Public Accounts Committee on March 30th, 2023

Evidence of meeting #56 for Public Accounts in the 44th Parliament, 1st session. (The original version is on Parliament’s site, as are the minutes.) The winning word was departments.

A video is available from Parliament.

On the agenda

Report 7, Cybersecurity of Personal Information in the Cloud, of the 2022 Reports 5 to 8 of the Auditor General of Canada

MPs speaking

John Williamson
Maninder Sidhu
Stephanie Kusie
Valerie Bradford
Nathalie Sinclair-Desgagné
Blake Desjarlais
Michael Kram
Jean Yip
Kelly McCauley
Peter Fragiskatos
Brenda Shanahan

Also speaking

Andrew Hayes  Deputy Auditor General, Office of the Auditor General
Rajiv Gupta  Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Paul Thompson  Deputy Minister, Department of Public Works and Government Services
Sony Perron  President, Shared Services Canada
Catherine Luelo  Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
Costas Theophilos  Director General, Cloud Product Management and Services, Shared Services Canada

5:05 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

The threat against the Government of Canada has been high for a long time. We always talk about the blocks we're doing, as the Government of Canada. In terms of activity, we say it's four to seven billion blocks per day. Those are a lot of reconnaissance activities and other sorts of threat, but the threats are still there.

We enumerated those international cyber-threat assessments, as well. Really, the sophistication of cybercrime has increased in the past few years. Nation-states are still there. We named China, Russia, Iran and North Korea as the primary countries we're worried about. We still have the sophistication of the state-sponsored threat actors, but we also have the rise of cybercrime in this space as well. That has proven to be very lucrative, I would say, from a ransomware perspective and others. It's really fuelling the threat in that space.

It's very important for us to learn from those threats, which we do on a daily basis. We are the national [Inaudible—Editor], so we see what's happening across Canada, to a certain extent. We also work with our partners to make sure we're taking everything we're learning from those threats and baking it into advice and guidance. We work with our partners, here, to make sure we're putting the best recommendations out, and also building that into our security analytics and the types of defensive solutions we use for the government.

We couple that, of course, with what we've learned from our signals intelligence. CSE is fortunate, in that we have the cyber centre, and also our foreign signals intelligence, which tracks cyber-threat actors around the world and gives us the intel we can use to inform our advice and guidance for Canadians.

5:05 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much.

Ms. Sinclair-Desgagnés, you have the floor for two and a half minutes.

5:05 p.m.

Bloc

Nathalie Sinclair-Desgagné Bloc Terrebonne, QC

Thank you, Mr. Chair.

Another aspect of a best-practice cost-benefit analysis seems not to have been included in the process, and that is concerning. According to the report, “Public Services and Procurement Canada and Shared Services Canada did not include environmental criteria in their procurement of cloud services.” Normally, really good cost-benefit analyses include environmental and social impacts.

Has this recommendation been addressed? Following the release of the report, have you begun to assess environmental impacts in contracts with companies?

5:05 p.m.

President, Shared Services Canada

Sony Perron

Thank you for the question.

As I mentioned earlier, Shared Services Canada and Public Services and Procurement Canada are committed to working with industry to determine how best to require the information necessary to assess the environmental impact of service proposals in future bids for cloud services. The consultations are complete and in a few weeks, in April, the criteria will be incorporated into the contract vehicles we have for competitive bidding.

5:10 p.m.

Bloc

Nathalie Sinclair-Desgagné Bloc Terrebonne, QC

Can you give us examples of criteria that will be incorporated into it?

5:10 p.m.

President, Shared Services Canada

Sony Perron

Mr. Theophilos, do we have any details regarding the criteria that have been added?

5:10 p.m.

Costas Theophilos Director General, Cloud Product Management and Services, Shared Services Canada

Thank you for the question.

Just to answer that directly, the answer is that it's in alignment with Canada's commitment to reduce greenhouse gas emissions and the net zero—

5:10 p.m.

Bloc

Nathalie Sinclair-Desgagné Bloc Terrebonne, QC

I'm sorry to interrupt, Mr. Theophilos, but I'd like to know what the criteria are, specifically.

5:10 p.m.

Director General, Cloud Product Management and Services, Shared Services Canada

Costas Theophilos

With regard to the accuracy of what they are providing, companies like Google provide their commitments on greenhouse gas emissions for their operations publicly. Seven of the eight providers that we deal with in the cloud space at Shared Services Canada have met or exceeded those targets in a public fashion. We're following up with the eighth.

5:10 p.m.

Bloc

Nathalie Sinclair-Desgagné Bloc Terrebonne, QC

Could you please send us a list of the criteria that will be added to the contracts to evaluate the environmental impact of the proposals? More importantly, can you provide us with an implementation date for these new contracts for which environmental assessments will be conducted?

5:10 p.m.

President, Shared Services Canada

Sony Perron

As far as the second part of the question, the implementation of these contracts will be in early April. So, we are there.

In terms of the clauses that will be added to the contracts and to the calls for tenders, I'm sure Shared Services Canada or Public Services and Procurement Canada will be able to provide that information to the clerk in the next few weeks.

5:10 p.m.

Bloc

Nathalie Sinclair-Desgagné Bloc Terrebonne, QC

Thank you very much.

5:10 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much, Ms. Sinclair-Desgagné.

Mr. Desjarlais, you have the floor for two and a half minutes, please.

5:10 p.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

Thank you, Mr. Chair.

I believe it's our final round, so I want to offer my thanks to all the witnesses here today.

Thank you for your service. I think it's important that Canadians understand the value of digital infrastructure. You've been very patient with us, knowing that we're not experts in this field. I want to thank you for your accessibility in this discussion.

I do want to return to trying to understand the signals intelligence that was mentioned a few times. One fact that was submitted today, if I'm correct, and I can't remember which witness mentioned this, was that we are the only country currently utilizing signals information. Is that correct?

5:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

No, I would say that's not correct. It might have been a reference to cloud-based sensors, which is kind of our definition; we made up the term—

5:10 p.m.

Voices

Oh, oh!

5:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

—so it's probably easy to say. At the same point in time, we haven't seen the analogous type of capability through the partners we work with, so I would caveat it as such.

5:10 p.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

I see. Okay.

What is that, exactly?

5:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

Basically, one of the guardrails, which is very important, is that as a government entity stands up a cloud tenancy, we have to be baked in from the start to be able to get telemetry. We get log analysis and other sorts of data that help us analyze from the start of the instantiation of this tenancy. Back at CSE we can actually look at this data and detect threats right across the board on an enterprise scale. It gives us a common enterprise monitoring standard for cloud and gives that visibility of the cloud tenancies right from the start.

Often mistakes happen early on, when people don't know how to configure their cloud tenancies right, so being baked in was very important.

5:10 p.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

Yes. No kidding. I can see that's a massive piece to ensuring that we have the proper safeguards.

I think one thing you mentioned earlier as well, I think in response to a question from Mr. Fragiskatos, was that in relation to the threat present to Canada, it was high. What can we do in terms of our recommendations to ensure that we can reduce that? What would you say your biggest recommendation would be for Canada to ensure that we can actually try to control this threat? I think that's a scary thing to Canadians when they hear that.

5:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

I'm sorry. What was the threat that was high...?

5:10 p.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

I think the question by Mr. Fragiskatos was in terms of the risk present to Canada, and you mentioned that the threat to Canada was quite high in terms of cybersecurity for information.

5:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

Oh, we've seen a high level of threat activity against the Government of Canada. Risk is different from activity. What we have seen on an ongoing basis, for the greater than a decade that I've been doing this job, is that there is a lot of threat activity against the Government of Canada. We are an interesting target for a lot of countries and a lot of cybercriminals. That has always been at a very high level.

5:10 p.m.

NDP

Blake Desjarlais NDP Edmonton Griesbach, AB

What can we do to limit this risk?

5:10 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

You know, we are a prosperous country. We have things that other countries want. We have opportunities for cybercriminals, so I think that is a lot of the motivation. At the same point in time, we want to make ourselves a hard target and bake in the defences we have in order to make sure that cybercriminals don't make money off us and state-sponsored threat actors don't get the information they want.

Continuing to up our defences is probably the best way to do that.