Evidence of meeting #33 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was cybersecurity.

A recording is available from Parliament.

Also speaking

Scott Jones, Head, Canadian Centre for Cyber Security, Communications Security Establishment
Sony Perron, Executive Vice-President, Shared Services Canada
Marc Brouillard, Acting Chief Information Officer of Canada, Treasury Board Secretariat

4:20 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Well, as I said, we are able to provide the full range of services that we do for the federal government. It is by far our biggest client, but those are optional for Crown corporations. They make the choice. We have made the offer to every one of them to work with them just as we do with every government department.

4:25 p.m.

Conservative

Kelly McCauley Conservative Edmonton West, AB

Thanks.

4:25 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. McCauley.

Now we'll go to Mr. Kusmierczyk for five minutes.

4:25 p.m.

Liberal

Irek Kusmierczyk Liberal Windsor—Tecumseh, ON

Thank you, Mr. Chair.

Each year the chief information officer hands out community awards. In 2020 Shared Services Canada was awarded the excellence in diversity and inclusion award for the accessibility, accommodations and adaptive computer technology program, or AAACT. I was delighted to see that an additional $3 million was allocated in budget 2021 towards this important program. Again, I'm delighted to see the work of SSC in accessibility and disability inclusion, so well done to the team.

This being National AccessAbility Week, are there specific challenges when we talk about cybersecurity and disability inclusion? In other words, how do we make cybersecurity accessible?

I guess this would be a question for either Mr. Perron or Mr. Davies.

4:25 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Mr. Chair, it's an interesting question in the sense that while we are very focused on security and cybersecurity, we need to make sure that our employees and Canadians have access to the services and the systems we are putting in place. Accessibility is always, besides security, one of the preoccupations.

At Shared Services Canada we have a team, which is called the accessibility, accommodation and adaptive computer technology program team. It reviews and advises departments on applications and solutions to really make sure that when something is launched, whether it's an application or a new process, it's accessible by default, making sure that what has been in place for a while is also reviewed and adjusted. We follow the standards for accessibility. We have that capacity, and it's very important.

The link with security here is that when we implement new measures, we have to make sure we test them from an accessibility perspective so that it doesn't become a barrier for those who legitimately need to access these applications and these systems to do their work or to access their services. It's critical that we maintain that attention.

There are two other aspects to this program. One is about supporting the employees so they receive an assessment of what might be needed for them to fully operate in the workplace, so making sure that we have equality there. The other is about providing advice. Last year we added a dimension that had been missing from that, which is that new employees or temporary employees coming in also benefit from what we call the lending library. It's to make sure that early on in their employment with the federal government, as an employer of choice, we provide them with the tools and the adaptations in terms of technology, monitors, devices and applications that can help them to fully participate in the workplace. This program is essential.

Thank you for mentioning that. It's very important, particularly this week.

4:25 p.m.

Liberal

Irek Kusmierczyk Liberal Windsor—Tecumseh, ON

That's it exactly. I appreciate the fact that whenever we're looking to introduce cybersecurity measures, we're always putting an accessibility lens on those measures themselves so that they don't add barriers to our federal employees.

According to the digital operations strategic plan, the federal government is on track to launch the OneGC program, which will allow individuals and businesses to use a single identity and password to access federal government services through a single window on Canada.ca. We're talking about making things easier as well for people.

What is the status of the work on the OneGC platform? What are some of the challenges to delivering on that vision?

4:25 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

The principle behind OneGC is that we don't want Canadians to have to try to understand and decode all of the government bureaucracy machinery behind it, and really have a single window for all services to Canadians. That's Canada.ca. To enable that to the next level, to take it to a service-oriented environment, the foundation of that is digital identity. We want to be able to allow Canadians to use the trusted identity of their choice to access services on Canada.ca and to move between those services seamlessly.

We've recently launched a pilot project with ESDC, which is called the benefits delivery modernization program, to enable what is called Sign In Canada. This is going to be used specifically to access those benefits that ESDC delivers in a way that is seamless to Canadians. They'll be able to log in once and access multiple services.

We're doing that with an enterprise lens so that once that work is completed, it will be reusable by other departments and agencies, so that ultimately and eventually all GC services will be available through a single identity capability. That's what we call the OneGC.

Thank you.

4:30 p.m.

Liberal

Irek Kusmierczyk Liberal Windsor—Tecumseh, ON

Are there additional risks or challenges that this service simplification or streamlining represents in terms of cybersecurity?

4:30 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Under the current model, if you had all services accessible under a single credential and that credential was compromised, there would obviously be an increased risk. What we're doing to address that is making sure this is bound not just through a credential but through a true digital identity, something that is verifiable and highly secure. For example, you would need to be able to provide access to your provincial identity plus maybe a password or some other form of identification. Multiple actions are required to gain access to it. We call that multifactor authentication. That's how this service will be more secure.

4:30 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Kusmierczyk.

We'll now go to Ms. Vignola for two and a half minutes.

4:30 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

Thank you very much.

My question will be to Mr. Jones or Mr. Brouillard. They are sharing the task.

Mr. Brouillard, last week there was some half-joking, full earnest talk about outdated systems, comparing them to our old DOS systems. Joking aside, what are the biggest risks and threats caused by our outdated systems? The Auditor General talked about breaking points caused by obsolescence.

Are we at that breaking point? What might the consequences be for citizens? Where exactly are the threats coming from? Are they domestic or international threats? If they are international, which country is attacking us?

4:30 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

I will answer the question first.

I'll explain the difference between technical debt and legacy system risk.

First, the older the systems, the more expensive it is to maintain them. It's like buying a car and not putting oil in the engine: sooner or later, you'll have to replace the engine.

Second, as systems age, cyber risks increase because systems are exposed for much longer to cyber attackers.

I will turn the floor over to Mr. Jones to explain this risk.

4:30 p.m.

Head, Canadian Centre for Cyber Security, Communications Security Establishment

Scott Jones

Thank you.

There are a couple of things I would just add. The first one is that if the system is connected to the Internet, it has to be kept up to date. That's where our legacy environment just isn't connected in that same way. This is where a modern environment does change the threat.

That being said, in general, where we're looking at threats coming from actually doesn't matter as a cyber defender. We look at what the malicious activity could look like, no matter where it comes from, because we don't differentiate that. Then if there is a threat it's dealt with by the proper authorities who investigate those types of activities. In most cases it would be the RCMP if it were something of a criminal nature.

When we're looking at the IT environment there are a few things we've said, and they're in our top 10. One of the biggest ones is maintaining systems up to date, keeping them up to date and ensuring that they're continuously improved. That's one area where we need to be working on the next generation of technology with security built in from the start. Security is not something you bolt around systems; it's built in throughout the process. When Marc was talking about the digital identity process, security was thought of from the start, before a single piece of code was written or a simple application was purchased. That's what we need to be doing going forward.

4:30 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Jones and Ms. Vignola.

We'll now go to Mr. Green for two and a half minutes.

4:30 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Thank you.

On May 25, 2020, Mr. Glover told the committee that in the first 10 weeks of the pandemic, there had been no incidents involving data breaches. However, during the same period, there had been incident blocks every day, but none of consequence.

How has the situation evolved since May of last year? Have there been any incidents involving data breaches?

That's for the CIO, Mr. Brouillard, I believe.

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

Mr. Chair, to my knowledge, there have been no significant data breaches related to cyber-activity since the pandemic started. There was the credential stuffing incident from last summer, which as Mr. Jones talked about, wasn't a breach of our systems; it was people accessing the system with fraudulent credentials. That really becomes fraud, not cybersecurity.

Some other incidents we've talked about today—SolarWinds, the Microsoft Exchange vulnerability, some third party vulnerabilities as well—have been addressed. They were remediated, but there was no significant breach of data.

4:35 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Have there been any incidents concerning blocks that are of consequence? If so, how many and when?

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

I'm sorry. Please define “blocks”, as in—

4:35 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Well, Mr. Glover was quoted as saying that there had been incident blocks every day, but none of consequence. I think I know what it means, but I don't want to—

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

On the technical aspects, maybe Mr. Perron or Mr. Jones would like to comment.

4:35 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Is it a denial of service type of deal?

4:35 p.m.

Acting Chief Information Officer of Canada, Treasury Board Secretariat

Marc Brouillard

That they stop, yes.

4:35 p.m.

Executive Vice-President, Shared Services Canada

Sony Perron

Maybe I can add that in the first, I would say, 10 weeks of the pandemic, there were difficulties for the system to accommodate remote access and there was not enough connection. When it came to the end of May to June last year, the capacity ramped up in terms of secure remote access, so these blocks have stopped.

You may have noticed at the time that Mr. Glover was talking, we were also talking about the situation where we were asking employees to use the system only at certain times of the day. We went over this during the summer by increasing the capacity of secure remote access.

I will insist on the words “secure remote access”. The idea is not to give access. It's to give secure remote access, allowing our employees to work from home and not increase the risk for the network and the government's activities. Now we are able to provide 290,000 simultaneous connections, and we have answered all the demands from the departments in terms of increasing capacity.

With regard to these situations that were visible in the first few weeks of the pandemic, with hard work and collaboration among the parties, we were able to put in place solutions that have allowed hundreds of thousands of federal employees to do their work from home.

4:35 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Perron and Mr. Green.

We will now go to Ms. Harder for five minutes.

4:35 p.m.

Conservative

Rachael Thomas Conservative Lethbridge, AB

Mr. Perron, my question is for you.

Shared Services is responsible for all IT-related procurement. We're talking about emails, telephone, computer data centres for the entire Government of Canada. Given your role, can you tell this committee whether or not there is a prohibition on securing Huawei technology for any department within the Government of Canada?