Government Operations Committee on Dec. 9th, 2020

To me, when someone says “strategy” in a public sector context, what I believe is that it has to be horizontal in government, not vertical. What I see being called “strategy” is that they've secured this specific thing. You know, this X-ray machine meets the needs of the security of this embassy. I think we have to be a little more holistic. I don't mean that just in a Canadian context. We have to look at multilateralism and evolve it as well.

We have the Five Eyes, which I would say is one of the most effective forms of multilateralism that Canada is a part of, discussing critical issues of cybercrime, infrastructure, integrity and such. We are putting it at risk currently.

I think better conversations with our allies where we have capabilities, not just in Canada but within our tight, close allies where we have co-accreditation of technologies and of governance of those technologies, these are some actual solutions we can be looking at. Not everything is going to be able to be built under the watchful eye of the Government of Canada. We have to take a risk management approach here, not a risk avoidance approach, because we're just going to be let down at the end of the day if we have a risk avoidance approach.

I think I'll pass it over to Neil, given that he's already articulated some of these pieces and is so eloquent on this stuff.

Thanks. I appreciate the question.

I'll get into the nitty-gritty. When we develop a piece of software, it is not static, as I mentioned. It's a 1.0. We have a road map that's very tight and, I would say, within a six-month window. There's still a road map even beyond that for up to two years. That's constantly evolving based on our users' feedback and the things we're learning about the cyber-threat landscape, etc.

In a procurement process, what we see is a waterfall list, a long laundry list of capabilities that are required on the day the RFP goes live. That list usually takes almost a year, if there's an RFI, through to the RFP. Really, most of the time when we see these RFPs, they're dated by the time they get posted, or they are actually asking for things that don't exist in the market or aren't functionally capable.

Oftentimes when we show them to users of such products in the government, they don't even know where they came from or why anyone would want those capabilities. The things they want are very specific. They have to navigate that through procurement services, where they actually list in a waterfall way what they want today, in a long laundry list, but they also know that it's going to evolve over time. Sometimes, frankly, they have to do what they know is wrong and say that they're picking things that will lead them to where they want to get to in six months.

I think there are a couple of really tangible things we can be doing. One is shortening the time, the length from information gathering through to procurement. Then, concurrently, we can be reducing the dollar amounts so that the risk isn't as high, and acknowledging how software is built—highly iterative, versioned—including opportunities to pitch road maps of technologies within the procurement process to the end-users and the technologists, not to the procurement people to be translated into jargon, but in the language that the end-users use them.

Also, then, there's understanding the landscape in a constant way. We have a procurement system that's highly responsive and not actually proactive in getting to the marketplace and understanding, first, what's out there, and second, what's possible within road maps and structures.

The last piece I'll say is that in the security phase, I think we need to do more assessment of companies and getting security clearance to the companies that have capabilities and can have capabilities in the future, so that they can work with government more hand in glove.

Sure.

Thank you.

It's a big question, and I'm not sure a short answer can do it.

Fine. If someone will send me the question, I'm more than happy to put it in writing.

Could you please repeat the question?

I'm not in a position to determine who should be investigated and for what. That's not something I'm confident to comment on.

Thanks for that really thoughtful question.

I'm not in the bio space, but I think the lessons I draw from experience dealing with similar organizations like DARPA in the U.S., on more of the law enforcement or national security side of technology versus the medical security side, is that we have to start being able to walk and chew gum. We need to understand that solving real problems that are societal problems is the best form of economic development. If we don't marry those two, we will lose some of our best companies.

I will say that, if we work with some of those types of agencies similar to DARPA in other jurisdictions, they become attempts to draw us away from Canada. If we don't mirror this.... This is not just saying we should be nice Canadians and support our companies. This is a matter of future prosperity and maintaining our standard of living in this country. This is how, in highly secure industries, development is being done, both in the public and private sector.

One of the questions I believe should be asked is “Should the hardware or any type of equipment be examined before going out into the field, as is done by some other Canadian entities?” CATSA, some of the transportation safety authorities and CBSA do examinations of hardware before it is deployed. That is definitely something that I believe the cybersecurity field should take into consideration for any future bids.