Evidence of meeting #33 for Government Operations and Estimates in the 43rd Parliament, 2nd Session.

Also speaking

Scott Jones  Head, Canadian Centre for Cyber Security, Communications Security Establishment
Sony Perron  Executive Vice-President, Shared Services Canada
Marc Brouillard  Acting Chief Information Officer of Canada, Treasury Board Secretariat

4 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

You also mentioned a number of specific vaccine support organizations you work with. You talked about the protected DNS.

Can you expand on what the protected DNS is and what specifically your organization has done?

4 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

This is one of those areas where at previous meetings I've talked about a service called Canadian Shield, which is a service we work with with the Canadian Internet Registration Authority.

Let's say you get an email with a piece of malware, and it says, “Click on this”, and it's cybercrime. When you click, you can't go there. It stops it. That's how it's protected. It protects you from making that mistake when you click.

We've partnered with CIRA to provide the same service for commercial entities, in this case vaccine support organizations. We did that because of the threat they're facing during the pandemic. We worked to provide that same service.

That includes everything we learned from the Government of Canada and everything that we block. There are up to seven billion actions per day we take to defend the Government of Canada. We make sure all of that is also shared with CIRA, our partner in this, so that all those organizations also benefit from the same defence.

4 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

I also understand our government recently updated the digital operations strategic plan. I would like to get some input from all three witnesses on what their thoughts are about this. Could you start by explaining what the OSP is and how each one of your departments is contributing to that?

We could probably start with Mr. Jones.

4 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Mr. Chair, my office is the one that publishes what we call the DOSP. If it's okay, I can start, and then I'm sure the other members will have more to add.

4 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Okay. Let's start wherever is best.

4 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Thank you.

The DOSP is a document that is updated every year. It provides a three-year integrated management plan for service, information, data and cybersecurity. The current DOSP has been updated and refreshed to reflect the accelerated digital transformation.

It's made up of four areas, or what we call the four pillars. The first is modernizing the way we replace, build and manage major IT systems, addressing the legacy, what we call the technical debt within our organizations. The second is providing services to people when and where they need them, ensuring that we provide user-centric services to Canadians. The third is taking a whole-of-government approach to digital operations, providing an enterprise view so that we don't duplicate some of our efforts. The fourth is about transforming how we work, understanding that new ways of working, of providing governance, of providing resources, are critical to being able to answer the challenge.

I would leave it there and allow the others to respond if they wish.

4 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Mr. Chair, from the Shared Services Canada perspective, this plan is very critical in the sense that it provides the architecture and direction for all the client departments to advance the agenda, from dealing with legacy architecture and us supporting them, modernizing their infrastructure and us supporting them, and transforming the enterprise and us supporting them. All the signals that are in this plan are essential for SSC to achieve its mandate.

It influences the client department that comes to us for support in advancing its own IT agenda, to provide them a broader framework. We are prepared to support that, so it goes into supporting workload migration. It supports advancing connectivity to the cloud and providing access to the cloud in a secure manner. It supports and directs departments to participate actively in enterprise solutions so we avoid duplication of technology, and rather, use an enterprise approach that serves all departments. It's an essential pillar of our work agenda.

4:05 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you. I think I'm out of time.

4:05 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Seeing as the other two have responded, if you would just quickly give us a response, Mr. Jones, we'd appreciate it. Thank you.

4:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you, Mr. Chair.

Quickly, I think the digital operations strategic plan lets us ensure that security is built in from the start and forefront and is thought of at the beginning, and also in setting priorities. The fact is we have limited security experts, so it makes sure that we also put those resources on the most important priorities for the entire Government of Canada to advance the agenda. Both of those are critical.

4:05 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you, Mr. Chair.

4:05 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you.

Now we'll go to Ms. Vignola for six minutes.

4:05 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Thank you, Mr. Chair.

My question is for Mr. Jones.

Was the service provided to Canadians interrupted because of malicious cyber-events?

4:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

There is a continuing range of cyber-activity that we face every day. As I mentioned a few minutes ago, we take between two billion and eight billion actions per day, on average around seven billion, because of cyber-activity targeting the government, but to my knowledge—

4:05 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

I know there are a lot of cyber attacks. However, did any events prevent the provision of services to Canadians?

4:05 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

I would probably turn to my colleague Monsieur Brouillard to answer from the Treasury Board perspective, but as far as I know, from my perspective, we've managed. We have not seen any disruption because of cyber-attacks to the Government of Canada. There have been cyber incidents where we have chosen to take action, but nothing that the cyber-attack itself disrupted.

4:05 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Fine, thank you.

We all know that the personal data of tens of thousands, if not hundreds of thousands of people were stolen. They have received income statements for wages they never earned.

What are the causes of these data thefts? What solutions are in place?

4:10 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

I can answer that.

You are referring to the credential stuffing attack that took place last summer. The identities of some Canadians were stolen by other sources. We don't know what those sources are specifically, but we do know that there were other events that affected the Canadian economy.

This information is often found on what is known as the dark web, which is sort of the criminal side of the Internet. Criminals take people's identities or whatever information they can gather and try to use it in federal systems. When we saw that there were a lot of attacks on people's identities, we made the decision to shut down the service. We wanted to make sure there were no more significant attacks. Subsequently, the Canada Revenue Agency verified the transactions. In all suspicious cases, citizens were contacted or the situation was reversed.

4:10 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Fine. Thank you.

Cyberattacks most often target the same frequently used software. This is the case for the Office suite and anything Microsoft.

Doesn't using software like Microsoft increase the government's exposure to cyberattacks, given that it is that company that is mostly targeted?

4:10 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

I'll let my colleague Mr. Jones answer that question.

4:10 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you for the question.

There are a few things to consider. Yes, it is the most used software, so of course anybody looks to the most frequently used software in terms of malicious actors. However, it's also the software on which the most security researchers have already been working as well.

One of the important aspects I would point to is the Government of Canada's response to things like patching, updating that software, keeping it up to date and managing it properly. That's one of the aspects of the benefits of Shared Services Canada. We've seen that there is a significant improvement when SSC is the lead for a department to respond very quickly to our alerts. In some of the larger cases, within minutes of our alerts, SSC was beginning the patching process to make sure we were ready to go, and I think that's something.

Every software has vulnerabilities. It's about how quickly you can respond to mitigate and reduce the risk we face as an organization. No piece of software is invulnerable, unfortunately.

4:10 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

In the past few months, the Russians have on several occasions amused themselves with attacks on U.S. systems, including software from the American supplier SolarWinds. These folk successfully infiltrated the U.S. Department of Homeland Security and the Treasury Department.

Have such attacks occurred in Canada? If so, who were the targets of these attacks and how were they dealt with?

4:10 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

There were some companies on the Government of Canada network that were using SolarWinds software, but because of our infrastructure and the capacity of Shared Services Canada and the Communications Security Establishment, they were able to determine what was going on and find that our infrastructure was not under attack. They identified the vulnerabilities and worked to resolve the problem. As far as I know—my colleague Mr. Jones can confirm this—we have not experienced anything like what the United States has experienced.

4:10 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Thank you.

4:10 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you. I appreciate that.

We'll now go to Mr. Green for six minutes.