Evidence of meeting #17 for Public Accounts in the 40th Parliament, 3rd Session. (The original version is on Parliament’s site, as are the minutes.)

A recording is available from Parliament.

Also speaking

Sheila Fraser  Auditor General of Canada, Office of the Auditor General of Canada
Michelle d'Auray  Secretary of the Treasury Board of Canada, Treasury Board Secretariat
Gini Bethell  Chief Information Officer, Department of Human Resources and Skills Development
Maurice Chénier  Chief Executive Officer, Information Technology Services Branch, Department of Public Works and Government Services
Borys Koba  Chief Information Officer and Director General, Information Management and Technologies Branch, Department of Citizenship and Immigration Canada
Peter Poulin  Assistant Commissioner and Chief Information Officer, Information Technology Branch, Canada Revenue Agency
Joe Buckle  Chief Information Officer, Royal Canadian Mounted Police
Brendan Dunne  Director General, Information Management and Information Technology (IM/IT) Business Solutions, Royal Canadian Mounted Police
Corinne Charette  Chief Information Officer, Treasury Board Secretariat

10:40 a.m.

Chief Information Officer, Royal Canadian Mounted Police

Joe Buckle

Yes, it is.

10:40 a.m.

Liberal

The Chair Liberal Shawn Murphy

Thank you, Mr. Shipley.

Mr. Christopherson, you have five minutes.

10:40 a.m.

NDP

David Christopherson NDP Hamilton Centre, ON

Thank you very much, Chair.

I want to get to the issue of a potential cyber attack, but I have a couple of comments on the way there.

First of all, Madam Bethell, you mentioned that if we'd waited a few more years.... You made it almost sound like you were all here together as one big group to make a presentation, and, like certain others in politics, you pretty much had to be brought kicking and screaming. This is something we're familiar with.

You mentioned that if we'd waited years, we'd have been in trouble. So my question is this: if the auditor hadn't done her report, would this have just gone on into crisis?

10:40 a.m.

Chief Information Officer, Department of Human Resources and Skills Development

Gini Bethell

Thank you, Mr. Chair.

Not kicking and screaming: I was actually pleased to be here today to bring some comfort, I think, to the members of the committee.

What I was hoping to demonstrate in the opening remarks was that all of us have been aware of this situation—

10:40 a.m.

NDP

David Christopherson NDP Hamilton Centre, ON

No, no--sorry, but my time is limited--it was your recent remarks, not your opening remarks, where you said that you were glad that you were all here together presenting to us. That's why I was pointing out...although it may not have been quite that way.

At any rate, the fact is that you said if you'd waited all those years; but you're here in time; so--phew--everything's okay. My question is this: if the AG hadn't stepped in, would we have just walked into the abyss?

10:40 a.m.

Chief Information Officer, Department of Human Resources and Skills Development

Gini Bethell

No. Actually, I have taken initiatives during the last three years to begin to address this issue. I think with the Auditor General's report, it has given additional support for the reality of the situation we face. It has been quite helpful.

So no, we haven't been waiting. We are aware. It's a confirmation of the reality that we have in our departments.

10:40 a.m.

NDP

David Christopherson NDP Hamilton Centre, ON

All right. I accept that this is your interpretation. Mine would be just a tad different. But that will be for the report.

Two, just to be fair, I was the critic for Canada Revenue Agency, so of course there are lots of horrible things I've said about the agency. I want to give you the recognition and credit that you're due, that there weren't any recommendations necessary for you. You did a great job, and congratulations on that.

However--turning to the RCMP--the Auditor General's report, page 8, section 1.14, said that the “RCMP did not include aging IT as a corporate risk”. Why?

10:40 a.m.

Chief Information Officer, Royal Canadian Mounted Police

Joe Buckle

Thank you for that.

The response to that question comes down to how we look at our risk and how we use the integrated risk management methodology. As I pointed out in my opening remarks, we have spent a great deal of money over the last many years enhancing or replacing those systems that we felt were at highest risk.

The systems that we feel we have to replace most urgently are the radio systems, and we have a strategy in place for that. Where the aging IT systems actually did hit the top five--the risks were assessed, and we included the top five on the RCMP risk register--“aging IT systems” as a title didn't make the top five. What did make the list was “lack of funding”. That's where we can tie in our need to get funding to replace the systems, as we prioritize them.

10:45 a.m.

NDP

David Christopherson NDP Hamilton Centre, ON

I see. Thank you.

My last question takes us back to the cyber risk. We dealt with this in a separate report on cyber attack. I'm the furthest from an expert that you could possibly be, but it would seem to me that the older the system, the more vulnerable it would be, and the easier for hackers and others to attack.

I'm just wondering how much of our exposure.... The government has finally announced a plan, but for the longest time there was nothing. Again, thanks to the AG report, there was a response to that.

To anyone who feels they're equipped to answer this, how much of this aging technology plays into concerns about potential vulnerabilities to cyber attack?

10:45 a.m.

Chief Information Officer, Treasury Board Secretariat

Corinne Charette

The risk of cyber attack or the maintenance of cyber security is a top priority of CIOB. We reissued the government security policy last year with a strong focus on this matter. In fact, we're working on the number one initiative to address that, which is a consolidation of Internet access points for the government-wide network. This really is the first line of defence: to permit only authorized access into the government cloud, so to speak, and the use by authorized people of data and systems. For the last six months, we've been working with Public Works on consolidating these access points across government departments. We continue to work on that, and we hope to have quite reduced that risk over the next six to eight months.

10:45 a.m.

NDP

David Christopherson NDP Hamilton Centre, ON

Thanks, Mr. Chair, and thanks to all.

10:45 a.m.

Liberal

The Chair Liberal Shawn Murphy

Thank you, Mr. Christopherson.

We're now going to go to Mr. Young.

Mr. Young, you have five minutes.

10:45 a.m.

Conservative

Terence Young Conservative Oakville, ON

Thank you, Mr. Chair.

Thank you, everyone, for coming here today.

I hear the folks on the other side talk about spending $830 million here or $620 million there, as if spending a lot of money quickly will solve a lot of your problems, and of course it won't. It's like government by spending announcement.

But I'm also hearing today that no system has ever crashed and caused a break in service to Canadians. No cheque for tax refunds has ever failed to go out. No pension cheque has ever been withheld due to technical failure. EI cheques are all going out and always have. System upgrades are being invested in and implemented at Citizenship and Immigration Canada. They have a new global case management system. Public Works and Government Services Canada has a record of infrastructure availability of 99.7%, which is as good as or better than anything in the private sector. Even electronic banking that lets you do your banking from your home PC goes down sometimes, and they have to do some servicing, etc.

They've invested $120 million in technology in the last three years, and investments are ongoing. About 45 million cheques for the Canada Pension Plan went out last May on a modernized system. Who would have known? The cheques just arrive in the mail.

So it's not as though the systems have failed or are held together with baling wire or are not being upgraded.

We've also heard that you can't just throw money at IT and all will be easy. It'll take time. It's a process that's been in motion. In fact, like refuelling a plane in the air, this is always going to be in motion.

It sounds to me like the people in the departments were so busy making the transitions that they took less time to actually formalize what they were doing procedure-wise, and they didn't have time...or no direction for government-wide coordination.

In that connection, Ms. Bethell, as you adopt a portfolio-wide approach to IT, is it possible to negotiate government-wide discounts on, for example, PCs, software, or mainframes?

10:45 a.m.

Chief Information Officer, Department of Human Resources and Skills Development

Gini Bethell

Thank you, Mr. Chair.

Yes. As a matter of fact, we do have departmental licences that we have negotiated on behalf of our department, and I believe some would apply at the government level as well.

10:45 a.m.

Conservative

Terence Young Conservative Oakville, ON

But there's an opportunity to take the departmental ones and maybe put them together and do even greater volumes, at greater discounts, is there not?

10:45 a.m.

Chief Information Officer, Department of Human Resources and Skills Development

Gini Bethell

I would think that would be the responsibility of the Treasury Board, as opposed to my specific responsibility, but we would certainly be prepared to share the information on what we currently have and make that available.

10:45 a.m.

Conservative

Terence Young Conservative Oakville, ON

I hope they're respecting that opportunity and taking advantage of it.

Also, I've been very concerned with many of the media stories of stressed-out seniors and unemployed people. These stories are perhaps misinterpreting the Auditor General's report. Could you please reiterate why the systems are not imminently going to collapse?

10:45 a.m.

Chief Information Officer, Department of Human Resources and Skills Development

Gini Bethell

Although the applications that really produce the cheques--or the warrants, as we call them--are written in COBOL, an old code, they work extremely well. We still have the in-house expertise to continue to support those applications. All three--CPP, OAS, and EI--are on that platform.

We've also modernized the mainframe platform that processes the applications and does all the work to make sure that the cheques can be printed. The reality is that we can produce them. We have the people, the knowledge, and the expertise. We have the technology in place at this point in time to continue to produce. That's why, as a result of the economic action plan, we were able to make improvements to the system over the last year and were also able to significantly raise the processing requirements while maintaining the levels of service that we've had historically.

I think I would suggest to Canadian citizens that they're in good hands. We are aware that we have some continued work to do. We have started the process. Today we have the people, the applications, and the technology to continue to deliver; the reason the future is so important to us is that as the systems and the applications get older, it's more and more difficult to make changes to those applications, so as the government sets new requirements for our particular department and as we align with those departmental priorities, it's more complex to actually start to modify that.

10:50 a.m.

Conservative

Terence Young Conservative Oakville, ON

There's a risk to buying new technology as well. For example, if you decided you wanted to buy a huge mainframe to serve all of the government and that mainframe turned out to be a lemon, you could end up with a crisis, so doesn't it make sense to buy systems and test them, or to do trials or pilot tests within a department and share the information on how that system performs and what the costs and the maintenance issues are around that system? Then if you're dealing with a reliable company and it has a great product, you can expand it to other departments.

Is that something that would be part of your government-wide programming?

10:50 a.m.

Chief Information Officer, Department of Human Resources and Skills Development

Gini Bethell

Absolutely.

10:50 a.m.

Liberal

The Chair Liberal Shawn Murphy

Thank you, Mr. Young.

I would like to go back to the very point that Mr. Young raised.

To Ms. d'Auray or Ms. Charette, if you read what Great Britain is doing, they're very much going in the direction that Mr. Young suggested we shouldn't go. I'm not saying who's right and who's wrong, but they are moving toward a very integrated government-wide system that all departments and agencies would be part of, and they've identified very significant savings. As Mr. Young pointed out, if they go to that risk and this didn't work out, instead of being a significant failure in a department, it could be a massive failure in a government-wide system.

Is this being looked at by the Government of Canada, and is it something we ought to consider?

10:50 a.m.

Secretary of the Treasury Board of Canada, Treasury Board Secretariat

Michelle d'Auray

Mr. Chair, I think there are two points I would make. The first is that we would move toward standardization, standard business process and streamlined business process. That would be the first step for us, and we are doing that. Madame Charette could speak to a couple of those areas.

The second is that I think the idea of merging everything into one big system or platform is not ideal for an organization the size of the Government of Canada. You have to build redundancies. You have to build the capacity to manage differently, and you have to look at what the core business lines are.

I'll maybe ask Corinne to add a few elements to that.

10:50 a.m.

Chief Information Officer, Treasury Board Secretariat

Corinne Charette

I would say that from an administrative systems perspective, and that's the focus of administrative review, there are opportunities to consolidate, standardize, simplify, and then renew back-office platforms. That's not necessarily on one massive...because government is too big and the requirements are still quite diverse, but certainly to renew a smaller number of platforms that currently exist across government.

But if we look at program-specific applications, such as EI or taxation or immigration, those applications are difficult; there's not much of a good argument for centralizing. Those areas are where departments will continue to focus their investment plans, strategies, and renewal efforts. Hopefully over time, and as a result of this review, we can reduce their burden of renewing and investing in common infrastructure that is very similar--for instance, data centres, as I mentioned, or more secure renewed networks, and certain back-office applications that can be streamlined and standardized before being renewed. Hopefully we can reduce the overall burden of investment and renewal.

10:50 a.m.

Liberal

The Chair Liberal Shawn Murphy

Thank you very much.

Mr. Dion, five minutes.

10:50 a.m.

Liberal

Stéphane Dion Liberal Saint-Laurent—Cartierville, QC

Thank you, Mr. Chairman.

On the one hand, this report tells us there is a risk of systems breaking down, which would be followed by serious consequences. On the other hand, some people, like Mr. Young a little earlier, say that there has never been an incident and that the system works well. So I wonder why we need to massively invest in this sector.

I want to take this report seriously. To do so, today I should have heard each of you not only commit to receiving reports, priority updates and risk assessments, but also a contingency plan, including investments which will have to be made in the coming months.

Perhaps I did not listen closely enough, but I did not hear that. Each of your departments and agencies—

You will have to identify something like 5% of cuts, because the government needs to decrease its deficit. A large part of your operations cost is linked to technology of information, so I have a lot of concerns.

If we take this report seriously and then you come with an urgency plan where you identify investment in the coming months, and you say we need to invest more in order to satisfy the risk that the Auditor General identified, will you continue to say in 2012 that you will have reports and priorities? In the meantime, you will have to identify cuts, and maybe the cuts will be in exactly these systems.

Madam Auditor General—I have very little time—are you not concerned to see that there is such a feeble sense of urgency despite what you say in your report?