Government Operations Committee on Dec. 9th, 2020

Mr. Chair, honourable members, thank you for the opportunity to present today.

I'm Benjamin Bergen, executive director of the Council of Canadian Innovators, or CCI, a national business association that represents more than 130 of Canada's fastest-growing technology companies. Last year alone, our members employed more than 40,000 Canadians and generated more than $6.5 billion for the domestic economy.

I'm joined today by Neil Desai, a senior executive with one of CCI's member companies, Magnet Forensics. Neil is an expert in cybersecurity and public procurement policy and will have much to contribute to today's discussion. For my part, I'll focus my comments on the role that procurement can play in supporting the growth of Canada's homegrown companies.

As your 2018 report on modernizing procurement stated, the Government of Canada is the biggest customer of goods and services in the country, and the procurement system has the opportunity to be a much larger driver of economic prosperity. In the global innovation race, having the Canadian government as a purchaser of goods and services is considered a major validator for domestic companies. It helps them to accelerate future sales with other governments around the world, which in turn enhances Canada’s innovation export potential.

We are all abundantly aware of the issues the federal government has faced with procurement in recent years, especially when it comes to buying technology systems. The Phoenix pay system, the Government of Canada website renewal project, and now the X-ray machines for Canadian embassies, have each become matters of national interest, and for all the wrong reasons. The end result is billions of dollars paid to foreign technology firms that have failed to deliver on what they promised.

Canada's current approach to procurement lacks a strategic economic development lens, which has a direct impact on the economic opportunities for domestic innovators who wish to help their governments defend physical and digital borders. This all has a negative impact on both our prosperity, and more importantly, national sovereignty.

I'd now like to turn it over to Neil Desai for his opening comments.

Thanks very much, Ben.

Thanks to members of the committee.

Magnet is a Waterloo-based cybersecurity company that provides digital investigation software solutions that are used by over 4,000 police, national security and other public and private entities with investigative authorities in 94 countries.

We're proudly Canadian and thankful to call a dozen federal organizations our customers, but I should point out that Canada accounts for about 5% of our business.

The challenge we see with federal procurement in the security sector is the lack of a strategic lens. First and foremost, the government continues to buy modern tech, largely software, the same way it purchases office supplies, through lengthy RFI and RFP processes that are focused on what is believed to be the lowest price of a static product, versus the best value delivered through a solution that will evolve to develop benefit over a long time horizon.

Modern software is highly iterative technology. It can solve key problems, but it can also create grave ones if it's not developed and purchased with foresight and a focus on value. Leading global governments in procuring security solutions acknowledge this, and allow their front-line experts to work with their innovators much earlier in the development cycle. They also keep a close eye on the potential for such solutions to be exported.

This isn't to say that these governments don't buy foreign technology, but they assess the risk and consider the prosperity opportunity. They use national security and small business exemptions in their trade agreements. They also use non-tariff barriers such as security clearances and government expectations, to ensure that the solutions they procure are trustworthy and deliver economic spillovers. They also shorten procurement to align with imperative development cycles, allowing pivots and off-ramps to avoid massive failures.

The concern I'm expressing here today is less from a business-operator perspective and more from a proud Canadian vantage point.

Cybersecurity is the nexus of prosperity preservation and creation with geopolitical conflict and criminal activity. If we, as a country, don't update our playbook soon, we risk being left behind.

I'd be happy to animate the themes I've covered with some tangible approaches to a Canadian-made technology procurement strategy.

Thanks very much.

Thank you, committee members.

My name is Sime Buric, and I am the vice-president of K'(Prime) Technologies.

K'(Prime) Technologies is a Canadian-based company based in Calgary, Alberta. We employ approximately 40 people across the country. Our CEO, Kham Lin, and our CFO, Amanda Lin, started the company 22 years ago. The company was founded as a sales and service provider for the analytical testing and security market. We are a for-profit organization that is not subsidized by government. To be competitive, we need a fair playing field.

I want to start by saying that we share the views of prior witnesses, such as Mr. Burton, Mr. Mulroney, Ms. Carvin and Mr. Leuprecht. We are one of the companies that submitted a response to the tender. A lot of the issues that OGGO is discussing now are issues that we brought up when we challenged the awarding of the standing offer. We followed the only avenue we had to challenge the awarding by submitting a complaint to the Canadian International Trade Tribunal.

One of the concerns that we brought to the CITT was the question of how Nuctech could meet the Canadian regulations when submitting bids. We provided examples of many global news articles and decisions against Nuctech for some questionable practices. We expressed our concern about competing against a state-owned company. VOTI Detection—which I'm glad to see is on this witness panel—another Canadian company that bid on the tender, also expressed concerns about Nuctech. In a newspaper article, VOTI also expressed concerns, knowing how the equipment and the hardware could be significantly cheaper—up to 25%.

Another concern that I brought to the attention of the tribunal was the stretching of the truth when it came to the abilities of the technology to automatically detect weapons and other potential threats. All the X-ray systems run on a similar principle. The systems that were quoted were all of a single-view type, meaning a picture from one angle. The probability of accurately identifying a specific threat—like the difference between a gun, knife or bomb—with a single-view system is low, but the specification was not removed or revised. A single-view system is not meant to replace the use of visual inspection of a package. It is meant to be a complementary technique.

The X-ray systems differentiate threats based on atomic mass. Therefore, a colour is applied to the screen to identify a material, whether it's a metal, liquid or organic material, etc. If the premise is to reduce the amount of visual inspections, a dual-view system or a CT-based system is necessary, but these require a higher investment and are similar to what CATSA uses at the airports.

Unfortunately, these concerns were not investigated further, and our complaint on the matter was disregarded. Based on the decision by CITT, it was recommended that we be charged $575 for the challenge.

I personally have over 14 years of experience in responding to government tenders. This was one of the more difficult tenders to respond to, as there were a lot of unrealistic hypotheticals in terms of the number of units required per global region. When I would respond to any previous tenders, the specifications were clear and concise. The number of units was specific or a price per unit and a standing offer issued over a specific number of years. The locations where the units were to be installed were specific.

These are just a few examples of some of the hurdles presented when responding. As this tender was based on hypotheticals, it made responding to the tender more difficult than it had to be. Companies that are for-profit organizations then have to uplift or pad their pricing to make sure they do not lose money in different regions.

There are a lot of security concerns that have been discussed in previous committee meetings. It has been mentioned a couple times that X-ray equipment would be a low to medium security threat. Yes, electronic modifications can be done after the fact by a service person or by anyone else who has access to the equipment, but we also need to question whether there's a security threat coming in with the system. Who tests whether there's a back door, malware or any other security vulnerability in the system prior to deployment?

We at K'(Prime) Technologies are responsible for the maintenance of X-ray equipment at many airports across the country. In order to provide this service, we are required to have a restricted area identity card, which is an application that is reviewed and approved by Transport Canada, to get access to the equipment. However, in order to service equipment at the embassies, no clearance is necessary.

As a Canadian citizen representing a Canadian company that employs Canadians across the country, I am here to say that we are looking for our government to provide better procurement standards, and for matters of security to be reviewed at a higher level with interdepartmental collaboration. This could hopefully prevent the government from spending taxpayers' dollars on expensive reviews by external companies when there are resources available internally, like the Canadian Centre for Cyber Security.

Canadian companies need to abide by ethical and legal standards to compete for business. We want these standards to apply to all non-Canadian organizations that want to do business in Canada. When it comes to security, reviews of companies need to be done ahead of reviewing tender responses, to exclude companies that do not meet the Canadian standard.

I thank you for your time and welcome any questions.

Thank you very much, Mr. Chairman and honourable members. Thank you for this opportunity to address the committee on issues that I believe are of critical importance to VOTI Detection and the Canadian business community.

In my remarks I will address three main issues that I believe are relevant to your hearings, and it would be my pleasure afterwards to take any questions you might have.

First, as president and chief executive officer of VOTI Detection, I stress our support for the competitive bid process in public procurement. We welcome the opportunity to offer best-in-class technology to address the needs of our potential clients, while offering tremendous value for money. VOTI Detection believes the procurement opportunity that was managed by Public Services and Procurement Canada for the benefit of Global Affairs Canada followed all the rules in place at that time.

Our request of policy and decision-makers is the consideration of changing some of those rules. The only thing we ask for is the opportunity to participate in the bid process on a level playing field. We believe it is virtually impossible to have a level playing field when companies that are state-sponsored, with a history of predatory pricing practices, are allowed to participate. There should be a vetting of companies to ensure that they have the ability to deliver all the commitments in their bid while respecting the high ethical standards of business governance.

Our belief is that any company that has been disqualified from procurement opportunities for security reasons by our closest allies or known to have engaged in illicit and corrupt practices such as bribery and honey trapping should be excluded from Canadian government bid opportunities. It is our hope that the bid authorities will embrace opportunities to consider the value of benefits other than a low price in the evaluation of submitted bids.

The second issue touches on security considerations related to the acquisition, deployment and ongoing maintenance of X-ray security scanners. While we understand that the security scanners will not be connected to any network, we also understand that the scanners will record and store data that should be kept highly confidential. Although the data will not be vulnerable to a network attack, whenever a technician—a simple technician—is required to perform preventative maintenance, a software update or the servicing of a defective part, there would be ample opportunity for that technician to download the sensitive data that should be protected and send it to wherever that person wishes.

The security value can go beyond the actual technology. Companies and the individual employees who will participate in the fulfillment of the procurement opportunity could, and should, receive security clearances based on reliable and verifiable information.

The third point is to stress the importance for Canadian business to find government support through public procurement, especially during these very difficult economic times. I believe small and medium-sized businesses are the backbone of the Canadian economy and the greatest opportunity to stimulate sustainable growth. There is no support that is more valuable that a government entity can give to a Canadian business than a purchase order. Procurement of Canadian goods supports domestic industry as well as the important downstream supply chain. These businesses employ Canadians, and it is through the fulfillment of purchase orders that businesses can grow, continuing to invest in growth strategies, research and development and the creation of additional jobs for Canadians.

VOTI Detection employs over 80 people across Canada. These are high-paying research and development jobs with fundamentally superior IP in technology to any of the competitors in its class. These are things that should be taken into account and considered when going through any type of procurement process.

In conclusion, it's my hope that this committee will shape policy that will support better outcomes for the Canadian government, their departments and agencies, and for the Canadian people. It is my belief that, when possible, the promotion of a Canada-first or buy-Canadian procurement strategy would generate positive outcomes for all involved.

Again, Mr. Chairman and honourable members, I thank you for the opportunity to address you. I make myself available for any questions you might have.

In my opinion, when it comes to security, anything when it comes to the embassy has to be taken into the same account as any other high-risk area—for instance, the airports that we work at. Information is travel. People are travel. People go through. All of these, whether the risk is low or not, are still security threats. That has to be taken into account in any type of security response or tender.

All of those have to be applied to the same level when it comes to the procuring of hardware.

I can't respond on whether or not it was tailored toward a specific provider. What I can say is that, based on hypothetical numbers and the quantities that were being requested by specific regions, it was not realistic based on how many embassies are in those specific regions. When a contract gets awarded for a specific dollar value, when you have a lot of hypothetical quantities of equipment, it is very difficult to say what that final contract will be. When people say it's awarded at specific million-dollar amounts, it's not realistic. Therefore, you start getting budgets that get blown out of proportion, and costs start to creep up.

There is the potential for a security breach as a function of the machine being required to be maintained. From that maintenance visit, a maintenance technician could easily download all of the information on the hard drive.

My comments really speak to the fact that when you look at how procurement is done in this country, often you see foreign firms bidding but sometimes not actually delivering on what they're promising. We saw that with the Phoenix pay system. We've seen that with the government's website renewals and we are seeing it now with Nuctech in terms of X-rays.

I think the thread that pulls these pieces together is really more the strategy and the policy that we have with regard to procurement. I read over the comments from the committee on the 18th, and if you look at what Assistant Deputy Minister Ieraci and Assistant Deputy Minister Danagher stated, it's about lowest cost and it doesn't take into account other externalities and factors that are critical when thinking about public policy. You need to take into account national security—obviously it is an important piece—but also the opportunity to create prosperity through an economic driver, which is the government actually being a purchaser of these products.

Neil, would you like to add anything to that?

I think we're confusing two pieces here. Obviously funding research and development and cybersecurity is a positive step and the government should continue to do that. However, it is somewhat absurd when we don't have that same government actually go and buy that domestic technology to defend its borders. That really is the articulation of the challenge we're seeing with new technology right now. We could potentially have Canadian companies that have received things like SR and ED or IRAP or other funding, but then are not the actual company that's being purchased from.

Although it is all well and good for us to spend money on research and development, if we're not actually commercializing and building that capacity through companies in this country, it's a bit of a wash.

Neil, would you like to answer that question?

I'll jump in here and just say that these are all really great initiatives, and cyber is a real problem, but we also need to have a scaled understanding of the challenge and then work from there.

I'm going to one industry report. McAfee, a global player in cyber, has done independent research on this. They see cybercrime as growing from a $600-billion global problem two years ago to a $1-trillion problem this year, and they expect it to accelerate because of COVID and the number of vulnerable populations online.

Just on differentiating between economic development, things like the programs you mentioned in the previous question, and ITBs and procurement, I don't think we should consider procurement as a handout. I don't think anyone I heard during the opening statements was looking for favouritism.

What they are looking for is a level playing field, and I'll just say from a purely economic development perspective, a purchase order of $1 million is much greater in terms of its knock-on effects to the economy than $1 million of economic development programming. It validates the technology and its usability in the field, and frankly, we have to be cognizant that Canada is a very well-respected country globally. We make up about 2% of GDP and roughly the same amount of cybersecurity consumption, so the opportunity of domestic procurement—and the Government of Canada is one of the largest purchasers of cybersecurity tools in this country, along with the banking sector and other sectors—is not only to solve the narrow problem within government. It's to give an incredible launch pad to cybersecurity companies.

Frankly, we shouldn't look at size of company as the only measure of capability. We should get deep into the capabilities they have. Large system integrators, big companies—and I won't name them here—often have the balance sheet and lobbyists to withstand long RFI and RFP processes that are multiple years when they, in fact, don't have the technological capability.

Maybe we need to get a a lot clearer on what we're trying to achieve in procurement and create smaller bite-sized procurement processes we can get through, and then validate technology and start responding to problems the way technology is built and not the way procurement is built.