Information & Ethics Committee on Feb. 19th, 2019

Great. I will be doing my address in both languages, if you want to connect your headphones right away, and I apologize in advance to the translators: I get quite excited because this topic is very important to me. I will try to make sure I speak slowly.

Thank you, Mr. Chair, for the invitation to appear here before the committee today.

As you mentioned, with me today is Ruth Naylor, executive director of the information and privacy policy division.

I will start with some brief remarks, after which, I will be happy to answer the committee's questions.

Mr. Chair, in the age of smart phones, social media and apps that do everything, Canadians have a growing expectation that their government will provide them with services as easily as Expedia, Amazon or Netflix do, which is why the Government of Canada is embracing digital tools to provide Canadians with the reliable, accessible and secure services they expect, while at the same time protecting their privacy.

We believe that better service and privacy are not at odds with each other, thanks to technological improvements that allow these protections to be built in from the concept and development stages.

As chief information officer of the Government of Canada, I am responsible for providing strategic direction and leadership in information management, information technology, security, privacy and access to information across the Government of Canada.

Therefore, my office has taken steps to promote digital services and better protect Canadians' personal information.

For example, the Government of Canada recently adopted a set of digital standards that help departments and agencies design better services for Canadians. They ensure that government makes investment decisions that increase security and privacy, builds in accessibility from the start, and allows for more collaboration while working in the open. These standards are being put into action with the next-generation HR and pay initiative, which is to identify options for an alternative HR and pay solution.

Working through our agile process, these digital standards are being used to assess whether vendors can meet government business outcomes, including delivering a solution that is secure and respects the privacy of users. The digital standards allow us to define how the future of government services will be delivered in a digital age, while enabling us to be more agile, open and user-focused at all stages of design.

The initiative to develop the next-generation human resources and pay solution is an example of what can be achieved when the standards are applied successfully.

The process will take a few more years yet, and much work lies ahead, but the results to date are promising.

In addition to digital standards, we are developing rules and guidelines based on best practices to help departments and agencies with the digital transition. For instance, in the spring of 2018, the government approved targeted changes to the Policy on Management of Information Technology and the Policy on Information Management.

The targeted changes are meant to address a number of issues. These include improving governance and oversight of information technology, or IT, overall, and strengthening the role of the chief information officer of the Government of Canada and that of departmental chief information officers.

As recently as December 2018, we updated the Directive on Management of Information Technology.

More specifically, as part of our digital exchange strategy, we adopted modern procedures related to application programming interfaces, known as APIs.

I apologize for the technical term.

Our changes have made Government of Canada services and data accessible via APIs, promoting the re-use and sharing of data across departments and with Canadians.

The API standards also enable the private sector to streamline services in co-operation with government and ensure Canadians' security and privacy.

In December 2018, we also updated our rules on enterprise architecture, which is the coordination of information, applications, technology, security and personal data.

The changes we've made support open standards and open source programs, “cloud first” principles, as well as ethical data collection and data security principles.

Ultimately, with these changes, staff will be able to work more efficiently government-wide thanks to a better convergence of technology and policies and opportunities for dialogue from the beginning of the procurement process.

These measures are key in order for the Government of Canada to develop a comprehensive digital strategy for the long term.

A key focus of the proposed policy is to integrate security and privacy at the investment and design stage of government services, programs and operations. The proposed digital policy will continue to be developed over the course of this year.

Along with our partners at the Canada School of Public Service, we've also created a public sector digital academy, the first ever in Canada. The academy will be giving our employees the leading edge skills they need to deliver the digital government services Canadians expect. An important part of this curriculum is privacy.

As we move forward on digital service delivery, we're also collaborating with provincial and territorial governments, as well as the private sector, to create rules to commonly accept and trust digital identities.

Canadians don't need to know how government is organized or the intricacies of federal, provincial and territorial jurisdictions when they try to access services.

To improve service delivery, we'll focus on the needs of the user rather than the organization of government, and enable Canadians to conveniently and securely access online services across jurisdictions. For example, we are building a digital identity ecosystem to support the use of trusted digital identities by Canadians to access services across jurisdictions. These jurisdictions include all orders of government, private sector and even international partners.

Specifically, development has begun on an initiative called “Sign In Canada”. Through this common access point, Canadians across the country will be able to access their government services online using their federated trusted digital identity. Sign in Canada will also support the digital service strategy and our efforts to federate identity across the government of Canada.

In addition, we are establishing a digital exchange platform to help enable departments to share their data with each other and the outside world in a modern, secure and unified way. This would be similar to Estonia's X-Road, which you've heard about. Just as Canadians don't need to know how government is organized to access services, citizens expect government not to ask repeatedly for the same information.

Furthermore, we've adopted mandatory procedures in relation to enterprise architecture and begun a preliminary conceptual analysis review to ensure alignment. We've also established an enterprise architecture review board, made up business and technology representatives from across government. In managing the information Canadians share with us, we want to ensure their privacy is respected while enhancing interoperability government-wide. This work is still in the early stages.

We are committed to improving service delivery by investigating a “tell us once” user experience. This means that Canadians could possibly provide key information once and not be repeatedly asked for the same information when dealing with different departments and agencies. My staff is currently examining government business processes, policies and legislation to identify any barriers to implementing this service vision. With this in mind, we need to look at the rules around information-sharing and how we could, with the right checks and balances in place, allow more efficient information-sharing across departments and agencies that provide services to Canadians.

My staff is also working closely with the Office of the Privacy Commissioner to benefit from advice on our plans and initiatives to advance digital government. We've heard from the Privacy Commissioner that privacy should not be characterized as a barrier to innovation. We look forward to continuing to work closely with the Privacy Commissioner to rethink how we can best protect the personal information of Canadians.

To meet our privacy obligations, we have to do the hard work of developing digital services that are citizen-centred and protect the personal information of Canadians. To that end, we're collaborating on a number of fronts in order to share best practices and learn from the work of others. To harness the power of technological advances, TBS and PSPC have been working to develop innovative and agile procurement tools to meet the current demands of the public service.

We recently worked together to build the first list of AI suppliers. They had to demonstrate that they had the necessary resources and skills and had adopted ethical AI practices. To safeguard privacy, this initiative is aligned with, and builds on, the government's direction and our current policy development work.

This initiative promotes the use of new tools, while providing concrete direction and oversight to limit unintended consequences for Canadians. To develop a meaningful strategy, we worked transparently with international experts, industry leaders and government officials who will oversee its implementation.

This is part of our concerted effort to open up government that was recognized in September when the World Wide Web Foundation's Open Data Barometer ranked Canada first in the world alongside the United Kingdom for its open data leadership. Each of these areas, such as Al, data, cyber and privacy do not exist in silos. They are intertwined with each other and with other sectors to such an extent that it is impossible to know it all.

Technology continues to dissolve traditional boundaries, which is why it's essential that we continue to work as one government, recognizing that all aspects of our businesses are being touched more and more by technological advances.

Success in digital government means providing the seamless, integrated services people have come to expect—services that meet people's needs and expectations of government, and that ensure government stays relevant in people's lives. This obviously includes protecting the privacy of Canadians.

Charting this course for modern digital services, including privacy protections, will keep Canada on the cutting edge of citizen support and engagement.

In closing, I want you to know that I look forward to the committee's report and recommendations on this important issue. Thank you.

Thank you, Mr. Chair; and thank you to the committee and Alex.

With me is my colleague John O'Brien, director of security and reliability engineering at the Canadian Digital Service. Before CDS, John was with the Communications Security Establishment as a technical lead for malware analysis and automation, or put more simply, John knows how the bad guys operate.

For those of you who are less familiar with CDS, we're a digital consultancy in government, for government. We're part of the Treasury Board Secretariat and we work side by side with Mr. Benay's organization. CDS was established only 18 months ago, with a mandate to help this government improve how it designs and delivers digital services by providing direct, hands-on help to federal departments to make digital services faster, simpler, more accessible and secure. In the process, we help build capacity in those departments to do modern service design and delivery.

For example, we've been working with Veterans Affairs Canada to improve how veterans and their families find and access benefits; with Immigration, Refugees and Citizenship Canada to help newcomers to Canada reschedule their citizenship tests online; with the Royal Canadian Mounted Police to help victims report cybercrime and online fraud; with our colleagues in Mr. Benay's office to make connections to government websites more secure; and with the Canada Revenue Agency to help Canadians with low income file their taxes and access related benefits.

I'm American.

Before I arrived in Canada last spring, I had the privilege of leading a similar initiative in the U.S. to bring new tools, practices and approaches into government to better serve the public. In 2013, I was a presidential innovation fellow. We were told on our first day as fellows that it was a bait-and-switch program, and sure enough, many of us who signed up for six-month fellowships stayed for four years.

My colleagues and I went on to create the service delivery unit called 18F in the aftermath of the failed initial launch of healthcare.gov. I served as 18F's first director of delivery and then as executive director. I'm also a former lawyer.

As Mr. Benay pointed out, digital isn't just about bringing services online. As our U.K. colleague Tom Loosemore once put it, digital is about “Applying the culture, practices, processes and technologies of the Internet era to respond to people's raised expectations.”

Technology is not without its challenges, but it's not usually the hard part. We only half joke at CDS that we're a change management office disguised as a digital service office half the time.

How do we go about designing and developing government digital services that are both easy to use and secure? There are lots of answers to that question, but I want to touch on five important practices that CDS tries to demonstrate in every project we take on, and that historically have been more the exception than the rule in government, but that is changing rapidly.

Those practices are, first, to apply research and design practices that put people first, not rules and processes; second, to deliver and improve continuously; third, to assume there will be failures and to be good at reacting to them; fourth, to work in the open; and finally, to have strong feedback loops between delivery and policy.

In regard to the first, CDS relentlessly focuses on the people who use government services. In practice, this means working with users continuously to find out what they need, not just what government needs from them. We know that among those needs, security and privacy are critical and non-negotiable. To meet those needs, we factor them into how we build and deliver services from the outset, and continuously throughout deployment and development. This allows us to test our assumptions with the people who will use the service. If you've never witnessed user research, it can be eye-opening and profoundly humbling. It lets us develop a mutual understanding about what data is actually necessary to complete a service transaction and provide a first-rate experience.

By engaging with users early on and throughout the design of a service, we're able to develop an ever-improving understanding of their specific needs, concerns and preferences, including what and how much personal data we need to deliver a great service, how long we need to retain that data, and how we can provide assurances about how we will handle it, and when appropriate, delete it.

Talking directly and often to the people we serve is critical to building in privacy and security from the start, which brings me to the second point about how we work.

We develop digital services iteratively, employing practices and tools that enable continuous, incremental improvement. How does this promote more secure systems? The Canadian Centre for Cyber Security publishes a list of the top 10 IT security actions organizations can take to minimize the likelihood and impact of a cyber intrusion, and one of their key messages is to keep your systems patched and up to date, such as the regular updates you make to your phones from Apple, Google or BlackBerry.

This seems simple, but it's an issue for organizations everywhere. To do this well and in a timely way, services need to be built in such a way that frequent improvements are the norm, not the exception. The harder it is to make changes to your system, the longer it will take to create and disseminate fixes when a vulnerability is discovered.

Some government systems in operation today deploy changes only a few times a year, other than urgent patches, and even a simple change request can take more than a year to work its way through the long queue, get coded, and survive a lengthy, manually driven gauntlet of review, compliance tracking, testing, staging, and perhaps a little silent prayer before it goes live.

By contrast, most of the websites that you interact with every day, built by companies like Amazon, Google and Shopify, release dozens or hundreds of changes every day, safely, quickly and painlessly, into the public. This process is commonly referred to as continuous delivery, and it's how we build things at CDS, too. Updating systems to improve reliability, to fix problems, and to adapt to users' changing needs and expectations is easier, faster and more reliable this way. Making this model of continuous delivery and improvement the norm in government is both a problem of technical debt and a problem of delivery practice. Modernizing our systems and how we manage changes to those systems is the single-most effective thing we can do to improve the security posture of those systems.

This brings me to my third point. Continuous delivery enables you to act quickly when something goes wrong—not if, but when. In a perfect world, every system would be 100% secure. Of course, we don't live in that world. Cybersecurity best practice is to make the rational assumption that failures and breaches will happen, and to plan accordingly. Leading organizations make the most of the lessons learned after every such incident, large or small, to improve their resilience. We conduct blameless post-mortems after incidents, creating an environment where staff feel psychologically safe and confident in being fully open and honest about errors and mistakes. We learn more and improve more by acknowledging failures than by hiding them. It's healthier for organizations to encourage discovering and surfacing the root causes of failures than for people to fear being blamed for circumstances outside their control.

Fourth, we've all witnessed the blowback against organizations that stay silent about security incidents or other kinds of project failures for far too long. This is one reason why we work in the open—that is, in full view of the team, and whenever possible, the public. Building our services in the open by default reduces risk. This might seem counterintuitive. It is a stubborn myth that secrecy is good for security. In practice, developing software in the open allows others to contribute to, stress-test and critique our work. It provides more incentives for everyone to get the code right instead of taking shortcuts that might not be exposed in a tightly held environment. It gives us the opportunity to discuss openly the decisions we're making and the potential trade-offs. It allows us to create a culture of learning from mistakes, and it shares our work with others—a perk of which we've been the beneficiary many times already.

The U.K. government encapsulates this in a simple design principle, “Make things open: it makes things better”. The same principle appears in our government's digital standards.

This brings me to my final point about how we go about delivering secure, easy-to-use services to the public. Mike Bracken, who led the U.K.'s government digital service through its first four years, once wrote that “in an analog world policy dictates to delivery, but in a digital world delivery informs policy. This is what agile means for Government and its services”.

Working with and listening to our users, putting working prototypes in front of them as quickly as possible, and continuously improving those services is the best way to not only learn what works for our users, but also learn which policies are working, how others are not, and how we should update them to keep pace with modern expectations. This is somewhat of a shift from traditional policy development, which is often divorced, organizationally, from implementation. Everything is figured out months, maybe even years, before it lands at the people who will be impacted by it, at which point, unsurprisingly, it may sometimes miss the mark.

We believe that the practices CDS employs and promotes every day, practices encouraged by the digital standards, are the best way to meet public expectations for better, more integrated services that are also more secure and more responsive to the privacy needs of Canadians.

Having done this in two countries, I feel certain of this: change is hard, and it doesn't happen overnight. However, we're making headway in meeting the public's expectations for user-friendly, efficient, secure service delivery, and we look forward to making more and greater progress.

Thank you. I'd be happy to answer your questions.

The talent cloud is an experiment by a select few public servants who thought that we could look at a different model for bringing employees into the Government of Canada. We tend to take a decent amount of time to bring employees in, and the goal is to bring staff and employees into the Government of Canada within about 30 days. It's still the goal. It has not been achieved yet, but we're working towards it.

By using some of the techniques that my colleague Mr. Snow mentioned, they were able in the last year to launch a beta, open-source, very low-cost prototype where we're now hiring people within roughly 40 to 50 days. We're addressing the need to bring people in quickly in government.

The system also looks at the concept of the gig economy that's out there, where people in the technology field are increasingly choosing short-term assignments as opposed to a 35-year career with the public sector, which makes their coming in and out very difficult.

What we're trying to do with the talent cloud, which is still experimental, is to facilitate that trend and give otherwise contract employees the rights to have access to pensions and benefits. They may choose to come to work for six to 12 months at a time with our talent cloud solution, then leave for a few years and come back in. In the technology space, that's extremely useful, because it means that people stay relevant, people work in different sectors, and they're bringing in different perspectives. We're making that concept of a porous public sector increasingly a reality thanks to the work of the talent cloud team.

The core principles that you need to stick to to maintain and gain the public's confidence are transparency and acknowledgement.

When we talk about iterative service development, we talk more about user research and understanding these users at a more micro than macro level, which might be more conducive to the use of AI. For any number of veins, when we're talking about using large amounts of data and algorithms that may or may not be perceptible by most of the public, it is core to be as transparent as possible and have an open conversation with private, not-for-profit and public sectors about what constitutes appropriate oversight of AI. That's more in Mr. Benay's wood house than mine.

It's a very good question.

Estonia is one example. You've raised some important points of difference. We also have provincial and some pretty significant municipalities across the country. We are not Estonia. It's important both culturally and legally speaking to recognize that. However, there are a lot of things we've learned from the Estonians. We've learned how to share data in a secure way. We've learned that they can deliver digital services and increase privacy at the same time. They've shown the world that this can be done. For us it's a question of scale, and it is a question of technical debt and legacy, to your point.

We've put in place some governance measures over the last year wherein we are asking departments to come and have conversations about their solutions earlier through a mandated enterprise architecture review board where every functional group is represented at the table, from security to privacy to applications to service delivery, to make sure that we're having the right conversations and not doubling down on legacy systems because that's the easier thing to do, and that we're having the conversations on moving to cloud, on protecting citizens' data, on artificial intelligence and on new governance challenges that some of these technologies pose.

We've systematically been bringing the conversation closer to investment decisions, because that's where some of the decisions are made, and we often live with the repercussions.

We took a first step towards that. The short answer is “not yet”.

It is a group that is fairly new, but we did take a first step towards that when Canada led a joint declaration on responsible artificial intelligence usage across all of the countries. That now means we can go back into our respective countries and work with our industry to make sure that we start respecting some of these rules. The next step will be to bring corporations into the D9 conversations and start working together.

The answer is that it's a beginning. It's not necessarily as mature as you would have described.

Not on the D9, but Canada is in a treaty with nations in Europe that requires us and all those nations to provide a single source of—

No.

We're required to provide a single source of procurement opportunities across federal, provincial and local governments, academic and health institutions by, I believe, 2022. This is way outside my wheelhouse. We've been discussing and working on that with PSPC. They would be the right folks to talk to about that.

I'll answer from a technological perspective, and by that I mean there's a lot we can learn from what the Estonians have done with their X-Road, their data-sharing platform. We brought some of the founders into Canada twice over the last year to start re-creating our own similar platform, but from the Canadian perspective. We have provinces and large municipalities; we are not Estonia. From that perspective, we've learned a lot.

We've also learned a lot around the need to continuously update laws, for example, in the context of a digital age. We've learned the fact that they do data governance very well. They decree that an organization is the holder of that piece of data, and that becomes very rigidly implemented.

There are a lot of things, regardless of scale of countries, values and background, that we should look to and we actually are looking to. We've learned a lot from them.

We've also learned a lot from our other D9 partners. For example, Portugal has a very good digital identification system that might actually be closer to Canadian systems than those in Estonia.

We do look to Estonia on technological leadership, but in some cases, we're seen as leading in values and ethics around ethical AI and responsible AI usage, so they're learning from us. It has been a very good relationship that way.

I'm not super familiar with X-Road, the technology itself.

That said, if you were to approach it from the pure functionality that it offers, the idea of verifiable audit logs is, in itself, a function that I would suggest we'd want to have in any system we put out.

The second factor on that is the concept of having citizens be able to see when government officials access their data. That transparency is the core element we need to build into any system we build in the future.

If we can articulate those things quite clearly to Canadians, it will not be a very difficult thing to sell.

Certainly. I'll comment on both aspects.

The reason that we're trying to design—and this gets back to Mr. Snow's point—this in a way that we don't impose the structures of government on service delivery to citizens is that we just want them to see us as the Government of Canada and to make it as seamless as possible for them to access services. We do have structures, we do have laws, we do have processes within the Government of Canada, but with technology we may actually be able to represent our existence and our delivery of those services in a very different and much more intuitive way to citizens. That's what we mean by those comments: how do we streamline things for citizens? It's not what we think they want, but from talking to them, which goes some of Aaron's points, knowing what they want.

In light of that, what we've been able to do with, for example, the next generation system of Phoenix is to take a good hard look at the lessons learned that were produced by the OAG, by the Goss Gilroy report, by committee reports, and apply those lessons so that we could say they were lessons learned in the replacement of Phoenix.

For example, in the procurement exercise we're currently running, we've had user expos conducted across the entire country where we're putting the actual competing technologies that are going through this process in the hands of users for them to test and give us their comments, putting accessibility experts in a room and testing things. By putting the user at the centre of it, we've been able to change the decision mechanism from a process as Aaron was outlining it, to what the HR administrator or pay administrator, the everyday public servant, will need. We've actually embedded them in the procurement process in a way that's not been done before.

So we are able to show that we can actually move some of these issues on procurement in a very [Inaudible-Editor], where we have included everybody in the process from the beginning, including the Parliamentary Budget Officer, who sits in on our meetings once in a while, to unions and heads of bargaining agreement agents. It's been a very inclusive tent; it's been a very large tent. We have “privacy by design” principles being applied to the procurement process as well. And all of our documents, for the most part, as long they don't interfere with the procurement process, are publicly available on a portal so that people can see our transition as we're going through this and feed into the process. We're showing that we can do the thing differently. It's our first step into this space and we'll see how this goes.

At this point we do, and if we don't, we go get it, and we recognize when we don't. But, again, the way we've designed this process has been iterating with the vendors. We're talking to them as we're going through the process, which is slightly different from a traditional procurement process, where we talk through binders and responses and 200- and 300-page RFPs. In this case we're working with them as we're designing the process, at every gate, because we've gated our entire process. If we know from talking to them that we have some gaps, we will go get them.

You heard me say in my earlier statement that it's very hard to be an expert in absolutely everything in digital. I think if we start with that premise, we'll make sure we have the right people around the table when we know there's a gap.

CDS works with a limited number of partner departments at a time. We don't have that sort of horizontal data. We aren't privy to the kinds of threats that various departments are seeing in the back-end systems that we don't touch.

That's probably not a question for me.

I don't have the data readily available for state actor versus individual actors. At this point, we're trying to operate with the idea that an attack could come from someone in a basement, all the way to a state actor and everything in-between. We have people who are knocking on the front door of government systems hundreds of thousands of times a day.

We've been able to centralize some of our infrastructure with Shared Services Canada in order to build a moat around this. We've created a new national cybersecurity centre that was launched this year. It's trying to bring the private and public sectors together as well, because an attack on one sector can often bleed into another. Critical infrastructure is an example.

When we're designing our services, we have to bake in security from the beginning. You heard me speak about the architecture review board that we created. The security lens is applied for every major digital project moving forward in the government and over the last 12 months.

I'll start, and you may want to jump in.

Just to be very clear, we're not advocating putting our government information in one big system, one big data lake or one big pool of information.

For example, the Canada Revenue Agency is responsible for the business number in our policies. It doesn't mean that the information is not located in other places as well. We're not advocating for a central system.

I think that—

Yes. For privacy breaches, luckily Ruth's team is responsible for overseeing and being involved in these discussions. On the cyber front, we have another executive director who works closely with Shared Services Canada and with CSEC on major incidents. They do make their way into the office of the CIO on a daily basis.

Ruth, I don't know if you want to comment on privacy breaches and the process.

Yes, I can speak to that a little bit.

Institutions have a responsibility or an obligation under our Treasury Board policies to report privacy breaches that are material in nature, both to the Office of the Privacy Commissioner and to TBS. We work quite closely with the Office of the Privacy Commissioner to compare notes on those reports.

At TBS, we make a range of tools available to institutions to support them to identify, manage and do the reporting aspect of this. We work with the OPC and follow up with institutions where that's warranted.

Yes, from a cultural perspective you heard my colleague Aaron mention the fact that we have to get to a place where escalating issues are not necessarily seen as a negative, but a positive. There have been some good steps taken toward that throughout the public service. We've had a lot of support from senior government officials on the transparency required to raise some of these issues, and we're seeing deputy ministers, ADMs, and DGs asking for an update on the red status of either projects or breaches.

Culturally speaking it's going to continue to be a work in progress. There's some good momentum on that side in the public service from a transparency perspective, but Ruth probably has some details on the two-year action plan we're developing in partnership with the departments and the Privacy Commissioner's office.

We had the benefit of some recommendations from the Privacy Commissioner in his last annual report on exactly this issue and that office's concerns about the varying numbers of breaches reported. Often, the institutions up that decision about what to do and what not to do. I think institutions are working in good faith on that, but we want to be doing some work over the next two years.

We're developing a two-year action plan. We've shared it with the Office of the Privacy Commissioner, because we want their input before it's finalized, and we'll be working in partnership with them to deploy it.

It will be focusing on increasing awareness about the nature of personal information, what a breach is and how to report a breach. Also, at the recommendation of the Office of the Privacy Commissioner, we're focusing a lot of those efforts on the IT and security community, because they are the people on the front lines when there could be a compromise or information could be lost. Therefore, we want to make sure they have the instinct to say that personal information was involved in this.

We have a small team working on this in partnership with government institutions. We're hoping we'll be able to make a difference on that front over the course of the next two years.

Thank you.

Yes. Sign In Canada itself is in its infancy. In the last few years we have been focused on the rules framework underneath it instead of the technology.

We have been working on the pan-Canadian trust framework with the provinces, NGOs, non-profits and the corporate sector as well. It's essentially a set of rules that we all agree to abide by to respect each other's identities.

If a province abides by the pan-Canadian trust framework, it should be good enough for the federal government and for a bank. It's more of a federated model. It matches the governance framework of the country more.

I fall victim to them myself as well, and I have a vested interest in ensuring that these things don't happen.

Sign In Canada will essentially permit you to choose the “no wrong door” approach to services, accessing federal services from a province or a territory, or vice versa, and possibly from your bank as well. We do have the security regime to put this in place, but we didn't have the rules framework in place.

Sign In Canada means that you could have access to ESDC services from CRA. Also, we are in active discussions on possible pilots and projects with the provinces, where we would give federal services through the provincial ID system as well.

It's very different from the Estonian model, which is a singular approach to it. We are taking more of a “no wrong door” approach to services, as long as a rules-based approach is followed.

Yes. As part of the new governance that we put in place roughly 18 months ago when we changed the Financial Administration Act to create standards, we changed the governance process around the architecture review board. It means that any one of these kinds of major projects has to go through this review board, where privacy is looked at.

Another part of this may possibly be legislative impediments as far as data-sharing is concerned, which is another tombstone piece of work that we have to do. We have been in conversations with the Privacy Commissioner's office on those, for example, as well.

I suspect that the dialogue will continue to increase as we do more and more digital services between my office and the Office of the Privacy Commissioner.

We can certainly make any of that documentation available. We've also started a legislative review process, so we can look into—

In this case, it's a little further ahead than the identification piece. Our Canadian digital exchange platform—DXP for short—is a series of tools, from a messaging service where we can share the data to an open-source API store where federal government services will be able to create an API for third parties to gain access to unclassified data for now. We're walking before we're running. As we're designing this, I'd say that we've completed about 50% of the build. The challenges are in finding real “live-use” cases that have minimal risk and in ensuring that we are using unclassified data first, rather than citizen data. We will make sure that we walk before we run. In this case, we brought in the Estonians who had designed X-Road, and we started redesigning X-Road in the context of Canada's laws, regulations and other things.

The beauty with this system, if it proceeds down this road, is that we will be able to bake in accessibility, privacy and security. We'll also be able to determine how we move data around in the Government of Canada, based on a core set of principles.

I would say the theory you've described is accurate. Where we choose to apply it may not be with personal information first. For example, the business number is something that we've agreed on. There is a central registry for a business number, so we may want to start there. We may want to start with unclassified...well, no, I promise you we will also start with unclassified information first. We could crawl before walking.

I think there are a few things. I do think that we are gradually—and possibly not quickly enough—applying the lessons we've learned from some of our major failures. You heard me speak to the NextGen process. I think that the culture shift is going to be the big change, and it's not necessarily the culture of the public sector. It's simply the fact that things are changing so quickly. In some cases, things are happening, and it's not necessarily in our control or something that we didn't see happen, because the pace of change in the outside world is very quick. That could mean companies automating themselves, with our not necessarily having a say in it and all of a sudden it's a service that we use. That is a major risk.

I think our biggest challenge, or at least the thing that we have to keep an eye on, is the pace of change, and therefore our laws and some of our regulations. The dialogue is there at a technical level across all levels of government. The biggest challenge.... Some of the countries that are doing quite well are the ones that are adjusting some of their frameworks more rapidly, as rapidly as the change in technology itself.

We're learning from that. We have a good opportunity with the digital line to see how some of these smaller countries are being a bit more nimble. We are also seeing how we could apply that in Canada. That is probably one of the biggest lessons we've learned up to now. Whether that means protecting privacy or developing regulations for economic growth, we're seeing that those countries that are able to react faster are getting a lot of benefit, both from a citizen protection perspective and from an economic growth perspective.

What we would like to deliver is a system without any closed doors, so to speak, a system that provides digital services to Canadians on the IT platform of their choice or in person at a Service Canada office. They would be able to obtain a service at a Service Canada desk or through their Apple or Samsung smart watch, for instance. Canadians would have a multitude of choices enabled by a system developed with their help. The system would be designed so that all privacy and data protection requirements and access to information standards were built in from the outset. All too often, these fundamental principles are unfortunately overlooked or relegated to the end of the implementation process. Every Canadian would have access to the services they need via their preferred gateway. Finally, the ideal system would support interoperability across different levels of government, in contrast with a single system that would have to be tested in 43 federal departments and some 20 provincial ministries.

There are two points I would be looking for.

Number one is that in my ideal digital world, the system is fully transparent. You understand how the service is being delivered and what the steps are. When government asks for your information and when government provides you with the benefit, there is a clear, plain-language map of how it all works.

The second point I would make, to Mr. Benay's point on the previous question, is that systems that are flexible and adaptable are the systems that will keep up with whatever changes. It was only 11 and a half or 12 years ago that the first iPhone appeared. Twelve years from now, the way we want to interact with digital services and with government will be something that we are not imagining yet.

As a systems nerd, I want to know that my government is ready to adapt to whatever comes next.

I think the U.S. government shares many of the same obstacles that this government and other governments at this scale face. There are many sides to that question. I'm sure that in some places the U.S. government is a little further ahead and in some a little further behind.

I am happy to jump in.

A few weeks ago, in Washington, I met with my American counterpart, Suzette Kent.

I'll repeat what Mr. Snow said. The Americans have a better grasp of certain elements, particularly cloud computing, an area where they do business with U.S. companies, and that may give them a data protection advantage.

We, however, have a leg-up when it comes to AI governance. We are in the midst of developing multiple directives on an open basis, directives other countries are using in their approaches to AI governance. Given all the interest this has generated, our two countries have been in constant communication over the past 12 months.

Our strategy is to make sure that every Canadian is able to access services. We recognize that it's perfectly acceptable if someone opts for in-person service at a Service Canada office. I should point out that TBS has begun gauging public opinion on digital service delivery. We've learned that two out of three Canadians are comfortable with federal government departments sharing their personal information to improve service quality.

As you mentioned, the number of people who want access to digital services is on the rise, but I don't see us doing away with in-person delivery for important services. As I see it, our service strategy must adhere to a fundamental principle: no one should fall through the cracks. Trust will likely play a role as well. We'll have to show people that we can meet our commitments and that they can have confidence in the system—hence the importance of being transparent about the services we will provide and the policies we develop.

That's a question I would have to put to Service Canada. We'll take it under advisement, as we would any feedback from Canadians and MPs' offices. We want to make sure our services better target the right people to prevent those kinds of situations.

Yes. For the past 14 months we've been working on direction and policy for the way government departments use automated services, moving forward, because this is something we're seeing increase.

You heard me say that PSPC has done a procurement action for creating an AI vendors catalogue. We now have 74 companies that have been registered in this vendors catalogue for the the last few weeks. We've been providing policy direction, working fully in the open, putting our policy instruments and our documents and our directives on GitHub and Google Docs for the world to see. We've collaborated with MIT and Oxford and other universities.

It's been a very open and transparent process in creating a tool set that is called an algorithmic impact assessment. You would be familiar with something called a privacy impact assessment, when we're looking at privacy; we're looking to develop something similar, as a prevention tool, for algorithms that will identify to the departments the level of risk. Automating a chatbot that tells you through the NCC website whether the skating rink is open is probably a lower-risk step than automating our borders, for example, or our immigration systems.

We've been developing this tool fully in the open. We've had countries such as Mexico start to use the algorithmic impact assessment already, and we have other countries, such as Portugal and others we're working together with—the “digital nine”—use some of the tools we've been developing. This creates an international body of knowledge that up until now just did not exist.

I'd say that in part—and this is actually part of the answer to the previous question as well—fear or confidence in a system is in part a function of how easy it is to use and understand and how transparent the system is about how it is dealing with you and with your information.

We understand that digital is, generally speaking, a good, efficient means to provide services at scale at a lower cost. As Mr. Benay noted, we would never want to close out other forms of service; we want to make sure that we remain multi-channel. But the extent to which adoption and digital happens or does not happen has everything to do with the type of experience people have, which is why it is so important to be working with those people at every step of the process.

Let me add as well a few statistics.

According to Statistics Canada, in the 65-plus age group about 80% of homes are Internet-connected, which is not a great but not a bad statistic. I think the question is—and this will relate to what Aaron was saying—if we can make the service seamless, transparent and easy to use, we'll go a long way in shifting the behaviour of the teams and the service model that they choose and want.

We've seen in countries such as Uruguay who have committed to having 100% of their services become 100% digital for 100% of their citizens by the end of this calendar year that they make an effort to educate the population as well, both from a data privacy perspective but also from a service delivery perspective on how to engage with government.

Those are things we'll have to do to make sure that we don't leave anyone behind.

CDS's answer to that question is one partner-department at a time. Culture change is not usually something that happens effectively with a single directive that everybody should just start behaving and thinking differently all at once.

There are pretty clear models of how adoption of new technologies in the public culture occurs. It looks like a bell curve or a Rogers curve. Early adopters will try anything and get started. If they're comfortable, their friends and their networks start to hear about it and more people take it up. Then, at the very end, after mass adoption, there are a few folks like my father who took 15 years to start using email.

It is slow. One of the ways we measure the success of a project that we do with partner departments is that as we're wrapping up or are in the midst of that project, we see if the department is starting to use some of the same methods, practices and tools that we brought in, possibly for the first time there, on other unrelated projects. If we see that, we know that we're succeeding because those notions are starting to take root and spread in the department.

I guess I'll start by saying, I did work for CSE for about 12 years. I was in the cyber defence branch, so I was likely involved in these intrusions you spoke about, in some respect. That said, I no longer work for CSE and I don't want to speak on their behalf, but I'll kind of wave my hand a little bit.

You're right. There are actors around the world, both at a nation-state level and from a script kiddie—people just trying to break things—who are constantly attacking systems around the world. We're not really special—well, maybe we are special—but I think one of the challenges that a lot of organizations have is that when they get compromised, they don't really want to go and tell people because that creates negative press for them.

Essentially, what happens is that everyone ends up suffering in silence. Part of the work I did before I left CSE was to take one of the security tools that we built and open-source it, to release it to the security community so that we could actually bring up that security bar across the industry. From a transparency perspective, that's where we sit in terms of the security space.

To kind of pivot on to your question about the banks, I guess the point to that would be, I don't actually know how banks secure their systems. For me to say that I think they are in the best position to protect Canadian security would be kind of out of place. I would love it if they would be more open and honest about that, just like I would love it if Google and Facebook and all these companies would be very open and honest about how they do security things. At that point, we could all collectively bring up our security postures, and I think Canadian citizens would be a lot more trusting of all of the parts.

I haven't had any interaction directly with the bankers' association, but I can say that the banks have been engaged in the pan-Canadian trust framework, for example, so this isn't something that is necessarily new to them.

We have architecture conversations with the banks fairly regularly on some of their investments, including their sign-in protocols, and ours, and making sure that we're working together. We also have, I would suspect increasingly, at least the objective of the new Canadian Centre for Cyber Security, to continue interacting cross-sector, because often an attack on a bank could lead to something happening in the CRA and other places. I can tell you that the focus on cross-sector collaboration is something that Public Safety Canada is examining and CSEC and other colleagues, as we're going through this new era of cybercrime, frankly.

You raise some very good points. The current Privacy Act has been in force since 1983, well before the Internet era. The discussion we're having today attests to the big changes on the way that will affect society. The act applies to 265 institutions. I mention that not to make excuses, but simply to highlight how colossal the undertaking is.

When we encounter an issue, we work closely with the Department of Justice. TBS is responsible for building an inventory of situations that arise, and our discussions with the Department of Justice and other stakeholders are ongoing. The enterprise architecture review board began cataloguing issues and key points that have come to our attention.

Naturally, it takes time. Take, for example, Europe. The EU General Data Protection Regulation, or GDPR, wasn't developed in a few years. It takes time to come up with those kinds of rules, which will likely require regular review, as Mr. Snow pointed out. Many of our private sector partners are currently putting new services in place. Obviously, it's an ever-evolving challenge. We also have to work closely with our partners at Innovation, Science and Economic Development Canada, since they are the ones in charge of enforcing the Personal Information Protection and Electronic Documents Act, or PIPEDA, in the private sector.

There is no doubt that the digital ecosystem is quite complex, so we want to be sure we take the time we need to analyze all of the issues reported to us. The next step will be to engage with Canadians about their private data.

In the timetable we gave ourselves, we set aside two years to review certain legislation that might hinder information sharing. We wanted to ascertain whether an issue was real or merely just a rumour, so after examining 11 departments, we identified 187 amendments to legislation that could affect the sharing of information.

What I just said is also based on the premise that information sharing is a problem, real or imagined, but we wanted to validate it. With some of the technologies we talked about earlier, namely X-Road in Estonia, we'll be able to validate some of the notions we have. We'll continue working with our partners at Justice Canada and Innovation, Science and Economic Development Canada to make sure we have the complete picture. Right now, we are thinking it all through.

I can refer to my experience in the United States. Legislation, being the slowest and most encumbered of all routes to the solutions, can often result in unintended consequences. We saw that happen in several cases, so I would exhort all of us to look for the smallest and fastest unit of governance when possible to avoid going into the process of creating and amending laws.

It's important not to dissociate issues related to data protection, AI and automation. For instance, we're doing a lot of work with France right now on issues around ethics, data management, privacy and automation, so I encourage you to explore those elements.

Rare is the project we work on that does not delve into service design, and not just digital design. In fact, in every product team we have, in addition to our research and design, and our engineers, there's a member of our policy team on that team as well for exactly this reason. Service design spans across. To communities like yours where connectivity is at issue and where complexity is to grow, we design with those users in mind. We go to those people.

For instance, this isn't necessarily an example about disconnected users, but the work we did for citizenship exam rescheduling for folks who were trying to change citizenship, we knew that some subset of the people who would need to reschedule citizenship exams would be doing so from their phones, because it's the only Internet access they had. Those connections might be intermittent, so that particular service was designed to work even when their connection goes in and out. It was designed to work on a phone, computer, gaming console, on any access they had, so that whatever level of access they had, it was going to be an experience they were not going to suffer through.

Every service is different. Every service has different requirements, different needs based on who's consuming the services, but that's why it's so important and why it's the first of the digital standards to put your users at the centre of the design experience, not just digitally but for the entire service design.

Oh, oh!

We've committed to doing a two-year study within TBS on legislative reviews for digital service delivery. We did an assessment of 11 departments, and I believe we found well over 150 possible—and I do want to highlight “possible”—legislative impediments.

We also found a lot of existing data-sharing agreements among the departments. Now we have to sift through those as well. Work with the Privacy Commissioner's office has started in sharing the plan. We do have some form of assessment of that.

Eleven core service departments. It's a front-line set-up.

I believe the number is 187, but we'll confirm that.

I will validate that, but I do not believe the list has been shared, but the project intent itself has been shared, yes. We've not finished the work. We're at year one of two right now.

Absolutely.

Not quite yet.

CDS, being fairly young, is also walking before it runs. The citizenship examining schedule is the closest to that. The process before was that you would get a letter in the mail that looked like a summons. It was scary and it was written in “policy-eese”, and somewhere near the bottom in small print was some instruction about where to send a letter if you wanted to reschedule. The team that worked on the project talked to people who were caught between taking their citizenship exam or attending their daughter's graduation. People would try to make it. We're going to the place where now.... The the first thing the team did had very little to do with technology, but to simplify the letter. The the first words at the top of the letter were changed to, “Congratulations, you're one step away from becoming a citizen of Canada”. Just that content design change was enough to change the experience for lots of people. Then, here's the URL, you go there, you go online, you pick other dates that you're available on, you hit submit, you receive a confirmation soon thereafter. The experience is considerably—

I haven't spoken with Minister Philpott about that particular approach. Over the last 18 months, CDS has literally had hundreds of conversations with offices in departments and agencies all over government. We listen to a lot of requests, many of which are not necessarily in our wheelhouse, but we try to redirect and help folks in other ways.

We have a set of criteria that we use to evaluate the opportunities and figure out where we can have the most impact and do the most reusable work.

To speak to the Privacy Act review, I know that the Minister of Justice, in her response to this committee, acknowledged that the government was going to undertake a review of the act. It is a complex endeavour, so an issue like that is something that's still under consideration. That work's ongoing.

We'll get back to you officially with an answer in writing.

The immediate reaction I would have for you is that we would take that kind of an issue to our architecture review board, as we're designing the services and as we go through, so that as we see a trend, we then apply a standard. That has not necessarily gone through the architecture review board, at this point and at that level of granularity, but we'll look to it and get back to you with a written answer.

The easier to use and, obviously, the more secure those services are, the more folks will use them, I believe.

In some ways, this is also due to how long it takes to do this kind of work, a question of—if I may borrow a Canadian expression—skating to where the puck is going and not to where it is. Availability of connectivity and so on is only getting better, not getting worse. Again, services will always be multi-channel, for as long as there are people who can only access services—even countries with incredibly high rates of digital adoption for their government interactions, like Denmark, which is at 90% plus, they still continue to provide services through alternative channels when people cannot or will not participate. However, you can incentivize the use of digital services and thereby move more people into that experience, if they find it acceptable, but it has to be usable.

To be direct, I would say that we're looking at every facet of the issue, together with the enterprise architecture review board. We want to make services easier to access, yes, but we also have to ensure people's information is secure. I can tell you the problem is the subject of intense discussion among the members of our governance team, which we set up 12 months ago.

I'll let my colleagues at the Communications Security Establishment field some of the more technological questions.

I will say, though, that the scale of public education initiatives is growing. Countries like Uruguay have literally brought iPads into people's homes to educate them, show them how to interact with the government and explain what to do and what not to do—if their mobile device is hacked, for instance.

As society moves farther down the digital path, initiatives will have to include an educational component. That's already happening all over the country, both provincially and municipally.

It is incumbent upon any service that handles personally identifiable information or other sensitive information to provide the basic tools for a confidence-inspiring level of security. It's a common best practice.

For instance, today we use what is called "two-factor authentication". You enter not only a password, but also, after doing so, you need to be able to either get a code on your phone or carry around a physical key. I don't have mine on me; it's in my bag. It provides a belt-and-suspenders solution. The systems that provide that are providing an order of magnitude more security and confidence in the systems, and they are much more difficult to scam.

Current laws prohibit us from doing that. They tend to be structured vertically within an institution.

Our Privacy Act also says that information is collected and used for the purpose for which it was collected.

Legally speaking, it would be very difficult to do what you just described without notifying Canadians.

When an enterprise service becomes a reality, or if we ever achieve a state of—let's call it—Utopia, where all services are available to Canadians on a single portal, we'll certainly have to consider those kinds of questions.

Currently, however, things are structured more vertically, as I said, preventing that type of data sharing and analysis.

That's one of the burning questions we have in the digital service space writ large, not just in Canada, but frankly around the world. It is a question of values. Different countries will automate different things according to their values framework. We want to make sure that Canada automates some of its services based on our values framework. It is a continuous conversation.

Currently, the directives that we're putting in place are looking at certain elements, for example, making sure that we don't have a black box making a decision on behalf of a human. We know that the decision pattern of the algorithms as they change is an important factor, because how do we authenticate the fact that the Government of Canada is responsible for this service if it's an algorithm?

We also have directives in there where, according to the level of severity, you may have to have an internal peer review of the automation that you're working on. That's something we're considering, as well, in putting in some of these directives. It's all part of the algorithmic impact assessment tool that we talked about previously, which we've developed collaboratively around the world.

Those are some of the examples.

I would also point to data. We could have the most unbiased code ever and have bad and biased data. We've seen examples in the private sector, from recruitment tools at Amazon to other things, where the data was biased and therefore the service and algorithm became biased.

It's not just a question of the technology; it's actually a question of the data holdings that we currently have as well. Those are all things that we're looking at.

It's not a perfect solution, but it's something that's going to have to iterate quite frequently.

That discussion is happening literally as we speak, so I can't answer that definitively one way or another. It is something that we want to take into consideration. There are pros and cons to both sides of this thing. We want to make sure that we have the best technology available, but at the same time, we have to respect certain values and ethics that are important in the country.

We do have instances where we have private sector code that is being held in case there is an emergency. Those are the things that we're looking at as well.

To be very transparent, this is a new space. Governing algorithms is a new space. Canada is one of the countries actually taking the lead on some of these things. The key for us will be to work iteratively with our global partners who share the same values.

We have a few existing mechanisms. For example, the architecture review board, which I mentioned a few times, will be looking at automation projects as these are identified in investment plans, departments and other things. From concept, we will be looking at applying our values throughout, from procurement to deployment. The architecture review board will look at that. I think the level of transparency of our services will be very important as we move forward. Some of our directors were looking at the facts we must disclose, such as that you are talking to a robot and not a person on the other side of the chat, for example—which will be good—and that we are expecting citizens to report issues back. The dialogue will increase and become very active as we start automating. It is a pace-of-change discussion as much as it is a values discussion.

Perhaps I'll just note that we're used to talking about computer code as something that we understand in terms of how that code functions. We don't generally treat each other that way. Increasingly, as the code gets more complex and harder for us to comprehend ourselves, it may become more important to focus on, in addition to how the code operates, the outcomes that are actually occurring. If the outcomes are going in the wrong direction, then hold the systems responsible for the output and not just for the nature of the decision-making itself.

That's a very good question. I would answer with a few things.

First, I think artificial intelligence and automation, like any new technology.... My colleague, Mr. Snow, spoke to a hype cycle. It's actually a thing in our sector where we see where that technology sits on the hype cycle. I still think that artificial intelligence and the concept of job replacement is, frankly, something that is very debated. It has gone from “the machines will take our jobs” to our increasingly seeing coexistence of humans and machines, and how that will actually augment the work as opposed to replace the work.

I can't speak definitively on the strategy because I still think it's very early in the hype cycle. We're seeing that the countries that do this well are the ones that not only make the investments in these technologies, but also bring a multidisciplinary lens to this discussion.

It's not only an economic growth issue; it's a service to Canadians issue, writ large. It's also how the private sector serves citizens as well. I think it will be important for us to keep an eye on the developments. Often things are done so quickly.... A service provider from a company without necessarily.... It happens so quickly we don't see it. For example, translation services are increasingly becoming very efficient on social media platforms, and it's only for the last eight months that you've actually seen an efficiency curve really spike. So, all of a sudden, that's a different conversation than we were having six months ago.

I think the key will be multidisciplinary, making sure that we don't bring departments to an issue, but bring a horizontal sort of lens to the issues and just continue that narrative and the dialogue.

I would say that we are increasingly mature on the artificial intelligence path. We're a little less mature on blockchain in the Government of Canada. It doesn't mean that we don't have places that are experimenting. We are looking at ID pilot, digital identification pilots with provinces, for example, using blockchain. We're looking at grants and contributions, I believe, at the National Research Council, using blockchain. It is probably the next area that we need to look at. I would like to say we're more mature in that space, but we're actually not.

We invested heavily in the AI space to match the investment that the government's made in AI across the country, to make sure we were ready to ingest those services. I would suspect blockchain and a few other concepts will probably be next on our radar.

I think that in terms of regulation, I would completely pass that over to Alex.

I'm going to go back to my earlier point that—

I think transparency is the key in that. I'm not going to speak ill of any companies, but there are some companies that are very good about being transparent in how they do security of their cloud services, for example. Google, Microsoft, Amazon all publish very good security white papers about what they do to protect the information in their systems. They also tend to try to be as transparent as they can on the data they're collecting. In a lot of cases, I think sometimes people just don't understand the things they're agreeing to. I think those are some of the things that have been done in the U.K. and in the EU with GDPR in getting more informed consent. I would leave it at that, but I think Alex probably has certain things to say.

Yes, it's maybe a three-part answer. I think we need to get better at understanding that there are certain pieces of data that are okay to be on some of these platforms, and there are other pieces of data that are not. Personal information, I would say, is too unclear at this point, but it doesn't mean that we can't look at the discussions with these vendors and suppliers around the values that we want to bring in how we manage personal information, the requirements around security.

Some of the work we do on policy, for example, should be completely transparent and open when we're talking about algorithmic impact assessments, because these things will impact a citizen directly. Putting that on Google Docs and, frankly, 10 other platforms, is not necessarily an issue. That's the first part.

On the other part, I would like to just bring standards into the conversation versus regulation. I think there is an opportunity to start with better standard-setting across the country. During my time in the private sector, and when I was at OpenText, I would often run into other countries that had set standards for themselves that, frankly, possibly would put their own organizations or enterprises into advantageous positions. I think we need to look at standards as both offensive and defensive mechanisms, and find ways to actually start looking at these standards as a first step.

With regulations, the problem is that they could stifle innovation—you'll hear that a lot from the private sector and some of my former colleagues—but they're possibly a step. There are probably some other steps you could look at before diving directly into regulations, because they are a double-edged sword.

Obviously the policies and whether those vendors are encrypting at rest, whether they're encrypting in transit, whether they're taking various steps to protect data are part of the equation. The other part of the equation is, how are we protecting our own account management? Making sure that we are using password managers, making sure that we are using that second-factor authentication that is available on many of these systems at this point—and increasingly will probably start to become required—are steps that government can also encourage and help explain. So there's a role there as well.

No, I don't have a response on that issue.