Part IV: Governance of Cyber Defence
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
214. Cyber defence is a team sport. The government has several interdepartmental governance mechanisms to support proper administration, effective program operations and accountability of cyber defence. When a cyber attack occurs, the government uses specific committees to coordinate a response commensurate with the attack's severity and scope. This section explains the role that various committees play in developing strategic cyber defence policy, supporting the effective management of information technology security initiatives affecting government-wide operations, and responding to cyber security incidents. It then describes the Cyber Security Event Management Plan, the government's primary mechanism to establish departmental roles and responsibilities for cyber security incident response. This description includes how the government sets its response levels for cyber attacks, the roles of various governance bodies and the phases of the process.
Strategic considerations
215. The Deputy Ministers' Committee on Cyber Security (DM Cyber Security) is the primary body responsible for cyber security coordination, policy and strategic cyber objectives. Co-chaired by Public Safety Canada and the Communications Security Establishment (CSE), its mandate is to develop and lead Canada's cyber security policies and operations in support of the government's economic and social priorities. The purpose of DM Cyber Security is to:
- identify policy, legislative and program opportunities to ensure that Canada's 21st-century digital economy is secure by design, and that Canada is recognized internationally for leadership on cyber security issues; and
- oversee the evolution and progress of the implementation of Canada's National Cyber Security Strategy. Footnote 346
DM Cyber Security's core membership consists of deputy ministers from 14 organizations, including those with operational or policy responsibilities for cyber security (CSE, Treasury Board of Canada Secretariat - TBS, and Public Safety Canada), lead security agencies (Privy Council Office, the Canadian Security Intelligence Service - CSIS, Department of National Defence and Canadian Armed Forces - DND/CAF, the Royal Canadian Mounted Police - RCMP), critical infrastructure sectors (Health Canada, Natural Resources Canada, Transport Canada) and deputies from economic departments that exercise authority within Canada's critical infrastructure sectors (Department of Finance; Innovation, Science and Economic Development Canada).
216. DM Cyber Security replaced a previous committee (see paragraph 86 in the section on the evolution of cyber defence 2010 to 2018) and differs from its predecessor in important ways. First, the revised mandate of DM Cyber Security is to enhance collaboration between security departments, economic departments and critical infrastructure in the recognition that issues of cyber security touch a range of departmental responsibilities. Second, leadership for this committee was expanded from the previous Deputy Minister of Public Safety to include the Chief of the Communications Security Establishment (CSE) as co-chair, reflecting the creation of CCCS and its central role within cyber defence. Footnote 347 The new DM Cyber Security held its first two meetings in June and September 2020 to discuss collaboration between security departments, economic departments and critical infrastructure; cyber operations and threats; and the National Cyber Security Strategy. The Committee has since met every 8 weeks.
217. DM Cyber Security is supported by an Assistant Deputy Ministers' Cyber Security Committee (ADM Cyber Security). As a supporting committee, ADM Cyber Security's mandate mirrors that of the DM committee: to develop and lead Canada's cyber security policies and operations in support of the government's wider economic and social priorities. It coordinates these issues among departments and prepares issues for DM consideration and decision. The purpose of ADM Cyber Security is to:
- guide policy direction and operations for issues related to cyber security;
- develop cyber security-related priorities for member departments and agencies;
- monitor progress on the implementation of Canada's National Cyber Security Strategy;
- consider emerging cyber issues and threats; and
- review and prepare items for DM Cyber Security.
ADM Cyber Security is co-chaired by the Senior ADM, National Security and Cyber Security Branch of Public Safety Canada, and the Deputy Chief of CSE. Its core membership mirrors that of DM Cyber Security. It is supported by the Director General Committee on Cyber Security and its operational sub-group, the Director General Cyber Operations Committee. Footnote 348 ADM Cyber Security meets every 10 weeks, or on an ad hoc basis as needed. Footnote 349
218. The Deputy Minister Committee on Enterprise Priorities and Planning (DM Enterprise Priorities and Planning) is another governance body with responsibilities related to strategic, enterprise-wide cyber security considerations. As stated in the Policy on Service and Digital, DM Enterprise Priorities and Planning serves as a senior-level body responsible for improving the government's client service and government operations through the strategic management of enterprise services, information, data, information technology and cyber security. Footnote 350 While the previously discussed DM Cyber Security focuses on enhancing cooperation across the security and intelligence community and with economic departments and critical infrastructure, DM Enterprise Priorities and Planning focuses primarily on the management of information technology and service delivery.
219. After the Treasury Board Policy on Service and Digital was approved, DM Enterprise Priorities and Planning created new terms of reference to better reflect the importance of discussing horizontal issues, with a focus on improving the delivery of services to Canadians. Footnote 351 Consistent with the Policy on Service and Digital, the purpose of DM Enterprise Priorities and Planning as it pertains to cyber security is to:
- establish priorities for information technology shared services and assets, and information technology investments and procurements that are government-wide or require the support of Shared Services Canada (SSC);
- support and enable departments to adopt enterprise solutions for common services;
- review and endorse the SSC investment and work plan, and provide input to SSC transformation initiatives;
- provide strategic advice and recommendations on matters relating to the management and delivery of government services to individuals and businesses; and
- endorse enterprise architecture and government-wide standards for information technology.
220. DM Enterprise Priorities and Planning is co-chaired by the Secretary of the Treasury Board and the Chief Operating Officer of Service Canada. Its membership consists of eight senior government executives, including the Chief of CSE, the President of SSC, the Chief Information Officer of Canada and the Deputy Clerk of the Privy Council. Footnote 352
Operations, policy and programs
221. The Assistant Deputy Minister Information Technology Security Tripartite Committee (ADM Tripartite) is the primary body responsible for the governance of interdepartmental information technology security initiatives. It is chaired by the TBS Chief Technology Officer of Canada and its membership is made up of assistant deputy ministers from CSE, SSC, TBS and invited departments. It provides direction and oversight to its supporting Director General Information Technology Security Tripartite (DG Tripartite).
222. The ADM Tripartite has a two-part mandate. First, it serves as a decision-making body supporting the effective design, delivery and management of priority information technology security initiatives affecting internal government systems and government-wide operations. Under this part of its mandate, ADM Tripartite is responsible for:
- providing advice to set strategic and policy direction in the area of information technology security for the government;
- providing direction and guidance to the DG Tripartite (further described below) to ensure that information technology security strategic priorities are aligned with the enterprise direction established by the ADM Tripartite; and
- raising key initiatives and recommendations to senior-level executive committees for consideration or decision.
The second part of the ADM Tripartite mandate is to manage major cyber events, discussed further below. This committee meets on an ad hoc basis and has held four meetings since 2016.
223. The DG Tripartite plays an active role in supporting the ADM Tripartite. Its mandate is to:
- align information technology security strategic priorities with the enterprise direction established by the ADM Tripartite or ADM Enterprise Priorities and Planning;
- provide advice, guidance, oversight and direction to CSE, TBS and SSC to address significant issues and obstacles that may affect progress of enterprise information technology security initiatives;
- monitor the progress and health of select CSE, TBS and SSC horizontal projects and initiatives related to enterprise information technology security; and
- provide the ADM Tripartite with strategic cyber security guidance and reporting on the status, risks and issues related to CSE, TBS and SSC enterprise information technology security initiatives.
The DG Tripartite is chaired by TBS and its membership comprises officials from TBS, CCCS, SSC and invited guests. It meets about 10 times a year. On July 9, 2021, NSICOP was informed that in March 2021, the ADM Tripartite and three other ADM-level governance committees were amalgamated to create the new ADM Quad Committee. The DG Tripartite supports this new committee. Footnote 353
Incident response
224. The Cyber Security Event Management Plan is the primary mechanism to govern departments' roles and responsibilities in the context of cyber security incident response. It provides an operational framework for the management of cyber security events that affect or threaten to affect the government's ability to deliver programs and services to Canadians. Pursuant to the Policy on Government Security, TBS first issued the plan in 2015 and updated it in 2019. TBS is currently reviewing the plan to ensure that the roles and responsibilities of the newly created CCCS are clearly articulated. Footnote 354 The Cyber Security Event Management Plan applies to all departments and agencies subject to the Policy on Government Security (currently 110 departments and agencies). Footnote 355
Cyber Security Event Management Plan response levels
225. The plan establishes four levels that govern the government's response to cyber security events targeting its systems and networks. Response levels are based on two factors: severity and scope. The severity of a cyber incident is measured through standardized departmental assessments of injury, including harm to the health and safety of individuals; financial losses or economic hardship to an individual, business or the economy; effects on government programs and services; effects on civil order or national sovereignty; damage to the reputations of individuals, businesses or the government; and damage to federal-provincial relationships and international relations. The scope of the event is measured by the number of people, organizations, facilities, systems and geographic areas affected by the event and the expected duration of the injury. Based on their analysis, departments identify to CCCS the expected results of a compromise. These range from low harm (e.g., physical harm or financial stress to an individual, minor impediment to departmental service delivery) to very high (e.g., major damage to public safety, national security or the economy, loss of confidence in government).
226. Based on this departmental input, CCCS and TBS use a standardized matrix to calculate the government's overall response level. Footnote 356 The matrix considers whether a compromise is likely to affect one or more internal government programs or services, whether external services are affected, and whether there is potential for broader propagation of the injury. Based on these values, CCCS and TBS determine the response level required, ranging from Level 1 (requires the least government coordination) to Level 4 (requires the most government coordination). There are four government response levels:
- Level 1: The severity and scope of the cyber security event does not engage the plan. Such events require only a departmental response and the standard level of government coordination. Departments respond consistent with standard internal procedures, apply regular preventive measures, and communicate with CCCS for advice and guidance.
- Level 2: The severity and scope of the cyber security event surpasses a Level 1 event and engages the plan: a limited government-wide response is required. All primary stakeholders are on heightened alert for cyber activity. This includes monitoring departmental and government-wide sensors (e.g., network- and host-based sensors) to verify whether the event has affected other departments and ensuring that any real or potential impact is contained and mitigated. Specialized stakeholders are engaged when a threat or incident is related to crime, terrorism or national defence.
- Level 3: The severity and scope of the cyber security event surpasses a Level 2 event and requires an immediate and comprehensive government-wide response. Event response at this level is coordinated through the plan's governance structure, with departments and agencies given ongoing direction on how to proceed.
- Level 4: These events represent the highest level of severity and scope and are considered "severe catastrophic events" that affect multiple government institutions, confidence in government or other aspects of the national interest. They require the invocation of Public Safety Canada's Federal Emergency Response Plan, which identifies the mechanisms and processes to facilitate a harmonized federal government response to emergencies. Footnote 357 There have been no Level 4 cyber events or incidents to date. Footnote 358
Cyber security events are dynamic and their injury and scope may increase or decrease as the event unfolds. As a result, the government may escalate or de-escalate its response level over the course of a particular cyber security event. Decisions regarding the escalation and de-escalation of the government's response level are made by increasingly senior governance bodies, described below.
Cyber Security Event Management Plan governance bodies
227. Three categories of stakeholders are involved in the Cyber Security Event Management Plan. TBS and CCCS are primary stakeholders and are engaged in all Level 2 and 3 events. CCCS would also provide advice and guidance in the context of a Level 1 event. Public Safety Canada, SSC, the RCMP, CSIS and DND/CAF are specialized stakeholders and are engaged for confirmed cyber security incidents or threat events based on their specific mandates and areas of expertise. The plan lists other stakeholders who play different roles in cyber defence, including the Chief Information Officer of Canada, the Government Operations Centre, the Privy Council Office, the CSE Canadian Committee on National Security Systems (responsible for the governance and protection of Top Secret systems), Footnote 359 the Director General Event Response Committee, and external partners, such as private sector suppliers and other levels of government.
228. The plan establishes three governance bodies that are responsible for prioritizing the government's response to serious cyber incidents and managing the escalation of responses to a cyber security event:
- Event Coordination Team: This group of working-level stakeholders is co-chaired by TBS and CCCS. It is activated for Level 2 events or when invoked by other governance bodies for Level 3 or 4 events. The Event Coordination Team works with stakeholders to recommend courses of action and to ensure the Executive Management Team (below) is apprised of events.
- Executive Management Team: This Director General-level committee is co-chaired by TBS and CCCS. It is triggered for Level 3 events. The Executive Management Team provides the Event Coordination Team with strategic direction and ensures that senior government officials are apprised of events.
- ADM Tripartite: This assistant deputy minister-level committee is chaired by the TBS Chief Technology Officer. It is triggered for Level 3 events. This committee provides direction to the Executive Management Team to respond to and mitigate an event. It is also responsible for ensuring that deputy ministers are apprised of events. During Level 4 incidents, the ADM Tripartite would support the Federal Emergency Response Plan Committee of assistant deputy ministers as appropriate. CCCS's Deputy Chief and SSC's ADM, Networks, Security and Digital Services co-chair this committee.
For all three governance bodies, other government departments can be engaged as required. For example, when an event involves national security concerns or is believed to be criminal in nature, any of the governance teams may include officials from CSIS and the RCMP, respectively. Departments directly affected by specific threats or incidents are invited to participate in governance discussions.
Phases of the cyber security event management process
229. The cyber security event management process has four phases: preparation; detection and assessment; mitigation and recovery; and post-event activity.
230. Preparation involves ongoing steps to ensure that the government is ready to respond to cyber events. This includes establishing roles and responsibilities, documenting and testing plans and procedures, training personnel, and applying protective and preventive measures at the host, application and network levels of government information systems. As part of this ongoing phase, all of the Cyber Security Event Management Plan's stakeholders, including all departments and agencies to which the plan applies, are responsible for implementing such measures within their respective areas of responsibility. For its part, TBS is responsible for developing and maintaining the plan, coordinating regular exercises with all implicated stakeholders, and reviewing lessons-learned reports from past events to drive policy changes. CCCS is responsible for ensuring that departments and agencies are provided with the required advice and guidance to mitigate cyber threats and vulnerabilities in order to prevent cyber security incidents.
231. The second phase, detection and assessment, involves monitoring for emerging cyber security events and the assessment of their potential or actual impact on government service delivery, government operations or confidence in the government. As part of this phase, CCCS is responsible for monitoring technical sources and information reported by other stakeholders; the government's perimeter and all endpoints visible to CCCS; cloud-based environments; government networks and intelligence sources; and information from domestic and international sources. DND/CAF is responsible for monitoring all DND-managed networks. The RCMP and CSIS are responsible for monitoring information from criminal surveillance sources and intelligence sources, respectively.
232. The Cyber Security Event Management Plan imposes a number of general and specific responsibilities. Generally, the plan obligates organizations to implement security controls consistent with the Policy on Government Security. It also obligates them to notify relevant authorities when an event falls under the domains of national security or law enforcement. More specifically, the plan obligates primary and specialized stakeholders to report detected cyber security events to TBS and CCCS and, when cyber events related to crime, terrorism or the military are detected, to the RCMP, CSIS and DND, respectively. When information is received indicating that a potential or actual cyber security event may exist, CCCS establishes the initial government response level in consultation with TBS, and other partners as necessary.
233. The third phase of the plan is mitigation and recovery. The purpose of this phase is to mitigate events before they become incidents and to contain and minimize the effects of incidents that have occurred to ensure the timely restoration of normal operations. Responses here may include installing patches, containment and mitigation of an incident, the invocation of business continuity and disaster recovery plans, or the temporary shutdown of vulnerable services.
234. The plan establishes the roles and responsibilities of applicable departments related to mitigation and recovery. For Level 3 events (and when determined by involved stakeholders, for certain Level 2 events), TBS provides strategic coordination, including strategic direction to departments on minimizing the government-wide effect of cyber events. The Government Operations Centre assumes this role for Level 4 events. For all events, CCCS provides operational coordination, including technical direction and advice to departments on mitigation or containment measures. All of the plan's primary and specialized stakeholders provide advice and guidance based on information received from their respective sources. Finally, departments and agencies must implement direction provided by CCCS and TBS within established timelines.
235. For all Level 3 and 4 incidents (and when determined by involved stakeholders, for certain Level 2 incidents), CCCS leads the development and implementation of a government-wide containment plan, and facilitates a targeted response. It also leads forensic examination and analysis of information technology systems in collaboration with affected departments. Affected departments and agencies and applicable service providers implement the containment plan, and SSC works to identify and report on affected or vulnerable systems.
236. The fourth phase of the Cyber Security Event Management Plan is post-event activity. In this phase, departments conduct post-event analysis and identify lessons learned to drive improvements to the cyber security event management process. As part of this phase, affected departments and agencies must produce a lessons-learned report and action plan, and contribute to government-wide post-event activities as required. CCCS collates departmental findings and produces a post-event report, including a timeline of events and root cause analysis. For Level 3 events (and when determined by involved stakeholders, for certain Level 2 events), TBS must produce a lessons-learned report and action plan on behalf of the government and monitor implementation of the recommendations. The Government Operations Centre is responsible for producing a similar lessons-learned report and action plan for Level 4 events. Finally, all other stakeholders must support the development of government-wide lessons-learned reports and implement action items under their particular areas of responsibility. Footnote 360