Part V: The Committee's Assessment of the Cyber Defence Framework
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
237. The Government of Canada has created the foundation for a strong and resilient cyber defence framework. Where other states have recently fallen victim to successful cyber exploitations and ransomware attacks, Canada has either blocked the attacks or limited their worst effects. This was not always the case. Less than a decade ago, Canada sustained multiple, damaging cyber attacks against some of its core government institutions. The government's understanding of the nature of the threat was limited; its cyber defences ranged from poor at some departments to good at others; and governance suffered from little central coordination and siloed accountabilities. The Communications Security Establishment, Canada's foremost technical expert on cyber defence, was only just deploying its defensive sensors outside of a handful of government organizations and had yet to build the type of dynamic, automated defences necessary to fight the unrelenting attacks by cyber threat actors that mark the modern cyber threat environment.
238. By 2020, however, Canada had become a world leader in defending its networks from cyber attack. What changed is a lesson in three things: the importance of maximizing authorities in the face of change, responding to crises to not only solve the problem but also build for the future, and ensuring that authorities and organizations are fit for purpose. This does not mean that Canada is perfect: the government must continue to adapt in the face of changing threats and the evolution of technology, and the Committee makes a number of recommendations to do so. The Committee provides its assessment of these changes below.
The evolution of cyber defence in Canada: A virtuous cycle, but incomplete
239. The Communications Security Establishment (CSE) is central to this story. When it was provided statutory authority in 2001, CSE's activities to protect data and information technology systems were focused on system testing and high-end cryptology. The idea of cyber defence hardly existed. For several years thereafter, CSE was the only federal organization with the lawful authority to operate systems which risked intercepting private communications, such as firewalls and intrusion detection, that could protect a government network. Building on the organization's knowledge of signals intelligence, CSE developed and deployed proprietary defensive sensors to organizations being attacked by sophisticated state adversaries: China and Russia. These activities would have been impossible were it not for the government's willingness to allow CSE to use its novel authorities, that is, ministerial authorizations, in unexpected ways. Between 2002 and 2007, CSE experimented with new approaches and techniques while working to protect several departments from cyber attack. Its efforts were not without problems: in 2006, CSE was forced to pause its cyber defence activities for more than a year because those activities did not comply with legal obligations stemming from those authorities. After restructuring of the ministerial authorization program and its policy framework, CSE resumed its cyber defence activities and deepened its expertise to detect and then block the most sophisticated cyber threats. Nonetheless, CSE's success in identifying threats and working with specific departments to implement mitigating measures likely would have continued to be constrained by the government's department-by-department approach to cyber defence.
240. [*** This paragraph was revised to remove injurious or privileged information. ***] Major cyber attacks proved to be important turning points. In 2010, CSE deployed its cyber defences onto the government's Secure Channel Network, where 75 departments had migrated their Internet access onto a single network managed by Public Works and Government Services Canada. That deployment revealed that China had penetrated the digital systems of a number of government organizations, key among them the Treasury Board of Canada Secretariat (TBS) and the Department of Finance, and stolen significant data. As a result, TBS directed all government departments to join the Secure Channel Network, which caused a number of departments to migrate their Internet access and laid the foundation for the evolution toward the Enterprise Internet Service several years later. In 2014, government networks were hit by the HEARTBLEED attack and the National Research Council suffered a separate, critical compromise involving the extensive theft of research information and scientific data. Both incidents were seminal events for the government, revealing broad system vulnerabilities and weaknesses in the government's cyber defence framework. They also resulted in CSE's first deployments of specific cyber defences. These deployments laid the groundwork for the further expansion and modernization of these services. These attacks also revealed significant problems in interdepartmental coordination and governance of major cyber incidents. As a result, TBS modernized various policies and directions to clarify roles and responsibilities and key departments took on increasingly prominent leadership roles in cyber incident response.
241. The government's development of new authorities and organizations was critical. In 2011, the government established a new organization, Shared Services Canada (SSC), to standardize and consolidate the purchase and provision of information technology and services across departments. Initially, the government emphasized the cost-saving elements of SSC's creation, but when the scope of the challenge was recognized (for example, SSC inherited a wide mix of new and outdated infrastructure), the government invested significant amounts to modernize the government's information technology infrastructure. Among other things, this meant that SSC would build security into the government's future technology modernization initiatives. From a cyber defence perspective, the most important changes arising from the creation of SSC were the increasing consolidation of government departments under the Enterprise Internet Service (more on this below) and the 'forcing function' played by SSC to oblige subject departments to patch their devices, systems and networks.
242. Important changes to the machinery of government continued in 2018 with the creation of a unit in CSE: the Canadian Centre for Cyber Security (CCCS). The amalgamation of three organizations, CCCS is the unified and authoritative source for cyber security in Canada. It is responsible for protecting and defending Canada's cyber assets through advice, guidance and direct operational assistance and, in collaboration with TBS, leading the government's response to cyber security events. It continually modifies its approach to cyber defence, updating its network-based sensors to better detect and block malicious cyber behaviour, creating new host-based sensors to deepen the layers of network defence to the level of individual devices, and working to identify new threats through the accumulation and analysis of new intelligence and anomalous data. The promulgation of the Communications Security Establishment Act in 2019 may contribute further to these efforts by clarifying CSE authorities and immunities, including the addition of defensive cyber operations as a still-nascent tool to protect government systems in specific circumstances.
243. Over time, these changes have created a virtuous cycle. As more departments migrate to the SSC Enterprise Internet Service, the more they benefit from the sophistication of CCCS's dynamic defences. The more departments subscribe to CCCS cyber defence services for endpoint devices and cloud environments, the more the government's systems and data are secured from advanced cyber threats and cyber crime. The more data that CCCS obtains and analyzes from its expanding number of cyber defence sensors, the greater its ability to identify and block new cyber threats. Finally, the greater clarity over roles and responsibilities, governance, and incident response resulting from the creation of new departments and the promulgation of new authorities, policies and directives, the more the government can react quickly and deliberately to evolving threats. This should be true for the foreseeable future, as well. For example, TBS has mandated cloud-based sensor usage as part of the government's cloud security guardrails, thereby ensuring that strong security measures are built in by design. These changes and their ongoing evolution have produced clear results: Canada now sees increasingly fewer successful incidents of network penetration, data loss or damage.
Who is protected depends on who you ask
244. Perfection of this system is impossible: threats evolve, mistakes occur, defences fail. But improvement is always possible, and there are three important challenges to address. The first challenge is the inconsistent application of Treasury Board policies and directives. These instruments determine the scope of services afforded to government departments. The Financial Administration Act groups most federal organizations into specific schedules according to their mandate, governance structure and degree of independence, and provides the legal authority for Treasury Board to issue policies and directives. This facilitates the standardization of accountability requirements for organizations across government. However, the three primary Treasury Board instruments for cyber defence do not have the same scope of application. On the one hand, the Policy on Government Security and its related security directives, such as for the secure use of commercial cloud services, apply to 110 federal organizations; whereas the Policy on Service and Digital (and its derivative policies) and the Digital Operations Strategic Plan apply to 87 federal organizations. More broadly, these core elements of the government's administrative framework for cyber defence do not apply evenly (or in some cases, at all) to all of the Government of Canada's 169 organizations.
245. The second challenge is the way SSC's mandate and responsibilities for cyber security services are set out. A series of orders in council reference specific schedules of the Financial Administration Act to identify the departments to which SSC must provide its email, data centre, networking and endpoint device services, and those to which SSC may provide such services. The group of departments and agencies (SSC's core partners) to which SSC must provide services are the best-protected, as they receive the full complement of SSC services. For the group to which SSC may provide services (SSC's mandatory and optional clients), SSC's provision of services is essentially a la carte, where SSC provides some or all of its services on a cost-recovery basis. When government organizations find the costs for these services prohibitively expensive, they do not subscribe to them, leaving their data potentially vulnerable to exploitation. Yet these organizations have electronic links to other organizations' digital infrastructure, and may inadvertently provide access to a malicious cyber actor and potentially threaten the wider security of the government.
246. [*** This paragraph was revised to remove injurious or privileged information. ***] The third challenge is establishing a basis for expanding the number of government organizations receiving the protection of CSE's cyber defence program. CSE's mandate under the Communications Security Establishment Act provides the most expansive authority to provide cyber defence protection to federal institutions . Yet no government departments are obligated to use one or more of CSE's cyber defence sensors. While CSE currently provides one or more of its cyber defence sensors to *** percent of the 169 federal organizations that make up the Government of Canada, that leaves *** percent of federal organizations unprotected by any of CSE's cyber defence sensors. This causes problems. For one, it limits how much malicious cyber threat activity targeting government departments that CSE can observe. For another, it handicaps CSE's ability to react quickly when one or more unprotected departments are compromised in a cyber attack. Further, those organizations outside the umbrella of CSE's cyber defence sensors are themselves unlikely to know when they have been victimized. The one possible avenue of protection for these organizations would be where CSE's signals intelligence program, through its tracking of global cyber threats, obtains some indication of compromise and shares this information with CCCS. As discussed in case study 6 on the attack against a Crown corporation, such assistance would almost always come after data had been stolen and the integrity of the organization's system compromised. Going forward, maximizing the number of departments using all three types of sensors (where applicable) to protect their networks and information will be important to further protect the sensitive information held by government organizations and to ensure the provision of government services critical to Canadians.
The success and the gap: Securing Internet access in government
247. The question of which federal organizations use the government's secure Internet access underlies all three challenges. The creation of SSC's Enterprise Internet Service and its progressive adoption by departments have played a foundational role in strengthening the government's cyber defence framework. Further, the integration of CSE's *** dynamic defences into the Enterprise Internet Service's Internet access points is arguably the single-most important defensive measure currently in the government's defensive framework. Extending this framework to all Government of Canada organizations requires addressing the three challenges described above.
248. First, departments should be applying Treasury Board policies and directives consistently. Since 2006, on four separate occasions, Treasury Board has issued 'mandatory' direction to government departments requiring them to use secure Internet services, most recently in 2018 as part of the Digital Operations Strategic Plan. This suggests that government organizations still exercise considerable discretion on which Treasury Board direction they accept and when. As of August 2021, 94 of 169 organizations subscribe to the Enterprise Internet Service. This includes nearly all organizations subject to Treasury Board policies, allowing the Committee to conclude that Treasury Board directives in this area have, eventually, been successful. Currently, the gap in the government's cyber defence framework is found among the 75 federal organizations not subject to Treasury Board direction in this area (more on this at paragraph 251 below). These organizations remain outside of the government's secure perimeter and the protection of CSE's cyber defences.
249. Second, the series of orders in council that establish SSC's mandate and responsibilities for cyber security services creates a patchwork of coverage for government organizations. The 94 organizations that receive or subscribe to the Enterprise Internet Service include 43 core partners, 27 mandatory clients and 24 optional SSC clients. For SSC's core partners, full SSC service provision includes the Enterprise Internet Service, and SSC is obligated to provide it. The mandatory and optional SSC clients that receive the Enterprise Internet Service have chosen to do so. In sum, these organizations contribute to and benefit from the framework's virtuous cycle, discussed above. In contrast, other federal organizations remain outside of the government's secure perimeter and the protection of CSE's cyber defences. Notwithstanding the vulnerability of these organizations, there is currently no plan or dedicated funding to incorporate some of them - namely, small departments and agencies - into SSC's wider security services, including in the Enterprise Internet Service. This is of significant importance. As the Committee heard:
Internet gateways and the connections to the Internet were consolidated, starting with only the 43 large departments and agencies that fell under SSC's mandate. All small departments and agencies were left to their own devices .... Bringing them into the capabilities of SSC and CSE is imperative to being able to secure them. They need those services more than anyone. Footnote 361
250. Third and finally, of the government organizations receiving the protection of CSE's cyber defence sensors, most are protected because they receive SSC's Enterprise Internet Service. Simply put, it is the means of acquiring this advanced protection from CSE. Of the*** federal organizations that receive one or more cyber defence sensors from CSE, *** of them benefit from *** dynamic defences. *** A few departments have their own bilateral agreements with CSE for deploying network-based sensors. The Committee lauds the efforts of SSC and CSE to enable such comprehensive protection for government systems. The concern now must be for establishing CSE cyber protection for those organizations that are not considered federal departments or agencies but are nonetheless digitally tied to the federal government.
Crown corporations and government interests
251. The 75 organizations that fall outside of Treasury Board direction and the Enterprise Internet Service are primarily Crown corporations and some government "interests." These corporations and interests have been created by the government for a variety of reasons and their mandates are meant to be independent of government direction to varying degrees. Most have considerable latitude to develop and secure their own information technology infrastructure, and many contract private sector companies to provide their infrastructure, host their data and protect their systems. Nonetheless, those organizations ultimately hold fiduciary and accountability requirements to the Crown. Most importantly for the purposes of this review, those organizations receive, hold and use the sensitive information of Canadians and Canadian businesses, information that is at risk of compromise by the most sophisticated of cyber actors, including states. Nonetheless, they are not required to adhere to Treasury Board policies meant to ensure the security of their information technology infrastructure. They are also excluded from the obligatory portions of SSC's enabling orders in council and therefore most do not obtain cyber defence services from SSC. The result is that most do not benefit from CSE's protection of the Enterprise Internet Service. This leaves those organizations worryingly vulnerable to the loss of their own data and, where they maintain electronic links with related federal departments, to inadvertently act as a vector into the government's protected systems, putting the government's data and systems at risk.
252. The Committee recognizes the importance of independence for Crown corporations and, where applicable, government interests. Independence of mandate is essential to protect the integrity of important areas of public policy, including the administration of justice or Canada's financial and economic systems. The Committee emphasizes two issues, however, in assessing whether independence of mandate should equate to exclusive control of data, systems and networks. First, it is clear that commercially available products and services are insufficient protection against the most sophisticated cyber threats. China and Russia have shown repeatedly that they are capable of penetrating well-defended systems and networks, particularly those that are not protected by equally advanced, state-supported cyber defences. The protection offered by CSE and SSC may be imperfect, but their combined cyber defences offer the greatest likelihood of protecting government data and the integrity of its systems in the future.
253. [*** This paragraph was revised to remove injurious or privileged information. ***] Second, Crown corporations and other government interests are targets of state cyber activities and cyber criminals, as demonstrated in specific incidents over the past several years. More generally, Russia, China and other states target critical infrastructure providers, including as noted in the Committee's 2020 Annual Report, American natural gas and electricity providers. In Canada, some critical infrastructure organizations are federal Crown corporations. Based on the known behaviour of the most sophisticated state cyber threats, it would be naive to believe that those organizations would not be targets ( or are not currently targets), either for the purposes of espionage or system degradation at some point in the future.
254. In the context of such organizations falling under the SSC and CSE protective umbrella, the Committee recognizes that organizations may have privacy concerns about CSE, in particular, monitoring system network traffic, email or web browsing. In that respect, the Committee takes note of the conclusions of the CSE Commissioner, who found that there were very low levels of privacy implications associated with CSE cyber defence activities conducted under ministerial authorization, an important consideration for organizations that cite privacy as a reason for remaining outside of the government's cyber defence framework. More importantly for the Committee, however, is the choice faced by Crown corporations and relevant interests: rely on the government, through a rigorous statutory mechanism with strong privacy safeguards and external review, to protect data, systems and networks from exploitation and potential degradation, or accept the relatively high probability that sophisticated cyber actors will compromise these organizations' systems in the future and steal the data they hold. For the Committee, the consequences of those choices are clear: not obtaining the government's cyber defence services means choosing to leave data and the integrity of systems vulnerable to the world's most sophisticated cyber threats.