Question Period Note: Cyber Security Overview
About
- Reference number: PSPC-2022-QP-00031
- Date received: Feb 3, 2022
- Organization: Public Services and Procurement Canada
- Name of Minister: Tassi, Filomena (Hon.)
- Title of Minister: Minister of Public Services and Procurement
Issue/Question:
Explaining Shared Services Canada’s role in addressing cyber security, as opposed to other agencies such as the Treasury Board Secretariat and the Communications Security Establishment.
Suggested Response:
- Shared Services Canada works diligently to keep networks safe, secure, and accessible for Canadians
- Cyber security is a shared responsibility between SSC, CSE and TBS. SSC is an integral part of the cyber security tripartite
- SSC supports the effective design, delivery and management of priority IT security initiatives affecting Government systems and Government-wide operations
- When a cybersecurity event occurs within its network infrastructure, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery. This is also true for SSC-managed components in the Cloud
- SSC continuously works to enhance the cyber security of Government of Canada digital assets by preparing for all types of cyber incidents and for responses to threats
If pressed on Budget 2022:
- The National Cyber Security Strategy, announced in 2018, is working to keep Canadians safe from evolving cyber security threats that target Canadians, Canadian businesses, and our critical infrastructure
- As Canadians grow more dependent on digital systems, the potential consequences of cyber incidents continue to increase, and Canada needs to be ready
- That is why Budget 2022 proposes to provide $875.2 million over five years, beginning in 2022-23, and $238.2 million ongoing for additional measures to address the rapidly evolving cyber threat landscape
- This includes $178.7 million over five years allocated to SSC and CSE, starting in 2022-23, and $39.5 million ongoing, to expand cyber security protection for small departments, agencies and Crown corporations
If pressed on SSC’s responsibility vs. that of CSE:
- Although most of the security systems used to protect the Government of Canada’s IT infrastructure are designed and managed by SSC, the Cyber Centre also uses an array of its own complementary solutions to supplement the SSC-managed security systems
- While SSC provides IT security infrastructure, the Cyber Centre monitors government systems and networks for malicious activities and leads the government's operational response to cyber security events
Background:
Overview
The Government of Canada works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians.
The Government has improved its enterprise capacity to detect, defend and respond to cyber threats; centralized Internet access points; launched an enterprise security architecture program; established the foundation of a Government Cyber Security Program and implemented a whole-of-government incident response plan.
Given the cross-cutting nature of cyber security, a number of other federal departments and agencies play a role in various aspects of cyber security including: TBS, Communications Security Establishment, Public Safety Canada, the RCMP, CSIS, and National Defence.
Government of Canada departments and agencies play an integral role in establishing governance to ensure the integrated management of service, information, data, IT, and cyber security within their departments.
Roles and Responsibilities
Government departments and agencies have a responsibility to ensure cyber security within their organization.
TBS, SSC, and the Communications Security Establishment (CSE) are the primary stakeholders with responsibility for ensuring the Government’s cyber security posture is effective and able to respond to evolving threats.
TBS provides strategic oversight of Government cyber security event management to ensure effective coordination of major security events and support government-wide decision-making. The Government of Canada Cyber Security Event Plan provides an operational framework which outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion across the government. The Chief Information Officer for the Government of Canada, at TBS, sets Information Technology security policy along with other delegated powers.
SSC provides IT security infrastructure (design, deploy and operate). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services.
Although most of the security systems used to protect the Government are designed and managed by SSC, the Canadian Centre for Cyber Security (Cyber Centre) also uses an array of its own complementary solutions to supplement the SSC-managed security systems (e.g., Host-Based Sensor for monitoring and protection of Government of Canada endpoints).
The security of goods and services is evaluated at all stages of the procurement process to ensure what SSC buys from suppliers is as safe from cyber security threats as possible.
CSE houses the Cyber Centre, which monitors government systems and networks for malicious activities and cyber-attacks and leads the government's operational response to cyber security events. The Cyber Centre works to protect and defend the country’s valuable cyber assets and works side-by-side with the private and public sectors, including critical infrastructure, to solve Canada’s most complex cyber issues.
The Cyber Centre leads the “Get Cyber Safe” national public awareness campaign to inform Canadians about cyber security and the simple steps they can take to protect themselves online.
Public Safety Canada leads national cyber security policy and strategy by, for example: coordinating the overall response to significant national cyber events through the Government Operations Centre, working closely with TBS; and working with Canadian and international governments, associations, academia and industry to continually advance cyber security both domestically and internationally. Public Safety Canada is also the lead on developing a new policy pertaining to how the GC supports non-government entities; the draft policy is currently called Government of Canada Coordination Policy for Cyber Security Incidents and Events Affecting Non-Government of Canada Cyber Systems. SSC’s role under that policy will need to be defined.
The Royal Canadian Mounted Police is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the Government of Canada's infrastructure. They also lead the investigative response to suspected criminal national security cyber incidents and assist domestic and international partners with advice and guidance on cybercrime threats.
Canadian Security Intelligence Service is the primary department responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.
National Defence/Canadian Armed Forces is the primary department responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.
Each department has responsibilities under the TBS Policy on Service and Digital for specific aspects of cyber security, such as:
- Integrating cyber security in the overall governance of service, information, data and information technology;
- Designating an Official for Cyber Security who is responsible for the departmental cyber security management function; and
- Including cyber security in departmental planning in alignment with the enterprise-wide plan approved by the Chief Information Officer of Canada
Additional Information:
None