Summary of Cyber Defence Review
The National Security and Intelligence Committee of Parliamentarians 2021 Annual Report
10. On September 17, 2020, the Committee announced its review of the Government of Canada’s framework and activities to defend its systems and networks from cyber attack. The classified version of the Committee’s special report was delivered to the Prime Minister on August 11, 2021 and tabled in Parliament on February 14, 2022. This first-of-its-kind review describes the threat to government systems from malicious cyber actors; examines the evolution of the Government of Canada’s cyber defence policies and laws; assesses the roles and responsibilities of relevant government organizations; and examines relevant case studies where government systems were compromised in cyber attacks.
11. As part of this review, the Committee examined documentation from the three organizations that play a leading role in developing and implementing the government’s cyber defence framework: the Communications Security Establishment (CSE); Treasury Board of Canada Secretariat (TBS); and Shared Services Canada (SSC). The Committee received documentation covering the period from 2001 to 2021, principally to explore the evolution of the government’s understanding of cyber threats and the authorities, governance mechanisms and activities needed to address them. The Committee held four hearings, two in 2020 and two in 2021. The Committee met with a total of 12 senior officials from CSE and TBS, and considered over 2,500 documents, representing over 37,000 pages of material.
12. The Committee made four findings (See Annex A). First, cyber threats to government systems and networks are a significant risk to national security and the continuity of government operations. Government of Canada networks are a vital part of Canada’s critical infrastructure. The government uses them to collect and hold information, such as tax records, and to provide services, such as Employment Insurance, of fundamental importance to Canadians and Canadian businesses. The information they hold is also of significant value to Canada’s adversaries, including state-sponsored cyber threat actors and cybercriminals.
13. Second, the government has built a robust, ‘horizontal’ cyber defence framework to defend its systems and networks from cyber attack. The evolution of this framework has been a mix of unanticipated and reactive, and deliberate and planned. Changes in legislation provided new authorities, including in 2001 ministerial authorizations for cyber defence activities that would risk intercepting private communications and in 2019 ministerial authorizations to protect non-federal electronic infrastructures, that drove the development of activities to strengthen the security of government systems and eventually better defend them. At the same time, major cyber threat actors forced the government to adapt its defences, particularly following critical cyber incidents that caused significant loss of data and underlined the vulnerability of individual departments and the government more generally. The government responded by developing key strategies and policies, investing in the modernization of information technology and cyber defences, and creating organizations specifically tasked with addressing weaknesses in the system.
14. In the process, the government moved away from its siloed, department-by-department approach to cyber defence. It now treats the government as an ‘enterprise,’ where a few organizations are responsible for government-wide cyber defence. Central to this framework are three organizations: TBS, SSC and CSE. Nonetheless, this horizontal framework appears to be increasingly incompatible with the government’s existing department-by-department ‘vertical’ authority structure outlined in the Financial Administration Act. This authority structure makes deputy heads ultimately responsible for ensuring the protection of their department’s respective systems. It also gives them latitude to accept or reject TBS, CSE or SSC direction, putting at risk the overall efficacy of the cyber defence framework.
15. Third, the government has established clear governance mechanisms to support the development of strategic cyber defence policy, the effective management of information technology initiatives affecting government-wide operations, and the government response to cyber incidents. This framework has evolved over time in response to changes in government policies, machinery and the cyber threat environment.
16. Fourth, the Committee found that the strength of the government’s cyber defence system is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services. Put simply, not all federal organizations receive cyber defence protection. Most significantly, a number of federal organizations and interests are not subject to Treasury Board cyber-related directives or policies, and are therefore not obligated to obtain cyber defence services from government. Some of these organizations – including Crown corporations – have chosen not to receive government cyber defence services, leaving those organizations and the government as a whole at considerable risk from the most advanced cyber threats. Even among the federal organizations that do receive CSE cyber defence services, protection is inconsistent: organizations can select which services they would like to receive, while declining others. The Committee found that while SSC provides some cyber defence services to 160 of 169 federal organizations, only 43 of those organizations receive the full complement of SSC services.
17. The Committee made two recommendations to strengthen the government’s cyber defence framework and extend that framework over federal government organizations as broadly as possible (see Annex B). First, the Committee recommended that the government continue to strengthen its framework for defending its networks from cyber attack by ensuring that its authorities and programs for cyber defence are modernized as technology and other relevant factors evolve. Second, the Committee recommended that the government apply relevant cyber defence policies, directives and services to all federal organizations to the greatest extent possible.
18. Together, the Committee’s recommendations seek to ensure that government authorities are better aligned with the cyber defence ‘enterprise’ and that all federal organizations are brought within the government’s secure perimeter and protected to the greatest extent possible.
19. The Committee was pleased to see that, for the first time, the government provided an official response to NSICOP recommendations. This is an important step in strengthening accountability and transparency.