Public Accounts Committee on March 30th, 2023

Thank you very much, Mr. Chair. We appreciate this opportunity to discuss our report on cybersecurity of personal information in the cloud, which was tabled in the House of Commons on November 15, 2022.

I would like to acknowledge that this hearing is taking place on the traditional unceded territory of the Algonquin Anishinabe people. Joining me are Jean Goulet and Gabriel Lombardi, who led this audit.

Federal departments are increasingly moving software applications and databases into the cloud, including some that handle or store Canadians' personal information. Information stored digitally, whether on premises, in data centres or in the cloud, is exposed to the risk of being compromised.

In this audit, we wanted to know whether the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, Communications Security Establishment Canada and selected departments had controls in place to prevent, detect and respond to security threats to Canadians' personal information in the cloud.

Overall we found that the departments we audited did not always implement and follow the controls the government has set out to protect information that is stored and transmitted using the cloud. These controls include, as examples, encryption and network security requirements. We also found that security requirements and the corresponding roles and responsibilities were not always clear. As a result, they were not consistently implemented. This leaves cloud-based information vulnerable to cyber-attacks, which are increasingly frequent and sophisticated.

In addition, we found that 4 years after the Treasury Board of Canada Secretariat first directed federal departments to consider moving information to the cloud, it still had not provided a long-term funding plan for cloud adoption. It also had not provided a way for departments to calculate the cost of moving to cloud applications and operating in the cloud environment.

Without a funding plan and costing tools, it is difficult for government departments to ensure that they have the people, resources, and expertise they need to secure cloud-based information and respond to threats. Having these would strengthen Canada’s cyber-defence capabilities both within individual departments and government-wide.

Finally, we found that Public Services and Procurement Canada and Shared Services Canada did not require cloud service providers to demonstrate their environmental performance or to explain how their services would reduce Canada’s greenhouse gas emissions. This is important because Canada has set a goal of net-zero emissions by 2050 and committed to including criteria aimed at reducing greenhouse gas emissions in the government’s procurement for goods and services. To date, this has not been done for procuring cloud services.

The government needs to act now, while departments are in the early stages of transitioning to the cloud. It needs to ensure that funding is available and that key security controls to prevent, detect, and respond to cyber-attacks are strengthened. This includes clarifying shared roles and responsibilities for cybersecurity so that the departments involved, central agencies, and cloud service providers know exactly what they should be doing.

This concludes my opening remarks. We will be pleased to answer any questions the committee may have.

Thank you.

Hello. Thank you, Mr. Chair, and members of the committee, for the invitation to appear for the study of the Auditor General of Canada's report to Parliament on “Cybersecurity of Personal Information in the Cloud”.

My name is Rajiv Gupta, and my pronouns are he and his. I'm the associate head of the Canadian Centre for Cyber Security at the Communications Security Establishment, also known as the cyber centre.

The Cyber Centre is Canada’s technical authority for cybersecurity, safeguarding Canada with our advanced cybersecurity capabilities and providing a unified source of expert advice and support on cybersecurity operational matters.

I'm happy to be joined by my colleagues from Treasury Board Secretariat, Shared Services Canada and Public Services and Procurement Canada, with whom we work closely on cybersecurity matters.

As part of the cyber centre's operational role, we share cyber-alerts and threat assessments across the Government of Canada to ensure that our information systems remain secure, responsive and well defended. As part of our education role, we work to increase cybersecurity awareness across the government through initiatives like the learning hub.

The Learning Hub is based at the Cyber Centre and provides training to improve the cybersecurity of Canada’s government and critical infrastructure organizations.

During the 2021-22 fiscal year, the learning hub renewed its collaboration with the Canada School of Public Service, CSPS, to provide a standardized cybersecurity curriculum for all—

Thank you very much.

As mentioned earlier, the Learning Hub is based at the Cyber Centre and provides training to improve the cybersecurity of Canada’s government and critical infrastructure organizations.

During the 2021-22 fiscal year, the learning hub renewed its collaboration with the Canada School of Public Service to provide a standardized cybersecurity curriculum for all federal public servants. The learning hub and CSPS co-developed an e-learning course to introduce public servants from non-technical backgrounds to the basics of cloud computing. This is a priority topic for the public service as departments continue to migrate their IT infrastructure to the cloud.

Government of Canada organizations are increasingly leveraging cloud computing, which has the potential to deliver agile, flexible and cost-effective IT services. As noted in our 2021-22 annual report, CSE continues to function as a pathfinder for the GC in migrating to the cloud.

Indeed, CSE was an early adopter of cloud technology, and we ensured that we were the initial adopters of our own internal advice and guidance.

We were the first department to securely implement several commercial cloud applications, securing them with our cloud-based sensors. We demonstrated leadership by sharing the lessons learned and the relevant advice and guidance with other departments.

As I mentioned earlier, the cyber centre is the operational lead for protecting the GC from cyber-threats such as ransomware and cyber-espionage.

We work with federal partners to defend the government’s networks and the sensitive information of federal institutions.

While there is no such thing as zero risk when it comes to cyber-threats, we are ensuring that the highest levels of protection are in place. The cyber centre uses autonomous sensors to detect malicious cyber-activity on government networks, systems and cloud infrastructure. We use three types of sensors: network-based sensors, cloud-based sensors, and host-based sensors.

These sensors allow the cyber centre to deter cyber-threats happening in real time. Our classified knowledge of threat-actor behaviour allows us to defend against and block these threats.

We work with our federal partners to ensure that the appropriate safeguards have been applied to ensure the security and the privacy of their information that is hosted in the cloud. As cloud environments continue to evolve, we are making sure that we continue to evolve our tools to ensure that the government's systems are well defended and secure.

I would like to thank the Office of the Auditor General of Canada for their report and the committee for bringing us together to discuss this important topic.

Although none of these recommendations outlined in the report is specific to CSE, we welcome them. CSE and the cyber centre take information security very seriously, and this includes the government's data in the cloud. We will continue to collaborate with our federal partners to move forward on these recommendations.

Members of the committee, I can assure you that CSE will continue to work with partners to bolster Canada's cybersecurity, while at the same time ensuring that the necessary protections are in place to respect Canadians' privacy.

Thank you for the opportunity to contribute to this important study, and I'm looking forward to answering any additional questions you may have.

Thank you very much, Mr. Chair.

I'm pleased to be here with you and members of the committee to discuss how Public Services and Procurement Canada is responding to the audit of “Cybersecurity of Personal Information in the Cloud”.

With me today is Catherine Poulin, assistant deputy minister of our Departmental Oversight Branch.

As the Government of Canada’s purchaser of goods and services, my department is committed to ensuring that our procurement processes meet the needs of our client departments and agencies.

We appreciate the importance of cybersecurity in all facets of the Government of Canada's work. The government continues to invest in enhancing cybersecurity capabilities. For example, in budget 2023 there is a proposed $25 million for PSPC to work with National Defence and others to establish a cybersecurity certification program for defence procurements in order to further protect Canada's defence supply chain.

Looking beyond Canada's defence supply chain, we know that the use of cloud computing for software applications and databases has the potential to not only improve how we and federal organizations provide services, but also to reduce the cost and maintenance of physical services and applications.

As the government continues its strategy of using cloud computing, it is clear that departments involved will need to work more closely together to manage the security risks in the cloud.

With cybersecurity threats and attacks continuing to increase in frequency and severity, my department welcomed the results of the audit of the protection of personal information in cloud computing.

For its part, PSPC plays a supporting role in two key areas.

First, as central purchaser for the Government of Canada, PSPC procures cloud services on behalf of departments and agencies, and has established a supply arrangement with pre-qualified cloud service providers to help streamline the process. PSPC is also responsible for assessing the physical security controls of cloud service providers and their personnel.

In cases where departments procure cloud services directly through our supply arrangement, or through other procurements, we are committed to providing advice and guidance to those departments to help ensure that cloud guardrails are implemented to prevent cybersecurity breaches.

Mr. Chair, while the security of information is an important Government of Canada priority, we at PSPC are also strongly committed to doing our part on another priority, which is promoting environmental responsibility and sustainable development.

The Auditor General's report rightly pointed out that our contracting processes did not require potential cloud service providers to demonstrate their environmental performance or ask them to explain how their services would reduce Canada's greenhouse gas emissions. In addition, even when providers offered that information, there has been no mechanism in place to confirm it was accurate.

The report recommended that PSPC, in conjunction with Shared Services Canada, include environmental criteria when procuring cloud services. Doing so will help contribute to supporting sustainability and help Canada achieve its net-zero carbon emission goals.

Our departments agree with that recommendation and we have committed to taking action by working with our colleagues from Shared Services Canada to address that. This includes requiring suppliers to provide information on their commitments to achieve net-zero emissions, developing clauses in cloud computing service contracts to include GHG reduction targets, and revising the standard contracts for the procurement of cloud services and for requests for proposals.

We are also working on incorporating environmental criteria into our existing cloud procurement vehicles.

To conclude, Mr. Chair, I would like to express my thanks to the Auditor General for her report. I believe her recommendations will help guide improvements in our practices around cloud computing services.

Through continued collaboration with our partners, Public Services and Procurement Canada will be better positioned to meet our climate change obligations and ensure the security of the information of Canadians.

Thank you for your attention. I look forward to your questions.

Thank you, Mr. Chair and members of the committee, for your invitation.

I am pleased to be here today, accompanied by Costas Theophilos, director general of Cloud Product Management and Services, to address any questions the committee may have with respect to the Auditor General of Canada's audit and Shared Services Canada's progress on addressing the recommendations.

Consistent with its commitment to provide modern and secure IT infrastructure, SSC is continuously modernizing the Government of Canada's IT infrastructure. In this effort, SSC has taken an enterprise approach, which means we continue to consolidate, standardize and modernize networks and systems across government.

It is essential that we keep pace with ever-changing technology and increased cyber-threat activity. As such, over the past few years, we have significantly adopted digital solutions, including leveraging the cloud environment. It is essential that we keep pace with these changes.

Cloud adoption is a shared responsibility across the Government of Canada. Shared Services provides controlled and secure access to the cloud environment at the enterprise scale. Precisely, SSC enables cloud adoption by departments and agencies by providing access to critical building blocks, such as supply, secure cloud-to-ground network connectivity, and guidance and expertise.

In that vein, SSC works with departments to migrate their data and applications from aging data centres to modern infrastructures, such as the cloud and enterprise data centres. This accelerates the modernization of applications in an agile, secure and cost-effective way.

Protecting the information of Canadians is a top priority for SSC. This is why a common approach across departments and agencies is important. We are still in the early stages of cloud adoption; therefore, enhancement and maturing of the processes and the protocols are expected.

While there is no such thing as zero risk when it comes to cyber-threats, we are ensuring that the highest levels of protection are in place. It is important to note that all information is stored in Canada, and the most sensitive information is stored in data centres owned by the Government of Canada.

We welcome the report and recommendations of the Auditor General. This audit is helping to strengthen the operating framework for cloud services. This is particularly important at a time when reliance on the cloud environment is increasing.

SSC has a role in four of the five recommendations included in the audit.

For recommendation one, SSC is working closely with the Treasury Board Secretariat to strengthen guardrail validation and enforcement and to ensure coordination with departments. Cloud guardrails set the minimum security requirements that departments need for the configuration and the operations of their cloud environment. This includes how data is managed and where it is stored. SSC has begun the automation of the guardrails to assess compliance in real time. This will be tested with pilot departments beginning in fall 2023.

On the second recommendation, the Government of Canada set a minimum-security requirement for securing cloud-based information. SSC is working with departments to validate any outstanding cloud security controls.

On the third recommendation, to address the issue of cloud funding models, SSC is working with TBS to review the way forward as it relates to cloud costing and recovery. It is expected that the proposed cost model will be available in the near future.

And on the fourth recommendation, SSC and Public Services and Procurement Canada will soon release a standard template for cloud contracts that includes sustainability terms for cloud providers.

In fact, SSC has started to include environmental criteria in competitive solicitations under the Cloud Framework Agreement. For example, some processes now include rated criteria, encouraging suppliers to set targets to reduce their greenhouse gas emissions.

Going forward, SSC will include rated environmental criteria in all new competitive solicitations under the Government of Canada Cloud Framework Agreement.

Mr. Chair and committee members, SSC works continuously to manage cloud security risks and to enhance cybersecurity so that Canadians’ data and privacy are safeguarded.

Thank you. We will be pleased to take your questions.

Thank you, Mr. Chair, and members of the committee. This is my first time appearing at this committee. I've met some of you, but for the others, I'm pleased to be here today.

I've been 21 months in government, having spent about 30 years in the private sector before that so I'm still in my “firsts” as I go through all of these different exercises.

As chief information officer of Canada, I provide overall leadership for the management of information technology, information management and service and digital transformation within the Government of Canada. As you see me sitting here with my colleagues today, we could have another 100 people here with all of the departments. It's a team sport to modernize digital infrastructure in government, and certainly cybersecurity is as well.

We have legislation that we manage out of my department, including access to information and open government, and we have oversight for all of the major technology programs. We have accountability for the GC cybersecurity event management plan—that's a mouthful—GC CSEMP for short.

When it comes to the protection of Canadians' personal information, we set out policies, set cybersecurity requirements, and execute decisions on the management of cybersecurity risks on behalf of the government. This is through the policy on government security, the policy on service and digital and a number of different mechanisms that sit underneath that, such as the digital standards.

I have a couple of key messages in response to the AG's report. We welcome this report, and as noted by the auditor, we're at the baby steps. We are at the beginning of the beginning. This is a beautiful time for us to be getting these findings and have an opportunity to improve. In my experience in prior organizations, a strong audit function really helps technology organizations be better, and I look forward to continued work with the Auditor General on this and other files.

As I noted, we're at the very beginning of the modernization of our technology environment. Only 35% of the systems in the Government of Canada are in a healthy state, and the cloud is a key to modernizing those systems. Cloud migration is one lever—and of note, private and public organizations all around the globe are dealing with this. I worked for several large Canadian companies, and some of the things that we've noticed here are things that we ran into in that environment.

The Government of Canada takes the protection of Canadians' information very seriously, and as Sony noted, not all services will be in the cloud. That is not our plan. We are going to have the cloud, and we are going to have enterprise data centres, and that is partially from a financial perspective and partially from a utility perspective. Cloud guardrails, a standard set of controls, are going to evolve over time. The threat landscape changes. The environment technically changes, so we'll be tuned to that. We will continue to strengthen oversight and compliance mechanisms for cloud use across government to make sure there's very clear guidance and compliance.

Since the Auditor General's report, I want to talk about a couple of areas of progress. We have updated our cloud roles and responsibilities document, and a corresponding matrix, and published it internally, so that our team members have access to that. In November 2022, we updated the Government of Canada cybersecurity event management plan. This is the plan that we put in place to respond to enterprise government cybersecurity incidents. This was first published in 2015, and we continue to test, review and tune that plan. That's normal practice with any type of a cybersecurity plan. In fact, about four weeks ago, we completed an “on guard”, which is a simulation that we run across government. It included a cloud component as part of that review, so we are starting to test our response to cyber incidents in the cloud.

In January, we also published an updated cloud strategy that had been in the works for several months. We've changed the language from “cloud first” to “cloud smart”, and that really identifies the fact that we are not always just going to go to the cloud, but are going to balance the decision-making on a number of factors, including financial.... Cloud first was exactly the right strategy for the government to move forward. We needed to start directing people into new technology, so it got the ship moving in the right direction, for lack of a better way of saying it. We have about 800 of our applications in the cloud. That's still a very small percentage of overall systems that we have across government.

Of note, in January, I issued guidance out of my office on the classification of personal information in the cloud and, in coordination with many of the people around this table, came to a decision that we are going to designate some high-value assets—personal information being an example—and some systems that would have an additional set of controls put in place to protect them even further. Our benefits delivery modernization program, which houses a lot of Canadians' data, is a good example of where we'll be deploying on that.

Finally, on continued development of a cloud costing model—and Sony talked about that already—we're looking to have that ready for publication in summer or fall. We've done a lot of work on that already. That is going to help departments make informed decisions about moving to the cloud, and not just the cost of moving to the cloud but the cost of operating in cloud. Both of those things are very helpful to understand. That will fulfill our responsibilities as it relates to recommendation 4.

In closing, our ultimate goal is to provide Canadians, Canadian businesses and all service users with the high-quality and efficient service that they expect in a digital age. Cloud is going to be a part of that. We will be regularly managing our progress on achieving this ambition, and cloud is an important part of that plan.

Once again, Mr. Chair, thank you for your invitation to speak to you today. I welcome any questions you may have.

Thank you.

There was just one recommendation.

Yes.

It is the policy. I don't think it's a law. It's a policy that in fact falls under Catherine's authority.

Thank you, Mr. Chair, for the question.

This is a product that we are working on with multiple departments. We're under the leadership of the Treasury Board Secretariat. There is nothing to hide. It's something that we'll share with the departments because it's a tool, so I assume that we will be able to share it with this committee when the product is ready for distribution.

Catherine may want to add to this.

That would be something we'd be happy to share.

Mr. Chair, I think the member of Parliament is referring here to the automation of guardrails verification. We'll have to find a way to share that with you. What it is, basically, is that right now there are 12 guardrails. My team, following the wise advice from the Auditor General, has taken to checking not only once at the beginning but on an ongoing basis that these guardrails are maintained. It will be more a monitoring than a one-time exercise.

We are monitoring compliance of each department right now. It's just that it's not automated. It's people who belong to Costas' team who basically undertake the manual work to regularly verify around 200 instances of cloud to make sure the departments, when using this, follow the standard. Often it is only enabling a function, but if they move them, the switch to the left, this is not working anymore, so we need to make sure they maintain that, because all of this is protecting the system.

My answer is that we can come back to this committee or share with the clerk the results of our review, for sure.

I think we are experiencing things that are very similar to what other organizations do at this stage of our maturity. We are less than 10% in the cloud. I think we are adopting what are standard best practices, and I think we are learning unfortunately a lot of the same lessons that organizations learn, which is.... One of the key findings of the Auditor General's report was that we have great standards and guardrails in place, but the application of them was inconsistent, which is why the automation is so very important.

Not that I'm aware of, but I might ask my colleague, who has been around the table a little longer, if there was an international benchmark done. There is not one that I'm aware of.

What I know about that—and maybe our colleagues from the Centre for Cyber Security will have views—is that we often compare our practice here in Canada to the standards of the Americans on cybersecurity. We do comparisons, but again, I'm not sure we have a report that will do a broader scan.

I would like to add as well that in terms of our assessment of the CSPs, the cloud service providers, we do look at international standards such as ISO FedRAMP in the United States, as well as SOC 2 Type 2 reports, which are required in terms of the assessment process. We make sure that we're very harmonized with the international standards and the U.S. in that space.

In terms of the roles and responsibilities, we were concerned that unclarity led to questions about who was on first, who was going to be dealing with issues when there was an event. We did also identify that the monitoring and oversight could be improved both by Shared Services and by PSPC.

I won't get into the details of some of the information that we weren't able to include in the report, but what we identified was that for the guardrails for the security requirements that are in place, they should be implemented in their entirety, and ongoing monitoring should be happening as well.

In my view, this is a role for the Treasury Board Secretariat to provide guidance and policy.

Just to make a point of clarification, it's 10% of systems, not data. It's a little different.

No, no, that's okay, but it's important that nuance.

I think we can continue course and speed. We have actually quite aggressively moved on the Auditor General's findings already, as I outlined in some of my remarks, and we will continue to tighten things as we move along.

There is always, as part of putting a new system into production, i.e., into the cloud, a released production activity list you go through to make sure that things have been met. We'll be disciplined in making sure that for cloud migrations, we pay very close attention to that, to ensure that we're managing that risk.

We looked at three departments. We weren't looking across the entire government. Because it's not a representative sample or anything, our results can't be extrapolated across the government, but the areas we identified in our report related to three departments.

We didn't look into that degree of specificity. We were looking at the testing of their plans and the implementation of their plans.

On an ongoing basis, we're assessing the threats to cloud service providers. We're providing threat assessments on those. We're providing advice and guidance for cloud service providers, including for the government and Canadians, in terms of how to secure your cloud systems. On an ongoing basis we're seeing how the threat landscape is changing in accordance with technologies and we're making sure that our advice and guidance and information are up to par.

For the government we're also deploying cyber-defence services to make sure the technologies we deploy for the government are actually taking into account the new threat factors we're seeing from both classified and unclassified sources, and we're making sure that those technologies are implemented on our servers.

Thank you, Mr. Chair, for that question.

I would just note that we have a physical inspection regime that has our employees doing the site inspections for cloud service providers as well as personnel security screening. Those are the two main activities that PSPC does to ensure that the cloud service providers are meeting their expectations.

I'll take that one and then Rajiv can add something if he wants to.

The reason we're shifting from cloud-first to cloud-smart, first of all, is that using the cloud allows us to stand things up very quickly. Where we would take potentially months to stand up an environment in which we can start building a new system for Canadians or migrating a new system for Canadians, we can do that in hours or days in cloud, so there's a huge opportunity to move more quickly to deliver service to Canadians.

We needed to get the government going in a direction because we were all data centres, and in fact SSC had an issue around the fact that they had some very old data centres. Before we just picked up and moved to a data centre, we said let's start moving some of the stuff into the cloud. As part of that, many of the things we've learned were pointed out in the Auditor General's report, including the fact that we need more maturity around our cost model. That is why we went into more of a cloud-smart model, so that we are really going to put that financial lens on migration to consider whether it's more efficient, when you put all things together, such as speed and cost, to have it in the cloud or to have it in an enterprise data centre.

So that was really the shift, and we'll continue to tune that as we go forward. As I noted in my remarks, there will never be a world in which we will be fully in the cloud, and that situation is consistent with those of many large organizations across the globe.

That's the work we're undertaking right now, and it's not a one-to-one answer, because there is a cost and a benefit to speed, and there's a cost with buying computing from Amazon Web Services or Microsoft Azure versus having all of the infrastructure that Sony needs to put in place to physically operate a facility with servers and all the things that we need to host on premise.

So we really needed to do what we've done, to move some of our systems over to the cloud in order to have some real-life examples around the cost and the benefit of a cloud environment versus the cost and the benefit of an enterprise data centre, but I would say that the theory that it is less expensive to go to the cloud is not a good theory. It is also not a good theory to say that you can get the equivalent amount of agility from a data centre environment that you can get from a cloud environment. We've seen that throughout COVID and how we've been able to use cloud to move very quickly on some things.

We need to balance all of those things to come up with the right economics because it takes staffing to do things in both environments and that has costs associated with it as well.

Thank you, Mr. Chair, for the question. That is a very good one.

We are using the cloud as a commercial solution. Catherine mentioned the name “hyperscaler”, which offers cloud. When they have been certified and we have approved utilization, they are integrated into our network. The traffic—whether it's a service, program or application in the cloud or running into a data centre—still comes to our network. The monitoring tools that a cybersecurity centre provides, and the enhanced monitoring we have on the Government of Canada networks, still apply to what we call the “workload”—let's call it the “applications”—that runs in the cloud, in the same way it would in the enterprise data centre.

It's why the security requirements, or the assessment done before we approve a hyperscaler to provide these services.... The validation of the guardrails or security control is so important, because it's one more option we have for hosting applications. Catherine explained really well the agility that comes with the cloud, but we have to do it in a safe way. We cannot lose the level of security we have built around the traditional [Inaudible—Editor] just because we are using a new [Inaudible—Editor]. We find a way to integrate that. We are never done with this. The guardrails we have today will continue to evolve and be perfected over time.

However, I think what the Auditor General reminded us about.... Did you know, now, that 200 instances of the cloud are organized and configured in line with these guardrails? Frankly, this raised the alert for us. We put the team on checking this. I was very glad to receive a report, last spring, that we were in a good place, in terms of compliance. The few departments that had challenges were notified and, with the support of the CGCIO, we got them to address it. However, this is an ongoing watch. We always have to make sure nothing is being changed and that the level of security remains there.

It's why automation is important. Human intervention in five instances is one thing. When we are at 200, 400 or 500, it will become almost impossible to have our eyes on everything, all the time. Automation is the way for us to get an alert if a guardrail is being changed by a department user. When I talk about the department, there is a small number of people who can change these. For various reasons, someone may decide to—or by mistake—change one of the configuration elements. We need to be alerted, so we can address that in a timely manner.

This is no different from when we were running data centres, before. It's just a different way to apply these guardrails.

We found deficiencies and have made recommendations to Treasury Board about them.

I'm thinking, for example, about the importance of following up on requirements. That's an example of information that we didn't include in the report, along with other details.

The recommendations that we made to the department were to do the things that are in the policies.

Public Services and Procurement Canada.

This is something we have to do. It was important for us to put a note in our report that we made that recommendation, so that we could...

Yes. This was regarding Public Services and Procurement Canada.

Thank you for the question. In fact it is interesting because while the Auditor General's office was doing their assessment, a lot of work was under way. I walked you through some of the items. We had updated our GC CSEMP, our roles and responsibilities, and our policy guidance around Canadians' information in the cloud. We are kind of arriving at a destination together since we already had work in progress to remediate a lot of the things that were rightfully pointed out in the audit because we had reached a certain critical size and had therefore been doing that reflection ourselves.

Certainly there were things the Auditor General pointed out, but none, in my opinion, that are not well enough along—in terms of the improved guidance we're providing or the improved monitoring that is in place—that would cause us to slow down our progress. I would just note that our progress is very slow when you compare it to that of other organizations I've worked for. We move at a very slow pace. I would consider it a manageable risk.

We're actually just in the process. At the beginning of April all of the departments across government will be sending in their annual plans on service and digital. It would be good for us to check those to make sure they have implemented within their plans some of the guidance we've been providing.

The second thing is for some of the larger programs that are going on. I noted our benefits delivery modernization program. We are working very closely with them as they are building out the system. They have not put data into a production environment in the cloud. I think all of the checks and balances are in place, but certainly, to Sony's point, automating this is very important. When you put humans into the equation to measure whether there's compliance, that's not a sustainable model. We will be doing regular checks with the departments, and we will continue to do the cyber-event management program. We just completed one. We do those on an annual basis. It's my belief that we have enough checks and balances in place, including, when we turn something over into production, a checklist that we go through that allows us to manage that risk.

This is the first one we did that was focused on this area.

Thank you very much for the question.

I'm happy to indicate that we have now made modifications to the terms and conditions, so the supply arrangements used for cloud service providers, as of next week—as we begin the new fiscal year—will be modified to include the new requirements with respect to greenhouse gas emissions. This pertains to the broader set of procurements, but also to cloud procurements.

I'm happy to say this will be in place starting next week, so any new call-ups against those supply arrangements, or any new activity, will be subject to these new greenhouse gas emissions requirements.

It will be for any new call-ups against those contracts—any new activities done by these pre-qualified suppliers that are qualified for these new activities under these existing arrangements. It would require them to comply with these attestations on greenhouse gas emissions.

Thank you for that question, too. It's a good question, because we're actually changing a broader set of procurement instruments.

At the same time, there was an announcement, a couple of months ago, I believe, on broader requirements for procurement. This fits into the requirement for all procurements above $4.5 million to require this attestation, based on recognized standards for tracking greenhouse gas emissions and having a plan in place towards net zero.

On that one, too, I'm happy to report we have standardized contract language. A working group has been established, which is noted in the Auditor General's report. It was established over the course of the audit. We now have, essentially, a single window to work with departments and ensure we have standard language. My colleague Sony Perron's team and mine worked very closely on these new aligned instruments.

I do not know the answer to that, but I will refer back to the committee with a better answer than what I'll give you on the fly, here.

Thank you. It's a good question.

Yes.

Again, it's a wonderful question, but as the chief information officer of Canada, that's not within my purview. I will make sure that I go back to our greening government folks, who will have a very good answer for you on that.

Thank you.

The Government of Canada is migrating systems and information to the cloud for a couple of the reasons I outlined.

One is it gives us speed and agility. We've seen some of the challenges we've had in meeting service levels to Canadians. Our hope is that we create digital environments that are elastic and changeable in a different way from some of our old, more monolithic systems, if I can use that word.

The second thing is that it gives us a platform for a more modern toolset, which is a really important way for us to attract digital talent into government. I've talked often and loudly about the digital talent gap in Canada, but particularly in the Government of Canada. Part of our attracting great talent into the government to work on this mission-critical work that we do is having modern tools for those professionals to use.

Yes. It's the speed of implementing new projects, and also the speed of changing systems. Imagine introducing a new policy or program. Some of the exceptional things that were done throughout COVID were done in ways that were extraordinary. In a normal organization, where you have a good cloud footprint, you're able to stand up and build things in a much quicker fashion than in our traditional environment.

I would also note that there is an advantage to using these large-scale organizations whose full-time day job is running these environments. There are benefits for security, generally keeping things modern and not getting behind that cloud environments provide to us. I think it's a dual purpose.

If any of my colleagues would like to comment...but I think got that okay.

There's a cost-benefit analysis done on every project. Part of that cost-benefit analysis is what type of posting Sony provides, whether it's the cloud or the data centres.

Because we are very much at the beginning of the beginning in the Government of Canada, I would say we were not fully appreciative some of the costs of moving to the cloud, so we found it more difficult to make the move. In some cases, we did not take the opportunity to simplify and reduce the platform of what we moved to the cloud, so that increases your cost. Also, we did not have good visibility on what it costs to operate and run an environment like the cloud, because we relied on the Shared Services group to run all the data centres. It's very difficult to compartmentalize how much it costs to run Stats Canada versus CSE, versus ESDC.

Part of the great opportunity of having done a small component of this is now we have some real-world data. The other cool thing about the cloud is that we can now take environments that are in there and we can simplify and decrease them. As our consumption goes down with a cloud provider, our bill goes down. There are advantages as we start to tune and calibrate that will be reflected in cost savings.

That's fair to say.

There are two scenarios that we would look at, and I'll turn to my colleague from SSC to complement the answer.

One is that we're moving something old into the cloud. Very simply put, that would include the thing the system does and the data that allows the system to do the thing it does. The second thing is that we could be standing up a net new system.

There are two reasons why we would move to the cloud. One is to get out of an old data centre and manage that risk. The second is that we're building something net new, which we did during COVID and will continue to do. It made more sense to do it in the cloud, because we could turn up an environment—which is where you build something—in days versus months.

If I understand your question correctly—please forgive me if I don't, and re-ask it—the benefits of having a digital service experience for Canadians could probably be best exemplified by the fact that we have Canadians who need to apply in a physical, paper format to get their passports renewed, versus having the opportunity to do that in a fully digitized format, which is what we aspire to.

What it allows for is agility and speed for the person receiving the service, and it reduces the amount of paper and number of forms that government employees need to process. There's an environmental side of that, as well, that I think is obvious.

I don't know, Sony, if you want to add to that.

If I can, Mr. Chair, digital is not an option. It's where we host that data, whether it's a data centre that is controlled by the Government of Canada, or it's the cloud, or in between. The reality is, a lot of the work we are going to do going forward will be hybrid. We are going to leverage traditional data centres for some aspects of the business or the process, and we are going to leverage the cloud for some other aspects. All of this needs to be tightly connected.

The business case that is being done at the beginning is about how we optimally leverage the various hosting options. The cloud, as Catherine said, brings that option to scale up. If there is a peak in demand—think about the tax season or the passport season or the demand at the border—these systems can take much more demand if they are in the cloud, because they can ask for more computing. When there is a peak, we pay more, and when there is a lower demand, we pay less.

If it's run in a traditional data centre that I operate, I need to build a farm of servers to be able to be ready to take peak times, so it might not be cost-effective. When we do the business analysis of that, we also have to look at the cycle that some of these programs or services are going through.

This is when we get to figuring out what is the best digital hosting option. Sometimes, it's a bit in the cloud and a bit in a data centre. It really depends on the business and the type of operation. Catherine gave some examples. Each one has its own cycle and its own demands.

That data needs to be hosted somewhere and the application that computes that data needs to be hosted somewhere, so in each case, we're doing a business case.

I think, first of all, there are funding constraints. We are trying to manage the highest risk systems within government first, and those are big, complex systems. We're talking about immigration systems. We're talking about benefits delivery systems. Those aren't things you do quickly. They take time to do, so that's some of the built-in slowness to the system.

I would also say, putting my private sector hat on for a minute, we are highly risk-averse in government. I think part of the conversation in the digital space needs to shift to the risk of not moving a little more quickly and the risk of doing nothing, if I could be so candid as to say that.

There's a pacing element around the complexity of our systems that is normal and appropriate, and then there is a general heaviness of process and heaviness of risk aversion in the digital space that we need to tackle from a cultural perspective.

That's an excellent question. Thank you.

I think there are things happening right now within the government in some of the committees that help manage this that are trying to move out of the way some of the systemic barriers that exist. We have things around skills and around decision-making, so I do feel we're making some progress there. I think from an overall MP perspective and ministerial perspective, it's just to support the fact that Canada is falling behind globally in digital government delivery and we can't continue to operate with the number of humans we have doing the things we have them doing.

I think as we talk about new policies and programs—and this is the advice I give to the minister whom I have the privilege of supporting—we have to ask the questions around digital-first delivery, and that includes having great digital tools for the public servants who work so hard every day to serve Canadians.

Yes, certainly risk assessments were completed. I can confirm that, and my colleague from SSC is also confirming that.

I think we're also learning about the robustness of those risk assessments as we move to the cloud: Should we ask different questions? Should we look for different information? Certainly with respect to some of the findings by the Auditor General around the implementation of the guardrails, the two big lessons we take away have to do with automation and making sure we have put in place a good compliance framework.

Thank you very much for the question.

The risk aversion I'm pointing to is that it is normal for organizations that are moving through modernization to learn lessons, and we are learning some lessons. What I want to avoid is our pulling back and saying we're going to stop because a couple of things weren't done properly. We're learning from those; we're implementing, and we were thoughtful about not doing our big systems first. For example, the old age security, EI and CPP systems will come later and we will have taken the opportunity to learn from some of the smaller systems that we've moved to the cloud.

I would say your question about a whole-of-government shutdown is absolutely something that is constantly on the minds of those on this team when we think about cyber—and Sony said that very well. The cloud still allows us to have all of the protections that the Centre for Cyber Security provides. This is a unique asset we have for the Government of Canada, one that makes me feel very comfortable—a different type of asset from what I had when I worked in the private sector.

So although we have learned some things, the incredible support that we get from the cyber centre is a “compensating control”, if I can say that.

I would like to talk about this for 40 minutes, but I will do it very quickly, because I know we're tight for time.

We have anywhere from a 25% to a 30% vacancy rate in technical jobs in the government. That is relatively consistent, by the way, across Canada. We are seeing particular pinch points in cybersecurity, cloud computing and architecture. There are a few areas in which we are competing with companies all across Canada.

We need to do a better job of lighting up what technology people in this country do for Canadians. No one gets to do what we do. It is my mission to go out and have many more people come in and do a tour of service within government doing digital work. First of all, I think there would be a different understanding of the complexity within government and the things we need to do. I say that with all humbleness, having worked for 30 years in the private sector. I looked across and said, “What's going on in there?” I came into government and said, “Oh, my goodness, this is very complicated.”

I think it would also be great to have people from government go out into the private sector and learn what it's like to have quarterly shareholder meetings and some of the metrics that drive industry and a lot of the innovation in our country. That is a huge issue, not just for the Government of Canada but also for Canada.

I'll make sure, yes.

Some of our findings relate to the central agencies' rules and the oversight, monitoring and implementation support. I think that, if the central agencies are addressing the weaknesses we found, and filling the gaps we found, we should see some better implementation.

We are planning on following up on this report on a faster basis than we would normally do, because of the fact that these are early stages and there's work to be done.

My apologies for taking your line. I think it was me who stole it, today.

Oh, oh!

In terms of accountabilities, I'll say that departments have to be accountable for the information entrusted to them. The roles and responsibilities of the central agencies are relatively straightforward. Treasury Board provides the policy direction. It gets to the point, though—when there's an event, and the roles and responsibilities are not clear—where there might be delays, or there might be something missed along the way...or in monitoring and ongoing supervision. Who's looking at that? If there is no clarity, somebody might not actually do it.

Our point is that everybody should know exactly what they should be responsible for doing, all of the time.

We were pleased to see the time frames that were put in the responses to the recommendations. From our perspective, those are reasonable time frames to take action. Obviously, we are dealing with an ever-evolving and very dynamic field, so there has to be constant vigilance with this.

I don't know if I said that—“constant vigilance”. It was under my breath there.

That is correct. They are reviewed. I have portfolio leads within OCIO who have accountability for groupings of departments so that they're able to review them not just on an individual basis but as they compare with their colleague cohort group.

I believe it's April 6, but it might be April 3.

I'd be happy to do that.

I will let Sony answer that. Just for pure cloud services, we have eight service providers, if I have that number correctly.

I'll let my colleague from SSC answer that.

We do those on a regular basis. Since I have been with the government, we have done two. We just finished the second one, and I'm expecting the report in the next number of weeks. Typically—

With the caveat of “anything that does not expose risk publicly”, yes.

Mr. Chair, it would be a great pleasure to respond to this.

Maybe I can start.

This is a statement that is true in Canada. It's true everywhere in the world. It's just a pure fact that when you are in a digital world, everything is always at risk. We need to start from there. Otherwise, we won't be doing our job.

I think in Canada, for the Government of Canada, we have an infrastructure that can stand a lot. We have the process to handle these situations where there might be something detected through early intelligence but also detected on our system. We have a way to easily contain, address and remediate, but we will never be done. This is what I was saying a bit earlier. I think the point the Auditor General made at the beginning of the report is very important. Everything is at risk, and we need to always validate and enhance our safeguards.

I'm sure Catherine and Rajiv can add to this.

Exactly. I think it's the departure point of all work. If we work with too much security, believing we have everything in place and there will not be risk, we will be surprised pretty quickly, because the threat actors are very creative. This is where the Canadian security establishment and the cybersecurity centre are bringing us the intelligence and the signal for what we need to prepare next all the time.

I would agree. The premise of that comment, I assume from the report, was that we had guardrails in place and these sorts of things, but they really have to be put in place and used to have that real-life implementation and a practical result in terms of protecting the system. It's very important to have those in place. Putting the right security controls in place is very important in moving forward.

I think it's been said, but we're continuing to advance our advice and guidance on how to properly protect against the threats. We are probably the only country—that I know of—that has cloud-based sensors and a security organization monitoring the cloud environment. Though these threats exist in the cloud, they exist on premises as well. That's something that I wanted to point out. It's very important for us to keep that in mind.

Someone was saying, “Who's first?” In fact, it's a team sport here, and sometimes with a team, there isn't a first.

However, there is a primary role for looking forward and identifying what new issues can be—which we have to prepare for, work on and anticipate—and this belongs to the Canadian Centre for Cyber Security. They are looking forward and they are bringing to the operator—which is me, or our organization—the intel. “Here's what you need to do and fix, because we believe this will be a new risk that we didn't contemplate in the past.” It's very important, and the integration with the policy lead in how we deal with this is critical.

We have this in Canada. We are lucky. We need to invest in this all the time, because we have to practise. It's good that we are doing tests, but real life also tests our ability to work together.

Currently, we have a cybersecurity posting that's up right now, and we are incredibly pleased with the number of applicants we've had. The Canadian Centre for Cyber Security is an employer of choice. Lots of tech folks want to work there.

The thing we are struggling with is the ability to onboard people into the system and the security clearance requirements, particularly in the cybersecurity roles. We're looking at efficiencies within the security screening policy, which I also have as part of my portfolio, to see what we can do to remove friction from the system to bring in new public servants, while making sure, particularly in the space of cybersecurity, that we are not creating any risk with those new employees. That's incredibly important.

It depends on the type of services you're going to be getting.

I'm going to put a hypothetical out there. In the cloud context, if you think about an analytics service that might be very high-powered, it uses energy. How is the company that's providing that service dealing with the environmental aspect of the service it provides?

What we're asking for is for information to be provided to the government, so that they can have a clear picture of what they are procuring and whether there are environmentally preferable options. It's basically for them to go in with eyes wide open.

Mr. Chair, that applies only to the establishment of the cloud framework agreement, where we have eight qualified vendors. We had asked initially when they were qualified—among many things we were validating—what their environmental commitment was and if they had a net-zero commitment towards 2050. We have done that. We have that in the books for seven of the vendors that were qualified at the end. What we don't necessarily have is an attestation, and I think we are working on getting that, so that it's not only a case of “I said”, but we also need to be able to demonstrate the results.

Like the team from the Auditor General looked at, not all the workload and not all the applications that we are putting in the cloud are consuming and having the same demand on the infrastructure. We need to be able to compare this if we do it in the cloud versus running this through an enterprise data centre: Do I consume more energy and do I produce more gas emissions? What will be the difference? This is something that without the addition of the clause in the contract we will not be able to do, and this is where we need to go, because otherwise, if you ask me five years from now if we're consuming less or more and producing less or more if it's in a data centre or in the cloud, I would not have the data and, frankly, if we want to advance towards these targets, we need to have it.

We are really at the beginning here. What is in the cloud is really tiny. A lot of departments are using the cloud right now for experimentation, so it's not major computing that is there. Some departments are more advanced than others, but a lot of the work we do in the cloud is really small. This is going to change in the future, and it's why we need to put these controls in place.

Well, Mr. Chair, I cannot really comment on the decision to use these words or not. I would say that you're probably right in your allusion that the potential in the future is more important than what we have done so far and in the past, but if we don't take the steps now....

Changing these clauses and including these means that my team—and Costas was part of that—is engaging with the industry on how we can do this and getting their views about how this could work, because we do not want to invent requirements and clauses that will not work for them, that cannot be built and that cannot be met in the future. There was a fair bit of work in the last few months between us and PSPC to really make sure that those who provide cloud services gave us their views about it: Would this work?

That's why we're really close to being able to release these new practices: because the industry told us that this is the right way to go, that they can comply with these requirements.

Costas, I don't know if you want to add anything.

Okay.

It would have been my predecessor, Mr. Chair, saying that, but that is right.

This is a question that would probably be better addressed by the Canada Revenue Agency.

I have to say that digital enablement is essential. In this day and age, if we want to provide agile services and deal with peak demand, we have to be digital. We have to ride the right infrastructure. Right now, a lot of the infrastructure at the Canada Revenue Agency depends on what we call “mainframe”. This was the best thing you could have, when the cloud did not exist. Now, the cloud can bring the kind of high-computing capacity and high velocity we only had with the mainframe, in the past. The mainframe is a supercomputer running in a data centre.

I think the cloud—if we stick with the theme of the audit, here—provides us with much more opportunity to do this. Sometimes, it's not only with a big program. Think about the Canada Revenue Agency. It probably has the largest programs that depend on technology in the Government of Canada. Now, with the cloud, we can have that kind of velocity for something that is way smaller, as well...and analytical work. There is great potential there.

Are we up to it? Catherine said we have a lot of challenges with talent and multiple priorities in the Government of Canada, but I believe we have done the foundational work. Hopefully, we'll have fewer servers hidden in closets.

What I want to avoid, early on, in the work we are doing on the cloud.... There are cloud instances out there that we, around this table, are not aware of. We need to manage this, as an enterprise, so we don't get into the mess that existed in the past, in terms of how we distributed the data centre and servers everywhere. We have done this cleanup. There is a lot of work still to do. We have to be very organized in the way we leverage the cloud, so we don't create this.... We leverage and build expertise. We are organized. We have common rules, so we don't expose ourselves. If there is an incident somewhere, we know what is out there and how to take back control, so we avoid the damage and consequences of incidents.

It's about being organized at the enterprise level. The players around this table are essential to make this happen.

I think it's a great question.

We don't have a choice. Canadians expect it. In every other part of their day-to-day life, they are engaging digitally with companies all over Canada.

I think—to Sony's point—we're up to the challenge, but we have a very big hill to climb. I think what we're talking about, here, is getting the right foundations in place and not being afraid that we've learned a few things...to push on, but push on in a smarter, better and more organized fashion.

The threat against the Government of Canada has been high for a long time. We always talk about the blocks we're doing, as the Government of Canada. In terms of activity, we say it's four to seven billion blocks per day. Those are a lot of reconnaissance activities and other sorts of threat, but the threats are still there.

We enumerated those international cyber-threat assessments, as well. Really, the sophistication of cybercrime has increased in the past few years. Nation-states are still there. We named China, Russia, Iran and North Korea as the primary countries we're worried about. We still have the sophistication of the state-sponsored threat actors, but we also have the rise of cybercrime in this space as well. That has proven to be very lucrative, I would say, from a ransomware perspective and others. It's really fuelling the threat in that space.

It's very important for us to learn from those threats, which we do on a daily basis. We are the national [Inaudible—Editor], so we see what's happening across Canada, to a certain extent. We also work with our partners to make sure we're taking everything we're learning from those threats and baking it into advice and guidance. We work with our partners, here, to make sure we're putting the best recommendations out, and also building that into our security analytics and the types of defensive solutions we use for the government.

We couple that, of course, with what we've learned from our signals intelligence. CSE is fortunate, in that we have the cyber centre, and also our foreign signals intelligence, which tracks cyber-threat actors around the world and gives us the intel we can use to inform our advice and guidance for Canadians.

Thank you for the question.

As I mentioned earlier, Shared Services Canada and Public Services and Procurement Canada are committed to working with industry to determine how best to require the information necessary to assess the environmental impact of service proposals in future bids for cloud services. The consultations are complete and in a few weeks, in April, the criteria will be incorporated into the contract vehicles we have for competitive bidding.

Mr. Theophilos, do we have any details regarding the criteria that have been added?

Thank you for the question.

Just to answer that directly, the answer is that it's in alignment with Canada's commitment to reduce greenhouse gas emissions and the net zero—

With regard to the accuracy of what they are providing, companies like Google provide their commitments on greenhouse gas emissions for their operations publicly. Seven of the eight providers that we deal with in the cloud space at Shared Services Canada have met or exceeded those targets in a public fashion. We're following up with the eighth.

As far as the second part of the question, the implementation of these contracts will be in early April. So, we are there.

In terms of the clauses that will be added to the contracts and to the calls for tenders, I'm sure Shared Services Canada or Public Services and Procurement Canada will be able to provide that information to the clerk in the next few weeks.

No, I would say that's not correct. It might have been a reference to cloud-based sensors, which is kind of our definition; we made up the term—

Oh, oh!

—so it's probably easy to say. At the same point in time, we haven't seen the analogous type of capability through the partners we work with, so I would caveat it as such.

Basically, one of the guardrails, which is very important, is that as a government entity stands up a cloud tenancy, we have to be baked in from the start to be able to get telemetry. We get log analysis and other sorts of data that help us analyze from the start of the instantiation of this tenancy. Back at CSE we can actually look at this data and detect threats right across the board on an enterprise scale. It gives us a common enterprise monitoring standard for cloud and gives that visibility of the cloud tenancies right from the start.

Often mistakes happen early on, when people don't know how to configure their cloud tenancies right, so being baked in was very important.

I'm sorry. What was the threat that was high...?

Oh, we've seen a high level of threat activity against the Government of Canada. Risk is different from activity. What we have seen on an ongoing basis, for the greater than a decade that I've been doing this job, is that there is a lot of threat activity against the Government of Canada. We are an interesting target for a lot of countries and a lot of cybercriminals. That has always been at a very high level.

You know, we are a prosperous country. We have things that other countries want. We have opportunities for cybercriminals, so I think that is a lot of the motivation. At the same point in time, we want to make ourselves a hard target and bake in the defences we have in order to make sure that cybercriminals don't make money off us and state-sponsored threat actors don't get the information they want.

Continuing to up our defences is probably the best way to do that.

Yes—as we have in the past as well with our cyber-defence services.

Yes. The departments responded to us on our recommendations, and we will be going back in to follow up to make sure that they are addressed. That was one of the reasons we wanted it in the report: so that it was completely transparent and you could ask us whether we have done our job.

Based on the recommendation we made, there was an importance to act immediately. At this point in time, I don't think there was a specific time frame in the response, but we will be looking at whether or not actions have been taken.

It was a monitoring and oversight kind of issue from the central agency perspective.

I'm not in a position to say that. I guess what I would say in response is that the importance of preventing, detecting and acting is one of the points of emphasis from our report. Part of being in a position to be able to do that is making sure that the controls that have been established are being put in place and the monitoring and oversight are being done effectively. That is the posture that needs to be taken.

In terms of a dollar value, from an overall government perspective I think the digital spend that we do is substantial, and the largest issue we have is around delivery against the work that we've committed to do. I would suggest that it is less about spending more money on digital and more about being more focused and prioritized in which digital work needs to go, applying the right resources to it and—

From a cyber centre perspective, budget 2022 did provide a significant amount of money to CSE.

From a cloud perspective, a lot of the monitoring we do is directly proportional to the transition or migration of departments to the cloud. As the departments migrate to the cloud, our needs will potentially grow, but currently we are able to monitor....

Thank you for the question, Mr. Chair. It's very complicated, but I think I will start the answer.

When we close legacy data centres and bring these workloads into an enterprise data centre, yes, there are savings, because the scale and infrastructure in the enterprise data centre give us better reliability and security.

Usually, to make it—

We try to avoid what we call “lift and shift” by taking a workload from a legacy data centre and bringing it to the cloud. There is an element of modernization, and there is a business there. I think, as my colleague explained a bit earlier, the analysis of each case depends on the effort we'll put into the modernization and how we are going to spread.... I think I can provide you with more, if you are interested.

In the last supplementary estimates C, we had savings in PSPC, which funded its transfer back to SSC. That's because we are consuming less space and closing legacy data centres. Thus, there are savings with the consolidation—at least within the infrastructure.

Thank you.

Certainly, we work very closely with our Five Eyes alliance. We have a very good understanding as to what they're all doing.

At the same point in time, as a cyber centre, we work with like-minded allies around the world, as well, and try our best to learn from their best practices, in order to make sure we're up to speed. We'll be growing that into the Indo-Pacific, as well, to build further allies and relationships in those places.

Obviously, we do a lot of information sharing and help each other out. That's very important. I think, from a government perspective, we're fairly well positioned, in terms of how we have built up our ecosystem. We'll continue to learn in the critical infrastructure space as we go forward. It's a bit of [Inaudible—Editor].

At this point, part of the work we're going through is analyzing what that right number is going to be. I can say that 50% will go to the cloud and 50% will stay in data centres, but we have not defined that completely, yet. I think that's a reasonable proxy. Again, not all systems are equal.

There is flexibility in the cloud, where we can stand things up, then roll things down when we don't need them any longer. That's a little different from the traditional data centre. Part of that will be informed by the financial modelling work we're going to do, because we want to make sure we're getting the best value for Canadians.

Yes, very much so. It's not needing to buy, install and keep updating our own equipment. That is the accountability of a cloud service provider. It puts us on a path of ever-fresh modernization, which would be a very good path to be on.

Mr. Chair, to continue on the last question, we have some use cases where we are doing it. There is pathfinder work here around the cloud. There are things we never did that we are doing. We never take a risk with the quality, the security, the privacy—this is always attached—but in terms of the business, we are experimenting to some extent, so it's why starting small is very important, namely, to learn and scale up.

We are working with one of our clients with whom we have a cycle where there is peak time. We are building an infrastructure, and then after a while we have to dismantle it, because it's not needed anymore. We are working with them on what the business will look like next time, because we are going to rely more on the cloud and less on the traditional infrastructure, and we are doing the cost assessment on that.

In the future, we will be able to answer a bit more these kinds of questions about how this would work.

From my perspective, one of the benefits of the cloud is the ability to go fast and to scale up and scale down. It's not the Government of Canada's obligation to decommission.... They installed all of that equipment that has been running there for a year or two. We don't have to buy this. What we are going to pay for is service.

Of course, it's a different model, because we're not going to spend capital; we are going to spend operating...on this. There will be a blip in our spending, but we will not have to invest in the infrastructure and then the installed infrastructure.

There are lots of business cases where this will make sense, but we start at a small scale, learn how it works, find the challenges we have to deal with and adjust. This is the model that paid off. I'm really glad that one of the first pathfinders was the CSE. This is where we learned a lot. This team is highly preoccupied by the security, so it was right to start on the cloud journey with an organization that has so much attention on security, because we needed to learn. We need to feel secure to put anything else in the cloud, so starting with the right use case is very important.

I just have one last comment. I hope today this committee saw a little bit of the team play that's going on within government on this really important file. It does take a community to deliver digital in government. We are behind; we need to accelerate.

We're going to learn from the things that the AG pointed out. Like we said, we're very supportive of that work, and we will continue to learn as we go along this path.

I really hope that if there's nothing else productive that you take away from today's session, you take away the fact that we are working on this as a collective community.

We provide the controls to make sure they could be equivalently secure, but then at the same point in time you have to look at staff and skill set and having the availability, and perhaps some of the scale that cloud providers might have to apply to the problem. It's more of an operational question.

It is a fair assessment.

It goes faster. If I'm asked to put together 25 servers, I will take days, weeks, to procure and install. This could be there tomorrow night if we use a hyperscaler.

Mr. Chair, there are not cost savings in all instances.

There are cost savings if we are taking what Catherine described as a “smart” model or approach, or some type of.... I could use the word “workload”. It's easier to describe, rather than “data application”. There are cost savings, but we need to do the detailed analysis before we go there, because it's difficult to just go in and go out. You cannot change your mind if you build into a data centre. If you want to amortize investment, you need to be there for a while.

If we go in the cloud, we also need to learn not to stay locked in with a vendor, and have that velocity. Catherine was really blunt with the committee before, so I will be on this one. I said to the hyperscaler that these companies have not given us the right price still. Organizing together as an enterprise, being able to procure with this consolidated demand from the Government of Canada, we can get a better price from them; so we are not at the end of measuring savings, because we haven't necessarily had the best price yet.

Thank you very much for that. That is an important point I did want to emphasize if I got the chance.

What we really wanted to get at with the recommendation about the costing model, the funding framework, was really about allowing departments who are onboarding onto the cloud to see, not just the short-term costs, but also the medium and long-term costs, because a big department can absorb additional costs down the road that might be there because of the need to increase skills or tools or oversight, but it's a lot harder for smaller departments. What they have to do sometimes might be to reallocate from other places, and that puts other programs or security at risk.

This a big part of that cost-benefit analysis. If you don't know your short, medium and long-term costs then you don't really have the clear picture. I think we're all on the same page on the importance of that, and this will be something that will help to identify which things should be moving to the cloud and which shouldn't.