Question Period Note: Office of the Auditor General of Canada’s (OAG) Cyber security of government networks and systems report

• On October 21, 2025, the Auditor General tabled a report on the cyber security of federal networks and systems. It found the government “had tools in place to defend” its networks and its cyber security plan was “sound and comprehensive.”

• However, the report raised concerns about delays to key projects to improve the visibility of cyber events and coordinate the response to incidents. It highlighted shortcomings in the management of equipment and noted that certain small departments and agencies (SDA) were not using Shared Services Canada’s (SSC) cyber security services.

Key facts

• The report noted that of the 204 organizations in the Government of Canada:

• 85 were required by Treasury Board of Canada Secretariat (TBS) policies to use SSC’s Internet Service; however, 22 did not comply and instead used the Communications Security Establishment’s (CSE) cyber security defence sensors.

• 119 organizations were not required to use SSC’s Internet Service. Among these: 24 chose to use SSC’s services, and a majority—76 organizations—used CSE’s sensors.

Key messages

• SSC appreciates the Auditor General’s work, recognizing that countering cyber threats requires constant vigilance and robust security measures.

• SSC agrees with the findings and is working to address the identified issues. Specifically, SSC:

• is committed to completing a project to provide greater visibility of suspicious cyber events

• has initiated work to strengthen asset management practices

• is completing an inventory of network endpoints to improve oversight and control

• will work with TBS to update the government’s cyber event management plan this fall

• These actions will strengthen SSC’s cyber defences, which block 6.5 trillion cyber threats annually.

If pressed on the global affairs canada (GAC) cyber attack “7 day” delay

• On Friday, January 19, 2024, the Canadian Centre for Cyber Security (the Cyber Centre) officially requested specific VPN-related security information from SSC. The request was approved within an hour and all parties (SSC, GAC and the Cyber Centre) agreed to make the transfer on Monday, January 22, 2024.

• While this kind of transfer is typically not required, SSC has included this process in its standard operating procedures to ensure that future requests are treated more rapidly.

If pressed on cyber attack on GAC

• SSC is providing responsive support to departments to defend against cyber attacks.

• We recognize the importance of enhanced communication during a cyber event, and SSC is continuously working with the CCCS and TBS to improve communications.

• SSC and GAC jointly developed a Remediation Action Plan to enhance network security and collaboration. The plan reflects our shared commitment to effective coordination and strengthened security practices.

• It reaffirms decision-making authorities, defines respective roles and responsibilities, establishes a process for sharing information, and identifies mechanisms to resolve issues quickly.

If pressed on security information and event management (SIEM)

• The Government of Canada (GC) is conducting a collaborative and competitive procurement process for a security information and event management (SIEM) solution.

• These efforts will allow the GC to better predict, detect and respond to cyber threats.

• For example, the integration of threat intelligence feeds in one place will facilitate the response to cyber incidents.

• A centralized solution will collect data that will enable faster response to potential threats.

If pressed on the endpoint visibility, awareness, and security (EVAS) project

• SSC’s Endpoint, Visibility and Awareness Security (EVAS) project will enable a real time view of all endpoint devices connected to GC networks, such as desktops and servers.

• It will also enhance security capabilities, including protection to block file-based malware and other malicious activity, and continuous monitoring at endpoints with an automated response to cyber events.

• The project is under way and completion is expected by March 2028.

If pressed on vulnerability and patch management

• SSC continues to improve its vulnerability and patch management processes across all its systems and services. These improvements will reduce exposure to cyber-attacks, minimize lost productivity, and protect data and infrastructure.

If pressed on small departments and agencies (SDA)

• SSC is working to provide connectivity and security services to 43 SDAs.

• By the end of 2024-25, 23 SDAs had fully transitioned to government-managed internet and remote access services, while 15 had adopted the shared email system.

• By the end of 2025-26, 6 additional SDAs are expected to fully transition.

The GC, like all organizations worldwide, faces ongoing cyber threats from bad actors on a national and international level that require constant attention and strong security measures. Cyber threats are becoming more complex and sophisticated. These include criminal activities such as ransomware attacks and attacks by state-sponsored adversaries.

N/A