Language selection

Government of Canada / Gouvernement du Canada

Search

Appearance of the Chief Information Officer and Canadian Digital Service on the Government’s Response to the COVID‑19 Pandemic (Cyber Security) at the Standing Committee on Government Operations and Estimates (OGGO)

Notice to readers

This report contains either personal or confidential information, or information related to security, which has been redacted in accordance with the Access to Information Act.

On this page

Opening statement and overview

In this section

1. Opening statement (Strategic Communications and Ministerial Affairs Sector)

Opening Remarks for Marc Brouillard, Chief Information Officer of Canada, to the Standing Committee on Government Operations and Estimates (OGGO) regarding the Government’s Response to the COVID‑19 Pandemic (Cyber Security)

Ottawa

May 31, 2021

Thank you, Mr. Chair.

I am pleased to be joined today by Aaron Snow, Chief Executive Officer of the Canadian Digital Service, along with my colleagues from the Communications Security Establishment and Shared Services Canada.

After my opening statement, my colleagues and I will be available to answer the Committee’s questions.

Mr. Chair, it may be helpful to briefly explain the roles and responsibilities of the Office of the Chief Information Officer as it pertains to cyber security in the Government of Canada.

The Office provides strategic direction and leadership in information management (IM), information technology (IT), security, privacy, and access to information across the Government of Canada.

We also provide support and guidance on capacity-building, project management and oversight across the Government of Canada.

Treasury Board policy instruments outline the roles and responsibilities for government cyber security management and departmental management. Leveraging the Policy on Government Security and the Policy on Service and Digital, we provide strategic direction and oversight.

We define cyber security requirements to ensure that Government of Canada and departmental information and data, applications, systems and networks are secure, reliable and trusted. During cyber security events, The Treasury Board of Canada Secretariat (TBS) will perform strategic coordination, which may include the issuance of strategic direction to departments and agencies on measures to minimize the government-wide impact.

This is critical work, which is why our Office works closely with the Canadian Centre for Cyber Security and Shared Services Canada to collectively form the Government of Canada IT Security Tripartite, established to develop and maintain a coordinated and collaborative approach to enterprise IT security. This includes maintaining awareness of the global cyber threat environment, regularly scanning for new vulnerabilities that may impact government systems, and ensuring there is a coordinated response to potential and active threats through the Government of Canada Cyber Security Event Management Plan.

And this work has only intensified over the past 14 months, Mr. Chair.

Throughout the pandemic, we have been working very closely with Shared Services Canada to support government operations by ensuring that secure IT infrastructure and systems continue to enable the delivery of critical federal services.

Virtual collaboration was a key element in ensuring that continuity of operations. To enable this, the Government of Canada had to adjust rapidly, enabling 290,000 employees and contractors to work securely and remotely, representing a 60% increase in remote connections from pre-pandemic levels.

From the early days of the pandemic, TBS, Shared Services Canada and the Communications Security Establishment worked closely together to address the quickly evolving needs of the government. Shared Services Canada procured and provisioned new devices and equipment, and rapidly deployed new secure cloud-based collaboration and communication systems, while the Office of the Chief Information Officer provided resources, advice and guidance to Government of Canada departments, employees and contractors on working remotely securely. During this time, the Communications Security Establishment provided ongoing advice on the evolving cyber threat conditions related to the pandemic.

This was to ensure that public servants could continue serving Canadians, all while ensuring that the security, privacy and integrity of government information were not compromised.

Another example of collaboration is the work of the Canadian Digital Service, a team within TBS that collaborates with departments to address service delivery challenges.

The Canadian Digital Service has developed GC Notify, a platform tool that allows departments to quickly and easily “push” email and text messages to subscribers.

When the pandemic started, misinformation was prevalent. The Canadian Digital Service, Service Canada and Health Canada came together to use GC Notify to build “Get Updates on COVID‑19,” an email service to get people quick and trusted information about COVID-19.

Since launch, the service has securely sent over 5.5 million notifications to subscribers.

Indeed, Mr. Chair, security has been a priority throughout the pandemic.

With so many public servants working from home, we have taken concrete steps to ensure the ongoing security and safety of government networks.

We have robust systems in place to monitor, detect and investigate potential cyber security threats to information, including new and emerging threats that resulted from working remotely.

Safeguards such as enhanced and enterprise secure remote access, digital signature workflows, as well as appropriate policy guidance, have been used to protect information, while ensuring employees can continue delivering trusted services and programs to Canadians.

It has also been working to protect the Government of Canada by defending important programs against cyber threats – including COVID-related benefits such as the Canadian Emergency Response Benefit.

The Centre is constantly monitoring the security of cloud usage across the Government of Canada and evaluating cloud applications, including for the Public Health Agency of Canada.

Mr. Chair, the COVID‑19 pandemic continues to transform the operational and service landscape of government departments.

It has forced us to accelerate digital transformation efforts that were already underway and to move quickly to deliver new services that directly support Canadians.

At each step of the way, security has remained at the forefront.

We remain focused on continuously enhancing cyber security in Canada by preparing for all types of cyber incidents and protecting Canadians and their data.

Thank you, Mr. Chair.

We are ready to take the Committee’s questions.

2. Overview of the Committee: OCCO (Strategic Communications and Ministerial Affairs Sector)

Standing Committee on Government Operations and Estimates (OGGO)

Committee members
Name and role Party Riding OGGO member since
Chair
Robert Kitchen Conservative Souris–Moose Mountain October 2020 (Chair since October 2020)
Vice-Chair
Francis Drouin Liberal Glengarry–Prescott–Russell January 2016 (Vice-Chair since February 2020)
Julie Vignola Bloc Québécois Beauport–Limoilou February 2020 (Vice-Chair since February 2020)
Members

Steven MacKinnon

Parliamentary Secretary to the Minister of PSPC

 Liberal Gatineau September 2017

Rachael Harder

Digital Government Critic

 Conservative Lethbridge February 2021

Pierre Paul-Hus

PSPC Critic

 Conservative Charlesbourg–Haute-Saint-Charles October 2020
Kelly McCauley Conservative Edmonton West January 2016

Matthew Green

TBS Critic

Ethics Deputy Critic

 New Democratic Party Hamilton Centre February 2020
Majid Jowhari Liberal Richmond Hill January 2018
Irek Kusmierczyk Liberal Windsor–Tecumseh February 2020
Patrick Weiler Liberal West Vancouver–Sunshine Coast–Sea to Sky Country February 2020
Treasury Board of Canada Secretariat (TBS)-related Committee activity: 43rd Parliament, 2nd Session
Anticipated business
  • 2021–22 Supplementary Estimates (A)
  • Strengthening the protection of the public interest within the Public Servants Disclosure Protection Act
  • Government’s response to the COVID‑19 pandemic
  • Administration of the Canada Student Service Grant and WE Charity
  • Shipbuilding procurement
  • IT infrastructure improvements
  • NucTech contracts

On March 10, 2021, the Committee adopted the following motion:“That, in the context of its study of the Supplementary Estimates (C) 2020–21, the Committee send for, from TBS, all monthly COVID‑19 expenditures reports and COVID‑19 spending data as disclosed by the chief financial officers of all respective departments and that these documents be provided to the Committee no later than Wednesday, March 17, 2021, and then update this Committee on a monthly basis by the 15th of the month.”

TBS has provided three of these reports to the Committee (March 17, April 15, and May 11, 2021), as well as the information submitted by organizations to TBS (April 23, 2021). The information is now also available publicly on GC InfoBase (as of May 12, 2021).

Government Response to COVID‑19

May 31, 2021: TBS, Shared Services Canada and Communications Security Establishment officials will appear before the Committee in relation to this study to provide testimony specifically about cyber security. The Minister of Digital Government last appeared on this subject on May 25, 2020.

Other relevant parliamentary activity
  • Order Paper Question 96 (Mr. Aboultaif, Conservative Party of Canada (CPC)): TBS responded on behalf of the Government of Canada in 2019 to an order paper question regarding the government’s policy on ransomware attacks. The response outlined the Policy on Government Security, the supporting Directive on Security Management and the government’s Cyber Security Event Management Plan.
  • Order Paper Question 142 (Mr. Aboultaif, CPC): TBS also responded to an order paper question in 2019 regarding cyber security penetration testing. The response outlined the department’s adherence to the Treasury Board policies on security and the implementation of security assessment and authorization methodology.
Meeting summaries

February 17, 2021: Information Commissioner

The Information Commissioner began by reiterating that the right to access cannot be ignored, even during an emergency. She outlined the ways in which departments and agencies should be working to help with this right to access to ensure accountability. The government has not met expectations; however, there are some encouraging signs such as institutions regaining ability to process access to information requests. The postponement of the Access to Information and Privacy (ATIP) Online Request system and the delay in the Access to Information Act review is disappointing. There were, and continue to be, steps that can be taken immediately that do not require legislative change. Mme Maynard outlined the measures in the submission she sent to the President of the Treasury Board.

The Information Commissioner was critical of the leadership and guidance provided by the Treasury Board and reiterated throughout the meeting that concrete action was not being taken. The Commissioner is concerned about the ability for the ATIP process to keep up and the lack of resources (both in human resources and IT technology). The Commissioner expressed concern with the way in which reporting is done by TBS, including monthly departmental statistics and a better understanding of the current situation with ATIP shops. The Commissioner believes that vaccine contracts could be disclosed with the protection of certain elements in them. She also reinforced that proactive disclosure would solve a lot of the strain on the Access to Information and Privacy (ATIP) Online Request system, using examples such as Australia.

The Committee adopted a motion moved by Mr. Kelly McCauley (CPC) to re-adopt the Committee’s 2017 Report (Strengthening the Protection of the Public Interest Within the Public Servants Disclosure Protection Act) and request a government response. The Committee will also request that the President of the Treasury Board appear for a progress update on the recommendations.

Main Estimates 2021–22 and Departmental Plans 2021–22
Meeting summaries

May 26, 2021: Minister of Digital Government appearing with officials

In her opening remarks, Minister Murray provided the Committee with an overview of the mandate and vision of the digital government portfolio, focusing on the pan-governmental digital transformation, which includes modernizing the procurement of major IT systems; improving the service delivery experience; coordinating digital operations through collaboration; and removing organizational barriers by developing digital skills and diverse perspectives. The Minister also outlined the specific way that the investments included in the Main Estimates would help realize the transformation. Minister Murray reviewed the Departmental Plans for the digital government portfolio, with a focus on initiatives including the modernization of government IT and moving on from hundreds of legacy data centres; ensuring pan-governmental consistency on public-facing platforms; the development of SignIn Canada; and the implementation of the enterprise-management approach to IT.

The questioning of the Minister and officials focused on sole-source contracts, particularly with Cisco; on the presence of Huawei in the Canadian telecommunications grid, as well as within the Government of Canada’s IT systems; on the acceleration of the digital transformation as a result of the COVID‑19 pandemic; on the modernization of legacy systems; and on cyber security.

May 12, 2021: President of the Treasury Board appearing with TBS officials

The President of the Treasury Board began with opening remarks describing the Main Estimates 2021–22 government-wide and for Treasury Board, including funding for economic support for Canadians, vaccine funding and virtual care. The Departmental Plan 2021–22 for TBS highlighted the support and guidance for the COVID‑19 response, working with the Department of Finance Canada on the government’s financial impacts, support for a supportive and inclusive workplace, reducing greenhouse gas emissions, and reducing burden in regulatory affairs.

The Committee asked a variety of questions on the items in the Main Estimates 2021–22 and the TBS Departmental Plan 2021–22. The members were interested in the TBS initiatives related to diversity and inclusion, and the target diversity and inclusion numbers for executives set out in the Departmental Plan. Members also expressed curiosity in TBS’s involvement in the approval of COVID-related contracts and expenditures (for example, the Canada Emergency Wage Subsidy). Mme Julie Vignola (Bloc Québécois) expressed particular interest in the Phoenix damages file and the improvements set out by TBS to enhance bilingualism in the public service.

Interest in TBS / MDGO Portfolio

Conservative

  • Treasury Board processes
  • Sole-source contracts
  • Diversity and inclusion in the public service (particularly with executives)
  • Procurement guidelines and oversight by TBS
  • Consequences for departments not meeting the legislative ATIP deadlines

Liberal

  • Diversity and inclusion in the public service
  • Phoenix damages
  • Low-carbon fuel program
  • Transparency in financial reporting
  • Modernization of Official Languages Act

Bloc Québécois

  • Phoenix damages
  • Use of official languages in the public service
  • Modernizing networks
  • Access to information systems and software

New Democratic Party

  • Use of official languages in the public service
  • Class-action lawsuits and land claims
Other relevant parliamentary activity
Procurement practices within Shared Services Canada
Meeting summaries

April 28, 2021: Shared Services Canada President, Paul Glover, and Deputy Chief Technology Officer, Matt Davis, appearing

Mr. Glover provided an overview of the procurement practices within Shared Services Canada to the Committee in his opening remarks and offered to provide the Committee with any additional information the Committee would find helpful. Shared Services Canada will continue to modernize and standardized the networks across government to allow for being able to react quickly to the needs of departments. Shared Services Canada is also working on improving IT infrastructure to support advancing technology. Mr. Glover also reviewed the recommendations provided by the Gartner report submitted to the Committee by Shared Services Canada, Network Sourcing Decision Matrix Benchmark: Final Report.

Exchanges on the reasoning behind certain redactions in the documents previously provided by Shared Services Canada were tense at times. Mr. Glover explained the responsibilities and reasoning behind the redactions for Cabinet confidences and national security. Members were also curious about the advancements and modernizations Shared Services Canada has made in procurement processes and the procurement process with Cisco products.

Interest in TBS / MDGO Portfolio

Conservative

  • Decisions on how a Cabinet confidence is decided and who has access to them
  • Encouraging diversity in government vendors (Cisco)

Liberal

  • Relationships with vendor community

Bloc Québécois

  • Decisions on how a Cabinet confidence is decided and who has access to them

New Democratic Party

  • Decisions on how a Cabinet confidence is decided and who has access to them
Other relevant parliamentary activity
Supplementary Estimates (C) 2020–21 and Departmental Results Reports 2020–21
Meeting summaries

April 12, 2021: follow-up meeting to TBS appearance on Supplementary Estimates (C) 2020–21

Mr. Glenn Purves gave an opening statement to provide the Committee with additional context for the amounts provided in the documents provided by TBS on March 17, 2021. Mr. Purves welcomed the Committee’s feedback on the documents and encouraged the Committee to request more detailed information on any specific measure from the responsible departments. The final expenditures for the fiscal year 2020–21 will be available in the Public Accounts, which are expected to be tabled in the fall 2021.

Members expressed frustration at the level of detail provided by TBS in the March 17, 2021, documents and requested that the next reporting be the detailed information provided by all departments. TBS committed to providing reporting with the detailed level of information as requested by the Committee. TBS officials explained how reporting was done by departments every month through Titan and the ways in which parliamentarians and Canadians can rely on GC InfoBase to find the expenditure information. Members had many questions relating to details of other department expenditures, which TBS does not track.

March 10, 2021: Supplementary Estimates (C) 2020–21 and Departmental Results Reports 2020–21

Members were cordial and polite with the witnesses. Questions were technical at times in nature. Members were inquisitive about the funding to the Public Health Agency of Canada for vaccines and personal protective equipment and were interested in a breakdown of the information. The members were also keen to receive further information about the Phoenix damages payments and how those funds were being reported on. Questions also focused on the reduction of greenhouse gas emissions and the official languages white paper. Members were supportive of TBS’s initiative to promote fiscal transparency.

Interest in TBS / MDGO Portfolio

Conservative

  • Contracts awarded to Cisco
  • Products and services provided by the Canadian Digital Service
  • Tracking of COVID spending

Liberal

  • Reduction of greenhouse gas emissions

Bloc Québécois

  • Amounts allocated for Phoenix damages payments (including taxation)
  • Methods of calculations for expenses related to COVID‑19

New Democratic Party

  • Procurement assessments
Other relevant parliamentary activity
Briefing on the Parliamentary Budget Office’s reports
Meeting summaries

December 2, 2020: Parliamentary Budget Officer

The Parliamentary Budget Officer gave brief opening remarks on the change in timing in the supply cycle and raised concerns about the authorities approved in legislation for COVID‑19 relief, making it difficult to track the government’s spending.

Interest in TBS / MDGO Portfolio

Conservative

  • Transparency of COVID spending by the government
  • PPE procurement and contracts
  • Treasury Board approval for COVID relief programs

Liberal

  • Quality of information provided to Finance Committee (FINA) in the 43-1 Parliament by the Department of Finance Canada

Bloc Québécois

  • Quality of information provided on GC InfoBase by TBS for COVID-related spending

New Democratic Party

  • Quality of information provided on GC InfoBase by TBS for COVID-related spending
  • Critical of IT infrastructure programs
Other relevant parliamentary activity
Supplementary Estimates (B) 2020–21
Meeting summaries

November 30, 2020: President of the Treasury Board

Members were mostly cordial with witnesses but expressed frustration at the answers provided in response to questions related to transparency. Questions focused on the responsibility of the requirements under the Official Languages Act for any new implementation of programs, as well as a request for clarity on the process. Members were also concerned with the lack of clarity in terms of the amount of funds allocated toward COVID‑19 measures, as well as any future spending into these measures. The President also spoke of the Greening Government Strategy that was released earlier this week and the progress of Canada’s Centre for Regulatory Innovation.

Interest in TBS / MDGO Portfolio

Conservative

  • Transparency of COVID spending by the government

Liberal

Bloc Québécois

  • Requested a clear chart of COVID‑19 measures, spending to date, and future planned spending for each measure
  • TBS Response

New Democratic Party

  • The Parliamentary Budget Officer’s criticism at lack of transparency with COVID‑19 spending by the government
  • Requested a clear chart of COVID‑19 measures, spending to date, and future planned spending for each measure
  • TBS Response
Other relevant parliamentary activity (QP, OPQs, debate, tablings)
Main Estimates 2020–21
Meeting summaries

November 25, 2020: Minister of Digital Government

The members were primarily concerned with network security and the IT issues that the Government of Canada faces. The CPC members were seized with the issue of quantum computing and how Canada is working toward preventing an attack by this system. The CPC and New Democratic Party (NDP) members also wanted more information and updates on the access to information progress that the government has made after the initial problems in the spring. The Minister of Digital Government and officials highlighted that access to information requests and transparency remain a priority for the government. Shared Services Canada and TBS officials spoke of the efforts being made by the government to modernize and maintain the IT systems, while ensuring security is a priority.

The Committee carried all votes referred to the Committee on the Main Estimates 2020–21 on division.

November 4, 2020: President of the Treasury Board

Members were mostly cordial with the witnesses but were sometimes impatient with lengthier responses. The questions focused on the themes of transparency and accountability by the Treasury Board in spending and procurement policies. The comment in the most recent Parliamentary Budget Officer’s Report on the lack of transparency in Supplementary Estimates (B) was brought to the attention of the witnesses by several members. Members were also concerned about the mental health of public servants throughout the pandemic and the use of leave code 699, as well as the future of working from home (such as the purchase of home office furniture and the divesting of buildings). Officials from the Department of Finance Canada were also asked about plans for the tabling of a Budget, which does not yet have a determined date.

Interest in TBS / MDGO Portfolio

Conservative

  • Cyber security concerns (quantum computing)
  • Divesting of public service buildings (future of working from home)

Liberal

  • Phoenix stabilization

Bloc Québécois

  • Stabilization of Phoenix and NextGen

New Democratic Party

  • Nil

Chair: Robert Kitchen (Manitoba: Souris–Moose Mountain) – Conservative member

Robert Kitchen
  • Elected as the Member of Parliament for the riding of Souris–Moose Mountain in 2015.
  • Educated as a chiropractor and served on several provincial and federal committees prior to entering politics in 2015.
  • Served as a member on the Health Committee in the 43-1 Parliament and as the Vice-Chair on the Veterans Affairs Committee in the 42nd Parliament.
  • Has previously subbed for Conservative members on the OGGO Committee in past Parliament.

1st Vice-Chair: Francis Drouin (Ontario: Glengarry–Prescott–Russell) – Liberal member

Francis Drouin
  • Elected as the Member of Parliament for the riding of Glengarry–Prescott–Russell in 2015.
  • A member of the Standing Committee on Government Operations and Estimates and the Standing Committee on Agriculture and Agri-Food. Also a previous member of both those committees in the 42nd Parliament.
  • Prior to his election, Mr. Drouin worked as a special assistant in the Office of the Ontario Premier.

2nd Vice-Chair: Julie Vignola (Quebec: Beauport–Limoilou) – Bloc Québécois member

Julie Vignola
  • Elected as the Member of Parliament for the riding of Beauport–Limoilou in 2019.
  • Bloc Québécois Critic for Public Services and Procurement and government operations.
  • Former high school teacher and vice-principal.
  • Interested in and involved with various community well-being organizations, for example, Lions Club, Canada World Youth.
  • Advocate for Quebec’s independence.

Steven MacKinnon (Quebec: Gatineau): Liberal member, Parliamentary Secretary to the Minister of Public Services and Procurement

Steven MacKinnon
  • Elected as the Member of Parliament for the riding of Gatineau in 2015.
  • Parliamentary Secretary to the Minister of Public Services and Procurement.
  • Previously a non-voting member of the Standing Committee on Public Accounts and the Standing Committee on Government Operations and Estimates.
  • Previously a member of the Standing Committee on Finance.
  • Prior to his election, Mr. MacKinnon was a senior vice president at a global consultancy firm.
  • Mr. MacKinnon served as an advisor to former Prime Minister Paul Martin and former New Brunswick Premier Frank McKenna.

Rachael Harder (Lethbridge, Alberta): Conservative member

Rachael Harder
  • Elected as the Member of Parliament for the riding of Lethbridge in 2015.
  • Official Opposition Critic for Digital Government.
  • Formerly served as the Shadow Minister for Status of Women and the Shadow Minister for Youth and Persons with Disabilities.
  • Previously served as the Chair of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) in the 43-1 Parliament.
  • Serves as a member on the Standing Committee on Natural Resources (RNNR).

Pierre Paul-Hus (Quebec: Charlesbourg–Haute-Saint-Charles): Conservative member

Pierre Paul-Hus
  • Elected as the Member of Parliament for the riding of Charlesbourg–Haute-Saint-Charles in 2015.
  • Official Opposition Critic for Public Services and Procurement
  • Role as the lead editor for the PRESTIGE Media Group giving him experience with business, political and cultural sectors in Quebec City.
  • Previously served as the Official Opposition Critic for Public Safety and Emergency Preparedness
  • Served as Vice Chair of the Standing Committee on Public Safety and National Security (SECU) in the 43-1 and the 42nd Parliament.
  • Also a current member of the Canada-China Relations Committee (CACN)

Kelly McCauley (Alberta: Edmonton West): Conservative member

Kelly McCauley
  • Elected as the Member of Parliament for the riding of Edmonton West in the 2015.
  • Previously served on the Standing Committee on Government Operations and Estimates.
  • Served on the Executive Committee of the Board of Northlands, the Board of Alberta Aviation Museum.
  • Chairperson of the Employmnet Insurance Board of Referees for Edmonton and Northern Alberta.
  • Hospitality professional (managing hotels and convention centres).

Matthew Green (Ontario: Hamilton Centre): New Democratic Party member

Matthew Green
  • First elected in the 2019 federal election in the riding of Hamilton Centre (formerly held by NDP MP David Christopherson).
  • NDP Critic for Treasury Board, National Revenue, Public Services and Procurement, and Deputy Critic for Ethics.
  • Former Councillor for the City of Hamilton (2014 to 2018).
  • Member of the House of Commons Standing Committee on Public Accounts (PACP).
  • Member of the Canada-Africa Parliamentary Association (CAAF) and the Canadian Section of ParlAmericas (CPAM).

Majid Jowhari (Ontario: Richmond Hill): Liberal member

Majid Jowhari
  • Elected as the Member of Parliament for the riding of Richmond Hill in the 2015.
  • Previously a member of the Standing Committee on Government Operations and Estimates and the Standing Committee on Industry, Science and Technology.
  • A member of the Standing Committee on Government Operations and Estimates and the Standing Committee on Industry, Science and Technology.
  • Prior to his election, Jowhari was a licensed Professional Engineer from 1995 to 1999 and founded his own boutique consulting firm to provide advice to chief financial officers.
  • In 2018, the Canadian Alliance on Mental Illness and Mental Health named Majid Jowhari as a Parliamentary Mental Health Champion.

Irek Kusmierczyk (Ontario: Windsor–Tecumseh): Liberal member, Parliamentary Secretary to the Minister of Employment, Workforce Development and Disability Inclusion

Irek Kusmierczyk
  • Elected as the Member of Parliament for the riding of Windsor–Tecumseh in the 2019.
  • A member of the Standing Committee on Government Operations.
  • Parliamentary Secretary to the Minister of Employment, Workforce Development and Disability Inclusion.
  • Prior to his election, Mr. Kusmierczyk was a city councillor for the Windsor City Council.


Patrick Weiler (West Vancouver–Sunshine Coast–Sea to Sky Country): Liberal member

Patrick Weiler
  • Elected as the Member of Parliament for the riding of West Vancouver–Sunshine Coast–Sea to Sky Country in 2019.
  • Member of the Standing Committee on Natural Resources.
  • Environmental and natural resource management lawyer.
  • Represented First Nations, municipalities, small businesses and non-profits on environmental and corporate legal matters within this riding.
  • He is a champion of the Liberal government’s Pan-Canadian Framework on Clean Growth and Climate Change.

3. Overview of digital government during the COVID‑19 pandemic (Office of the Chief Information Officer, Canadian Digital Service, Digital Transformation Office)

Issue

What has the government done on the digital front to address operational and service delivery challenges related to the COVID‑19 pandemic?

Key facts

  • The Office of the Chief Information Officer is working with Shared Services Canada, the Canadian Digital Service and the Digital Transformation Office to support the operation of government IT infrastructure and systems and maintain continuity of critical federal services.
  • The Digital Transformation Office is coordinating the whole-of-government approach to online citizen service at Canada.ca/coronavirus with Health Canada, the Public Health Agency of Canada, the Privy Council Office and Service Canada.
  • Following COVID, the Secure Remote Access capacity was increased to support 300,000 simultaneous connections, which represents roughly 72% of the employees working for federal entities supported by Shared Services Canada.
  • Over 282,855 accounts for Microsoft 365 were created, supporting employees across the government with collaborative tools.
  • The mobile phone inventory grew by 45,000 new accounts during the pandemic. This includes smartphones (voice/text/data) and regular mobile devices (voice/text).

Response

  • We are accelerating our efforts for digital transformation during this pandemic to continue advancing an open, secure and resilient digital government.
  • We are actively supporting the ongoing operation of IT infrastructure and systems and have also increased the federal network’s capacity so that critical services can continue.
  • We are ensuring that departments and public servants have the knowledge, tools and equipment they need to work remotely. This includes procuring and provisioning new devices and equipment, and rapidly deploying new cloud-based collaboration and communication systems government-wide.
  • Working with many departments since early March 2020, the Digital Transformation Office has been coordinating the whole-of-government web response to COVID‑19, constantly improving the user experience through evidence-based updates on Canada.ca/coronavirus.
  • The Canadian Digital Service is helping Canada respond to the COVID‑19 crisis by working with departments and other jurisdictions to build new open source tools and services such as GC Notify, a tool that provides any department with the ability to send email or text notifications quickly.

Background

The COVID‑19 pandemic continues to transform the government’s operational and service landscape. In mounting its response, the government is accelerating its digital transformation, delivering results that directly support Canadians during this time of crisis while strengthening the government’s foundation for becoming a more open, people-centric and resilient digital government into the future.

The Office of the Chief Information Officer of TBS is working with Shared Services Canada, the Canadian Digital Service and the Digital Transformation Office to actively support the ongoing operation of the government’s IT infrastructure and systems and maintain continuity of critical federal services.

In parallel, Shared Services Canada and the Office of the Chief Information Officer are ensuring that departments and public servants have the knowledge, tools and equipment they need to work remotely. This includes procuring and provisioning new devices and equipment, and rapidly deploying new cloud-based collaboration and communication systems government-wide.

The Office of the Chief Information Officer is in continuous contact with the Canadian Centre for Cyber Security to maintain awareness of the global cyber threat environment, including regular scanning for new vulnerabilities that may impact the government.

The Office of the Chief Information Officer is working closely with departments and agencies to support service delivery by strengthening business continuity planning, identifying critical services, and focusing committee forward agendas on COVID‑19-related efforts. This includes working with Shared Services Canada and Public Safety Canada to identify critical service interdependencies, including between services identified in departmental service inventories, critical services and the IT systems that support them.

TBS has reached out to chief information officers from all departments to understand their unmet staffing needs in priority areas, and to develop a tool to centrally identify and deploy talent to the most-needed areas. This includes repurposing and upgrading features on the Talent Cloud platform to create the GC Talent Reserve, a tool to capture staffing needs and available talent. This will be used initially for the chief information officers community, and the Office of the Chief Information Officer is working with the Office of the Chief Human Resources Officer to determine its suitability for wider use. 

TBS is actively supporting government in managing its legislative and policy responsibilities during the COVID‑19 response, including those related to IM. Key activities include system modifications and website notifications, as well as regular guidance to departments and agencies. The Office of the Chief Information Officer also improved the searchability of open government resources, including datasets and infographics, related to COVID‑19 by creating a COVID‑19-specific search functionality on open.canada.ca.

The Office of the Chief Information Officer is engaging within the Government of Canada, as well as across Canadian jurisdictions, sectors and internationally, to establish strong lines of communication, share best practices, and support a coordinated response by chief information officers to the COVID‑19 pandemic.

On the global stage, this includes engaging partners through key forums like the Digital Nations, the Open Government Partnership, and the Organisation for Economic Co-operation and Development (OECD).

At the national level, the Office of the Chief Information Officer is leveraging its role as co-chair of the Public Sector Chief Information Officer Council and the Chief Information Officer Strategy Council to bring together chief information officers from provincial and territorial public sectors, and from Canada’s public and private sectors, respectively, for coordinative action on COVID‑19 challenges.

The Office of the Chief Information Officer is also exploring opportunities to leverage private sector expertise to support the COVID‑19 response. This includes launching a task force to act as a coordinative hub for all IM/IT COVID‑19 vendor offers of support across government.

The Digital Transformation Office is working with lead COVID‑19 departments to ensure that the COVID‑19 information and services provided through Canada.ca/Coronavirus are provided in an integrated, whole-of-government way. It’s providing rapid prototyping and usability research and testing skills to key COVID‑19 files, such as vaccines, public health guidelines, travel, ArriveCAN, the Canada Recovery Benefit, the Canada Emergency Wage Subsidy, and the Canadian Emergency Response Benefit. Moreover, the Digital Transformation Office has put in place a performance measurement framework to gather, evaluate and improve the performance of top COVID‑19 information and services so that departments and agencies have data and direct feedback from citizens and businesses to support improvements.

On a national level, the Digital Transformation Office established a COVID‑19 web working group with provincial and territorial counterparts to improve the coordination of COVID‑19 efforts across jurisdictions, including sharing usability testing results and feedback received from citizens and business through Canada.ca. The Digital Transformation Office is also working with the Communications Community Office on a collective staffing process to bring in more skilled user experience researchers, content designers and digital communication specialists to fill the talent gap in these functional areas in the federal government.

The Canadian Digital Service is helping Canada respond to the COVID‑19 crisis by working with departments, other jurisdictions and sectors to build new open source tools and services and leverage existing ones.

For example, the Canadian Digital Service is helping combat misinformation during COVID‑19 with GC Notify, working with Health Canada to launch a new notification service that has sent more than 5 million messages to Canadians to provide them with up-to-date and accurate information on COVID‑19 that they can trust.

The Canadian Digital Service also collaborated with Employment and Social Development Canada and the Canada Revenue Agency to launch an online service that has already helped more than 1 million Canadians receive personalized advice on financial help available to them from the government during the pandemic.

This includes partnering with public and non-profit partners (including the Canada School of Public Service) to leverage available open source tools and services for effective collaboration and service delivery through the Open Call initiative.

4. Digital Strategy (Office of the Chief Information Officer, Canadian Digital Service, Digital Transformation Office)

Issue

In May 2021 (TBC), Canada’s Minister of Digital Government will be releasing the Digital Strategy for the Government of Canada.

Key facts

  • On November 20, 2019, the Government of Canada announced the Honourable Joyce Murray as Minister of Digital Government, with a mandate to lead work across government in its transition to a more digital government and improved services to citizens.
  • The Office the Chief Information Officer, Shared Services Canada and the Canadian Digital Service have worked collaboratively to support the operation of government IT infrastructure and systems and maintain continuity of critical federal services.
  • Four key areas of work to enable digital transformation have been identified:
    • modernizing how the government replaces, builds and manages major IT systems
    • providing services to people when and where they need them
    • taking a coordinated approach to digital operations
    • transforming how we work, recognizing that this isn’t just an IT challenge – it’s also a culture challenge
  • The strategy is an online, evergreen plan that lays out the necessary steps to transition to a truly digital government that employs up-to-date technology to deliver the type of services citizens and residents expect in a digital age. The strategy, along with the Digital Operations Strategic Plan and the Government of Canada’s Digital Standards, will provide the framework for the government to deliver secure, reliable and easy to access services to citizens, residents and businesses.

Response

  • The Government of Canada is accelerating its digital transformation and strengthening its foundation for a more open, people-centric and resilient digital government, now and into the future.
  • This includes enabling new ways to deliver more secure, reliable and easy to use services to Canadians.
  • The Digital Strategy is an iterative plan to transform Canadians’ experience with the Government of Canada and offer the level of service we have all come to expect in the digital age.
  • The Digital Strategy outlines four key areas of work to deliver secure, reliable and easy to access services to citizens, residents and businesses.
  • First, we are modernizing the way that we replace, build and manage major IT projects.
  • Second, the government is also exploring options for new platforms, tools and services, designed for the people they serve, that make it easier for Canadians to find and use services.
  • Third, we are building and strengthening our foundational infrastructure to support whole-of-government operations, meet departments’ digital operational needs, and continue to protect information, people and assets to deliver trusted programs and services to citizens, whether digital or in person.
  • Finally, this accelerated transformation includes looking at ways to transforming the institutional barriers to digital change within government, ensuring we always have the right digital skills, in the right places, supported by a strong, enabling leadership that empowers the change.
  • Throughout this transformation, we continue to advance the Digital Standards and Digital Operations Strategic Plan to ensure that users and their needs are at the heart of our services, programs and operations.

Background

On November 20, 2019, the Government of Canada announced the first stand-alone Minister of Digital Government, with clear mandate letter commitments to lead work across government to transition to a more digital government and improve citizen service.

Mandate and actions to date

In this role, the Minister will lead the development and implementation of digital strategy and programming at TBS and Shared Services Canada, including efforts to identify core and at-risk IT systems and platforms, to assemble the expertise needed to effectively implement major transformation projects, and to renew Shared Services Canada.

The Minister is also mandated with leading work on the Next Generation Human Resources and Pay System, with accelerating progress on a new strategy to create a single online window for all government services, and with supporting several key Ministers in digitally transforming their services as well as leveraging both digital technologies like artificial intelligence and digital approaches like open source and open data.

This ministerial mandate builds on the Government of Canada’s work during the last mandate to lay the building blocks for digital government. This included amending the Financial Administration Act to formalize the role of the Chief Information Officer of the Government of Canada in legislation and elevate the function to a deputy minister–level position in order to strengthen management of government IT and support government-wide digital transformation.

The Government of Canada also announced its Digital Standards that establish how all public servants should work differently in the digital age. This includes ensuring that services, programs and operations are user-centric, and that the Government of Canada leverages digital technologies and methods to deliver the high-quality citizen services Canadians expect. The standards were recently updated with further guidance on how departments and agencies can fully integrate the standards into their work.

This includes responsibly and ethically leveraging artificial intelligence in service delivery. The Government of Canada’s world-leading Directive on Automated Decision-Making and Algorithmic Impact Assessment tool supports the responsible, human rights–based use of automated decision-making systems by helping departments and agencies assess and mitigate any associated impacts. The Government of Canada has also created an artificial intelligence source list to support departments and agencies in procuring ethical and effective artificial intelligence solutions, services and products that enable improved, digital-age public services.

The Government of Canada is also building a policy framework that supports government‑wide digital transformation. This includes the Policy on Service and Digital, which took effect April 1, 2020. This policy suite establishes a set of now-integrated rules that will guide how the Government of Canada manages service delivery, accessibility, information and data, IT, and cyber security in order to deliver better, user-centric services in the digital era.

Finally, the Government of Canada has established new organizations, designed to support the transition to a more digital government. The Digital Transformation Office is leading the integration of the Government of Canada’s web presence on Canada.ca and improving it so that people can find and use the information and services they need, regardless of the department or agency that provides them. Fundamental to this work is measuring the performance of Canada.ca’s top tasks and providing guidance to departments and agencies on how to improve their top tasks to better meet the needs of citizens and businesses. The Canadian Digital Service helps federal organizations design and deliver services that meet the needs of citizens including through GC Notify that allows departments to quickly and easily send emails and text messages to service users. To date, 117 services have sent over 12.6 million notifications through GC Notify. On July 31, 2020, the Canadian Digital Service and Health Canada also released COVID Alert, Canada’s free COVID‑19 exposure notification app. The app was developed in collaboration with partners in the private sector and with provincial governments.

Additionally, the Digital Academy at the Canada School of Public Service equips public servants with the skills they need to deliver digital age service excellence.

Digital Strategy and Budget 2021

The Minister is leading the implementation of a digital strategy for government organized across four key areas:

  • using modular methods to modernize the way we replace, build and manage mission-critical IT systems
  • designing services for the people that use them so that they are reliable, secure, timely, accessible and easy to use from any device
  • taking a whole-of-government approach to data stewardship and IT operations, tools and assets
  • transforming the institutional barriers to change that have held us back in the past

Building on this existing strategy, Budget 2021 reinforces the government’s commitment to generational investments in Canada’s IT ecosystem. These include investments to acquire new technologies and tools to protect taxpayer information, the modernization of Canada’s benefit delivery systems, accelerating plans to ensure all Canadians have access to broadband Internet, establishing a new Data Commissioner to inform government and business approaches to data-driven issues, as well as a range of supporting investments to address the overall technical debt across government.

Budget 2021 outlines an ambitious next phase for Canada’s digital transformation, with over $2.5 billion invested in both the highest-impact services – like benefits, taxes and immigration – with over $1 billion of that amount dedicated to modernizing critical IT systems, strengthening cyber security efforts, and providing coordinated and informed centralized support to our government-wide transformation effort.

This includes $88 million over four years, starting in 2022–23, and $25.8 million ongoing, to TBS to renew and expand the capacity of the Canadian Digital Service and further improve how the government delivers digital services to Canadians. It also provides $34 million to the Office of the Chief Information Officer to provide strategic direction and leadership in the areas of IM, IT, security, privacy and access to information across the Government of Canada.

TBS continues to work actively with its partners across the Government of Canada to concretely advance the digital government mandate and to improve services to Canadians. This includes efforts to improve governance while empowering teams to be agile and focus on designing user-centred services.

5. Digital Operations Strategic Plan 2021–2024 (Office of the Chief Information Officer)

Issue

The Digital Operations Strategic Plan is the Chief Information Officer of Canada’s annual, forward-looking three-year strategic plan. It sets government‑wide priorities and lists key actions that departments and agencies need to transition to a more digital government and to meet the requirements of the Policy on Service and Digital.

Key facts

  • The Digital Operations Strategic Plan for 2021–24 was published on May 13, 2021.
  • In April 2020, the Treasury Board Policy on Service and Digital formalized the requirement for the Chief Information Officer of Canada to issue “an annual, forward‑looking 3‑year enterprise‑wide plan that establishes the strategic direction for the integrated management of service, information, data, information technology (IT) and cybersecurity.”
  • The 2021–2024 Digital Operations Strategic Plan fulfills this requirement and outlines four strategic pillars – or areas of work directly related to the Digital Government Strategy – necessary to make digital government a reality for Canadians and the public service. These pillars are:
  • modernize legacy IT systems
  • improve services
  • implement enterprise
  • transform the institution

Response

  • The Government of Canada is accelerating its digital transformation and strengthening its foundation for a more open, people-centric and resilient digital government, now and into the future.
  • The 2021–2024 Digital Operations Strategic Plan provides the strategic direction for the government’s integrated management of service, information, data, IT and cybersecurity.
  • The current Digital Operations Strategic Plan has been updated and refreshed to reflect the accelerated digital transformation and lessons learned from the COVID‑19 pandemic.
  • The Digital Operations Strategic Plan is made up of four areas of work which represent the objectives that support the achievement of a transition to a more digital government:
    • modernizing the way we replace, build and manage major IT systems
    • providing services to people when and where they need them
    • taking a whole-of-government approach to digital operations
    • transforming how we work

Background

In fall 2016, in response to an audit conducted by the Office of the Auditor General, the Office of the Chief Information Officer of Canada in TBS issued strategic direction to federal departments and agencies for IM and IT by publishing the first Government of Canada Information Technology Strategic Plan.

As committed to in response to the audit, the first annual update to the strategic plan was produced in 2017. It was then refocused in fall 2018 to include service alongside IM and IT priorities and renamed the Digital Operations Strategic Plan.

In 2019, the government reaffirmed its commitment to digital government and better service delivery, a commitment strengthened when the Prime Minister created a separate portfolio for digital government and appointed its first stand-alone Minister responsible for the Digital Transformation of Government.

In April 2020, the Treasury Board Policy on Service and Digital formalized the requirement for the Chief Information Officer of Canada to issue “an annual, forward‑looking 3‑year enterprise‑wide plan that establishes the strategic direction for the integrated management of service, information, data, information technology (IT) and cybersecurity.”

The 2021–2024 Digital Operations Strategic Plan, published on May 13, 2021, fulfills this requirement and outlines four strategic pillars – or areas of work directly related to the Digital Government Strategy – necessary to make digital government a reality for Canadians and the public service. These pillars are:

  • modernize legacy IT systems
  • improve services
  • implement enterprise
  • transform the institution

Each pillar is articulated through priorities and associated actions that departments and agencies need to fulfill to advance the digital government agenda.

Deputy heads are responsible for developing their annual, forward‑looking three‑year integrated plans for service and digital in alignment with the Digital Operations Strategic Plan and in support of their departmental mandates and requirements.

Budget 2021

In this section

6. Investments in digital government

Issue

How will investments included in Budget 2021 support digital government in Canada?

Key facts

  • Budget 2021 proposed to invest a total of $101.4 billion over the next three years.
  • The Budget includes $648 million over seven years to TBS and Employment and Social Development Canada to continue implementing Benefit Delivery Modernization, invest in Service Canada’s IT systems and related activities, and support service delivery to Canadians.

Response

  • Budget 2021 recognizes the critical role played by digital government and provides the investments needed to continue the government’s digital transformation and ensure a resilient digital government for the future.
  • Proposed key investments outlined in the budget will enable the government to improve and defend our cyber networks, repair and replace critical IT infrastructure, and to continue to help departments move digital applications to modern computing facilities.
  • Budget 2021 investments will also allow continued work on the Benefit Delivery Modernization program and support the government’s future service delivery to Canadians.
  • We look forward to working together to ensure the investments made through Budget 2021 continue to strengthen the Government of Canada’s ability to meet the needs and expectations of Canadians, now and into the future.

Background

Budget 2021 proposed to invest a total of $101.4 billion over the next three years, which is forecasted to result in a deficit of $354.2 billion in 2020–21. The deficit is further forecasted to decline to $30.7 billion in 2025–26, approximately 1% of GDP.

To support digital government, Budget 2021 committed:

  • $88 million over four years, with $25.8 million ongoing, to the Canadian Digital Service to continue to design and deliver digital government services
  • $34 million over five years, with $7 million ongoing, to the Office of the Chief Information Officer to continue to provide strategic direction and leadership in the areas of IM, IT, security, privacy and access to information across the Government of Canada
  • $456.3 million over five years, starting in 2021–22, with $60.7 million in remaining amortization and $62.2 million ongoing, to Shared Services Canada and the Communications Security Establishment, to ensure the security of Canadians’ information (allocation of funds between Shared Services Canada and the Communications Security Establishment is not publicly disclosed)

Other Budget 2021 investments supporting the government’s digital service delivery include:

Investments to enable government operations
  • $45 million over two years to ensure that the Office of the Chief Human Resources Officer has the capacity necessary to address human resources, pay and pension policy matters on behalf of the Government of Canada
  • $267 million over five years for the Department of National Defence to upgrade the critical information systems it relies on to manage its assets, finances, and human resources
  • $4 million over five years to the Office of the Commissioner of Lobbying of Canada to improve the resilience and capabilities of the Office’s IM/IT systems used to ensure transparent lobbying in Canada
Investments to enable service delivery
  • $1 billion over six years, starting in 2021–22, to the Universal Broadband Fund
  • $648 million over seven years to Employment and Social Development Canada and TBS to continue implementing Benefit Delivery Modernization, invest in Service Canada’s IT systems and related activities, and support service delivery to Canadians
  • $43.9 million over three years to the Canada Revenue Agency to accelerate the ongoing work with digital government and Employment and Social Development Canada, and to develop the first phase of an e-payroll solution. TBS will co-chair a steering committee with the Privy Council Office to oversee the implementation of this project
  • $9 million in 2021–22 to fund Health Canada to ensure continued availability of the federal digital tools for COVID‑19
  • $428.9 million over five years, with $398.5 million in remaining amortization, starting in 2021–22, to develop and deliver an enterprise-wide digital platform that would gradually replace the legacy Global Case Management System; this will enable improved application processing and support for applicants, beginning in 2023
  • $41.7 million over three years, starting in 2021–22, to the Canada Revenue Agency to reduce processing time for T1 adjustments (that is, corrections to people’s general income tax return) by making online self-service more user-friendly and improving automated processing of T1 adjustments
  • $88.2 million over five years, starting in 2021–22, with $13 million ongoing, to the Parole Board of Canada, the Royal Canadian Mounted Police and Public Safety Canada to reduce application fees, create an online application portal, and support community organizations that help people navigate the pardon application process
Investments in privacy and cyber security
  • $330.6 million over five years, starting in 2021–22, with $1.6 million in remaining amortization, and $51.2 million ongoing, to the Canada Revenue Agency to invest in new technologies and tools that match the growing sophistication of cyber threats, and to ensure the Canada Revenue Agency’s workforce has the specialized skills to proactively monitor threats and better safeguard Canadian data
  • Up to $443.8 million over 10 years, starting in 2021–22, in support of the Pan-Canadian Artificial Intelligence Strategy
Investments in data
  • $17.6 million over five years, starting in 2021–22, and $3.4 million per year ongoing, to create a Data Commissioner to inform government and business approaches to data-driven issues. An additional $8.4 million over five years, starting in 2021–22, and $2.3 million ongoing, to the Standards Council of Canada to continue its work to advance industry-wide data governance standards
  • Up to $5 million over two years, starting in 2021–22, to Statistics Canada to work with partners to enhance the availability of business condition data, better ensuring that the government’s support measures are responsive to the needs of Canadian businesses and entrepreneurs

Cyber security

In this section

7. Cyber security overview: Government of Canada’s roles and responsibilities (Office of the Chief Information Officer)

Issue

How is cyber security addressed in the Government of Canada, including cyber threats that may pose a risk to government infrastructure, or when aimed at private enterprise?

Key facts

  • TBS, Shared Services Canada and the Communications Security Establishment are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and continues to evolve.
  • The Royal Canadian Mounted Police (RCMP) is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the government’s infrastructure.
  • The Policy on Service and Digital outlines the roles and responsibilities of departments for specific aspects of cyber security.
  • The Policy on Government Security outlines the roles and responsibilities for lead security agencies.
  • Government of Canada departments and agencies play an integral role in establishing governance to ensure the integrated management of service, information, data, IT and cyber security within their department.

Response

  • Government of Canada departments and agencies, in collaboration with lead security agencies, are responsible for ensuring that cyber security risks are assessed and mitigated within their organization.
  • Together, TBS, Shared Services Canada and the Communications Security Establishment work to ensure the government’s cyber security posture is current and effective.
  • We have robust systems and tools in place to monitor, detect and investigate potential threats, and take active measures to address and neutralize these threats.
  • The government will continuously work to enhance cyber security in Canada by preparing for all types of cyber incidents, protecting Canadians and their data.

Background

Overview

The Government of Canada works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians.

The government has improved its enterprise capacity to detect, defend and respond to cyber threats; centralized Internet access points; launched an enterprise security architecture program; established the foundation of a government cyber security program; and implemented a whole-of-government incident response plan.

Recent investments

Budget 2018 investments included the implementation of a new National Cyber Security Strategy, including the establishment of the Canadian Centre for Cyber Security (Cyber Centre) within the Communications Security Establishment. Funding was allocated for the following four initiatives to strengthen protection of the Government’s networks and information:

  • Government of Canada Secret Infrastructure (GCSI) to offer classified (up to Secret) network service to a wider Government of Canada audience
  • Endpoint Visibility, Awareness and Security (EVAS) to provide the government with a comprehensive understanding of its IT assets and the ability to protect these assets and respond effectively to cyber security events
  • Small Departments and Agency Study to conduct a study and cost benefit analysis to migrate all small departments and agencies to secure Shared Services Canada–managed Internet connections
  • Secure Cloud Enablement and Defence (SCED) Project to establish new private, secure, dedicated connections between the Government and major cloud service providers to minimize cyber security risks

Budget 2021 provided additional funding to the SCED Project to further improve the infrastructure and increase bandwidth, availability and the resources to facilitate connectivity for departments.

Roles and responsibilities

Government departments and agencies have responsibility of ensuring cyber security within their organization. The Policy on Service and Digital for specific aspects of cyber security, such as:

  • integrating cyber security in overall governance of service, information, data and IT
  • designating an Official for Cyber Security who is responsible for departmental cyber security management function
  • including cyber security in departmental planning in alignment with enterprise-wide plan approved by the Chief Information Officer of Canada

TBS, Shared Services Canada and the Communications Security Establishment are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats.

TBS provides strategic oversight of government cyber security event management to ensure effective coordination of major security events and support government-wide decision-making. The Chief Information Officer for the Government of Canada, at TBS, sets IT security policy along with other delegated powers.

The Communications Security Establishment houses the Canadian Centre for Cyber Security (Cyber Centre) which monitors government systems and networks for malicious activities and cyberattacks, as well as leads the government’s operational response to cyber security events. The Cyber Centre works to protect and defend the country’s valuable cyber assets and works side by side with the private and public sectors, including critical infrastructure, to solve Canada’s most complex cyber issues.

The Cyber Centre leads the “Get Cyber Safe” a national public awareness campaign to inform Canadians about cyber security and the simple steps they can take to protect themselves online.

Given the cross-cutting nature of cyber security, a number of other federal departments and agencies play a role in various aspects of cyber security:

Public Safety Canada leads national cyber security policy and strategy by, for example:

  • coordinating the overall response to significant national cyber events through the Government Operations Centre working closely with TBS.
  • working with Canadian and international governments, associations, academia and industry to continually advance cyber security both domestically and internationally

The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the government’s infrastructure. They also lead the investigative response to suspected criminal national security cyber incidents and assist domestic and international partners with advice and guidance on cybercrime threats.

The Canadian Security Intelligence Service is the primary department responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.

National Defence / Canadian Armed Forces is the primary department responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.

Government of Canada Cyber Security Event Management Plan

TBS has developed and maintains the Government of Canada Cyber Security Event Management Plan (GC CSEMP).

GC CSEMP is the whole-of-government incident response plan under the oversight of TBS, providing an operational framework which outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion across the government.

TBS is responsible for strategic oversight of government cyber security event management to ensure effective coordination of major security events and to support government-wide decision-making.

TBS works closely with the Communications Security Establishment and its Canadian Centre for Cyber Security (Cyber Centre), who leads the government’s operational response to cyber security events. The Cyber Centre works to protect and defend the country’s valuable cyber assets and works side by side with the private and public sectors, including critical infrastructure, to solve Canada’s most complex cyber issues. The Cyber Centre monitors government systems and networks for malicious activities and cyberattacks.

GC CSEMP’s latest update of the plan took effect in April 2020 and is available publicly on Canada.ca. The update was made to reflect the creation of the Canadian Centre for Cyber Security as well as lessons learned since 2018 and was not related to the COVID‑19 pandemic.

Lessons learned from the recent cyber incidents in the summer 2020 (credential stuffing incident) are being captured and will be integrated into the next refresh of GC CSEMP, scheduled for this year.

Keeping Canadians safe from cyber threats during the COVID‑19 pandemic

COVID‑19 has presented cybercriminals and fraudsters with an effective lure to encourage victims to visit fake web sites, open email attachments, and click on text message links. These various forms of communication typically impersonate health organizations and can pretend to be from the Government of Canada.

TBS amended the Standard on Email Management in 2020, to enhance email domain protection by requiring the implementation of domain-based message authentication, reporting and conformance. This email authentication protocol reduces the ability of cyber actors to impersonate trusted brands to perpetrate fraudulent activity and allows the Government of Canada to detect email spoofing.

The Cyber Centre, in coordination with industry partners, is taking action that is contributing to the removal of a number of fraudulent sites that have spoofed organizations such as the Public Health Agency of Canada, the Canada Revenue Agency, and the Canada Border Services Agency.

The Cyber Centre has also been working to protect the Government of Canada through continued monitoring of important government programs against cyber threats (including COVID-related benefits such as Canadian Emergency Response Benefit and others), enabling cyber security monitoring/defence for cloud usage across the government and evaluating cloud applications, including for the Public Health Agency of Canada.

The Cyber Centre shares advice and guidance to help clients make informed decisions when using remote access services, and selecting, installing and using video-teleconferencing tools.

The Canadian Internet Registration Authority (CIRA) partnered with the Cyber Centre to integrate its Canadian threat intelligence feed into a free DNS firewall service that provides online privacy and security to individuals and families across Canada, based on defensive measures that have already been in place to protect the government’s own systems.

8. Security and information management during COVID‑19 (Office of the Chief Information Officer)

Issue

In the context of the COVID‑19 pandemic, a large portion of the public service is working from home. Concerns have been raised regarding potential risks associated with security and IM.

Key facts

  • In her letters to the President of the Treasury Board on April 2, 2020, and April 28, 2020, the Information Commissioner of Canada reminded the government of the importance of documenting decisions and proactively disclosing data during these extraordinary times.
  • In April 2020, TBS released guidance entitled “Managing government information when working remotely” to guide employees in managing government information securely when working remotely.
  • On May 28, 2020, the President wrote to his Cabinet colleagues encouraging Ministers to proactively publish as much information as possible related to COVID‑19 and reminded them of the importance of ensuring best practices in IM.
  • TBS released an updated version of the Guideline on Service and Digital in November 2020 that provided organizations with the most current advice and guidance for the strategic management of information and data.

Response

  • The government remains committed to managing information securely and effectively, in accordance with its sensitivity, while ensuring transparency, openness and accountability to Canadians.
  • All public servants are expected to manage, secure and document information according to legislative requirements and Treasury Board policies, whether working on-site or remotely, and regardless of the tools they use. Tools that are publicly available can only be used for unclassified, non-sensitive discussions that would be permitted in an open, public setting.
  • Robust systems are in place to monitor, detect and investigate potential cyber security threats to information that may result from working remotely.
  • Safeguards such as encryption, encrypted virtual private network (VPN), encrypted storage devices and upgraded tablets, have been used to protect information, while ensuring employees can continue delivering trusted services and programs to Canadians.
  • Guidance has been provided to departments and agencies emphasizing the importance of documenting decisions and adhering to IM security requirements and to notify departments that security policy requirements for the protection of government assets remain in place, including information, whether in the office or off-site.

Background

Government of Canada employees were reminded of the requirements to manage information securely and effectively in accordance with its sensitivity and all relevant policy and legislative requirements while working remotely. These requirements are set out in legislation, including the Library and Archives Act, as well as in Treasury Board policy instruments, including the Policy on Service and Digital and Directive on Service and Digital and the Policy on Government Security, including the Directive on Security Management.

These requirements include the obligation of employees to document decisions and activities of business value. This includes information, regardless of medium or form, which is created or acquired because it enables and documents decision-making in support of programs, services and ongoing operations, or supports departmental reporting, performance and accountability requirements. Information of business value, no matter where it is created or collected, is required to be transferred to and stored in the appropriate organizational corporate repository.

Employees are also required to ensure the security and proper handling of sensitive information, consistent with the security categorization of the information, as outlined in the Policy on Government Security instruments. This means respecting security markings, and making sure that appropriate tools, devices and methods are used to store, transmit, use and protect the information. In the case of third-party applications, such as Zoom and Google Drive, their use is acceptable for unclassified information. Employees have been reminded to use approved government tools and services for collaboration and communication, such as Microsoft 365, Microsoft Teams and GC Tools, wherever possible.

TBS continues to provide guidance to organizations on IM and security. Last April, we released guidance entitled “Managing government information when working remotely” as well as a toolkit to further guide employees in managing government information when working remotely. The toolkit has been updated regularly since its initial release to ensure it provides the most relevant and up-to-date guidance.

TBS also co-hosted a virtual security summit in October 2020 and reinforced the important leadership role of the government security community to continue to provide direction and guidance to employees on the protection of government information. This message was again re-emphasized to government chief security officers in an email from TBS in January of this year.

TBS hosted a virtual event last November for over 1,600 public servants to launch the Policy on Service and Digital, with a focus on the integrated approach of the policy that brings together technology, information and data, services, and cybersecurity. This event coincided with the release of updated policy guidance that provides organizations with the most current advice and guidance for the strategic management of information and data.

9. Government of Canada cyber security events (Office of the Chief Information Officer)

Issue

The Government of Canada’s response to cyber incidents such as GCKey, SolarWinds, Microsoft Exchange and the recent third-party supplier incident.

Key facts

  • On August 5, 2020, the Government of Canada was made aware of a credential stuffing attack against the GCKey service.
  • Of the roughly 12 million active GCKey credentials in Canada, the passwords and usernames of just over 9,300 GCKey credentials were used by bad actors to access government accounts.
  • On December 13, 2020, SolarWinds disclosed a security advisory outlining recent malicious activity impacting SolarWinds Orion Platform resulting from a supply chain compromise. SolarWinds Orion software products are used to help monitor networks for problems.
  • In early March 2021, Microsoft announced that they detected four zero-day vulnerabilities being exploited to compromise on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft released out-of-band patches to address all four vulnerabilities.
  • On March 12, 2021, a third-party printing services supplier to the government was impacted by a ransomware cyber event. Upon its detection, the supplier shut down all external access to their systems. This attack was not directed at the Government of Canada, nor its IT infrastructure.

Response

  • The Government of Canada, like many other public and private sector organizations in the world, faces ongoing and persistent cyber threats.
  • The government has robust systems and tools in place to monitor, detect and investigate potential threats, and to neutralize threats when they occur.
  • TBS, the Canadian Centre for Cyber Security, Shared Services Canada and other partners work closely together to investigate and respond to the cyber events as soon as alerted, and to make data, applications and systems secure for Canadians.
  • We work continuously to protect Canadians’ data and personal information against cyber threats. We will continue to work to identify cyber threats and vulnerabilities and preparing for and responding to all types of cyber incidents.

Background

In this past fiscal year, the Government of Canada experienced four notable cyber security events: GCKey credential stuffing attack, SolarWinds supply chain compromise, the exploitation of Microsoft Exchange critical vulnerabilities, and a ransomware incident at a third-party printing service that has contracts with the government. The incidents are the result of threats faced by public and private sector organizations alike.

GCKey

On August 5, 2020, the Government of Canada was made aware of a credential stuffing attack against the GCKey service. A credential stuffing attack involves a bad actor who maliciously attempts to access an online service by using usernames and passwords found from breaches of other services. Bad actors take advantage of the fact that many people reuse usernames and passwords across multiple accounts. The GCKey itself was not compromised and the credentials used did not originate from the service. Around the same time, a similar attack was mounted against the Canada Revenue Agency. Of the roughly 12 million active GCKey credentials in Canada, the passwords and usernames of just over 9,300 GCKey credentials were used by bad actors to access government accounts. In response, the government revoked the affected credentials and put in place measures to prevent further attempts to access its services with these compromised credentials. These measures blocked subsequent attacks.

In addition to the impact on GCKey users, the Canada Revenue Agency identified suspicious activities occurring between early July and August 15, 2020, on approximately 48,500 of the more than 14 million Canada Revenue Agency user accounts. Service Canada and the Canada Revenue Agency took additional safety measures to protect account holders by deactivating the compromised accounts, temporarily removing some online abilities, and adding additional security measures to the account sign-in process.

To better coordinate government-wide efforts, a government-wide response was triggered under the Government of Canada Cyber Security Event Management Plan (GC CSEMP).The Office of the Chief Information Officer of the Government Canada issued an official statement to the public about the incident on August 15, 2020, with a follow-up statement on September 17, 2020.

On August 31, 2020, a proposed class proceeding was filed in Federal Court. The action concerns the unauthorized disclosure to a third party of the personal and financial information of thousands of Canadians from their online accounts with the Government of Canada–branded credential service, the Canada Revenue Agency and My Service Canada.

The government has implemented additional security features such as multi-factor authentication, to help Canadians protect their accounts, and advancing efforts around digital identity. In Canada, pilots and projects are currently underway that allow users to log in with their provincial trusted digital identities to access federal government services in a timely and secure way.

The government also makes available tools and resources to the public to assist them in protecting their personal information, for example Get Cyber Safe, publications at the Canadian Center for Cyber Security, and “Slam the scam.”

SolarWinds supply chain compromise

On December 13, 2020, SolarWinds (a privately held American company) disclosed a security advisory outlining recent malicious activity impacting SolarWinds Orion Platform resulting from a supply chain compromise. A supply chain compromise occurs when cyber threat actors target the networks of trusted vendors and then leverage the vendors to access the networks of their true targets. Supply chain compromises can occur before or after the delivery of a product or service, or during software updates or hardware upgrades. Cyber threat actors target these updates and upgrades because they know they will be downloaded and installed.

SolarWinds Orion software products are used to help monitor networks for problems. SolarWinds has publicly stated that fewer than 18,000 of its 300,000+ global customers are believed to have been affected. Victims are understood to include the US Government and consulting, technology and telecoms entities in North America, Europe, Asia and the Middle East.

A government-wide response was triggered under the GC CSEMP and the Cyber Centre, and TBS held regular Event Coordination Team meetings and worked collaboratively with Shared Services Canada and stakeholders to assess, mitigate, analyze and communicate with the government.

To date, the Cyber Centre has not received any reports of government organizations being impacted by this incident.

About supply chain attacks

The Cyber Centre’s National Cyber Threat Assessment 2020 identifies supply chain vulnerabilities as an ever-present threat. The Cyber Centre has assessed that these vulnerabilities will continue to be targeted over the next two years and encourage all Canadians to follow the Cyber Centre’s Alerts and take any appropriate action that is required to ensure their networks and systems remain secure.

Exploitation of Microsoft Exchange critical vulnerabilities

In early March 2021, Microsoft announced that they detected four zero-day vulnerabilities being exploited to compromise on-premises versions of Microsoft Exchange Server in limited and targeted attacks. A zero-day vulnerability is a software vulnerability that is not yet known by the vendor, and therefore has not been mitigated. Zero-day vulnerabilities often, but do not necessarily, have high severity levels. The government’s response to a zero-day vulnerability must take into account the severity of the vulnerability, government exposure to the vulnerability, the existence of an exploit, and availability of any mitigations. Microsoft released out-of-band patches to address all four vulnerabilities. The vulnerabilities did not affect cloud-based Exchange services.

Given the widespread use of Microsoft Exchange in the government, and the critical nature of this vulnerability, as well as the potential for exploitation, this vulnerability triggered a government-wide response under the GC CSEMP on March 3, 2021, in order to ensure a coordinated approach across the government.

The risk of further impact to the government has been mitigated; however, the Cyber Centre continues to monitor the situation.

Third-party supplier ransomware incident

On March 12, 2021, a third-party printing services supplier to the government was impacted by a ransomware cyber event. Ransomware is a type of malware that denies a user’s access to a system or data until a sum of money is paid. Upon detecting the cyber event, the supplier shut down all external access to their systems. This third-party organization provides services to Canadian clients, including to some federal departments and agencies. This attack was not directed at the Government of Canada, nor its IT infrastructure.

Given the number of contracts with this particular supplier, a government-wide response under the GC CSEMP event was declared on March 17, 2021. The Office of the Privacy Commissioner was also advised at the same time.

The Cyber Centre performed an assessment of the supplier’s infrastructure. In addition, the Contract Security Program under Public Services and Procurement Canada (PSPC) also undertook at a compliance review with respect to security requirements of the contract(s). PSPC is expected to produce a report at the conclusion of the review. The report is expected mid-May 2021.

10. Data security and protection of personal information (Office of the Chief Information Officer)

Issue

The protection of personal information is paramount in Canada’s increasingly digitally enabled government.

Key facts

  • The Government of Canada has to be particularly vigilant to ensure the protection of personal information.
  • The Privacy Act requires that government institutions protect Canadians’ personal information. TBS privacy policies, directives and guidelines support institutions to meet these obligations.
  • Since 2019, TBS has been implementing a Privacy Breach Action Plan, which focuses on strengthening the prevention and management of privacy breaches across government.
  • Recent cyberattacks have highlighted the need to continue to protect personal information.

Response

  • The Government of Canada takes the privacy of Canadians seriously.
  • A number of policies guide federal organizations to build in privacy considerations, including the Policy on Privacy Protection, the Policy on Service and Digital and the Digital Standards.
  • All new or significantly modified government programs that collect personal information must conduct Privacy Impact Assessments and provide them to the Office of the Privacy Commissioner and TBS.
  • TBS has also been strengthening the prevention and management of privacy breaches across government through the Privacy Breach Action Plan, including those that might arise as a result of cyber incidents.

Background

The Policy on Privacy Protection and its related directives require institutions to undertake a Privacy Impact Assessment (PIA) for new or substantially modified government programs and activities that involve collecting, using or disclosing personal information.

A PIA is an evaluation process ensuring the sound management and decision-making as well as careful consideration of privacy risks with respect to the creation, collection and management of personal information as part of government programs or activities.

Institutions must provide PIAs to TBS and the Office of the Privacy Commissioner.

To support the government’s urgent response to the COVID‑19 pandemic, TBS issued an interim privacy policy and related directives.

Effective from March 13, 2020, to March 31, 2021, the interim policy and related directives gave institutional heads the discretion to undertake a more condensed, but still rigorous, analysis of privacy considerations to ensure privacy is protected in the implementation of urgent COVID‑19 initiatives.

These measures were used to ensure that privacy continued to be protected as the government delivered urgent initiatives in response to the COVID‑19 pandemic

Privacy breaches

Privacy breaches are defined as an improper or unauthorized creation, collection, use, disclosure, retention or disposition of personal information.

The Directive on Privacy Practices requires government institutions to establish plans and procedures for addressing privacy breaches in their institutions which must include roles and responsibilities and mandatory reporting of material privacy breaches.

Material breaches are breaches that involve sensitive personal information – such as medical and financial information – and could reasonably be expected to cause injury or harm to the individual.

In addition, the Policy on Service and Digital requires that institutions, when managing personal information or data, protect the privacy of individuals according to the Privacy Act and any other relevant legislation or policy.

TBS supports institutions in the management of multi-institutional privacy breaches across government and identifies where additional guidance or training may be required.

Since 2019, TBS has been implementing the Privacy Breach Action Plan, which focuses on strengthening the prevention and management of privacy breaches across government.

The Action plan has three main priorities:

  • to raise awareness about privacy breaches for federal workers and key communities
  • to improve training for federal employees
  • to strengthen policies, guidance, and tools

Some of the successes of the Privacy Breach Action Plan include close policy integration with cyber security, a new course for public servants offered through the Canada School of Public Service, and the development of a new privacy breach reporting form made in collaboration with the Office of the Privacy Commissioner.

11. Access to information and transparency during COVID‑19 (Office of the Chief Information Office)

Issue

Workplace measures to curb the COVID‑19 pandemic and protect the health and safety of federal employees affected institutions’ ability to respond to access to information and personal information requests in the first few months of the pandemic.

Key facts

  • In response to public health direction on COVID‑19, most employees have been working remotely, and many had reduced access to documents and information systems that they would usually use to respond to requests.
  • There are no provisions in the Access to Information Act or the Privacy Act to extend deadlines or place requests on hold due to an emergency.
  • On May 28, 2020, the President wrote to his Cabinet colleagues encouraging Ministers to proactively publish as much information as possible related to COVID‑19 and remind them of the importance of ensuring best practices in IM.
  • On June 3, the President sent a letter responding to the Information Commissioner’s recommendations shared on April 28, 2020, concerning the Access to Information and Privacy (ATIP) Online Request system, recognizing the importance of adhering to best practices in IM and mentioning upcoming government plans to better support information practices across government.
  • On July 10, 2020, the Information Commissioner wrote to the President of the Treasury Board calling for strong leadership and concrete actions by government to repair the access to information system.
  • As of April 26, 2021, of the 152 institutions that responded to TBS’s biweekly capacity questionnaire, 29 reported having full capacity to respond to requests.

Response

  • The government remains committed to maintaining the openness and transparency of government during this challenging time.
  • The Access to Information Act requires that government institutions make every reasonable effort to assist those who request information and respond to requests in a timely manner.
  • Since the onset of COVID‑19 workplace measures, institutions have worked hard to mitigate the impacts on their ability to respond to access to information or privacy requests.
  • In response to the Information Commissioner’s recommendations, we committed to making information related to COVID‑19 and its response proactively available.
  • Institutions are asked to respond to a biweekly questionnaire regarding their capacity to receive, process and respond to requests, the results of which have been published on Open.Canada.ca.
  • The government will continue to work with the Information Commissioner to meet Canadians’ needs for open, accessible and trustworthy information.

Background

Government of Canada employees are currently working remotely wherever possible to help slow the spread of COVID‑19. Consequently, most institutions are operating with significantly reduced on-site workforces, which limits their ability to respond to requests and within the timelines mandated by the Access to Information Act and the Privacy Act.

Request processing

TBS has issued guidance to institutions to make best efforts to process requests and proactively publish information, in accordance with operational realities. Notices currently posted on the Open Government Portal and the Access to Information and Privacy (ATIP) Online Request service inform requesters of potential delays due to COVID‑19 measures. TBS continues to support institutions with suggested best practices for working digitally to respond to requests. All 152 institutions that responded to TBS’s biweekly capacity questionnaire in the week of April 26, 2021, indicated that they had full or partial capacity to respond to requests.

Since the onset of COVID‑19 measures, institutions have worked hard to mitigate the effects of the COVID‑19 measures on their ability to respond to requests:

  • Institutions are offering to provide electronic records to requesters, where paper records cannot currently be accessed.
  • Institutions are utilizing e-post where possible to facilitate electronic responses to requesters.
  • In addition, to help reduce pressures on the access to information system during these extraordinary times, the President of the Treasury Board, Jean-Yves Duclos, wrote to his Cabinet colleagues to encourage Ministers to proactively publish as much information as possible related to COVID‑19 as well as reminding them of the importance of ensuring best practices in IM.
  • TBS also organized workshops to share best practices to help ATIP offices adapt their procedures to the remote work environment.
  • The Access to Information and Privacy (ATIP) Online Request system has remained available as a simple and efficient means for Canadians to submit requests to 210 federal institutions.

When workplace restrictions are eased and capacity increased, in accordance with ongoing public health advice, ATIP offices are addressing outstanding requests. In particular, where there is increased access to offices, institutions are able to make progress in processing classified records for responses to access to information requests. Progress may be impacted by ongoing provincial lockdowns, given that access to offices may be restricted.

TBS began gathering information on institutions’ request processing capacity in April 2020, and by June 2020, all institutions but one reported having full or partial capacity. In July 2020, the last institution that had indicated it had ceased processing requests reported having partial capacity. As of April 26, 2021, of the 152 institutions that responded to TBS’s biweekly capacity questionnaire, 29 reported having full capacity to respond to request.

The review of the Access to Information Act, which began in June 2020, offers an opportunity to have an open exchange on making access to information systems and processes more resilient.

In October 2018, the government launched the new Access to Information and Privacy (ATIP) Online Request system to modernize the ATIP process for Canadians. That was an important first step in making ATIP a digital process by enabling Canadians to make access to information and personal information requests electronically to 210 institutions. In its use of artificial intelligence in the portal, the government is helping requesters choose the institution that is most likely to have the information they want. Its continued use during the pandemic has enabled Canadians to submit requests without leaving their homes and institutions to receive requests remotely.

The government continues to update and improve the Access to Information and Privacy (ATIP) Online Request system with tools and functionality, making the receipt, processing and delivery of requests more secure and efficient. We continue to work on streamlining the process and avoid paper and compact discs.

Parallel to its work on the Access to Information and Privacy (ATIP) Online Request system, the government is also undertaking a procurement process to ensure modern ATIP request processing software is available to government institutions.

The Office of the Chief Information Officer continues to engage with the Offices of the Information Commissioner and Privacy Commissioner to ensure that these oversight bodies are aware of institutions’ operational status.

Ensuring transparency

The Information Commissioner wrote to the President of the Treasury Board on April 2 and April 28, 2020, reminding government of the importance of documenting decisions and recommending measures to reduce the pressures on the access to information system during these extraordinary times.

On July 10, 2020, the Information Commissioner wrote to the President of the Treasury Board calling for strong leadership and concrete actions by government to repair the access to information system.

In response to the Information Commissioner’s concerns, the President of the Treasury Board, in his capacity as designated Minister for the administration of the Access to Information Act across the federal government, and as a member of the Cabinet committee on the federal response to the coronavirus disease (COVID‑19), wrote to Cabinet colleagues encouraging Ministers to have institutions proactively publish as much information as possible, as well as remind them of the importance of ensuring best practices in IM.

Last April, TBS released guidance entitled “Managing government information when working remotely” as well as a toolkit to further guide employees in managing government information when working remotely. This guidance is meant to reinforce employees’ awareness of their collective responsibility to document decisions of business value and to ensure that government information is managed securely and effectively with respect to legislative and policy requirements, including the requirements of the Access to Information Act and Privacy Act.

12. Access to Information Act review (Office of the Chief Information Officer)

Issue

The conduct of the government’s Access to Information Act review

Key facts

  • In 2016, the government committed to reform the Access to Information Act in two phases, with Phase I consisting of targeted amendments to deliver on specific commitments, and Phase II constituting a full review of the Act.
  • Phase I was accomplished in June 2019, with targeted changes made by Bill C‑58, including a requirement for the President of the Treasury Board to undertake a review of the Act every five years, with the first review beginning by June 21, 2020.
    • The review was launched on June 18, 2020, focusing on three themes:
    • examining the legislative framework
    • opportunities to improve proactive publication to make information openly available
    • assessing processes and systems to improve service and reduce delays
  • On March 31, 2021, the government launched public engagements on the review, and is currently receiving online submissions. The first virtual public event took place May 20, 2021. Other engagement opportunities are being planned for the coming months.

Response

  • Access to information should reflect today’s digital world and Canadians’ expectations for accessible, timely and trustworthy information.
  • On June 18, 2020, we launched a full review of the Access to Information Act.
  • The review will take a broad look at access to information, which will include:
    • examining the legislative framework
    • identifying opportunities to improve proactive publication to make information openly available
    • assessing processes and systems to improve service and reduce delays
  • On March 31, 2021, we launched public engagement and began receiving submissions through our online engagement portal.
  • On May 20, 2021, we held our first virtual public event. There will be other opportunities for stakeholders, Indigenous groups and representatives, and interested Canadians to share their views over the coming months.
  • This review is an opportunity for Canadians to participate in an open exchange about the right to access government information.

Background

Canada’s current access to information regime dates to 1983, when the Access to Information Act first came into effect. The Act represents a key cornerstone of the Canadian democratic system, but its administration across 265 federal institutions faces increasing pressures. In the last five years alone, the number of requests has more than doubled from approximately 68,000 requests in 2014–15 to more than 150,000 in 2019–20.

In 2015, the government made the reform of the access to information regime a key mandate commitment for the President of the Treasury Board. In 2016, the Government announced that it would review the Access to Information Act in two phases, with Phase I comprising a targeted set of amendments to deliver on specific commitments, and Phase II representing a full review of the Act.

Phase I, or Bill C‑58, was introduced in Parliament in June 2017 and received Royal Assent two years later, on June 21, 2019. One of the amendments made to the Act through Bill C‑58 was a requirement for the President of the Treasury Board to undertake a review of the Actwithin one year of Royal Assent, and every five years thereafter. This requirement represents Phase II of the government’s commitment to reform Canada’s access to information regime.

On June 18, 2020, the government launched the Access to Information Act review in fulfillment of the legislative requirement. The review focuses on three broad areas: reviewing the legislative framework, opportunities to improve proactive publication to make information openly available, and assessing processes and systems to improve service and reduce delays. The Terms of Reference, published on the review web page, outline the mandate of the review and indicate that a final report of recommendations will be submitted to the President of the Treasury Board by January 31, 2022.

The review is seeking the views of Canadians through an online engagement platform and virtual events. The review will also seek the views of national Indigenous organizations, and other Indigenous groups that are interested in access to information issues. A “What We Heard”report summarizing the input received will be made public in fall 2021.

The President of the Treasury Board invited the Information Commissioner and Privacy Commissioner to provide him with recommendations to improve access to information, given their important roles and expertise. Both Commissioners have responded and submitted their input into the review. The President of the Treasury Board has also sent invitations to the Multi-Stakeholder Forum on Open Government and National Indigenous Organizations. These invitations have been published on the review web page in support of an open and transparent review.

IT Infrastructure

In this section

13. Emerging technologies: artificial intelligence (AI), and quantum computing (Office of the Chief Information Office)

Issue

AI and quantum computing bring new challenges and opportunities. Governance and investments are required for the Government of Canada to adapt to these new technologies.

Key facts

  • The Government of Canada’s Directive on Automated Decision-Making was introduced in March 2019 and came into force on April 1, 2020. It encourages the responsible use of automation and AI in delivering services to Canadians.
  • Together, these tools help ensure that the government’s use of technology leads to more efficient, accurate, consistent and interpretable decisions.
  • The Government of Canada relies on cryptography as an effective way to protect the confidentiality and integrity of information and to protect systems from cyberattacks.
  • Quantum computing threatens much of the cryptography used today to protect the confidentiality and integrity of information and to protect systems from cyberattacks.
  • Experts estimate that a large universal quantum computer could exist as early as the 2030s.
  • Virtually all systems used by the Government of Canada will need to be updated or replaced in the coming years to support quantum-safe cryptography to address this threat.

Response

Artificial intelligence
  • The Government of Canada is taking concrete steps in defining how AI should be used responsibly and ethically in the delivery of public services, in line with the principles of openness, transparency, equity of access, security and privacy, as well as the avoidance of bias.
  • The Directive on Automated Decision-Making sets out the rules for how federal departments and agencies must manage risks when using technologies like machine learning or AI.
  • TBS has also developed the Algorithmic Impact Assessment which helps assess the risks associated with the use of AI.
Quantum computing
  • The Government of Canada is working with industry partners, allies and the broader international community to ensure that its cryptographic systems are resistant against attacks by quantum computers.
  • The unique capabilities of quantum computing will pose a threat to much of the cryptography the government uses today to protect the confidentiality and integrity of information and systems from cyberattacks.
  • Public Services and Procurement Canada is working with industry partners to communicate the need for quantum-safe products and services, while the Communications Security Establishment participates in international standards development organizations to encourage the development of post-quantum cryptography standards.
  • Virtually all systems used by the Government of Canada will need to be updated or replaced in the coming years to support quantum-resistant cryptographic components, which may require significant investments.

Background

Artificial intelligence

AI can be described as IT that performs tasks that would ordinarily require biological brainpower to accomplish, such as making sense of spoken language, learning behaviours or solving problems.

Government of Canada Directive on Automated Decision-Making

The Government of Canada has been a leader in the development of guidance for AI use by the public sector:

  • Canada’s Directive on Automated Decision-Making, launched in March 2019, seeks to ensure that automated decision systems are deployed in a responsible manner that reduces risks to Canadians and federal institutions, and leads to more efficient, accurate, consistent and interpretable decisions made pursuant to Canadian law.
  • The directive includes a set of guiding principles which will help ensure departments use AI effectively and ethically.
  • The creation of this directive was done in collaboration with academics, industry leaders, civil society and other governments to identify and mitigate various risks associated with using AI systems.
  • The Algorithmic Impact Assessment tool, launched in May 2019, is a questionnaire designed to help government departments assess and manage the risks associated with deploying automated decision systems. The Algorithmic Impact Assessment also helps identify the impact level of automated decision systems under the Directive on Automated Decision-Making to ensure that the mitigation measures are proportional to the risks. The Algorithmic Impact Assessment was also developed in the open and is available to the outside world for sharing and re-use under an open licence.
Recent media coverage of National Defence’s use of AI in human resources

On February 7, 2021, The Globe and Mail reported on National Defence’s use of AI to enhance hiring processes without completing and publishing an Algorithmic Impact Assessment. The federal department contracted Knockri and Plum – AI-driven Canadian hiring services – to help shortlist candidates as part of a campaign to improve diversity in the workplace. The companies conduct automated behavioural assessments and provide clients with measurements of the “personalities, cognitive abilities and social acumen” of applicants. The incident highlights the importance to continue working with our federal partners to ensure they are aware of the requirements and best practices of the Directive on Automated Decision-Making. This is critical to building public trust in the government and ensuring that we uphold our commitments to responsible AI in the public sector. Currently, there is only one Algorithmic Impact Assessment posted on Canada.ca.

Quantum overview

Quantum computers have the potential to revolutionize computing, calculating in minutes what a supercomputer would take more than 10,000 years to do. Quantum computers are best suited to solve certain types of problems that are hard for classical computers, but which can be tackled using new algorithms developed specifically to exploit the often unintuitive properties of the world of quantum physics. Quantum computing researchers are actively working on new algorithms and approaches to harness the advantages of quantum computing in new fields.

Quantum computing threatens to break much of the cryptographic systems the Government of Canada uses today. Experts estimate that large universal quantum computers that are powerful enough to break much of the cryptography we use today will likely exist by sometime in the 2030s. While that’s an estimate, it’s something that the Government of Canada needs to be prepared for since cryptography is fundamental to cyber security. Without strong cryptography, electronic communications and systems used today would be threatened.

Government of Canada work underway to address risks posed by quantum computing

The Government of Canada has a strong interest in ensuring that its cryptographic systems are resistant against attacks by quantum computers, once fully realized. Work currently underway to address this includes:

  • The Government of Canada is working with industry partners, allies and the broader international community to develop and evaluate the next generation of quantum-resistant cryptography and design of new cryptographic components that are not vulnerable to quantum computers. In fall 2019, Public Services and Procurement Canada worked with industry partners to ensure they are aware that the requirements for quantum-safe products and services may become a standard part of the Government of Canada’s procurement process.
  • The Canadian Centre for Cyber Security is the lead agency on cryptography in the Government of Canada and provides advice and guidance on the use of cryptography to secure networks and information.
  • The Canadian Centre for Cyber Security is working closely with Canadian industry and academia and contributing to research and development in cryptography. These research results are incorporated into the advice and guidance which helps to protect the Government of Canada’s current sensitive information.
  • The Canadian Centre for Cyber Security is working with Government of Canada departments and agencies who hold information with a long intelligence life to protect systems against the confidentiality threat posed by quantum computers.
  • The Communications Security Establishment participates in cryptographic standards development which includes the development of post-quantum cryptography standards by the National Institute on Standards and Technology.

14. Application modernization (Office of the Chief Information Office)

Issue

Much of the Government of Canada’s applications, infrastructure and hosting environments are outdated, lack modern security, and are at constant risk of outages.

Key facts

  • Digital services to Canadians are underpinned by the applications and infrastructure on which they reside.
  • At present, only 36% of government applications are considered healthy.
  • Many of these applications and their associated data remain hosted in legacy data centres, which, while being maintained through the Information Technology (IT) Repair and Replacement Program, have greater risks of service interruptions, loss of data, and security vulnerabilities.
  • Shared Services Canada, in collaboration with TBS, supports the migration and modernization of these outdated and mission-critical government applications to safe and secure modern environments, either to the cloud or to a newer enterprise data centre.
  • By adopting cloud computing, the government is better able to support a digitally enabled workforce and digital services for Canadians, particularly during this critical pandemic period.
  • Moving application workloads from on-premise environments to the cloud supports green IT initiatives by reducing the corresponding carbon footprint.
  • The protection and privacy of government data stored and processed in the cloud is a top priority for Shared Services Canada and includes compliance monitoring.

Response

  • As government applications continue to deteriorate, we must prioritize investments to replace those applications that rely on aging IT and outdated infrastructure.
  • The 2021 federal budget announced $300 million to Shared Services Canada over the next three years to repair and replace critical IT infrastructure and another $215 million to continue to help departments migrate digital applications to modern computing facilities.
  • The government is building the digital foundation for modern service delivery to Canadians by adopting cloud technologies, modernizing IT systems, as well as the IT infrastructure and networks on which they reside.
  • Shared Services Canada in collaboration with TBS is supporting these efforts, ultimately improving overall application health to provide efficient, secure and stable digital services.
  • Over the last three years, the measure of overall health of the application portfolio has increased from 28% to 36% which is progress, but we need to continue this trend.
  • TBS is providing departments and agencies with financial assistance to acquire the expertise to accelerate department readiness to modernize their applications.
  • Shared Services Canada is providing core services to departments and agencies by assessing and modernizing IT infrastructure and works with departments on new initiatives to further advance cloud adoption, standardize support, improve processes and service levels and enhance security.
  • Cloud adoption presents great opportunities for better serving Canadians through agility, elasticity, improved service levels and enhanced security.

Background

To provide Canadians with important programs and services, federal government organizations depend on Shared Services Canada to provide modern and reliable IT infrastructure and services.

To modernize/enhance the government digital services, Budget 2018 proposed significant investments to address evolving IT needs and opportunities, while proactively addressing cyber security threats. As part of this investment fund, TBS received $110 million over six years, starting in 2018–19, to be accessed by Shared Services Canada’s partner departments and agencies to help them modernize their applications by migrating them from older data centres into more secure modern data centres or cloud solutions.

In addition to the Budget 2018 investment fund, the following activities support departments in improving the health their application portfolio:

  • The Chief Technology Officer for the Government of Canada co-chairs the Enterprise Architecture Review Board along with the Chief Technology Officer of Shared Services Canada, which defines current and target architecture standards for the government and reviews departmental digital proposals for alignment, which includes:
    • alignment to the 2018 GC Cloud Adoption Strategy that provides direction in delivering IT services using modern technologies
    • promotion and prioritization of enterprise solutions and reusable assets in order to reduce technical debt
  • To reduce cyber security threats and vulnerabilities, TBS and the Canadian Centre for Cyber Security are continuously:
    • enhancing cyber security guidance and tools for digital identity, security and privacy
    • publishing a Zero Trust Security Model for use by departments
    • developing reusable cloud security code (that is, guardrails) available to departments to help accelerate their Cloud adoption
    • promoting secure application development practices and implementation of Top 10 Security Actions
  • Departments are invited to share their cloud strategies and present lessons learned at the Cloud Technical Working Group and the Cloud Computing Network of Expertise in order to promote collaboration between departments.
  • TBS is producing improved data driven insights from the government Application Portfolio Management framework to enable senior leaders in making empirical-based prioritization decisions regarding enterprise investments.
  • TBS publishes guidance, standards and playbooks including but not limited to government Digital Standards, Cloud Adoption Playbook, and Zero Trust Security Playbook for Information System Solutions.
  • TBS, in collaboration with industry, hosts an annual cloud event for government IT professionals (and scientists) to showcase their success stories in adopting cloud and modern application development practices.
Modernizing applications

The Application Modernization Fund incentivizes departments and agencies to proactively evaluate their applications’ business value and technical risk for either modernization or decommissioning. It promotes a triaging approach by allocating funds to departments and agencies on a priority basis to ensure aging IT is addressed while establishing application portfolio management best practices, including sustainability planning.

As of March 31, 2021, TBS had disbursed $64 million to 18 Shared Services Canada partner departments to support the application migration and modernization efforts. To date:

  • one department has completed its modernization efforts, including migration to the cloud, and has embarked on their continuous modernization activities
  • eight departments/agencies in the planning (discovery phase) of their journey
  • nine departments/agencies are executing on their modernization and migration plans (execution phase)
Adopting cloud technologies

The government has implemented a “cloud first” adoption strategy and developed multiple guidance documents, as cloud represents a fundamental shift in the modern and flexible delivery of digital services. Cloud services provide access to shared IT resources through “pay-for-use” models, similar to those for water and electrical utilities. Fully leveraging the speed, reliability and agility of modern cloud services, the government will be able to improve its digital service delivery to Canadians.

15. Enabling technology: equipment, collaboration tools and network capacity to support public servants

Issue

With an unprecedented number of federal public servants working remotely, the Government of Canada has ensured that government workers are appropriately equipped to maintain continued operations.

Key facts

  • There are approximately 287,000Footnote 1 federal public servants in the Government of Canada. In addition to this number are contract workers, students and casual workers forming a population of federal users that leverage technology on a daily basis in support of government operation. This total number does not include Canadian Forces Members, RCMP Civilian Members, RCMP Regular Force Members, employees on leave without pay, Ministers’ exempt staff and employees locally engaged outside of Canada.
  • Federal users are averaging over 230,000 remote connections daily.
  • Since March 16, 2020, government’s secure remote access capacity has increased by 72% effectively allowing for government operations to be delivered by a predominantly remote workforce largely unimpeded.
  • As of March 2021, approximately 306,000 federal users are using Microsoft Teams – one of the tools that is part of the Microsoft 365 suite of applications – to collaborate, with more than 280,000 federal users participating in virtual meetings on that platform in the past month (March 2021).
  • An Emergency Communication System has been implemented to support the government business continuity activities for up to, and including, Protected B work and collaboration. With over 680 users, it is designed to be operational even in the event of an interruption in the availability of government infrastructure.Footnote 2
  • Of the over 225,000 mobile phones deployed, over 183,000 are now enrolled on Wi-Fi calling, enabling employees to make and receive calls in areas with poor cellular service.

Response

  • Our response to the COVID‑19 pandemic continues to transform the government’s operational and service landscape. In mounting our response, we have accelerated our digital transformation to better enable public servants in delivering results that directly support Canadians, while strengthening the foundation to become a more open, user-centric and resilient digital government for the future.
  • We have deployed new tools that allow employees to work and collaborate remotely with their colleagues.
  • The deployment of Microsoft 365 has been accelerated across government to allow collaboration and remote conferencing within and between departments, that follows appropriate levels of securit
  • In situations where new equipment is to be purchased, federal organizations have been reminded of their duties to be stewards of public funds, and to ensure that value for money is considered in all actions.

Background

The pandemic has prompted an unprecedented shift, requiring a majority of the 287,000 federal public servants to work remotely.

TBS’s Office of the Chief Information Officer is working with Shared Service Canada to actively support the ongoing operation of the government’s IT infrastructure and systems and to maintain continuity of critical federal services.

Ensuring that departments and public servants have the knowledge, tools and equipment they need to work remotely means:

  • increasing network capacity to support the rise in remote work across government
  • prioritizing network access and IT services to maintain critical service continuity
  • providing guidance on the use of tools such as Zoom, Google Meet and GCCollab when access to the government network was not available
  • mobilizing the chief information officer community to identify support needs
  • providing real-time feedback on IT needs in core service areas and coordinating government action to ensure key IT infrastructure continues to function

The Office of the Chief Information Officer is working closely with departments and agencies to support service delivery by strengthening business continuity planning, identifying critical services, and focusing committee forward agendas on COVID‑19-related efforts. TBS is also working with Shared Services Canada and Public Safety Canada to identify critical service interdependencies, including between services identified in departmental service inventories, critical services and the supporting IT systems.

The Office of the Chief Human Resources Officer has developed a remote working toolkit, available to all federal public servants, providing helpful advice, tips and tricks to both existing and new public servants. This toolkit touches on areas including (but not limited to):

  • mental health
  • setting up your workspace
  • communications with your colleagues
  • official languages

COVID‑19 and service to Canadians

In this section

16. COVID Alert application

Issue

The national exposure notification app, COVID Alert, was developed to let users know that they may have been exposed to COVID‑19.

Key facts

  • COVID Alert, a national exposure notification app, was launched July 31, after approximately 45 days of design and development efforts.
  • It was made available to provinces and territories as a public health tool intended to help individuals know that they may have been exposed to COVID‑19.
  • Onboarded provinces and territories include Ontario, Manitoba, Saskatchewan, Quebec, Newfoundland and Labrador, Nova Scotia, Prince Edward Island, New Brunswick and Northwest Territories.
  • Metrics about app downloads and usage of one-time keys have been available in the public domain since the launch of the app on Canada.ca.
  • COVID Alert was developed by the Canadian Digital Service, using open-source code developed by volunteers from Shopify, as well as Bluetooth exposure notification technology co-developed by Apple and Google. It received security reviews from the Office of the Chief Information Officer at TBS, the Canadian Centre for Cyber Security and BlackBerry.
  • Engagement with the Office of the Privacy Commissioner began before the launch of the app and continues as improvements and features are added to the app.

Response

  • As Canadians continue to face the health and economic impacts of the pandemic, we need to work together to keep people safe and healthy and contain the virus.
  • One of the tools that some countries have found effective in helping to slow the spread of COVID-19 is exposure notification. That’s why the government of Canada developed the COVID Alert app.
  • COVID Alert is just one of many tools the Government of Canada has made available to provinces and territories for Canadians to help protect them from the pandemic and keep them safe.
  • The COVID Alert app has been downloaded by millions of Canadians, but because there continues to be a low distribution of one-time keys to people who test positive, COVID Alert hasn’t realized its potential.
  • The federal government has continued to engage with the provinces and territories – both those who have adopted COVID Alert and those who have not – to find ways to encourage uptake of the app and improve distribution of one-time keys when people test positive.
  • We are continually assessing the value of COVID Alert in the dynamic context of the pandemic.

Background

Exposure notification uses Bluetooth technology via an application that is downloaded to mobile devices. This is different from conventional contact tracing done by public health officials, a manual process requiring extensive personal information.

As of May 18, COVID Alert app has been downloaded approximately 6.5 million times, with 32,603 one-time keys (OTKs) claimed in the app across nine provinces and territories. Low rates of one-time key distribution continue to limit the effectiveness of the OTK-based service. Fewer than 5% of people in Canada diagnosed with COVID‑19 have received an OTK to enter into COVID Alert. Of the COVID Alert users who tested positive for COVID and did receive an OTK from their provincial or territories’ health authority, nearly all (over 80%) entered that OTK into the app. This indicates that users are willing and able to participate in the system. However, while there have been ongoing discussions with provinces and territories at all levels, OTK distribution is reliant on provinces and territories, which face limited capacity and competing priorities, including vaccine distribution. Downloads of COVID Alert have plateaued since December 2020.

Consideration is being given to a Quick Response (QR) Code exposure notification service (QR Code service) that could be introduced into the app with the potential to help to break the chain of transmission faster, by streamlining contact tracing for app users, businesses and organizations, and public health officials. It is also intended to help respond to the rise in variants of concern. The success of a QR Code service would depend on widespread uptake from provincial and territorial health authorities and businesses.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: