Evidence of meeting #13 for Government Operations and Estimates in the 43rd Parliament, 2nd Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was technology.

A recording is available from Parliament.

Also speaking

Benjamin Bergen  Executive Director, Council of Canadian Innovators
Neil Desai  Vice-President, Corporate Affairs, Magnet Forensics, and Senior Fellow, Munk School of Global Affairs and Public Policy, Council of Canadian Innovators
Sime Buric  Vice-President, K'(Prime) Technologies
Rory Olson  Chief Executive Officer, VOTI Detection Inc.

4:35 p.m.

Vice-President, Corporate Affairs, Magnet Forensics, and Senior Fellow, Munk School of Global Affairs and Public Policy, Council of Canadian Innovators

Neil Desai

On the specific Nuctech stuff, I'll defer to my colleagues, but on the cybersecurity piece, the one thing I'll say, and I'll be very general here, is that, in human history, as long as people have things of value, there are unscrupulous people looking to try to get them. Digital is no different. The major nuance there is that people can act from afar and anonymize their behaviours.

The one thing I struggle with in the rhetoric around cybersecurity, both at the public and private level, is this commentary that “I am wholly secure.” Then when instances such as the ones you've outlined happen, we go into PR reaction modes of, “Well, these are all the things I did.” We need to be a bit more nuanced in our communications, level with people and say this is a major risk to the security of Canadians, to the prosperity of Canadians, and frankly, to our sovereignty when we talk about things such as elections, because there is no wholly secure system in the analog world, and I can tell you, I guarantee you, there isn't in the digital context.

I've often called for more of a public-private approach to Canadian cybersecurity. I'll also say that we're learning through the pandemic that things that are “essential” don't always sit in the purview of the Government of Canada, let alone the public sector. I know this committee is thinking about government operations and cybersecurity, or security generally, but we have to be cognizant that a lot of the essential systems in our society are outside the realm of the federal government and we need better public-private exchange on these subjects.

4:40 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you.

I echo that as well. It's a very good point that there's never going to be a situation where the government spends enough or the government has done enough to ensure that we will be wholly safe from cybersecurity threats. It's a war and it's a forever war that we're going to have to keep fighting. We're going to have to keep adapting. We're going to have to keep investing in new technologies, because what we're seeing out of countries like China with quantum computing is that the threats are evolving, and we need to evolve.

For too long Canada has taken for granted that we're not going to be targeted by these state actors or criminal organizations, but it's becoming an increasingly competitive and hostile world. Don't you think it's time for the government to put forward a real strategy to ensure that we can evolve and adapt, a strategy that would lead to an application like Nuctech's being dismissed out of hand because it's common sense? We're all acknowledging on this committee that a company like that should have never been considered for this kind of contract.

4:40 p.m.

Vice-President, Corporate Affairs, Magnet Forensics, and Senior Fellow, Munk School of Global Affairs and Public Policy, Council of Canadian Innovators

Neil Desai

To me, when someone says “strategy” in a public sector context, what I believe is that it has to be horizontal in government, not vertical. What I see being called “strategy” is that they've secured this specific thing. You know, this X-ray machine meets the needs of the security of this embassy. I think we have to be a little more holistic. I don't mean that just in a Canadian context. We have to look at multilateralism and evolve it as well.

We have the Five Eyes, which I would say is one of the most effective forms of multilateralism that Canada is a part of, discussing critical issues of cybercrime, infrastructure, integrity and such. We are putting it at risk currently.

I think better conversations with our allies where we have capabilities, not just in Canada but within our tight, close allies where we have co-accreditation of technologies and of governance of those technologies, these are some actual solutions we can be looking at. Not everything is going to be able to be built under the watchful eye of the Government of Canada. We have to take a risk management approach here, not a risk avoidance approach, because we're just going to be let down at the end of the day if we have a risk avoidance approach.

4:40 p.m.

Conservative

Dane Lloyd Conservative Sturgeon River—Parkland, AB

Thank you.

4:40 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Desai.

Thank you, Mr. Lloyd.

Now we'll go to Mr. Jowhari for five minutes.

4:40 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you, Mr. Chair.

Thank you to all the witnesses. It's been quite informative.

I'll start with Mr. Bergen.

Mr. Bergen, in the closing part of your opening remarks, you talked about a strategic versus economic lens, or at least a balance of a strategic and economic lens. Also, you indicated or you predicated that the current process for procurement is more like the lowest price of a static product. You said the technology is evolving, and it's evolving quickly, and our current procurement process is not aligned with it. Mr. Desai has talked about various activities or various indicators of the fact that we're not using a strategic lens, and the last comment on a horizontal way of thinking rather than vertical is an example of that.

My question to both Mr. Bergen and Mr. Desai is this: What specific changes do we need to make to the procurement process to make it more agile as well as more horizontal?

Mr. Bergen, would you like to start?

4:45 p.m.

Executive Director, Council of Canadian Innovators

Benjamin Bergen

I think I'll pass it over to Neil, given that he's already articulated some of these pieces and is so eloquent on this stuff.

4:45 p.m.

Vice-President, Corporate Affairs, Magnet Forensics, and Senior Fellow, Munk School of Global Affairs and Public Policy, Council of Canadian Innovators

Neil Desai

Thanks. I appreciate the question.

I'll get into the nitty-gritty. When we develop a piece of software, it is not static, as I mentioned. It's a 1.0. We have a road map that's very tight and, I would say, within a six-month window. There's still a road map even beyond that for up to two years. That's constantly evolving based on our users' feedback and the things we're learning about the cyber-threat landscape, etc.

In a procurement process, what we see is a waterfall list, a long laundry list of capabilities that are required on the day the RFP goes live. That list usually takes almost a year, if there's an RFI, through to the RFP. Really, most of the time when we see these RFPs, they're dated by the time they get posted, or they are actually asking for things that don't exist in the market or aren't functionally capable.

Oftentimes when we show them to users of such products in the government, they don't even know where they came from or why anyone would want those capabilities. The things they want are very specific. They have to navigate that through procurement services, where they actually list in a waterfall way what they want today, in a long laundry list, but they also know that it's going to evolve over time. Sometimes, frankly, they have to do what they know is wrong and say that they're picking things that will lead them to where they want to get to in six months.

I think there are a couple of really tangible things we can be doing. One is shortening the time, the length from information gathering through to procurement. Then, concurrently, we can be reducing the dollar amounts so that the risk isn't as high, and acknowledging how software is built—highly iterative, versioned—including opportunities to pitch road maps of technologies within the procurement process to the end-users and the technologists, not to the procurement people to be translated into jargon, but in the language that the end-users use them.

Also, then, there's understanding the landscape in a constant way. We have a procurement system that's highly responsive and not actually proactive in getting to the marketplace and understanding, first, what's out there, and second, what's possible within road maps and structures.

The last piece I'll say is that in the security phase, I think we need to do more assessment of companies and getting security clearance to the companies that have capabilities and can have capabilities in the future, so that they can work with government more hand in glove.

4:45 p.m.

Liberal

Majid Jowhari Liberal Richmond Hill, ON

Thank you.

That was the “one, two, three, four” that I was looking for. Hopefully, it will make it into our report as a recommendation.

I'm going quickly to Mr. Buric and Mr. Olson.

You guys have talked about the acquisition, installation and maintenance. In the case you talked about, the fact was that you've already installed products at CBSA.

When it comes to the maintenance, there's been a lot of concern about the possibility of data being downloaded. Is that specific only to the maintenance for Nuctech or is it a risk that's available or that you're exposed to for all products that contain data during maintenance, in that if it's not properly overseen or validated, the data may get lost?

Probably Mr. Olson can talk about that first.

4:45 p.m.

Chief Executive Officer, VOTI Detection Inc.

4:45 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Mr. Olson, if you could respond fairly quickly, I would greatly appreciate that.

Thank you.

4:45 p.m.

Chief Executive Officer, VOTI Detection Inc.

Rory Olson

Thank you.

It's a big question, and I'm not sure a short answer can do it.

4:45 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

If you feel that it would be better to give a written response, then that would be fine as well.

4:45 p.m.

Chief Executive Officer, VOTI Detection Inc.

Rory Olson

Fine. If someone will send me the question, I'm more than happy to put it in writing.

4:45 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Okay. Thank you very much.

That ends our second round.

In looking at the clock, we basically have 10 minutes left to do this. What we will do is that we will go to one question per party in order for the witnesses to finish at the time frames they were looking for.

We'll go to Mr. Paul-Hus for one question please.

4:45 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Thank you, Mr. Chair.

Given the recent experience with Nuctech, the issue with CanSino Biotech and the situation with Huawei, we recommend that national security review all contracts with Chinese companies.

I want to hear your thoughts on this, Mr. Olson.

4:50 p.m.

Chief Executive Officer, VOTI Detection Inc.

Rory Olson

Could you please repeat the question?

4:50 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

Given the recent experience with Nuctech and the issues with CanSino Biotech and Huawei, the Conservative Party members are asking that national security review all contracts with Chinese companies. I want to hear your thoughts on this.

4:50 p.m.

Chief Executive Officer, VOTI Detection Inc.

Rory Olson

I'm not in a position to determine who should be investigated and for what. That's not something I'm confident to comment on.

4:50 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Olson.

Thank you, Mr. Paul-Hus.

We'll go to Mr. Weiler for one question.

4:50 p.m.

Liberal

Patrick Weiler Liberal West Vancouver—Sunshine Coast—Sea to Sky Country, BC

Thank you, Mr. Chair. I'll try to make this one question count.

I'd also like to first thank the witnesses for joining us for a very interesting discussion today.

My question is for Mr. Desai.

You mentioned some of the programs that the U.S. has for procurement, and you mentioned DARPA specifically. There is a local biotech company called AbCellera that won a competition that DARPA had where companies could compete to show how they could respond to the threat of a pandemic in developing a therapy.

It just so happens that, once the pandemic hit this year, there was a significant amount of investment from the Canadian government into AbCellera to develop a treatment for COVID, which eventually they did, and it was approved by PHAC, and we've now procured 26,000 doses of the therapy.

This is an interesting example, and I was wondering if you could speak to what lessons you think we can learn from the response to the pandemic with respect to the medical sector and how this can translate to support of the tech sector, particularly to navigate the valley of death?

4:50 p.m.

Vice-President, Corporate Affairs, Magnet Forensics, and Senior Fellow, Munk School of Global Affairs and Public Policy, Council of Canadian Innovators

Neil Desai

Thanks for that really thoughtful question.

I'm not in the bio space, but I think the lessons I draw from experience dealing with similar organizations like DARPA in the U.S., on more of the law enforcement or national security side of technology versus the medical security side, is that we have to start being able to walk and chew gum. We need to understand that solving real problems that are societal problems is the best form of economic development. If we don't marry those two, we will lose some of our best companies.

I will say that, if we work with some of those types of agencies similar to DARPA in other jurisdictions, they become attempts to draw us away from Canada. If we don't mirror this.... This is not just saying we should be nice Canadians and support our companies. This is a matter of future prosperity and maintaining our standard of living in this country. This is how, in highly secure industries, development is being done, both in the public and private sector.

4:50 p.m.

Conservative

The Chair Conservative Robert Gordon Kitchen

Thank you, Mr. Weiler and Mr. Desai.

I have Ms. Vignola for one question.

4:50 p.m.

Bloc

Julie Vignola Bloc Beauport—Limoilou, QC

I'll be brief. We asked many questions. We sometimes received an answer, and we sometimes didn't. It depends on your area of expertise. Are there any questions that we haven't asked and that you would like to address?

The question is for Mr. Buric.

4:50 p.m.

Vice-President, K'(Prime) Technologies

Sime Buric

One of the questions I believe should be asked is “Should the hardware or any type of equipment be examined before going out into the field, as is done by some other Canadian entities?” CATSA, some of the transportation safety authorities and CBSA do examinations of hardware before it is deployed. That is definitely something that I believe the cybersecurity field should take into consideration for any future bids.