Al Vigier is the CEO of Caseway, a Vancouver dual-use AI company, and a former member of the Canadian Army.
On May 18th, the Pentagon suspended the Permanent Joint Board on Defence, the body that has coordinated Canadian and American military planning since 1940. The reason given was blunt. Washington said Canada had failed to make credible progress on its commitments, and that the gap between rhetoric and reality could no longer be ignored. Ottawa downplayed it. But the message landed in every defence procurement office in the country: the assumption that we can lean on American systems indefinitely is no longer safe.
That makes this a strange moment to discover that “Buy Canadian,” the phrase the government repeats whenever defence procurement comes up, has no agreed meaning in the one domain where sovereignty is decided line by line: software.
Hardware is easy to point at. A frigate built in Canada is visibly Canadian. Software is not. A platform can carry a Canadian logo, a Canadian sales team and a Canadian invoice while its data sits on infrastructure governed by foreign law, its source code is controlled abroad, and its audit trail is whatever the foreign vendor chooses to expose. “Canadian” software, absent a test, is a marketing claim.
The government has already conceded the core problem in writing. Its own 2018 Treasury Board white paper, Data Sovereignty and Public Cloud, states that as long as a cloud provider operating in Canada is subject to the laws of a foreign country, Canada will not have full sovereignty over its data. That sentence is still posted on a federal website. It is not a fringe worry. It is the government’s own position.
And the government keeps procuring against it. Shared Services Canada’s own 2024-25 evaluation of its cloud services found that federal consumption of Microsoft Azure was roughly four times that of Amazon Web Services between fiscal 2019-20 and 2022-23, making Azure the dominant federal cloud platform. There is nothing wrong with Azure as engineering.
The problem is the contradiction: a government that has written down, in its own words, that foreign-controlled cloud means no full data sovereignty, then routes the bulk of its workloads onto exactly that.
So what would a real test look like? Three things, none of which a vendor can fake under scrutiny.
First, auditability. Can the system produce a complete, tamper-evident record of who accessed what, when, and from where, on demand, in a form an investigator can use?
Second, data residency. Does sensitive data actually stay in Canada, beyond the reach of foreign legal compulsion, rather than merely being “available” in a Canadian region while control sits elsewhere?
Third, Canadian-controlled intellectual property. If the foreign parent is ordered by its own government to cut access, does Canada still own and operate the capability, or does it go dark?
Here is the good news, and the catch. For the first of those three, a testable bar finally arrives this summer. The Canadian Program for Cyber Security Certification, whose Level 1 becomes mandatory in select defence contracts in the coming months, builds directly on the Cyber Centre’s control set and includes a full audit-and-accountability requirement. For the first time, a defence software vendor will have to demonstrate, not assert, that it logs and protects an audit trail.
But CPCSC carries only the first pillar. By the Cyber Centre’s own admission, it is a Canadian version of an American standard with no substantial technical changes. It tells a vendor to know where its data lives; it does not require that data to stay in Canada. And it says nothing about who owns the intellectual property. Residency lives in Treasury Board direction. Canadian ownership lives, sort of, in the Defence Industrial Strategy launched in February, which sets a target of raising the Canadian-firm share of defence acquisitions to 70 per cent over the next decade.
That is the real failure. The testable definition of “Canadian” software already exists. It is simply scattered across three instruments, a cyber certification, a cloud directive and an industrial strategy, that procurement does not enforce together. A vendor can clear one and fail the other two and still win the contract. Until a single evaluation requires all three at once, “Buy Canadian” remains a slogan a foreign-controlled platform can satisfy on paper.
British Columbia has an unusual stake in fixing this. In the past year PacifiCan has put roughly $20 million into Simon Fraser University for secure defence-grade computing and a quantum-secure Vancouver network, nearly $9 million into a UBC defence research accelerator, and more into Vancouver scale-up programs.
TELUS is building Canadian-owned AI infrastructure downtown and in Mount Pleasant, designed to keep sensitive workloads on Canadian soil. The capability to meet a hard three-part bar is being built here, now. What is missing is procurement that rewards it.
None of this is an argument for economic nationalism for its own sake. It is an argument that a word the government uses constantly should mean something it can check. The F-35 review is still open precisely because the data-control question turned out to be real. One competitor is now openly pitching a Canadian-soil data centre against an architecture that routes through Texas. The fighter debate simply made visible what is true across every software contract Ottawa signs.
“Buy Canadian” does not survive contact with how Ottawa actually buys software. It can. This summer’s certification is the first piece of a usable test. But only if the government is willing to enforce all three pillars in one place, and to mean the sentence it already wrote down about sovereignty, the next time the easy foreign option is on the table.