Shared Services Canada: Standing Committee on Government Operations and Estimates—November 24, 2022

Cyber security overview

Suggested response

If pressed on SSC’s responsibility vs. that of CSE

If pressed on any particular cyber event (Exchange Vulnerability, Log4j, Print Nightmare, Global Affairs Canada (GAC) incident, National Research Council (NRC) incident, etc.): 

Key data points

Background

Overview

The Government of Canada works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to cyber incidents to better protect Canada and Canadians.

To that end, the government has:

Roles

A number of departments and agencies play a role in cyber security, including TBS, CSE, Public Safety Canada (PSC), Royal Canadian Mounted Police (RCMP), Canadian Security Intelligence Service (CSIS), and National Defence.

All departments and agencies have a responsibility to ensure cyber security within their organization. TBS, SSC, and CSE are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats.

TBS provides strategic oversight of government cyber security event management.

SSC provides IT security infrastructure (design, deploy and operate). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services. The security of goods and services is evaluated during the procurement process by CSE and SSC.

CSE houses the Canadian Centre for Cyber Security (CCCS) which monitors systems and networks for malicious activities and cyberattacks and leads cyber event operational response.

PSC leads national cyber security policy and strategy.

The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin against Government of Canada (GC) infrastructure.

CSIS is responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.

National Defence/Canadian Armed Forces is responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.

Government of Canada readiness for return to worksite

Key messages

Key data points

Background

Shared Services Canada has taken significant steps to address government-wide technology challenges related to COVID-19 work arrangements, focusing primarily on demands on the government’s network capacity and security, and the functionality of workplace collaboration tools.

Network modernization

SSC implemented major upgrades to the enterprise network in the summer and fall of 2020. More internet and security upgrades are underway.

More than 3,500 buildings are connected to the Government of Canada network. It is not required, feasible or cost effective to upgrade all sites. Consequently, SSC is working with federal departments to prioritize sites most critical to Canadians and government operations.

Collaboration tools

Videoconferencing, mostly through Microsoft Teams, has become the main communication channel for employees, given the ongoing requirements for collaboration from different locations.

SSC has established interoperability between Microsoft Teams and the existing videoconference infrastructure located in approximately 7,800 government boardrooms across the country. As GC employees return to worksites and adopt hybrid work solutions, SSC will continue to work with its partners to enable standardized meeting spaces and modern conferencing capabilities. Where appropriate, SSC will deploy certified Microsoft Teams Room (MTR) technologies to upgrade videoconferencing equipment and provide users across the GC with an enhanced user experience. These technologies require significant bandwidth. As employees return to worksites, the level of service they have come to expect is not consistently available in all Government of Canada buildings. SSC issued guidance in January 2022 on thresholds for Microsoft Teams bandwidth consumption to assist departments with managing their users’ experience. After working with Public Services and Procurement Canada (PSPC), SSC updated the guidance in August 2022 where departments could establish thresholds for those working on the GC network, while allowing remote workers to fully leverage their available bandwidth, thereby supporting a better user experience for all.

Working with partners

The work required to implement future worksite strategies is shared with other federal departments. SSC will continue to work with federal departments on their specific needs. Some departments may choose to send their employees back to worksites in advance of the upgraded infrastructure being put in place; however, the current videoconferencing infrastructure will support the interoperability requirements with Microsoft Teams. Each department will also engage in proactive testing and analysis for their respective operations. 

Outsourcing information technology services

Key messages

If pressed on reasons for “outsourcing” technologies:

If pressed on reasons for “outsourcing” work:

Background

On January 17, 2022, a report appeared in the Globe and Mail stating that the federal government spending on outsourcing contracts in the fiscal year 2020 to 2021 increased by 40% when compared to fiscal year 2015 to 2016. This came from information publicly available in the Public Accounts of Canada, tabled in the House of Commons on December 14, 2021.

Though these recent media reports make no mention of Shared Services Canada, there has been past criticism of government departments, including SSC, in regard to the outsourcing of IT services.

In February 2022, the House of Commons Standing Committee on Government Operations and Estimates adopted a motion to conduct a study on the outsourcing of contracts in public services and procurement. The first meeting for this study occurred on October 3, 2022, at which officials from SSC, the Treasury Board Secretariat, and Public Services and Procurement Canada attended.

Response to National Security and Intelligence Committee of Parliamentarians Report

Key messages

If pressed on small departments and agencies:

If pressed on Crown corporations:

If pressed on SSC’s role on cybersecurity:

Background

The National Security and Intelligence Committee of Parliamentarians (NSICOP) was established under the National Security and Intelligence Committee of Parliamentarians Act, which received royal assent in June 2017. It is not a parliamentary committee, but rather a committee of parliamentarians, composed of both members of Parliament and senators. All members hold top secret security clearances and are permanently bound to secrecy under the Security of Information Act.

In July 2020, the Honourable David McGuinty, Chair of the NSICOP, wrote to the president of the Treasury Board Secretariat to advise that the committee will review the Government of Canada’s framework and activities to defend its systems and networks from cyberattacks.

NSICOP completed its review of the Government of Canada’s activities to defend its systems and networks from cyberattack. This included reviewing the:

In the report, tabled in the House of Commons on February 14, 2021, recommendation 2 of annex A recommended the leveraging of SSC managed enterprise internet services by all federal organizations, and read as follows:

To the greatest extent possible, the government will extend advanced cyber defence services, notably Enterprise Internet Service of Shared Services Canada and the cyber defence sensors of the Communications Security Establishment, to all federal organizations.

Responses to the National Security and Intelligence Committee of Parliamentarians report on cyber security

The GC Cyber Security Tripartite (SSC, CSE, and TBS) continues investigating options for improving the overall cyber defence posture of all federal organizations. The Budget 2022 allocation provides support to SSC and CSE to extend these advanced services to small departments and agencies, and this work has already begun. These services, when delivered together by SSC and CSE, improve the overall security posture of an entity by bringing them within the GC perimeter, standardizing key operational tools, and by providing monitoring of network traffic for potential threats or vulnerabilities. SSC may provide these services to Crown corporations that seek them; however, they will continue to be cost-recovered unless funding is identified.

The Office of the Chief Information Officer at the Treasury Board Secretariat continues to investigate measures required to extend cyber and IT security policies and directives to all federal entities not currently under Treasury Board Secretariat’s purview.

TBS, SSC and CSE continue to work to ensure that cyber defence is applied equally across departments and agencies to the greatest extent possible, including alignment between the scope of the Policy on Government Security and the Policy on Service and Digital.

Information technology service management

Key messages

If pressed on security:

If pressed on disclosure:

Background

On January 24, 2022, Shared Services Canada replied to a media query regarding the procurement process for an information technology service management tool solution, following information received through an access to information request. BMC Software Canada Inc. was the winning supplier for this procurement.

On March 14, 2022, the Globe and Mail published a story on the contract, raising issues with its proactive disclosure, the fact that it went to an American company, security rules for working in the United States, and outsourcing in general.

SSC invests in technology that supports a whole-of-government or “enterprise” approach by enabling organizations to shift toward the use of common IT systems. SSC’s contract with BMC reflects this approach to IT transformation, in that it provides for a single, modern ITSM tool available for use across the GC.

Information technology service management is, in part, the practice of managing IT delivery and operations for an organization’s customers. At SSC, the ITSM solution is being configured to manage service requests, changes and incidents for each of SSC’s services. The implementation of the solution is improving SSC’s ability to provide integrated quality services to partner departments.

On February 4, 2022, this contract was alluded to in the House of Commons by Mr. Kelly McCauley, member of Parliament, focusing on the fact the work was occurring outside Canada and the government’s overall posture on cyber security.

A complete security assessment was undertaken by SSC. On an exceptional basis, the contractors were allowed to perform unclassified work outside of Canada until May 31, 2022, while COVID-19 related travel restrictions were in place for non-essential travellers. The security risk was carefully assessed, and robust mitigation measures were put in place to protect government assets and information. Safeguards were also put in place to ensure that non-authorized non-Canadians didn’t have access to certain information.

An amendment for an additional $20 million was proactively disclosed late due to technical issues; however, it has since been posted. Technical issues have been addressed by adding manual processes to avoid similar situations in the future.

The initial contract and all amendments up to June 2022 have been proactively disclosed, as of July 30, 2022. Any amendments made between July and September 2022 have been disclosed by October 30, 2022, on the open government site, in line with the guidelines on proactive disclosure.

An additional contract amendment was completed on October 17, 2022, to extend the contract to August 27, 2026 (from the original August 28, 2019, to August 27, 2022). However, no funds were added to the contract.

Cloud services in the Government of Canada

Key messages

If pressed on procurement of cloud services:

If pressed on Amazon Web Services:

If pressed on ThinkOn Inc.:

If pressed on cloud security:

Background

To enable GC cloud adoption and support progress towards a digital government, SSC ensures that a variety of cloud services are available to meet the unique business needs of each federal department. SSC also acts as a centre of excellence for cloud services across the government, providing technical expertise and tools to guide customers and simplify cloud adoption.

SSC’s optional cloud brokering service provides customers with self-serve access to commercial cloud services. SSC acts as a bridge between customers and cloud service providers offering software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) public cloud services.

To support Government of Canada access to cloud supply, Shared Services Canada established framework agreements with 8 leading cloud service providers:

The framework agreements provide departments with standardized terms and conditions, and cloud services that have been assessed by the Canadian Centre for Cyber Security and the Contract Security Program. The government has processes in place to ensure specified security requirements are met when awarding cloud contracts.

Since the establishment of the framework agreements, overall consumption has been growing. The total consumption for year 2019 to 2020 was $1,395,709 and grew to $103,807,761 by fiscal year 2021 to 2022. Consumption through the framework agreements is shared across the 8 cloud service providers, in alignment with the needs of GC departments and agencies.

All pre-qualified suppliers and available cloud services are accessible in one place: the Government of Canada cloud services portal.

Other levels of government can, and do, make use of these framework agreements. A few examples are:

The protection and privacy of Government of Canada data stored and processed in the cloud is a top priority for SSC.

GC departments and agencies that use cloud services remain accountable for the confidentiality, integrity, and availability of IT services and related information that a cloud service provider hosts.

In 2019, SSC, the Treasury Board Secretariat’s Office of the Chief Information Officer (TBS OCIO) and the Canadian Centre for Cyber Security co-developed a Secure Cloud Operationalization Framework for enabling secure access to public Protected B cloud services for the Government of Canada. This included a minimum set of 12 mandatory guardrails, which departments are obligated to implement. SSC has the validation function, including reporting and notification of customer compliance to the guardrails, while TBS OCIO has the compliance function, such as remediation oversight and enforcement.

Amazon Web Services Inc

On April 1, 2022, TVA shared a news report, stating that expenditures related to Amazon Web Services (AWS) increased, both for the Government of Canada and the Government of Québec. It states that, across the federal government, over the last year, the federal government spent $24.6 million on services provided by AWS.

At the Government Operations Committee, on April 29, 2022, member of Parliament Julie Vignola (Bloc Québécois) asked Minister Tassi the following question:

Last year alone, the federal government signed contracts totalling $24.6 million with Amazon Web Services, which is about $2.4 million more than the annual amount it invests in Canada Post. That's not counting other contracts from 2011 to 2020 and those with the Canada Border Services Agency.

Is it normal for the federal government and its agencies to do business with American companies instead of a Crown corporation? Doesn't this send the message that the Crown corporation is not even competitive enough to serve the government properly?

The Amazon Web Services are separate and distinct from general distribution, shipping, or warehousing services offered by companies such as Amazon, and are not services offered by Canada Post.

ThinkOn Inc

On October 21, 2022, the Globe and Mail published an article stating ThinkOn never worked on the CBSA ArriveCAN app, despite ThinkOn’s name appearing on the CBSA September 2022 Report to Parliament on the costs of developing and supporting the app. On October 26, 2022, the Globe and Mail published a second article stating that Microsoft, not ThinkOn, received the $1.2 million contract related to the ArriveCAN app. CBSA is conducting a full review of contracts related to the ArriveCAN app.

The ArriveCAN app was built and is hosted in an Amazon Web Services environment and uses Google’s Captcha solution as a security measure to verify users are not robots. It was launched across the country on July 20, 2020, as a means to enable travellers to submit customs and immigration declarations online in advance of flying into Canada for a faster border experience. The cloud-based application was developed between CBSA and Public Health Agency of Canada. SSC’s primary role in the ArriveCAN app has been enabling the cloud connectivity, testing the solution and monitoring the supporting infrastructure.

Currently only 5 customers have accounts with ThinkOn through SSC’s framework agreements:

Total consumption of ThinkOn services since 2020 to 2021: $586,803