Public Accounts Committee on April 23rd, 2013

Thank you for the question.

I'll say a few words, and then I'll turn to my colleague Madam Clairmont.

I think our partnerships and involvement with all levels of society, including Canadians more directly, have to evolve with the threat environment we're in. That's the first observation I would make.

Secondly, if we want individuals or companies to equip themselves and respond correctly, they need information—I very much agree with that premise. We have taken steps to be able to share with people fairly sensitive information that needs to be security cleared, so that they are aware of what they may be facing and their response is proportional to the knowledge of what the environment is showing.

I'll turn to Madam Clairmont for more information on that.

I think we're reaching out to the private sector on a number of levels and in a number of ways.

One way is through CCIRC, through our CSIRT, the computer security incident response team. That's where we're encouraging, as Mr. Gordon said, that companies reach out to us when they have a vulnerability or see something on their system. The more we're getting out to them, the more they're seeing that there's a value added from CCIRC, the more they're approaching us. That's developing out as well.

We're dealing with the private sector through the critical infrastructure sectors, which meet fairly regularly; through multi-sector forums, where we're briefing at different levels; and also the cross-sector forum, which brings together all the sectors and deals with issues of common interest, of which cyber-awareness is one.

We continue to engage at various levels with various stakeholders, both here and with our allies in the private sector. As Monsieur Guimont said, I think it's a work in progress, and one that is more like a journey than a destination, if I could put it that way.

Yes, indeed. The 15-7 essentially represents what I would call a normal workday, business hours, from one coast to the other. That is the premise. Seven days is exactly that, so a full week.

I'll let Madam Clairmont or Mr. Gordon address.... There is someone, probably through a rotation, who is to be available for phone calls if and when they manifest, but I will let them expand on that.

There are two dimensions to my response. One is that in addition to the on-call availability of being able to reach out through the telephone system to one of our operational response staff, we also have available the Government Operations Centre, also part of Public Safety, which is staffed 24 hours a day, seven days a week. So in the event that there was ever a disruption in our ability to reach out to our on-call person, they have the immediate availability of someone 24-7 in the Government Operations Centre.

That's correct.

It's part of Public Safety.

Yes. They're also part of the escalation process, so if an event became significant, the Cyber Incident Response Centre would reach out to the Government Operations Centre to draw in a broader range of government response, in a number of ways, and also to reach up to more senior levels within the government if it were required.

The other thing is, when we're dealing with our clients—the people who would likely be phoning in, the business clients—the nature of the cyber-attacks we're dealing with are things where the identity of that attack occurs over a period of time. It's not likely that you sit and watch it occurring in live time, so typically the companies watching this will see it and will be working during the day—hence, we’re working essentially the same hours—because the detection of these attacks can actually take many days to occur and there'll be a lot of analysis going on by the companies themselves. Once they see that, they will then contact the Cyber Incident Response Centre.

A similar program is also in place with our allies. The United Kingdom, Australia, and New Zealand run the same system.

Mr. Chair, I think I'll use the example of this chapter, where we identified that those action plans didn't exist at the time of our audit and because of that, we didn't have any way, really, to measure the progress that had been made in this area.

I think that sums up the value of an action plan. It lays out what needs to be done, when it needs to be done, and then you can measure progress against it.

I can't give an opinion on that. We haven't looked at the action plans in any detail.

The management action plan, as per the request of the committee, is specific to the recommendations of the OAG—systematically, blow by blow. We've tabled that. It was developed and tabled, and if I remember correctly, it's been carried out, except for one or two actions.

The other action plan is the more comprehensive action plan that the OAG has been looking for. We very much agree with him. We have now developed it, though it took a while, and now it is published. We rendered that plan public on April 18, I believe. By the way, it includes multi-departmental actions, so that departments are committed to carrying out certain tasks against a deadline of sorts. Along the lines of what the OAG is saying, it is grouped under the various pillars that we have for the strategy, which makes sense because that's our framework.

Departments, including my own, are expected to deliver a number of things. We have combined existing, ongoing, and completed tasks. The bottom line is that the comprehensive action plan includes some of the elements we produced as a management action plan in response to the OAG report.

In reality, just to be clear, the management action plan tabled before the committee as per your requirements, which we acknowledge, included having to develop a more comprehensive action plan. Our action plan for the OAG, for the committee, was developed very quickly, because we needed to be able to answer the various recommendations of the OAG. The more comprehensive action plan took some time. It was a fair amount of work and consultation to get the buy-in.