Part III: Key Cyber Defence Players, Authorities and Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

93. Cyber security is a shared responsibility across government. While individual departments are responsible and accountable for the security of their information technology assets, three key organizations carry out specific government-wide responsibilities and services, including for the narrower mandate of cyber defence. Known as the Government of Canada Information Technology Security Tripartite, these organizations are the Treasury Board of Canada Secretariat (operating at the direction of the Treasury Board), Shared Services Canada and the Communications Security Establishment.

94. This section examines the roles, responsibilities, functions and cyber defence activities of the Information Technology Security Tripartite in detail. It delineates the responsibilities of individual departments for cyber security, based on an expansive view of the scope of entities that make up the Government of Canada. An analysis of the legislative regimes, administrative policies and other authorities of the Tripartite organizations related to providing cyber defence services to government entities identifies which entities can receive cyber security and cyber defence services, and to what degree. This approach facilitated a broad understanding of the responsibilities, activities and range of protection of the government's cyber defence framework.

Treasury Board of Canada and the Treasury Board of Canada Secretariat

95. Established as a Cabinet committee in 1869, the Treasury Board of Canada plays a foundational role in Canada's cyber defence framework. The Treasury Board prescribes the policies, standards and directives for cyber defence and determines to which organizations these requirements apply. Treasury Board's enabling legislation, the Financial Administration Act (FAA), provides roles and responsibilities for key officials across government and broadly sets a number of the policy, administrative and accountability pillars of the government's cyber defence framework.

96. Treasury Board exercises a broad mandate across government. Under the FAA, it is responsible for departmental accountability and financial management in the administration of government and for regulatory oversight of government programs and services; it is also the primary employer for the Government of Canada. The FAA sets out the requirements for a number of key officials and enables the Treasury Board, through the Treasury Board of Canada Secretariat (TBS), to issue policies, directives, standards and guidelines for the management and administration of the majority of federal organizations. The Treasury Board is also responsible for monitoring departmental management practices and program results, including in areas of security policy. Though historically Treasury Board has played a nominal role in matters of national security, its functions regarding the management and administration of government make it a central player in the cyber defence framework.

97. The FAA defines broad roles and responsibilities. These include the President of the Treasury Board, the Secretary of the Treasury Board of Canada Secretariat (the department's deputy head), and the Chief Information Officer of Canada (the CIO of Canada). Their key roles and responsibilities include the following:

  • President of the Treasury Board: serves as the Chair of the Treasury Board and sets the agenda for the government in the areas of people, money and technology. The President is also responsible for TBS as a department and sets the strategic direction of the organization.
  • Secretary of the Treasury Board of Canada Secretariat: serves as the Secretariat's deputy head and is appointed by the Governor in Council. The Treasury Board may delegate any powers or functions to the Secretary that it is authorized to exercise under any Act of Parliament or order made by the Governor in Council. The Secretary provides guidance on the interpretation of policies, directives or standards prescribed by the Treasury Board.
  • CIO of Canada: exercises specific government-wide leadership responsibilities for the direction, oversight and capacity building for information management, information technology, government security and government service delivery, including monitoring departmental management practices, and reporting on the implementation of enterprise-wide objectives and strategic direction, including in areas of cyber security. The Treasury Board may also delegate to the CIO any powers or functions that it is authorized to exercise under any Act of Parliament or order made by the Governor in Council in relation to information technology. Footnote 139 In fulfilling this mandate, the Office of the CIO of Canada has a staff of approximately 195 people and a budget of approximately $31 million, with 21 percent ($6.4 million) allocated specifically to cyber and security policy needs. Footnote 140

98. For their part, deputy heads of federal institutions must ensure that their departments deliver on the government's priorities and agenda, while maintaining program and service integrity. For cyber defence, this includes the responsibility of ensuring that departmental systems and networks are secure.

Defining government organizations

99. Treasury Board identifies 169 federal organizations and an additional 100 federal “interest” organizations. Footnote 141 Understanding how the government defines its own size and scope is critical to determining and assessing which organizations are subject to Treasury Board policies and their obligations to secure systems and networks, and ultimately the degree to which they are protected within the cyber defence framework.

100. The FAA groups most federal organizations into specific categories, or “schedules,” based on their mandate, responsibilities and relationship to government. The following six FAA schedules are of direct relevance as Treasury Board uses them to determine the applicability of policies, standards and guidelines for cyber security and cyber defence:

  • Schedule I consists of “Ministerial Departments.” Legislation establishes these organizations with mandates that cover large areas of public policy. They are assigned one or more Cabinet ministers, and are financed through parliamentary appropriations. Notable examples include the Department of Public Safety and Emergency Preparedness, the Department of Foreign Affairs, Trade and Development, and the Department of National Defence.
  • Schedule 1.1 consists of “Departmental Agencies” and “Agents of Parliament.” These entities typically have more narrowly defined mandates and generally operate with varying degrees of independence. Notable examples include the Communications Security Establishment, the Canadian Security Intelligence Service and Shared Services Canada.
  • Schedule II consists of “Departmental Corporations” and “Service Agencies.” Departmental corporations include organizations that perform highly operational services for which there is usually no private sector competition. They have varying levels of autonomy and management structures. Notable examples include the Canada Border Services Agency, the Canadian Nuclear Safety Commission and the Transportation Safety Board of Canada. Service agencies consist of three specialized entities established through legislation and financed through parliamentary appropriations and some user fees: the Canada Revenue Agency, the Canadian Food Inspection Agency and Parks Canada.
  • Schedule III consists of “Parent Crown Corporations.” These organizations operate on a private sector model, but have a mix of commercial and public policy objectives. Crown corporations are directly owned by the Government of Canada. Notable examples include the Canada Mortgage and Housing Corporation, Export Development Canada and VIA Rail Canada. There are nine additional parent Crown corporations not listed in this schedule of the FAA that have separate governance models established by legislation. Footnote 142
  • Schedules IV and V consist of additional “Portions of the Core Public Administration” and “Separate Agencies.” These include organizations to which Part I of the Canada Labour Code does not apply or those where a minister, Treasury Board or the Governor in Council is authorized to establish the terms and conditions of employment. Notable examples include the offices of the Information Commissioner and Privacy Commissioner (Schedule IV) and the Canada Revenue Agency (Schedule V, but also under Schedule II). While portions of these entities may be captured in the preceding schedules, schedules IV and V include other separate or stand-alone federal entities not listed previously. Footnote 143

The FAA defines a department as an organization listed in schedules I and 1.1 (above), any departmental corporation, and a variety of other organizations and staffs. Footnote 144 Treasury Board also uses this definition to determine the applicability of certain policy instruments for cyber defence. As discussed later, entities falling under Schedule III are not subject to those instruments.

101. The government holds an interest in a number of other organizations in addition to those listed in the FAA. These “interests” generally include organizations where the government may share ownership or participate in their management and oversight but where they are not considered formally part of the government. Footnote 145 Examples of federal interests include the Canadian Institute for Health Information, the Halifax Port Authority and the Greater Toronto Airports Authority. Notably, the House of Commons and Senate are not considered government entities and are therefore not subject to the FAA or Treasury Board policies: ***.

Foundational policies for cyber defence

102. Under the FAA, Treasury Board issued two primary policy instruments and a strategic plan that together set the administrative foundations of the government's cyber security and cyber defence posture. These are the Policy on Government Security, the Policy on Service and Digital, and the Digital Operations Strategic Plan. Footnote 146 These policy instruments and their subsidiary components are applicable to a variety of federal organizations. As part of this administrative structure, deputy heads and departments are responsible for securing their systems and networks in accordance with these policies. In instances where departments do not comply with these policies, deputy heads may apply administrative measures, ranging from persuasion (e.g., maintaining a dialogue with the non-compliant department) to restraint (e.g., reorganization of an institution or termination of employment). Footnote 147 Although the Committee observed instances of non-compliance with TBS direction, TBS did not provide examples of administrative consequences imposed in the context of non-compliance with the above-noted policy instruments. As the CIO of Canada emphasized during a hearing with the Committee, “Deputy heads are the ones who are ultimately responsible for meeting the requirements outlined in our [Treasury Board] policies. In particular, they have responsibility to ensure the protection and confidentiality of the information and assets within departments.” Footnote 148

Policy on Government Security

103. The Policy on Government Security has two primary objectives. The first is “to effectively manage government security controls in support of the trusted delivery of Government of Canada programs and services and in support of the protection of information, individuals and assets.” The second is “to provide assurance to Canadians, partners, oversight bodies and other stakeholders regarding security management in the Government of Canada.” Footnote 149 The current version of the policy was issued July 1, 2019, and is applicable to 110 federal organizations. Footnote 150

104. The policy prescribes a series of requirements for departments and officials. It makes the Treasury Board responsible for establishing and overseeing a whole-of-government approach to security management; providing policy leadership, advice and guidance for government security; and providing strategic policy oversight and coordination of security events that may affect the government as a whole. Footnote 151 For federal organizations, it requires deputy heads to appoint a chief security officer who is responsible for providing leadership, coordination and oversight of departmental security activities.

105. Under the policy, deputy heads must approve a three-year security plan that sets out a strategy for meeting departmental security requirements. This plan must address eight security controls, which are administrative, operational, technical, physical or legal measures for managing security risks. Of the eight security controls, four relate specifically to cyber security and cyber defence:

  • Information technology security requirements, practices and controls must be defined, documented, implemented, assessed, monitored and maintained throughout all stages of an information system's life cycle to provide reasonable assurance that information systems can be trusted to adequately protect information, are used in an acceptable manner, and support government programs, services and activities.
  • Business continuity management is conducted systematically and comprehensively to provide reasonable assurance that in the event of a disruption, the department can maintain an acceptable level of delivery of critical services and activities, and can achieve the timely recovery of other services and activities.
  • Information management security requirements, practices and controls are defined, documented, implemented, assessed, monitored and maintained throughout all stages of the information life cycle to provide reasonable assurance that information is adequately protected in a manner that respects legal and other obligations, and balances the risk of injury and threats with the cost of applying safeguards.
  • Security event management practices are defined, documented, implemented and maintained to monitor, respond to and report on threats, vulnerabilities, security incidents and other security events, and ensure that such activities are effectively coordinated within the department, with partners and government-wide, to manage potential impacts, support decision-making and enable the application of corrective actions. Footnote 152

106. In addition to these broad requirements, the Policy on Government Security shapes the government's administrative framework for cyber defence through the creation of detailed, subsidiary directives, standards and guidance. For example, the Directive on Security Management flows from the Policy on Government Security. Among a range of requirements, the directive defines the security roles and responsibilities of the chief security officer, senior officials, security practitioners and employees across the government and includes a number of detailed appendices that further refine cyber security controls. Footnote 153 One of these appendices is Mandatory Procedures for Information Technology Security Control, which sets out information technology requirements and practices, project management practices, life cycle and supply chain integrity, security assessments and authorizations, and monitoring and corrective actions. Footnote 154 In short, the Policy on Government Security and its subsidiary instruments help set the foundation for government cyber security and cyber defence.

Policy on Service and Digital

107. The Policy on Service and Digital is the second primary policy instrument in the government's cyber security and cyber defence framework. Footnote 155 Issued on April 1, 2020, it “serve[s] as an integrated set of rules that articulate how Government of Canada organizations manage service delivery, information and data, information technology, and cyber security in the digital era.” Footnote 156 Together with its subsidiary Directive on Service and Digital, it consolidates and replaces a number of previous policies and directives. Footnote 157 Of note, the policy is applicable to 87 federal organizations, a narrower area of applicability than the Policy on Government Security. Footnote 158 Given the recent issuance of the policy, these organizations have an implementation period of two years to ensure compliance.

108. The Policy on Service and Digital includes a number of delegated authorities from the Treasury Board to specific officials:

  • The President of the Treasury Board has the authority to issue, amend and rescind directives related to the policy.
  • The CIO of Canada has the authority to issue, amend and rescind standards, mandatory procedures and other appendices related to the policy, and to enhance the government's framework to defend its networks from cyber attack.

109. The Policy on Service and Digital further defines the roles and responsibilities of key senior officials for the governance and administration of cyber security and cyber defence. The Secretary of the Treasury Board is responsible for establishing and chairing the Deputy Minister Committee on Enterprise Priority and Planning, a senior-level body that provides advice and recommendations on a number of information technology issues, including cyber security. Footnote 159 The CIO of Canada must:

  • define cyber security requirements to ensure that government and departmental information and data, applications, systems, and networks are secure, reliable and trusted;
  • manage cyber security risks for the government and direct “a deputy head to implement a specific response to cyber security events, including assessing whether there has been a privacy breach, implementing security controls, and ensuring that systems that put the Government of Canada at risk are disconnected or removed, when warranted;” and
  • approve an annual enterprise strategic plan for the integrated management of data, information technology, information and cyber security. The latest such plan, known as the Digital Operations Strategic Plan 2018-2022, is examined further below. Footnote 160

110. The Policy on Service and Digital gives deputy heads and departments numerous responsibilities for information technology. They must prepare an annual information technology strategic plan that is aligned with the CIO of Canada's Digital Operations Strategic Plan (see paragraphs 119-124) and monitor their organization's compliance with the Policy on Service and Digital and its supporting instruments. Deputy heads also have clearly defined responsibilities for cyber security. They must establish clear governance and reporting requirements, including the designation of an official responsible for leading the departmental cyber security management function: the Designated Official for Cyber Security. The subsidiary Directive on Service and Digital and the Guideline for Service and Digital define the roles and responsibilities of this designated official. For example, the designated official, in collaboration with the departmental chief information officer and the departmental chief security officer, provides department-wide leadership, coordination and oversight for integrating cyber security requirements to protect information technology services. Footnote 161 The designated official must also establish roles and responsibilities for reporting cyber security events (defined as an event that may be detrimental to government security, including threats, vulnerabilities and security incidents). Footnote 162

111. Taken collectively, the Policy on Service and Digital and its subsidiary instruments require officials to enhance program delivery by leveraging new services and technologies while prescribing key cyber security and cyber defence functions and responsibilities. An important example is the government's recent Cloud Adoption Strategy and corresponding cyber security and cyber defence direction included in the Direction on the Secure Use of Commercial Cloud Services.

Using and securing cloud services: Direction from the CIO of Canada

112. Cloud-based services enable individuals and organizations to use software, hardware and services that can be hosted separately from an entity's facilities, and managed by private sector organizations. Footnote 163 As TBS describes:

Cloud computing can be compared to public utilities that deliver commodities such as electricity. Instead of buying and running infrastructure itself, an organization buys computing power from a provider. Much like electricity in a home, cloud computing is on-demand and the consumer pays for what they use. The cost of the infrastructure used for delivery (storage and services in the case of cloud computing, hydro poles and power lines in the case of electricity) is covered by the charges to the consumer. Footnote 164

113. There are three types of cloud services: public, private and hybrid. Under the public cloud model, a private sector company delivers the hardware, software and other network devices over the Internet. In this type of cloud, entities (including government organizations) rent space as “tenants” and share the same services and space with other organizations. Footnote 165 A private cloud consists of the delivery of the same services (hardware, software, network devices) on a private network used exclusively by one organization. Footnote 166 These services can also be delivered within the cloud tenant's physical premises. The hybrid approach is a combination of the public and private models. Notable service providers in Canada include Microsoft, with the Azure and Office 365 platforms, and Amazon Web Services.

114. Cloud services offer several benefits. One benefit can be streamlining costs, as organizations no longer manage or maintain the information technology assets included in the cloud environment (maintenance and management requirements are the responsibility of the cloud service provider). Another is that an organization's cloud requirements are scalable, meaning that they pay according to their changing computing requirements. TBS describes the benefits of public cloud services for the government:

  • improved service performance due to scalable computing resources and contractually obligated performance levels;
  • strong security as cloud service providers offer internationally recognized certifications that would be a challenge for a single organization to deliver;
  • innovation through the deployment of new tools and technologies that are subscription based and do not require large capital investments; and
  • greater flexibility in program development through a greater variety of resources and capacity offered in the cloud. Footnote 167

Cloud environments are not devoid of risk, however. Government data stored in the cloud may still be subject to compromise or theft, and government operations that use cloud-based services may still be interrupted as a result of cyber threat activity. As with traditional computing environments, these require appropriate security controls to mitigate risks to privacy, data loss and service continuity. Footnote 168

115. Since 2016, the government has pursued a cloud adoption strategy to maximize these benefits and mitigate risks. TBS notes that the adoption of cloud computing “will help the [government] maintain information technology service excellence during a period of increasing demand for digital services and timely access to emerging technologies.” Footnote 169 The strategy is also intended as a policy directive that emphasizes a number of requirements for federal organizations:

  • a “cloud-first” adoption strategy in which cloud is the preferred option for delivering information technology services and public cloud is the preferred option for cloud deployment;
  • an approach to managing security risks in cloud adoption that safeguards Canadians' data and privacy;
  • a series of principles that will guide chief information officers as they adopt cloud services; and
  • a vision for enabling community clouds, specifically, a Canadian public sector community cloud, to bring together Canadian public sector buyers with public cloud service providers, brokered and security-assessed by the Government of Canada. Footnote 170

The strategy is aligned with Treasury Board direction included in the Directive on Service and Digital and the Digital Operations Strategic Plan. These documents also establish goals of enhanced service delivery through the use of cloud services, whereby departments must identify and evaluate them as a principal delivery option. Footnote 171

116. Based on the requirements for departments to prioritize the use of cloud services, the CIO of Canada issued the Direction on the Secure Use of Commercial Cloud Services on November 1, 2017. This direction ensures that security considerations are built into a department's approach through specific policy obligations. Footnote 172 For example, cloud environments can be used only for information holdings equal to or below a certain security category. Footnote 173 This direction is applicable to 110 federal organizations. Footnote 174

117. In procuring cloud services, Shared Services Canada (SSC) functions as a broker for the government. This means that SSC contracts cloud service providers, accredits departmental use and provides a self-service model that enables federal organizations to manage their cloud resources. Footnote 175 Nonetheless, departments (through their deputy heads) remain ultimately responsible for the management and safeguarding of their information, including in the cloud space, under the FAA. In accordance with the Direction on the Secure Use of Commercial Cloud Services, departments are therefore obliged to:

  • apply graduated safeguards that are commensurate with identified risks;
  • use third-party certification on the secure design of their cloud space;
  • perform security assessments prior to receiving authorization for use;
  • apply the separate direction for data residency, which requires departments to keep sensitive data in Canada; Footnote 176
  • manage vulnerabilities in information systems (e.g., through patching of vulnerabilities); and
  • establish appropriate mechanisms to manage and respond to security incidents. Footnote 177

To further support secure cloud implementation, a cloud operationalization framework (the cloud security guardrails) was established in 2019 to provide additional direction and guidance to departments. These guardrails reiterated the requirements outlined under the Direction on the Secure Use of Commercial Cloud Services, notably that TBS may disable a department's access to the cloud, should that department not meet these security requirements within 30 days of establishing a cloud environment. Footnote 178
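The obligations listed above, together with the 30-day guardrail, can be expressed as a policy-as-code check that a department could run over its own cloud inventory. The following is an added example written for this page; it is not code from the report, TBS or SSC. Several inputs are assumptions rather than facts from the report: the ranking of security categories and the "Protected B" ceiling (the report does not name the category threshold), the set of region identifiers treated as Canadian, the 30-day patch window, and the sample inventory, which is constructed.

```python
from dataclasses import dataclass
from datetime import date

# Security categories ranked low to high. The report says cloud may hold only
# information "equal to or below a certain security category" without naming it,
# so the ceiling is a parameter (assumed default below), not a fact from the page.
CATEGORY_RANK = {"Unclassified": 0, "Protected A": 1, "Protected B": 2, "Protected C": 3}

# Constructed set of provider region identifiers treated as "in Canada".
CANADIAN_REGIONS = {"ca-central-1", "canadacentral", "canadaeast"}

GUARDRAIL_DAYS = 30  # from the report: requirements unmet 30 days after set-up


@dataclass(frozen=True)
class CloudEnvironment:
    name: str
    category: str                 # highest security category of information held
    region: str                   # provider region where the data is stored
    sensitive: bool               # subject to the data residency direction
    authorized: bool              # security assessment and authorization done
    certified: bool               # third-party certification of secure design
    critical_patch_age_days: int  # age of oldest unapplied critical patch (0 = none)
    incident_process: bool        # mechanism to manage and respond to incidents
    created: date


def check_environment(env, *, max_category="Protected B", patch_sla_days=30):
    """Return the list of unmet obligations; an empty list means compliant."""
    findings = []
    rank = CATEGORY_RANK.get(env.category)
    if rank is None:
        findings.append(f"unknown security category '{env.category}'")
    elif rank > CATEGORY_RANK[max_category]:
        findings.append(f"category {env.category} exceeds cloud ceiling {max_category}")
    if env.sensitive and env.region not in CANADIAN_REGIONS:
        findings.append(f"sensitive data hosted outside Canada ({env.region})")
    if not env.authorized:
        findings.append("no security assessment and authorization on record")
    if not env.certified:
        findings.append("no third-party certification of secure design")
    if env.critical_patch_age_days > patch_sla_days:
        findings.append(f"critical patch outstanding for {env.critical_patch_age_days} days")
    if not env.incident_process:
        findings.append("no incident management and response mechanism")
    return findings


def guardrail_action(env, today, **kwargs):
    """Apply the 30-day guardrail: 'ok' when compliant, 'remediate' while still
    inside the grace period, 'disable' once the period has lapsed with open findings."""
    findings = check_environment(env, **kwargs)
    if not findings:
        return "ok", findings
    age_days = (today - env.created).days
    return ("disable" if age_days >= GUARDRAIL_DAYS else "remediate"), findings


# Constructed sample inventory; names and values are illustrative only.
SAMPLE_ENVIRONMENTS = [
    CloudEnvironment("hr-portal", "Protected B", "canadacentral", True, True, True, 5, True, date(2020, 1, 15)),
    CloudEnvironment("public-site", "Unclassified", "us-east-1", False, True, True, 0, True, date(2019, 11, 1)),
    CloudEnvironment("analytics-sandbox", "Protected C", "ca-central-1", True, True, True, 0, True, date(2020, 6, 25)),
    CloudEnvironment("survey-site", "Protected A", "us-east-1", True, True, True, 0, True, date(2020, 5, 1)),
    CloudEnvironment("legacy-archive", "Protected B", "canadaeast", True, False, True, 45, True, date(2020, 3, 1)),
]


def report(today=date(2020, 6, 30)):
    """Evaluate every environment in the inventory as of `today`."""
    return {env.name: guardrail_action(env, today) for env in SAMPLE_ENVIRONMENTS}


if __name__ == "__main__":
    for name, (action, findings) in report().items():
        print(f"{name}: {action}")
        for finding in findings:
            print("   -", finding)
```

The residency rule is scoped to environments flagged as holding sensitive data, matching the direction's wording, so the unclassified public site in a non-Canadian region passes while the Protected A survey site does not. The guardrail outcome depends on the age of the environment, not on how many findings it has: a brand-new environment with a category breach is told to remediate, an old one with the same breach is a candidate for disconnection.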

118. In short, the Cloud Adoption Strategy and the corresponding direction on secure use are meant to balance information technology enhancements with corresponding cyber security and cyber defence requirements.

Digital Operations Strategic Plan

119. The third foundational policy instrument for cyber defence is the Digital Operations Strategic Plan. Established in accordance with the Policy on Service and Digital, the Digital Operations Strategic Plan applies to 87 organizations. Footnote 179 Also consistent with the Policy on Service and Digital, the CIO of Canada must produce an annual forward-looking information technology plan for the whole of government. These strategic plans set the direction for departments on the priorities for the integrated management of services, information, data, information technology and cyber security. Between 2016 and 2019, the CIO of Canada published three such plans: the Government of Canada Information Technology Strategic Plan 2016-2020; the Government of Canada Strategic Plan for Information Management and Information Technology 2017-2021; and the current Digital Operations Strategic Plan 2018-2022. Due to the pandemic, the CIO of Canada did not prepare a plan in 2020, but intends to publish a version for the 2021-2024 period.

120. The 2018-2022 Digital Operations Strategic Plan builds on the two previous iterations. It restates the vision statement that “the Government of Canada is an open and service-oriented organization that operates and delivers programs and services to people and businesses in simple, modern and effective ways that are optimized for digital and available anytime, anywhere and from any device." Footnote 180 From a cyber defence and cyber security perspective, the plan mandates the development of an in-depth, layered approach that uses trusted (monitored) interconnection points that provide a gateway to cloud services. Overall, the strategy includes four broad categories of actions or initiatives that address key gaps or concerns for cyber defence and cyber security, all of which have varying completion timeframes within the strategic plan's timeframe. Footnote 181

121. The first broad category aims to bolster network consolidation, connectivity and perimeter security. In pursuing the consolidation of network access to trusted external connection points, the government seeks to ensure the proper safeguarding of its information technology perimeter. As part of these efforts, SSC has reduced the number of internet connections. It will also complete network consolidation of the existing 50 SSC partner wide area networks into a single enterprise network. Similarly, SSC will migrate 61 departments and agencies that do not currently use the SSC Enterprise Internet Service to the SSC-managed enterprise network (which use SSC Internet services exclusively and benefit from the protection of CSE’s *** cyber defences) for a total of 104 departments by 2024. Footnote 182 As part of the Cloud Adoption Strategy, the government will pursue the establishment of dedicated network connections to cloud service providers. This will ensure secure communications channels for government information. Moreover, TBS, CSE and SSC are establishing additional trusted interconnection points between government networks and external partners. Ultimately, these measures seek to consolidate the government's perimeter by narrowing external touch points to a limited number of trusted and secure connections.

122. The second broad category of initiatives seeks to secure endpoint devices. Endpoint devices generally consist of laptops, desktops, smartphones, tablets and servers, or information technology assets used by government employees. In consultation with TBS and CSE, SSC will develop standardized procedures to securely configure endpoint operating systems and applications. This includes two key components: the deployment of an endpoint intrusion prevention system to automate the collection of information to identify malicious activity and prevent device compromise; and controls for accessing applications, which enable system administrators to identify and run permissible programs. Initiatives in this category will also support the deployment of tools and processes that monitor the real-time status and configuration of all endpoint devices (e.g., the status of hardware and software versions, operating system versions and patch installations). This capability will complement CSE’s host-based sensors (see paragraphs 198-200), facilitate a comprehensive understanding of endpoint devices, and supplement the speed and ability of the government to address enterprise-wide vulnerabilities on endpoint devices. This initiative is expected to be completed in 2024. Footnote 183

123. The third category of initiatives will improve access control and application development. These enhancements relate primarily to accounts for information technology systems administrators who have privileged access to departmental information technology systems. In 2019, TBS, SSC and departments strengthened the management and control of administrative privileges to minimize the misuse of any account with elevated privileges, and to ensure they are managed, controlled and monitored properly. In the future, TBS will improve secure application development by establishing an application security framework. Departments will apply this framework when developing and implementing digital services. The government's approach seeks to ensure that security is a key component of application design from the outset. This item is ongoing and does not have a scheduled completion date.

124. The fourth broad category aims to improve awareness of cyber threats and risks to the government's systems and networks. Similar to other actions within the Digital Operations Strategic Plan, this collection of initiatives seeks to improve the awareness of cyber risks and cyber threats through improved governance and training, while also bolstering the government's ability to respond to cyber incidents. In line with the above-noted enhancements for a centralized real-time view of endpoint devices, TBS proposes to establish a centralized capability to conduct governance, risk and compliance management activities. This will provide greater knowledge of the government's broad business technology environment, enabling the identification of the system-wide attack surface and areas of vulnerability. TBS does not currently have a deliverable date for this project. Separately, TBS and CSE will develop a government vulnerabilities disclosure framework that quickly identifies and mitigates vulnerabilities. From a training perspective, the Canadian Centre for Cyber Security (CCCS) will promote a government-wide approach that enhances the cyber security of all employees. These efforts will help ensure that all system users contribute to system security and integrity. Lastly, TBS will update the Government of Canada Cyber Security Event Management Plan (see paragraphs 224-236), which describes the “stakeholders and actions required to ensure that cyber security events are addressed in a consistent, coordinated and timely fashion.” Footnote 184

Summary

125. The Treasury Board and TBS play a central role in ensuring the proper administration and management of government. In the areas of cyber security and cyber defence, Treasury Board prescribes policies and directives that most (but not all) government organizations follow to ensure the integrity and security of their information technology assets and those of the government more generally. In turn, individual departments are ultimately responsible for ensuring their organization's cyber security and for safeguarding information and digital assets. Within this model of shared responsibility, SSC and CSE also play central roles in supporting departments to meet their obligations. The Committee discusses these organizations next.