Evidence of meeting #54 for Industry, Science and Technology in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was security.

A recording is available from Parliament.

On the agenda

MPs speaking

Also speaking

Ron Parker  President, Shared Services Canada
Raj Thuppal  Assistant Deputy Minister, Cyber and IT Security, Shared Services Canada
Graham Barr  Acting Senior Assistant Deputy Minister, Strategy, Shared Services Canada
Wayne Smith  Former Chief Statistician of Canada, As an Individual
Ivan Fellegi  Former Chief Statistician of Canada, As an Individual

8:45 a.m.

Liberal

The Chair Liberal Dan Ruimy

Welcome everybody to meeting number 54 of the Standing Committee on Industry, Science and Technology. We are continuing our study of Bill C-36, an act to amend the Statistics Act.

Today, from 8:45 to 9:45, we have with us, from Shared Services Canada, Ron Parker, president; Graham Barr, acting senior assistant deputy minister of strategy; and Raj Thuppal, assistant deputy minister of cyber and IT security. I like that title.

We're going to get right into it as we have limited time.

Mr. Parker, you have 10 minutes.

8:45 a.m.

Ron Parker President, Shared Services Canada

Thank you, Mr. Chair.

8:45 a.m.

Liberal

The Chair Liberal Dan Ruimy

Thank you.

8:45 a.m.

President, Shared Services Canada

Ron Parker

Good morning.

Thank you for this opportunity to discuss our role and the strong relationship we have established with our customers, such as Statistics Canada.

As the chair mentioned, I am accompanied today by Raj Thuppal and Graham Barr.

I would just like to start with a few words about the mandate of Shared Services Canada.

We deliver the IT infrastructure backbone for the programs and services that Canadians get daily from the government. Whether at the border, or for their pensions or benefits, we meet a very broad spectrum of infrastructure requirements.

The department is mandated to provide a range of services essential to government operations. This includes the delivery of email, data centres, network and workplace technology devices, as well as cyber and IT security.

Protecting and securing the integrity of the government of Canada's systems, networks, and information from cyber-threats is a top priority for us. We carry out this work with lead security agencies such as the Communications Security Establishment. We also benefit from strategic partnerships such as the international Five Eyes security and intelligence network, which includes the U.S., the U.K., Australia, and New Zealand.

More than ever, cybersecurity requires a collaborative approach. We are therefore committed to working together to share solutions on how best to protect our information and citizens. I would add that, with the creation of Shared Services Canada, or SSC, the government is better positioned to take swift, preventative, and corrective actions.

A great example occurred recently when we successfully managed a vulnerability that affected computer servers worldwide, including those of government departments such as Statistics Canada.

The vulnerability was identified in March. It affected specific servers running on a software called Apache Struts 2. SSC worked collaboratively with Statistics Canada to identify and rectify the situation. Though some services were not available during certain periods, no data was lost or altered in any way. We were able to react quickly, in large part because the government's IT infrastructure is managed as an enterprise rather than in silos, which was the practice in the past. This approach gives us an overall view of government networks and the ability to respond quickly to common threats facing departments and agencies within our security perimeter.

As a service organization we understand that our customers, such as Statistics Canada, hold us accountable for the services we provide. This is why our number one duty is to understand and meet their business and security requirements.

We are proud of the work we have achieved over the past several months to respond to the expectations of all our customers, who acknowledge the benefits of the enterprise model.

I would emphasize that our IT infrastructure does not impact or compromise, in any way, the independence of Statistics Canada or any other partner organization.

With respect to Statistics Canada, we have a strong partnership and have achieved a great deal together. This includes, for example, the fact that Canadians were able to participate in record numbers in the 2016 census using Shared Services IT infrastructure.

The IT services provided by SSC for the census consisted of data-centre, network, security, and communications systems. I would add that there were no IT infrastructure issues for the duration of the census.

To reinforce our working relationship with the agency, the chief statistician and I have made a joint commitment to continue to modernize the information technology services the agency relies upon to deliver programs to Canadians. I meet with him on a regular basis to ensure that business requirements are well-identified, captured, and processed in a timely fashion.

These efforts are part of a strong governance structure between our two organizations. The chief statistician and I share a committee overseeing all of Statistics Canada's information technology projects.

In the coming months, SSC will continue to work closely with Statistics Canada to respond to the agency's immediate and longer-term requirements. Planning for the 2021 census has already begun.

In the short term, we will continue addressing the agency's expanding program requirements by augmenting computing and storage capacity, among other initiatives.

We have already significantly increased the available memory in the legacy data centre as well as its computing capacity. This is to meet the agency's growing business needs.

Medium- and longer-term needs are being addressed through a second phase that includes closing a legacy data centre and moving the workload to a state-of-the-art enterprise data centre.

To date, SSC has opened three modern, highly efficient enterprise data centres to eliminate duplication, increase security, and better manage costs. SSC is also committed to meeting the strict security requirements established by Statistics Canada. For example, employees working at the data centre serving Statistics Canada are secret cleared and take an oath to meet the requirements of the Statistics Act.

In addition, this data is stored using infrastructure that is dedicated to Statistics Canada, and the encrypted data for the census, which resides in the enterprise data centre, is controlled through the use of electronic keys. Currently, no Shared Services Canada employees have access to that data.

Shared Services Canada also works with lead security agencies such as the Communications Security Establishment and the RCMP to ensure the overall security posture of its data centres from both physical and IT security perspectives and to ensure that this meets or exceeds Government of Canada requirements. This collaboration is instrumental in providing secure services to Canadians.

Let me be clear—Statistics Canada continues to have full control over its data, as it always has.

Let me close by emphasizing that maintaining the confidentiality and security requirements of our customers has always been, and will continue to be, of paramount importance to Shared Services Canada.

Thank you. My colleagues and I are pleased to answer your questions.

8:50 a.m.

Liberal

The Chair Liberal Dan Ruimy

Thank you very much, Mr. Parker.

We're going to jump right into questions.

Mr. Arya, you have seven minutes.

8:50 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Thank you, Mr. Chair.

Mr. Parker, it's nice to see you again. The last time we met was at the public accounts committee to discuss the Auditor General's report.

Very briefly, can you tell me how the relationship with your clients is now, compared to what it was the last time we met?

8:50 a.m.

President, Shared Services Canada

Ron Parker

I benchmark our relationship in terms of how we are perceived in providing service to the clients. I'm happy to report that the customer satisfaction survey, which we conduct on an annual basis in December, and the monthly pulse surveys reflect an improvement in customer service. From the very first time we did it, we received 2.79 from our customers, and then in December we achieved 3.06, and that trend continued in the pulse surveys of January and February. From that perspective, our customers recognize improvement in services.

I also look to the participation of the deputy community in the various governance fora that we have for Shared Services Canada. There my sense is that the deputy community is very supportive, understands the importance of our mandate, and is helping us.

8:55 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Thank you.

The former chief statistician, Mr. Smith, resigned because he had concerns in regard to Shared Services Canada. I'm sure you had interactions and meetings with him.

How often were those? What were his concerns? Have you addressed them?

8:55 a.m.

President, Shared Services Canada

Ron Parker

There were a number of concerns that he flagged, involving the provision of services going forward beyond the census. We discussed those, and by April he had indicated that there were no outstanding operational concerns. He was still concerned about the forward plan, and that's what I've talking about in terms of the work that's been done since September 19. We have put into place a very strong forward plan as well as a lot of new capacity for Statistics Canada.

As the chief statistician indicated when he was here, we are meeting their business needs and are working extremely collaboratively in an integrated fashion to make sure those needs are met going forward.

8:55 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Cybersecurity is a real threat today for me. Being part of a bigger organization is better when it comes to cybersecurity. Can you address what Shared Services is doing to protect the integrity of Statistics Canada's data?

8:55 a.m.

President, Shared Services Canada

Ron Parker

First of all, Statistics Canada sets its security requirements. There is a series of controls and measures that it expects to have in place. Those are in place.

More broadly, the benefit of bringing into existence Shared Services Canada is that we've been able to bring together in one place the expertise and the capability to monitor, to take preventive action, and to remediate any types of threats that occur. That's one benefit and one aid to Statistics Canada.

In addition, we have established a security operations centre that has 24-7 operations and that constantly monitors the threats and traffic coming into our overall system, so there are substantial benefits.

If you want, I can ask Raj to address that.

8:55 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Not right now, sir. I have some other questions for you.

8:55 a.m.

President, Shared Services Canada

8:55 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Mr. Arora mentioned the service level agreement between Stats Canada and you. What are the parameters? What is covered? Can you highlight that, please?

8:55 a.m.

President, Shared Services Canada

Ron Parker

Sure. We're actually in the midst of renewing the business arrangements, and in that set of documents are the understandings, the service level expectations across all of the services that we offer, as well as potentially annexes for the different customers, which deal with their special requirements. Those are the types of services that include all the data centre services, email, and their networking, as well as the communications side of the equation.

8:55 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Let me ask this very clearly: are there still any challenges between Statistics Canada and Shared Services? Are there any concerns that are still outstanding?

8:55 a.m.

President, Shared Services Canada

Ron Parker

I do not believe so. I think the relationship we've established is extremely solid and we have established an integrated team. The integrated team we had for the census at the working level was extremely productive.

We have a situation in which the leadership has signalled clearly the desire to make this relationship work. I think that's the single biggest thing in moving forward that will help with the success of the initiative.

8:55 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

Stepping back from Statistics Canada and Shared Services for the last minute that I have, when should expect everything to be good at Shared Services Canada?

9 a.m.

President, Shared Services Canada

Ron Parker

As I mentioned, the customer satisfaction survey is on an improving trend. There is a lot of work to do. It is a big job. I wouldn't want to predict when everything will be good.

The important thing for me is that we will have a forward plan that establishes that the Government of Canada infrastructure is in a state to continue to provide the vital services that Canadians are looking for.

9 a.m.

Liberal

Chandra Arya Liberal Nepean, ON

I'm sure we'll be meeting you again at the public accounts committee on the Auditor General's recommendations.

9 a.m.

Liberal

The Chair Liberal Dan Ruimy

Thank you very much.

Mr. Dreeshen, you have seven minutes.

9 a.m.

Conservative

Earl Dreeshen Conservative Red Deer—Mountain View, AB

Thank you very much, Mr. Chair.

Welcome to our guests this morning.

I had the pleasure of being at the OECD's Blue Sky Forum on Science and Innovation Indicators. Of course, in that particular forum there was a lot of discussion not only on statistics and how business manages, but also on how governments manage, information. I think one of the critical things, when you see all of the data points that are important to business and to government, is just how significant this is.

Of course, one of the things they spoke about was security issues. You hear so many different stories about how many times the Government of Canada has been hacked, and, of course, that's the concern that people have. I mean, if we have one particular organization that says, “don't worry, we've got this aced”, but you keep hearing this from all of these other actors, how confident are you that because it is in-house and you have very limited access among different departments that the security is what it should be in order to maintain confidence for Canadians?

9 a.m.

President, Shared Services Canada

Ron Parker

The cyber-threat world is ever-changing, growing, expanding, and becoming more sophisticated. Would I ever say that we have it aced? No. The nature of the threat is so dynamic that you need to constantly evolve your own operation to stay on top of it.

I'm going to ask Mr. Thuppal to take on the substance of the question.

9 a.m.

Raj Thuppal Assistant Deputy Minister, Cyber and IT Security, Shared Services Canada

Thank you, Ron.

Thank you, Mr. Chair.

At Shared Services Canada we take a holistic approach to applying security practices to support our partners. The functions vary, and include prevention, prevention techniques, detection techniques, and then response and recovery.

We do put a lot of effort into ensuring that we do have preventative capabilities, from both technology and a combination of processes and governments, but there is a lot of emphasis on detection as well. When we do get breached, we detect it very rapidly and then can respond and recover very quickly, as evidenced by Ron's comments on the recent worldwide threat, to which we responded very effectively, prevented any data loss, and then came out very quickly to restore the services for our partners.

We work in very strong collaboration with our security partners, especially the Communications Security Establishment. There are capabilities they bring that support us in ensuring that we provide security capabilities for our customers.

9 a.m.

Conservative

Earl Dreeshen Conservative Red Deer—Mountain View, AB

Thank you.

Again, I assume that you have thousands of people working for you, and you're dealing with background checks or security from the individual side as well, to make sure there's no concern about something inside that is causing problems. What process do you use with personnel as far as those backgrounds checks are concerned?