Government of Canada’s Enterprise Cyber Security Strategy

1.3.1 Drivers

As outlined in Canada’s Digital Ambition 2022, today’s digital landscape is marked by change of unprecedented pace and scope. Rapid technological, digital and data transformation is now part of Canadians’ daily lives, revolutionizing the way they access information and services, and the way they live, socialize and work. Canadians expect to have faith in their government and to be able to access any government service, at any time and on any device, in a secure and accessible manner. However, meeting this expectation presents a variety of challenges and security considerations that must be reflected on as part of the ever-evolving cyber landscape, including:

• Digital service delivery
  • Canada faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector and ultimately Canadians’ security and privacy.
  • As digital adoption increases, so do the opportunities for breaches and data loss. The growth in digitized personal information and improved delivery through digital approaches needs to be accompanied by measures to ensure that the privacy of Canadians will be protected and that government services can be delivered in the face of a rapidly evolving threat environment.
  • According to the Government of Canada Digital Standards: Playbook, services should be built to address the needs of users. Doing so includes applying a balanced approach to managing risk by implementing appropriate privacy and security measures that are frictionless so that they do not place a burden on users.
• Environmental, social and governance (ESG) commitments
  • As the GC increasingly focuses on responsible and sustainable digital service delivery, safeguarding its assets and Canadians’ personal information is integral to fulfilling the GC’s social responsibility.
  • Environmental concerns highlight the need to minimize the carbon footprint associated with cyber attacks and data breaches, as these incidents often result in significant energy consumption.
  • Strong cyber security practices demonstrate a commitment to governance by upholding transparency, accountability and ethical conduct, and by reinforcing the reliability and trustworthiness of the GC among Canadians.
• Future of work
  • The COVID-19 pandemic has highlighted the need for more modern work tools and practices to support a hybrid work environment. Within days of the pandemic being declared in March 2020, most federal public servants began working remotely.
  • As measures were introduced to enable remote work during the pandemic, an expansion of risk tolerance was required to ensure continuity of government. Looking to the future, this risk tolerance and the related mitigations will need to be reviewed and realigned to reflect the new work environment.
• Technology modernization
  • Technology is evolving at an unprecedented pace, with new innovations and advancements being introduced regularly (for example, artificial intelligence (AI), quantum computing, blockchain). While this rapid evolution brings about many benefits and opportunities, it also creates additional threat vectors and new challenges for cyber security. The speed of technological change means that security measures that were once effective may quickly become obsolete, underscoring the need for a proactive and adaptive approach to cyber security, which is one where organizations are constantly evaluating and enhancing their security measures to keep pace with an ever-changing threat landscape. The speed of change causes difficulties in appropriate oversight, creating gaps in accountability and responsibility for cyber security risks.
  • The adoption and integration of Internet of Things (IoT) devices has led to the convergence of cyber and physical systems, which expands the attack surface where physical impacts can result from a cyber threat vector or where cyber impacts can result from a physical threat vector.
  • The manner in which information technology (IT) services are delivered and consumed has changed significantly in recent years and is continuing to evolve. Widespread use of mobile devices and the adoption of cloud-based services are shifting the GC’s technology environment and must be considered from a cyber security perspective.
  • While the traditional perimeter-centric security model has served the GC well, the notion that digital assets and users within a defined boundary are trustworthy does not scale to the “new digital world” where the trusted perimeter cannot be defined. Increased connectivity, the risk of insider threats, and the need to protect and store data in various in-house and third-party repositories (for example, cloud) have led to new security concepts that do not rely solely on a perimeter-centric security approach (that is, zero-trust).
• Cyber security events and cyber security incidents continue to affect government
  • Each year, there is an increase in the number of zero-day vulnerabilities that require immediate action from the GC.
  • Compromises within the supply chain (for example, SolarWinds) have an impact on the GC, and introduce operational risks when third-party services are used. There is a need for critical infrastructure institutions (that is, natural resources, financial, health, telecommunications) to be at the forefront of cyber security and resilience discussions during vulnerability analysis. The GC needs to ensure that all cyber security activities are conducted in conjunction with these critical infrastructure institutions to ensure a cohesive and collective approach to cyber security and resilience.
  • Sophisticated cyber incidents^{Footnote 1} affecting departments and agencies demonstrate that the GC continues to be a target, which drives the need to promptly address any architecture weaknesses in GC information systems.
  • Cyber attacks and data breaches also provide opportunities for fraudsters to exploit vulnerabilities and carry out fraudulent activities using techniques, such as social engineering, phishing, or enumeration of stolen credentials, to gain unauthorized access to systems that can potentially lead to identity theft or financial fraud.

1.3.2 Progress to date

Building and maintaining government cyber defences is therefore vital for the protection of the functions and services on which Canadian society depends. In the last decade, there has been progress made in improving the government’s cyber security posture with centralized security capabilities having been implemented within the GC to some degree. Examples include:

• establishment of Shared Services Canada (SSC) as part of efforts to standardize the GC information technology (IT) infrastructure, including integration of cyber defence services at the GC enterprise perimeter
• establishment of the Canadian Centre for Cyber Security (Cyber Centre) as part of the Communications Security Establishment (CSE) to consolidate the operational cyber expertise from across the federal government and to provide a single, unified source of expert advice, guidance, services, and support on cyber security operational matters
• establishment of clear governance mechanisms to support the development of strategic cyber defence policy, the effective management of information technology security initiatives affecting government-wide operations, and the government response to cyber incidents
• increased availability of advice, guidance, and other tools and the implementation of minimum configuration requirements in 2022 as part of the Policy on Service and Digital, which was initially published in 2020, along with the renewal of the Policy on Government Security in 2019

1.3.3 Gaps remain

Despite this progress, gaps remain between the current state of government cyber resilience and where it needs to be. These gaps include:

• Varying levels of cyber maturity
  • The TBS Cyber Maturity Self-Assessment (CMSA) tool was launched in fall 2021 to support departments and agencies in assessing their cyber security maturity against recognized best practices, and is based on the methodology derived from the United States’ National Institute of Standards and Technology (NIST) Cybersecurity Framework.
  • A year-over-year comparison of results from 2021–22 with results from 2022–23 demonstrates that departments and agencies are making marginal progress in improving their cyber maturity, and that they remain on average below the target of having repeatable processes to identify and respond to threats in support of an effective defence against new and emerging threats.
• Lack of a comprehensive awareness of the cyber security risk environment
  • The level of capability, investment, and security understanding across federal departments and agencies remains inconsistent. The size and complexity of the GC’s digital estate, including the presence of legacy applications and technology, also make the challenge significantly more complicated.
  • Recognizing the potential gravity of impacts on the GC because of weaknesses in the supply chain, the increased use of third-party services has driven the need for more effective approaches and solutions to third-party risk management.
  • The ability to protect against evolving vulnerabilities and threats is further constrained by the presence of legacy GC information systems. This constraint drives the need to continue efforts in managing, upgrading or removing such systems, and in putting the necessary safeguards and ongoing investment in place to ensure that GC information systems are sufficiently secure throughout their entire life cycle. However, the tracking and maintenance of technology assets and data (both on-premise and in the cloud) are not comprehensively understood or managed, which limits visibility and awareness of which assets need to be protected. Many departments and agencies rely on manual processes, which can be time-consuming, error-prone and ineffective. The limits with regard to manual processes are particularly important for the many assets where proper tracking of configuration details (for example, exact cryptographic algorithms and their parameters) is needed.
• Disparate approaches to and a lack of coordinated investment in various security capabilities can lead to inconsistencies, inefficiencies and blind spots in the GC’s overall security posture
  • Identity, credential and access management (ICAM)
    • Managing digital credentials in a manner that mitigates risks to personnel, organizational and national security, while protecting program integrity and enabling trusted citizen-centric service delivery is of utmost importance to the GC. To that end, there is a requirement to modernize current GC ICAM solutions to ensure that identity is managed consistently and collaboratively across the GC for both internal and external services, while also increasing the level of assurance that is needed to mitigate authentication threats.
  • Security monitoring
    • Departments and agencies are using a combination of different tools, methods and services to monitor their systems, which can make it difficult to obtain a comprehensive view of potential security threats and may lead to unintended duplication or gaps in monitoring. This difficulty drives the need for increased visibility and access to data to support end-to-end monitoring where departments and agencies can analyze data from their own unique operational perspectives. It should be considered that many departments are not trained, equipped or staffed to support this function.
    • While the scope of on-premise services is clear as it relates to the mandate (for example, SSC is mandated to provide email, network, and data centre services, and departments and agencies are responsible for endpoints and applications), the rapid adoption of cloud computing has resulted in a lack of clarity about roles and responsibilities and the extent to which existing roles and responsibilities are extended to the cloud. Due to this lack of clarity, departments and agencies have been expected to manage their cloud-based environments, including cyber security operations. This expectation has led to duplication of efforts, inconsistent approaches, lack of intelligence sharing, and reduced visibility for the GC enterprise with regard to cyber security event analysis and mitigation.
  • Common services
    • While funding has been received to establish the enterprise cyber security capabilities, not all of these capabilities have been fully realized across the GC for various reasons, including waterfall approaches for project delivery and lengthy procurement processes.
    • The National Security and Intelligence Committee of Parliamentarians’ Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack highlights the overarching challenge where government is increasingly managed horizontally while its foundational authorities remain vertical, which creates significant discrepancies. Specifically, Treasury Board policies intended to secure government systems are not uniformly applied given that:
      • individual departments and agencies retain considerable latitude over whether to opt into the framework or to accept specific defensive technologies
      • a large number of organizations, notably Crown corporations and potentially some other government interests, are not obligated to adhere to Treasury Board policies nor use the cyber defence framework
    • While the use of centralized services across government would help reduce enterprise risks, there is a need for increased information-sharing to support such use, including enhanced coordination in developing strategic, implementation and operational activities. This need is also magnified by the lack of standardized tracking and service management of common services.
• Traditional security architecture models are less effective as users and applications now exist outside the traditional network perimeter
  • The growing threat of sophisticated cyber attacks has underscored that the GC cannot depend solely on conventional perimeter-based defences to protect critical systems and data. An information-centric approach where there is no implicit trust and all access is verified (also referred to as zero trust), coupled with host- and cloud-based network defence, will enable departments and agencies to rapidly detect, isolate and respond to these types of threats.
• Misalignment between traditional approaches for security assessments and agile delivery methodologies
  • As the GC moves toward working in a more agile environment with project management and development practices, security assessment and authorization (SA&A) processes in the GC continue to operate in a waterfall, compliance-based approach, which creates lengthy delays in the operationalization of information system solutions. The GC must evolve to a risk-based, threat-driven approach, which will reduce the friction with agile delivery methodologies while balancing security.
• Weak information management practices
  • Existing data protection processes are manual and have not comprehensively been standardized from creation to destruction. In addition, there is a lack of awareness of proper procedures related to the handling, processing, and classification of information (for example, under classifying or over classifying), resulting in inconsistent application across the GC.
  • There is inadequate protection of information due to outdated IT tools, which can result in an increase in cyber security incidents or privacy breaches, thereby eroding confidence in GC information management security.
• Immature cyber security event management practices

  • Cyber simulation exercises

    Performing cyber simulation exercises (also referred to as tabletop exercises) helps to improve preparedness, enhance communication and decision-making, and provide cost-effective training that increases confidence in handling cyber security events. In 2021–22, only 25% of departments performed cyber simulation exercises.

    While the GC has improved its central management of cyber security events through the establishment of the Government of Canada Cyber Security Event Management Plan (GC CSEMP), there is limited capacity within each department and it is not always clear which services provided at the enterprise level are available. Moreover, current solutions tend to be stand-alone and lack integration, workflow automation and the ability to generate trouble tickets to support cyber security incident management.
  • Departments and agencies experience a variety of significant or crisis events with varied complexity, and scope. They are responsible for identification, planning and recovery, as well as for the restoration of their critical services, internal operations, information systems and supporting applications. All these responsibilities are becoming more difficult to fulfill due to aging information systems and the increasingly distributed nature of technology assets. Sufficient resources are needed to ensure the continuity of critical services and to support incident recovery efforts.
• Challenges related to people and culture of security
  • The global demand for cyber talent far outweighs the supply, leading to a shortage of skilled professionals in the field. The GC is not immune, as vacant cyber positions continue to be a challenge for departments and agencies to staff. There is also a need to establish a right-sized staffing model for cyber talent between departments and central agencies so that positions are filled on a prioritized basis. The GC also has added layers of complexity due to security clearance requirements, second language profiles, and a hybrid work environment for many IT positions.
  • There is also a general lack of cyber security training available to GC personnel, both from a cyber domain perspective (for example, cloud security, incident response, security monitoring, use of existing cyber security tools) and from a general workforce perspective. To minimize cyber events that occur due to human error, there is a critical need to upskill all personnel in order to drive cyber security leadership and knowledge across the GC as a whole.
  • Insiders with authorized access to sensitive data can pose a significant risk to the GC, through intentional or unintentional disclosure or misuse. Without modernized security screening and continuous assurance processes for employees and contractors, trusted and identity-based access to IT resources and information, and robust anti-fraud management practices, there is an increased risk of insider threat.

Addressing this ever-evolving cyber security risk landscape will require the GC to harness its collective strength to build secure and resilient information systems. This strength will be supported by action-oriented policies, increased agility, and strategic investment-planning focused on addressing gaps to ensure that Canadians remain confident that their data is protected and that the provision of critical services will be uninterrupted.

2.3.1 Objective 1: articulate cyber security risk and its business impacts meaningfully for effective, action-oriented and accountable decision-making

As the cyber threat landscape is complex, evolving and extremely sophisticated, the GC needs to increase its understanding of the cyber threat landscape in order to develop more comprehensive and layered security defences. In order to manage cyber security risk, federal departments and agencies will have risk management processes, governance, and accountability in place to enable the proactive and effective identification, assessment, and management of their cyber security risks. Multi-year departmental cyber security strategies will be submitted to the TBS Office of the Chief Information Officer (OCIO) for approval on an annual basis. Through this risk-based approach, there will be sufficient overarching visibility with access to data to drive analytics, enabling the GC to effectively manage and measure cyber security risk holistically and align mitigation strategies with GC-wide goals. Further, the GC will have the mechanisms in place to enable the rapid identification, assessment and management of vulnerabilities across the enterprise.

Key actions and goals include:

• Plan and govern for the sustainable and integrated management of cyber security
  • Define a common approach, methodology, solutions and tools for assessing GC cyber security posture that is aligned with GC policy and the IT governance context, and that applies a risk-based approach according to the Canadian Centre for Cyber Security’s (Cyber Centre’s) IT Security Risk Management: A Lifecycle Approach (ITSG-33).
  • Conduct independent assessments, ongoing (year-round) testing and comprehensive reviews of departments’ cyber security posture to help identify and prioritize cyber security risks.
  • Strengthen governance related to digital and technology assurances, as part of the enterprise-wide IT investment-planning cycle, to ensure that cyber security spending proposals are aligned with government priorities and the Strategy.
  • Establish an integrated risk management platform that uses data-driven insights to identify, assess and communicate cyber security risks in a manner that:
    • resonates with senior management
    • provides actionable recommendations in order to improve risk remediation, prioritization of investments, and direction of resources
    • enables agile security assurance approaches
  • Ensure that resourcing and support is available to departments and agencies to improve their cyber security posture, in alignment with the Strategy and the target security operating model (TSOM).
• Improve the understanding of GC-wide exposure and strengthen vulnerability management
  • Implement tools to continuously identify, monitor, and manage the GC’s attack surface, leveraging existing tools where possible.
  • Develop accurate asset inventories and map relationships and dependencies between assets, which will also facilitate patching efforts.
  • Proactively address infrastructure, system, and application vulnerabilities, and the cyber security risks they present with a GC Enterprise Vulnerability Management Program to ensure that identified vulnerabilities are effectively managed across the GC’s digital estate, including building in redundancy and capability depth stemming from vulnerability assessments of our people, processes and technologies.
• Enhance third-party cyber security risk management
  • Seek measures to enhance system visibility and inventory management of the software and hardware supply chains to protect GC information and assets as part of a robust third-party cyber security risk management approach.
  • Standardize and strengthen risk-based cyber security requirements, clauses, and conditions in contractual arrangements with external suppliers and perform routine verification of supplier adherence to contractual security clauses.

Expected outcome:

• Cyber security is considered a whole-of-government endeavour where risks within GC information systems are continuously monitored, communicated, and remediated in an effective and timely manner

2.3.2 Objective 2: prevent and resist cyber attacks more effectively leading to greater protection of GC information and assets

The GC relies on a range of technologies to operate its functions and deliver digital services, which fundamentally requires a security-by-design approach to ensure that the functions and services consistently and continuously follow best practices and meet robust standards. Moreover, federal departments and agencies will increase the use of shared capabilities, tools, and services to address common cyber security issues, improving cyber security across the whole of government, as well as driving efficiency and value for money.

Key actions and goals include:

• Accelerate the implementation of modern cyber security and application architectures
  • Modernize enterprise-wide identity, credential, and access management systems, including using multi-factor authentication everywhere, to enable the hybrid workforce.
  • Modernize applications and delivery methods using common reference architectures for the secure delivery of digital services.
  • Establish a secure-by-design approach with security architecture and engineering resources integrated within projects to ensure that security aspects and potential threats to the system are addressed.
  • Improve and standardize security assessment and authorization (SA&A) practices by sharing SA&A results across the enterprise to reduce duplication of efforts when assessing common components.
  • Continue expansion of cyber defence services for all federal departments and agencies to the greatest extent possible.
  • Transition GC systems to use standardized post-quantum cryptography to protect from the quantum threat.
  • Improve the GC’s ability to prevent, detect, respond to and recover from fraudulent activity against GC applications.
• Deploy secure, modern, and accessible workplace tools and devices
  • Deliver common and secure baseline endpoint solutions where feasible that consider the specific needs of the GC workforce, such as mobility, collaboration and accessibility. This includes:
    • establishing always-on protections that are aligned with GC policies, directives, standards, and guidelines and that are easily auditable to enhance trust across government
    • developing easy-to-use protection profiles and supporting playbooks that outline security requirements and a collection of required safeguards, which will enable the adequate protection of assets in alignment with the security categorization of the information and the threat environment
• Strengthen data protection measures
  • Improve information security practices with a refreshed security categorization model.
  • Establish automated data security policy enforcement to prevent unauthorized access and data loss.
  • Improve insider risk management and awareness to support continuous assurance and after-care practices.

Expected outcomes:

• Standardized and modern tools, devices, and enterprise-wide cyber security services are deployed and leveraged across the GC
• A secure-by-design approach is applied to ensure that the security of digital services and protection of digital assets is continually assured throughout their life cycle

2.3.3 Objective 3: strengthen capabilities and resilience across the GC to proactively prepare for, respond to and recover from cyber security events

Even with robust protection and detection measures in place, the GC will be impacted by cyber security incidents. It is therefore essential that the GC be able to rapidly respond to cyber security incidents when they do happen to minimize impacts and ensure the continuity of essential functions and services. Testing and exercising incident response plans, both organizationally and across government, as well as establishing the ability to identify and communicate lessons learned from incidents, is a key part of the approach. A holistic monitoring approach with proportionate security monitoring capabilities based on organizational size, business context and maturity will help to facilitate the proactive detection of cyber threats. Further, central oversight and support of recovery from the most severe cyber security incidents will ensure that systemic risks are identified and mitigated.

Key actions and goals include:

• Improve security monitoring and detection capabilities to facilitate effective, tailorable options for departments and agencies
  • Increase the clarity of roles and responsibilities pertaining to monitoring coverage among GC internal enterprise service organizations, departments and agencies.
  • Establish a federated security operations centre (SOC) architecture allowing for coverage that is commensurate with the operational needs of departments and agencies to increase efficiencies, minimize duplication of efforts and ensure effective coordination. Specifically:
    • A centralized or command SOC at the Cyber Centre that monitors the overarching GC security infrastructure (including on-premise networks, cloud environments and other endpoints) where departments benefit from the cyber defence ecosystem and gain access to their data via a security analytics platform.
    • A multi-function infrastructure security and network operations centre (ISNOC) at SSC to enable effective network monitoring for the well-being of core departments and agencies under SSC’s mandate, along with the cyber security of common solutions provided by SSC, as well as to support the Cyber Centre and departmental security teams.
    • Specialized local SOCs for select departments and agencies that demonstrate sufficient maturity and that require additional visibility and nuanced metrics as a result of their unique mandates or business needs, which require enhanced monitoring to support the cyber security of program and service delivery.
    • Managed SOC services for departments and agencies that do not have sufficient maturity related to monitoring capabilities or resources, and that require hands-on coordination support.
  • Facilitate the sharing of logs and other critical information held at the enterprise-level to provide departments and agencies with end-to-end visibility of the data flows that support their information systems, which will enable departments and agencies to carry out their respective security responsibilities.
• Enhance enterprise alignment with the Government of Canada Cyber Security Event Management Plan (GC CSEMP) to enable better preparation for, response to and recovery from cyber attacks
  • Prepare departments through better incident planning and regular exercises using tools that allow for facilitated cyber simulation exercises (also called tabletop exercises) and after-action reports shared centrally to support the prioritization of recommendations for GC-wide considerations. At minimum, departments and agencies will conduct one cyber tabletop exercise up to the Deputy Minister level each year.
  • Foster community collaboration enabled by a security incident response management platform to automate responses to and reporting of requests for action by departments and agencies.
  • Develop additional tools and templates to enhance departmental cyber security event management plan activities and support for the execution of the overarching GC CSEMP framework.
  • Establish rapid and scaled incident response and compromise recovery surge teams with various skill sets to support departmental recovery activities.
• Improve the resilience of GC critical services with strengthened business continuity management practices
  • Establish a GC-wide business continuity plan to ensure that there is a coordinated approach for managing events that affect multiple critical services in order to ensure the continued delivery of GC programs and services.

Expected outcomes:

• GC networks, systems, applications, and endpoints are monitored to provide proportionate and end-to-end detection capability while respecting privacy
• GC information systems and critical services affected by cyber security incidents are quickly restored and resume operations with minimal disruption

2.3.4 Objective 4: foster a diverse GC workforce with the right cyber security skills, knowledge and culture

To achieve the Strategy’s vision and strategic objectives, the GC must cultivate a cyber security culture that empowers its people to learn, question and challenge in order to drive continuous improvement. Fostering a cultural shift in cyber security across the whole of government requires improving cyber security awareness and knowledge across all of the GC workforce in order to proactively engage organizational cyber security risks. According to the Government of Canada Digital Standards: Playbook, security measures should be frictionless so that they do not place a burden on users. Leveraging a robust cyber security culture across the GC will mature the cyber profession within the GC and enable the GC to attract, develop, and retain those skills, and to provide sustainable career pathways more effectively. Doing so will also ensure increased awareness and vigilance among all GC employees.

Key actions and goals include:

• Develop skills for cyber security
  • Engage with relevant departments and agencies to implement cross-functional training programs to leverage a variety of learning solutions that upskill employees from different departments who have different levels of experience in cyber security in order to increase redundancies and strategic coverage to protect GC assets.
  • Establish standardized, mandatory cyber security awareness training across government for all of the GC workforce.
• Attract and retain diverse talent for cyber security
  • Establish strategic partnerships with educational institutions, industry groups, and other external organizations or communities to further improve proficiencies and gain practical experience that can be leveraged in the GC.
  • Establish a centre for cyber workforce development that will:
    • promote a talent management culture in which a principle objective is to recruit and retain those candidates with requisite cyber skills and expertise.
    • reduce duplication of effort, stimulate interdepartmental collaboration and knowledge-sharing for effective talent and resource development and retention.
    • support the establishment of clear career progression pathways for employees, including opportunities for advancement and increased responsibility, with a priority focus on promoting an inclusive workplace culture by leveraging GC-wide equality, diversity, and inclusion programs.
• Accelerate the hiring of public servants by transforming personnel security screening and enabling continuous assurance
  • Modernize personnel security screening with strengthened policy, automation and technology enablement.

Expected outcomes:

• A cyber security culture across the entire GC that empowers behaviours that support continuous learning and improvement with a pool of cyber talent shared strategically across government
• A robust screening regime that balances evidence-based decision-making and continuous assurance to mitigate insider threat risks with improving the time it takes to hire