Past Examinations of Cyber Defence Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
18. A number of reviews, audits and evaluations have been conducted on aspects of the government cyber defence framework. These were conducted by independent, external review or audit entities, parliamentary committees, the Communications Security Establishment (CSE) Commissioner (the former body dedicated to reviewing CSE activities) and bodies internal to the government. As background to the Committee's review, this section summarizes each in turn. The implementation of recommendations from these studies is not tracked as part of this review.
19. The following external reviews or audits contained specific reference to the protection of government information systems from cyber threats:
- Office of the Auditor General of Canada — Chapter 3: Protecting Canadian Critical Infrastructure Against Cyber Threats (2012): Part of this audit examined how the government protects its information systems and the roles and responsibilities of the departments involved. It recommended that Treasury Board of Canada Secretariat update relevant policies to reflect the new information security roles and responsibilities of Shared Services Canada (SSC). Footnote 6
- Office of the Auditor General of Canada — Report 4: Information Technology Shared Services (2015): This audit examined how SSC provided information technology services to other federal departments, including information technology security. It recommended that SSC establish expectations or provide information on core elements of security to partners to allow them to comply with government information technology security policies, guidelines and standards. Footnote 7
- Senate of Canada Standing Committee on Banking, Trade and Commerce — Cyber Assault: It should keep you up at night (2018): This report primarily examined how to enhance cyber security for Canadians and businesses. However, it also considered how to improve the government's cyber security framework and strengthen oversight over the many departments that have cyber security as part of their mandate. The report recommended the creation of a new federal minister of cyber security who would be responsible for Canadian cyber security policy while coordinating cyber security efforts with provincial and territorial governments and the private sector. Footnote 8
The CSE Commissioner
20. Between 1996 and 2019, the CSE Commissioner was responsible for reviewing CSE activities for compliance with the law and policy direction from the Minister of National Defence. In his final report in 2019, the CSE Commissioner reported that CSE had accepted and implemented 166 of the 175 recommendations made since 1997 across all areas of CSE's mandate, a completion rate of 95 percent. Between 2001 and 2019, the CSE Commissioner conducted a number of reviews of CSE's cyber defence activities, which were variously known as active network security testing, security posture assessments, cyber defence operations and information technology security activities. In general, the CSE Commissioner examined programs or aspects of CSE's cyber defence activities to determine whether:
- ministerial authorizations for cyber defence activities met conditions specified in the National Defence Act;
- cyber defence activities were conducted in accordance with legislative, ministerial and policy requirements;
- CSE directed cyber defence activities at Canadians or persons in Canada; and
- private communications intercepted by CSE were deemed essential to identify, isolate or prevent harm to Government of Canada computer systems or networks.
21. In October 2006, the CSE Commissioner noted that CSE senior management became aware that certain cyber defence activities may not have been compliant with operational policies and procedures. The Commissioner found that management paid insufficient attention to the conditions for and compliance with ministerial authorizations, and that the control framework for carrying out activities under ministerial authorization was not sufficiently clear, consistent, comprehensive or current. The cumulative impact of these issues called into question CSE's compliance with the Privacy Act and the National Defence Act. As a result, CSE suspended all cyber defence activities under ministerial authorization to conduct an internal investigation. These activities were restarted in October 2007 following a restructuring of the ministerial authorization program and policy framework. Footnote 9
22. Since 2007, the CSE Commissioner has found that ministerial authorizations for cyber defence activities met the requirements of the National Defence Act, and that these activities were in accordance with the law and CSE policies. Footnote 10 The CSE Commissioner also confirmed that CSE did not direct its cyber defence activities toward Canadians or persons in Canada. Nonetheless, between 2001 and 2019 the CSE Commissioner made a number of recommendations to ensure that CSE cyber defence activities had:
- practical definitions, new record classifications, and clear retention and disposal schedules for personal information; Footnote 11
- appropriate policies for filing, retaining and deleting key information found under a ministerial authorization; Footnote 12
- improved descriptions in ministerial authorizations to clearly identify what the Minister was authorizing; Footnote 13 and
- improved clarity under the National Defence Act regarding authorities that risk intercepting private communications. Footnote 14
23. In 2019, the National Security Act created two new organizations. The first is the National Security and Intelligence Review Agency, which took on the review activities of the CSE Commissioner. The second is the Intelligence Commissioner, who (among other things) reviews the annual cyber security authorizations granted to CSE by the Minister of National Defence. Footnote 15 These authorizations allow CSE to access the information infrastructures of federal or designated non-federal institutions where it would otherwise contravene an Act of Parliament (e.g., the Criminal Code) or interfere with the reasonable expectation of privacy of a Canadian or a person in Canada. Since his office was created in 2019, the Intelligence Commissioner has found all cyber security authorizations he has reviewed to be reasonable. However, the Intelligence Commissioner also noted that cyber security authorization applications have had several inconsistencies, including missing descriptions of outcomes, missing descriptions of the cyber security services received by clients and unexplained conditions that the Minister imposed on authorizations. These issues did not affect the Intelligence Commissioner's assessment of the reasonableness of the Minister's conclusions.
24. The following internal reviews or audits are particularly relevant to the government's cyber defence framework:
- Treasury Board of Canada Secretariat — Report on Cyber Security of Government Systems (2016): This study analyzed aspects of cyber security across the government and determined there was a lack of clear decision-making at the enterprise level. It suggested nominating a senior-level executive with a mandate to resolve responsibility gaps and facilitate enterprise initiatives. It also suggested reducing redundancies among governance committees. Footnote 16
- Office of the Comptroller General of Canada — Horizontal Internal Audit of Information Technology Security in Large and Small Departments (2016): Part of a multi-year, multi-phase effort, this audit reviewed governance and control frameworks over information technology security for unclassified government networks. It found that such frameworks were in place and that Treasury Board of Canada Secretariat had established policy direction for information technology security. However, the audit noted that policy instruments were out of date and that further clarification of roles and responsibilities was needed, including for SSC, to further define expectations for securing legacy systems. The audit also found that the several committees governing information technology policy instruments needed to improve coordination and reporting relationships. Additional phases were planned for the years 2019-20 to 2021-22. Footnote 17
- Public Safety Canada — Horizontal Evaluation of Canada's Cyber Security Strategy (2017): This review examined the government's progress in defending against cyber attacks. It found that, despite improvements, there was still confusion between departments on their roles and responsibilities, particularly between CSE and the then Public Safety Canadian Cyber Incident Response Centre. The private sector echoed this concern, noting that it was unclear where private sector organizations should report cyber incidents or seek assistance. The review also found that the government needed to continue to strengthen its ability to prevent, detect, respond to and recover from cyber attacks. It recommended that the government strengthen its horizontal governance of cyber security by re-assessing participation on existing committees and developing terms of reference to better define departmental roles and responsibilities. Footnote 18