Annex A – Cyber Defence Review Findings and Recommendations
The National Security and Intelligence Committee of Parliamentarians 2021 Annual Report

Description

A special report that describes the threat to government systems from malicious cyber actors; examines the evolution of the Government of Canada’s cyber defence policies and laws; assesses the roles and responsibilities of relevant government organizations; and examines relevant case studies where government systems were compromised in cyber attacks.

Findings

The Committee makes the following findings:

F1.

Cyber threats to government systems and networks are a significant risk to national security and the continuity of government operations. Nation-states are the most sophisticated threat actors, but any actor with malicious intent and sophisticated capabilities puts the government’s data and the integrity of its electronic infrastructure at risk.

F2.

The government has implemented a robust, ‘horizontal’ framework to defend the government from cyber attack. The Treasury Board of Canada Secretariat, Shared Services Canada and the Communications Security Establishment play fundamental roles in that framework. Nonetheless, this horizontal framework appears to be increasingly incompatible with the existing department-by-department ‘vertical’ authorities under the Financial Administration Act.

F3.

The government has established clear governance mechanisms to support the development of strategic cyber defence policy, the effective management of information technology security initiatives affecting government-wide operations, and the government response to cyber incidents. This framework has evolved over time in response to changes in government policies, machinery and the cyber threat environment.

F4.

The strength of this framework is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services. These weaknesses include:

  • Treasury Board policies relevant to cyber defence are not applied equally to departments and agencies. As a result, not all organizations must fulfill the same responsibilities, requirements and practices. This creates gaps in protecting government networks from cyber attack.
  • Crown corporations and potentially some government interests are known targets of state actors, but are not subject to Treasury Board cyber-related directives or policies and are not obligated to obtain cyber defence services from the government. This puts the integrity of their data and systems and potentially those of the government at significant risk.
  • Cyber defence services are provided inconsistently. While Shared Services Canada provides some services to 160 out of 169 federal organizations, only 43 of those receive the full complement of its services. The Communications Security Establishment provides services in support of Shared Services Canada and through agreements with some individual organizations. This inconsistency introduces risks to those organizations and to the rest of government and limits the overall efficacy of CSE’s cyber defence program.

Recommendations

The Committee makes the following recommendations:

R1.

The government continue to strengthen its framework for defending government networks from cyber attack by ensuring that its authorities and programs for cyber defence are modernized as technology and other relevant factors evolve, including to align them with the horizontal framework for cyber defence that has emerged over the last decade.

R2.

To the greatest extent possible, the government:

  • Apply Treasury Board policies relevant to cyber defence equally to departments and agencies;
  • Extend Treasury Board policies relevant to cyber defence to all federal organizations, including small organizations, Crown corporations and other federal organizations not currently subject to Treasury Board policies and directives related to cyber defence;
  • Extend advanced cyber defence services, notably the Enterprise Internet Service of Shared Services Canada and the cyber defence sensors of the Communications Security Establishment, to all federal organizations.

Status

The government provided the following responses to the recommendations made by the Committee:

Response to R1: Agreed. Public Safety, Communications Security Establishment, and Treasury Board of Canada Secretariat agree that the government continue to strengthen its framework for defending government networks from cyber attack, ensuring that its authorities and programs for cyber defence are modernized as technology and other relevant factors evolve.

Public Safety, in collaboration with Communications Security Establishment and Treasury Board of Canada Secretariat, will continue to work together to align with the horizontal framework for cyber security to ensure that an appropriate governance structure is in place to advance cyber security policy.

Responsible organizations: Public Safety, in consultation with Communications Security Establishment and Treasury Board of Canada Secretariat.

Response to R2.1: Agreed. The Treasury Board of Canada Secretariat will review the Treasury Board policy framework to ensure that cyber defence is applied equally to departments and agencies to the greatest extent possible. This includes alignment between the scope of the Policy on Government Security and the Policy on Service and Digital.

Responsible organization: Treasury Board of Canada Secretariat.

Response to R2.2: Agreed. The Treasury Board of Canada Secretariat will undertake a review of the Treasury Board policy framework to explore and identify potential options to extend Treasury Board policies relevant to cyber defence to all federal organizations, including small organizations, Crown corporations, and other federal organizations not currently subject to Treasury Board policies and directives related to cyber defence. This review will take into consideration the Financial Administration Act and the authorities under that Act, as well as any legal considerations.

Responsible organization: Treasury Board of Canada Secretariat.

Response to R2.3: Agreed. Treasury Board of Canada Secretariat, in consultation with Shared Services Canada and Communications Security Establishment, agree that the government should extend advanced cyber defence services, notably the Enterprise Internet Service of Shared Services Canada and the cyber defence sensors of the Communications Security Establishment, to all federal organizations to the greatest extent possible. Treasury Board of Canada Secretariat will continue to strengthen cyber defence measures as part of the updates to the Policy on Service and Digital, specifically through the mandatory procedures outlined under Appendix G: Standard on Enterprise IT Service Common Configurations of the Directive on Service and Digital, which will be published in early 2022.

Shared Services Canada, in consultation with Treasury Board of Canada Secretariat and Communications Security Establishment, and as part of a funded study, is evaluating the current posture of small departments and agencies (SDAs) that have not adopted the Enterprise Internet Service of Shared Services Canada. The goal of the evaluation is to produce a costed business case outlining the funding necessary to migrate SDAs to the Enterprise Internet Service of Shared Services Canada, eliminate the use of non-Shared Services Canada managed internet services, and provision other enterprise services (including the cyber defence sensors of the Communications Security Establishment), which will help to improve the security posture of SDAs and reduce the threat exposure of the government’s enterprise networks.

Communications Security Establishment, in consultation with Treasury Board of Canada Secretariat, will explore options to extend the cyber defence sensors of the Communications Security Establishment to all federal organizations.

Responsible organizations: Treasury Board of Canada Secretariat, in consultation with Shared Services Canada and Communications Security Establishment.