Shared Services Canada: Standing Committee on Government Operations and Estimates—March 4, 2022
Document navigation for "Standing Committee on Government Operations and Estimates: March 4, 2022"
On this page
Cyber security overview
Key messages
- Shared Services Canada works diligently to keep networks safe, secure, and accessible for Canadians
- Cyber security is a shared responsibility between Shared Services Canada (SSC), Communications Security Establishment (CSE), Treasury Board of Canada Secretariat (TBS) as well as its partners. SSC is a integral part of the cyber security tripartite
- SSC supports the effective design, delivery and management of priority information technology (IT) security initiatives affecting government systems and government-wide operations
- When a cyber security event occurs within its network infrastructure, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery. This is also true for SSC-managed components in the cloud
- SSC continuously works to enhance the cyber security of Government of Canada digital assets by preparing for all types of cyber incidents and for responses to threats
If pressed on SSC’s responsibility vs. that of CSE:
- although most of the security systems used to protect the Government of Canada’s IT infrastructure are designed and managed by SSC, the Cyber Centre also uses an array of its own complimentary solutions to supplement the SSC-managed security systems
- while SSC provides IT security infrastructure, the Cyber Centre monitors government systems and networks for malicious activities and cyber-attacks, as well as leads the government's operational response to cyber security events
Key data points
- Shared Services Canada is mandated to manage IT infrastructure services related to email, data centres, and telecommunications for 43 other federal organizations
- As per its 2020 to 2021 annual report, the Communications Security Establishment routinely blocks between 2 and 7 billion malicious actions every day
Background
Overview
The Government of Canada (GC) works continuously to enhance cyber security in Canada by preventing attacks through robust security measures, identifying cyber threats and vulnerabilities, and by preparing for and responding to all kinds of cyber incidents to better protect Canada and Canadians.
The GC has improved its enterprise capacity to detect, defend and respond to cyber threats; centralized Internet access points; launched an enterprise security architecture program; established the foundation of a Government Cyber Security Program and implemented a whole-of-government incident response plan.
Given the cross-cutting nature of cyber security, a number of other federal departments and agencies play a role in various aspects of cyber security including:
- TBS
- CSE
- Public Safety Canada (PS)
- the Royal Canadian Mounted Police (RCMP)
- the Canadian Security Intelligence Service (CSIS)
- National Defence
GC departments and agencies play an integral role in establishing governance to ensure the integrated management of service, information, data, IT, and cyber security within their departments.
Roles and responsibilities
GC departments and agencies have a responsibility to ensure cyber security within their organization.
TBS, SSC, and CSE are the primary stakeholders with responsibility for ensuring the government’s cyber security posture is effective and able to respond to evolving threats.
TBS provides strategic oversight of government cyber security event management to ensure effective coordination of major security events and support government-wide decision-making. The GC Cyber Security Event Plan provides an operational framework which outlines the stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion across the government. The chief information officer for the GC, at TBS, sets Information Technology Security Policy along with other delegated powers.
SSC provides IT security infrastructure (procure, design, deploy and operate). In conjunction with TBS and CSE, SSC also provides security and privacy by design as part of the establishment of new services.
Although most of the security systems used to protect the government are designed and managed by SSC, the Canadian Centre for Cyber Security (CCCS) also uses an array of its own complimentary solutions to supplement the SSC-managed security systems (for example, host-based sensor for monitoring and protection of GC endpoints).
CSE houses the CCCS which monitors government systems and networks for malicious activities and cyber-attacks, as well as leads the government's operational response to cyber security events. The CCCS works to protect and defend the country’s valuable cyber assets and works side-by-side with the private and public sectors, including critical infrastructure, to solve Canada’s most complex cyber issues.
Public Safety Canada leads national cyber security policy and strategy by, for example: coordinating the overall response to significant national cyber events through the Government Operations Centre working closely with TBS; and working with Canadian and international governments, associations, academia and industry to continually advance cyber security both domestically and internationally.
Public Safety Canada is also lead on developing a new policy pertaining to how the GC supports non-government entities; the draft policy is currently called Government of Canada Coordination Policy for Cyber Security Incidents and Events Affecting Non-Government of Canada Cyber Systems. SSC’s role under that policy will need to be defined.
The RCMP is the primary investigative department on all cyber security incidents dealing with actual or suspected cybercrime of non-state origin on the GC infrastructure. They also lead the investigative response to suspected criminal national security cyber incidents and assist domestic and international partners with advice and guidance on cybercrime threats.
CSIS is the primary department responsible for investigating threats against information systems and critical infrastructure posed by foreign state actors and terrorists.
National Defence/Canadian Armed Forces is the primary department responsible for addressing cyber threats, vulnerabilities or security incidents against or on military systems.
Each department has responsibilities under the TBS Policy on Service and Digital for specific aspects of cyber security, such as:
- integrating cyber security in overall governance of service, information, data and information technology
- designating an official for cyber security who is responsible for departmental cyber security management function
- including cyber security in departmental planning in alignment with enterprise-wide plan approved by the chief information officer of Canada
Government of Canada readiness for return to worksite
Key messages
- Shared Services Canada continues to work with its partners to implement the technology and network upgrades necessary to enable effective communication and collaborative tools for government employees
- To enable virtual work, SSC quickly implemented major upgrades to the enterprise network, government-wide internet and network security, and enabled the deployment, across the enterprise, of the digital communication and collaboration platform enabled by Microsoft 365
- Now, SSC is making significant upgrades to networks and boardrooms to enable employees to collaborate from worksites with their remote colleagues as well as support bandwidth-intensive videoconferencing tools
- This will support the return to the worksite and enable a hybrid workforce, as well as prepare the foundational infrastructure and platforms that will modernize program and service delivery to Canadians
If pressed:
- videoconferencing, mostly via Microsoft (MS) Teams, has become the defacto digital communication and collaboration channel, given the work from home environment. This service offering was accelerated and implemented across the GC, in response to the pandemic
Key data points
- There are in excess of 3,500 buildings connected to the Government of Canada network
- Prior to the pandemic, there were an average of 20,000 simultaneous remote connections. During the pandemic, we are seeing an average of 240,000 simultaneous remote connections
Background
Videoconferencing technologies use much more network bandwidth. As a result, maintaining the same user experience for a home user is not currently supported from within Government of Canada buildings given infrastructure limitations.
There are in excess of 3,500 buildings connected to the GC network. Therefore, SSC is prioritizing, with partner departments, the most critical sites requiring digital communication and collaboration tools to support Canadians and government operations. This will allow the GC to increase its efficiency and effectiveness in providing these tools to those employees and worksites that will continue to leverage these modern tools going forward.
The work required to improve user experience for a hybrid workforce relies on SSC and partners to ensure IT performance through proactive testing and analysis of operations, devices and tools. SSC continues to work with partners to ensure their business requirements are addressed.
Government outsourcing of information technology services
Key messages
- SSC works to ensure the operation of secure, modern, and reliable government information technology systems
- SSC remains focused on providing its partners with the most secure and cost effective solutions to meet the needs and expectations of a digital government
- By accessing some technologies through contracts, SSC can provide products and services which are cutting edge—aligned to global best practices and offering extensive support and functionality to users
- Examples of this include the government’s approach to cloud services which represents a fundamental shift in the way the GC delivers and consumes information management/information technology (IM/IT) services. Private sector cloud-based service offerings allow for a common, enterprise-wide platform with increased accessibility that enables a workforce to work together remotely, from anywhere
- Cloud services increase the responsiveness, flexibility, and value for money of the applications used to deliver programs and services to Canadians
Background
On January 17, 2022, a report appeared in the Globe and Mail, stating that the federal government spending on outsourcing contracts in the fiscal year 2020 to 2021 increased by 40% when compared to fiscal year 2015 to 2016. This came from information publicly available in the Public Accounts of Canada, tabled in the House of Commons on December 14, 2021.
Though these recent media reports make no mention of Shared Services Canada, there has been past criticism of government departments, including SSC, in regards to the outsourcing of IT services.
Examples of information technology service contracts
In 2019, Shared Services Canada in consultation with Treasury Board of Canada Secretariat, the Communications Security Establishment established the Microsoft Enterprise Agreement for the Government of Canada as the basis for replacing a multi-year contract for a fully vendor-managed email service. This enabled the transition to a GC-managed email service hosted on cloud components allowed the GC to close-out the vendor-managed service in December 2021.
In addition, the Microsoft Enterprise Agreement also provided a digital collaboration toolset, delivered via a cloud provider (Software-as-a-Service), which was fundamental to allowing the GC’s quick response to pivot to a mobile workforce throughout the pandemic and continue to provide programs and services to Canadians.
The next generation human resources and pay (NextGen HR and Pay) initiative is an example of where the GC has strategically chosen to outsource. This initiative is part of the government’s modernization effort, where legacy IT systems are being replaced with modern digital solutions. For the NextGen HR and Pay solution, the GC has chosen to explore a Software as a Service (SaaS) model, that is configured to the GC environment, but not customized through fundamental changes to the software. SaaS tools come with a standard configuration aligned with international best practices (including for managing HR and pay).
Therefore, by pursuing a commercially available SaaS solution, the GC is adopting a world-leading solution, without the need for extensive customization. In the case of NextGen HR and Pay, by choosing to outsource, the GC is getting access to proven product with a solid international reputation that will align its approach to HR and Pay with global best practices. It also means that the software is rigorously tested and that users have access to extensive support.
Response to National Security and Intelligence Committee of Parliamentarians Report
Key messages
- Shared Services Canada is committed to protecting the confidentiality, integrity and availability of digital services to Canadians, including data and related technologies by providing reliable and secure IT infrastructure and services to its partner organizations
- While there are clients who are mandated to come to SSC for services under the department’s accountabilities, not all small departments agencies are currently mandated to use SSC’s services
- SSC is working closely with TBS and CSE to evaluate the current security posture of small departments and agencies to understand their requirements and explore how enterprise internet adoption could reduce the exposure to government networks
If pressed on small departments and agencies:
- the report recommended the extension of SSC security services to entities that currently do not fall under the SSC umbrella, such as a number of small departments and agencies
- the report’s recommendations are in line with work SSC and government cyber security partners had already initiated, and only further validate the work to date
- SSC remains focused on providing its partners with the most secure and cost-effective solutions to meet the needs and expectations of a digital government
If pressed on SSCs role on cyber security:
- Shared Services Canada works diligently to keep networks safe, secure, and accessible for Canadians
- cyber security is a shared responsibility between SSC, CSE and TBS. SSC is a integral part of the cyber security tripartite
- SSC supports the effective design, delivery and management of priority IT security initiatives affecting government systems and government-wide operations
- when a cyber security event occurs within its network infrastructure, SSC and its partners coordinate to determine root causes, limit impact and undertake recovery. This is also true for SSC-managed components in the cloud
- SSC continuously works to enhance the cyber security of Government of Canada digital assets by preparing for all types of cyber incidents and for responses to threats
Background
The National Security and Intelligence Committee of Parliamentarians (NSICOP) was established under the National Security and Intelligence Committee of Parliamentarians Act, which received royal assent in June 2017. It is not a parliamentary committee, but rather a committee of parliamentarians, composed of both members of Parliament and senators. All members hold top secret security clearances and are permanently bound to secrecy under the Security of Information Act.
In July 2020, the Honorable David McGuinty, Chair of the NSICOP, wrote to the president of the Treasury Board Secretariat to advise that the committee will review the Government of Canada’s framework and activities to defend its systems and networks from cyberattacks.
NSICOP completed its review of the Government of Canada’s activities to defend its systems and networks from cyberattack. This included reviewing the:
- federal framework for cyber defence
- activities which constitute cyber defence
- authorities and governance structures under which they are conducted
In the report, tabled in the House of Commons on February 14, 2021, recommendation 2 of annex A recommended the leveraging of SSC managed enterprise internet services by all small departments and agencies (SDAs), and read as follows:
To the greatest extent possible, the government will extend advanced cyber defence services, notably Enterprise Internet Service of Shared Services Canada and the cyber defence sensors of the Communications Security Establishment, to all federal organizations.
Five SDAs were chosen to participate in pilots aimed at elevating security protection and visibility. The Office of the Chief Information Officer at the Treasury Board Secretariat has continued to investigate measures required to apply those same cyber and IT security policies and directives to all federal entities, which are currently not under Treasury Board Secretariat’s purview.
TBS, SSC and CSE continue to work to ensure that cyber defence is applied equally across departments and agencies to the greatest extent possible, including alignment between the scope of the Policy on Government Security and the Policy on Service and Digital.
Document navigation for "Standing Committee on Government Operations and Estimates: March 4, 2022"
- Date modified: