Committee
Consult the user guide
For assistance, please contact us
Consult the user guide
For assistance, please contact us
Add search criteria
Results: 1 - 60 of 1066
View Andrew Cash Profile
NDP (ON)
View Andrew Cash Profile
2015-06-04 12:35
Mr. Chair, this has been just a fascinating discussion.
Thank you all for being here.
I'd like to talk about the importance of cybersecurity in the context of emerging disruptive technologies. Maybe we could start with Mr. Horgan, and if I do interrupt, forgive my rudeness but you know we don't have a lot of time.
Patrick Horgan
View Patrick Horgan Profile
Patrick Horgan
2015-06-04 12:35
Here's a little-known fact. The best cybersecurity knowledge has been coming from Canada. Q1 Labs in Fredericton, which you may have run into in your time, is now an IBM company, but it runs our cybersecurity around the world, which is, in many circles, known as top-notch. One of the reasons is not a perimeter defence; it goes back to this point that it's not about putting up walls. It's actually understanding every day on every interaction and in real time what's going on in your network. It's also the realization that cyber-intrusions are happening every day; they're already there, and there's nothing you can do about them, even as interesting individuals. The average time that a cyber person is inside your walls is about a year before they exfiltrate the information they like, because they're looking around for more. That's a quick road that has taken place.
For briefness I'm just going to slow down now and talk about the more comprehensive steps which Q1 Labs have taught us about. They have this Q1 radar that actually overlooks all of your environment and sees anomalies, as you would in police work, and understands the anomalies in real time and then is able to circle the anomalies and eventually take them out of your system. That's the kind of cybersecurity you're interested in having, and frankly, I think it's really one that is world leading and you can take advantage of it. Once you start to take some of those steps, you'll be much more interested in saying, “Let's now open up our data and really encourage ourselves to go to the future.”
Pearl Sullivan
View Pearl Sullivan Profile
Pearl Sullivan
2015-06-04 12:37
I do think there are a lot of habits and ways we do things as a country. This is something we're all going to have to be extremely concerned about as we are moving into an era of the Internet of things. If it's true that our personal health, in the era moving forward...and I think there are a lot of economic benefits to monitoring and tracking elderly and vulnerable Canadians, people who are sick. Part of that is to make sure there's embedded security in all the systems. I think there is quite a bit of work being done in Waterloo. While I do not know what's happening across the country, I do know that in Waterloo, the areas of quantum cryptography and quantum information systems and security are very important. These areas are now being worked on by the Institute for Quantum Computing, the faculty of mathematics, school of computer science, and the department of electrical and computer engineering. In fact, I would say all researchers and users are highly alerted and the area of cybersecurity is front and centre for them.
I also want to talk a little bit about BlackBerry. I think the BlackBerry operating system is still the most secure in the world. It truly is. I think for instance that years ago they also purchased a QNX system, which is used right now in automotive applications and, in fact, right now in transportation systems. QNX is seeing a lot of applications, more than just the cellphone. That security will be the differentiator for the industry.
View Andrew Cash Profile
NDP (ON)
View Andrew Cash Profile
2015-06-04 12:39
Both of you, Dr. Sullivan, and Mr. Horgan spoke a lot about and we share the concern about retaining talent in Canada. During the debates around Bill C-51, a number of business leaders wrote an open letter raising alarms around Bill C-51. I want to quote a small bit from the letter:
Most importantly we ask for data security. We know that many of our clients, including our government, will only host services in Canada because of the invasive privacy issues in the U.S. The U.S. tech industry has already lost billions in revenue because of this, and we don't want it to happen here.
Is there a concern here in Canada around the sorts of invasive technology breaches we're seeing in the U.S? Is there a concern here in Canada around this and its impact on exactly what we're talking about here, retaining talent and building disruptive technologies?
Patrick Horgan
View Patrick Horgan Profile
Patrick Horgan
2015-06-04 12:41
Some of my peers do not have a presence here in Canada. They have sales offices. We actually have a number of centres here where all the data stays in the country.
Now, there's a worldwide flow of data, there's no question. If you are somebody who has to be protected, you need to think about having a presence here, and some people are starting to build a presence so that they don't close off the ability for them to do business in a different way.
Patrick Horgan
View Patrick Horgan Profile
Patrick Horgan
2015-06-04 12:41
Right. My comment before was to ensure that you have a security understanding and take steps if there are gaps. As the government, there are a lot of great steps forward but there's a lot of knowledge still to be gained. Once you get satisfied that you're working that very, very strongly, then start to work on the five open areas of the future. If you wait, or say you're not going to do anything, I'm afraid that's not a very competitive picture for our country.
I think this is a very important field. I totally agree that every new area we're working on is opening up data, potentially, but that's why you have to think about security, focus on it, learn about it, implement it, but then move quickly past it. Don't block it.
Patrick Horgan
View Patrick Horgan Profile
Patrick Horgan
2015-06-04 12:42
I share...anything that's protecting, putting up borders, in the same way I would on free trade. Commerce is being done globally. Every organization, whether they think so or not, is a global company because their customer base, their supplier base, and their competition are coming from around the world. Think of it in that frame of reference. Then I would say you have to figure out ways for yourself to be open on the data side as well in order to compete. That's our take and my take.
View David Sweet Profile
CPC (ON)
Thank you very much, Ms. Sullivan.
Thank you very much, Madam Gallant.
I'm going to take the liberty—I generally never do—because there is one very important question I'd like to have clarified on the record.
Mr. Horgan, you were talking about a different kind of cybersecurity in the sense of not creating a firewall, but having a monitor that's constantly looking at the traffic that's within your network, so if there are any kinds of anomalies then you can address them specifically. Is that going to be quick enough for the kind of cybersecurity we need for personal information, health, and for banking?
Patrick Horgan
View Patrick Horgan Profile
Patrick Horgan
2015-06-04 12:53
As a matter of fact, those organizations, many of the banks, of course, but the government agencies and others, are working with us on that because of the level above.
Why I was even speaking as much as I was is that I was in a cybersecurity U.K.-Canada colloquium that was taking place with their cybersecurity experts, and some of us from Canada on the other side, about two months ago. Unfortunately one of the thoughts was that this is what you do after a cybersecurity attack takes place, this is how you try to recover, like the Tylenol scandal. I thought, “What?” It was amazing to me that that was a general thought, even from the U.K. Thomson Reuters was there as well.
We started to give them this view that this is how a number of other people are doing it here in Canada, and we are taking steps not permeated everywhere. Venus in Ottawa is now a centre of knowledge where people are starting to get the latest in the understanding of how to do this.
I'd say that we in Canada could have a leg up further. If you're going off in your own practices, going to an open Internet somewhere, and trying to put your personal information there, or answering questions when someone says, “Hey, check your bank account. Answer this question and put in your personal information”, then shame on you. That can happen. More education is required.
In terms of systems, to be able to do that thoughtfully, and to have it permeate through your system view of cybersecurity, that is what is required. That's what we have said, that you can take steps. It's not one vendor's view. It's a network of people. I will cite Venus here in Ottawa as one of the leading collaboratives that understands the different steps that are needed.
Patrick Horgan
View Patrick Horgan Profile
Patrick Horgan
2015-06-04 12:55
Real time. Not lightning fast, but real time.
I would even go one step further. Predict it. That's where cognitive computing and this analytics.... You don't just look at the past or the present. You ask, “Where is it coming from next?“ It's like policing. Put the police where the next thing might happen before it happens, because you've seen these patterns in the past. That is where many places have started to take this dramatic step into the future. We can get on top of this.
The one thing I'll leave you with to put on the record is that we can get on top of this. We know as much as, or even more than, some of the bad guys do.
View Diane Finley Profile
CPC (ON)
Thank you very much, Mr. Chair.
I am pleased to be here today to talk about my two departments' main estimates and reports on plans and priorities for the 2015-16 fiscal year. With me from Public Works and Government Services Canada are the deputy minister, George Da Pont, and the chief financial officer, Alex Lakroni.
From Shared Services Canada I'm joined by the president, Liseanne Forand, and Elizabeth Tromp, the acting senior ADM, corporate services, and chief financial officer.
Both PWGSC and SSC provide essential services to other departments and support our government commitment to creating jobs, growth and economic prosperity.
For the 2015-16 main estimates, Public Works' net spending is expected to increase by $30.6 million over the previous year. This is primarily due to the transfer of responsibilities to Public Works from the former Enterprise Cape Breton Corporation, as well as to the rehabilitation of the Parliament Buildings, including interim accommodation for the Senate.
For Shared Services Canada, the 2015-16 main estimates represent a total of $1.444 billion and show a net decrease of $127.8 million compared to the previous year. This is due mainly to savings achieved across various key transformation initiatives and a $63.4 million reduction in funding for partners' projects and initiatives.
Over the next year, PWGSC is looking forward to reaching several milestones.
Last week my colleague Tilly O'Neill-Gordon, member of Parliament for Miramichi, officially kicked off the construction of the new public service pay centre, showing just how far we've come on the transformation of pay administration initiative. The construction of this building will create an estimated 200 jobs in addition to the 550 employees currently working in the interim pay centre. In fact, by the end of the year, over 140,000 pay accounts will be administered at this new centre.
By consolidating pay services into a single building, we will generate approximately $70 million in savings each year starting in 2016-17. Obviously that's good news for taxpayers, and it's good news for the people of Miramichi.
Another great Public Works initiative with which you might be familiar is the build in Canada innovation program, or as we fondly refer to it, BCIP. Through this program our government is kick-starting Canadian businesses by helping them get their innovative products and services from the lab to the marketplace.
One of the biggest hurdles that companies face with new products is making that first sale. As you all know, it can be tough to get someone to take a chance on an untested product or service.
I've heard the story from business owners a hundred times that when Canadian companies try to sell their products internationally, the first question they're asked is if the Canadian government is one of their customers. Let me tell you, it is a pretty tough sell when the answer to that question is no. It's through this program the federal government acts as a first buyer of new technology. I'd like to stress that this is not a subsidy or a grant. Companies and their innovation are matched with government departments that could use their innovation to fulfill a business need.
But, the government departments are not just customers. After test-driving the innovation, they provide real-world evaluation and feedback to suppliers who can then make refinements. We hear all the time that companies find this feedback very useful.
Having made a sale to the Government of Canada, businesses can demonstrate the value of their products and services to potential customers in Canada and indeed right around the world. With 100 contracts issued since 2010, this program is a great boost to innovative Canadian companies.
We're also looking forward to making further progress under our national shipbuilding procurement strategy. Over the next month, Vancouver Shipyards will begin construction on the Canadian Coast Guard offshore fisheries science vessel. Irving Shipbuilding in Halifax will cut steel on the Arctic offshore patrol ship for National Defence.
The two shipyards are employing hundreds of highly skilled workers, while some 256 companies across Canada have already been engaged in contracts valued at $900 million. This is all thanks to our national shipbuilding procurement strategy, which is helping rebuild a strong Canadian shipbuilding industry and a marine industry that will create an estimated 15,000 jobs over the next 30 years.
This long-term approach to building ships will ensure strong jobs and economic growth, stability for the industry, and vital equipment for our men and women in the Royal Canadian Navy and in the Canadian Coast Guard. We are also looking forward to making further progress on our government's new defence procurement strategy.
This strategy marks the most significant shift in the federal government's purchasing of military equipment in 30 years.
It aims to achieve three important objectives: deliver the right equipment to the Canadian Armed Forces in a timely manner; leverage these purchases to create jobs and growth; and streamline our procurement processes. While we've made progress on the implementation of this strategy, I am looking forward to taking further steps to its implementation. Value propositions are beginning to be applied to procurements and will continue to be applied on a systematic basis going forward.
If I may, I would now like to turn to Shared Services Canada. SSC continues to modernize and consolidate our government's IT infrastructure.
Our data centre consolidation will also continue over the course of the fiscal year, as aging data centres are closed and replaced by a small number of modern, secure and highly efficient ones.
Fewer data centres will eliminate duplication, will standardize processes, and perhaps most importantly, will tighten security. We have established three enterprise data centres already and closed 57 data centres over the past two years. Savings of $14.5 million have been achieved already through consolidation and renegotiation of data centre contracts under economic action plan 2012.
In the course of executing this part of the plan, SSC has identified over 200 additional existing data centres, the vast majority of which are small rooms within office buildings. While we initially planned for 485 aging facilities to be replaced by no more than seven modern, secure, reliable centres, opportunities that include better-than-expected pricing and the use of cloud computing will allow Shared Services Canada to now consolidate over 700 data centres to no more than four or five by 2020.
SSC is also helping to modernize our telephone system by moving away from conventional, and quite frankly costly, desktop phones to cellular service or voice-over-Internet protocol phones where possible. Believe it or not, this has already generated ongoing savings of approximately $28.8 million a year.
The safety and security of Canadians continues to be one of the government's top priorities. Shared Services Canada is building a secure, centralized communications infrastructure that directly supports Canada's Cyber Security Strategy. SSC works closely with government security partners to protect government systems from cyber threats and intrusions.
As new products are brought forward, Shared Services will work with industry experts to identify best practices and approaches by providing secure, cost effective, and robust IT architecture.
SSC is making it possible to partner departments to achieve their priorities and better deliver services and programs to Canadians. The total amount the government has saved since SSC's creation is now $209 million each year. That's $150 million for the consolidation of existing services and the reduction of overhead, $50 million through email transformation, and $9 million through the consolidated procurement of hardware and software for workplace technology devices.
Mr. Chair, PWGSC and SSC are tasked with very broad and complex responsibilities. While difficulties can and do arise, overall I am pleased with the progress that has been made by both departments over the last fiscal year.
I anticipate another year of steady progress in achieving cost savings, better services, and greater security for the Government of Canada and for the citizens that it serves.
Thank you very much. We now look forward to your questions.
View Diane Finley Profile
CPC (ON)
It's $400 million a year by the time the transformation is complete.
Another aspect is security. When we had, as we did previously, so many different unconnected systems, the security aspect of monitoring them was really quite a challenge. Through the consolidation that they've already seen, Shared Services Canada has eliminated a number of entry points, which is a good thing, but they've also been able to put in place much better cybersecurity systems and be much more responsive to attacks. As we've seen a couple of times in the last year, they were able to recognize things, get on top of them right away, and then to fix them and take that knowledge that was learned from those experiences and apply it across the government, thereby enhancing security awareness across the board.
There are savings. There are efficiencies and increased security. I think that's a pretty good package. It means that with higher security and more efficient and more responsive systems, we will be able to serve Canadians better, because more and more they are turning to our Internet portals for services, whether it be just to get information, or things like setting up direct deposit accounts, or indeed, transacting business through their personal accounts for themselves or their own businesses.
View Mathieu Ravignat Profile
NDP (QC)
View Mathieu Ravignat Profile
2015-05-26 11:48
Concerns have been raised about the security issues for Shared Services Canada particularly with regard to Bell's involvement. I'd like to know what you have to say about that. Do you think that Bell, for example, has the necessary expertise? How are you ensuring that data is being protected while this transition is going on?
Liseanne Forand
View Liseanne Forand Profile
Liseanne Forand
2015-05-26 11:49
Thank you, Mr. Chair, for the question.
As the minister mentioned in her remarks earlier about Shared Services Canada, improving security, security of data, security of information, and cybersecurity are the key benefits we're seeking to achieve through the transformation and modernization of IT infrastructure. That is true of all the initiatives we have under way.
I think the honourable member is talking about our email transformation initiative. The contract for that was awarded to Bell Canada in partnership with CGI and Microsoft in June 2013. Security of data and security of systems is one of the key objectives of that contract. Our colleagues at Communications Security Establishment Canada have stated time and again that email systems can be a vulnerability for IT infrastructure—
Liseanne Forand
View Liseanne Forand Profile
Liseanne Forand
2015-05-26 11:50
Practically speaking, security has been built in from the beginning through the security clearance of staff and all the facilities in which they're working, as well as right into the infrastructure of the systems. It's had to go through a very rigorous security authorization and accreditation process that was overseen by CSEC. It continues to be a key component of the project.
We have worked very hard with the contractors to make sure that the data is secure. The data centres are located in Canada. The data must be Canadian when it is in place as well as when it is in motion. That means the networking all has to be secured as well.
View Mathieu Ravignat Profile
NDP (QC)
View Mathieu Ravignat Profile
2015-05-26 11:51
Are you confident that the players at the table, Bell, Microsoft, and so on have a good sense of what our security needs are with regard to data, particularly within the public service and in serving the public?
Liseanne Forand
View Liseanne Forand Profile
Liseanne Forand
2015-05-26 11:51
Thank you. That was an excellent point. We have worked very hard, both through the RFP process, as well as with the winning contractor, Bell. We make sure from stem to stern that it is safe and that they understand it.
One thing we've brought in as part of our procurement and building processes is something we call supply chain integrity. We make sure, with respect to every piece of equipment, every piece of gear, that every contractor and every subcontractor is using trusted equipment. We use the security agencies to give us that assurance as we go.
Yes, we believe that we have definitely emphasized to the contractors and to their whole teams that security is absolutely key for us, and we will not approve the email system for use across government until we are absolutely confident it's secure.
View Julian Fantino Profile
CPC (ON)
Thank you, Mr. Chair.
Thank you for the opportunity to address your committee alongside my colleague, Minister Kenney.
I would like to take a few minutes to discuss how the main estimates enable the Canadian Armed Forces and the Department of National Defence to continue defending the sovereignty and security of Canada.
One of my responsibilities as associate minister of Arctic sovereignty, with the increased activity, commercial shipping, natural resources exploration, and even tourism in the north, along with Russian military activity, makes it ever more critical that National Defence has the right monitoring capabilities and the emergency response options to meet the many current and emerging challenges that we face.
Mr. Chair, last month I visited Operation Nunalivut in Cambridge Bay and the Nunavut area to get a sense of how the military conducts northern operations. I also had the opportunity to visit the Joint Task Force North in Yellowknife, and the 1st Canadian Ranger Patrol Group, our eyes and ears in the Arctic.
Mr. Chair, our work in the north to ensure Canada's sovereignty is both impressive and, indeed, vital. Moreover it is critical that National Defence continue to have the right policies and resources in place to protect Canada's northern interests and enable the Canadian Armed Forces to fulfill its responsibilities in this regard.
Another major responsibility of my portfolio is information technology security and foreign signals intelligence, which serve to protect our national security and, of course, our interests. While this might be more abstract, its effects are unequivocally tangible and, indeed, critical. Continual exponential advances in communications technologies are transforming almost every aspect of our lives.
The Communications Security Establishment, CSE, has a vital role in protecting and defending federal government systems from malicious attacks each and every day. National Defence also plays a supporting role and has a great interest in protecting its systems against cyber threats, given the military's reliance on cyberspace to enable its operations, and as we have seen recently, cyberspace is increasingly a prime target for both terrorists and malicious cyber actors.
Mr. Chair, let me be clear. The Government of Canada networks are attacked millions of times every single day, and those numbers will certainly rise. The new reality of modern warfare is here. The digital battleground, as we have witnessed, ranges from recent ISIS cyber attacks to Russian cyber aggression against Ukraine.
Mr. Chair and members, these are just two areas where the Canadian Armed Forces and the Department of National Defence work hand in hand every day to defend and protect Canadians and our interests. The main estimates are a critical part of ensuring that the necessary funding is in place to enable operations to continue.
I should note for your benefit that one noteworthy item from the main estimates is CSE seeing a year-over-year reduction of nearly $301.6 million. This shrinkage is one time, an exceptional occurrence, as it is the result of payment of $306.7 million for contract costs related to the construction of CSE's headquarters in the year prior.
With that, Mr. Chair and members, I will bring my remarks to a close and I would be happy to take your questions.
Thank you.
View Rick Norlock Profile
CPC (ON)
Thank you for mentioning that. Having been in uniform for 30 years, I know how important it is to have the proper uniform and equipment to do your job.
When I asked about the practical implications, that development at CFB Trenton—which is currently in my riding and will be in the new Bay of Quinte riding—means more than just the $800-million-plus that we've spent on infrastructure at the base. What it means to the community, Minister, as I think you've reminded me of in the past, is that payments in lieu of taxes go to that municipality so they can complete their infrastructure and the municipality doesn't have to raise taxes on the local people. Those kinds of investments at our bases, etc., have a multiplier effect.
My next question would be for Minister Fantino.
Thank you for being here, Minister. The main estimates show that there is an increase of $16.1 million to the Communications Security Establishment to further support their mandate. Without getting into any details on specific operations, because I know there is confidentiality around that, can you explain why this is necessary to protect the interests of Canadians in this new day and age?
View Julian Fantino Profile
CPC (ON)
Thank you for that question.
Under its cybersecurity mandate, the CSC helps protect and secure Government of Canada and other important Canadian computer and information networks. CSC's role includes providing advice, guidance, and services to government departments on a wide range of security issues.
There's definitely an exponential increase in the need to escalate that protection because of the advances in technology, obviously, and also because of the use that is made of it and the malicious cyber-actors who operate in this kind of world. Indeed, it also includes the risk and the threat of terrorism. It's about trying to keep pace with all of the issues we're facing and trying to do the best we can, as well as to get ahead of these threats. It's a relatively small amount compared to the value in return.
View Stephen Woodworth Profile
CPC (ON)
My thanks as always to the Auditor General, the assistant auditor general and staff, and also the departmental officials.
I wish to ask some questions with respect to the departmental security plans. Forgive me for being a little naive, but I notice, Ms. Whittle, your title has the word “security” in it. Does that mean I should direct questions about these departmental security plans to you or to some other group?
View Stephen Woodworth Profile
CPC (ON)
In that case, I'll start with you, Mr. Scott-Douglas.
Can you tell me the purpose of the departmental security plans?
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 15:52
Yes. It is important that all departments and agencies have a clear sense of the overall risks that their departments are meeting, that they are ensuring that actions against those risks align with the priorities of their departments.
They ensure that they have the appropriate internal governance and overall planning and processes within their departments to do what's needed to ensure the security, to ensure such things as information is properly secured, to ensure they have such things as the appropriate business continuity plans, and the right kind of physical security and cybersecurity. All these important elements are brought together in an integrated plan, which the department security plan is aimed at ensuring.
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 15:53
They're an evergreen document I think is the best way to put this. It's important always in all areas of management, but most particularly in areas of security, that you keep up to date with those issues before you. It's best to describe them as an ongoing evergreen document.
Deputy heads have responsibility within their organizations to ensure that the planning under the policy on government security is undertaken and that those plans are kept up to date.
View Stephen Woodworth Profile
CPC (ON)
When the Auditor General tells us that about half the departmental security plans that were due by June 2012 had not been finalized at the time of the audit, does that mean there are no departmental security plans for half the departments?
View Stephen Woodworth Profile
CPC (ON)
Does the physical and/or the cybersecurity of a department depend entirely on the contents of the departmental security plan?
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 15:55
It's a very important part of it, but it's certainly not the entirety. I think it's important to note that the Auditor General did not audit departmental security practices. They didn't audit the specific actions being taken to ensure that security in all those important areas that I mentioned are being done.
The degree to which those departmental plans had been signed off by their deputy heads was audited.
A great deal of important practices are ongoing every day to ensure that the security of departments in all those important areas is under way.
View Stephen Woodworth Profile
CPC (ON)
Ms. Cheng, is it correct that the Auditor General did not audit the actual security practices in any given department?
Nancy Cheng
View Nancy Cheng Profile
Nancy Cheng
2015-05-13 15:56
That is correct, Mr. Chair. We did not audit the security practices. The audit focus is on the reporting requirement and whether those departmental security plans were formally approved. At the time of the audit, about half of them did not have an approved departmental security plan.
View Stephen Woodworth Profile
CPC (ON)
That does not equate to saying that half of them have any significant gaps in their security, though, does it? I want to be clear about that.
View Malcolm Allen Profile
NDP (ON)
View Malcolm Allen Profile
2015-05-13 15:57
Thank you to all the witnesses for coming.
Mr. Scott-Douglas, I'd like to keep on the theme that my colleague Mr. Woodworth talked about, and that's the issue of security—albeit, as Ms. Cheng has pointed out, it's really about the auditor looking at the processes and plans; it's not the implementation thereof, but whether there's some structured plan to be secure. I wrote down quickly what I thought I heard you say. Albeit the Auditor General was looking to see that everything would be updated by 2012, you're saying now that 80% are approved and 64% are signed off by deputy heads. Is that correct?
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 15:57
Of those departments covered by the Government of Canada's security policy, that's correct.
Nancy Cheng
View Nancy Cheng Profile
Nancy Cheng
2015-05-13 15:58
Right.
At the time when we completed the audit, we found that about half of them had approved plans. This has to go back to the start of the requirement, really. The policy on government security was approved in 2009. Further to that, there was a directive that required departments and agencies to prepare these kinds of plans.
Really, this is a tool to help them put all their risk postures together so that they can understand what they're faced with, from the physical side to the financial side, as well as the cyber, to ensure that they have a comprehensive view, and to ensure that they have a plan to address the different exposures they think they might have. This helps them put it all together so that they know what they have and they can manage accordingly.
The policy and the directive were in place in 2009. Recognizing that it was a significant exercise, departments and agencies were given time to pull together the plan. That's why the plan was not required before June 2012.
In the report, we note that Treasury Board Secretariat actually did some follow-up as well along the way, trying to see if they were coming along. They were not particularly fast in terms of completing the plans. At the end of the audit timing, we saw that about half of them had completed plans.
Now, because we didn't look at the practices, or didn't look at the state of the unfinished plans, we don't know how mature they are. Treasury Board Secretariat probably has more up-to-date information and perhaps can help us with that.
View Malcolm Allen Profile
NDP (ON)
View Malcolm Allen Profile
2015-05-13 15:59
I think that's where the 64% that's been signed off comes from. We've gone from 50% to 64%, it would seem, from what should have been 100% in 2012. I guess we're moving along by millimetres. I would be hard pressed to say that we're inching along, because that would be too fast. There's incremental movement, albeit it's too slow.
There's ample evidence from last year—not in the report, I must admit—of cyber breaches in some of the departments that, Ms. Cheng, you actually looked at in this audit. I agree with my good friend and colleague Mr. Woodworth that it's not just about cyber breaches, but clearly that's the most egregious part when it comes to the protection of data that's confidential.
Last year, we clearly saw that at Transport Canada. It's one of the departments that's actually in this audit and that is talked about.
Mr. Scott-Douglas, do you know whether Transport Canada is actually finished its particular piece? Has it gotten to the end? Is it one of the 64% that signed off?
I see a nod of the head, so....
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 16:00
Yes, it's non-verbal communication.
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 16:01
It stands in the category of a large department and agency. Its department security plan has been signed off by its deputy head, yes.
View Malcolm Allen Profile
NDP (ON)
View Malcolm Allen Profile
2015-05-13 16:01
Thank you.
As we look at the security pieces, one of the things I find troubling, to be truthful, is the speed at which we move along, Mr. Scott-Douglas. I recognize, sir, that you're not responsible for writing these for all these departments. They report to you as to whether they've done them or not. I understand that. It would be nice to have the departments here to understand why exactly they're so slow. Clearly, when it's of such critical importance and the Treasury Board Secretariat puts a great emphasis on it.... You have a person responsible for making sure that we have things secure. Why are things so slow when there's a real sense that it needs to be done, that it's very important that it be done?
From 2012 to 2015 we've literally gone up 14%. That's not quite true; it's only 14% more than that. If you actually break it down, it's less, about a 7% increase. Do you have any sense, sir, of why it is that slow?
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 16:02
No. It's a very good question, Mr. Allen.
The Treasury Board Secretariat is concerned as well about movement. We've been working with departments consistently. Nancy indicated that there's been consistent follow-up, and we've taken a number of other measures to try and support departments and agencies in this. We have worked on it. Guidelines came out to support departments in working through their security plans. In addition to that, seminars have been held. Recently, a security seminar was held to move that forward. There are workshops. We've developed enhanced templates.
I might just indicate in parentheses here, and it's actually a feature theme of the Auditor General's report, that we've been paying particular attention to move small departments and agencies along and support their capacities to write this kind of report. That's a feature we're going to continue to press, not just in departments' security plans, but in other reporting requirements as well. There would be some tailoring and some adjustments to try to support them.
View Alain Giguère Profile
NDP (QC)
We spoke earlier about how information technology is evolving and the security challenges that that poses for the departments. It is a matter of knowing how much budget cuts have affected security upgrades within the departments. A lot of money went into such upgrades in the past, but despite all that, security is still at risk.
Can we expect that situation to quickly improve?
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 16:57
There is nothing specifically in the audit about that, I'm afraid, so I don't have a direct answer to that.
I would say generally, though, that under the government policy on security, and in the departments' security plans we spoke about a little bit earlier in the meeting, one of the things they would be wanting each department to look at is their general risks to ensure that they would be doing whatever is necessary to try to mitigate those risks.
View Alain Giguère Profile
NDP (QC)
Obviously, we want to avoid this sort of thing as much as possible, but if wrongdoing is committed and the department does not have the resources to remedy or even recognize it, are there people in your units who can be contacted and who can help to fix this problem?
Christine Donoghue
View Christine Donoghue Profile
Christine Donoghue
2015-05-13 16:58
That is a service that the PSC offers and that has been used a number of times. In the past, we have identified problems through audits, sometimes even before an audit is completed. In such cases, we work with groups of experts from the departments to solve these problems.
As I was saying earlier, authority is delegated to the deputy ministers of the departments by the PSC. The PSC also has the power to withdraw or attach conditions to that delegated authority. That has happened only a few times because we have excellent managers. On several occasions, the PSC has taken back the authority in order to help an organization acting on its behalf deal with a situation. That does not happen very often, but the PSC now offers that type of assistance more and more. It is called prevention. We intervene when we can collectively determine that a problem may arise with a process or in the system within a given department.
Roger Scott-Douglas
View Roger Scott-Douglas Profile
Roger Scott-Douglas
2015-05-13 17:07
You're absolutely right to ask that question. We're asking the same question, and we're going to make sure that the plans are done, that deputy heads as they are responsible under policy are having their departmental security plan signed off, and that the benefits of those plans you've quite rightly pointed out are taking effect within departments. I would point out importantly that this was not an audit of security practices, and there's no sense of this being conveyed in anything the Auditor General said, that in any of the departments there's any increased risk, or any concerns on that.
View Marc-André Morin Profile
NDP (QC)
Something is limiting e-commerce. There are pockets of resistance where e-commerce is not developing as quickly as it should.
What regulations, what measures, could we put in place to give users some sense of security so that they are not always worried about the security of their data or financial information and so that they are not victims of fraud or abuse?
Colin McKay
View Colin McKay Profile
Colin McKay
2015-04-29 16:32
Once again, I think the frameworks around security of the networks and the security of financial systems have evolved over the past 10 years, but you're right to identify that as a concern.
One area we're working on as a company, and importantly in Montreal, is to have a cybersecurity team that deals specifically with attempts to deceive users on the web and through our search results. It's called safe browsing, and if you arrive at a search result that we have seen, through our systems, will to try to take you to a malicious website or to steal your information, it will actually block your path and not let you go forward, and warn you.
From the private sector point of view, we find it's just as important for us to make those investments so that our users are confident in these tools, so they can make those financial investments as a small business and be confident that the transaction will work all the way through for them and their customers.
In terms of the government, there's—
Raheel Raza
View Raheel Raza Profile
Raheel Raza
2015-03-25 19:26
Laws obviously do make a difference. They don't deter it entirely but legislation is important in every country in every situation. We need better monitoring of those who are leaving to fight the jihad, so to speak, especially if they are fellow countrymen. At the risk of saying that our civil liberties are threatened, I am the president of an organization and I believe that unfortunately we are living in a post-9/11 world and times are such that personal information needs to be shared. That's the reality and I don't have a problem with it. If my bank accounts, my Internet, and my cellphone are being monitored for the sake of the larger security and safety of this country and if I have nothing to hide and if 17 agencies want to check on me, I'm okay with that. Again, the larger picture is that of the security and safety of Canada.
View James Bezan Profile
CPC (MB)
You mentioned the importance of the role CSE plays in cyber-defence. We, of course, are just wrapping up a study on defence of North America. Cybersecurity has become a major part of that study. Can you talk about the role CSE plays in cyber-defence for Canada?
Greta Bossenmaier
View Greta Bossenmaier Profile
Greta Bossenmaier
2015-03-25 16:41
CSE actually plays a really important role in the cyber-defence world. As this committee appreciates, I'm sure, and as we hear almost every day in some kind of news story, there are increasing threats and concerns in terms of cyber-defence, whether it's from our own personal situations to private sector companies and of course, to government. It's a very dynamic environment now in terms of the variety of different threats to systems. I think that's going to be a really important part of my role going forward.
CSE is a lead security agency from an IT perspective for the Government of Canada. An important role is that cyber-defence role of trying to ensure, along with our partners, such as Shared Services Canada, the Treasury Board Secretariat, and Public Safety, that government systems remain safe and secure, and that the information they hold remains safe and secure.
We have a really skilled team at the CSE that works diligently to protect Government of Canada systems, and I'm sure that will be a very important part of my role in the coming years.
View James Bezan Profile
CPC (MB)
Cyber has been a major issue that we have talked about at this committee. It will be a large component of the report: how we best defend, and also conduct warfare, in cyber.
If you're looking at that from a reserves capability, are you looking at this broad spectrum, or specialized units?
J.J. Bennett
View J.J. Bennett Profile
J.J. Bennett
2015-03-23 16:25
I would say it's a bit of both.
It isn't us looking at it specifically—it's through our chief of cyber—but we're looking at the experience of other nations and their use of reserves. The U.K. and the U.S. have a reserve component with cyber capability, and we're looking at that, whether it's a standing capability, a capability that is brought to the Canadian Armed Forces in a different way, so that these people are working from home or they're....
I think the reason we call it a reserve capability is that they will be held within the Canadian Armed Forces in a different manner. It's not that they will necessarily be part-time or after-supper soldiers or sailors; it would be resident.... It's much like we hold our professionals in the health service reserve in a slightly different way—they're not required to come out every Tuesday or Thursday, or one weekend a month—but considering across the gambit of both, in terms of the protection, the warfare, and I guess a more diverse cyber capability than we had originally considered.
Kevin Radford
View Kevin Radford Profile
Kevin Radford
2015-03-12 12:08
Good morning.
My name is Kevin Radford. I'm the senior assistant deputy minister of operations, and I'm accompanied by Manon FiIlion, director general of finance and deputy chief financial officer at Shared Services Canada.
We are pleased to be here today to discuss the funding that our department is seeking, as provided under supplementary estimates (C), tabled recently in Parliament.
I will start by updating you on the progress the department has made in delivering on its mandate to transform, consolidate and standardize how the government manages its IT infrastructure, particularly in the areas of email, data centres, telecommunications and improved security.
The email transformation initiative is a complex project that involves converting 63 separate email systems and 3 technology platforms of 43 organizations to a new system. Shared Services Canada has now begun to migrate to the new system. The plan is to migrate all departments over the course of the fiscal year.
The department's data centre consolidation is moving ahead. Shared Services Canada currently has three operational enterprise data centres in Gatineau, Borden—on the Canadian Forces base—and Barrie that provide the Government of Canada with the capacity needed to move data and applications out of old data centres and into the new. Shared Services Canada has closed a total of 49 legacy data centres over the past two years. At the end of this initiative, the government's data centre footprint will have shrunk from 485 to no more than 7.
Under the telecommunications transformation program, as of December 2014, almost 38,000 traditional land-lines have been migrated to the more cost-effective voice over Internet protocol, and just over 11,000 traditional land-lines have been migrated to cellular services. SSC is also upgrading and better connecting federal video conferencing and enhancing Wi-Fi services.
Shared Services Canada is also delivering on its mandate by consolidating and standardizing the procurement of workplace technology devices. These include operating system software and basic desktop applications such as word processing software. While the government spends about $660 million a year in this area, Shared Services Canada is negotiating new contracts and now buys these essential tools in bulk, providing consolidated savings.
Shared Services Canada is developing a more integrated approach to improve security for the Government of Canada. Working closely with our security partners, we have created a security operations centre that provides 24-7 prevention and detection services, and a dedicated response and recovery team that directly supports our partner departments. These security services include a supply chain integrity process that is part of all Shared Services Canada's procurements.
I will now turn to the supplementary estimates overview. The supplementary estimates (C) for Shared Services Canada represent an increase of $39.9 million in the department's reference levels.
The first component is $34.3 million in new funding. The majority of this new funding, $32.5 million, will be used to create a more secure IT environment for the National Research Council, following last year's cyber-attack. Shared Services Canada, in collaboration with the National Research Council and Communications Security Establishment Canada, is building a new and secure information technology infrastructure for the National Research Council on an accelerated basis. A portion of the supplementary estimates' financing for the National Research Council is to acquire new network services to take advantage of our new data centre infrastructure and the associated security benefits of this new architecture.
The remainder of the new funding outlined in supplementary estimates (C)—$1.8 million—will support the IT infrastructure that will allow two of our partner departments, Employment and Social Development Canada and Citizenship and Immigration Canada, to upgrade their IT applications to reflect the reforms implemented in 2014 in the temporary foreign worker program, as well as provide additional storage and database capacity and connectivity.
The second component of Shared Services Canada's supplementary estimates (C) is proposed net transfers from our partner organizations, some for adjustments related to Shared Services Canada's creation and others related to specific projects and initiatives.
Let me share with you a couple of highlights of these transfers. Proposed for transfer from Public Works and Government Services Canada is $1.8 million. The transfer is for the closure of three legacy data centres in Ottawa and one in Toronto. From National Defence, $1.3 million is identified for transfer for services and equipment in support of the Mercury Global military wideband satellite project, as well as for support of IT-related renovations at the Royal Military College in Kingston, Ontario.
All these activities are helping Shared Services Canada to improve savings, security, and service. Moreover, by providing secure, robust, modern IT infrastructure, Shared Services Canada is helping our partner departments to achieve their priorities while they deliver services to Canadians.
My colleagues and I will be pleased to answer your questions. Thank you.
View Mathieu Ravignat Profile
NDP (QC)
View Mathieu Ravignat Profile
2015-03-12 12:25
Okay.
My questions will now be for the Shared Services Canada representatives.
When a system is centralized, concerns are raised in terms of security, information loss and a reduction in service quality. I mainly want to talk about security.
I know that Bell was awarded the private contract. What mechanisms are in place to ensure that Bell is working with the departments to ensure the security of Canadians?
Kevin Radford
View Kevin Radford Profile
Kevin Radford
2015-03-12 12:26
With respect to the email contract and all of our contracts, we have implemented a supply chain integrity piece and all of our procurements are subject to a dual process that allows us to look at security from a procurement perspective. In this particular case, we've actually looked at over 2,100 different procurements and Bell was no exception in the contract associated with the email transformation initiative.
View Mathieu Ravignat Profile
NDP (QC)
View Mathieu Ravignat Profile
2015-03-12 12:26
In the call for proposals for that contract, was there clear criteria with regard to what level of security was expected from the company?
Kevin Radford
View Kevin Radford Profile
Kevin Radford
2015-03-12 12:26
Absolutely.
As we involve these new sourcing contracts or as we build our new infrastructure, we are ensuring that we are working closely with the Communications Security Establishment around standards, with the RCMP around physical security standards, and of course, we are building security into our designs.
View Chris Warkentin Profile
CPC (AB)
Wonderful, that's great.
In terms of the move from land-lines to other types of phones, either cellular or VoIP, what is the expected savings with that transformation? Second of all, are there any concerns in terms of the security and the integrity of those protocols? Is there any concern about the security of those conversations that are being taken with cellular phones versus a land-line?
Kevin Radford
View Kevin Radford Profile
Kevin Radford
2015-03-12 12:31
Mr. Chair, thank you for the question.
I'll respond to the security piece first and then turn it over to my colleague for the specific savings associated with the telephony modernization projects. As we move forward with respect to security we have established a security operation centre. This is a 24-7 capability that looks at all of our intergovernmental networks. It looks at all of our infrastructure and it does continuous monitoring and vulnerability assessments. We also have put in place an incident recovery team and an incident response team that's available to all of our partners should some type of security event occur.
With respect to the security of the telephony service itself, we work closely with our Communications Security Establishment. They recently launched a standard for land-lines and for traditional land-line architecture, but also for the voice over IP implementations. They made recommendations up to protected B conversations, and they asked for our partner clients to mask those conversations because telephony security is only as good as the point-to-point interface. I don't want to get too technical, but what it means is that if I'm on a land-line and I'm calling you on a cellular phone the security is really only as good as the cellular phone. That is what we've done with respect to security and with respect to savings.
I will turn that over the Madam Fillion.
View Wai Young Profile
CPC (BC)
I see.
All right. I may be sharing my time, if I have time at the end, with my colleague here, Mr. Kerr.
The cyber-attack was a big issue for Canadians. They were quite concerned about Canadian data, etc., so I wanted to ask Shared Services this. How can we be assured that another attack would not occur? What steps have you taken in these new systems? I was happy to hear about this security centre, which is 24-7, and all the different things that you've done to put that into place and to provide those kinds of services for all the different departments, but can you give us a more in-depth understanding of how we can be assured as Canadians that this attack will not recur?
Kevin Radford
View Kevin Radford Profile
Kevin Radford
2015-03-12 12:39
Thank you, Mr. Chair, for the question.
With respect to the National Research Council and the incident that occurred there, I will try to explain just very briefly. I've talked already about the capability around our security operations centre, but maybe we can reach back a couple of years to when we had a cyber-incident that happened at Treasury Board and at the Department of Finance. The Department of Finance and the Treasury Board were able to continue working because they were on the secure networks of the government. We were able to basically cut off their access to the Internet and they could carry on with business.
With the National Research Council it was much different. They were working outside the government networks. There were many distributed sites across the country and they had varied Internet connections at all of these different sites. The strategy was around the containment of that particular security incident. We worked very closely with the National Research Council in developing that particular plan. Obviously, we had to try to minimize the impact on their operations, so it wasn't as simple as Finance and Treasury Board and allowing them to continue to work. We had to work with them around the containment and to make sure we protected ourselves from the particular incident.
The first order of business was obviously to protect the rest of government from this particular threat. Using the security operations centre and our capable folks who work within Shared Services Canada we were able to do that, as a first instance.
Going forward, the entire program of Shared Services Canada is around upgrading as per the 2010 Auditor General's report on the state of IT infrastructure. By building new data centres we are building in security by design. By reducing the 50 wide-area networks and contracting with our supply chain integrity under national security exceptions, so we know of country of origin, etc., all of this is to put security by design into our new networks as we go forward.
On the issue around the National Research Council and the expense that was associated with it, the nature of that particular threat meant we actually had to physically replace all of the equipment, all of the networks, etc. This was a very sophisticated act as has been discussed in the media, and this necessitated a complete replacement. We couldn't just clean it and use it again. It required a complete, new infrastructure.
In nine or ten short weeks, again working closely with the Treasury Board, working with our security partners, leveraging the new data centres at Gatineau, we were actually able to create a brand new infrastructure working with the vendors' and the telcos' brand new wide-area networks, and create a green environment from which NRC can now operate. We are working closely now with NRC, National Research Council, to migrate their workloads from the contaminated site that's been contained, scrubbing that data and moving that into the new infrastructure.
That's just one example of what Shared Services Canada and the creation of Shared Services Canada can do with respect to security.
Results: 1 - 60 of 1066 | Page: 1 of 18

1
2
3
4
5
6
7
8
9
10
>
>|
Export As: XML CSV RSS

For more data options, please see Open Data