Public Accounts Committee on April 3rd, 2024

We do have a list of those names, and we can provide it to the committee.

Yes. Thank you very much.

As I've said before, it would be totally unacceptable for a contractor to be involved in drafting a request for proposals for a contract that they then bid for. Under the procurement rules, you can use a contractor for technical reasons, but they then have to exclude themselves from making a bid for that contract, and it has to be disclosed.

My answer to the question is I do not know, because I've not been involved in any of those internal investigations, and I'm certainly not involved in the RCMP investigation. If wrongdoing is found in any case, with any of these contracting approaches, then action will be taken. That's what I'm assuring, but I can't say at this moment a name because I do not know a name.

What Mr. Hayes helped me with was just to remind me of the chronology around who was involved in the border technologies and innovation directorate, and I do accept that chronology.

I apologize to Mr. MacDonald for mentioning him when clearly we know he was not there at that time.

I have not been approached by the RCMP at all.

What I can say is that normally our service level indicator is to do a complex review within 120 working days. This review started in November 2022, following the Botler allegations. A discussion was held in December 2022 with the RCMP. The RCMP felt that interviewing witnesses could impact their own investigation, and they therefore asked the CBSA not to step down their investigation but not to pursue all avenues.

In October 2023, the RCMP informed the CBSA that those investigations could now continue, and the CBSA internal investigation proceeded. It came out with a preliminary statement of facts, which I'm not aware of. I have not seen that, but my understanding is that it was shared with the OGGO committee.

I think we're always looking at how to modernize and improve the code of conduct. There is a review being undertaken at the moment around the code of conduct. The aim is always to make sure that it is relevant. For example, if social media changes, then adjustments need to be made to the code of conduct.

As I said, I think the procurement improvement plan, which I've been working very hard on over the last nine months, has taken a number of actions in that respect, in particular around the conflicts of interest and in particular around the disclosure of relationships or within interactions with vendors or potential vendors.

My belief is that ArriveCAN did provide value for money, but it didn't provide the best value for money. I know that not necessarily everyone agrees with that approach, but we had to do this at a time of national emergency.

We had to get the paper-based system out of the approach and get into a digital system. That was done within six weeks, and it was very important for our officers not to fear touching pieces of paper from people crossing the border.

I think it's a really important sort of thing to recognize that we did not do everything right with ArriveCAN. We recognize that, and we accept the recommendations made and are doing something about it. Overall, we did a very difficult job in very difficult times, and I'm proud of what we did, but we did make some mistakes and will learn from those mistakes.

The data breach actually got a very small amount of data from Aurora, and we were subjected to blackmail. Basically, they tried to force us to pay to not release it, but the amount of information they stole was extremely limited, so we made a decision as an organization not to pay.

It didn't. The reality is that anybody can read any of the news. Cyber-attacks are increasing. As we've seen with the Government of Canada in the last year, since I've been here, a number of cyber-attacks have disrupted services. Every organization is under attack. The vast majority of organizations have been subjected to successful attacks, so it's not uncommon at all.

The thing that worked well when I was at Aurora was the design of our cybersecurity. While the hacker was able to get in, they were only able to get a very small amount of data, so our protection actually worked very well. A cyber-attack that's successful is never ideal, but every CIO is prepared for that.

You're never as prepared as you could be, but the reality is that cyber-attacks continue to increase worldwide. You just have to google the number of companies that get hacked on a daily basis. It is expected. What you have to do is limit the damage, and in this case the damage was extremely minimal.