Cybersecurity of Personal Information in the Cloud

Opening Statement before the Standing Committee on Public Accounts

(Report 7—2022 Reports of the Auditor General of Canada)

30 March 2023

Andrew Hayes
Deputy Auditor General

Mr. Chair, thank you for this opportunity to discuss our report on cybersecurity of personal information in the cloud, which was tabled in the House of Commons on November 15th, 2022. I would like to acknowledge that this hearing is taking place on the traditional unceded territory of the Algonquin Anishinaabe people. Joining me are Jean Goulet and Gabriel Lombardi, who led this audit.

Federal departments are increasingly moving software applications and databases into the cloud, including some that handle or store Canadians’ personal information. Information stored digitally, whether on‑premises in data centres or in the cloud, is exposed to the risk of being compromised.

In this audit, we wanted to know whether the Treasury Board of Canada Secretariat, Shared Services Canada, Public Services and Procurement Canada, Communications Security Establishment Canada, and selected departments had controls in place to prevent, detect, and respond to security threats on Canadians’ personal information in the cloud.

Overall, we found that the departments we audited did not always implement and follow the controls that the government has set out to protect information that is stored or transmitted using the cloud. These controls include, for example, encryption and network security requirements. We also found that security requirements and the corresponding roles and responsibilities were not always clear, and as a result, they were not consistently implemented. This leaves cloud-based information vulnerable to cyberattacks, which are increasingly frequent and sophisticated.

In addition, we found that 4 years after the Treasury Board of Canada Secretariat first directed federal departments to consider moving information to the cloud, it still had not provided a long-term funding plan for cloud adoption. It also had not provided a way for departments to calculate the cost of moving to cloud applications and operating in the cloud environment.

Without a funding plan and costing tools, it is difficult for government departments to ensure that they have the people, resources, and expertise they need to secure cloud-based information and respond to threats. Having these would strengthen Canada’s cyber-defence capabilities both within individual departments and government-wide.

Finally, we found that Public Services and Procurement Canada and Shared Services Canada did not require cloud service providers to demonstrate their environmental performance or to explain how their services would reduce Canada’s greenhouse gas emissions. This is important because Canada has set a goal of net‑zero emissions by 2050 and committed to including criteria aimed at reducing greenhouse gas emissions in the government’s procurements for goods and services. To date, this has not been done for procuring cloud services.

The government needs to act now, while departments are in the early stages of transitioning to the cloud. It needs to ensure that funding is available and that key security controls to prevent, detect, and respond to cyberattacks are strengthened. This includes clarifying shared roles and responsibilities for cybersecurity so that the departments involved, central agencies, and cloud service providers know exactly what they should be doing.

Mr. Chair, this concludes my opening remarks. We would be pleased to answer any questions the committee may have. Thank you.