Evidence of meeting #14 for Government Operations and Estimates in the 43rd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.
A recording is available from Parliament.
5:35 p.m.
Liberal
Patrick Weiler Liberal West Vancouver—Sunshine Coast—Sea to Sky Country, BC
Thanks for that answer.
Next, how is cybersecurity addressed in the Government of Canada, including cyber-threats that might pose a risk to government infrastructure, or potentially, when they're aimed at private enterprise?
5:35 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Cybersecurity is addressed in a very integrated way so that there is not a patchwork of approaches across the Government of Canada. This is essential to the success we've been hearing about from officials today in terms of reducing the vulnerabilities and the success of attacks. The Canadian Centre for Cyber Security is the core organization that provides the various aspects of being able to protect government networks and activities from being hacked or threatened.
The chief information officer branch, SSC and CSE, the Communications Security Establishment, are the triumvirate in what is a coordinated approach. They have written what is called the Government of Canada cybersecurity event management plan, so that when an event or an incident occurs, it is very clear who has what role in responding so that we can be effective as an organization right across the government.
I will ask whether Scott has other elements of that to add.
5:40 p.m.
Conservative
5:40 p.m.
Head, Canadian Centre for Cyber Security, Communications Security Establishment
Thank you. I'll just add a bit more onto that.
The Government of Canada has multiple layers of defence that we use. Then we take everything we learn in defending the Government of Canada and make sure it's available to every Canadian business.
We've done that in many different ways. One is to give it to an organization called the Canadian Internet Registration Authority, so that every Canadian can benefit from something called Canadian Shield, which I'd be happy to talk about, but also to send out unique indicators of compromise that have never been seen anywhere else in the world because of the world-class defence we've been able to build for the government. We're making sure we're leveraging that to give it to all Canadians, including, of course, Canadian businesses.
5:40 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Thank you very much.
We'll go back to Mr. Aboultaif, for five minutes, please.
5:40 p.m.
Conservative
Ziad Aboultaif Conservative Edmonton Manning, AB
The government operations committee once requested from the department.... The department on digital government indicated that 11% of the federal government's application portfolio is unused, basically.
Minister, can you tell us, in numbers, how many applications are unused, or haven't been assessed, as a better term?
5:40 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
If I could clarify, they haven't been assessed for what purpose, Mr. Aboultaif?
5:40 p.m.
Conservative
Ziad Aboultaif Conservative Edmonton Manning, AB
For all purposes, for validity, for the benefits of it, and actually whether we need it or not.
You know and I know that there are still many of the digital centres that have either been shut down or are not being used. We've spoken about that before. I'm wondering, with regard to the software applications, how many software applications haven't been assessed yet.
5:40 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Thanks for that question.
Software applications are owned by the departments that use them to provide their services. They are not part of the responsibility of digital government.
I can say that there are many, many applications, somewhere around 18,000 applications, and some of them are older. There's no question about that. We're working with all of the departments to encourage them to reduce the number and to consolidate their applications, as well as to use digital principles, so that we have an approach across government where we're working together and sharing applications that can be used for various departments.
5:40 p.m.
Conservative
Ziad Aboultaif Conservative Edmonton Manning, AB
Do I understand that the 18,000 applications haven't been assessed? Is that correct?
5:40 p.m.
Liberal
5:40 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
Thank you, Minister.
The 18,000 number refers to the total inventory of applications in our application portfolio. Of those, we have an annual reporting exercise where departments report in on their status, their health, and as you mentioned, their technical validity. Out of that inventory, there are about 10% or 11% that aren't reported on. This could be because they've been closed and they're no longer in use, or it could be mistakes in reporting.
The other way of looking at it is that we have over 90% of applications reporting.
5:40 p.m.
Conservative
Ziad Aboultaif Conservative Edmonton Manning, AB
The answer from the department shows that there are 7,363 software applications that haven't been assessed. That is based on the report that came out of your department. To clarify the record—at least to correct the records in place—the answer is that 7,363 software applications haven't been corrected.
This is showing that the digital infrastructure is collapsing. Is it a fair assessment to say that, because only 36% of the applications are in a healthy state and the rest are not?
5:40 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
Thanks for the question.
I would characterize our situation in Canada as doing a great deal of work to transform our government's Internet and telecommunications technology foundations to be able to serve Canadians better. There are many examples of where that's working. Yes, there are some legacy systems, data centres, as well as applications that pose challenges, and we are working in a very thorough and step-by-step way to address those issues.
5:45 p.m.
Conservative
Ziad Aboultaif Conservative Edmonton Manning, AB
As mentioned, only 36% of those applications are in a healthy state. The 64% are not, which is basically two-thirds.
What is the timetable, Minister, that you're going to achieve, looking forward, to make sure that what we have is basically 100% healthy, to be able to operate properly?
5:45 p.m.
Liberal
5:45 p.m.
Acting Chief Information Officer of Canada, Treasury Board Secretariat
Thank you, Minister.
The importance is not to.... We do not have a timetable for the whole application, but it is to focus on modernizing those applications of the highest criticality and the highest business value to government, and that is what we're doing. We have plans to look at those applications and migrate them to either end-state data centres or cloud.
5:45 p.m.
Conservative
The Chair Conservative Tom Lukiwski
Thank you very much.
We'll now go to our last five-minute intervention.
Mr. Kusmierczyk, you have five minutes, please.
5:45 p.m.
Liberal
Irek Kusmierczyk Liberal Windsor—Tecumseh, ON
Thank you very much, Chair.
Just to pick up on the line of questioning of my colleague, according to the SSC's 2020-21 departmental plan, nearly 80% of the federal government’s roughly 18,000 applications reside in aging and unreliable data centres that are at risk of service outages and failures, and it will prioritize moving these applications to the cloud or enterprise data centres.
I just wanted to know whether the COVID crisis has accelerated this process. Are there also advantages to moving to the cloud in terms of cybersecurity? Maybe we'll just begin with those two questions to start.
5:45 p.m.
Liberal
Joyce Murray Liberal Vancouver Quadra, BC
There certainly are advantages to moving to the cloud. I would say security is a big one, but also cost-effectiveness.
I will ask Paul Glover of Shared Services Canada to comment on whether that initiative, that migration of data centres, which our government funded several years ago and is well under way, has continued during the last three months while we have had to really focus on emergency answers to millions of Canadians in a way that hadn't been anticipated.
5:45 p.m.
President, Shared Services Canada
Thank you, Minister.
Without a doubt, that work has continued. It's really important. Some of the buildings were at their end of life. We needed to get the data centres out of there and into what we call modern end-state data centres. We continue to work very hard. In the last two years we've exceeded our targets—120% last year, and over 100% of target this year. Just about 100 data centres were closed this past year.
We continue to significantly reduce the number of data centres that we're closing, but the goal isn't just to shut data centres. As you say, it's the applications that reside in them and making sure that we have robust strategies so that those applications can continue to operate. We're doing that. We're moving them to more modern data centres. We're making sure that when we can't get to them, we're replacing hardware so that they no longer have the same risks. Not all of them need to be moved. For some of them, it's just a good bit of maintenance and upgrades to make sure they're functional.
With respect to cloud, absolutely, we've seen an acceleration because it's about speed and scale. To some of the comments about call centres earlier, when you go from a few thousand calls to hundreds of thousands of calls a minute, you need to be able to scale up very quickly. Cloud provides the ability to do that.
We're very pleased to report that, through the co-operation of the CSE and the policy direction of the CIO, we're ensuring that the journey to cloud is safe for Canadians and for the government. We have a secure channel to cloud, so that when applications do exist in the cloud, the network and the path there is secure.
All of our cloud contracts are protected. That includes things like the Patriot Act and others, where all the cloud data centres are on Canadian soil for departments to be able to use for protected information. The work has accelerated, and we are ensuring that it is done in a very secure and safe manner.
5:50 p.m.
Liberal
Irek Kusmierczyk Liberal Windsor—Tecumseh, ON
Thank you very much for that very detailed response.
Just to follow up on that, I'm wondering whether the federal government has experienced fewer cybersecurity incidents affecting applications that are already in the cloud.
5:50 p.m.
President, Shared Services Canada
I would repeat what Scott Jones has said. Our perimeter is really world-class and is the envy of many other nations. It is constantly blocking threats, so to say there are none.... There are literally billions every day, but they don't get through. Even in those exceptionally rare cases where they do get through, they're spotted very quickly and contained. Services are shut down, brought offline and unplugged before any damage can be done. There were literally no incidents in the last 10 weeks that I can think of where there has been any data breaches at all. There are incident blocks every day, but none of consequence.