Part II: Evolution of the Government's Framework for Cyber Defence
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
68. The evolution of the government's framework for cyber defence has been a mix of unanticipated and reactionary, and deliberate and planned. Changes in legislation provided new authorities that drove the development of activities to strengthen the security of government systems and eventually better defend them. At the same time, major cyber threat actors forced the government to adapt its defences, particularly following critical cyber incidents that caused significant loss of data and underlined the vulnerability of individual departments and the government more generally. The government responded by promulgating key strategies and policies, investing in the modernization of information technology and cyber defences, and creating organizations specifically tasked with addressing weaknesses in the system. In the process, the government progressively moved away from its siloed approach where individual departments, no matter how big or small, were responsible for their own cyber defence, to treating the government as an "enterprise," where specific organizations are responsible for driving the implementation of government-wide policies and for providing "defence in depth" services to protect the government as an organization.
Early days (2001 to 2010)
69. The genesis of cyber defence in Canada was legislative. On December 18, 2001, Parliament passed the Anti-Terrorism Act. As its name suggests, the Act was a response to the terrorist attacks of September 2001. For the Communications Security Establishment (CSE), it meant that its mandate and authorities were enshrined in statute (the National Defence Act), Footnote 102 permitting a significant expansion of its foreign intelligence activities to support, among other things, the fight against al-Qaida. At the same time, the Act provided CSE with broad authority to provide advice, guidance and services to protect electronic information and information infrastructures of importance to the government, including ministerial authorizations for activities that would risk intercepting private communications. Over time, this authority allowed CSE to develop and conduct novel cyber defence activities on government computer systems or networks, notably active network security testing to measure the security of specific government systems and networks and computer network defence activities to protect specific government systems and networks. Footnote 103
Active network security testing and security posture assessments
70. From 2002 to 2012, CSE offered active network security testing activities to government departments. These activities involved CSE using various unclassified technical methods to penetrate the computer systems of a government institution to identify vulnerabilities and weaknesses in a network and to test the reaction of the department to an active cyber threat. These "penetration" tests were designed to determine if a cyber threat actor (played by CSE) could access a network and obtain sensitive or classified documents that should not have been publicly available. The results were used to make recommendations to remedy deficiencies. Footnote 104
71. CSE conducted its first activities under ministerial authorizations in 2002. It tested for vulnerabilities in *** CSE's own networks and for weaknesses in *** networks at CSE and the Privy Council Office. Footnote 105 In November 2002 and April 2003, CSE obtained ministerial authorizations to conduct similar tests against networks at the Canadian Security Intelligence Service (CSIS) and the Department of Foreign Affairs and International Trade, respectively. Based on this experience, CSE began using its authorities in earnest. Between 2002 and 2006, CSE obtained 11 ministerial authorizations to conduct testing and assessment activities of the systems for the following organizations:
- Department of National Defence, including *** (October 2002);
- Royal Canadian Mounted Police (June 2003);
- Privy Council Office (November 2003);
- Canada Customs and Revenue Agency (December 2003);
- Department of Human Resources Development (January 2004);
- Department of National Defence (January 2004);
- Industry Canada (May 2004);
- *** (October 2004);
- CSE, including the networks of the Office of the CSE Commissioner (April 2005);
- Privy Council Office (February 2006); and
- Department of National Defence (February 2006). Footnote 106
These activities were halted in October 2006. When they were restarted in December 2007, CSE used a different approach (paragraphs 74-76).
The origin of computer network defence activities
72. [*** This paragraph was revised to remove injurious or privileged information. ***] Between 2004 and 2006, CSE began conducting activities that would form the basis of its cyber defence program. In late 2003, the Department of National Defence (DND) identified intrusions (later attributed to Russia) against its systems and requested CSE assistance. In January 2004, CSE sought the Minister's authorization to conduct normal active network security testing activities on the DND network and to deploy cyber defences to identify attempted exploitations and monitor the activities of the advanced cyber threat actor. Footnote 107 That same year, CSE and Foreign Affairs Canada (FAC) were also tracking attempts by China to compromise the FAC network. In June 2005, CSE sought the Minister's authorization to deploy cyber tools on FAC systems. Footnote 108
73. In 2006, CSE received ministerial authorizations to conduct computer network defence activities on the DND networks (February), FAC networks (June) and its own networks (June). CSE attributed the increasingly sophisticated attacks against DND networks to China, and the attacks against FAC networks to both China and Russia. As it had done *** in 2004, CSE *** deployed tools to enhance its capacity to detect sophisticated cyber attacks against government networks, to respond to such attacks, and to pursue the (foreign) origins of detected attacks through CSE's foreign intelligence activities. Footnote 109 This was the birth of advanced computer network defence activities in the Government of Canada, what today is called "cyber defence activities."
Hard lessons learned along the way
74. In October 2006, CSE suspended all of its active network security testing and computer network defence activities. As the CSE Commissioner later explained,
CSE did not fully comply with the requirements and conditions of [its ministerial authorizations (MAs)] during the period June 2005 to October 2006. Insufficient management attention was paid to the conditions of the MAs, to their communication, and to compliance with them. The control framework for those carrying out these activities was not sufficiently clear, consistent, comprehensive, or current. The cumulative impact of these issues called into question CSE compliance with the Privacy Act and the National Defence Act. Footnote 110
CSE reviewed its programs and implemented several changes over the course of a year to restructure its activities and policy framework, and improve program monitoring and accountability.
75. In December 2007, CSE requested ministerial authorization to resume active network security testing activities. CSE moved from a department-by-department request for authorities to an umbrella approach of a single ministerial authorization that permitted CSE to provide network security assessments at the request of any government department, consistent with the Treasury Board Government Security Policy. Footnote 111 CSE continued to offer these services to government departments until 2012, when it was clear that the relative value of network penetration tests had declined (CSE was always able to penetrate its test subject networks). CSE shifted its focus exclusively to cyber defence, where its defences were making considerable progress on identifying and blocking sophisticated cyber attacks.
76. In March 2008, the Minister of National Defence approved a similar umbrella request for ministerial authorization to resume computer network defence activities on government networks to protect against the theft of sensitive information by advanced cyber actors. CSE noted that an expanding number of government departments were being victimized by highly sophisticated adversaries, particularly China and Russia. CSE was authorized to conduct five types of computer network defence activities under the authorization:
- incident analysis: the investigation of alerts when CSE's classified intrusion detection system flagged possible threats;
- anomaly analysis: the creation of standardized profiles for government departments and their network traffic to identify abnormal behaviour that may indicate malicious activity;
- forensic intrusion analysis: the detailed examination of malicious network intrusions to identify potential harm to a government network;
- incident reporting: the provision of mitigation advice stemming from identified intrusions; and
- advanced tool development: the enhancement of CSE's classified intrusion detection tools based on the analysis of malicious cyber activity to improve detection of cyber threats. Footnote 112
As is detailed later, this shift enabled CSE to deploy its sensors to the government's Secure Channel Network, which consolidated Internet access for over 70 departments. As a result, CSE discovered that China had compromised a number of departments and stolen significant amounts of data. This discovery was the catalyst for a number of changes in the following years (described below), including pushing more departments under CSE's defences. Footnote 113 For its part, CSE continues to offer its computer network defence activities to government departments and has done so under successive ministerial authorizations since 2008. Today, these are known as cyber defence activities, described in more detail in the CSE section (paragraphs 154-213).
Government policies for cyber defence
77. Between 2001 and 2010, the government released two policies of significant relevance to cyber defence: the Government Security Policy in 2002 and the National Security Policy in 2004. The Government Security Policy was intended to support the national interest and the government's business objectives by safeguarding employees and assets and assuring continued service delivery. This policy stated that deputy heads are accountable for safeguarding employees and assets under their responsibility and established a number of baseline security requirements that deputy heads must follow. Among these requirements, departments must appoint a departmental security officer to establish a security program that ensures coordination of all policy functions, including information technology security, security screening and access limitations. The Government Security Policy obligated departments to implement baseline information technology security controls to prevent, detect, react to and recover from the compromise of information technology systems. Importantly, departments had to conduct periodic security evaluations of their information technology systems, continuously monitor the operations of these systems to detect anomalies in service delivery levels, establish mechanisms to respond effectively to information technology incidents, should they arise, and exchange incident-related information with lead departments in a timely manner. Footnote 114 Treasury Board updated the Government Security Policy in 2009 and again in 2019, when it was renamed the Policy on Government Security. Its contemporary relevance and application are described in paragraphs 103-106.
78. The government's National Security Policy provided a strategic framework and action plan to ensure that the government was prepared to respond to a range of national security threats. The Policy described cyber attacks as “a growing concern that have the potential to impact on a wide range of critical infrastructure that is connected through computer networks.” To address this threat, the document introduced two initiatives: first, to substantially improve threat and vulnerability analyses for government systems and to strengthen its ability to defend government systems from attacks; second, to develop a National Cyber Security Strategy. Footnote 115 These initiatives were funded in later Budgets.
Establishing the government enterprise (2010 to 2018)
79. The period between 2010 and 2018 was critical to the establishment of the government's cyber defence framework. During this time, the government introduced two national cyber security strategies and allotted significant funding toward cyber defence and cyber security. The government also made significant changes to its organizational structure with the creation of Shared Services Canada and the Canadian Centre for Cyber Security. At the same time, major cyber attacks were important catalysts for change, including the growing deployment of CSE's defensive sensors on government networks and the consolidation of government data centres and Internet access points. The government also established mechanisms to govern cyber defence and clarified the roles and responsibilities of respective players in the cyber defence framework. These changes are described below.
Canada's Cyber Security Strategy, 2010
80. In October 2010, the government released Canada's Cyber Security Strategy to defend Canadians, Canadian businesses and the economy from cyber threats. The strategy had three pillars:
- Securing government systems: intended to strengthen the government's ability to prevent, detect, respond to and recover from cyber threats.
- Partnering to secure vital cyber systems outside government: intended to strengthen cyber resiliency in Canada, including for critical infrastructure sectors.
- Helping Canadians to be secure online: intended to promote public awareness, educate Canadians on how to protect themselves online and strengthen the ability of law enforcement agencies to combat cyber crime. Footnote 116
The strategy received over $244 million in funding over five years, and $60 million annually thereafter. Footnote 117 The pillar most relevant to cyber defence was the first: securing government systems. Under it, there were three notable outcomes: strengthening CSE's cyber defence program, the creation of Shared Services Canada, and implementing better governance and policies. Each is addressed in turn below.
Strengthening CSE's cyber defence program
81. The primary goal of the first pillar of the strategy was to increase the government's cyber technology, intelligence analysis and investigative capacity. The majority of funding, $205 million over five years (84 percent of total funding for the strategy), was provided to CSE to enhance its ability to defend government systems and networks. This included installing new network-based sensors to monitor departments' networks for cyber threats and automatically mitigate cyber attacks, and developing host-based sensors, software designed to defend individual government devices. Footnote 118
82. These investments significantly improved CSE's cyber defence capabilities. Prior to the strategy, CSE's cyber defence program focused on incident response and mitigation, which involved labour-intensive manual processing and ad hoc reporting to individual clients. With the deployment of network-based dynamic defence in 2013, CSE was better able to monitor and analyze threat information that it could then use proactively to prevent cyber attacks from reaching government users and systems by blocking attacks at the government perimeter. The merit of this tool was underlined in 2014, when CSE deployed its dynamic defence network-based sensors on the Shared Services Canada Secure Channel Network to support the government's efforts to mitigate a major cyber vulnerability (see case study 3 on HEARTBLEED). Under the strategy, CSE also established the Cyber Threat Evaluation Centre to improve its awareness and understanding of sophisticated cyber threats targeting government systems. Footnote 119 This allowed CSE to better track and report on known cyber threats and trends and to automate the discovery of cyber threats and the deployment of defences. Footnote 120 The development of CSE's cyber defence program has contributed to a steady expansion of CSE's visibility into government networks and a simultaneous decrease in the number of successful data exfiltrations. Footnote 121
Creating Shared Services Canada
83. The creation of Shared Services Canada (SSC) facilitated the implementation of the objectives outlined in Canada's Cyber Security Strategy. Footnote 122 This change contributed significantly to the evolution of the government's cyber defence architecture, as it consolidated information technology resources from 42 departments (approximately 95 percent of all federal resources) and accelerated the shift toward an enterprise approach to cyber security. In general, SSC is responsible for designing and operating secure information technology infrastructure that protects government data and technology assets; developing security policies, standards, plans and designs; and providing security-related services for the delivery of government services. Footnote 123 As part of the strategy, SSC increased its capacity to provide threat monitoring, vulnerability assessment and computer forensic services for its 43 core partners and deployed new tools to assist in handling the increasing volume of cyber threats (see section on SSC, paragraphs 126-153). Footnote 124 Notably, SSC also consolidated more than 720 government data centres to 381, with a goal to ultimately transition to 4 regional hubs, and reduced the number of Internet access points from approximately 100 to 2, with plans to add 3 regional hubs (for a total of 5 secure connections) and potentially 3 international hubs. Reducing these points of vulnerability made the protection of the entire government cyber enterprise easier. Through its Federal Information Protection Centre, SSC provided threat monitoring, coordinated all security incidents affecting SSC's supported infrastructure, and consolidated incident reporting from its core partners. The creation of SSC and the consolidation of departments into a government enterprise model has increased the government's awareness of cyber threats and vulnerabilities and established conditions for more uniform deployment of CSE's sophisticated cyber defence sensors. Footnote 125
Implementing better governance and policy
84. Governance was another key feature of the 2010 cyber strategy. Prior to the strategy, governance of cyber defence was marked by a lack of clarity concerning roles and responsibilities and a largely ad hoc and decentralized model, with deputy ministers individually responsible for the cyber security and cyber defence of their respective organizations. Footnote 126 One of the objectives of the 2010 strategy was to establish clear roles and responsibilities for the management of cyber events. To this end, Public Safety Canada and CSE re-aligned their responsibilities related to incident coordination and management, making Public Safety Canada responsible for performing cyber security management for non-federal entities, including the provision of mitigation advice to other levels of government (at the time, the Strategy focused on engagements with provincial and territorial governments) and the private sector, and CSE responsible for performing cyber security operations and cyber incident management for government systems. Footnote 127
85. For its part, the Treasury Board of Canada Secretariat (TBS) established three governance committees to provide information technology security governance for horizontal initiatives under the first pillar of the 2010 strategy. Known as the Information Technology Security Tripartite, these committees were created at the Director General, Assistant Deputy Minister and Deputy Minister levels and are further described in paragraphs 221-223. TBS also led the development of an improved Information Technology Incident Management Plan to enable more rapid and integrated government-wide response to cyber security incidents. This plan identified departmental roles and responsibilities for reporting and responding to information technology incidents; formalized horizontal reporting, warning and response protocols; and identified senior committees and officials to be engaged when threats escalated in severity. Footnote 128 Governance of incident management further evolved in 2015 as the government replaced this plan with the new Cyber Security Event Management Plan (paragraphs 224-236).
86. As roles and responsibilities were better understood and departmental coordination increased, the government created a number of interdepartmental governance mechanisms. The primary governance mechanism for policy matters was the Deputy Ministers' Committee on Cyber Security (DM Cyber Security), which was supported by committees at the assistant deputy minister and director general levels. These three committees were chaired by senior Public Safety Canada officials; their membership consisted of senior officials from CSE, TBS, SSC, CSIS, the Royal Canadian Mounted Police, DND / Canadian Armed Forces, and the Privy Council Office. The purpose of DM Cyber Security was to establish policy direction for issues related to cyber security, set cyber security-related priorities for member departments and agencies, and consider emerging cyber security issues. Footnote 129 In terms of outcomes, a 2016 evaluation found that this governance structure facilitated collaboration, coordination and information-sharing among participating organizations, and helped to clarify departments' roles and responsibilities. However, the evaluation could not determine the extent to which governance bodies fulfilled their stated purposes, including holding regular meetings, due to an absence of proper documentation. It also found that uncertainty regarding roles and responsibilities persisted, causing confusion for departments, agencies and private sector stakeholders, and that information-sharing was selective or ad hoc due to the absence of specific policies. Footnote 130
87. TBS supported effective governance and the response to cyber incidents by establishing operational standards, guidelines and policies. In 2016, TBS released the Information Technology Strategic Plan. This plan guides federal organizations on information technology priority-setting and decision-making, including in the area of information technology security. Relevant priority initiatives in this area included securing the government's network perimeter, implementing endpoint security profiles, and implementing a systematic approach to vulnerability and patch management. Footnote 131 TBS also released the first iteration of its Digital Operations Strategic Plan in 2018. This plan sets the direction for departments on the priorities for the integrated management of services, information, data, information technology and cyber security. From a cyber security and cyber defence perspective, the plan mandates the development of a layered approach that uses trusted interconnection points to provide a gateway to cloud services. Footnote 132
The evolution of Canada's Cyber Security Strategy
88. In 2015, the government renewed its 2010 cyber security strategy. This renewal marked the second phase of the strategy and was meant to address three challenges. First, the strategic cyber threat environment had evolved considerably, with the emergence of more capable cyber threat actors and an increase in the proliferation of cyber tools. Second, cyber security had become a major economic issue as cyber threat actors had increasingly targeted Canadian businesses. Third, there was an increasing need to keep Canadians safe online through better digital literacy and new approaches to cyber crime. To address these challenges, the government provided funds for three initiatives:
- increasing cyber threat intelligence collection and analysis in order to share threat information with critical infrastructure and private sector systems;
- increasing partnership with telecommunications service providers for conducting assessments of cyber vulnerabilities and dependencies in critical infrastructure; and
- dedicating law enforcement capacity to more effectively investigate and disrupt cyber crime. Footnote 133
These initiatives fell within pillars two and three of the 2010 cyber security strategy - partnering to secure vital cyber systems outside of the government, and helping Canadians to be secure online - areas that had received less funding. Specific funding was also devoted to address security gaps highlighted by China's cyber attack against the National Research Council in 2014 (see case study 4). Footnote 134
89. In June 2018, the government announced its new National Cyber Security Strategy. The 2018 strategy was based on a government-wide evaluation of the 2010 strategy and included input from private sector experts, law enforcement and academics. The 2018 strategy defined three goals to achieve security and prosperity in the digital age:
- Secure and resilient Canadian systems: intended to improve the government's ability to protect Canadians from cyber crime, respond to evolving cyber threats, and help defend critical government and private sector systems;
- An innovative and adaptive cyber ecosystem: intended to support research, foster innovation and develop cyber skills to position Canada as a global leader in cyber security; and
- Effective leadership, governance and collaboration: intended to advance cyber security and work with allies to shape the international cyber security environment in Canada's favour. Footnote 135
The 2018 strategy's core goals and initiatives were reflected in Budget 2018's investments in cyber security, which totalled $508 million over five years and $109 million annually thereafter. Most notably, CSE received $155 million over five years and $45 million annually thereafter to create a new centre for cyber security.
90. In response, the government created the Canadian Centre for Cyber Security (CCCS) in October 2018. This change consolidated the roles and responsibilities of a number of federal cyber organizations, notably CSE's Information Technology Security program, Public Safety Canada's Canadian Cyber Incident Response Centre and its public awareness campaign, and some functions of SSC's Security Operations Centre. CCCS has four primary responsibilities:
- inform Canadians about cyber security matters, including cyber security threats;
- protect Canadian interests through advice, assistance and collaboration with partners across the country and abroad;
- defend networks and systems that are within its visibility; and
- develop and enrich the knowledge, personnel and skills needed to continually improve cyber security for Canadians. Footnote 136
CCCS is meant to serve as a single source of government advice, guidance, services and support on cyber security operational matters. It is the government's operational lead during cyber security events and is intended to provide more coordinated and focused government responses to cyber threats and incidents; improve coordination of government cyber security activities; and provide more effective information exchanges between the government and private sector partners.
91. The 2018 strategy included a number of initiatives related to protecting Canada's critical infrastructure. The strategy's five-year action plan directs CCCS to improve its partnerships with owners and operators of critical infrastructure in the finance and energy sectors to enable the exchange of cyber security knowledge and capabilities to better defend against advanced cyber threats. Footnote 137 It also directs Public Safety Canada to deliver a comprehensive risk management approach to enable critical infrastructure owners and operators to better secure their systems and information. Finally, the strategy included funding for CSIS to increase its work in cyber intelligence collection and cyber threat assessments to improve its cyber situational awareness and ability to provide advice to the government on issues of cyber relevance. Footnote 138
92. The government's framework for cyber defence continues to evolve. In June 2019, the Communications Security Establishment Act received Royal Assent, significantly changing CSE's mandate, authorities, immunities and oversight, including in areas of immediate relevance to cyber defence. In April 2020, Treasury Board released its Policy on Service and Digital, which establishes the rules by which the government will manage service delivery, information and data, information technology, and cyber security in the digital era. These changes will be addressed in the following sections on TBS and CSE, respectively.