Government Operations Committee on May 31st, 2021

Good afternoon, Mr. Chair and committee members.

My name is Scott Jones and I am the head of the Canadian Centre for Cyber Security at the Communications Security Establishment, or CSE.

CSE, reporting to the Minister of National Defence, is one of Canada's key security and intelligence agencies, with a mandate to provide foreign intelligence against a broad range of government priorities. CSE is also the country's lead technical authority for cybersecurity. The Canadian Centre for Cyber Security is a branch within CSE. In our national role, we defend the Government of Canada, share best practices to prevent compromises, manage and coordinate incidents of importance, and work to secure a digital Canada.

I appeared before your committee last May at the beginning of the COVID-19 pandemic, and I would like to provide an update on how the cyber-threat environment has evolved and on the work we have done since then to protect, from all types of cyber-threats, the Government of Canada, the health care sector, Canada's broader critical infrastructure and Canadians.

The COVID-19 pandemic has created an uncertain environment that is vulnerable to exploitation. CSE continues to leverage all aspects of its mandate to help ensure that Canada is protected against cyber-threats and to inform the Government of Canada's decisions. CSE and the cyber centre are continuing to work in coordination with industry partners so that malicious cyber-actors and fraudulent sites are less able to take advantage of Canadians.

Since March 2020, the cyber centre's work has contributed to the removal of over 8,000 fraudulent sites or email addresses, including websites impersonating the Government of Canada and impersonating COVID-19 vaccine booking portals. While this important work has been primarily focused on COVID-19-related fraud, this work continues every day as we identify and remove more fraudulent domains impersonating the Government of Canada or organizations involved in COVID-19 support efforts.

The cyber centre has assessed that the COVID-19 pandemic presents an elevated level of risk to the cybersecurity of Canadian health organizations involved in the national response to the COVID-19 pandemic. Throughout the pandemic, CSE and the cyber centre have continued to raise public awareness of cyber-threats to Canadian health organizations by proactively issuing cyber-threat alerts and providing tailored advice and guidance to all provincial, territorial and regional health authorities. federally funded associations and centres of excellence, patient care facilities, biopharmaceutical companies and research entities, medical device manufacturers, and academic research institutions.

Since the beginning of the pandemic, the cyber centre has hosted over 40 health sector community calls that provide timely updates to the health sector on the evolving cyber-threat landscape. Each one of them is tailored to the health sector. We have grown the health community, which we support, from a handful of organizations pre-pandemic to over 150 key health sector entities, and work with the IT security leads from these entities on a regular basis. The cyber centre, in close collaboration with our colleagues at Public Safety Canada, has facilitated cybersecurity posture assessments for many of these entities in the health sector, assisting them with determining their cybersecurity gaps and working with them to improve their cyber-posture and cyber-resilience.

The cyber centre has been focused on supporting COVID-19 vaccine research and development entities across Canada. We are working with a number of specific vaccine support organizations to offer services, such as protected DNS, that will strengthen their cyber-defence capabilities and dramatically reduce their vulnerabilities to cyber-attacks.

To protect and defend the vaccine rollout efforts, the cyber centre continues to work with the federal task force, the vaccine supply chain and the regional health authorities across Canada to raise awareness on cybersecurity, enforce and increase readiness for incident response and inform organizations when looming threats arise. We continue to reinforce perimeter security and access control to safeguard the vaccine ordering, tracking and data repository that is currently being developed by the federal health authorities. Also, to protect critical infrastructure, CSE and the cyber centre continue to regularly monitor and proactively share threat information with Canadian organizations, government partners and industry stakeholders.

Finally, the pandemic has made all of us more reliant on digital infrastructure. It is critical now more than ever that Canadians have access to the right information on how they can protect themselves online.

The cyber centre has created a collection of advice and guidance products available to inform Canadians about how to stay safe online. I encourage Canadians who are looking for easy-to-follow tips on cybersecurity to visit our website, getcybersafe.gc.ca. For businesses and larger organizations, or if you would like to read more of the publications of the cyber centre, they can be found at cyber.gc.ca.

CSE is constantly working to help address foreign threats and cyber-threats facing Canada in the health sector. We will continue to do so during the current pandemic and well after it's over.

Thank you, Mr. Chair.

Good afternoon, Mr. Chair and committee members. It's a pleasure to be with you today.

I'm Sony Perron, the executive vice-president of Shared Services Canada. I'm accompanied today by Mr. Matt Davies, deputy chief technology officer for SSC.

As you are aware, Minister Murray's mandate includes leading a transformation of the Government of Canada into a more digital government in order to improve citizen service. To effectively modernize how we deliver digital services to Canadians, we are investing resources to develop a fast and reliable network that is secure.

As we move to more services online, the risk to Canadians' and the Government of Canada's information is increasing. Robust enterprise cybersecurity services are essential to our plan, and we must accelerate investment in order to keep ahead of our threat actors.

As you can imagine, network security is more important than ever as Canadians access more programs and services online, such as the Canadian emergency response benefit, as more public servants are working remotely.

Prior to the pandemic, approximately 20,000 public servants accessed the network remotely on a typical day. To enable public servants to work from home, Shared Services Canada,SSC, was able to rapidly increase the secure remote access capacity. It can now support 290,000 simultaneous connections. This allowed public servants to continue to serve Canadians during a critical time.

SSC also acquired a suite of collaboration tools so that federal public servants were able to continue working. Today, almost all federal employees are using Teams, which offers a Protected B level of security.

The number of those working online is just astronomical from our perspective. This transition to a distributed workplace has been done without compromising IT security. We are very aware that as the use of digital tools and teleworking increases, so does the risk of being the target of malicious cyber-activity.

SSC is continually updating its security infrastructure and software to leverage the latest security measures. We are committed to protecting the Government of Canada’s data, information, and information technology infrastructure, along with the data and privacy of our citizens so Canadians can rely on a secure, stable and resilient digital government.

We collaborate with the Canadian Centre for Cyber Security and the Treasury Board Secretariat office of the chief information officer. They are essential partners for SSC for the conception and deployment of responsive IT solutions.

In addition, each and every day we intercept two billion malicious activities. These are not theoretical cyber-threats. They are real, and they are organized. Again, in such context, the collaboration and coordination with our partners is critical.

Recently exploited vulnerabilities to SolarWinds and Microsoft Exchange have highlighted the need to be able to respond to cyber incidents quickly and pivot to new technologies.

We recently published a strategy paper on the way forward to modernize the network, which solicited feedback from our various industry partners and stakeholders on the future state of the network.

The paper outlines a number of Shared Services Canada priorities, including moving towards software-defined infrastructure, leveraging improved wireless technology and adopting a zero trust architecture. We are investing in our cyber-defence capability and migrating toward zero trust.

The term Zero Trust means we “never trust, and always verify” everything before granting access, through a process of continuous monitoring. This involves verifying users, validating devices, and ensuring that individuals only have access to the resources needed to do their job.

SSC has increased the overall information technology security of the Government of Canada through services such as multiple-layer defence, vulnerability management, and supply chain integrity. Our integrated cyber and information technology security program protects the infrastructure supporting other departments and agencies.

Let me assure this committee that we are constantly monitoring for cyber-threats, and we have a robust system and tools in place to detect, investigate and take active measures to neutralize them. Under normal operating circumstances, no organization is immune to IT security threats, but these are extraordinary times. Cybersecurity is and will continue to be a priority for SSC to safeguard the government and Canadians from cyber-threats.

Thank you.

We will be pleased to respond to your questions.

Thank you, Mr. Chair. It's a pleasure to be with the committee again.

I'm pleased to be joined today by Aaron Snow, the chief executive officer of the Canadian digital service, along with my colleagues from the Communications Security Establishment and Shared Services Canada. After my opening statement, my colleagues and I will be available to answer the committee's questions.

It may be helpful to briefly explain the roles and responsibilities of the office of the chief information officer as they pertain to cybersecurity in the Government of Canada. The office provides strategic direction and leadership in information management, information technology, security, privacy and access to information across the Government of Canada.

We also provide support and guidance on capacity building, project management and oversight across the government. Treasury Board policy instruments outline the roles and responsibilities for GC cybersecurity management and departmental management. Leveraging the policy on government security and the policy on service and digital, we provide strategic direction and oversight.

We define cybersecurity requirements to ensure the Government of Canada and departmental information and data applications, systems and networks are secure, reliable and trusted. During cybersecurity events, TBS will perform strategic coordination, which may include the issuance of strategic direction to departments and agencies on measures to minimize the GC-wide impact.

This is critical work, which is why our office works very closely with the Canadian Centre for Cyber Security and Shared Services Canada to collectively form the Government of Canada IT security tripartite, established to develop and maintain a coordinated and collaborative approach to enterprise IT security. This includes maintaining awareness of the global cyber-threat environment, regularly scanning for new vulnerabilities that may impact government systems and ensuring there is a coordinated response to potential and active threats through the Government of Canada cybersecurity event management plan.

This work has only intensified over the past 14 months. Throughout the pandemic, we have been working very closely with SSC to support government operations by ensuring that secure IT infrastructure and systems continue to enable the delivery of critical federal services. Virtual collaboration was a key element in ensuring the continuity of operations. To enable this, the Government of Canada has had to adjust rapidly, enabling over 290,000 employees and contractors to work securely and remotely, representing a significant increase in remote connections from pre-pandemic levels.

From the early days of the pandemic, TBS, SSC and CSE worked very closely together to address the quickly evolving needs of the GC. Shared Services Canada procured and provisioned new devices and equipment and rapidly deployed new secure cloud-based collaboration and communications systems, while the office of the chief information officer provided resources, advice and guidance to Government of Canada departments, employees and contractors on working remotely securely. During this time, CSE provided ongoing advice on the evolving cyber-threat conditions related to the pandemic. This was to ensure that public servants could continue serving Canadians all while ensuring that the security, privacy and integrity of government information was not compromised.

Another example of collaboration is the work of the Canadian digital service, or CDS, a team within the Treasury Board Secretariat that collaborates with departments to address service delivery challenges. CDS has developed GC Notify, a platform tool that allows departments to quickly and easily push email and text messages to subscribers. When the pandemic started, misinformation was prevalent. CDS, Service Canada and Health Canada came together to use GC Notify to build “Get Updates on COVID-19”, an email service to get people quick and trusted info about COVID-19. Since its launch, the service has securely sent over 5.5 million notifications to subscribers.

Indeed, security has been the priority throughout the pandemic. With so many public servants working from home, we have taken concrete steps to ensure the ongoing security and safety of government networks. We have robust systems in place to monitor, detect and investigate potential cybersecurity threats to information, including new and emerging threats that resulted from working remotely. Safeguards such as enhanced and enterprise secure remote access and digital signature workflows, as well as appropriate policy guidance, have been used to protect information while ensuring employees can continue delivering trusted services and programs to Canadians.

It has also been working to protect the Government of Canada by defending important programs against cyber-threats, including COVID-related benefits, such as the Canada emergency response benefit. The centre is constantly monitoring the security of cloud usage across the Government of Canada and evaluating cloud applications, including for the Public Health Agency of Canada.

The COVID-19 pandemic continues to transform the operational and service landscape of government departments. It has forced us to accelerate digital transformation efforts that were already under way and to move quickly to deliver new services that directly support Canadians. At each step of the way, security has remained at the forefront.

We will remain focused on continuously enhancing cybersecurity in Canada by preparing for all types of cyber incidents and protecting Canadians and their data.

Thank you, Mr. Chair. We are ready to take the committee's questions.

This matter is before ministers. I don't think it's appropriate for me to comment any further. However, it is something we continuously work on in terms of cybersecurity, working with our partners—

Mr. Chair, as I said, we continue to work with our partners across the government. Our information has been shared with our partners, but we are waiting for our.... The Department of Public Safety is the lead on the overall study and report.

I would have to look into anything that we do have.

Under our current existing security review program, we have relationships with the majority of the telecommunications providers around Canada. We do talk to them about their overall deployments and their plans, but it is related to the 4G/LTE environment right now. Any specifics on our dealings with specific companies is something that I'd have to look into.

In terms of the government accepting the report, I think the report you are referring to, Mr. Paul-Hus, if I understand correctly, is the cybercrime ransomware report.

It would be unacceptable, I think, for an unelected public servant to speak on behalf of the government, the elected government. However, we certainly do look for any activity we can take to bolster our defences against ransomware, something that we're taking very seriously as part of the Canadian Centre for Cyber Security.

Thank you for your question.

I am aware of the references in the report that was issued by the National Defence audit group. This report is about actions in the last few years. Since then, we have implemented a new structure at Shared Services Canada that allows us to have better interaction with client departments.

We now have an assistant deputy minister and a team that serves the departments of National Defence and Veterans Affairs exclusively, as well as the Royal Canadian Mounted Police. So we have a new interaction structure in place, and we are trying to develop more integrated plans.

There were, in particular, a lot of questions about the deployment of phone services for military bases. That has been resolved. We now have a joint work plan with DOD and we've started the work. So things are getting better.

I'm sorry, but I can't answer that specific question. Each application on the GoC network has its criticality standards and the response time is set for each. For National Defence, the criteria vary depending on the services offered. Some may need to be revised. That said, I am not in a position to answer that question. However, I can provide the answer in writing, if you wish.

Absolutely, I'd love to talk about that. There are a few aspects.

First of all, we have been working with multiple entities across the sector on providing basic advice and guidance on cybersecurity, but also specific threat information. Early in the pandemic, along with our allies, we did note there was malicious state-sponsored activity targeting vaccine researchers. We went public with a public attribution on that.

We followed that up with private advice on what could be done to protect against those threats, what the threats looked like and what steps organizations could take. Further, though, we continue to work with those organizations to ensure they are strengthening their cybersecurity by providing advice and guidance on things they can do to secure themselves. That includes our sharing everything we learned from our defence of the Government of Canada, so they're well-prepared for any threats. Certainly, using our foreign intelligence mandate, learning what any threat actor is looking for, we also make sure the sector is aware of those threats as well, so it can take action before things happen.