OGGO Committee Meeting
Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
For an advanced search, use Publication Search tool.
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
Standing Committee on Government Operations and Estimates
|
l |
|
l |
|
EVIDENCE
Wednesday, November 18, 2020
[Recorded by Electronic Apparatus]
[English]
I call this meeting to order.
Welcome to meeting number seven of the House of Commons Standing Committee on Government Operations and Estimates. The committee is meeting today from 4:10 p.m. to 6:10 p.m. to begin a study on the Nuctech security equipment contract.
Officials from Public Services and Procurement Canada, Global Affairs Canada, the Communications Security Establishment and the Canada Border Services Agency are here to discuss this subject.
Pursuant to the motion adopted by the House on Wednesday, September 23, 2020, the committee may continue to sit in a hybrid format. This means that members can participate either in person in the committee room or by video conference via Zoom.
To ensure an orderly meeting, I would like to outline a few rules to follow.
Interpretation in this video conference will work very much like in a regular committee meeting. You have the choice, at the bottom of your screen, to use floor, English or French. Should you be speaking in French, I would ask you to make certain that your language is in French for the interpreters, and likewise in English.
Before speaking, please wait until I recognize you by name. When you are ready to speak, you can click on the microphone icon to activate your mike. When you are not speaking, your mike should be on mute. To raise a point of order during the meeting, committee members should ensure their microphone is unmuted and say “point of order” to get the chairman's attention.
In order to ensure social distancing in the committee room, if you need to speak privately with the clerk or an analyst during the meeting, please email them through the committee email address.
I will now invite representatives of PSPC to make their opening statements.
[Translation]
Good afternoon, honourable members of the Standing Senate Committee on Government Operations and Estimates.
Thank you for having me here today.
My name is Lorenzo Ieraci, and I am the acting assistant deputy minister of the Procurement Branch at Public Services and Procurement Canada.
Joining me today are two of my colleagues from our Departmental Oversight Branch, Catherine Poulin, director general of Integrity and Forensic Accounting Services, and Claude Kateb, director general of the Industrial Security Sector.
[English]
Today I would like to focus my brief remarks on two areas. First, I will provide some general background with respect to roles, responsibilities and process in contracting security. Second, I will provide an overview of the specific procurement process involving Nuctech, which is the focus of today's meeting.
With regard to security and contracting, each federal department is responsible for protecting sensitive information and assets under its control, not only in its own operations, but also through any contracts it manages. Federal departments are also responsible for determining if suppliers will require access to sensitive information, assets or sites.
In its capacity as a common service provider, Public Services and Procurement Canada has two distinct responsibilities with respect to security and contracting.
[Translation]
First, the contract security program is responsible for security screening companies and personal. The program also provides the necessary security clauses to be included in each contract based on the information provided by the client department.
Second, the Procurement Branch ensures that the procurement is undertaken in a way that reflects the security profile, and that suppliers have received the necessary clearance prior to contract awards.
It should be noted that the level of security required is determined by the client department in consultation with their departmental chief security officer. These security requirements are captured at a high level through a security requirements check list, which is sent to Public Works and Procurement Canada along with other documents.
[English]
When procurement officers at Public Services and Procurement Canada receive these documents, and where security requirements have been identified, they contact the contract security program. In turn, the program provides the procurement officer with security clauses to be used in the solicitation and contract.
Prior to awarding a contract with security requirements, our procurement officers must confirm with our contract security program that the supplier holds the appropriate security clearance.
Mr. Chair, I will now move on to the procurement at issue, which involves Nuctech.
[Translation]
In December 2019, Public Services and Procurement Canada issued a competitive request for standing offer with the requirement to establish two standing offers for the supply of two types of securing screening equipment—conveyor-style X-ray machines and walkthrough metal detectors. This standing offer would be for Global Affairs Canada and other federal departments on an as-and-when-requested basis. The various trade agreements to which Canada is a signatory applied, and international suppliers were eligible to bid on this process.
I note that a standing offer is not a contract; it is an offer from a supplier to provide goods or services at prearranged prices, under set terms and conditions, when and if required. It is not a contract until the government issues a call-up against the standing offer, which is a notice to a supplier to provide the goods or services in accordance with their standing offer. It is important to note that the government is under no obligation to purchase until such a time as a call-up has been issued.
[English]
The request for a standing offer for screening equipment closed in early April. Seven offers were received for the supplier of conveyor-style X-ray machines. All were evaluated against the requirements of the request for standing offer. This included the need for offers to demonstrate that they met a set of 63 mandatory technical requirements to be declared responsive.
In accordance with the request for standing offers, the responsive offer with the lowest evaluated price would be selected. Three of the seven offers received were determined to be responsive, meaning that three of the seven offers met the 63 mandatory technical requirements. Of these three, Nuctech had the lowest evaluated price and was therefore awarded the standing offer.
I would like to conclude, Mr. Chair, by noting that to date no call-ups have been issued against this standing offer.
Mr. Chair, thank you for the opportunity to provide this overview. I'll be happy to take questions.
Thank you, Chair and members of the committee.
My name is Dan Danagher. I am the assistant deputy minister of the international platform at Global Affairs Canada. My team and I are responsible for providing the infrastructure required by Canada's network of missions abroad. That includes all real property, common services and physical installations.
We are grateful for the opportunity today to provide some background on Global Affairs Canada's recent procurement of X-ray equipment for those missions.
First, we at Global Affairs are seized by the importance of keeping our employees, our information and our assets safe. We have a robust security framework that continuously monitors the threat and risk environments, and we adapt our approach as those threats and risks change. We work with our closest partners globally and exchange ideas and approaches. We learn from each other.
Our installations are often complex, including high-security zones, security zones, as well as operations and public access or reception and public zones. X-ray equipment is used in the latter and helps screening deliveries and visitors to the mission. While this equipment represents a small part of our installations, every component is important for the good functioning and safety of our missions abroad.
In mid-July PSPC awarded a standing offer worth up to $6.8 million over five years for Nuctech X-ray equipment. To date, Global Affairs has not availed itself of this arrangement and has no Nuctech equipment in its missions abroad.
In the days following the award of this standing offer, the Minister of Foreign Affairs directed me to conduct a review of how we acquired security equipment such as X-ray machines. I turned to Deloitte Canada, and they conducted an exhaustive review. Their findings are currently in draft form, but I am sufficiently satisfied with their recommendations and we've already begun to implement them.
First, Deloitte found that Global Affairs Canada followed all applicable policies. While that is reassuring, they also found that those policies asked two key questions that fundamentally influenced our approach: Would the equipment handle sensitive information or be connected to our information networks? Because this equipment is used in a public access zone and the answer to those questions was negative, the procurement proceeded through normal processing without the application of a national security exemption or higher levels of security, which my PSPC colleagues can explain should the chair or committee members be interested. I should point out here that Global Affairs Canada has in place a national security exemption for the acquisition of equipment to be used inside the more secure zones of our chanceries.
Deloitte, however, recommended that we consider that the technical specifications themselves, even for the detection equipment in the public zone, should only be accessible to companies with higher levels of security clearance. Further, they recommended that we consider that service personnel who had access to the equipment should be security-cleared. These two steps could go a long way toward future-proofing our public zones from future threats should they emerge.
We are currently working through the mechanics of implementing these recommendations. However, I can confirm today that Global Affairs Canada will not avail itself of the standing offer awarded in July 2020, and we have already begun the process with PSPC to design a new procurement strategy that will implement Deloitte's recommendations.
We thank the committee for giving us this opportunity to explain how we are continuously improving and adapting as we strive to keep our people, information and assets safe. I am pleased to take your questions. Thank you.
Thank you, Mr. Danagher. It is much appreciated.
I understand we're having a little bit of difficulty with your sound, but we'll try to make certain that we keep on top of that as we go through, if we need to interrupt briefly to correct that.
We'll now start our questions in the first round with Mr. Paul-Hus.
You have six minutes.
[Translation]
Thank you, Mr. Chair.
I thank the witnesses for joining us today to answer our questions.
I heard what was said about the first assessment carried out, and then the one Deloitte did. My problem is that the Government of Canada has agreed to enter into a standing offer with Nuctech.
My first question is for the Communications Security Establishment. Ms. Mullen, what is your security assessment of Nuctech right now?
[English]
Hello. Thank you very much for the opportunity to speak to you today.
Let me begin by giving you a feel for my role within the organization, so that you understand where I'm coming from with my remarks today. As the director general of partnerships and risk mitigation at the Canadian Centre for Cyber Security within the Communications Security Establishment, I'm responsible for three main functions.
First is building trust-based partnerships with all levels of government, Canadian critical infrastructure and the private industry. Second is providing cybersecurity architecture advice and guidance to our partners and the Canadian public at large based on the threat landscape that we observe. Third is implementing risk mitigation programs aimed at reducing the risks identified through our assessments of technologies on the basis of our understanding of the threat environment, which is informed by both—
[Translation]
I apologize Ms. Mullen. I don't want to be rude, but I have only six minutes to ask questions.
Can you directly answer my question on the assessment of Nuctech's security risk? Can you confirm that Nuctech is linked to the Chinese Communist Party and is under its direct control?
[English]
CSE was not asked to assess Nuctech as a part of the Global Affairs Canada standing offer that we're here to speak about today.
[Translation]
Thank you, Ms. Mullen.
My next question is for Public Works and Government Services.
If no assessment request has been made, how can we justify the Government of Canada wanting to give a contract to Nuctech? Is it because the government turned a blind eye or did not want to know?
Had we not gotten involved, the contract would have probably been concluded. I understand that it did not materialize, but the offer was made in July. Can you explain to me why?
Thank you for your question.
In the case of procurement concerning Nuctech, needs and their associated security levels were set by the Department of Foreign Affairs, Trade and Development. The department provided us with information given that, at the time, no potential security risk had been identified. We undertook the procurement process, which was open to all businesses.
However, you know that the U.S. Department of Transportation has been warning people against acquiring airport equipment from Nuctech since 2014. That should have been known here, in Canada. Isn't that right?
Thank you for your question.
Were we aware of the information relayed by the United States? Yes, we were.
However, as I said, the process had no impact on security. Being in charge of procurement, we cannot know who will award or receive the potential contract. In this case, it was a standing offer and not a contract. As there were no security-related eligibility conditions, the process was undertaken openly.
We just voted on a motion in the House of Commons to obtain answers on Huawei. Given everything we know about China right now, how can we do business with a company directly related to the Chinese Communist Party without carrying out more thorough security checks? Please explain that to me.
Thank you for your question.
Procurement processes are based on security codes set by our client, which was Global Affairs Canada in this case. Our current procurement approach does not exclude companies from certain countries. Given that, at the time of the procurement, we had identified no security-related issues, the process went ahead.
Okay.
Can the Global Affairs Canada representatives tell me why they did not deem it important to establish security measures in their eligibility conditions even though we are talking about our embassies?
[English]
We did do a security review, Mr. Chair, prior to the issue of the requests for a standing offer. That security review really was based on two fundamental questions that we asked, in accordance with the Government of Canada's security policy. When those two questions were considered negative, this was considered low-risk. It was the paradigm that existed at the time. That has now changed.
Thank you, Mr. Chair.
I'd also like to thank all of our witnesses for coming to join us and speak with our committee today.
I'd like to jump right into it here. I was hoping that the witnesses could explain a bit more about what our government does to protect against unethical and illegal business practices.
Mr. Chair, thank you for the question.
I'm not sure if that was directed to Public Services and Procurement Canada, but I will start. From a procurement perspective, we do have the integrity regime, which is part of the work we do, as well as the contract security program, as I mentioned during my opening remarks.
Briefly, the contract security program does a few things. First, once we receive a requisition from a client department that indicates security obligations, the contract security program is engaged to ensure that the appropriate security clauses are included in the tender documents as well as the resulting contracts. In advance of a contract being awarded, the procurement officers will check in with the contract security program to ensure that the company has the appropriate security clearances to meet or to match the security requirements of the procurement.
In addition to that, the department manages the integrity regime, and I have colleagues from the department who are available to provide more details if necessary. In essence, what that does is ensure that companies have not been tried or convicted of offences. If they have been, they are placed on an ineligibility list, whereby we ensure that we don't undertake procurement with them.
Briefly, that's from a Public Services and Procurement Canada perspective.
Thank you for that.
With this in mind, what implications do the integrity regime and the other measures you mentioned have on the Nuctech standing offer?
With regard to both of these, in terms of contract security and integrity, I'll deal with the first one first.
In terms of contract security, as I indicated, once we received the requirement from Global Affairs Canada, there was no security requirement associated with it; therefore, the procurement went ahead in the manner that it did. In advance of awarding the standing offer, the procurement team did a check-in with the integrity regime to ensure that Nuctech was not identified at that time and Nuctech was not part of the inadmissibility list.
Thank you.
With this in mind, have you considered any...? I heard in the opening remarks about the recommendations that were made by Deloitte, and I was wondering if you could speak a bit more to how, as a government, we're considering new steps to protect the security of our workplaces abroad.
Mr. Chair, that question is probably best fielded by me.
We do have a very robust threat and risk assessment process. It's called the global security framework. It has been in place for a number of years now. We have a very, very large security team that focuses on it, and we deliver those installations abroad, so it's pretty robust. This equipment hasn't previously been considered to be sensitive—
Mr. Danagher, can you hold on for a second? We need to check some technicalities. You're not coming through clearly yet. Just hold on for a second, if you would.
I will pause the time for you, Mr. Weiler.
If you could try that, Mr. Danagher, we'll try to see if it works or not. The issue is that the sound quality is not sufficient for our interpreters to interpret.
What I'm going to suggest is that you try again. We're going to ask you to try to speak as slowly as possible, and we'll see if our interpreters can hear, and then we'll see if that works. Do try to hold the mike closer to your mouth, but not directly right at it, and we'll see if that works.
Thank you. I will try to speak a little clearer and louder.
Thank you, again, for the question. Just to confirm, we do have a very robust global security framework that is constantly assessing the threats and the risks abroad, and we are always assessing our vulnerabilities. This equipment was not seen as overly sensitive equipment, so the national security exemption that we had did not apply. It fell within a paradigm that basically allowed it to be competed out in the open in that way.
Does that answer the member's question?
It does indeed. I'm just hoping you can expand a little bit more on what level of risk was thought that this equipment could provide.
Essentially, because the equipment stands alone in a room and is screening visitors' equipment, their briefcase, a bag or something like that—
Mr. Danagher, excuse me for interrupting again. It seemed to come through a little clearer when you spoke a bit slower. That way the interpreters could pick you up. I realize I'm breaking up your usual cadence, but if you would try that out, I'd appreciate it.
Okay. I will do my best to slow down.
This equipment is in the public access zone outside of our chanceries, just in the very exterior of our chanceries. It is used to screen visitors' belongings. It is not typically plugged into our network and it doesn't handle classified information. As a consequence, it doesn't fall within two of the key questions of the government policy on information security. It was just put out to a broad tender, as you heard earlier.
Just quickly, maybe the witness from PSPC, Mr. Ieraci, could mention how a standing offer is different from a contract, per se.
Thank you, Mr. Chair, for the question.
A standing offer is essentially a pre-qualified tool where multiple suppliers have been selected to provide goods or services at predetermined prices under established or set terms and conditions. A standing offer is actually not a contract. There is no obligation on the part of the Government of Canada to procure anything using a standing offer. In fact, a contract is only entered into when the Government of Canada issues what is referred to as a “call-up” to the supplier. A call-up is basically an order for a certain amount of goods or services in accordance with the terms of the standing offer.
Until such time as a call-up is offered, there is no obligation on the part of the Government of Canada with regard to that procurement instrument.
[Translation]
Thank you very much.
I paid close attention to what you were saying, and I understand that the standing offer had no security-related requirements, as it concerned equipment that would be used for visitors.
However, we now agree that we don't need a large piece of equipment to listen to everything that is happening and is being said within a company, especially embassies, which are, after all, pretty hot information spots.
That said, the Border Services Agency has awarded five contracts to Nuctech since 2017, despite the fact that the company was convicted of dumping in 2010. The company has a history of corruption in Namibia, and it has already used honey traps repeatedly to indirectly attract investors. In 2017, it was forced to collaborate with the Chinese intelligence service, like every other Chinese company.
Despite all this, it was been awarded five contracts since 2017 and is now being given access to a standing offer. I would like to understand how a company with such a background can be seriously considered for a standing offer.
That is beyond comprehension, and I really want to understand.
Good afternoon.
Thank you for your question.
I don't know whether the question is for the representatives of Public Services and Procurement Canada, but I will answer it anyway.
As mentioned earlier, since there was no security-related requirement to move forward, the procurement process used to award the standing offer retained Nuctech, one of the companies that submitted a bid, as one that met all the requirements. As far as procurement goes, we carried out an assessment through the integrated program and, as the company was not flagged in that respect, it was eligible to receive the standing offer.
So, if I understand correctly, Mr. Ieraci, despite that history of dumping, bribes and honey traps, there was no note anywhere in the entire government to indicate that this company may not be a good candidate.
No light went off anywhere when the company ended up among the lowest bidders with such a history of dumping?
I am not putting the blame on officials. I really want that to be clear. I want to improve the process, and I want our security to be ensured.
So despite this company's entire history, no red light went off. No one noticed the fact that the company was still on our lists and should no longer be there because it cannot be trusted.
How did that happen?
Thank you for the question.
Yes, we all want to improve systems and ways of doing things to protect Canadians' security.
Issues had been raised about Nuctech, and we had information on that company. Unfortunately, in terms of procurement, we had limited options to award the standing offer, since the company has shown that it met all the requirements. That is one of the areas we are currently looking into with our colleagues from other departments to determine whether there is a way to reduce risks.
That said, as I mentioned earlier, at the beginning of a procurement process, we cannot know what company will win it. So one of the ways used to reduce risk is to properly determine the security level at the outset of the process.
Okay.
So it is a matter of properly establishing the security level, and Nuctech met that level. So there is no continuity with....
[English]
[Translation]
Okay.
At Nuctech, and I suppose at other businesses, as well, there have been cases of dumping, and there is suspicion that the company received subsidies from its government to enable that.
Does PSPC have a process to determine whether a company has received subsidies from a foreign government that help it slip through the net?
Thank you for your question.
We are looking into the issue of government subsidies when it comes to many countries. That is often a point of friction with countries, not only with China, but also with other countries such as the United States or European countries. Different definitions of what is considered an acceptable subsidy or not are things we are looking into closely.
To tell you the truth, this is a fairly complex area, since countries have found numerous and various ways to subsidize companies. That is something we are looking into closely, and foreign countries subsidizing national industries is an issue almost every country in the world is facing.
[English]
Thank you very much, Mr. Chair.
What's most interesting to note is that we seem to be back at square one when it comes to procurement, now that Global Affairs has decided not to avail itself of the standing offer. It leads me to ask the question of whether somebody at either Global Affairs or PSPC clearly didn't do their homework ahead of time. They would have gone ahead with purchasing from Nuctech if the media hadn't broken the story.
Whose responsibility was it to do the homework on this?
Mr. Chair, I think that's a good question.
The assessment started with Global Affairs. Global Affairs assessed this procurement in a way that complied with policy. The procurement started without us requesting a national security exemption. Now, whether or not a national security exemption would have led us to a different outcome is another question. I can't speculate whether it would have.
It does start with the assessment, at the beginning, of whether or not this conformed with policy. For whatever reason, it was the paradigm at the time. Those two questions, once they were answered, were deemed sufficient to go ahead with the procurement that resulted in Nuctech getting the standing offer.
On review, we stopped it.
Maybe you can help me through this. It might be more appropriate for PSPC, because with PSPC, pursuant to the ineligibility and suspension policy, they may sometimes deem a company ineligible or suspend it from entering into certain contracts if it's engaged in specified offences within specified time frames. The policy may also apply to a company—or in some cases its subsidiary—that was convicted of similar offences in the past three years in a jurisdiction other than Canada.
Once you brought on Deloitte and you did your review.... Maybe this is for PSPC. I don't know. Has Nuctech or its subsidiaries been convicted of offences specified in the ineligibility and suspension policy or of similar offences in a jurisdiction other than Canada within the past three years?
Thank you, Mr. Chair.
I believe the answer to that question is no. I will turn to my colleague, Catherine Poulin, to get confirmation.
You are right; the answer is no. We are aware of the allegation, but we haven't found any charges nor convictions associated with those behaviours listed in the policy.
Subsequent—
How would you go about investigating whether bidders have been convicted of offences specified by this policy?
We do some verification. Throughout those verifications, we haven't found any charges nor convictions under one of the offences listed in the policy. Consequently, Nuctech has been found not to be ineligible to be awarded that contract.
Okay.
We talked a little bit about subsidies. There's been an ongoing debate about China's role in the world. There's been a lot of red-baiting and a lot of really problematic framings around China, particularly from some of my Conservative colleagues who have a new-found disdain for the way that they run their economy.
Through you, Mr. Chair, would anybody care to comment on Canada's obligations as it relates to FIPA in allowing for broad bidding from countries like China? I'm hearing in some of the rhetoric that they should automatically be excluded from bidding on contracts, yet it was our Conservative friends who entered us into a 30 year-plus contract.
It would probably be PSPC. We are in a global trade agreement. I'm hearing a lot of really derogatory comments as it relates to China and its essentially state-run capitalism, yet it doesn't seem to be the same frame that was used not too long ago when the Conservative government entered into a long and ironclad agreement with China.
What would it cost us to try to end any kind of bidding processes from the People's Republic of China under FIPA?
Thank you for the question, Mr. Chair.
I'll admit that I'm not very familiar with FIPA. I will say that we have obligations in terms of trade agreements with numerous countries around the world, including with the World Trade Organization. Our approach in terms of procurement has been that unless there are specific needs or requirements, particularly in the area of security, our default is to open federal procurements to the international community.
I can't quantify what the cost would be. What I can tell you is this. Companies that are not happy with the way that procurement is done have the option of turning either to the Canadian International Trade Tribunal or to the federal courts in instances where we undertake procurements that are not aligned with our legal obligations or with our trade obligations.
Again, taking the subject matter of Nuctech and setting the personal opinions on it aside, when you talk about subsidies, how would state subsidies in a company like Nuctech differ from the subsidies we provide to, say, oil and gas?
I'm not sure we could answer that question. I think the issue of subsidies is a fairly complex one.
As I was mentioning, I think a lot of different countries use a lot of different approaches or mechanisms to be able to support domestic industries, which are the subject of ongoing discussions at the World Trade Organization and other international fora.
Thank you for the contribution.
I will note that I'm still having some audio troubles with the feedback and the echoes.
Thank you, Mr. Green. We're trying to keep an eye on that.
Ms. Poulin, if you have to speak again, could you move your microphone up just a touch? That might be helpful. Thank you.
We're now going into our second round, and we'll go to Mr. McCauley.
Mr. McCauley, you have five minutes.
Thanks, Mr. Chair.
Thank you, witnesses.
I have to ask, why was a national security exemption not used for this? We've seen the government use it for paperclips, photocopy paper, jackets. Why not use it for something as vital as this?
Mr. Chair, I think that gets to the heart of this question here. It wasn't, because we applied the tests we've always applied when we've bought equipment that doesn't plug into our network. It—
They just didn't consider it a security issue.
Okay, I'm going to move over to CSE. How would Nuctech have received a security clearance?
Anyone can answer that.
Thank you for the question, Mr. Chair.
I think that would be more appropriately answered by the industrial security folks at PSPC, as CSE is not actually involved in that.
Okay, Mr. Ieraci, how would a company that's owned by the Communist Party—it's a state-owned company—have received a security clearance?
Very quickly, we did not clear that company. We clear the industrial security sector, and contract security program clears Canadian companies. Nuctech does not hold a security clearance with the Government of Canada.
Oh, I thought I heard Mr. Danagher say that they passed a security clearance.
Would something like this not require a security clearance on such a bid?
As others have noted, our services in the contract security program are triggered when a security requirement is identified for a procurement. In this particular case—
I find this whole thing stupefying. Something like this being overlooked and overlooked and overlooked is mind-boggling.
The CSE just came out with their cyber-threat assessment report—I think it was today—highlighting a lot of issues with state-owned actors, naming China and Russia for the first time.
How could the information that would have been gained from this equipment been gathered from our embassies and the CSE not have a concern about this?
Thank you for the question, Mr. Chair.
Normally a supply chain integrity assessment, which is what CSE would perform in support of a department making a risk-based decision on a procurement for a piece of technology like this—
Sorry, maybe I didn't ask the right question.
Your threat assessment report came out today, specifically naming China for the first time and state-sponsored actors attempting cyber-threats. What kind of information could such state-sponsored actors gather from our embassies from this equipment? Do you share the lack of concern that seems to be coming from Global Affairs and PSPC?
To be honest, sir, I think the nature of the X-ray machines over time has evolved such that they are becoming more of interest.
But this is not about the nature or the past. This is about the exact machines that the Government of Canada decided we were going to okay for our embassies.
Understood, sir, and this is exactly why we're working together now to identify this and other types of equipment that perhaps should be flagged in future under procurement activities, because the nature of the technology has evolved such that it could gather information that could be of risk to Canada, even though—
Again, we only perform these assessments when we're approached by a department that's making the acquisition, because it is the risk-based decision of the department making the acquisition.
How do we stop this from happening again? Does it start with Global Affairs asking you if they can bring state-owned Chinese equipment into our embassies?
The way this changes in the future is for them to ask us whether the types of equipment they're looking at should be assessed for supply chain integrity, in which case we would look at ownership as one of the three prongs of things that are assessed.
Thank you, Mr. Chair.
Thanks to all the witnesses for taking the time on this important issue.
I want to get back to Global Affairs, but I'd love to hear from CBSA because I know they're also big purchasers of scanners as well. I'm not sure if I have the right folks to answer this—Mr. Harris or Ms. Zafar—but does CBSA invoke the national security exemption clause or have higher security requirements when they buy similar technology?
Thank you. I'll just check the sound. I was having technical issues, so I will try to speak slowly for the benefit of the interpreters.
To date, in our X-ray detection procurement, we have not invoked the national security exemption for that purpose. As has been noted by my colleagues at GAC and Public Services and Procurement Canada, we do a review of the security requirements under the contract security policy.
As X-ray equipment does not handle sensitive or technical information in our context, it hasn't to date risen to the bar that would trigger enhanced security in that space, and as a result we do procure X-ray technology from a number of different companies, including from Nuctech.
Again, depending on where this similar technology would be installed, would the person installing that technology require a security clearance to install this at the border or anywhere else? I'm not sure if you deal with the company itself or with a subcontractor.
Yes, absolutely, we have a number of mitigating interventions that we put in place around this technology. As I said, one of the first ones is obviously to keep it disconnected from our networks and from any Government of Canada networks. This retains its integrity as a tool that can support our border officers' work in terms of secondary examinations.
As you mentioned, the second is the fact that anyone affiliated with any of our suppliers would be screened through security processes and would be escorted on site if they were present in our facilities.
I'd love to get back to Global Affairs on this.
Again, if we take Nuctech for example, if the company had been successful and were to install in the embassies, does GAC require those who would install that particular technology in our embassies to have security clearance? I know X-ray is not exactly top-notch technology. There are some out there, and we can find them in some places where civilians often operate, but I'm just wondering, for general purposes, for this committee.
In the past, no, we haven't required that, partly because any service personnel would be accompanied by security personnel at Global Affairs Canada watching everything they do. That is changing, moving forward. Understanding that we have 178 locations around the world, servicing can get very expensive, but it's an expense that we will be incurring as we move forward.
Okay.
To PSPC, I know that normally there would be...when security requirements are triggered, but is there a second process where PSPC would advise the client department that, for example, we've seen other departments procure similar technology, and perhaps you may want to invoke the NSE? Does that sort of interaction happen with the client departments?
Yes, that interaction happens with the client departments. That interaction happens primarily at the beginning of the process. The decision to invoke a national security exemption is taken early on in the procurement process. If a national security exemption is triggered, what that means is that we set aside all or part of that procurement from our obligation in a trade agreement. That needs to be determined early on.
When our client departments raise requisitions with us in terms of what they need from a good or service perspective, our procurement officers have conversations with them in terms of potentially the best way forward, while recognizing that in most instances our client departments obviously know their operating environment much better than we would.
[Translation]
Thank you very much.
VOTI Detection, a company set up in Montreal, bid unsuccessfully in the standing offer process. Here is what its president and CEO told the media:
Even though the contract did not stipulate the walkthrough X-ray machines be connected to embassy networks...hard drives will be accessible, and data downloadable when the machines are serviced.
How accurate is that statement?
My question is for Ms. Mullen from the Communications Security Establishment.
[English]
I will do my best to answer that. Normally, we have to take all of the surrounding details of a particular deployment into account when we explain something like this.
Typically speaking, in the more recent versions of equipment like this, they are starting to emerge now with embedded hard drives and USB ports that can be used for maintenance purposes for uploading and downloading data and software updates and that sort of thing. In the truest sense of the word, those would indeed give vectors for something like that to be done with malicious intent.
[Translation]
Okay.
So it is in fact possible to access embassies' hard drives while the machines are being serviced.
Did I understand correctly?
[English]
I believe our colleague from Global Affairs said that their practice is to have any maintenance workers escorted by embassy staff, in which case that would be observable behaviour. I will leave it to him to weigh in on that.
That's exactly correct. Yes, we would see if that was happening and whether or not it would pose a risk. We are obviously going to look at that, moving forward. Our new approach will correct and minimize that risk.
[Translation]
Aside from having an escort during the servicing, how possible is it to manage those kinds of disks remotely?
[English]
I can't speculate as to how possible that would be. We don't want that to happen, so our procedures moving forward will prevent that from happening.
Thank you very much.
I'm going to ask a very pointed question, and please forgive me if this comes off as terse.
In 2018, there was an Auditor General's report on the physical security of Canadian missions abroad. The AG report concluded that overall Global Affairs Canada had not taken all measures needed to keep pace with the evolving security threats at its missions abroad. The department had identified security deficiencies that needed immediate attention at many of its missions. Many of these deficiencies were significant, and several had been identified years ago, yet not all of the recommended measures to address these security deficiencies were in place. These measures included improved video surveillance, alarms, and the installation of vehicle barriers at entrances.
The report found that most of the department's capital projects to upgrade security were at least three years behind schedule, usually because of the weakness in the department's project management and oversight. The physical security measures at any mission did not always match the levels of threat it was under. For example, one mission in a high-threat environment had no X-ray machine for visitor screening.
Two years ago, the AG reported that Global Affairs was already at least three years behind schedule. Now we're at the five-year mark and counting, and we still don't have a contract to purchase this necessary equipment. This lack of adequate or appropriate security equipment means that the safety of Canadian diplomats abroad, and of the local country staff, is still at risk.
How can you justify these delays? What do you have to say to the diplomats and their families who still don't have the equipment they need?
Excuse me just for a second, Mr. Danagher.
Maybe we could get you to unplug your mike and maybe just lean forward and talk into your computer a little bit closer, and we'll see if that works a little bit better. There are still some issues with the interpretation, so we'll just check it. If that doesn't work, we'll have you go back to the way you've been doing it.
We'll try it and see.
Thank you very much.
Mr. Green, I did stop the clock for you, so we'll give you time to answer.
We do take very seriously the security of our personnel around the world. Obviously it's a major challenge keeping 178 missions around the world with the latest equipment. I can assure you that where we need X-ray equipment right now, the missions have it. For the one mission at which the auditors found that there wasn't an X-ray machine working, that was because on that day it was unplugged and being serviced, but a manual bag search was in place to keep our people safe. Every time equipment is being serviced or it fails, we have a manual process in place to keep our people safe. It is absolutely my top priority. We have taken very seriously the Auditor General's recommendations, and we've made enormous strides.
Thank you.
[Translation]
Thank you, Mr. Chair.
Since the beginning of our meeting, we have been watching a baseball match: everyone is throwing each other the ball.
I want to be very clear with all the participants. First, we have a report from the Library of Parliament that confirms that Nuctech is controlled by the Chinese communist regime.
Second, I don't know how the equipment assessment was carried out by Deloitte, but I can confirm that the machine does not meet the requirements of ISO/IEC 27001:2013 or of the NIST Cybersecurity Framework. In addition, the machine's operating system is not even supported anymore. So it is very vulnerable in terms of security.
Third, before we talk about the contract that was soon to be awarded for that equipment for our embassies, let's mention that the Canada Border Services Agency has acquired five pieces of equipment. During testimony, we heard that the situation concerning embassy equipment was not very serious, as there was no connection and we could rely on equipment purchased from Nuctech this year. The Border Services Agency is talking about communication equipment with images, video, cabling and components.
I served in the Canadian Armed Forces for 22 years, and I have sat on the House of Commons Standing Committee on Public Safety and National Security. I have never seen this kind of a security breach situation. This is not about politics; this is really about the public. Our government is dealing with a company that is problematic in terms of national security despite our security agencies' reports confirming that China and Russia are countries that are dangerous for computer security.
Could I get a clear, straightforward and precise answer, as well as confirmation that the Government of Canada will immediately stop dealing with Nuctech?
Thank you for the question.
If your question is about whether we will stop doing business with that specific company, I would like to tell you that the answer is yes. Currently, based on the standards, rules and approaches we use or the legislation, I cannot guarantee or tell you that will be the case.
Okay.
We'll conduct verifications. However, according to all the information, it's quite clear. If the Canadian legislation currently contains shortcomings, I urge my Liberal friends to work together to change the legislation. Canada's national interests must be protected. Sometimes, I get into petty politics, but I'm not doing this right now. This is an important security issue.
I also understand that the organizations have their own work to do. At some point, it gets so complicated that the right hand no longer knows what the left hand is doing. We're experiencing this situation to some extent.
The Global Affairs Canada assessment went to Public Services and Procurement Canada. The security issue wasn't raised. As a result, there was no security investigation. This isn't working. Let's take note of this at the committee.
I'll now give the floor to Mr. Lloyd or Mr. McCauley.
[English]
I think I'm taking it, Mr. Paul-Hus.
Ms. Mullen, it sounds like some of these security issues are going ahead without CSE's knowledge. How do we change that so that the CSE has input into this, because it's obviously valuable input?
You've identified Russia and China, for example, as state-sponsored threats to Canada in the report that came out today. Should we ever be allowing their tech, their state-owned tech, to be in any Government of Canada operations?
No, it's okay.
The CSE is not a regulatory agency, so it does not endorse or ban specific technologies or specific companies. However, I think, more importantly, the first part of your question gets to the heart of the matter: How do we ensure that departments and agencies know when to come to the CSE to have it do its assessment, one part of which, in this case, is looking at the ownership and the business practices of the entity in question?
I think that's exactly what I was getting at earlier when I said that, because technology is evolving, things we didn't use to look at we now should start looking at because capabilities with embedded operating systems and USB ports that didn't use to exist in X-ray machines now do.
I think that's really the biggest step that those of us here as witnesses today are working on together: to add into the procurement process flags that come up when equipment that falls into these particular categories is being acquired so that the departments making the acquisitions know to reach out to the CSE.
Thank you, Mr. Chair.
Thank you to the witnesses.
I'd actually like to continue on the same thought process.
A lot of my colleagues have covered various aspects of the process and the way it was granted, the lack of review or the limited scope of the review that was done. I was really intrigued by the response that PSPC provided when asked if it would work with Nuctech again. The answer was that you don't know about the future, but that given what the rules and regulations are today, you have to—if my understanding is correct because I'm quoting you.
What changes to the rules and regulations do we need to put in place? I think Madame Mullen already talked about some of the elements of the process that could be enhanced, regardless and independent of the rules and legislation. I found that very interesting.
I'm going to go back to PSPC. Can you talk about where we have to strengthen the rules and where we have to strengthen legislation to make sure that we don't run into a situation like this again?
Thank you, Mr. Chair, for the question.
As quick background, the question that I was responding to was whether I could guarantee that we will never do business with Nuctech moving forward. In my brief response to that, I indicated that I can't provide the guarantee that that will never occur.
As I indicated before, when we undertake a procurement process, we don't know in advance who is going to be the winning bidder, the winning company, so there's always the potential that a company, state-owned or otherwise, may be successful in undertaking the procurement.
As was indicated by Ms. Mullen, there is work being done to be able to identify commodities that may be at higher risk of vulnerabilities moving forward, where we need to ensure that we have the appropriate security approaches or mechanisms to decrease the potential risk.
If the question is whether we want to limit or exclude a specific company or exclude, for example, a country or geographic region, I don't know what that would mean in terms of having to make changes to the current procurement process. I can't point to a specific rule, but chances are that that would be something that would be fairly broad in terms of an approach.
Thank you.
You mentioned that during the RFP there were 63 technical requirements, and then for whoever passed those technical requirement the second element came into it, which was the lowest price.
If my notes are correct, there were seven responses to the RFP and of those there were three that qualified, that met those 63, and then Nuctech was the lowest price.
Are you in a position to be able to share the gap between the price that Nuctech provided and the price that the other two provided?
Thank you, Mr. Chair, for the question.
I actually don't have that information with me. If it's possible, we could provide that to the committee.
I would appreciate that.
Are any of the other two that were short-listed Canadian companies? I'd really like to think that we have some Canadian companies that build conveyer-style X-ray and walk-through X-ray machines. Were any of the other two Canadian companies, by any chance?
I don't know of the other two that met all 63. What I can say is that, of the seven companies that submitted bids—obviously one of them was Nuctech, which is from China—the remaining six companies were either from the U.K., Canada or the U.S.
Okay.
I have a little bit of a technical question just for my clarification. When you put a standing offer, what is the typical dollar value that's attached to that standing offer?
Technically, a standing offer has a dollar value of zero. In our systems, we actually need to put in a dollar amount, so our procurement officers will tend to put $1.
In request for standing offers, there are times when we will give an estimated value of what we anticipate could be the potential call-up value of all the call-ups that would be issued.
So the $6.8 million is your estimated value of the contract, or was it actually what Nuctech's bid came in at?
No, that was.... The standing offer has no dollar value associated with it, so the total cost would depend on what call-ups are issued and how much equipment, in this case, would have been procured or could have been procured.
The $6.8 million, I assume, would have been an estimate in terms of what a potential value would have been, because as I indicated there's no obligation on the part of the Government of Canada with regard to these.
Thank you, Mr. Ieraci and thank you, Mr. Jowhari. We've come to the end of our first hour.
We are now going to enter our second hour.
We will start with six minutes with Mr. McCauley.
Thanks very much.
Mr. Ieraci, Nuctech was awarded the standing offer. There were two different items. Did they receive the standing offer for both the X-ray machine and the other item, or just the one?
Did anyone else receive the standing offer award, so to speak, for that specific item that Nuctech received for, or was it only for Nuctech?
To Nuctech.
What would have happened if Global Affairs had come out and said, okay, we're going to go ahead and buy? Would it automatically go to the existing standing offer or would it go to another competitive bid?
In a scenario where a standing offer is in place and the department wants to issue a call-up against that standing offer, they would issue the call-up to the company that—
So it would have gone to Nuctech. The process that PSPC ran would have led to Global Affairs buying from Nuctech and no one else.
Yes, exactly. A bit of the push-back seems to be that, oh, it's only a standing offer, so it's no big deal. They in fact basically won the right—the only one, the only company—to sell that to us. There wasn't a contract, but the narrative should be “They did not get the contract yet”, because if the media had not brought this up and this hadn't exploded, they would have received the contract. Am I correct?
If call-ups had been issued against the standing offer, yes, those call-ups would have been given contracts.
There's a comment that was in the media. I'm going to read it out:
For Global Affairs to proceed when China has been implicated in a systemic campaign of cyber-espionage against Canada, while former diplomats are being held hostage and tortured in Chinese prisons, is unintelligible.
Do you agree with that? I'm sitting here and I'm dumbfounded that this could have possibly happened. I accept Ms. Mullen's point that technology has been changing, but a five-year-old would know that I'm not going to bring a piece of Chinese technology that's owned by the Chinese Communist Party into Canadian property where they could have a Wi-Fi signal sending out, collecting information and where their workers could come in and put in a USB drive.
Do you agree with the assessment that it's “unintelligible” that this could have happened? What do we need to change to ensure this never happens again so that we're not sitting here and saying that technology has changed or that we didn't think of putting an NSE on it?
I'm sorry for sounding so critical, but good Lord.
Thank you, Mr. Chair, for the question.
I can't obviously—and my position doesn't make me an authority to—answer all aspects of Canada-China relations.
I can speak to this acquisition and the fact that it's very, very important for us to have reliable, trusted companies providing us this type of equipment. We are a learning organization. We'll learn from whoever brings items like this to our attention. In this instance, we conducted I would say a responsible review, and we've taken the correct action moving forward.
You say “a responsible review”.
We all know. We saw what Huawei did to Nortel. We see the costs taxpayers are bearing to clean out the old Nortel building of bugs placed by that state before DND comes in. It is not a secret that the Chinese state is an adversary to us. How is it possible that we could have made a decision that overlooked the fact that a Chinese Communist state-owned company was putting technology into our embassies?
I'm sorry. It's not a learning experience. We all know this. How is it possible? What other examples are there that possibly are happening that we're not aware of and that are compromising Canadian security or embassy security or financial or commercial secrets?
Thank you again for the question.
I think the question gets to the heart of the Deloitte report, which is not anti-Nuctech or anti-China. It is pro-security, and it forced us to re-examine our paradigm. You may not like the answer, but that is the way forward for us. It's to make these decisions based on a more rigorous security assessment than we've done for this type of equipment in the past.
Should we automatically use an NSE for security equipment, then, for Global Affairs, so that we don't run into this?
We did request and we have an NSE for all of the equipment in our security and high-security zones in our missions around the world. This is equipment that, as I said, was in the public access zone and was assessed probably in a more naive era of looking at this type of equipment. As my colleague at the CSE points out, the technology changes very rapidly and we are now aware of risks that we weren't aware of previously.
Thank you, Mr. McCauley.
Thank you, Mr. Danagher.
We will now go to Mr. Kusmierczyk for six minutes.
Thank you very much, Chair.
I really do appreciate the discussion we've been having today. It's a fascinating conversation, in essence, about how we manage risk and how we balance that with balancing the tens of billions of dollars in trade that takes place between our two countries. This is really an interesting discussion.
I bet many of us wish that our own BlackBerry company was in the business of making X-ray machines. We know that it's a Canadian company that is well trusted. If only they made those machines....
I do have a question about the Canadian International Trade Tribunal, which issued a determination on October 26 following a complaint that they received from a potential supplier. I guess this is a question for PSPC.
I want to get a sense of what the basis of the tribunal's involvement was in this procurement process. Was it security or was it something else?
Thank you, Mr. Chair, for the question.
Obviously, I'm not an expert on the Canadian International Trade Tribunal, so I'll share the information that's publicly available.
A complaint was filed with the tribunal with regard to the request for standing offers, both elements of it: group 1, which was for the X-ray machines, as well as group 2, which was for walk-through metal detectors. The Canadian International Trade Tribunal is the vehicle, the remedy or the place where companies can go if they have concerns with regard to the way that a procurement was undertaken.
A complaint was filed with the Canadian International Trade Tribunal. It was accepted for review. The tribunal undertook their review and issued their rulings. In essence, it basically found that the evaluations undertaken by Public Services and Procurement Canada were reasonable. Basically, the way I would put it is that they found in favour of the Crown, so the complaint that was raised was not upheld—if that's the appropriate term.
I understand that you mentioned that you're not an expert in the work of the CITT, but I'm just wondering what PSPC's role is in the complaint review process. Does PSPC come forward as a witness in any way, share documents? I'm just curious about what that relationship is between the CITT and PSPC.
When a complaint is filed with the Canadian International Trade Tribunal, the complainant provides their rationale for the concern that they are raising with regard to the procurement that was undertaken. If PSPC is the procuring organization, then as part of the CITT's process we're given the opportunity to provide what I believe is called an institutional response, which is basically our explanation of what happened in terms of the procurement process, in order to provide the tribunal with information on the procurement.
The information that we provide as a department, as well as the information that's provided by the complainant, I would assume, is reviewed by the tribunal, and then they issue determinations.
The report that we received, the briefing, indicated that the CITT has not yet made its reasons for its determination public. Do you have a sense of when that will come forward?
My understanding is that it occurred within the last day or two. The rationale or the explanation for the CITT's determinations is usually made available on their website, and my understanding is that it has happened within the last day or two, but I don't have the specific date.
Okay, that's terrific.
PSPC was awarded costs as a result of this determination. Does that happen frequently? Is that a regular occurrence or is this a unique happenstance?
That's a good question. I can't speak to the regularity of it. Representatives from the tribunal might be able to explain this better.
My understanding is that in instances where the tribunal finds in favour of either the company that's filing the complaint or of the federal contracting department that is responding, part of their mechanism or part of their process is to award costs. They have a specific cost structure. To put it in perspective, if memory serves me correctly, I think it's $575, or something like that. I think that has to do with the Canadian International Trade Tribunal regulations, which mandate or oversee the way the tribunal operates.
Okay. I'm sure the cost is there to make sure there are no excessive or egregious cases that are brought before it. I'm sure it serves a little bit as a deterrent for vexatious complaints being brought forward.
This is a question for PSPC. What are we doing to support Canadian businesses to take advantage of the procurement process?
Thank you very much for the question.
I was the director general with the office of small and medium enterprises. Public Services and Procurement Canada is doing a number of things, but in the interest of time I'll only highlight two of them.
The office of small and medium enterprises exists to help Canadian companies to understand the federal procurement process, to be able to find opportunities that exist on the Buyandsell website, and to be able to get assistance in terms of understanding the federal procurement process. Public Services and Procurement Canada has regional offices across Canada where Canadian companies can avail themselves of the services of the office of small and medium enterprises, in order to be able to help them participate in federal procurement.
In the interest of time, that's the one I will highlight specifically.
[Translation]
Thank you, Mr. Chair.
As always, I'll begin by greeting you, my fellow colleagues.
I also want to acknowledge the witnesses and thank them for participating in this meeting. Today we're discussing the Nuctech security equipment contract, an issue that I consider very important.
I'll first turn to the witnesses from the Canada Border Services Agency.
Will the agency review its current contracts with Nuctech in light of the concerns raised regarding the standing offer for security screening equipment? In particular, does CBSA have any concerns with respect to the equipment provided by Nuctech?
[English]
Thank you very much for the question.
We have done a review of the equipment that we have in operation from Nuctech and we looked at the contracts that have been fulfilled in this space. We have leaned into our colleagues at CSE and elsewhere to gather their expertise to make sure we have done that.
We have satisfied ourselves that we have had no security breaches or incidents of concern with this equipment to date. We are looking forward to strengthening the contracting regime around this. For example, we are working with our partners in Public Safety and at Procurement Canada, and public safety more broadly, to enhance the contracting security guidelines to ensure that transportation technology—more specifically X-ray detection equipment in the port of entry space—is considered within that policy.
We will be looking to move forward with a national security exemption for our operations in this space. Equally, we are looking to accelerate our life cycling on this to ensure that we can move forward with ensuring that any new equipment or any equipment we have in operation meets those new security guidelines.
I will add that in the meantime, we have obviously reviewed our mitigation strategies, which I mentioned earlier. As you can never fully eliminate risk, it's important for us to ensure we have the right operational procedures, departmental security procedures and tools in place for our staff, so we can mitigate any residual risks that may be there.
[Translation]
Thank you for the information, Mr. Harris.
I'll ask a slightly longer question this time. The information is very important. Feel free to let me know whether you want me to repeat anything afterwards.
My question is for the Canada Border Services Agency representatives.
In November 2019, CBSA awarded a contract worth $2,378,062 to Nuctech. The contract is related to a tender notice issued by Public Services and Procurement Canada on behalf of CBSA for the acquisition of a medium-footprint mobile large-scale imaging system for use at the Emerson, Manitoba port of entry to enable the non-intrusive inspection of large objects, such as marine containers, transport trucks and passenger vehicles, using high energy X-rays.
According to the request for proposals, the required delivery date was March 31, 2020, and the contract would include an option to purchase five additional systems along with additional licence warranties. The competitive procurement strategy was the best overall proposal. There were no security requirements for the contract.
My questions are as follows:
Did Nuctech provide the mobile large-scale imaging system to CBSA by March 31, 2020?
Is this system currently in use at the Emerson, Manitoba port of entry?
[English]
Thank you for the question.
It was not provided to us prior to March 2020, but we have received that equipment. It is not in Emerson, but it is elsewhere. It is not currently in use. It is what is referred to as a mobile large-scale imaging device. It is meant to scan large commercial pallets. It is mobile, so it can be deployed as needed. As I said, on a go-forward basis we're looking at our life cycling of this in light of the new security requirements that we are moving forward with.
[Translation]
Thank you for the clarifications, Mr. Harris.
Does CBSA plan to acquire additional systems from Nuctech by March 31, 2025?
[English]
Acquire more X-ray detection equipment...? Just to clarify, do you mean more broadly or are you specifically again referring to Nuctech equipment?
[Translation]
Regardless of the equipment, do you plan to acquire additional systems from Nuctech for the Canada Border Services Agency by March 31, 2025?
[English]
It's my understanding that our current contracts are fulfilled, so any new equipment that we acquire on a go-forward basis will be acquired under the new guidelines for contract security.
[Translation]
[English]
At the time, under the contract security policy, as I mentioned earlier.... The review process is done to determine what type of information this equipment handles, whether it's secure personal or protected or classified information, and whether it's connected to a government network in any way so as to introduce risk in that space.
X-ray detection equipment in the port of entry environment does not do any of those things. It is a supplementary tool that is used by staff. It is not connected to our networks and it does not hold classified or secure information and therefore does not trigger under the procurement policy the need for the enhanced security requirements that we are now talking about.
[Translation]
Thank you, Mr. Blanchette-Joncas.
[English]
We will now go to Mr. Green for six minutes.
Go ahead, please.
Thank you very much, Mr. Chair.
I have found this committee to be intriguing. Of course, it's a little bit of a departure from some of our previous conversations. It seems as though one of the themes we've had throughout OGGO has been PSPC's reliance on Deloitte. Can you please just refresh my memory as to exactly what Deloitte's role was in their report?
Mr. Chair, that's probably more of a question for Global Affairs Canada. It was my choice to go to Deloitte for this review. My view—and I think you would understand this—is that I wanted this review done outside of my department by people who weren't involved in the original decision to assess the technical security requirements. I have to say, I have really good people. I have engineers who are really seized with security. They applied the paradigm of the policies that were in place, and in the public service often policies have the weight of gold. What Deloitte did was to give us a recommendation that would help us break that paradigm. That was their role.
Is this a case of an emperor who wears no clothes? I feel like we ought to have the mechanisms within our public service to be able to provide that, without prejudice, and sometimes maybe even counter to policy, although I know it's not your job to make policy recommendations. It just strikes me that we have Deloitte now reporting back, and I'm wondering where the gap is between our public service and their ability, and maybe even within other departments.
We hear, through you Mr. Chair, Liberals love to use the language of whole-of-government approach, but where was procurement on this? Why do we not have checks and balances in place within procurement to ensure that these needs are met?
If I could, Mr. Chair, I'll respond on behalf of Global Affairs on this one.
Global Affairs does have a procurement team, so we have some insight into procurement here, although this was done by PSPC on our behalf. Employees often don't feel empowered to challenge policy—I'm saying this as a public servant of almost 40 years—especially at the levels where these decisions and these reviews are made, and they, again, do yeoman's work. They're bright people, hard-working people, and they apply what they apply at the time. They follow the paradigm that is dictated often by policy, and they did a great job of applying the policy.
What we were able to do with the Deloitte report and our subsequent conversations with the CSE and others, is to say that there's a different way to look at this equipment. We're going to be buying this for 10 to 15 years. We need to future-proof this against future threats, which we cannot anticipate right now. We need to look at this differently, not at the present with the policies that exist, but looking forward. Deloitte helped us do that.
I appreciate the support for staff, and I believe that to be true. I appreciate your candour, but respectfully, what strikes me is that we don't have within the national security framework a whole-of-government approach across all departments, a substantive whistleblower framework through which people who believe our national security could potentially be at risk—contrary to the lack sometimes of collective wisdom that we have as legislatures—would be able to contact our security establishment or the RCMP or the CBSA, or have some kind of way to draw a red flag to say that, contrary to public policy, this needs greater scrutiny when it comes to national security. We're not talking about staplers, and we're not talking about printers or papers. We're talking about our national security and diplomats all around the world.
I'll leave with these last two questions. I think they're important ones because we want to move forward and we want to make sure that we do the right thing in this committee.
When will the Deloitte report be made public? What are the next steps for procurement of this equipment?
It's a final draft right now. We're moving to make it final by the end of the week or early next week, and we can share it with the committee at that time. I'll be happy to do so.
As for what we're doing moving forward, we're already in conversations with public servants in procurement about a replacement standing offer for our X-ray equipment and the metal-detection equipment that we have, the walk-through equipment we have around the world, so that process is starting. We're starting by changing the technical specifications so that they won't be published widely going forward. Those are two really important steps that we're taking.
Just to be clear, it was PSPC that did the procurement on your behalf. Is that what I heard in one of your earlier answers?
Then would somebody from PSPC maybe answer the question about why we needed to bring Deloitte in to report back on this, versus having a check and balance in place internal to our government?
The Deloitte review.... My understanding is that they took a look at the security posture of Global Affairs' missions and the equipment they would need within there, and not specifically on the procurement process.
Did anybody in your department raise a red flag to you as a senior manager, saying maybe this isn't right?
With regard to a potential national security threat, did any of your very learned procurement folks say that we should probably look at this more closely?
When we received the request from Global Affairs and it had no security implications, nobody raised it. I know there were conversations between Global Affairs and our procurement folks, but at the time the view was that there was no need for security—
Indeed. You can follow through with that.
We have now finished our first round and will go to our second round.
Mr. Paul-Hus, you have five minutes.
[Translation]
Thank you, Mr. Chair.
The witnesses here today are from the Department of Public Works and Government Services; the Department of Foreign Affairs, Trade and Development; and the Communications Security Establishment.
When this issue was raised, which ministers were informed and when?
For example, at the Department of Foreign Affairs, when was Minister Champagne informed of the issue?
[English]
I don't know exactly when my minister was informed, but it would be on or around the days just after the award of the standing offer. I think he was publicly questioned about it at the time and made pretty quick statements that he was instructing the department to conduct a review.
[Translation]
Mr. Ieraci, at Public Works, was the minister informed at the same time?
I can't tell you exactly when the minister was informed. However, once the information was released and Minister Champagne had discussed it, over the summer, I believe that she was informed.
When the ministers were informed, did they ask you to respond?
Did your bosses ask you directly to resolve the situation and get answers?
[English]
I can speak on behalf of Global Affairs. Yes, very, very quickly I was instructed to conduct the review, as discussed earlier.
[Translation]
Ms. Mullen, CSE is responsible for security. Have you been in contact with CSIS?
Has CSIS given you any reports or advice regarding the Nuctech situation?
[English]
Again, we were not actually approached by Global Affairs in support of this Nuctech standing offer that we're speaking about today. So my minister—
[Translation]
I'm talking about CSIS.
You represent CSE. I want to know whether CSIS contacted you regarding national security issues.
[English]
[Translation]
Okay.
I want to inform the committee members that, two years ago, the government introduced Bill C-59, a bill to clean up security issues. The bill was reviewed by the Standing Committee on Public Safety and National Security. However, I can see that it isn't working. We identified the problem with working in silos. We can now see that the various departments don't seem to be communicating with each other.
For the benefit of the committee, the enforcement of the National Security Act, 2017 should be quickly reviewed and changes should be made, as needed.
I'll give the rest of my speaking time to my colleague Mr. McCauley.
[English]
Ms. Mullen, could you just take a bit of time and tell us what we need to do, going forward, to protect our assets, our people, our data and everything, both overseas in embassies and within Canada, from such state-sponsored aggression, I guess, in dealing with state-owned enterprises?
Thank you for the question. It's a big one.
The technical aspects that CSE is normally seized with assessing are but one of the inputs into a question like that. As you're aware, there are geopolitical, economic and other considerations that need to be layered upon the technical advice and guidance that we offer in terms of supporting departments and agencies in making acquisition decisions and, frankly, making decisions on whom they partner with in the international realm going forward, so I think it's—
[Translation]
Thank you, Mr. Chair.
I'll try to give a recap.
There was a tender notice for a standing offer.
Mr. Ieraci, is that your understanding?
Nuctech was identified as the company with the best offer.
Yes. That's correct.
The standing offer for the supply of security screening equipment, X-ray machines, was awarded to Nuctech.
The standing offer was awarded to Nuctech once the procedure had been followed—it may be necessary to review the procedure or to discuss things that should have been reviewed—after all the boxes in a fairly typical procurement, in my opinion, had been ticked off.
Isn't that right?
Yes. All the bids received were assessed in accordance with the tender notice. As I said, there were 63 technical criteria, which were all reviewed. Three companies were considered eligible. We looked at the prices of the three companies that met the 63 requirements. Based on those prices, we awarded the standing offer.
I've now been in contact with Public Services and Procurement Canada officials for almost four years. In my experience, they're quite diligent when it comes to procurement for their department or for partner departments.
Isn't that right?
Yes. We take this very seriously. Assessments are conducted in partnership with our clients. Of course, the technical areas are established by our clients. They also review the bids from a technical standpoint. We conduct a secondary review to make sure that the bids were assessed in keeping with the requirements. We review everything once it's completed.
Although the procedure was followed to the letter and the company met the 63 criteria, when the standing offer comes out, a minister—Mr. Paul-Hus even asked the question— takes a look at it and asks Global Affairs Canada to review the contract because it doesn't necessarily pass the test. We have an embassy and a security apparatus, so everything is reviewed.
Do you find this normal? Can this be part of the procedure? Does this bother you too much?
Given the time constraints, I'll be brief. The standing offer doesn't create any obligations on the part of the federal government. Our client initiated a review of the offer to determine whether the supplier would meet their requirements. As my counterpart at Global Affairs Canada said, as soon as his officials have completed the report, they'll look at it with us in order to move forward with the procurement.
Mr. Ieraci, I have one last quick question for you.
I know where you're coming from. Public Services and Procurement Canada's policy is to encourage not only Canadian companies, but also SMEs to bid on these types of contracts.
Can you very quickly describe the many efforts made to ensure a Canadian presence in the bidding process?
As I said, the Office of Small and Medium Enterprises is there to help inform Canadian companies of tender notices or procurement opportunities.
We're also carrying out other work, for example, to change our procurement systems and move to a digital and electronic system. In addition, we're trying to simplify our procurement processes as much as possible to encourage SMEs to participate.
[English]
[Translation]
[English]
[Translation]
Thank you.
My question is for the Communications Security Establishment representative.
I spoke to you earlier about the communications possibilities during the maintenance of the walkthrough X-ray machines, for example, where very small things can lead to a great deal of information being transmitted.
In your opinion, how likely is it that Nuctech or a company with the same goals will have access to the data?
What would be the risk to Canada if this type of company, and China indirectly, had access to embassy data and our telecommunications data?
[English]
Thank you for the question, Mr. Chair.
I think the answer to your question really depends upon the sensitivity of the information that's going to be flowing through that machine. It will depend largely on where it's deployed, which is why typically when we do our assessment we have to do it in the context of an actual deployment, as opposed to a very general contract like this one, where it's not actually in the context of a deployment, but rather potentially for future acquisitions.
I think that's really where the crux of the matter is: where it's deployed, what the surrounding circumstances are, and specifically what type of information is going to transverse that product. That's going to determine the degree to which the risk is—
[Translation]
[English]
Clearly, what they are putting these pieces of equipment in place for, at embassies—and obviously Global Affairs is better to answer—is to screen people who are entering the embassy to make sure they're not bringing in anything they shouldn't be.
Really, the type of information that this machine itself would carry isn't going to be the problem. Where the problem lies is whether there are any additional capabilities embedded within the machinery that are of concern. That is where a supply chain integrity assessment, such as the one we do, comes into play.
[Translation]
Thank you for your response.
Should the government review its procurement policy to ensure that Chinese technology companies no longer have access to Canadian infrastructure?
Nuctech was awarded a $4-million contract for image and video communications equipment with the Canada Border Services Agency.
Should the entire policy be reviewed to ensure that this type of situation doesn't happen? The contract is dated November 2019.
[English]
[Translation]
[English]
In my opinion, the work we're doing right now to identify additional types of equipment that should be flagged within the procurement policy for review of this type will get us to where we need to be to be more aware of what sorts of things should come to CSE for evaluation.
I want to go back to the original question to PSPC, just to be crystal clear that at no step along the way through this process did somebody flag that this could potentially be an issue.
Thank you for the question, Mr. Chair.
During the procurement process, when we received the initial request from Global Affairs, we did go back and double-check with them to see whether or not the “no security clearance” was a potential issue or concern. My understanding is that prior to the award of the standing offer, we double- checked that there were still no security issues at the time.
I hope that answers the question.
It does, and I appreciate that. We're trying to get to a place here where, hopefully, people can have the ability to express any kind of dissenting opinions on policy that might protect people.
I have a question for Ms. Mullen that's a bit of a shot in the dark.
In 2014, there was a presentation called “IP Profiling Analytics & Mission Impacts”, which tracked the cellphones of travellers passing through Toronto Pearson Airport. Was anything learned from that that we might apply to potential risks that could have come through malicious technologies that could have been placed in our own equipment, in our own missions?
Thank you for the question, Mr. Chair.
Although I'm not specifically familiar with that particular study, I can say that the cyber centre does issue quite a lot of advice and guidance in terms of specific mitigation measures that individuals who are travelling should take to protect themselves. This is in terms of the types of vulnerabilities that their communications equipment, their cellphones, etc., inherently have, which is informed by that report and others like it. I would say that there is quite a bit of advice and guidance available to travellers for exactly that reason.
Not so much travellers.... I'm just suggesting that if you were able to do that to travellers, I can only imagine that Nuctech, if it was malicious in its equipment, could have done that within our missions as a form of a national security threat.
I'm wondering whether, through a reverse engineering thought process, you have learned anything from the work you're doing in the Communications Security Establishment to better check the profiles of our future procurements, to ensure that no malicious technologies are hidden or stowed away within equipment that we're procuring?
Yes and no.
Yes, we are using the things we know about the techniques we employ within our lines of business to better design protections to those types of techniques; and no, in that we are not being asked to weigh in on specific changes to procurement activities, other than, as I said, urging departments making technical procurements to come to us for advice and guidance.
Thank you, Mr. Green.
Thank you, Ms. Mullen.
We're going to our last grouping, and we'll go to four minutes.
We'll start with Mr. McCauley.
Thanks, Mr. Chair.
Ms. Mullen, thanks for your comments.
You mention urging departments to come to you. In your opinion, then, should this committee ask PSPC and TBS to change the policy so that all such tech purchases have to go through a process such as that?
Thank you for your question.
All tech purchases.... I couldn't even begin to know how my team could keep up with that level of demand. I think it's about choosing the right types of equipment in the right deployment scenarios that warrant our attention.
For security reasons, should we then have an outright ban on buying tech equipment that is controlled by state-owned operators in an adversarial position to our country?
While I can see how you might feel that way, CSE, of course, is not a regulatory agency at all, so we don't weigh in on—
I think we definitely need to continue to consider who they are, the sensitivity of information and the specific technology in question before we decide whether or not they should be—
They at least should have a security clearance, which apparently Nuctech didn't.
Mr. Ieraci, I just want to go back to you, because some of my colleagues here seem to be pushing the idea that the system worked: we caught the problem, we had the review and we stopped purchasing from Nuctech. Is it not the reality, however, with Nuctech receiving the sole standing offer for this equipment, that if the media hadn't found this, we'd be looking at them installing it in our embassies right now? The system only worked because the media found it, basically.
Thank you for the question, Mr. Chair.
I don't really know how to answer the question, to be perfectly honest.
No contract was signed, but they were the only company approved, so if Global Affairs had gone forward, they wouldn't have started a whole new process. They would have gone to the standing offer that had been approved and would have gone forward with Nuctech, if we hadn't found out about this issue.
With the standing offer in place, had Global Affairs issued a call-up, it would have been issued to Nuctech.
Right, so it's not a matter of “the system worked and we caught it”. It was a matter of thank heavens someone in the media found it. I want to thank them for that.
How much did we pay Deloitte for this contract? Was there any scope outside of whether we should go forward with Nuctech? Was it a broader scope, Mr. Danagher?
The scope was pretty broad. It was giving us verbal advice on some security aspects, but it was also looking at how we approach and how we review all security equipment purchases moving forward. It was not about this standing offer in particular—
It was a policy matter. It was not about the technical use of equipment in a particular deployment. The CSE is absolutely invaluable for us in that aspect, and they have been in the past in other aspects of our deployments.
On this one in particular, and on other security equipment, I needed an assessment of what happened and why it worked that way. I now have it, and—
Thank you, Mr. Chair.
Given that we are much past our time today and I have another commitment—I know that a number of other members have commitments that they need to get to at this point—I would yield the rest of my time today. I also would like to suggest that we do our best, going forward, to stick to our approved times.
Thank you.
Thank you, Mr. Weiler, for doing that. It is much appreciated.
With that, I would like to thank the witnesses for staying with us. With the vote, things got extended a little longer than we would like, and that's unfortunate. I appreciate our trying to stay as close to being on time as we could.
That said, we would appreciate it if any of those officials who have indicated that they will provide information to the committee do so by sending that to our clerk so that it can be dispersed amongst the committee. That is greatly appreciated.
I would like to thank our interpreters for sticking with us in some of the AV issues that we had and in the handling of that. It is much appreciated. Thank you.
With that—
Mr. Chair, can I make a request that for future meetings witnesses are required to log in early and do the sound check early? I feel that six months in, we should have a better system in place, whereby we make sure that this isn't a problem moving forward.
Mr. Green, in this case we actually did. Mr. Danagher actually did log in earlier. They tried to do a lot of checking with that to make certain it was working. Because of the situation, we wanted to make certain we got through.
The other option would have been for Mr. Danagher to come back at a later time to committee on that issue, but we found that the interpreters were able to accommodate us in this situation, and we appreciate that from them, as well as the members bearing with it. We will make certain that everyone comes in earlier. Thank you.
With that, I call the meeting adjourned.
Publication Explorer
Publication Explorer