This Web page has been archived on the Web.

1998 December Report of the Auditor General of Canada

Main Points

19.1 Research groups and experts in the information technology industry have predicted a phenomenal growth in the use of the Internet for business. In government, the Internet provides an opportunity to streamline operations and improve service delivery, as well as an alternative mode of conducting business. In a policy statement, the government committed to making electronic commerce its preferred way of doing business by 1998. In support of its agenda for "connecting Canadians", it has also undertaken to become a model user of the information highway by 2000.

19.2 The audit focussed on the government's use of the Internet for internal and external purposes. We concluded that progress is being made in all three areas we examined, areas that are fundamental to support electronic commerce:

  • the government's public key infrastructure project as a measure for secure electronic commerce;
  • the legal framework to support conducting business electronically; and
  • common technology infrastructures for interoperability and seamless access to information and services across departments and agencies.
19.3 Nevertheless, we noted several key risks that could undermine the government's public key infrastructure project. Progress in designing business processes to make use of the Internet and developing the related computer applications is lagging behind the progress of the infrastructure project. Further, the need to certify the public, a necessary element in delivering services externally, has yet to be addressed.

19.4 A "paper bias" has been identified in the language of federal statutes and steps have been taken to resolve it. Further action is needed to manage the government's potential legal liability in its use of electronic commerce.

19.5 A senior sponsor is needed to advance electronic commerce in government. Many issues remain to be resolved before adequate common infrastructures exist to support the delivery of services across multiple departments and agencies.

19.6 If the government does not address on a timely basis the identified risks and areas requiring action, its objective of making electronic commerce its preferred way of doing business may not be fully realized and its goal of becoming a model user of the information highway by 2000 may also be in jeopardy.

Introduction

Electronic Commerce in Government

19.7 In general, the term "electronic commerce" refers to business activities and transactions that are conducted electronically. It involves using information technology and telecommunications to disseminate information, exchange data and perform financial transactions. The term is not unique, nor is it defined specifically. Other terms that are used include E-commerce, E-business and E-trade. Electronic commerce encompasses an array of tools and technologies - such as electronic data interchange, electronic funds transfer and the Internet - that support many types of business applications.

19.8 In its public consultation documents, the federal government has offered the following definition:

Electronic commerce, which is at the heart of the information economy, is the conduct of commercial activities and transactions by means of computer-based information and communications technologies. It generally involves the processing and transmission of digitized information.
19.9 For the government, electronic commerce involves using computers and telecommunications systems in a wide range of activities - from internal activities such as administration and operations to external activities such as providing services to the public. They can be financial, such as transferring funds, or non-financial, such as providing or exchanging data and information.

19.10 Over the years, initiatives in this area (see Exhibit 19.1) have received the endorsement and support of interdepartmental senior management committees such as Treasury Board Secretariat's advisory Information Management Subcommittee (TIMS) and the Council for Administrative Renewal (CAR).

19.11 In particular, the Treasury Board Secretariat identified electronic commerce as a key initiative in implementing the 1994 Blueprint for Renewing Government Services Using Information Technology . In late 1995, the Secretariat received approval from Treasury Board ministers to implement the Blueprint.

19.12 In December 1995, the Secretariat wrote to all deputy ministers to advise them that the Board had approved the Blueprint's implementation and endorsed its specific measures and initiatives. Advancing electronic commerce was one of those initiatives. The Secretariat indicated the government's intention to publicly announce that electronic commerce would be its preferred way of conducting business. Further, the Secretariat set the direction to achieve substantial progress in conducting internal activities electronically by 1997 and external activities by 1998. The letter also noted the government's intent to become a model user of the information highway. On many occasions since then, the Secretariat has committed to making electronic commerce its preferred means of doing business with other governments, private sector organizations and Canadians by 1998.

19.13 In the September 1997 Speech from the Throne, the government made the following commitment:

We will make the information and knowledge infrastructure accessible to all Canadians by the year 2000, thereby making Canada the most connected nation in the world.
It went on to state that connecting Canadians would provide them with access to the skills and knowledge they need to benefit from the country's rapidly changing knowledge and information infrastructure. A connected nation is viewed as an important element in enabling Canadians to participate and succeed in a global, knowledge-based economy.

19.14 The Electronic Commerce Task Force at Industry Canada has been leading the move toward "connecting Canadians". In early 1998, it formulated a two-part strategy - domestic and international - to make Canada a world leader in electronic commerce by 2000.

19.15 The domestic agenda focussed on:

  • building trust in electronic commerce among businesses and consumers;
  • setting ground rules for the digital marketplace as necessary; and
  • connecting Canadians to the digital economy by improving their access to networks, enhancing their awareness and developing their skills.
19.16 The international agenda dealt with the need for a global framework to facilitate the international growth of electronic commerce. This would include a legal framework, rules to govern the marketplace and the development of infrastructure. An immediate priority for this part of the agenda was to support the October 1998 OECD ministerial conference, "A Borderless World - Realizing the Potential of Global Electronic Commerce". Canada hosted the conference in Ottawa.

19.17 The domestic agenda further outlined a role for the government as a model user of electronic commerce. By "putting the government on-line", the Canadian federal government would become a world leader in Internet-based delivery of government information and services. This objective echoes a 1995 recommendation by the Information Highway Advisory Council. It is also consistent with the direction set by the Treasury Board Secretariat in late 1995 to make electronic commerce the preferred way of doing government business by 1998.

A Predominant Area of Future Growth

19.18 The government has been using many established technologies to replace paper-intensive and cumbersome processes, in administration and operations and in the delivery of programs and services. For example, it makes payments to millions of individuals through electronic funds transfer to their bank accounts, thereby eliminating the need to issue and process paper cheques. Taxpayers can file their income tax returns through electronic data interchange, replacing paper returns and related documents. Using kiosks and service centres, government provides key information to its clients electronically, on-site and without intervention from staff. By employing the X400 technical standard, government employees can exchange electronic messages (e-mail) across all departments and agencies. Today, e-mail has become an essential alternative to voice messages and paper mail as a means of communication.

19.19 General literature has shown that the Internet is a predominant area of future growth in electronic commerce. While statistics on Internet use are modest, the growth to date has been impressive and the potential for future growth is tremendous. In the United States, business-to-business Internet commerce grew tenfold from 1996 to 1997, when it reached US$8 billion; a research group has predicted that it will grow to $327 billion by 2001, a fortyfold increase. Another group has estimated that the number of U.S. companies using Internet commerce will increase from 100,000 in 1998 to 600,000 by the year 2000. A 1997 report by the Organization for Economic Co-operation and Development (OECD) noted that the most conservative private sector estimates predict a tenfold growth by 2000 in the volume of electronic commerce transacted over global information networks. Business-to-business Internet commerce is expected to be a major force in North America and Europe over the next two years.

19.20 By serving as a model user of the information highway and pursuing a domestic agenda of "connecting Canadians", the government is helping to position Canada in a global, knowledge-based economy. Conducting business via the Internet is a key element in the government's policy to make electronic commerce its preferred way of doing business. It provides an opportunity for new and innovative ways of interacting with the private sector, other levels of government and the public in delivering programs and services. It will help the government to meet anticipated demands from external users as access to and use of the Internet grow. Internally, electronic commerce can benefit government administration and operations by increasing efficiency and reducing costs.

Focus of the Audit

19.21 The audit focussed on the government's use of the Internet to conduct business - both internal and external - as part of its stated policy on electronic commerce and its commitment to serve as a model user of the information highway.

19.22 The audit assessed the government's progress in addressing three key areas that will enable it to do business over the Internet: a public key infrastructure as a measure for secure electronic commerce; a legal framework to support electronic commerce; and common technology infrastructures. In addition, we reviewed four government initiatives involving electronic service delivery, in order to identify good practices and possible lessons learned.

19.23 Further information about the audit objective, scope and criteria can be found at the end of the chapter in About the Audit .

Observations and Recommendations

A Public Key Infrastructure

The government's solution for secure electronic commerce
19.24 In moving from traditional paper-based transactions to electronic commerce via the Internet, users require trust and confidence that the transactions are safe and secure and that their concerns about privacy are adequately addressed. New technical tools and security measures need to be developed to support a secure environment for conducting business electronically.

19.25 In lieu of the traditional controls that provide assurance to users, different security measures are needed to keep electronic transactions safe. Cryptography provides protection in four areas, ensuring that business transactions are kept confidential ( confidentiality ), are not tampered with ( integrity ) and originate from the bona fide source that is claimed ( authentication ), and that their occurrence cannot be denied by the originator ( non-repudiation ). Exhibit 19.2 provides a glossary of selected terms related to public key cryptography services. Those terms appear in italics when they are first used in the chapter.

19.26 In 1995, the government identified the need for secure and private transmission of data as a key issue that needed to be addressed. Under the direction of a subcommittee of the Council for Administrative Renewal, work was begun to establish a public key infrastructure for the government. The public key cryptography techniques use technology to encrypt, decrypt and verify data. In addition to the technical component, an infrastructure is needed to manage and co-ordinate the administration in departments and agencies of security regimes that relate to public key cryptography services.

Infrastructure development and management are under way
19.27 Under the direction of the Council for Administrative Renewal and its subcommittee, an interdepartmental working group commissioned a business case for developing a public key infrastructure for government. The business case put forward three options for deploying public key techniques, and recommended that the government adopt a government-wide solution.

19.28 The recommendation was accepted by the government. In late 1995, the Treasury Board endorsed the Government of Canada Public Key Infrastructure project (GOC PKI) and approved the related funding requirement. It was anticipated that the project would be delivered during 1998 and be ready for departmental use by December 1998. The Secretariat, as an oversight body, established and chaired a Policy Management Authority committee to set GOC PKI policies and provide a management framework for departments and agencies participating in the project. Working in partnership with a private sector firm, the government's Communications Security Establishment (CSE) played the role of project manager in the development of the technical product. The CSE was also assigned the role of root authority , a central facility for the government.

19.29 In July 1996, the government entered into a contract with a private sector firm to develop a GOC PKI product to meet its requirements. In June 1998, the contractor released an interim GOC PKI product. The Communications Security Establishment expected that by December this release would be accepted on an interim basis and sanctioned for use by departments and agencies.

19.30 Four of the six departments that participated in the initial funding of the project have been using early releases of a commercial version of the product on a pilot basis. They expect to upgrade to the interim GOC PKI product when the CSE provides interim approval. In addition, a number of other departments and agencies have expressed interest; some have acquired the commercial product on a limited basis and are using it in a test mode, primarily for internal secure messaging.

19.31 The Policy Management Authority (PMA) committee established for the GOC PKI in early 1996 was chaired by the Acting Chief Information Officer of the Treasury Board Secretariat. A new Chief Information Officer was appointed in March 1997 and assumed the role of Chair in December 1997. Although Year 2000, the two-digit year code problem, became a top priority of the Chief Information Officer Branch, the GOC PKI project has remained a strategic priority.

19.32 In early 1998, it was recognized that additional resources would be needed to advance the development of policies and the management framework for GOC PKI. The Secretariat established an Interdepartmental PKI Task Force that, as of July, had a staff of about 15. The Task Force director became Co-Chair of the PMA committee. By early July 1998, some 11 subcommittees and working groups had been set up, involving over 300 staff from various departments and agencies (Exhibit 19.3) . In addition, the Senior Interdepartmental Lead Committee of senior government managers was struck and took on an advisory role to the PMA committee.

19.33 When we completed our audit in early July 1998 the government, under the direction of the PMA committee, had defined the need for eight certificate policies for GOC PKI. The policies represent four levels of security assurance: rudimentary, basic, medium and high. The PMA committee also directed the development of, and subsequently approved, a framework of elements that need to be addressed in a certificate policy and a certification practice statement .

19.34 The certificate policy and certification practice statements are necessary instruments to govern the implementation and management of a public key infrastructure. These instruments are essential in cross certification , a process designed to ensure trust and confidence among users in different organizations that use a public key infrastructure. The Interdepartmental PKI Task Force was preparing draft policies and it expected the drafts to be complete and ready for consultation by August 1998. When the certificate policies are adopted, all departments and agencies choosing to participate in the GOC PKI will develop certification practice statements that are in accordance with them.

19.35 We found, as of July 1998, that progress had been made in various areas of the GOC PKI project. An interim technical product had been released and was awaiting approval by the Communications Security Establishment; the management framework for the infrastructure component was being developed. However, we also observed several major risks to the project, which the following paragraphs discuss.

Applications using public key infrastructure have yet to be identified and developed
19.36 The business case for the GOC PKI project was prepared in order to identify options and recommend a course of action for providing public key cryptography as a measure for secure electronic commerce in government. Consequently, the options revolve around alternative ways of providing public key services. The analysis supporting the business case contemplated future requirements for public key cryptography services. However, the project has so far had limited involvement in identifying and facilitating the development of electronic business applications that would use the GOC PKI product when it becomes ready for use.

19.37 In preparing the business case, a working group conducted a survey to determine the extent of the demand in government for a public key infrastructure to support electronic commerce. The survey sampled 26 departments, agencies and Crown corporations, representing about 15 percent of government entities and some 60 percent of federal employees. In addition to the Treasury Board Secretariat about 14 entities, primarily larger departments, responded to the survey. Although the survey had attempted to directly involve government business managers and strategic business planning personnel, the survey report observed that responses from some departments had been prepared by technical specialists in information security. While the report noted that those specialists were familiar with their departments' strategic business objectives, it also acknowledged that this factor could have affected the quality of the assessment of demand.

19.38 The survey report summarized the projected demand for encryption and electronic authorization services from 1995 to 1999 by user type, such as government employee, private sector company and citizen. The requirements were also categorized by degree of certainty, from possible to likely to firm requirement.

19.39 The results showed that by 1999 there would be firm requirements for about 45,000 government employee users and 8,000 private sector company users of encryption and electronic authorization services; no firm requirements among citizen users were projected. By 1999, however, it was estimated that government employee users could exceed 110,000 and citizen users could reach 5.5 million. The cost projections in the business case were based on information from the survey report.

19.40 During 1998, the Secretariat convened several meetings to discuss the demand for the commercial product in order to plan a government-wide procurement strategy. Many departments and agencies expressed interest, but most were not ready to commit to a purchase; the product's lack of business applications was identified as a major barrier. A common application that has emerged as a driving force for using the commercial product would be internal secure messaging among employees. This is consistent with the projections made in the survey report. It estimated that of the 45,000 government employee users expected to require the services by 1999, some 25,000 would require them for internal secure electronic mail.

19.41 In the meantime, program managers and administrators in departments and agencies have been considering alternative means of delivering services and streamlining administrative and operational processes, mostly independent of the GOC PKI project. Through various interdepartmental committees and working groups, as well as senior management advisory and oversight committees, there is a general awareness and exchange of information on different business applications and initiatives being developed. Yet no direct action has been taken to co-ordinate new business processes that use the Internet with the development of corresponding computer applications and the public key cryptography services that support them.

19.42 There is a risk that the GOC PKI project will not be used to its full potential upon delivery. In our view, without direct action it is unlikely that business processes using the Internet and the corresponding computer applications will be ready when the public key cryptography services provided through this project become available and are officially approved for use in government. While the Year 2000 date code problem takes priority, action is needed to encourage government program managers and business planners to consider using the Internet as an alternative means of delivering services. Further, there is a risk that applications may focus on internal administrative and operational processes, although the government's technology Blueprint also envisioned external electronic service delivery.

Need for further analysis of implications for dealing with the public
19.43 Users of public key cryptography services need to be registered before they can be recognized as users. They are registered only after their identity, level of authority and required level of assurance are validated. Registered users are assigned unique digital certificates . The body that issues and manages these certificates is known as a certification authority . Like electronic passports, the certificates identify the specific registrants and their level of authority and assurance. They support the processes of encrypting, decrypting and verifying the transmitted data. Users under the same certification authority should be in a position to enjoy the benefit of secure transactions among themselves.

19.44 In an era of open public networks, users under different certification authorities will need to interact with one another, and certain transactions will require a secure environment. Confidence and trust in the system can be maintained only if certification authorities trust each other. This trust can be built through cross certification, a process by which the security regime and the administration of digital certificates are verified. Cross certification also involves matching assurance levels for transactions.

19.45 The process of cross certification is technical and complex and poses management challenges among different government organizations. It is a prime reason for the government to develop strict certificate policies and the infrastructure component of its GOC PKI project. The extension of public key cryptography services beyond government into the public domain further complicates the process. It also introduces many other issues.

19.46 For example, a government employee would logically be registered by either his or her own organization or another government entity charged with that responsibility. For members of the public, however, it is not obvious who the certification authority should be, nor is it a trivial matter.

19.47 If the government were to take on the responsibility of certifying members of the public, it could have each department and agency register public users of its own programs and services, or set up a single point of contact to register public users for all their transactions with different departments and agencies, or some combination of the two. Alternatively, the government could have public users register with private sector certification authorities and it could cross certify with those authorities to support secure electronic commerce transactions between the government and the public.

19.48 Each option has its advantages, disadvantages and ramifications. An every-department-for-itself approach would cause duplication and result in higher costs. In addition, members of the public might have to possess many digital certificates in order to receive services from the government or transact with it. At issue is the notion of "one user, one certificate" - that is, a public user would obtain and use a single set of certificates in doing business with the government. Whatever the government's eventual policy on issuing certificates, some members of the public would expect the government to make every effort to minimize the number of certificates they need.

19.49 In comparison, having a single government organization serve as the certification authority for public users could raise privacy issues and exposure to legal liability for the Crown. It would necessitate maintaining a high concentration of personal information electronically on one site, introducing the risk that the government certification of a public user could be misused or abused.

19.50 If the government were to use private sector certification authorities, public users would register with them and the government would need to cross certify with each of those authorities. This would be more complex and could pose a significant challenge. In addition, the government would need to address policy issues such as whether to select private sector certification authorities for cross certification, whether to limit their number, and whether and to what extent the government ought to encourage private sector investment in this area.

19.51 Another issue is the potential cost to the public. Regardless of the certification authority chosen, costs will be incurred for the initial registration of a public user, for ongoing maintenance, and for changes and renewals as necessary. If it were a government service, the extent to which costs would be recovered through user fees would be a policy matter; if it were a private sector service, the public would likely be charged a fee. These factors will impact the services that the government wishes to provide electronically and it will need to consider them carefully.

19.52 While the demand survey supporting the GOC PKI project forecast a significant requirement for public use of encryption and authorization services, its technical architecture focussed primarily on departments and agencies. There was limited dialogue between the Policy Management Authority committee and potential private sector service providers before 1998. It was only in recent months that the implications of certifying the public began to be analyzed. A May 1998 report of one interdepartmental working group recommended that resources be allocated to conduct an in-depth assessment and feasibility analysis and to identify a preferred option for registering external users.

19.53 The issue of certifying public users is complex and has major implications. If the government does not address it in a timely manner, other options may emerge and later complicate the task of co-ordinating a common approach. This could significantly compromise the potential return on the government's investment in its GOC PKI project and curtail the scope of secure government business conducted via the Internet.

Other development and implementation challenges to overcome
19.54 Public key cross certification is new and complex, and it has yet to be demonstrated in live applications. It calls for regimented discipline and strict adherence to certificate policies and the related practice statements. Within government, the current technical architecture contemplates seven certification authorities at the departmental level, with the Communications Security Establishment (CSE) serving as the central facility to conduct cross certification. Draft certificate policies are still being developed and have yet to be adopted by the certification authorities. The application of cross certification could pose a major challenge to implementing the government's public key infrastructure project.

19.55 We also noted that product development is experiencing delay. The original contract called for the technical product to be delivered in 1998, in time for the government to accept it and approve its deployment by the end of the year.

19.56 The contractor delivered an interim version in June. Information provided by the Communications Security Establishment showed that an update will be provided in the fall, and interim approval for use is expected by December 1998. According to the CSE, the interim product is being tested to support the rudimentary and basic levels of assurance, and possibly the medium assurance level. A final product supporting all levels of assurance is now expected for the summer of 1999, and the government's final acceptance and approval by the end of that year.

19.57 In addition, standards for cryptography products are evolving. Through the GOC PKI project, the government has adopted certain technical standards to allow different technologies in government to operate with one another. These standards are not sanctioned by a formally accredited standard-setting organization and they are subject to market forces. Since the standards are evolving, there is a risk that they may be superseded by others, causing further delays in product development and possibly leading to incompatibility with some trading partners and parts of the private sector.

19.58 The business case for the project estimated a total cost, for 16 departments, of approximately $35 million in the five years ending 1999, and ongoing operating costs of about $4 million a year thereafter. The cost estimates did not allow for potential costs of technological upgrades, maintenance and support. In a rapidly changing field such as this, the understatement of annual operating costs could be significant. Furthermore, the business case focussed primarily on using cryptography within the government. The estimates did not include costs related to the certification of public users and the possible need to fund private sector certification authorities or to share costs with them. If the estimates do not reflect the full costs of a project, it will be difficult to assess and report performance at a later date. Moreover, it can call into question the project's expected return on investment.

19.59 The risks and challenges that we have noted can severely compromise the scope and use of the public key infrastructure to provide a secure environment for electronic commerce. They can undermine the government's policy of making electronic commerce its preferred way of doing business, as well as its goal of becoming a model user of the information highway.

19.60 The government should act expeditiously to identify and develop applications requiring secure data communication. It should involve business and program managers from departments and agencies directly with the Treasury Board Secretariat's Public Key Infrastructure Task Force and the Government of Canada Public Key Infrastructure project, to optimize the use of the infrastructure in support of secure electronic commerce throughout the government.

19.61 The government should address concurrently the issue of certifying public users and the development of the technical product and management framework for its public key infrastructure, including consulting with the private sector and potential certification authorities for the public.

19.62 The government should manage the project risks that have been identified, and others as they arise. In particular, it should:

  • implement some small applications as early as possible to demonstrate that cross certification among a small number of government certification authorities is viable and that different platforms of technology can interoperate;
  • maintain a close watch over evolving standards to ensure that its public key infrastructure remains compatible; and
  • broaden the cost estimates in the business case to better evaluate the return on investment and provide an appropriate basis for making decisions and reporting performance.
Government's response: We are pleased that the Auditor General has undertaken an audit of electronic commerce. Electronic commerce or electronic service delivery will be one of the main vehicles used to improve services to Canadians. The rapid technological advances occurring in this field make this an area that is in constant change. Since the completion of the audit in July, progress continues to be made on a number of fronts.

We agree with the need to involve business and program managers with the Treasury Board Secretariat's Public Key Infrastructure (PKI), and consultations with these groups are under way. A recently completed inventory of PKI activity across government lists over a hundred initiatives planned and/or under way. This consultation and information sharing will continue. A senior-level committee composed of business managers from across government is providing the program managers with leadership in this field.

Consultations with the provinces and with the private sector on issues such as the certification of public users and cross certification are under way. The Public Sector Chief Information Officer Council created last March is examining these issues in the context of a harmonized approach to PKI implementation across Canada. The proposed model GOC PKI certificate policy is currently under review by both public and private sector organizations.

The original implementation of PKI in seven departments to meet their internal needs was established as a formal project and is being managed as such by Communications Security Establishment. The government's move to electronic service delivery will consist of many projects initiated and managed by individual departments. The Treasury Board Secretariat will provide co-ordination and oversight to these initiatives collectively but will be careful not to compromise the accountability of the individual project managers.

The overall approach to the public key infrastructure project is to use off-the-shelf commercial software. This is cost-effective and ensures more compatibility than a made-to-order approach. The Task Force is keeping a close watch over evolving standards to ensure continued compatibility. Consultations with other bodies across the country and internationally are providing the government with up-to-date information on the current trends and activities in this field.

In developing their business cases, departments will not be making a case for PKI per se. They will be making business cases for PKI-enabled applications to meet specific business requirements. These PKI-enabled applications will permit departments to do business securely within the government, between governments and with Canadians. The government's approach is to complete Phase I, putting in place the infrastructure to support these PKI-enabled applications as they are developed and deployed.

Legal Issues

Resolution of potential limitations in legal statutes is proceeding
19.63 In 1995, a working group was tasked by the Council for Administrative Renewal to identify and address legal issues associated with the government's security strategy for electronic information. Its report provided an overview of the various legal issues involved. In March 1996, the Department of Justice mandated an Electronic Commerce Secretariat to provide legal advice on electronic commerce technology. It was recognized that there was no separate legal framework for electronic commerce and that legal and commercial frameworks designed for a non-digital age might need to be adapted for doing business in an electronic environment. A proposed framework included three objectives:

  • making statutes media-neutral (applicable to any medium);
  • ensuring the recognition of secured electronic authorization; and
  • revising evidence rules for electronic records.
19.64 The Department conducted a review of federal statutes for language that might indicate a paper bias. Through an electronic search of key words such as "forms", "notarized" and "writing", the Department found that 330 of the nearly 600 statutes contain provisions that use such terms.

19.65 Further to the review, instead of amending the statutes individually the Department's assessment was that preparing general or global provisions would be more efficient and provide for more consistency. Among other things, the general provisions would serve as a tool for interpreting existing statutes in a media-neutral way. They would represent an additional option and would not preclude the use of paper-based mechanisms under existing statutes.

19.66 Moreover, the Department of Justice determined that the Canada Evidence Act ought to be amended to address the introduction of electronic records into evidence. The 1995 working group had also identified a possible need to review and amend this Act.

19.67 In early May 1998, the Department released a consultation paper entitled "Facilitating Electronic Commerce: Statutes, Signature and Evidence". The paper put forward the Department's proposal, as described in paragraphs 19.65 and 19.66, to resolve the potential limitations that it had identified. It expected to conclude consultations over the summer. Subsequent to our audit, the Department advised us that it had received endorsement from the government to proceed with the drafting of amendments and that the draft legislation would be ready for tabling in Parliament in the fall of 1998.

19.68 Moreover, the Department has been developing a harmonized approach with the provinces and territories. It participates in the electronic commerce project of the Uniform Law Conference of Canada. Among other matters, the Conference planned to give final approval in late August to its draft Uniform Electronic Evidence Act, the substance of which was being incorporated into the proposed amendments to the Canada Evidence Act.

Legal liability is a concern that requires further analysis and resolution
19.69 Secure electronic commerce via the Internet provides an alternative means of conducting business. However, losses and damages can occur through ignorance, negligence, abuse or deliberate attempt, and can lead to legal liabilities. The delivery of government services electronically introduces new risks and exposure that can result in legal liability for the Crown.

19.70 The need to address such potential liabilities has been generally acknowledged. In addition to legislation, the legal framework includes other instruments such as memoranda of understanding, contractual agreements and certification policies that form the basis for cross certification. Early analysis by the legal subcommittee showed that these instruments could be used to help limit the Crown's exposure to the risk of liability. Nevertheless, the significance of legal exposure, if any, where no contractual relationship exists and third parties choose to rely on government information still needs to be determined.

19.71 Consequently, the members of the government's legal community have suggested that every application using the public key infrastructure be preceded with a threat and risk assessment from a legal perspective. The assessment would identify and assess potential legal vulnerability so that it could be addressed accordingly, using various instruments in the legal framework. The Policy Management Authority committee also called for participating members of the GOC PKI project to put forward various scenarios for use in further analyzing the liability issues.

19.72 The government should ensure that issues of potential liability are identified and addressed as it introduces new electronic commerce initiatives.

Government's response: New legislation will provide a framework for electronic commerce. The government is aware of concerns about liability and will ensure that departments are aware of any legal implications related to electronic commerce, including potential liability, and that they manage them accordingly.

Action Needed to Develop Direction and Adequate Common Technology Infrastructures

19.73 The Blueprint for Renewing Government Services Using Information Technology envisioned that the government would use information technology not only internally but to extend its services to the public electronically. Seamless access to services will require support from common technology infrastructures, so that the various technology platforms of different departments and agencies can interoperate, that is, operate readily with each other.

Senior sponsor needed to lead electronic commerce in government
19.74 To make electronic commerce the preferred way of doing business by 1998, it would be reasonable to expect that the government would follow its 1995 policy announcement with a strategic plan, led by a senior sponsor and co-ordinated with plans and actions in departments and agencies.

19.75 Under the direction of the Treasury Board Secretariat, a strategic paper entitled "Electronic Commerce Commitment and Agenda for Action" was prepared in 1995 to lead the electronic commerce initiative. The paper set out a number of initiatives and identified a number of departments and working groups that would pursue them. Because of staff turnover and changes in priorities at the Secretariat, however, many initiatives were not continued beyond 1996.

19.76 As of early July 1998, no overall strategy or plan had been developed to update the 1995 strategy and to lead the government toward its goal. There was no statement of what is to be accomplished by 1998 or what being a model user by 2000 entails. Furthermore, there was no common definition of electronic commerce in government. Departments and agencies have been developing various electronic initiatives, but no attempt has been made to co-ordinate them. Although an interdepartmental committee of deputy ministers requested that the progress of electronic commerce in government be monitored and specific information collected, there has been no attempt to do so.

19.77 The primary effort at the Secretariat to advance electronic commerce in government has been by its PKI Task Force. Although cryptography services are critical to building confidence and trust in secure electronic commerce, they are not essential for all types of internal and external transactions of government. For example, among the four electronic initiatives that we examined, only one has a stated requirement for the services afforded by the government's public key infrastructure.

19.78 Departments and agencies are advancing their own electronic commerce initiatives. To advance electronic commerce government-wide, however, there is a need for a senior sponsor to assess the government's progress and to set future direction. Without this sponsor, the government risks not achieving its policy objective and its commitment to become a model user. More significantly, the objective envisioned in its information technology Blueprint - to renew government services using information technology - may not be fully realized.

Further efforts required for technology standards and guidelines
19.79 The Chief Information Officer Branch of the Secretariat is responsible for setting government-wide standards. Standards set by the Secretariat are promulgated as Treasury Board Information Technology (TBIT) Standards and form part of Treasury Board policies for the government.

19.80 Under the government's public key infrastructure project, progress is being made in identifying and adopting open standards that will support cross certification and the use of cryptography services. For example, standards are being set for electronic directories in government so that certification authorities could include in them electronic certificates for access by government or public users.

19.81 However, efforts to update TBIT Standards are slow. Technology standards are necessary to support common infrastructures so that different technology platforms can interoperate. Common infrastructures facilitate seamless access by the public to information and services from different departments and agencies. In Chapter 16 of our 1996 Report, we noted that many of the TBIT Standards were of questionable relevance and were being overtaken by de facto standards in the information technology industry. During the present audit, we noted that the need for standards to support common infrastructures in government had been discussed in many interdepartmental forums. But action has yet to be taken to identify the types of standards that are necessary and the specific standards to be adopted for use by government.

19.82 Through the work of an interdepartmental committee, the Treasury Board Secretariat has prepared an Internet Guide. The Guide is available on the Internet and provides technical guidance on creating websites. We found that the scope of the guidance could be broadened and that more emphasis could be placed on its use by departments and agencies.

19.83 The Guide focusses primarily on technical advice for creating websites. It also contains some guidance to help users in departments and agencies address the government principle of "common look and feel" and "ease of use". The principle of common look and feel is that websites should share certain common characteristics so that public users can readily identify that they are accessing government websites. The principle of ease of use is that websites should be easy to navigate, so that users can access information readily and efficiently. However, broader guidance on issues such as analyzing the impact of an Internet service on users and reviewing security and privacy concerns is not provided in this Guide or others.

19.84 It also came to our attention that access to and use of the Secretariat's Internet Guide were not tracked and there was no mechanism for feedback. Its length does not facilitate viewing on the Internet, and paper copies have not been disseminated.

19.85 In 1995, Public Works and Government Services Canada received approval to establish a Canada Internet site that would provide a federal government presence on the Internet. It would also provide single-window access to government information and services. The concept of a single window was discussed in the government's information technology Blueprint in 1994 and was supported by the Information Highway Advisory Council in its 1995 report. The site, http://www.canada.gc.ca, became operational in December 1995. Its usage has increased approximately tenfold, from about 500,000 hits per month in early 1996 to about five million hits per month in early 1998.

19.86 The Canada Internet site met the initial requirement to provide a common point of access to government information. Yet it is not user-oriented and does not facilitate seamless access to various government services, especially those involving more than one department or agency. In most instances, a user would need to know specifically which department or agency provides which particular services in order to access them. Since its implementation, the site has remained static; changes have not gone beyond routine maintenance. The Department advised us that it is aware of the site's shortcomings and plans to address them. Subject to resource availability, it plans to adopt a client-driven orientation for the site. Since the audit, the Department has advised us that actions are under way to help users access information on the Canada site.

19.87 Two and a half years after the policy statement on electronic commerce, there is no senior sponsor to set future direction and many issues remain to be addressed in order to achieve the common infrastructures needed.

19.88 The government should appoint a senior sponsor for the goals of advancing electronic commerce in government and making government a model user of the information highway. In particular, it should consider:

  • defining electronic commerce in government;
  • developing strategy and setting direction for electronic commerce beyond 1998, identifying deliverables and indicating when they may be completed;
  • assigning responsibilities, clearly defining the roles and terms of reference for those assigned and supporting them with appropriate authority and resources;
  • providing oversight and monitoring progress; and
  • reporting performance to Parliament on a periodic basis.
19.89 The Treasury Board Secretariat should accelerate its efforts to identify and adopt technology standards that will support common infrastructures in government. It should ensure that standards to support the government's public key infrastructure are in place and are followed when the crypto- graphy product becomes ready for deployment.

Government's response: In April of this year the government stated that to further enhance its commitment to the principles of service improvement, it has established within the Treasury Board Secretariat (TBS) a new sector with the mandate to focus on government-wide approaches to improving services to Canadians. The creation of the new sector was initiated as part of the Secretariat's continued and concentrated effort to ensure that electronic commerce becomes the government's preferred way of doing business. The new sector is focussing on the government's priority of ``connecting" Canadians and on making the information infrastructure available to all Canadians by the year 2000. The electronic service delivery channels will incorporate and make use of the public key infrastructure, the legal framework and the common technology infrastructures that are the focus of this audit.

Recently the Prime Minister indicated the government's support for electronic commerce, saying that ``the federal government is not alone in tackling issues related to electronic commerce....Together with business, consumers and other governments, we are making progress on various electronic commerce issues such as taxation, intellectual property, privacy, legal frameworks and cryptography policy."

It should be noted that sponsorship is a corporate responsibility of the government, with departments playing a key role. Senior sponsorship is the responsibility of more than just one department or deputy. Electronic commerce is a new way of doing business and demands new approaches. The issues are horizontal and touch all departments. It is important to recognize this horizontal responsibility.

The government's progress in adopting electronic commerce will be reported in the Treasury Board Secretariat's annual Report on Plans and Priorities and Report on Performance.

The government is addressing the need for information technology standards. Key technology standards for secure messaging, directories, "smart cards" and documents are being examined and adopted or proposed for adoption. The establishment of additional standards to support PKI will be undertaken as the need is identified, based on their relative priorities. An internal review of the standards needed for implementation of PKI, electronic commerce and service delivery will be undertaken in the fall. This review is expected to identify a number of standards projects that should be initiated or reactivated.

Electronic Initiatives in Government - A Profile

19.90 As part of the audit, we selected and reviewed four electronic commerce initiatives in the government. The purpose of the review was to identify good practices and lessons learned from the government's early experience in delivering services via the Internet. A brief description of the initiatives and a summary of our findings appear in Exhibit 19.4 .

19.91 All four initiatives use the Internet in delivering government services to individuals or Canadian businesses. Three of them charge fees for services rendered. When fully implemented, two initiatives will be used to complement existing hard copy services; the other initiatives will become the only means of access to those services.

19.92 Some initiatives are in pilot mode, while others have been fully implemented. The initiatives range from the simple to the complex. They require security features in varying degrees, from being able to authenticate the identity of users to protecting the integrity of transmitted data and collecting user fees.

Good practices and potential lessons learned
19.93 One initiative involved the re-engineering of a business process in co-operation with stakeholders. The National Energy Board is developing the Electronic Regulatory Filing system with a group of private sector companies it regulates and the Ontario Energy Board. When implemented, it will change the process of filing submissions for Board hearings to one that receives submissions electronically. It will also allow potential interveners in hearings to download relevant portions of the documents for their use. Currently, a single hearing often necessitates the copying and distribution of hundreds of thousands of pages of the document by the company filing the submission. In developing the initiative, the Board took into consideration the impact on program participants (regulated oil and gas companies), other levels of government (provincial regulators) and other interveners (the public, or other private sector firms that could be affected by a submission).

19.94 Two of the initiatives we looked at considered the opportunity for private sector partnership and are now involving private sector companies in delivering services electronically. Through its MERX system, Public Works and Government Services Canada outsources the provision of information to suppliers for purposes of tendering bids for procurement contracts. The Department and participating provinces provide the content; the private sector firm develops and maintains the website and the billing system to charge and collect fees from users.

19.95 In collecting user fees for its Online statistics application, Statistics Canada uses the service of a financial institution to handle all credit card transactions. A solution internal to government would have required the use of public key cryptography services. It would also have required Statistics Canada to certify the users directly or to cross certify with the certification authorities for those users. Further, as we have noted, approval to deploy the technical product for the government's public key infrastructure is not expected until December 1999 and this would have delayed the implementation of Statistics Canada's initiative. As of July 1998, the Online statistics initiative had been functional for about two years.

19.96 The government's Enhanced Management Framework for managing information technology projects calls for the preparation of business cases. Electronic initiatives can be developed for various purposes, such as to experiment with new service delivery mechanisms, to streamline operations and reduce costs, or to respond to business pressures and user demands. Without a business case that states the desired benefits of an initiative, it would be difficult to later assess its merits. In the absence of cost estimates at the start, cost overruns and broadening of scope would be difficult to control. With one exception, we found that business cases had not been prepared for the initiatives we reviewed.

19.97 We also found that none of four departments and agencies has conducted threat and risk assessments of the initiatives. Threat and risk assessments are usually conducted to determine the level of security required for transactions and to assess alternative solutions for security. They help to identify the most appropriate and cost-effective security solution.

19.98 In our view, existing electronic commerce initiatives can provide a wealth of information for other projects. In addition to learning from the experience gained in these initiatives, other projects may use specific features and elements of them. For example, other government organizations may also have business applications that require secure filing of documents, or may also charge user fees for services. Although there is a list of electronic commerce initiatives in government, no group has been given the responsibility to keep it up-to-date, or to review the initiatives and disseminate the experience gained to departments and agencies.

19.99 The Treasury Board Secretariat should ensure that an inventory of electronic commerce initiatives in government is maintained and updated periodically. It should analyze the initiatives for good practices and lessons learned, and share the information with departments and agencies so that they can take advantage of others' experience.

Government's response: We agree with the need to ensure that information on electronic commerce initiatives is shared across the government in order to take advantage of the experience gained by departments. This recommendation must be balanced with the need to not overburden departments with requests for more reporting. Pathfinder projects are currently highlighted by TBS. An informal inventory will continue to track initiatives and their progress.

Conclusion

19.100 The government is making progress in the areas we examined and is moving toward conducting business via the Internet by addressing barriers to electronic commerce.

19.101 In particular, it is developing a technical solution to concerns about the security of transactions conducted on open public networks. An interim product is available and is expected to receive government approval by the end of 1998. The management framework for this cryptography project is being developed.

19.102 In considering the legal framework, the government has identified language containing a paper bias in all federal statutes and is proceeding with a resolution. Through an interdepartmental committee, the Treasury Board Secretariat has produced an Internet Guide that offers technical advice to departments and agencies developing websites, and there is a Canada site that provides a federal government presence on the Internet.

19.103 At the same time, we identified several key risks that could undermine the public key infrastructure project that the government has undertaken to support its secure electronic commerce. We found that the business process using the Internet and the development of related computer applications are lagging behind the progress of the public key infrastructure project, creating a risk that it may be underutilized when it is completed. The need to certify public users and the implications of doing so present another risk. If not addressed on a timely basis, it could severely limit the use of the infrastructure to support external service delivery. Furthermore, we noted some challenges to the project's development and implementation that need to be overcome.

19.104 We also noted that electronic commerce can have important implications for the government's legal liability; further analysis and resolution of this issue are required.

19.105 Moreover, we observed that a senior sponsor is needed to advance electronic commerce in government. Many issues remain to be resolved before common infrastructures are in place to support seamless delivery of services across departments and agencies. Strategy and direction are needed to define the government's objectives and goals for electronic commerce beyond 1998. Further action will also be required to meet the government's commitment to become a model user of the information highway by 2000.

About the Audit

Objective and Scope

The audit focussed on the conduct of government business via the Internet, a predominant area of growth in electronic commerce. Government business includes administration, operations, and delivery of programs and services. The use of the Internet in conducting government business is an important part of the government's policy of making electronic commerce its preferred way of doing business. The government's commitment to serve as a model user of the information highway supports the Information Highway Advisory Council's recommendation and forms part of the platform toward Canada's goal of becoming a world leader in electronic commerce.

The audit objective was to assess the government's progress in three key areas:

  • the development and implementation of a public key infrastructure for the federal government as a measure for secure electronic commerce;
  • the review of and changes to the legal framework in support of transacting business electronically; and
  • the implementation of common infrastructures to support government administration, operations and delivery of services via the Internet.
The audit sought to identify and highlight issues in these areas that require resolution to help advance the use of the Internet in government operations, both internally and externally. We did not audit other emerging policies such as those relating to privacy, cryptography, intellectual property and taxation. Nor have we examined the government's role and efforts in broadening public access and enhancing skills and awareness of the information highway.

We also examined four electronic commerce initiatives being pilot-tested or operating with the use of the Internet in government service delivery. They include trademarks registration at Industry Canada, electronic regulatory filing at National Energy Board, the MERX tendering service at Public Works and Government Services Canada, and Online statistics (CANSIM and trade data) at Statistics Canada.

Criteria

The general criteria used in the audit were as follows:

Security

  • Clear roles and responsibilities should be established for ensuring proper safeguards for electronic commerce within and outside government.
  • Risks and issues concerning electronic commerce, specifically confidentiality of information and authentication of senders/recipients, should be identified and addressed in a cost-effective manner.
Legal framework

  • The legal framework should provide for appropriate definition and interpretation of records and signatures in support of the use of electronic commerce in government.
Common infrastructures

  • Government-wide standards and guidelines should be in place to ensure support of electronic commerce with common technological infrastructures that offer reliability, interoperability and scalability. Policies and guidelines to effect a government-wide approach to providing electronic services should exist and be readily accessible by the intended community and easy to use.
  • Measures should be in place to ensure proper conformance to standards and policies.
Selected electronic commerce initiatives

  • Electronic commerce initiatives should be developed and managed to meet business needs with due regard to security, legal requirements and interoperability.

Audit Team

Assistant Auditor General: Douglas Timmins
Principal: Nancy Cheng
Directors: Guy Dumas and Tony Brigandi

Joe Lajeunesse

For information, please contact Nancy Cheng.