Government Operations Committee on May 26th, 2021

The first is through the digital standards that the office of the chief information officer, Marc's office, has established. There is a call to adopt open standards. That will be driving our work moving forward, so anybody who is able to comply with those open standards.... It's definitely a move that we are making, to comply with that standard.

The second, which I want to be very frank about, is that as an enterprise service provider, we don't want to be reliant on one vendor. That creates lock-in. That is a dangerous place to be. As I have shared, with previous advice from Gartner and others, the industry best practice is to diversify a little bit where you can, but it is a little bit. We would not want 30 or 40 different vendors that we are working with. While it may be interoperable, it requires different training and different skill sets. We have seen instances where it has not worked where things were said to be interoperable.

For mainframe memory that was certified, we went with an open competition. We plugged it in and it couldn't work. The vendor couldn't make it work. They tried and tried. At the last minute, with literally days before the department needed that mainframe memory working, we had to do an emergency purchase. There were other instances where the equipment throttled the backups and they were working at one-eighth the speed. While it was interoperable, the algorithm on the software was different. At one-eighth the speed, we were running out of time to complete backups.

Interoperability is important. It encourages competition, but it is not a guarantee. That is why we will introduce it and we will embrace it, but it will be limited. I want to be very up front and transparent.

Madame Vignola asked a question about the plans. Again, I would point back to the documents I shared with you. We are trying to be incredibly transparent with industry about where we are going. The network way forward document lays out what we think the issues are so that industry can propose to us what they think are state-of-the-art solutions, and we can work with them to pick the vendors of choice that we will work with moving forward.

I know there's a sense that we're overly reliant on Cisco, but I again want to point out that we have moved away from that in four broad categories. There are also times when it's open and competitive and Cisco has won. We will continue to use those processes moving forward.

Thank you for the question.

First, we're going to be transparent and document it. That's why we have the “Network Modernization Way Forward” document. In addition to that, we have a lower-level, more technical reference document moving forward. We have regular industry days where we open these up. We work with industry to hear their feedback on it, to update them and to guide our processes moving forward. We're not just having meetings. We're documenting them, we're publishing the papers and we have regular interventions and discussions with industry. All industry is open to that.

Through the pilots with Technation, we're making specific efforts to reach vendors we haven't traditionally reached. Not stopping there—because I understand the concerns that have been directed at my organization—I instructed the organization not to apply the national security exemption universally but to do it on a case-by-case basis. The national security exemption was previously applied to everything. It's no longer the case. This has resulted in more open, transparent processes. It has also resulted in more open competition. That's how we've been able in the last two years to move away in the four areas.

Again, I go back to Cisco, which had 80% of the firewalls. It's now Fortinet that has 95% of the firewalls. Load balancers were Cisco. They have no load balancers. It's F5 and A10. I could go on. That's not to say that Cisco isn't a big player in our network, but when we see the opportunities, we seize them.

Last, through our governance, as I said earlier, we have a process wherein all the requirements for like-for-like are reviewed, and not just by my staff. We have an external industry expert who sits in on that process to make sure we are adhering to industry norms and standards.

Thank you for your question.

It's a very interesting question, in my opinion. I believe that in the past, we were focusing solely on scheduling cost risks. Everything was about “give me the perfect plan, contain the costs”. We weren't behaving in an agile way, and we weren't focusing on the outcome risks.

Through the pandemic, we still managed cost, but we were far more aggressive on schedule. We didn't wait for the perfect schedule. We focused on the cost of not doing something, and that forced us to accelerate. I will be very candid. The early days were bumpy. They were messy. They were not perfect, but twice a week, we would literally sit down on the network and say, “What did we do on Sunday night? How did it work? Let's make changes on Wednesday.” We iterated quickly to fix our mistakes, to make things better faster. If we can continue to behave that way, I think we will be able to keep up this pace.

Mr. Chair, I thank the member for her question.

Unfortunately, my answer is not simple.

It's because of the complexity. In some areas, like on Microsoft Teams, where the OCIO had personas and we were able to move very quickly to deploy the technology, it was easy. In other areas where we have systems—not the hardware but the systems—that need to be modernized to be able to operate in the cloud in a cloud-native way, those will take longer. We've been working with the OCIO, under their leadership.

Marc, maybe you'd like to speak about the work we've been doing to understand the portfolio of applications that need upgrading and the plans to do that.

Some things, Madame Vignola, can be done quickly, but other things will take more time, particularly in the application space where we need to rebuild applications with departments.

Marc.

Thank you, Paul.

Good afternoon, Ms. Vignola.

Mr. Glover is talking about the condition or state of the applications in our organization. We have a database of all the applications and we monitor the shape they are in.

A few years ago, they scored about 23 or 24%, and they now score 36%. There has been progress in this regard. The progress is getting faster. However, this progress has to make the needs of businesses and Canadians the priority.

We cannot modernize everything overnight. That solution does not work; we will be sawing off the branch we are sitting on. We have to target the applications that need to be modernized in order to achieve better performance for the government and Canadians.

I think Mr. Glover could answer your question better.

What I will say is that for our part, we are responsible for applications.

Mr. Chair, I thank the member for her question.

This is a continuous improvement approach, because of security and technological progress.

For example, 5G is coming, so we will never be finished with the network. We are constantly introducing security upgrades and patches. We need to introduce two-factor authentication. The future is in zero-trust networks, the use of 5G and other technologies.

My answer to you is that my work will never be done in this space. It will constantly be improving to take advantage.

Thank you for your question.

In reality, we had a conversation with them to determine their needs and to talk about the state of the art.

We try to work with them to make sure that they understand what we believe is the best technology for them. They also have people who are used to operating that technology. We try to come to a common understanding.

There is a process that it then has to go to—through the enterprise architecture review board, particularly for new systems—to make sure that it is compliant with future direction. That is at the enterprise level.

I am not all that up to speed on Huawei relative to the other vendors that we deal with on a more frequent basis. You have my apologies.

Thank you. I'm definitely more comfortable answering the question when it's posed that way.

I think it is generally accepted that, years ago, Cisco had a large share of the marketplace, and I think that is representative of what we inherited. I would again point members back to the documents that I shared with you, where we tried to be very transparent about when SSC was created and what we inherited.

We do see that the competition is improving. We do see the adoption of open source standards making it easier. People talked earlier about Juniper Networks, Ruckus and Extreme Networks. They are competitors. Those are people who are finding their way into our ecosystem.

In some cases, we consider some of these vendors to be very much world class, and we've moved entirely to them. I would use the firewall example I spoke to earlier with Fortinet, where they are the vast majority of how we handle our firewalls. That used to be all Cisco. It is now almost all Fortinet. We are seeing these niche providers, and they are quite capable.

It is a transition that is occurring in the marketplace—absolutely.

Mr. Chair, I will ask Marc to elaborate if I can't help.

If only it was just DOS. There are some applications that are as old as I am.