National Defence Committee on Feb. 7th, 2023

Thank you again for this important question.

Recruitment is challenging, and it's a highly competitive space out there. We are trying to hire for a number of positions, for a variety of positions, and to ensure that we hire Canadians who represent the rich and diverse society in which we live.

Currently we are modernizing our multidisciplinary recruitment effort to attract the top talent and investing in a student program and a co-op program to make sure that our talent pool is rich. We are very engaged in communities to raise cybersecurity awareness in presentations to students to get them interested in the STEM field and are also investing in the retention of our current workforce. We have been named as a top employer three years in a row.

We are very mindful of the challenges associated with the current employment landscape. We endeavour to attract talent from all over Canada. We do not focus only on the national capital region. We try to hire people from all over the country with expertise in different areas. We also try to hire students, including those doing co‑op placements. It's not only professionals who join our organization. We have employees who bring a lot of talent to CSE. That's where we are focusing our efforts.

We are also exploring the possibility of hiring people willing to live in regions in order to support cybersecurity activities. We aren't just hiring people willing to move to Ottawa. People can provide support locally.

Thank you for your question.

To my knowledge, we don't have any contracts with that firm. I can send you more information in writing after the meeting, if you'd like.

As far as the security of contracts is concerned, each department is responsible for safeguarding its data. Our job is to establish security standards for various contracts, but not individually. Departments are responsible for adhering to those standards.

I hope that answers your question.

As far as I know, we don't have contracts with other firms. Again, I'd be happy to follow up in writing.

Thank you for your question.

We are always looking for ways to improve how we do things. We recently made a programming investment, and mainly, that helped us improve our ability to work with our foreign affairs colleagues. They play a very important role in our approval process.

I think what's important here is that we work very closely with our colleagues, both in the cyber centre and at Global Affairs Canada. They are responsible, with us, for providing assistance and advice in terms of our operational planning. However, we have been able to respond very quickly to threats as they have emerged.

I can answer that. Thank you.

The pandemic certainly disrupted the supply chain, and we are having just as much trouble as other departments when it comes to acquiring electronics and networking equipment to build our capacity. We are mindful of that. We try to work with companies to speed up the delivery of certain products, but we are just as affected by the situation as their other clients.

Thank you for the question.

We come up with the various information security standards that are out there: protected A, protected B, protected C. We communicate those standards. They are sort of promulgated through Treasury Board. With each of these levels of classification, departments are aware of what information is classified as protected B or protected C, or what is secret and what is top secret. The departments themselves have to live by those standards. We don't audit them per se.

Sometimes we get pulled into specific projects. At that point, we provide some security advice to the project and ensure that the information security of the project is commensurate with the classification of the information. We don't review on a contract-by-contract basis what information is being provided to the contractor. I'm talking about it from an IT perspective, because my primary concern is cybersecurity and IT security.

Each department has a departmental security officer. We have a community of those who meet on a regular basis. Treasury Board is the policy arm of our community. We would work with them to ensure that the information is promulgated as much as possible, but we don't go and audit departments to understand how it is that they are handling the information at the proper classification level.

Thank you again for the question.

I think departments know how to reach out, whether it's to Treasury Board or to us, if there is any clarity being sought on what is the proper classification of information. I personally have been in a number of conversations where we talked about the level of the classification of the information at hand and what is the proper security profile that we need to apply to the IT system in order to protect that information. Those forums exist today, and those channels exist today.

Thank you again for the question.

I would defer to PSPC on anything that has to do with contracting. Our role is very much to review the security architecture sometimes, and we would work with them.

Departments have the responsibility to do the SA and A of their systems. They review the security accreditation of their systems, and we get involved in those accreditations. Before the system goes live, obviously if it contains sensitive information the department will have to accredit that it has met the security baseline that the cyber centre has established. Sometimes we are part of the project, so we get involved in that.

On repeat offenders and contracting issues, I would respectfully defer that to PSPC.