Government Operations Committee on Dec. 9th, 2020

Mr. Chair, honourable members, thank you for the opportunity to present today.

I'm Benjamin Bergen, executive director of the Council of Canadian Innovators, or CCI, a national business association that represents more than 130 of Canada's fastest-growing technology companies. Last year alone, our members employed more than 40,000 Canadians and generated more than $6.5 billion for the domestic economy.

I'm joined today by Neil Desai, a senior executive with one of CCI's member companies, Magnet Forensics. Neil is an expert in cybersecurity and public procurement policy and will have much to contribute to today's discussion. For my part, I'll focus my comments on the role that procurement can play in supporting the growth of Canada's homegrown companies.

As your 2018 report on modernizing procurement stated, the Government of Canada is the biggest customer of goods and services in the country, and the procurement system has the opportunity to be a much larger driver of economic prosperity. In the global innovation race, having the Canadian government as a purchaser of goods and services is considered a major validator for domestic companies. It helps them to accelerate future sales with other governments around the world, which in turn enhances Canada’s innovation export potential.

We are all abundantly aware of the issues the federal government has faced with procurement in recent years, especially when it comes to buying technology systems. The Phoenix pay system, the Government of Canada website renewal project, and now the X-ray machines for Canadian embassies, have each become matters of national interest, and for all the wrong reasons. The end result is billions of dollars paid to foreign technology firms that have failed to deliver on what they promised.

Canada's current approach to procurement lacks a strategic economic development lens, which has a direct impact on the economic opportunities for domestic innovators who wish to help their governments defend physical and digital borders. This all has a negative impact on both our prosperity, and more importantly, national sovereignty.

I'd now like to turn it over to Neil Desai for his opening comments.

Thanks very much, Ben.

Thanks to members of the committee.

Magnet is a Waterloo-based cybersecurity company that provides digital investigation software solutions that are used by over 4,000 police, national security and other public and private entities with investigative authorities in 94 countries.

We're proudly Canadian and thankful to call a dozen federal organizations our customers, but I should point out that Canada accounts for about 5% of our business.

The challenge we see with federal procurement in the security sector is the lack of a strategic lens. First and foremost, the government continues to buy modern tech, largely software, the same way it purchases office supplies, through lengthy RFI and RFP processes that are focused on what is believed to be the lowest price of a static product, versus the best value delivered through a solution that will evolve to develop benefit over a long time horizon.

Modern software is highly iterative technology. It can solve key problems, but it can also create grave ones if it's not developed and purchased with foresight and a focus on value. Leading global governments in procuring security solutions acknowledge this, and allow their front-line experts to work with their innovators much earlier in the development cycle. They also keep a close eye on the potential for such solutions to be exported.

This isn't to say that these governments don't buy foreign technology, but they assess the risk and consider the prosperity opportunity. They use national security and small business exemptions in their trade agreements. They also use non-tariff barriers such as security clearances and government expectations, to ensure that the solutions they procure are trustworthy and deliver economic spillovers. They also shorten procurement to align with imperative development cycles, allowing pivots and off-ramps to avoid massive failures.

The concern I'm expressing here today is less from a business-operator perspective and more from a proud Canadian vantage point.

Cybersecurity is the nexus of prosperity preservation and creation with geopolitical conflict and criminal activity. If we, as a country, don't update our playbook soon, we risk being left behind.

I'd be happy to animate the themes I've covered with some tangible approaches to a Canadian-made technology procurement strategy.

Thanks very much.

Thank you, committee members.

My name is Sime Buric, and I am the vice-president of K'(Prime) Technologies.

K'(Prime) Technologies is a Canadian-based company based in Calgary, Alberta. We employ approximately 40 people across the country. Our CEO, Kham Lin, and our CFO, Amanda Lin, started the company 22 years ago. The company was founded as a sales and service provider for the analytical testing and security market. We are a for-profit organization that is not subsidized by government. To be competitive, we need a fair playing field.

I want to start by saying that we share the views of prior witnesses, such as Mr. Burton, Mr. Mulroney, Ms. Carvin and Mr. Leuprecht. We are one of the companies that submitted a response to the tender. A lot of the issues that OGGO is discussing now are issues that we brought up when we challenged the awarding of the standing offer. We followed the only avenue we had to challenge the awarding by submitting a complaint to the Canadian International Trade Tribunal.

One of the concerns that we brought to the CITT was the question of how Nuctech could meet the Canadian regulations when submitting bids. We provided examples of many global news articles and decisions against Nuctech for some questionable practices. We expressed our concern about competing against a state-owned company. VOTI Detection—which I'm glad to see is on this witness panel—another Canadian company that bid on the tender, also expressed concerns about Nuctech. In a newspaper article, VOTI also expressed concerns, knowing how the equipment and the hardware could be significantly cheaper—up to 25%.

Another concern that I brought to the attention of the tribunal was the stretching of the truth when it came to the abilities of the technology to automatically detect weapons and other potential threats. All the X-ray systems run on a similar principle. The systems that were quoted were all of a single-view type, meaning a picture from one angle. The probability of accurately identifying a specific threat—like the difference between a gun, knife or bomb—with a single-view system is low, but the specification was not removed or revised. A single-view system is not meant to replace the use of visual inspection of a package. It is meant to be a complementary technique.

The X-ray systems differentiate threats based on atomic mass. Therefore, a colour is applied to the screen to identify a material, whether it's a metal, liquid or organic material, etc. If the premise is to reduce the amount of visual inspections, a dual-view system or a CT-based system is necessary, but these require a higher investment and are similar to what CATSA uses at the airports.

Unfortunately, these concerns were not investigated further, and our complaint on the matter was disregarded. Based on the decision by CITT, it was recommended that we be charged $575 for the challenge.

I personally have over 14 years of experience in responding to government tenders. This was one of the more difficult tenders to respond to, as there were a lot of unrealistic hypotheticals in terms of the number of units required per global region. When I would respond to any previous tenders, the specifications were clear and concise. The number of units was specific or a price per unit and a standing offer issued over a specific number of years. The locations where the units were to be installed were specific.

These are just a few examples of some of the hurdles presented when responding. As this tender was based on hypotheticals, it made responding to the tender more difficult than it had to be. Companies that are for-profit organizations then have to uplift or pad their pricing to make sure they do not lose money in different regions.

There are a lot of security concerns that have been discussed in previous committee meetings. It has been mentioned a couple times that X-ray equipment would be a low to medium security threat. Yes, electronic modifications can be done after the fact by a service person or by anyone else who has access to the equipment, but we also need to question whether there's a security threat coming in with the system. Who tests whether there's a back door, malware or any other security vulnerability in the system prior to deployment?

We at K'(Prime) Technologies are responsible for the maintenance of X-ray equipment at many airports across the country. In order to provide this service, we are required to have a restricted area identity card, which is an application that is reviewed and approved by Transport Canada, to get access to the equipment. However, in order to service equipment at the embassies, no clearance is necessary.

As a Canadian citizen representing a Canadian company that employs Canadians across the country, I am here to say that we are looking for our government to provide better procurement standards, and for matters of security to be reviewed at a higher level with interdepartmental collaboration. This could hopefully prevent the government from spending taxpayers' dollars on expensive reviews by external companies when there are resources available internally, like the Canadian Centre for Cyber Security.

Canadian companies need to abide by ethical and legal standards to compete for business. We want these standards to apply to all non-Canadian organizations that want to do business in Canada. When it comes to security, reviews of companies need to be done ahead of reviewing tender responses, to exclude companies that do not meet the Canadian standard.

I thank you for your time and welcome any questions.

Thank you very much, Mr. Chairman and honourable members. Thank you for this opportunity to address the committee on issues that I believe are of critical importance to VOTI Detection and the Canadian business community.

In my remarks I will address three main issues that I believe are relevant to your hearings, and it would be my pleasure afterwards to take any questions you might have.

First, as president and chief executive officer of VOTI Detection, I stress our support for the competitive bid process in public procurement. We welcome the opportunity to offer best-in-class technology to address the needs of our potential clients, while offering tremendous value for money. VOTI Detection believes the procurement opportunity that was managed by Public Services and Procurement Canada for the benefit of Global Affairs Canada followed all the rules in place at that time.

Our request of policy and decision-makers is the consideration of changing some of those rules. The only thing we ask for is the opportunity to participate in the bid process on a level playing field. We believe it is virtually impossible to have a level playing field when companies that are state-sponsored, with a history of predatory pricing practices, are allowed to participate. There should be a vetting of companies to ensure that they have the ability to deliver all the commitments in their bid while respecting the high ethical standards of business governance.

Our belief is that any company that has been disqualified from procurement opportunities for security reasons by our closest allies or known to have engaged in illicit and corrupt practices such as bribery and honey trapping should be excluded from Canadian government bid opportunities. It is our hope that the bid authorities will embrace opportunities to consider the value of benefits other than a low price in the evaluation of submitted bids.

The second issue touches on security considerations related to the acquisition, deployment and ongoing maintenance of X-ray security scanners. While we understand that the security scanners will not be connected to any network, we also understand that the scanners will record and store data that should be kept highly confidential. Although the data will not be vulnerable to a network attack, whenever a technician—a simple technician—is required to perform preventative maintenance, a software update or the servicing of a defective part, there would be ample opportunity for that technician to download the sensitive data that should be protected and send it to wherever that person wishes.

The security value can go beyond the actual technology. Companies and the individual employees who will participate in the fulfillment of the procurement opportunity could, and should, receive security clearances based on reliable and verifiable information.

The third point is to stress the importance for Canadian business to find government support through public procurement, especially during these very difficult economic times. I believe small and medium-sized businesses are the backbone of the Canadian economy and the greatest opportunity to stimulate sustainable growth. There is no support that is more valuable that a government entity can give to a Canadian business than a purchase order. Procurement of Canadian goods supports domestic industry as well as the important downstream supply chain. These businesses employ Canadians, and it is through the fulfillment of purchase orders that businesses can grow, continuing to invest in growth strategies, research and development and the creation of additional jobs for Canadians.

VOTI Detection employs over 80 people across Canada. These are high-paying research and development jobs with fundamentally superior IP in technology to any of the competitors in its class. These are things that should be taken into account and considered when going through any type of procurement process.

In conclusion, it's my hope that this committee will shape policy that will support better outcomes for the Canadian government, their departments and agencies, and for the Canadian people. It is my belief that, when possible, the promotion of a Canada-first or buy-Canadian procurement strategy would generate positive outcomes for all involved.

Again, Mr. Chairman and honourable members, I thank you for the opportunity to address you. I make myself available for any questions you might have.

In my opinion, when it comes to security, anything when it comes to the embassy has to be taken into the same account as any other high-risk area—for instance, the airports that we work at. Information is travel. People are travel. People go through. All of these, whether the risk is low or not, are still security threats. That has to be taken into account in any type of security response or tender.

All of those have to be applied to the same level when it comes to the procuring of hardware.

I can't respond on whether or not it was tailored toward a specific provider. What I can say is that, based on hypothetical numbers and the quantities that were being requested by specific regions, it was not realistic based on how many embassies are in those specific regions. When a contract gets awarded for a specific dollar value, when you have a lot of hypothetical quantities of equipment, it is very difficult to say what that final contract will be. When people say it's awarded at specific million-dollar amounts, it's not realistic. Therefore, you start getting budgets that get blown out of proportion, and costs start to creep up.

There is the potential for a security breach as a function of the machine being required to be maintained. From that maintenance visit, a maintenance technician could easily download all of the information on the hard drive.

My comments really speak to the fact that when you look at how procurement is done in this country, often you see foreign firms bidding but sometimes not actually delivering on what they're promising. We saw that with the Phoenix pay system. We've seen that with the government's website renewals and we are seeing it now with Nuctech in terms of X-rays.

I think the thread that pulls these pieces together is really more the strategy and the policy that we have with regard to procurement. I read over the comments from the committee on the 18th, and if you look at what Assistant Deputy Minister Ieraci and Assistant Deputy Minister Danagher stated, it's about lowest cost and it doesn't take into account other externalities and factors that are critical when thinking about public policy. You need to take into account national security—obviously it is an important piece—but also the opportunity to create prosperity through an economic driver, which is the government actually being a purchaser of these products.

Neil, would you like to add anything to that?

I think we're confusing two pieces here. Obviously funding research and development and cybersecurity is a positive step and the government should continue to do that. However, it is somewhat absurd when we don't have that same government actually go and buy that domestic technology to defend its borders. That really is the articulation of the challenge we're seeing with new technology right now. We could potentially have Canadian companies that have received things like SR and ED or IRAP or other funding, but then are not the actual company that's being purchased from.

Although it is all well and good for us to spend money on research and development, if we're not actually commercializing and building that capacity through companies in this country, it's a bit of a wash.

Neil, would you like to answer that question?

I'll jump in here and just say that these are all really great initiatives, and cyber is a real problem, but we also need to have a scaled understanding of the challenge and then work from there.

I'm going to one industry report. McAfee, a global player in cyber, has done independent research on this. They see cybercrime as growing from a $600-billion global problem two years ago to a $1-trillion problem this year, and they expect it to accelerate because of COVID and the number of vulnerable populations online.

Just on differentiating between economic development, things like the programs you mentioned in the previous question, and ITBs and procurement, I don't think we should consider procurement as a handout. I don't think anyone I heard during the opening statements was looking for favouritism.

What they are looking for is a level playing field, and I'll just say from a purely economic development perspective, a purchase order of $1 million is much greater in terms of its knock-on effects to the economy than $1 million of economic development programming. It validates the technology and its usability in the field, and frankly, we have to be cognizant that Canada is a very well-respected country globally. We make up about 2% of GDP and roughly the same amount of cybersecurity consumption, so the opportunity of domestic procurement—and the Government of Canada is one of the largest purchasers of cybersecurity tools in this country, along with the banking sector and other sectors—is not only to solve the narrow problem within government. It's to give an incredible launch pad to cybersecurity companies.

Frankly, we shouldn't look at size of company as the only measure of capability. We should get deep into the capabilities they have. Large system integrators, big companies—and I won't name them here—often have the balance sheet and lobbyists to withstand long RFI and RFP processes that are multiple years when they, in fact, don't have the technological capability.

Maybe we need to get a a lot clearer on what we're trying to achieve in procurement and create smaller bite-sized procurement processes we can get through, and then validate technology and start responding to problems the way technology is built and not the way procurement is built.

I think it would be extremely difficult to calculate what the degree of subsidy is relative to a given contract. A company like Nuctech is fully sponsored by the Chinese government, and as such, the financial commitment that the Chinese government has made is endless. There is nothing finite about it, so anything they do.... We have been in bids against Nuctech around the world, and in these reverse auctions, they will just continue to go lower and lower and lower. There is absolutely no floor. How do you quantify what the value of the subsidy is and then offset that and add it back to their price?

It would be extremely difficult, in my opinion.

Is that a question for me?

Go to Mr. Buric by all means. I'm not qualified to answer.

I'm not an expert in government policy, especially foreign government policy, so I can't comment on that.

I'm not able to comment on it, but it is an interesting question for sure.

Maybe I could provide some...not to the specific, but to the general question being asked.

As a Canadian company trying to sell in 94 different countries, as you move up market in security, significant questions come from foreign governments, such as how many nationals you employ, or if you have a separate board of directors for that country where the majority of members of that board of directors are nationals of that country.

As you, again, move further up the security spectrum in terms of risk, then it becomes “Is the development for this product done in country? Can it be validated in country? Would there be opposition to that if the deal size got to a certain level?” Among astute countries in the cybersecurity and broader security space, there's usually a risk opportunity matrix in the policy, where they have expectations of the vendors that increase as the risk increases.

I'd like to add that small companies like ours spend many millions of dollars a year developing their research and development. To be sure, a minuscule amount comes back to us through SR and ED and other potential subsidies, but not nearly what we put out. To look at the fact that a Chinese company, or any other company, can just hire a couple of people here and all of a sudden that makes them on par with a Canadian company deploying and spending millions, employing hundreds of Canadians, creating and participating in the economic ecosystem and supply chain, I don't see how that equation could ever work out.

I think it really depends on the type of technology being procured and where the security risk assessment is done. I think other witnesses have talked about leading agencies within the government context that have those technical skills to review the nature of a procurement and what the security risk is and then what mitigation should be put in within the procurement program.

I feel as though we're focused in very narrow lanes when it comes to procurement. It's buying at the lowest cost and then security is a separate consideration after the fact. Economic development is another consideration for another group of people at ISED. I think we need to be able to walk and chew gum in our public policy. We need to start looking at them as competing priorities but ones we want to reconcile. We're never going to get it perfect but we need to consider them through the procurement and also start looking at them as highly iterative. The actual technologies are built in an iterative way but the procurements are not. They are long—

We've supplied CBSA, in response to a tender, with X-ray machines, smaller tunnel-size 60-40 machines and one-metre-by-one-metre tunnel-size machines. We have provided them with quite advanced technology per their request. We worked very much hand in hand with them, and we continue to. I believe the fruits of that labour will have bestowed great benefits for CBSA in terms of their detection capability.

Yes.

I don't even know if Nuctech bid on that.

Millimetre wave technology is a complementary technique. It's meant for body screening. It allows for screening of anything through clothing material. It doesn't penetrate your skin, so it's not meant for packages. This technology we are bidding on right now is a human screening technology.

Currently, it's not connected to 5G in any way in terms of how the technology is being used.

We put our concerns on three different areas. In one area we spoke about the technology itself and how the technology that they were trying to apply outreached its capabilities in terms of the likelihood of differentiating between different types of threats, whether a gun or knife.

Another one we had was the concern of Nuctech being a subsidized state-owned company, with all the questionable practices. We provided a lot of newspaper articles from around the world in terms of some of the allegations. Basically, we brought to attention the information that they found to be true in terms of bribery, but the information was deemed not sufficient to go further.

The last one we brought up was about wanting to know the logistics of how to move equipment around the world. We stated that we use companies like FedEx or UPS, known suppliers of transporting goods, but they started knocking down points on how this was supposed to be done. Our response was that we work with our partners. That wasn't sufficient, so we challenged that response as well.

We are not in agreement, but we are accepting the outcome currently.

Not at this time, thank you very much.

We have a relationship with L3Harris, but it's no longer with L3Harris—it's with Leidos—where we are their service arm for the airports. We provide the servicing of the X-ray equipment for multiple airports across the country.

No, VOTI Detection has not been approached for any rebid or given any information about a rebid.

Mr. Buric, you can go first.

Depending on the region, if it's in the U.S. we've seen it on some private ones. Obviously price is usually the winning factor on a lot of these because everybody wants the lowest bid.

In the other bid opportunities where we have seen Nuctech in other countries outside of North America, while they were given an initial status as being a bona fide bidder, they were subsequently removed as such.

Listen, I'm not sure what the correct process is. I'm not a security expert and I'm certainly not an expert in the internal workings of government and best practices, but there are certain things that are so obvious that—

It certainly didn't need to take a quarter of a million dollars to tell you something, frankly speaking, that should have been quite obvious to everybody, and it was. The attempt to make it obvious to everybody was certainly something that was attempted.

I think a proper study on the number of ITBs that have actually been deployed for the specific-purpose or general-purpose technology that's being offset with a foreign piece of technology would be good. I think it's sometimes burdensome to force companies to try to find something in Canada that will work. Making sure that it's generally in the line of security would actually help the economic development piece.

However, an ITB, again, is really trying to create a local economic stimulus. I will go back to pointing out that, in some cases, when a Canadian company can fulfill a procurement and is being kept out for arbitrary reasons, or for unfair business practices from foreign players, I think we have to solve the narrow problem before we try to look at these big structural issues.

I'm blending into your previous question because it's a really important question. The separation between the subject matter expert in security and the procurement process is so wide, there is such a separation. I understand why. You want to make sure you have a fair, transparent process to make sure government money is being spent well. However, the reality of technology is that you need subject matter experts to review things like security, things like the governance of technology and how updates will be delivered. The only way to solve for that is to bring the subject matter expert closer to the procurement process.

I think the procurement officers do their best with what they're given, but there's such a time lapse and separation between those independent procurement officers and the actual technical problems to be solved. We have to figure out ways to get that transparency, but with those subject matter experts in the process to review the tech.

We were not on the standing offer. We were not in that final group.

I do not know the answer. I'm sorry.

That is correct.

We have not at this time. We wanted to see where this went first.

Neil, you laid out a couple of solutions in some of your comments earlier. I'm not sure if you want to articulate them again and maybe add on to them.

In the security space specifically, which is what I will talk about, because that's what I know best, I think we have to emulate and also create our own things that meet our own values and systems.

I will say that security clearance is one big piece. I will say that in other leading security technology countries there is a proactive focus on understanding the marketplace and ecosystem of technology companies, and not just understanding their technology but also understanding their technology road map, how it could be applied to public sector challenges and how that could be influenced. These things are done in a very structured way, not just as one-offs with people going out and talking to companies. It's very structured.

In the United States, there are a number of different programs, things like DARPA, the space program. In-Q-Tel is one that's offered by the intelligence community, the 21 intelligence agencies. They are less interested in procurement of a widget and more interested in a company's broad capability, its technical wherewithal and, frankly, the security and reliability of the board of directors, the executives, the key engineers and the key business people in the company.

I think these are really simple steps that we can be taking to avoid some of the challenges we're talking about here.

I will be clear about one thing. I'm not suggesting that the Government of Canada doesn't need to buy foreign technology, but if you put a strategic lens on top of the capabilities required—where there is Canadian capability versus where there isn't or where you take a longer-term value lens—a lot of these companies will win the procurements and then pad them with afterwork. That's their goal. If we look and project a bit forward and not at a static moment in time, we will get better value over the long run.

I will stop it there, Chair.

I may have missed a bit of what you were saying. Would you mind reiterating the question?

Thank you.

I think Neil might be able to illuminate some of the policy ideas behind helping to keep procurement opportunities for Canadian firms. It's a bit similar to what he mentioned in his previous comments.

Thanks Ben.

I'll nuance it. I don't believe it has to favour. I think we have to be very analytical in the outcomes we want. We want to see a successful business sector for the productivity of our country. Some of the facts we have to get on the record here is that Canada spends some of the highest amounts on investments in R and D from the public sector but has some of the lowest productivity outcomes in the OECD. That's our starting point. Continuing to do that and expecting better results is, by definition, insanity.

The second piece I'll say is that when we look at the economic development work we're doing—another member asked a question about some specific examples, but there are many different ones—we also have to be cognizant that the best form of financing for any company, regardless of what they make, is a purchase order. Take it to any bank, and they'll give you much better financing terms than a government grant, a government tax credit or a zero-interest loan. I think we have to acknowledge that in our analytical constructs here.

What I would say is that, if we assess the success of the programs out there in economic development for technology-intensive businesses, let's consider how we get people in government—who are frankly, as a sector, one of the largest buyers of technology in this country—to actually try Canadian tools and technologies.

Let's also be realistic. Through grants and subsidies we are giving companies money—start-ups, scaling companies, large technology companies—through SR and ED credits. Should we not try to take something back?

Thanks very much, Mr. Green.

The last thing I was saying is that, in these economic development programs that give grants or low-interest loans, the government should start taking the technology being built by Canadians and try to find out whether there are users in the government context. Many of our programs—even of our strategic procurement programs—are very ideological. They're either pure demand—the government has a problem it wants to solve, and that's innovative solutions Canada—or pure supply, the build in Canada program, which is when technology companies in Canada have a technology they want someone in the government to test.

The reality is that we need to play in the middle of those two, where Canadian technology vendors have something that's of value and that could potentially solve a government problem. If we get that middle ground right, I'm telling you, there will be major exports to be had and better economic growth for this country.

That was our business, and I'll tell you, we're not looking for any handouts here. However, I'll give you one example of the challenges that the Government of Canada faces in our software realm: investigating the extremely fast-growing issue of child sexual exploitation online, a massive, growing global issue. The same problem is happening in the U.K., the U.S. and around the world.

They all use their small and medium-sized enterprise exemptions in trade agreements. They all use their national security exemptions to work with their local innovators on solutions that solve problems such as that, or pure cybercrime investigations. That's what we're up against in a globally competitive world.

Again, I'm not suggesting that every piece of technology is going to have a Canadian vendor to solve the problem, but when there is a Canadian vendor that has technical chops and has an export potential and they get the door slammed shut on them, I just want to point out that with technology it's a winner-takes-all game a lot of times in procurement, so when you're locked out, you're locked out now for years and that launch pad is lost.

Therefore, we have to be very careful when there are Canadian players in the space and there are also security considerations.

On the specific Nuctech stuff, I'll defer to my colleagues, but on the cybersecurity piece, the one thing I'll say, and I'll be very general here, is that, in human history, as long as people have things of value, there are unscrupulous people looking to try to get them. Digital is no different. The major nuance there is that people can act from afar and anonymize their behaviours.

The one thing I struggle with in the rhetoric around cybersecurity, both at the public and private level, is this commentary that “I am wholly secure.” Then when instances such as the ones you've outlined happen, we go into PR reaction modes of, “Well, these are all the things I did.” We need to be a bit more nuanced in our communications, level with people and say this is a major risk to the security of Canadians, to the prosperity of Canadians, and frankly, to our sovereignty when we talk about things such as elections, because there is no wholly secure system in the analog world, and I can tell you, I guarantee you, there isn't in the digital context.

I've often called for more of a public-private approach to Canadian cybersecurity. I'll also say that we're learning through the pandemic that things that are “essential” don't always sit in the purview of the Government of Canada, let alone the public sector. I know this committee is thinking about government operations and cybersecurity, or security generally, but we have to be cognizant that a lot of the essential systems in our society are outside the realm of the federal government and we need better public-private exchange on these subjects.

To me, when someone says “strategy” in a public sector context, what I believe is that it has to be horizontal in government, not vertical. What I see being called “strategy” is that they've secured this specific thing. You know, this X-ray machine meets the needs of the security of this embassy. I think we have to be a little more holistic. I don't mean that just in a Canadian context. We have to look at multilateralism and evolve it as well.

We have the Five Eyes, which I would say is one of the most effective forms of multilateralism that Canada is a part of, discussing critical issues of cybercrime, infrastructure, integrity and such. We are putting it at risk currently.

I think better conversations with our allies where we have capabilities, not just in Canada but within our tight, close allies where we have co-accreditation of technologies and of governance of those technologies, these are some actual solutions we can be looking at. Not everything is going to be able to be built under the watchful eye of the Government of Canada. We have to take a risk management approach here, not a risk avoidance approach, because we're just going to be let down at the end of the day if we have a risk avoidance approach.

I think I'll pass it over to Neil, given that he's already articulated some of these pieces and is so eloquent on this stuff.

Thanks. I appreciate the question.

I'll get into the nitty-gritty. When we develop a piece of software, it is not static, as I mentioned. It's a 1.0. We have a road map that's very tight and, I would say, within a six-month window. There's still a road map even beyond that for up to two years. That's constantly evolving based on our users' feedback and the things we're learning about the cyber-threat landscape, etc.

In a procurement process, what we see is a waterfall list, a long laundry list of capabilities that are required on the day the RFP goes live. That list usually takes almost a year, if there's an RFI, through to the RFP. Really, most of the time when we see these RFPs, they're dated by the time they get posted, or they are actually asking for things that don't exist in the market or aren't functionally capable.

Oftentimes when we show them to users of such products in the government, they don't even know where they came from or why anyone would want those capabilities. The things they want are very specific. They have to navigate that through procurement services, where they actually list in a waterfall way what they want today, in a long laundry list, but they also know that it's going to evolve over time. Sometimes, frankly, they have to do what they know is wrong and say that they're picking things that will lead them to where they want to get to in six months.

I think there are a couple of really tangible things we can be doing. One is shortening the time, the length from information gathering through to procurement. Then, concurrently, we can be reducing the dollar amounts so that the risk isn't as high, and acknowledging how software is built—highly iterative, versioned—including opportunities to pitch road maps of technologies within the procurement process to the end-users and the technologists, not to the procurement people to be translated into jargon, but in the language that the end-users use them.

Also, then, there's understanding the landscape in a constant way. We have a procurement system that's highly responsive and not actually proactive in getting to the marketplace and understanding, first, what's out there, and second, what's possible within road maps and structures.

The last piece I'll say is that in the security phase, I think we need to do more assessment of companies and getting security clearance to the companies that have capabilities and can have capabilities in the future, so that they can work with government more hand in glove.

Sure.

Thank you.

It's a big question, and I'm not sure a short answer can do it.

Fine. If someone will send me the question, I'm more than happy to put it in writing.

Could you please repeat the question?

I'm not in a position to determine who should be investigated and for what. That's not something I'm confident to comment on.

Thanks for that really thoughtful question.

I'm not in the bio space, but I think the lessons I draw from experience dealing with similar organizations like DARPA in the U.S., on more of the law enforcement or national security side of technology versus the medical security side, is that we have to start being able to walk and chew gum. We need to understand that solving real problems that are societal problems is the best form of economic development. If we don't marry those two, we will lose some of our best companies.

I will say that, if we work with some of those types of agencies similar to DARPA in other jurisdictions, they become attempts to draw us away from Canada. If we don't mirror this.... This is not just saying we should be nice Canadians and support our companies. This is a matter of future prosperity and maintaining our standard of living in this country. This is how, in highly secure industries, development is being done, both in the public and private sector.

One of the questions I believe should be asked is “Should the hardware or any type of equipment be examined before going out into the field, as is done by some other Canadian entities?” CATSA, some of the transportation safety authorities and CBSA do examinations of hardware before it is deployed. That is definitely something that I believe the cybersecurity field should take into consideration for any future bids.

I'll go quickly.

You might also want to take a look at Russian technologies. It's a little less clear in the cybersecurity space, the lines between the public and private sector in that country, but there's definite risk. We're seeing some of our allies starting to analyze and create risk matrices for where they will allow Russian-made technologies into their cybersecurity supply chains.

I would say those are just a small sampling of the programs. I will say, however, that the non-tariff considerations that favour American SMEs are prevalent in the core of their procurement, besides those economic development programs that use procurement. This is core to their procurement system. We see it in everyday procurements: Please list your U.S. board of directors, and please list how many U.S. veterans you employ. Points are awarded for those types of things.

Eyes wide open, this is happening in other places and these are places that have the same trade agreements that we're party to.