Past Examinations of Cyber Defence Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

Table of Contents

External review

18. A number of reviews, audits and evaluations have been conducted on aspects of the government cyber defence framework. These were conducted by independent, external review or audit entities, parliamentary committees, the Communications Security Establishment (CSE) Commissioner (the former body dedicated to reviewing CSE activities) and bodies internal to the government. As background to the Committee's review, this section summarizes each in turn. The implementation of recommendations from these studies are not tracked as part of this review.

19. The following external reviews or audits contained specific reference to the protection of government information systems from cyber threats:

Office of the Auditor General of Canada — Chapter 3: Protecting Canadian Critical Infrastructure Against Cyber Threats (2012): Part of this audit examined how the government protects its information systems and the roles and responsibilities of the departments involved. It recommended that Treasury Board of Canada Secretariat update relevant policies to reflect the new information security roles and responsibilities of Shared Services Canada (SSC). ^{Footnote 6}
Office of the Auditor General of Canada — Report 4: Information Technology Shared Services (2015): This audit examined how SSC provided information technology services to other federal departments, including information technology security. It recommended that SSC establish expectations or provide information on core elements of security to partners to allow them to comply with government information technology security policies, guidelines and standards. ^{Footnote 7}
Senate of Canada Standing Committee on Banking, Trade and Commerce — Cyber Assault: It should keep you up at night (2018): This report primarily examined how to enhance cyber security for Canadians and businesses. However, it also considered how to improve the government's cyber security framework and strengthen oversight over the many departments that have cyber security as part of their mandate. The report recommended the creation of a new federal minister of cyber security who would be responsible for Canadian cyber security policy while coordinating cyber security efforts with provincial and territorial governments and the private sector. ^{Footnote 8}

The CSE Commissioner

20. Between 1996 and 2019, the CSE Commissioner was responsible for reviewing CSE activities for compliance with the law and policy direction from the Minister of National Defence. In his final report in 2019, the CSE Commissioner reported that CSE had accepted and implemented 166 of the 175 recommendations made since 1997 across all areas of CSE's mandate, a completion rate of 95 percent. Between 2001 and 2019, the CSE Commissioner conducted a number of reviews of CSE's cyber defence activities, which were variously known as active network security testing, security posture assessments, cyber defence operations and information technology security activities. In general, the CSE Commissioner examined programs or aspects of CSE's cyber defence activities to determine whether:

ministerial authorizations for cyber defence activities met conditions specified in the National Defence Act;
cyber defence activities were conducted in accordance with legislative, ministerial and policy requirements;
CSE directed cyber defence activities at Canadians or persons in Canada; and
if private communications intercepted by CSE were deemed essential to identify, isolate or prevent harm to Government of Canada computer systems or networks.

21. In October 2006, the CSE Commissioner noted that CSE senior management became aware that certain cyber defence activities may not have been compliant with operational policies and procedures. The Commissioner found that management paid insufficient attention to the conditions for and compliance with ministerial authorizations, and that the control framework for carrying out activities under ministerial authorization was not sufficiently clear, consistent, comprehensive or current. The cumulative impact of these issues called into question CSE's compliance with the Privacy Act and the National Defence Act. As a result, CSE suspended all cyber defence activities under ministerial authorization to conduct an internal investigation. These activities were restarted in October 2007 following a restructuring of the ministerial authorization program and policy framework. ^{Footnote 9}

22. Since 2007, the CSE Commissioner has found that ministerial authorizations for cyber defence activities met the requirements of the National Defence Act, and that these activities were in accordance with the law and CSE policies. ^{Footnote 10} The CSE Commissioner also confirmed that CSE did not direct its cyber defence activities toward Canadians or persons in Canada. Nonetheless, between 2001 and 2019 the CSE Commissioner made a number of recommendations to ensure that CSE cyber defence activities had:

practical definitions, new record classifications, and clear retention and disposal schedules for personal information; ^{Footnote 11}
appropriate policies for filing, retaining and deleting key information found under a ministerial authorization; ^{Footnote 12}
improved descriptions in ministerial authorizations to clearly identify what the Minister was authorizing; ^{Footnote 13} and
improved clarity under the National Defence Act regarding authorities that risk intercepting private communications. ^{Footnote 14}

23. In 2019, the National Security Act created two new organizations. The first is the National Security and Intelligence Review Agency, which took on the review activities of the CSE Commissioner. The second is the Intelligence Commissioner, who (among other things) reviews the annual cyber security authorizations granted to CSE by the Minister of National Defence. ^{Footnote 15} These authorizations allow CSE to access the information infrastructures of federal or designated non-federal institutions where it would otherwise contravene an Act of Parliament (e.g., the Criminal Code) or interfere with the reasonable expectation of privacy of a Canadian or a person in Canada. Since his office was created in 2019, the Intelligence Commissioner has found all cybersecurity authorizations he has reviewed to be reasonable. However, the Intelligence Commissioner also noted that cyber security authorization applications have had several inconsistencies, including missing descriptions of outcomes, missing descriptions of the cyber security services received by clients and unexplained conditions that the Minister imposed on authorizations. These issues did not affect the Intelligence Commissioner's assessment of the reasonableness of the Minister's conclusions.

Internal review

24. The following internal reviews or audits are particularly relevant to the government's cyber defence framework:

Treasury Board of Canada Secretariat — Report on Cyber Security of Government Systems (2016): This study analyzed aspects of cyber security across the government and determined there was a lack of clear decision-making at the enterprise level. It suggested nominating a senior-level executive with a mandate to resolve responsibility gaps and facilitate enterprise initiatives. It also suggested reducing redundancies among governance committees. ^{Footnote 16}
Office of the Comptroller General of Canada — Horizontal Internal Audit of Information Technology Security in Large and Small Departments (2016): Part of a multi-year, multi-phase effort, this audit reviewed governance and control frameworks over information technology security for unclassified government networks. It found that such frameworks were in place and that Treasury Board of Canada Secretariat had established policy direction for information technology security. However, the audit noted that policy instruments were out of date and that further clarification of roles and responsibilities was needed, including for SSC, to further define expectations for securing legacy systems. The audit also found that the several committees governing information technology policy instruments needed to improve coordination and reporting relationships. Additional phases were planned for the years 2019-20 to 2021-22. ^{Footnote 17}
Public Safety Canada — Horizontal Evaluation of Canada's Cyber Security Strategy (2017): This review examined the government's progress to defend against cyber attacks. It found that, despite improvements, there was still confusion between departments on their roles and responsibilities, particularly between CSE and the then Public Safety Canadian Cyber Incident Response Centre. The private sector echoed this concern, noting that it was unclear as to where private sector organizations should report cyber incidents or seek assistance. The review also found that the government needed to continue to strengthen its ability to prevent, detect, respond to and recover from cyber attacks. It recommended that the government strengthen its horizontal governance of cyber security by re-assessing participation on existing committees and developing terms of reference to better define departmental roles and responsibilities. ^{Footnote 18}

Footnotes

Footnote 6

Office of the Auditor General of Canada (OAG), 2012 Fall Report: Chapter 3: protecting Canadian critical infrastructure against cyber threats, 2012, https://publications.gc.ca/site/eng/9.575104/publications.html.

Return to footnote 6 referrer

Footnote 7

OAG, 2015 Fall Reports: Report 4: Information Technology Shared Services, 2015, https://www.oag-bvg.gc.ca/internet/English/parl_oag_201602_04_e_41061.html

Return to footnote 7 referrer

Footnote 8

Senate of Canada, Cyber Assault: It should keep you up at night, 2018, https://sencanada.ca/en/info-page/parl-42-1/banc-cyber-security/.

Return to footnote 8 referrer

Footnote 9

Office of the Communications Security Establishment Commissioner (OCSEC), Review of CSEC's activities under the Protection of Computer Systems and Networks of the Government of Canada Ministerial Authorizations — CSEC's Security Posture Assessment — Active Network Security Testing (ANST) Activities in 2007-2008 and 2008-2009, Report 58, February 14, 2011, pp. 4-5.

Return to footnote 9 referrer

Footnote 10

OCSEC, Review of CSEC's activities under the Protection of Computer Systems and Networks of the Government of Canada Ministerial Authorizations, Report 58, February 14, 2011, p. 25.

Return to footnote 10 referrer

Footnote 11

OCSEC, Report on CSE ITS Ministerial Authorizations, Report 24, May 20, 2003, pp. 31-32.

Return to footnote 11 referrer

Footnote 12

OCSEC, Information Security Activities Conducted Under the Industry Canada Ministerial Authorization, Report 38, December 19, 2006, pp. 10-11 .

Return to footnote 12 referrer

Footnote 13

OCSEC, Privacy and Technology, Report 46, June 11, 2008, p. 24.

Return to footnote 13 referrer

Footnote 14

OCSEC, Review of ITS ANST/CDO 2013, Report 89, March 31, 2015, p. 23.

Return to footnote 14 referrer

Footnote 15

The Office of the Intelligence Commissioner is an independent, quasi-judicial body responsible for reviewing the conclusions of: (a) the Minister of National Defence in issuing or amending a foreign intelligence authorization or a cyber security authorization for the Communications Security Establishment; (b) the Minister of Public Safety and Emergency Preparedness in determining classes of Canadian data sets that the Canadian Security Intelligence Service (CSIS) may collect, or in determining classes of acts or omissions that CSIS may be justified in doing, which would otherwise be offenses under the CSIS Act; and (c) the Director of CSIS in authorizing CSIS to query a dataset in exigent circumstances or to retain a foreign dataset. See Office of the Intelligence Commissioner, Annual Report 2020, March 31, 2020, https://www.canada.ca/en/intelligence-commissioner/annualreport.html.

Return to footnote 15 referrer

Footnote 16

References to enterprise decision-making or enterprise security initiatives refer to an Enterprise Security Architecture led by Treasury Board of Canada Secretariat that includes common, government-wide approaches to planning and delivering common security services. Essentially, it means treating the government as a single entity, rather than as a collection of individual organizations each responsible for their own cyber security and defence. In the context of cyber security, this enterprise approach enhances the government's ability to protect itself from cyber threats by standardizing security controls and improving information sharing about cyber threats, thereby supporting improved responses to cyber incidents. See Shared Services Canada (SSC), SSC Cyber and IT Security Framework, Version 1.0, October 8, 2014; and Public Safety Canada, Progress Report on Canada's Cyber Security Strategy — Horizontal Initiative for 2012-13 and 2013-14, undated.

Return to footnote 16 referrer

Footnote 17

Office of the Comptroller General of Canada, Horizontal Internal Audit Of Information Technology Security in Large and Small Departments (Phase 1), 2016, https://www.canada.ca/en/treasury-board-secretariat/services/audit-evaluation/horizontal-internal-audits/security-large-small-departments-phase-1.html.

Return to footnote 17 referrer

Footnote 18

Public Safety Canada, Horizontal Evaluation of Canada's Cyber Security Strategy, 2017, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/vltn-cnd-scrt-strtg/index-en.aspx

Return to footnote 18 referrer

Table of Contents

Language selection

Social Media

Search

Search and menus

Past Examinations of Cyber Defence Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

External review

The CSE Commissioner

Internal review

Past Examinations of Cyber Defence Activities National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

External review

The CSE Commissioner

Internal review

Past Examinations of Cyber Defence Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack