1
189KB ∙ PDF file
Download
Download
Rfi Dr Wave 1 Wave 1 Sovereign Cloud Webinar Questions & Answers No2
189KB ∙ PDF file
Download
Download
Rfi Dr Sovereign Cloud What We Heard Report
376KB ∙ PDF file
Download
Download
Rfi Dr Wave 1 Vague 1 Sovereign Cloud Supplier Webinar August 22 2025 0
625KB ∙ PDF file
Download
Download

Share

The Carney Government is making a lot of policy and proclamations about Canadian digital sovereignty in cloud and AI, but it is doing so without understanding the extent to which Canadian industry can meet what it is calling for, or the obstacles it faces.

This RFI is intended to help with this, and as SSC determine what is possible, it will seek more granularity to inform the government and eventual competitive process. Some highlights of what they’ve learned so far (Keep in mind that this is all self-reporting):

  • 40 suppliers participated, and 32 met the sovereign eligibility requirements

    • This is honestly more than I expected.

  • Sovereign cloud options do not match the “scalability” of hyperscalers.

    • This confirms what I have been saying. Canadian cloud providers exist, but they cannot match the scale of the giants.

  • Limited sovereign hardware and reliance on proprietary software

    • This is no surprise. I do not want to call Canadian cloud providers resellers, but Canada hasn’t had much domestic innovation or development of cloud capabilities and technology. That means relying on other’s intellectual property a lot.

    • However, the current landscape and investment in this space mean this will be a growing sector.

I provide some additional commentary on some RFI Q&A at the end.

What’s New in the Update?

However, the federal government appears poised to address this gap. On March 3, Shared Services Canada (SSC) updated the Request for Information (RFI) - Sovereign Cloud Capability - Upcoming Competitive Processes with specific, targeted requests for information that should make proponents of Canadian sovereign cloud happy. I have covered a lot of information from last year here, so what’s new and so interesting about the update?

  • As I already noted above, they have slightly adjusted their definition concerning what counts as sovereign cloud: “Cloud services remain at all times under the control of service providers (including their ultimate parent corporations) that are not subject to foreign laws permitting foreign governments to access or compel actions affecting Canada’s data or services without Canada’s prior written consent.”

  • They have released details on the planned competitive process

    • Only Canadian small and medium businesses (SMBs) will be able to compete.

    • They use the Statistics Canada definition of SMBs:

      • A small business has 1 to 99 paid employees

      • A medium-sized business has between 100 and 499 paid employees.

    • When talking SMBs, they again want to emphasize that neither the corporation nor any parent corporation should be compelled by a foreign government to take any action without Canadian consent.

  • There are likely to be one-off competitive processes that “address specific [security or] sovereignty related challenges where Canadian firms can offer concrete solutions that materially enhance Canada’s sovereign cloud posture.”

    • This seems to indicate that there will potentially be contracts where SMBs cannot meet the needs. This may even mean that United States-owned Canadian corporation could compete in these one-offs, but it is unclear what definition they are using for “Canadian firm” here. It likely means the narrow one they have developed to sovereign cloud, but for these one-off contracts it could be more permissible depending on the context.

  • We also have a very vague timeline, but we at least know the steps. We know they are undertaking an agile procurement process, which is much more collaborative and can at times be quicker, so this is reflected in their timeline. It appears they are aiming to have a draft solicitation as soon as possible, which will be developed through engagement with industry.

    • One thing to note is that SSC/PSPC may move towards an initial technical qualification as the process progresses, because they will need to discuss some security requirements at some point.

Takeaways

  • Shared Services Canada (SSC) is specifically “leveraging an adjusted definition specific to Sovereign Cloud Services procurement.”

    • This may run into some difficulty later in the procurement process as the government’s wants and needs for sovereign cloud may not align with a lot of existing policies. This is particularly reflected in many of the questions received about specifics related to qualifications and existing definitions and policies of SSC

  • SSC are trying to determine what can be achieved with current capabilities that meet the specific guidelines they set out.

    • This may mean the results are not what we want to hear, but it will help the government determine what is feasible right now and what to invest in for the long term.

  • Because there is a major market gap for Canadian firms specializing in data centre infrastructure, this creates a potential obstacle to seeing a full-stack sovereign cloud that is Canadian, but this is a starting point

  • Post-Quantum cryptography will likely be required. They don’t have much more on this yet, but they at least acknowledge it’s likely a requirement.

  • Do not expect any sovereign cloud investment and competitive process to replace the hyperscalers. The information SSC has received indicates significant market potential, but there remains a gap between the current potential of the Canadian sovereign cloud market and that of hyperscalers. This is likely contributing to the big focus on SMBs.

    • In other words, major cloud and data centre/infrastructure projects, like secret cloud, will still likely go to a hyperscaler.

Selected Q&A Commentary

  • One question raised during the initial RFI was why the national security exception was invoked and whether this could limit competition.

    • It all depends on how you view competition. As this is an RFI, it is not a competition yet, but the exception will affect the competition in the end. Canada wants a sovereign Canadian cloud so using a national security exception doesn’t limit competition if it is specifically looking for Canadian firms. For American corporations who do not want Canadian to have digital sovereignty, this could be viewed as limiting competition because they aren’t involved. The problem here is that Canada doesn’t want their involvement, which is why the national security exception is being used. Americans do not seem to understand that they are the security problem we want to avoid.

  • There was a question about the involvement of American hyperscaler-owned Canadian corporations in the process, such as Microsoft Canada and AWS Canada.

    • The response was that the RFI is not a qualification process and is just about collecting market information. The question is largely wanting to speak to being qualified for the eventual IaaS and PaaS of sovereign cloud, many of them claim to sell sovereign cloud as well. However, the development of this specific procurement vehicle will mean American hyperscalers will not be able to say they provide sovereign cloud, because according to the RFI, they are leaning towards a very strict definition where

  • One question specifically asked about using “multiple services and technology layers” and the degree to which part or all of the components are affected by the United States CLOUD Act.

    • This is one of the best questions. We think of digital technology as a black box, all-inclusive, but when it comes to large data centres, cloud, servers, and everything in between, this can involve a vast range of supply chains spanning software and hardware. This is where a lot of Canadian service providers are likely to have some trouble because even if it is wholly owned by a Canadian firm, it could be using all United States products, such as software developed by an American hyperscaler.

  • One of the most important questions is concerning what is meant by “subject to foreign laws.”

    • The core of this question is concerning a Canadian company with operations in the United States would still be affected by the United States CLOUD Act, or really other laws for that manner.

    • SSC is particularly looking for input on how a Canadian-owned company would address this. A major issue is that any major Canadian-owned corporation that operates at the data centre level and provide government cloud services are likely to be operating in the United States as well.

      • I am of the view that any sovereign cloud would have to either not operate in the United States or places with similar sovereignty-infringing laws or to explicitly state they will refuse all foreign requests/demands for Canadian-hosted data.

  • One question asked if a Canadian-hosted service is sufficient, insinuating it is outside the scope of the US CLOUD Act.

    • This is false and part of the ongoing strategy of misinformation from American hyperscalers. It is no longer sufficient for data to only be hosted in Canada. A United States-based corporation like Microsoft or AWS, which owns its Canadian subsidiaries, is still required to give data to the United States if the courts say so, even if the data is hosted in Canada.

    • This is the entire reason for seeking to develop sovereign Canadian cloud.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

1

The exception can be challenged if it wasn’t “properly invoked,” but I believe this is extremely rare.

]]><![CDATA[Canadian Cyber News Rewire - 28/02/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-280226https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-280226Mon, 02 Mar 2026 14:30:59 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

  • I have completed the first rough draft of my dissertation (yay!). I will be entering a major editing phase over the next few weeks, so my availability may fluctuate.

  • Go sign Tanya Janca’s Secure-Coding Petition! (Article on this coming soon)

  • There are no indications of major Iranian cyber attacks yet, but be careful out there.

Leave a comment

Share

Canadian News

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research and Op-Eds

Read my cyber review of the Defence Industrial Strategy. TL;DR: It will help a lot of Canada’s cyber industry, but there are gaps to overcome major hurdles regarding infrastructure and hyperscalers.

  • The cybersecurity market is not consolidating. It is rewiring itself

    • Article by Francois Guay, creator of the Canadian Cybersecurity Network. It’s an interesting article. I especially like his emphasis on the importance of leadership, which is exactly the thing that I have been saying the Government of Canada is lacking on cybersecurity.

United States News

European Union & United Kingdom News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Canadian Cyber News Rewire - 21/02/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-210226https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-210226Mon, 23 Feb 2026 15:19:32 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this past week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

  • I have completed the first rough draft of my dissertation (yay!). I will be entering a big editing phase over the next few weeks, so my availability may fluctuate over the coming weeks.

Leave a comment

Share

Canadian News

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research and Op-Eds

Read my cyber review of the Defence Industrial Strategy. TL;DR: It will help a lot of Canada’s cyber industry, but there are gaps to overcome major hurdles regarding infrastructure and hyperscalers.

United States News

European Union & United Kingdom News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

]]><![CDATA[Cyber Dimensions to the Defence Industrial Strategy]]>https://www.cyberincontext.ca/p/cyber-dimensions-to-the-defence-industrialhttps://www.cyberincontext.ca/p/cyber-dimensions-to-the-defence-industrialWed, 18 Feb 2026 17:25:56 GMTCanadian Cyber in Context is sponsored by
123 Cyber Inc.
All views expressed belong to Canadian Cyber in Context and do not reflect the position of any sponsor.
Feature your business in Canadian Cyber in Context through sponsorship.

On February 17th, the Government of Canada finally released its long-awaited Security, Sovereignty and Prosperity: Canada’s Defence Industrial Strategy. As authoritarian states rise and seek to dismantle the rules-based international order established since the end of World War 2, Canada cannot rely on its allies and must increase its own defence investments to counter decades of inattention. The Defence Industrial Strategy is meant to accomplish this and I will breakdown and highlight where cyber and broader ICT plays a role in the strategy.

The vision of the Defence Industrial Strategy is to build "A robust Canadian defence industry that provides technological and operational advantage to the Canadian Armed Forces and its security partners in their mission to defend Canada, and maximizes growth, job creation and economic benefits for all Canadians."

Share

The Strategy has five pillars:

  1. Renewing the government’s relationship with industry

  2. Procuring strategically through the new Defence Investment Agency and a new Build-Partner-Buy framework

  3. Investing purposefully to strengthen an innovative Canadian defence sector

  4. Securing supply chains for key inputs and goods

  5. Working with domestic partners, including in Canada’s North and Arctic

The Strategy identifies seven key areas where Canada already has strengths: space, artificial intelligence, cyber, quantum technologies, medical countermeasures, robotics, and drones. These are key areas that area repeated throughout the strategy and where we will see some of the largest and most focused investments.

Many of the key 10-year goals of the strategy will impact including build world-leading Canadian firms in key sovereign capability areas; increase the share of defence acquisitions awarded to Canadian firms to 70%; accelerate procurement of successful Canadian R&D innovations; boost government investment in defence-related reseach and development by 85%; increase total Canadian defence industry revenues by more than 240%; grow defence revenues for Canadian SMEs by more than $5.1 billion annually; increase Canada’s defence exports by 50%; create 125,000 new jobs.

All of these goals tie directly into Canada’s cybersecurity industry, which is as dual-use of a technology as you can get.

Cyber as a Key Sovereign Capability

The federal government’s increased focus on defence matters has also coincided with a greater emphasis on cyber as a key capability, yet it is often overlooked because many capabilities are not considered intrinsically required for national security. In the Defence Industrial Strategy, the government actually lays out the Canada’s key sovereign capabilities. While there is no specific “cyber” capability, the closest is Digital Systems, with some overlap with other key capabilities areas.

Key Area 3: Digital Systems

  • Secure Cloud; Artificial Intelligence; Quantum Computing and Communications; Integrated Command, Control and Communications; High-Assurance Communications Equipment

You can also say cyber touches on:

Key Area 1: Aerospace:

  • Aerospace Platforms; Avionics; and Aircraft Communications.

Key Area 6: Sensors

  • Marine Sensors; Quantum Sensors; Electronic Warfare.

Key Area 7: Space

  • Space-based intelligence; Surveillance and Reconnaissance; Space Domain Awareness; Satellite Communications; Space Launch.

Cyber and digital capabilities touch nearly everything. Although the areas above are most directly connected to cyber, it can be argued that everything relies on cyber in some capacity; the question is how large or small that role is. The future of warfare is data and connectivity, which means cyber is at the heart of everything.

Canadian Cyber Security Industry Quick Facts

  • Canada is the 4th largest hub for cybersecurity in the world

  • The broader cyber security industry and value chain contribute more than $3.2 billion to Canada’s annual GDP, representing more than 30,000 jobs.

  • In 2020, Canadian cyber security services produced over $1.15 billion in exports, with nearly 80% going to Five Eyes partners.

  • 94% of Canada’s cyber firms are SMEs and 99.7% of Canadian AI firms are SMEs

  • The research and development intensity in the cyber security industry was close to 2.5 times the Canadian ICT average in 2020.

  • Growth in cyber security revenues is nearly double that of the broader ICT sector

In other words, Canada’s cyber security is a major economic force in the country and was already growing quickly without the additional support and investments via the defence industrial strategy. Many of these figures are old, but the stats remain the same or are even higher in 2025/26.

The strategy estimates that more than half a trillion dollars of downstream economic activity and overall investment will occur. This is a massive opportunity for Canada’s cyber industry that must take advantage, but it will take some adjusting to understand the nuances of the defence sector compared to the general market.

Pillar 1: Renewing Relationship with Industry

While no one will dispute that there is an inefficient and unproductive relationship between the federal government and defence industry, the cyber security industry wishes it had the relationship with the government that the defence industry does.

In Canada’s National Cyber Security Strategy, forging whole-of-society partnerships was the first objective that centred on a Canadian Cyber Defence Collective. However, the government’s efforts to do this are not off to a great start. The cyber industry should not expect any cyber-specific gains or advantages from Pillar 1 efforts, but there is still room for cyber to benefit from this, as with all other sectors.

This pillar focuses on how the government will improve its engagement with industry, including through procurement and partnerships. This includes the already launched Defence Investment Agency, as well as two other key actions of interest to the cyber industry in security clearance and ISED support.

The government will invest to speed up the security clearance process. This is something that everyone, including cyber folk, is hit with. Many people must go through the process to work in a field that many complain is overly classified, which can bottleneck operations due to security clearance requirements. This is good news for everyone.

The Government will also be investing in “dedicated ISED ‘concierge’ service for companies working on defence and dual-use technologies.” This includes cyber and is likely to be of a massive benefit once implemented. Given the niche, small areas cyber firms can cover, this concierge service and the many opportunities listed are likely to be a significant advantage for the cyber industry and the broader defence industry in integrating Canadian cyber.

Pillar 2: Procuring Strategically/Build-Partner-Buy Framework

This pillar centers on Canada’s need to develop strategic capabilities domestically, supported by the Build-Partner-Buy framework to guide this process. A significant focus here is on developing and securing Canadian intellectual property (IP) to ensure Canada maintains strategic capability and that the economic benefits of that IP remain in Canada.

The Build-Partner-Buy framework will be an approach led by the Defence Investment Agency to integrate the separate defence, industry, and procurement authorities and inputs to enable faster, coordinated decisions on capability acquisition. The framework seeks to prioritize purchasing from Canadian suppliers, investing in Canadian capabilities, including frontier areas such as AI and cyber, and partnering to build and maintain sovereign control. The Defence Investment Agency has already taken on multiple projects, including the Enhanced Satellite Communications Project – Polar, Airborne Early Warning and Control, Operational Training Infrastructure Enterprise Modernization, and others that are cyber or overlap with cyber.

Part of this pillar that has already been making headlines is that the Government will enter into partnerships with “champions” to help “[secure] domestic ownership and control over critical intellectual property and capacities - while also supporting Canada’s larger geopolitical objectives…” The government has already been doing this to a degree If you have been following the government’s approach to AI at all and their support of Cohere. This is a good approach and something that could be good with championing certain cyber firms, but it comes down to their process.

It is important to note that this approach is intended to protect IP and the economic benefits thereof AND to safeguard strategic capabilities and knowledge for Canada’s security. The framework’s emphasis on domestic reinvestment and sovereign control has a major impact on cyber capabilities. As the top cloud and AI hyperscalers are all American, there are no Canadian firms occupying the same space and competing at the same level as AWS, Microsoft, or Google. This means that there will need to be a middle ground between investment and purchasing of Canada products balanced with non-Canadian products and services that the Government of Canada will need to find ways to invest in while avoiding risks to Canada’s digital sovereignty. However, the Government of Canada has yet to demonstrate a full understanding of how to maintain digital sovereignty, as current policies still risk it by using cloud and AI data centres owned by American corporations. Despite these troubles, the partner dimension of the framework opens major opportunities with European enterprises, many of which are in a similar position as Canada, to leverage mutual efforts to build American-free cloud and AI infrastructure.

It appears the government will use the Industrial and Technical Benefits (ITB) Policy as a key lever to achieve many of these objectives. I have long advised any company or individual in the Canadian cyber space dealing with defence that ITBs are your key. ITBs are massive math equations for businesses that quantify how a government contract with said business will benefit the Canadian economy. The government’s intent to reform this system could benefit Canada's cyber sector by enhancing the benefits of hiring Canadian cyber firms. I have long said the ITB is the lever to actually build a coherent and strong Canadian defence ecosystem, not just defence industry. This is likely to be of incredible importance and benefit as the Canadian Program for Cyber Security Certification slowly enters into force over the next few years and increases cyber security compliance demands for Canada’s defence industrial base.

The proposed changes include:

Feature your business in Canadian Cyber in Context through sponsorship.

Pillar 3: Investing to Strengthen Canadian Defence Innovation

This pillar focuses on broad mechanisms that support defence innovation, including government initiatives and broader economic conditions that encourage investment. Many of the listed mechanisms are applicable to cyber, but it depends on finding the right program and CFP. It can be difficult for cyber capabilities to fit into many of these programs due to the niche nature of their work or product, so I at least hope they are developing these new programs with this in mind and recognizing that cyber is a frontier and key sovereign capability that needs to be recognized and included.

Where cyber is likely to see the biggest benefit is the additional capital for investment and support for defence exports. There is significant competition right now, but if you have a key sovereign capability, you should engage with all of these instruments. As noted above, Canada already is a major player in cyber security and support from the government can help to maintain and grow Canada’s cyber industry. The strategy also touches on growing the defence workforce, which should include cyber security professionals, but unfortunately, this is unlikely to be the case.

Pillar 4: Securing Supply Chains

This section discusses securing supply chains in a way that differs from how we do in cyber. A very loose definition of the supply chain in cyber refers to the components and applications that make up an individual piece of software or business suite. A compromise of a single supplier in a cyber supply chain can compromise the entire product or service. This is increasingly a common vector for cyber attacks. However, this section focuses on securing capacity or access to physical supply chains such as critical minerals or steel. As a result, these initiatives are unlikely to have a major impact on cyber.

One area which could impact cyber is the government’s commitment to looking at “legislative and policy tools to safeguard its most sensitive technologies, research, and know-how from malign actors.” Two potential dimensions to this instantly come to mind. First, as cyber operations are a common mode for intellectual property theft, the government may be seeking ways to punish cyber threat actors. Second, the government could be looking at levers to punish actors which try to export intellectual property illicitly. The section is quite unclear about this, but both raise interesting questions.

Pillar 5: Working with Domestic Partners, including in Canada’s North and Arctic

Of the categories, Pillar 5 is likely the least directly connected to cyber issues, but that does not make it any less important. Pillar 5 includes collaborating with provinces and territories, indigenous groups, and Northern and Arctic partners. Much of this section discusses partnering with local communities to ensure the critical infrastructure and capacity needed to secure Canadian sovereignty.

The most direct connections to cyber here are that in the North and Arctic there is very little digital infrastructure. The government is currently investing in satellites to improve connectivity in the North and Arctic, but relying solely on satellites is risky; you will also need on-the-ground infrastructure. Satellites are prime real estate for cyber threat actors, especially during an invasion or active conflict. Nevertheless, to accomplish anything the government wants, cyber or otherwise, you need people, which is much easier said than done. Cyber security and cyber overall are often known for their labour shortages, while it is debatable about how much of a shortage there actually is, this is something that should be really addressed in the workforce of the future and in the North and Arctic.

There is a significant opportunity among people in the North and Arctic, and cyber is a powerful vehicle and sector to support this enable further growth.

Takeaways - So What?

There is much to commend in the Defence Industrial Strategy overall, and it is well received in part because it is well constructed. Over the past few years, Canada has been bad at developing strategies. As Phil Lagasse says, Canada doesn’t do strategy. So, it is good to see them actually hit it out of the park on this one.

That said, from a cyber and digital perspective, this strategy is likely to benefit Canada’s cyber industries overall but is unlikely to affect capabilities that require a hyperscaler-level corporation. Ultimately, many of these efforts will help support and grow Canada’s defence and cyber industries, but current investment plans do not provide the means to counter the major risks to Canada’s digital sovereignty posed by hyperscalers. The reason I included stats about Canada’s cyber industry at the start is to highlight just how many are SMEs, which struggle to engage with DND/CAF. They often rely on attaching themselves to a large, prime contractor to contribute to a larger contract or do task-based contracts. Defence traditionally has a very difficult time engaging with start ups and small businesses, which is where most of the advanced, emerging cyber innovation is done. There is a lot of room for improvement in how DND/CAF engaged with Canada’s cyber industry and ecosystem, which this strategy is certain to help, we must be realistic about its limitations in affecting the broader economic realities of cyber and broader ICT industry.

Cyber and ICT are among the most dual-use technologies you can get. Individuals, businesses, and government agencies largely use the same software, run on the same operating systems, use the same protocols, and employ similar network technologies (for the most part). The difference between civilian and security or defence software or ICT, in most cases, is often about scale, uptime, use case, and additional security and protection. You can find many Canadian SMEs that develop niche software or hardware applications, but in certain major hyperscaler capabilities, you are unable to find a major Canadian corporation that can readily fill this spot anytime soon.

Secure Cloud/Secret Cloud is a perfect example of this and why I have been talking about it non-stop for 5 years. Secret Cloud refers to the military capability of a cloud networking environment that supports the use of secret-level data, including operational data. There is no single “Secure Cloud” or “Secret Cloud” project for DND/CAF; however, Information Technology Infrastructure in Support of Command and Control (ITI in SP of C2) is the primary one discussed when we talk about military secret cloud. The $250 to $499 million funding range is very small. To get a secret cloud in the way DND/CAF wants/needs will likely be more expensive than this. This is part of why the project has been taking so long: the cost expectations and the lack of a sole-source Canadian option.

ITI in SP of C2 is software- and hardware-intensive, with a large infrastructure footprint that likely requires a hyperscaler to support. That means either Amazon Web Services, Microsoft, Google Cloud, or potentially Oracle (All American). As I have discussed, there are significant sovereignty concerns with using any American cloud option. The only potential Canadian option that I am aware of is ThinkOn, but the scale and depth of security and control required may be beyond what ThinkOn can provide at this time, given its relatively new position in the government cloud space compared to its American competitors. However, investment in ThinkOn or another sovereign Canadian option could position it as one of the “Canadian champions” competing with American hyperscalers for security- and defence-related cloud capabilities, but this will take time, which is not on our side.

The problem with these options is that, strategically, DND/CAF needed a secret cloud a couple of years ago. The ITI in SP of C2 has been stuck in the definition phase for many years. The implementation is (currently) scheduled to begin in 2025/2026, with initial delivery in 2028/29 and final delivery in 2030/31. Although the project is delayed and has encountered difficulties, the timeline can still be met, but it would require an American hyperscaler. Digital transformation and broader military modernization increasingly require cloud networking to enable seamless data transfer and support capabilities, including NORAD's cloud-based command and control and the many electronic and information capability suites of the F-35. As these capabilities are currently being acquired, there cannot be any further delay in DND/CAF acquiring its own secret cloud.

To compete with hyperscalers, the Government of Canada needs to think about sovereign Canadian cloud in terms of major government projects and understand the limits of the current economies of scale which make cloud, AI and other infrastructure-dependent capabilities difficult to overcome with the present Canadian business landscape. Canada’s cyber industry is world-leading and its SMEs are some of the best in the industry, but they usually cannot compete with hyperscaler capabilities in data centre and data infrastructure. If we fail to recognize the overreliance on last-mile technologies, we overlook that it is the first-mile technologies and infrastructure, like data centres, that the first-mile relies upon and determine if Canada maintains digital sovereignty.

Feature your business in Canadian Cyber in Context through sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

Share

]]><![CDATA[Canadian Cyber News Rewire - 14/02/26]]>https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-140226https://www.cyberincontext.ca/p/canadian-cyber-news-rewire-140226Tue, 17 Feb 2026 12:03:14 GMTThe Weekly New Rewire is a survey of cyber or adjacent news stories that I read this week (or recently). Please leave a comment if you think I missed anything.

Editor Notes:

  • Rewire is out on Tuesday due to the holiday, regular will be released on Monday next week.

  • I have begun receiving large batches of completed ATIPS that I requested, which are available to subscribers here.

Leave a comment

Share

Canadian News

Canada Cyber Threat Watch

While not all attacks are reported or receive media attention, any notable or open-source cyber attacks on Canadian organizations and any relevant cyber threat intelligence to Canada will be posted here. I only list the Canadian Centre for Cyber Security’s (CCCS) alerts here, not all advisories; follow the full feed here.

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Research and Op-Eds

NetAskari
Critical strike: China's hacking training grounds (PART 1)
China’s state-backed hackers have intensified their attacks on the critical infrastructure of other nations in recent years—often with notable success. Their techniques are highly sophisticated, but just as significant is the support ecosystem that enables them to develop and refine those attacks. Hidden “digital shooting ranges” allow operatives to pra…
Read more
6 months ago · 21 likes · 5 comments · NetAskari
Natto Thoughts
The Tianfu Cup Returns Under MPS Leadership as AI Takes Center Stage
The Tianfu Cup (天府杯), China’s premier exploit hacking competition, has returned to Chengdu, Sichuan Province, for its sixth edition, held from January 29 to 30, 2026. This time, under the organizational lead of China’s Ministry of Public Security (MPS), China’s domestic law-enforcement authority. Launched in 2018 after Chinese authorities…
Read more
3 months ago · 4 likes · Eugenio Benincasa

United States News

European Union & United Kingdom News

Other International News

Have your business and logo featured in Canadian Cyber in Context with a sponsorship.

Canadian Cyber in Context is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

Share

]]>