Cybersecurity: Canada could be a cybersecurity powerhouse with this one little trick
June 20, 2023
By Laurent Carbonneau
Here’s a troubling thought I heard recently from somebody in the cybersecurity industry: we are probably not far off from cyberattacks that are actually lethal, if we haven’t already crossed that threshold indirectly.
As more and more computers and sensors are included in more and more ‘smart’ hardware, the attack surface for cybercrime is only going to grow exponentially over the next few years. Every year brings more and more prominent ransomware and other cyber-attacks. Ransomware brought Canadian bookstore chain Indigo’s systems down for weeks earlier this year. It’s a fascinating moment to be in that industry, and a daunting one for government.
Apart from the real security risks posed by cybercrime and cyberattacks, there is also real opportunity in being a global leader in the cybersecurity sector. Canada already has an outsized footprint. Between 2018 and 2020, the cyber sector in Canada grew by nearly a third in terms of employment, R&D activity and revenue. We have strong domestic expertise and are members of lots of global clubs, like NATO and the Five Eyes, that have their doors open for Canadian solutions.
There is a real irony about our club memberships. Our Five Eyes allies buy three times as much Canadian technology, products and services as Ottawa does itself. In fact, only 8% of the sector’s revenue is derived from Canadian government contracts. We don’t have a problem selling Canadian cybersecurity products to Canadian and international companies or to foreign governments. Where we do have a problem is in selling to our own government.
With all due respect to the federal government, this is not because the feds have an agency staffed with crack cybersecurity software developers making top-notch products that are used in-house and that no one else has even heard of. The real answer is that navigating government procurement is difficult, and the processes set up to buy tanks and boats are not well-suited to the more fluid world of cutting-edge software, despite the existence of channels that should make it easier.
Traditionally, procurement works on a demand- or supply-based model. Government puts out a request for bids or proposals to meet a need they have or invites providers to pitch them on products. What we don’t have is an environment where government buyers can have open-ended conversations with product developers about their needs. Add serious delays with security clearances and other prosaic annoyances, and it’s no wonder Canadian cybersecurity entrepreneurs prefer to sell to the Americans.
The U.S. even has a dedicated security-oriented venture capital fund, In-Q-Tel, established in the late 1990s by the CIA but now including other three-letter agencies and the Department of Homeland Security. In-Q-Tel invests in promising companies and products to steer their development towards fulfilling government needs. No matter what you might think of the American security establishment, there is no real question that this model has resulted in considerable advances — for example, Keyhole, which later became Google Earth, was an early investment success.
Comments from a few nameless executives of portfolio companies point to exactly the kind of collaboration described above as a key selling point. One Evident.io (a cloud security company) executive said that “Our relationship with In-Q-Tel has been critical in helping to ensure that our product roadmap and development efforts are in alignment with the needs of the [intelligence community]. While we work closely with our commercial customers to ensure that we have prioritized their needs, it is more challenging to get that level of interaction with some government agencies because of the nature of the programs. In-Q-Tel helps to bridge that gap.” Others said much the same thing: the open, collaborative relationship helped fine-tune product offerings to government needs.
In rapidly-evolving software fields like cyber-security, this kind of responsive development is basically non-optional. We don’t necessarily need our own In-Q-Tel. There are other options, such as better leveraging existing channels like the Cyber Security Procurement Vehicle. But if Canada wants to both ensure that government is able to secure its own cyber assets and services and contribute to the growth of a competitive, export-oriented industry, it needs to ensure that the new cyber-security strategy reorients procurement to a more agile and open model.
Many services Canadians rely on across government are a bit the worse for wear after the pandemic, from passports to health care. That crisis, and former US Deputy Chief Technology Officer Jennifer Pahlka’s new book Recoding America, have set a lot of gears turning in the minds of decision-makers. If we’re able to create a model that works for flexible government procurement in this realm, that could open up a lot of new space for change elsewhere.