Evidence of meeting #33 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Sony Perron  Executive Vice-President, Shared Services Canada
Marc Brouillard  Acting Chief Information Officer of Canada, Treasury Board Secretariat

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Well, as I said, we are able to provide the full range of services that we do for the federal government. It is by far our biggest client, but those are optional for Crown corporations. They make the choice. We have made the offer to every one of them to work with them just as we do with every government department.

4:25 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

Thanks.

4:25 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. McCauley.

Now we'll go to Mr. Kusmierczyk for five minutes.

4:25 p.m.

Liberal

Irek Kusmierczyk Liberal Windsor—Tecumseh, ON

Thank you, Mr. Chair.

Each year the chief information officer hands out community awards. In 2020 Shared Services Canada was awarded the excellence in diversity and inclusion award for the accessibility, accommodations and adaptive computer technology program, or AAACT. I was delighted to see that an additional $3 million was allocated in budget 2021 towards this important program. Again, I'm delighted to see the work of SSC in accessibility and disability inclusion, so well done to the team.

This being National AccessAbility Week, are there specific challenges when we talk about cybersecurity and disability inclusion? In other words, how do we make cybersecurity accessible?

I guess this would be a question for either Mr. Perron or Mr. Davies.

4:25 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Mr. Chair, it's an interesting question in the sense that while we are very focused on security and cybersecurity, we need to make sure that our employees and Canadians have access to the services and the systems we are putting in place. Accessibility is always, besides security, one of the preoccupations.

At Shared Services Canada we have a team, which is called the accessibility, accommodation and adaptive computer technology program team. It reviews and advises departments on applications and solutions to really make sure that when something is launched, whether it's an application or a new process, it's accessible by default, making sure that what has been in place for a while is also reviewed and adjusted. We follow the standards for accessibility. We have that capacity, and it's very important.

The link with security here is that when we implement new measures, we have to make sure we test them from an accessibility perspective so that it doesn't become a barrier for those who legitimately need to access these applications and these systems to do their work or to access their services. It's critical that we maintain that attention.

There are two other aspects to this program. One is about supporting the employees so they receive an assessment of what might be needed for them to fully operate in the workplace, so making sure that we have equality there. The other is about providing advice. Last year we added a dimension that had been missing from that, which is that new employees or temporary employees coming in also benefit from what we call the lending library. It's to make sure that early on in their employment with the federal government, as an employer of choice, we provide them with the tools and the adaptations in terms of technology, monitors, devices and applications that can help them to fully participate in the workplace. This program is essential.

Thank you for mentioning that. It's very important, particularly this week.

4:25 p.m.

Liberal

Irek Kusmierczyk Liberal Windsor—Tecumseh, ON

That's it exactly. I appreciate the fact that whenever we're looking to introduce cybersecurity measures, we're always putting an accessibility lens on those measures themselves so that they don't add barriers to our federal employees.

According to the digital operations strategic plan, the federal government is on track to launch the OneGC program, which will allow individuals and businesses to use a single identity and password to access federal government services through a single window on Canada.ca. We're talking about making things easier as well for people.

What is the status of the work on the OneGC platform? What are some of the challenges to delivering on that vision?

4:25 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

The principle behind OneGC is that we don't want Canadians to have to try to understand and decode all of the government bureaucracy machinery behind it, and really have a single window for all services to Canadians. That's Canada.ca. To enable that to the next level, to take it to a service-oriented environment, the foundation of that is digital identity. We want to be able to allow Canadians to use the trusted identity of their choice to access services on Canada.ca and to move between those services seamlessly.

We've recently launched a pilot project with ESDC, which is called the benefits delivery modernization program, to enable what is called Sign In Canada. This is going to be used specifically to access those benefits that ESDC delivers in a way that is seamless to Canadians. They'll be able to log in once and access multiple services.

We're doing that with an enterprise lens so that once that work is completed, it will be reusable by other departments and agencies, so that ultimately and eventually all GC services will be available through a single identity capability. That's what we call the OneGC.

Thank you.

4:30 p.m.

Liberal

Irek Kusmierczyk Liberal Windsor—Tecumseh, ON

Are there additional risks or challenges that this service simplification or streamlining represents in terms of cybersecurity?

4:30 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Under the current model, if you had all services accessible under a single credential and that credential was compromised, there would obviously be an increased risk. What we're doing to address that is making sure this is bound not just through a credential but through a true digital identity, something that is verifiable and highly secure. For example, you would need to be able to provide access to your provincial identity plus maybe a password or some other form of identification. Multiple actions are required to gain access to it. We call that multifactor authentication. That's how this service will be more secure.

4:30 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Kusmierczyk.

We'll now go to Ms. Vignola for two and a half minutes.

May 31st, 2021 / 4:30 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Thank you very much.

My question will be to Mr. Jones or Mr. Brouillard. They are sharing the task.

Mr. Brouillard, last week there was some half-joking, full earnest talk about outdated systems, comparing them to our old DOS systems. Joking aside, what are the biggest risks and threats caused by our outdated systems? The Auditor General talked about breaking points caused by obsolescence.

Are we at that breaking point? What might the consequences be for citizens? Where exactly are the threats coming from? Are they domestic or international threats? If they are international, which country is attacking us?

4:30 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

I will answer the question first.

I'll explain the difference between technical debt and legacy system risk.

First, the older the systems, the more expensive it is to maintain them. It's like buying a car and not putting oil in the engine: sooner or later, you'll have to replace the engine.

Second, as systems age, cyber risks increase because systems are exposed for much longer to cyber attackers.

I will turn the floor over to Mr. Jones to explain this risk.

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you.

There are a couple of things I would just add. The first one is that if the system is connected to the Internet, it has to be kept up to date. That's where our legacy environment just isn't connected in that same way. This is where a modern environment does change the threat.

That being said, in general, where we're looking at threats coming from actually doesn't matter as a cyber defender. We look at what the malicious activity could look like, no matter where it comes from, because we don't differentiate that. Then if there is a threat it's dealt with by the proper authorities who investigate those types of activities. In most cases it would be the RCMP if it were something of a criminal nature.

When we're looking at the IT environment there are a few things we've said, and they're in our top 10. One of the biggest ones is maintaining systems up to date, keeping them up to date and ensuring that they're continuously improved. That's one area where we need to be working on the next generation of technology with security built in from the start. Security is not something you bolt around systems; it's built in throughout the process. When Marc was talking about the digital identity process, security was thought of from the start, before a single piece of code was written or a simple application was purchased. That's what we need to be doing going forward.

4:30 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Jones and Ms. Vignola.

We'll now go to Mr. Green for two and a half minutes.

4:30 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Thank you.

On May 25, 2020, Mr. Glover told the committee that in the first 10 weeks of the pandemic, there had been no incidents involving data breaches. However, during the same period, there had been incident blocks every day, but none of consequence.

How has the situation evolved since May of last year? Have there been any incidents involving data breaches?

That's for the CIO, Mr. Brouillard, I believe.

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Mr. Chair, to my knowledge, there have been no significant data breaches related to cyber-activity since the pandemic started. There was the credential stuffing incident from last summer, which as Mr. Jones talked about, wasn't a breach of our systems; it was people accessing the system with fraudulent credentials. That really becomes fraud, not cybersecurity.

Some other incidents we've talked about today—SolarWinds, the Microsoft Exchange vulnerability, some third party vulnerabilities as well—have been addressed. They were remediated, but there was no significant breach of data.

4:35 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Have there been any incidents concerning blocks that are of consequence? If so, how many and when?

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

I'm sorry. Please define “blocks”, as in—

4:35 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Well, Mr. Glover was quoted as saying that there had been incident blocks every day, but none of consequence. I think I know what it means, but I don't want to—

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

On the technical aspects, maybe Mr. Perron or Mr. Jones would like to comment.

4:35 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Is it a denial of service type of deal?

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

That they stop, yes.

4:35 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Maybe I can add that in the first, I would say, 10 weeks of the pandemic, there were difficulties for the system to accommodate remote access and there was not enough connection. When it came to the end of May to June last year, the capacity ramped up in terms of secure remote access, so these blocks have stopped.

You may have noticed at the time that Mr. Glover was talking, we were also talking about the situation where we were asking employees to use the system only at certain times of the day. We went over this during the summer by increasing the capacity of secure remote access.

I will insist on the words “secure remote access”. The idea is not to give access. It's to give secure remote access, allowing our employees to work from home and not increase the risk for the network and the government's activities. Now we are able to provide 290,000 simultaneous connections, and we have answered all the demands from the departments in terms of increasing capacity.

With regard to these situations that were visible in the first few weeks of the pandemic, with hard work and collaboration among the parties, we were able to put in place solutions that have allowed hundreds of thousands of federal employees to do their work from home.

4:35 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Perron and Mr. Green.

We will now go to Ms. Harder for five minutes.

4:35 p.m.

Conservative

Rachael Harder Conservative Lethbridge, AB

Mr. Perron, my question is for you.

Shared Services is responsible for all IT-related procurement. We're talking about emails, telephone, computer data centres for the entire Government of Canada. Given your role, can you tell this committee whether or not there is a prohibition on securing Huawei technology for any department within the Government of Canada?