Canadian cybersecurity companies are paying keen attention to an ongoing review of Ottawa’s procurement process, anxious to see whether the review will help hasten the protracted system and make military contracts more accessible for small domestic cyberbusinesses.
Deputy Minister of National Defence Jody Thomas pledged earlier this year to review procurement this summer, analyzing the necessity of each step with the aim of paring them down. And for cybersecurity companies, which offer products such as firewalls and detection systems for data breaches in which information is inappropriately accessed or stolen, the review can’t come too soon. Many say the massive amounts of paperwork and drawn-out timelines for military purchases can render the process prohibitively expensive or inaccessible for small Canadian cyberbusinesses.
Iain Paterson, managing director of Toronto-based cyberconsultancy Cycura Inc., pointed to current procurements as an example. There are two military cyberdefence projects that together include nearly a hundred pages of documentation in just the early letter-of-interest phase. From there, according to the Department of National Defence’s (DND) documents, the process will take several years to move through its schedule of industry days, classified one-on-one meetings, follow-up meetings, formal requests for information (RFIs), draft requests for proposals, formal requests for proposals, months of evaluation and finally, a contract award.
“At the end of the day, the only person that’s going to spend the time and effort doing it is going to be Accenture, IBM, Deloitte, big shops like that," said Mr. Paterson, who has met with DND representatives to discuss the current processes and the prospects for one that is more agile.
Many industry players are anxious about the future of Canadian cyberinnovation if government and military procurement isn’t made more accessible. They cite barriers like year-long waits for security clearance, which is required to even place a bid, and lengthens the existing process further. As well, some worry that Canadian investment in cybermarkets overseas could further weaken their domestic industry. Recently, Toronto-Dominion bank, the Bank of Nova Scotia and the Royal Bank of Canada have all made such investments in Israel. DND has shown an interest in consulting with and supporting the Canadian cyberindustry, but the current purchasing system still poses a hurdle too high for many.
“There’s an appetite right now within the Canadian government to get their hands on especially Canadian born-and-bred cybersecurity technology,” said Katherine Thompson, chair of the Canadian Advanced Technology Alliance’s Cyber Council. The council serves as an advocate for Canada as a global hub for cybersecurity innovation, research and skilled labour. “The challenge is, a lot of the requirements to do business with DND – from security certifications to having various standards and clearances – make it really difficult for small business to compete,” she said.
University of Toronto political scientist Jon Lindsay believes that small businesses have a unique set of skills that could be useful in military applications. Prof. Lindsay, who has 10 years' service in active duty for the U.S. Navy and a master’s degree from Stanford in computer science, said in an interview that larger companies can offer advantages if a military is looking at “securing the entire enterprise,” but smaller companies are uniquely poised to provide quick, innovative responses to smaller issues, particularly in artificial intelligence and data analytics. He agrees the barriers are high. "The procurement problem is huge,” he said. “This process definitely needs to be overhauled. It’s not operating at internet speed.”
Patrick Searle, director of cyberinitiatives for the Council of Canadian Innovators, said that if innovative Canadian companies can’t win government contracts, it’s harder for them to grow and expand, and gives them less incentive to stay in Canada. Not only does he worry about domestic industry, but also domestic security, if contracts are awarded internationally.
“Domestic capability in cyber is a precondition for countries remaining safe and sovereign in the age of digital threats," he said. “We would never outsource our border protection ... but when it comes to cyber we don’t have the strongest footing."
Citing operational security concerns, the Department of National Defence and Canadian Armed Forces said they could not specify “how cyber security tools are procured or who we procure them from." In a statement to The Globe, the DND says the federal government recognized "the challenges associated with military procurement”, and that they’re “working closely with partners across government and industry to examine every aspect of the procurement cycle in order to find solutions.”
Many individuals in the cybersphere who spoke with The Globe and Mail said that, when they spoke to DND officials in meetings and consultations, those officials were as frustrated with procurement as anyone – and that they all were actively looking for solutions.
But some individuals within the Canadian Forces still vouch for some merit in the existing procurement process. One of them is Brigadier-General Patrice Sabourin, the Canadian Forces’ newly-promoted director-general of information management operations. He said in an interview that defence procurement was a long process, but also “a very deliberate one.” “The process is there to make sure we actually buy the best tool to meet our requirements,” Brig.-Gen Sabourin said.
His major concerns are protecting information and keeping operations private; but with increasingly digitized weapons systems, vehicles, airplanes and ships, those assets are cyberconcerns, too. DND has made some moves recently to improve the agility of tech contracts, including the IDEaS (Innovation for Defense Excellence and Security) initiative in April. The initiative calls for bidders to submit “innovative science and technology proposals” with hopes of winning prospective contracts. Multiple cyberprofessionals who spoke to The Globe expressed their support of the program, noting that it was a step toward a more agile process.
But two ongoing cyber projects with DND/CAF − the decision support project, intended to provide response capability against advanced threats and enhance their decision making, and the cyber security awareness project, intended to manage the confidentiality, integrity and availability of DND/CAF cyberspace − are illustrative of the protracted process as it stands. The two projects began with a letter of interest issued in December, 2016. The actual purchase decision is slated for the summer of 2021.
Brig.-Gen. Sabourin said he believed the capability they’re looking for in their new cyber tools will stay “fairly static” between the beginning of the process and the eventual selection date. At that point, he believes the department will still be able to buy the “greatest and latest” technology.
But Ms. Thompson from the Canadian Advanced Technology Alliance’s Cyber Council disagrees.
Ms. Thompson says that, in the last few years where she’s worked with the federal government, she’s seen the DND struggle with accessing new, innovative technology − pointing to it as one of their largest issues at-hand. “When they do get [cutting-edge technology], by the time they go through the procurement process internally, that cutting-edge technology is no longer cutting edge,” she said. “It becomes status quo."