Federal departments and agencies are making only marginal progress in improving their cyber maturity, Ottawa said Wednesday as it released its first government-wide cybersecurity strategy to centralize IT cybersecurity responsibilities and oversight.
The strategy reflects unhappiness that departments and agencies have varying degrees of cybersecurity maturity.
Already this year the government has had to deal with cyber attacks on Global Affairs, the RCMP and the anti-money laundering agency known as FinTrac.
A document explaining the strategy notes a Treasury Board cyber maturity self-assessment tool shows in the past two fiscal years federal departments “remain on average below the target of having repeatable processes to identify and respond to [cyber] threats in support of an effective defence against new and emerging threats.”
“The tracking and maintenance of technology assets and data (both on-premise and in the cloud) are not comprehensively understood or managed,” the document adds, “which limits visibility and awareness of which assets need to be protected. Many departments and agencies rely on manual processes, which can be time-consuming, error-prone and ineffective.”
The pandemic has meant more civil servants working from home and therefore increased risk, the strategy notes.
“While the traditional perimeter-centric security model has served the government of Canada well, the notion that digital assets and users within a defined boundary are trustworthy does not scale to the new digital world,” the strategy says, “where the trusted perimeter cannot be defined.”
The government already has several tools, including a Policy on Government Security, which dates back to 2019. A Policy on Service and Digital in 2022 set minimum IT configuration requirements. Still, the strategy says, the level of capability, investment, and security understanding across federal departments and agencies remains inconsistent in part because of legacy IT systems.
Departments and agencies are using a combination of different tools, methods and services to monitor their systems, the document says, “which can make it difficult to obtain a comprehensive view of potential security threats and may lead to unintended duplication or gaps in monitoring.”
The government has a framework for defending IT systems, but individual departments and agencies have “considerable lattitude” over whether to opt into or accept specific defensive technologies. And Crown corporations — like the post office, the Bank of Canada, the CBC and others — aren’t obliged to follow Treasury Board cybersecurity policies.
The new strategy was created by the Treasury Board, which sets government-wide policies. It will apply to about 100 departments and agencies. Crown corporations are being encouraged to adopt the strategy’s objectives and goals.
The actual running of IT systems is in the hands of each department; Shared Services Canada (which provides standardized infrastructure for shared email, data centre and telecommunications systems for 45 departments) and Defence Department’s Communications Security Establishment (CSE), which advises on cybersecurity technical issues.
Within departments there are chief information officers (CIOs), chief security officers (CSOs), and a designated official for cyber security (DOCS).
The newly-announced IT strategy has four objectives:
- articulate cyber security risks and their business impacts for effective, action-oriented and accountable decision-making;
- prevent and resist cyber attacks more effectively, leading to greater protection of Government of Canada information and assets;
- strengthen capabilities and resilience across the federal government to proactively prepare for, respond to and recover from cyber security events;and
- foster a diverse federal workforce with the right cybersecurity skills, knowledge and culture.
To do that Treasury Board, Shared Services or the CSE will:
- create annual risk management processes, governance and accountability for departments to follow. This includes having a common approach for assessing each department and agency’s cyber security posture, conducting independent cybersecurity assessments and year-round testing and creating an integrated risk management platform that provides actionable recommendations;
- implement tools so IT departments can continuously identify, monitor and manage their attack surface as well as have accurate inventories of IT assets;
- create a government-wide vulnerability management program;
- enhance third-party cyber security risk management;
- standardize risk-based cyber security requirements, clauses and conditions in contracts departments sign with external suppliers, including obliging departments to routinely verify supplier adherance to contractual security clauses;
- modernize enterprise-wide identity, credential, and access management systems, including using multi-factor authentication everywhere;
- modernize applications and delivery methods using common reference architectures for the secure delivery of digital services;
- establish a secure-by-design approach with security architecture and engineering resources integrated within projects to ensure that security aspects and potential threats to the system are addressed;
- transition IT systems to use standardized post-quantum cryptography to protect from the threat of quantum computers from unscrambling encrypted federal data;
- at minimum making departments and agencies conduct one cyber tabletop exercise up to the Deputy Minister level each year.
The strategy also calls for clarifying roles and responsibilities for IT monitoring. That will include:
- creation of centralized or command security operations centre at the CSE’s Canadian Centre for Cyber Security to monitor all federal IT security infrastructure;
- creation of an infrastructure security and network operations centre (ISNOC) at Shared Services Canada for network monitoring;
- creating specialized security operations centres for mature departments and agencies that require additional network visibility;
- managed SOC services for those departments that aren’t mature to do it themselves;
- facilitating the sharing of logs and other critcial information held at the enterprise level to provide departments and agencies with end to end visibility of data flows.
The government will also establish a standard, mandatory cyber security awareness training program for all federal employees. To help expand the cyber workforce there will be cross-functional trainimg programs to upskill employees. That will include creating a centre of cyber workforce development.
The strategy includes a “logic model” which says some activities may take up to 10 years to accomplish.
The first phase of the strategy will:
- establish a centralized evaluation system with independent assessments and thorough reviews of departments’ cybersecurity to identify and prioritize risks;
- create a federated integrated risk management platform to enable prioritization and data-driven reporting as a key part of a broader enterprise portfolio management system;
- create a government-wide vulnerability management program for a co-ordinated vulnerability disclosure process;and
- form a new Purple Team that will emulate techniques used by malicious threat actors against government systems to proactively test and audit any security gaps.
The government has set aside $11.1 million over five years in the proposed budget now before Parliament to support the strategy.
“In a world when going digital is more and more our reality, we must ensure that our systems remain secure from cyber threats and deliver the highest quality of programs and services to Canadians,” Treasury Board President Anita Anand said in a statement. “To achieve this, we are announcing the first of its kind Government of Canada Enterprise Cyber Security Strategy to help us manage risk, prevent cyber attacks, strengthen our resilience, and cultivate a strong cyber security culture. Together, with our partners we will work to support a robust and modern digital infrastructure while ensuring our workforce has the talent and knowledge to foster cyber security.”
The strategy reflects years of IT underinvestment in federal IT systems, said Queen’s University professor Christian Leuprecht, an expert on security and defence. It’s also a recognition of a fragmented system that requires an integrated systems approach to succeed.
“Good plan in principle: strategies help to identify outcomes on which to focus, associate outputs to align with those outcomes, and align means (resources) with those outputs. The strategy is perfectly sensible, and hardly a moment too soon,” he said.
“But it comes at a time of severe fiscal constraint within the federal government, where relevant departments and agencies are subject to budgetary restraint and cuts; so, announcing a strategy is one thing. Actually aligning the human resource and O&M [operations and management] funding to operationalize it is quite another. This government in particular has a well-trodden track record of performative announcements that aren’t effectively resourced.”
He called the announcement “more of a vision than a strategy. Nonetheless, it’s an important step forward, and we can only hope the government will resource it appropriately and accordingly.”
“The high-level objectives make sense and map to best practices, which is good to see,” said David Shipley, head of New Brunswick’s Beauceron Security and co-chair of the Canadian Chamber of Commerce’s Cyber Council.
“The devil, as always is in the details,” he added. The announcement “strikes me as an aspirational roadmap more than a strategy.” He wants to see some clear metrics and a timeline to achieve goals including 100 per cent deployment of all multi-factor authentication for all internal and external government services and a target to use made-in-Canada technology and services from the private sector to supplement and enhance public sector initiatives.
“Also, $11 million to implement this strategy is beyond absurd. They’ll need much more money to get this done better and faster.”
