:
I call this meeting to order.
Good afternoon, everyone. Welcome to the 56th meeting of the Standing Committee on Public Accounts of the House of Commons.
Pursuant to Standing Order 108(3)(g), the committee is meeting today to study Report 7, Cybersecurity of Personal Information in the Cloud, of the 2022 Reports 5 to 8 of the Auditor General of Canada.
[English]
I'd like to welcome our witnesses.
From the Office of the Auditor General, we have Andrew Hayes, deputy auditor general. It's good to see you.
We also have Jean Goulet, principal, and Gabriel Lombardi, principal. Thank you all for joining us.
From the Communications Security Establishment, we have Rajiv Gupta, associate head of the Canadian Centre for Cyber Security. Good day.
From the Department of Public Works and Government Services, we have Paul Thompson, deputy minister, by video conference, and Catherine Poulin, assistant deputy minister of the departmental oversight branch.
From Shared Services Canada, we have Sony Perron, president, and Costas Theophilos, director general of cloud product management and services.
From the Treasury Board Secretariat, we have Catherine Luelo, deputy minister and chief information officer of Canada.
There will be several opening statements.
Mr. Hayes, you have the floor for the first five minutes. It's over to you, please.
:
Thank you very much, Mr. Chair. We appreciate this opportunity to discuss our report on cybersecurity of personal information in the cloud, which was tabled in the House of Commons on November 15, 2022.
I would like to acknowledge that this hearing is taking place on the traditional unceded territory of the Algonquin Anishinabe people. Joining me are Jean Goulet and Gabriel Lombardi, who led this audit.
Federal departments are increasingly moving software applications and databases into the cloud, including some that handle or store Canadians' personal information. Information stored digitally, whether on premises, in data centres or in the cloud, is exposed to the risk of being compromised.
In this audit, we wanted to know whether the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, Communications Security Establishment Canada and selected departments had controls in place to prevent, detect and respond to security threats to Canadians' personal information in the cloud.
Overall we found that the departments we audited did not always implement and follow the controls the government has set out to protect information that is stored and transmitted using the cloud. These controls include, as examples, encryption and network security requirements. We also found that security requirements and the corresponding roles and responsibilities were not always clear. As a result, they were not consistently implemented. This leaves cloud-based information vulnerable to cyber-attacks, which are increasingly frequent and sophisticated.
[Translation]
In addition, we found that 4 years after the Treasury Board of Canada Secretariat first directed federal departments to consider moving information to the cloud, it still had not provided a long-term funding plan for cloud adoption. It also had not provided a way for departments to calculate the cost of moving to cloud applications and operating in the cloud environment.
Without a funding plan and costing tools, it is difficult for government departments to ensure that they have the people, resources, and expertise they need to secure cloud-based information and respond to threats. Having these would strengthen Canada’s cyber-defence capabilities both within individual departments and government-wide.
Finally, we found that Public Services and Procurement Canada and Shared Services Canada did not require cloud service providers to demonstrate their environmental performance or to explain how their services would reduce Canada’s greenhouse gas emissions. This is important because Canada has set a goal of net-zero emissions by 2050 and committed to including criteria aimed at reducing greenhouse gas emissions in the government’s procurement for goods and services. To date, this has not been done for procuring cloud services.
The government needs to act now, while departments are in the early stages of transitioning to the cloud. It needs to ensure that funding is available and that key security controls to prevent, detect, and respond to cyber-attacks are strengthened. This includes clarifying shared roles and responsibilities for cybersecurity so that the departments involved, central agencies, and cloud service providers know exactly what they should be doing.
This concludes my opening remarks. We will be pleased to answer any questions the committee may have.
Thank you.
:
Hello. Thank you, Mr. Chair, and members of the committee, for the invitation to appear for the study of the Auditor General of Canada's report to Parliament on “Cybersecurity of Personal Information in the Cloud”.
My name is Rajiv Gupta, and my pronouns are he and his. I'm the associate head of the Canadian Centre for Cyber Security at the Communications Security Establishment, also known as the cyber centre.
[Translation]
The Cyber Centre is Canada’s technical authority for cybersecurity, safeguarding Canada with our advanced cybersecurity capabilities and providing a unified source of expert advice and support on cybersecurity operational matters.
[English]
I'm happy to be joined by my colleagues from Treasury Board Secretariat, Shared Services Canada and Public Services and Procurement Canada, with whom we work closely on cybersecurity matters.
As part of the cyber centre's operational role, we share cyber-alerts and threat assessments across the Government of Canada to ensure that our information systems remain secure, responsive and well defended. As part of our education role, we work to increase cybersecurity awareness across the government through initiatives like the learning hub.
[Translation]
The Learning Hub is based at the Cyber Centre and provides training to improve the cybersecurity of Canada’s government and critical infrastructure organizations.
[English]
During the 2021-22 fiscal year, the learning hub renewed its collaboration with the Canada School of Public Service, CSPS, to provide a standardized cybersecurity curriculum for all—
:
I'm sorry, you're not hearing the translation?
I'll just check with the clerk. One second, please.
Mr. Gupta, I'll give you a little time here. Maybe you could back up a paragraph, and slow down just a little, please. Sometimes the interpreters can't keep up. That could be the problem.
Are you hearing the translation from me now? Yes, okay.
We will go over to you, sir. Thank you.
As mentioned earlier, the Learning Hub is based at the Cyber Centre and provides training to improve the cybersecurity of Canada’s government and critical infrastructure organizations.
[English]
During the 2021-22 fiscal year, the learning hub renewed its collaboration with the Canada School of Public Service to provide a standardized cybersecurity curriculum for all federal public servants. The learning hub and CSPS co-developed an e-learning course to introduce public servants from non-technical backgrounds to the basics of cloud computing. This is a priority topic for the public service as departments continue to migrate their IT infrastructure to the cloud.
Government of Canada organizations are increasingly leveraging cloud computing, which has the potential to deliver agile, flexible and cost-effective IT services. As noted in our 2021-22 annual report, CSE continues to function as a pathfinder for the GC in migrating to the cloud.
[Translation]
Indeed, CSE was an early adopter of cloud technology, and we ensured that we were the initial adopters of our own internal advice and guidance.
[English]
We were the first department to securely implement several commercial cloud applications, securing them with our cloud-based sensors. We demonstrated leadership by sharing the lessons learned and the relevant advice and guidance with other departments.
As I mentioned earlier, the cyber centre is the operational lead for protecting the GC from cyber-threats such as ransomware and cyber-espionage.
[Translation]
We work with federal partners to defend the government’s networks and the sensitive information of federal institutions.
[English]
While there is no such thing as zero risk when it comes to cyber-threats, we are ensuring that the highest levels of protection are in place. The cyber centre uses autonomous sensors to detect malicious cyber-activity on government networks, systems and cloud infrastructure. We use three types of sensors: network-based sensors, cloud-based sensors, and host-based sensors.
These sensors allow the cyber centre to deter cyber-threats happening in real time. Our classified knowledge of threat-actor behaviour allows us to defend against and block these threats.
We work with our federal partners to ensure that the appropriate safeguards have been applied to ensure the security and the privacy of their information that is hosted in the cloud. As cloud environments continue to evolve, we are making sure that we continue to evolve our tools to ensure that the government's systems are well defended and secure.
[Translation]
I would like to thank the Office of the Auditor General of Canada for their report and the committee for bringing us together to discuss this important topic.
[English]
Although none of these recommendations outlined in the report is specific to CSE, we welcome them. CSE and the cyber centre take information security very seriously, and this includes the government's data in the cloud. We will continue to collaborate with our federal partners to move forward on these recommendations.
Members of the committee, I can assure you that CSE will continue to work with partners to bolster Canada's cybersecurity, while at the same time ensuring that the necessary protections are in place to respect Canadians' privacy.
Thank you for the opportunity to contribute to this important study, and I'm looking forward to answering any additional questions you may have.
:
Thank you very much, Mr. Chair.
I'm pleased to be here with you and members of the committee to discuss how Public Services and Procurement Canada is responding to the audit of “Cybersecurity of Personal Information in the Cloud”.
[Translation]
With me today is Catherine Poulin, assistant deputy minister of our Departmental Oversight Branch.
As the Government of Canada’s purchaser of goods and services, my department is committed to ensuring that our procurement processes meet the needs of our client departments and agencies.
[English]
We appreciate the importance of cybersecurity in all facets of the Government of Canada's work. The government continues to invest in enhancing cybersecurity capabilities. For example, in budget 2023 there is a proposed $25 million for PSPC to work with National Defence and others to establish a cybersecurity certification program for defence procurements in order to further protect Canada's defence supply chain.
Looking beyond Canada's defence supply chain, we know that the use of cloud computing for software applications and databases has the potential to not only improve how we and federal organizations provide services, but also to reduce the cost and maintenance of physical services and applications.
As the government continues its strategy of using cloud computing, it is clear that departments involved will need to work more closely together to manage the security risks in the cloud.
[Translation]
With cybersecurity threats and attacks continuing to increase in frequency and severity, my department welcomed the results of the audit of the protection of personal information in cloud computing.
For its part, PSPC plays a supporting role in two key areas.
[English]
First, as central purchaser for the Government of Canada, PSPC procures cloud services on behalf of departments and agencies, and has established a supply arrangement with pre-qualified cloud service providers to help streamline the process. PSPC is also responsible for assessing the physical security controls of cloud service providers and their personnel.
In cases where departments procure cloud services directly through our supply arrangement, or through other procurements, we are committed to providing advice and guidance to those departments to help ensure that cloud guardrails are implemented to prevent cybersecurity breaches.
Mr. Chair, while the security of information is an important Government of Canada priority, we at PSPC are also strongly committed to doing our part on another priority, which is promoting environmental responsibility and sustainable development.
The Auditor General's report rightly pointed out that our contracting processes did not require potential cloud service providers to demonstrate their environmental performance or ask them to explain how their services would reduce Canada's greenhouse gas emissions. In addition, even when providers offered that information, there has been no mechanism in place to confirm it was accurate.
The report recommended that PSPC, in conjunction with Shared Services Canada, include environmental criteria when procuring cloud services. Doing so will help contribute to supporting sustainability and help Canada achieve its net-zero carbon emission goals.
Our departments agree with that recommendation and we have committed to taking action by working with our colleagues from Shared Services Canada to address that. This includes requiring suppliers to provide information on their commitments to achieve net-zero emissions, developing clauses in cloud computing service contracts to include GHG reduction targets, and revising the standard contracts for the procurement of cloud services and for requests for proposals.
[Translation]
We are also working on incorporating environmental criteria into our existing cloud procurement vehicles.
To conclude, Mr. Chair, I would like to express my thanks to the Auditor General for her report. I believe her recommendations will help guide improvements in our practices around cloud computing services.
Through continued collaboration with our partners, Public Services and Procurement Canada will be better positioned to meet our climate change obligations and ensure the security of the information of Canadians.
Thank you for your attention. I look forward to your questions.
:
Thank you, Mr. Chair and members of the committee, for your invitation.
I am pleased to be here today, accompanied by Costas Theophilos, director general of Cloud Product Management and Services, to address any questions the committee may have with respect to the Auditor General of Canada's audit and Shared Services Canada's progress on addressing the recommendations.
Consistent with its commitment to provide modern and secure IT infrastructure, SSC is continuously modernizing the Government of Canada's IT infrastructure. In this effort, SSC has taken an enterprise approach, which means we continue to consolidate, standardize and modernize networks and systems across government.
It is essential that we keep pace with ever-changing technology and increased cyber-threat activity. As such, over the past few years, we have significantly adopted digital solutions, including leveraging the cloud environment. It is essential that we keep pace with these changes.
Cloud adoption is a shared responsibility across the Government of Canada. Shared Services provides controlled and secure access to the cloud environment at the enterprise scale. Precisely, SSC enables cloud adoption by departments and agencies by providing access to critical building blocks, such as supply, secure cloud-to-ground network connectivity, and guidance and expertise.
In that vein, SSC works with departments to migrate their data and applications from aging data centres to modern infrastructures, such as the cloud and enterprise data centres. This accelerates the modernization of applications in an agile, secure and cost-effective way.
Protecting the information of Canadians is a top priority for SSC. This is why a common approach across departments and agencies is important. We are still in the early stages of cloud adoption; therefore, enhancement and maturing of the processes and the protocols are expected.
While there is no such thing as zero risk when it comes to cyber-threats, we are ensuring that the highest levels of protection are in place. It is important to note that all information is stored in Canada, and the most sensitive information is stored in data centres owned by the Government of Canada.
[Translation]
We welcome the report and recommendations of the Auditor General. This audit is helping to strengthen the operating framework for cloud services. This is particularly important at a time when reliance on the cloud environment is increasing.
SSC has a role in four of the five recommendations included in the audit.
For recommendation one, SSC is working closely with the Treasury Board Secretariat to strengthen guardrail validation and enforcement and to ensure coordination with departments. Cloud guardrails set the minimum security requirements that departments need for the configuration and the operations of their cloud environment. This includes how data is managed and where it is stored. SSC has begun the automation of the guardrails to assess compliance in real time. This will be tested with pilot departments beginning in fall 2023.
On the second recommendation, the Government of Canada set a minimum security requirement for securing cloud-based information. SSC is working with departments to validate any outstanding cloud security controls.
On the third recommendation, to address the issue of cloud funding models, SSC is working with TBS to review the way forward as it relates to cloud costing and recovery. It is expected that the proposed cost model will be available in the near future.
And on the fourth recommendation, SSC and Public Services and Procurement Canada will soon release a standard template for cloud contracts that includes sustainability terms for cloud providers.
In fact, SSC has started to include environmental criteria in competitive solicitations under the Cloud Framework Agreement. For example, some processes now include rated criteria, encouraging suppliers to set targets to reduce their greenhouse gas emissions.
Going forward, SSC will include rated environmental criteria in all new competitive solicitations under the Government of Canada Cloud Framework Agreement.
Mr. Chair and committee members, SSC works continuously to manage cloud security risks and to enhance cybersecurity so that Canadians’ data and privacy are safeguarded.
Thank you. We will be pleased to take your questions.
:
Thank you, Mr. Chair, and members of the committee. This is my first time appearing at this committee. I've met some of you, but for the others, I'm pleased to be here today.
I've been 21 months in government, having spent about 30 years in the private sector before that so I'm still in my “firsts” as I go through all of these different exercises.
As chief information officer of Canada, I provide overall leadership for the management of information technology, information management and service and digital transformation within the Government of Canada. As you see me sitting here with my colleagues today, we could have another 100 people here with all of the departments. It's a team sport to modernize digital infrastructure in government, and certainly cybersecurity is as well.
We have legislation that we manage out of my department, including access to information and open government, and we have oversight for all of the major technology programs. We have accountability for the GC cybersecurity event management plan—that's a mouthful—GC CSEMP for short.
When it comes to the protection of Canadians' personal information, we set out policies, set cybersecurity requirements, and execute decisions on the management of cybersecurity risks on behalf of the government. This is through the policy on government security, the policy on service and digital and a number of different mechanisms that sit underneath that, such as the digital standards.
I have a couple of key messages in response to the AG's report. We welcome this report, and as noted by the auditor, we're at the baby steps. We are at the beginning of the beginning. This is a beautiful time for us to be getting these findings and have an opportunity to improve. In my experience in prior organizations, a strong audit function really helps technology organizations be better, and I look forward to continued work with the Auditor General on this and other files.
As I noted, we're at the very beginning of the modernization of our technology environment. Only 35% of the systems in the Government of Canada are in a healthy state, and the cloud is a key to modernizing those systems. Cloud migration is one lever—and of note, private and public organizations all around the globe are dealing with this. I worked for several large Canadian companies, and some of the things that we've noticed here are things that we ran into in that environment.
The Government of Canada takes the protection of Canadians' information very seriously, and as Sony noted, not all services will be in the cloud. That is not our plan. We are going to have the cloud, and we are going to have enterprise data centres, and that is partially from a financial perspective and partially from a utility perspective. Cloud guardrails, a standard set of controls, are going to evolve over time. The threat landscape changes. The environment technically changes, so we'll be tuned to that. We will continue to strengthen oversight and compliance mechanisms for cloud use across government to make sure there's very clear guidance and compliance.
Since the Auditor General's report, I want to talk about a couple of areas of progress. We have updated our cloud roles and responsibilities document, and a corresponding matrix, and published it internally, so that our team members have access to that. In November 2022, we updated the Government of Canada cybersecurity event management plan. This is the plan that we put in place to respond to enterprise government cybersecurity incidents. This was first published in 2015, and we continue to test, review and tune that plan. That's normal practice with any type of a cybersecurity plan. In fact, about four weeks ago, we completed an “on guard”, which is a simulation that we run across government. It included a cloud component as part of that review, so we are starting to test our response to cyber incidents in the cloud.
In January, we also published an updated cloud strategy that had been in the works for several months. We've changed the language from “cloud first” to “cloud smart”, and that really identifies the fact that we are not always just going to go to the cloud, but are going to balance the decision-making on a number of factors, including financial.... Cloud first was exactly the right strategy for the government to move forward. We needed to start directing people into new technology, so it got the ship moving in the right direction, for lack of a better way of saying it. We have about 800 of our applications in the cloud. That's still a very small percentage of overall systems that we have across government.
Of note, in January, I issued guidance out of my office on the classification of personal information in the cloud and, in coordination with many of the people around this table, came to a decision that we are going to designate some high-value assets—personal information being an example—and some systems that would have an additional set of controls put in place to protect them even further. Our benefits delivery modernization program, which houses a lot of Canadians' data, is a good example of where we'll be deploying on that.
Finally, on continued development of a cloud costing model—and Sony talked about that already—we're looking to have that ready for publication in summer or fall. We've done a lot of work on that already. That is going to help departments make informed decisions about moving to the cloud, and not just the cost of moving to the cloud but the cost of operating in cloud. Both of those things are very helpful to understand. That will fulfill our responsibilities as it relates to recommendation 4.
In closing, our ultimate goal is to provide Canadians, Canadian businesses and all service users with the high-quality and efficient service that they expect in a digital age. Cloud is going to be a part of that. We will be regularly managing our progress on achieving this ambition, and cloud is an important part of that plan.
Once again, Mr. Chair, thank you for your invitation to speak to you today. I welcome any questions you may have.
I'm just going to say a couple of words at the top.
This I think is one of the most important reports and work that government can do, because we're not just dealing with dollars and cents or policies that members and civil servants deal with all the time. We're in fact potentially dealing with the identity of Canadians, which is in some cases invaluable. I appreciate the work that you do here today. I hope the Auditor General's office will continue to prioritize this review to ensure we always have standards that keep the identity and information of Canadians safe.
I'm going to ask two quick questions, just to help other members.
Mr. Hayes, I know that there is at least one recommendation that is not public. Is there just one or is there more than one recommendation that you felt was important not to make public in this report today?
:
Mr. Chair, I think the member of Parliament is referring here to the automation of guardrails verification. We'll have to find a way to share that with you. What it is, basically, is that right now there are 12 guardrails. My team, following the wise advice from the Auditor General, has taken to checking not only once at the beginning but on an ongoing basis that these guardrails are maintained. It will be more a monitoring than a one-time exercise.
We are monitoring compliance of each department right now. It's just that it's not automated. It's people who belong to Costas' team who basically undertake the manual work to regularly verify around 200 instances of cloud to make sure the departments, when using this, follow the standard. Often it is only enabling a function, but if they move them, the switch to the left, this is not working anymore, so we need to make sure they maintain that, because all of this is protecting the system.
My answer is that we can come back to this committee or share with the clerk the results of our review, for sure.
:
Just to make a point of clarification, it's 10% of systems, not data. It's a little different.
Mrs. Stephanie Kusie: Pardon me. It's 10% of systems. My apologies.
Ms. Catherine Luelo: No, no, that's okay, but that nuance is important.
I think we can continue course and speed. We have actually quite aggressively moved on the Auditor General's findings already, as I outlined in some of my remarks, and we will continue to tighten things as we move along.
There is always, as part of putting a new system into production, i.e., into the cloud, a released production activity list you go through to make sure that things have been met. We'll be disciplined in making sure that for cloud migrations, we pay very close attention to that, to ensure that we're managing that risk.
:
I'll take that one and then Rajiv can add something if he wants to.
The reason we're shifting from cloud-first to cloud-smart, first of all, is that using the cloud allows us to stand things up very quickly. Where we would take potentially months to stand up an environment in which we can start building a new system for Canadians or migrating a new system for Canadians, we can do that in hours or days in cloud, so there's a huge opportunity to move more quickly to deliver service to Canadians.
We needed to get the government going in a direction because we were all data centres, and in fact SSC had an issue around the fact that they had some very old data centres. Before we just picked up and moved to a data centre, we said let's start moving some of the stuff into the cloud. As part of that, many of the things we've learned were pointed out in the Auditor General's report, including the fact that we need more maturity around our cost model. That is why we went into more of a cloud-smart model, so that we are really going to put that financial lens on migration to consider whether it's more efficient, when you put all things together, such as speed and cost, to have it in the cloud or to have it in an enterprise data centre.
So that was really the shift, and we'll continue to tune that as we go forward. As I noted in my remarks, there will never be a world in which we will be fully in the cloud, and that situation is consistent with those of many large organizations across the globe.
:
Thank you, Mr. Chair, for the question. That is a very good one.
We are using the cloud as a commercial solution. Catherine mentioned the name “hyperscaler”, which offers cloud. When they have been certified and we have approved utilization, they are integrated into our network. The traffic—whether it's a service, program or application in the cloud or running into a data centre—still comes to our network. The monitoring tools that a cybersecurity centre provides, and the enhanced monitoring we have on the Government of Canada networks, still apply to what we call the “workload”—let's call it the “applications”—that runs in the cloud, in the same way it would in the enterprise data centre.
It's why the security requirements, or the assessment done before we approve a hyperscaler to provide these services.... The validation of the guardrails or security control is so important, because it's one more option we have for hosting applications. Catherine explained really well the agility that comes with the cloud, but we have to do it in a safe way. We cannot lose the level of security we have built around the traditional [Inaudible—Editor] just because we are using a new [Inaudible—Editor]. We find a way to integrate that. We are never done with this. The guardrails we have today will continue to evolve and be perfected over time.
However, I think what the Auditor General reminded us about.... Did you know, now, that 200 instances of the cloud are organized and configured in line with these guardrails? Frankly, this raised the alert for us. We put the team on checking this. I was very glad to receive a report, last spring, that we were in a good place, in terms of compliance. The few departments that had challenges were notified and, with the support of the CGCIO, we got them to address it. However, this is an ongoing watch. We always have to make sure nothing is being changed and that the level of security remains there.
It's why automation is important. Human intervention in five instances is one thing. When we are at 200, 400 or 500, it will become almost impossible to have our eyes on everything, all the time. Automation is the way for us to get an alert if a guardrail is being changed by a department user. When I talk about the department, there is a small number of people who can change these. For various reasons, someone may decide to—or by mistake—change one of the configuration elements. We need to be alerted, so we can address that in a timely manner.
This is no different from when we were running data centres, before. It's just a different way to apply these guardrails.
You are way over the time. You were wise not to interrupt. Committee members know that, when we have a good question, I like to hear the answer.
I'm sorry that Mr. Fragiskatos is not timing me today, because he would have to give a lot of time to the Liberal bench.
Anyway, that was a good question and a good answer. Thank you.
[Translation]
Ms. Sinclair‑Desgagné, you have the floor for six minutes.
:
Thank you very much, Mr. Chair.
I thank all the witnesses for being here today. Indeed, it's important to talk about the topic at hand.
I will begin directly with a question to Mr. Hayes.
Clearly, the Office of the Auditor General is sounding the alarm not only on cybersecurity, but beyond that, as we know that cybersecurity raises security issues that exceed the cloud world.
In fact, you've sounded the alarm on two fronts. First, it's about cyber threats, so the damage we could suffer. Secondly, you pointed out a potential lack of resources and guidance that we would normally see from Treasury Board.
Did I understand your report correctly?
In some ways, we've come together with many different departments. I'd say that, oftentimes, when different departments are tasked with doing one big job, there's an issue of trying to figure out who's in charge of doing that work—in particular, the other aspects of what may not be the focus of the departments. Because of the broadness of engaging several ministries and departments, there are things that sometimes slip. Some of those things, which I think the Auditor General points out, were among some of the findings under “environment”. From paragraph 7.59 onwards, to the conclusion, there are recommendations on environment.
I noticed that, in particular, of course, Treasury Board has a mandate to ensure there are sustainability plans and environmental aspects pertaining to the work of government. It's noticed, in the report, that Public Works and Government Services was not active in the requirement to see the contracts between some of the cloud service providers to maintain information or data collection on environmental outcomes.
I just want to better understand how that process is going. This audit is a bit older, so we've had some time. I think the department has accepted the findings of the Auditor General, so I suppose my questions are for Paul.
In relation to that, what progress can you report regarding Shared Services' and PSPC's collaboration to further align the approach to the cloud procurement?
:
There's a cost-benefit analysis done on every project. Part of that cost-benefit analysis is what type of posting Sony provides, whether it's the cloud or the data centres.
Because we are very much at the beginning of the beginning in the Government of Canada, I would say we were not fully appreciative of some of the costs of moving to the cloud, so we found it more difficult to make the move. In some cases, we did not take the opportunity to simplify and reduce the platform of what we moved to the cloud, so that increases your cost. Also, we did not have good visibility on what it costs to operate and run an environment like the cloud, because we relied on the Shared Services group to run all the data centres. It's very difficult to compartmentalize how much it costs to run Stats Canada versus CSE, versus ESDC.
Part of the great opportunity of having done a small component of this is now we have some real-world data. The other cool thing about the cloud is that we can now take environments that are in there and we can simplify and decrease them. As our consumption goes down with a cloud provider, our bill goes down. There are advantages as we start to tune and calibrate that will be reflected in cost savings.
:
If I can, Mr. Chair, digital is not an option. It's where we host that data, whether it's a data centre that is controlled by the Government of Canada, or it's the cloud, or in between. The reality is, a lot of the work we are going to do going forward will be hybrid. We are going to leverage traditional data centres for some aspects of the business or the process, and we are going to leverage the cloud for some other aspects. All of this needs to be tightly connected.
The business case that is being done at the beginning is about how we optimally leverage the various hosting options. The cloud, as Catherine said, brings that option to scale up. If there is a peak in demand—think about the tax season or the passport season or the demand at the border—these systems can take much more demand if they are in the cloud, because they can ask for more computing. When there is a peak, we pay more, and when there is a lower demand, we pay less.
If it's run in a traditional data centre that I operate, I need to build a farm of servers to be able to be ready to take peak times, so it might not be cost-effective. When we do the business analysis of that, we also have to look at the cycle that some of these programs or services are going through.
This is when we get to figuring out what is the best digital hosting option. Sometimes, it's a bit in the cloud and a bit in a data centre. It really depends on the business and the type of operation. Catherine gave some examples. Each one has its own cycle and its own demands.
That data needs to be hosted somewhere and the application that computes that data needs to be hosted somewhere, so in each case, we're doing a business case.
:
Thank you very much for the question.
[English]
The risk aversion I'm pointing to is that it is normal for organizations that are moving through modernization to learn lessons, and we are learning some lessons. What I want to avoid is our pulling back and saying we're going to stop because a couple of things weren't done properly. We're learning from those; we're implementing, and we were thoughtful about not doing our big systems first. For example, the old age security, EI and CPP systems will come later and we will have taken the opportunity to learn from some of the smaller systems that we've moved to the cloud.
I would say your question about a whole-of-government shutdown is absolutely something that is constantly on the minds of those on this team when we think about cyber—and Sony said that very well. The cloud still allows us to have all of the protections that the Centre for Cyber Security provides. This is a unique asset we have for the Government of Canada, one that makes me feel very comfortable—a different type of asset from what I had when I worked in the private sector.
So although we have learned some things, the incredible support that we get from the cyber centre is a “compensating control”, if I can say that.
I just want to mention this, before I continue: Catherine, your attendance here is quite impressive. Oftentimes, at this committee, we don't get as frank answers. It allows the MPs to do the work of this place—in particular, our committee. So I really want to thank you for your honesty, because it allows us to do the work that, I think, is very important to making good recommendations in our report.
You mentioned a few things in your previous answers that I want to follow up on. One is the issue of capacity. It's the issue of talent acquisition, in particular the talent gap we have in digital services in Canada.
Could you describe what you mean by that and what that gap looks like? Is it among the IT service folks? What are you talking about when you say there's a capacity gap there?
:
I would like to talk about this for 40 minutes, but I will do it very quickly, because I know we're tight for time.
We have anywhere from a 25% to a 30% vacancy rate in technical jobs in the government. That is relatively consistent, by the way, across Canada. We are seeing particular pinch points in cybersecurity, cloud computing and architecture. There are a few areas in which we are competing with companies all across Canada.
We need to do a better job of lighting up what technology people in this country do for Canadians. No one gets to do what we do. It is my mission to go out and have many more people come in and do a tour of service within government doing digital work. First of all, I think there would be a different understanding of the complexity within government and the things we need to do. I say that with all humbleness, having worked for 30 years in the private sector. I looked across and said, “What's going on in there?” I came into government and said, “Oh, my goodness, this is very complicated.”
I think it would also be great to have people from government go out into the private sector and learn what it's like to have quarterly shareholder meetings and some of the metrics that drive industry and a lot of the innovation in our country. That is a huge issue, not just for the Government of Canada but also for Canada.
I echo Mr. Desjarlais' comments. It's refreshing to come to any committee and get forthright answers and not a word salad—so far.
Mr. Hayes, Mr. Goulet and Mr. Lombardi, thanks for the report. I appreciate everything you've put into it. I want to start with the three of you.
In paragraph 7.16 in the report, you comment that the requirements for security in clouds were not followed, but you only audited three departments. Do we need to do a wider audit, if you've come up with these concerns from just the three departments you audited?
:
Thank you very much, Chair.
Thank you to everyone for being here.
I want to look at the issue from a big-picture perspective, if I can put it that way. In looking at the report, one of the key findings, obviously, is this: “Information stored digitally, whether on‑premises in data centres or in the cloud, is exposed to risks of being compromised.”
I understand the importance of getting into the technical details and the minutiae, if I can follow what Mr. McCauley has asked at this meeting and at others. It is important for MPs to delve into the details that way. But I also think of it from the perspective of constituents, who want to understand this and what's being done in response in general terms as well. What is being done to address this fundamental challenge, which I see as being one of the key findings in this report?
That's for whoever wishes to take it.
This is a statement that is true in Canada. It's true everywhere in the world. It's just a pure fact that when you are in a digital world, everything is always at risk. We need to start from there. Otherwise, we won't be doing our job.
I think in Canada, for the Government of Canada, we have an infrastructure that can stand a lot. We have the process to handle these situations where there might be something detected through early intelligence but also detected on our system. We have a way to easily contain, address and remediate, but we will never be done. This is what I was saying a bit earlier. I think the point the Auditor General made at the beginning of the report is very important. Everything is at risk, and we need to always validate and enhance our safeguards.
I'm sure Catherine and Rajiv can add to this.
:
Someone was saying, “Who's first?” In fact, it's a team sport here, and sometimes with a team, there isn't a first.
However, there is a primary role for looking forward and identifying what new issues can be—which we have to prepare for, work on and anticipate—and this belongs to the Canadian Centre for Cyber Security. They are looking forward and they are bringing to the operator—which is me, or our organization—the intel. “Here's what you need to do and fix, because we believe this will be a new risk that we didn't contemplate in the past.” It's very important, and the integration with the policy lead in how we deal with this is critical.
We have this in Canada. We are lucky. We need to invest in this all the time, because we have to practise. It's good that we are doing tests, but real life also tests our ability to work together.
:
Mr. Chair, that applies only to the establishment of the cloud framework agreement, where we have eight qualified vendors. We had asked initially when they were qualified—among many things we were validating—what their environmental commitment was and if they had a net-zero commitment towards 2050. We have done that. We have that in the books for seven of the vendors that were qualified at the end. What we don't necessarily have is an attestation, and I think we are working on getting that, so that it's not only a case of “I said”, but we also need to be able to demonstrate the results.
As the team from the Auditor General looked at, not all the workload and not all the applications that we are putting in the cloud are consuming and having the same demand on the infrastructure. We need to be able to compare this if we do it in the cloud versus running this through an enterprise data centre: Do I consume more energy and do I produce more gas emissions? What will be the difference? This is something that without the addition of the clause in the contract we will not be able to do, and this is where we need to go, because otherwise, if you ask me five years from now if we're consuming less or more and producing less or more if it's in a data centre or in the cloud, I would not have the data and, frankly, if we want to advance towards these targets, we need to have it.
We are really at the beginning here. What is in the cloud is really tiny. A lot of departments are using the cloud right now for experimentation, so it's not major computing that is there. Some departments are more advanced than others, but a lot of the work we do in the cloud is really small. This is going to change in the future, and it's why we need to put these controls in place.
:
This is a question that would probably be better addressed by the Canada Revenue Agency.
I have to say that digital enablement is essential. In this day and age, if we want to provide agile services and deal with peak demand, we have to be digital. We have to ride the right infrastructure. Right now, a lot of the infrastructure at the Canada Revenue Agency depends on what we call “mainframe”. This was the best thing you could have, when the cloud did not exist. Now, the cloud can bring the kind of high-computing capacity and high velocity we only had with the mainframe, in the past. The mainframe is a supercomputer running in a data centre.
I think the cloud—if we stick with the theme of the audit, here—provides us with much more opportunity to do this. Sometimes, it's not only with a big program. Think about the Canada Revenue Agency. It probably has the largest programs that depend on technology in the Government of Canada. Now, with the cloud, we can have that kind of velocity for something that is way smaller, as well...and analytical work. There is great potential there.
Are we up to it? Catherine said we have a lot of challenges with talent and multiple priorities in the Government of Canada, but I believe we have done the foundational work. Hopefully, we'll have fewer servers hidden in closets.
What I want to avoid, early on, in the work we are doing on the cloud.... There are cloud instances out there that we, around this table, are not aware of. We need to manage this, as an enterprise, so we don't get into the mess that existed in the past, in terms of how we distributed the data centre and servers everywhere. We have done this cleanup. There is a lot of work still to do. We have to be very organized in the way we leverage the cloud, so we don't create this.... We leverage and build expertise. We are organized. We have common rules, so we don't expose ourselves. If there is an incident somewhere, we know what is out there and how to take back control, so we avoid the damage and consequences of incidents.
It's about being organized at the enterprise level. The players around this table are essential to make this happen.
:
The threat against the Government of Canada has been high for a long time. We always talk about the blocks we're doing, as the Government of Canada. In terms of activity, we say it's four to seven billion blocks per day. Those are a lot of reconnaissance activities and other sorts of threat, but the threats are still there.
We enumerated those international cyber-threat assessments, as well. Really, the sophistication of cybercrime has increased in the past few years. Nation-states are still there. We named China, Russia, Iran and North Korea as the primary countries we're worried about. We still have the sophistication of the state-sponsored threat actors, but we also have the rise of cybercrime in this space as well. That has proven to be very lucrative, I would say, from a ransomware perspective and others. It's really fuelling the threat in that space.
It's very important for us to learn from those threats, which we do on a daily basis. We are the national [Inaudible—Editor], so we see what's happening across Canada, to a certain extent. We also work with our partners to make sure we're taking everything we're learning from those threats and baking it into advice and guidance. We work with our partners, here, to make sure we're putting the best recommendations out, and also building that into our security analytics and the types of defensive solutions we use for the government.
We couple that, of course, with what we've learned from our signals intelligence. CSE is fortunate, in that we have the cyber centre, and also our foreign signals intelligence, which tracks cyber-threat actors around the world and gives us the intel we can use to inform our advice and guidance for Canadians.
I believe it's our final round, so I want to offer my thanks to all the witnesses here today.
Thank you for your service. I think it's important that Canadians understand the value of digital infrastructure. You've been very patient with us, knowing that we're not experts in this field. I want to thank you for your accessibility in this discussion.
I do want to return to trying to understand the signals intelligence that was mentioned a few times. One fact that was submitted today, if I'm correct, and I can't remember which witness mentioned this, was that we are the only country currently utilizing signals information. Is that correct?
Thanks to the witnesses for being with us here, today.
I know cybersecurity is something our government is very seized with. Many different departments and ministers are involved.
Mr. Gupta, you mentioned we need to continue to invest in cybersecurity. Cybersecurity is included in our recently announced $2.3-billion Indo-Pacific strategy. I'm not sure whether you're able to shed a little more light...in terms of allies or friendlies that are doing a good job and from which we can learn best practices.
Are there countries we can look to, when we talk about cybersecurity?
:
Mr. Chair, to continue on the last question, we have some use cases where we are doing it. There is pathfinder work here around the cloud. There are things we never did that we are doing. We never take a risk with the quality, the security, the privacy—this is always attached—but in terms of the business, we are experimenting to some extent, so it's why starting small is very important, namely, to learn and scale up.
We are working with one of our clients with whom we have a cycle where there is peak time. We are building an infrastructure, and then after a while we have to dismantle it, because it's not needed anymore. We are working with them on what the business will look like next time, because we are going to rely more on the cloud and less on the traditional infrastructure, and we are doing the cost assessment on that.
In the future, we will be able to answer these kinds of questions about how this would work a bit more fully.
From my perspective, one of the benefits of the cloud is the ability to go fast and to scale up and scale down. It's not the Government of Canada's obligation to decommission.... They installed all of that equipment that has been running there for a year or two. We don't have to buy this. What we are going to pay for is service.
Of course, it's a different model, because we're not going to spend capital; we are going to spend operating...on this. There will be a blip in our spending, but we will not have to invest in the infrastructure and then the installed infrastructure.
There are lots of business cases where this will make sense, but we start at a small scale, learn how it works, find the challenges we have to deal with and adjust. This is the model that paid off. I'm really glad that one of the first pathfinders was the CSE. This is where we learned a lot. This team is highly preoccupied by the security, so it was right to start on the cloud journey with an organization that has so much attention on security, because we needed to learn. We need to feel secure to put anything else in the cloud, so starting with the right use case is very important.
:
Mr. Chair, there are not cost savings in all instances.
There are cost savings if we are taking what Catherine described as a “smart” model or approach, or some type of.... I could use the word “workload”. It's easier to describe, rather than “data application”. There are cost savings, but we need to do the detailed analysis before we go there, because it's difficult to just go in and go out. You cannot change your mind if you build into a data centre. If you want to amortize investment, you need to be there for a while.
If we go in the cloud, we also need to learn not to stay locked in with a vendor, and have that velocity. Catherine was really blunt with the committee before, so I will be on this one. I said to the hyperscaler that these companies have not given us the right price still. Organizing together as an enterprise, being able to procure with this consolidated demand from the Government of Canada, we can get a better price from them; so we are not at the end of measuring savings, because we haven't necessarily had the best price yet.
:
Thank you very much for that. That is an important point I did want to emphasize if I got the chance.
What we really wanted to get at with the recommendation about the costing model, the funding framework, was really about allowing departments who are onboarding onto the cloud to see, not just the short-term costs, but also the medium and long-term costs, because a big department can absorb additional costs down the road that might be there because of the need to increase skills or tools or oversight, but it's a lot harder for smaller departments. What they have to do sometimes might be to reallocate from other places, and that puts other programs or security at risk.
This is a big part of that cost-benefit analysis. If you don't know your short-, medium- and long-term costs, then you don't really have the clear picture. I think we're all on the same page on the importance of that, and this will be something that will help to identify which things should be moving to the cloud and which shouldn't.