Government Operations Committee on May 25th, 2020

Thanks so much, Mr. Chair. It's good to see everyone virtually.

I'm pleased to appear before this committee from my home in the traditional territory of the Coast Salish peoples. I'm joined today by Paul Glover, president of Shared Services Canada; Raj Thuppal, SSC, senior assistant deputy minister for networks, security and digital services; Marc Brouillard, acting chief information officer of Canada; and Scott Jones, head of the Canadian Centre for Cyber Security.

Mr. Chair and colleagues, as Minister of Digital Government, I'm leading the Government of Canada's digital transformation. My mandate is to provide public servants with the tools they need and to deliver the digital services Canadians expect. This transformation is critical for the government to keep pace digitally, and as the pandemic has shown, it's more important than ever that we have secure, reliable and easy-to-use digital services to make sure that no Canadian is left behind.

It has been about 10 weeks since our government took the unprecedented step of asking federal employees to work from home, and to support this, the digital teams right across government stepped up their efforts to ensure the public service could continue working safely and effectively, because our government's first priority is to continue serving Canadians.

I have been so impressed by the work of Shared Services Canada, the office of the chief information officer and the Canadian Digital Service have been doing to ramp up our digital capacities almost overnight. SSC has been working to maintain IT support for efficient and secure delivery of critical services as citizen needs escalate, and this in addition to supporting an unprecedented increase in public servants teleworking from their homes. I can't express enough the magnitude of this work and I thank all of the public servants who've been doing it.

SSC expanded networks, boosted services and provided equipment and tools so employees were able to continue to deliver critical services while working from home. They also enabled WiFi-calling so that employees could call and receive calls where there was poor cell service, and they increased departments' Internet capacity, in some cases up to 300%. They nearly doubled government's secure remote access capacity so that we can currently have up to 270,000 simultaneous remote connections. SSC also tripled the ability of the CRA to manage the flood of Canadians applying for the Canada emergency response benefit and the emergency student benefit.

The Canadian Digital Service has also been helping with digital responses right across government. They created a digital tool kit, helping departments recruit tech staff and access a library of open source code solutions—and how to use them—and helping citizens navigate the multiple benefits that are available and sign up for secure notifications about COVID-19 from Health Canada and other ministries.

The office of the CIO has been working across government to provide guidance on COVID-19 IT challenges, making sure that private sector offers of help are assessed and connected quickly with departments as well. To keep information safe, this office has helped all federal employees make telework more secure and provided best practices for using digital tools safely.

Disruption attracts cybersecurity challengers and we're very aware that increased and new uses of digital tools carry the risk of malicious cyber-activities. Cybersecurity is and will continue to be a high priority for our government as we safeguard Canadians from cyber-threats. Let me assure this committee that we are constantly monitoring, detecting and actively neutralizing cyber-threats, and that we coordinate events effectively through the Government of Canada cybersecurity event management plan.

Shared Services Canada has increased the overall security of the government through services such as perimeter defence, vulnerability management, supply chain integrity and an integrated cyber and IT security program to protect the infrastructure supporting departments and agencies.

To combat COVID-19 misinformation and fraud, the Canadian Centre for Cyber Security coordinated with industry partners to help remove thousands of fraudulent websites and email addresses that could have been used for malicious activity.

In conclusion, every crisis can be an opportunity to change for the better, and this pandemic is no different. In short order we have seen a move towards collaboration across all orders of government and industry. We've adopted digital solutions to unprecedented challenges at unprecedented speed, and we're doing it safely. I thank all our public servants for their Herculean efforts in this digital response.

Thank you. We'll be happy to now take your questions.

Thank you very much.

We'll now go to Mr. Aboultaif, for six minutes, please.

Good afternoon, Minister. I hope you are keeping well with your family.

There was a story that came out showing hundreds of thousands of credentials being hacked from Zoom. There was a story also about Skype, some actual videos being stolen for external analysis where the users were unaware.

We've been using Zoom, as well as other methods such as Skype. How are we protecting sensitive information from being hacked or communicated over video chat? How are we making sure that sensitive information is not going into the wrong hands?

First, we understand that during a time of pandemic there are always those who look to take advantage of the crisis, and we're taking every precaution to ensure that Canadians and our systems are protected.

You refer to Zoom. In particular, I understand that the House of Commons is using zoom for virtual Parliament. It's widely known to be an insecure application, of course, but it is not used in the public service nor with Parliament for anything that is required to be confidential. It is only for matters that can be discussed and dealt with in the open that Zoom and that type of public tool are appropriate.

We have been providing guidance to public servants on what the appropriate tools are for which type of activity in supporting Canadians.

Minister, a lot of public servants are working from home, from politicians to everyone else. Different departments are operating from homes and there is some sensitive information being exchanged back and forth.

Are you aware of any sensitive information being leaked, or have you received any complaints of any kind or any reports of such an incident?

Mr. Aboultaif, I'll ask my officials to add to my answer because they will have more information about details, but I am not aware of any breaches.

We have rapidly increased the capacity of the secure networks to be able to support the public servants working from home. In fact, before this pandemic emergency, an average number of secure remote connections at a single point in a day was about 40,000. We are now up to 200,000 such connections, which means that there was a very fast and very effective transition to public servants working from home through secure networks. There have also been secure cloud-to-ground networks created for other types of specific work.

It's an important question and I think the public servants have been doing a great job to protect the integrity—

Minister, was any cybersecurity assessment done before we used Zoom, and since when has any Zoom application been used by the government in any capacity?

The answer is yes. Zoom is being used by government employees but only in circumstances where their communications are public, or can be public. For anything that is restricted or confidential, Zoom is not used. The chief information officer provides clear guidance on that, and again, I invite my officials to add.

I know in this format it's a little more difficult, but if there is anything they have to add, I welcome that.

Paul.

I have a quick question.

Definitely there were some breaches—I will verify—if I understood correctly the minister's aide. Was there any exchange of intelligence with other partners such as the Five Eyes, for example, on incidents happening to us or happening elsewhere within our allies?

Please give a very brief answer.

We're continually monitoring, and yes, the Centre for Cyber Security, which my ministry is a partner in, works closely with the Five Eyes to identify threats.

Thank you very much.

We'll now go to Mr. MacKinnon for six minutes, please.

Thank you, Mr. Chair.

I'm delighted to see my colleague the minister and the people who are with her today.

I'm extremely proud of what these people have been able to accomplish in terms of resources, having visited Shared Services Canada. The progress we're seeing at Shared Services Canada is quite remarkable. So, Madam Minister, I want to acknowledge the success of the men and women at Shared Services Canada who have provided public servants with access to the secure networks and technological tools they needed to maintain services to citizens during this crisis. I know that Shared Services Canada has often been the target of criticism, but this time it is showing us the way forward. We are very proud of what these people have been able to accomplish.

I'm sure my colleagues don't always appreciate that we highlight the success stories here, Madam Minister, but I think it's important that the women and men of our public service are recognized for the incredible work they have done.

There's a lot of talk lately that everyone is going to be able to work from home. We'll be able to empty all of our downtowns and no one will ever have to go back to the office again.

Minister, you've been working very hard on technology-enabled workplaces. That's work that goes on with Public Services and Procurement Canada as well, with respect to enabling flexibility, enabling unassigned workplaces and enabling the kinds of workplaces that we're really going to need going forward, and doing so in part using technology. Maybe we could have the benefit of your thinking on that.

Thanks, Mr. MacKinnon.

There has been certainly commentary in the public about the emergency we've been responding to with so much increase in digital tools and secure digital tools, and how that will translate into changes post-COVID. We are certainly thinking about what might be a strategy for going forward post-COVID.

I think we've all been surprised, and pleasantly surprised, as you mentioned, by how quickly we as a government were able to continue to serve Canadians, and not just that, ramp up service. As we know, almost a million Canadians applied for the CERB on day one.

I see this as a continuum. From 2018's budget of over $2 billion over five years there has been a very concentrated effort to have a more integrated approach to our information storage use and our digital government. That was an SSC budget. There has been a half a billion dollars put into the whole arena of cybersecurity and the creation of a collaborative approach to cybersecurity, which is really serving us very well as a government right now. On some of those building blocks of addressing the old data centres and migrating them, I think about 40% have now been migrated to modern data centres and the cloud.

Some of these fundamental pieces that may have not been given the attention they deserved over the years have really been a key focus of this government, which is what the ministry of digital government is all about. It's to continue focusing on better serving Canadians. Really, what we know is that it just is not good enough if the only channels the public has to get service from their government is through downloading PDFs and faxing documents, or potentially standing in line and waiting to see someone.

We've moved it into the modern era.

I know Mr. Chair's going to cut me off very soon, but I just want to perhaps point out or even ask.... We've spent a lot of time doing things as basic as putting WiFi into the new GC workplace standard, so that public servants across departments can collaborate and come together in new, modern workplaces and are able to use technology to unleash creativity. That's going to be an important part of the mix going forward as well. I'm just wondering if you have any closing thoughts on that, if we have any time left.

Unfortunately, we do not have any time left.

All right.

Since there was an open-ended question, Minister, if you care to respond to Mr. MacKinnon, I would ask you to do so in writing as soon as possible and send that response to our clerk.

That's excellent.

Ms. Vignola, you have the floor for six minutes.

Thank you Mr. Chair.

Good evening, Ms. Murray.

Indeed, the pivot that employees performed in recent months has been dramatic. Nonetheless, we will have many questions in this regard.

On May 8, the Acting Chief Information Officer told the committee that there was ongoing monitoring of the federal government network by the Communications Security Establishment.

What are the greatest risks, the major threats, to the federal government network? How is the federal government mitigating these risks and threats?

Thank you for that question, Madame Vignola.

I think one key is that we have an integrated approach to threats. There may have been a previous day when each of the ministries had to deal with its cybersecurity threats. We have a very collaborative approach right now, and that's through the Canadian Centre for Cyber Security.

One example of how this works well is in the creation of the new benefits, which happened so quickly, for example the emergency response benefit. There are cybersecurity officials who are monitoring that application to make sure there are no vulnerabilities and there are no attacks that succeed in disrupting our service.

It's a very collaborative approach. Each of the ministries has a clear and separate responsibility with respect to preventing and responding to cybersecurity threats and attacks. I think it has been working very well.

In your speech, you referred to fraudulent websites that were copying Government of Canada sites. How many of these websites have been detected? Were they all shut down?

I will ask the official from the Canadian Centre for Cyber Security, Scott Jones, to elaborate on that.

I would say that the monitoring and the very effective Government of Canada perimeter within which all of our secure government activities are placed and take place have resulted in a remarkable absence of real cyber-incidents over the past time period during COVID when so much activity is happening.

Scott, do you have something to add?

Could you tell us how many victims there were before these sites were detected by your services?

Are there any teleworking public service employees whose computer systems have been targeted by a cyber attack?

Among the 1% of cyber attacks that remain, have there been any consequences either on government data or on the personal data of Quebeckers and Canadians?

Give a very brief answer, please, Mr. Jones.

Thank you very much.

We'll now go to Mr. Green for six minutes.

Thank you very much, Mr. Chair.

I certainly appreciate having the opportunity to hear from the honourable minister today.

As you know, constituency offices across the country have been absolutely inundated with calls for every single government announcement, particularly as it relates to EI benefits and CERB, and certainly for small businesses it's the same, so I can appreciate the Herculean effort it must take to provide responses throughout the public service.

We've been hearing, though, from many people that they've had problems with the processing of their EI and CERB applications and cannot get in touch with an agent from the CRA or Service Canada. A constituent in my riding, Shannon Cooper, applied for EI leave on March 19 and is still waiting to receive her first payment. She has needed to call Service Canada to help sort out problems with her application. One of the biggest challenges she's facing is that when she's finally able to talk with an agent on the phone, her call gets dropped and the agent doesn't call her back. This has happened multiple times. She's now gone with close to 70 days without pay.

Given the IT infrastructure challenges that certainly all of government is facing, are you aware of this issue of calls being dropped by call centres?

Well, to be—

Minister, before you attempt an answer, I would just remind Mr. Green to, again, try to keep his questions focused on the government's response to the COVID-19 pandemic. That is the frame of reference.

Mr. Chair, respectfully, CERB applications are in direct response to COVID, and it's a very important question.

It is an important question. I appreciate that. I'm just trying to make sure the precision of the question is there.

Please go ahead.

It's rooted in CERB, so I assure you it's 100% related.

Thanks for that question.

Of course, because serving Canadians quickly, effectively and securely is a high priority for our government, I always regret to hear that somebody is having a challenge having an interaction with our government.

I can say that, through the work of the public servants of Canada to very quickly ramp up the capability to work from home, and even call centre employees who are working from home in some cases, it has been a unique circumstance. Given the millions of Canadians who have needed the government's help and the millions and millions who have received that help, I'm very proud of the work that has been done, but we will never stop trying to improve our systems and the infrastructure and the secure tools that are needed.

I can appreciate that, and I would expect that and hope that, certainly from the government's perspective. However, in order to basically address these challenges that you're faced with, understanding that it's probably a function of old technology—and I'll let you comment on that in a moment—do you know exactly what percentage of calls are getting dropped? What type of evidence are you using to help improve the systems of IT?

Thank you for that question. I'm going to ask Paul Glover to answer.

I like the generalities, but I would prefer the specific—

There were none. No calls were dropped yesterday. Is that your assertion?

Just to close it out, in terms of the improvement you've identified, I'm very happy to hear that. I think our constituency offices might have a different anecdotal perspective.

Could you just give us a sense of, when this unprecedented wave happened for dropped calls until now, what it would have been at its peak?

That's helpful.

Mr. Chair, thank you very much.

Thank you very much.

We'll now go to our five-minute round of questions, starting once again with Mr. Aboultaif.

Thank you again, Chair.

Minister, the federal government wants to help provinces build a framework for contact tracing through personal cellular devices. Is it safe to assume that this is pre-COVID, or after COVID?

This might be a question for the health minister, but I'll take a shot at it.

I think this is in response to COVID, and in response to the very important program of opening up our economy and enabling our businesses to continue serving Canadians. I think it is as we open up. Therefore, at that time, we need to be doing more contact tracing and more testing, and the federal government has offered to support the provinces, which are responsible for that.

Speaking of which, we know there have been previous attempts by this specific government to invade the privacy of Canadians, specifically the incident of Statistics Canada and personal banking information, about half a million of these records being out without the knowledge of Canadians.

We know that our people, Canadians, are very concerned about their privacy and their private information being leaked. That's in addition to, obviously, their being under constant surveillance. They'd be under surveillance all the time.

Could there be, or will there be, any chance that the voluntary contact tracing initiative could be made mandatory, yes or no?

I can't comment on that. I can say—

Minister, I appreciate that but it's your department. You're going to have to be doing the work at the end of the day.

I know we'll be providing any advice, guidance and support we can as digital government. The provinces are doing the testing and the tracing. Our federal government has offered funding to help them ramp that up and has offered the work of federal employees to do the hours of contact tracing. However, through the chief information officer and our other public servants, we oversee very strong policies and guidance on privacy and respecting individuals' privacy.

Then you're not only supporting the provinces financially. You're also putting out guidelines or guidance as to how this is going to be done.

It's very important because Canadians are going to look at two things: They're going to look at their privacy, and they're going to look at the information that's needed by the government.

Between public safety and privacy, how are you going to cross that fine line?

We have guidelines and laws around privacy. For example, SSC has a privacy risk checklist and a requirement for privacy impact assessments in many cases for new infrastructure or initiatives. That would be SSC's initiative.

Government's collection, use and disclosure is subject to privacy notice statements and consent forms, consent for any data to be used for a purpose other than the one for which it was originally collected. We have strong rules and we will make sure that the appropriate ministries are aware of them.

In light of this whole thing, since this is happening because of COVID-19, so that at least Canadians, and even policy-makers on the opposition side, can understand where the government is headed with this, when was the last legislation or policy put forward by the ministry?

I'll ask my official, the acting chief information officer, Marc Brouillard, to answer that question.

Monsieur Brouillard, respond very briefly, if you could.

Yes.

Only because we're out of time, could you get the exact information that Mr. Aboultaif has asked for and submit it in writing to our clerk as soon as possible?

We appreciate that very much.

Thank you.

We will now go to Mr. Weiler for five minutes, please.

Thank you, Mr. Chair.

Thank you, Minister and the other witnesses, for joining our committee today.

I also want to give a quick shout-out to all the employees who have been quickly able to shift from working in the office to working remotely and continue to deliver a high level of service in a really stretched time. It's also incredible and amazing to hear that there have been no breaches of cybersecurity for public sector employees during the pandemic.

Minister, first, what is the Government of Canada doing to protect the personal information of citizens in this increasingly digitally enabled government?

We were just talking about privacy, the government's privacy policy. Every public servant has training on the privacy policy and is aware of it.

Shared Services Canada has a very important role to play in the privacy of Canadians' data and personal information, because SSC is the main government infrastructure and storage of information. It's a very strong gatekeeper, actually, a custodian of the majority of this information. There are very clear guidelines for its staff on secure document use and storage, as well as an inventory of all personal information handled by SSC enterprise staff. They restrict and manage the collection, use, storage and disposal of data to respect the intended purpose and privacy laws. This is a high priority for us.

Paul, do you have anything to add?

Thanks for that answer.

Next, how is cybersecurity addressed in the Government of Canada, including cyber-threats that might pose a risk to government infrastructure, or potentially, when they're aimed at private enterprise?

Cybersecurity is addressed in a very integrated way so that there is not a patchwork of approaches across the Government of Canada. This is essential to the success we've been hearing about from officials today in terms of reducing the vulnerabilities and the success of attacks. The Canadian Centre for Cyber Security is the core organization that provides the various aspects of being able to protect government networks and activities from being hacked or threatened.

The chief information officer branch, SSC and CSE, the Communications Security Establishment, are the triumvirate in what is a coordinated approach. They have written what is called the Government of Canada cybersecurity event management plan, so that when an event or an incident occurs, it is very clear who has what role in responding so that we can be effective as an organization right across the government.

I will ask whether Scott has other elements of that to add.

Sir, you have about 30 seconds to respond.

Thank you very much.

We'll go back to Mr. Aboultaif, for five minutes, please.

The government operations committee once requested from the department.... The department on digital government indicated that 11% of the federal government's application portfolio is unused, basically.

Minister, can you tell us, in numbers, how many applications are unused, or haven't been assessed, as a better term?

If I could clarify, they haven't been assessed for what purpose, Mr. Aboultaif?

For all purposes, for validity, for the benefits of it, and actually whether we need it or not.

You know and I know that there are still many of the digital centres that have either been shut down or are not being used. We've spoken about that before. I'm wondering, with regard to the software applications, how many software applications haven't been assessed yet.

Thanks for that question.

Software applications are owned by the departments that use them to provide their services. They are not part of the responsibility of digital government.

I can say that there are many, many applications, somewhere around 18,000 applications, and some of them are older. There's no question about that. We're working with all of the departments to encourage them to reduce the number and to consolidate their applications, as well as to use digital principles, so that we have an approach across government where we're working together and sharing applications that can be used for various departments.

Do I understand that the 18,000 applications haven't been assessed? Is that correct?

I will ask Mr. Brouillard to comment on that question.

The answer from the department shows that there are 7,363 software applications that haven't been assessed. That is based on the report that came out of your department. To clarify the record—at least to correct the records in place—the answer is that 7,363 software applications haven't been corrected.

This is showing that the digital infrastructure is collapsing. Is it a fair assessment to say that, because only 36% of the applications are in a healthy state and the rest are not?

Thanks for the question.

I would characterize our situation in Canada as doing a great deal of work to transform our government's Internet and telecommunications technology foundations to be able to serve Canadians better. There are many examples of where that's working. Yes, there are some legacy systems, data centres, as well as applications that pose challenges, and we are working in a very thorough and step-by-step way to address those issues.

As mentioned, only 36% of those applications are in a healthy state. The 64% are not, which is basically two-thirds.

What is the timetable, Minister, that you're going to achieve, looking forward, to make sure that what we have is basically 100% healthy, to be able to operate properly?

You have about 30 seconds, Minister.

I'll ask Mr. Brouillard to respond to that.

Thank you very much.

We'll now go to our last five-minute intervention.

Mr. Kusmierczyk, you have five minutes, please.

Thank you very much, Chair.

Just to pick up on the line of questioning of my colleague, according to the SSC's 2020-21 departmental plan, nearly 80% of the federal government’s roughly 18,000 applications reside in aging and unreliable data centres that are at risk of service outages and failures, and it will prioritize moving these applications to the cloud or enterprise data centres.

I just wanted to know whether the COVID crisis has accelerated this process. Are there also advantages to moving to the cloud in terms of cybersecurity? Maybe we'll just begin with those two questions to start.

There certainly are advantages to moving to the cloud. I would say security is a big one, but also cost-effectiveness.

I will ask Paul Glover of Shared Services Canada to comment on whether that initiative, that migration of data centres, which our government funded several years ago and is well under way, has continued during the last three months while we have had to really focus on emergency answers to millions of Canadians in a way that hadn't been anticipated.

Thank you very much for that very detailed response.

Just to follow up on that, I'm wondering whether the federal government has experienced fewer cybersecurity incidents affecting applications that are already in the cloud.

Could I just add—

Very briefly, Minister, please....

Okay.

For those who are listening or watching, as well as our members, there is access to a free version of CIRA's Canadian Shield firewall. That's for small businesses, but also for individual Canadians. That is drawing on the experience and expertise of the combined team through the cybersecurity initiatives in the Government of Canada.

Thank you so much.

We'll now go to our two and a half minute interventions, starting with Monsieur Barsalou-Duval.

Thank you very much, Mr. Chair.

Earlier, I heard repeatedly that since the beginning of the COVID-19 pandemic, when people were encouraged to work from home, there have been no security problems, no intrusions and no data leaks regarding our officials. The same would seem to be true for House of Commons staff.

However, I've also heard that in the majority of cases where there are leaks, data leaks or espionage, for example, people are not aware of it or don't notice it.

How do you know there wasn't one, when people rarely notice?

Thank you for that question.

What we do know is that it was a high priority for us to be able to serve Canadians and to provide the tools so that our public services could do that and do it safely within the perimeter of the Government of Canada's security perimeter. It has been very successful.

We're also clear on what activities have to happen through secure channels and which ones can happen through other public tools like Zoom. I will ask Mr. Glover to explain how we—

So you can't guarantee that there have been no leaks, data leaks, espionage or anything like that.

Mr. Jones, I know that you're going to be sticking around for another hour. Perhaps you can expand upon the answer you were about to give, but we're completely out of time, unfortunately.

We'll go to our final intervention.

Mr. Green, you have two and a half minutes, please.

Thank you, Mr. Chair.

In its digital operations strategic plan 2018-22, the federal government recognized the need to modernize its aging at-risk IT infrastructure and systems. It also indicated that its “IT systems and assets that have been in service beyond their normal useful life will fail to meet the current and emerging requirements for the delivery of timely and critical services and information to Canadians”.

For the minister, in your mandate letter, the Prime Minister asked you to identify “all core and at-risk IT systems and platforms”. Has the federal government modernized its at-risk infrastructure and systems since the beginning of the pandemic? If so, what is the estimated cost of updating all identified core and at-risk IT systems and platforms?

Thank you.

That's a pretty big task that you just laid out there. This is something that is being done over the course of a number of years. Shared Services Canada was assigned $2.2 billion in the 2018 budget, and there have been other budget amounts since then.

I will ask Marc, who is the acting CIO, to continue with the details for that question.

Thank you, Mr. Chair.

Thank you very much.

Minister, that ends our first round of questions. We want to thank you very much for your appearance here today. I can safely say that I suspect when you signed up for this job as Minister of Digital Services you didn't think, nor did any of us, that the situation we see today, in which we're living in a virtual world, would be upon you and your officials. Thank you for being here. We appreciate your appearance. Good luck to you. I hope you stay healthy and safe.

Thank you.

Colleagues, we will not suspend. I will excuse the minister, however.

We will go directly into our second hour. We have with us the head of the Communications Security Establishment, Mr. Scott Jones. He has a brief, five-minute opening statement.

Mr. Jones, I'd ask you to deliver that statement now.

Thank you, Mr. Jones.

We'll now go into our six-minute round of interventions, starting with Mr. McCauley.

Thank you, Mr. Chair.

Mr. Brouillard, welcome. I'll start with you. Most of this is going to be around access to information.

How are we updating the guidelines for employees on Government of Canada information management?

Of course, yes.

Right, but are we doing anything besides reiterating to them?

Okay.

The directive on record-keeping outlines effective record-keeping practices that enable departments to manage and protect the integrity of information.

If we have so many people working from home now, what are we changing, one, to protect that information, and two, to make sure it is available for ATIPs?

Okay.

The ATIP process has been put on hold. Obviously people are working at home. When are we going to see it reopen so that the public, politicians, etc., can start getting answers to access to information requests?

It has been, yes.

I would challenge you to find a single response in the last two months.

Are we developing a plan to address this? We can't just sit and say we can't access it forever. Are we developing a plan, or are we doing a wait-and-see to see how COVID bears out?

The Information Commissioner, Ms. Maynard, has been very critical—I guess that would be a polite word—of the government's handling of transparency right now. She put on her website, “institutions are reminded that they must continue to properly document their decisions as well as their decision-making process in accordance with the Policy on Information Management.”

How are we ensuring that's done, besides saying they're using government servers?

The CIO of Treasury Board is the overseer. Is this another example of, “Well, that's the departments, and if they fail, that's too bad”?

Right, but what is Treasury Board doing to follow up to make sure this is being done? That's my concern.

Are we ramping up these active reviews, considering nothing is going on ATIP-wise and there's this very real concern, as expressed by the Information Commissioner?

What's your confidence level that the policy and information management is going to be followed?

Thanks.

I have just a last question on that. She lists tips on her website, the nine email tips for maintaining information. Have you rolled that out to the departments, or are you just waiting for departments to look at her website on their own?

Again, Treasury Board is responsible for this. If you let it go.... We've seen this repeatedly from Treasury Board on human resources, whistle-blowing and departmental plans. Treasury Board is responsible but always says that it's the departments, and then nothing gets done.

Mr. Brouillard, I'm going to ask you to provide that answer—in writing, as I've mentioned before—to the clerk as soon as possible. I'm sure you want to give a fulsome answer to Mr. McCauley's question. I'll give you the opportunity to do so as quickly as possible, sir.

We will now go to our second round of questions, for six minutes again.

Mr. Jowhari.

Thank you, Mr. Chair.

Welcome to all of our witnesses and thank you for the information you've provided so far.

My question is for Mr. Brouillard. A lot of my colleagues have taken an approach where they've gone to one of the specific what I call pillars or building blocks of our digital strategy or digital government, whether it's cybersecurity or aging infrastructure, etc. For the benefit of the many Canadians who are watching, could you take a step back and very briefly demystify our government's digital strategy into four or five key pillars?

Give us an idea of where we were on the path of delivering our mandate before COVID-19, and what the impact of COVID-19 has been on our mandate and our being able to deliver. I'll ask some follow-up questions after that.

Before COVID-19, there was a mandate. There is a mandate letter for the minister. For you as the CIO, what would you identify as the key building block of our government's digital strategy?

Perfect. That's exactly what I was hoping for. I was hoping that you'd go in and demystify those different building blocks.

Then we have COVID-19. Naturally, that has impacted our strategy or our road map to deliver what we had committed to. Can you quickly talk about the overall impact on our ability to deliver? Where have we had the highest impact?

I'm sorry to interrupt. Very quickly, where do you think our vulnerabilities are going forward, based on the original strategy we had?

It's our response to our ability to deliver our mandate because of the impact of COVID-19.

It's a risk area.

Give me one of the priorities that we have to pay special attention to as we are ramping up and opening up the economy.

Yes, I realize that, but as an internal government we are supporting those initiatives.

I have 30 seconds left. Do we have the capital resources and the funding to be able to deliver that? If not, where should we focus on getting those resources?

Give a very short answer, please.

Thank you.

Thank you very much.

Ms. Vignola, you have the floor for six minutes.

Excuse me. The interpretation was cut off, so I didn't hear everything.

In the departmental plan, Shared Services Canada noted that computer-related threats were constant. Earlier, it was said that there are 2 billion daily attacks against various government services. At least that's what I heard.

First, what resources does Shared Services Canada have to prevent these attacks?

Second, is there collaboration with other police services, such as the SQ?

Third, where are these attacks coming from? Are they coming from internal sources in Canada or from external sources?

I'll stop with three questions. I'll see later about the rest.

My questions are for either Mr. Brouillard or Mr. Jones.

Earlier, we talked about applications. There's a whole host of them and rumours are rife. Some companies would like to have applications to monitor their employees, for example to calculate the number of clicks, the sites they have visited, and so on.

Does the Government of Canada currently use this type of application for its own employees who telework?

Thank you.

Among other things, there was talk of increased bandwidth, new computers, new structures, microphones and cyber security. To date, what is the impact of these new needs on budgets?

Please give about a 30-second answer, if that's possible.

Thank you very much.

We'll now go to Mr. Green for six minutes.

Thank you.

It's certainly not every day that you get to put questions to the Communications Security Establishment, so I'm going to go ahead and take that opportunity today, Mr. Chair, through you to Mr. Jones.

In 2018, the federal government launched the cyber centre as a part of the CSE by consolidating cybersecurity expertise from the CSE, Public Safety and the SSC. How many employees work for the cyber centre?

How many of them came from Public Safety and SSC respectively?

How were they selected?

Thank you.

According to a media report, the CSE is working in coordination with its partners to ensure that COVID-19-related phishing sites mimicking the Government of Canada are removed. Who are those partners?

That's very well stated. Thank you.

Could you provide some further examples of how the CSE's cybersecurity work is related to COVID-19?

This might seem like a frivolous question, but I'm going to ask it anyway because fraud is a concern of mine. It might not be in your portfolio. Are new technologies in place that enable us to better target the old-school phishing scams through telephones, i.e., even as a member of Parliament, I continue to get CRA calls on my government phone that I'm about to go to jail unless I send them money right away.

Are there ways we can fight back against that type of traditional phone scam?

That must be interesting. Do you let them know where you work?

Thank you.

That concludes my questions. I won't take up time for the sake of taking up time, Mr. Chair.

Thank you very much, Mr. Green.

Now we'll go to five-minute rounds, and we'll start with Madam Block.

Thank you very much, Mr. Chair.

Thank you also to our witnesses for joining us today.

As you noted in your opening remarks, Mr. Jones, these are extraordinary times, which have required us to change the way we work and communicate. While we have risen to the challenge, I believe it is more important than ever that we secure critical infrastructure as we shift government operations to digital and telework.

Also in your opening remarks, Mr. Jones, you noted that the Government of Canada has a strong and valuable relationship with our international cyber partners, and that we regularly share information, which has a significant impact on protecting “our respective countries’ safety and security”. Maybe this segues just a bit into the answer that you just provided to my colleague Mr. Green.

According to an article in The Telegraph on Saturday, the Prime Minister of the United Kingdom announced that he will reduce Huawei's role in Britain's 5G network in the wake of the coronavirus outbreak. If Huawei is a part of Canada's 5G network, will it pose a security risk to Canadians?

Thank you.

Other Five Eyes partners have already made a decision on Huawei and their 5G networks. Is there something different about Canada that dictates why we have not made a decision yet?

From your perspective, would it even be possible for Canada to make a decision right now on Huawei's involvement with our 5G networks?

I appreciate what you said about always considering that a network is vulnerable.

Is Huawei considered a higher risk vendor when it comes to a 5G network?

Thank you very much.

We will now go to Monsieur Drouin, for five minutes, please.

Thank you, Mr. Chair, and through you, I will be asking my questions to Mr. Glover.

I recall almost 10 years ago, 2013 I believe, it was Marissa Mayer, when the whole debate about working from home versus not working at home.... That Yahoo CEO said, “I'm bringing back all the employees to work and nobody is working from home.”

In our case, I know that some employees were able to work from home, but now COVID-19 has hit and everybody must work from home. Can you talk to me about ramping up that capacity to allow telework, to allow our public servants to work from home?

Mr. Glover, I know through the Buyandsell.gc.ca website, for instance, IT services and IT products were identified as priorities for COVID-related issues. Did your organization go to the same suppliers that you would normally go to, or did you provide some innovation within the system to allow...? Maybe there are new products out there that we don't know of yet, or great solutions that were offered through Buyandsell.

How did your department balance “I'm going to go with the people I know” versus “there may be new solutions out there that we still don't know of”?

Very briefly, sir, you're over time now, so finish in the next 16 seconds, please.

Thank you.

Mr. McCauley, go ahead, please.

Thanks.

Mr. Jones, I'd just like to follow up on Mrs. Block's question regarding Huawei. You commented that we have to protect ourselves from all vendors. Do you feel the same way about the other two main vendors, Ericsson and Nokia, for servers, as Huawei, that we have to protect ourselves against them?

You talked about extra risk reduction. Is there a larger risk issue with Huawei than, say, Ericsson or Nokia?

What are the different risks for Huawei, say, than for Ericsson?

You're putting Huawei on the same level of security risk-wise as, say, Nokia or Ericsson.

Let me ask you a couple of different questions. The minister stated earlier in her comment that it is widely know Zoom is insecure. Many government workers use Zoom. How do you feel about private caucus meetings—Conservatives, Liberals, NDP or the Bloc—using Zoom, if it is widely known to be insecure?

Should we not be doing that? The governing Liberals are having their caucus meetings over Zoom, and the opposition and the NDP are discussing confidential government information.

What's your level of inability to sleep at night over something like this? Is it that you sleep soundly or you're up at night with the night terrors over the lack of security for members of Parliament using the prescribed program in the House of Commons?

I don't mean for committee work that's open to anyone viewing. I mean for private information, such as a caucus meetings, or perhaps cabinet meetings, if they're doing those over Zoom.

In your opening statement, you mention that you monitor and protect programs against cyber-threats, including CERB. What is the threat there? Is it duplicate programs? Are people hacking into CERB? The reason I ask is that in a National Post article today there was a concern expressed that people overseas could be applying. Is it a matter of ensuring the VPN users are actually in Canada for applying? What are your concerns about it?

Your exact words were “against cyber-threats”. That's not a cyber-threat of CERB. That's a phishing or fraud threat. Did you perhaps word it badly, or was that your intent?

Okay. This will be my last quick question, I'm sure—

Unfortunately, Mr. McCauley, we just don't have the time.

Thank you, Mr. Chair.

We'll now go to Mr. MacKinnon, please, for five minutes.

Hello again. I'd like to thank you for your efforts.

There is a lot of talk these days about returning to work and preparing for it, even though we don't know how or when we're going to get back to our offices. The Government of Canada has spent a lot of time reviewing its workplace of the future model.

My question is primarily for Mr. Glover. Could you tell us more about the technology side of the office of the future in the public service and from a post-COVID-19 work perspective? I'm obviously talking about the availability of wireless Internet, cloud computing, and other tools.

That's fantastic.

I know one of the things your organization has spent a lot of time assisting with is a pilot project called GCcoworking. For the benefit of colleagues, that is a pilot project whereby employees from different departments can enter an office environment that is closer to their homes or, when they're on the road, have access to all the technology tools and the required security.

Can you talk a little about GCcoworking and the technology enablement you have done there?

Thank you very much.

Thank you.

We'll now go to our final two interventions. These are two and a half minute interventions, starting with Monsieur Barsalou-Duval.

Thank you, Mr. Chair.

Earlier, it was said several times that cloud computing was good for computer security.

I'm not a computer security specialist, but does data or emails from MPs that are stored on their computer's hard drive end up on private companies' cloud servers?

Sir, my question is whether or not data is being held by private providers. Is there any outsourcing of cloud computing or is it done directly by government or government services?

Are these suppliers all Canadian or are there some from other countries?

Let's have a very brief answer, please.

Thank you very much.

We will go to our final two and a half minute intervention.

My understanding, Mr. Green, is that you have ceded your time to Mr. McCauley. Is that correct?

I have. I'm keenly interested to see where he goes with it.

Thank you very much.

Mr. McCauley, you have the final intervention for two and a half minutes.

Thanks.

Mr. Jones, just back to you, again in your opening remarks, you said, “Finally, it is important to note that the Government of Canada has a strong and valuable relationship with our international cyber partners. We...share information, which has significant impact on protecting our respective countries' safety and security.”

This goes back to Huawei. We're the only one of the Five Eyes that has not banned Huawei from our 5G or the major role. How will this affect us? Do we risk being excluded from the sharing of vital information if we move ahead with something like Huawei?

Do we risk being shut out of such information for using Huawei, when everyone else has banned Huawei for security reasons?

Do you think this is going to be a political decision as opposed to a decision made by your department or on information provided by your department?

If we went to Huawei, you say you believe there would be no change in sharing. We've heard the U.S. threaten to cut us out of information sharing if we go to Huawei. Is that not a concern for you?

I know you can't speak for other countries. Is that not a concern for you, as a Canadian dealing in your business, that we will be shut out if we go against our allies' wishes and go to Huawei servers?

Thank you very much.

I'm dumbfounded. I'm absolutely dumbfounded.

Thank you very much. I'd like to thank all of our witnesses who were here today, witnesses from Shared Services Canada, the Treasury Board Secretariat and, of course, the Communications Security Establishment. Your information, your testimony, has been very helpful and informed.

To Mr. Jones personally, I know that on a number of occasions people talked about the fact that you may have some difficulty sleeping at night, particularly in your position. I would just point out to you, sir, that's why God invented red wine, so perhaps take that into account.

To the rest of you, colleagues, we will meet again this Friday at 11 a.m. eastern standard time. I wish, in the intervening three or four days, that you all keep healthy and safe, and we will see you on Friday.

Have a good evening, everyone.