Public Accounts Committee on March 30th, 2023

I would agree. The premise of that comment, I assume from the report, was that we had guardrails in place and these sorts of things, but they really have to be put in place and used to have that real-life implementation and a practical result in terms of protecting the system. It's very important to have those in place. Putting the right security controls in place is very important in moving forward.

I think it's been said, but we're continuing to advance our advice and guidance on how to properly protect against the threats. We are probably the only country—that I know of—that has cloud-based sensors and a security organization monitoring the cloud environment. Though these threats exist in the cloud, they exist on premises as well. That's something that I wanted to point out. It's very important for us to keep that in mind.

Someone was saying, “Who's first?” In fact, it's a team sport here, and sometimes with a team, there isn't a first.

However, there is a primary role for looking forward and identifying what new issues can be—which we have to prepare for, work on and anticipate—and this belongs to the Canadian Centre for Cyber Security. They are looking forward and they are bringing to the operator—which is me, or our organization—the intel. “Here's what you need to do and fix, because we believe this will be a new risk that we didn't contemplate in the past.” It's very important, and the integration with the policy lead in how we deal with this is critical.

We have this in Canada. We are lucky. We need to invest in this all the time, because we have to practise. It's good that we are doing tests, but real life also tests our ability to work together.

Currently, we have a cybersecurity posting that's up right now, and we are incredibly pleased with the number of applicants we've had. The Canadian Centre for Cyber Security is an employer of choice. Lots of tech folks want to work there.

The thing we are struggling with is the ability to onboard people into the system and the security clearance requirements, particularly in the cybersecurity roles. We're looking at efficiencies within the security screening policy, which I also have as part of my portfolio, to see what we can do to remove friction from the system to bring in new public servants, while making sure, particularly in the space of cybersecurity, that we are not creating any risk with those new employees. That's incredibly important.

It depends on the type of services you're going to be getting.

I'm going to put a hypothetical out there. In the cloud context, if you think about an analytics service that might be very high-powered, it uses energy. How is the company that's providing that service dealing with the environmental aspect of the service it provides?

What we're asking for is for information to be provided to the government, so that they can have a clear picture of what they are procuring and whether there are environmentally preferable options. It's basically for them to go in with eyes wide open.

Mr. Chair, that applies only to the establishment of the cloud framework agreement, where we have eight qualified vendors. We had asked initially when they were qualified—among many things we were validating—what their environmental commitment was and if they had a net-zero commitment towards 2050. We have done that. We have that in the books for seven of the vendors that were qualified at the end. What we don't necessarily have is an attestation, and I think we are working on getting that, so that it's not only a case of “I said”, but we also need to be able to demonstrate the results.

Like the team from the Auditor General looked at, not all the workload and not all the applications that we are putting in the cloud are consuming and having the same demand on the infrastructure. We need to be able to compare this if we do it in the cloud versus running this through an enterprise data centre: Do I consume more energy and do I produce more gas emissions? What will be the difference? This is something that without the addition of the clause in the contract we will not be able to do, and this is where we need to go, because otherwise, if you ask me five years from now if we're consuming less or more and producing less or more if it's in a data centre or in the cloud, I would not have the data and, frankly, if we want to advance towards these targets, we need to have it.

We are really at the beginning here. What is in the cloud is really tiny. A lot of departments are using the cloud right now for experimentation, so it's not major computing that is there. Some departments are more advanced than others, but a lot of the work we do in the cloud is really small. This is going to change in the future, and it's why we need to put these controls in place.

Well, Mr. Chair, I cannot really comment on the decision to use these words or not. I would say that you're probably right in your allusion that the potential in the future is more important than what we have done so far and in the past, but if we don't take the steps now....

Changing these clauses and including these means that my team—and Costas was part of that—is engaging with the industry on how we can do this and getting their views about how this could work, because we do not want to invent requirements and clauses that will not work for them, that cannot be built and that cannot be met in the future. There was a fair bit of work in the last few months between us and PSPC to really make sure that those who provide cloud services gave us their views about it: Would this work?

That's why we're really close to being able to release these new practices: because the industry told us that this is the right way to go, that they can comply with these requirements.

Costas, I don't know if you want to add anything.

Okay.

It would have been my predecessor, Mr. Chair, saying that, but that is right.

This is a question that would probably be better addressed by the Canada Revenue Agency.

I have to say that digital enablement is essential. In this day and age, if we want to provide agile services and deal with peak demand, we have to be digital. We have to ride the right infrastructure. Right now, a lot of the infrastructure at the Canada Revenue Agency depends on what we call “mainframe”. This was the best thing you could have, when the cloud did not exist. Now, the cloud can bring the kind of high-computing capacity and high velocity we only had with the mainframe, in the past. The mainframe is a supercomputer running in a data centre.

I think the cloud—if we stick with the theme of the audit, here—provides us with much more opportunity to do this. Sometimes, it's not only with a big program. Think about the Canada Revenue Agency. It probably has the largest programs that depend on technology in the Government of Canada. Now, with the cloud, we can have that kind of velocity for something that is way smaller, as well...and analytical work. There is great potential there.

Are we up to it? Catherine said we have a lot of challenges with talent and multiple priorities in the Government of Canada, but I believe we have done the foundational work. Hopefully, we'll have fewer servers hidden in closets.

What I want to avoid, early on, in the work we are doing on the cloud.... There are cloud instances out there that we, around this table, are not aware of. We need to manage this, as an enterprise, so we don't get into the mess that existed in the past, in terms of how we distributed the data centre and servers everywhere. We have done this cleanup. There is a lot of work still to do. We have to be very organized in the way we leverage the cloud, so we don't create this.... We leverage and build expertise. We are organized. We have common rules, so we don't expose ourselves. If there is an incident somewhere, we know what is out there and how to take back control, so we avoid the damage and consequences of incidents.

It's about being organized at the enterprise level. The players around this table are essential to make this happen.

I think it's a great question.

We don't have a choice. Canadians expect it. In every other part of their day-to-day life, they are engaging digitally with companies all over Canada.

I think—to Sony's point—we're up to the challenge, but we have a very big hill to climb. I think what we're talking about, here, is getting the right foundations in place and not being afraid that we've learned a few things...to push on, but push on in a smarter, better and more organized fashion.