Canada’s Five Eyes allies buy three times as much as Ottawa does of Canadian cyber products and services, an industry association has complained to a parliamentary committee.
While between 2018 and 2020, the sector grew over 30 per cent in terms of employment, R&D activity and revenue, only eight per cent of the sector’s revenue is derived from Canadian government contracts, Christyn Cianfarani, chief executive officer of the Canadian Association of Defence and Security Industries (CADSI), told the House of Commons defence committee on Friday.
“Those numbers speak to a central challenge we face in this country when it comes to cyber,” Cianfarani said. “Our allies see more value in Canada’s cybersecurity sector than Canada does. Something is wrong with that picture.”
She was one of a number of witnesses to testify this year before the committee, which is looking into the country’s ability to face cybersecurity attacks and cyberwarfare.
Cianfarani’s complaint that the federal government doesn’t buy enough from domestic companies is just the latest in a series of pleas from the industry for more support.
“One side of the coin is Canada needs to acquire more from our own industrial base, using procurement as a policy lever to drive innovation and build scale in Canadian businesses,” she told MPs. “The other side of the coin is Canada needs to procure at the ‘speed of cyber.’ A slow procurement process is a recipe for buying out-of-date or even obsolete cyber technology. Innovation cycles in this domain are measured in months, or even weeks,” she said.
Related Content: CADSI 2021 report “Procurement at Cyber Speed”
Asked by a committee member what could speed procurement, she urged the government to have a more flexible purchasing process, including, in some cases, fast-track approval: If a product or service is made by a Canadian company with Canadian nationals who have security clearance and the intellectual property remains in Canada, “boom, I [a government purchaser] can buy that.”
“Resolving these issues boils down to one word: collaboration,” she maintained. “Canada requires a much greater degree of co-operation, knowledge sharing, and co-development between government and the private sector. Some positive steps have been taken toward this, but we’re nowhere near where we need to be. While agencies like CSE [the Canadian Security Establishment, responsible for protecting federal IT networks] are very capable, CADSI’s research has shown our government falling behind our allies when it comes to working with the sector in an institutionalized way. Our allies are collaborating with industry in real-time right now in Ukraine.”
Ottawa needs to establish a recurring forum for dialogue and discussion on cyber issues with all the key players, including CSE, the Defence department, Global Affairs and Public Safety Canada, she said.
Canada also needs improved systems for threat-sharing that combine open sources with government and industry sources of information about breaches, indicators, and potential responses, Cianfarani said. This will mean rationalizing what is unclassified and what remains classified, and who has access to what, she said.
The government should consider sandboxes and collaborative lab spaces to test new technologies and capabilities together at scale, and talent exchanges between the public and private sectors like the U.K.’s Industry 100 program and a new talent exchange just launched by CSE, she said. That, she said, could start to address the cyber talent shortages that we’re all facing, because cannibalizing each other isn’t going to work. Reservists with cyber and computing skills who are employed by companies could be an attractive way to support reconstitution of the Canadian Armed Forces (CAF), she suggested, so long as the government does not claim the intellectual property and patents that reservists create while employed in the private sector.
Cianfarani also urged Ottawa to adopt the U.S. Cybersecurity Maturity Model Certification (CMMC) standard that will have to be met before the Pentagon buys a product. CMMC will likely become a de facto Five Eyes, if not global, standard for defence firms, she said.
“In conclusion, effective cyber defence at national levels is a team sport,” she said. “If our allies can get this, why can’t we?”