I note that my computer has glitched throughout, so hopefully I will be able to make it through. I believe you have my written testimony, and I would be happy to repeat if required.
Thank you for having me here today. Before I begin, I feel that I should disclose that I worked for the Canadian Security Intelligence Service between 2012 and 2015 as a strategic analyst. I did not, however, specifically work on this file, and my interest in the nature of Canada's relationship with China comes from my own scholarly interests, research and activities.
In that sense, I'm very pleased to be able to speak with the committee today about this important issue. My argument is essentially this: The Nuctech contract is problematic, but not for any of the reasons that have been discussed in the media.
Yes, the scanners are made in China, but so are the computers our embassies use, and the phones and basically all the telecommunications equipment. Also, all the technologies that are made elsewhere probably contain components that are in fact made in China. For better, and quite possibly worse, it is not possible at this time to have technology that is not made in China or with parts that are somehow made in China or sourced from China.
Now, of course there is a risk here, but at the same time it's not clear that banning all this technology is going to make us safe either. Indeed, it's more problematic to suggest that bans on equipment make it safer. By this I mean that China is good at getting the information it wants through a variety of means, and many, if not most, non-Chinese technology firms, particularly in the telecommunications sector, have security flaws and vulnerabilities that can be and most certainly are exploited by malicious actors.
Frankly, there are many ways to spy on Canadian embassies abroad: physical surveillance, phishing attacks, insider threats and exploiting vulnerabilities in software. An X-ray machine in a non-classified area seems to me one of the clumsier ways of trying to do it. In that sense, I feel that the technical threat element has been overstated in the public discourse.
Now, I want to be clear. This does not mean that the Nuctech contract is fine. There are clear problems with it and the procurement process, which this entire matter illustrates.
The first issue is that of state-owned enterprises, or SOEs. I don't think I need to explain to the committee why these are a problem generally, but in this particular case it is worth noting that these are firms that can normally depend on extremely generous support from the state in terms of money or strategic information often gathered through corporate espionage. These advantages give SOEs the ability to undermine any competition. Because they do not have to adhere to the normal business practices, they can bid on contracts at very low prices in order to win, without having to worry about profit or answering to shareholders. In the long term, this can lead to moves that effectively skew the market in certain strategic areas. In this sense, it is clear that some SOEs represent a geo-economic challenge to Canada and western technology firms in their ability to engage in anti-competitive practices. This behaviour should not be rewarded by the federal government.
That relates to a second concern about Canada's procurement practices. It is worth noting that Canada is increasingly developing processes around foreign investment by SOEs generally and has recently tightened restrictions around certain sectors such as health care during the COVID-19 pandemic. However, for some reason, it appears that protective measures around foreign investment do not extend to the federal procurement process.
Based on the testimony provided to this committee on November 18, 2020, by Mr. Scott Harris, vice-president, intelligence and enforcement branch of the Canada Border Services Agency, his organization “leaned into our colleagues at CSE and elsewhere to gather their expertise” on the issue of security threats from Nuctech technology. If this consultative step was taken in the case of CBSA, why is this not standard practice across the federal government? The lack of standardized policies and procedures, where some departments seek security advice and others do not, seems to be a serious problem.
In conclusion, my recommendations are as follows:
First, Canada should have a policy in place where the procurement of goods and services provided by SOEs by any department is given additional formalized and consistent scrutiny to make sure such investments align with Canadian priorities and values. To be sure, all SOEs are different, and some are simply profit motivated. In this sense, a total ban does not make sense. However, it is something to be risk managed in co-operation with Canada's security agencies.
Second, the federal government needs to develop what is often referred to as a “defence in depth” policy when it comes to the procurement and use of technology, particularly as so much of it presently comes from China.
This is a layered security approach, where multiple steps emphasize measures that control physical access, technology controls that limit what adversaries can do should they get access to a system, and, fundamentally for the issue before us, administrative measures that ensure the right policies are in place to prevent security breaches.
Bans will likely not solve our problems, but risk management with layered security approaches will likely be more successful in the long run.
Of course, implementing such a policy will be difficult. In our federal system, many different agencies have different slices of the security and procurement pie. CSE is responsible for the technological assessment, CSIS for the geo-economic threat context, PPSC for ensuring the best value for money, etc.
Media reporting has indicated that tensions have emerged in similar exercises by federal departments, such as the investment reviews required by the Investment Canada Act. However, our federal departments and agencies continue to work together on these new security challenges, and they are learning to get along for the greater good. There is no reason why this could not happen in the area of securing procurement for the federal government.