Evidence of meeting #14 for Government Operations and Estimates in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Perfect. That's exactly what I was hoping for. I was hoping that you'd go in and demystify those different building blocks.
Then we have COVID-19. Naturally, that has impacted our strategy or our road map to deliver what we had committed to. Can you quickly talk about the overall impact on our ability to deliver? Where have we had the highest impact?
Acting Chief Information Officer of Canada, Treasury Board Secretariat
Internally, the work that Shared Services has done has been incredible in shifting the entire network configuration from one that is centred on people sitting in buildings talking to the outside to everyone sitting at home talking to the inside. The minister and Mr. Glover talked a bit about the actions that were taken. That was the first pivot.
The second pivot was very clearly the benefits to Canadians and the work that CRA and ESDC did to deploy the Canadian emergency relief benefit as well as others, the wages and things like that. Those were—
Liberal
Majid Jowhari Liberal Richmond Hill, ON
I'm sorry to interrupt. Very quickly, where do you think our vulnerabilities are going forward, based on the original strategy we had?
Acting Chief Information Officer of Canada, Treasury Board Secretariat
I'm not sure I understand. The vulnerabilities in response to...?
Liberal
Majid Jowhari Liberal Richmond Hill, ON
It's our response to our ability to deliver our mandate because of the impact of COVID-19.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
Right. I think that it isn't necessarily a vulnerability, rather than a shift—
Acting Chief Information Officer of Canada, Treasury Board Secretariat
It's also a shift in priorities, and there's a natural reason for that. I think those reasons are valid. As we start to plan for the resumption of business and a return to the workplace, going back to those original priorities pre-COVID is going to be the next focus.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Give me one of the priorities that we have to pay special attention to as we are ramping up and opening up the economy.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
I think that's a bit out of my wheelhouse, because I'm focused more on the internals of government operations.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
Yes, I realize that, but as an internal government we are supporting those initiatives.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
Absolutely. Ensuring that the departments responsible for that have the infrastructure required to deliver those services is a key priority. That's absolutely what we're focusing on.
Liberal
Majid Jowhari Liberal Richmond Hill, ON
I have 30 seconds left. Do we have the capital resources and the funding to be able to deliver that? If not, where should we focus on getting those resources?
Acting Chief Information Officer of Canada, Treasury Board Secretariat
The short answer is that it's part of the planning process and the prioritization that we have to look at as we move forward.
Conservative
The Chair Conservative Tom Lukiwski
Thank you very much.
Ms. Vignola, you have the floor for six minutes.
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
Excuse me. The interpretation was cut off, so I didn't hear everything.
In the departmental plan, Shared Services Canada noted that computer-related threats were constant. Earlier, it was said that there are 2 billion daily attacks against various government services. At least that's what I heard.
First, what resources does Shared Services Canada have to prevent these attacks?
Second, is there collaboration with other police services, such as the SQ?
Third, where are these attacks coming from? Are they coming from internal sources in Canada or from external sources?
I'll stop with three questions. I'll see later about the rest.
My questions are for either Mr. Brouillard or Mr. Jones.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Maybe I'll answer the general cybersecurity questions first.
On the first aspect in terms of where they come from, they come from all around the world. This is typical for cyber-actors. There is no unique location.
What we really look at is how to take care of any of the malicious activity rather than the individuals behind it. We work with our colleagues in law enforcement. Certainly, we do work with law enforcement from across the country, including the Sûreté du Québec, and with our partners in the RCMP as well, to make sure that we're trying to address these things.
Primarily, we let law enforcement do their job and we respond to ours, which is to really try to enhance the safety of Canadians in terms of giving them advice on how to protect themselves, and we really hope that our colleagues in law enforcement.... We try to get as much information as we can so they can do their jobs to go after the criminals at the other end of malicious cyber-activities.
Paul.
President, Shared Services Canada
Thanks, Scott.
In response to the question about the resources that Shared Services needs, there are a number of things. It's access to expertise, such as the Canadian Centre for Cyber Security, which is constantly monitoring those things. It's access to technology in the networks and in the data centres.
It's a range of things that work together to make sure of this, including, frankly, the physical layouts of buildings. Oftentimes you need to take a look at internal threats. For example, at the data centres, we make sure that, for people going in and out, it's all properly logged and captured. The ability to remove hardware is something that is deeply and tightly controlled.
It is definitely multi-faceted. We look at threats from all angles. We rely on a lot of the policy, direction and expertise from our colleagues elsewhere, and then work to ensure that we apply best practices to put that into the systems overall, from the desktop through the network to the end data centre, and at every step along the way.
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
Earlier, we talked about applications. There's a whole host of them and rumours are rife. Some companies would like to have applications to monitor their employees, for example to calculate the number of clicks, the sites they have visited, and so on.
Does the Government of Canada currently use this type of application for its own employees who telework?
President, Shared Services Canada
I'll take a first shot at the member's question.
We do not monitor how long they're on. Those are issues that the department deals with. What we do monitor is the type of traffic, the nature of it from a security point of view, to make sure they're visiting appropriate sites, the nature of the activity. It is at a very depersonalized level. Often, it's not an individual. It's firewalls. It's artificial intelligence, and looking at those things.
It's not exactly the same as individual companies trying to time-track their employees and what they're doing. It's purely from a security.... It's the nature of the communications, the nature of the exchange, to make sure there have been no compromises or threats.
Bloc
Julie Vignola Bloc Beauport—Limoilou, QC
Thank you.
Among other things, there was talk of increased bandwidth, new computers, new structures, microphones and cyber security. To date, what is the impact of these new needs on budgets?
Conservative
President, Shared Services Canada
Sure.
It's been about $58 million all told. That's tablets and equipment to help people work at home, network upgrades, secure remote access points, specialized equipment and hardware to deal with the volumes of Canadians trying to access new benefits, and increased storage costs and computing costs to deal with those unprecedented volumes. It's everything end to end.