Public Accounts Committee on May 30th, 2024

Thank you, Mr. Chair.

Thank you to the members of the committee for inviting KPMG to contribute to this important conversation.

My name is Imraan Bashir. I'm a cybersecurity partner at KPMG in Canada. I am here following the appearance of my colleagues Lydia Lee and Hartaj Nijjar on April 4, when they spoke about the services KPMG provided to support the ArriveCAN program.

I've been in the information technology and cybersecurity field for close to 24 years, with my career split across the public and private sectors. I started my career at a leading IT services company before joining the public service. I was a proud public servant for almost 11 years, spending time at Indigenous Services Canada and the Treasury Board of Canada Secretariat under both Conservative and Liberal governments. I joined KPMG four years ago, in May 2020. Since joining KPMG, I have worked with a variety of public and private sector clients to provide cybersecurity services in an ever-evolving threat landscape.

Lydia and I are here today to represent KPMG Canada, which employs approximately 11,000 people across our country. Our role is to serve and assist our clients, including governments at the federal, provincial and municipal levels, in identifying and closing strategic and operational gaps, providing specialized knowledge and services in areas where support is required. We consider our services to be an important part of our contribution to Canadian society.

While we are very proud of the services we provide to assist governments, KPMG is not a leading recipient of government contracts. As you are likely aware, an analysis by Carleton University noted that KPMG ranked 112 on the list of contracts awarded across all public service departments and agencies in 2021-22.

KPMG is very supportive of the important work being done by this committee. In addition to joining committee meetings, we have provided written responses, as requested, to questions that arose from our previous appearance. For today's session, to the extent the committee thinks I can be helpful or of further assistance, I am happy to answer your questions.

As my colleagues Lydia and Hartaj discussed at their previous appearance, KPMG's work related to the ArriveCAN program fell into two streams. The first stream, led by Lydia, was for the Public Health Agency of Canada. In this stream, KPMG provided in-depth subject matter expertise and global knowledge to assist in developing policies and procedures for the implementation of the ArriveCAN program. The second stream of work was the cybersecurity assessment that was performed for the CBSA's ArriveCAN application and supporting infrastructure. I was the local delivery partner on this work, supported by Hartaj, who leads our national cybersecurity practice. As you know, KPMG is well known in the field for its cybersecurity expertise. We offer a range of services to help organizations identify, assess and mitigate cyber-risks.

Between October 2021 and March 2022, KPMG provided an independent cybersecurity assessment of the ArriveCAN application. This work was subcontracted to KPMG through GC Strategies in October 2021 at the request of the CBSA. Our scope consisted of five streams of work performed under two separate task authorizations, which involved reviewing the CBSA's cloud security architecture, including a comprehensive security control review; the department's alignment with privacy regulations; its vulnerability management practices; its secure product development practices; and its security incident response protocols and procedures. Our work was completed on time and on budget, in alignment with Government of Canada policies, and was reviewed and ultimately approved by the CBSA.

We are very proud of the services that KPMG provided during the pandemic to assist not only governments but also health care organizations, academic institutions, not-for-profits and the private sector. We delivered highly specialized expertise at a time of unprecedented uncertainty for Canadians and the world.

Thank you. We'd be happy to take your questions.

Good afternoon to the committee. Thank you for the opportunity to provide information on Donna Cona's involvement with ArriveCAN.

My name is John Bernard, and I am the CEO of Donna Cona. I am here with my business partner and the president of Donna Cona, Barry Dowdall. I am a status first nation person from the Madawaska Maliseet First Nation in New Brunswick. Although I grew up on reserve, I moved off reserve shortly after I graduated from university. After moving around to a number of cities, I landed in Ottawa in the late 1980s, working for a few federal government departments: Fisheries and Oceans, Health and Welfare Canada, and finally, as it was called back then, Indian Affairs.

In 1990, I resigned from the federal government and became an IT consultant working with Systems Interface. Right from the start, I began encouraging Systems Interface to hire aboriginal employees and pursue contracts within the Department of Indian Affairs. Unfortunately, it wasn't until 1996, with the introduction of the PSAB program, that any recognition was given to hiring aboriginals. Part of the PSAB requirement was that a company had to be owned and/or majority controlled by an aboriginal. It was at this time in 1996 that we spun off Donna Cona as 51% owned by me and 49% owned by Systems Interface. Today I own 100% of Donna Cona and continue to hire and promote aboriginals as much as possible.

Donna Cona provides information technology and information management professional services to several clients, one of them being the federal government. We also provide a crisis counselling service for all indigenous, first nations, Métis and Inuit people of Canada. This service runs 24-7 and handles about 50,000 contacts per year through phone and online chat. We are international standards—ISO—certified, and for the past six years we've been named one of Canada's best-managed companies.

Donna Cona has hired many indigenous employees over the last two and a half decades. Just as importantly, we've sponsored and supported indigenous associations, communities and students over the last 28 years. Today, Donna Cona has 84 employees. There are 18 indigenous staff and 58 women. We also use many incorporated subcontractors to supply our client delivery services. Thirty per cent of our overall revenue comes from PSIB set-asides. It was once PSAB, but today it's called PSIB.

The success of Donna Cona and technology afforded me the ability to experience my dream of moving back into my community and investing in businesses in my first nation. In 2007, I built an entertainment centre on the Madawaska Maliseet First Nation that eventually included a 10,000-square-foot events venue, as well as multiple restaurants and electronic gaming. Since 2008, these businesses have returned over $20 million to my community and close to $10 million to the New Brunswick government. With this business, along with a number of other businesses that I own on the reserve, I employ close to 150 employees from the local town and my first nation.

As today's agenda is to talk about the CBSA ArriveCAN project, the following has been our involvement with the CBSA, and in particular ArriveCAN. We have three supply arrangements with the CBSA that were competitively procured in July 2019 and September 2020. One is for enterprise data warehouse IT services, and the other is for travellers' projects. Neither of the supply arrangements, nor any of the TAs, mentions ArriveCAN.

With regard to the Auditor General's report, we disagree that we provided $3 million for ArriveCAN. We found, through the time sheets, activities for only the two contracts and determined that approximately $500,000 of the cloud infrastructure development was provided in support of ArriveCAN. We worked with CBSA staff to design cloud data pipelines on AWS cloud services to implement the Public Health Agency COVID-19 analytics architecture in AWS and to provide business intelligence and tech support for reporting purposes.

Once again, thank you for the opportunity to assist the committee in its efforts.

Thank you, Mr. Chair, the clerk and committee members, for inviting us to appear today regarding your study on the Auditor General's report on ArriveCAN.

My name is Chris Loschmann. I'm the director of Canadian government services at TEKsystems.

TEKsystems is a global provider of technology, business and talent solutions. We have over 100 locations worldwide and we partner with over 6,000 customers, including many Fortune 500 companies and public sector clients. We help our customers achieve their business goals through advisory, outcome-based and staff augmentation services. We pride ourselves on our core values and our fundamental commitment to excellence and integrity. We have worked hard to earn the trust and respect of our clients and to follow the rules when it comes to working with the government.

In March 2020, CBSA publicly posted an RFP for cloud engineering professional services. In June 2020, after submitting our bid and competing with three other bidders, TEKsystems was successful in securing this contract. The scope was to provide highly skilled IT professionals at the request of CBSA on an as-and-when-required basis to assist in deploying and maintaining its applications in cloud environments.

In May 2021, CBSA publicly posted another RFP competition for cloud cybersecurity services. In October 2021, after submitting our bid and competing against four other bidders, TEKsystems was awarded this second contract. The scope of the work was to provide IT professionals on an as-and-when-required basis to assist CBSA in performing cloud security assessments, vulnerability assessments and cloud security operations.

It's important to note that these contracts went through an open, fair and competitive process according to procurement rules and regulations. Neither contract was created specifically for ArriveCAN. Within the scope of these contracts with CBSA, TEKsystems was directed by CBSA to provide IT professionals for ArriveCAN. All the work we did on the app came at the direct request of CBSA, as it fell within the scope of these contracts.

Both of these contracts were ordered after the original rollout of ArriveCAN in April 2020. TEKsystems did not take part in the original development or set-up of the app. We also did not participate in the planning or management of any element of the delivery of ArriveCAN.

We provided highly sought-after professionals who were specialists in cloud networking and infrastructure services to help build and secure the platform that the application sits on, and we performed cloud-based, back-end development to strengthen and secure the application after its initial rollout. All our professionals go through a rigorous vetting process, including in-person meetings, reference checks and capability testing to make sure they have the skills to meet our clients' needs. We also make sure they have valid security clearance at the appropriate level.

At the request and direction of the CBSA, TEKsystems delivered $3.2-million worth of staff augmentation services for ArriveCAN. That was confirmed by the Auditor General and her report. We agree with her report and we co-operated with her investigation. Based on her findings, the findings of the procurement ombud and the previous testimonies already received at this committee, we would like to make the following points.

At no point did TEKsystems contact GC Strategies, Dalian or Coradix regarding any of the services provided to CBSA or the competition of CBSA contracts. We did not partner with any of these organizations for any IT professionals allocated for ArriveCAN or for any work done for CBSA. TEKsystems did not win any non-competitive contracts with CBSA, Health Canada, the Public Health Agency of Canada or any other government department for any IT professionals we provided to CBSA for ArriveCAN. All of our contracts went through an open, fair and competitive bidding process that had multiple bidders. All of the professionals that TEKsystems provided to CBSA went through a rigorous vetting process, reference checks, technical ability screening and security clearance validation.

Our work with the federal government has always been in accordance with procurement rules, guidelines, policies and procedures respecting the integrity of public institutions. We have a defined public sector practice that invests in making sure we operate ethically and deliver value to our customers and Canadians. We invest significantly in training and compliance for our teams, including annual mandatory legal and ethical training, and third party international standard organization audits.

We're happy to work with the committee today to answer any questions you may have. Thank you.

Just to clarify, are you referring to my current job at KPMG or previously in the federal government, or both?

Okay, thanks for clarifying.

I'll separate the answer into two different answers. In the federal government, I did meet with Mr. Firth two to three times at most—like I met with several vendors—generally to discuss some offerings that he had in the security space. I met with him once virtually while at KPMG.

The one KPMG meeting I mentioned was virtual. The two to three at most, when I was at the Treasury Board of Canada Secretariat, all occurred in the lobby of 90 Elgin, which is the Treasury Board government building.

That's correct.

Yes, that is correct.

Absolutely.

I should say that all my answers subsequently will be directed through the chair. I'm sorry about that.

While in the federal public service, many vendors reached out from time to time to explain what types of security products or services they were offering, given my role at the time was director general of cybersecurity.

In the specific meetings with Mr. Firth, I remember discussing two products related to—I apologize for the lack of detail—something around secure communications and digital identity, but there were no subsequent meetings. He left with a brochure, a pamphlet so to speak, and that was the end of that.

The KPMG meeting specifically was more of a reintroduction, I suppose. He had apparently been talking to one of my colleagues prior. I was looped into an email thread, and it was apparent that the subject of cybersecurity came up. I subsequently discussed with Mr. Firth the types of cybersecurity services that KPMG—

It's a retired partner who's no longer with the firm.

After we submitted a proposal to Mr. Utano, he and I did have a meeting, and it was at that meeting that he asked, ”Can you also submit this proposal through to GC Strategies?”

My understanding was that Mr. Utano was exploring his procurement options. I believe his procurement team had likely given him some advice on what the quickest way to procure was. I understand there was some urgency due to the cybersecurity nature of the work in question.