In February, Prime Minister Mark Carney launched Canada’s first defence industrial strategy, promising to lift the share of defence procurement awarded to Canadian companies to 70 per cent over the next decade from the current 43 per cent.
It is the most ambitious procurement target Ottawa has set in a generation. However, it has a major flaw. The strategy never defines what makes a company “Canadian.” That is not just an omission. It is the whole game.
Guillaume Beaumier and Hubert Cadieux argued recently in Policy Options that Canada risks “funding its own dependence at a cost of billions of dollars” by branding compute capacity built on American hyperscaler clouds as “sovereign.”
Their warning was about artificial-intelligence infrastructure. The same logic applies – with sharper edges – to defence software.
Canada’s digital sovereignty debate overlooks software risks
The right way for Canada to secure cloud sovereignty
The secret to a successful defence industrial strategy is procurement reform
If we cannot say what “Canadian” means for procurement, the 70-per-cent target can be hit merely by relabelling the status quo. Instead, the federal government should implement three tests – covering auditability, data residency and Canadian-controlled intellectual property (IP) – before any software can be counted as Canadian for procurement purposes.
The argument that Beaumier and Cadieux made about compute and the argument about software lead to the same operational definition. Sovereignty is the effective control of the digital systems on which the state depends. Anything else is a label.
The current system doesn’t work
I run a Vancouver automation company that bids for federal contracts. I see what gets scored as “Canadian content” under the current rules. A great deal of it would not survive a serious test.
Start with the obvious gap. When the new defence industrial strategy was unveiled, a senior official told reporters that sovereign capabilities “are not defined in terms of Canadian companies or by ownership.”
Industry Minister Mélanie Joly cited Bell Textron, the Canadian subsidiary of a U.S. aerospace prime, as her example of a Canadian company. Under that logic, the federal cloud already qualifies. The Department of National Defence’s productivity stack, Defence 365, is Microsoft 365 with a Canadian wrapper. The same is true across most federal software systems.
Former policies no longer apply
For hardware, Canada has spent decades refining what is now called the industrial and technological benefits policy, which has been in place since 2014 and is built on an industrial and regional benefits regime that dates to 1986.
The policy requires contract winners to spend a dollar in Canada for every dollar of contract value. That was established for airframes and ammunition, where Canadian content can be physically measured by parts, labour and assembly.
It does not translate to software. With software, the question is not where the bits were compiled. It is who can read them, who can be compelled to hand them over and who owns the underlying intellectual property when the lawyers arrive.
How to define “Canadian” in software
There are three tests that a software vendor should have to pass before being counted as Canadian for procurement purposes.
The first is auditability. Can the Crown or an independent assessor inspect the source code, the build pipeline, the model weights and the third-party dependencies? Most enterprise software shipped to the government today fails this test. Ottawa gets a service-level agreement, not the right to look under the hood.
The second is data residency. Storing bits on a server in Toronto is not the same as keeping them under Canadian law. Treasury Board Secretariat conceded this point in its 2018 white paper on data sovereignty and the public cloud: “As long as a CSP that operates in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data.”
The U.S. CLOUD Act, passed in 2018, permits American authorities to compel U.S.-incorporated providers to produce data within their “possession, custody or control” regardless of where the servers sit. That applies to a Canadian data centre operated by a U.S. parent.
The third test is Canadian-controlled IP. Who owns it? Who can license it? Who can revoke access if a political wind shifts? Subsidiary status is not control. Carve-outs and parent guarantees are not control. Control means the legal right to run the system, modify it and keep it running regardless of what the parent company does.
New pressure being applied
This matters more than ever. In May, Elbridge Colby, U.S. Under Secretary of War for Policy, announced via social media that because “Canada has failed to make credible progress on its defense commitments,” the Pentagon was “pausing the permanent joint board on defense to reassess how this forum benefits shared North American defense.”
The board, established by the Ogdensburg Agreement in 1940, is the senior advisory forum on continental defence. Whatever one thinks of the politics, the operational message is plain.
The good news is that Ottawa is – almost by accident – building the instrument that could give “Canadian” real meaning.
The Canadian program for cyber security certification is modelled on the U.S. cybersecurity maturity-model certification and requires defence suppliers to attest to specific controls.
Level 1 certification became available to suppliers on April 1 and will be required in select defence contracts beginning this summer. Third-party level 2 assessments follow in spring 2027 for contracts involving controlled defence information, with government-conducted level 3 assessments reserved for the most sensitive work.
Tie the strategy to the program
The program is run jointly by Public Services and Procurement Canada and the Canadian Centre for Cyber Security, and is the first federal instrument that scores vendors on something concrete and verifiable rather than on a corporate flag of convenience.
The defence industrial strategy should be tied to those certifications, plus a parallel attestation covering data jurisdiction and IP control.
A vendor that can show its corporate structure is legally isolated from foreign compulsion, that its data flows are bound by Canadian law and that its code base is auditable by the Crown would then be Canadian for procurement purposes. A vendor that cannot show those things would not be, regardless of where it incorporated last quarter.
The 70-per-cent target is the right ambition. However, hitting it honestly requires Ottawa to write down what “Canadian” means in software before the first contract under the new strategy is awarded. Otherwise, we will spend the next decade buying our own dependence and calling it autonomy.
Disclosure: Some of Caseway’s work involves developing software for the defence sector.
