Cyber security overview: Committee of the Whole—May 19, 2022
Cyber security
Key data points
- Shared Services Canada is mandated to manage information technology (IT) infrastructure services related to email, data centres, and telecommunications for 43 other federal organizations
- Budget 2022 proposes to provide $875.2 million over 5 years, beginning in 2022 to 2023, and $238.2 million ongoing for additional measures to address the rapidly evolving cyber threat landscape
- This includes $178.7 million over 5 years allocated to Shared Services Canada (SSC) and Communications Security Establishment (CSE), starting in 2022 to 2023, and $39.5 million ongoing, to expand cyber security protection for small departments, agencies and Crown corporations
- As per its 2020 to 2021 annual report, the Communications Security Establishment routinely blocks between 2 and 7 billion malicious actions every day
Response to cybersecurity
- The safety and security of Canadians’ data and the services provided by the Government of Canada rely on information technology infrastructure that is safe from vulnerabilities and able to swiftly and effectively respond to cyber security attacks
- Mr/Madam speaker, protecting Government of Canada data begins with our network. Shared Services Canada continuously assesses technology trends and developments to ensure it builds and adjusts a Government of Canada network that is responsive to current and future needs
- SSC makes it a priority to protect the Government of Canada’s IT infrastructure from vulnerabilities and ensures the safety and security of data
- We are converging, consolidating and standardizing complex and aging wide area networks to a common, shared, enterprise network providing enhanced security
- Overall security is improved with a network designed and built to be appropriately secured from the ground-up to minimize flaws that could compromise security
- SSC is also moving to software-defined networks to improve continuous network monitoring and application performance baselining
- Improved monitoring using a single window to manage network traffic, regardless of the number of vendors and products in the infrastructure, allows greater visibility of critical business traffic performance
- SSC is working with Government of Canada departments and agencies to apply a zero trust architecture approach to cyber security. Zero trust changes the focus of cyber security from mainly protecting access points to GC systems or networks to an approach that constantly monitors activity, verifies users, and limits access within government systems or networks
- Zero trust is an approach to cyber security—and not a specific technology. It does not replace traditional perimeter-focused network security; it can be implemented gradually in both new and existing systems to improve the overall government security posture
- It should also be noted that cyber security is a shared responsibility between SSC, the Canadian Centre for Cyber Security, and the Treasury Board of Canada Secretariat
- Cyber security is and will continue to be a priority for me, Shared Services Canada and its partners, to safeguard government data from cyber threats
Shared responsibility
- Though government departments and agencies have a responsibility to ensure cyber security within their organization, SSC, the Treasury Board Secretariat, and the Communications Security Establishment are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats
- SSC provides IT security infrastructure. In conjunction with Treasury Board of Canada Secretariat (TBS) and CSE, SSC also provides security and privacy by design as part of the establishment of new services
- When a cybersecurity event occurs within its network infrastructure, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery. This is also true for SSC-managed components in the cloud
- SSC continuously works to enhance the cyber security of Government of Canada digital assets by preparing for all types of cyber incidents and for responses to threats
Cybersecurity projects
- SSC is delivering on a portfolio of projects that range from the protection of classified systems and the automated detection of threats and cybersecurity events to the protection of desktops, laptops and other “endpoint” devices. For example, our initiatives include the implementation of a central security information and events management platform, the expansion of the government secret infrastructure, and a consolidated platform for privileged access management
- SSC aligns its priority projects with the CSE “top 10” recommendations, and also with the National Institute for Standards and Testing’s priorities for cyber risk mitigation. Our projects include substantial participation from private sector partners, to integrate their advanced technologies and their expertise
Rollout for small departments and agencies
- The government’s cyber security tripartite, consisting of SSC, CSE, and TBS, is investigating options for improving the overall cyber defence posture of all federal organizations. From an SSC perspective, this involves exploring the possibility of extending a predefined subset of core network and cyber security related shared services that are currently provided to partner departments to a greater number of federal organizations
- These services, when delivered together by SSC and CSE, improve the overall security posture of an organization by bringing it within the government’s perimeter, by standardizing key operational tools, and by providing monitoring of network traffic for potential threats or vulnerabilities
- SSC has worked closely with TBS and CSE to evaluate the current security posture of small departments and agencies to understand their requirements and explore options for onboarding mandatory and optional clients onto existing SSC and CSE security services such as enterprise internet, secure remote access, and M365 to reduce the exposure to government networks. SSC has already engaged with a number of these organizations to assess their current status and has received funding via Budget 2022 to work with the remaining organizations over the next 5 years
Who is covered by Shared Services Canada’s mandate
- The Shared Services Canada Act authorizes the governor in council to specify the services that SSC must or may provide, and the entities to whom these services must or may be provided
- There are 43 federal partner departments which are required to receive all of SSC’s services related to email, networks, data centres, and end user IT
- Additionally, there are 45 client departments who must obtain a subset of these services from SSC. This subset of services varies depending on the infrastructure these clients are currently running, and their readiness to move onto more modern solutions
- All other federal organizations, over 150, including Crown corporations and agents of Parliament, commissions, and any other entities who report through a minister to Parliament, may choose to receive some or all of these services from SSC, but are not obligated to do so
- Currently, some 55 of these non-mandatory departments, agencies and other entities receive some services from SSC on a voluntary basis. Such services are delivered on a pure cost-recovery basis