Evidence of meeting #56 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Andrew Hayes  Deputy Auditor General, Office of the Auditor General
Rajiv Gupta  Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment
Paul Thompson  Deputy Minister, Department of Public Works and Government Services
Sony Perron  President, Shared Services Canada
Catherine Luelo  Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
Costas Theophilos  Director General, Cloud Product Management and Services, Shared Services Canada

3:30 p.m.

Conservative

The Chair Conservative John Williamson

I call this meeting to order.

Good afternoon, everyone. Welcome to the 56th meeting of the Standing Committee on Public Accounts of the House of Commons.

Pursuant to Standing Order 108(3)(g), the committee is meeting today to study Report 7, Cybersecurity of Personal Information in the Cloud, of the 2022 Reports 5 to 8 of the Auditor General of Canada.

I'd like to welcome our witnesses.

From the Office of the Auditor General, we have Andrew Hayes, deputy auditor general. It's good to see you.

We also have Jean Goulet, principal, and Gabriel Lombardi, principal. Thank you all for joining us.

From the Communications Security Establishment, we have Rajiv Gupta, associate head of the Canadian Centre for Cyber Security. Good day.

From the Department of Public Works and Government Services, we have Paul Thompson, deputy minister, by video conference, and Catherine Poulin, assistant deputy minister of the departmental oversight branch.

From Shared Services Canada, we have Sony Perron, president, and Costas Theophilos, director general of cloud product management and services.

From the Treasury Board Secretariat, we have Catherine Luelo, deputy minister and chief information officer of Canada.

There will be several opening statements.

Mr. Hayes, you have the floor for the first five minutes. It's over to you, please.

3:30 p.m.

Andrew Hayes Deputy Auditor General, Office of the Auditor General

Thank you very much, Mr. Chair. We appreciate this opportunity to discuss our report on cybersecurity of personal information in the cloud, which was tabled in the House of Commons on November 15, 2022.

I would like to acknowledge that this hearing is taking place on the traditional unceded territory of the Algonquin Anishinabe people. Joining me are Jean Goulet and Gabriel Lombardi, who led this audit.

Federal departments are increasingly moving software applications and databases into the cloud, including some that handle or store Canadians' personal information. Information stored digitally, whether on premises, in data centres or in the cloud, is exposed to the risk of being compromised.

In this audit, we wanted to know whether the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, Communications Security Establishment Canada and selected departments had controls in place to prevent, detect and respond to security threats to Canadians' personal information in the cloud.

Overall we found that the departments we audited did not always implement and follow the controls the government has set out to protect information that is stored and transmitted using the cloud. These controls include, as examples, encryption and network security requirements. We also found that security requirements and the corresponding roles and responsibilities were not always clear. As a result, they were not consistently implemented. This leaves cloud-based information vulnerable to cyber-attacks, which are increasingly frequent and sophisticated.

In addition, we found that 4 years after the Treasury Board of Canada Secretariat first directed federal departments to consider moving information to the cloud, it still had not provided a long-term funding plan for cloud adoption. It also had not provided a way for departments to calculate the cost of moving to cloud applications and operating in the cloud environment.

Without a funding plan and costing tools, it is difficult for government departments to ensure that they have the people, resources, and expertise they need to secure cloud-based information and respond to threats. Having these would strengthen Canada’s cyber-defence capabilities both within individual departments and government-wide.

Finally, we found that Public Services and Procurement Canada and Shared Services Canada did not require cloud service providers to demonstrate their environmental performance or to explain how their services would reduce Canada’s greenhouse gas emissions. This is important because Canada has set a goal of net-zero emissions by 2050 and committed to including criteria aimed at reducing greenhouse gas emissions in the government’s procurement for goods and services. To date, this has not been done for procuring cloud services.

The government needs to act now, while departments are in the early stages of transitioning to the cloud. It needs to ensure that funding is available and that key security controls to prevent, detect, and respond to cyber-attacks are strengthened. This includes clarifying shared roles and responsibilities for cybersecurity so that the departments involved, central agencies, and cloud service providers know exactly what they should be doing.

This concludes my opening remarks. We will be pleased to answer any questions the committee may have.

Thank you.

3:35 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much, Mr. Hayes.

Next, we'll go to the Communications Security Establishment.

You have the floor for five minutes please.

3:35 p.m.

Rajiv Gupta Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Hello. Thank you, Mr. Chair, and members of the committee, for the invitation to appear for the study of the Auditor General of Canada's report to Parliament on “Cybersecurity of Personal Information in the Cloud”.

My name is Rajiv Gupta, and my pronouns are he and his. I'm the associate head of the Canadian Centre for Cyber Security at the Communications Security Establishment, also known as the cyber centre.

The Cyber Centre is Canada’s technical authority for cybersecurity, safeguarding Canada with our advanced cybersecurity capabilities and providing a unified source of expert advice and support on cybersecurity operational matters.

I'm happy to be joined by my colleagues from Treasury Board Secretariat, Shared Services Canada and Public Services and Procurement Canada, with whom we work closely on cybersecurity matters.

As part of the cyber centre's operational role, we share cyber-alerts and threat assessments across the Government of Canada to ensure that our information systems remain secure, responsive and well defended. As part of our education role, we work to increase cybersecurity awareness across the government through initiatives like the learning hub.

The Learning Hub is based at the Cyber Centre and provides training to improve the cybersecurity of Canada’s government and critical infrastructure organizations.

During the 2021-22 fiscal year, the learning hub renewed its collaboration with the Canada School of Public Service, CSPS, to provide a standardized cybersecurity curriculum for all—

March 30th, 2023 / 3:35 p.m.

Liberal

Maninder Sidhu Liberal Brampton East, ON

I have a point of order, Mr. Chair. I'm not hearing the translation.

3:35 p.m.

Conservative

The Chair Conservative John Williamson

I'm sorry, you're not hearing the translation?

I'll just check with the clerk. One second, please.

Mr. Gupta, I'll give you a little time here. Maybe you could back up a paragraph, and slow down just a little, please. Sometimes the interpreters can't keep up. That could be the problem.

Are you hearing the translation from me now? Yes, okay.

We will go over to you, sir. Thank you.

3:35 p.m.

Associate Head, Canadian Centre for Cyber Security, Communications Security Establishment

Rajiv Gupta

Thank you very much.

As mentioned earlier, the Learning Hub is based at the Cyber Centre and provides training to improve the cybersecurity of Canada’s government and critical infrastructure organizations.

During the 2021-22 fiscal year, the learning hub renewed its collaboration with the Canada School of Public Service to provide a standardized cybersecurity curriculum for all federal public servants. The learning hub and CSPS co-developed an e-learning course to introduce public servants from non-technical backgrounds to the basics of cloud computing. This is a priority topic for the public service as departments continue to migrate their IT infrastructure to the cloud.

Government of Canada organizations are increasingly leveraging cloud computing, which has the potential to deliver agile, flexible and cost-effective IT services. As noted in our 2021-22 annual report, CSE continues to function as a pathfinder for the GC in migrating to the cloud.

Indeed, CSE was an early adopter of cloud technology, and we ensured that we were the initial adopters of our own internal advice and guidance.

We were the first department to securely implement several commercial cloud applications, securing them with our cloud-based sensors. We demonstrated leadership by sharing the lessons learned and the relevant advice and guidance with other departments.

As I mentioned earlier, the cyber centre is the operational lead for protecting the GC from cyber-threats such as ransomware and cyber-espionage.

We work with federal partners to defend the government’s networks and the sensitive information of federal institutions.

While there is no such thing as zero risk when it comes to cyber-threats, we are ensuring that the highest levels of protection are in place. The cyber centre uses autonomous sensors to detect malicious cyber-activity on government networks, systems and cloud infrastructure. We use three types of sensors: network-based sensors, cloud-based sensors, and host-based sensors.

These sensors allow the cyber centre to deter cyber-threats happening in real time. Our classified knowledge of threat-actor behaviour allows us to defend against and block these threats.

We work with our federal partners to ensure that the appropriate safeguards have been applied to ensure the security and the privacy of their information that is hosted in the cloud. As cloud environments continue to evolve, we are making sure that we continue to evolve our tools to ensure that the government's systems are well defended and secure.

I would like to thank the Office of the Auditor General of Canada for their report and the committee for bringing us together to discuss this important topic.

Although none of these recommendations outlined in the report is specific to CSE, we welcome them. CSE and the cyber centre take information security very seriously, and this includes the government's data in the cloud. We will continue to collaborate with our federal partners to move forward on these recommendations.

Members of the committee, I can assure you that CSE will continue to work with partners to bolster Canada's cybersecurity, while at the same time ensuring that the necessary protections are in place to respect Canadians' privacy.

Thank you for the opportunity to contribute to this important study, and I'm looking forward to answering any additional questions you may have.

3:40 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much.

We turn now to the Department of Public Works and Government Services. I believe that's you, Mr. Thompson.

It's over to you, for five minutes.

3:40 p.m.

Paul Thompson Deputy Minister, Department of Public Works and Government Services

Thank you very much, Mr. Chair.

I'm pleased to be here with you and members of the committee to discuss how Public Services and Procurement Canada is responding to the audit of “Cybersecurity of Personal Information in the Cloud”.

With me today is Catherine Poulin, assistant deputy minister of our Departmental Oversight Branch.

As the Government of Canada’s purchaser of goods and services, my department is committed to ensuring that our procurement processes meet the needs of our client departments and agencies.

We appreciate the importance of cybersecurity in all facets of the Government of Canada's work. The government continues to invest in enhancing cybersecurity capabilities. For example, in budget 2023 there is a proposed $25 million for PSPC to work with National Defence and others to establish a cybersecurity certification program for defence procurements in order to further protect Canada's defence supply chain.

Looking beyond Canada's defence supply chain, we know that the use of cloud computing for software applications and databases has the potential to not only improve how we and federal organizations provide services, but also to reduce the cost and maintenance of physical services and applications.

As the government continues its strategy of using cloud computing, it is clear that departments involved will need to work more closely together to manage the security risks in the cloud.

With cybersecurity threats and attacks continuing to increase in frequency and severity, my department welcomed the results of the audit of the protection of personal information in cloud computing.

For its part, PSPC plays a supporting role in two key areas.

First, as central purchaser for the Government of Canada, PSPC procures cloud services on behalf of departments and agencies, and has established a supply arrangement with pre-qualified cloud service providers to help streamline the process. PSPC is also responsible for assessing the physical security controls of cloud service providers and their personnel.

In cases where departments procure cloud services directly through our supply arrangement, or through other procurements, we are committed to providing advice and guidance to those departments to help ensure that cloud guardrails are implemented to prevent cybersecurity breaches.

Mr. Chair, while the security of information is an important Government of Canada priority, we at PSPC are also strongly committed to doing our part on another priority, which is promoting environmental responsibility and sustainable development.

The Auditor General's report rightly pointed out that our contracting processes did not require potential cloud service providers to demonstrate their environmental performance or ask them to explain how their services would reduce Canada's greenhouse gas emissions. In addition, even when providers offered that information, there has been no mechanism in place to confirm it was accurate.

The report recommended that PSPC, in conjunction with Shared Services Canada, include environmental criteria when procuring cloud services. Doing so will help contribute to supporting sustainability and help Canada achieve its net-zero carbon emission goals.

Our departments agree with that recommendation and we have committed to taking action by working with our colleagues from Shared Services Canada to address that. This includes requiring suppliers to provide information on their commitments to achieve net-zero emissions, developing clauses in cloud computing service contracts to include GHG reduction targets, and revising the standard contracts for the procurement of cloud services and for requests for proposals.

We are also working on incorporating environmental criteria into our existing cloud procurement vehicles.

To conclude, Mr. Chair, I would like to express my thanks to the Auditor General for her report. I believe her recommendations will help guide improvements in our practices around cloud computing services.

Through continued collaboration with our partners, Public Services and Procurement Canada will be better positioned to meet our climate change obligations and ensure the security of the information of Canadians.

Thank you for your attention. I look forward to your questions.

3:45 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much, Mr. Thompson.

Next is Mr. Perron from Shared Services Canada. You have the floor for five minutes, please.

3:45 p.m.

Sony Perron President, Shared Services Canada

Thank you, Mr. Chair and members of the committee, for your invitation.

I am pleased to be here today, accompanied by Costas Theophilos, director general of Cloud Product Management and Services, to address any questions the committee may have with respect to the Auditor General of Canada's audit and Shared Services Canada's progress on addressing the recommendations.

Consistent with its commitment to provide modern and secure IT infrastructure, SSC is continuously modernizing the Government of Canada's IT infrastructure. In this effort, SSC has taken an enterprise approach, which means we continue to consolidate, standardize and modernize networks and systems across government.

It is essential that we keep pace with ever-changing technology and increased cyber-threat activity. As such, over the past few years, we have significantly adopted digital solutions, including leveraging the cloud environment. It is essential that we keep pace with these changes.

Cloud adoption is a shared responsibility across the Government of Canada. Shared Services provides controlled and secure access to the cloud environment at the enterprise scale. Precisely, SSC enables cloud adoption by departments and agencies by providing access to critical building blocks, such as supply, secure cloud-to-ground network connectivity, and guidance and expertise.

In that vein, SSC works with departments to migrate their data and applications from aging data centres to modern infrastructures, such as the cloud and enterprise data centres. This accelerates the modernization of applications in an agile, secure and cost-effective way.

Protecting the information of Canadians is a top priority for SSC. This is why a common approach across departments and agencies is important. We are still in the early stages of cloud adoption; therefore, enhancement and maturing of the processes and the protocols are expected.

While there is no such thing as zero risk when it comes to cyber-threats, we are ensuring that the highest levels of protection are in place. It is important to note that all information is stored in Canada, and the most sensitive information is stored in data centres owned by the Government of Canada.

We welcome the report and recommendations of the Auditor General. This audit is helping to strengthen the operating framework for cloud services. This is particularly important at a time when reliance on the cloud environment is increasing.

SSC has a role in four of the five recommendations included in the audit.

For recommendation one, SSC is working closely with the Treasury Board Secretariat to strengthen guardrail validation and enforcement and to ensure coordination with departments. Cloud guardrails set the minimum security requirements that departments need for the configuration and the operations of their cloud environment. This includes how data is managed and where it is stored. SSC has begun the automation of the guardrails to assess compliance in real time. This will be tested with pilot departments beginning in fall 2023.

On the second recommendation, the Government of Canada set a minimum security requirement for securing cloud-based information. SSC is working with departments to validate any outstanding cloud security controls.

On the third recommendation, to address the issue of cloud funding models, SSC is working with TBS to review the way forward as it relates to cloud costing and recovery. It is expected that the proposed cost model will be available in the near future.

And on the fourth recommendation, SSC and Public Services and Procurement Canada will soon release a standard template for cloud contracts that includes sustainability terms for cloud providers.

In fact, SSC has started to include environmental criteria in competitive solicitations under the Cloud Framework Agreement. For example, some processes now include rated criteria, encouraging suppliers to set targets to reduce their greenhouse gas emissions.

Going forward, SSC will include rated environmental criteria in all new competitive solicitations under the Government of Canada Cloud Framework Agreement.

Mr. Chair and committee members, SSC works continuously to manage cloud security risks and to enhance cybersecurity so that Canadians’ data and privacy are safeguarded.

Thank you. We will be pleased to take your questions.

3:50 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much.

Finally, from the Treasury Board, we have Ms. Luelo.

You have the floor for five minutes, please.

3:50 p.m.

Catherine Luelo Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat

Thank you, Mr. Chair, and members of the committee. This is my first time appearing at this committee. I've met some of you, but for the others, I'm pleased to be here today.

I've been 21 months in government, having spent about 30 years in the private sector before that, so I'm still in my “firsts” as I go through all of these different exercises.

As chief information officer of Canada, I provide overall leadership for the management of information technology, information management and service and digital transformation within the Government of Canada. As you see me sitting here with my colleagues today, we could have another 100 people here with all of the departments. It's a team sport to modernize digital infrastructure in government, and certainly cybersecurity is as well.

We have legislation that we manage out of my department, including access to information and open government, and we have oversight for all of the major technology programs. We have accountability for the GC cybersecurity event management plan—that's a mouthful—GC CSEMP for short.

When it comes to the protection of Canadians' personal information, we set out policies, set cybersecurity requirements, and execute decisions on the management of cybersecurity risks on behalf of the government. This is through the policy on government security, the policy on service and digital and a number of different mechanisms that sit underneath that, such as the digital standards.

I have a couple of key messages in response to the AG's report. We welcome this report, and as noted by the auditor, we're at the baby steps. We are at the beginning of the beginning. This is a beautiful time for us to be getting these findings and have an opportunity to improve. In my experience in prior organizations, a strong audit function really helps technology organizations be better, and I look forward to continued work with the Auditor General on this and other files.

As I noted, we're at the very beginning of the modernization of our technology environment. Only 35% of the systems in the Government of Canada are in a healthy state, and the cloud is a key to modernizing those systems. Cloud migration is one lever—and of note, private and public organizations all around the globe are dealing with this. I worked for several large Canadian companies, and some of the things that we've noticed here are things that we ran into in that environment.

The Government of Canada takes the protection of Canadians' information very seriously, and as Sony noted, not all services will be in the cloud. That is not our plan. We are going to have the cloud, and we are going to have enterprise data centres, and that is partially from a financial perspective and partially from a utility perspective. Cloud guardrails, a standard set of controls, are going to evolve over time. The threat landscape changes. The environment technically changes, so we'll be tuned to that. We will continue to strengthen oversight and compliance mechanisms for cloud use across government to make sure there's very clear guidance and compliance.

Since the Auditor General's report, I want to talk about a couple of areas of progress. We have updated our cloud roles and responsibilities document, and a corresponding matrix, and published it internally, so that our team members have access to that. In November 2022, we updated the Government of Canada cybersecurity event management plan. This is the plan that we put in place to respond to enterprise government cybersecurity incidents. This was first published in 2015, and we continue to test, review and tune that plan. That's normal practice with any type of a cybersecurity plan. In fact, about four weeks ago, we completed an “on guard”, which is a simulation that we run across government. It included a cloud component as part of that review, so we are starting to test our response to cyber incidents in the cloud.

In January, we also published an updated cloud strategy that had been in the works for several months. We've changed the language from “cloud first” to “cloud smart”, and that really identifies the fact that we are not always just going to go to the cloud, but are going to balance the decision-making on a number of factors, including financial.... Cloud first was exactly the right strategy for the government to move forward. We needed to start directing people into new technology, so it got the ship moving in the right direction, for lack of a better way of saying it. We have about 800 of our applications in the cloud. That's still a very small percentage of overall systems that we have across government.

Of note, in January, I issued guidance out of my office on the classification of personal information in the cloud and, in coordination with many of the people around this table, came to a decision that we are going to designate some high-value assets—personal information being an example—and some systems that would have an additional set of controls put in place to protect them even further. Our benefits delivery modernization program, which houses a lot of Canadians' data, is a good example of where we'll be deploying on that.

Finally, on continued development of a cloud costing model—and Sony talked about that already—we're looking to have that ready for publication in summer or fall. We've done a lot of work on that already. That is going to help departments make informed decisions about moving to the cloud, and not just the cost of moving to the cloud but the cost of operating in cloud. Both of those things are very helpful to understand. That will fulfill our responsibilities as it relates to recommendation 4.

In closing, our ultimate goal is to provide Canadians, Canadian businesses and all service users with the high-quality and efficient service that they expect in a digital age. Cloud is going to be a part of that. We will be regularly managing our progress on achieving this ambition, and cloud is an important part of that plan.

Once again, Mr. Chair, thank you for your invitation to speak to you today. I welcome any questions you may have.

3:55 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much.

I'm just going to say a couple of words at the top.

This I think is one of the most important reports and work that government can do, because we're not just dealing with dollars and cents or policies that members and civil servants deal with all the time. We're in fact potentially dealing with the identity of Canadians, which is in some cases invaluable. I appreciate the work that you do here today. I hope the Auditor General's office will continue to prioritize this review to ensure we always have standards that keep the identity and information of Canadians safe.

I'm going to ask two quick questions, just to help other members.

Mr. Hayes, I know that there is at least one recommendation that is not public. Is there just one or is there more than one recommendation that you felt was important not to make public in this report today?

3:55 p.m.

Deputy Auditor General, Office of the Auditor General

Andrew Hayes

Thank you.

There was just one recommendation.

3:55 p.m.

Conservative

The Chair Conservative John Williamson

Thank you.

This is a general question, but I think I'm going to direct it to you, Mr. Perron, because I think you might know the answer. Is it the law currently in Canada that Government of Canada information has to be held within Canada?

3:55 p.m.

President, Shared Services Canada

3:55 p.m.

Conservative

The Chair Conservative John Williamson

It is the law?

3:55 p.m.

President, Shared Services Canada

Sony Perron

It is the policy. I don't think it's a law. It's a policy that in fact falls under Catherine's authority.

3:55 p.m.

Conservative

The Chair Conservative John Williamson

Thank you. I'm sure there will be questions. I just wanted to set the table for that, because there was some discussion about it.

Ms. Kusie, you have the floor for six minutes, please.

3:55 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Thank you very much, Mr. Chair.

I thank the witnesses for being with us today.

Monsieur Perron, on the proposed costing model that you indicated will be available this spring of 2023, would you be able to table it with the committee when it becomes available, please?

4 p.m.

President, Shared Services Canada

Sony Perron

Thank you, Mr. Chair, for the question.

This is a product that we are working on with multiple departments. We're under the leadership of the Treasury Board Secretariat. There is nothing to hide. It's something that we'll share with the departments because it's a tool, so I assume that we will be able to share it with this committee when the product is ready for distribution.

Catherine may want to add to this.

4 p.m.

Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

That would be something we'd be happy to share.

4 p.m.

Conservative

Stephanie Kusie Conservative Calgary Midnapore, AB

Thank you so much.

Will the results of these tests with pilot departments occurring in the fall of 2023 be available to be reviewed by parliamentarians and in particular by members of this committee, please?

4 p.m.

President, Shared Services Canada

Sony Perron

Mr. Chair, I think the member of Parliament is referring here to the automation of guardrails verification. We'll have to find a way to share that with you. What it is, basically, is that right now there are 12 guardrails. My team, following the wise advice from the Auditor General, has taken to checking not only once at the beginning but on an ongoing basis that these guardrails are maintained. It will be more a monitoring than a one-time exercise.

We are monitoring compliance of each department right now. It's just that it's not automated. It's people who belong to Costas' team who basically undertake the manual work to regularly verify around 200 instances of cloud to make sure the departments, when using this, follow the standard. Often it is only enabling a function, but if they move them, the switch to the left, this is not working anymore, so we need to make sure they maintain that, because all of this is protecting the system.

My answer is that we can come back to this committee or share with the clerk the results of our review, for sure.