Evidence of meeting #56 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was departments.
A video is available from Parliament.
4:45 p.m.
Deputy Auditor General, Office of the Auditor General
My apologies for taking your line. I think it was me who stole it, today.
4:45 p.m.
Voices
Oh, oh!
4:45 p.m.
Deputy Auditor General, Office of the Auditor General
In terms of accountabilities, I'll say that departments have to be accountable for the information entrusted to them. The roles and responsibilities of the central agencies are relatively straightforward. Treasury Board provides the policy direction. It gets to the point, though—when there's an event, and the roles and responsibilities are not clear—where there might be delays, or there might be something missed along the way...or in monitoring and ongoing supervision. Who's looking at that? If there is no clarity, somebody might not actually do it.
Our point is that everybody should know exactly what they should be responsible for doing, all of the time.
4:45 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Okay.
In the next paragraph down, paragraph 7.17, you state that the government must take “immediate action”. What is immediate with respect to this report? We've seen other reports where nine years down the road we're still waiting for it. What is “immediate”? Is it one month, one year, six months...?
4:45 p.m.
Deputy Auditor General, Office of the Auditor General
We were pleased to see the time frames that were put in the responses to the recommendations. From our perspective, those are reasonable time frames to take action. Obviously, we are dealing with an ever-evolving and very dynamic field, so there has to be constant vigilance with this.
I don't know if I said that—“constant vigilance”. It was under my breath there.
4:45 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Thanks. I wasn't going to use that term, so you can have that one.
Ms. Luelo, thanks for your comments. Your direct nature today is very much appreciated. You mentioned that departments are delivering plans to you in April. Who's deciding whether those plans are acceptable? Is it you? Do they then go back to the minister or the deputy minister to say, “This is not good; resubmit”?
4:45 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
That is correct. They are reviewed. I have portfolio leads within OCIO who have accountability for groupings of departments so that they're able to review them not just on an individual basis but as they compare with their colleague cohort group.
4:45 p.m.
Conservative
4:45 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
I believe it's April 6, but it might be April 3.
4:45 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Would you be able to provide to the committee, when they show up, which departments have met the acceptable level?
4:45 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
I'd be happy to do that.
4:45 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Wonderful.
Ms. Luelo or Mr. Perron, who are the companies we're using for hosting cloud?
4:50 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
I will let Sony answer that. Just for pure cloud services, we have eight service providers, if I have that number correctly.
I'll let my colleague from SSC answer that.
4:50 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Maybe you can just submit that to us, Mr. Perron, because I want to ask one last question.
With regard to the “on guard” tests you talked about, do you have the results or the conclusions from those tests?
4:50 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
We do those on a regular basis. Since I have been with the government, we have done two. We just finished the second one, and I'm expecting the report in the next number of weeks. Typically—
4:50 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
Is that something you could share with the department, maybe not the exact reports but perhaps—
4:50 p.m.
Deputy Minister, Chief Information Officer of Canada, Treasury Board Secretariat
With the caveat of “anything that does not expose risk publicly”, yes.
4:50 p.m.
Conservative
The Chair Conservative John Williamson
Thank you.
Mr. Perron, are you agreeable to...? Mr. McCauley asked for a document or a response. I don't know if you caught it.
4:50 p.m.
Conservative
Kelly McCauley Conservative Edmonton West, AB
I'm just looking for the name of the companies. I can get it from the public accounts, if you haven't got it.
4:50 p.m.
President, Shared Services Canada
Mr. Chair, it would be a great pleasure to respond to this.
4:50 p.m.
Conservative
The Chair Conservative John Williamson
I appreciate it. I just wanted to get acknowledgement of that.
We turn now to Mr. Fragiskatos.
You have the floor for five minutes.
March 30th, 2023 / 4:50 p.m.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Thank you very much, Chair.
Thank you to everyone for being here.
I want to look at the issue from a big-picture perspective, if I can put it that way. In looking at the report, one of the key findings, obviously, is this: “Information stored digitally, whether on‑premises in data centres or in the cloud, is exposed to risks of being compromised.”
I understand the importance of getting into the technical details and the minutiae, if I can follow what Mr. McCauley has asked at this meeting and at others. It is important for MPs to delve into the details that way. But I also think of it from the perspective of constituents, who want to understand this and what's being done in response in general terms as well. What is being done to address this fundamental challenge, which I see as being one of the key findings in this report?
That's for whoever wishes to take it.
4:50 p.m.
President, Shared Services Canada
Maybe I can start.
This is a statement that is true in Canada. It's true everywhere in the world. It's just a pure fact that when you are in a digital world, everything is always at risk. We need to start from there. Otherwise, we won't be doing our job.
I think in Canada, for the Government of Canada, we have an infrastructure that can stand a lot. We have the process to handle these situations where there might be something detected through early intelligence but also detected on our system. We have a way to easily contain, address and remediate, but we will never be done. This is what I was saying a bit earlier. I think the point the Auditor General made at the beginning of the report is very important. Everything is at risk, and we need to always validate and enhance our safeguards.
I'm sure Catherine and Rajiv can add to this.
4:50 p.m.
Liberal
Peter Fragiskatos Liberal London North Centre, ON
Before they do, though, there's never going to be 100% protection. I think that's important for us to understand. That's true of not just the Canadian approach but what other democracies are finding as well, that a complete fail-safe system is not possible. That's fair.