Evidence of meeting #56 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was departments.
A video is available from Parliament.
5:20 p.m.
Conservative
The Chair Conservative John Williamson
Thank you very much.
Mr. Sidhu, you have the last five-minute round. The floor is yours, sir.
5:20 p.m.
Liberal
Maninder Sidhu Liberal Brampton East, ON
Thank you, Mr. Chair.
Thanks to the witnesses for being with us here, today.
I know cybersecurity is something our government is very seized with. Many different departments and ministers are involved.
Mr. Gupta, you mentioned we need to continue to invest in cybersecurity. Cybersecurity is included in our recently announced $2.3-billion Indo-Pacific strategy. I'm not sure whether you're able to shed a little more light...in terms of allies or friendlies that are doing a good job and from which we can learn best practices.
Are there countries we can look to, when we talk about cybersecurity?
5:20 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Certainly, we work very closely with our Five Eyes alliance. We have a very good understanding as to what they're all doing.
At the same point in time, as a cyber centre, we work with like-minded allies around the world, as well, and try our best to learn from their best practices, in order to make sure we're up to speed. We'll be growing that into the Indo-Pacific, as well, to build further allies and relationships in those places.
5:20 p.m.
Liberal
Maninder Sidhu Liberal Brampton East, ON
Wonderful.
Is there something that stands out to you that the U.S., Australia, the U.K. or one of these countries is doing, perhaps, which you think we can bring to Canada?
5:20 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Obviously, we do a lot of information sharing and help each other out. That's very important. I think, from a government perspective, we're fairly well positioned, in terms of how we have built up our ecosystem. We'll continue to learn in the critical infrastructure space as we go forward. It's a bit of [Inaudible—Editor].
5:20 p.m.
Liberal
Maninder Sidhu Liberal Brampton East, ON
Thank you.
Ms. Luelo, you mentioned there are roughly 800 services under cloud management at this time. You said that's a very small fraction. How many programs are there that need to be brought in?
5:20 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
At this point, part of the work we're going through is analyzing what that right number is going to be. I can say that 50% will go to the cloud and 50% will stay in data centres, but we have not defined that completely, yet. I think that's a reasonable proxy. Again, not all systems are equal.
There is flexibility in the cloud, where we can stand things up, then roll things down when we don't need them any longer. That's a little different from the traditional data centre. Part of that will be informed by the financial modelling work we're going to do, because we want to make sure we're getting the best value for Canadians.
5:20 p.m.
Liberal
Maninder Sidhu Liberal Brampton East, ON
Thank you for that.
In terms of cost efficiencies, I know that, when we're looking at a server room, the equipment ages and there's more maintenance. I'm guessing that's one of the reasons why we're looking at the cloud for longevity and savings.
Is that your approach?
5:20 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
Yes, very much so. It's not needing to buy, install and keep updating our own equipment. That is the accountability of a cloud service provider. It puts us on a path of ever-fresh modernization, which would be a very good path to be on.
5:20 p.m.
Liberal
Maninder Sidhu Liberal Brampton East, ON
Okay. I'll give our witnesses here some time, since this is the last round.
Minister, you got cut off. Is there something you want to highlight before we end today?
5:20 p.m.
President, Shared Services Canada
Mr. Chair, to continue on the last question, we have some use cases where we are doing it. There is pathfinder work here around the cloud. There are things we never did that we are doing. We never take a risk with the quality, the security, the privacy—this is always attached—but in terms of the business, we are experimenting to some extent, so it's why starting small is very important, namely, to learn and scale up.
We are working with one of our clients with whom we have a cycle where there is peak time. We are building an infrastructure, and then after a while we have to dismantle it, because it's not needed anymore. We are working with them on what the business will look like next time, because we are going to rely more on the cloud and less on the traditional infrastructure, and we are doing the cost assessment on that.
In the future, we will be able to answer a bit more these kinds of questions about how this would work.
From my perspective, one of the benefits of the cloud is the ability to go fast and to scale up and scale down. It's not the Government of Canada's obligation to decommission.... They installed all of that equipment that has been running there for a year or two. We don't have to buy this. What we are going to pay for is service.
Of course, it's a different model, because we're not going to spend capital; we are going to spend operating...on this. There will be a blip in our spending, but we will not have to invest in the infrastructure and then the installed infrastructure.
There are lots of business cases where this will make sense, but we start at a small scale, learn how it works, find the challenges we have to deal with and adjust. This is the model that paid off. I'm really glad that one of the first pathfinders was the CSE. This is where we learned a lot. This team is highly preoccupied by the security, so it was right to start on the cloud journey with an organization that has so much attention on security, because we needed to learn. We need to feel secure to put anything else in the cloud, so starting with the right use case is very important.
March 30th, 2023 / 5:25 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
I just have one last comment. I hope today this committee saw a little bit of the team play that's going on within government on this really important file. It does take a community to deliver digital in government. We are behind; we need to accelerate.
We're going to learn from the things that the AG pointed out. Like we said, we're very supportive of that work, and we will continue to learn as we go along this path.
I really hope that if there's nothing else productive that you take away from today's session, you take away the fact that we are working on this as a collective community.
5:25 p.m.
Conservative
The Chair Conservative John Williamson
Thank you very much.
I just have a couple of brief questions.
Mr. Gupta, I'm not looking for a long explanation. Are data centres more secure than clouds generally?
5:25 p.m.
Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
We provide the controls to make sure they could be equivalently secure, but then at the same point in time you have to look at staff and skill set and having the availability, and perhaps some of the scale that cloud providers might have to apply to the problem. It's more of an operational question.
5:25 p.m.
Conservative
The Chair Conservative John Williamson
Okay, so you're saying they can be made equivalent.
Mr. Perron, I get the impression that you're partial to the cloud because there are efficiencies. You can scale up, you can scale down, and you pay for what you use. Is that a fair assessment?
5:25 p.m.
President, Shared Services Canada
It is a fair assessment.
It goes faster. If I'm asked to put together 25 servers, I will take days, weeks, to procure and install. This could be there tomorrow night if we use a hyperscaler.
5:25 p.m.
Conservative
The Chair Conservative John Williamson
You believe that there are cost savings. Is that correct? I don't want to put words in your mouth.
5:25 p.m.
President, Shared Services Canada
Mr. Chair, there are not cost savings in all instances.
There are cost savings if we are taking what Catherine described as a “smart” model or approach, or some type of.... I could use the word “workload”. It's easier to describe, rather than “data application”. There are cost savings, but we need to do the detailed analysis before we go there, because it's difficult to just go in and go out. You cannot change your mind if you build into a data centre. If you want to amortize investment, you need to be there for a while.
If we go in the cloud, we also need to learn not to stay locked in with a vendor, and have that velocity. Catherine was really blunt with the committee before, so I will be on this one. I said to the hyperscaler that these companies have not given us the right price still. Organizing together as an enterprise, being able to procure with this consolidated demand from the Government of Canada, we can get a better price from them; so we are not at the end of measuring savings, because we haven't necessarily had the best price yet.
5:25 p.m.
Conservative
The Chair Conservative John Williamson
Thank you.
My last question goes to Mr. Hayes.
The report seems to suggest to me that, in fact, the budgeting has not been adequate. I'm going to give you the last remark on that, just to flesh that out a little bit, because you didn't get lots of questions on that. I'm curious to hear it, because it sounds like a big enterprise with so many different departments working together.
5:25 p.m.
Deputy Auditor General, Office of the Auditor General
Thank you very much for that. That is an important point I did want to emphasize if I got the chance.
What we really wanted to get at with the recommendation about the costing model, the funding framework, was really about allowing departments who are onboarding onto the cloud to see, not just the short-term costs, but also the medium and long-term costs, because a big department can absorb additional costs down the road that might be there because of the need to increase skills or tools or oversight, but it's a lot harder for smaller departments. What they have to do sometimes might be to reallocate from other places, and that puts other programs or security at risk.
This a big part of that cost-benefit analysis. If you don't know your short, medium and long-term costs then you don't really have the clear picture. I think we're all on the same page on the importance of that, and this will be something that will help to identify which things should be moving to the cloud and which shouldn't.
5:30 p.m.
Conservative
The Chair Conservative John Williamson
Thank you very much.
I'll now excuse all of the witnesses. I appreciate your coming today.
The meeting is adjourned.