Canada Takes a Big Step Towards Open Government Development

June 15, 2018

More important progress has been made towards an open and digital Canadian government.

A new Policy Implementation Notice (PIN) was posted to the government of Canada’s site today, focusing on the Direction on Enabling Access to Web Services, specifically when it comes to the federal government’s Policy on Acceptable Network and Device Use (PANDU). Now, that’s a lot of drawn-out names and acronyms, but essentially this new notice provides a prescriptive direction on how departments within the government should configure their web filtering processes.

This kind of notice is extremely important for an organization like the government that needs to be careful about how and what kinds of services their employees access and use online. Imagine a normal tech company—they probably use a vast amount of services to communicate, work and interact with clients, such as Slack, Google Docs, Trello and more.

But, at one point or another, all of those sites were blocked and not allowed to be used by federal government employees, due to “potential security risks.” This leads to two things: a slow moving and less-agile digital government that cannot keep up with the pace of technology, and employees who circumvent the bans and find loopholes to use this industry-leading tech, resulting in even deeper security flaws than if those services were allowed in the first place.

“Being able to work the community where they are, using the tools they use, is fundamental to the #GCdigital and #opengov agendas, and the cyber security team I lead is trying to make that easier,” writes Imraan Bashir, the senior director of cyber security at the Treasury Board of Canada Secretariat.

This means the government must bring in pragmatic security, and that is what this new PIN is for. When PANDU first came out in 2014, it forced government departments to open access to Web 2.0 tools, but in the four years since, that implementation has not gone so well. This new PIN that came out today opens up the entire internet—except for a few restrictions, detailed below.

Obviously, government employees cannot access anything that is against the law through the newly opened internet, including illegal gambling, hate propaganda, spyware, violence and a few other notably illegal activities. Also include in “categories to be blocked” list are anonymizer proxies, games, harassment, peer-to-peer file sharing, pornography and a few other catch-alls.

Other than those above, government employees can use any site to process non-sensitive information, enabling better workflows and keeping workers up to date with programs people are actually using in the field.

“Rather than blocking employees, let’s work with them, by providing training, being available for questions, ultimately enabling them to use websites properly,” Bashir writes. “This will prevent the insecure workarounds, allowing them to get their jobs done easier and allowing us to ensure that all activity remains on a network that we are monitoring and protecting.”

This new PIN is a great first step to help the federal government continue its push to be fully open and digital. However, it only applies to a handful of organizations within the government that abide by PANDU, shown below. Other departments and agencies “are encouraged to abide by this PIN to the extent possible.”

Office of the Auditor General
Office of the Chief Electoral Officer
Office of the Commissioner of Lobbying of Canada
Office of the Commissioner of Official Languages
Office of the Public Sector Integrity Commissioner of Canada
Offices of the Information and Privacy Commissioners of Canada

This new open internet rule is effective immediately within the above organizations. Pragmatic security is the latest endeavour from the federal government to become more open and digital—federal teams in Ottawa have recently looked to bring more services to where Canadians reside online (such as virtual assistants), as well as formed partnerships with leading digital countries like Estonia to share best practices.