Findings
National Security and Intelligence Committee of Parliamentarians Special Report on the Government of Canada’s Framework and Activities to Defend its Systems and Networks from Cyber Attack

259. The Committee makes the following findings:

F1.

Cyber threats to government systems and networks are a significant risk to national security and the continuity of government operations. Nation-states are the most sophisticated threat actors, but any actor with malicious intent and sophisticated capabilities puts the government's data and the integrity of its electronic infrastructure at risk. (Paragraphs 25 -  67)

F2.

The government has implemented a robust, 'horizontal' framework to defend the government from cyber attack. The Treasury Board of Canada Secretariat, Shared Services Canada and the Communications Security Establishment play fundamental roles in that framework. Nonetheless, this horizontal framework appears to be increasingly incompatible with the existing department-by-department 'vertical' authorities under the Financial Administration Act. (Paragraphs 95 - 213)

F3.

The government has established clear governance mechanisms to support the development of strategic cyber defence policy, the effective management of information technology security initiatives affecting government-wide operations, and the government response to cyber incidents. This framework has evolved over time in response to changes in government policies, machinery and the cyber threat environment. (Paragraphs 214 - 236)

F4.

The strength of this framework is weakened by the inconsistent application of security-related responsibilities and the inconsistent use of cyber defence services. These weaknesses include:

• Treasury Board policies relevant to cyber defence are not applied equally to departments and agencies. As a result, not all organizations must fulfill the same responsibilities, requirements and practices. This creates gaps in protecting government networks from cyber attack. (Paragraphs 95 - 125)
• Crown corporations and potentially some government Interests are known targets of state actors, but are not subject to Treasury Board cyber-related directives or policies and are not obligated to obtain cyber defence services from the government. This puts the integrity of their data and systems and potentially those of the government at significant risk. (Paragraphs 251 - 254)
• Cyber defence services are provided inconsistently. While Shared Services Canada provides some services to 160 out of 169 federal organizations, only 43 of those receive the full complement of its services. The Communications Security Establishment provides services in support of Shared Services Canada and through agreements with some individual organizations. This inconsistency introduces risks to those organizations and to the rest of government and limits the overall efficacy of CSE's cyber defence program. (Paragraphs 126 - 153)