Chief Information Officer of Canada appearance before the Standing Committee on Public Accounts concerning Report 7 — Cybersecurity of Personal Information in the Cloud of the 2022 Reports of the Auditor General of Canada

On this page

1. Scenario Note
2. Overview of the Standing Committee on Public Accounts and Recent Studies
3. Office of the Auditor General (OAG) Audit of Cyber Security of Personal Information in the Cloud
4. Timeline on Recommendations
5. Management Action Plan
   • Detailed Management Response and Action Plan (as submitted to the Committee)
6. Roles and Responsibilities
7. Cloud Guardrails
8. Departments in Scope of Policy
9. Cloud Consumption in the GC
10. Application Modernization

• Public Environmental Scan
• Recent Media Calls with Responses

A. Scenario Note

Appearance of The Chief Information Officer of Canada before the House of Commons Standing Committee on Public Accounts concerning Report 7 — Cybersecurity of Personal Information in the Cloud of the 2022 Reports of the Auditor General of Canada

Background

• The 2022 Reports 5 to 8 of the Auditor General of Canada were tabled in the House of Commons on November 15, 2022 and subsequently referred to the Standing Committee on Public Accounts (PACP).
• PACP commenced consideration of the 2022 Reports 5 to 8 in camera on November 15, 2022 with an appearance from the Office of the Auditor General. The Committee requested Management Action Plans from all departments concerned with recommendations, which will be submitted to the Committee prior to the appearance.
• Report 7 on Cybersecurity of Personal Information in the Cloud noted that 4 years after the Treasury Board of Canada Secretariat (TBS) first directed departments to consider moving information to the cloud, it had still not provided a long‑term funding plan for cloud adoption.
• TBS has been invited to appear at PACP on February 16, 2023 as part of a panel of witnesses alongside Deputy Ministers from Public Services and Procurement Canada (PSPC), Shared Services Canada (SSC) and the Auditor General in view of its study on the Report.

Day of – Scenario (PACP)

• The meeting is expected to begin at 3:30 pm, subject to delays due to votes in the Chamber. The Chief Information Officer of Canada is expected to appear alongside the Deputy Minister of PSPC and the President of SSC.
• Witnesses appearing in person should arrive half an hour early to allow time for security screening.

Other Relevant Information

• The President of the Treasury Board tabled the 2022 Public Accounts of Canada on October 27, 2022.
• Following this, TBS officials appeared at PACP on November 18 and November 22, 2022 to discuss the Public Accounts 2022, alongside officials from the Department of Finance and from the Office of the Auditor General.
• The Committee has received training on how to evaluate audit reports and generally ask questions relevant to their details. The Committee will also be interested in the specific details in relation to how the Government will implement the recommendations outlined in the report.
• The Committee has been holding meetings on the other 2022 Auditor General Reports tabled last November, with one meeting on November 25, 2022 on Report 8, Emergency Management in First Nations Communities, and another on November 29, 2022 on Report 5, Chronic Homelessness.

B. Overview of the Standing Committee on Public Accounts and Recent Studies

Mandate of the Committee

When the Speaker tables a report by the Auditor General in the House of Commons, it is automatically referred to the Public Accounts Committee. The Committee selects the chapters of the report it wants to study and calls the Auditor General and senior public servants from the audited organizations to appear before it to respond to the Office of the Auditor General’s findings. The Committee also reviews the federal government’s consolidated financial statements – the Public Accounts of Canada – and examines financial and/or accounting shortcomings raised by the Auditor General. At the conclusion of a study, the Committee may present a report to the House of Commons that includes recommendations to the government for improvements in administrative and financial practices and controls of federal departments and agencies.

Government policy, and the extent to which policy objectives are achieved, are generally not examined by the Public Accounts Committee. Instead, the Committee focuses on government administration – the economy and efficiency of program delivery as well as the adherence to government policies, directives and standards. The Committee seeks to hold the government to account for effective public administration and due regard for public funds.

Pursuant to Standing Order 108(3) of the House of Commons, the mandate of the Standing Committee on Public Accounts is to review and report on:

• The Public Accounts of Canada;
• All reports of the Auditor General of Canada;
• The Office of the Auditor General’s Departmental Plan and Departmental Results Report; and,
• Any other matter that the House of Commons shall, from time to time, refer to the Committee.

The Committee also reviews:

• The federal government’s consolidated financial statements;
• The Public Accounts of Canada;
• Makes recommendations to the government for improvements in spending practices;
• Considers the Estimates of the Office of the Auditor General.

Other Responsibilities:

• The economy, efficiency and effectiveness of government administration;
• The quality of administrative practices in the delivery of federal programs; and,
• Government’s accountability to Parliament with regard to federal spending.

Committee Members

Name & Role	Party	Riding	PACP member since
Chair
John Williamson	Conservative	New Brunswick Southwest	February 2022
Vice-Chair
Jean Yip	Liberal	Scarborough—Agincourt	January 2018
Nathalie Sinclair-Desgagné Critic for Public Accounts; Pandemic Programs; Economic Development Agencies	Bloc Québécois	Terrebonne	December 2021
Members
Garnett Genuis Critic for International Development	Conservative	Sherwood Park—Fort Saskatchewan	October 2022
Michael Kram	Conservative	Regina—Wascana	October 2022
Kelly McCauley	Conservative	Edmonton West	October 2022
Blake Desjarlais Critic for TBS; Diversity and Inclusion; Youth; Sport; Post-secondary Education; Deputy critic for 2SLGBTQI+ Rights; Immigration, Refugees and Citizenship	New Democratic Party	Edmonton Greisbach	December 2021
Valerie Bradford	Liberal	Kitchener South – Hespeler	December 2021
Han Dong	Liberal	Don Valley North	December 2021
Peter Fragiskatos Parliamentary Secretary National Revenue	Liberal	London North Centre	December 2021
Brenda Shanahan	Liberal	Châteauguay—Lacolle	December 2021; and Jan 2016 – Jan 2018

Anticipated TBS-Related Activity – 44^th Parliament

• Briefing from the Canada Audit and Accountability Foundation
• Introductory briefings from the Auditor General; Comptroller General of Canada; others.
• Public Accounts of Canada
• Reports of the Auditor General of Canada

TBS Related Committee Activity – 43^rd Parliament

• Public Accounts of Canada (Link to study)
  • Government Response provided: link
• Reports of the Auditor General of Canada:
  • Oversight of Government of Canada Advertising (Link to study)
    • Government Response provided: Link
  • Procuring Complex Information Technology Solutions (Link to study)
  • Investing in Canada Plan (Link to study)
  • Call Centres (Link to study)
    • Government Response provided: Link
  • National Shipbuilding Strategy (Link to study)
• Public Service Culture (Link to study)
  • No report

Interest in TBS Portfolio

Conservative Party of Canada (CPC)

• Cybersecurity
  • Conservative MPs Ben Lobb, Jamie Schmale, and Robert Kitchen (not committee members) respectively requested parliamentary returns on the Log4J software vulnerability (Q-372, February 2022), Contracts for Cloud-Based Storage Services (Q-537, May 2022), and cyberattacks on government departments and agencies (Q-961, October 2022)
  • During a November 22, 2022 meeting of PACP, MP Stephanie Kusie (not a committee member, though she was a substitute for this meeting) was interested in government funding for cloud storage, and suggested it was hindering government cybersecurity. She asked the Auditor General questions regarding the “lack of funding provided, as seen in Public Accounts…, and the impact that it has had on the government’s cybersecurity of cloud storage” as well as “…the lack of funding provided, which is leaving our systems in the cloud vulnerable.”
    • November 22, 2022 – PACP - Public Accounts of Canada 2022 (OAG)
  • Conservative MPs have also been suspicious of the Chinese telecom firm Huawei, citing its links to the Chinese government in arguing the government took too long to decide not to allow it to operate in Canada. During the same debate on Bill C-26, MP Garnett Genuis said “We are behind when it comes to defending our security. We are behind what we should have known much earlier. We are behind our allies. We were the last of the Five Eyes and very late to step up on recognizing the risks associated with Huawei.”
    • December 1, 2022, Debate on Bill C-26
• Spending Oversight and Accountability
  • Conservative MPs consider the government is spending too much, and without proper oversight and accountability. This criticism amplified since the election of the CPC’s new leader, MP Pierre Poilievre. Since the return of Parliament in September, most of the party’s interventions during Question Period have been about government spending.
  • More broadly, Conservatives have been using the Public Accounts as an example of wasteful spending and government incompetence. MP Andrew Scheer (not a committee member) claimed that “we are constantly poring through Public Accounts to find wasteful spending and, lo and behold, we find them all the time.”
    • October 28, 2022, Debate on Bill C-9
• Public Service and Public Servants
  • MP Philip Lawrence (no longer a committee member) claims that he is frustrated by the fact that when he was a member of PACP, the studies have always focused on the same topic ands reports that do not necessarily get implemented. He wants to focus more on improving the performance of the public sector.
    • May 5, 2022, PACP – Main Estimates 2022-23 (OAG)
• Environment and Greening Government
  • MP Philip Lawrence (no longer a committee member) believes that investments in many sectors of government need to be made, specifically about data management and climate change resilience. He mentioned that he would like more information on what the government is doing on that front.
    • March 3, 2022, PACP – Meeting #8
• Order Paper Questions
  • MPs Scott Aitchinson and Tom Kmiec (not committee members) respectively requested parliamentary returns on Expenditures on Transportation Machinery and Equipment listed in the 2021 Public Accounts (Q-297, January 2022) and on Losses of public money and property as listed in the 2021 Public Accounts (Q-323, February 2022)

Bloc Québécois (BQ)

• Cybersecurity
  • Bloc MPs have not spoken extensively on cybersecurity in the Federal Government, however they’re shown interest in the topic of potential cyber threats for federally regulated businesses and the private sector, as evidenced in their interventions during debate on Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts
  • During a June 2022 meeting of OGGO, MP Julie Vignola asked questions to the Minister of Public Services and Procurement, as well as the president of Shared Services Canada about government countermeasures to protect against cyberattacks, and “protect the private information of both citizens and businesses, as well as the government’s confidential information.”
    • June 10, 2022 – OGGO – Supplementary Estimates (A) (PSPC, SSC)
• Spending Oversight and Accountability
  • MP Sinclair-Desgagné criticized on multiple occasions the ‘’fiscal imbalance’’ in the Public Accounts, particularly when it comes to healthcare transfers to Quebec and other provinces from the federal government.
    • October 27, 2022, Debate on Bill C-31
  • MP Sinclair-Desgagné suggested that the President of the Treasury Board is happy that workers from the Office of the Auditor General are on strike because it means they are no longer able to produce reports that “embarrass the government” and that they can no longer ensure accountability.
    • March 31, 2022, Statement by Members
  • MP Sinclair-Desgagné showed concerns that Crown corporations make it impossible to correctly track government spending. With Crown corporations, “it is impossible to know how much money is being handed over”. She believes that the current situation is unacceptable. More recently, in a PACP meeting, she asked a TBS official what legislative changes would be needed for crown corporations to disclose information the same way departments do.
    • November 1, 2022, PACP – Meeting #36 (Briefing on the Office of the Auditor General); May 9, 2022, Debate on Budget 2022
• Public Service and Public Servants
  • MP Sinclair-Desgagné showed support for employees working at the Office of the Auditor General that are on strike, saying they deserve better pay equity.
    • March 31, 2022, Statement by Members
• Environment and Greening Government
  • MP Sinclair-Desgagné believes Government funding should be cut off to sectors where positive environmental results are lacking, such as the oil sector
    • February 8, 2022, PACP – Meeting #4

New Democratic Party (NDP)

• Cybersecurity
  • MP Gord Johns (not a committee member) has expressed concerns about cybersecurity and the implementation of cloud storage in the government. During a November 11, 2022 meeting of OGGO, Johns said, “Last week, the Auditor General released a report with concerning findings about the government’s ability to prevent, detect and respond to cyber-attacks. The report found that departments are confused about cybersecurity roles and that four years after the Treasury Board directed departments to consider moving to the cloud, it had not provided the long-term funding for cloud adaptation.”
    • November 21, 2022, OGGO – Meeting #40 (TBS Appearance on Supplementary Estimates (B) 2022-23)
  • MP Johns has also questioned the Chief Information Officer about the cybersecurity implications of the ArriveCan application, asking “what the Treasury Board will be doing to urgently address security vulnerabilities and ensure Canadians’ personal information is protected?”
    • November 17, 2022, OGGO – Meeting #39 (TBS Appearance on ArriveCAN Application)
  • The NDP has also made comments on cybersecurity more broadly, in both the public and private sector context. On December 1, during debate on Bill C-26, MP Gord Johns said, “I think we all agree that Canada is ill-prepared to deal with cybersecurity threats. I am comforted to hear that we are all on the same page. However, we are falling far behind other similar jurisdictions, such as France and the U.K. Their ability to intercept and respond to cybersecurity threats is much more enhanced to protect their countries.”
• Spending Oversight and Accountability
  • MP Daniel Blaikie (not a committee member) reminded the House several times about the Parliamentary Budget Officer’s remarks about how the government has been filing the Public Accounts too late. He and the NDP believes that “…additional financial reporting (is) warranted…” and that “normally, in the countries of most of our allies and trading partners, that happens on a six-month timetable after the end of the fiscal year, so tabling them in December was very late. I think it is true, especially when the government is spending large sums of money, that accountability and transparency become that much more important”.
    • February 2, 2022, March 23, 2022 & March 28, 2022, Debate on the Economic and Fiscal Update Implementation Act, 2021
• Public Service and Public Servants
  • MP Blake Desjarlais criticized the Pheonix Pay System, saying that the Treasury Board not consulting with public servants resulted in a direct impact on workers. He claims that years later, the Government continues to fail with Phoenix.
    • May 3, 2022, PACP – Meeting #17
• Diversity and Inclusion, GBA+
  • MP Desjarlais believes more work needs to be done in the public sector and with Crown corporations when it comes to ensuring diversity inclusion and equity. He believes stronger targets and indicators should be put in place so we can see the tangible results and progress.
    • February 15, 2022, PACP – Meeting #6; March 31, 2022, PACP – Meeting #12; March 31, 2022, Debate on Bill S-214
• Environment and Greening Government
  • MP Desjarlais often criticizes the lack of “real climate action” by the Government. He believes the government should be held accountable on the lack of progress on that front. He believes climate actions should play an integral part in the action plans of Government departments.
    • December 1, 2021, Reply to the Speech of the Throne; March 1, 2022, PACP – Meeting #7; April 7, 2022, Statement by Members
  • Other NDP MPs, like Laurel Collins (not a committee member) showed concerns over the fact that when it comes to the greening government, Crown corporations are not required to report on their emissions.
    • May 3, 2022, ENVI – Meeting #15

Meeting Summaries

Meeting 39 – November 22, 2022
Public Accounts of Canada 2022 (Part 2)

Full transcript: Evidence – PACP (44-1) – No. 39

Witnesses

Department of Finance

• Michael J. Sabia, Deputy Minister
• Evelyn Dancey, Assistant Deputy Minister, Fiscal Policy Branch
• Nicholas Leswick, Associate Deputy Minister

Office of the Auditor General

• Karen Hogan, Auditor General of Canada
• Etienne Matte, Principal
• Chantale Perreault, Principal

Treasury Board Secretariat

• Roch Huppé, Comptroller General of Canada
• Monia Lahaie, Assistant Comptroller General, Financial Management Sector
• Diane Peressini, Executive Director, Government Accounting Policy and Reporting

Highlights

The Committee continued its consideration of the Public Accounts of Canada 2022.

At the beginning of the meeting, the Comptroller General provided an update on a follow-up for Mr. Garnett Genuis (CPC) from the previous meeting. He indicated a response regarding an increase in Passport Canada salary figures was forthcoming, but outlined that it was due to a collective agreement being signed, and resumption of the payment of excess leave. He further explained that an increase in passports being processed resulted in increased costs.

The tone of the meeting was generally cordial and polite, and Members were very engaged with their questioning. However, at times, Members challenged the responses provided by officials. Topics of discussion included:

• Erroneous information in the Public Accounts
• Details regarding write-offs of liabilities
• Environmental and Social Governance (ESG) reporting
• Financial transparency in Crown corporations
• Reforming the Public Accounts
• Cybersecurity and cloud adoption
• Issues with the Phoenix Pay System, and plans for the Next-Generation system
• Real property and the impact of return to work/hybrid work on occupancy

Follow-Ups

• Details regarding the error in the Public Accounts surrounding debt forgiveness by Export Development Canada - MP Garnett Genuis (CPC)
• Factors driving the increase in GST and corporate tax write off provisions - MP Kelly McCauley (CPC)
• Costing of the suspension of paying out excess accrued vacation leave - MP Kelly McCauley (CPC)
• Total amount for unfunded pension liabilities – MP Kelly McCauley (CPC)
• Analysis on effect of delay in CERB post-verifications by CRA on expected recoupable costs MP Garnett Genuis (CPC)
• How much of the reported damage to buildings was due to climate change? – MP Blake Desjarlais (NDP)

Meeting 38 – November 18, 2022
Public Accounts of Canada 2022 (Part 1)

Full transcript: Evidence – PACP (44-1) – No. 38

Witnesses

Treasury Board Secretariat

• Roch Huppé, Comptroller General of Canada
• Monia Lahaie, Assistant Comptroller General, Financial Management Sector
• Diane Peressini, Executive Director, Government Accounting Policy and Reporting

Department of Finance

• Nicholas Leswick, Associate Deputy Minister
• Evelyn Dancey, Assistant Deputy Minister, Economic Policy Branch

Office of the Auditor General

• Karen Hogan, Auditor General of Canada
• Etienne Matte, Principal
• Chantale Perreault, Principal

Highlights

In her opening remarks, the Auditor General verified that her office issued a clean opinion on the Public Accounts 2022. She highlighted the impact the COVID-19 pandemic had on government spending. She also noted that pay administration is still an issue with Phoenix. Pay action requests involving overpayments are at risk of the Government not being able to recover.

The Comptroller General provided the Committee with an overview of the Public Accounts 2022 in his opening remarks. Mr. Huppé explained the requirements for the timing of the tabling of the Public Accounts and highlighted that the tabling occurred on time this year. He also explained that TBS is focused on becoming more efficient and is in the process of considering the recommendations issued in the recent PACP Report entitled: Public Accounts of Canada 2021. Mr. Huppé updated the Committee on the efforts being made to modernize the Public Accounts, including incorporating feedback from the PACP Committee.

Members were very engaged with witnesses on key issues such as reporting on crown corporations, tabling timelines and challenges, the Phoenix pay system and specific line items in the Public Accounts. Members expressed their gratitude throughout the meeting for the informative discussion with witnesses and indicated that they would be grateful to receive any follow-up information prior to Tuesday’s continuation of the consideration of Public Accounts. Additionally, the Chair raised the issue of the legal window to recoup the Phoenix overpayments (and risk) involved and requested that TBS officials come prepared with that information on Tuesday.

Follow-Ups

• Additional Information on Passport Canada figures – MP Garnett Genuis (CPC)
• Increase in doubtful accounts and analysis of the Bank of Canada’s purchases on Canada’s bonds – MP Kelly McCauley (CPC) and John Williamson (CPC)
• Timeline of previous tabling dates – MP Brenda Shanahan (LPC)
• Variance for crown corporations – Députée Nathalie Sinclair-Desgagné (BQ)
• Additional information concerning the public sector pension increase – MP Kelly McCauley (CPC)

Meeting 36 – November 1, 2022
Briefing on the Office of the Auditor General (TBS Appearance)

Full transcript: Evidence – PACP (44-1) – No. 36

Witnesses

Treasury Board Secretariat (TBS)

• Stephen Diotte, Executive Director, Employment Relations and Total Compensation, Strategic Compensation Management, Office of the Chief Human Resources Officer

Office of the Auditor General (OAG)

• Karen Hogan, Auditor General of Canada
• Andrew Hayes, Deputy Auditor General

Department of Finance (FIN)

• Nicholas Leswick, Associate Deputy Minister

Highlights

Pursuant to the motion adopted on October 21, 2022, the Committee received a briefing on the Office of the Auditor General.

In her opening remarks, the Auditor General (AG) emphasized the importance of considering the workload in proportion with the amount of funding the OAG receives when requesting additional audits. The AG considers the current funding model problematic due to the fact that the Department of Finance (FIN) and Treasury Board Secretariat (TBS) are organizations audited by the OAG and presents challenges to maintain independence from the Government. The AG addressed the previous strike and the resulting challenges in attracting and maintaining personnel. The AG concluded by assuring the Committee that they will continue to pursue conversations with employees to foster a better working environment.

Members showed considerable concern with the independence of the OAG in the current funding model and questioned whether or not they were appropriately resourced. All Members pointed out the increasing expression of mistrust in Government institutions and emphasized the importance of the role of the OAG in maintaining that trust. MP Blake Desjarlais (NDP) questioned all witnesses on the roles of each organization in the events during the OAG employee strike last Fall. Government Members clarified how collective bargaining mandates work and asked TBS to identify the risk in expanding the mandate in terms of the existing agreements.

Follow-Ups

• What legislative changes would be needed for crown corporations to disclose information the same way departments do? – MP Nathalie Sinclair-Desgagné

Next Steps

The Committee is expected to meet next on Friday, November 4, 2022 to discuss Committee Business. The Chair also indicated that the Committee will have a briefing with the Auditor General on the upcoming performance reports on November 15^th (in camera). The Chair also indicated that the Committee will invite officials to appear on the Public Accounts 2022 on November 18^th.

Meeting 35 – October 28, 2022
Report 2, Greening Government Strategy (TBS Appearance)

Full transcript: Not available yet

Witnesses

Treasury Board Secretariat

• Graham Flack, Secretary of the Treasury Board of Canada
• Malcolm Edwards, Senior Engineer, Centre for Greening Government

Office of the Auditor General

• Jerry V. DeMarco, Commissioner of the Environment and Sustainable Development
• Milan Duvnjak, Principal

Department of National Defence

• Bill Matthews, Deputy Minister
• Nancy Tremblay, Associate Assistant Deputy Minister, Material
• Saleem Sattar, Director General, Environment and Sustainable Management

Department of Transport

• Michael Keenan, Deputy Minister
• Ross Ezzeddin, Director General, Air, Marine and Environmental Programs

Highlights

The Committee met to study Report 2, Greening Government Strategy, of the 2022 Reports 1 to 5 of the Commissioner of the Environment and Sustainable Development, and to question witnesses. Officials did not make opening statements as they had already done so during the meeting on October 18, which was interrupted due to votes in the House of Commons.

Today’s meeting was largely polite and cordial. Topics of discussion of interest to TBS included:

• TBS’s role in the Greening Government Strategy, including reporting, enforcement, and international cooperation.
• Costs associated with achieving the government’s greenhouse gas (GHG) emissions reduction goals.
• The government’s ability to provide comprehensive reporting on its GHG emissions.
• The impact of the COVID-19 pandemic on government GHG emissions
• The OAG’s recommendation that Crown corporations also report their progress, and TBS’s consultations with Crown corporations.
• Any current and future plans to purchase carbon offsets by the government.
• GHG emissions produced by ministerial travel.

The officials from DND and Transport also responded to questions regarding their own plans and progress in reducing their departments’ emissions. Mr. Matthews, from DND, made reference to tools and guidance provided to them by TBS. After the conclusion of witness testimony, the Committee met in camera to discuss committee business.

Meeting 32 – October 18, 2022
Report 2, Greening Government Strategy (TBS Appearance)

Full transcript: Evidence – PACP (44-1) – No. 32

Witnesses

Treasury Board Secretariat

• Graham Flack, Secretary of the Treasury Board of Canada
• Jane Keenan, Acting Executive Director, Centre for Greening Government
• Malcolm Edwards, Senior Engineer, Centre for Greening Government

Office of the Auditor General

• Jerry V. DeMarco, Commissioner of the Environment and Sustainable Development
• Milan Duvnjak, Principal

Department of National Defence

• Bill Matthews, Deputy Minister
• Nancy Tremblay, Associate Assistant Deputy Minister, Material
• Saleem Sattar, Director General, Environment and Sustainable Management

Department of Transport

• Michael Keenan, Deputy Minister
• Ross Ezzeddin, Director General, Air, Marine and Environmental Programs

Highlights

The meeting was delayed by votes in the House.

In his opening remarks, Commissioner of the Environment and Sustainable Development, Jerry DeMarco outlined the history of the Greening Government Strategy and the targets that were set and revised since the launch in 2017. He told the Committee that the audit focused on TBS’s leadership in supporting departmental progress; as well as how DND and Transport implemented controls to reduce GHG emissions. He concluded that TBS’s efforts to reduce emissions are not as complete as they could be, and that important information on greening government was hard to find, unclear or insufficient – including a lack of detail on costs and savings. He cited concerns that indirect emissions have not been reported, and that Crown corporations were outside the reach of the strategy. He said that neither DND nor Transport made it clear how they would meet the 2050 target. He concluded that the lack of info makes it difficult to track targets, and to determine if Canada is being the global leader it has set out to be. He told the Committee that of the five recommendations for TBS in the report, only one wasn’t fully agreed with. Finally, the Commissioner noted that he tabled a fall report on October 4 on the 2021 progress report on the Federal Sustainable Development Strategy.

In his opening remarks, Deputy Minister of Transport Canada, Michael Keenan, told the Committee that Transport Canada fully accepted the Commissioners recommendation and is fully committed to the GHG reduction targets. He said that Transport Canada’s emission largely result from its fleet, rather than from buildings, so its implementation plan is somewhat unique. He said that TC’s roadmap will continue to evolve and be updated, and that mechanisms would be put in place to assess risks and track reductions of emissions.

In his opening remarks, the Secretary of the Treasury Board, Graham Flack, outlined how the Government is greening its activities with a target of net-zero GHG emission by 2050, and an interim target of 40% reduction by 2025 for the conventional fleet of vehicles and federal facilities. He also reviewed the leadership role of the Centre for Greening Government (CGG) at TBS, in terms of the strategy to green buildings, vehicles and procurement by the government. This includes developing low-carbon real property portfolio plans; building new zero-carbon buildings; retrofitting existing buildings to be energy efficient and low-carbon; including environmental factors in their procurement; buying hybrid or zero-emission vehicles and clean electricity; and adopting clean technologies, such as smart building technologies, clean fuels, and renewable electricity. After touching on the top lines of the Commissioners report, the Secretary said that TBS agrees with all the recommendations of the report, other than the notion that TBS has not developed an approach to tracking costs and savings. He told the Committee that CGG uses life-cycle costing analysis and total cost of ownership methodologies to inform decision makers on the best value options to decarbonize government operations. He also said that other governments have reached out to ours on implementing a costing methodology. Finally, he said that TBS would do more to communicate the cost-effective approach to accounting for costs and emissions to Parliamentarians and Canadians.

In his remarks, DND deputy minister, Bill Matthews outlined the size and scale of DND’s operating environment. He said the department is making progress, meeting shorter term targets, but that there remains a great deal of work to achieve the Government’s long-term net-zero targets. He said that DND accepted the recommendations of the Commissioner.

Following opening statements, the Committee suspended proceedings due to additional votes in the House. The witnesses were released but are expected to be recalled for questioning at a subsequent date (TBD).

The Committee returned to meet in camera on Committee Business following the votes in the House.

Bios of the Committee Members

John Williamson (New Brunswick Southwest)
Conservative
Chair

Jean Yip (Scarborough - Agincourt)
Liberal
First Vice-Chair

Nathalie Sinclair-Desgagné (Terrebonne)
Bloc Québécois
Second Vice-Chair

Garnett Genuis (Sherwood Park—Fort Saskatchewan)
Conservative

Michael Kram (Regina—Wascana)
Conservative

Kelly McCauley (Edmonton West)
Conservative

Blake Desjarlais (Edmonton Greisbach)
NDP

Valerie Bradford (Kitchener South – Hespeler)
Liberal

Han Dong (Don Valley North)
Liberal

Peter Fragiskatos (London North Centre)
Liberal
Parliamentary Secretary to the Minister of National Revenue

Brenda Shanahan (Châteauguay—Lacolle)
Liberal

C. Office of the Auditor General (OAG) Audit of Cyber Security of Personal Information in the Cloud

Issue

In November 2022, the Auditor General of Canada tabled four performance reports on government services and programs in the House of Commons, one of which was focused on cyber security of personal information in the cloud.

The Treasury Board of Canada Secretariat (TBS) has developed a management response and action plan, in collaboration with Communications Security Establishment (CSE), Public Services and Procurement Canada (PSPC) and Shared Services Canada (SSC), to address the recommendations from the report.

Response

• Protecting the information of Canadians is a priority for the GC.
• The GC works continuously to manage security risks in the cloud and to enhance cyber security so that Canadians’ data and privacy are safeguarded.
• The GC has a critical role to play in protecting the information of Canadians. Information hosted in Cloud Service Providers (CSP) environments is no exception.
• The government is still in the early stages in its adoption of the cloud, and enhancement and maturing of processes and protocols is expected.
• While there is no such thing as zero risk when it comes to cyber threats, we are working hard to ensure that that highest levels of protection are in place. In support of this ongoing effort, we welcome the recommendations of the Auditor General.
• We are committed to working with our partners at Public Services and Procurement Canada, Shared Services Canada, and the Communications Security Establishment to ensure that Canada’s strong cloud security control safeguards currently in place are consistently applied, documented and monitored.

Background

On November 15, 2022, the Auditor General of Canada tabled four performance audit reports on government services and programs in the House of Commons, one of which was focused on Cyber Security of Personal Information in the Cloud.

Fall 2022 OAG Audit Report on Cyber Security of Personal Information in the Cloud

In 2016, the government published a cloud first adoption strategy that directed departments to first consider cloud as the preferred option for delivering information technology services. This strategy was updated in 2018 and it highlighted the benefit of security features provided by cloud service providers and implemented a shared responsibility model that relies on a number of parties working together to protect personal information in the Cloud.

The objective of the OAG audit sought to determine whether Communications Security Establishment (CSE), Public Services and Procurement Canada (PSPC), Shared Services Canada (SSC), Treasury Board of Canada Secretariat (TBS), and selected departments have governance, guidance, and tools in place to protect, detect, and respond to cybersecurity events affecting personal information of Canadians in the Cloud. The audit also sought to assess whether the federal government has met its commitments to the environment and sustainable development in how they procured cloud services.

The audit covered the period from April 1, 2021, to March 31, 2022. For the environment and sustainable development line of enquiry, the audit covered the period from April 1, 2017, to March 31, 2022.

Summary of Findings

Overall, the audit found that:

• There were weaknesses in departments’ controls for preventing, detecting, and responding to cloud cyberattacks.
• The roles and responsibilities for ensuring cloud cybersecurity were unclear.
• TBS did not provide departments with a costing model or funding approach for cloud services.
• PSPC and SSC did not include environmental criteria in their procurement of cloud services.

D. Timeline on Recommendations

The OAG Audit Report outlined five key recommendations:

Recommendation 1: Clarify the process and roles/responsibilities for validating and monitoring of guardrails and extend to PSPC procured solutions.

• September 2022 - publish the Cloud Responsibility Matrix (completed)
• December 2022 - clarify and extend to PSPC procured
• January 2023 - update the guardrails, including PSPC
• February 2023 - establish a score card report
• April 2023 - collaborate with SSC on automation
• Continue to provide advice and guidance on cloud security assessment and authorization activities

Recommendation 2: Ensure the roles and responsibilities required for security controls are clearly documented and proactively communicated to departments.

• September 2022 - publish the responsibility matrix (completed)
• March 2023 - complete a review of the matrix
• September 2023 - increase proactive communications
• March 2023 - updates to the community on review cycles

Recommendation 3: Ensure relevance of the GC Cyber Security Event Management Plan (GC CSEMP) and that it is reviewed and tested annually and updated if required. Ensure departments use GC CSEMP.

• Fall 2022 - GC CSEMP updated and published (completed)
• March 2023 – Explore options for tools to enable departments to facilitate cloud-based simulation exercises
• April 2023 – Include a requirement for departments to submit their CSEMP with their Plan for Service and Digital

Recommendation 4: Develop and provide a costing model and tools to help departments make informed decisions about moving to the cloud and determine resources and funding required.

• Fall 2022 – Recommendations to GC CIO on path forward (completed)
• June 2023 - provide a costing model & guidance
• June 2023 - assist departments & SSC with forecasting

Recommendation 5: PSPC and SSC should include environmental criteria in their strategies and contracts for procuring cloud services to support sustainability in procurement practices and contribute to achieving Canada’s net-zero goal.

E. Management Action Plan

TBS is working with CSE, SSC, and PSPC to implement the recommendations outlined in the OAG Audit Report and has developed a detailed action plan to respond to the recommendations with consideration of the following:

• As of May 2021, one of the GC’s security controls known as cloud guardrails was formalized as a policy requirement under the Directive on Service and Digital. These guardrails ensure that departments and agencies are implementing a preliminary baseline set of controls within their cloud-based environments. While a manual approach has been established to validate that these environments have indeed applied the cloud guardrails, SSC, in collaboration with TBS, is implementing an automated approach to validate the guardrails on a continuous basis.
• TBS published the initial version of the GC Public Cloud Roles and Responsibilities on December 2022. TBS is also working with SSC, CSE, and PSPC to update, publish, and communicate the Cloud Responsibility Matrix which will further assist departments in ensuring clarity in the roles and responsibilities and expectations when using cloud services. The GC Cyber Security Event Management Plan (GC CSEMP) provides an operational framework for the management of cyber security events (including cyber threats, vulnerabilities, or security incidents) that impact or threaten to impact the GC’s ability to deliver programs and services to Canadians. A refresh of the GC CSEMP was completed and published in November 2022 and addressed lessons learned from cyber simulation exercises as well as recent cyber incidents. This update also reflected third-party suppliers including cloud service providers who are required to manage and report on cyber events in accordance with the stipulations outlined in their respective contractual agreements with the GC.
• TBS is developing a cloud costing model to help departments make informed decisions about moving to the cloud.
• In addition, PSPC and SSC are aligning the GC’s approach to cloud procurement to include standard contract clauses and sustainability terms for cloud service providers.
• In keeping with the Policy on Green Procurement, SSC is integrating environmental performance considerations relating to greenhouse gas reduction targets into the competitive solicitations under the GC Cloud Framework Agreement and working with TBS and PSPC to establish the standard on the Disclosure of Greenhouse Gas Emissions and the Setting of Reduction Targets.

Detailed Management Response and Action Plan (as submitted to the Committee)

to the recommendations of the Independent Auditors Report of Cybersecurity of Personal Information in the Cloud

Report Ref. No.	OAG Recommendation	Departmental Response	Description of Final Expected Outcome/Result	Expected Final Completion Date	Key Interim Milestones (Description/Dates)	Responsible Organization/ Point of Contact (Name, Position, Tel #)	Indicator of Achievement
33	In consultation with Shared Services Canada and Public Services and Procurement Canada, Treasury Board of Canada Secretariat (TBS) should: Clarify who is responsible for validating and ongoing monitoring of cloud guardrails controls on an ongoing basis, and clarify the processes to be followed. Extend the requirement for guardrails to cloud service provider contracts stemming from supply arrangements established by Public Services and Procurement Canada.	TBS will clarify the process & roles/responsibilities for validating and monitoring of guardrails & extend to PSPC procured solutions.	Published Cloud Responsibility Matrix, that formally identifies who is responsible for validating, ongoing monitoring, performing oversight and compliance of the cloud guardrails controls. The Standard Operating Procedure for Validating Cloud Guardrails is clarified and extended for cloud service provider contracts awarded by PSPC. The GC Cloud Guardrails and Directive on Service and Digital is updated to reflect guardrail controls that apply to cloud services including PSPC procured cloud services. In addition, TBS will: establish a score card to report on departments’ level of adherence to the GC Cloud Guardrails, collaborate with SSC in their efforts to implement tools to automate guardrail monitoring for cloud service providers in the Government of Canada; and continue to provide advice and guidance to departments on ensuring that they perform security assessment and authorization activities for cloud-based applications using tools such as the Security Playbook for Information System Solutions which outlines a set of security tasks for consideration when designing and implementing solutions for Government of Canada (GC) information systems in cloud environments.	April 1, 2023	October 6, 2022 - publish the Cloud Responsibility Matrix December 2022 - clarify applicable guardrails for PSPC procured solutions and extend to PSPC procurement. January 2023 - update the guardrails, including PSPC February 2023 - establish a score card report template April 2023 - collaboration with SSC on automation of guardrails reporting proof of concept complete and onboarding of departments begins.	Scott Levac, Director – Cloud Oversight, 613‑793‑7207 Rahim Charania, Director - Cyber Security, 613‑612‑7808	(For Committee Use Only)
42	TBS should ensure that: The Government of Canada Cyber Security Event Management Plan is relevant to the evolving cloud environment and shared responsibilities, is reviewed and tested annually, and updated if changes are warranted. Departments finalize, implement, and regularly test their security event management plans.	TBS will ensure relevance of the GC Cyber Security Event Management Plan (GC CSEMP) and that it is reviewed and tested annually and updated if required. Ensure departments use GC CSEMP.	The Government of Canada Cyber Security Event Management Plan will be reviewed and tested at least annually and updated as appropriate. This includes an update to the GC CSEMP and inclusion of cloud-based scenarios in GC CSEMP simulation exercises; A process will be in place to validate that Departments have established and implemented a Departmental CSEMP that aligns with the GC CSEMP, that are submitted on an annual basis to TBS for review. Tools are planned for and available which will enable departments to regularly test their Departmental CSEMP, such as a canned tabletop product that focuses on a cloud-based scenario that departments can leverage to run their own simulation exercise; as well as exploring options to establish a procurement vehicle that will enable facilitated cloud-based simulation exercises by March 2023.	April 2023	Fall 2022 - GC CSEMP updated and published March 2023 – Explore options for tools to enable departments to facilitate cloud-based simulation exercises April 2023 – Include a requirement for departments to submit their CSEMP with their Plan for Service and Digital	Rahim Charania, Director - Cyber Security, 613‑612‑7808	(For Committee Use Only)
51	In consultation with Communications Security Establishment Canada, Shared Services Canada, Public Services and Procurement Canada, and departments, Treasury Board of Canada Secretariat should ensure that roles and responsibilities required in support of the design, implementation, validation, monitoring, coordination and enforcement of all the security controls needed to protect sensitive and personal information in the cloud are documented and proactively communicated to any department that is using or considering the use of cloud services. These documented roles and responsibilities would facilitate a complete and common understanding of each department’s roles and responsibilities and would facilitate coordination between all departments. The secretariat should review and update these documented roles and responsibilities at least every 12 months.	TBS will ensure that roles and responsibilities required for security controls are clearly documented and proactively communicated to departments. Review and update annually.	Published Cloud Responsibility Matrix, that formally identifies who is responsible for validating, ongoing monitoring, performing oversight and compliance of the cloud guardrails controls. The Cloud Responsibility Matrix is updated following a completed review that has examined and updated the roles and responsibilities required in support of the design, implementation, validation, monitoring, coordination and enforcement of all the security controls needed to protect sensitive and personal information in the cloud. Regular update engagements are arranged for GC Enterprise Architecture Review Board, Director General Cloud Steering Committee, GC Cloud and Computing Network of Expertise Working Group to proactively share information on roles and responsibilities to any department that is using or considering the use of cloud services. Updates to the Cloud Responsibility Matrix are published to information sharing sites such as the GC Cloud InfoCentre. A process is established for an annual review and publication of the Cloud Responsibility Matrix and providing updates to the community.	September 2023	October 6, 2022 - publish the Cloud Responsibility Matrix March 2023 - complete a review of the responsibility matrix September 2023 - increase proactive communications March 2023 - updates to the community on review cycles	Scott Levac, Director – Cloud Oversight, 613‑793‑7207 Rahim Charania, Director - Cyber Security, 613‑612‑7808	(For Committee Use Only)
62	Treasury Board of Canada Secretariat, in consultation with Shared Services Canada and other departments, should: Develop and provide a costing model to help departments make informed decisions about moving to the cloud, and determine whether additional resources and funding are required. Help departments determine their operational funding needs and sustain their funding so they can fulfill their evolving responsibilities for cloud operations, including securing sensitive information in the cloud.	TBS will develop and provide a costing model and tools to help departments make informed decisions about moving to the cloud and determine resources and funding required.	Completed TBS consultations with the GC community to discuss cloud operational models, prioritization criteria and associated funding models. A series of recommendations presented to the GC CIO on direction for operating in the Cloud. TBS Consultations with SSC and departments complete. Outcomes include a costing model and guidance to help departments make informed decisions about moving to the cloud. Tools and guidance available intended to assist departments, including SSC, with forecasting medium and long term costs required to operate in a cloud environment.	June 2023	Fall 2022 – Recommendations to GC CIO on path forward June 2023 - provide a costing model & guidance June 2023 - assist departments & SSC with forecasting	Scott Levac, Director – Cloud Oversight, 613‑793‑7207	(For Committee Use Only)

F. Roles and Responsibilities

The summary roles and responsibilities for cloud is as follows:

Treasury Board of Canada Secretariat

The secretariat provides policy and guidance on cloud services, such as that contained in the Government of Canada Cloud Adoption Strategy. It also coordinates government-wide cybersecurity responses to incidents as outlined in the Government of Canada Cyber Security Event Management Plan.

Shared Services Canada

As a provider of common services to government, this department provides other federal departments with access to approved cloud service providers through contracts that it administers. It also manages and monitors most of the Government of Canada’s computer servers and data centres and ensures secure cloud access.

Public Services and Procurement Canada

As a provider of common services to government, this department establishes supply arrangements with prequalified cloud service providers to allow other departments to obtain the software services they offer. In some cases, departments can procure these services directly with these or other providers. For contracts that exceed certain financial thresholds, Public Services and Procurement Canada establishes and administers the contract on a department’s behalf. It also assesses the physical security controls of cloud service providers and their personnel.

Communications Security Establishment Canada

As part of this agency, the Canadian Centre for Cyber Security provides Canadians with advice, guidance, services, and support on cybersecurity. This includes conducting security assessments of cloud service providers that Shared Services Canada and Public Services and Procurement Canada have identified for some of their cloud-based procurement processes. It also monitors cloud security and departmental networks and provides training, advice, and guidance on cloud security. It helps federal organizations implement secure digital infrastructures.

Individual departments

Departments (federal organizations) implement their own security controls and monitor information and user activity on their own software applications. They are ultimately responsible and accountable for security risks that arise through their use of cloud services. Departments are required to share information about privacy breaches with the Treasury Board of Canada Secretariat and the Office of the Privacy Commissioner of Canada.

G. GC Cloud Guardrails

Cloud Guardrails – applies to 6 different profile types. A summary of the cloud guardrails to be implemented in the initial phase are identified in the table below:

1. Protect root / global admins account: Protect root or master account used to establish the cloud service.

Key Considerations

• Implement multi-factor authentication (MFA) mechanism for root/master account.
• Document a break glass emergency account management procedure. Including names of users with root or master account access.
• Obtain signature from Departmental Chief Information Officer (CIO) and Chief Security Officer (CSO) to confirm acknowledgement and approval of the break glass emergency account management procedures.
• Implement a mechanism for enforcing access authorizations.
• Configure appropriate alerts on root/master accounts to detect a potential compromise, in accordance with the GC Event Logging Guidance

2. Management of administrative privileges: Establish access control policies and procedures for management of administrative privileges.

Key Considerations

• Document a process for managing accounts, access privileges, and access credentials for organizational users, non-organizational users (if required), and processes based on the principles of separation of duties and least privilege (for example, operational procedures and active directory).
• Implement a mechanism for enforcing access authorizations.
• Implement a mechanism for uniquely identifying and authenticating organizational users, non-organizational users (if applicable), and processes (for example, username and password).
• Implement a multi-factor authentication mechanism for privileged accounts (for example, username, password and one-time password) and for external facing interfaces.
• Change default passwords.
• Ensure that no custom subscription owner roles are created.
• Configure password policy in accordance with GC Password Guidance.
• Minimize number of guest users; add only if needed.
• Determine access restrictions and configuration requirements for GC-issued endpoint devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly. Note: Some service providers may offer configuration options to restrict endpoint device access. Alternatively, organizational policy and procedural instruments can be implemented to restrict access.

3. Cloud console access Objective - Limit access to GC managed devices and authorized users.

Key Considerations

• Implement multi-factor authentication mechanism for privileged accounts and remote network (cloud) access.
• Determine access restrictions and configuration requirements for GC managed devices, including those of non-privileged and privileged users, and configure access restrictions for endpoint devices accordingly.
• Note: Some service providers may offer configuration options to restrict endpoint device access. Alternatively, organizational policy and procedural instruments can be implemented to restrict access.
• Ensure that administrative actions are performed by authorized users following a process approved by Chief Security Officer (CSO) (or delegate) and designated official for cyber security. This process should incorporate the use of trusted devices and a risk-based conditional access control policy with appropriate logging and monitoring enabled.
• Implement a mechanism for enforcing access authorizations.
• Implement password protection mechanisms to protect against password brute force attacks.

4. Enterprise monitoring accounts: Create role-based account to enable enterprise monitoring and visibility.

Key Considerations

• Assign roles to approved GC stakeholders to enable enterprise visibility. Roles include billing reader, policy contributor/reader, security reader, and global reader.
• Ensure that multi-factor authentication mechanism for enterprise monitoring accounts is enabled.

5. Data location: Establish policies to restrict GC sensitive workloads to approved geographic locations.

Key Considerations

• As per the Directive on Service and Digital "Ensuring computing facilities located within the geographic boundaries of Canada or within the premises of a Government of Canada department located abroad, such as a diplomatic or consular mission, be identified and evaluated as a principal delivery option for all sensitive electronic information and data under government control that has been categorized as Protected B, Protected C or is Classified."

6. Protection of data-at-rest: Protect data at rest by default (e.g. storage) for cloud-based workloads.

Key Considerations

• Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.
• Implement an encryption mechanism to protect the confidentiality and integrity of data when data are at rest in your solution’s storage.
• Use CSE-approved cryptographic algorithms and protocols, in accordance with 40.111 and 40.062.
• Implement key management procedures.

7. Protection of data-in-transit: Protect data transiting networks through the use of appropriate encryption and network safeguards.

Key Considerations

• Implement an encryption mechanism to protect the confidentiality and integrity of data when data are in transit to and from your solution.
• Use CSE-approved cryptographic algorithms and protocols.
• Encryption of data in transit by default (e.g. TLS v1.2, etc.) for all publicly accessible sites and external communications as per the direction on Implementing HTTPS for Secure Web Connections (ITPIN 2018-01).
• Encryption for all access to cloud services (e.g. Cloud storage, Key Management systems, etc.).
• Consider encryption for internal zone communication in the cloud based on risk profile and as per the direction in CCCS network security zoning guidance in ITSG-22 and ITSG-38.
• Implement key management procedures.

8. Segment and separate: Segment and separate information based on sensitivity of information.

Key Considerations

• Develop a target network security design that considers segmentation via network security zones, in alignment with ITSG-22 and ITSG-38.
• Implement increased levels of protection for management interfaces.

9. Network security services: Establish external and internal network perimeters and monitor network traffic.

Key Considerations

• Ensure that egress/ingress points to and from GC cloud-based environments are managed and monitored. Use centrally provisioned network security services where available.
• Implement network boundary protection mechanisms for all external facing interfaces that enforce a deny-all or allow-by-exception policy.
• Perimeter security services such as boundary protection, intrusion prevention services, proxy services, TLS traffic inspection, etc. must be enabled based on risk profile, in alignment with GC Secure Connectivity Requirements and ITSG-22 and ITSG-38.
• Ensure that access to cloud storage services is protected and restricted to authorized users and services.

10. Cyber defense services: Establish MOU for defensive services and threat monitoring protection services.

Key Considerations

• Sign an MOU with CCCS.
• Implement cyber defense services where available.

11. Logging and monitoring: Enable logging for the cloud environment and for cloud-based workloads.

Key Considerations

• Implement adequate level of logging and reporting, including a security audit log function in all information systems.
• Identify the events within the solution that must be audited in accordance with GC Event Logging.

Note: You may need to configure your solution to send the audit log records to a centralized logging facility, if one is available, where existing auditing mechanisms will be applied.

• Configure alerts and notifications to be sent to the appropriate contact/team in the organization.
• Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.
• Continuously monitor system events and performance.

12. Configuration of cloud marketplaces: Restrict Third-Party CSP Marketplace software to GC-approved products.

Key Considerations

• Only GC approved cloud marketplace products are to be consumed. Turning on the commercial marketplace is prohibited.
• Submit requests to add third-party products to marketplace to SSC Cloud Broker.

The applicable scope for the guardrails for the guardrails are based on cloud usage profiles.

H. Which Departments are in Scope of Policy

The requirement to meet the GC Cloud Guardrails is embedded in the Directive on Service and Digital.

• The population of organizations that must comply with the policy are Government of Canada departments, as defined by Schedule I, I.1 and II of the FAA.
• We recommend others, such as agencies, to also comply. As an example, although Canada Revenue Agency (CRA) is not governed by the Directive on Service and Digital, we do monitor their GC Cloud Guardrail status.
• For crown corporations we do not make any recommendations.

I. Cloud Consumption in the GC

Top 10 Fiscal 2022-23 to date:

Account Name	Total Usage
Statistics Canada	$1,938,302
Communications Security Establishment Canada	$1,404,305
Employment and Social Development Canada	$1,194,125
Royal Canadian Mounted Police	$1,106,179
Health Canada	$913,122
National Defence (Department of)	$572,368
Canada Border Services Agency	$453,470
Immigration, Refugees and Citizenship Canada	$444,675
Shared Services Canada	$400,833
Treasury Board of Canada Secretariat	$388,312
Total	$8,815,691

Spend by cloud service provider (CSP):

CSP	AWS	Google	IBM	Microsoft	Oracle	Salesforce	ServiceNow	ThinkOn	Total
Fiscal Quarters - Fiscal Year	Total Usage
FY 19-20	$95k	$0	$0	$1,3M	$0	$0	$0	$0	$1,4M
FY 20-21	$5,2M	$48k	$64k	$30M	$1k	$12M	$343k	$15k	$48M
FY 21-22	$18,5M	$1M	$1,3M	$66M	$101k	$16M	$728k	$383k	$104M
FY 22-23	$18,6M	$1,8M	$0	$72M	$110k	$7,5M	$1,4M	$289k	$101M
Total	$42M	$2,9M	$1,4M	$169M	$211k	$35,6M	$2,4M	$688k	$255M

J. Application Modernization

Issue

Government programs and services are supported by outdated and aging IT systems and applications, putting the government at risk of system failures and cyber-attacks, directly impacting the ability to deliver services to Canadians.

Key Facts

• Digital services to Canadians are underpinned by the applications and infrastructure on which they reside.
• At present, the overall health of these technologies is aging and outdated, with only 37.5% of Government of Canada (GC) applications considered healthy.
• Many of these applications and their associated data remain hosted in legacy data centers, which, while being maintained through the Shared Services Canada (SSC) information technology (IT) Repair and Replacement Program, have greater risks of service interruptions, loss of data, and security vulnerabilities.
• SSC, in collaboration with the Office of the Chief Information Officer at Treasury Board Secretariat (TBS-OCIO) support the move and modernization of these outdated and mission-critical GC applications to more secure and modern environments, either to the Cloud or to a newer Enterprise Data Center (EDC).
• By adopting cloud computing, the GC is better able to support a digitally enabled workforce and digital services for Canadians.
• Cloud adoption presents great opportunities for better serving Canadians through agility, elasticity, improved service levels, and enhanced security.
• Cloud adoption enables rapid provisioning of secure computing resources, which can expand and shrink with the level of demand, resulting in timely, modern and secure core IT systems that will enhance service delivery to Canadians.

Response

• Continued attention is required to ensure the ongoing delivery of secure and reliable digital services to Canadians.
• Because the technical condition of the GC portfolio of applications continues to deteriorate, priority investments must target those application that rely on aging information technology and outdated infrastructure.
• The GC is building the digital foundation for modern service delivery to Canadians by adopting cloud technologies, modernizing IT systems, as well as the IT infrastructure and networks on which they reside.
• TBS is providing departments and agencies with financial incentives to acquire the expertise to accelerate department readiness to modernize their applications.
• With sustained investments in information technology infrastructure and the applications themselves, and a prioritization of systems at risk, it is expected that the overall GC application health and security posture will continue to improve.
• Over the last six years, the measure of overall health of the application portfolio has increased from 28% to 37.5% which is progress, but the GC needs to continue this trend of improvement.
• As of October 2022:
  • 1417 applications have been modernized and rationalized
  • 793 applications have been migrated to Cloud (35% of Cloud migration target)
  • 287 applications have been migrated to Enterprise Data Centres (EDC) (19% of migration target)
  • 337 applications have been retired (69% of target)

Background

The Application Modernization (AppMod) Investment fund supports the priorities of the President of the Treasury Board as described in her mandate letter “Continuing leadership to update and replace outdated IT systems and modernize the way government delivers benefits and services to Canadians” Moreover, the AppMod program improves government services for Canadians and helps the Government of Canada avoid system failures and backlogs seen during the height of the pandemic, as outlined in the Prime Minister task force on this matter. It accomplishes this by moving applications to modern cloud and enterprise environments that leverage industry-grade technologies, security controls, and efficiencies of scale, thereby reducing cyber security threats and reducing and preventing technical debt.

A secure, trusted, and resilient GC application portfolio enables the digital services which support economic prosperity and good governance for Canadians and advances the Digital Ambition that the Government of Canada adopted last August.

The Application Modernization (AppMod) and Workload Migration (WLM) programs started in 2018 to work towards the same common goal of closing legacy data centers and moving applications to the Cloud or Enterprise Data Centre. Although they are both working towards improving the health and security of business applications and services, they are two distinct programs. The AppMod fund incentivizes departments and agencies to proactively evaluate their applications’ business value and technical risk. It promotes a triaging approach by allocating funds to departments and agencies on a priority basis to ensure outdated systems (Aging IT or technical debt) are addressed; thus helping departments in their modernization, migration or decommission strategy.

Overall, the main goals of the AppMod program are to:

• Prioritize funding to address and proactively manage GC at-risk technologies and technical debt​
• Promote and incentivize cloud as a viable option for digital-first service delivery​
• Ensure GC digital systems are modernized​
• Enhance the prioritization framework to support appropriate departmental modernization strategy​
• Streamline governance processes to align with government priorities endorsed by the Deputy Minister Committee on Enterprise Priorities and Planning (DM CEPP) for improved project reporting from project delivery to service performance.

The AppMod program received $110M in 2018 and an additional $51.2M in 2022. As of January 31, 2023, TBS has disbursed all $110M from budget 2018 to 18 SSC partner departments to support the application migration and modernization efforts. In addition, $9.1M from Budget 2022 has been allocated and will be disbursed by the end of this fiscal year. The intake process to distribute funding in fiscal year 2023/24 is already underway.

The migration and modernization activities will strengthen the overall health of the GC application portfolio, increase business value of digital services, reduce cybersecurity threats and eliminate technical debt.

Public Environmental Scan

An environmental scan conducted from December 1^st 2022 to present (February 7^th 2023) on articles related to Cyber security and Federal government garnered a total of 12 notable results; 10 English articles and 4 French piece. The tone of the pieces is generally neutral.

Espionage and foreign interference overtake terrorism as chief threats to Canada’s security: CSIS

A House of Commons committee looking into alleged Chinese government "police stations" in Canada was told on Monday evening that terrorism is no longer the chief concern of Canada’s intelligence services. "The threats to Canada now are from espionage and foreign interference," c, director general of intelligence assessments at the…

Kevin Dougherty - iPolitics - 2023-02-07

Incursion dans la plus grande équipe de cybersécurité de Google au Canada

Dans les bureaux montréalais de la deuxième équipe de cybersécurité en importance de Google au monde, on est loin du fantasme médiatique du pirate informatique à capuche recroquevillé sur son ordinateur dans un sous-sol sombre. C’est plutôt dans un espace de travail ouvert du dixième étage d’un gratte-ciel en plein…

Stéphanie Dupuis - Radio-Canada.ca: Grands titres - 2023-02-07 05:00 (EST)

This could be the worst year ever for ransomware attacks; experts

NATIONAL POST.COM | CANADIAN POLITICS - RYAN TUMILTY - 2023-02-01

• Ryan Tumilty wrote that the government should expect more attacks from cybercriminals. He also said that the cyber center published a detailed annual threat report and concluded that ransomware are the most likely threats to affect Canada. The head of the Canadian Center for Cyber ​​Security states in this article that the Canadian federal government is adequately protected against cyber-attacks.

The threat of ransomware is real. So why are Canadians handcuffing themselves?;…

GLOBE AND MAIL.COM | OTHER - JOE MASOODI - 2023-01-28

• In this piece, senior analyst policy Joe Masoodi explains that we should talk openly about cybercriminals attack, ransomware, data protection, etc. According to Joe Masoodi, the Canadian government has responded partially these cybersecurity concerns with the proposed cybersecurity law, Bill C-26. However more should be done.

Intelligence agency calls for a ’heightened state of vigilance’ against Russian-aligned hacks

CBC.CA: POLITICS | POLITICS - CATHARINE TUNNEY - 2023-01-26

• The agency that oversees cybersecurity for the federal government on Thursday called for a "heightened state of vigilance" against the threat of retaliatory cyber-attacks from Russia-aligned hackers - just hours after Ottawa promised to give Ukraine four Leopard 2 A4 main battle tanks.

Le Canada augmente sa vigilance face aux cyberattaques de pirates prorusses

RADIO-CANADA.CA: GRANDS TITRES | EUROPE - 2023-01-26

• Le journal explique que le Centre canadien pour la cybersécurité a fait un appel à la vigilance à la communauté canadienne de la cybersécurité, en particulier aux défenseurs des infrastructures critiques et des réseaux de l’industrie de la défense.

Le PDG de l’agence fédérale de cybersécurité met en garde contre TikTok

RADIO-CANADA.CA: GRANDS TITRES | POLITIQUE FÉDÉRALE - 2023-01-22

• Dans cet article, Evan Koronewski, le porte-parole du Centre de la sécurité des télécommunications, affirme que le Centre travaille en collaboration avec des partenaires fédéraux du Secrétariat du Conseil du trésor et de Services partagés Canada pour s’assurer que les systèmes d’information et les réseaux du gouvernement demeurent sécurisés et protégés.

Policy-makers need to recognize and regulate digital infrastructure

Elon Musk’s leadership of Twitter has been chaotic. In the past few months, he has fired half of the sales and engineering staff, amplified conspiracy theories, welcomed back banned right-wing figures, and presided over the exodus of many of the company’s top advertisers, who now perceive Twitter as unsafe for…

Hill Times - 2023-01-18

• In this piece, Natasha Tusikov , professor of criminology in the department of social science at York University, affirms that critical digital infrastructure should be stable and reliable given our economic, social and political dependence on digital services.

Mendicino open to working with MPs to ’improve’ much-criticized cybersecurity bill

Please note this content is not part of the Copyright Media Clearance Program. To read the article, click the external link below to visit the website. / Veuillez noter que ce contenu ne fait pas partie du Programme d’autorisation pour les médias protégés par les droits d’auteur. Pour lire l’article…

CTV News - 2023-01-10

• Journalist Jim Bronskill wrote about the federal government’s intention to establish a framework to better shield systems vital to security and give authorities new tools to respond to emerging threats in cyberspace.

ESPIONNAGE : LE CANADA EN RETARD SUR SES ALLIÉS

Le Canada n’est pas prêt, tant stratégiquement que technologiquement, à faire face aux nouvelles menaces mondiales en matière de sécurité nationale, selon plusieurs experts. PENDANT QUE LES ÉTATS-UNIS, LE ROYAUME-UNI ET LA NOUVELLE-ZÉLANDE S’ACTIVENT, NOTRE PAYS « N’AGIT PAS » Au printemps dernier, un groupe de travail de l’Université d’Ottawa regroupant les experts…

JOURNAL DE QUÉBEC - 2023-01-07

• L’article du Journal de Québec adresse le fait que le canada ne soit pas prêt au niveau stratégique et technologique, à faire face aux nouvelles menaces mondiales en matière de cyber sécurité nationale. On y mentionne également que les dangers qui guettent le Canada sont nombreux et imprévisibles selon le directeur du Service Canadien du renseignement, David Vigneault.

Canada’s electronic spy agency watching TikTok ’very carefully,’ Trudeau says

…CSE is one of the best cyber security agencies in the world and they’re watching very carefully." WATCH | CSE watching social media ’carefully’ for foreign threats, Trudeau says U.S. moves to ban TikTok Republican Sen. Marco Rubio on Tuesday announced bipartisan legislation to ban the app, which reaches more…

CBC.CA - BEN ANDREWS - 2022-12-15

• Ben Andrews published a piece about the federal government watching threats from the popular Chinese-owned social media app Tik Tok and any other cybersecurity dangers for other government accounts such as Twitter.

Data breach of Ontario’s vaccine booking system affects hundreds of thousands, province…

…The statement says the vaccine booking system is "regularly monitored and tested" through the Ministry of Health’s cyber security protocols, and that the province is "confident" the system remains a secure tool. Photo: The ministry says it has been working with the Ministry of Health, police and Ontario’s privacy commissioner…

CBC.CA - 2022-12-09

• This article talked about thousands of Ontarians’ personal information that may have been compromised in a data breach of the Ontario’s vaccine management system. Nevertheless, the provincial government affirms that their vaccine booking system remains a secure tool.

LCBO confirms malware attack intended to steal customers’ personal information online

…he LCBO is just one of several government agencies facing tech troubles this week. In December, a ransomware attack shut down network systems at the Hospital for Sick Children and took weeks to fully restore. On Tuesday, Toronto’s University Health Network experienced a "Code Grey" outage of its computer systems. As…

TORONTO STAR.COM - SANTIAGO ARIAS OROZCO - 2023-01-12

• Santiago Arias Orozco wrote about the recent cyber attack on the LCBO websites. A malicious code was embedded into their website to obtain LCBO’s customers personal information such as addresses and credit card numbers.

Amnesty International Canada hit by cyberattack out of China, investigators say

The Canadian branch of Amnesty International was the target of a sophisticated cyber-security breach this fall - attack forensic investigators believe originated in China with the blessing of the government in Beijing. The intrusion was first detected on October 5, the human rights group said Monday. The attack showed…

CBC.CA: POLITICS - MURRAY BREWSTER - 2022-12-05

• Murray Brewster wrote about a sophisticated cyber-attack breach that happened to the Canadian branch of Amnesty international. He wrote that the attack showed signs of being the work of what’s known as advanced persistent- threat group according to the cyber security company. The goal behind the attack appeared to be attempting to obtain a list of Amnesty’s contacts and monitor its plans.

Social Media Scan

• Between December 1^st 2022 and present (January 19^th 2023), total Twitter impressions (the total number of times a tweet has been viewed) was 28M from 99 mentions by 26 users (not including quoted tweets or retweets). 69% of the 99 mentions were original tweets while 29.8% were retweets (5.1% were replies and 2% were quoted tweets). The sentiment was generally negative with 57% of users reporting on cyber/malware attacks and ransomware.
• The top hashtag used was #cybersecurity (17 mentions). Other top hashtags included #ransomwhere (16 mentions), #cybersecuritytoday (10 mentions), and #getcybersafe (8 mentions).
• The top tweets were the following:

Text version

10 blue, round icons connected with a thin red line in a rectangle representing the different critical infrastructure sectors:

• Energy and utilities
• Finance
• Food
• Health
• Government
• Safety
• Water
• Transportation
• Information and communication technology
• Manufacturing

Text version

An open laptop faces towards the right with a cloud in the centre of the image. The cloud is surrounded with concentric circles and icons depicting location, contact information, download, calculator, credit card, desktop and mobile devices.

Text version

On the left half, on a navy blue background are the headings “Canadian Centre for Cyber Security” and “National Cyber Threat Assessment”. On the right half, on a white background is a circle split diagonally with images of the Canadian flag and programmer code. The centre of the circle has the years 2023 and 2024.

Text version

Light blue background with a dark blue computer monitor on a flat surface. A shadow of a hooded individual appears to be coming out of the screen.

Recent Media Calls with Responses

House of Commons Standing Committee on Public Accounts - OAG’s Fall Audit entitled: Report 7, Cybersecurity of Personal Information in the Cloud

February 2023

In advance of PACP this package contains recent media calls and their responses along with further relevant questions and answers.

Questions and Answers

On Cloud

Q1. The auditor general recently found that the government is not protecting the personal information of Canadians stored in the cloud. How could you have allowed these serious security gaps to happen and why didn’t you inform Canadians that their information was at risk?

The Auditor General’s report did not find that personal information of Canadians had been compromised, or that security breaches to personal information had occurred.

While there is no such thing as zero risk when it comes to cyber threats, together with our partners, we are ensuring that the highest levels of protection are in place. In support of this ongoing effort, we welcome the recommendations of the Auditor General.

TBS officials have reached out to their counterparts to remind organizations of their responsibilities in ensuring the protection and security of information in the cloud.

Q2. What advancements has government made on the OAG’s recommendations?

TBS is working with CSE, SSC, and PSPC to implement the recommendations outlined in the OAG Audit Report and has developed a detailed action plan to respond to the recommendations. On December 2022, TBS published the initial version of the GC Public Cloud Roles and Responsibilities. TBS is also working with SSC, CSE, and PSPC to update, publish, and communicate the Cloud Responsibility Matrix which will further assist departments in ensuring clarity in the roles and responsibilities and expectations when using cloud services.

A refresh of the Government of Canada Cyber Security Event Management Plan was completed and published in November 2022. This addressed lessons learned from cyber simulation exercises as well as recent cyber incidents. The update also reflected third-party suppliers including cloud service providers who are required to manage and report on cyber events in accordance with the stipulations outlined in their respective contractual agreements with the GC.

Q3. How do we know that Canadians’ personal information is safe in the GC cloud environment?

The GC depends on vendors for many aspects of security and privacy. The Government of Canada Cloud Security Risk Management Approach and Procedures document outlines the key points for managing security risks when services are hosted on a cloud environment provided by a cloud service provider.

One of the ways the government manages this risk is by requiring cloud service provider to clearly document the security controls and features implemented within their cloud services so government can ensure that the environment is secure.

The government’s security approach and procedures document also outlines the requirement for departments to conduct a privacy impact assessment when they are planning to implement a cloud-based service that involves personal information. The assessment must comply with the Directive on Privacy Impact Assessment to ensure that privacy concerns and risks are appropriately mitigated.

Q4. The Auditor General indicated that there was a risk to personal information in the cloud. Was Canadians’ personal information compromised?

It is important to note that the Auditor General’s report did not find that personal information of Canadians had been compromised or that security breaches to personal information had occurred.

Q5. How does the Government of Canada ensure cloud service providers meet Government of Canada security requirements?

Under the GC Cloud Framework Agreement, there are requirements for cloud service providers to ensure their data centers are hosted in Canada. In addition, the GC cloud guardrails direct departments with specific data residency requirements outlined under the Directive on Service and Digital. It is the department’s responsibility to ensure their facilities are located in the right location, and this is validated through the GC’s cloud guardrail validation process.

In order for a cloud service provider to work with the Government of Canada, they must first agree to meet government security policy requirements through the contracting process. The contracts contain terms and conditions that bind the vendors to their obligations to implement government security requirements.

Once a cloud service provider has been awarded a contract, the department conducts a security assessment and authorization process to ensure the appropriate security controls are in place. This process is signed off by the Chief Information Officer and/or Department Security Official.

The GC develops and maintains cloud security controls as identified in the Government of Canada Security Control Profile for Cloud-based GC Services. This specifies the security controls that must be met by cloud service providers and departments and agencies to host GC programs and services in the cloud and summarizes the context in which these security controls are expected to be implemented. These security controls are based on internationally recognized security certifications.

The GC cloud guardrails are validated by Shared Services Canada. The process includes the validation of evidence packages provided by departments confirming their adherence to the protocols set out in the relevant security policies. A monthly compliance report is prepared and submitted to the Treasury Board of Canada Secretariat summarizing the GC’s compliance to the policies.

Q6. How will TBS provide guidance through policy to ensure that contracts on IT services meet privacy and environmental requirements across all organizations? What guidance has been provided already?

As per the Policy on Government Security, departments must ensure that security requirements associated with contracts and other arrangements are identified and documented, and that related security controls are implemented and monitored throughout all stages of the contracting or arrangement process. This will provide reasonable assurance that information, individuals, assets, and services associated with the contract or arrangement are adequately protected.

The Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) supports departments in understanding existing TBS security policy requirements in the context of cloud computing and to set out guidance to assist organizations in the secure use of commercial cloud services (cloud services). This includes the expectations for departments to ensure that IT security requirements are addressed at every stage of contracting when acquiring cloud services, in accordance with the Directive on Security Management.

Q7. What directives and policies are put in place for departments contracting with cloud service providers?

SSC acts as a broker of cloud services for the Government of Canada (GC), ensuring that a variety of services are available to meet the unique business needs of each government organization. These contracts provide the GC with access to a wide range of qualified cloud service providers who are certified to meet the GC’s stringent security requirements. Any department and agency can access these contracts through the GC Cloud Services Portal, which simplifies the procurement process for them and shortens the lead time required to get started with cloud.

Departments can buy cloud services through these contracts, which reduces procurement time and standardizes the requirements that cloud providers must compete against.

Q8. What classification level can be supported in the cloud?

Government of Canada (GC) information in the cloud has a security category of Protected B for confidentiality. The Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) supports departments in understanding existing TBS security policy requirements in the context of cloud computing and to set out guidance to assist organizations in the secure use of commercial cloud services (cloud services).

Q9. Why were PSPC and SSC not aligned to ensure inclusion of environmental criteria / security requirements during the procurement of cloud services, given the GC’s net-zero target?

As part of Shared Services Canada’s (SSC) and Public Services and Procurement Canada’s (PSPC) efforts to align approaches around cloud procurement, a draft standard template for cloud contracts has been developed that includes standard sustainability terms for cloud providers. It is anticipated that the new template will be released this fiscal year.

The framework agreements currently do not include sustainability requirements; they do provide the ability to include such requirements in future solicitations. SSC has developed rated environmental criteria, which it has begun to include in competitive solicitations under the Government of Canada Cloud Framework Agreement. The agreement includes greening requirements related to greenhouse gas emission (GHG) reduction targets. In addition, SSC has confirmed that all eight GC cloud framework vendors have equal or enhanced targets compared to Canada’s net-zero commitments.

PSPC’s Software as a Service (SaaS) supply Arrangement (SA) does not evaluate environmental criteria; however, it does collect this information from suppliers in order to assist clients in evaluating SaaS solutions available through the SA. PSPC will update the environmental information collected in its SaaS SA and will refresh the SA in order to address Government of Canada priorities related to net-zero greenhouse gas emissions. The SA will enable clients to include environmental criteria in bid solicitations issued against the SA, and PSPC plans to develop resulting contract clauses about greenhouse gas emissions reduction targets.

Q10. How does PSPC ensure departments are aligned in terms of procuring cloud services with consistent criteria?

SSC and PSPC aim to provide consistent access to world-class, secure cloud services. SSC does so when providing access to cloud hosting and enterprise digital solutions, and PSPC when procuring Software as a Services operating in a cloud environment.

SSC and PSPC have collaborated to achieve common terms and conditions for cloud contracting, which has streamlined and improved the user experience for cloud consumers.

Q11. What guidance has been provided to departments regarding inclusion of environmental considerations into procurement of cloud services?

The Government of Canada is committed to reducing Canada’s greenhouse gas emissions by 40% from 2005 levels by 2030 and putting Canada on a path to reach net zero emissions by 2050, in line with the ratified Paris Agreement. Greenhouse gases trap heat in the Earth’s atmosphere, contributing to climate change.

Contractors must provide a certification from an independent third party or a letter attesting to the verification that they have science-based greenhouse gas reduction targets set in line with the Paris Agreement or net-zero targets set for 2050 or before. At its discretion, Canada may audit a contractor by requesting certifications or letters to validate that they are in compliance with this requirement.

Q12. Can you explain the change from Cloud First to Cloud Smart as seen in the new Cloud Strategy Update?

The evolution to Cloud Smart means that we will study all material prior to moving to Cloud. Content will be considered from a security point of view as well as a costing scope. This evolution is an indication that government is still in the early stages of Cloud adoption and that we are learning from best practices and implementing them as we grow.

On Government Wide Cyber Security

Q1. What is the GC CSEMP?

The GC CSEMP is a whole-of-government incident response plan. It provides an operational framework which outlines the stakeholders and actions required to ensure that cyber security events (including cyber threats, vulnerabilities or security incidents) that impact or threaten to impact the GC’s ability to deliver programs and services to Canadians are addressed in a consistent, coordinated, and timely fashion across the government.

Q2. Who are the key stakeholders involved in the GC CSEMP?

TBS, which has responsibilities outlined in the Policy on Government Security, and the Canadian Centre for Cyber Security (Cyber Centre), as the national technical authority on cyber security, are primary lead security agency (LSA) stakeholders in the GC CSEMP and lead the coordination of all events that meet the criteria for GC Cyber Security Event Management Plan (GC CSEMP) responses.

Q3. Why hasn’t the GC CSEMP been updated since 2019? How do you know if it has been successful to manage incidents?

A new version of the GC CSEMP was posted on Canada.ca in November 2022. This version was tested during the EnGarde 2022 cyber simulation exercise and contains the lessons learned from the exercise along with other lessons learned from cyber events affecting the government. Continuous testing of the GC CSEMP strengthens the government’s ability to respond to cyber events in a consistent, coordinated and timely manner across the Government of Canada, which is essential in ensuring the security and resilience of government programs and service delivery. The newest updates to the GC CSEMP are highlighted on Canada.ca.

Q4. What will TBS do to ensure that it will stay up to date on its versions?

TBS will continue to test and review the plan on an annual basis, and update it if changes are warranted, to ensure effectiveness. Analyzing post event reports and conducting Government of Canada-wide lessons learned exercises of cyber events are also important inputs into updates of the GC CSEMP. These exercises also help drive security policy, privacy policy, or enterprise security architecture-related improvements.

Q5. What is an EnGarde Tabletop Exercise?

Tabletop exercises are roleplaying scenarios that help the Government of Canada test specific aspects of a cyber response or overall performance. These simulations are a useful way to improve the coordination and effectiveness of the government’s response to cyber events. Participants of these exercises include primary stakeholders from the Treasury Board of Canada Secretariat and the Communications Security Establishment Canada and it’s Centre for Cyber Security, as well as other specialized lead security agency stakeholders. Conducting regular exercises to test both the GC CSEMP and departmental CSEMPs is important to ensure individual stakeholders (especially when there are changes in personnel) understand their roles, to validate the plans, and revise them based on lessons learned during exercises.

Privacy

Q1. What is the Government of Canada doing to prevent and responds to privacy breaches?

The Government of Canada takes all privacy breaches seriously. Institutions are required to report privacy breaches involving sensitive personal information that could cause serious injury or harm to an individual, to the Treasury Board Secretariat and the Office of the Privacy Commissioner.

The Government of Canada has developed a range of tools to guide institutions to fulfill their responsibilities when a privacy breach occurs. This toolkit improves the government’s ability to respond to and prevent privacy breaches, which in turn ensure better protection of personal information of Canadians. The government also has robust systems and tools in place to monitor, detect and investigate potential threats, and takes active measures to address and neutralize them.

The Government of Canada works continuously to enhance cyber security in government services to safeguard personal and private information, how to make sure it’s not so costly moving forward

NSICoP

Q1. The NSICOP report observed that the cybersecurity system "is increasingly managed horizontally, while its foundational authorities remain vertical. This creates significant discrepancies: Treasury Board policies intended to secure government systems are not uniformly applied; individual departments and agencies retain considerable latitude whether to opt into the framework or to accept specific defensive technologies; and a large number of organizations, notably Crown corporations and potentially some government interests, neither adhere to Treasury Board policies nor use the cyber defence framework." Does the government agree with this criticism? Is so, what will you do about it?

The Government welcomes the findings of the National Security and Intelligence Committee of Parliamentarians (NSICoP) and I would thank them, as well, for recognizing the progress the government has made on dealing with cyber threats.

Treasury Board Secretariat (TBS) will be conducting a review of its policy framework to ensure that cyber defence directives and policies are applied to federal organizations not currently subject to them to the greatest extent possible.

TBS is continuing to work with Shared Services Canada (SSC) and the Communications Security Establishment (CSE) to extend advanced cyber defence services, notably the Enterprise Internet Service of Shared Services Canada and the cyber defense sensors of CSE, to all federal organizations. Our officials continue to encourage all organizations to take advantage of the full complement of the government’s cyber defence services.

Recent Media Calls and Responses

Ransomware

Marsha McLeod – G&M – Jan 19

According to redacted records from the Office of the Privacy Commissioner of Canada, PSPC (or perhaps an entity connected to it) was hit with a ransomware attack, which it reported to the OPC in a breach report received by the office on July 22, 2021. I have attached the record I am reviewing, for your convenience.

1. In this instance, did PSPC make a ransomware payment? If so, how much was it for?
2. How were attackers able to gain control of the system in question?

RESPONSE:

The Government of Canada (GC), like all other government and private sector organizations around the world, face constant and persistent cyber threats. The Government continually strives to improve cyber security in Canada by identifying cyber threats and vulnerabilities, and by preparing for and responding to all types of cyber incidents to better protect Canada and Canadians.

Although there is no official government policy on paying ransomware, the GC does have policies that outline security measures that protect information, information technology assets, and server infrastructure that help prevent ransomware attacks. In addition to advice from the Canadian Center for Cyber Security, the RCMP also recommends against paying a ransom, as payment does not guarantee the unlocking of a computer or network (Preventing Ransomware | Royal Canadian Mounted Police (rcmp -rcmp.gc.ca).

The Treasury Board of Canada Secretariat (TBS) is currently developing Safeguards for the Prevention and Mitigation of Ransomware which are intended to help GC organizations understand the current requirements under the TBS Security Policy in the context of ransomware prevention and mitigation. These measures also outline guidance from the Ransomware Playbook (ITSM.00.099) - Canadian Center for Cyber Security and reference applicable policies from Treasury Board policy instruments.

As a security measure, the Government of Canada does not discuss specific details of cyber investigations.

Treasury Board policies and the cyber defence framework

Response to IT World (Solomon) – Feb 23, 2022:

Questions:

Q1. The Parliamentarians complained the cybersecurity system "is increasingly managed horizontally, while its foundational authorities remain vertical. This creates significant discrepancies: Treasury Board policies intended to secure government systems are not uniformly applied; individual departments and agencies retain considerable latitude whether to opt into the framework or to accept specific defensive technologies; and a large number of organizations, notably Crown corporations and potentially some government interests, neither adhere to Treasury Board policies nor use the cyber defence framework." Does the government agrees with this criticism?

Q2. If not, why not?

Q3. If yes, what will the government do about it?

Response:

The Government of Canada recognizes that secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of things such as health care, financial transactions, safe transportation, and emergency communications. The Government is continuously working to enhance cyber security in Canada by identifying cyber threats and vulnerabilities, and by preparing for and responding to all types of cyber incidents to better protect Canada and Canadians.

The Government agrees with the findings of the National Security and Intelligence Committee of Parliamentarians (NSICoP) and agrees with its recommendations.

To that end, the Treasury Board of Canada Secretariat (TBS) will be conducting a review of its policy framework to ensure that cyber defence is applied equally to departments and agencies, including small organizations, Crown Corporations, and other federal organizations not currently subject to its cyber defence policies and directives, to the greatest extent possible. This includes alignment between the scope of the Policy on Government Security and the Policy on Service and Digital. This review will take into consideration the Financial Administration Act and the authorities under that Act, as well as any legal considerations.

The Treasury Board of Canada Secretariat is continuing to work with Shared Services Canada (SSC) and the Communications Security Establishment (CSE) to extend advanced cyber defence services, notably the Enterprise Internet Service of Shared Services Canada and the cyber defense sensors of CSE, to all federal organizations. All federal organizations can access the government’s cyber defence services and we continue to encourage them to take advantage of the full complement of the government’s cyber defence services.

CSE helping Canadian Businesses

Response to CBC (Tunney) – February 15, 2022

Questions:

1. Case study two gives details about CSE using its new authorities to help a Canadian business. How many times since 2019 has CSE used its authorities for non-federal institutions?

2. What sectors do they fall in?

3. When Bill-59 passed, was this anticipated?

4. Given some of the examples in this report and then stories like the N.L. incident, is there a conversation at all about how to export CSE’s defence capabilities to non-federal organizations, businesses etc.

5. Page 27 mentions "the government is currently considering a policy on ransomware payments." Is that something CSE is involved in and if so what is under consideration?

Provided response:

The Government of Canada recognizes that secure and reliable connectivity is a necessity for our daily lives and our collective safety and security. It underpins the delivery of things such as health care, financial transactions, safe transportation, and emergency communications. The Government is continuously working to enhance cyber security in Canada by identifying cyber threats and vulnerabilities, and by preparing for and responding to all types of cyber incidents to better protect Canada and Canadians.

The Government agrees with the findings of the National Security and Intelligence Committee of Parliamentarians (NSICoP) and agrees with its recommendations.

To that end, the Treasury Board of Canada Secretariat (TBS) will be conducting a review of its policy framework to ensure that cyber defence is applied equally to departments and agencies, including small organizations, Crown Corporations, and other federal organizations not currently subject to its cyber defence policies and directives, to the greatest extent possible. This includes alignment between the scope of the Policy on Government Security and the Policy on Service and Digital. This review will take into consideration the Financial Administration Act and the authorities under that Act, as well as any legal considerations.

The Treasury Board of Canada Secretariat is continuing to work with Shared Services Canada (SSC) and the Communications Security Establishment (CSE) to extend advanced cyber defence services, notably the Enterprise Internet Service of Shared Services Canada and the cyber defense sensors of CSE, to all federal organizations. All federal organizations can access the government’s cyber defence services and we continue to encourage them to take advantage of the full complement of the government’s cyber defence services.

Previous OGGO

Cyber Attacks and Privacy

Q1. Following your last appearance here at OGGO, you informed us that there were 308 cyber incidents reported in the past year. You also reported that there were 358 material privacy breaches reported to your departments between March 2021 and January 2022. You also said that the reporting currently does not correlate cyber incidents and material privacy breaches. When is the government going to get serious about making sure that Canadians’ private information is safe within government systems? Why is the government not doing more to prevent cyber attacks that are potentially putting Canadians’ personal information at risk?

Response from OGGO

A1. As per the Government of Canada Cyber Security Event Management Plan, departments and agencies are responsible for reporting cyber incidents to the Canadian Centre for Cyber Security (CCCS). In the last year, there were a total of 308 cyber incidents reported.

The Government of Canada works continuously to enhance cyber security in government services by preventing attacks through implementation of protective security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to cyber incidents to better protect Canada and Canadians.

Institutions are responsible for establishing plans and procedures for addressing privacy breaches, and are required to notify the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat when there is a material privacy breach, in accordance with the Directive on Privacy Practices. Material breaches are breaches that involve sensitive personal information – such as medical and financial information – and could reasonably be expected to cause injury or harm to the individual.

Between March 2021 to January 2022, there have been 358 material privacy breaches reported to TBS. At this time, reporting does not correlate cyber incidents and material privacy breaches.

TBS supports institutions in the management of multi-institutional privacy breaches across government and identifies where additional guidance or training may be required.