Question Period Note: Lenovo – Potential Security Risk
About
- Reference number: PSPC-2023-QP-00032
- Date received: Jun 5, 2023
- Organization: Public Services and Procurement Canada
- Name of Minister: Jaczek, Helena (Hon.)
- Title of Minister: Minister of Public Services and Procurement
Issue/Question:
The presence and/or access to IT products manufactured by Chinese-owned entities within the Canadian market have raised concerns due to claims that some, such as Lenovo and Huawei, have direct ties to the Chinese government.
On June 6, 2023, an article published in La Presse entitled “Faut-il avoir peur des appareils Lenovo ?” states that the Government of Canada has not banned equipment from Lenovo. The Center for Security Establishment (CSE) is quoted in the article and mentions that they evaluate equipment on a case-by-case basis. Fyscillia Ream, a researcher from l’Université de Montréal, states that the tendency is to move towards banning Lenovo products.
Suggested Response:
- The Government of Canada takes the security and privacy of its network infrastructure and any devices that access it extremely seriously
- During procurement, Shared Services Canada conducts a supply chain integrity check with support from the Communications Security Establishment for all IT purchases
- This assesses the potential risks to the security of the Government of Canada's IT infrastructure and provides any necessary mitigation measures
- Supply chain integrity is only one part of Shared Services Canada’s broader approach to cyber security, which also includes identifying and preventing malicious actors from gaining access to government networks by using firewalls, network scans, anti-virus, anti-malware as well as identification and authentication tools and services. When a cybersecurity event occurs, Shared Services Canada and its partners coordinate to determine root causes, limit impact and undertake recovery
If pressed:
- Shared Services Canada has a supply chain integrity process which is used in all procurements, including all Lenovo purchases
- This process is in place to ensure that there are no known security vulnerabilities or risks in the context in which the goods and services are purchased
- These assessments are done in conjunction with our public safety partners who leverage intelligence both from within Canada as well as internationally
- If security risks are identified, mitigation measures are put in place prior to formalizing the procurement, or the procurement does not proceed
Background:
- A number of departments and agencies play a role in cyber security, including the Treasury Board Secretariat (TBS), the Center for Security Establishment (CSE), Public Safety Canada (PSC), the Royal Canadian Mounted Police (RCMP), Canadian Security Intelligence Service (CSIS), and National Defence
- All departments and agencies have a responsibility to ensure cyber security within their organization. Treasury Board Secretariat, Shared Services Canada, and the Communications Security Establishment are the primary stakeholders with responsibility for ensuring the Government’s cyber security posture is effective and able to respond to evolving threats
- The Treasury Board Secretariat provides strategic oversight of Government cyber security event management
- Shared Services Canada provides IT security infrastructure (design, deploy and operate). In conjunction with the Treasury Board Secretariat and the Center for Security Establishment, Shared Services Canada also provides security and privacy by design as part of the establishment of new services. The security of goods and services is evaluated during the procurement process by the Communications Security Establishment and Shared Services Canada
- The Communications Security Establishment houses the Canadian Centre for Cyber Security (CCCS), which monitors systems and networks for malicious activities and cyberattacks and leads cyber event operational response
- Public Safety Canada leads national cyber security policy and strategy
- The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin against Government of Canada infrastructure
- CSIS is responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists
- National Defence/Canadian Armed Forces is responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems
Additional Information:
N/A