PACC Committee Meeting
37th PARLIAMENT, 1st SESSION
Standing Committee on Public Accounts
EVIDENCE
CANADA
Tuesday, May 21, 2002
[Recorded by Electronic Apparatus]
(1545)
[English]
The Chair (Mr. John Williams (St. Albert, Canadian Alliance)): I think we have a quorum here, ladies and gentlemen, so I would ask the television cameras to take their final shots and leave, because cameras are not allowed in the room.
Mr. Martin.
Mr. Pat Martin (Winnipeg Centre, NDP): Mr. Chairman, if we are in order, I have a motion I would like to present.
The Chair: I didn't quite call the meeting to order, so let me just do that first.
Mr. Martin, you have the floor.
Mr. Pat Martin: Thank you, Mr. Chairman.
I have a motion that I would like to present. Once it is circulated, I would like the opportunity to speak to it.
The Chair: Let's just give the clerk a couple of minutes to circulate your motion.
Mr. Harb.
Mr. Mac Harb (Ottawa Centre, Lib.): Does he need a suspension of the rules?
Mr. John Williams: We don't have a 48-hour motion rule in the public accounts committee.
Mr. Mac Harb: Okay.
Mr. John Williams: Okay. The motion I have been given by Mr. Martin reads as follows:
I, Pat Martin, MP, Winnipeg Centre, move that the public accounts committee hold one or more hearings into the Auditor General's report on Groupaction Communications sponsorship contracts.
That has now been circulated in both official languages.
Mr. Martin.
Mr. Pat Martin: Thank you, Mr. Chair. Now that that's been circulated, I would like to make a couple of comments as to why I raised this motion today.
It's my feeling, Mr. Chair, that the public accounts committee is charged with the responsibility of being the oversight committee for all public spending. In light of the shocking revelations of the Auditor General's investigation and report into the Groupaction contracts, I believe it's both fitting and very timely that this committee be seized of that issue and conduct an in-depth study and analysis of those particular Groupaction awards. Many might say the Auditor General has already volunteered to investigate further, and in fact, the RCMP will be conducting an investigation, but my argument is that an RCMP investigation, by its very nature, is secretive. We will not learn anything the RCMP unearths, other than evidence of criminal activity, such as fraud or false representation on the part of the contractor. The Auditor General is limited in her scope and her mandate, in that she can only comment on wrongdoing by the public servants in question. Therefore, we don't believe we will get the information the public wants and all parliamentarians should be interested in, which is a detailed account and analysis of how this particular public spending went so far wrong. I would argue that this is the appropriate venue and forum to deal with this issue, and I would move that we deal with it as an item of business of this committee.
(1550)
The Chair: Okay, Mr. Martin. Thank you very much.
Mr. Bryden.
Mr. John Bryden (Ancaster—Dundas—Flamborough—Aldershot, Lib.): We're having a formal debate on the motion now, are we?
The Chair: The motion is before the committee. Yes, we're going to have a debate, and we'll call the question.
Mr. John Bryden: I'd like to make a couple of comments. I do think this is the appropriate forum for this type of Auditor General's report. My only concern, with respect to the motion, is that it's very limited in scope. A couple of meetings past the Auditor General reported the same type of phenomenon in very unusual Public Works contracting-out with the Canadian Health Network. In fact, if I recall, she said they broke every rule in the book, every Treasury Board guideline in the book. So it suggests to me that what we're looking at here is perhaps a government-wide problem that's emanating from Public Works.
I'm happy to go with a motion like this, whether or not it really is limited in scope and we really ought to wait until we hear a bit more from the Auditor General in other areas and we do our hearings on the Canadian Health Network.
The Chair: Thank you.
Mr. Harb.
Mr. Mac Harb: I have absolutely no problem with the motion, Mr. Chair. I guess, in light of what my colleague has clearly stated, the Auditor General is in the process of doing more work on the file, there is a police investigation taking place, and I think it's very much apropos for us to proceed with this, to pass it on to the steering committee for scheduling and timing, and to do it as soon as possible.
The Chair: Mr. Mayfield.
Mr. Philip Mayfield (Cariboo—Chilcotin, Canadian Alliance): I would like to see this motion passed. I think there are many people in the departments, as well as in the House of Commons, who would like to examine the issue and come to a rational decision. We have a history in this committee of coming at these things in a reasonably non-partisan way. In dealing with an issue as significant as this, I think it should go forward in that spirit. I'm very encouraged to hear members on the government side speaking in favour of this motion, and I have to support them in that.
The Chair: Mr. Shepherd.
Mr. Alex Shepherd (Durham, Lib.): I'm very possibly in support of the motion and taking it to the steering committee. The concern is, of course, that we're going into summer adjournment, so we should find a way to deal with some of this as expeditiously as possible. The instructions would be to the steering committee to define the scope so we could limit the amount of time. Not that we want to deal with this quickly, but we want to get the most out of the one or two meetings we can possibly schedule between now and summer adjournment. Obviously, we would bring back the Auditor General for one of those meetings.
The Chair: The motion does say one or more hearings on the Auditor General's report. I'm sure the government House leader will want to make sure Parliament doesn't go to recess until we get all this worked out.
Ms. Phinney.
Ms. Beth Phinney (Hamilton Mountain, Lib.): Mr. Chair, I'd like to suggest that we call for the vote.
The Chair: The question has been called.
Mr. Keddy, I'll allow you one very brief comment.
Mr. Gerald Keddy (South Shore, PC): Thank you, Mr. Chair. I did try to get your attention before.
The issue becomes, are we voting on the motion as it reads, or are we voting on an amended motion?
(1555)
The Chair: We are voting on the motion as it reads. It has not been amended.
(Motion agreed to)
The Chair: Mr. Lebel.
Mr. Ghislain Lebel (Chambly, BQ): I also have a motion to table. It was sent to the clerk prior to the meeting.
The Chair: I received it today. It's being distributed in both official languages as we speak.
Okay, Monsieur Lebel.
[Translation]
Mr. Ghislain Lebel: I've tabled a notice of motion that reads as follows:
That the Standing Committee on Public Accounts examine the report made by the Auditor General to the Minister of Public Works and Government Services...
That's the Auditor General's report to which Mr. Martin was referring earlier.
...on three contracts awarded to the firm Groupaction, and hear from relevant witnesses, in particular...
I would ask my colleague opposite to show me the same courtesy.
...Ms. Sheila Fraser, Auditor General of Canada; Mr. Jean Brault, President of Groupaction; Mr. Roger Desjeans, Vice-President for Marketing, Groupaction; Ms. Diane Donnelly, Corporate Affairs Director, Groupaction; Mr. Charles Guité, former PWGSC official; and Mr. Pierre Tremblay, official with the Canadian Food Inspection Agency.
Mr. Tremblay took over for Mr. Guité upon his retirement.
Let me explain it to you. In her report to the minister, which I'm sure you all recall, the Auditor General stated that some people had circumvented the law. However, the AG operates within the confines of government and does not have the authority to request information from outside organizations.
I've included the names of Roger Desjeans and Diane Donnelly. You will recall that when this story broke, it was revealed in the House that although Groupaction claimed to have submitted three separate reports, Ms. Donnelly in fact had signed an affidavit in the presence of Mr. Desjeans. The affidavit per se, I will admit, was upheld, but Ms. Donnelly, an employee of Groupaction, had signed an affidavit in the presence of Mr. Desjeans, before whom she swore an oath. The affidavit said that they had done some work and submitted a third report. Unfortunately, the affidavit cannot be called into question. We need to question the person who swore under oath that a third report, the one that has gone missing, was in fact submitted.
Why do I want to question Mr. Tremblay? It has to do with a report that went missing in 1999, according to the AG's report, except that on May 8, 2001, that is a year and a half after this infamous report was apparently submitted to the department, Mr. Tremblay, in a letter to...
The Chair: This is not the time to discuss this matter, Mr. Lebel.
[English]
I think what we want is a synopsis of your motion or why you would like it to be presented at this time.
[Translation]
Mr. Ghislain Lebel: I understand, but I'm simply trying to explain my reasons to you. I don't want to debate the substance of the motion. I just want to explain to you that Pierre Tremblay requested...
[English]
The Chair: I just want a general direction as to why you feel the motion should be put forward, not a detailed explanation of the individual--
[Translation]
Mr. Ghislain Lebel: Let me finish. You'll have your answer in 30 seconds.
One and a half years later, Pierre Tremblay wrote to Jean Brault and informed him that something was missing, that the qualitative aspect of the study, the primary feature of Groupaction contracts, had not been provided. When the AG says that some critical parts of these contracts have not been fulfilled, this appears to be consistent with what Mr. Tremblay was saying and with what Mr. Brault and Ms. Donnelly, in separate letters dated May 8, 2001, seemed to be saying to Pierre Tremblay. Apparently, the most important part of this contract had been overlooked.
That is the reason why I would like these persons to come before the committee to explain their actions and to produce supporting evidence, so that the Public Accounts Committee, which has a duty to defend the interests of the public, can shed some light on this whole affair.
Therefore, my motion ties in with that of Mr. Martin, but goes one step further in so far as the witnesses are concerned.
(1600)
[English]
The Chair: Mr. Murphy.
Mr. Shawn Murphy (Hillsborough, Lib.): Thank you very much, Mr. Chairman.
First, I support the motion in that we have to deal with this matter as expeditiously as possible. However, Mr. Chairman, this is not the way we've done things before. It's my position that this matter should be referred to the steering committee. We should hear from the Auditor General first, and then the steering committee should get together with the clerk and decide, after discussion, who the best witnesses are to call. So we'll deal with it the way we've dealt with all other matters as long as I've been in this committee as quickly as possible. For that reason I would oppose this motion, Mr. Chairman.
The Chair: Okay.
[Translation]
Mr. Ghislain Lebel: Are you telling us that the AG needs to prepare a report on her own report?
[English]
The Chair: Mr. Harb.
Mr. Mac Harb: Let it be clear, Mr. Chair, the government has nothing to hide on this particular issue, and I don't want to give the impression to my colleague that we are trying to block anything. It's the opposite, we are as anxious as my colleague is to get to the bottom of it. In fact, it was a government request that got the Auditor General to look into it.
What I would like to see happen, if my colleague will agree to a friendly amendment, because it basically deals with exactly what Mr. Martin put forward, is that this matter be referred to the steering committee, as my colleague Mr. Murphy has clearly stated, so we can have an idea. Maybe there are other witnesses, maybe fewer witnesses, maybe the Auditor General will make some other suggestions. This way we can give it the proper and reasonable priority it requires. I suggest we should meet as quickly as possible on this matter, Mr. Chair, so we can deal with it. If my colleague would be in agreement, an amendment to refer it to the steering committee for consideration would be the most appropriate route.
The Chair: Thank you. Let me ask Monsieur Lebel.
[Translation]
Mr. Ghislain Lebel: I'm trying to understand, Mr. Chairman. In other words, the member opposite is telling me that the Public Accounts Committee would no longer be a public committee and that we would discuss this matter as a steering committee.
Some hon. members: No.
Mr. Ghislain Lebel: That's how I understand it.
[English]
The Chair: No, let me explain. As Mr. Murphy pointed out, the main committee approves the recommendations by the steering committee to hold hearings on certain issues. Now we've decided that we're going to hold a hearing on this particular issue, the report by the Auditor General on Groupaction Communications. The steering committee decides on the witnesses in consultation with the Auditor General's office, because the Auditor General is the person who knows from the inside who are the most important witnesses who need to be heard from. That decision is made at the steering committee. We have then, as we are having here later on, a public meeting, but the witnesses are determined by the steering committee. I think that is what Mr. Harb and Mr. Murphy are saying.
My point to you, Mr. Lebel, is, do you want your motion to be voted on as is, or do you want to accept that it can be referred to the steering committee to determine the witnesses? The choice is yours.
[Translation]
Mr. Ghislain Lebel: We'll go along with that, if he votes in favour of it.
[English]
The Chair: Mr. Bryden.
Mr. John Bryden: I was going to come up with another suggestion, but I think that's entirely acceptable.
The Chair: Okay.
Mr. Forseth.
Mr. Paul Forseth (New Westminster—Coquitlam—Burnaby, Canadian Alliance): Generally, steering committees work by consensus, and on the rare occasion that a steering committee has a problem, it brings it back to the committee as a whole, and the committee as a whole is the decider. But usually steering committees are able to make decisions by consensus.
The Chair: Your point is well taken, Mr. Forseth, and the final decision-maker is the committee as a whole.
So Mr. Lebel has agreed to amend his motion. Am I correct in saying that the witnesses are to be chosen by the steering committee? Now we're reiterating the first motion. The clerk advises me the motion is superfluous, since we have already agreed to hold a hearing by virtue of Mr. Martin's motion, and the witnesses will be determined by the steering committee. If the steering committee has a deadlock and cannot agree, it will come back to this meeting. Since the clerk advises me that the motion is superfluous, I'm going to rule the motion out of order. Is that okay? All agreed?
(1605)
Mr. Mac Harb: Mr. Chairman, we can make suggestions.
[Translation]
Mr. Ghislain Lebel: Mr. Chairman, you can't rule my motion out of order.
[English]
The Chair: The clerk advises me that the motion can be referred to steering committee.
Mr. Mac Harb: Referred, yes, that's what we want to do.
The Chair: So rather than having the motion ruled out of order, Mr. Lebel, it will be referred to the steering committee. Of course, the Bloc Québécois has a seat on the steering committee, and your representation, no doubt, will be bringing forward those very names that you have proposed. If there is a problem in agreeing, it comes back to the full committee for resolution.
The business of the day, pursuant to Standing Order 108(3)(e), is consideration of chapter 3 (Information Technology Security) of the April 2002 report of the Auditor General of Canada.
Our witnesses today are, from the Office of the Auditor General, Mr. Douglas Timmins, the Assistant Auditor General, Ms. Nancy Cheng, a principal, and Mr. Richard Brisebois, a director. From the Treasury Board of Canada Secretariat we have Ms. Michelle d'Auray, chief information officer, chief information officer branch, Mr. John Weigelt, director, IT security and public key infrastructure policy, in that branch, and Ms. Anne Brennan, director, information and security policy branch. Welcome, all.
We'll start with Mr. Timmins and his opening statement.
Mr. Douglas Timmins (Assistant Auditor General, Office of the Auditor General of Canada): Mr. Chairman, thank you for this opportunity to discuss the results of our audit of information technology security. As you've already noted, joining me at the table are Nancy Cheng and Richard Brisebois, the principal and the director responsible for the audit.
Cyber-threats are real and can cause significant damage to an organization. Data from the United States show a dramatic rise in reported incidents, particularly in recent years. Canadian data show a parallel trend. In addition, security and privacy concerns have been identified as a key issue in the Government On-Line initiative, a major government initiative to connect Canadians and provide them with on-line access to services. As a result, information technology security in government is becoming increasingly important.
The government security policy was previously updated in 1994, and was revised during 2001. The revised policy came into effect in February 2002 and is an important step in the right direction. It puts a strong focus on information technology security and provides a governance framework for security across government. The policy is supported by operational and technical security standards. The operational security standards were last updated in 1995, and a set of technical security standards was published by the RCMP in 1997. These standards remain unchanged, and a plan to update them has yet to be completed. Technology has advanced significantly since that time. Without up-to-date standards, the 2002 security policy will not be fully effective.
The 1994 policy required departments to conduct internal audits of security and request the RCMP to review their IT security programs at least once every five years. At the Treasury Board Secretariat's request, the RCMP had to submit a report on the state of IT security in government based on its reviews. We found there had been little monitoring of the state of IT security across government. In the past five years of about 90 departments and agencies subject to the government security policy only 10 departments have submitted internal audit reports and 14 have had RCMP reviews. The last RCMP report on the government's IT security program was submitted in 1995, and the Secretariat has not requested any report since then.
(1610)
[Translation]
As a result, the government does not have an adequate basis to determine whether existing IT security practices are acceptable; nor does it have an appropriate baseline to measure future progress. The 2002 policy calls for a report card on the effectiveness of the policy by 2004. In our view, the assessment of the effectiveness of IT security across government needs to be done sooner.
The revised security policy no longer stipulates a minimum frequency for internal audits and independent assessments. Under the revised policy, the Treasury Board Secretariat is responsible for active monitoring, but each department will decide when and how often audits and assessments will be conducted.
We also reviewed IT security practices in four departments. We found several weaknesses that could be symptoms of potential weaknesses in other departments and agencies.
[English]
It is neither feasible nor cost-effective to eliminate all risks or threats to information assets. Risk assessments help direct resources to areas that warrant them. We found that departments have prepared threat and risk assessments on an ad hoc basis, and the assessments have tended to focus on a single application. We also found that some departments have conducted little or no technical testing of their network systems for unauthorized modems and potential vulnerabilities.
Finally, as part of the audit, we conducted certain technical tests on some departments to identify vulnerabilities in their network systems, but we did not exploit them. Of the 260 systems we tested 85 contained vulnerabilities. We noted that most of them could allow the system to be readily compromised by a targeted attack. In fact, one of them could have posed an imminent threat, and we reported the situation immediately to that department. In January 2002 we provided all other test data and results of our vulnerability assessments to the various departments for corrective action. The results confirmed the merit of conducting vulnerability assessments. We recommended that the government consider requiring departments to conduct periodic vulnerability assessments of their information systems.
Specific and timely action to address IT security concerns is important. The committee may wish to request a detailed action plan to update IT security standards. It may also wish to consider the merit of evaluating the effectiveness of IT security in government sooner than required by the government security policy.
Mr. Chairman, that concludes my opening remarks. We'd be pleased to answer any questions the members have.
The Vice-Chair (Mr. Mac Harb): Thank you very much, Mr. Timmins.
Now we'll hear from Treasury Board Secretariat, Ms. Michelle d'Auray.
Ms. Michelle d'Auray (Chief Information Officer, Chief Information Officer Branch, Treasury Board of Canada Secretariat): Thank you, Mr. Chairman. Good afternoon, members of the committee. Thank you for the opportunity to appear today to discuss chapter 3 of the Auditor General's report on information technology security.
Ensuring the security of our systems and networks and protecting information are of utmost importance to the Government of Canada. This is particularly so as we begin to implement the Government On-Line initiative, which will provide citizens and businesses with on-line access to the most frequently used government services, whenever and wherever they connect to the Internet, in the official language of their choice by 2005.
I am pleased to indicate to the committee that for the second year in a row an independent consulting firm found that Canada ranked number one in the world for its on-line initiative. Given our GOL target and our commitment to the security of our IT systems, I'd like to assure members of the committee that the government's key information holdings are secure. While vulnerability assessments were conducted by the OAG at several departments, these were primarily oriented towards outward-facing systems, and we believe none of the vulnerabilities found exposed sensitive government information holdings.
The audit conducted by the Office of the Auditor General assessed the framework for IT security the government has in place to protect its information assets and provide secure, uninterrupted delivery of electronic services to Canadians.
(1615)
[Translation]
The recommendations made in Chapter 3 of the report focused on two main areas: reporting on the state of IT Security in the Government; and the Government's IT Security Standards. We are generally in agreement with the recommendations in Chapter 3 of the AG's report, and the government's responses reproduced in the chapter reflect this.
The Government's strategy for IT security has three main components: security architecture, which calls for a government wide approach; policy, standards and guidelines; and finally, implementation of this architectural framework, policies, standards and guidelines.
The renewed Government Security Policy came into effect on February 1 of this year and the Auditor General recognized this, and I quote, as “an important step in the right direction”. The policy sets out the roles and responsibilities of departments, lead agencies and federal employees with respect to IT security.
The review of the GSP involved over 200 people from a variety of departments and addressed the policy in its entirety. The IT security working group, with over 20 representatives from across Government, collected a considerable amount of information on the topics that could form the basis of technical standards to guide departments in their roll out of secured electronic services. We agreed to speed up the work to develop and implement these standards.
[English]
The government's lead security agencies possess a vast amount of knowledge on best practices, which is regularly shared with departments. As the lead IT security engineering authority for the government, the Communications Security Establishment provides guidance to departments on how technology can be deployed in a secure manner. The CSE's secure electronic business test bed responds to departmental business requirements and produces detailed reports to support the departmental rollout of secure business applications. While not officially titled standards, the CSE's reports represent the best practice for securing the service, product, or technology that is the subject of each of these reports. One of these reports, for example, is on the use of BlackBerrys in government networks.
We agree with the OAG that to date we have not formally documented this knowledge within the context of formal standards, and we agree with the Auditor General's recommendation that our efforts in this area need to be expedited. We have now developed a comprehensive plan that prioritizes the development of key standards, and we would be pleased to share the top 40 standards with the members of the committee, but we are continuing to finalize departments' input into the response. These standards respond to business drivers and risk management, so that the standards balance both the openness to allow for service delivery and the need for protection and assurance.
But standards are only one component of our strategy. We are also approaching security through an enterprise-wide architecture, which means that we are drawing on the expertise of lead agencies, as well as the private sector, to develop the blueprints government departments can use to develop and implement secure on-line services. We are working with the private sector, for example, to build a secure channel and the public key infrastructure, to ensure that Canadians can conduct transactions on-line with the government in a secure environment. The secure channel is the translation of our vision of a secured, privacy-respecting environment that we will achieve through the Government On-Line initiative.
Other measures the government has taken include the establishment of the Office of Critical Infrastructure Protection and Emergency Preparedness--known through the rather awkward acronym OCIPEP--in February 2001 to provide a central capacity for real-time monitoring and remediation strategies with respect to network and departmental IT security incidents. Through OCIPEP and the mandatory reporting of IT security incidents by departments, which is required under the new government security policy, we have strengthened our capability to coordinate responses to IT security incidents. This mandatory reporting will enable OCIPEP to fulfil its mandate to coordinate a response to incidents and will also provide for more systematic collection of information, as well as the analysis of long-term trends. Committee members should also note that since the Y2K rollover there has also been a weekly conference call of IT security practitioners, which also helps us to identify trends and to monitor intrusion detection.
º (1620)
[Translation]
The Government remains of the view that departments are in the best position to determine when and how frequently internal audits and independent assessments of their IT security postures are to be conducted, as is stated in the renewed GSP. To assist departments and agencies in fulfilling this obligation, self-assessment tools and guidance on vulnerability analysis requirements and optimal frequency of periodic assessments are being developed.
One of the greatest challenges of IT security monitoring is making sense of the abundance of incident-related data that is generated as part of routine network administration. We are building tools that will assist departments in making those assessments and in managing risk.
We are proceeding responsibly with respect to IT security, and we will build on the observations and recommendations made by the Auditor General, to ensure that the Government's systems, networks and information are secure and protected.
Thank you for your attention. My colleagues and I look forward to responding to your questions.
Thank you, Mr. Chairman.
[English]
The Chair: Thank you very much. That was a long five-minute opening statement, but that's okay.
Mr. Mayfield, eight minutes, first round.
Mr. Philip Mayfield: Thank you very much, Mr. Chairman.
It is quite a long statement, and it reminds me of the first week I spent reading sociology, where you had to learn a new language to understand what we were talking about. And I must say, the way it was read, with the acronyms, the language, does not make it very easy for people like me to understand. Being of a suspicious mind, I wonder why we don't use language that is clearly understood. I look at the Auditor General's report and I see some specificity there: 85 contained vulnerabilities, one had to be reported because of the imminent danger there.
On the other hand, I see in your report, Madame d'Auray, that it can be done, we will build on it, we can use it, anything but specificity. I'm reminded of a situation, nothing to do with this, of a fellow who decided he was going to live in the wilderness and was going to break into people's summer cottages, and he did that for a long time, many months, perhaps years, I don't remember exactly. What always surprised me was that while the police couldn't catch him, a TV crew could go out and find him almost anytime they wanted and get an interview. So while we are dealing with this issue in a rather specific way, the Auditor General is able to move in and say these are some real problems we've found, and we haven't even looked at the whole show yet.
Mr. Timmins, was this report prepared relatively recently? We're not dealing with old information here, are we?
Mr. Douglas Timmins: No, this was tabled in April.
Mr. Philip Mayfield: I saw April 2002 on the book, and the audit was done reasonably soon before that?
Mr. Douglas Timmins: Yes, that's correct.
Mr. Philip Mayfield: Madame d'Auray, in your report, on page 2, you say, “We are generally in agreement with the recommendations in chapter 3”, which is really not a ringing endorsement, in my mind, of the recommendations of the Auditor General. Without telling me what you agree with, could you specifically tell us what you don't agree with in the Auditor General's recommendations?
Ms. Michelle d'Auray: If I can start with that, we do agree that we need to accelerate the work on the standards. We had to complete the review of the entire government security policy, which we completed, and the policy is in place as of February 2002. We have since launched the review of the existing IT standards, and where we have perhaps some questions is with whether or not a required monitoring or timing statement for the required report of departments and agencies is really the best way of dealing, for security purposes, for example, in information technology, with something that is really iterative. It changes on a regular basis. So having a static view at a given time will give you exactly that, a static view at a given time, but will not necessarily address the constant changes, which is in fact what departments and agencies have been doing.
º (1625)
Mr. Philip Mayfield: Are you saying the Auditor General just took a snapshot and really doesn't understand the dynamic view? Is that what you're suggesting?
Ms. Michelle d'Auray: That's certainly not what I said. I--
Mr. Philip Mayfield: I'm asking if that's what you're implying?
Ms. Michelle d'Auray: No, I'm not. You asked me where there is disagreement--
Mr. Philip Mayfield: That's right, I did.
Ms. Michelle d'Auray: Disagreement may be too strong a word. We would, as the policy indicates, leave it up to departments and agencies to determine when best to undertake the review of their IT security approach or status, as opposed to requiring a set timeframe within which those reports have to be done or completed. We had that in the previous security policy, and as the Auditor General found, it didn't necessarily lead to a regular reporting anyway. However, what we have found is that the departments have--
Mr. Philip Mayfield: Could I ask why there was not regular reporting? Were people too busy doing other things, so they forgot there was this timeline ahead of them, or they didn't have the information or couldn't get the information? Deadlines are usually there for a reason, and it's disappointing to me that we can just say it wasn't done. I'd like to know why.
Ms. Michelle d'Auray: There were a number of reports and a number of activities. We undertook a fairly major review of government holdings as part of the Y2K initiative. A number of business continuity plans were identified and undertaken. A number of reviews of security postures were undertaken as well as part of that. So there have been a number of initiatives and a number of undertakings. But if you are asking me where we have a disagreement, to use your term, it is on whether or not it is as effective as the Auditor General would conclude in the report to have a set date or time by which departments are held to report. Our view is that this is iterative and that it is best left to the deputy head of the department, which is what is indicated in the government's security policy.
Mr. Philip Mayfield: What if they never get around to it? In your report you do talk about government information, but I'm concerned about the personal information people give to the government. How secure is that? We read reports about people who have had their identities stolen by unscrupulous people. They can get that off the Internet in certain instances, if they have the expertise to do that. How concerned are you about the information of your clients, and not only government information? When we were talking about the Y2K thing, there was the example given of the Department of Defence in the United States setting up a group of hackers to test their systems. In fact, their systems were not very secure. Would you be able to even tell if someone were intruding into your information systems in the government?
Ms. Michelle d'Auray: You are posing a number of questions.
Mr. Philip Mayfield: I am, yes. I have many concerns.
Ms. Michelle d'Auray: Indeed. When we refer in the statement to government information holdings, this is the information the government holds, which includes the information citizens and business provide to the government. So when we talk of core information holdings, it is not the information we provide in the public domain, but the information we receive.
Yes, we are extremely concerned. Departments and agencies do undertake some vulnerability testing. They also rely quite extensively on the work of the Canadian Communications Security Establishment, which has a test to provide--
Mr. Philip Mayfield: I would ask about the depth of your concern, because I see the language used is “we could”, “we can”, “we can build on”, but I don't hear what you are doing, and I don't hear you meeting deadlines. I don't hear a great concern about this in the report you've made, other than your saying you have real concerns. I hope you do have real concerns, but to go by the report of the Auditor General and the statements you have made here, I don't think the concern is really that great. That is my impression, considering the language you have used. How can you tell me you're concerned when in your own language you don't express that concern? You don't express anything beyond having a system ready in case there is an emergency. It would seem to me that this is such a dynamic process that the emergency may be today, and we don't even know about it.
Thank you. As soon as you're finished, you're off the hook until next time.
º (1630)
Ms. Michelle d'Auray: Actually, if I can disagree with you on that front, we're not off the hook. We are constantly on the hook on this issue. In fact, we are extremely concerned, and we do spend a fair amount of time, effort, and funds on this. What we do, though, is leave it to the departments and the experts in the departments and agencies who have a primary mandate to make sure that more than the information is kept secure, that they watch and monitor this.
You were asking me earlier whether we have the capacity to determine whether or not people are intruding. Yes, we do. Do we publicly share that knowledge? No, we don't. Do we make sure it doesn't happen again? Absolutely. We have weekly conference calls where IT security experts share this information and determine the best ways to counter some of the incidents that do happen. There have been incidents where other governments in Canada have been taken down entirely as a result of viruses, but not the Government of Canada. This is a very effective security mechanism.
Perhaps my words are not translating the concern and effort we put into this, but rest assured, we are extremely concerned about it.
The Chair: Thank you very much.
Monsieur Desrochers.
[Translation]
Mr. Odina Desrochers (Lotbinière—L'Érable, BQ): Thank you very much, Mr. Chairman.
It is a pleasure for me to address the witnesses who have come here today to try and shed light on some of the observations made by the Auditor General.
With your permission, Mr. Chairman, I'd like to make an observation of my own. When it comes to getting explanations from officials from the Treasury Board Secretariat, we inevitably hear the same concerns expressed, namely that they seem to have a great deal of difficulty establishing performance indicators. In particular, it seems they have to drag the information out of departments.
In this particular context, it would seem that the only assessment we have is the one given by the Auditor General in her report. She pointed to several positive decisions that had been made and indicated that this was an encouraging sign. However, we don't have an overall picture of how the situation is likely to evolve.
Ms. d'Auray, the following is noted in the summary given today by the AG's representative: “Of the 260 systems that we tested, 85 contained vulnerabilities.” That's one third of all systems. Could you tell me if the systems that make up the other two thirds are at least secure? How do you feel about such disappointing audit findings?
Ms. Michelle d'Auray: Let me make it clear to you that I did not have access to all of the data produced by the Office of the Auditor General, but I can tell you that judging from the reactions of the audited departments, most of the systems targeted were public ones. They did not contain - and that's what I was trying to explain earlier - the kind of privileged or critical data that the government protects any way it can.
We do not publish certain kinds of information either and it would not be wise to reveal which systems in particular were found to be vulnerable in some way because all that would do is to encourage other potential security breaches.
However, I can tell you that to the extent we verified and validated the information with the departments concerned, we were given assurances that internal data most likely to pose a problem was fully protected.
º (1635)
Mr. Odina Desrochers: In the course of your regular review, were you able to identify which departments tend to be most cooperative when it comes to the objectives that you have presented to us today and could you share this information with us?
Ms. Michelle d'Auray: All of the departments are cooperating and I have to say that departments are actively participating in our Government On-Line initiative, particularly in terms of setting up secure communications channels. All departments will want to be involved and this will provide us with a joint infrastructure for the entire Government of Canada. Countries around the world are envious of us for having such an infrastructure.
We have an IT architecture and security framework in place that covers the full spectrum of the Government of Canada. We are now in the process of implementing this framework and as such, we are investing substantial sums of money in this initiative.
Mr. Odina Desrochers: Do you have an action plan in place with specific timelines? As Mr. Mayfield was saying, you have laid out some major organizational principles, but there seems to be a problem measuring progress made. If you were to come back next year on the same day, that is on May 21, 2003, would you be able to report back on progress made in achieving the goals set out for us today?
Ms. Michelle d'Auray: The majority of what I referred to earlier as the top 40 security standards would be fully in place. Our capacity for information exchange will also be much more developed and operations will be conducted in a secure facility where departmental IT security specialists will be able to exchange ideas and develop sound practices. We will be taking the best international practices and applying them to the Government of Canada.
However, before undertaking this task, we had to complete our renewal of the overall Government Security Policy, which we did. The new policy came into force on February 2, 2002.
Mr. Odina Desrochers: Will systems be less vulnerable in a year's time? Will we see some improvement?
Ms. Michelle d'Auray: I can tell you that most systems have been audited, according to the information conveyed to me by the departments. These were found to have an external focus. The most sensitive or delicate systems were not affected. Will they benefit from additional protection? Yes. Will this be provided on a regular basis? Yes. Will follow-up action be taken? Yes.
Mr. Odina Desrochers: Thank you very much, Mr. Chairman.
[English]
The Chair: Thank you very much, Mr. Desrochers.
Mr. Bryden, eight minutes, first round.
Mr. John Bryden: Thank you, Mr. Chair.
I don't need the Auditor General's report to tell me there's been a huge increase in cyber-attacks on sites. The number of attacks coming into my constituency and parliamentary offices in the last couple of years has been quite remarkable. I find that we're constantly under attack.
That having been said, one can now deal on-line with the Canada Customs and Revenue Agency. If one deals on-line with the CCRA, is there some degree of vulnerability?
Ms. Michelle d'Auray: The CCRA is in many ways in the best position to respond to that, but the answer they would give you is that there are no vulnerabilities. They take their security, as do HRDC and a number of departments and agencies, extremely seriously. The information holdings they have on citizens are extremely well protected.
Mr. John Bryden: In that context, I noticed that you are only just bringing in now a secure channel in the public key infrastructure, and I happen to know what that means. If it's not implemented now, surely the systems that don't have it are vulnerable.
Ms. Michelle d'Auray: What they rely on now is layer protection, and what it does not allow us to do right now is communicate in an interactive way in a secure environment. What a public key infrastructure will allow us to do is correspond. You can send in your tax statement now, but what we cannot do, because we cannot guarantee that you are who you say you are on-line, is provide you with the corresponding assessment notice. So we send that to you still by mail.
º (1640)
Mr. John Bryden: Can one of you explain, then, in some detail, for the benefit of Mr. Mayfield and others on the committee, what you mean by public key infrastructure?
Ms. Michelle d'Auray: I would ask John Weigelt, who is the director of the public key infrastructure policy, to answer.
Mr. John Bryden: And in nice layman's language. I understand it, but some of us might not.
Mr. John Weigelt (Director, IT Security and Public Key Infrastructure Policy, Chief Information Officer Branch, Treasury Board of Canada Secretariat): In a public key infrastructure you have a desire to share a key with a number of people, so that they can protect information for you and you only, and you have the assurance that only you can open it. One way to look at this is through a practical example. Let's look at the banks. I used to work in the hospitality industry, and at night I needed to deposit my funds in the bank, in a night deposit box. The bank distributed their public key to me. I went to the bank night deposit box, I opened up the deposit box, put the day's earnings into the deposit box, and closed it with the assurance that only the bank could open it, because only the bank held the private key to get at the information. We do the same thing in the electronic world. We distribute keys publicly to individuals, so that we can protect information to them, and only they hold the private key that enables them to open up that information. Essentially, we're doing that in the electronic world.
Mr. John Bryden: How far along are you on that program, because it's been around for quite a long time now, certainly in technological terms?
Mr. John Weigelt: We have a Government of Canada public key infrastructure installed that's servicing over 30 departments today, with certificates to small user groups. We're moving out with larger applications as we see the business need. We've also recently implemented perhaps the world's largest public key infrastructure plant, a hardware plant to deliver certificates to all those who do business with the Government of Canada. We've got that operational as of February 25.
Mr. John Bryden: Going back to the whole question of individual departments and current operations without the public key infrastructure, I noticed that you say Treasury Board is asking the departments to meet the standard set out in the policy. How can you be guaranteed that the departments are actually going to meet those standards?
Ms. Michelle d'Auray: I would argue that a number of departments are meeting internationally based standards. What the Auditor General's office has indicated quite correctly, and as we've responded, is that we haven't documented and formalized the standards work that currently exists, and that's what we're in the process of doing.
How would we monitor? Departments will, for example, if they want to connect to the secure channel, have to meet operationally some pretty tight security standards. So there's a very clear operational requirement. You will not be able to connect to and use the secure channel unless you meet some very specific security and operational standards. We will be producing a report by 2004 on the state and the implementation of the government security policy, but in order for us to be able to get those reports in, we also have to complete the developmental work on the standards. So we will be producing an interim report, which will be done by 2004.
Mr. John Bryden: One of the things that concerns me, though, is that it's going to be left to the departments themselves to determine when they need to do internal audits to look after maintaining the level of security they need. I'll put this question to the officials of the Auditor General. Is that a satisfactory response to the concerns you have been expressing?
Mr. Douglas Timmins: We made the recommendation that there should be a higher standard than that, there should be some minimum standard established. We note, as was pointed out, that the previous policy contained that and there wasn't a great deal of compliance, but I'm not sure that means the policy was wrong. It meant it wasn't being enforced or that people weren't complying with it. By taking a step back and now having a policy that doesn't require it, I'm not sure you're going to see more compliance, more awareness of security, and more effort to do it, just because there's no requirement. Our concern would be that the pressures for ease of access become the priority, not necessarily making sure that security is there. So I think there is a need for a minimum standard, and that's what we've suggested in our report.
º (1645)
Mr. John Bryden: That's what bothers me. In the history of espionage and the whole business of breaking into government systems it's always a question of those who are trying to break in looking for those departments, those areas that are the most vulnerable, that have paid the least amount of attention to the policies that usually, when implemented, work. My concern is that indeed, if you leave it to the departments to police themselves, you're creating an enormous opportunity for non-compliance that will eventually be exploited before the government is aware of it. How do you answer that?
Ms. Michelle d'Auray: The approach to security is, in fact, a layered approach. This is another discussion we have with the Auditor General's office, that there is no single minimum standard in the world in which we operate right now. There are different standards, different layers of security, depending on the sensitivity of the information and the type of interaction you want to have. So in that regard we would have a series of standards, as opposed to a single benchmark standard, and we will have, as we do now, a layered approach to security.
The other point I would make is that by making the deputy head accountable for the undertaking of the review of a security posture on a regular basis, as we move increasingly on-line, I would argue that people will not, in fact, be taking up the on-line services unless we provide some pretty good, bullet-proof security. And we will not meet our target unless we are quite concerned about it. That's why, in many regards, the departments themselves, as they move their services on-line, are in the best position to determine the degree of sensitivity, the degree of layers of protection within an overall framework the government can give.
The Chair: Thank you very much. That seems very good.
Now we turn to Mr. Martin for eight minutes.
Mr. Pat Martin: Thank you, Mr. Chair.
I must say I'm feeling a little uneasy the more I learn about this. I don't know if that was the intention of the authors of the document, that we would be alerted to some risk many of us weren't aware of.
I have a number of questions. First, the four government departments you reviewed were HRDC, Fisheries, Industry, and Parole Board. My first question has its origins in what happened recently in my own province of Manitoba, where the former Tory government contracted out the Manitoba health records to a private firm, and that firm was then bought up by a Houston firm, so now Manitoba's public health records, including my personal health information, are held and operated and controlled by a private contractor in Houston, Texas. There's always the fear of selling lists to drug companies who might want to solicit customers etc., so there's a confidentiality issue. I'm wondering how much alternative service delivery or contracting out is going on in those four government departments you looked at. Is database one of the things that's being privatized or contracted out? Did you come across evidence of that in your investigations?
Mr. Douglas Timmins: That was not the focus of our work. The focus of our work was to assess the practices as they applied them in those particular departments, including the original policy of 1994. We looked at the frequency of the internal audits, whether they had RCMP reviews, and so on. We were not focusing on whether they were contracting out.
Mr. Pat Martin: Okay, I'll move on.
Some of the charts and graphs are really quite interesting. With the Canadian cyber incidents on page 5, I would ask what types of recent attacks those four government departments have suffered. Also, how do you explain the unbelievable spike of activity during August and September of 2001? Do you tie this to some kind of international industrial sabotage or something? Could this be tied to terrorism on a cyber level?
º (1650)
Mr. Douglas Timmins: That certainly was something that struck us, but there is no indication that there is any connection in that regard. The most logical connection seems to be with a couple of fairly significant viruses that were spreading at that time and hit fairly widely. As for relating this to the four specific departments, we didn't do that. This is general Canadian information.
Mr. Pat Martin: So you could say that school is out for summer during July, August, and September, and high school hackers are more free to get out there. You would agree, though, that a committed group of hackers could grind government to a halt, they could grind industry to a halt, they could grind the stock markets to a halt if they were effective enough in infiltrating and screwing up the way we record data now. What I'm saying is that there's a sense of unease I share with Mr. Mayfield.
How often has Revenue Canada or the Treasury Board been hit with nuisance hackers? Is this a daily, weekly, monthly occurrence that you have to fend off on a regular basis? What were your findings?
Ms. Michelle d'Auray: There are a number of instances that occur on a regular basis, but I will ask John Weigelt to give you more details.
There is a point I think is interesting, which is that in order to get access to a number of key network systems, the office of the AG had to ask departments for their permission to do it from inside, because in many instances they were not able to get in from outside. There are lessons we have learned in dealing with denial of service attacks or hacking attacks. It has taught us some valuable lessons, but I would ask Mr. Weigelt to respond specifically to the question.
The Chair: Mr. Timmins has another point to make as well.
Mr. Weigelt.
Mr. John Weigelt: How frequent are computer events on our networks? If you have a system that's on the network, people are going to come by to see if you're vulnerable, much as they drive by your house while you're on vacation to see the mail pile up. Those events attract, and people monitor that, people go by to see if you leave your windows open. That can be viewed as a vulnerability. Vulnerability assessments will tell you when windows are open. Is that a risk? You may want to ventilate your house. So it's a matter of context, of understanding what risks you're taking, what risks you're accepting. Every day people are rattling the doorknobs, people are looking to see where there are exposures. For the most part, government departments withstand those. The actual penetrations are rather few.
The Chair: Mr. Timmins.
Mr. Douglas Timmins: I just want to clarify a comment that Madame d'Auray made. Our testing was external, not internal. To use the analogy of the house, we went to the door and checked to make sure it was open. We did not go inside, we didn't determine what damage we could do inside and whether anybody was there, but we did confirm that the door was open. We could have gone in, but we stopped and did not.
Mr. Pat Martin: That's very interesting. Thank you.
The Chair: Thank you very much, Mr. Martin.
Ms. Meredith, four minutes. We're now in the second round.
Ms. Val Meredith (South Surrey—White Rock—Langley, Canadian Alliance): Thank you.
I'm a user, but not a very smart computer person. I would imagine I'm not alone in that. A lot of people working in government departments aren't aware of when you leave a door or a window open. What kind of protection do you provide by giving courses? Who is responsible for that? Is part of this attempt to secure the system making sure the people using it understand that when you use a program and shut it down, you may not have closed the door?
º (1655)
Ms. Michelle d'Auray: Yes, it is. It is part of two types of activities. One of them is the intrusion detection capacity of individual departments and agencies. Most departments have firewalls, so there is a capacity to monitor who is coming in and who isn't, who's at the door, who's checking it out. There was also, as part of the creation of OCIPEP, a training and education awareness component, which is also part and parcel of the work we are doing as a result of the implementation of government security policy. There are IT coordinators in each department and agency, and that's also part of their task.
But perhaps I could ask Anne Brennan to talk about some of the communications and awareness work we're doing.
Ms. Val Meredith: What I'm interested in is not so much what the program is, but who monitors it, who makes sure the people using computer systems know what the secure measures are. If you don't have an audit on a regular basis, how do you know whether your staff are aware of when they're shutting doors?
Ms. Michelle d'Auray: There are a number of ways of doing that, mainly through the control of the network systems. The IT security coordinators or the CIOs of a department or agency will establish what the standards are, so that you are in fact logging off, and if you're not, that though the system is open, it doesn't create a vulnerability for the network as a whole. There are measures and mechanisms built into the systems.
Ms. Val Meredith: So you're telling me there are measures so that if somebody leaves a door open, it will be shut by somebody else or by another part of the system.
Ms. Michelle d'Auray: I don't want to mislead you. There are different types of doors and windows and there are different layers. It's almost as if you had a house within a house. At some point, yes, some windows are more vulnerable and open than others, but when you get closer to the protected, very secure, and very sensitive information, there are no doors and there are no openings. When you're running very open systems, when you're trying to get people to connect to you through the Internet, there are, as I was saying, layers within which you will create openings, because you actually want people to come in and gain access to information.
Ms. Val Meredith: You were referring to a process you have for that where you want input, and so you give out certificates to people who would be using an input on a regular basis with the government. How do you determine who gets those certificates? What kind of control is there on the individuals you would allow that kind of access to a more in-depth information base?
Ms. Michelle d'Auray: We do what is known as on-line authentication on the basis of what we have called shared secrets. So we will authenticate or validate you only if you tell us a certain set of information only you could have, which we then match against our holdings. We determine that you are who you say you are, and that allows you to get a certificate, but it doesn't automatically allow you to get into, let's say, a benefit or program, because then the normal application process kicks in.
Ms. Val Meredith: So there's a screening to indicate whether or not a person is who they say they are, but they may still be an individual you don't want to give the information to. Do you do screening on that?
Ms. Michelle d'Auray: There are some automatic rejections, if you will, that would disqualify you from getting a certificate.
The Chair: Thank you very much, Ms. Meredith.
Mr. Murphy, four minutes.
Mr. Shawn Murphy: Thank you, Mr. Chairman.
Madame d'Auray, in an answer to one of the recommendations--it's probably not that relevant, but I just want to point it out--you indicate that the security standards must be accelerated in support of the government's security policy, and you undertake to do so within available resources. I wanted to follow up on this whole area of available resources, which is something of a scary answer. It appears to me that as the government goes on to the whole on-line initiative by the year 2005, the services your secretariat performs are going to become much more important and take much more prominence. If I could put this thing in perspective, I think the issue we're talking about is probably 1000 times more important in the whole scheme of things than the Groupaction matter. Again, you're only as good as the people you have working for you, and I'm talking not only about your secretariat, but also about the whole internal department of people working in this area. I have three or four questions.
Are there enough resources allocated to this whole issue? Are the people the right type of people? How are these people recruited? We have had a lot of meetings here with the whole Public Service Commission, and we hear horror stories about trying to hire people. If you determine that you need a person in a particular job, by the time you determine the job description, go from A to Z to get that person hired, go through all the steps that are required, it takes up to a year. Could you describe the recruiting process? Is this recruiting process adequate for the types of people you are trying to hire? And do you have any other comments in the whole matter of human resources in this area, which I think is so important?
» (1700)
Ms. Michelle d'Auray: In the area in which we work we do have a certain amount of flexibility that may not be necessarily relevant in other categories or classifications in the Government of Canada. We have an accelerated recruitment capacity, given the nature and the requirements we have in this area. We can hire people who are outside government fairly quickly. We have, in fact, started to benefit from the downturn, especially in the Ottawa area, by gaining a number of highly specialized IT security experts to help us in the work we are undertaking.
On the resources side, we are spending, on average, about $100 million a year in security for the Government On-Line initiative specifically, which is out of the funding that was attributed for this. That's in addition to what departments and agencies are spending.
Mr. Shawn Murphy: So to answer my question, do you feel you have sufficient resources, and do you feel confident that you're getting the right type of people to work for the public service in this area?
Ms. Michelle d'Auray: We are benefiting from the capacity to recruit some very high-level expertise in this specific area, which would not, in other economic circumstances, necessarily be the case. We can take advantage of that right now and will continue to do so. Do we have all the expertise we would need in this field? We would probably benefit from having quite a few more, but we are also trying to put our services on-line, so there are experts in on-line service delivery and business transformation, as well as IT security experts.
The Chair: Thank you very much.
Mr. Harb, four minutes.
Mr. Mac Harb: Thank you very much.
You deal with information on-line as well as all the other issues. Where does Canada sit in regard to information on-line compared with the rest of the world? Are we the first? Are we the most connected nation?
Ms. Michelle d'Auray: We are doing extremely well. This is the second year in a row that an independent consultant has named Canada number one in the world for its on-line efforts. We have reached that mainly on the basis of two approaches we take. One is to put the user, the citizen and the business, at the centre of our activities, the other to take a whole government approach, which means we're trying to move the entire government forward. It is a very complex undertaking, but we seem to be doing it properly. A number of countries keep coming to us to find out how we're doing it. In fact, we have jokingly said we're not talking to them any more, because they are catching up to us.
Mr. Mac Harb: As a consumer, I will try to go on-line. I often find myself totally lost in the web. I want to find some information, and suddenly, before I know it, I have been dumped in a deep, dark well. I struggle often to get out and just go back to gain the information I am really looking for. Is any kind of effort now being undertaken by your department for easier use of information on-line, so somebody who is a first-time user will be able to find information a little more easily? The Auditor General did a report not too long ago criticizing some of the departments. The information on-line is exceptionally difficult to get to unless you are someone who is working in the department, and even then, it is exceptionally difficult.
Second, in answer to my colleagues, it doesn't matter, you can bring down the most sophisticated system in the world. There is nothing that is totally accident-proof, there is no question about it. As long as there are people who are designing systems, you are going to be able to find people who are able to destroy those systems. The Auditor General spoke about the external security of things, indicated that it was easy to get in through the main door. He could have gone in deeper if he had decided to, but he didn't. I would be interested in finding out what mechanism you have in place to ensure that the people who are working in the system internally are not causing trouble, in a sense, with providing information to people on the outside.
» (1705)
Ms. Michelle d'Auray: As to how you find your way through the Government of Canada information, we've tried to make it as easy as possible. If you go to the Canada site, which is www.Canada.gc.ca, at any point, as you're navigating through that site, you can always go back to the main page. The search engines are also pretty sophisticated. We've also organized the information and services along the lines we think are more intuitive to people. If they are looking for information for an aging parent, they will be able to find it under that, as opposed to trying to find out which department or program is concerned.
With regard to security and the measures we take for protection, a large part of the activity we undertook as part of the government security policy was looking at security practices for people as well, not only how we deal with the system's security itself, but also how we hire people, how we do their security checks, how we actually control access to buildings. That's why, with the government's security policy, when we look at it from an IT perspective, we also have to look at the entire range of security measures we have to take. If you have an alarm system in your house, that's great, but someone can throw a stone, dash in, and come out, or someone can actually reveal the code to your house from inside. We have to look at the whole gamut of security activities, as we do when we look at IT security. It's one part of the picture, hence the need to look at and review the government security policy as a whole.
Mr. Mac Harb: Thank you.
The Chair: Mr. Mayfield, you have four minutes.
Mr. Philip Mayfield: Thank you very much, Mr. Chairman.
When I read that less than 10% have submitted the audits that were required, when I realize that Treasury Board didn't go after those that were not available, and then, as I understand it, that Treasury Board did not analyse those audits that were submitted, it causes me real concern. Has there been an action plan prepared to guide the implementation of those recommendations you have agreed to?
Ms. Michelle d'Auray: We have developed an action plan to implement the IT security standards, and we are creating a senior level committee to continue the elaboration.
Mr. Philip Mayfield: Would you please provide that action plan to this committee?
Ms. Michelle d'Auray: I would be prepared to provide the top 40 security standards we are considering and to provide the final plan once we have completed the discussion with the departments and agencies.
Mr. Philip Mayfield: Can you give me an idea of when that might be?
Ms. Michelle d'Auray: That would be probably in a month's time.
Mr. Philip Mayfield: If you would do that in both instances, I'd appreciate it.
Do you have a timetable for updating the operational and technical standards for the GSP?
Ms. Michelle d'Auray: We have a timetable for the IT security component of it. Some of the first phases will be completed this summer.
Mr. Philip Mayfield: Would you provide that to this committee, please?
Ms. Michelle d'Auray: Yes, we will.
Mr. Philip Mayfield: Do you now have plans for communicating and implementing the government security policy?
Ms. Michelle d'Auray: Yes, we do, and we have done quite a bit to do so. My colleague Anne Brennan can speak to that.
» (1710)
Ms. Anne Brennan (Director, Information and Security Policy Branch, Treasury Board Secretariat): In January of this past year we had meetings internally in the National Capital Region with all the security personnel to elaborate what the new policy requirements are. We also had sessions in the regions from March until about May to explain what the policy requirements are, and we are continuing with these presentations. I think we still have Winnipeg and Toronto to do. We also have bimonthly meetings with the security community where it can raise any concerns about the policy.
Mr. Philip Mayfield: Would you be willing to provide a copy of this policy to this committee?
Ms. Anne Brennan: Yes, absolutely.
Mr. Philip Mayfield: What priority has Treasury Board Secretariat assigned to addressing gaps in information technology security that have been identified by this audit?
Ms. Michelle d'Auray: We have identified, as I indicated, the top 40 standards we will be working on and have already started to work on. We are identifying a number of the intrusion detection capabilities, and departments and agencies have a number of these in place. And we are completing the implementation of the secure channel, which is a huge component of our government-wide security posture.
Mr. Philip Mayfield: What technological, human, and financial resources have been allocated to this effort you're describing?
Ms. Michelle d'Auray: They're in a number of places, but the December budget indicated quite a bit of funding for OCIPEP, which is the organization that will collect--
Mr. Philip Mayfield: That's the emergency one, isn't it?
Ms. Michelle d'Auray: That's the Office of Critical Infrastructure Protection and Emergency Preparedness. It was $396 million in the December budget of 2001 that was allocated to OCIPEP.
Mr. Philip Mayfield: Have there been extra human resources provided for this too?
Ms. Michelle d'Auray: We have been allocated some extra human resources to deal with this particular issue.
Mr. Philip Mayfield: Can you give me an idea of how many?
Ms. Michelle d'Auray: Eight.
Mr. Philip Mayfield: Eight.
Ms. Michelle d'Auray: That applies to the secretariat itself. Others have been provided to other departments and agencies, including the CSE and the RCMP.
Mr. Philip Mayfield: The Auditor General reports that under previous versions of the government security policy very few of the internal audits that were required every five years were conducted. The new policy only calls for active monitoring. Can you tell the committee why this change was made?
Ms. Michelle d'Auray: There are a number of reasons, the core one being, as you yourself have indicated, that this is a dynamic environment and we would prefer to have an iterative and regular discussion among IT security specialists. We do have and will continue to have weekly conference calls among the 20 most important departments and agencies to share best practices, so that we do have an active monitoring, if you will, on a weekly basis.
Mr. Philip Mayfield: Considering the dynamic and rapid pace of this technological change, you consider that to be adequate, do you?
Ms. Michelle d'Auray: Well, every time there is a virus or a potential for a denial of service attack, OCIPEP produces an alert, and those alerts go out sometimes on a daily basis, sometimes three or four times a day. Patches are downloaded by the security specialists and put into the system. So the touchstone, if you will, is weekly, but the monitoring and the activities happen on a daily and sometimes hourly basis.
Mr. Philip Mayfield: When you talk about bringing the government along, I know it must be difficult. I know what it's like to move a horse, particularly when it's standing on your foot, so I do have some sympathy for you.
Thank you very much.
The Chair: Thank you, Mr. Mayfield.
I'm looking at Mr. Timmins' opening statement. We read:
We found that there had been little monitoring of the state of IT security across government. In the past five years of about 90 departments and agencies subject to the government security policy only 10 departments have submitted internal reports.... As a result, the government does not have an adequate basis to determine whether existing IT security practices are acceptable....
In your opening statement, Ms. d'Auray, you say, "I would like to assure members of the committee that the government's key information holdings are secure." I have a problem trying to reconcile these two statements, and so I'm going first to Mr. Timmins. Do you feel the government can make the assertion that their systems are secure?
» (1715)
Mr. Douglas Timmins: One of the major concerns in our chapter is that the information is lacking. Although we certainly support ongoing monitoring on a weekly basis, having meetings, and so on, we would certainly suggest, and I think our report suggests, things like overall threat and risk assessments on a regular, periodic basis, internal audits, other forms of assessment, to gather the information, perhaps conducting vulnerability testing and accumulating material over some period of time, but it all needs to be brought together. The plan is to do that in 2004, and we're suggesting a definite action plan to get that information by at least 2004, though we would encourage it earlier. I think our perspective would be that it requires a more rigorous action plan to do all that, rather than just continuing to have meetings and doing it ad hoc, as it tends to have been done up to now.
The Chair: Ms. d'Auray, in light of Mr. Timmins' point that they did a test from the outside and they found a number of open doors, although they never did go through the doors, how do you make this assertion that the government's key information holdings are secure?
Ms. Michelle d'Auray: Because some of the doors, even though they may have been open, didn't necessarily lead to some of the confidential or sensitive systems or data holdings of the government.
The Chair: When you don't have the audit reports from the departments, and some of them were never even done, how can you make that assertion?
Ms. Michelle d'Auray: We have the audit reports now, and we have gone through them. When we wrote the statement and sent it to you, we didn't have all the information. What we do have is a good understanding of what took place, and if you want some more specific elements, I can ask my colleague to speak.
The Chair: No, my point was that you're saying these doors didn't lead anywhere, and they've all been closed now anyway. Is that what you're saying?
Ms. Michelle d'Auray: Yes, those doors identified by the Office of the Auditor General have been closed. What I am saying is that a number of the doors will continue to be open, because we want public access, we want input. The core systems, the internal systems, the holdings of sensitive data are in fact secure.
The Chair: Okay.
Mr. Timmins, did you advise Treasury Board of all the doors you found open?
Mr. Douglas Timmins: We advised each of the departments we did around January. The one that was of particular concern to us immediately we let know. That was particularly problematic. I think the point is that once you're in, the issue becomes the internal practice in being able to protect how far you can wander in the house once you're inside the front door. There may be barriers, there may not be barriers, and that's the issue we raised. Until you know, you're not able to determine if the secure areas are adequately locked, and that needs to be done as well.
The Chair: Your statement, Ms. d'Auray, that everything is secure tests my credibility, and I'm not exactly sure. Where the audit was done, these statements you're making are accurate, but perhaps, since they only did a test, there may be other doors you're not aware of that are still open. I think you're being more than generous with the statements about everything being fine in the government. I am not that assured, as Mr. Mayfield and others have said they are not this afternoon.
I take a look at paragraph 3.42 and forward from there about the problems the Auditor General has found where there has been absolutely no follow-up by the Treasury Board on your own rules and regulations. How big is your department that writes this policy for security for IT within the government?
Ms. Michelle d'Auray: For the government security policy, which is the overall, I think we have two people. For IT security we have four.
» (1720)
The Chair: So you've got six people writing the policies for the whole of the government. How many people are part of this monitoring process to ensure that they follow the rules you write?
Ms. Michelle d'Auray: We have, as I indicated, a weekly conference call that gathers about 20 departments and agencies or individuals.
The Chair: No, it wasn't a question about a conference call. How many people do you have on your staff who are involved in monitoring to ensure that the policies you have written are actually implemented?
Ms. Michelle d'Auray: For IT security? They're the same people.
The Chair: So you've got a total of six people on the Treasury Board who have this responsibility for security, government-wide policy, and monitoring the policy government-wide. Do you feel that's sufficient?
Ms. Michelle d'Auray: We have just, as I indicated earlier, been allocated eight more people.
The Chair: Oh, double and more. What was the motivation for the doubling? Was it the Auditor General's report?
Ms. Michelle d'Auray: No, it actually happened before that. It was for the implementation of the government security policy and the development of the standards.
The Chair: Okay.
Mr. Timmins, do you have anything to add on this?
Mr. Douglas Timmins: No.
The Chair: Okay.
The problems we have are well known. There are hackers around the world who are constantly trying and testing. A number have been successful, as we know, not just in this country. There have been embarrassing opportunities to attack government systems in other countries around the world. We are not immune with 6 people going to 14. Fourteen to write policy and monitor it I think is a start, but I've always been critical of the Treasury Board and the fact that you write a myriad of policies, but you never police your own policies. Here we have another example of Treasury Board writing policy and not monitoring it. So let me ask you, if you have all these people writing these rules and saying, you have to do audits every five years, you have to do this, you have to do that, you have to ensure that security is fine, how are you going to monitor it from here on in?
Ms. Michelle d'Auray: We are going to monitor, and we are going to also rely on the specialists who reside in departments and agencies, such as the CSE, such as the RCMP, because we are not the only holders of the information, the capacity, or the expertise to develop some specific standards. Our approach in the development of the standards and the monitoring is also to share across the band of the departments and agencies, because they do also have an individual responsibility, as the deputies have at their institutions, to undertake the monitoring.
The Chair: In spite, again, of your assertion that everything is fine, I'm taking a look at a CSIS report dated May 6, 2002, that's on the web. It says:
As a result, the growing capability of a variety of hostile actors to make offensive uses of IO in both its physical and non-physical forms has a potential to threaten the public safety of Canadians and the national security of Canada.
CSIS, as of May 6, 2002, which was two weeks ago, are not convinced that our security is up to par, which is why my credibility with your statement is stretched, to say the least.
I think we've run out of time, so we're going to have some closing comments by Mr. Timmins.
Mr. Douglas Timmins: I'm encouraged to hear the responses from Treasury Board in regard to the technical and operational standards and the action plan they have promised to provide to the committee. But I would reiterate my other concern that remains, whether there will be sufficient information collected across government for us to know about the status of security. I would certainly urge that this be revisited by Treasury Board, or perhaps this committee may want to come back and visit it, depending on what they see in the action plans they receive.
The Chair: Thank you, Mr. Timmins.
Before we adjourn, in light of the motion that was adopted by the committee earlier in this meeting, the clerk advises me that the witness, Ms. Falardeau-Ramsay, will not be available until 4 o'clock on Thursday. Therefore, I'm proposing that we have a steering committee from 3:30 to 4 o'clock on Thursday. If there are any problems with witnesses, we would bring them back to the committee on Thursday afternoon. So that's an advance notice of a steering committee from 3:30 to 4. The main committee meeting will not start until 4 o'clock on Thursday. The clerk will be sending out a notice accordingly.
The meeting is adjourned.