National Defence Committee on March 10th, 2023

I assume you're talking about security clearances and classifications. I can't speak to how the agencies are screening to let in individuals with those clearances. What I can say is that because we face this on the defence file, we take a view in this country that we want the fewest security clearances possible. We think that clearing fewer people will make us safer, meaning that fewer people having access to that kind of information and knowledge will make us a safer country, because there will be perhaps fewer leaks or things like that.

Other countries have taken a very different approach now. They're starting to declassify more and more information. We've actually seen that in real time in Ukraine, where the U.K. government's GCS is declassifying information in real time to show everyone a picture of what is going on. We're seeing that as well in the updated national security strategy coming out of the United States, where they're saying they're going to declassify more information to make the public more aware.

Whether it's screening, whether it's agencies or whether it's the contract security program in this country that does it for National Defence, the lens through which we do that needs to change. I think the idea that we need to keep people out instead of bringing people in and making them more aware needs to change.

I think it greatly hinders our co-operative effort. We see it on a regular basis within government entities: DND-CAF to the security agencies, and the security agencies to the government. Not to bring in the proceedings of yesterday, but you saw it in real time in foreign interference in the government itself holistically between departments—foreign affairs and public safety. We saw it in circumstances in Ottawa in the convoy situation, where government agencies provincially and municipally, and actually across the federal government, were not harmonized on approaches or information and threat sharing. We see it and feel it on our end in the private sector, where very often we're asking ourselves what is going on, whether we need to be aware, whether the threat is increasing or decreasing.

I think our siloed behaviour is a hindrance to this country, and it's a shame, because we're such a small nation.

We've been talking a lot, and this is under the defence policy review, the defence policy update, around a concept of continuous capability sustainment or agile procurement.

There is a time and a place for competition. Typically, nations compete when there are two foreign vendors and there is no Canadian incumbent. That is the normal way in which we see it happen around the world. When there is a Canadian incumbent—and what we're talking about here on the cyber side is that you would want to have an already trusted, curated Canadian business that you are prepared to deal with—then in that particular case, sole-sourcing is not and should not be viewed as a shortcut to the process. It should be a solution to agility.

Where it goes sideways is when you don't understand that most nations use the process of sole-sourcing or agile procurement to sustain, maintain and grow their businesses within their own country, meaning that national security is economic security. They fundamentally understand that by investing in a Canadian company, and by doing that in an agile way with trusted sources or trusted individuals, we can effectively be investing in our economy.

Well, they don't compete at the same level. Small businesses are generally part of the supply chain.

There are two ways in which small businesses generally get directed contracts. Either you have a niche technology—that typically gets sought after by agencies and these are directed, very targeted purchases—or you have platforms or larger projects where you have a vendor of a chip, a plane or whatever, and that OEM has an entire supply chain. In those cases, what you want to do is get in on the ground floor in being a supply chain partner, a trusted partner to those OEMs. This means that you want to position your defence industrial base or your industrial base as players within that supply chain.

This is where we come to the idea of needing to ensure that we are trusted supply chain partners, by making sure that we have the appropriate regulations in place so that we don't end up with non-tariff trade barriers—in other words, those OEMs saying that we can't play in their sandbox because we are not certified. That's the way in which we ensure that the smaller business gets a piece of the action, if you will.

It can happen. There isn't a one-size-fits-all. There are various incentives you can use. In our country, we have what we call an offset policy or an industrial and technological benefit policy that is applied at the time at which you do procurement. That incentivizes prime contractors to use Canadian businesses within their supply chains in order to get Canadian government contracts. You can do those kinds of things.

You can also dictate the terms of your requirements and say, “I want you to work with that vendor, because they have that technology.” You can specify it in the way you do business. In the case of cyber and agile procurement, we would argue that you already have pre-trusted Canadian firms and you could simply source directly to them, which would expedite the process. You already have your trusted partners with the proper classifications that you need, and you would be able to go back to that base again and again.

Well, we're trying to apply to agile procurement a model that wasn't designed for agile procurement. What we're suggesting isn't that the current model is broken. It's that the current model is being inappropriately applied to technology.

Yes.

Well, in a model, time is the enemy. In our report—and the report you're referring to, I assume, is the 2021 report “Procurement at Cyber Speed”—for those of you who have it, page 18 is a good read. There are really three things that could be done.

You start to create these umbrella projects that procure capability. As I suggested, you break down those barriers, so you have trusted partners and there is a capability development and sustainment that is resident within a country, and you allocate funding at an umbrella level.

The other thing you could do is have more flexible funding. Right now, we have a whole approvals process. It goes through Treasury Board and there are about 200 steps if you take the old model. You would get rid of all that sausage making, if you will, and you would consider a vote of funding that has the flexibility of vote 1 and the ability to acquire new capability of vote 5.

Then, the last thing you could do is fast-track the approval and contracting process by, as I said, setting guidelines, which is where you have technology and services made by Canadian nationals with Canadian security clearances and trusted, curated Canadian businesses where taxes are paid in Canada and IP rests in Canada—boom. I can buy that.

I think you would have heard from the agencies that gave the testimony that effectively they don't procure. I believe what they're doing is looking at that system and imagining that if they had to apply that system to procuring cyber-technology, boy, would that be an impediment, which is potentially one of the reasons why they don't do it. Is the system cumbersome and somewhat unwieldy, and is there a whole cottage industry around how to use it? Absolutely. That is why we're frequently here at the table saying that this can be made much better. Particularly for cyber, there are many ways in which it can be made much better and much more agile.

Well, as I mentioned, there were those three things. I don't want to reiterate them more than I already have, but again, there's the concept of umbrella projects, where there's a big chunk of funding and you can allocate it to subprojects, meaning that I could buy various technologies, try them out and integrate them into my enterprise in a very expedient manner, and the funding doesn't have to go continuously up through Treasury Board for various approval levels. Once I get a base chunk of funding, I can start allocating it through projects.

Lastly, there is this fast-tracked process, by which if a subproject meets a number of criteria that we believe are good economically and security-wise, we can procure in an agile manner without having to go through all 200 steps to make that happen.