Question Period Note: Cyber Security Overview
About
- Reference number: PSPC-2022-QP-00064
- Date received: Sep 9, 2022
- Organization: Public Services and Procurement Canada
- Name of Minister: Jaczek, Helena (Hon.)
- Title of Minister: Minister of Public Services and Procurement
Issue/Question:
Explaining Shared Services Canada’s (SSC) role in addressing cyber security, which is a shared responsibility with other agencies, such as the Treasury Board of Canada Secretariat – Office of the Chief Information Officer (TBS-OCIO) and the Communications Security Establishment (CSE), which holds the Canadian Centre for Cyber Security (CCCS).
Suggested Response:
- SSC works diligently to keep networks safe, secure, and accessible for Canadians
- SSC applies cyber security measures to identify and prevent malicious actors from gaining access to government networks by using firewalls, network scans, anti-virus, anti-malware, identification and authentication tools and services
- Cyber security is a shared responsibility between SSC, the Communications Security Establishment, Treasury Board Secretariat and partner organizations. SSC is an integral part of the cyber security tripartite
- When a cybersecurity event occurs, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery
- SSC supports the effective design, delivery and management of priority IT security initiatives
If pressed on current and future cyber security investments:
- SSC responsibilities include government networks, email, data centres, and classified IT infrastructure
- Budget 2022 proposes $875.2 million over 5 years, beginning 2022-23, and $238.2 million ongoing to address the rapidly evolving cyber threat landscape
- This includes $178.7 million over 5 years for SSC and CSE, beginning 2022-23, and $39.5 million ongoing, to expand cyber security protection for small departments and agencies
If pressed on SSC’s responsibility vs. that of CSE:
- Although most security systems used to protect the Government’s IT infrastructure are designed and managed by SSC, CSE also uses an array of its own complementary solutions to supplement the SSC-managed security systems
- While SSC provides IT security infrastructure, CSE monitors government systems and networks for malicious activities and cyber-attacks and leads the Government's operational response to cyber security events
If pressed on any particular cyber event (Exchange Vulnerability, Log4j, PrintNightmare, GAC Incident, NRC Incident, etc.):
- SSC has people, technology and processes in place to safeguard systems, and works collaboratively with TBS, CSE and federal departments to detect and respond to cyber threats
- When a cyber security event occurs, SSC and other federal departments coordinate to determine root causes, limit impact and undertake recovery
- The risk of cyberattacks is persistent and requires constant vigilance
Background:
Overview
The Government of Canada works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to cyber incidents to better protect Canada and Canadians.
To that end, the Government has:
- improved its enterprise capacity to detect, defend and respond to cyber threats;
- centralized Internet access points;
- launched an enterprise security architecture program;
- established the foundation of a Government Cyber Security Program; and,
- implemented a whole-of-government incident response plan
Roles
A number of departments and agencies play a role in cyber security, including TBS, CSE, Public Safety Canada (PSC), RCMP, Canadian Security Intelligence Service (CSIS), and National Defence.
All departments and agencies have a responsibility to ensure cyber security within their organization. TBS, SSC, and CSE are the primary stakeholders with responsibility for ensuring the Government’s cyber security posture is effective and able to respond to evolving threats.
TBS provides strategic oversight of Government cyber security event management.
SSC provides IT security infrastructure (design, deploy and operate). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services. The security of goods and services is evaluated during the procurement process by CSE and SSC.
CSE houses the Canadian Centre for Cyber Security (CCCS) which monitors systems and networks for malicious activities and cyberattacks and leads cyber event operational response.
PSC leads national cyber security policy and strategy.
The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin against GC infrastructure.
CSIS is responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.
National Defence/Canadian Armed Forces is responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.
Additional Information:
None