Evidence of meeting #86 for Public Accounts in the 41st Parliament, 1st Session.

Also speaking

Michael Ferguson  Auditor General of Canada, Office of the Auditor General of Canada
François Guimont  Deputy Minister, Department of Public Safety and Emergency Preparedness
Corinne Charette  Chief Information Officer, Treasury Board Secretariat
Toni Moffa  Deputy Chief, IT Security, Communications Security Establishment Canada
Benoît Long  Senior Assistant Deputy Minister, Transformation, Service Strategy and Design Branch, Shared Services Canada
Lynda Clairmont  Senior Assistant Deputy Minister, National Security Branch, Department of Public Safety and Emergency Preparedness
Robert Gordon  Special Advisor, Cyber Security, Canadian Cyber Incident Response Centre, Department of Public Safety and Emergency Preparedness
Wendy Loschiuk  Assistant Auditor General, Office of the Auditor General of Canada

3:40 p.m.

NDP

The Chair NDP David Christopherson

I now declare this 86th meeting of the public accounts committee of the House of Commons to order.

On your behalf, colleagues, I welcome our guests today. We have quite a few affected by this chapter. They were good enough to be here, and we appreciate that.

First off, on behalf of all the members, may I extend our apologies. We had a ruling from the Speaker, followed by a vote, all of which had to happen before we could leave the chamber. Our apologies for keeping you waiting.

Unless there are any interventions to the contrary, we will begin with our usual procedures.

Just going by the order that's on my paper here, we'll start with the Auditor General's opening remarks. Then we'll move to Mr. Guimont. Then we'll move to the Treasury Board, to Communications Security Establishment Canada, and last but not least, to Shared Services Canada. Following that, we will begin the usual rotation. My sense is that we should be okay time-wise, but we'll continue to monitor that as we go through.

Unless there are concerns or questions to the contrary, I will now call on Mr. Ferguson, the Auditor General of Canada, to begin his opening remarks.

Mr. Ferguson, you have the floor, sir.

3:40 p.m.

Michael Ferguson Auditor General of Canada, Office of the Auditor General of Canada

Thank you.

Mr. Chair, thank you for inviting us to appear before the committee today to discuss our fall 2012 chapter on Protecting Canadian Infrastructure Against Cyber Threats.

I am accompanied by Wendy Loschiuk, assistant auditor general, and Tedd Wood, a recently retired principal, who was responsible for this audit.

Our work on this audit was completed in July 2012, so we cannot comment on actions that may have occurred since then.

Mr. Chair, much of the country's critical infrastructure is privately or provincially owned, but the federal government has an important role to play in helping to prevent attacks and reduce vulnerabilities. It has access to information sources that may not be available to infrastructure owners. It can collect and analyze threat information, and establish partnerships with stakeholders to help share that information.

In 1999 the Special Senate Committee on Security and Intelligence recommended that the government review its ability to, first, assess and reduce infrastructure vulnerabilities, and second, prevent or respond to physical and cyber-attacks. A federal task force was established in 2000 to advise ministers on protecting critical infrastructure. It found that a national strategy was needed. In 2001 the government stated that it would protect critical infrastructure by establishing partnerships and by monitoring and analyzing cyber-threats to federal systems.

Mr. Chair, we found that between 2001 and 2009 there had been limited progress in both those areas, despite the release of several policies and strategies, and recurring funding.

A key element of establishing partnerships was through sector networks. The government was to establish these networks and bring together key stakeholders by May 2011; some networks are in place, but there is still work to be done.

Of the 10 critical infrastructure sectors identified, only six had networks that included all the industry representatives who should be at the table, and only five had included cyber security in their discussions.

The government needs to have all the sector networks fully operational. We noted, for example, that the energy and utilities sector network is active and its members have a high degree of satisfaction and commitment to it. I believe this shows that networks can work and provide the government with a way to partner with stakeholders. The government has agreed to provide guidance on appropriate coverage for sector networks by December 2013.

In 2005, the government established the Canadian Cyber Incident Response Centre, which was intended to monitor and analyze cyber threats around the clock. However, this centre has never operated on a 24/7 basis as planned, nor are there plans to do so, although it has increased its operating hours since our audit.

We also found that the Cyber Incident Response Centre did not always have a full picture of the national and international cyber-threat environment because it was not always given timely or complete information. Without complete awareness of the cyber-threat environment, the centre's ability to analyze and provide advice on threats is limited. In some cases, critical infrastructure stakeholders were not aware of the centre or its role.

In its response to our recommendation, the government agreed to strengthen the centre's operational capacity and capabilities. Since 2010, with the release of the cyber-security strategy, the government has made progress. Shared Services Canada has been created to consolidate some of the government's information technology services. The government expects that this move will improve security. The IT incident management plan has clarified the roles and responsibilities of federal lead security agencies. There have been multi-industry and government forums, and a web-based information sharing portal has been set up.

However, one of the key challenges facing the government is the rapid pace at which cyber-threats evolve. In fact, officials raised concerns with us that the cyber-threat environment may be evolving faster than the government's ability to keep up with the changes.

We found that while there were policies and strategies for addressing cyber security concerns, Public Safety had not released action plans to identify priorities and timelines for keeping on track. Without these action plans, it was difficult to measure progress to see how well the government was able to keep pace with changing threats. In responding to our recommendation, Public Safety agreed to release an interdepartmental action plan for implementing its cyber security strategy.

Mr. Chair, this concludes my opening remarks. I would be happy to answer any questions the committee may have.

Thank you.

3:45 p.m.

NDP

The Chair NDP David Christopherson

Thank you, sir.

Thank you for that presentation. Before I move on, let me recognize that Mr. Reid is with us today replacing Mr. Williamson.

Welcome, sir. I hope you enjoy your time with us.

3:45 p.m.

Conservative

Scott Reid Conservative Lanark—Frontenac—Lennox and Addington, ON

Thank you.

3:45 p.m.

NDP

The Chair NDP David Christopherson

Thank you.

Monsieur Guimont, you have the floor, sir.

3:45 p.m.

François Guimont Deputy Minister, Department of Public Safety and Emergency Preparedness

Thank you, Mr. Chair.

I'm pleased to be here to discuss the progress made by Public Safety Canada regarding chapter 3 of the 2012 Fall Report of the Auditor General of Canada.

Joining me are:

From Public Safety Canada, Lynda Clairmont, senior assistant deputy minister of the National Security Branch, and Robert Gordon, special advisor from Cyber Security.

From Shared Services Canada, Benoît Long, senior assistant deputy minister of Transportation, Service Strategy and Design.

From Communications Security Establishment Canada, Toni Moffa, deputy chief of Information Technology Security, and Scott Jones, acting director general of Cyber Defence.

From the Treasury Board Secretariat, as you noted, we have Corinne Charette, chief information officer, and Colleen D'Iorio, executive director of identity management and security.

Mr. Chair, I welcome the Auditor General's report, which included a number of important recommendations on how to keep our cyber-networks secure both within and outside government.

Since October, my department has made great progress and, today, I am tabling a management action plan that outlines our next steps.

Mr. Chair, cyber-security is a shared responsibility of all government departments and agencies at all levels, of international allies, of industry partners, and of individual Canadians.

We can only keep our networks resilient and secure through an integrated approach, as established in Canada's cyber-security strategy. The strategy comprises three pillars: securing government systems, partnering to secure vital cyber-systems outside the government, and helping Canadians stay safe online.

The federal government has backed this strategy with significant funding—a $90-million investment at its launch, and just recently, an additional $155 million over five years to further address the evolving cyber threat.

I will use the first two pillars of the strategy as guideposts as I discuss our progress on the Auditor General's report.

Related to the first pillar, the Auditor General asked Public Safety Canada to develop a public action plan with deliverables and timelines for our strategy. I am pleased to say that this plan has now been developed and was released last week. It sets out an active partnership-based approach to help us communicate our progress more clearly to Canadians and underscores the need for all Canadians and owners and operators of vital systems to do their part. Furthermore, we have developed a horizontal performance measurement strategy with key departments and agencies, which will help us track our progress in the coming months and years.

Related to the second pillar—that of securing vital systems networks outside the federal government—the Auditor General recommended that we bolster the capacity of the Canadian Cyber Incident Response Centre…

3:50 p.m.

NDP

The Chair NDP David Christopherson

Excuse me.

Could you slow down a tad for the interpreters, please?

3:50 p.m.

François Guimont Deputy Minister, Department of Public Safety and Emergency Preparedness

Yes, for sure, I'll slow down.

The CCIRC, our centre…

provides advice and support, and coordinates information sharing and incident response to cyber-threats on systems outside the federal government.

Since last October, CCIRC has among other things done the following. It has implemented a national cyber-threat notification system to provide automatic notifications of cyber-incidents to owners and operators of vital cyber-systems. It has improved dialogue with its partners through information and tools on its website, including establishing an online community portal; and finally, it has expanded its operational hours to 15 hours a day, seven days a week, with on-site coverage, to cover the full business operating hours of its clients.

Through a new telephone system, CCIRC personnel are directly accessible 24 hours a day, seven days a week, to serve its public and private sector partners. It's worth noting that since initiating the 15-7 operations in November, CCIRC has not received any call outside that timeframe.

Mr. Chair, looking ahead at the coming months, we will continue to strengthen engagement with provincial and territorial deputy ministers, and increase our meetings with critical infrastructure sectors to raise awareness of the cyber threat.

Finally, we will continue to work closely with our counterparts in Australia, the U.K., New Zealand, and the United States to share policy and operational responses to cyber-security concerns.

With that, Mr. Chair, I thank you for your time. I look forward to your questions.

3:50 p.m.

NDP

The Chair NDP David Christopherson

Thank you.

We'll move over to Madame Charette.

3:50 p.m.

Corinne Charette Chief Information Officer, Treasury Board Secretariat

Mr. Chair, good afternoon.

I'm pleased to be here to report on progress made by the Treasury Board of Canada Secretariat regarding chapter 3 of the 2012 Fall Report of the Auditor General of Canada.

As Deputy Minister Guimont indicated in his remarks, cyber-security is a shared responsibility. As chief information officer of the Government of Canada, I am committed to ensuring that the secretariat does its part to protect federal information systems against the ever-evolving cyber-threat. In the fall 2012 report, the Auditor General asked TBS to update relevant policies and plans to reflect the new information technology security roles and responsibilities of Shared Services Canada.

I am pleased to say that we have already updated the information technology incident management plan—the IT IMP—to define the roles of SSC with respect to incident management, and we continue to improve this plan on an ongoing basis. We are currently refreshing our security policy suite to embed the roles and responsibilities of SSC. This refreshed suite remains on target to be published later this year.

The Auditor General also noted that TBS had placed a renewed emphasis on increasing awareness of best practices for IT security across government. These efforts have led to the development of a security awareness training program that will provide all government employees with a standardized foundation of security principles.

Going forward, we will continue to work with our partners and support the security community, focusing on setting a common government-wide direction for security, establishing key security priorities and leading coordinated efforts to strengthen our collective security posture.

Thank you for your time, Mr. Chair. I would be pleased to answer any questions from the committee.

3:55 p.m.

NDP

The Chair NDP David Christopherson

Thank you very much.

We'll move to Madame Moffa. You have the floor, ma'am.

3:55 p.m.

Toni Moffa Deputy Chief, IT Security, Communications Security Establishment Canada

Thank you.

Good afternoon.

As part of its IT security mandate, CSEC provides advice, guidance, and services on the protection of electronic information and information infrastructures of importance to the government. CSEC also produces intelligence on foreign cyber-threats. We share this cyber-threat information and mitigation advice with Public Safety as well, for further dissemination to other levels of government and the private sector, as appropriate.

In his report, the Auditor General expressed concern that CSEC was not consistently providing the Canadian Cyber Incident Response Centre at Public Safety with timely and complete information about threats to Government of Canada information systems. CSEC and CCIRC have developed a close relationship, and at the time of the audit, adequate, secure communications for the transmission of classified information were lacking.

We have bridged this gap and we have also integrated a CCIRC official into our cyber-threat evaluation centre two days a week. We have added not only secure voice communications capacity but more easily accessible secure computer communications on their presence.

The report also referred to funding that CSEC has received since 2001. CSEC has invested some of this funding in activities to improve what we produce on intelligence on foreign cyber-threats. We've improved our detection, analysis, and mitigation of cyber-threats on federal systems. We are developing training for federal practitioners who need to respond to cyber-threats. With our colleagues from Treasury Board and Shared Services, we are designing and developing secure architectures for federal systems. These funds were also used to improve our overall program capacity, which supports all of our mandate activities, including but not exclusively, cyber-security.

While much of the information we produce is highly classified, CSEC continually seeks opportunities to share threat information and IT security advice and guidance beyond the federal government.

Thank you for your attention, and I am happy to answer any questions you may have.

3:55 p.m.

NDP

The Chair NDP David Christopherson

Thank you very much.

We'll move to Monsieur Long. You have the floor, sir.

3:55 p.m.

Benoît Long Senior Assistant Deputy Minister, Transformation, Service Strategy and Design Branch, Shared Services Canada

Thank you very much, Mr. Chair.

I am pleased to be here to report on progress made by Shared Services Canada in the context of the Auditor General's report, released last October, on protecting Canadian critical infrastructure against cyber-threats.

Shared Services Canada was created on August 4, 2011, with the mandate to consolidate and modernize the IT infrastructure of the Government of Canada, including enhancing the security and safety of the digital infrastructure supporting the government's own systems, particularly with respect to e-mail, data centres, and networks.

Shared Services Canada's new and evolving role is consistent with the Auditor General's recommendations with respect to the security of IT infrastructure. The integrity of the Government of Canada's critical IT infrastructure is a priority for Shared Services Canada.

Shared Services Canada plays a key role with four facets.

First, it prevents cyber threats by using trusted infrastructure products and services, by enhancing security by design, and through security awareness and training.

Second, it detects cyber threats and unwarranted intrusions into government networks through real time, government-wide monitoring, detection, identification, prioritization and reporting of incidents. This would include forensics, log analysis and investigations, as well as security and vulnerability assessments.

Third, it responds and coordinates responses to cyber and IT security incidents, including through remediation, threat assessments, communications, post incident analysis and reconfigurations and replacements.

Lastly, it recovers through rapid and effective restoration of services using specialized IT security incident recovery services, mitigation advice and guidance, as well as vulnerability remediation.

As mentioned in the Auditor General's report, we are working with officials in the Treasury Board Secretariat to address the recommendations included in the audit, including revisions to the policy on government security to incorporate Shared Services Canada's new IT security roles and responsibilities.

Shared Services Canada is also enhancing the federal Information Protection Centre for its 43 departments, which will give them access to a centralized 24-7 centre with better recovery capabilities and a specialized IT security incident recovery team. As part of this work, we are establishing a cyber-asset recall system as well as updating security provisions for the procurement of products and services.

Finally, Shared Services Canada works extensively with partner departments and agencies, at both the planning and an operational level, to ensure continued efficient, high-quality, and secure IT service delivery to Canadians.

Mr. Chair, I will be pleased to answer any questions committee members may have.

4 p.m.

NDP

The Chair NDP David Christopherson

Thank you very much.

That ends our opening remarks.

Now, colleagues, we'll begin the speaking rotation in the usual fashion, beginning with Mr. Saxton.

You, sir, now have the floor.

4 p.m.

Conservative

Andrew Saxton Conservative North Vancouver, BC

Thank you, Chair.

Thanks to our witnesses for being here today. My questions will be directed to the deputy minister of Public Safety and his officials.

My first question, Deputy Minister, is that the previous Liberal government did not have a cyber-security strategy in place. Can you explain when that was put in place?

4 p.m.

François Guimont Deputy Minister, Department of Public Safety and Emergency Preparedness

Thank you for the question. The strategy was put forward in 2010 and it is a piece that in some ways reflects international approaches. So if one was to look at the Canadian cyber-strategy versus other nations that also had a strategy around the same time period, without being identical they have similar attributes.

4 p.m.

Conservative

Andrew Saxton Conservative North Vancouver, BC

Thank you.

Can you explain the role of the Canadian Cyber Incident Response Centre?

4 p.m.

François Guimont Deputy Minister, Department of Public Safety and Emergency Preparedness

The first point I would make, Mr. Chairman, is the centre, which is under our responsibility, is directed at issues on the outside. So if I were to compare that with CSEC, they deal with cyber-threats to the government systems and respond accordingly. CCIRC, our response centre, therefore deals with threats outside, private sector, provinces, territories. So at the macro level, that is the first one.

The second point is that it essentially has a responsibility to take on calls when they come, informed by people who are facing a cyber-attack. They will assist the company or the person in establishing what kind of a threat they are facing, what kind of a malware they may be facing. After that's done and they're trying to support and respond to the person in question, since they called to inform us and look for assistance, they will also, after doing triage and understanding, disseminate information for people who may be facing a similar malware to protect themselves. So they do carry out notifications.

If I remember, in 2012 they carried out something like 11,000 notifications very broadly. That's basically their function. They are also responsible for training, communication, partnerships, and as I mentioned in my remarks, we also have now a portal that provides them and people with access to either information or advice.

The last point I would make, if I remember, again in 2012, their website was used something like 227,000 times. So there are quite a number of interactions with people asking a number of questions. This is not necessarily only cyber-attacks but information of all sorts.

So those would be, in a nutshell, the functions of CCIRC.

4 p.m.

Conservative

Andrew Saxton Conservative North Vancouver, BC

Thank you.

I understand there have been some questions with regard to their hours of operation. Could you explain the level of service that they provide to Canadians?

4 p.m.

François Guimont Deputy Minister, Department of Public Safety and Emergency Preparedness

Thank you for the question.

Earlier on I mentioned that the cyber-strategy was put forward in 2010 with $90 million. When the Auditor General came forward with his report, a further injection of resources was made of $155 million over five years. About $13 million went to CCIRC to augment their capacity to not only respond to threats but also carry out their work. So they're now operating on a 15-hours-a-day, seven-days-a-week basis, physical presence. As I made reference to in my remarks, there's also a new phone capacity, which essentially implies that they are on call 24 hours a day. So a CCIRC official will be answering should there be a phone call outside the 15 hours, seven days a week, to handle the situation that may rise.

4:05 p.m.

Conservative

Andrew Saxton Conservative North Vancouver, BC

Thank you.

I have a question for Shared Services Canada. Can you explain the role that Shared Services Canada plays in securing government systems?

4:05 p.m.

Benoît Long Senior Assistant Deputy Minister, Transformation, Service Strategy and Design Branch, Shared Services Canada

Shared Services Canada was recently created. Our primary mandate is to consolidate the existing infrastructure.

Today, as we manage the infrastructure and networks for 43 departments, our role is to monitor and to respond to any threats to that network. We work collaboratively with the security agencies in identifying any incoming threats. Our ability to respond is progressing and has been augmented through the strategy the government recently announced, including additional funding to provide a consolidated and centralized capacity to respond, as well as to extend our coverage to 24-7.

4:05 p.m.

NDP

The Chair NDP David Christopherson

Sorry. Time has expired, Mr. Saxton. Thank you.

We'll move to Mr. Allen. You have the floor, sir.

4:05 p.m.

NDP

Malcolm Allen NDP Welland, ON

Thank you, Mr. Chair.

Thank you to everyone for coming.

I feel as if I actually need a computer to track all of the places all of you go. I'm not quite sure how to track it. It would be nice to have a flow chart, actually, as to who does what, where, and who reports to whom. Quite frankly, all of your testimony quite clearly indicates there is a whole whack of you doing a whole whack of things—pardon the language—and I'm not so sure all of you are actually talking together anymore, but there's a whole whack of work being done.

Through you, Chair, if there's an overarching agency that actually has some sort of chart that shows who goes where, and who reports to whom, and what the systems are, it would be immensely helpful in tracking.

We know we have CCIRC and CSEC. We have Shared Services. We have another group over there, somewhere else. We have some engaged partners and some not engaged partners. Quite frankly, what I just heard of agencies that have bits here, bits there, in different departments, under different ministries, under different deputy ministers, and under different cabinet ministers is a bit of a mishmash, to be truthful. I don't see an overarching umbrella, with somebody holding the umbrella handle. Quite frankly, that's not encouraging, from my perspective.

Mr. Ferguson, what I think you were trying to indicate in your report was that we need cyber-security. It's an essential tool that's needed for government and for private sector. Somehow we need to have a managed system that works for both. I believe that's what the report was trying to indicate to us. I'm not so sure we have a system in which we actually have a sense of who's doing all of this.

I ask this question, Mr. Ferguson. You talked about CCIRC and the fact that the mandate was 24-7. Do you still believe that, sir, in the sense that we should still follow that mandate, or is that something you wouldn't be overly concerned with? We've heard from Mr. Guimont that we've increased the hours but not to where the mandate was.