:
I'll call the meeting to order.
Welcome to meeting number 13 of the House of Commons Standing Committee on Government Operations and Estimates. The committee meeting today will be from 3:34 your time, until 5:34 your time. We will hear witnesses as part of the committee's study of the Nuctech security equipment contract, and then discuss committee business in camera at the end of the meeting.
To ensure an orderly meeting, I would like to outline a few rules to follow.
Interpretation in this video conference will work very much like in a regular committee meeting. You have the choice at the bottom of your screen to use either floor, English or French, for those who are here virtually. We would ask that you choose the language you are going to speak in when you do so.
Before speaking, please wait until I recognize you by name. When you are ready to speak, you can click on the microphone icon to activate your mike. When you are not speaking, we ask that your mike be muted.
To raise a point of order during the meeting, committee members should ensure their microphone is unmuted and say “point of order” to get the chair's attention.
In order to ensure social distancing in the committee room, if you need to speak privately with the clerk or analyst during the meeting, please email them through the committee email address. For those people who are participating in the committee room, please note that masks are required unless seated and when physical distancing is not possible.
I understand we have some opening statements from our witnesses today. I appreciate that. They will be provided five minutes.
Right now, I will invite the Council of Canadian Innovators to make their opening statement.
:
Mr. Chair, honourable members, thank you for the opportunity to present today.
I'm Benjamin Bergen, executive director of the Council of Canadian Innovators, or CCI, a national business association that represents more than 130 of Canada's fastest-growing technology companies. Last year alone, our members employed more than 40,000 Canadians and generated more than $6.5 billion for the domestic economy.
I'm joined today by Neil Desai, a senior executive with one of CCI's member companies, Magnet Forensics. Neil is an expert in cybersecurity and public procurement policy and will have much to contribute to today's discussion. For my part, I'll focus my comments on the role that procurement can play in supporting the growth of Canada's homegrown companies.
As your 2018 report on modernizing procurement stated, the Government of Canada is the biggest customer of goods and services in the country, and the procurement system has the opportunity to be a much larger driver of economic prosperity. In the global innovation race, having the Canadian government as a purchaser of goods and services is considered a major validator for domestic companies. It helps them to accelerate future sales with other governments around the world, which in turn enhances Canada’s innovation export potential.
We are all abundantly aware of the issues the federal government has faced with procurement in recent years, especially when it comes to buying technology systems. The Phoenix pay system, the Government of Canada website renewal project, and now the X-ray machines for Canadian embassies, have each become matters of national interest, and for all the wrong reasons. The end result is billions of dollars paid to foreign technology firms that have failed to deliver on what they promised.
Canada's current approach to procurement lacks a strategic economic development lens, which has a direct impact on the economic opportunities for domestic innovators who wish to help their governments defend physical and digital borders. This all has a negative impact on both our prosperity and, more importantly, national sovereignty.
I'd now like to turn it over to Neil Desai for his opening comments.
Thanks to members of the committee.
Magnet is a Waterloo-based cybersecurity company that provides digital investigation software solutions that are used by over 4,000 police, national security and other public and private entities with investigative authorities in 94 countries.
We're proudly Canadian and thankful to call a dozen federal organizations our customers, but I should point out that Canada accounts for about 5% of our business.
The challenge we see with federal procurement in the security sector is the lack of a strategic lens. First and foremost, the government continues to buy modern tech, largely software, the same way it purchases office supplies, through lengthy RFI and RFP processes that are focused on what is believed to be the lowest price of a static product, versus the best value delivered through a solution that will evolve to develop benefit over a long time horizon.
Modern software is highly iterative technology. It can solve key problems, but it can also create grave ones if it's not developed and purchased with foresight and a focus on value. Leading global governments in procuring security solutions acknowledge this, and allow their front-line experts to work with their innovators much earlier in the development cycle. They also keep a close eye on the potential for such solutions to be exported.
This isn't to say that these governments don't buy foreign technology, but they assess the risk and consider the prosperity opportunity. They use national security and small business exemptions in their trade agreements. They also use non-tariff barriers such as security clearances and government expectations, to ensure that the solutions they procure are trustworthy and deliver economic spillovers. They also shorten procurement to align with imperative development cycles, allowing pivots and off-ramps to avoid massive failures.
The concern I'm expressing here today is less from a business-operator perspective and more from a proud Canadian vantage point.
Cybersecurity is the nexus of prosperity preservation and creation with geopolitical conflict and criminal activity. If we, as a country, don't update our playbook soon, we risk being left behind.
I'd be happy to animate the themes I've covered with some tangible approaches to a Canadian-made technology procurement strategy.
Thanks very much.
:
Thank you, committee members.
My name is Sime Buric, and I am the vice-president of K'(Prime) Technologies.
K'(Prime) Technologies is a Canadian-based company based in Calgary, Alberta. We employ approximately 40 people across the country. Our CEO, Kham Lin, and our CFO, Amanda Lin, started the company 22 years ago. The company was founded as a sales and service provider for the analytical testing and security market. We are a for-profit organization that is not subsidized by government. To be competitive, we need a fair playing field.
I want to start by saying that we share the views of prior witnesses, such as Mr. Burton, Mr. Mulroney, Ms. Carvin and Mr. Leuprecht. We are one of the companies that submitted a response to the tender. A lot of the issues that OGGO is discussing now are issues that we brought up when we challenged the awarding of the standing offer. We followed the only avenue we had to challenge the awarding by submitting a complaint to the Canadian International Trade Tribunal.
One of the concerns that we brought to the CITT was the question of how Nuctech could meet the Canadian regulations when submitting bids. We provided examples of many global news articles and decisions against Nuctech for some questionable practices. We expressed our concern about competing against a state-owned company. VOTI Detection—which I'm glad to see is on this witness panel—another Canadian company that bid on the tender, also expressed concerns about Nuctech. In a newspaper article, VOTI also expressed concerns, knowing how the equipment and the hardware could be significantly cheaper—up to 25%.
Another concern that I brought to the attention of the tribunal was the stretching of the truth when it came to the abilities of the technology to automatically detect weapons and other potential threats. All the X-ray systems run on a similar principle. The systems that were quoted were all of a single-view type, meaning a picture from one angle. The probability of accurately identifying a specific threat—like the difference between a gun, knife or bomb—with a single-view system is low, but the specification was not removed or revised. A single-view system is not meant to replace the use of visual inspection of a package. It is meant to be a complementary technique.
The X-ray systems differentiate threats based on atomic mass. Therefore, a colour is applied to the screen to identify a material, whether it's a metal, liquid or organic material, etc. If the premise is to reduce the amount of visual inspections, a dual-view system or a CT-based system is necessary, but these require a higher investment and are similar to what CATSA uses at the airports.
Unfortunately, these concerns were not investigated further, and our complaint on the matter was disregarded. Based on the decision by CITT, it was recommended that we be charged $575 for the challenge.
I personally have over 14 years of experience in responding to government tenders. This was one of the more difficult tenders to respond to, as there were a lot of unrealistic hypotheticals in terms of the number of units required per global region. When I would respond to any previous tenders, the specifications were clear and concise. The number of units was specific or a price per unit and a standing offer issued over a specific number of years. The locations where the units were to be installed were specific.
These are just a few examples of some of the hurdles presented when responding. As this tender was based on hypotheticals, it made responding to the tender more difficult than it had to be. Companies that are for-profit organizations then have to uplift or pad their pricing to make sure they do not lose money in different regions.
There are a lot of security concerns that have been discussed in previous committee meetings. It has been mentioned a couple times that X-ray equipment would be a low to medium security threat. Yes, electronic modifications can be done after the fact by a service person or by anyone else who has access to the equipment, but we also need to question whether there's a security threat coming in with the system. Who tests whether there's a back door, malware or any other security vulnerability in the system prior to deployment?
We at K'(Prime) Technologies are responsible for the maintenance of X-ray equipment at many airports across the country. In order to provide this service, we are required to have a restricted area identity card, which is an application that is reviewed and approved by Transport Canada, to get access to the equipment. However, in order to service equipment at the embassies, no clearance is necessary.
As a Canadian citizen representing a Canadian company that employs Canadians across the country, I am here to say that we are looking for our government to provide better procurement standards, and for matters of security to be reviewed at a higher level with interdepartmental collaboration. This could hopefully prevent the government from spending taxpayers' dollars on expensive reviews by external companies when there are resources available internally, like the Canadian Centre for Cyber Security.
Canadian companies need to abide by ethical and legal standards to compete for business. We want these standards to apply to all non-Canadian organizations that want to do business in Canada. When it comes to security, reviews of companies need to be done ahead of reviewing tender responses, to exclude companies that do not meet the Canadian standard.
I thank you for your time and welcome any questions.
:
Thank you very much, Mr. Chairman and honourable members. Thank you for this opportunity to address the committee on issues that I believe are of critical importance to VOTI Detection and the Canadian business community.
In my remarks I will address three main issues that I believe are relevant to your hearings, and it would be my pleasure afterwards to take any questions you might have.
First, as president and chief executive officer of VOTI Detection, I stress our support for the competitive bid process in public procurement. We welcome the opportunity to offer best-in-class technology to address the needs of our potential clients, while offering tremendous value for money. VOTI Detection believes the procurement opportunity that was managed by Public Services and Procurement Canada for the benefit of Global Affairs Canada followed all the rules in place at that time.
Our request of policy and decision-makers is the consideration of changing some of those rules. The only thing we ask for is the opportunity to participate in the bid process on a level playing field. We believe it is virtually impossible to have a level playing field when companies that are state-sponsored, with a history of predatory pricing practices, are allowed to participate. There should be a vetting of companies to ensure that they have the ability to deliver all the commitments in their bid while respecting the high ethical standards of business governance.
Our belief is that any company that has been disqualified from procurement opportunities for security reasons by our closest allies or known to have engaged in illicit and corrupt practices such as bribery and honey trapping should be excluded from Canadian government bid opportunities. It is our hope that the bid authorities will embrace opportunities to consider the value of benefits other than a low price in the evaluation of submitted bids.
The second issue touches on security considerations related to the acquisition, deployment and ongoing maintenance of X-ray security scanners. While we understand that the security scanners will not be connected to any network, we also understand that the scanners will record and store data that should be kept highly confidential. Although the data will not be vulnerable to a network attack, whenever a technician—a simple technician—is required to perform preventative maintenance, a software update or the servicing of a defective part, there would be ample opportunity for that technician to download the sensitive data that should be protected and send it to wherever that person wishes.
The security value can go beyond the actual technology. Companies and the individual employees who will participate in the fulfillment of the procurement opportunity could, and should, receive security clearances based on reliable and verifiable information.
The third point is to stress the importance for Canadian business to find government support through public procurement, especially during these very difficult economic times. I believe small and medium-sized businesses are the backbone of the Canadian economy and the greatest opportunity to stimulate sustainable growth. There is no support that is more valuable that a government entity can give to a Canadian business than a purchase order. Procurement of Canadian goods supports domestic industry as well as the important downstream supply chain. These businesses employ Canadians, and it is through the fulfillment of purchase orders that businesses can grow, continuing to invest in growth strategies, research and development and the creation of additional jobs for Canadians.
VOTI Detection employs over 80 people across Canada. These are high-paying research and development jobs with fundamentally superior IP in technology to any of the competitors in its class. These are things that should be taken into account and considered when going through any type of procurement process.
In conclusion, it's my hope that this committee will shape policy that will support better outcomes for the Canadian government, their departments and agencies, and for the Canadian people. It is my belief that, when possible, the promotion of a Canada-first or buy-Canadian procurement strategy would generate positive outcomes for all involved.
Again, Mr. Chairman and honourable members, I thank you for the opportunity to address you. I make myself available for any questions you might have.
I want to point out to the committee that I have a document from the United States Department of Homeland Security dated November 2020. Paragraph 13 confirms that it's very easy to steal data from Nuctech's devices and that this poses a security issue. Our American colleagues confirm that there's a security issue in this area.
I have some time left, so I'll turn to Mr. Bergen.
Mr. Bergen, we discussed the purchase of foreign technology. You said that Nuctech is another example in a series of failures in our procurement system and that billions of dollars were paid to foreign technology firms that failed to deliver on what they promised.
Can you tell us more about this? When you talk about billions of dollars, how many companies and individuals are involved? Can you elaborate on this?
:
Thank you very much, Mr. Chair.
This government takes cybersecurity very seriously and in budget 2018 committed $500 million over five years for a national cybersecurity strategy. A big pillar of that cybersecurity strategy is to help build up domestic research and innovation capacity. This means making investments to help Canadian tech companies, innovation companies, grow and scale.
You can look, for example, at the $10 million that was given last year to the Rogers Cybersecure Catalyst program in Brampton. This was a partnership with Ryerson University. You can look at the $41 million in investment through FedDev, again in quantum projects, cybersecurity projects related to quantum at Waterloo. This was through Quantum Valley. There was $49 million of FedDev funding that was leveraged to create a cybersecurity centre in Vancouver. My point is that this government is making significant investments in tech companies and in innovation locally.
I wanted to ask Mr. Bergen whether we're on the correct path in terms of making these significant investments in domestic Canadian cybersecurity tech companies to help us address some of the threats we're facing.
:
I appreciate that and I understand also the role of procurement in helping these companies once they're scaling and growing to be able to scale further.
As you are probably aware, the Government of Canada has a program called the industrial and technological benefits policy, through which, for large defence procurement contracts, for example, the government can stipulate that, as part of the conditions of the contract, the company that's awarded the contract has to provide economic activity in Canada up to the value of the contract itself. Among the 14 key industrial capabilities that we're targeting are cybersecurity and cyber-resilience, for example.
Is this government's industrial and technological benefits policy program one of those pillars of procurement that you would support and that you think plays an important role in helping Canadian companies locally?
:
I'll jump in here and just say that these are all really great initiatives, and cyber is a real problem, but we also need to have a scaled understanding of the challenge and then work from there.
I'm going to one industry report. McAfee, a global player in cyber, has done independent research on this. They see cybercrime as growing from a $600-billion global problem two years ago to a $1-trillion problem this year, and they expect it to accelerate because of COVID and the number of vulnerable populations online.
Just on differentiating between economic development, things like the programs you mentioned in the previous question, and ITBs and procurement, I don't think we should consider procurement as a handout. I don't think anyone I heard during the opening statements was looking for favouritism.
What they are looking for is a level playing field, and I'll just say from a purely economic development perspective, a purchase order of $1 million is much greater in terms of its knock-on effects to the economy than $1 million of economic development programming. It validates the technology and its usability in the field, and frankly, we have to be cognizant that Canada is a very well-respected country globally. We make up about 2% of GDP and roughly the same amount of cybersecurity consumption, so the opportunity of domestic procurement—and the Government of Canada is one of the largest purchasers of cybersecurity tools in this country, along with the banking sector and other sectors—is not only to solve the narrow problem within government. It's to give an incredible launch pad to cybersecurity companies.
Frankly, we shouldn't look at size of company as the only measure of capability. We should get deep into the capabilities they have. Large system integrators, big companies—and I won't name them here—often have the balance sheet and lobbyists to withstand long RFI and RFP processes that are multiple years when they, in fact, don't have the technological capability.
Maybe we need to get a lot clearer on what we're trying to achieve in procurement and create smaller bite-sized procurement processes we can get through, and then validate technology and start responding to problems the way technology is built and not the way procurement is built.
:
Thank you for your straightforward answer. I greatly appreciate it.
A number of foreign companies, especially Chinese companies, have representatives in Canada who are Canadian citizens. I'll focus on the Chinese companies.
As you know, in 2017, the intelligence law was enforced. This law required every Chinese citizen to provide information to the government.
In your opinion, if a Canadian citizen is hired by Nuctech, are they also subject to China's 2017 law?
:
Maybe I could provide some...not to the specific, but to the general question being asked.
As a Canadian company trying to sell in 94 different countries, as you move up market in security, significant questions come from foreign governments, such as how many nationals you employ, or if you have a separate board of directors for that country where the majority of members of that board of directors are nationals of that country.
As you, again, move further up the security spectrum in terms of risk, then it becomes “Is the development for this product done in country? Can it be validated in country? Would there be opposition to that if the deal size got to a certain level?” Among astute countries in the cybersecurity and broader security space, there's usually a risk opportunity matrix in the policy, where they have expectations of the vendors that increase as the risk increases.
:
We put our concerns on three different areas. In one area we spoke about the technology itself and how the technology that they were trying to apply outreached its capabilities in terms of the likelihood of differentiating between different types of threats, whether a gun or knife.
Another one we had was the concern of Nuctech being a subsidized state-owned company, with all the questionable practices. We provided a lot of newspaper articles from around the world in terms of some of the allegations. Basically, we brought to attention the information that they found to be true in terms of bribery, but the information was deemed not sufficient to go further.
The last one we brought up was about wanting to know the logistics of how to move equipment around the world. We stated that we use companies like FedEx or UPS, known suppliers of transporting goods, but they started knocking down points on how this was supposed to be done. Our response was that we work with our partners. That wasn't sufficient, so we challenged that response as well.
:
I think a proper study on the number of ITBs that have actually been deployed for the specific-purpose or general-purpose technology that's being offset with a foreign piece of technology would be good. I think it's sometimes burdensome to force companies to try to find something in Canada that will work. Making sure that it's generally in the line of security would actually help the economic development piece.
However, an ITB, again, is really trying to create a local economic stimulus. I will go back to pointing out that, in some cases, when a Canadian company can fulfill a procurement and is being kept out for arbitrary reasons, or for unfair business practices from foreign players, I think we have to solve the narrow problem before we try to look at these big structural issues.
I'm blending into your previous question because it's a really important question. The separation between the subject matter expert in security and the procurement process is so wide, there is such a separation. I understand why. You want to make sure you have a fair, transparent process to make sure government money is being spent well. However, the reality of technology is that you need subject matter experts to review things like security, things like the governance of technology and how updates will be delivered. The only way to solve for that is to bring the subject matter expert closer to the procurement process.
I think the procurement officers do their best with what they're given, but there's such a time lapse and separation between those independent procurement officers and the actual technical problems to be solved. We have to figure out ways to get that transparency, but with those subject matter experts in the process to review the tech.
It would probably be normal if government hadn't reached out to those who were not on the standing offer, because there are normally three or four vendors that would be on a standing offer. Then, obviously, Nuctech has been flagged as a security issue.
Then, K'(Prime) Technologies, it would be normal that you probably wouldn't have been contacted yet unless there are major changes to the technical requirements of the particular standing offer. I know you have experience in procurement, so obviously, you would understand that. Is that right?
:
Okay. Perhaps as a Canadian I would suggest, regarding Canadian devices, that you reach out and let them know you have a potential solution.
I'm not going to talk to the CITT ruling, because it's out of our hands. That's an independent body, and they make their own decisions.
To the Council of Canadian Innovators, you talked about leveraging procurement and what that means in this country. We often find ourselves stuck between—and this dates back 15 or 20 years or to probably before I was born—our international obligations on trade and our will to support our local businesses. Time and time again, I have had my fair share of work with IT companies that have said their first sales were to the U.S. government as opposed to a Canadian government. I find it insulting but it does happen. This is not something that is new in 2020. It's something that has been there for a very long time.
How do we fix procurement? This is something that our committee has studied in previous Parliaments. We have noticed the barriers to entry. Long procurements create a natural barrier to those companies, so what is your advice for how we can leverage that particular procurement to give that edge to Canadian companies?
:
In the security space specifically, which is what I will talk about, because that's what I know best, I think we have to emulate and also create our own things that meet our own values and systems.
I will say that security clearance is one big piece. I will say that in other leading security technology countries there is a proactive focus on understanding the marketplace and ecosystem of technology companies, and not just understanding their technology but also understanding their technology road map, how it could be applied to public sector challenges and how that could be influenced. These things are done in a very structured way, not just as one-offs with people going out and talking to companies. It's very structured.
In the United States, there are a number of different programs, things like DARPA, the space program. In-Q-Tel is one that's offered by the intelligence community, the 21 intelligence agencies. They are less interested in procurement of a widget and more interested in a company's broad capability, its technical wherewithal and, frankly, the security and reliability of the board of directors, the executives, the key engineers and the key business people in the company.
I think these are really simple steps that we can be taking to avoid some of the challenges we're talking about here.
I will be clear about one thing. I'm not suggesting that the Government of Canada doesn't need to buy foreign technology, but if you put a strategic lens on top of the capabilities required—where there is Canadian capability versus where there isn't or where you take a longer-term value lens—a lot of these companies will win the procurements and then pad them with afterwork. That's their goal. If we look and project a bit forward and not at a static moment in time, we will get better value over the long run.
I will stop it there, Chair.
I'll start with Mr. Bergen.
Innovating in Canada is expensive. Not only does it require a great deal of creativity, but also a significant amount of money. I understand that it can be very frustrating to see a company's investments overlooked to some extent.
My question is the following.
To encourage our investors, what procurement methods should the government use to keep these investments in Canada?
I'll nuance it. I don't believe it has to favour. I think we have to be very analytical in the outcomes we want. We want to see a successful business sector for the productivity of our country. Some of the facts we have to get on the record here is that Canada spends some of the highest amounts on investments in R and D from the public sector but has some of the lowest productivity outcomes in the OECD. That's our starting point. Continuing to do that and expecting better results is, by definition, insanity.
The second piece I'll say is that when we look at the economic development work we're doing—another member asked a question about some specific examples, but there are many different ones—we also have to be cognizant that the best form of financing for any company, regardless of what they make, is a purchase order. Take it to any bank, and they'll give you much better financing terms than a government grant, a government tax credit or a zero-interest loan. I think we have to acknowledge that in our analytical constructs here.
What I would say is that, if we assess the success of the programs out there in economic development for technology-intensive businesses, let's consider how we get people in government—who are frankly, as a sector, one of the largest buyers of technology in this country—to actually try Canadian tools and technologies.
Let's also be realistic. Through grants and subsidies we are giving companies money—start-ups, scaling companies, large technology companies—through SR and ED credits. Should we not try to take something back?
:
Thanks very much, Mr. Green.
The last thing I was saying is that, in these economic development programs that give grants or low-interest loans, the government should start taking the technology being built by Canadians and try to find out whether there are users in the government context. Many of our programs—even of our strategic procurement programs—are very ideological. They're either pure demand—the government has a problem it wants to solve, and that's innovative solutions Canada—or pure supply, the build in Canada program, which is when technology companies in Canada have a technology they want someone in the government to test.
The reality is that we need to play in the middle of those two, where Canadian technology vendors have something that's of value and that could potentially solve a government problem. If we get that middle ground right, I'm telling you, there will be major exports to be had and better economic growth for this country.
:
That was our business, and I'll tell you, we're not looking for any handouts here. However, I'll give you one example of the challenges that the Government of Canada faces in our software realm: investigating the extremely fast-growing issue of child sexual exploitation online, a massive, growing global issue. The same problem is happening in the U.K., the U.S. and around the world.
They all use their small and medium-sized enterprise exemptions in trade agreements. They all use their national security exemptions to work with their local innovators on solutions that solve problems such as that, or pure cybercrime investigations. That's what we're up against in a globally competitive world.
Again, I'm not suggesting that every piece of technology is going to have a Canadian vendor to solve the problem, but when there is a Canadian vendor that has technical chops and has an export potential and they get the door slammed shut on them, I just want to point out that with technology it's a winner-takes-all game a lot of times in procurement, so when you're locked out, you're locked out now for years and that launch pad is lost.
Therefore, we have to be very careful when there are Canadian players in the space and there are also security considerations.
This question is going to be focused on Mr. Desai.
The very fact that a company such as Nuctech could get this far in the process without anyone flagging it for security reasons is absolutely shocking, and I think it just demonstrates how our government—and maybe it has been going on for a long time—is taking our national security so for granted.
I read that the European Medicines Agency was hacked recently. They got information about the Pfizer vaccine. FireEye, the top private cybersecurity firm in the United States, was hacked. Even the cybersecurity companies are getting hacked.
I am being reassured by this government over and over again that they have a plan and that they're ready to protect our vaccine supply chains and protect our data with cybersecurity, but I'm just not convinced when I'm seeing all these countries around the world, countries similar to Canada, getting hacked and top firms such as FireEye getting hacked.
I want to get your comment. Does our government have an adequate strategy to enhance and protect our cybersecurity, and if not, why not?
:
On the specific Nuctech stuff, I'll defer to my colleagues, but on the cybersecurity piece, the one thing I'll say, and I'll be very general here, is that, in human history, as long as people have things of value, there are unscrupulous people looking to try to get them. Digital is no different. The major nuance there is that people can act from afar and anonymize their behaviours.
The one thing I struggle with in the rhetoric around cybersecurity, both at the public and private level, is this commentary that “I am wholly secure.” Then when instances such as the ones you've outlined happen, we go into PR reaction modes of, “Well, these are all the things I did.” We need to be a bit more nuanced in our communications, level with people and say this is a major risk to the security of Canadians, to the prosperity of Canadians, and frankly, to our sovereignty when we talk about things such as elections, because there is no wholly secure system in the analog world, and I can tell you, I guarantee you, there isn't in the digital context.
I've often called for more of a public-private approach to Canadian cybersecurity. I'll also say that we're learning through the pandemic that things that are “essential” don't always sit in the purview of the Government of Canada, let alone the public sector. I know this committee is thinking about government operations and cybersecurity, or security generally, but we have to be cognizant that a lot of the essential systems in our society are outside the realm of the federal government and we need better public-private exchange on these subjects.
I echo that as well. It's a very good point that there's never going to be a situation where the government spends enough or the government has done enough to ensure that we will be wholly safe from cybersecurity threats. It's a war and it's a forever war that we're going to have to keep fighting. We're going to have to keep adapting. We're going to have to keep investing in new technologies, because what we're seeing out of countries like China with quantum computing is that the threats are evolving, and we need to evolve.
For too long Canada has taken for granted that we're not going to be targeted by these state actors or criminal organizations, but it's becoming an increasingly competitive and hostile world. Don't you think it's time for the government to put forward a real strategy to ensure that we can evolve and adapt, a strategy that would lead to an application like Nuctech's being dismissed out of hand because it's common sense? We're all acknowledging on this committee that a company like that should have never been considered for this kind of contract.
:
To me, when someone says “strategy” in a public sector context, what I believe is that it has to be horizontal in government, not vertical. What I see being called “strategy” is that they've secured this specific thing. You know, this X-ray machine meets the needs of the security of this embassy. I think we have to be a little more holistic. I don't mean that just in a Canadian context. We have to look at multilateralism and evolve it as well.
We have the Five Eyes, which I would say is one of the most effective forms of multilateralism that Canada is a part of, discussing critical issues of cybercrime, infrastructure, integrity and such. We are putting it at risk currently.
I think better conversations with our allies where we have capabilities, not just in Canada but within our tight, close allies where we have co-accreditation of technologies and of governance of those technologies, these are some actual solutions we can be looking at. Not everything is going to be able to be built under the watchful eye of the Government of Canada. We have to take a risk management approach here, not a risk avoidance approach, because we're just going to be let down at the end of the day if we have a risk avoidance approach.
Thank you to all the witnesses. It's been quite informative.
I'll start with Mr. Bergen.
Mr. Bergen, in the closing part of your opening remarks, you talked about a strategic versus economic lens, or at least a balance of a strategic and economic lens. Also, you indicated or you predicated that the current process for procurement is more like the lowest price of a static product. You said the technology is evolving, and it's evolving quickly, and our current procurement process is not aligned with it. Mr. Desai has talked about various activities or various indicators of the fact that we're not using a strategic lens, and the last comment on a horizontal way of thinking rather than vertical is an example of that.
My question to both Mr. Bergen and Mr. Desai is this: What specific changes do we need to make to the procurement process to make it more agile as well as more horizontal?
Mr. Bergen, would you like to start?
:
Thanks. I appreciate the question.
I'll get into the nitty-gritty. When we develop a piece of software, it is not static, as I mentioned. It's a 1.0. We have a road map that's very tight and, I would say, within a six-month window. There's still a road map even beyond that for up to two years. That's constantly evolving based on our users' feedback and the things we're learning about the cyber-threat landscape, etc.
In a procurement process, what we see is a waterfall list, a long laundry list of capabilities that are required on the day the RFP goes live. That list usually takes almost a year, if there's an RFI, through to the RFP. Really, most of the time when we see these RFPs, they're dated by the time they get posted, or they are actually asking for things that don't exist in the market or aren't functionally capable.
Oftentimes when we show them to users of such products in the government, they don't even know where they came from or why anyone would want those capabilities. The things they want are very specific. They have to navigate that through procurement services, where they actually list in a waterfall way what they want today, in a long laundry list, but they also know that it's going to evolve over time. Sometimes, frankly, they have to do what they know is wrong and say that they're picking things that will lead them to where they want to get to in six months.
I think there are a couple of really tangible things we can be doing. One is shortening the time, the length from information gathering through to procurement. Then, concurrently, we can be reducing the dollar amounts so that the risk isn't as high, and acknowledging how software is built—highly iterative, versioned—including opportunities to pitch road maps of technologies within the procurement process to the end-users and the technologists, not to the procurement people to be translated into jargon, but in the language that the end-users use.
Also, then, there's understanding the landscape in a constant way. We have a procurement system that's highly responsive and not actually proactive in getting to the marketplace and understanding, first, what's out there, and second, what's possible within road maps and structures.
The last piece I'll say is that in the security phase, I think we need to do more assessment of companies and getting security clearance to the companies that have capabilities and can have capabilities in the future, so that they can work with government more hand in glove.
That was the “one, two, three, four” that I was looking for. Hopefully, it will make it into our report as a recommendation.
I'm going quickly to Mr. Buric and Mr. Olson.
You guys have talked about the acquisition, installation and maintenance. In the case you talked about, the fact was that you've already installed products at CBSA.
When it comes to the maintenance, there's been a lot of concern about the possibility of data being downloaded. Is that specific only to the maintenance for Nuctech or is it a risk that's available or that you're exposed to for all products that contain data during maintenance, in that if it's not properly overseen or validated, the data may get lost?
Probably Mr. Olson can talk about that first.
:
Thank you, Mr. Chair. I'll try to make this one question count.
I'd also like to first thank the witnesses for joining us for a very interesting discussion today.
My question is for Mr. Desai.
You mentioned some of the programs that the U.S. has for procurement, and you mentioned DARPA specifically. There is a local biotech company called AbCellera that won a competition that DARPA had where companies could compete to show how they could respond to the threat of a pandemic in developing a therapy.
It just so happens that, once the pandemic hit this year, there was a significant amount of investment from the Canadian government into AbCellera to develop a treatment for COVID, which eventually they did, and it was approved by PHAC, and we've now procured 26,000 doses of the therapy.
This is an interesting example, and I was wondering if you could speak to what lessons you think we can learn from the response to the pandemic with respect to the medical sector and how this can translate to support of the tech sector, particularly to navigate the valley of death?
:
Thanks for that really thoughtful question.
I'm not in the bio space, but I think the lessons I draw from experience dealing with similar organizations like DARPA in the U.S., on more of the law enforcement or national security side of technology versus the medical security side, are that we have to start being able to walk and chew gum. We need to understand that solving real problems that are societal problems is the best form of economic development. If we don't marry those two, we will lose some of our best companies.
I will say that, if we work with some of those types of agencies similar to DARPA in other jurisdictions, they become attempts to draw us away from Canada. If we don't mirror this.... This is not just saying we should be nice Canadians and support our companies. This is a matter of future prosperity and maintaining our standard of living in this country. This is how, in highly secure industries, development is being done, both in the public and private sector.
I'd like to thank all the witnesses for their presentations and for answering questions. It's greatly appreciated.
Committee members, we will be moving in camera. We will suspend the meeting, after which the technical staff will end this meeting in Zoom. You will have to go out and then come back in. Information with the password and the link was sent to you by the clerk.
Again, thank you very much, witnesses.
[Proceedings continue in camera]