National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack
255. The government is heavily dependent on its electronic infrastructure. It is how the government conducts its business and provides services to people in Canada. As a result, government systems and networks hold significant amounts of data of interest to foreign states, many of whom use sophisticated methods to try to infiltrate these systems and steal the data. Some of those states also increasingly target the very integrity of those systems themselves, leaving behind malware that could be triggered in the future to compromise the systems or render them inoperable. This is a threat to Canada's national security and the privacy of Canadians.
256. Over the last decade, Canada has built a strong cyber defence system to counter this threat. At its core are three organizations - Treasury Board of Canada Secretariat, Shared Services Canada and the Communications Security Establishment - that work closely together and with other government departments to build security into the government's cyber infrastructure and to strengthen its cyber defences. In its purest form, the system can be distilled into a few key elements:
- government systems fall within a single perimeter;
- the perimeter has a handful of access points to the Internet;
- those access points are monitored by sophisticated sensors that are capable of detecting and blocking known threats;
- defences are layered, with specialized sensors capable of detecting and blocking threats deployed on individual devices and to cloud environments;
- anomalies in network traffic are analyzed for new threats, information that is used to continually update *** cyber defences for threat identification and blocking; and
- departments continually update and patch their devices and systems under the coordinated direction, advice and guidance of the three organizations.
257. The current cyber defence system has not yet achieved this ideal. An overarching challenge is that the system is increasingly managed horizontally, while its foundational authorities remain vertical. This creates significant discrepancies: Treasury Board policies intended to secure government systems are not uniformly applied; individual departments and agencies retain considerable latitude whether to opt into the framework or to accept specific defensive technologies; and a large number of organizations, notably Crown corporations and potentially some government interests, neither adhere to Treasury Board policies nor use the cyber defence framework.
258. The threat posed by these gaps is clear. The data of organizations not protected by the government cyber defence framework is at significant risk. fv1oreover, unprotected organizations potentially act as a weak link in the government's defences by maintaining electronic connectivity to organizations within the cyber defence framework, creating risks for the government as a whole. These challenges are well-known to the government. The Committee expects that its review and recommendations will help to address them.