Overview of the Review
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
11. On June 19, 2020, the Committee decided to undertake a review of the Government of Canada's framework and activities to defend its systems and networks from cyber attack. On July 6, 2020, the Chair of the Committee provided notification letters to the ministers of National Defence and Public Safety and Emergency Preparedness, and the President of the Treasury Board. The review included the following organizations:
- Communications Security Establishment;
- Shared Services Canada;
- Treasury Board of Canada Secretariat; and
- Public Safety Canada.
12. The Committee informed the ministers that the review would examine the federal framework for cyber defence, the activities that constitute cyber defence for the government, and the authorities and governance structures, including for interdepartmental governance and coordination, under which they are conducted. The objectives of the review would be to:
- examine the evolution of the legislative, regulatory, policy, operational, administrative or financial frameworks associated with the conduct of cyber defence activities;
- identify the type, nature and extent of the activities that constitute cyber defence for the government and the evolving threat they are designed to counter;
- examine the evolution of the authorities, accountability and governance structures for cyber defence activities, including interdepartmental governance and coordination;
- identify the systems and networks that constitute the government's information technology systems;
- review relevant case studies pertaining to the cyber compromise of government systems; and
- consider the risks associated with cyber defence activities (e.g., to the privacy rights of Canadians).
13. The Committee focused its inquiry on the defence of federal government systems from cyber attack, an area of examination squarely within its statutory mandate. In doing so, the Committee excluded a number of issues from the scope of its review. It did not examine cyber defence activities related to the protection of critical infrastructure outside of federal government systems (e.g., other levels of government or sectors such as energy). The protection of critical infrastructure is a large and complex topic in itself, which the Committee may examine in the future. It did not examine the government's activities in relation to the defence of the 2019 federal election from cyber threats. The government had already undertaken a report on this subject when the Committee announced its review; after receiving that report in 2020, the Committee made comments and recommendations to the Prime Minister. Finally, the Committee did not examine the government's response to cyber crime: the Royal Canadian Mounted Police, one of the core security and intelligence organizations subject to Committee review, was in the midst of implementing significant changes in how it investigates cyber crime. Further, the majority of cyber crime does not fall within the Committee's review mandate.
14. The Committee reviewed significant amounts of historical documentation from 2001 to the present, principally to explore the evolution of the government's understanding of cyber threats and what was needed to address them. The Committee focused its analysis on key periods when major incidents forced government departments to shift operations, and when the government passed enabling legislation or made changes to the machinery of government to address cyber defence challenges. Consistent with its past reviews, the Committee placed significant emphasis on accountability, authorities, and governance and coordination of activities.
15. The Committee's review proceeded in two stages. The first was an examination of government material that described the evolution of responses to new and emerging cyber threats. The Committee supplemented this material with academic and public sources of information, but it was limited in the discussions it could hold with subject matter experts outside of government due to the pandemic. The second stage was to hold briefings and appearances with government officials. The Committee's Secretariat worked closely with relevant departments to obtain and clarify information. In total, the Committee held five meetings with various government departments and considered over 2,500 documents, representing over 37,000 pages of material.
16. This report is written in five parts. The first is a description of cyber threats facing the government and an examination of what is at stake when government networks are attacked by cyber threat actors. The second is a historical description of how the government's framework for defending its networks has evolved since 2001. That part explains the importance of statutory authorities in underpinning cyber defence activities, the role of various government policies, particularly successive cyber security strategies, and key changes in the machinery of government, notably the creation of Shared Services Canada in 2011 and the Canadian Centre for Cyber Security in 2018. The third part examines the roles, responsibilities, authorities and activities of the key players in the government's cyber defence framework: the Treasury Board of Canada Secretariat, Shared Services Canada, and the Communications Security Establishment, collectively known as the Information Technology Security Tripartite. The fourth describes the overarching governance framework for cyber defence activities in the government. Finally, the Committee provides its assessment, findings and recommendations.
17. In this latter section, the Committee notes that the government's cyber defence framework has evolved over time towards a horizontal 'enterprise' approach that treats government systems and networks as a single entity. The last ten years have shown that this evolution has improved Canada's cyber defences considerably. However, Canada cannot be complacent: the government must continue to implement the measures required to adapt to change. In particular, the horizontal approach to cyber defence is increasingly at odds with departments' vertical authorities, where individual organizations and Crown corporations retain significant discretion to opt into the government cyber defence framework or to make the changes necessary to protect their systems from sophisticated threats. These authorities were set in a pre-digital era and should be updated for new technologies and threats.