Evidence of meeting #14 for Government Operations and Estimates in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
5:50 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Okay.
For those who are listening or watching, as well as our members, there is access to a free version of CIRA's Canadian Shield firewall. That's for small businesses, but also for individual Canadians. That is drawing on the experience and expertise of the combined team through the cybersecurity initiatives in the Government of Canada.
5:50 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Thank you so much.
We'll now go to our two and a half minute interventions, starting with Monsieur Barsalou-Duval.
5:50 p.m.
Bloc
Xavier Barsalou-Duval Bloc Pierre-Boucher—Les Patriotes—Verchères, QC
Thank you very much, Mr. Chair.
Earlier, I heard repeatedly that since the beginning of the COVID-19 pandemic, when people were encouraged to work from home, there have been no security problems, no intrusions and no data leaks regarding our officials. The same would seem to be true for House of Commons staff.
However, I've also heard that in the majority of cases where there are leaks, data leaks or espionage, for example, people are not aware of it or don't notice it.
How do you know there wasn't one, when people rarely notice?
5:50 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Thank you for that question.
What we do know is that it was a high priority for us to be able to serve Canadians and to provide the tools so that our public services could do that and do it safely within the perimeter of the Government of Canada's security perimeter. It has been very successful.
We're also clear on what activities have to happen through secure channels and which ones can happen through other public tools like Zoom. I will ask Mr. Glover to explain how we—
5:50 p.m.
Bloc
Xavier Barsalou-Duval Bloc Pierre-Boucher—Les Patriotes—Verchères, QC
So you can't guarantee that there have been no leaks, data leaks, espionage or anything like that.
5:50 p.m.
President, Shared Services Canada
I will turn to Scott from the CSE to round out this answer, but the reason we can say this is that we have tools that monitor the traffic, so we're able to understand, and these tools are intelligent, using artificial and other things—the firewalls—to both block and monitor what's happening. If traffic is getting redirected and is inappropriate as flagged, we would be able to see that and stop that.
Scott.
5:50 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Mr. Jones, I know that you're going to be sticking around for another hour. Perhaps you can expand upon the answer you were about to give, but we're completely out of time, unfortunately.
We'll go to our final intervention.
Mr. Green, you have two and a half minutes, please.
5:50 p.m.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you, Mr. Chair.
In its digital operations strategic plan 2018-22, the federal government recognized the need to modernize its aging at-risk IT infrastructure and systems. It also indicated that its “IT systems and assets that have been in service beyond their normal useful life will fail to meet the current and emerging requirements for the delivery of timely and critical services and information to Canadians”.
For the minister, in your mandate letter, the Prime Minister asked you to identify “all core and at-risk IT systems and platforms”. Has the federal government modernized its at-risk infrastructure and systems since the beginning of the pandemic? If so, what is the estimated cost of updating all identified core and at-risk IT systems and platforms?
5:55 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Thank you.
That's a pretty big task that you just laid out there. This is something that is being done over the course of a number of years. Shared Services Canada was assigned $2.2 billion in the 2018 budget, and there have been other budget amounts since then.
I will ask Marc, who is the acting CIO, to continue with the details for that question.
5:55 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
Thank you, Minister.
As you mentioned, Minister, in budget 2018, funds were allocated to modernize, and that included an application modernization fund of $110 million that was designed to support departments in taking their legacy applications and moving them into modern cloud infrastructures. At the same time, that's the right opportunity to look at their digital processes and to look at improving the way they deliver those services.
Identification of core services is ongoing. There's an inventory of the critical systems that require those modernizations, and we're continuing to work with departments on supporting those initiatives.
5:55 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Thank you very much.
Minister, that ends our first round of questions. We want to thank you very much for your appearance here today. I can safely say that I suspect when you signed up for this job as Minister of Digital Services you didn't think, nor did any of us, that the situation we see today, in which we're living in a virtual world, would be upon you and your officials. Thank you for being here. We appreciate your appearance. Good luck to you. I hope you stay healthy and safe.
5:55 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Colleagues, we will not suspend. I will excuse the minister, however.
We will go directly into our second hour. We have with us the head of the Communications Security Establishment, Mr. Scott Jones. He has a brief, five-minute opening statement.
Mr. Jones, I'd ask you to deliver that statement now.
5:55 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Thank you, Mr. Chair, and thank you for having me continue to appear before you today.
I am the head of the Canadian Centre for Cyber Security within the Communications Security Establishment. We are one of Canada’s key intelligence agencies and the country’s lead technical and operational agency for cybersecurity. We report to the Minister of National Defence.
CSE continues to leverage all aspects of our mandate to ensure that Canada is protected against cyber-threats and that the Government of Canada has access to information that can help inform decisions on Canada's approach to COVID-19.
In October 2018, the cyber centre was launched as a unified source of expert advice, guidance, services and support on cybersecurity operational matters, providing Canadian citizens and businesses with a clear and trusted place to turn for cybersecurity advice. The COVID-19 pandemic has required us all to make changes to our daily routines and has impacted the way we work and communicate with one another.
During these uncertain times, cyber-threat actors are attempting to take advantage of Canadians’ heightened levels of concern and fear around COVID-19. Many Canadians are naturally feeling fearful and stressed, and those strong emotional responses can be exploited online. We’ve seen an increase in reports of malicious actors using COVID-19 in phishing campaigns and malware scams.
I would like to provide you with an update on the work the cyber centre is doing to protect Canadians, systems of importance, the House of Commons and the Government of Canada from cyber-fraud occurring before, during and after the pandemic.
First, to protect Canadians we continue to leverage all of our mandate to help ensure that Canada is protected against threats. The cyber centre is working tirelessly to continuously raise public awareness of cyber-threats to Canadian health organizations by proactively issuing cyber-threat alerts and providing tailored advice and guidance to Canadian health organizations, government partners and industry stakeholders.
In addition to our advice and guidance for Canadian organizations, we continue to enhance the Get Cyber Safe public awareness campaign to help every Canadian take action to help themselves be safe online. In coordination with industry partners and the international network of cybersecurity organizations, we have contributed to the removal of fraudulent sites and other materials used to lure Canadians, including sites impersonating the Government of Canada as I mentioned before.
As many people and organizations have shifted to working and learning from home due to COVID-19, their personal devices and home networks have become more attractive targets for cyber-threat actors. Cyber-attackers are looking to exploit teleworking connections, because so many people are now working outside their organizations’ IT security perimeters and they needed to quickly shift.
In response, we have partnered with the Canadian Internet Registration Authority, CIRA, to create and launch the CIRA Canadian Shield. The minister gave a great description of what CIRA is, and I would like to take this opportunity to thank CIRA for their tremendous leadership in giving Canadians an option to better protect themselves online. They are terrific partners.
To further protect Canadians, the next important step we’ve taken is informing them about cybersecurity matters. Through targeted advice and guidance, we're helping to protect Canadians’ cybersecurity interests. We've shared security tips on video teleconference tools and telework to help inform and educate Canadians so they can make good decisions about staying safe online.
We've created a collection of advice and guidance products, many of which are more relevant than ever. I encourage Canadians to visit our website to learn more about our specific guidelines and best practices that can be applied to protect themselves.
We have taken action to protect programs of importance to the government, including monitoring and protecting important Government of Canada programs, such as the Canada emergency response benefit web application, which you heard Mr. Glover talk about earlier.
As well, we have continued to evaluate cloud applications, including for the Public Health Agency of Canada, and enabled cybersecurity monitoring and defence for cloud usage across the government. The cyber centre has continued to collaborate with the Canadian Anti-Fraud Centre operated by the RCMP, the Ontario Provincial Police and the Competition Bureau, which are Canada’s trusted sources for reporting and mitigating mass-marketing fraud.
I’m also happy to mention that the cyber centre has a long-standing partnership with the House of Commons. As Parliament has shifted to virtual meetings, we are working alongside the House of Commons by providing tailored advice and guidance, including working to support virtual sittings and committee meetings. The cyber centre’s shared advice and guidance have helped you and all members make informed decisions when selecting, installing and using video teleconferencing tools. We are very proud to be supporting Parliament and the continuation of open parliamentary proceedings.
Finally, it is important to note that the Government of Canada has a strong and valuable relationship with our international cyber partners. We regularly share information, which has a significant impact on protecting our respective countries’ safety and security. I want to reassure Canadians that CSE and the cyber centre continue to work hard to mitigate these threats and protect Canadians.
Thank you very much, Mr. Chair.
6 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Thank you, Mr. Jones.
We'll now go into our six-minute round of interventions, starting with Mr. McCauley.
May 25th, 2020 / 6 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Thank you, Mr. Chair.
Mr. Brouillard, welcome. I'll start with you. Most of this is going to be around access to information.
How are we updating the guidelines for employees on Government of Canada information management?
6 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
You mean in terms of the new working conditions, working from—
6 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
We've reiterated to all Government of Canada employees that they have the responsibility to ensure that for any information of business value on GC equipment that is worked on from home, there's no issue with—
6 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Right, but are we doing anything besides reiterating to them?
6 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
We are reminding them that they have the responsibility and that, again, any public infrastructure, like Zoom or other collaboration sites, is for unclassified material only.
6 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Okay.
The directive on record-keeping outlines effective record-keeping practices that enable departments to manage and protect the integrity of information.
If we have so many people working from home now, what are we changing, one, to protect that information, and two, to make sure it is available for ATIPs?
6 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
We're providing the guidance that if GC employees are providing critical services, they still have access to the networks and to those tools. For users who are not—and we're sometimes asking them to either connect to the networks after hours or sporadically—we remind them that they still have the responsibility to get records of business value back into those systems.
There's a bit of tolerance for delays because they may not be able to connect to the network at all times. However, they're working on secure, government-furnished equipment from home, and they're still able to connect when possible.