National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
In early March 2021, governments and organizations around the world became aware of cyber attacks targeting a previously unknown vulnerability in Microsoft Exchange email systems. These attacks were attributed to China, targeted the email communications of victim organizations, and were used to gain persistent access to victim networks. As the attack spread, other sophisticated threat actors quickly took advantage of the vulnerability and hundreds of thousands of organizations were eventually affected. In Canada, the government immediately declared a cyber security event and three organizations — the Treasury Board of Canada Secretariat (TBS), Shared Services Canada (SSC) and the Canadian Centre for Cyber Security (CCCS) — worked with departments to identify their vulnerabilities and directed them to patch their systems. CCCS also worked to notify hundreds of private sector organizations of their potential vulnerability. Within days, implicated organizations made required changes, and only one government department was affected. As of June 2021, no federal government organizations were found to have suffered any data losses from the attack. Footnote 1
Broadly speaking, the government succeeded in quickly and effectively defending its networks from a serious and previously unknown vulnerability. How did the government come to this point? What challenges remain? Is the government prepared to counter cyber threats in the future? This review seeks to answer these questions.
1. Cyber threats are a significant and pervasive risk to Canada's national security. They affect Canadians at numerous levels, threatening government systems and services, critical infrastructure providers, financial and health systems, research and academic networks, and sensitive personal information. Governments are highly attractive targets for cyber attacks. The federal government holds enormous amounts of data about Canadians, Canadian businesses and innovative sectors such as universities and research institutes. Cyber compromises of this data could reveal sensitive personal information of Canadians and sap the vitality of individual companies and of the economy. The government also manages foreign, trade and security relations through electronic infrastructures that, if compromised, could damage the government's policies and undermine Canada's vital interests. As well, the government provides many critical services, which are heavily dependent on robust and "no fail" electronic infrastructures.
2. Since its inception, the National Security and Intelligence Committee of Parliamentarians (the Committee) has been interested in the security of government systems. Government systems are a core part of Canada's critical infrastructure and integral to national security. Government departments have repeatedly briefed the Committee on the types of cyber threats facing Canada, and the Committee summarized those threats in its 2018 annual report to the Prime Minister and then, more thoroughly, in its 2020 annual report. It notes with concern the ubiquity of cyber threats and, in particular, the sophistication and persistence of threats from several foreign states and non-state actors, including the growing threat from ransomware. It also recognizes the significant changes implemented by the government over the last several decades, including updated and new authorities, the creation of new organizations and programs, and major investments in cyber security and defence. In fact, the Committee deferred a review of cyber issues in 2018 to avoid negatively affecting the implementation of recently announced changes to government machinery, notably the creation of the Canadian Centre for Cyber Security and the attendant changes in the roles and responsibilities of Shared Services Canada and Public Safety Canada.
3. Cyber security is a large and complicated field. In the 2018 National Cyber Security Strategy, the government defined it as "the protection of digital information and the infrastructure on which it resides." Footnote 2 Such a necessarily broad definition implicates a range of actors in industry, academia and government, and may include everything from procuring hardware, software and services, to developing laws and regulations. Although these areas are potentially critical in their own right, many have little or no relationship with issues of security and intelligence, the core of the Committee's review mandate.
4. The Committee therefore decided to initiate a review of a narrow subset of cyber security activities: cyber defence. Cyber defence may be understood as the technical capability to discover and detect cyber incidents, and to develop and deploy measures to defend against them. Footnote 3 In Canada, the Communications Security Establishment (CSE) has been the lead organization in developing and deploying cyber defence activities. Its efforts were facilitated by its complementary role as Canada's signals intelligence organization, which gave it insight into the activities and tactics of the most sophisticated cyber actors, particularly foreign states with the resources and capabilities to mount technically advanced and persistent attacks on target systems and networks (these actors are known as advanced persistent threats). CSE used this insight to build custom cyber defence sensors and defence technologies that could identify and defeat such threats where commercial technologies could not. At the core of CSE's ability to build its operations and adapt them to the rapid evolution of technology have been fundamental changes to statutory authorities. The first major change came in 2001 with the passage of amendments to the National Defence Act, which created the authority basis for CSE's information technology security and foreign signals intelligence activities. In 2019, the Communications Security Establishment Act came into force, which clarified and expanded those authorities. This report explains that evolution.
5. The framework for cyber defence has two other principal players: Shared Services Canada and Treasury Board, as supported by the Treasury Board of Canada Secretariat. Created in 2011, Shared Services Canada (SSC) plays a mostly operational role. SSC provides government departments three key services — networks, email and data centres — and works closely with CSE to address serious cyber incidents. When SSC was created, 43 departments were required to obtain these services from SSC, representing approximately 95 percent of the government's information technology infrastructure spending; the remaining smaller departments and agencies represented the other 5 percent. Those 43 original partners continue to receive all of SSC's services, including those related to cyber security. Over time, 117 other federal organizations have opted to obtain some of these services, bringing the total number of SSC service recipients to 160 out of 169 organizations, totalling 95 percent of all federal organizations.
6. SSC's role in cyber defence is essential in two ways. First, the government has reduced its vulnerability to all forms of cyber attack by consolidating the number of connection points between government networks and the Internet and by reducing the number of legacy data centres. Second, the government has significantly reduced the likelihood of cyber attacks being successful, and the potential damage done if they are, by placing the majority of federal organizations (i.e., those that receive SSC services) behind CSE's sophisticated sensors and cyber defence systems.
7. The Treasury Board and its Secretariat play an overarching role in cyber defence, both as the Chief Information Officer of the government and through directives and policies applicable to all government departments. Treasury Board and its Secretariat have the authority to create policies through various pieces of legislation, most notably the Financial Administration Act (FAA). First passed in 1985, the FAA sets out the roles and responsibilities for a number of key actors across government and enables the Treasury Board to issue policies, directives, standards and guidelines for the management and administration of federal entities. Consistent with Canada's parliamentary system, the FAA is a vertical authority structure: individual ministers and their deputies are responsible for the activities of individual departments.
8. Policy instruments promulgated under the FAA are fundamental for cyber defence. They clarify the roles and accountabilities of various departments, providing direction and defining requirements. The most important of these instruments are the Policy on Government Security, the Policy on Service and Digital, the Digital Operations Strategic Plan, the Cloud Adoption Strategy, and the Cyber Security Event Management Plan. They set the framework for cyber security and defence activities. As with all Treasury Board directives, TBS considers the implementation of those related to cyber defence as 'mandatory.' That said, consistent with the vertical authorities in the FAA, deputy heads of individual departments are ultimately responsible for ensuring the integrity and security of their electronic systems and networks and for implementing TBS direction. To address instances of non-compliance, Treasury Board has introduced a compliance management framework, which includes a range of possible administrative consequences. Footnote 4
9. Other authorities play more specific roles in the cyber defence framework. Changes to CSE authorities in 2001 and 2019 permitted that organization to develop a line of work that has proven critical to Canada's cyber defence. Also important were amendments made in 2004 to the Criminal Code and the FAA to clarify the authority of government organizations to protect their own cyber systems. This review summarizes the evolution of these authorities and instruments and the role they play in the area of cyber defence.
10. Finally, the government has provided key strategic direction, made important structural changes and invested significant resources to strengthen its cyber security and cyber defences. The government has provided strategic direction in the areas of cyber security and defence through the 2004 National Security Policy, the 2010 Cyber Security Strategy and the 2018 National Cyber Security Strategy. It made significant changes to the machinery of government, notably with the creation of SSC in 2011 and the Canadian Centre for Cyber Security in 2018. Many of these changes were accompanied by significant investments: in total, between the years 2010 and 2021, the government invested more than $6 billion in defending government networks from cyber attack. Footnote 5 This report will describe the various changes made by the government over the past two decades and recommend where efforts need to be made to complete this work, including in areas of government authorities.