Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
We'll start. Good afternoon, everyone. It was a lively bunch and now everyone is quiet, which is wonderful.
Welcome to meeting number 39 of the House of Commons Standing Committee on Government Operations and Estimates, a.k.a. the mighty OGGO. From 3:30 to 4:30, we will be studying ArriveCAN in public.
As witnesses we have, as an individual, Amanda Clarke, associate professor, school of public policy and administration, Carleton University. From the Department of Foreign Affairs, Trade and Development, we have Mr. Robert Stewart, who is the deputy minister of international trade. From Treasury Board, we have back with us Catherine Luelo, deputy minister and chief information officer; and also digitally we have Mr. Sean Boots, who is senior policy adviser, Canadian Digital Service.
We'll have five-minute opening statements, starting with Ms. Luelo, please.
Before I begin, I'd like to acknowledge that I am speaking here today from the traditional unceded territory of the Algonquin Anishinabe people.
I would just like to note that this is actually my first appearance at committee. I'm excited to be joining you here today. Be gentle; it's my first time. I'm not sure if that's appropriate to say.
I have spent 16 months at the government out of a 30-year private sector career across several industries. I worked in energy and telecom, and actually served as the chief information officer at Air Canada, as well as in a commercial role at WestJet, so I worked for both of our large airlines. Those were very complex operating environments, as is the Government of Canada. There is a sizable opportunity to deliver Canadians high-quality, accessible and efficient government services through the improved use of digital, and that's what attracted me to come and serve the country.
As the chief information officer of Canada, it's my accountability to provide overall leadership for the management of information technology, information management, and service and digital transformation within the Government of Canada. My office does this by supporting the administration of legislation related to access to information and privacy, developing policy plans and standards, and a strong emphasis on enabling departments in their project and program management. That's a big piece of what we do as well.
There's policy on service and digital and policy on security for government, which includes cybersecurity. That also includes the GC cybersecurity event management plan. In the event that we have a cyber event within government, it is our team that actually coordinates the response.
We are also accountable for ensuring overall technology planning for the Government of Canada and we do so through a variety of different mechanisms. I have the privilege to support the Canadian Digital Service as part of my accountability, and we have Sean Boots from that team with us here today.
In August 2022, we launched the Digital Ambition for the Government of Canada. This is an ambition for all Canadians and it's to serve them in a digital way and deliver government in a digital way. It's a clear long-term strategic vision that tells us and guides us as to how we are going to actually recruit talent and deal with privacy, accessibility and the landscape of cybersecurity, and wraps that all up into a three-year plan. I encourage you to look at Canada.ca to have a look at that.
The highlights of this plan are transforming our services with modern technology while continuing to deliver the services that Canadians rely on today, so really doing government in a digital age.
We also highlight unlocking data to enhance programs and services, designing policies and strategies that have real-world impacts, and measuring performance. A very important part of the overall digital ambition is evolution in funding, talent and culture. We are dealing with a talent issue in this country and at the Government of Canada as it relates to digital talent. I'm sure our conversations will take us there today.
Thank you once again, Mr. Chair, for inviting me to speak with you today.
Thanks so much, Mr. Chair. I'm really grateful to be here.
I'm a federal public servant who works on technology and public policy. I was invited to be here today in the context of research work that I did with Professor Amanda Clarke over the past year as part of the public servant in residence program. I'll be focusing my comments and answers today on observations related to that research.
This work was part of a research program that Professor Clarke leads on trustworthy digital government. IT procurement and the relationship between IT vendors and public service organizations are a big part of that story in terms of both public trust and public sector capacity.
Professor Clarke and I analyzed publicly available contracting data from federal departments, specifically the proactive disclosure of contract status set that lists contract award data. What we were looking for was trends in government IT contracting at scale. It's a classic kind of open-data problem. It's taking data that's publicly available but hard to understand or interpret and doing the work to transform it into something that's more insightful and easier to read and understand. You can see the results at govcanadacontracts.ca. I'll skip over our approach in the interest of time, but you can read about the methodology there.
There are a few questions that we can answer pretty confidently. In other cases, it's a bit more tentative given the data quality. One of the main takeaways is that this past fiscal year the government spent about $4.7 billion on IT procurement across all departments and agencies except for the Department of National Defence, which we categorize separately.
Of that, about $1.9 billion was spent on IT consultants and contractors, $1.2 billion on software licensing, $840 million on devices and equipment, and about $750 million on telecoms and other miscellaneous IT costs. These are all costs per year. Corrected for inflation, it's about a 27% increase in IT spending overall between 2017-18 and 2021-22.
Information technology is now the second-highest category of contract spending after facilities and construction. On the website, you can see who the largest IT providers are. Over the five years that we looked at, three companies received an average of over $100 million per year, which cumulatively is about 22% of total government-wide IT contract spending. Another 10 companies received an average of more than $50 million a year or about 17% of total IT spending. We don't have any publicly available data on how concentrated these companies are, for example, in the national capital region or, for example, how many of them are fully based in Canada.
The other question we were curious about was the number of IT contractor and consultant staff currently working at federal departments, typically with departmental laptops, emails and building passes. Our research team filed some access to information requests and none of the departments that responded had data available on the number of IT contractor staff working there, so we used some other publicly available IT expenditure data and we estimated that there are about 7,700 IT contractor staff across departments. In comparison, the government has about 18,000 in-house IT staff. In both cases, again, this excludes DND. Overall, for the core public service, that's a ratio of about one IT contractor for every 2.3 full-time IT employees.
From ATIP responses that came in this past month, we learned that the average per diem or daily pay rate for IT professional services contractors in federal departments is about $1,400 per day. These per diems go from as low as $230 per day to as a high as $2,800 per day. In comparison, a government IT-2 average employee salary is about $400 a day, including salary and benefits, and the average IT-5 salary is about $650 per day. An IT-5 is the highest-level tech employee in the public service. There are only about 500 or 600 of them across government.
What's challenging is that with the data that's publicly available, it's hard to evaluate whether the amount that the government is spending on IT is good or bad, and whether the ratio of outsourced IT contractors to in-house IT staff is appropriate. The source data isn't consistently linked to specific IT projects. There isn't public data on how those projects panned out. Essentially, without knowing whether IT projects turned out successfully or not, it's hard to say whether the money that was spent on them was worthwhile. There is some publicly available data on government IT projects that are larger than $1 million, thanks to a parliamentary written question. If you search for large Government of Canada IT projects, you can find recent data from earlier this year.
Professor Clarke can speak about this in more detail, but there's a strong relationship where the larger an IT project is, the higher its risk of failure. Our research puts into perspective that ArriveCAN, although it was a lot more publicly prominent than other government IT projects, is fairly small in scale compared to the government's overall IT spending totals.
I think the note I would end on is that it's great to see this level of interest in government technology work. More transparency on how we work as a public service, how we procure or build digital services and how we learn and improve them is really important.
Thank you, Mr. Chair, and thanks to the committee for having me here today.
I'm Amanda Clarke and I'm an associate professor at Carleton University's school of public policy and administration. For the past decade or so, I've been studying digital government reforms in Canada and internationally.
When I first read about the ArriveCAN app, I have to admit I wasn't particularly shocked. Its cost is actually a tiny percentage of the government's annual IT contract spend, as Mr. Boots just illustrated, and certainly it's not the most outrageous contract that I've seen over the years. But when I say I wasn't shocked, it's more because ArriveCAN's story is pretty standard. Reliance on a staffing agency to fill gaps in in-house capacity, insufficient research into how the app would be used by frontline staff or the public, sloppy public communications around data stewardship—this is a pretty classic government technology story.
The committee has the policy brief that Mr. Boots and I prepared based on our analysis of the federal contracting data. In my remarks, I really want to focus in on what I think is the key question at play here, which is what it would take to build a federal public service that can better manage technology projects like ArriveCAN, because that's where we all want to get to.
The most important step is to earnestly invest in the digital competency of the federal public service. We've long chosen, both deliberately and by unconscious habit, to turn to private IT vendors and management consultants to fill what are glaring gaps in digital expertise in the federal government. In turn, very little has been done to hire and train public servants such that the government could make sensible, accountable and strategic decisions about technology. We let the muscle atrophy and none of us should be surprised today that it can't do much heavy lifting.
This is a problem for two key reasons. One, if you don't have sufficient in-house IT expertise, you simply can't be a smart shopper when you go to buy IT services, software and equipment. This helps explain why in our analysis the federal government regularly breaks accepted best practice in modern IT procurement. The contracts are too big. They're too long. The government doesn't prioritize open source or public ownership of intellectual property. The government locks into vendors and finds itself with few escape routes if a vendor underperforms.
The second reason that you need to build strong in-house capacity speaks to the fundamental role of technology in today's policy process. Everything governments do is shaped by the digital systems informing that work, and all government activities today result in some sort of digital output. It's simply not enough to treat technology as something that happens after the real policy work and that can be largely outsourced as a result.
Acknowledging this after decades of outsourcing as a default, leading digital-era governments are now aggressively hiring technologists. They're appointing senior leaders like Ms. Luelo who have a deep understanding of technology and its role in the policy process. They do this because they've realized that governments can build beautiful services that genuinely improve people's lives. Further, they realize that the state is, in many instances, far better positioned than private actors to produce trustworthy, reliable and inclusive digital public services. Notably, this consensus globally is shared by governments on the left and on the right. This is not a partisan debate that's happening here.
The question, then, is how the federal government can catch up with this trend. As I said, first we really need to earnestly commit to hiring tech talent. This will require being honest about salary scales, career progression models, evaluating bilingualism requirements and loosening requirements to be in the office. It can be done, though, and the Canadian Digital Service is truly a success story here.
Second, more can be done to upskill existing public servants through dedicated training, and I'd really like to see this training focus in particular on senior leaders. The vast majority of leaders in the current federal public service have never been asked to understand technology and its role in the policy process. In fact, in some cases those leaders purposely divorce themselves from decisions about technology because they so often end in failure. That learned helplessness is no longer acceptable.
The last point I want to make, though, is that hiring and training will do very little if the broader administrative culture of the federal public service remains the same. Public service leaders and researchers have long complained that the federal government is excessively risk-averse and burdened with unhelpful processes, reporting requirements and webs of opaque, nonsensical rules. This stifles creativity. It overly restricts the autonomy of public servants. It encourages apathy. It's near impossible in that context to build strong digital products, even if you have all the talent on staff.
The thing I really want to make clear is that we're not starting from zero here. There is an immensely talented group of public servants like Mr. Boots who are trying to do good technology work in the federal government but in a context where it's often hard to do the right thing. It's easier to not try to be innovative and creative and push the boundaries. Many of these public servants are burning out; they're ready to leave or they already have.
Good afternoon to the members of the standing committee.
My name is Rob Stewart, and I'm the deputy minister of international trade. Until October 16 of this year, I was the deputy minister of public safety, and I believe that is the reason you are asking me to appear before you today. My remarks will focus on my time in that role.
As members are aware, the role of Public Safety Canada is to support the Minister of Public Safety and coordinate across portfolio agencies, namely, the Canadian Security Intelligence Service, the Canada Border Services Agency, the Royal Canadian Mounted Police, Correctional Service Canada and the Parole Board of Canada. We are not mandated to provide oversight over the agencies; rather, the department's principal role is to bring a coordination function to the public safety portfolio and its five agencies.
Today, I will provide a brief overview of the timeline of the ArriveCAN app's development and use when I was deputy minister of public safety.
As you heard in previous testimonies, the ArriveCAN app was developed and launched as quickly as possible after the World Health Organization declared a pandemic on March 11, 2020. As the Public Health Agency of Canada and the Canada Border Services Agency stated, the app was developed to help limit the spread of COVID-19 and facilitate the flow of travel. It was developed on an emergency basis, and was up and running on April 29, 2020.
The application was needed once it became clear that the Public Health Agency of Canada could not efficiently manage a manual, paper‑based process to pass health information to the provinces and territories. This information was needed to quickly carry out compliance and enforcement activities, including quarantines.
As such, ArriveCAN is not a simple information-sharing app; it's a secure transactional app and web tool that used the internationally recognized SMART health card standard to verify proof of vaccination.
The CBSA did not have all the resources needed to develop and manage ArriveCAN while it continued to perform its essential day-to-day function in managing the border. For this reason, the CBSA used several professional services contracts for the development and maintenance of ArriveCAN based on their expertise.
As the pandemic situation evolved, the Government of Canada made regular adjustments to border measures under new orders in council.
There were, I think, over 80 orders in council, in total, over the two-and-a-half-year period. These changes were to ensure Canada's COVID-19 response remained effective, but they also meant regular updates to ArriveCAN. Some of these adjustments were minor, whereas others, such as proof of vaccination, molecular attestations and quarantine plans, were very significant.
Each of these needed to be developed and tested prior to launch to ensure the app was up to date and secure. That would be on several platforms, several technologies, and in several languages. To that end, the total budget for ArriveCAN also includes all the necessary work to operate, maintain, and upgrade the app. That included 70 updates and upgrades as the COVID measures changed.
That is the context in which this work took place over the past two and a half years.
I don't know the answer to that, as a matter of fact. It was, in my understanding, part of a suite of digital tools the CBSA was developing with the aim of digitizing the border and better managing the border. When the pandemic arrived, I believe it was converted to the use as a screening tool.
No. Again, and I can't provide assurance, but as a general matter, when an organization like CBSA, which is a very large organization with many IT applications and many other services that require contracting, does that, they do it under the authority delegated to them. They are not required to, nor would it be efficient for them to, report on all those contracts to the minister.
It was not delegated to anyone in my department. It was done under the authority of the president of CBSA and CBSA as an institution, which is a direct report to the Minister of Public Safety. The Department of Public Safety's role, and my role, was to participate in the discussions that went on around managing the border. That is how I am aware of the ArriveCAN app.
It came up early in the discussions as we were managing what was, at that time, the very rapid closure of—or limits put on—the Canadian border. That would have been in March 2020. I can attest to the fact that the minister at that time, Minister Blair, was very anxious to have the CBSA get a tool in place that would allow the border to be better managed, because wait times were increasing and complaints were rising.
It was the president of the Canada Border Services Agency who would have been the person responsible, or the person who would have delegated authority for the contracting of the app, or was that all done by Shared Services Canada?
No, CBSA would have employed—and I believe they did employ—the services of Public Services and Procurement Canada, which has standing offers for the provision of services. They would have said, “This is what we need.” They would have gone to the PSPC department and had them prepare a contract for those services.
Are you aware of the consultations with any other vendors?
Ms. Luelo, perhaps you could speak to that process on the selection of an organization like GC Strategies when other companies had the in-house capabilities to deal with it, instead of subcontracting it out. Are you aware of the process that was undertaken in this case?
I am not aware of any additional context around this, but it would not be abnormal in a situation where you're time-constrained, as we were on this, to do the procurement the way CBSA did the procurement.
March 2020 was an extraordinary time for this country. We heard last week from the CBSA, when they were here in front of the committee, that the app was developed in a month, in 30 days. We heard that for the app itself, the systems and the back-end systems were quite complex, in the sense that it needed to facilitate data sharing among many agencies and organizations; it needed to safeguard privacy, which was absolutely paramount; and it needed to be accessible for Canadians across all platforms. We heard that there were 30 million submissions of this app. We also learned that 97% of those submissions went through without a hitch, without any glitches. We also learned, obviously, that this app was able to accommodate 80 orders in council, 80 changes.
I have a question for Ms. Luelo.
Has Canada, in your understanding, ever developed an app for a system of this complexity and scale in 30 days? In your extensive experience working in the private sector, even in the private sector would you say that this was an accomplishment?
I was at an airline when this happened, so I vividly remember the extraordinary times. This, to me, is a very good example of exactly what the private sector would do in a set of circumstances like this. I think that the CBSA team, the Government of Canada team, should be incredibly proud of the fact that they were able to develop and deploy this for Canadians at a very difficult time.
My hope, as we unpack the lessons that we need to learn around this, is that it does not put us into a spot where we become less risk-adverse than we are today as a system, because for us to do good digital work for the government we need to be able to move more quickly than we do today. I would offer that 65% of the digital systems for the Government of Canada are in poor health and we need to have a greater ability to work with partners, move more quickly and take some risks, and I think this is a very genuine example of a good accomplishment. As with any fast-moving digital projects that happened in my prior experience, and I've had wins and losses, there were always lessons at the end, but this is a good example of some of the best practices that do get used in building digital tools in tight timelines.
Again, going back to your experience, both now in the private sector and in the public sector, can you speak to the particular challenges that government IT faces that perhaps the private sector does not face?
I get asked that question quite often. I think there are a few things that I would highlight for the committee here.
One is that the thing the Government of Canada has going for it is the mission work, which is incredibly impactful for technology professionals. There's nothing that beats what we get to do every day. The 18,000-plus technology employees who serve this country, that's why they're doing what they're doing.
I think the consistent challenge that we have with the private sector right now is that there's a significant talent gap in this country and everyone is trying to digitize at the same time. A quick look at Stats Canada's data shows that year-over-year growth for software engineers is 115%. Those people don't exist, and that's just one example. So I think just the general constraint of talent in Canada is a consistent problem.
I think one of the unique issues that I observed within government is that it is a long process to attract, hire and get people into the system. We've stood up a digital talent and leadership team within the office of the chief information officer to specifically address some of those systemic issues and are finding great collaboration with our colleagues in OCRO to assist with that.
You mentioned the fact that one of your principal roles is to develop policies that help prevent cyber-events. We've heard in previous testimony in front of this committee that the Government of Canada faces billions of cyber-threats on a regular basis.
I want to ask you this. Does a project like ArriveCAN, a project of this scale and scope, a project that was stood up so quickly, elevate the risk for cyber-attacks or cyber-events, and is that why we had to pay such careful attention to make sure that it was cybersecure?
Yes. There is a set of standards we use for cybersecurity, and they were well followed in this example. Because of the way this application was developed and the use of cloud technology, we had comfort that even though they moved with velocity, they moved with security and safety.
Ms. Clarke, we received your guide on IT procurement reform at the Government of Canada, which contains very logical and relevant recommendations, particularly regarding contract size. The smaller the contract, the lower the risk, since they allow for better follow up. You also talked about recruiting specialized employees. You said we need to make sure managers have IT knowledge. I think that's a basic requirement if you work in this field. You can be a manager and have many skills, but the IT field does require some fairly technical knowledge.
There is, however, one recommendation on which our opinions diverge. You stated yourself, in your brief, that this recommendation would likely lead to disagreements. That is indeed the case. I am talking about the recommendation to eliminate the bilingualism requirement for IT employees in order to broaden the pool of available talent.
First, talent has nothing to do with the language spoken at birth. In addition, proportionally speaking, Francophones are the most bilingual and more easily express themselves in both of Canada's official languages, especially in Quebec. Moreover, of the managers who are supposedly bilingual, some are perfectly bilingual while others have difficulty answering questions in French.
Given all of this, what impact do you think adopting this recommendation would have on the right of Francophones to access IT jobs in government and on their right to work in their mother tongue?
What about francophones' access to government information and data?
Basically, your recommendation is saying that we are second-class citizens. It's a distressing recommendation. It's as though we don't matter.
Would you be comfortable in the opposite situation, that is, if a unilingual francophone with great IT expertise made everyone work in French?
These are questions that come to mind in reading this recommendation. Sometimes, when you are part of the majority, you don't realize how this kind of recommendation can impact the minority, particularly the linguistic minority in North America. Were you aware of all the repercussions and impacts this could have on employees?
We acknowledge in the brief that it is a highly controversial suggestion. What it emerges from is interviews with public servants to try to better understand the barriers to attracting tech talent, which is really in demand, into government. I think it would be perfectly legitimate to say that the values of bilingualism and the objectives of inclusivity and ensuring that francophone Canadians are represented in the federal public service, which is a policy objective, are valid. If that makes it harder to hire IT talent, we just accept that, because it's a more important value. I think that is perfectly reasonable. Where we were going with that suggestion was to say that objectively the more requirements you have for hiring, the smaller the pool can become.
The other thing we would note, for example, is that the current requirement to be in the office is another huge barrier to attracting tech talent. Acknowledging that government will never be able to compete, dollar for dollar, with the private sector in hiring tech talent, we have to have other incentives, and that's where we're going with that.
Are you implying that there are not enough bilingual people in Canada to fill these positions and that francophones should therefore give up their own rights so that unilingual anglophones can get jobs? It is important to note that, in a place such as Quebec, where the majority is francophone, bilingualism is required in more than 70% of cases, while that is not a requirement in francophone regions elsewhere in Canada.
Are you suggesting that we should drop francophones' rights so that English becomes the only language of work in IT in Canada?
Okay. The government owns the IP. Now, my understanding is that it is the policy on title to intellectual property arising under Crown procurement contracts that the default prevents the Crown from owning the IP for software products produced under government contracts.
What exemption to this policy was relied on to allow the Crown to obtain the IP? Was a Treasury Board approval granted?
Okay. My understanding is that the policy of the title to intellectual property arising under Crown procurement contracts generally prevents the Crown, as I said, from owning the IP for software products produced under government contract.
Under this policy, the default is that the IP is owned by the contractor. In this case, the contractor would be GC Strategies, an IT staffing firm, or perhaps it's one of the unnamed subcontractors. Are you able to confirm in writing who owns the intellectual property for the ArriveCAN app, whether that's GC Strategies, an unknown subcontractor or the Crown?
Does the government need to acquire and maintain any licences to make the app available to the public, and if so, who issues these licences? Can you advise if CBSA has paid any licensing fees in relation to ArriveCAN or if it anticipates that it will need to do so in the future?
Okay. It would be good to get those responses in writing.
I'm going to change my questions and go to Mr. Boots.
I was surprised to learn that the policy on title to intellectual property arising under Crown procurement contracts generally prevents the government from owning the IP for software products produced under government contracts, and that certain exemptions must be met or Treasury Board approval must be granted in order for the Crown to take ownership of the IP.
How often does the Treasury Board grant approval to allow departments to take ownership of IP for products that they are paying to have developed?
Okay. This policy seems like it would lock the governments into contracts with vendors and prevent software reuse between departments without additional licensing fees being paid.
Will the Treasury Board's comprehensive strategy policy review be looking at this policy and evaluating whether increasing public ownership of IP or use of open-source software would better achieve the goals of obtaining best value and demonstrating sound stewardship of public funds?
In the case of ArriveCAN, this committee has been told that work on the app was outsourced because of the urgent need and lack of internal capacity. The mandate letter of the President of the Treasury Board includes developing a public service skills strategy with an emphasis on “increasing the number of public servants with modern digital skills”. I think Ms. Clarke alluded to that as well. It also includes reducing “the time it takes to hire public servants.”
Can you speak to what progress has been made on those fronts over the last year? Will the strategy include anything to ensure digital expertise in senior leadership?
Let me start with the last part of that question. In terms of increasing the skill set of senior leadership, that is an ongoing process. In fact, last week I spent time with the deputy minister community actually walking them through the digital ambition and talking to them about the types of things they should be working on with their teams, from policy design right through to operations. That is a common occurrence that is starting to happen in government. We have a number of different programs through the Canada School of Public Service, which I can't comment on, but certainly that is intended to do that type of training.
Ms. Clarke talked about the pay scale. GC Strategies is making between $1.2 million and $2.7 million. It's an obscene amount of money.
In 2018, the Auditor General recommended mandatory training for procurement officers on complex IT projects and agile methods. Has any effort been made to implement that recommendation? What have been your efforts, to follow up on what Ms. Clarke said, to ensure that we're recruiting people who understand and have the capacity and ability to do this kind of work?
We have the recruitment office that we've stood up. In terms of the overall contract versus employee wage, I would offer up that this is a normal, consistent private sector-public sector gap across Canada. It specifically can be explained through the differential in things like pensions and benefit programs, etc. It's not a one-to-one ratio.
We can certainly revert with some additional information.
Not first-hand, but it would make sense for PCO and PMO to be informed of the intention to launch the app. Indeed, there was a community of deputy ministers and officials at all levels who were working together very intensively over that period of time: the Public Health Agency of Canada, Health Canada, Immigration, Transport, Global Affairs. All these people had an interest in the pandemic and what we were doing to manage it. They were meeting regularly and would have been informed of the intention to move from a paper-based process to an electronic process.
I'm now going to go to Ms. Clarke for a couple of questions. I'll put some context around the question.
We are all aware that GC Strategies was chosen for a large part of the work on ArriveCAN. They testified that they were not tech experts or developers. What they did was build teams with the expertise to do this work. We know from them and from the government that they cannot reveal the identities of the subcontractors because of confidentiality provisions in federal procurement rules. It is somewhat astounding to me that we can have government contracts awarded to companies that then subcontract, and there's no way we can know who those subcontractors are, the work they did and how much they were paid.
You recommended increased transparency around federal contracting: that departments “should disclose IT and professional services contract costs (also per-vendor) associated with each IT project on an annual basis.”
Can you comment on the practice of procuring the services of a vendor who does not do the actual work, but then procures the services of subcontractors? We can have no information when it comes time to ensuring that Canadians are getting value for the money that is being spent.
I don't know how widespread that is but, anecdotally, the idea that you would lean on a staffing agency to quickly pull together a team is not bizarre.
One of the things I've learned from the research and speaking with public servants, both in Canada and internationally, specifically about this question of how governments can responsibly work with private IT vendors is that once you have that core expertise in-house, you're in a great position to be that smart shopper, to compile those teams yourself and know which firms have expertise, who does good work, how to check their work and hold them to account. You can then directly build that search capacity—which is a term that often gets used by public servants—acknowledging that, especially when something needs to be done really quickly or there's an emergency, as was the case here, of course you're going to work with private vendors.
I don't tend to hear anybody telling me that working with an intermediary like a staffing agency is what they would view as best practice. That's all I will say about that.
I would like to thank the witnesses for coming in, in person, as well as for sharing their insight with us.
I look at the panel in front of us today and I see representatives from the government who are experts in digital polices, as well as security. I see researchers and academics who have done extensive research not only on our policy, but on how we could do better.
The CBSA representative, during that period, talked about the processing time and the scope of the work that was done.
In our last meeting, we managed to clearly establish, first of all, that in no way have we spent $54 million. The spend to date is about $40 million. In no way have we spent $54 million in developing this application. The total cost of the application development was around $8.8 million.
Today, I want to ask you this, as panellists with three different types of expertise. If I had come to you—and I consider myself a third party developer, and over a weekend developed an app—and I said that I am about to offer this application to you, which cost me, supposedly, about $250,000, what concerns would you have? Could such an application be developed with the extensive knowledge that you have and with the extensive discussions that you had during that time for that money?
It is a common practice to do weekend hackathons, when companies or individuals will build something that is a front-end application. Again, it's a common practice and one that we should aspire to work with these smaller start-up organizations on to continue to learn from some of the practices. I accept that.
What I would worry about, as an individual who has run wide-scale commercial operations, not just from the policy side, but actually running these things.... You worry about privacy; you worry about accessibility; you worry about it being multilingual; and you worry about how it hooks into all of the back-end systems. There's a whole testing protocol that needs to go on, not just to have you say it's okay, but to prove it's okay.
It's not just about taking the front end and connecting it to a very complex back-end environment that we have in the Government of Canada. It's taking the time to run the test to prove that you've met all of those criteria around accessibility, languages, security and privacy.
People are pretty much over their enthusiasm for weekend hackathons. It's not the thing when it comes to building robust, accessible public services. That's not to say that we don't want to tap into a specific tech community, create open APIs and think about releasing data and collaborating with these players. You can't build strong public services on a shoestring, and it's not the kind of thing that can be designed, developed, and maintained by somebody hanging out in their basement for a weekend.
I will say, having built things on weekends.... As Prof. Clarke said, it's easier to build what it might look like, but it's hard to know what it would look like to run that, and to run the infrastructure for it, at scale.
I would agree with my colleagues. This is not something you take lightly.
Having said that, in the instance of ArriveCAN, and with all due respect to Prof. Clarke, I think it's an example of the government being very nimble and agile, and able to do something that was very effective in a short period of time.
You have to take some risks. I'm not saying, “Put the app into production if somebody shows up and says it can do X”, but you should definitely look at it and think about the various considerations that have been articulated so far.
Is it fair to conclude that $250,000 might be a fair, agile response to the front end of an application, but not necessarily to the tune that we need to be able to run a digital platform with the level of security and data we need?
My question is for Mr. Stewart, Ms. Luelo and Mr. Boots.
If the bilingualism requirement had been waived, as recommended in the Carleton University brief, would we have been able to hire more people? Would more people have wanted to work for the Government of Canada to develop this app? Would it really have made things easier?
There is a fundamental lack of talent in Canada right now. There are not enough people to fill the roles. I don't subscribe to the idea that, if we'd removed that criterion, we would be in a different place on ArriveCAN.
Part of how we are thinking about this.... I speak with the CIO community. I'm the functional leader of that community in government. This is a topic we speak about often. We envision a world where we bring people in who are, perhaps, unilingual—either French or English—and provide a forum for them to be trained in both official languages.
I agree with your theory that this is what will make the best technology for Canadians. I'm a firm believer that the workforce that builds digital for Canada needs to look Canadian. That includes both official languages.
I would say the opposite. Since there is a lack of qualified workers to develop technologies, we need to set up education programs in both official languages so that the government can be better equipped in this field.
For my part, I agree with Ms. Luelo. I would add one point, however. Management positions require a certain level of bilingualism. I would recommend giving people access to positions in the public service where they would have advancement opportunities without becoming managers. This would lead to increased technical capacity within the public service without losing the very important values related to official bilingualism.
Ms. Luelo, you indicated in response to another question that you were comfortable that security protocols were met for ArriveCAN despite the velocity of the project.
This week, the Auditor General released a report concerning findings about the government's ability to prevent, detect and respond to cyber-attacks. The report found that departments are “confused on cybersecurity roles”, that “cloud guardrails [were not] monitored consistently across all contracts” and that “contract security clauses were unclear and not standardized.”
Can you comment on this report by the Auditor General and what the Treasury Board will be doing to urgently address security vulnerabilities and ensure Canadians' personal information is protected?
We are at the very beginning of our migration to cloud as an organization. The findings in the auditor's report would be consistent with my experience, having done this in other large Canadian organizations, where at the beginning you have a strong set of controls but the organization needs to adapt to make sure those controls are consistently applied.
We have taken action already to work with the different departments to ensure there is a clarity of roles and responsibilities. You will note that we have published an update to the GC cybersecurity event management plan. That's actually been in the works for about nine months. There was an update posted late last week, so that is a work in progress for us and will continue to be a work in progress.
Monitoring is going to be a very large part of ensuring that we have good controls in place that are in all cases being followed.
Ms. Clarke, in a brief to this committee you noted that the U.K.'s early spend control policies are a success and recommended that Canada adopt similar policies. Can you describe the differences between current Canadian policies and those the U.K. has implemented with success?
Also, you recommended improving the extent and quality of public disclosed IT procurement data. Maybe you could talk about Canada's transparency around procurement and compare that to other countries.
The U.K. is far ahead of the Government of Canada in introducing a lot of modern design practices, bringing in technology talent and also instituting hard carrots and sticks for departments to be smart about how they procure and manage technology.
One of the things they did early on was institute spend controls in order to shrink the size of contracts. In the brief, we explain why that's important: because when contracts are small, it's easier to pivot from vendors that aren't performing well. It also forces vendors to produce something early so you can test it with users to see if it actually makes sense and works.
They saved an incredible amount of money in that jurisdiction, and that's why they rose to the top of all the global rankings of digital government. Their model of thinking about how to build digital capacity has been largely recreated around the world, including in Canada. The Canadian Digital Service is built out of that model.
To the best of my understanding—and I'll preface this by saying that I'm still fairly new in this role—a national security exemption allows us to step around some of the practices that are in place around procurement to move more quickly based on national security concerns, but I will confirm back in writing that this is an accurate representation.
Ms. Clarke, I want to say I'm certainly a fan of your work and of your articles. As the new shadow minister for the Treasury Board, I am very interested in value for money. I certainly share your quandary in the existing situation, which is a lack of talent within the public service and therefore the use of what are probably overpriced consulting firms in an effort to compensate for that lack of inherent information and capacity, yet at the same time the recognition of the time and investment to make the transition and, as Ms. Luelo pointed out, the lack of talent available in Canada at this time.
You referenced the United Kingdom, which my colleague Mr. Johns mentioned briefly. Can you expand a little upon their system for this transition from consulting firms to inherent capacity, infinite capacity, and what that might look like based on their model?
Their model grew out of massive failure in parliamentary scrutiny, so you're on a good roll here. Basically, they have an amazing parliamentary report from, I think, 2011, called “Government and IT—'a recipe for rip-offs'”. They pretty much investigated the scandalous awarding of contracts to a small number of massive IT firms, which led to huge failures, including a massive failure of their effort to create a universal benefit system. That's really worth checking out.
From that failure.... At the time, there was a coalition government that was interested in improving public services, led by David Cameron. You saw huge investment and a lot of ministerial leadership to recruit tech talent and to evaluate the rules that make it hard to do good tech work in government.
The recipe is pretty clear. I hope we don't have to have a massive failure to get there, but I increasingly fear that we do.
It's a similar story in the U.S. The reason they moved ahead on a lot of tech reforms was that Obama's health care initiative failed on the first day because the website didn't work. This led to the creation of presidential innovation fellows and the U.S. Digital Service. Now, under the Biden administration, there's significant investment in reducing administrative burden and improving services.
We haven't seen that same kind of activity here in Canada. We have been more at the level of strategies, visions and some tech talent hiring, but we need some significant hard rules, I think. We also need to streamline some of the existing rules, so that public servants trying to do good work are enabled to do that good work.
I believe we are moving along the path on the mandate, demonstrated by the digital talent group that is being stood up. We are making significant efforts to hire outside of government.
Typically, what is happening is that we're seeing a migration of talent around government, but not the right net new into government. There's an outreach and recruitment process that our team has executed in the last six months. There are a number of job posters. In fact, we have had some very strong external candidates, but we need to increase the volume from where we are.
I would offer one other thought. We need to stop doing so many things. If we had less work, we would be able to take the talent that we have and.... “Talent” is maybe the wrong word. There is an incredibly talented group of leaders inside government, as well as coders, developers, software engineers and network experts. There are not enough of them, based on the large agenda that governments over many years have put forward.
The reality is that we have a technical environment that is in need of attention. We need to prioritize where we're going to spend limited tech talent.
By the way, I'm going to start by saying, Ms. Clarke, that I really appreciated the document you sent. I sent it to the minister after I read it. I thought it was very well done.
Mr. Stewart, I want to come back to the national security exemption that Mrs. Kusie just raised, which I believe was awarded to you. It's the contract related to ensuring that accessibility requirements were met, as Ms. Luelo just mentioned.
It's my understanding that in March 2020, the national security exemption was invoked to exempt all elements of the procurements of goods and services required in order to respond to the COVID-19 pandemic, and it exempted these procurements from the provisions of all of Canada's applicable trade agreements.
Is that your understanding? Did you understand that that exception applied to all goods and services, not just to ArriveCAN, in that one contract?
I don't know that for a fact, but I would certainly believe it to be true. In March 2020, we were trying to procure all kinds of goods and services, in particular goods such as protective equipment. We were doing it by any means possible and as quickly as we could do it.
That's my understanding. There's a lot of discussion, and things can sound very sinister in sound bites, but when you take the time to walk through them, most of these sound bites are untrue. My understanding is that there is no issue, because that wasn't a specific issue related to only one ArriveCAN contract. It was related to the timing of that contract, when there was a general exception for all goods and services.
Can I come back to you, Mr. Stewart, because you were there? You mentioned that you briefed Minister Blair. It is normal that you would brief the minister and his chief of staff on a regular basis with respect to what was happening.
Did the minister ever offer you any political direction stating that you had to contract any specific organization?
Thank you very much. Again, that dispels claims about Liberal insiders benefiting.
The $250,000 cost has been brought up multiple times in question period and, in fact, at committee the last time—that this app could have been developed for $250,000, which even the people who did the hackathon didn't say.
Ms. Luelo, I'll go to you first, and then I'll go to Ms. Clarke.
Ms. Luelo, you were not in government at the time. You came from the outside, so you were not involved in the development of ArriveCAN. Do you believe, as I asked the CIO of Public Safety last time, that ArriveCAN—meaning the initial development, the 70 or more updates required over a span of two years to make sure the app kept responding to changes in dynamics, and all the other things, such as accessibility, security, training and support—could have been done for $250,000, under any circumstances?
Let me know if you think this is right. I compare this to spending two years developing the best race car in the world. I've spent two years, made 70 modifications to the engine and all the different parts of the car, and tested it to make sure it met the highest safety standards. I tested it with multiple drivers on every different surface, in order to make sure it could be used easily, everywhere in the world. Then, somebody comes and copies the chassis of the car, based on the plans I developed. They say they did the same thing I did, even though nobody ever drove the chassis of that car.
There were cute stories about people who created the app for $250,000 over a weekend, but, as we've discussed, that's not a fully functioning service. It's not being maintained; it doesn't have security protocols; it's not necessarily accessible; it's not looped into back-end systems, all the updates and orders in council that required changes.
What's more interesting to think about is this. We have an external capacity of civically minded tech folks in Canada who want to feed into the work of government. We've already talked about using more open source. If we did that, we would see a more interesting thing—not people creating apps over the weekend to get a little story in the National Post, but, instead, people looking at the code. They could scrutinize it, and they could look for security issues and find ways to improve it. That's a really beautiful collaboration that actually produces public value.