Evidence of meeting #86 for Public Accounts in the 41st Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was information.
A video is available from Parliament.
NDP
The Chair NDP David Christopherson
No, I am not doing anything I haven't done for anybody else. I'm giving him an opportunity. He's going to wrap up very quickly. Then I'll move along. Then we'll determine whether we have an issue or not.
Right now I don't hear one, but I'm looking to see if I do or not.
Continue and wrap up quickly, please.
NDP
Alain Giguère NDP Marc-Aurèle-Fortin, QC
We are the Standing Committee on Public Accounts. We must ensure that taxpayers' money is being spent properly and that it is spent where the government has said it needs to be.
We have given $570 million to this organization, and we are being given general information. I am asking for details. I want to know what this money went to.
We asked that the money be spent on a particular system. I want to know that it was. That is the essence of this committee.
NDP
The Chair NDP David Christopherson
Very well.
We'll leave that for the time being and deal with it going forward, if we have to.
Mr. Hayes, you have the floor now, sir.
Conservative
Bryan Hayes Conservative Sault Ste. Marie, ON
Thank you, Mr. Chair.
My question will be to Mr. Guimont.
Jim Burpee, president and CEO of the Canadian Electricity Association, has stated, “Through the National Strategy and Action Plan for Critical Infrastructure, launched two years ago, all of these players are engaged and working together to address Canada's cyber security challenges.”
I'm going to get there, but back to this action plan. I'm confused, because he's speaking to an action plan of two years ago, and you're speaking to an action plan that was released on April 18.
Can you shed some light? How many action plans are there? What was the reason these action plans were released? On what dates were they released?
Deputy Minister, Department of Public Safety and Emergency Preparedness
Thank you, Mr. Chairman, for the question. First, there is essentially, as I should call it, the management response to the OAG recommendations, which was filed with the committee, and that is very specific to the recommendations that were made and accepted by the department. That's number one.
Number two, one of those recommendations was to develop a comprehensive action plan in order to be able to track progress as well as results measured. We have done that. It took us a while to do that, months. It was a lot of work. It's normal. It's not unusual. Now that's been made public as of April 18. Not only that but we have also developed a framework to track progress, so that is also available.
The sector tables all have an action plan of sorts. They're busy looking at risk, managing risk, sharing information. As well, we are going to, on cyber, augment the frequency of meetings, and we will do that against actions that we will collectively agree we need to take in order to manage a cyber-risk, as a for instance. They all kind of fit together, but “separate but connected” is the way I would describe that.
Conservative
Bryan Hayes Conservative Sault Ste. Marie, ON
On this plan that the president of the Canadian Electricity Association refers to, according to him it's working extremely well. In other sector networks, it doesn't seem to be working as well. I wonder if you could elaborate for me why in the Canadian Electricity Association the plan seems to be unfolding very well, and in some other sectors it doesn't seem to be.
Then, what sector is the next priority? I'm getting a sense that it's a challenge to manage all the sectors at the same time. Is there a sector priority implementation plan, so to speak?
Deputy Minister, Department of Public Safety and Emergency Preparedness
I'll turn to Madame Clairmont to have a stab at this, please, if you may.
Senior Assistant Deputy Minister, National Security Branch, Department of Public Safety and Emergency Preparedness
I think you're referring to the critical infrastructure strategy and action plan that was developed with the provinces and territories. Each of the sector networks is part of that, and I think in the electricity sector it's working very well. I think other sectors are not maybe necessarily at the same level, but they're developing and coming along.
Conservative
Bryan Hayes Conservative Sault Ste. Marie, ON
So what are the lessons learned in terms of why it's working so well in one sector and not so well in other sectors?
Senior Assistant Deputy Minister, National Security Branch, Department of Public Safety and Emergency Preparedness
I think some of the sectors are more diverse. Some of the sectors were already more organized to start off with. Some of the sectors are more coherent. They have similar functions. When you take, say, the food sector or the food networks, it's a broad range of things, whereas some things like banking and the electricity grid are fairly centralized.
Conservative
Bryan Hayes Conservative Sault Ste. Marie, ON
Mr. Guimont, where are we in relation to two of our closest security and intelligence partners? In the report that was the U.K. and Australia. How do we compare in terms of our cyber-security systems with these two nations?
Deputy Minister, Department of Public Safety and Emergency Preparedness
Thank you for the question. I will start with the relationship we have with the U.S. They're very close. Our economies are connected in a meaningful way, so we have a lot of relationship. I was in Washington a couple of months ago and I sat down with a number of people, and cyber is a top-priority topic. That is my first observation.
The second one is that it's not just flying down and meeting. We also have essentially committed to a number of actions with the U.S. We've done that formally. Madame Clairmont will speak to it in a minute.
Third, we also deal with other countries, so not only the United States, the U.K., New Zealand, etc., and it's always the same thinking: sharing information; where we can have common strategies; and being ahead of the issues potentially coming our way. Madame Clairmont just had a meeting very recently on the so-called Five Eyes and she can speak to that as well specifically.
Senior Assistant Deputy Minister, National Security Branch, Department of Public Safety and Emergency Preparedness
I would say a couple of things. One is that our cyber-strategies closely align with those of our closest allies. They're all very similar. They were all announced at separate times, but we are different countries so we implement these things a little bit differently.
When I was preparing for the committee and thinking about how we align with our allies, I was thinking really thematically, that there are a couple of themes that we see in all of our like-minded countries that we deal with. Information sharing is key to all the strategies and approaches to cyber-security—that's the right information to the right people at the right time. Also, I think the public-private partnerships are really key as well. International engagement, making sure that we are having similar messages internationally is also key. Lastly, protecting our citizens through awareness campaigns, through anti-crime and anti-fraud kinds of situations.
With respect to the U.S. specifically, we announced our public safety-department of homeland security action plan in 2012, and that had basically three goals. One is to enhance our cyber-incident management—that's our CCIRC to their US-CERT—with more exchange of information, more timely information, and actually exchanging people. Second was the joint engagement and information sharing with the private sector, because a lot of the private sectors are common across the borders. Also, we have the continued collaboration on our cyber-awareness campaigns.
NDP
The Chair NDP David Christopherson
Okay, that does it. Time has expired, so thank you very much.
We'll move along now and go back to Mr. Byrne. You have the floor, sir.
Liberal
Gerry Byrne Liberal Humber—St. Barbe—Baie Verte, NL
Thanks, Mr. Chair.
One of the preoccupations of this particular committee and of Parliament is that we hold the government to account. One of the issues that was raised by the Auditor General in the report was a seeming reluctance to identify specific dollar figures spent on cyber-security threats.
The Auditor General did indicate there was approximately $780 million appropriated for various activities, but departments seem very reluctant to actually dig down and define how much of the $780 million was specifically identified and spent on cyber-security. Would you be prepared to provide that information to the committee, Mr. Guimont?
Deputy Minister, Department of Public Safety and Emergency Preparedness
Thank you for the question.
Mr. Chair, I can certainly provide some information on the $780 million, starting with the fact that four Treasury Board submissions were approved. This was over a 10-year period for 13 departments. I accept that this is not a straightforward topic. There is a bit of concern about resources and where they went.
Over that 10-year period, $21 million went to cyber, so I would like to take a moment to say that cyber 10 years ago is not what cyber is today, in the sense that this funding was for critical infrastructure, all hazard-type issues, including cyber. But 10 years ago cyber was at a given place. We all have to remember this was post-9/11 and we were in that world, if you wish.
Of that $780 million, $570 million went through the Treasury Board process, RPPs and DPRs, and all that reporting, to CSEC, the way Madame spoke to the resources and how they were invested at the macro level.
The last one I would mention briefly is that $190 million went to different infrastructure-type issues, writ large, not specific to cyber.
That's the macro, and I have examples here of how the resources were spread.
I want to make a little segue, and I won't be too long, on the very valid question of how come you had $155 million recently announced over five years and the action plan makes reference to four years. It's simply because when an announcement is made, the resources don't flow automatically. We had to go through an approval process that consumed a period of time, for due-diligence reasons, and now we have four years to invest that $155 million. I want to be on the record on that point.
Liberal
Gerry Byrne Liberal Humber—St. Barbe—Baie Verte, NL
Thank you very much, Mr. Guimont. I appreciate that.
Regardless, however, the Auditor General did identify $780 million within the audit period. He identified $570 million specifically for Communications Security Establishment Canada.
One of the things we always are a little bit concerned about is the process of double counting, where the government may suggest $780 million was spent on cyber-security in the advent of a cyber-security threat and then in the advent of a domestically radicalized insurgency threat all of a sudden $780 million is spent there as well.
It's useful from a parliamentary accountability point of view to have some clarity. I'm not asking for specific projects, which may infringe on national security requirements, but to have some clarity as to what exactly is prioritized for cyber-security versus other things.
Now with that said, I'll have to move on because my time is dear.
We appreciate, Mr. Guimont, that a very thorough, much more detailed publicly available document was provided on an action plan related to cyber-security. Would you be prepared to have that submitted to the clerk—that document entitled, “Action Plan 2010-2015 for Canada's Cyber Security Strategy”, which is a cross-governmental strategy—as a government-wide departmental action plan in relation to the Auditor General's report?
Would you be prepared to have with it and bear with it the same parliamentary accountability and scrutiny, which holds the government to account? That is, that which is found in this document is the same as that which is found in these two pages, in terms of its accountability requirements to this committee and to our report writing.
Would you agree to have this document submitted as a departmental action plan for the benefit of the committee and to be held account to that departmental action plan?
Deputy Minister, Department of Public Safety and Emergency Preparedness
The answer is yes.
NDP
The Chair NDP David Christopherson
Very good. Thank you. We appreciate your discretion.
Moving on, Mr. Dreeshen, you now have the floor, sir.
Conservative
Earl Dreeshen Conservative Red Deer, AB
Thank you very much, Mr. Chair.
Thank you to Mr. Guimont. I can add Pascal, COBOL, and BLISS as well to that. Had I learned how to type without just using one finger, I would probably have stayed in that particularly area, but now we're back to one thumb so it works out not too badly for me.
On the website, you had talked about having 227,000 hits come in. It's being used well, and I think that's something that is important. Of course you were also talking about how you get zero off-hour calls.
I know one of the things we talked about back in the fall when we first discussed this was the idea of going from the eight hours to the fifteen hours, which basically took our five-and-a-half time zones and made sure we were there for business hours. I think that was important. I can see the rationale for what we were talking about there, and again perhaps from the discussions we had maybe you bolstered a little bit in the other nine hours we have, to make sure that was being covered. I respect that part.
When I look at the Auditor General's report and I see the Auditor General talking about the $780 million and how the other split was, with the public safety officials talking about the $20.9 million of the remaining $210 million, I see that accounting and I respect that accounting. I believe that's what the Auditor General was looking at and saw those numbers and went through from there.
I guess I have a couple of points I really want to talk about as well. Could you speak to the steps the National Cross Sector Forum was taking with regard to the risk management activities and looking at how that partners throughout Canada? I wonder if we could have some comment with regard to what we have seen.
Auditor General, what did you see with this National Cross Sector Forum? Is that doing what you think should happen as far as risk management is concerned?
Auditor General of Canada, Office of the Auditor General of Canada
I'll ask Ms. Loschiuk to deal with that question.
Wendy Loschiuk Assistant Auditor General, Office of the Auditor General of Canada
Thank you very much.
We looked at the National Cross Sector Forum as an activity that had happened since 2010. It was something we saw as improvements in the communication, so we wanted to talk about it a little bit. In the chapter we do mention it in paragraph 338 where we talk about what has been going on that we noted was good progress. This National Cross Sector Forum we saw as something that was in there to help bring groups together that had not yet had an opportunity to fully coalesce as sector networks.
From that perspective we saw it as an active thing that was taking the place of sector networks that were not yet fully in place.
Conservative
Earl Dreeshen Conservative Red Deer, AB
Thank you.
Ms. Charette, in your opening remarks, you talked about how TBS had placed renewed emphasis on increased awareness and best practices for IT security across government. I wonder if you could go through what some of those best practices are.