Evidence of meeting #14 for Government Operations and Estimates in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
6:30 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Thank you very much.
We will now go to Monsieur Drouin, for five minutes, please.
6:30 p.m.
Liberal
Francis Drouin Liberal Glengarry—Prescott—Russell, ON
Thank you, Mr. Chair, and through you, I will be asking my questions to Mr. Glover.
I recall almost 10 years ago, 2013 I believe, it was Marissa Mayer, when the whole debate about working from home versus not working at home.... That Yahoo CEO said, “I'm bringing back all the employees to work and nobody is working from home.”
In our case, I know that some employees were able to work from home, but now COVID-19 has hit and everybody must work from home. Can you talk to me about ramping up that capacity to allow telework, to allow our public servants to work from home?
6:30 p.m.
President, Shared Services Canada
Absolutely, I would be happy to do that. My apologies if I take up all of your time; just wave and I will stop.
We did a ton of work here. It was truly unprecedented. It started with what we call secure remote access points, to make sure that we were doing this safely.
When Mr. Jones was talking about all the work in terms of COVID, one of the things he forgot to share with you is all the advice they gave us about how to do this safely. That involved setting up secure remote access points for public servants to do that.
We worked with all the major telcos and Internet providers to expand bandwidth and dedicate it in spots where we knew it was weak. We worked with first responders to make sure they had priority access to the lines they needed. It was really multi-faceted.
We realized very quickly that it wasn't just the number of secure remote access points that were relevant. It was also bandwidth. It was how they were working, what they were doing—and they were doing a lot. We had to really increase the bandwidth. We've just about doubled the number of secure remote access points, and we have just about doubled the bandwidth that's dedicated to this as well. There were big, big changes in that space.
The minister spoke about call centre operators, for example. We moved to make sure they had tablets and they had phones, so that they didn't need to go into a physical call centre. We worked with the telcos and the service providers to make sure the technology worked. That was part of the reason, in the earlier days, that we had a few—quite a few, frankly—dropped calls. We worked quickly to correct that, to route those calls to people's homes so they would be able to do that.
We also realized that not everybody needed the secure remote access, so we worked to stand up what we call the government collaboration site. It's Microsoft Office 365 and Teams in the cloud, but not secured. Public servants are still able to work together to collaborate with colleagues on a government-sponsored platform, but it is not secured. They know that. We're then going to roll that back in so that no information is lost.
We tried to give people as many tools and choices as possible to be able to operate. We doubled our video-conferencing capacity. We went from about a million minutes, a million and a half minutes a day of teleconferences, to over five million a day.
It was literally just standing up capacity. It was not just a tablet and Internet, but the telephones that go with it, the video conferencing, the security, the service to store all of the data with CERB and with more people applying. It was really quite comprehensive.
6:30 p.m.
Liberal
Francis Drouin Liberal Glengarry—Prescott—Russell, ON
Mr. Glover, I know through the Buyandsell.gc.ca website, for instance, IT services and IT products were identified as priorities for COVID-related issues. Did your organization go to the same suppliers that you would normally go to, or did you provide some innovation within the system to allow...? Maybe there are new products out there that we don't know of yet, or great solutions that were offered through Buyandsell.
How did your department balance “I'm going to go with the people I know” versus “there may be new solutions out there that we still don't know of”?
6:35 p.m.
President, Shared Services Canada
There are two parts to the answer to the member's question.
The first is that we needed to move quickly, so scale and speed mattered and we looked for partners in vendors that were going to be able to do that. To move at the numbers we were dealing with—millions of Canadians logging in simultaneously on day one—had to be a no-fail. We needed to be ready. The systems needed to work, so we had to work with people who could move at the speed and the scale we were looking for. It was not who we knew; it was speed, scale and security.
Because we work from coast to coast to coast, we had to look at our relationships with SMEs. We couldn't get to all the places we needed to get to, so we shifted the business model to allow, for example, trusted partners to be able to configure and install equipment for us. We would audit that and ship direct to reduce the time we were taking. We innovated that way and tried to bring more SMEs, particularly those that perhaps might have been hurting for some business, and we had some. If they could meet our security requirements, we were able to bring them into the ecosystem, so it was that mix.
I will tell you, quite frankly, I received—
6:35 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Very briefly, sir, you're over time now, so finish in the next 16 seconds, please.
6:35 p.m.
President, Shared Services Canada
I received offers for new technologies virtually every day. We worked with partners to try to assess those to find ones that were relevant to us. We have literally been inundated with people trying to provide new services to us and we're trying to work through all those.
6:35 p.m.
Conservative
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Thanks.
Mr. Jones, I'd just like to follow up on Mrs. Block's question regarding Huawei. You commented that we have to protect ourselves from all vendors. Do you feel the same way about the other two main vendors, Ericsson and Nokia, for servers, as Huawei, that we have to protect ourselves against them?
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
We look to make sure that we evaluate every individual product and company on its own basis and then we try different mitigations, depending on where it comes from.
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
You talked about extra risk reduction. Is there a larger risk issue with Huawei than, say, Ericsson or Nokia?
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
There are different risks. One of the things that we look for is—
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
What are the different risks for Huawei, say, than for Ericsson?
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
For example, we look to see where the products are coming from, where they're being built, where the software is being written. In general, for most of this equipment it's not really a physical hardware issue; it's mostly software. Software right now is being written around the world. One of the things we look at is the testing framework that needs to go with it.
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
You're putting Huawei on the same level of security risk-wise as, say, Nokia or Ericsson.
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
We would take it into account where we apply different mitigations. One example would be the lab testing program we have in place with a Canadian lab company that does additional testing. That's an additional mitigation measure that we put in place for the existing 4G network.
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Let me ask you a couple of different questions. The minister stated earlier in her comment that it is widely know Zoom is insecure. Many government workers use Zoom. How do you feel about private caucus meetings—Conservatives, Liberals, NDP or the Bloc—using Zoom, if it is widely known to be insecure?
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Zoom bombing was a phenomenon. We heard a lot about it at the beginning of the COVID crisis. We can do things like using the lobby as we did here, using unique codes and passwords, sharing those things as a way to minimize the number of people....
In terms of the communication itself, we've never assessed Zoom for the protection of sensitive communications, such as those we call protected B in the government.
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Should we not be doing that? The governing Liberals are having their caucus meetings over Zoom, and the opposition and the NDP are discussing confidential government information.
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
We've been working with the House of Commons to find an appropriate balance. Unfortunately, it was security.... No one product has all the features we need plus all the security things we would be looking for, and it really is to strike a balance between using—
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
What's your level of inability to sleep at night over something like this? Is it that you sleep soundly or you're up at night with the night terrors over the lack of security for members of Parliament using the prescribed program in the House of Commons?
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
I'm very comfortable with using Zoom for this. I think the way we've worked with the House of Commons to set it up and mitigate—
6:35 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
I don't mean for committee work that's open to anyone viewing. I mean for private information, such as a caucus meetings, or perhaps cabinet meetings, if they're doing those over Zoom.
6:35 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
One of the things we are working on with the House of Commons staff is to provide a solution for caucus meetings, and for electronic voting as well, to make sure that we're adding additional layers of security. That is something we have been working with since the beginning in continuing to enhance security but also maintain the usability. I think that's something we're working to strike a balance on with the House of Commons. We have a team stood up and their full-time job is to work with the House of Commons to support you.
6:40 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
In your opening statement, you mention that you monitor and protect programs against cyber-threats, including CERB. What is the threat there? Is it duplicate programs? Are people hacking into CERB? The reason I ask is that in a National Post article today there was a concern expressed that people overseas could be applying. Is it a matter of ensuring the VPN users are actually in Canada for applying? What are your concerns about it?