Question Period Note: Cyber security issues

Cybersecurity is a key dimension of the services provided to Canadians. Cyber security incidents, in addition to affecting the continuous delivery of quality services, have an impact on trust in institutions. Shared Services Canada’s (SSC) role in addressing cyber security issues for the Government of Canada (GC), including Small Departments and Agencies (SDAs)

• SSC works diligently to keep networks safe, secure, and accessible for Canadians
  • SSC applies enterprise level cyber security measures to identify and prevent malicious actors from gaining access to government networks by using perimeter defence, vulnerability management, and endpoint security tools and services
  • Cyber security is a shared responsibility between SSC, CSE, TBS and partner organizations. When a cyber security event occurs, SSC and its partners coordinate to determine root causes, limit impact, implement mitigations and undertake recovery
  • SSC supports the effective design, delivery and management of priority IT security initiatives
  • SSC has been working with Small Departments and Agencies on an approach to improve the security of their networks

If pressed on current and future investments:

• SSC responsibilities include GC networks, email, data centres, and classified information technology (IT) infrastructure
• With Budget 2022’s funding, SSC will be able to expand its offerings to 43 SDAs with a bundle of network, security and digital services that improves their security posture

If pressed on SSC’s responsibility versus CSE’s:

• SSC ensures that the Government of Canada is leveraging industry-leading commercial cyber security solutions across our networks while CSE supplements that with unique tools that address adversarial techniques that are not yet defended against commercial solutions

If pressed on cyber defence to small departments and agencies:

• SSC developed a rollout strategy based on the state of readiness of each SDA. The work to deliver network, security and digital services is already underway for 11 SDAs
• Network, security and digital services include:
  • Enterprise Internet
  • Local Internet Access
  • Enterprise Email and Exchange Security as part of Microsoft 365
  • Secure Remote Access
• These services will improve the cyber security posture of SDAs through:
  • enhanced monitoring of internet traffic
  • SSC-provisioned firewalls for remote sites
  • secure remote connectivity
  • improved detection and prevention of cyber threats

If pressed on 2023 Distributed Denial of Service (DDoS) campaign / attack:

• A large DDoS campaign against the GC occurred between April 10, 2023 and May 14, 2023
• A DDoS is a cyber attack where an online resource is sent a flood of requests with the goal of making it unavailable to legitimate users
• SSC, CSE-CCCS and partners have systems and processes to detect and mitigate these common attacks. Most attacks are mitigated automatically with no manual intervention
• Multiple sites were affected. Mitigations restored access to affected websites. SSC continuously monitor the situation to ensure mitigations remain effective

• The Government of Canada works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to cyber incidents to better protect Canada and Canadians
  • The Government has improved its enterprise capacity to detect, defend and respond to cyber threats; centralized Internet access points; launched an enterprise security architecture program; established the foundation of a Government Cyber Security Program and implemented a whole-of-government incident response plan

• Cyber security is a shared responsibility between SSC, Communications Security Establishment (CSE), Treasury Board of Canada Secretariat (TBS), and partner organizations
  • Budget 2022 includes $178.7 million over 5 years for SSC and CSE (beginning fiscal year 2022-23) and $39.5 million ongoing to expand cyber security protection for Small Departments and Agencies (SDAs)