Government Operations Committee on April 28th, 2021

Thank you, Mr. Chair and members of the committee, for your invitation to discuss the Gartner Canada report that you received on the network sourcing decision matrix benchmark. I am pleased to be here today to address any questions the committee may have with respect to the report.

Mr. Chair, I want to state at the outset that I have the utmost respect for this committee and its important function in our democracy. I greatly support the work of the committee and I am committed to helping its members better understand how Shared Services Canada is working to modernize our networks in order to better serve Canadians.

I am here today to provide you with as much information as possible to aid you in this work. It is also why, when responding to the committee's request, I included additional information that was not originally requested, but which I hope will be helpful to the committee and answers questions that members had previously posed to me and members of my organization.

However, I am bound, as the president of Shared Services Canada, to steward our information in a manner that respects different priorities, including our democratic processes, the integrity of proprietary information and national security. That said, know that I am fully committed to assisting the committee with your endeavour to understand the network space.

As president of Shared Services, I support the Minister of Digital Government in providing federal public servants with the tools and the IT infrastructure they need to deliver the programs and services Canadians expect in a digital era—services that are delivered on secure and reliable networks.

When it was created, Shared Services Canada inherited many different independent and non-standardized departmental networks. I would encourage members to review the “Network Modernization Way Forward” document, in particular pages 11 through 15, for details of what we inherited and what has changed over time. Our work is ongoing as we continue to take an enterprise approach to modernization. This means we will continue to consolidate, standardize and modernize our networks right across government.

It is essential that the Canadian government keep pace. As the pandemic has shown, it is even more critical in a crisis. Over the past year, we were able to respond quickly when urgent changes were needed and adoption of solutions were required at an unprecedented speed. We were able to increase our network capacity, provide widespread secure, remote access and roll out collaboration tools that allowed public servants to work securely, as well as remotely.

However, the complexity and the pace of change in the digital environment means that we need to be prepared for significant and ongoing upgrades and technical innovations, such as software-defined infrastructure, where critical IT infrastructure and functions like data centres are fully automated and programmable. We also need to ensure that we have the IT infrastructure that can take advantage of emerging technology such as artificial intelligence, machine learning, 5G capacity and potential innovations that might transform federal service delivery, such as multi-user supercomputers and in time, quantum computing.

As we go forward, we are engaging with industry in advance of setting up long-term contracting vehicles to deliver a common set of services to all government departments and partners, rather than the customized services that exist today. To that end, SSC is developing a modern enterprise network and security strategy to increase network, cloud and mobile access and ensure agile service delivery to all our partners. The new model aligns with government priorities to allow us to work smarter and more efficiently, as well as more reliably.

In developing this strategy, we must consult with third parties to ensure our approach is responsive, reflective of industry trends and has sound governance. In this context, SSC proactively engaged Gartner, an industry-leading research firm. We asked Gartner to review our network and security documentation, to give us advice on developing an approach for decision-making for future network equipment sourcing and to look at specific case studies within SSC to provide insight and advice on decisions that we have made on sourcing equipment.

Gartner made a number of recommendations—which have been shared with you—to ensure that our documentation follows industry standard practices, to help us standardize how we source our equipment through open and competitive procurements and to provide us with review mechanisms for when we need to deviate from this approach. These recommendations have provided Shared Services Canada with approaches to help balance business, technical, security and procurement risks and to create a network strategy that fosters accountability and transparency.

We subsequently updated our strategy paper and posted it on Canada.ca.

The “Network Modernization Way Forward” paper solicits feedback from industry partners and attempts to document our future state. This strategy will of course evolve as SSC continues to work with industry as part of its collaborative procurement process and to keep pace with the changes in technology and advancements in innovation.

To do our work, we need positive, functional vendor relationships. I take disclosure seriously. I take disclosure of information that would affect this relationship extremely seriously. I am mindful of the powers of the House of Commons for the production of documents and the role of members in holding the government to account. Part of my job as a senior public servant is to reconcile the exercise of those privileges with others, including national security, cabinet confidence and the confidentiality of business information.

In the report that I provided I itemized each and every redaction and included the reasons used to protect the information deemed confidential, in keeping with the practices of public disclosures of such information.

Making this information public would not only be making public Gartner's intellectual property and commercially sensitive information, but it could also be detrimental to the vendors included in this research. We looked at the report and only took out parts that would be a security risk or could jeopardize industry relationships and partners.

We take very seriously, Mr. Chair, the need for transparency, along with the need to protect the proprietary information of the companies that have entrusted us with it.

Thank you. We are now ready to answer your questions.

The short answer is, I did. As president of Shared Services Canada, as I outlined in my opening remarks, I have an obligation to protect national security and confidential business information. I also sought legal counsel and was advised that my actions are consistent with those responsibilities.

As per my letter, each of the redactions is indicated with a listing, so it would either have been for confidential business information reasons for the companies that were not comfortable with the disclosure of that information—

The majority of the redactions are related to confidential business information—

Mr. Chair, may I have a moment to look at the page in question?

Mr. Chair, I'm trying to look at the very specifics to make sure that I provide the member with a full answer. I would be happy to follow up—

Mr. Chair, I had a chance to look at the page in reference to the member's questions. Gartner was not able to see any specific cabinet confidences. It speaks to cabinet meetings, their potential existence, which is a confidentiality issue and is not to be disclosed. Therefore, Gartner was not disclosed any cabinet confidential information.

Again, Mr. Chair, in response to the member's question, Gartner was not disclosed any cabinet confidences. They speak to cabinet—

Mr. Chair, I'm attempting to answer the member's question.

Mr. Chair, again I'm happy to attempt to respond to the member's question.

Gartner did not. The redaction was made under an interpretation that I had whereby they speak to processes about future meetings, and any references to future meetings that the government may have could be considered a cabinet confidence. They did not have access to it. They hypothesized—

As I was attempting to finish, Mr. Chair, it speaks to when meetings may occur and that, as I understand it and have been advised, is a cabinet confidence. They did not have access to it. For me to suggest when cabinet may or may not consider something on a hypothesis is not appropriate to be disclosed.

I can happily check with our counsel again—

Mr. Chair, that is correct. It is common knowledge, when we are doing procurements, that sometimes Treasury Board approval is sought and that is then through Treasury Board meetings. If and when Treasury Board is required to do that is not something that would be disclosed publicly.

The short answer is transparency and documentation. If you refer to some of the attachments that I included in response to the committee's request, we intend to be very transparent with you, with the vendor community and with all Canadians about what we inherited, where we are today and where we want to be moving forward.

We will also work with industry so that it understands what our objectives are and why, so that companies can think about the technologies they are developing, and we can integrate them into our forward procurements. We are also moving to open source, which will make it easier for us to allow more vendors into that ecosystem.

That, frankly, is not always a guarantee that different vendors will win. We've done two open, generic procurements, and one happened to be won by Cisco, a company that is the subject of a lot of attention here. Another one was won by Juniper.

We will be open and transparent. We will consult with industry on what we need and why. We will invite industry to help us refine our technology requirements to take advantage of state-of-the-art technologies moving forward, and we will be moving to the more open-source, software-defined, zero-trust types of networks that Gartner speaks to. Every one of our actions will be fully transparent.

The final thing I will say is that, in line with the recommendations from Gartner, oftentimes we get requirements from departments saying we have to go sole source. It has to be plug and play. They can't accept anything else, because the risk is too high. We've implemented a review committee that looks at each and every one of those, and challenges those requirements to make sure that they are what is claimed.

If it has to be specific, because it's plug and play, the risk is too high or timing, we will accept that and we'll be transparent about it. When it's not, we have a better process now to push back, rather than simply accept because they say it must be sole sourced. We now challenge each and every one of those.

Thank you, Mr. Chair, for the member's question.

I don't mean to be repetitive, but it goes back to the way forward document, and working with industry to lay out multi-year plans. If you look at some of the documents that we tabled with you, they're short, medium and long term about where we want to go, where we need industry to be with us as part of that journey, recognizing that this won't happen overnight.

They have full line of sight to our short-, medium- and long-term strategic plans, and the ability to work with us as the technology changes. One of the largest criticisms I have heard from industry is that we go to them with “we know the solution”, and because of that, we turn away a lot of potential innovation and opportunities. That's why we want to work with them before we finalize plans.

The bottom line is that they will know where we want to go, short-, medium- and long-term. We will consult with them and we will evolve that plan with them.

Thank you for your question.

I would be happy to again consult with legal counsel, take a further review of this and respond in writing.

My answer is the one that I have. It's the one where my understanding is that speaking about cabinet and when it may or may not choose to meet is a potential confidence and is not to be disclosed. Gartner was not provided with any specific cabinet confidential information. The fact that they referenced it is not something that I should continue to promulgate or include in public disclosures. That is my understanding of the reasoning.

I understand that is not sitting well with a number of the committee members today. I'm happy to review that again with legal counsel to make sure that answer is complete, but that is my answer today. It is based on significant consultation and a very serious review of each and every one of those redactions.

However, I'm happy to revisit and update my answer if I missed anything.

Thank you for your question.

Of course, we consulted Gartner Canada to get their perspective.

We definitely consulted with Gartner, as this is their confidential business information. It is their proprietary information about their analysis of the industry and the methodologies they use to rank and provide advice to not just us but many international clients globally. Absolutely we consulted with Gartner.

Once again, thank you for your question.

In my opinion, it's definitely possible.

Without a doubt it is possible that there is lobbying that occurs. These are huge procurements. Look at the dollar values that I shared with you that we do, and for every winner of a procurement that we do, there are multiple losers.

Absolutely, every single one of these firms employs lobbyists who are attempting this, at all levels.

It's why the integrity of this process is incredibly important to me. It's so that it is able to withstand the lobbying that we know occurs constantly.

I'm not sure I understand your question.

I hadn't understood the word “enterprise”. Thank you.

An enterprise approach is one where we look at all of the departments as a whole—as the enterprise—and rather than running each individual departmental network, we want to move them to simplified standardized networks. Even when we have, for example, a lot of Juniper gear or Cisco gear or any of the others that you see in the ecosystem we have, it can be configured differently and is non-standardized.

Think about Interac terminals that we all work with every day. What if each one of those was configured a little bit differently or required a slightly different way to operate for you? We want an enterprise approach, so the user experience is the same and consistent. That will allow us to aggregate requirements to obtain a better price for Canadians, improve our service and, frankly, reduce costs over time while increasing reliability.

It's part of that Gartner.... Remove the number of vendors and move to a smaller, more stable, predictable environment. That's what we mean by the enterprise approach.

Thank you, Mr. Chair for the member's question.

I will undertake to follow up in writing given the number of times this has come up.

In response today, it is the advice that I received from legal counsel that speaking about when cabinet may or may not choose to meet is not something that is to be disclosed.

Mr. Chair, the Department of Justice provides advice to me.

Mr. Chair, again, the advice provided to me is privileged. I interpret that. It is my understanding—

Mr. Chair, the answer to that question is that I have been at Shared Services Canada for over two years. In this role, because we do not do a lot, this would be the first time, but as a senior official, this would not be the first time that I have seen this and been told not to speak about when Cabinet may or may not choose to meet and what it should choose to meet on. The attendance, the dates, sir, as I understand it, are confidential.

Mr. Chair, the answer to the member's question is that I could not presume how you would choose to conduct the study, what you would need and the time frames. In order for me to provide this fully unredacted, I need consent from all of the parties. That consultation takes time, and your letter did not afford that time.

The other factor here is that, even within that, there are some things, like national security and others, where I would not have been able to not redact that. We do not disclose certain information that would, frankly, be a playbook for those people who would wish to attack our networks. That would not be disclosed. I am not in a position to do that.

I respect this committee's right to ask those questions, and I hope that this committee understands my rights and responsibilities to protect certain information.

Mr. Chair, I spoke to my legal counsel, who would be from the Department of Justice. I did not—

—speak to the law clerk. I did not.

Mr. Chair, absolutely I understand how you view it. I would hope that the members also understand that my responsibility as a member of the executive branch is to protect national security and confidential business information. As others have said, those—

I have redacted that information for national security reasons, yes, and it is not something that someone would just find through Google. Unfortunately—

Mr. Chair, you can find some Gartner information but not all.

Mr. Chair, it did. The contract complies with standard contracting principles and obviously continues to operate under my obligations.

It's not a “view”, Mr. Chair. It is a requirement.

I'm sorry, Mr. Chair. How many...?

I would not be able to estimate off the top of my head how many people—

It would be a handful.

Again, I know that I'd speak about this with about five to six members of my immediate team. I would have to consult with them in terms of the number, but all would be—

Those would be at the assistant deputy minister level, with one exception at the director general level.

The members of my staff who have seen this report are subject to protect the information around national security and confidential business information to the same standard that I am, so I am confident that they are—

I would imagine that it's quite a few as well, yes, and the people who work in them, the people who support them, have all been appropriately security cleared and bonded for confidentiality.

However, yes, given the size and the nature of them, there are a few.

That's not correct, Mr. Chair—

Mr. Chair, just to be clear on the drywall comment, the people, the trades, in there would not know the purpose of that building. They would be under strict orders—

Mr. Chair, I'm absolutely serious.

This will hopefully answer other members' questions about why certain pieces of information have been withheld.

On any given day, when I arrived at Shared Services two years ago, there were over 400 unplanned outages per day. This past year, we had almost 80-some thousand unplanned outages. That's about 200 a day. That's the state of the infrastructure, so we've made significant improvements. Of those unplanned outages, the number that are critical is pretty small but significant, and it's about 300—just a little less than 300 critical outages. That's where services to Canadians or public servants who need those services desperately to do their jobs are out for an extended period of time.

We're racing to fix some of these old outdated systems faster than they are breaking to make sure that public servants have the tools they need to serve Canadians.

The security issues that we, for example, why we wouldn't disclose the location of a data centre... On any given day, as Scott Jones testified to this very committee, there are two billion malicious activities that we intercept, each and every day. These are not theoretical cyber-threats. They are real. They are organized, and they would desperately love to know the details of our architecture and the location of that architecture.

Therefore, absolutely, I will take my responsibility to protect that information, because they are assets of the nation that this government uses to serve Canadians.

Thank you for your question.

Absolutely, I have a responsibility to keep the minister informed and aware of the activities of Shared Services Canada, but that also includes a certain separation, for example, on things like procurement decisions and others where it is the department's responsibility and not the minister's.

It is difficult to overgeneralize, but there is definitely a regular flow of information. It is dependent upon the authorities and delegations with respect to the timing and the level of detail.

We set up the supply arrangements. Departments come to us with their requirements, and we go to market to fill them. We do that, either through competitive processes.... If you look at the materiel, that's about 87% of the time, a little over $1.13 billion. Sometimes we do that through a non-competitive process, because of the urgent nature of the requirement. That's about 13% of the time. It represents about $170 million. They come to us, and we're responsible for the procurement.

Frankly, it's pretty much final. If we go out through a competitive process, the requirements are the requirements. The submissions from industry are assessed against those requirements as per procurement policy. When a winner is selected, it has a right to supply.

The departments do not get to veto that. They do not get to choose. We go through a fair, open and transparent process, and use the procurement policy.

That's an exceptionally broad question. I don't want to frustrate the minister with my answer. If there's more precision—

Thank you. That's much clearer.

Departments will come to us with their requirements. There are times when they will say, “We can't accept interoperability. We don't have the time to test anything.” They want like-for-like. They make the case that we have to get, not necessarily Cisco, but it could be any vendor's gear. We must replace it with exactly the same vendor. That's the instance where Gartner has said that, when we are doing that, we should review them to make sure they are what the departments claim.

We used to, not all the time but mostly, just accept those. We now review and challenge those requirements to make sure that there is an operational imperative, and that we cannot move to a more open and transparent process. They make the request, and they lay out the case and the reasoning why.

Mr. Chair, our data centres do not.

I want to double-check my list, Mr. Chair, but that, to me—the location of the data centres—based on the member's question, would be national security. Those are assets, the workloads in them, what moves through them, including, unfortunately—I know it sounds strange—an empty data centre. We would not want to telegraph when we intend to fill that and where it will be to make it a target for those who might want to intercept traffic going in or out of that. We have every intention of filling that data centre.

Thank you, Mr. Chair, for the member's question—

What the witness is trying to convey is that, depending upon the data centre, the nature of the workloads in it, absolutely, we would consider that of national significance and security, and would not proactively disclose that. I would not perpetuate that if somebody else has.

Thank you, Mr. Chair, for the member's question.

I'm sure the member is aware we run literally hundreds of data centres, so it would depend on the nature of the workload. Not everything we do is secret, protected B. There are some things for which there isn't that sensitivity, absolutely, and it would be disclosable. It depends on the nature of the workload that goes through that and its security assessment. Those security assessments are also subject to change as the workload changes in them, and as the security posture and the intelligence of those actors looking to frankly intercept the data—

Mr. Chair, I'm not going to comment further.

I'm sorry, Mr. Chair. I'm not sure.... I heard a statement, not a question.

Thank you, Mr. Chair. I appreciate the clarity from the member.

I can assure you I am in no way attempting to mislead the committee in any of my answers. Absolutely not.

Again, Mr. Chair, I'm not sure there was a question for me in that last....

The security assessment, which is constantly changing and which is relevant to the previous member's question, is material here. As we move more services to digital and online, the number of threats are increasing, as I testified earlier. This is not my data. This is from Scott Jones from the CSE. We intercept and block two billion malicious events every single day. Those are only increasing and they're only getting more sophisticated.

The risk here is that sensitive government operations could have been compromised. Services to Canadians could have been interrupted, stopped or brought down. As we have seen most frequently, there are attempts to obtain information about Canadians for financial gain elsewhere in the system. That is one part of this.

The other part of this is our relationship with the vendors who take very seriously the technology that they deploy and provide to the Government of Canada to defend against some of these security threats. If they felt that their proprietary information was being disclosed or compromised, they may choose not to or they may alter the arrangement within which we would do that. This could have a material impact on the availability and the cost of those services to the Canadian taxpayer.

My attempt, as I stated in my opening, was to try to be transparent, recognizing the important nature of the study you are undertaking. We wanted to be very clear and transparent with you about where we are going with respect to the nature of the network. There's a lot of talk about interoperability and the enterprise approach. We have shared with you the “Network Modernization Way Forward” document.

I think people often think of the network as one simple thing. We've tried to include diagrams for you, for industry and for every interested party on just how complex the network is, with the different topologies. There was a sense that it was just the Cisco environment. We tried to include all of the different vendors we have in that environment and to lay out where we're going. We also included our network and security strategy to demonstrate how we have been transparent with industry about what we are doing and how we intend to go from a strategic document in the “Way Forward” to something that is more technical in nature, and to share with you the types and nature of the conversations we are having.

I also felt it would be helpful, so we put together information for parliamentarians about the nature of our work and what we've done. Given the number of questions that have been asked of me, there is a sense that we don't compete a lot of our procurements. We tried proactively to share with you the volume we do, how much of it is done competitively and how much of it is sole source, not just in sheer numbers, but what that represents in terms of dollar values.

Because of previous interest and because we feel a social responsibility, we tried to include how much of those things go to small and medium-sized enterprises. With data, we were able to target indigenous-specific businesses. Moving forward, we hope to be able to expand that to more employment equity groups, women-led businesses and other employment equity-led businesses.

Given the number of procurements that we do, while we are trying to advance that enterprise approach, we are also trying to encourage Canadian businesses of all sizes to interact with us.

I'm sorry, Mr. Chair. Is it January 22 of this year? I just want to confirm.

Thank you very much.

I think, Mr. Chair, rather than speculate I would appreciate the opportunity to investigate the specifics and to report—

I would very much appreciate the opportunity to investigate this properly and report back in writing. The details will help accelerate that.

I would just like to reassure the committee that my intention is not to withhold any information from this committee at all. It is to uphold my responsibilities with respect to my legal obligations to protect confidential business information and others. I definitely understand the—

There's a sense that this is precedent setting. I would point all committee members to the Access to Information Act, where it makes very clear that any vendor before or proposed to be before cabinet is a confidence. That was the interpretation used. My team, under my direction, was asked to consistently interpret and apply the access to information law.

To give you the short answer, this is not anything that I would want attributed to me, but there are those who have said that the COVID pandemic has accelerated the shift to digital right across all aspects of society. We have certainly seen that within the departments we serve and their level of ambition to provide services digitally to Canadians. Increasingly, we are seeing the rollout of new technologies and new services to Canadians being done at record-setting paces. Call centres used to be these big physical buildings. We had to scramble in days, literally days, to figure out how to allow people to operate call centres from their home and kit them up to be able to do that.

The network is increasingly important, moving forward. I think it's something that will be increasingly important for this country, frankly. Those who have access to the network with a strong signal will be able to access those incredible services. For those in remote or isolated communities, we're going to have to find a way to roll those out. The network is increasingly important. It connects us all. It is a way, increasingly, that government and businesses are delivering services.

Collaboration tools like Zoom, Teams and others that we use accelerated that rollout. That's created new opportunities and new challenges in cybersecurity, as I said earlier. The threat landscape is changing, and changing fast. It is getting more sophisticated. They understand that there is more volume here and, therefore, more opportunity.

From a procurement point of view, that means that, as we move forward, simplifying, standardizing while not relying on just one vendor, and making sure that cybersecurity is top of mind in everything we do will be incredibly important. That's why we talk about, and Gartner in its report talks about, those three pillars and monitoring so that we know what is happening and we can detect and respond far more proactively than we can now. That will require some standardization.

Mr. Chair, the member's assumption is correct. We had, maybe on a busy day, 30,000 to 40,000 public servants working from home before the pandemic. In a snowstorm or ice storm it had gone up a little bit, but not much. We're at about 300,000.

We don't call them “people” but “connections”, because people will connect and disconnect. We don't actually have connections for every single person, because not every single person is on at the same time. It's how we consolidate efficiencies. The numbers are staggeringly large in terms of public servants working from home, the network requirements to support that, and the bandwidth requirements, because we push more video now. They used to walk into a meeting room. The reliance on the network and on the bandwidth that's required is significantly higher.

Thank you, Mr. Chair, for the member's question.

I am unable to provide an exact number.

The principle here is to make sure that only those who need this information have it. Only those who need it to conduct their day-to-day responsibilities would be privy to this information.

That goes back to that question about the drywaller and others. They would be appropriately security cleared, vetted and indoctrinated in order to be able to interact with this information, or with the data centre. For anybody involved in this, it is because it is a job function.

I will be happy to undertake to provide a full response in terms of both Gartner and within SSC.

I have a principle today.... I understand that the question is looking for something more precise, so I will undertake to provide that.

I would have to consult with counsel on that.

One of the things I was advised on was that, if I were to disclose this report, even in camera, it would be a disclosure and I would be in breach. There are some challenges there that I would have to consult further with counsel on.

I apologize. Somebody said this is not something that happens normally. We are dealing with sensitive information, sensitive systems, all the time. Every department works with some degree—

I want to be very clear that I have a sense that you have asked for precise numbers.

I have these conversations with members of my direct management team, who have certain obligations and indoctrination that I am very clear on, and I trust that they have conversations relative to the functioning of their responsibility consistent with those delegations and their obligations. However, that prevents me from speculating and giving you the complete number.

I can speak to you about my number of direct reports, but I would have to canvass them about what they have done within their chain of command. However, I have every confidence—

I have every confidence that they would uphold their responsibilities.

No.

Mr. Chair, I apologize for the directness of—

I'll have to confirm what exactly the security requirements were, and I will happily provide that in writing. I can speculate now, but I want to provide a very precise answer to the member's question.

I would refer to the material I provided. We do not put all of the contracts in Cisco's hands. In fact, even when we procure Cisco equipment, it is not through direct relationships with Cisco. It is done either through a competitive process or a mini-competitive process with people who have prequalified to provide that type of equipment. It always goes through what we would describe as a reseller.

In the documents I provided, on pages 11 through 15, you will see all of the different vendors, what we inherited and, over time, how that has evolved. It depends on the nature of the network, and which piece of it we are talking about, to see which portion Cisco has provided, more or less, over time as we move forward. That was all in full detail in the documents that were provided to the committee.

That's a very important question. I appreciate the opportunity to clarify.

This is done at my direction as the deputy head. It is my responsibility and accountability. I turn to an access to information unit that is well trained in the administration of this, and it is directed on a standing order, not specific to this request but to all requests, to enforce the law strictly. When the unit is not clear about how to interpret it, it is to obtain legal advice.

That would have been done by professionals, trained and well-experienced in the interpretation of the act.

From my department, Mr. Chair.

The interpretation is to the vendors, to the marketplace. If we target a specific vendor to provide the equipment, that is deemed a non-competitive sole source. The requirements may dictate Cisco, and then we could compete the Cisco requirements, so we would consider that to be competitive.

There are two parts to that answer. From a procurement point of view, that is a competitive procurement, because the industry has been—

As I said, that would be in the 87% that was competitively bid. There were a number of firms competing for that business to ensure we obtained the best price for Canadians.

Mr. Chair, for the first time I'm going to turn to Mr. Davies, the chief technology officer. He's far more capable of doing that quickly than me.

Thank you very much for the question. Thank you, Mr. Chair.

One recommendation from the Gartner group was for us to be more specific with respect to timing. They broke their report down into short-term, medium-term and long-term objectives. One clear recommendation that came through that report was for us to spend time assessing the current state and then put together a plan with clear activities for the short term, medium term and longer term. They also overlaid in that report the guidance for us in terms of what they see from their technology road map when certain technologies are going to become more relevant. We took the advice from the Gartner group. We took some of it immediately and incorporated it into our updated “Network Modernization Way Forward” paper.

We're going to meet with industry later, on May 14, to give feedback to it. It's also important that this document helped us to have a good discussion with industry partners. We got feedback from 26 different partners on that modernization way forward that we then took in and incorporated and will incorporate into our plans moving forward.

Overall, I think I've probably talked a little bit longer, but this is a first time for me. Thank you.

As a senior leader, I would describe it as stabilizing. It breaks too often. We need to assess it and fix its vulnerabilities and weaknesses. It is too complex. I want to standardize and simplify it moving forward, so that it is easier for us to maintain and far more predictable.

I was speaking earlier about outages. Fully 30% of the outages are results of changes that are made. That interoperability that everybody talks about is not always guaranteed. It doesn't always work. We need to simplify. We need to standardize as we move forward.

The future is software-defined zero trust. That is really where we need to get to more quickly, but we first have to stabilize the patient to stop the bleeding, then move to standardization and consistency and then to the longer term. Obviously, any opportunities we see to advance the longer term while we're doing the short term and the medium term we will attempt to harvest early.

That would be the way I would chunk it out.

Absolutely.

As I said earlier—I would encourage members to take the time to read those documents, and I do hope you find them useful—we're at about $1.3 billion or $1.4 billion in procurements in 2019-20. Of that, 87% we would call competitive and, recognizing a member's question earlier, even when that is for requirements—a vendor—we force competition, as per questions from members here, to ensure the best possible price. That is part of what we do.

When there are urgent requirements, we have no choice. We have to go out. A particular system needs more memory. It can't keep up with the demands of COVID and the number of Canadians logging in. We need to do it quickly and surgically. We'll go out and do some non-competitive.... It's about 87%:13% in terms of competitive and non-competitive as it moves forward.

We're quite pleased with the number of small and medium-sized enterprises that are engaged in this. That, we think, is something that we would like to continue to do. We don't want to be just dealing with the large multinationals as this moves forward. We're quite happy with the number of small and medium-sized enterprises we are doing, but we would like to grow that number moving forward, and we would like to share with you better information about what we are doing moving forward on employment equity, on what we can be doing better for aboriginal businesses, Black-owned businesses, women-owned businesses, other employment equity and the disabled. We are improving our reporting requirements on that front.

I am pleased to say that in 2019 we awarded 117 contracts to indigenous businesses, for almost $36 million. It's good, but there's a long way to go to improve that number.