Language selection

Government of Canada / Gouvernement du Canada

Search

Standing Committee on Public Accounts: Auditor General Report on the Cyber Security of Government Networks and Systems

Opening statement

Scott Jones
President
Shared Services Canada

Ottawa, Ontario
January 26, 2026

Thank you, Mr. Chair, for the opportunity to discuss the Auditor General’s Report on the Cyber Security of Government Networks and Systems.

Before we begin, I would like to acknowledge that we are on the traditional, unceded territory of the Algonquin Anishinaabe People.

I’m here today with Patrice Nadeau, Senior Assistant Deputy Minister for SSC’s Connectivity and Security Services Branch.

Introduction

Shared Services Canada (SSC) welcomes the Auditor General’s findings and is working to address the issues raised.

It’s important to underline that the Auditor General found that government had tools in place to protect and defend its networks and that the government’s cyber security plan was sound and comprehensive.

As the provider of IT services to departments and agencies, SSC plays a pivotal role in this work.

Indeed, SSC blocks about 6.5 trillion cyber threats annually, which is an average of 18 billion per day. This ensures the uninterrupted operation of government services.

We do that through a state-of-the-art enterprise infrastructure and modern commercial cyber security solutions that defend government systems against a wide range of cyber threats.

SSC uses multiple layers of defence, including firewalls, network defences, anti-denial of service measures, anti-virus and anti-malware tools, encryption, virtual private networking (VPN) and robust identification and authentication services.

We have an excellent partnership with the Treasury Board Secretariat (TBS) and the Communications Security Establishment (CSE).

This collaboration is absolutely vital, as the Auditor General underscored, and we continue to improve it. We regularly conduct postmortems on cyber events to identify ways we can do better.

Together, SSC and CSE’s Canadian Centre for Cyber Security provide sophisticated cyber defenses that go beyond commercial capabilities. Our work offers one of the most sophisticated cyber defenses in the world.

Cyber security is a space that is evolving fast, and we work continuously to keep on top of it.

That said, there is more to do, as the Auditor General rightly underscored.

We share the Auditor General’s concerns about organizations that are outside SSC’s enterprise Internet service. As the threat environment changes rapidly, that is a model that clearly needs to evolve.

This is why SSC is now working to provide connectivity and security services to 43 small departments and agencies, and is on track to complete this work by the end of March 2027.

The Auditor General also highlighted a project called Endpoint Visibility, Awareness and Security, or EVAS for short. This is one of the tools SSC is adding to its cyber security environment.

EVAS will automatically identify network-connected endpoints—such as desktops and servers—and verify they meet security requirements. Unlike our semi-manual system, EVAS is automated and enables real-time vulnerability and impact assessments.

EVAS will also provide automated response to cyber events.

While there were delays to this project, our organization has learned a number of lessons. The project has turned the corner, and since implementation began in July 2025, over 36,000 deployments have been completed.

The Auditor General also highlighted our project to develop a Security Information and Event Management system, or SIEM for short. I want to assure you that we are on track to award a competitive contract for this project in early 2026.

Further, SSC is currently operating an interim SIEM capability, which allows SSC to manage priority needs and supports an effective response to cyber threats.

Conclusion

Mr. Chair, since SSC’s creation, we have shifted the government’s business model from one that is siloed and decentralized, to a government-wide, enterprise approach.

This not only reduces costs, but strengthens overall security GC-wide. It’s easier to monitor, patch and fix one system than 45 separate ones.

We’re not done. SSC is streamlining the management of devices and software by centralizing procurement and operations. This achieves considerable efficiencies and reduces the potential for inconsistencies in security policies.

We’re also continuing to reduce duplication by replacing additional siloed back-office tools with standard, government-wide tools.

Legacy systems are also more vulnerable to cyber threats. Moving off legacy systems improves our security posture.

In short, everything we do to consolidate and modernize IT systems is essential to improving cyber security.

Mr. Chair, reports from the Auditor General are also an important tool to hold us accountable and allow us to improve our operations.

Cyber security is an evolving field with actors that don’t follow our rules. Continuous improvements are key to protecting the GC’s IT systems.

Thank you for the opportunity to speak on this important file, and I look forward to answering your questions.

Page details

2026-01-26