Treasury Board of Canada, Secretariat - Government of Canada
CIO Address to 2005 Cyber Protection Forum

Helen McDonald, Acting Chief Information Officer

January 18, 2005

Bonjour. Good morning!

It is my pleasure to be here this morning and to have the opportunity to address the first Cyber Protection Forum on issues surrounding the state of IT security in the Government of Canada.

Privacy, accessibility, interoperability, transparency and resilience are core requirements for democratic governments. In Canada, these permeate every function and activity of the federal government.

Security is also one of these broad requirements.

A democratic government has the duty to protect its transactions, assets, employees and infrastructures to the best of its ability. This is very much the context in which the Government Security Policy and, more recently, the National Security Policy, were developed. This commitment applies to our physical environment as well as to cyber space, the area on which I will be focusing today.

We have come a long way, over the past few years, in protecting Government of Canada critical infrastructures, information and business processes.

For the past four consecutive years, the Government of Canada has led the world in our move to establish e-government. And despite significant changes to both program designs and technological environments, the government has successfully evaded major disruptions to its operations. Canadians are using the Internet more than ever in their dealings with us, and we have been able to guarantee them the level of access, privacy and security that they rightfully deserve. In those instances where cyber threats were expected, the Government of Canada has been able to come together as an enterprise and, through effective collaboration and coordination, to manage related risks effectively. This has been thanks to the relentless efforts of the IT Security community.

Next month, however, the Auditor General of Canada, Sheila Fraser, will table an audit report on Canada's performance in several areas, particularly the matter of IT security. This report is a follow-up to an IT Security audit that was conducted in 2002.

I expect that the Auditor General will find that federal departments have not devoted sufficient importance to complying with published IT security standards and to developing departmental business continuity plans.

As for my own unit in Treasury Board Secretariat, the audit will likely find that we could have been more aggressive in developing IT security standards to meet constantly changing technological advances, in coordinating the necessary awareness training across the government (especially at senior levels) and in providing effective feedback, audit and oversight (either by ourselves or by lead agencies).

The Treasury Board Secretariat (TBS) agrees. We need to make more progress on the path of continuing improvement.

As a business, the Government of Canada is not necessarily behind when compared to other jurisdictions or large multi-national companies. Achieving effective IT security is a very difficult challenge, especially in an environment as complex as the federal government.

It is our intention to complete all remaining operational standards to support the Government Security Policy before the end of 2006. We have also initiated a process to keep the policy and standards up-to-date.

In 2007, TBS is required to review the GSP. Over the next few months we will be providing Treasury Board Ministers with a mid-term report on the effectiveness of the 2002 GSP as well as its implementation. This report will include the results achieved, training for security professionals and governance for Business Continuity Planning, physical security and ITS.

TBS is proposing a three pronged approach to improve the security posture of the GoC at large, namely:

  • by developing an Integrated Risk Management framework that incorporates security risks
  • by promoting the "business" value of IT security for GoC programs, and
  • through more effective assessment in departments and agencies of the impact of adopting new technologies and solutions.

Let me expand on each of these:

The first prong is the Security Risk Management framework:

The risks surrounding cyber security – or lack thereof – remain poorly understood among the senior levels of government. Despite the many threats and vulnerabilities to which our IT systems are exposed, we have yet to experience a serious disaster. Perhaps as a result, we do not spend enough effort to communicate effectively the value of our efforts and related expenditures to business or program managers. In a sense, the efforts of the ITS community have been too successful.

But given the continued if not increasing need for difficult choices between strategic priorities and hard decisions with respect to the corporate risk profile, particularly in today's ERC world, it is more important than ever to effectively communicate the value of IT security solutions within departments and agencies.

The most difficult event we have had to deal with was the electricity failure that blacked out Ontario in the summer of 2003. This event was not caused by sabotage but was the result of an unfortunate accident and, arguably, poor business planning.

We believe that a more strategic approach to business security and business continuity planning could have prevented this disaster, which cost US and Ontario citizens and businesses hundreds of millions of dollars.

As leaders and specialists in this field, we have to continually examine these situations and adapt the lessons learned to our respective environments.

Many of the cyber incidents typically reported to senior managers in departments and agencies have been related, for example, to the defacing of websites, to new viruses, or to events that have resulted in minimal denial of service: events which at best constitute an annoyance rather than having any significant business impact.

By the way, these incidents are no longer included in the incident statistics of the major Computer Emergency Response Teams, such as Carnegie-Mellon or our own CanCERT. So, an effective IT security posture must also be supported by an equally effective communication and reporting strategy, by which events will be given the appropriate level of attention by the appropriate management level.

TBS is developing a Security Risk Management framework, consistent with the Integrated Risk Management Framework and policy. To be effective, security risk management must be practiced in a continuous fashion, both by the technical specialist as well as the program manager. TBS looks at continuous security risk management as a three-step process, which in our view is fundamental to the departmental implementation of the Government Security Policy.

First, threat and risk assessment must be carried out, and this is not happening to the extent it should be today.

A TRA identifies employees, assets and services requiring protection, assesses the likelihood and consequences of threats to them and recommends safeguards that allow for an acceptable level of risk. In today's technological environment and with the widespread use of the Internet for the exchange of information and delivery of government services, this level of risk will never be zero. And that's OK. The focus is on the acceptability of the residual risk, through a sound risk management decision process.

A key element in the way forward is the project under way led by CSE and RCMP to amalgamate the detailed TRA guidelines from their respective organizations. This much-welcomed effort will provide a common approach that will incorporate both physical and IT security TRA processes. This will supplement the TBS Operational Security Standard on Risk Management that is being revised now.

The second step is the implementation of safeguards once the security risk is assessed.

Safeguards must be incorporated into operational and service delivery plans, programs and processes. Too often still, IT security is being carried out as an afterthought. Key here – and I will be addressing this issue a bit later on – is the need to develop a greater awareness around these issues especially among senior GoC officials and program managers.

The third step of "continuous security risk management" is monitoring. Monitoring includes security audits and inspections, security incident responses and investigations, and keeping track of trends and developments. These monitoring activities should inform threat and risk assessment activities and provide the means for determining if safeguards are effective.

Treasury Board Secretariat is now working with lead security agencies and departmental representatives to develop a monitoring process that will provide meaningful information. We will also ensure that we find the most effective way to collect the information required for this monitoring.

TBS will also work closely with lead security agencies, as well as with line departments, to develop the guidance and tools (such as an updated IT security self-assessment tool) to assist you to include IT security in an overall integrated corporate risk process.

This more comprehensive risk management approach will improve IT security and IT security management across departments, and thus improve the integrity of our operations and service delivery. As well, it will enable more effective sharing of information about the risks and effective responses. The Security Risk Management standard will be published by this summer.

The second prong, of our three-pronged strategy to improve the overall GoC security stance, is to promote the "business" value of IT security solutions to GoC program managers:

We need to find better ways to promote the "business" value of IT security solutions to GoC deputy heads, senior officials and program managers. We need more effective communication strategies around the value to government programs of good security.

Security has to be understood as being more than just protection. Unfortunately, many senior government officials see IT security as somewhat of a black art or, at best, as a very narrow specialty. IT security is not usually seen as adding to the value of their business processes.

It will be easier for business managers to see the value in security if IT security solutions are not simply presented as an ultimatum. Too often managers are being asked to either fund the total security package presented to them or single-handedly accept all residual risks.

One of the opportunities for making the link for business managers will be around the management of secure electronic identity, both for employees and for our clients. Managers need to ensure that commercial confidential or personal information is only shared with the right individual, that the right level of benefits goes to the right person, and that there is a reliable audit trail for on-line client transactions.

The adoption of an electronic identity, perhaps shared, or in certain circumstances common, including digital signatures for citizens, businesses and Government of Canada employees, will bring great value to business processes and programs. Trusted electronic identity management is part of security and should be understood as such.

We need to promote the need for everyone in the Government of Canada to be IT security "responsible" just as managers and employees have become much more conscious of their privacy responsibilities in the past several years. We need to develop a similar awareness and commitment in the area of IT security. IT security is a discipline that must be adhered to by everyone, at all levels of an organisation, not only by technical managers.

This does not have to be difficult. According to the IT Security audit by the Auditor General in 2002, almost all of the vulnerabilities in departmental systems were the direct result of a failure to pay attention to IT security.

Most of the vulnerabilities were due to the use of ineffective passwords, the continued use of default configurations in operating systems, and a failure to install security patches. These are very basic problems and the solutions are already known. In fact, every ITS Web site provides clear directions on how to solve these problems.

We also need to communicate better among ourselves.

Like any large and geographically dispersed organization, the Government of Canada must operate within a networked and interdependent environment. This environment will increasingly require a "collective" approach to ensure effective IT security and to enable departments to respond quickly to a security incident and to share relevant information. This ability to react will become an essential element of an enhanced security organization.

But what does this mean concretely? It means creating fora for the exchange of information, ideas and best practices. We have recently initiated "MITS days", half-days dedicated to the ITS practitioners and other security specialists.

But TBS also has an oversight role. Departments and agencies should prepare action plans indicating when they intend to fully comply with the IT security requirements of the GSP and with the Management of Information Technology Security standard. TBS will soon be requesting that departments and agencies produce IT security action plans.

Discussions have already begun with IT Security Coordinators on how best to develop individual departmental plans for compliance. Departmental plans will be required for submission to TBS by summer 2005, under the signature of the deputy head or designate thus ensuring the involvement and commitment of senior departmental management.

Departments will have until the end of 2006 to meet their stated security posture. TBS will be following up on the implementation of these plans shortly after December 2006 and, in early 2007, will be reporting to the Treasury Board on the organizations that are and are not complying.

The third and final prong in our overall approach to improving the IT security posture of the Government of Canada relates to technology:

We often refer to technology as an enabler of change. Technology can make government programs and departments more agile, more effective and more efficient. It is also required to meet the expectations of a citizenry that wants to interact with its government at any time of the day, on any issue relevant to them, from anywhere in the world.

But this is only the case if we pro-actively plan for such enablement. Otherwise, technology can be a disruptive force or can have unexpected and negative impacts. More effective strategic planning processes are needed before the adoption of new technologies, including IT security solutions, in departments and agencies.

From a strategic planning perspective, we need to consider how various products and services can work together in a secure mode "before" they are implemented. In too many cases, today's practices attempt to integrate security solutions after the applications or services have been bought or built.

And, I believe that we need to act more strategically. Too often, IT security is driven by risk avoidance rather than by risk management. Again, that situation is linked to the fact that managers do not understand the value of security solutions.

There is a growing need for individual departments and agencies, as well as the GoC at large, to be more resilient in the face of rapid technological change. There are advantages to providing some of the solutions at the enterprise level, for the government as a whole.

It is in this context, then, that TBS and PWGSC, in conjunction with the lead security agencies, are leading the move towards the provision and use of common and shared IT security infrastructures and services.

Measures such as Intrusion Detection, Vulnerability Assessment, software maintenance and system development methodologies are more efficiently implemented in a common centrally-managed IT infrastructure rather than in a department-by-department fashion.

The significant investments made by the GoC in common IT services are and will continue to be an important contribution towards more effective security for the Government of Canada's transactions, operations and services.

The Secure Channel provides a set of common and secure infrastructure services designed to ensure the delivery of protected information and allow individuals, businesses, employees and other governments to conduct transactions with security.

At present, 122 departments and agencies are using Secure Channel services.

TBS will soon be asking Treasury Board Ministers to approve the criteria under which Secure Channel services will become mandatory for all departments and agencies.

Building and maintaining the trust and confidence of our citizens, businesses and other governments with whom we do business is essential to effective service delivery. To achieve that trust and confidence, we need the commitment and cooperation of personnel across organizational boundaries, sharing information on IT security incidents, issues and related solutions.

The Integrated Threat Analysis Centre (ITAC) developed by the Canadian Security Intelligence Service is a noteworthy example of improved information sharing on threats and vulnerabilities.

An effective security system begins with threat assessments. In the past, many departments and agencies produced threat assessments with limited sharing and inconsistent analysis.

ITAC's primary goal is to produce comprehensive threat assessments through increased information sharing and integrated intelligence analysis. These threat assessments will provide policy makers and first responders with the information they need to make decisions and take actions that contribute to the safety and security of Canadians. The Centre brings together the information and expertise from numerous departments and agencies.

ITAC's contribution to the intelligence community and relevant first-responders has already been felt and will play a key role in the broader issues of interoperability, of rethinking how information is classified and the ability of the federal government to share, in real-time, sensitive information with other jurisdictions.

We need to develop a coordinated incident detection and response capability across government to respond effectively to cyber threats and vulnerabilities.

Treasury Board Secretariat, the Communications Security Establishment and Public Safety and Emergency Preparedness Canada are working to provide this capability.

The detection, analysis and response infrastructure project (DARI) is an integrated effort dealing with standards, a government-wide architecture, and coordinated government-wide implementation. The architecture work is nearly complete and the Secretariat, in partnership with PSEPC, is developing standards for Incident Detection and Incident Management.

ITAC and DARI illustrate the kind of transformations required to have a government-wide capability to meet the new requirements in the National Security Policy.

More of these kinds of transformations will be needed. TBS provides support through architecture methodologies and tools such as the Business Transformation Enablement Program (or BTEP). At the root of BTEP is the concept of a common language [the Government Strategic Reference Model (GSRM)] that will enable the necessary transformation to greater interoperability and more effective information sharing, key elements to a safer Canada.

These tools were successfully applied in DARI and additional effort is currently underway to develop the broader Vision, Strategy and Design for security in the Government of Canada.

Let me now close with a few additional thoughts.

In our attempt to continually find new ways to promote and effect greater IT security, the CIO Branch is considering how the Management Accountability Framework can be used to enhance departmental security postures.

As you know, the MAFs are the basis for annual discussions between deputies and the Secretary. One of the dimensions for discussion is risk management in general, and thus we will be using the information available within TBS to give our views on the IT security stance within departments.

We will also increase the attention given by the Secretariat to IT security aspects of departmental submissions and corporate risk profiles.

There may also be other Secretariat "incentives" related to improving Information Technology Security. For example, we have not yet examined the possible reallocation of any departmental savings identified by the Expenditure Review Committee as a result of effective security measures.

We will ensure that departments and agencies follow a strategy that promotes integration and coordination of IT security plans and activities for their infrastructure and their operations.

My organization will actively support projects that emphasize proactive sharing of best IT security practices and processes in order to promote this kind of integration.

The governance surrounding security policies is crucial to ensuring enhanced security. We are now reviewing the governance of Information Technology and Information Management in the Government of Canada to ensure that security – especially Information Technology security – is an essential part of our governance models.

The Government of Canada (GoC) operates in a dynamically changing risk environment that requires an active and continuous defence against cyber attacks, viruses and other internet-related threats.

Policy and standards are necessary to establish a common posture and constitute one of the key components of the overall federal ITS response. But in addition, TBS and the lead security agencies have been providing practical assistance and guidance to departments and agencies to help them improve their overall ITS posture and to support their ability to act quickly and cooperatively to prevent, detect and respond to security breaches across the Government of Canada.

Such support will continue in the future.

Thank you.
