PROCUREMENT AT CYBER SPEED

2021 Report | Canadian Association of Defence and Security Industries TABLE OF CONTENTS

1.0 Summary...... 4

2.0 Countering Threats Collaboratively...... 6

3.0 The Importance of Procurement to Sustained Collaboration.....9

4.0 Cyber Procurement Success Factors and Challenges...... 10

5.0 Problem 1: The procurement process is too slow and rigid...... 13

6.0 Problem 2: Procurement projects are too large and complex...... 14

7.0 Problem 3: Procurement professionals need new skills...... 17

8.0 Ideas for Reform...... 18

Improve the speed and flexibility of the procurement process...... 18 Increase support for existing agile and iterative programs...... 18 Respond to cyber integration challenges by expanding opportunities for education and training...... 19

9.0 Conclusion: Establish a forum to improve cyber procurement through collaboration...... 20 1.0 SUMMARY

From May 2019 to October 2020, CADSI However, CADSI’s research also concluded that gov- The following government departments and organizations interviewed 30 government, military, ernment and industry are not aligned on how to solve helped to shape this report: Department of National Defence and industry cyber experts to identify these challenges. In part, this discord is attributable to (DND), Defence Research and Development Canada (DRDC), military cyber procurement challenges a gap in Canada’s cyber ecosystem – currently, there Canadian Centre for Cyber Security (CCCS), Communications and potential solutions. is no government-industry forum to discuss these Security Establishment (CSE), (GAC), issues and challenges or to collaborate on possible Innovation Science and Economic Development Canada CADSI’s research concluded that government and reforms, so little progress has been made. (ISED), (PSC), Public Service and industry agree on the core challenges impacting Procurement Canada (PSPC), Shared (SSC), Canada needs an institutionalized government-industry military cyber procurement: and Treasury Board Secretariat (TBS). forum to discuss and obtain consensus around viable 1. The cyber procurement process is too slow and procurement reforms, and to support the implemen- The following cyber-engaged firms helped to shape this rigid to keep pace with cyber innovation and tation of solutions. report: ADGA, Calian, CCX Technologies, Clairvoyance Cyber obsolescence cycles; Corp, CryptoMill Cybersecurity Solutions, FireEye, General 2. Most cyber procurement projects are too large CADSI believes that industry- Dynamics Missions Systems, IBM, KPMG, Microsoft, Rhea Group, root9B Canada, Sapper Labs, and the SecDev Group. and complex, introducing unnecessary risks for government dialogue and business and government; collaboration are essential to 3. Procurement professionals need new skills and training to keep pace with cyber innovations and resolving many of Canada’s cyber to operationalize new procurement practices challenges, including procurement, better aligned to cyber. which further reinforces the key findings of our 2020 report, The Cyber Collaboration Imperative.1

1 The Cyber Collaboration Imperative, CADSI, 2020.

4 PROCUREMENT AT CYBER SPEED 5 2.0 COUNTERING THREATS COLLABORATIVELY

Canada and its closest allies are fighting a While Canada has been slow to adapt to the emerging 2. Cyber technologies present a unique risk profile 3. No organization, operating in isolation, can keep pace persistent cyberwar – a war born of the digital- cyber threat landscape, many of Canada’s allies have and calculus that challenges current procurement with the rapid expansion of new cyber knowledge, era, borderless, impacting soldier and citizen built strong cyber defence capabilities to counter approaches, and may result in a persistent techno- technologies and practices: logical mismatch between Canada’s military and its alike. This cyberwar has spilled out across these threats. They have done so by recognizing the » Established government processes cannot meet adversaries: our networks and systems affecting public fundamental differences between traditional and cyber or exceed cyber innovation cycles. Government defence, and by harnessing the power of government- » and private assets, democratic institutions, Given that adversaries can bring new capabilities needs to bring different expertise and knowledge industry collaboration in their response: online from scratch in 10 months or less, the the military, security agencies, and Canadian together in new ways to develop and acquire cyber perceived benefits of taking the time to thoroughly solutions effectively and on time; citizens. The digital domain has been rendered 1. In cyber defence, the role of the private sector is de-risk and compete procurements may be unsafe for Canadians and dangerous for our different and enhanced: » The pace of cyber innovation places a premium outweighed by the damage caused by an on continuous reskilling, training, and knowledge women and men in uniform. » Industry drives a speed of innovation and attack undefended attack; that is faster than traditional defence; exchange between government, industry, and » In its National Cyber Threat Assessment 2018, CSE » Developing cyber solutions is best done through academia. established that it is “now routinely blocking well » Industry is responsible for more of the innovation, rapid iteration, and by breaking down larger over a billion malicious actions aimed every day and plays a greater role in delivery of operations; problems into smaller, more discrete parts. Canada’s current procurement system cannot account at federal systems, databases and websites” and » Industry owns and operates most of cyberspace, This new paradigm does not mesh well with for cyber’s aggressive obsolescence cycles, cross-platform faces down “thousands of attempts to access and including the underlying networks and enabling DND’s current acquisitions approach. integration challenges, or the unpredictable impacts infiltrate government networks each day”.2 technologies. of converging technologies. Shared Services Canada effectively summarized the digital-era procurement » In its 2019 Update on Cyber Threats to Canada’s challenge when it noted that “we have shifted from Democratic Process, CSE established that “half of all discrete problems with fixed answers to holistic messes advanced democracies holding national elections that require innovative approaches and collaborative have had their democratic process targeted by solutions.”6 cyber threat activity;” a trend expected to increase.3 2 National Cyber Threat Assessment, CSE, 2018. » DND networks, including those of DRDC and the 3 Update on Cyber Threats to Canada’s Democratic Process, CSE, 2019. Canadian Defence Academy (CDA), have been 4 NATO Review: The History of Cyber Attacks – A Timeline, NATO, 2013. attacked and compromised on several occasions, 5 Four Canadian Military Schools Affected by Cyberattack, Paul Waldie and Colin Freeze, Globe and Mail, 2020. going back to 2011.4,5 6 Agile Procurement for the Public Sector – A Primer, Emilio Franco, Shared Services Canada, 2017.

6 PROCUREMENT AT CYBER SPEED 7 THE NATIONAL INTEREST: SOVEREIGN CAPABILITY 3.0

Canada is fortunate to have a world-class firms, especially SMEs.3 There may be utility in cyber industry. According to a 2020 ISED and better leveraging existing tools like the Industrial study, the sector comprises Technological Benefits (ITB) Policy and Value THE IMPORTANCE over 330 firms that build best-in-class tech- Propositions, already contained within the existing nology sourced around the world. Canada’s procurement framework, to help foster a stronger cyber industry generates over $1 billion in domestic industrial cyber base. annual export revenues, and sells its products 1 OF PROCUREMENT and services to all five-eyes allies. Unfortunately, 1 Statistical Overview of Canada’s Cyber Security Industry despite this strong domestic performance, in 2018, ISED, 2020. the federal government continues to buy 2 From Bullets to Bytes: Industry’s Role in Preparing approximately 90% of its cyber technology Canada for the Future of Cyber Defence, CADSI, 2019. from large foreign suppliers.2 It is time for This report examined the publicly available government TO SUSTAINED contracting data. this situation to change. The best response 3 Army Modernization Strategy, U.S. Army, 2019; Small to cyber threats is one that collaboratively Business Strategy, Department of Defence, 2019; mobilizes the innovation potential of domestic Small Businesses Behind Defence's Biggest Projects Recognized, Ministry of Defence, 2018. COLLABORATION

An effective procurement system for cyber goods By emphasizing the procurement of domestic cyber and services is essential to a productive and capabilities and empowering large Canadian companies collaborative relationship between government to maximize economic benefits harvested from the and industry. Canadian cyber industrial base, including through earlier application of the Value Proposition and Industrial We have to be able to buy the fruits Technological Benefits policies, enduring economic of any collaborative labour at the end value can be created and sustained within this critical domestic industry. of the process. Without the ability to acquire the end solution, everyone’s Given that much cyber innovation takes place within time is wasted, government and industry, failing to improve cyber procurement risks industry become frustrated, and placing significant limitations on one of the few channels through which industrial innovations can make their the collaborative will evaporates.7 way into the hands of government operators.

As cyber threats escalate and Canada rightfully intensifies This situation, left unresolved, has the potential to investment in defensive cyber capabilities, an opportu- undermine Canada’s national security by severely nity has been created. Canada’s cyber resilience can limiting the government’s access to the most advanced, be achieved through investment in sovereign capability. industry-driven cyber innovations and solutions critical Leading domestic firms possess the capabilities and to an effective defence against increasingly sophisticated operational experience required to ensure Canada’s and continuously innovating adversaries. digital defence. Now is the time for government and domestic cyber firms to work together to cultivate a broad domestic industrial base focused on cyber defence. 7 Quote from interview with government official.

8 PROCUREMENT AT CYBER SPEED 9 4.0 CYBER PROCUREMENT SUCCESS FACTORS AND CHALLENGES

Interview respondents identified more than This research also revealed a set of characteristics These success characteristics are likely applicable beyond 20 government procurements and projects that define successful cyber procurements: military cyber procurements, especially given that that demonstrated sub-optimal outcomes. » Operational and technical authorities are engaged some have been extracted from the successful cyber early and remain committed; procurements of other Canadian federal departments and agencies. » Projects deliver incremental results within 10-month cycles; However, anecdotal evidence collected through » Administrative and procedural overhead are interviews suggests most military cyber procurements consolidated and simplified; in Canada face moderate to significant challenges. Three consistent factors were identified as contributing » Communication between public and private stake- to sub-optimal outcomes: holders is direct and consistent; » Core team member churn in the public sector is 1. The cyber procurement process is too slow minimized over project lifetimes; and rigid to keep pace with cyber innovation and obsolescence cycles; » Operational need is pre-validated, and re-validated periodically, by end-user clients; 2. Most cyber procurement projects are too large and complex, introducing unnecessary » Industry is trusted with significant leeway to propose risks for business and government; creative and out-domain solutions; 3. Procurement professionals need new skills and » The business-case and scope of work remain training to keep pace with cyber innovations reasonable as the project adapts; and to operationalize new procurement practices better aligned to cyber. » One or more key public servants fully understands the systems at play and operational need; » Strong executive support ensures that funding remains ready and available.

10 PROCUREMENT AT CYBER SPEED 11 5.0 PROBLEM 1: THE PROCUREMENT PROCESS IS TOO SLOW AND RIGID

Canada’s federal government continues to apply The 2020 CGAI report also examined whether industrial-era acquisition processes to digital-era departmental financial constructs, as required by challenges. Defence procurement continues to government-wide comptrollership practices, were reflect a time when it was acceptable to acquire implemented at DND in a manner that contributed a weapons system or defensive platform over to sub-optimal procurement outcomes. For example, 10-20 years, given the system or platform would the report noted how Vote 5 capital, used to buy new then operate effectively for 25 years or more.8 or improved capability at higher financial thresholds, These decades-long product lifetimes in traditional triggers a long and complex procurement process that defence are a sharp contrast to obsolescence is not well suited to fast-paced technologies. Conversely, cycles in cyber that are measured in weeks the report noted how Vote 1 capital, used to keep and months. equipment up to date, triggers a more streamlined process better suited to fast-paced technologies, but A 2020 report by the Canadian Global Affairs Institute is afforded a significantly lower financial threshold, and (CGAI) concisely summarized many of the core challenges cannot acquire new or improved capability. The CGAI impacting the defence procurement process, which are report suggested another Vote of capital may be required most acute in the Options Analysis and Implementation for advanced technologies like cyber, which better aligns 9 Stages. While locking in requirements at the Options their shorter product lifecycles with quicker, more flexible Analysis stage has proved a worthwhile strategy for procurement rules and approaches, without sacrificing traditional defence procurements, it can introduce the appropriate financial thresholds required to field risks and costs for faster moving cyber technologies, new and improved capabilities. given how long the Options Analysis stage can take. The same problem arises at Implementation, where there is almost no ability to change project requirements, 8 Toward Agile Procurement for National Defence: Matching the Pace of Technological Change, CGAI, 2020. budget, or timeframe. This locks in solutions that risk 9 Options Analysis is when the business case is developed for becoming irrelevant and cost-ineffective. all options and Implementation begins with the launch of a competition for desired services to select a supplier and then manage delivery. 12 PROCUREMENT AT CYBER SPEED 13

6.0 CHALLENGES AND BOTTLENECKS IN THE PROCUREMENT PROCESS

At a minimum, a project – a proposal to purchase the fastest a procurement could progress from PROBLEM 2: a new capability for DND – must progress through Identification to an RFP, which occurs at the Defi- 84 gates or approvals, grouped into Project Phases, nition Phase, is nearly seven years, though longer before the project office can issue an RFP. DND’s is common. There is a clear disconnect between process is set out in the Project Approval Directive, the timelines of the decision-making cycle and that PROCUREMENT which establishes five Standard Project Phases – of the lifecycle of cyber technologies, which is 10 Identification, Options Analysis, Definition, Imple- months or less. This decision-making process does mentation, and Close-out. Each gate is administered not work for procurement officers or industry and by a “functional unit responsible for specific actions consistently procures technological solutions years and authorities in the approval process” and “all out of date. PROJECTS ARE proposals must be approved at each gate in order to proceed further.”1

It can take between 30 and 100 days, or more, to 1 Decision Making in the Capability Development Process: Organizational Issues within the Department of National TOO LARGE proceed from one gate to the next and scheduling Defence, Martin Rivard, Canadian Military Journal, 2018. of decision-making committees can also introduce AND COMPLEX delays. Assuming the minimum of 30 days per gate,

Procurement strategies and related documen- a measured progression of deliverables that moves Allied cyber procurement practices also reflect the use of the intention of allowing for greater flexibility in finding tation in Canada need to be updated to reflect a steadily towards full-scale delivery of an operationally- demonstrations, prototypes, and minimum viable products the balance between three mutually dependant factors: more iterative approach to cyber procurement. relevant capability. This approach also offers the as viable bid submissions, which are prioritized over highly This includes the need to strike a balance multiple off-ramps to replace detailed and overly specified requirements. This is a 1. Identifying, sourcing, and deploying new technologies at speed, which are available across a fast moving between smaller and steadier progressions non-performant technologies or suppliers, or to new way for bidders to prove how they meet potential incorporate emerging innovations, which de-risks requirements, and can deliver functional solutions, and highly innovative cyber ecosystem, to respond of deliverables, managing overall system com- the procurement process, while making it more before transitioning to full-scale deployment. to cyber capability deficiencies; plexity, and ensuring consistent alignment of responsive to change. 2. Managing increasing system complexity and capability/ procured capabilities to operational intent. These emerging cyber procurement best-practices technology integration requirements through a more reflect a certain level of experimentation, and allow for equitable sharing in the ownership of integration Leading cyber procurement practices among Canadian These types of iterative approaches different ways to promote greater competition while risks and responsibilities between government and allies favour new approaches, which break down com- have also been shown to secure de-risking the procurement process for firms and industry and; plex projects into manageable subsets of tasks and greater levels of SME engagement governments alike. This point cannot be understated: challenges. By adopting these approaches, the level 3. Continuous alignment of capability development to – a priority in the U.S. and UK, where modern approaches to cyber procurement have a operational intent through systemic and persistent end- of technological sophistication and scale of solution multiple reports have concluded different perspective on failure – a stepping stone, not user engagement throughout the procurement process. can be gradually increased over time, which allows that SMEs are key drivers of cyber a roadblock – along the path to successful acquisition. the customer (the Government of Canada) to review and digital innovation.10 Modern procurement practices are also designed with

10 Army Modernization Strategy, U.S. Army, 2019; Small Business Strategy, Department of Defence, 2019; Small Businesses Behind Defence's Biggest Projects Recognized, Ministry of Defence, 2018.

14 PROCUREMENT AT CYBER SPEED 15 7.0 PROBLEM 3: PROCUREMENT PROFESSIONALS NEED NEW SKILLS

Modern approaches to cyber procurement All interview respondents agreed that cyber procurement demand the application of a diverse array of new professionals will require access to ongoing training and evolving skillsets. Procurement teams need and skills-upgrading resources to keep pace with cyber to be comprised of professionals with a broad innovations and with leading procurement practices mix of proficiencies and capabilities including: and techniques.

» Management of collaborative relationships between For example, the U.S. military currently has more than government and industry to maintain a shared and 15 rapid-capability development and advanced-tech- accurate understanding of the technical and opera- nology acquisition programs from Dragon’s Den-style tional problem spaces; competitions and x-prizes, to dedicated venture capital investment funds.11 This range of technological access » The ability to forecast the implications of converging points allows the U.S. military to access emerging technologies and adjust procurements and projects technologies through a higher-risk approach where in response; the risk is balanced across a portfolio of investments. » Allowing for new ways to showcase cyber solutions in a competitive environment and encouraging SME Additionally, some allied military academic institutions and startup engagement, including pitch competitions, have developed curricula focused on advanced tech- x-prizes, and other emerging procurement practices; nology acquisition and integration in defence.12 Canada » The technical competency to engage operators on may want to consider pursuing education and training real problems in a live or simulated threat environ- partnerships with allied institutions to support the ment to better understand implementation and upskilling of its defence procurement professionals. interoperability concerns;

11 National Defence Authorization Act for Fiscal Year 2019, U.S. Congress, 2019. 12 For example, the Capability and Acquisition Practitioner Series at Shrivenham Defence Academy in the UK, or any one of the 100+ courses or digital learning engagements offered through 16 PROCUREMENT AT CYBER SPEED the U.S.’s Defence Acquisition University. 17 8.0 IDEAS FOR REFORM

Although industry and government representa- INCREASE SUPPORT FOR EXISTING DND, PSPC, and TBS should consider applying IDEaS’ FOR EDUCATION AND TRAINING AGILE AND ITERATIVE PROGRAMS core characteristics to official cyber procurement tives interviewed for this report proposed many The industry cyber experts interviewed identified solutions to respond to cyber procurement's programs. As Innovative Solutions Canada (ISC) shares Innovation for Defence Excellence and Security (IDEaS) two core training and education opportunities that core challenges, consensus on which were many of IDEaS’s core characteristics, ISED should work is an agile innovation program that demonstrates could be optioned to help resolve the technology with client departments to make greater use of the most likely to lead to successful outcomes some of the core characteristics of successful cyber integration challenge: program for national security and cyber challenges. was not achieved. procurement programs: Consideration should also be given to increasing the » Embed acquisition professionals and establish However, experts across both the private and public » Early-phase projects comprise bite-size requests resources available to IDEaS’s cyber component and two-way exchange programs with allied Material sectors considered a few ideas worthy of further for demonstration or proof of concept. Later phases developing a mechanism to fast-track winning projects and Information Management (IM) organizations, exploration and development. increase the sophistication of the technological ask into official DND/CAF procurement channels. The ability U.S. Cyber Command, U.S. Rapid Capability Devel- and scale of deployment; to launch classified IDEaS challenges is also likely worth opment Offices, and the Army Futures Commands, to gain first-hand experience working in programs IMPROVE THE SPEED AND FLEXIBILITY » Prototypes and technology demonstrations are further exploration. OF THE PROCUREMENT PROCESS acknowledged to be delivering successful cyber prioritized over paper-based submissions; outcomes. CGAI’s 2020 procurement report developed three RESPOND TO CYBER INTEGRATION » Testing and validation phases are backed opera- recommendations to improve DND-led procurements: CHALLENGES BY EXPANDING OPPORTUNITIES » Develop the mechanism for Canadian procurement tionally and financially by military end-users; professionals to receive undergraduate and graduate 1. Sustain the flexibility to upgrade cyber capabilities » The program’s staged progression from proof of instruction through U.S. and UK military academic over their life cycle by developing “evergreen Our current cadre of acquisition concept, to prototype, to scaled testing, provides programs focused on advanced technology procure- umbrella projects for ongoing capability improve- professionals have been taught to opportunities to re-evaluate and remove or engage ment and integration. ments where funding can be reallocated among new technologies and firms; acquire capability in the context of sub-projects by project sponsors.” discreet platforms. They have not been » Rewards are gated behind a progression of tangible 2. Develop a new Vote between Vote 1 and Vote 5 deliverables that increase in complexity and cost, trained to bring several different 13 Toward Agile Procurement for National Defence: Matching the for high-technology acquisitions that has the technologies together, across a few Pace of Technological Change, CGAI, 2020. flexibility of Vote 1 but the funding levels and over time, minimizing the financial risks of failure ability to acquire new capability of Vote 5.” for government and firms; different and complex technology areas. Nor have they been trained 3. Develop a “fast-tracked approval and contracting » The program’s focus on outcomes, and willingness process for technological and regulatory upgrades… to consider a broad diversity of solutions from to assess their fit and interoperability with high flexibility in terms of initial budgets out-domain, significantly increases the solution within the existing platforms, capa- and schedules.”13 space accessible to government; bilities, and technologies in the field. » The program puts functional technology in the hands of CAF operators in less than a year.

18 PROCUREMENT AT CYBER SPEED 19 9.0 CONCLUSION: ESTABLISH A FORUM TO IMPROVE CYBER PROCUREMENT THROUGH COLLABORATION

The research conducted in support of this report Progress hinges on the creation of a forum to structure The Cyber Advisory Council was instrumental in the development of this report demonstrates significant common ground a recurring dialogue between government and industry and its recommendations, and is comprised of the following individuals: between government and industry on the to jointly discuss and develop some of the potential nature of the problems that are holding back solutions captured here, and to examine others. AL AMLANI DAINA PROCTOR GDMS Canada, Director Cyber Operations IBM, Associate Partner, Security Intelligence cyber procurements in Canada. However, when Unsurprisingly, this is how many of Canada’s allies and Operations Consulting it comes to solving these problems this report stay on top in the cyber domain – through ongoing, ALLEN DILLON does not provide recommendations because institutionalized government-industry dialogue, root9B Canada, Chief Operating Officer RAFAL ROHOZINSKI none of the ideas presented have achieved knowledge sharing, and collaboration – aimed at SecDev, President and CEO government-industry consensus. gaining a sophisticated understanding of the rapidly SHAUN COVELL changing, innovation-rich cyber domain to meet its risks Sapper Labs, Director DAVE MCMAHON The ideas surfaced should instead be treated as and threats head on. Canada needs to do likewise. Clairvoyance Cyber Corp., CEO the initial thoughts and early concepts percolating CHRIS BARTLETT throughout Canada’s cyber community. They may CCX Technologies, President ROBERT MAZZOLIN hold the potential to resolve some of the identified Rhea Group, Chief Cyber Security Strategist challenges, but they require further discussion and NANDINI JOLLY joint investigation by government and industry. CryptoMill Cybersecurity Solutions, TYSON MCCAULAY President and CEO Rockport Networks, Chief Security Officer

GEORGE AL-KOURA BILL DUNNION ADGA, Director Cyber Operations Calian, Director Cyber Resilience

20 21 ABOUT CADSI

The Canadian Association of Defence and Security The industries contribute to the employment of more than Industries (CADSI) is the national industry voice of more 60,000 Canadians and generate $10 billion in annual than 900 Canadian defence and security companies that revenues, over 50% of which come from exports. To learn produce world-class goods, services and technologies more, visit www.defenceandsecurity.ca and follow us made across Canada and sought the world over. on Twitter at @CadsiCanada.

22 Canadian Association of Defence and Security Industries 300-251 Laurier Avenue West Ottawa, ON K1P 5J6 defenceandsecurity.ca @cadsicanada