Question Period Note: GC Cyber Security Events - Government of Canada’s Roles and Responsibilities and Recent Events

About

Reference number: TBS-2021-QP-00012
Date received: Nov 19, 2021
Organization: Treasury Board of Canada Secretariat
Name of Minister: Fortier, Mona (Hon.)
Title of Minister: President of the Treasury Board

Issue/Question:

How is cyber security addressed in the Government of Canada, including cyber threats that may pose a risk to government infrastructure and services, and how has the Government of Canada responded to notable cyber incidents this past year?

Suggested Response:

• Government of Canada departments and agencies, in collaboration with lead security agencies, are responsible for ensuring that cyber security risks are assessed and mitigated within their organization.
• Together, the Treasury Board of Canada Secretariat, Shared Services Canada, and the Communications Security Establishment work to ensure the government’s cyber security posture is current and effective.
• We have robust systems and tools in place to monitor, detect and investigate potential threats, and take active measures to address and neutralize these threats.
• The government will continuously work to enhance cyber security in Canada by preparing for all types of cyber incidents, protecting Canadians and their data.

Background:

Overview
The Government of Canada works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians.

The Government has improved its enterprise capacity to detect, defend and respond to cyber threats; centralized Internet access points; launched an enterprise security architecture program; established the foundation of a GC Cyber Security Program and implemented a whole-of-government incident response plan.

Recent Investments
Budget 2021 provided additional funding to the SCED Project to further improve the infrastructure, increase bandwidth, availability, and the resources to facilitate connectivity for departments.

Roles and Responsibilities
Government departments and agencies have a responsibility to ensure cyber security within their organization. The Policy on Service and Digital addresses specific aspects of cyber security, such as:
• Integrating cyber security in the overall governance of service, information, data and information technology;
• Designating an Official for Cyber Security who is responsible for the departmental cyber security management function; and
• Ensuring cyber security is included in departmental planning in alignment with the enterprise-wide plan approved by the Chief Information Officer of Canada.

TBS, SSC, and the CSE are the primary stakeholders with responsibility for ensuring the Government’s cyber security posture is effective and able to respond to evolving threats.
TBS provides strategic oversight of Government cyber security event management to ensure effective coordination of major security events and support government-wide decision-making. The Chief Information Officer for the Government of Canada, at TBS, sets Information Technology security policy along with other delegated powers.

GC Cyber Security Event Management Plan (GC CSEMP)
TBS develops and maintains the GC Cyber Security Event Management Plan. The GC CSEMP is the whole-of-government incident response plan under the oversight of TBS. It provides an operational framework that outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion across the government. The plan is applicable to all departments subject to the Policy on Government Security.

The latest update of the GC CSEMP took effect in April 2020 and is available publicly on canada.ca. The update was made to reflect the creation of the CCCS as well as lessons learned since 2018 and was not related to the COVID-19 pandemic.

In 2020-2021, the Government of Canada experienced five notable cyber security events: the GCKey credential stuffing attack, the SolarWinds supply chain compromise, the exploitation of MS Exchange critical vulnerabilities, a ransomware incident at a third-party printing service that has contracts with the GC, and a vulnerability with MS Print Spooler. The incidents are the result of threats faced by public and private sector organizations alike.

GCKey
On August 5, 2020, the Government of Canada was made aware of a credential stuffing attack against the GCKey service. The GCKey itself was not compromised and the credentials used did not originate from the service. Around the same time, a similar attack was mounted against the Canada Revenue Agency. Of the roughly 12 million active GCKey credentials in Canada, the passwords and usernames of just over 9,300 GCKey credentials were used by bad actors to access government accounts. In response, the government revoked the affected credentials and put in place measures to prevent further attempts to access its services with these compromised credentials. These measures blocked subsequent attacks.

On August 31, 2020, a proposed class proceeding was filed in Federal Court. The action concerns the unauthorized disclosure to a third party of the personal and financial information of thousands of Canadians from their online accounts with the Government of Canada-branded credential service, the Canada Revenue Agency, and My Service Canada.

The government has implemented additional security features, such as multifactor authentication (MFA), to help Canadians protect their accounts, and is advancing efforts around digital identity. In Canada, pilots and projects are currently underway that allow users to log in with their provincial trusted digital identities to access federal government services in a timely and secure way.

Microsoft Print Spooler Vulnerability
On June 30, 2021, the Cyber Centre released an Alert to raise awareness of a critical 0-day vulnerability in Microsoft Windows Print Spooler affecting all Windows desktops and servers. The following day, Microsoft confirmed that there were exploits in the wild that, if used, would allow a threat actor to run code remotely and gain control of a system.

Given the widespread use of Microsoft in the GC, the fact that the Print Spooler Service is enabled by default, and the critical nature of this vulnerability, a GC-wide response under the GC CSEMP was declared on July 2, 2021, in order to ensure a coordinated approach across the GC. The risk of further impact to the GC has been mitigated; however, the Cyber Centre continues to monitor the situation.

Additional Information:

None