Part III: Key Cyber Defence Players, Authorities and Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

Table of Contents

Shared Services Canada

126. SSC is the second member of the Information Technology Security Tripartite. SSC is responsible for ensuring that the government's information technology infrastructure protects the government's technology assets and data in the government's possession. ^{Footnote 185} This section discusses the evolution of SSC's mandate, key SSC services and projects to strengthen the government's general cyber security posture and those more specific to cyber defence, and SSC partners and clients.

SSC mandate

127. Prior to 2011, federal departments were viewed as unique in their individual information technology requirements. There was very little standardization as a result: departments were individually responsible for the acquisition and management of their information technology infrastructure, computers and devices, and for securing their electronic assets. ^{Footnote 186} SSC was created in 2011 to fundamentally change this approach. The preamble to the Shared Services Canada Act (the SSC Act) establishes that the objective is to “standardize and consolidate, within a single shared services entity, certain administrative services that support government institutions; and doing so will enable those services to be provided more effectively and will support the efficient use of public money." ^{Footnote 187} In practice, this meant consolidating the provision of email, data centre and network services to a core group of partner departments, and coordinating the purchase and provision of information technology equipment for the government. ^{Footnote 188} While this consolidation was initially considered a cost-saving measure, the scope of the changes required necessitated considerable investments in following years. ^{Footnote 189}

128. The authorities underpinning SSC have evolved. SSC was created by order in council in 2011. The department was then established in statute on June 29, 2012, when the SSC Act received Royal Assent. The SSC Act provides for a Minister to be designated as responsible for SSC-currently, the responsible minister is the Minister of State (Digital Government) ^{Footnote 190} - and grants the Minister authority to coordinate telecommunications services for departments and agencies. SSC has the responsibility to:

determine and deliver information technology solutions and common services across the government enterprise;
plan and design forward-looking, consolidated and standardized services to meet the needs of partner and client departments;
manage and maintain existing information technology infrastructure, including all necessary ongoing service and maintenance support;
procure goods and services to enable the delivery of common information technology services to partner and client departments; and
support government-wide information management and information technology security in partnership with CSE, including CCCS, and other government security partners. ^{Footnote 191}

129. In total, the government has issued 21 orders in council to adjust SSC's mandate, appoint presidents of the organization, and expand the number of organizations to whom SSC must provide services or act to procure equipment and services. ^{Footnote 192} Four of the orders in council are of particular relevance to this review:

In 2011, the government issued two orders in council that transferred six information technology-related units from then-Public Works and Government Services Canada, ^{Footnote 193} and transferred the email, data centre and network services units of 42 departments to SSC, thereby creating SSC's 43 core “Partners.” ^{Footnote 194}
In 2012, the government issued an order in council that circumscribed SSC mandate's by stipulating that it would not provide email, data centre or network services to any department that was accredited to process and store Top Secret information, or where four specified organizations used specific systems to operate ships, aircraft or vehicles or to support operations in the areas of national defence, national security or public safety. ^{Footnote 195}
In 2015, the government issued an order in council to expand the SSC mandate beyond its original 43 core partners to include 40 “Mandatory Clients” that would receive a subset of services related to email, data centres and network services on a cost-recovery basis. The order in council also expanded the number of government organizations required to procure end-user devices (e.g., desktop computers, printers) from SSC, and created a category of “Optional Clients” that could obtain services from SSC on a cost-recovery basis (the definition included Crown corporations and other levels of government). ^{Footnote 196}

130. In sum, the periodic issuance of orders in council has established SSC's mandate cmd membership, and clarified its provision of services for email, data centres, networks and procurement for endpoint workplace technology devices. At present, SSC provides some or all services to 160 of 169 federal organizations (the Committee explores the issue of which departments are included later). See Table 1 for an overview of the division of responsibilities between SSC and individual departments.

Table 1: Distribution of Government of Canada Information Technology Service Responsibilities and Service Areas ^{Footnote 197}
Responsibility	Email, data centres, and networks	End-user devices	Applications
Service management and delivery	Shared Services Canada (mandatory or optional for specific departments as specified in orders in council)	Departments	Departments
Procurement	Shared Services Canada (mandatory or optional for specific departments as specified in orders in council)	Shared Services Canada	Public Services and Procurement Canada
Policy and standard setting	Treasury Board of Canada Secretariat	Treasury Board of Canada Secretariat	Treasury Board of Canada Secretariat

SSC services and projects

131. SSC has a fundamental role in ensuring that government digital assets and information are protected. Its provision of email, networking and data centre services means that it provides the infrastructure that houses and carries important information belonging to Canadians and to the government. This infrastructure supports the delivery of government programs, and Canadians expect and depend on consistent and reliable service from those programs. The persistent threat of cyber attack against this infrastructure means that cyber security remains a significant risk; where technical or operational security controls are inadequate, or where security vulnerabilities are not addressed, government systems remain vulnerable to malicious cyber activity. ^{Footnote 198} As SSC notes, the security of the government's information technology infrastructure is therefore of “paramount importance.” ^{Footnote 199}

132. The Committee understands SSC's fulfillment of its responsibilities as falling into two broad categories. The first is the ongoing protection of government digital assets and communications through the proper management of information technologies (SSC services). The second is the implementation of a government-wide information technology infrastructure plan to better protect government systems against security threats (SSC projects). ^{Footnote 200} The Committee discusses each of these in turn.

Cyber defence and SSC services

133. The networks and data that SSC is responsible to protect vary widely in size, function and mandate. These differences are representative of the variability in government programs and service delivery. Some organizations hold little sensitive information on their networks and therefore face relatively few security threats; others hold large amounts of sensitive information and face significantly greater threats. ^{Footnote 201} To respond to these threats, SSC applies a number of cyber security measures to identify and prevent malicious actors from gaining access to government networks, including firewalls, anti-virus and anti-malware services, and identification and authentication tools. ^{Footnote 202} SSC is responsible for the government's Secret-level network infrastructure, and collaborates with CCCS to manage the government's network perimeter by using specialized security monitoring of Internet gateways (see the section, “The Communications Security Establishment”) that have enhanced the government's ability to detect and deter malicious cyber activity. ^{Footnote 203} All together, SSC offers 34 different services to its partners and clients that fall across five categories, and contain at least one service of relevance to SSC's role in defending government networks from cyber attack. The following paragraphs briefly describe each of the services and their relevance to cyber defence.

Digital services

134. Digital services is the largest category of services provided by SSC. Of the 12 services in this area, four play a role in cyber defence. The first two are the provision of email accounts for government employees and the means of accessing them remotely through secure network connections. These two services are subject to user identity and credential management controls, and monitored for viruses and spam. The third service is the provision of mobile devices (cell phones) for telephony, email and Internet connectivity. ^{Footnote 204} The fourth service is an identity validation system for ensuring synchronized, system-wide control and management of user credentials, to provide access to government systems and information in both cloud environments and standard, “on premises” networks. ^{Footnote 205}

Security services

135. SSC security services authenticate individuals to access government services and accounts, both internally and externally to government networks. Three elements in this service area are relevant to defending government networks:

Internal credential management: SSC manages a public key infrastructure that facilitates authentication for secure access to applications and government networks. ^{Footnote 206} The service allows users to exchange encrypted email up to a certain classification and to securely access applications that process sensitive personal information (e.g., pay information). ^{Footnote 207}
Secure remote access management: This service uses the public key infrastructure (above) to permit users to securely transmit and receive information from remote workstations while maintaining the availability, confidentiality and integrity of data. ^{Footnote 208}
External credential management: SSC manages a public key infrastructure that provides a standardized cyber authentication service to Canadians, businesses and individuals to permit secure online business with various governmental programs and services. ^{Footnote 209} This service is mandatory for departments and agencies. ^{Footnote 210}

Hardware and software services

136. SSC provides departments with procurement options for devices such as computers and printing equipment, and for multiple kinds of software, including for connectivity, individual devices and security needs. Services of relevance to cyber defence include:

Hardware provisioning and procurement: SSC procures workplace technology devices (hardware) for its partners and clients, including desktop computers, laptops and tablets. ^{Footnote 211}
Software provisioning and procurement: SSC procures software for its partners and clients for devices (e.g., device operating systems), services (e.g., desktop software configuration), connectivity (e.g., print services), productivity (e.g., web browsers) and security (e.g. , user authentication). ^{Footnote 212}

137. All SSC hardware and software procurement services are subject to the SSC Supply Chain Integrity Standard. This standard is meant to identify and assess any procurement process that “could be compromised, or used to compromise, the security of Canada's [hardware], software, services or information,” and to ensure that hardware and software identified for procurement is subject to a security assessment (including engagement with CSE), contracts are audited, and that items identified as high risk can be avoided, recalled, or removed from government systems. ^{Footnote 213}

Data centre services

138. SSC offers nine data centre services. While these are predominantly database infrastructure and hosting services, this service includes two important elements for cyber defence:

Cloud Brokerage Services: Consistent with the 2017 Treasury Board Direction on the Secure Use of Commercial Cloud Services, SSC provides a brokerage service for government departments to identify suitable cloud service providers with whom SSC has established contracts. SSC provides this service to all 43 partners, 23 SSC mandatory clients and 15 optional clients. ^{Footnote 214}
Government of Canada Secret Infrastructure: SSC manages and maintains this Infrastructure to permit the creation, processing, storage and sharing of information classified at the Secret level. The service uses the government's wide area network for transmission of encrypted data between users and departments. Risks in protecting more sensitive information at the Secret level are shared between SSC and customer departments or agencies, with SSC responsible for maintaining the integrity, assurance and effectiveness of security controls for approved users, and departments responsible for managing user access to their applications and data. ^{Footnote 215}

Network services

139. SSC networking services include the provision of wi-fi, Internet services and satellite connectivity. There are eight elements within network services, with the following two of critical importance to the government's framework for cyber defence:

The Government of Canada Wide Area Network (GC WAN): The GC WAN is a fully managed network service that connects partner or client locations across metropolitan, regional, national or international boundaries. It connects users and computers to each other and the Internet, and it supports simultaneous voice, data and video communications, and the transmission of classified information using appropriate encryption. The GC WAN services come with security monitoring and enhanced security protocols (e.g., logging and intrusion detection services). ^{Footnote 216}
Enterprise Internet Service: The SSC Enterprise Internet Service provides secure connectivity for government users to access the Internet and for the public to access government websites. SSC provides the Enterprise Internet Service to all of its partner organizations and on a fee-for-service subscription basis for its clients. The service requires a GC WAN connection and provides the highest protection, owing to built-in security monitoring and enhanced security protocols provided by the integration of CSE's *** cyber defences to Enterprise lnternet Service Internet gateways. The Committee further explores the benefit of this integration in the discussion of CSE below. ^{Footnote 217}

Overall, the creation of SSC's Enterprise Internet Service and its progressive adoption by departments has played a foundational role in strengthening the government's cyber defence framework. Its evolution is described below.

Secure Internet connectivity: The evolution toward the Enterprise Internet Service

140. The origins of SSC's Enterprise Internet Service date to 2002 when the government launched the Secure Channel Network as a means for federal organizations to securely deliver their most commonly used services online. ^{Footnote 218} The Secure Channel Network was intended to reduce operational and maintenance costs through the use of a common network infrastructure for government that included monitored, protected and redundant access to the Internet. ^{Footnote 219} In 2006, Treasury Board provided direction to make the use of the Secure Channel Network mandatory and by 2008, 75 departments had migrated to it. In 2010 and 2011, China conducted large-scale attacks against numerous government departments, resulting in the loss of significant amounts of sensitive data (see case study 1). In response, the Chief Information Officer of Canada again issued directives to require departments to migrate to the Secure Channel Network to:

reduce the risks we are currently collectively facing from ever increasing external cyber attacks. The key approach for mitigating these risks is to reduce the number of individual departmental Internet connections and replace these with a robust, high-performing and very secure common access for [government]. Decreasing the number of Internet access points - and securing those points - will reduce the overall [information technology] security risk to the Government, making it easier to prevent and defend against attacks aimed at disrupting our business or stealing sensitive and private information. ^{Footnote 220}

By 2012, the number of departments using the Secure Channel Network grew from 75 to 87. ^{Footnote 221}

SSC partners and clients

141. In 2015, the Secure Channel Network became the Enterprise Internet Service and the number of departments using it grew to 90. All SSC core partners have moved to the Enterprise Internet Service (with the exception of the Department of National Defence, which will be migrated in 2021-2022), as have a number of SSC's mandatory clients and optional clients. ^{Footnote 222} However, government-wide adoption of the Enterprise Internet Service remains a challenge. In 2018, Treasury Board reiterated its direction to government departments to migrate to the Enterprise Internet Service:

To address risks to its network, the government is standardizing protection and creating a secure, government-wide perimeter that will protect government data both on premises and in the cloud. TBS, the Communications Security Establishment (CSE) and SSC are establishing additional trusted interconnection points between the government [backbone] network and external partners to: provide standardized and secure connectivity with external partners and the Internet; act as a gateway to cloud services; and protect cloud-based workloads from direct attacks from the Internet. Departments that do not currently use SSC Internet services will be migrated to the SSC-managed enterprise network and will use SSC Internet services exclusively. ^{Footnote 223}

Requiring this migration makes sense. As discussed in further detail in the section on the CSE (paragraphs 154-213), CSE and SSC manage a highly effective system of sensors and defence tools (both classified and commercially available) that protect government organizations within the Enterprise Internet Service from normal threats and, most importantly, the most sophisticated cyber threat actors. As of August 2021, SSC provides the Enterprise Internet Service to 94 organizations. ^{Footnote 224} The Committee addresses the issue of Treasury Board direction and the number of departments using SSC's Enterprise Internet Service in its assessment.

Case study 1: A wake-up call - network consolidation and dynamic defences

[*** Four paragraphs were revised to remove injurious or privileged information. ***] In February 2010, CSE deployed its sensors to the government's Secure Channel Network, the first time CSE had used this capability outside of three departments: Foreign Affairs and International Trade (now Global Affairs Canada), National Defence, and CSE itself. ^{Footnote 225} CSE immediately discovered a long-standing and significant compromise of government networks by a Chinese state-sponsored actor. The Chinese actor was known to target government networks around the world for intelligence related to natural resources and energy, defence, global finances, foreign policy, and trade. CSE assessed that the actor sought to acquire Canadian position papers, briefing notes and strategies for multilateral negotiations related to several international bodies.

Between August 2010 and August 2011, China targeted 31 departments, with 8 suffering severe compromises. Information losses were considerable, including email communications of senior government officials; mass exfiltration of information from several departments, including briefing notes, strategy documents and Secret information; and password and file system data. Treasury Board of Canada Secretariat and the Department of Finance were the worst affected, losing entire sets of network passwords.

CSE launched a three-pronged response. First, it monitored malicious activity through its network sensors. Second, it provided advice and guidance to departments to improve system management and security. Third, it aided in the strategic mitigation of the compromise, using its information to better understand the attacker's intentions and capabilities. For their part, Treasury Board of Canada Secretariat and the Department of Finance were forced to disconnect their networks from the Internet to mitigate the compromise.

This incident was a wakeup call for the government regarding the scale of its cyber vulnerability and the need for commensurate defences. To that point, government networks were an easy and valuable target for Chinese state-sponsored threat actors, as they were essentially undefended and used to store classified information in the absence of a secure alternative. The deployment of CSE’s network-based sensors to this broad network was a “turning point in the history of Cyber Defence in the government” - it confirmed the need for consolidated Internet access points that could be monitored for threats and for a single, government-wide enterprise network to properly secure government systems from cyber attack. ^{Footnote 226}

Cyber defence and SSC projects

142. The second broad category of SSC responsibilities is the implementation of a government-wide information technology infrastructure plan to better protect government systems against security threats, that is, SSC projects. SSC uses a secure-by-design approach to integrate its cyber security activities into its core responsibilities. ^{Footnote 227} This means that SSC services and activities are designed and built to incorporate applicable engineering and security standards, and to comply with government security policies. In practice, this means that SSC maintains its own internal security policy instruments, each one a guide for consistently implementing an information technology security standard. ^{Footnote 228} SSC currently has 12 active cyber security projects, organized into three areas: identity and access control, connectivity, and monitoring. These areas and their relevance to cyber defence are described below.

Identity and access control

143. Verifying a user's identity and controlling the user's access to required elements of a department's digital infrastructure is essential to ensuring the security of digital systems. ^{Footnote 229} Identity and access controls are meant to ensure that users are authorized to access only the digital resources they require, consistent with their role in an organization. In the past, the government used a castle-and-moat approach, where the focus was securing the perimeter of the network, authenticating and granting access to approved users at secure entry-points, and layering defensive systems (e.g., firewalls) to filter network access. SSC described it as “a defence in-depth posture that uses a series of defensive mechanisms layered to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart an attack.” ^{Footnote 230}

144. SSC notes that this approach is increasingly unviable in a digital environment marked by the proliferation of devices and connection options and greater user mobility requirements. It is therefore implementing several projects to modernize identity and access control. These will build on effective perimeter defences to include continuous verification and authorization of users and devices. The most important are as follows:

Network Device Authentication: Network device authentication is meant to improve the authentication of devices to government networks (as opposed to individual users and their accounts). The project aims to improve access controls, auditing functions and forensic analysis of devices accessing a network, the latter a significant gap in responding to compromises of government systems. ^{Footnote 231}
Secure Remote Access Modernization: Secure remote access to government networks is currently done at the individual department level. This project is designed to migrate secure remote access to a consolidated government-wide enterprise system. The project will improve cyber defence functions related to remote connectivity, including connectivity logs, analytics regarding threat detection and traffic volume management. ^{Footnote 232}
Administrative Access Controls Service: Network administrators tend to share and re use passwords, reducing barriers to cyber attackers' ability to gaining broad access to multiple networks within and across departments. The project is meant to eliminate this practice by standardizing and enforcing the management of administrative privileges. ^{Footnote 233}
Directory Credential Account Management: This project is designed to enable greater collaboration by SSC partners and clients in cloud operating environments by synchronizing user credentials through a centralized user authentication service in the cloud. It will allow SSC to authenticate a user's identity between cloud and non-cloud workspaces. ^{Footnote 234}
Internal Centralized Authentication Service: This project will provide government-wide, standardized credentials (e.g., usernames and passwords) and a centralized authentication service to support web-based access to internal applications regardless of organization. It will enable the transition to more robust security credential technology and the retirement of browser technologies with security vulnerabilities. ^{Footnote 235}

Connectivity

145. Managing digital connectivity for government users and systems is an important challenge for cyber defence. The current government network is a complex mixture of telecommunications connectivity to approximately 4,000 locations, 5,000 buildings and hundreds of thousands of fixed and mobile digital devices for government employees and contractors in Canada and abroad. ^{Footnote 236} Historically, government departments operated more than 720 data centres across Canada, all without shared infrastructure, standards for network configurations or connectivity, operating procedures, or standardized service levels for redundancy and availability. ^{Footnote 237} To address the many challenges that this situation poses, SSC intends to consolidate legacy data centres into four regional hubs, implementing a wireless-first approach for intra-building connectivity, and adopting new technologies (e.g., the adoption of 5G and the expanded use of mobile technology). ^{Footnote 238} This evolution of SSC connectivity measures will require commensurate security measures to protect networks, data centres and their users. SSC connectivity projects in this area include the following:

Enterprise Perimeter Security: This project is designed to provide enhanced visibility of cyber threats targeting government networks and their connections to departmental cloud environments. By leveraging the identity and access control projects, this project enables secure remote connectivity to government networks, from any location, including through physical or virtual connection links. This project will also provide additional visibility on cyber threats to both SSC and CCCS. ^{Footnote 239}
Secure Cloud Enablement and Defence: This project will provide the connectivity and security controls (controlled, monitored gateways) necessary for government departments to access and safeguard sensitive information in cloud networks. This will include centralized logging and monitoring to permit identification and management of security events affecting cloud-based data, and of threats to government networks that may originate from a cloud environment and target the government backbone network. Similar to the Enterprise Perimeter Security project, this project will provide additional visibility on cyber threats to both SSC and CCCS. ^{Footnote 240}
Secret Infrastructure Expansion: SSC maintains a dedicated infrastructure to store and transmit information classified as Secret. Currently providing service to 31 departments, this project will expand SSC's current infrastructure to some new clients and expand services to a number of existing clients. ^{Footnote 241} This will fill a considerable gap - in the past, some departments handled Secret information on unclassified networks, resulting in the loss of classified information to state actors. ^{Footnote 242}
SmartPhone for Classified: Some government officials require an ability to securely communicate by phone and mobile data to support operations. This project will build on a CSE proof of concept to provide an initial capacity of 2,000 government users across Canada and to select international locations, with scalability up to 10,000 users. ^{Footnote 243}

Monitoring

146. Security monitoring of the government's information technology infrastructure ensures its consistent and reliable performance, and supports the government's business continuity and provision of services to Canadians. Monitoring activities include the identification of events related to user identification and authentication on a network or device, the monitoring of network traffic transiting a government communications link and the use of applications on end user devices. When done well, proactive monitoring enables administrators to rapidly identify and address security events on network devices. That is not currently the case. Security monitoring of government networks is inconsistent, with networks variously monitored by SSC, SSC core partners and organizations that have no relationship with SSC. Moreover, SSC's own security information and event management system is not standardized for all of its clients. ^{Footnote 244} Overall, this means that SSC does not have full visibility over government networks to identify risks and to respond to incidents quickly, resulting in inconsistent accountability for network monitoring across government. ^{Footnote 245}

147. Building on the consolidation of government data centres, SSC is implementing three projects to centralize its security monitoring to broaden its awareness of activities on government networks and to enable more rapid and coordinated incident response capabilities. ^{Footnote 246} These projects are:

improving SSC's real-time situational awareness of the security posture of endpoint devices (e.g., laptops, desktops, tablets and servers); ^{Footnote 247}
improving SSC's awareness of security vulnerabilities across larger elements of the government's information technology enterprise (e.g. , within data centres); ^{Footnote 248} and
monitoring network communications for events that may indicate a potential security incident and to notify SSC users to take remedial action to investigate and respond where necessary. ^{Footnote 249}

Across all three projects, SSC is focusing on automating the monitoring of deployed devices and network connections and assessing their security posture against known vulnerabilities or emerging cyber threats. Each project is designed to improve SSC situational awareness and to fill identified gaps in government network security (e.g., lack of awareness regarding up-to-date patching for security vulnerabilities). In the event of a serious cyber incident, the projects are meant to enhance the capacity to assess, in real time, points of weakness in the enterprise network and to reduce the time required to detect, respond and recover from a cyber incident.

SSC partners and clients

148. SSC provides services to the following three categories of departments or agencies. The categories determine the types of services provided, the latitude specific organizations have in determining which SSC services they will use, and how costs for services are attributed:

Core partners: Since 2011, SSC has been responsible for managing the network infrastructure for 43 partner departments and agencies. At the time, these organizations transferred their respective budgets and personnel for email, data centres and network services to SSC, and consequently received all SSC's services without additional cost.
Mandatory clients: In 2015, the SSC mandate was expanded to include mandatory clients. These organizations, which include small departments and agencies, must use certain SSC services in areas of email, data centres, networks and endpoint devices, or to procure other digital infrastructure. There are currently 39 mandatory clients, which pay SSC for services on a cost-recovery basis. ^{Footnote 250}
Optional clients: In 2015, SSC's mandate was expanded to include optional clients. Optional clients may request SSC services on a cost-recovery basis, and could include a provincial government or municipality, Canadian aid agency, public health organization, intergovernmental organization or a foreign government. There are currently 78 optional clients. ^{Footnote 251}

Currently, SSC provides all or some of its services to 160 of 169 federal government organizations.

149. Which organizations are included as part of SSC's service delivery has significant implications for the government's cyber defence framework. As SSC evolved, it implemented increasingly comprehensive measures to protect digital infrastructures (e.g., the reduction of Internet connection points, the introduction of CSE's advanced sensors and defences on SSC Internet gateways) and, through its projects to modernize government digital infrastructure, developed a secure-by-design approach to email, data centre and network solutions. ^{Footnote 252} While this evolution involved significant challenges for SSC and partner organizations, these benefits have come automatically to SSC's 43 core partners through their status as organizations that receive all SSC services. ^{Footnote 253}

150. That is not the case for SSC's mandatory and optional clients. These clients vary significantly in terms of size, mandate, complexity, the modernity of their digital infrastructure, and their budget for digital technology and security. ^{Footnote 254} Some of the organizations obtain SSC services through links with SSC core partners; ^{Footnote 255} others use only a selection of SSC services; some obtain a mix of information technology services from SSC and private service providers; and others do not connect to a government network at all. ^{Footnote 256} Many of these organizations are known as small departments and agencies, defined as having fewer than 500 staff and an annual budget of less than $300 million. These departments and agencies pose a security risk to government networks for three reasons:

they may lack connectivity to the secure Internet gateways provided by SSC and to SSC brokered secure cloud access. In such cases, these departments and agencies would not receive the advanced cyber monitoring of CCCS;
they employ varied services for Internet connectivity, often from multiple physical locations, and maintain connectivity to other government departments; and
they have limited resources (personnel or financial) to address Internet security issues, resulting in inconsistent cyber defences. ^{Footnote 257}

Notably, SSC identified four departments and agencies that posed high or critical risks to government networks because of their simultaneous connections to government networks and use of third-party Internet connections that had few or no defensive measures. ^{Footnote 258} In short, these organizations hold government data and often have electronic links into government departments, but do not necessarily benefit from SSC's (and CSE's) range of cyber defence measures, nor SSC's secure-by-design projects to modernize the government's digital infrastructure. (This is also true for mandatory clients that do not use SSC's Enterprise Internet Service.) As a result, cyber attacks against those organizations (including the loss of data) may go undetected, and the government may be unable to respond effectively or at all to significant cyber incidents. The inability of these organizations to adequately protect themselves is a risk to their own digital infrastructure and potentially to other government organizations.

151. In 2020, Shared Services Canada (SSC) developed a four-year project to address the challenge of organizations being connected to Government of Canada networks without being required to install robust cyber defences or being subject to oversight by SSC or CCCS. The Small Departments and Agencies Project aims to raise all small departments and agencies and mandatory clients (61 in total) to maximum SSC network security levels by providing them with access to the government backbone network (GC WAN), full network security at the same level as an SSC core partner, monitoring by CCCS and SSC enactment of all the network security improvements. ^{Footnote 259}

The primary objectives of the project are to:

bring all mandatory clients and small departments and agencies “inside the security fence” so that they use SSC secure Internet gateways, which would reduce the number of external connections to departmental networks;
consolidate Internet connection points through SSC's regional communications hubs, which would improve visibility of network traffic to SSC and CCCS and allow SSC and CCCS to apply higher-level cyber defences for identifying and mitigating unauthorized entry, data exfiltration and other malicious activity; and
increase the cyber security posture of government through the elimination of different classes of network security for SSC partners and mandatory clients. ^{Footnote 260}

Notwithstanding the importance of this initiative, it currently has neither a budget nor a timeline for implementation. ^{Footnote 261}

Cyber security event management

152. As part of its broad responsibilities, SSC coordinates with its partners to respond to serious cyber incidents. SSC is responsible for:

blocking cyber threat activities from targeting SSC-managed networks and mitigating their effects;
responding to CCCS recommendations and ensuring that updates and mitigating measures are applied in a timely manner;
implementing prevention, mitigation and recovery efforts (among other things, this could include shutting down or isolating specific networks);
supporting the identification, risk assessment, mitigation, recovery and post-analysis of cyber security events within the government;
assessing government-wide impacts of cyber security events, threats and vulnerabilities on program and service delivery; and
producing post-event reports, including a timeline of events and root-cause analysis, to be submitted to the CCCS. ^{Footnote 262}

As noted, these responsibilities are coordinated with key partners, notably CCCS and TBS (through the Chief Information Officer of Canada).

Summary

153. SSC was created in 2011 to provide information technology services to a group of federal organizations that represented the majority of the government's spending on digital infrastructure. Over time, the SSC mandate evolved, along with the range of security and defence services it provides to its partners and clients. From its establishment as an organization serving 43 core partners, SSC has grown to provide services to 160 different organizations across the Government of Canada. While SSC's secure-by-design approach has facilitated a robust security posture for organizations that receive its key cyber security and cyber defence services, the inconsistencies in service provision to mandatory and optional clients introduces challenges and cyber security risks to the rest of government. The Committee returns to this consideration in its assessment.

Footnotes

Footnote 185

SSC, Cyber and Information Technology Security, undated, https://www.canada.ca/en/shared-services/corporate/cyber-information-technology-security.html

Return to footnote 185 referrer

Footnote 186

SSC, Serving Government: Remote Access Security Hardening Standard, undated, http://service.ssc-spc.gc.ca/en/policies_processes/policies/remote.

Return to footnote 186 referrer

Footnote 187

Shared Services Canada Act, S.C. 2012, C.19, S.711, Preamble, June 29, 2012, https://laws-lois.justice.gc.ca/eng/acts/S-8.9/page-1.html.

Return to footnote 187 referrer

Footnote 188

Such as keyboards, desktop hardware and software, and monitors. Office of the Auditor General, 2015 Fall Reports of the Auditor General of Canada: Report 4 — Information Technology Shared Services, 2015, https://www.oag-bvg.gc.ca/internet/English/parl_oag_201602_04_e_41061.html

Return to footnote 188 referrer

Footnote 189

By 2020, investments in SSC alone totaled over $4 billion.

Return to footnote 189 referrer

Footnote 190

Order in Council 2019-1366 designated the Minister of State (Digital Government) as the Minister for SSC. See https://orders-in-council.canada.ca/attachment.php?attach=38701&lang=en. From 2012 to 2019, the Minister of Public Works and Government Services was the responsible minister.

Return to footnote 190 referrer

Footnote 191

SSC, “Shared Services Canada's Mandate, Authorities and Partners,” Deck, Presentation to the NSICOP Secretariat. November 2020.

Return to footnote 191 referrer

Footnote 192

SSC, “Shared Services Canada's Mandate, Authorities and Partners,” Deck, Presentation to the NSICOP Secretariat, November 2020.

Return to footnote 192 referrer

Footnote 193

Order in Council 2011-0877, August 3, 2011, https://orders-in-council.canada.ca/attachment.php?attach=24554&lanq=en.

Return to footnote 193 referrer

Footnote 194

SSC is one of the 43 partners. Order in Council 2011-1297, November 15, 2011, https://orders-in-council.canada.ca/attachment.php?attach=24978&lang=en. This order in council resulted in SSC assuming responsibility for the information technology infrastructure of 42 partner organizations (servers, data centres, human resources and information technology budgets), including 485 data centres, 50 different networks and approximately 23,400 servers. This represented about 95 percent of the government's information technology infrastructure spending, with the remaining smaller departments and agencies representing the other5 percent. SSC, Order in Council — Procurement, https://www.canada.ca/en/shared-services/corporate/transparency/briefing-documents/ministerial-briefing-book/order-in-council-procurement.html

Return to footnote 194 referrer

Footnote 195

The four organizations are the Canada Border Services Agency, the Department of Fisheries and Oceans, the Department of National Defence and the Royal Canadian Mounted Police. Order in Council 2012-0958, June 29, 2012, https://orders-in-council.canada.ca/attachment.php?attach=26384&lanq=en

Return to footnote 195 referrer

Footnote 196

Order in Council 2015-1071, July 16, 2015, https://orders-in-council.canada.ca/attachment.php?attach=31447&lanq=en.

Return to footnote 196 referrer

Footnote 197

Adapted from: SSC, Shared Services Canada History and Legislative Responsibilities, February 3, 2016. https://www.canada.ca/en/shared-services/corporate/transparency/briefing-documents/ministerial-briefing-book/shared-services-canada-history-legislative-responsibilities.html; and SSC, “Shared Services Canada's Mandate, Authorities and Partners,” Deck presented to NSICOP Secretariat, November 2020.

Return to footnote 197 referrer

Footnote 198

The Departmental Security Plan identified two other significant security risks: the security of the SSC workforce, workplace, facilities and assets; and the governance of SSC security-related activities. SSC, Departmental Security Plan 2019-2022, May 15, 2019. Similar risks were also identified in SSC's 2013-2016 Departmental Security Plan.

Return to footnote 198 referrer

Footnote 199

SSC, Departmental Security Plan 2019-2022, May 15, 2019; and SSC, Shared Services Canada Network and Security Strategy (version 1.6), September 1, 2020.

Return to footnote 199 referrer

Footnote 200

SSC, “Mandate,“ https://www.canada.ca/en/shared-services/corporate/mandate.html.

Return to footnote 200 referrer

Footnote 201

SSC, Departmental Security Plan 2013-2016, June 17, 2013.

Return to footnote 201 referrer

Footnote 202

SSC, “Cyber and Information Technology Security”, https://www.canada.ca/en/shared-services/corporate/cyber-information-technology-security.html.

Return to footnote 202 referrer

Footnote 203

TBS, Government of Canada Cyber Security Event Management Plan (CSEMP), 2019, https://www.canada.ca/en/government/system/digital-government/online-security-privacy/security-identity-management/government-canada-cyber-security-event-management-plan.html#toc6; Public Safety Canada, Horizontal Evaluation of Canada's Cyber Security Strategy, September 29, 2017, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/vltn-cnd-scrt-strtg/index-en.aspx#s331.

Return to footnote 203 referrer

Footnote 204

SSC, “Serving Government: Email — for Administrators,” http://service.ssc-spc.gc.ca/en/services/commuinicating/email/admin; and SSC, “Serving Government: Mobile Devices — for Government of Canada Employees,” http://service.ssc-spc.gc.ca/en/services/communicating/mobile-dev-phones/mobile-users

Return to footnote 204 referrer

Footnote 205

SSC, “Serving Government: Service Catalogue,” http://service.ssc-spc.gc.ca/en/services; and SSC, Directory Credential and Access Management. Implementation Business Case (version 3.0), September 8, 2020.

Return to footnote 205 referrer

Footnote 206

A public key infrastructure is used to protect the confidentiality of information and to electronically authenticate the identity of individuals in accessing protected information. TBS, Guideline on the Management of Public Key Infrastructure in the Government of Canada, https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=20008#appB.

Return to footnote 206 referrer

Footnote 207

SSC, “Serving Government: MyKey — For Government of Canada Employees,” https://service.ssc-spc.gc.ca/en/services/access/mykey/users.

Return to footnote 207 referrer

Footnote 208

SSC, “Serving Government: Secure Remote Access — For Administrators,” https://service.ssc-spc.gc.ca/en/services/access/secure-remote-access/admin

Return to footnote 208 referrer

Footnote 209

SSC, “Serving Government: Service Catalogue,” https://service.ssc-spc.gc.ca/en/services, and SSC, “Serving Government: Responsibilities Matrix for Cyber and IT Security. Section 6.0 Identity and Access Management (IAM) Services,“

Return to footnote 209 referrer

Footnote 210

SSC, “Serving Government: Service Catalogue,” https://service.ssc-spc.gc.ca/en/services

Return to footnote 210 referrer

Footnote 211

SSC, “Serving Government: Microcomputers,” https://service.ssc-spc.gc.ca/en/services/hw-sw/microcomputers/procure; and SSC, Shared Services Canada, Supply Chain Integrity Standard, November 2015.

Return to footnote 211 referrer

Footnote 212

SSC, “Serving Government: Software - For Procurement,” https://service.ssc-spc.gc.ca/en/services/hw-sw/software-provisioning/procurement

Return to footnote 212 referrer

Footnote 213

SSC, Shared Services Canada Supply Chain Integrity Standard, November 2015.

Return to footnote 213 referrer

Footnote 214

SSC, “Serving Government: Cloud Brokering Service,” https://service.ssc-spc.gc.ca/en/services/dc/cloud; TBS, Government of Canada Cloud Adoption Strategy: 2018 Update, https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/government-canada-cloud-adoption-strategy.html; and TBS, Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN), https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/cloud-services/direction-secure-use-commercial-cloud-services-spin.html.

Return to footnote 214 referrer

Footnote 215

SSC, “Serving Government: Government of Canada Secret Infrastructure Network and Hosting - for Administrators,” . In the past, the government maintained 34 stand-alone, independently managed Secret-level networks across 18 departments. The GCSI Expansion Project includes efforts to transition those networks to SSC enterprise architecture for one system for secret communications and data. See also, SSC, Secret Infrastructure. 34 Legacy Networks, undated.

Return to footnote 215 referrer

Footnote 216

SSC, “Serving Government: GC WAN - For Administrators,” http://service.ssc-spc.gc.ca/en/services/infrastructure/network-infra/gcnetwan-admin

Return to footnote 216 referrer

Footnote 217

SSC, “Serving Government: Service Catalogue,” http://service.ssc-spc.gc.ca/en/services. Also SSC, “Serving Government: GC WAN - For Administrators,” http://service.ssc-spc.qc.ca/en/services/infrastructure/network-infra/gcnetwan-admin.

Return to footnote 217 referrer

Footnote 218

SSC, Discussion on mandate with NSICOP Secretariat - February 24 and follow-ups, March 9, 2021.

Return to footnote 218 referrer

Footnote 219

SSC, Discussion on mandate with NSICOP Secretariat - February 24 and follow-ups, March 9, 2021.

Return to footnote 219 referrer

Footnote 220

SSC, “SCNet Enterprise Internet - 2010 and 2011,” TBS CIOB communique, February 24, 2021.

Return to footnote 220 referrer

Footnote 221

SSC, Discussion on Mandate with NSICOP Secretariat - Feb 24 and follow ups, March 9, 2021.

Return to footnote 221 referrer

Footnote 222

SSC, Discussion on Mandate with NSICOP Secretariat — Feb 24 and follow ups, March 9, 2021. The Department of National Defence *** is monitored separately by CCCS.

Return to footnote 222 referrer

Footnote 223

TBS, Digital Operations Strategic Plan 2018-2022, Section 4.2, “Secure the government's evolving perimeter,” https://www.canada.ca/en/government/system/digital-government/digital-operations-strategic-plan-2018-2022.html

Return to footnote 223 referrer

Footnote 224

SSC, NSICOP Discussion on Mandate with Committee Secretariat-Feb 24 and follow ups, Email, March 9, 2021; and SSC, “Re: NSICOP Discussion on Mandate with Committee Secretariat,” Email, April 30, 2021.

Return to footnote 224 referrer

Footnote 225

This summary is based on CSE, Analysis of Wides pre ad Chinese Intrusions on Government of Canada Networks, April 2010; CSE, Interdepartmental Assessment: The Chinese Cyber Threat to Government of Canada Networks — August 2010-August 2011, undated; CSE, “OM Security and Intelligence: Update on January 2011 Cyber Intrusions,” Memorandum for the Chief, CSE, February 2011; and CSE, NSICOP Cyber Defence Review — Information Package #17 — Table of Contents, March 11, 2021.

Return to footnote 225 referrer

Footnote 226

CSE, NSICOP Cyber Defence Review — Information Package #17 — Table of Contents, p. 1, March 11, 2021.

Return to footnote 226 referrer

Footnote 227

SSC, Departmental Security Plan 2019-2022, May 15, 2019.

Return to footnote 227 referrer

Footnote 228

The 16 SSC information technology security standards cover multiple areas, including management of security systems logs, supply chain integrity, perimeter security, patch management for servers and workstations, and network and Internet access. SSC's information technology security standards are available at http://service.ssc-spc.gc.ca/en/policies-processes/policies.

Return to footnote 228 referrer

Footnote 229

SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020.

Return to footnote 229 referrer

Footnote 230

SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020.

Return to footnote 230 referrer

Footnote 231

During cyber attacks, officials often spend significant time analyzing forensic data to differentiate between legitimate network activity and activity attributable to malicious cyber actors.

Return to footnote 231 referrer

Footnote 232

SSC, Shared Services Canada: Network and Security Strategy. (version 1.6), September 1, 2020.

Return to footnote 232 referrer

Footnote 233

SSC, Administrative Access Control Services. Project Proposal (version 1.7), September 12, 2016. PDF. This project responds to the Auditor General's Fall 2015 report on information technology shared services in the Government of Canada.

Return to footnote 233 referrer

Footnote 234

SSC, Directory Credential Account Management (DCAM) — DCAM Overview (version 1.7), December 5, 2019. PDF.

Return to footnote 234 referrer

Footnote 235

SSC, Internal Centralized Authentication Service (ICAS): Concept of Operations (Con-Ops) (version 1.1), October 8, 2020.

Return to footnote 235 referrer

Footnote 236

This includes government departments in single and multi-tenant buildings in multiple locations across Canada, using hard-wired infrastructure, wireless connectivity, and varied approaches to technology deployment, maintenance, and contracting with vendors and telecommunications service providers.

Return to footnote 236 referrer

Footnote 237

SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020.

Return to footnote 237 referrer

Footnote 238

SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020.

Return to footnote 238 referrer

Footnote 239

SSC, “Networks, Security, and Digital Services and the Senior Assistance Deputy Minister, Project Management and Delivery. For Decision. Enterprise Perimeter Security (EPS) Authority to Operate (ATO),” Memorandum to the Authorizing Official and Senior Assistant Deputy Minister, undated; and SSC, Enterprise Perimeter Security (EPS), Security Assessment Report, April 7, 2020.

Return to footnote 239 referrer

Footnote 240

SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020; and SSC, “SSC Networks, Security and Digital Services: Cyber and IT Security Program,” Presentation to the Canada Revenue Agency (CRA), February 4, 2020.

Return to footnote 240 referrer

Footnote 241

SSC, “Government of Canada Secret Infrastructure Expansion (GCSI Expansion),” Implementation Business Case (version 2.2), September 28, 2020; SSC, Government of Canada Classified (SECRET) Information Technology Convergence Update, April 8, 2020; SSC, Government of Canada Secret Infrastructure Expansion (GCSI Expansion), Project Management Plan, September 28, 2020; and SSC, Secret Infrastructure: 34 Legacy Networks, undated.

Return to footnote 241 referrer

Footnote 242

See case study 1.

Return to footnote 242 referrer

Footnote 243

SSC, “SmartPhone for Classified,” Implementation Business Case (version 0.13), October 19, 2020.

Return to footnote 243 referrer

Footnote 244

While SSC provides the electronic platform for security information and event management, CCCS is responsible for its configuration and operation, and the monitoring of events.

Return to footnote 244 referrer

Footnote 245

SSC, Shared Services Canada: Network and Security Strategy, (version 1.6), September 1, 2020. Of note, departments also have key responsibilities in monitoring and securing their networks and endpoints (see paragraphs 102 to 105).

Return to footnote 245 referrer

Footnote 246

SSC, Shared Services Canada: Network and Security Strategy, (version 1.6), September 1, 2020.

Return to footnote 246 referrer

Footnote 247

SSC, Endpoint Visibility Awareness and Security Project. Project Management Plan, (version 1.0), March 30, 2020. See also SSC, “SSC Networks, Security and Digital Services: Cyber and IT Security Program,” Presentation to CRA February 4, 2020. At full implementation, the project will provide automated information on as many as 900,000 endpoints across government networks, consolidating individual department snapshots into a government-wide status.

Return to footnote 247 referrer

Footnote 248

The Enterprise Vulnerability and Compliance Management project, noted in SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020.

Return to footnote 248 referrer

Footnote 249

The Security Information and Event Management project. SSC, “Security Information and Event Management,” Business Case (version 1.1), November 6, 2018; SSC, “SSC Networks, Security and Digital Services: Cyber and IT Security Program,” Presentation to CRA February 4, 2020. See also SSC, Shared Services Canada: Network and Security Strategy (version 1.6), September 1, 2020. Of note, CCCS is now responsible for this project.

Return to footnote 249 referrer

Footnote 250

SSC, “Improve the Internet Security Posture of Small Departments and Agencies,” Business case, December 15, 2020. There were 40 clients in 2015. See also SSC, “Mandatory Clients (MCs) IT Service Landscape Survey: As of Winter 2019-20,” Deck, Provided to NSICOP Secretariat March 24, 2021.

Return to footnote 250 referrer

Footnote 251

SSC, “Serving Government: Order in Council 2015-1071 Questions and Answers,” http://service.ssc-spc.gc.ca/en/policies_processes/oic2015-1071-qa. SSC currently provides a public key infrastructure service to two organizations, the office of a minister of the British Columbia government and the Ontario Provincial Police, and the GC WAN service to the Government of Ontario.

Return to footnote 251 referrer

Footnote 252

SSC, “Re: NSICOP Discussion on Mandate with Committee Secretariat,” Email, May 21, 2021.

Return to footnote 252 referrer

Footnote 253

SSC noted that it inherited many disparate systems from its partner departments and that the effort to design and implement an enterprise security approach for all of its partners has been an iterative one. SSC, Addendum to the Business Case for the Small Departments and Agencies Study, November 30, 2020. Some departments, like the Royal Canadian Mounted Police, struggled to have their unique operational requirements recognized by SSC.

Return to footnote 253 referrer

Footnote 254

SSC, “Mandatory Clients (MCs) IT Service Landscape Survey: As of Winter 2019-20,” Deck, Provided to NSICOP Secretariat March 24, 2021.

Return to footnote 254 referrer

Footnote 255

255 Eight organizations, including the National Farm Product Council (under Agriculture and Agri-Food Canada); the Veterans Appeal and Review Board (under Veterans Affairs Canada); the Canada Employment Insurance Commission (under Employment and Social Development Canada); the Department of Indigenous Services (under Crown-Indigenous Relations and Northern Affairs Canada); the Parole Board of Canada (under the Correctional Service of Canada); the Office of the Correctional Investigator of Canada (under the Correctional Service of Canada); the Leaders Debates Commission (under the Privy Council Office); and the Copyright Board (under Innovation, Science and Economic Development Canada). SSC, “Mandatory Clients (MCs) IT Service Landscape Survey: As of Winter 2019-20,” Deck, March 24, 2021.

Return to footnote 255 referrer

Footnote 256

SSC, “Mandatory Clients (MCs) IT Service Landscape Survey: As of Winter 2019-20,” Deck, March 24, 2021.

Return to footnote 256 referrer

Footnote 257

SSC, “Improve the Internet Security Posture of Small Departments and Agencies,” Business case, December 15, 2020.

Return to footnote 257 referrer

Footnote 258

SSC, Improving the Internet Security Posture of Small Departments and Agencies Study: Survey Report (version 1.0), December 15, 2020.

Return to footnote 258 referrer

Footnote 259

SSC, “Improve the Internet Security Posture of Small Departments and Agencies,“ Business case, December 15, 2020.

Return to footnote 259 referrer

Footnote 260

SSC, “Improve the Internet Security Posture of Small Departments and Agencies,“ Business case, December 15, 2020.

Return to footnote 260 referrer

Footnote 261

SSC, “SSC Comments,” email to NSICOP Secretariat, July 28, 2021.

Return to footnote 261 referrer

Footnote 262

TBS, Government of Canada Cyber Security Event Management Plan (CSEMP), 2019. Some of these responsibilities have shifted to CCCS with its creation in 2018.

Return to footnote 262 referrer

Table of Contents

Language selection

Social Media

Search

Search and menus

Part III: Key Cyber Defence Players, Authorities and Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

Shared Services Canada

SSC mandate

SSC services and projects

Cyber defence and SSC services

Digital services

Security services

Hardware and software services

Data centre services

Network services

Secure Internet connectivity: The evolution toward the Enterprise Internet Service

SSC partners and clients

Case study 1: A wake-up call - network consolidation and dynamic defences

Cyber defence and SSC projects

Identity and access control

Connectivity

Monitoring

SSC partners and clients

Cyber security event management

Summary

Part III: Key Cyber Defence Players, Authorities and Activities National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

Shared Services Canada

SSC mandate

SSC services and projects

Cyber defence and SSC services

Digital services

Security services

Hardware and software services

Data centre services

Network services

Secure Internet connectivity: The evolution toward the Enterprise Internet Service

SSC partners and clients

Case study 1: A wake-up call - network consolidation and dynamic defences

Cyber defence and SSC projects

Identity and access control

Connectivity

Monitoring

SSC partners and clients

Cyber security event management

Summary

Part III: Key Cyber Defence Players, Authorities and Activities
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack