Evidence of meeting #92 for Public Accounts in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

Also speaking

Andrew Hayes  Deputy Auditor General, Office of the Auditor General
Scott Jones  President, Shared Services Canada
Arianne Reza  Deputy Minister, Department of Public Works and Government Services
Paul Thompson  Deputy Minister, Department of Employment and Social Development
Catherine Luelo  Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat
Cliff Groen  Associate Deputy Minister and Business Lead, Benefits Delivery Modernization, Department of Employment and Social Development
John Ostrander  Technical Lead, Benefits Delivery Modernization, Department of Employment and Social Development
Clerk of the Committee  Mr. Cédric Taquet

December 14th, 2023 / 12:15 p.m.

Liberal

Shaun Chen Liberal Scarborough North, ON

Thank you very much, Mr. Chair, and thank you to the witnesses for being here.

I just want to follow up on what Ms. Luelo said earlier about the office of the CIO having accountability, but not having central control of funding. Could you expand on that and explain further what you meant by that?

12:15 p.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

This is probably one of my greatest irritants. One of the tools that I used to have as a CIO in the private sector was the ability to set the strategy and then actually control the funding. By controlling the funding, I'm not suggesting that they gave me x billions of dollars to dispense, but there was a level of control where there was a sign-off on technology work that went on right across multiple divisions of publicly traded organizations that I, as the CIO, had. That same level of oversight does not exist.

We are in a very vertical model for many good reasons, but these are horizontal problems, and we don't, in my opinion, have the right horizontal financial controls in place on technology investment. As such, we're spending x billions of dollars on thousands of things versus x billions of dollars on the few things that need to move fast, and the benefits delivery modernization program is an example. That's not just money; that's resources as well.

12:15 p.m.

Liberal

Shaun Chen Liberal Scarborough North, ON

Thank you for that.

I want to move to Shared Services Canada.

From 2019 to 2023, departments and agencies that reported on the health of their IT systems did not assess close to 12% of their applications. Has Shared Services Canada considered ways to reduce this number?

12:15 p.m.

President, Shared Services Canada

Scott Jones

I think that, on the applications themselves, Catherine is actually in a better position to talk about that.

With regard to the infrastructure, we have been modernizing the underlying infrastructure, both the network server infrastructure in attempting to move as many as we can into modern, stable data centres.... However, the applications themselves are more.... That's actually one of the biggest challenges that we have at Shared Services. We simply don't control the applications. They are within departmental remit.

12:15 p.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

What Mr. Jones is nicely not saying is the fact that the specialness of all of the applications drives complexity and cost into his business, which gets in the way of it being as efficient an infrastructure provider as it could be.

In terms of the 12%, you bet. We have 12% that we're not seeing, but we have a good appreciation of what the most critical services are, and that's outlined in the policy on government security. We know what those services are, and we know what those systems are. We feel like we have good visibility on the ones that will kick us in the butt—if I can use that term—but that doesn't mean that we don't pursue the other 12%, and we have to do better on that.

12:15 p.m.

Liberal

Shaun Chen Liberal Scarborough North, ON

Help me understand further.

Earlier it was said that we're not dealing, in some cases, with just an upgrade. It was said that there are generational leaps in terms of the updates that need to be done.

Can Canadians feel confident in these systems if we are not providing the latest technology? We're dealing with information and data, and in this day and age, we know how important it is for Canadians to have their privacy protected. Can you comment further on this issue and challenge that is being faced?

12:20 p.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

I'd be happy to.

The information of Canadians and the privacy of their information, the security of their information, is something top of mind for all of the deputies and ADMs who are sitting in the room. That is an accountability that I have within our office, and you'll see that, with the data breach that we've been working through with a third party provider, we've taken a very active role—perhaps when it wasn't ours to take—to protect our employees' information. That's at the core.

I think, as Scott outlined, there's been good investment in network and cybersecurity and in privacy protocols that really give us some comfort that we have both good protections and good response mechanisms with regard to that. I'm comfortable saying that I think we have the right things in play there. That doesn't mean that there's no risk. That means that we have some managed risk in that space.

In terms of the leap-frogging, that's a situation many organizations find themselves in, not just government. It's a huge opportunity to actually rethink business process and to move from old ways of doing things to new ways of doing things.

I think that Canadians should be concerned that we're on old infrastructure. I think that, in the programs where we need to be advancing that—like OAS, like EI, like our immigration system—we have the right practices in place there. They should feel comforted by the fact that we are starting to look at more modern technology, and part of that means standardizing, which ultimately is going to drive the cost line down if done well.

12:20 p.m.

Conservative

The Chair Conservative John Williamson

Thank you. That is the time.

We're beginning our last round, which will involve six members asking questions.

Mr. Nater, you have the floor for five minutes, please.

12:20 p.m.

Conservative

John Nater Conservative Perth—Wellington, ON

Thank you, Mr. Chair.

Thank you to our witnesses. We have 12 witnesses in total. I'm sure there could be a joke made there about the complexity of government and perhaps the need to streamline in some areas, but I'll digress on that.

I may begin with Ms. Luelo.

Again, I echo the comments of wishing you well as you depart government for a return, I'm assuming, to the private sector. I want to touch a little bit on that, given your unique experience, and maybe use this as a bit of an exit interview with you as we go forward—your experience in the private sector and then in government.

I'd like to follow up on a few answers that you've given so far about this concept of the specialness of government and where there seems to be a want or a need in government to see itself as unique or special—needing almost tailor-made solutions.

Could you elaborate a little bit on that? You mentioned in one of your responses that—and I'm paraphrasing—not everything needs to be special, in some cases. Could you elaborate a little bit on the idea that, if we were to take out some of the specialness, we might be able to be more effective in delivering services?

12:20 p.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

It has been remarkable to be able to go between the private and public sectors. I hope every executive takes the opportunity to do this. I think it would make for a different discussion between government and the private sector. I think we need to send government folks out into industry. I think it's a very rich experience. The U.S. likely does a better job of that than we do.

The big similarity is that the people are completely committed. The people I get to work with and support every day in tech in government are awesome. They work very hard. The specialness drives the complexity.

To very directly answer your question, why do we need 33 different HR systems? Recruitment is recruitment and development is development. That is consistent. Certainly, we have collective agreements that are different. I am not dismissing that. But in terms of the basics of HR, we have not had the discipline to get to a common approach to HR, regardless of the collective agreement complexities.

The biggest difference I would note—I ran into this at Enbridge and at Air Canada—is that there is a severity of consequence if you do not standardize in the private sector that does not exist in government. What I mean by that is that getting into an enterprise approach, when that is what has been decided by the board and the CEO, there is only one consequence if you choose not to get on board with that plan. It's a meritocracy in a way that's a little bit different from what I've experienced.

Now, the consensus-based, collegial-based complexity of government lends itself to having a bit of a different discussion around things, but I think there is room for improvement there to perhaps have a little bit more of that “edgeness”, for lack of a better word, for not complying with enterprise. That includes both public service...but as we actually build and make government policy as well.

12:25 p.m.

Conservative

John Nater Conservative Perth—Wellington, ON

Thank you for that. That gives us a lot to think about.

Following up, as you reflect on your two and a half years in government and your role as CIO, I'd be curious to know what you saw as your biggest frustration in your time in this position, specifically in terms of getting things done or frustration in terms of achieving a desired outcome. What would you recommend to your successor in terms of what they might want to see done in that position?

12:25 p.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

I don't know if this is going to be a new practice in committee to do exit interviews with deputies, but I welcome the opportunity to share my thoughts here.

Look, this discussion here today, and my last appearance at ETHI, is a good example of probably one of my greatest frustrations. It's not about the public forum. It's not about the questions. I would observe that even within the public service, I'm used to being in meetings—talking about delivery velocity, talking about budgets, talking about change management, talking about adoption, talking about “the doing”. I find that we spend more time talking about what we might do versus actually talking about how we're doing it and the results. In my opinion, that needs to change.

12:25 p.m.

Conservative

John Nater Conservative Perth—Wellington, ON

Thank you for that.

I wish you well going forward.

12:25 p.m.

Conservative

The Chair Conservative John Williamson

Thank you very much.

I will turn now to Ms. Khalid.

You have the floor for five minutes, please.

12:25 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you very much, Chair.

Thank you to the witnesses for appearing today.

I'll start with you, Mr. Groen. Can you help us understand why BDM was not initiated sooner?

12:25 p.m.

Associate Deputy Minister and Business Lead, Benefits Delivery Modernization, Department of Employment and Social Development

Cliff Groen

BDM first entered the planning stage back in 2017. As was referenced, in 2010 there was an Auditor General report identifying the need to address critical infrastructure issues, including the programs that support the delivery of the core statutory benefit programs. There was an initiative to replace the old age security system, launched back in the early 2010s. Unfortunately, that project was not successful. That's why we're now with BDM. It's been since 2017 that we've embarked on the planning stage and now into the actual execution stage for benefits delivery modernization.

12:25 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

What flags were raised on this by the OAG and officials back in 2010?

12:25 p.m.

Associate Deputy Minister and Business Lead, Benefits Delivery Modernization, Department of Employment and Social Development

Cliff Groen

I have read that report, but it's been a while since I have. Essentially, it was flagging...and it was not a new phenomenon. It was not new in 2010. It was recognizing that there had been many years of underinvestment in information technology and that we were not making the needed investments in order to maintain the systems on an as-needed basis. It raised concerns about critical risks or failure. That was a big concern.

I can say that for the old age security, employment insurance and Canada pension plan systems, over the last five years we have made lots of investments on stabilizing the systems to ensure a minimizing of the risk of system failure. I want to assure Canadians who are listening to this session that through the emergency management processes we've put in place, if there were any technical issues with any of those core programs, we have a disaster recovery process in place. We're very confident that it would not impact the delivery of the benefits, which is absolutely critical to all Canadians.

12:25 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

If we had spent the money back in 2010, would we have had to spend less money? Would we not have had to deal with all of these issues that are ongoing now had we invested a little earlier?

12:25 p.m.

Associate Deputy Minister and Business Lead, Benefits Delivery Modernization, Department of Employment and Social Development

Cliff Groen

What I would say is that there is an inherent need for continued investment and maintaining the systems that deliver very complex programs across all of the Government of Canada. If we had made these investments and we were no longer on a 60-year-old system for old age security, we would not be seeing the costs that we have right now to deliver benefits delivery modernization.

However, there is and always will be a need to maintain these systems. Having secure ongoing investment is critical for today, and that will be the case 10 years from now as well.

12:25 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Just to clarify, you stated that the 2010 report stated that these systems were at risk of failure. To be clear, no action was taken by the government of the day at that time.

12:25 p.m.

Associate Deputy Minister and Business Lead, Benefits Delivery Modernization, Department of Employment and Social Development

Cliff Groen

There were different initiatives that had been taking place since 2010 to address different IT risks and issues. The replacement of the applications that run the old age security, EI and CPP system are being driven now through the decision in 2017 to proceed. However, there were other initiatives since 2010, for sure.

12:30 p.m.

Liberal

Iqra Khalid Liberal Mississauga—Erin Mills, ON

Thank you.

Mr. Jones, as we're implementing all of these measures, how much do rising threats to security through hacking and through emerging technologies impact the cost of implementing a lot of these programs? How do you deal with these changing technologies to deal with how these programs are getting implemented?

12:30 p.m.

President, Shared Services Canada

Scott Jones

That's actually a large question to answer.

I think there are two broad levels of things that we do. One is the infrastructure security piece, and that's where the investment in Shared Services paid dividends. When it was created, that wasn't the plan. The plan was to figure out how to consolidate infrastructure and save costs. What it did was give us a platform to build very strong cybersecurity and kind of ring the government with defences. Those are continuously augmented. We invest, constantly upgrade and keep up with modern technology. SSC provides the best available infrastructure-level modern technology, and then we have our partners at the Communications Security Establishment on top of that.

Then we turn to our partners in the departments, where we look at things like fraud, abuse of the systems, social engineering, etc., and try to provide them with the skills they need or the services they need, but to augment that part, which is a very hard problem as well, and a different set of cybersecurity problems. The investment is continuous and changes constantly. We are constantly upgrading. It requires that continuous investment just because the threat environment is incredibly fast paced.

12:30 p.m.

Deputy Minister and Chief Information Officer of Canada, Treasury Board Secretariat

Catherine Luelo

This is one, if I could add to that, where we really do play as a team on cybersecurity. We have just published the enterprise-wide government cybersecurity plan, which really outlines how all the different departments work together. It includes an operations model that goes along with it—that next level of detail. That's one thing I would highlight that I think we're well orchestrated on.