Thank you.
Mr. Chair, thank you for inviting us to appear before the committee today to discuss our fall 2012 chapter on Protecting Canadian Infrastructure Against Cyber Threats.
I am accompanied by Wendy Loschiuk, assistant auditor general, and Tedd Wood, a recently retired principal, who was responsible for this audit.
Our work on this audit was completed in July 2012, so we cannot comment on actions that may have occurred since then.
Mr. Chair, much of the country's critical infrastructure is privately or provincially owned, but the federal government has an important role to play in helping to prevent attacks and reduce vulnerabilities. It has access to information sources that may not be available to infrastructure owners. It can collect and analyze threat information, and establish partnerships with stakeholders to help share that information.
In 1999 the Special Senate Committee on Security and Intelligence recommended that the government review its ability to, first, assess and reduce infrastructure vulnerabilities, and second, prevent or respond to physical and cyber-attacks. A federal task force was established in 2000 to advise ministers on protecting critical infrastructure. It found that a national strategy was needed. In 2001 the government stated that it would protect critical infrastructure by establishing partnerships and by monitoring and analyzing cyber-threats to federal systems.
Mr. Chair, we found that between 2001 and 2009 there had been limited progress in both those areas, despite the release of several policies and strategies, and recurring funding.
A key element of establishing partnerships was through sector networks. The government was to establish these networks and bring together key stakeholders by May 2011; some networks are in place, but there is still work to be done.
Of the 10 critical infrastructure sectors identified, only six had networks that included all the industry representatives who should be at the table, and only five had included cyber security in their discussions.
The government needs to have all the sector networks fully operational. We noted, for example, that the energy and utilities sector network is active and its members have a high degree of satisfaction and commitment to it. I believe this shows that networks can work and provide the government with a way to partner with stakeholders. The government has agreed to provide guidance on appropriate coverage for sector networks by December 2013.
In 2005, the government established the Canadian Cyber Incident Response Centre, which was intended to monitor and analyze cyber threats around the clock. However, this centre has never operated on a 24/7 basis as planned, nor are there plans to do so, although it has increased its operating hours since our audit.
We also found that the Cyber Incident Response Centre did not always have a full picture of the national and international cyber-threat environment because it was not always given timely or complete information. Without complete awareness of the cyber-threat environment, the centre's ability to analyze and provide advice on threats is limited. In some cases, critical infrastructure stakeholders were not aware of the centre or its role.
In its response to our recommendation, the government agreed to strengthen the centre's operational capacity and capabilities. Since 2010, with the release of the cyber-security strategy, the government has made progress. Shared Services Canada has been created to consolidate some of the government's information technology services. The government expects that this move will improve security. The IT incident management plan has clarified the roles and responsibilities of federal lead security agencies. There have been multi-industry and government forums, and a web-based information sharing portal has been set up.
However, one of the key challenges facing the government is the rapid pace at which cyber-threats evolve. In fact, officials raised concerns with us that the cyber-threat environment may be evolving faster than the government's ability to keep up with the changes.
We found that while there were policies and strategies for addressing cyber security concerns, Public Safety had not released action plans to identify priorities and timelines for keeping on track. Without these action plans, it was difficult to measure progress to see how well the government was able to keep pace with changing threats. In responding to our recommendation, Public Safety agreed to release an interdepartmental action plan for implementing its cyber security strategy.
Mr. Chair, this concludes my opening remarks. I would be happy to answer any questions the committee may have.
Thank you.