Sean Boots

Technology, public services, and people. But mostly people.

Suggestions for the next GC CIO

With a new Minister and new Mandate Letters, it’s an exciting time to be working in digital government in the federal government. Efforts to make the government more effective and more human-centred are gaining momentum, and it’s really refreshing to see the level of enthusiasm and ambition that people across the federal government are putting into this work.

Ambitious digital government efforts depend on an environment where public servants can use modern technology, learn from users, and quickly iterate and deploy improvements to services. That’s a pretty dramatic departure from how federal government IT has historically operated. In the federal government, a lot of these changes – to policies, procedures, and standard practices – rest with the Office of the Chief Information Officer.

The previous GC CIO was an enthusiastic proponent of change in government, and his successor has led the OCIO team with a lot of thoughtfulness and care. With a new GC CIO likely arriving in January, it seemed timely to put together a “new year’s wishlist” of suggestions – ideas to help put wind into the sails of digital teams across government.

Low-hanging fruit

  • Buying cloud services on a credit card. The government’s 2018 “Cloud First” strategy (inspired by similar approaches in the US and UK) recommended that departments use public cloud providers and software-as-a-service (SaaS) products as their first choice. In many cases, credit cards are the only way to pay for SaaS products. Uncertainty around doing so (and accepting products’ standard terms of use and liability conditions) has held back a number of departments from following the Cloud First strategy. Being instructed to use cloud services without being told how to pay for them has also encouraged teams to use the free tiers of products, which often have fewer security and user administration or data export features. Explicitly stating that departmental teams have permission to buy low-cost cloud services on departmental credit cards (and accept commercial terms) is an important next step.

  • Deprecating Internet Explorer 11. The GC CIO is responsible for officially instructing government departments to retire outdated software, through IT Policy Implementation Notices. In 2015, an ITPIN set an end-of-life date for older versions of Internet Explorer. This should be done as soon as possible for Internet Explorer 11, which Microsoft itself no longer recommends, in favour of Chrome, Firefox, or Microsoft Edge. IE11 doesn’t support many modern websites that public servants regularly use, and introduces security risks that will only increase as time goes on.

Medium-term

  • Switch from the Open Government License to a Creative Commons license for open data. The federal government’s open data and information is released under the Open Government License, a Government of Canada-specific license (overseen by the GC CIO) that allows for reuse but isn’t fully compatible with other open source and copyleft licenses. Officially switching to an internationally-recognized Creative Commons attribution license would make it easier for counterparts in other governments, the non-profit sector, and academic researchers to re-use and incorporate Canadian government information and data into other works.

  • Mandate that all new publicly-funded software code is published as open source. Open source software is widely recognized as an important way for governments to maximize the value of taxpayer dollars they invest in information technology. It allows other government teams (and other governments) to reuse, repurpose, and learn from software code – rather than it only being useful to one team – and also adds security benefits by making code more visible and auditable. Both the United Kingdom and France have blanket policies that custom software code developed for their governments should be open source; Canada should do the same.

  • Exempt small and medium projects from traditional project management and project gating activities. Many of the policies and guidance pieces on managing IT projects in government predate the technology industry’s shift from “waterfall” to “agile” software development. Following these practices (for example, project gating) often hampers teams that have adopted agile methods. Exempting small and medium projects from these activities can empower and accelerate them, while avoiding disruptive changes to large-scale projects that are already several years into waterfall processes.

  • Remove data residency requirements on cloud hosting and storage. Data residency – requirements to host data within national borders – is one of the most common pieces of “security theatre” seen in large institutions. Data residency practices don’t add any significant operational security benefits, and prevent the use of modern cloud services that don’t have regionally-hosted versions (which is to say, most cloud services!). Fortunately, the forthcoming Policy on Service and Digital removes explicit requirements for data residency (as of April 2020); this should be followed with updates to Public Opinion Research standards and any other earlier policies that require storing data within Canada.

Long-term

  • Streamline the government’s information classification structure. The Government of Canada has seven layers of information classification (Unclassified, Protected A through C, Classified to Secret to Top Secret). In April 2014, the United Kingdom replaced its similarly-complex system with a new structure that reduced the number of classification types to three (Official, Secret, and Top Secret). By doing this, it immediately eliminated a wide range of outdated, paper-oriented processes that had been attached to each layer of its old classification system. The UK’s new system allows for the use of standard commercial software products and services with Official data, and was a key success factor behind the UK government’s adoption of cloud services at scale.

  • Increase the maximum salaries for senior developers and cybersecurity experts. The government’s success at delivering modern digital services – and protecting Canadians’ personal information – is dependent on being able to hire world-class software developers and cybersecurity experts. Competition for this talent is fierce, and other governments (including the United States) have modified or made exceptions to their compensation levels in order to compete with private sector salaries.

  • Cap the maximum size and length of government IT contracts. The Government of Canada spends millions of dollars per year on contracts to IT companies. Many of these contracts are long-term contracts (more than five years), which limits the government’s ability to change or improve services that don’t meet users’ needs. The UK’s Technology Code of Practice introduced maximum caps on the size of IT contracts, limited certain contracts to a maximum of 2 years, and eliminated automatic contract renewals. Adopting similar steps in Canada would increase the value-for-money of government IT contracts, encourage modern technology practices like building small, modular systems, help build in-house capacity, and increase the percentage of contracts that go to small and medium enterprises.

Many of these steps are challenging, and involve coordinating with other parts of government (responsible for contracting, human resources, and other areas). But changing the environment that public servants work in, for the better, is essential – as digital government becomes a normal part of how governments work. I’m excited for what the next GC CIO will take on, and how the ripple effects will empower public servants across the Canadian government.