Part III: Key Cyber Defence Players, Authorities and Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

Shared Services Canada

126. SSC is the second member of the Information Technology Security Tripartite. SSC is responsible for ensuring that the government's information technology infrastructure protects the government's technology assets and data in the government's possession. Footnote 185 This section discusses the evolution of SSC's mandate, key SSC services and projects to strengthen the government's general cyber security posture and those more specific to cyber defence, and SSC partners and clients.

SSC mandate

127. Prior to 2011, federal departments were viewed as unique in their individual information technology requirements. There was very little standardization as a result: departments were individually responsible for the acquisition and management of their information technology infrastructure, computers and devices, and for securing their electronic assets. Footnote 186 SSC was created in 2011 to fundamentally change this approach. The preamble to the Shared Services Canada Act (the SSC Act) establishes that the objective is to “standardize and consolidate, within a single shared services entity, certain administrative services that support government institutions; and doing so will enable those services to be provided more effectively and will support the efficient use of public money.” Footnote 187 In practice, this meant consolidating the provision of email, data centre and network services to a core group of partner departments, and coordinating the purchase and provision of information technology equipment for the government. Footnote 188 While this consolidation was initially considered a cost-saving measure, the scope of the changes required necessitated considerable investments in following years. Footnote 189

128. The authorities underpinning SSC have evolved. SSC was created by order in council in 2011. The department was then established in statute on June 29, 2012, when the SSC Act received Royal Assent. The SSC Act provides for a Minister to be designated as responsible for SSC - currently, the responsible minister is the Minister of State (Digital Government) Footnote 190 - and grants the Minister authority to coordinate telecommunications services for departments and agencies. SSC has the responsibility to:

  • determine and deliver information technology solutions and common services across the government enterprise;
  • plan and design forward-looking, consolidated and standardized services to meet the needs of partner and client departments;
  • manage and maintain existing information technology infrastructure, including all necessary ongoing service and maintenance support;
  • procure goods and services to enable the delivery of common information technology services to partner and client departments; and
  • support government-wide information management and information technology security in partnership with CSE, including CCCS, and other government security partners. Footnote 191

129. In total, the government has issued 21 orders in council to adjust SSC's mandate, appoint presidents of the organization, and expand the number of organizations to whom SSC must provide services or act to procure equipment and services. Footnote 192 Four of the orders in council are of particular relevance to this review:

  • In 2011, the government issued two orders in council that transferred six information technology-related units from then-Public Works and Government Services Canada, Footnote 193 and transferred the email, data centre and network services units of 42 departments to SSC, thereby creating SSC's 43 core “Partners.” Footnote 194
  • In 2012, the government issued an order in council that circumscribed SSC's mandate by stipulating that it would not provide email, data centre or network services to any department that was accredited to process and store Top Secret information, or where four specified organizations used specific systems to operate ships, aircraft or vehicles or to support operations in the areas of national defence, national security or public safety. Footnote 195
  • In 2015, the government issued an order in council to expand the SSC mandate beyond its original 43 core partners to include 40 “Mandatory Clients” that would receive a subset of services related to email, data centres and network services on a cost-recovery basis. The order in council also expanded the number of government organizations required to procure end-user devices (e.g., desktop computers, printers) from SSC, and created a category of “Optional Clients” that could obtain services from SSC on a cost-recovery basis (the definition included Crown corporations and other levels of government). Footnote 196

130. In sum, the periodic issuance of orders in council has established SSC's mandate and membership, and clarified its provision of services for email, data centres, networks and procurement for endpoint workplace technology devices. At present, SSC provides some or all services to 160 of 169 federal organizations (the Committee explores the issue of which departments are included later). See Table 1 for an overview of the division of responsibilities between SSC and individual departments.

Table 1: Distribution of Government of Canada Information Technology Service Responsibilities and Service Areas Footnote 197
Responsibility | Email, data centres, and networks | End-user devices | Applications
Service management and delivery | Shared Services Canada (mandatory or optional for specific departments as specified in orders in council) | Departments | Departments
Procurement | Shared Services Canada (mandatory or optional for specific departments as specified in orders in council) | Shared Services Canada | Public Services and Procurement Canada
Policy and standard setting | Treasury Board of Canada Secretariat | Treasury Board of Canada Secretariat | Treasury Board of Canada Secretariat

SSC services and projects

131. SSC has a fundamental role in ensuring that government digital assets and information are protected. Its provision of email, networking and data centre services means that it provides the infrastructure that houses and carries important information belonging to Canadians and to the government. This infrastructure supports the delivery of government programs, and Canadians expect and depend on consistent and reliable service from those programs. The persistent threat of cyber attack against this infrastructure means that cyber security remains a significant risk; where technical or operational security controls are inadequate, or where security vulnerabilities are not addressed, government systems remain vulnerable to malicious cyber activity. Footnote 198 As SSC notes, the security of the government's information technology infrastructure is therefore of “paramount importance.” Footnote 199

132. The Committee understands SSC's fulfillment of its responsibilities as falling into two broad categories. The first is the ongoing protection of government digital assets and communications through the proper management of information technologies (SSC services). The second is the implementation of a government-wide information technology infrastructure plan to better protect government systems against security threats (SSC projects). Footnote 200 The Committee discusses each of these in turn.

Cyber defence and SSC services

133. The networks and data that SSC is responsible for protecting vary widely in size, function and mandate. These differences are representative of the variability in government programs and service delivery. Some organizations hold little sensitive information on their networks and therefore face relatively few security threats; others hold large amounts of sensitive information and face significantly greater threats. Footnote 201 To respond to these threats, SSC applies a number of cyber security measures to identify and prevent malicious actors from gaining access to government networks, including firewalls, anti-virus and anti-malware services, and identification and authentication tools. Footnote 202 SSC is responsible for the government's Secret-level network infrastructure, and collaborates with CCCS to manage the government's network perimeter by using specialized security monitoring of Internet gateways (see the section, “The Communications Security Establishment”) that have enhanced the government's ability to detect and deter malicious cyber activity. Footnote 203 Altogether, SSC offers 34 different services to its partners and clients that fall across five categories, each of which contains at least one service of relevance to SSC's role in defending government networks from cyber attack. The following paragraphs briefly describe each of the services and their relevance to cyber defence.

Digital services

134. Digital services is the largest category of services provided by SSC. Of the 12 services in this area, four play a role in cyber defence. The first two are the provision of email accounts for government employees and the means of accessing them remotely through secure network connections. These two services are subject to user identity and credential management controls, and monitored for viruses and spam. The third service is the provision of mobile devices (cell phones) for telephony, email and Internet connectivity. Footnote 204 The fourth service is an identity validation system for ensuring synchronized, system-wide control and management of user credentials, to provide access to government systems and information in both cloud environments and standard, “on premises” networks. Footnote 205

Security services

135. SSC security services authenticate individuals to access government services and accounts, both internally and externally to government networks. Three elements in this service area are relevant to defending government networks:

  • Internal credential management: SSC manages a public key infrastructure that facilitates authentication for secure access to applications and government networks. Footnote 206 The service allows users to exchange encrypted email up to a certain classification and to securely access applications that process sensitive personal information (e.g., pay information). Footnote 207
  • Secure remote access management: This service uses the public key infrastructure (above) to permit users to securely transmit and receive information from remote workstations while maintaining the availability, confidentiality and integrity of data. Footnote 208
  • External credential management: SSC manages a public key infrastructure that provides a standardized cyber authentication service to Canadians, businesses and individuals to permit secure online business with various governmental programs and services. Footnote 209 This service is mandatory for departments and agencies. Footnote 210

Hardware and software services

136. SSC provides departments with procurement options for devices such as computers and printing equipment, and for multiple kinds of software, including for connectivity, individual devices and security needs. Services of relevance to cyber defence include:

  • Hardware provisioning and procurement: SSC procures workplace technology devices (hardware) for its partners and clients, including desktop computers, laptops and tablets. Footnote 211
  • Software provisioning and procurement: SSC procures software for its partners and clients for devices (e.g., device operating systems), services (e.g., desktop software configuration), connectivity (e.g., print services), productivity (e.g., web browsers) and security (e.g., user authentication). Footnote 212

137. All SSC hardware and software procurement services are subject to the SSC Supply Chain Integrity Standard. This standard is meant to identify and assess any procurement process that “could be compromised, or used to compromise, the security of Canada's [hardware], software, services or information,” and to ensure that hardware and software identified for procurement is subject to a security assessment (including engagement with CSE), contracts are audited, and that items identified as high risk can be avoided, recalled, or removed from government systems. Footnote 213

Data centre services

138. SSC offers nine data centre services. While these are predominantly database infrastructure and hosting services, this service includes two important elements for cyber defence:

  • Cloud Brokerage Services: Consistent with the 2017 Treasury Board Direction on the Secure Use of Commercial Cloud Services, SSC provides a brokerage service for government departments to identify suitable cloud service providers with whom SSC has established contracts. SSC provides this service to all 43 partners, 23 SSC mandatory clients and 15 optional clients. Footnote 214
  • Government of Canada Secret Infrastructure: SSC manages and maintains this Infrastructure to permit the creation, processing, storage and sharing of information classified at the Secret level. The service uses the government's wide area network for transmission of encrypted data between users and departments. Risks in protecting more sensitive information at the Secret level are shared between SSC and customer departments or agencies, with SSC responsible for maintaining the integrity, assurance and effectiveness of security controls for approved users, and departments responsible for managing user access to their applications and data. Footnote 215

Network services

139. SSC networking services include the provision of wi-fi, Internet services and satellite connectivity. There are eight elements within network services, with the following two of critical importance to the government's framework for cyber defence:

  • The Government of Canada Wide Area Network (GC WAN): The GC WAN is a fully managed network service that connects partner or client locations across metropolitan, regional, national or international boundaries. It connects users and computers to each other and the Internet, and it supports simultaneous voice, data and video communications, and the transmission of classified information using appropriate encryption. The GC WAN services come with security monitoring and enhanced security protocols (e.g., logging and intrusion detection services). Footnote 216
  • Enterprise Internet Service: The SSC Enterprise Internet Service provides secure connectivity for government users to access the Internet and for the public to access government websites. SSC provides the Enterprise Internet Service to all of its partner organizations and on a fee-for-service subscription basis for its clients. The service requires a GC WAN connection and provides the highest protection, owing to built-in security monitoring and enhanced security protocols provided by the integration of CSE's *** cyber defences to Enterprise Internet Service Internet gateways. The Committee further explores the benefit of this integration in the discussion of CSE below. Footnote 217

Overall, the creation of SSC's Enterprise Internet Service and its progressive adoption by departments has played a foundational role in strengthening the government's cyber defence framework. Its evolution is described below.

Secure Internet connectivity: The evolution toward the Enterprise Internet Service

140. The origins of SSC's Enterprise Internet Service date to 2002 when the government launched the Secure Channel Network as a means for federal organizations to securely deliver their most commonly used services online. Footnote 218 The Secure Channel Network was intended to reduce operational and maintenance costs through the use of a common network infrastructure for government that included monitored, protected and redundant access to the Internet. Footnote 219 In 2006, Treasury Board provided direction to make the use of the Secure Channel Network mandatory and by 2008, 75 departments had migrated to it. In 2010 and 2011, China conducted large-scale attacks against numerous government departments, resulting in the loss of significant amounts of sensitive data (see case study 1). In response, the Chief Information Officer of Canada again issued directives to require departments to migrate to the Secure Channel Network to:

reduce the risks we are currently collectively facing from ever increasing external cyber attacks. The key approach for mitigating these risks is to reduce the number of individual departmental Internet connections and replace these with a robust, high-performing and very secure common access for [government]. Decreasing the number of Internet access points - and securing those points - will reduce the overall [information technology] security risk to the Government, making it easier to prevent and defend against attacks aimed at disrupting our business or stealing sensitive and private information. Footnote 220

By 2012, the number of departments using the Secure Channel Network grew from 75 to 87. Footnote 221

141. In 2015, the Secure Channel Network became the Enterprise Internet Service and the number of departments using it grew to 90. All SSC core partners have moved to the Enterprise Internet Service (with the exception of the Department of National Defence, which will be migrated in 2021-2022), as have a number of SSC's mandatory clients and optional clients. Footnote 222 However, government-wide adoption of the Enterprise Internet Service remains a challenge. In 2018, Treasury Board reiterated its direction to government departments to migrate to the Enterprise Internet Service:

To address risks to its network, the government is standardizing protection and creating a secure, government-wide perimeter that will protect government data both on premises and in the cloud. TBS, the Communications Security Establishment (CSE) and SSC are establishing additional trusted interconnection points between the government [backbone] network and external partners to: provide standardized and secure connectivity with external partners and the Internet; act as a gateway to cloud services; and protect cloud-based workloads from direct attacks from the Internet. Departments that do not currently use SSC Internet services will be migrated to the SSC-managed enterprise network and will use SSC Internet services exclusively. Footnote 223

Requiring this migration makes sense. As discussed in further detail in the section on the CSE (paragraphs 154-213), CSE and SSC manage a highly effective system of sensors and defence tools (both classified and commercially available) that protect government organizations within the Enterprise Internet Service from normal threats and, most importantly, the most sophisticated cyber threat actors. As of August 2021, SSC provides the Enterprise Internet Service to 94 organizations. Footnote 224 The Committee addresses the issue of Treasury Board direction and the number of departments using SSC's Enterprise Internet Service in its assessment.

Case study 1: A wake-up call - network consolidation and dynamic defences

[*** Four paragraphs were revised to remove injurious or privileged information. ***] In February 2010, CSE deployed its sensors to the government's Secure Channel Network, the first time CSE had used this capability outside of three departments: Foreign Affairs and International Trade (now Global Affairs Canada), National Defence, and CSE itself. Footnote 225 CSE immediately discovered a long-standing and significant compromise of government networks by a Chinese state-sponsored actor. The Chinese actor was known to target government networks around the world for intelligence related to natural resources and energy, defence, global finances, foreign policy, and trade. CSE assessed that the actor sought to acquire Canadian position papers, briefing notes and strategies for multilateral negotiations related to several international bodies.

Between August 2010 and August 2011, China targeted 31 departments, with 8 suffering severe compromises. Information losses were considerable, including email communications of senior government officials; mass exfiltration of information from several departments, including briefing notes, strategy documents and Secret information; and password and file system data. Treasury Board of Canada Secretariat and the Department of Finance were the worst affected, losing entire sets of network passwords.

CSE launched a three-pronged response. First, it monitored malicious activity through its network sensors. Second, it provided advice and guidance to departments to improve system management and security. Third, it aided in the strategic mitigation of the compromise, using its information to better understand the attacker's intentions and capabilities. For their part, Treasury Board of Canada Secretariat and the Department of Finance were forced to disconnect their networks from the Internet to mitigate the compromise.

This incident was a wake-up call for the government regarding the scale of its cyber vulnerability and the need for commensurate defences. To that point, government networks were an easy and valuable target for Chinese state-sponsored threat actors, as they were essentially undefended and used to store classified information in the absence of a secure alternative. The deployment of CSE’s network-based sensors to this broad network was a “turning point in the history of Cyber Defence in the government” - it confirmed the need for consolidated Internet access points that could be monitored for threats and for a single, government-wide enterprise network to properly secure government systems from cyber attack. Footnote 226

Cyber defence and SSC projects

142. The second broad category of SSC responsibilities is the implementation of a government-wide information technology infrastructure plan to better protect government systems against security threats, that is, SSC projects. SSC uses a secure-by-design approach to integrate its cyber security activities into its core responsibilities. Footnote 227 This means that SSC services and activities are designed and built to incorporate applicable engineering and security standards, and to comply with government security policies. In practice, this means that SSC maintains its own internal security policy instruments, each one a guide for consistently implementing an information technology security standard. Footnote 228 SSC currently has 12 active cyber security projects, organized into three areas: identity and access control, connectivity, and monitoring. These areas and their relevance to cyber defence are described below.

Identity and access control

143. Verifying a user's identity and controlling the user's access to required elements of a department's digital infrastructure is essential to ensuring the security of digital systems. Footnote 229 Identity and access controls are meant to ensure that users are authorized to access only the digital resources they require, consistent with their role in an organization. In the past, the government used a castle-and-moat approach, where the focus was securing the perimeter of the network, authenticating and granting access to approved users at secure entry-points, and layering defensive systems (e.g., firewalls) to filter network access. SSC described it as “a defence in-depth posture that uses a series of defensive mechanisms layered to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart an attack.” Footnote 230

144. SSC notes that this approach is increasingly unviable in a digital environment marked by the proliferation of devices and connection options and greater user mobility requirements. It is therefore implementing several projects to modernize identity and access control. These will build on effective perimeter defences to include continuous verification and authorization of users and devices. The most important are as follows:

  • Network Device Authentication: Network device authentication is meant to improve the authentication of devices to government networks (as opposed to individual users and their accounts). The project aims to improve access controls, auditing functions and forensic analysis of devices accessing a network, the latter a significant gap in responding to compromises of government systems. Footnote 231
  • Secure Remote Access Modernization: Secure remote access to government networks is currently done at the individual department level. This project is designed to migrate secure remote access to a consolidated government-wide enterprise system. The project will improve cyber defence functions related to remote connectivity, including connectivity logs, analytics regarding threat detection and traffic volume management. Footnote 232
  • Administrative Access Controls Service: Network administrators tend to share and reuse passwords, reducing barriers to cyber attackers' ability to gain broad access to multiple networks within and across departments. The project is meant to eliminate this practice by standardizing and enforcing the management of administrative privileges. Footnote 233
  • Directory Credential Account Management: This project is designed to enable greater collaboration by SSC partners and clients in cloud operating environments by synchronizing user credentials through a centralized user authentication service in the cloud. It will allow SSC to authenticate a user's identity between cloud and non-cloud workspaces. Footnote 234
  • Internal Centralized Authentication Service: This project will provide government-wide, standardized credentials (e.g., usernames and passwords) and a centralized authentication service to support web-based access to internal applications regardless of organization. It will enable the transition to more robust security credential technology and the retirement of browser technologies with security vulnerabilities. Footnote 235

Connectivity

145. Managing digital connectivity for government users and systems is an important challenge for cyber defence. The current government network is a complex mixture of telecommunications connectivity to approximately 4,000 locations, 5,000 buildings and hundreds of thousands of fixed and mobile digital devices for government employees and contractors in Canada and abroad. Footnote 236 Historically, government departments operated more than 720 data centres across Canada, all without shared infrastructure, standards for network configurations or connectivity, operating procedures, or standardized service levels for redundancy and availability. Footnote 237 To address the many challenges that this situation poses, SSC intends to consolidate legacy data centres into four regional hubs, implement a wireless-first approach for intra-building connectivity, and adopt new technologies (e.g., the adoption of 5G and the expanded use of mobile technology). Footnote 238 This evolution of SSC connectivity measures will require commensurate security measures to protect networks, data centres and their users. SSC connectivity projects in this area include the following:

  • Enterprise Perimeter Security: This project is designed to provide enhanced visibility of cyber threats targeting government networks and their connections to departmental cloud environments. By leveraging the identity and access control projects, this project enables secure remote connectivity to government networks, from any location, including through physical or virtual connection links. This project will also provide additional visibility on cyber threats to both SSC and CCCS. Footnote 239
  • Secure Cloud Enablement and Defence: This project will provide the connectivity and security controls (controlled, monitored gateways) necessary for government departments to access and safeguard sensitive information in cloud networks. This will include centralized logging and monitoring to permit identification and management of security events affecting cloud-based data, and of threats to government networks that may originate from a cloud environment and target the government backbone network. Similar to the Enterprise Perimeter Security project, this project will provide additional visibility on cyber threats to both SSC and CCCS. Footnote 240
  • Secret Infrastructure Expansion: SSC maintains a dedicated infrastructure to store and transmit information classified as Secret. Currently providing service to 31 departments, this project will expand SSC's current infrastructure to some new clients and expand services to a number of existing clients. Footnote 241 This will fill a considerable gap - in the past, some departments handled Secret information on unclassified networks, resulting in the loss of classified information to state actors. Footnote 242
  • SmartPhone for Classified: Some government officials require an ability to securely communicate by phone and mobile data to support operations. This project will build on a CSE proof of concept to provide an initial capacity of 2,000 government users across Canada and to select international locations, with scalability up to 10,000 users. Footnote 243

Monitoring

146. Security monitoring of the government's information technology infrastructure ensures its consistent and reliable performance, and supports the government's business continuity and provision of services to Canadians. Monitoring activities include the identification of events related to user identification and authentication on a network or device, the monitoring of network traffic transiting a government communications link and the use of applications on end-user devices. When done well, proactive monitoring enables administrators to rapidly identify and address security events on network devices. That is not currently the case. Security monitoring of government networks is inconsistent, with networks variously monitored by SSC, SSC core partners and organizations that have no relationship with SSC. Moreover, SSC's own security information and event management system is not standardized for all of its clients. Footnote 244 Overall, this means that SSC does not have full visibility over government networks to identify risks and to respond to incidents quickly, resulting in inconsistent accountability for network monitoring across government. Footnote 245

147. Building on the consolidation of government data centres, SSC is implementing three projects to centralize its security monitoring to broaden its awareness of activities on government networks and to enable more rapid and coordinated incident response capabilities. Footnote 246 These projects are:

  • improving SSC's real-time situational awareness of the security posture of endpoint devices (e.g., laptops, desktops, tablets and servers); Footnote 247
  • improving SSC's awareness of security vulnerabilities across larger elements of the government's information technology enterprise (e.g., within data centres); Footnote 248 and
  • monitoring network communications for events that may indicate a potential security incident and notifying SSC users to take remedial action to investigate and respond where necessary. Footnote 249

Across all three projects, SSC is focusing on automating the monitoring of deployed devices and network connections and assessing their security posture against known vulnerabilities or emerging cyber threats. Each project is designed to improve SSC situational awareness and to fill identified gaps in government network security (e.g., lack of awareness regarding up-to-date patching for security vulnerabilities). In the event of a serious cyber incident, the projects are meant to enhance the capacity to assess, in real time, points of weakness in the enterprise network and to reduce the time required to detect, respond to and recover from a cyber incident.

SSC partners and clients

148. SSC provides services to the following three categories of departments or agencies. The categories determine the types of services provided, the latitude specific organizations have in determining which SSC services they will use, and how costs for services are attributed:

  • Core partners: Since 2011, SSC has been responsible for managing the network infrastructure for 43 partner departments and agencies. At the time, these organizations transferred their respective budgets and personnel for email, data centres and network services to SSC, and consequently received all SSC's services without additional cost.
  • Mandatory clients: In 2015, the SSC mandate was expanded to include mandatory clients. These organizations, which include small departments and agencies, must use certain SSC services in areas of email, data centres, networks and endpoint devices, or to procure other digital infrastructure. There are currently 39 mandatory clients, which pay SSC for services on a cost-recovery basis. Footnote 250
  • Optional clients: In 2015, SSC's mandate was expanded to include optional clients. Optional clients may request SSC services on a cost-recovery basis, and could include a provincial government or municipality, Canadian aid agency, public health organization, intergovernmental organization or a foreign government. There are currently 78 optional clients. Footnote 251

Currently, SSC provides all or some of its services to 160 of 169 federal government organizations.

149. Which organizations are included as part of SSC's service delivery has significant implications for the government's cyber defence framework. As SSC evolved, it implemented increasingly comprehensive measures to protect digital infrastructures (e.g., the reduction of Internet connection points, the introduction of CSE's advanced sensors and defences on SSC Internet gateways) and, through its projects to modernize government digital infrastructure, developed a secure-by-design approach to email, data centre and network solutions. Footnote 252 While this evolution involved significant challenges for SSC and partner organizations, these benefits have come automatically to SSC's 43 core partners through their status as organizations that receive all SSC services. Footnote 253

150. That is not the case for SSC's mandatory and optional clients. These clients vary significantly in terms of size, mandate, complexity, the modernity of their digital infrastructure, and their budget for digital technology and security. Footnote 254 Some of the organizations obtain SSC services through links with SSC core partners; Footnote 255 others use only a selection of SSC services; some obtain a mix of information technology services from SSC and private service providers; and others do not connect to a government network at all. Footnote 256 Many of these organizations are known as small departments and agencies, defined as having fewer than 500 staff and an annual budget of less than $300 million. These departments and agencies pose a security risk to government networks for three reasons:

  • they may lack connectivity to the secure Internet gateways provided by SSC and to SSC-brokered secure cloud access. In such cases, these departments and agencies would not receive the advanced cyber monitoring of CCCS;
  • they employ varied services for Internet connectivity, often from multiple physical locations, and maintain connectivity to other government departments; and
  • they have limited resources (personnel or financial) to address Internet security issues, resulting in inconsistent cyber defences. Footnote 257

Notably, SSC identified four departments and agencies that posed high or critical risks to government networks because of their simultaneous connections to government networks and use of third-party Internet connections that had few or no defensive measures. Footnote 258 In short, these organizations hold government data and often have electronic links into government departments, but do not necessarily benefit from SSC's (and CSE's) range of cyber defence measures, nor SSC's secure-by-design projects to modernize the government's digital infrastructure. (This is also true for mandatory clients that do not use SSC's Enterprise Internet Service.) As a result, cyber attacks against those organizations (including the loss of data) may go undetected, and the government may be unable to respond effectively or at all to significant cyber incidents. The inability of these organizations to adequately protect themselves is a risk to their own digital infrastructure and potentially to other government organizations.

151. In 2020, Shared Services Canada (SSC) developed a four-year project to address the challenge of organizations being connected to Government of Canada networks without being required to install robust cyber defences or being subject to oversight by SSC or CCCS. The Small Departments and Agencies Project aims to raise all small departments and agencies and mandatory clients (61 in total) to maximum SSC network security levels by providing them with access to the government backbone network (GC WAN), full network security at the same level as an SSC core partner, monitoring by CCCS and SSC enactment of all the network security improvements. Footnote 259

The primary objectives of the project are to:

  • bring all mandatory clients and small departments and agencies “inside the security fence” so that they use SSC secure Internet gateways, which would reduce the number of external connections to departmental networks;
  • consolidate Internet connection points through SSC's regional communications hubs, which would improve visibility of network traffic to SSC and CCCS and allow SSC and CCCS to apply higher-level cyber defences for identifying and mitigating unauthorized entry, data exfiltration and other malicious activity; and
  • increase the cyber security posture of government through the elimination of different classes of network security for SSC partners and mandatory clients. Footnote 260

Notwithstanding the importance of this initiative, it currently has neither a budget nor a timeline for implementation. Footnote 261

Cyber security event management

152. As part of its broad responsibilities, SSC coordinates with its partners to respond to serious cyber incidents. SSC is responsible for:

  • blocking cyber threat activities from targeting SSC-managed networks and mitigating their effects;
  • responding to CCCS recommendations and ensuring that updates and mitigating measures are applied in a timely manner;
  • implementing prevention, mitigation and recovery efforts (among other things, this could include shutting down or isolating specific networks);
  • supporting the identification, risk assessment, mitigation, recovery and post-analysis of cyber security events within the government;
  • assessing government-wide impacts of cyber security events, threats and vulnerabilities on program and service delivery; and
  • producing post-event reports, including a timeline of events and root-cause analysis, to be submitted to the CCCS. Footnote 262

As noted, these responsibilities are coordinated with key partners, notably CCCS and TBS (through the Chief Information Officer of Canada).

Summary

153. SSC was created in 2011 to provide information technology services to a group of federal organizations that represented the majority of the government's spending on digital infrastructure. Over time, the SSC mandate evolved, along with the range of security and defence services it provides to its partners and clients. From its establishment as an organization serving 43 core partners, SSC has grown to provide services to 160 different organizations across the Government of Canada. While SSC's secure-by-design approach has facilitated a robust security posture for organizations that receive its key cyber security and cyber defence services, the inconsistencies in service provision to mandatory and optional clients introduce challenges and cyber security risks to the rest of government. The Committee returns to this consideration in its assessment.